有分散的信息,但在一个地方没有完整的解决方案。我正在添加一个工作解决方案,我正在我的生产中使用(通过一些安全性调整)。
答案 0 :(得分:2)
# Upstreams
upstream index {
server 127.0.0.1:8080;
}
# Servers
server {
listen 80;
server_name example.com;
location / {
return 301 https://www.example.com$request_uri;
}
location /.well-known {
alias /var/www/example/.well-known;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 80;
server_name static.example.com;
root /static;
expires 365d;
# hide cookie header => cookie-free-domain
fastcgi_ignore_headers Set-Cookie;
fastcgi_hide_header Set-Cookie;
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 1M;
}
location /.well-known {
alias /var/www/settlin/.well-known;
}
}
server {
listen 443;
server_name static.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
root /static;
expires 365d;
# hide cookie header => cookie-free-domain
fastcgi_ignore_headers Set-Cookie;
fastcgi_hide_header Set-Cookie;
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 1M;
}
}
server {
listen 80;
server_name www.example.com;
charset UTF-8;
location / {
try_files $uri @prerender;
}
location @prerender {
proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;
set $prerender 0;
if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
if ($prerender = 0) {
proxy_pass http://index;
}
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /.well-known {
alias /var/www/settlin/.well-known;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name www.example.com;
charset UTF-8;
location / {
try_files $uri @prerender;
}
location @prerender {
proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;
set $prerender 0;
if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
if ($prerender = 0) {
proxy_pass http://index;
}
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
不要使用此配置,因为证书的路径不存在。保持方便。
letsencrypt sudo apt-get -y install letsencrypt或您发行版的首选方式。参考:https://letsencrypt.org/getting-started/
在执行此操作之前,您需要在nginx conf中使用/.well-know位置条目,以便letsencrypt可以验证ACME。
letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -d static.example.com
此命令通过访问$webroot/.well-known/acme....文件中生成的密钥来验证证书。这就是为什么我们确保.well-known部分直接通过nginx提供,而不通过流星。
这将在/etc/letsencrypt/live/example.com中创建证书。
首先,干运行接受条款。
letsencrypt renew --dry-run --agree-tos
然后在12小时安排crontab中的一个简单的letsencrypt renew。理想情况下,每年只需更新一次,但12小时的检查将保证证书始终是最新的。如果证书有效,则此命令不执行任何操作,因此是安全的。
由于我使用的是nginx,因此在nginx阶段处理prerender是有意义的,而不是将其添加到我的meteor应用程序中。
配置只是说每个查询都将在内部通过@prerender位置重定向,这将确定是否需要预渲染。如果需要,它将通过service.prerender.io或通过meteor提供请求。
static.example.com代码纯粹是可选的。我个人更喜欢nginx来提供静态文件。这样我也可以确保静态文件服务域不含cookie。