背景

公司原来实现是基于亚马逊的elb,但是现在后端负载只有一台服务器,节省开支,选择lua resty auto ssl自动生成证书。该组件是基于openresty的,可以通过在配置文件中内置一些配置,就可以达到自动生成证书的功能。以后添加域名就不用考虑部署ssl证书的事情,直接配置好对应的服务即可,方便实用。

安装lua包管理器luarocks
可以选择openresty项目自己的包管理器OPM,但我还是选择了luarocks,为了少走弯路。首先安装luarocks

wget http://luarocks.org/releases/luarocks-2.0.13.tar.gz //下载
tar -xzvf luarocks-2.0.13.tar.gz //解压
cd luarocks-2.0.13/
//这里需要注意prefix 路径跟自己的openresty安装路径是否匹配
./configure --prefix=/usr/local/openresty/luajit \
    --with-lua=/usr/local/openresty/luajit/ \
    --lua-suffix=jit \
    --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
make
sudo make install

准备工作

luarocks install lua-resty-auto-ssl 安装组件
sudo mkdir /etc/resty-auto-ssl
sudo chown runner /etc/resty-auto-ssl 这个权限名称基于自己的用户
 //因为要绕过nginx 对于ssl配置的要求,需要生成一个自签名证书,同时如果生成证书不成功的话,也会默认使用这个证书
    sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
   -subj '/CN=sni-support-required-for-valid-ssl' \
   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
   -out /etc/ssl/resty-auto-ssl-fallback.crt

全局配置

这个组件的机制就是在nginx内嵌一些配置,然后自动更新证书,首先需要在http上下文添加配置,可以单独创建一个文件叫resty-http.conf, 然后在http中include。

resty-http.conf
# The "auto_ssl" shared dict should be defined with enough storage space to
# hold your certificate data. 1MB of storage holds certificates for
# approximately 100 separate domains.
lua_shared_dict auto_ssl 1m;

# The "auto_ssl" shared dict is used to temporarily store various settings
# like the secret used by the hook server on port 8999. Do not change or
# omit it.
lua_shared_dict auto_ssl_settings 64k;

# A DNS resolver must be defined for OCSP stapling to function.
#
# This example uses Google's DNS server. You may want to use your system's
# default DNS servers, which can be found in /etc/resolv.conf. If your network
# is not IPv6 compatible, you may wish to disable IPv6 results by using the
# "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
resolver 8.8.8.8;

# Initial setup tasks.
init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()
    auto_ssl:set("allow_domain", function(domain)
      return true
    end)

    auto_ssl:init()
}

init_worker_by_lua_block {
    auto_ssl:init_worker()
}

server {
    listen 127.0.0.1:8999;

    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
}

然后再定义个文件用来给Let's Encrypt用来域名验证(resty-server-http.conf):

location /.well-known/acme-challenge/ {
    auth_basic off;
    content_by_lua_block {
        auto_ssl:challenge_server()
    }
}

以上两个文件创建好以后,就可以在nginx.conf里面内嵌配置了:

  include resty-http.conf;

  server {
    listen 80;
    include resty-server-http.conf;
 }

server级别的设置

以上配置是用来给lets encrypt用的,一些是内嵌在server级别的配置

  若当前还没有证书或已过期则自动申请
  ssl_certificate_by_lua_block {
    auto_ssl:ssl_certificate()
  }

  # 这里配上之前我们生成的自签名证书,否则会报错
  ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
  ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

接下来,重启服务,如果没有特殊问题,访问一下就可以发现已经变成https服务了
Tips,虽然是为了https搭建配置的,但是服务器的80端口必须开启。这是苦恼我好久的地方。