如何在 meteor 和 nginx 中使用 letsencrypt 和 prerender.io
How to use letsencrypt and prerender.io with meteor and nginx
信息零散,但没有一处完整的解决方案。我正在添加一个工作解决方案,我在生产中使用它(进行了一些安全调整)。
1。示例 nginx.conf
# Upstreams
upstream index {
server 127.0.0.1:8080;
}
# Servers
server {
listen 80;
server_name example.com;
location / {
return 301 https://www.example.com$request_uri;
}
location /.well-known {
alias /var/www/example/.well-known;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 80;
server_name static.example.com;
root /static;
expires 365d;
# hide cookie header => cookie-free-domain
fastcgi_ignore_headers Set-Cookie;
fastcgi_hide_header Set-Cookie;
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 1M;
}
location /.well-known {
alias /var/www/settlin/.well-known;
}
}
server {
listen 443;
server_name static.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
root /static;
expires 365d;
# hide cookie header => cookie-free-domain
fastcgi_ignore_headers Set-Cookie;
fastcgi_hide_header Set-Cookie;
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 1M;
}
}
server {
listen 80;
server_name www.example.com;
charset UTF-8;
location / {
try_files $uri @prerender;
}
location @prerender {
proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;
set $prerender 0;
if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
if ($prerender = 0) {
proxy_pass http://index;
}
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /.well-known {
alias /var/www/settlin/.well-known;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name www.example.com;
charset UTF-8;
location / {
try_files $uri @prerender;
}
location @prerender {
proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;
set $prerender 0;
if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
if ($prerender = 0) {
proxy_pass http://index;
}
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
暂时不要使用这个配置,因为证书的路径不存在。把它放在手边。
2。安装 letsencrypt
sudo apt-get -y install letsencrypt 或您的发行版的首选方式。参考:https://letsencrypt.org/getting-started/
3。生成证书:
在执行此操作之前,您需要在 nginx conf 中添加 /.well-know 位置条目,以便 letsencrypt 可以验证 ACME。
letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -d static.example.com
此命令通过访问 $webroot/.well-known/acme.... 文件中生成的密钥来验证证书。这就是为什么我们确保 .well-known 部分直接通过 nginx 提供,而不通过流星。
这将在 /etc/letsencrypt/live/example.com.
中创建证书
4。自动续订
首先,干运行接受条款。
letsencrypt renew --dry-run --agree-tos
然后在 crontab 中一个简单的 letsencrypt renew 安排在 12 小时。理想情况下,每年只需要更新一次,但 12 小时的检查将保证证书始终是最新的。如果证书有效,则此命令不执行任何操作,因此是安全的。
5。预渲染
由于我使用的是 nginx,所以在 nginx 阶段处理预呈现是有意义的,而不是将其添加到我的流星应用程序中。
该配置只是说每个查询都将通过 @prerender 位置进行内部重定向,这将确定是否需要预呈现。如果需要,它将通过 service.prerender.io 或流星服务请求。
注意:
static.example.com nginx conf 中的代码完全是可选的。我个人更喜欢 nginx 来提供静态文件。这样我也可以确保静态文件服务域是无 cookie 的。
参考文献:
信息零散,但没有一处完整的解决方案。我正在添加一个工作解决方案,我在生产中使用它(进行了一些安全调整)。
1。示例 nginx.conf
# Upstreams
upstream index {
server 127.0.0.1:8080;
}
# Servers
server {
listen 80;
server_name example.com;
location / {
return 301 https://www.example.com$request_uri;
}
location /.well-known {
alias /var/www/example/.well-known;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 80;
server_name static.example.com;
root /static;
expires 365d;
# hide cookie header => cookie-free-domain
fastcgi_ignore_headers Set-Cookie;
fastcgi_hide_header Set-Cookie;
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 1M;
}
location /.well-known {
alias /var/www/settlin/.well-known;
}
}
server {
listen 443;
server_name static.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
root /static;
expires 365d;
# hide cookie header => cookie-free-domain
fastcgi_ignore_headers Set-Cookie;
fastcgi_hide_header Set-Cookie;
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 1M;
}
}
server {
listen 80;
server_name www.example.com;
charset UTF-8;
location / {
try_files $uri @prerender;
}
location @prerender {
proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;
set $prerender 0;
if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
if ($prerender = 0) {
proxy_pass http://index;
}
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /.well-known {
alias /var/www/settlin/.well-known;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name www.example.com;
charset UTF-8;
location / {
try_files $uri @prerender;
}
location @prerender {
proxy_set_header X-Prerender-Token aXwmLUBOhz9RqiuKnWUy;
set $prerender 0;
if ($http_user_agent ~* "baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
if ($prerender = 0) {
proxy_pass http://index;
}
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
暂时不要使用这个配置,因为证书的路径不存在。把它放在手边。
2。安装 letsencrypt
sudo apt-get -y install letsencrypt 或您的发行版的首选方式。参考:https://letsencrypt.org/getting-started/
3。生成证书:
在执行此操作之前,您需要在 nginx conf 中添加 /.well-know 位置条目,以便 letsencrypt 可以验证 ACME。
letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -d static.example.com
此命令通过访问 $webroot/.well-known/acme.... 文件中生成的密钥来验证证书。这就是为什么我们确保 .well-known 部分直接通过 nginx 提供,而不通过流星。
这将在 /etc/letsencrypt/live/example.com.
中创建证书4。自动续订
首先,干运行接受条款。
letsencrypt renew --dry-run --agree-tos
然后在 crontab 中一个简单的 letsencrypt renew 安排在 12 小时。理想情况下,每年只需要更新一次,但 12 小时的检查将保证证书始终是最新的。如果证书有效,则此命令不执行任何操作,因此是安全的。
5。预渲染
由于我使用的是 nginx,所以在 nginx 阶段处理预呈现是有意义的,而不是将其添加到我的流星应用程序中。
该配置只是说每个查询都将通过 @prerender 位置进行内部重定向,这将确定是否需要预呈现。如果需要,它将通过 service.prerender.io 或流星服务请求。
注意:
static.example.com nginx conf 中的代码完全是可选的。我个人更喜欢 nginx 来提供静态文件。这样我也可以确保静态文件服务域是无 cookie 的。