Notys's blog
用一种简单的方式,让世人在有限时间内 , 具备无限可能 !
Halo配置域名访问及SSL证书

写在前面

  1. 假设你已经成功配置并运行好了 Halo,且不是使用 80 端口运行。
  2. 请确保域名已经成功解析到服务器 IP,并确认服务器是否需要备案。
  3. 请检查服务器的 80 和 443 端口是否开放。
  4. 如 3 所述,如果你使用了类似 宝塔面板 之类的 Linux 管理面板,可能还需要在面板里设置端口。
  5. 并不一定要求按照下列教程操作,这里仅仅以供参考。
  6. 如 2 所述,你需要做的仅仅是反向代理 Halo 运行端口,并配置 SSL 证书而已,所以并不要求配置方式。

使用 Nginx 进行反向代理

① 安装 Nginx

# 添加 Nginx 源
sudo rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

# 安装 Nginx
sudo yum install -y nginx

# 启动 Nginx
sudo systemctl start nginx.service

# 设置开机自启 Nginx
sudo systemctl enable nginx.service

② 配置 Nginx

# 下载 Halo 官方的 Nginx 配置模板
curl -o /etc/nginx/conf.d/halo.conf --create-dirs http://halo.ryanc.cc/config/nginx.conf

下载完成之后,我们还需要对其进行修改

# 使用 vim 编辑 halo.conf
vim /etc/nginx/conf.d/halo.conf

打开之后我们可以看到

server {
    listen 80;

    server_name example.com www.example.com;

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://127.0.0.1:8090/;
    }
}

注意:请把 example.com 改为自己的域名。

修改完成之后

# 检查配置是否有误
sudo nginx -t

# 重载 Nginx 配置
sudo nginx -s reload

③ 配置 SSL 证书

在这里我只演示如果自动申请证书,如果你自己准备了证书,请查阅相关教程。

# 安装 certbot 以及 certbot nginx 插件
sudo yum install certbot python2-certbot-nginx -y

# 执行配置,中途会询问你的邮箱,如实填写即可
sudo certbot --nginx

# 结果如下:

[root@VM_0_6_centos ~]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: cherishspring.cn
2: www.cherishspring.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cherishspring.cn
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/halo.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/halo.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://cherishspring.cn

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=cherishspring.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cherishspring.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cherishspring.cn/privkey.pem
   Your cert will expire on 2020-05-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@VM_0_6_centos ~]# 
# 自动续约
sudo certbot renew --dry-run

最后浏览器测试一下配置:

https://www.ssllabs.com/ssltest/analyze.html?d=cherishspring.cn

注意:

在设置了反向代理之后,请一定记得去 halo 的管理端设置一下正确的博客地址,否则会造成资源获取不成功。