jackieli123723 / jackieli123723.github.io

✅ lilidong personal blog

Upgrading a Node website from HTTP to HTTPS #49

Open jackieli123723 opened 6 years ago

jackieli123723 commented 6 years ago

time: 20170918154035

node: upgrading http to https

HTTP access: http://mall.lilidong.cn


Here is how to configure it:
First, the site environment:
System environment: Centos 7
Nginx version: nginx/1.10.0
To save effort I used the Aliyun one-click install package sh-1.5.5.

Now to the main part.

1. To make nginx support HTTPS, the --with-http_ssl_module and --with-http_gzip_static_module modules must be included when nginx is compiled and installed. Use the command below to check whether those modules are present; if not, recompile. The one-click install package includes them by default.

nginx -V

2. Open the default HTTPS port 443 in the firewall

# vi /etc/sysconfig/iptables   # edit the firewall config file and add the following line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
:wq!   # save and exit
service iptables restart   (/bin/systemctl restart iptables.service)   # restart the firewall

3. Use a script to obtain a Let's Encrypt SSL certificate quickly

# mkdir /home/worker/certs   # create the certs directory
# cd /home/worker/certs      # enter the certs directory
Download the script files:
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
Make the script executable (755 permissions):
chmod +x letsencrypt.sh

4. Configure the letsencrypt.conf file

vi letsencrypt.conf

# only modify the values, key files will be generated automatically.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="mall.lilidong.cn.key"
DOMAIN_DIR="/home/worker/website/vue-longyuan-store-front-mobile/dist"
DOMAINS="DNS:mall.lilidong.cn"
#ECC=TRUE
#LIGHTTPD=TRUE

:wq!   save

5. Run the script to generate the required key files

[root@lilidong /home/worker/certs]#  ./letsencrypt.sh letsencrypt.conf
Generate account key...
Generating RSA private key, 4096 bit long modulus
..............................++
...................................................................................................................................................................................................................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
..................+++
..........................+++
e is 65537 (0x10001)
Generate CSR...mall.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying mall.lilidong.cn...
mall.lilidong.cn verified!
Signing certificate...
Certificate signed!
New cert: mall.chained.crt has been generated   # seeing this line means the certificate was obtained successfully
[root@lilidong /home/worker/certs]# ll
total 32
-rw-r--r-- 1 root root 1647 Jan 20 01:16 lets-encrypt-x3-cross-signed.pem
-rw-r--r-- 1 root root 3243 Feb  8 03:41 letsencrypt-account.key
-rw-r--r-- 1 root root  266 Feb  8 03:41 letsencrypt.conf
-rwxr-xr-x 1 root root 2170 Feb  8 03:30 letsencrypt.sh
-rw-r--r-- 1 root root 3444 Feb  8 03:41 mall.chained.crt
-rw-r--r-- 1 root root 1797 Feb  8 03:41 mall.crt
-rw-r--r-- 1 root root  928 Feb  8 03:41 mall.csr
-rw-r--r-- 1 root root 1675 Feb  8 03:41 mall.lilidong.cn.key

If the following error messages appear:

Error 1

Traceback (most recent call last):
  File "/tmp/acme_tiny.py", line 2, in <module>
    import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
ImportError: No module named argparse

Run the following command:

yum install python-argparse

Error 2

Traceback (most recent call last):
  File "setup.py", line 3, in <module>
    from setuptools import setup, find_packages
ImportError: No module named setuptools

Install setuptools:

wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz
tar zxvf setuptools-0.6c11.tar.gz
cd setuptools-0.6c11
python setup.py build
python setup.py install

Error 3

ValueError: Wrote file to /alidata/www/boke/.well-known/acme-challenge/23YlOKT25QPM0NtJL-tHkWOxEXja_aVUTAqKXwlp66g, but couldn't download http://lirongyao.com/.well-known/acme-challenge/23YlOKT25QPM0NtJL-tHkWOxEXja_aVUTAqKXwlp66g

The cause is a DNS resolution problem within China; there may also be messages such as the directory not being writable.

