如何使用letsencrypt和prerender.io与meteor和nginx

时间:2016-10-19 18:32:59

标签: meteor nginx prerender lets-encrypt

有分散的信息,但在一个地方没有完整的解决方案。我正在添加一个工作解决方案,我正在我的生产中使用(通过一些安全性调整)。

1 个答案:

答案 0 :(得分:2)

1。示例nginx.conf

# Upstreams
upstream index {
  server 127.0.0.1:8080;
}

# Servers
server {
  listen         80;
  server_name   example.com;
  location / {
    return 301 https://www.example.com$request_uri;
  }
  location /.well-known {
    alias /var/www/example/.well-known;
  }
}

server {
  listen         443;     
  ssl        on;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  server_name   example.com;
  return 301 https://www.example.com$request_uri;
}

server {
  listen         80;
  server_name   static.example.com;
  root          /static;
  expires 365d;

  # hide cookie header => cookie-free-domain
  fastcgi_ignore_headers Set-Cookie;
  fastcgi_hide_header Set-Cookie;

  location ~* \.(eot|ttf|woff|woff2)$ {
    add_header Access-Control-Allow-Origin *;
    expires     1M;
  }

  location /.well-known {
    alias /var/www/settlin/.well-known;
  }
}

server {
  listen         443;
  server_name   static.example.com;
  ssl        on;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  root          /static;
  expires 365d;

  # hide cookie header => cookie-free-domain
  fastcgi_ignore_headers Set-Cookie;
  fastcgi_hide_header Set-Cookie;

  location ~* \.(eot|ttf|woff|woff2)$ {
    add_header Access-Control-Allow-Origin *;
    expires     1M;
  }
}

server {
  listen       80;
  server_name  www.example.com;
  charset     UTF-8;

  location / {
    try_files $uri @prerender;
  }

  location @prerender {
    proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;

    set $prerender 0;
    if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
        set $prerender 1;
    }
    if ($args ~ "_escaped_fragment_") {
        set $prerender 1;
    }
    if ($http_user_agent ~ "Prerender") {
        set $prerender 0;
    }
    if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
        set $prerender 0;
    }

    #resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
    resolver 8.8.8.8;

    if ($prerender = 1) {
        #setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
        set $prerender "service.prerender.io";
        rewrite .* /$scheme://$host$request_uri? break;
        proxy_pass http://$prerender;
    }
    if ($prerender = 0) {
      proxy_pass              http://index;
    }
    proxy_redirect          off;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
  }

  location /.well-known {
    alias /var/www/settlin/.well-known;
  }
}

server {
  listen         443;     
  ssl        on;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  server_name  www.example.com;
  charset     UTF-8;

    location / {
    try_files $uri @prerender;
  }

  location @prerender {
    proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;

    set $prerender 0;
    if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
        set $prerender 1;
    }
    if ($args ~ "_escaped_fragment_") {
        set $prerender 1;
    }
    if ($http_user_agent ~ "Prerender") {
        set $prerender 0;
    }
    if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
        set $prerender 0;
    }

    #resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
    resolver 8.8.8.8;

    if ($prerender = 1) {
        #setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
        set $prerender "service.prerender.io";
        rewrite .* /$scheme://$host$request_uri? break;
        proxy_pass http://$prerender;
    }
    if ($prerender = 0) {
      proxy_pass              http://index;
    }
    proxy_redirect          off;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
  }
}

不要使用此配置,因为证书的路径不存在。保持方便。

2。安装letsencrypt

sudo apt-get -y install letsencrypt或您发行版的首选方式。参考:https://letsencrypt.org/getting-started/

3。生成证书:

在执行此操作之前,您需要在nginx conf中使用/.well-know位置条目,以便letsencrypt可以验证ACME。

letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -d static.example.com

此命令通过访问$webroot/.well-known/acme....文件中生成的密钥来验证证书。这就是为什么我们确保.well-known部分直接通过nginx提供,而不通过流星。

这将在/etc/letsencrypt/live/example.com中创建证书。

4。自动续订

首先,干运行接受条款。 letsencrypt renew --dry-run --agree-tos

然后在12小时安排crontab中的一个简单的letsencrypt renew。理想情况下,每年只需更新一次,但12小时的检查将保证证书始终是最新的。如果证书有效,则此命令不执行任何操作,因此是安全的。

5。预渲染

由于我使用的是nginx,因此在nginx阶段处理prerender是有意义的,而不是将其添加到我的meteor应用程序中。 配置只是说每个查询都将在内部通过@prerender位置重定向,这将确定是否需要预渲染。如果需要,它将通过service.prerender.io或通过meteor提供请求。

注意:

nginx conf中的

static.example.com代码纯粹是可选的。我个人更喜欢nginx来提供静态文件。这样我也可以确保静态文件服务域不含cookie。

参考文献:

  1. https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
  2. https://github.com/prerender/prerender
  3. https://gist.github.com/thoop/8165802