When this completes, the following files are generated:

-rw-r--r-- 1 root root 1647 Jan 20 01:16 lets-encrypt-x3-cross-signed.pem
-rw-r--r-- 1 root root 3243 Feb  8 03:41 letsencrypt-account.key
-rw-r--r-- 1 root root 3444 Feb  8 03:41 mall.chained.crt
-rw-r--r-- 1 root root 1797 Feb  8 03:41 mall.crt
-rw-r--r-- 1 root root  928 Feb  8 03:41 mall.csr
-rw-r--r-- 1 root root 1675 Feb  8 03:41 mall.lilidong.cn.key

6. Open the site config file and modify/add the parts marked in red

# vi /alidata/server/nginx/conf/vhosts/rongyao.conf
server {
        listen  443;
        ssl on;
        ssl_certificate /home/worker/certs/mall.chained.crt;
        ssl_certificate_key /home/worker/certs/mall.lilidong.cn.key;
        server_name mall.lilidong.cn;
        index index.html index.htm index.php;
        root /home/worker/website/vue-longyuan-store-front-mobile/dist;
        # ... part omitted ...
}
server {
        listen 80;
        rewrite ^(.*) https://mall.lilidong.cn$1 permanent;  # force port 80 to redirect to 443
}

:wq!   save
# service nginx restart   # restart the NGINX service
At this point the HTTPS configuration is complete.

7. Renew automatically on the 1st of every month, since this certificate is only valid for 90 days.

0 0 1 * * /alidata/server/nginx/certs/letsencrypt.sh /alidata/server/nginx/certs/letsencrypt.conf >> /alidata/log/lets-encrypt.log 2>&1
For how to set up a scheduled task, see the article "Linux: scheduled restart of the system or a service".

server {
        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        keepalive_timeout   70;
        server_name www.yourdomain.com;
        # do not expose the server version in headers, so attackers cannot exploit version-specific vulnerabilities
        server_tokens off;
        # if the whole site is HTTPS and HTTP is not needed, add HSTS to tell the browser the site is fully encrypted and must be accessed over HTTPS
        #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        # ......
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;

        access_log      /var/log/nginx/wiki.xby1993.net.access.log;
        error_log       /var/log/nginx/wiki.xby1993.net.error.log;
}

Got this error:
[root@localhost sbin]# ./nginx -s reload
nginx: [error] invalid PID number "" in "/usr/local/nginx/logs/nginx.pid"
or
[root@localhost sbin]# ./nginx -s reload
nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)

Use this command instead:
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Check the ports:
[root@lilidong /home]# netstat -anp
bash: netstat: command not found
[root@lilidong /home]# yum install net-tools

service

yum install initscripts

II. Open the default HTTPS port 443 in the firewall

vi /etc/sysconfig/iptables   # edit the firewall config file and add the following line

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

:wq!   # save and exit

service iptables restart   # restart the firewall

Got this error:
[root@lilidong /etc/sysconfig]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Failed to get D-Bus connection: Operation not permitted
jackieli123723 commented 6 years ago
const fs = require('fs')
const https = require('https')
// assumption: app is an Express application (app.settings.env below is an Express property)
const express = require('express')

const app = express()
const PORT = process.env.PORT || 443
const HOST = process.env.HOST || '0.0.0.0'

// private key and full chain (leaf + intermediate) produced by letsencrypt.sh
var options = {
  key:  fs.readFileSync('./okcerts/mall.lilidong.cn.key'),
  cert: fs.readFileSync('./okcerts/mall.chained.crt')
}

https.createServer(options, app).listen(PORT, HOST, null, function() {
    console.log('Server listening on port %d in %s mode', this.address().port, app.settings.env);
    console.log(`https代码部署成功访问端口https://localhost:${this.address().port}`);
});

Additional: https with http2

[root@ali-ly-basic-data-118 src]# cat server.js
'use strict'

const fs = require('fs')
const path = require('path')
// eslint-disable-next-line
const http2 = require('http2')
// local helper module (not shown in the post); from its use below, getFiles() maps
// request paths to { fileDescriptor, headers } for every file under PUBLIC_PATH
const helper = require('./helper')

const PORT = process.env.PORT || 8511
const PUBLIC_PATH = path.join(__dirname, '../public')

const publicFiles = helper.getFiles(PUBLIC_PATH)

// create the HTTP/2 server
const server = http2.createSecureServer({
  cert: fs.readFileSync(path.join(__dirname, '../ssl/cert.pem')),
  key: fs.readFileSync(path.join(__dirname, '../ssl/key.pem'))
}, onRequest)

// request handler
function onRequest (req, res) {
  // map / to index.html
  const reqPath = req.url === '/' ? '/index.html' : req.url
  // look up the static file
  const file = publicFiles.get(reqPath)

  // file does not exist
  if (!file) {
    res.statusCode = 404
    res.end()
    return
  }

  res.stream.respondWithFD(file.fileDescriptor, file.headers)
}

// listen errors arrive on the 'error' event, not as an argument to the listen callback
server.on('error', (err) => {
  console.error(err)
})

server.listen(PORT, () => {
  console.log('监听服务器启动=====\n')
  console.log(`Server listening on ${PORT}`)
})