#!/bin/bash # ═══════════════════════════════════════════════════════════ # 🔒 铸渊主权服务器 · SSL证书自动化配置 # ═══════════════════════════════════════════════════════════ # # 编号: ZY-SVR-SSL-001 # 守护: 铸渊 · ICE-GL-ZY001 # 版权: 国作登字-2026-A-00037559 # # 功能: # 使用 Let's Encrypt (certbot) 自动获取免费SSL证书 # 自动配置 Nginx HTTPS # 自动设置证书续期 # # 用法: # sudo bash setup-ssl.sh <域名> [邮箱] # sudo bash setup-ssl.sh guanghulab.online admin@guanghulab.online # sudo bash setup-ssl.sh --all # 配置所有已知域名 # # 前提条件: # 1. 域名已解析到本服务器IP # 2. Nginx已安装并运行 # 3. 80端口可从外网访问 # ═══════════════════════════════════════════════════════════ # 颜色定义 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' log_info() { echo -e "${GREEN}[铸渊SSL]${NC} $1"; } log_warn() { echo -e "${YELLOW}[铸渊SSL]${NC} ⚠️ $1"; } log_error() { echo -e "${RED}[铸渊SSL]${NC} ❌ $1"; } log_step() { echo -e "${BLUE}[铸渊SSL]${NC} 📌 $1"; } # ── 配置 ────────────────────────────────────── ZY_ROOT="/opt/zhuyuan" SSL_DIR="${ZY_ROOT}/config/ssl" NGINX_CONF_DIR="${ZY_ROOT}/config/nginx" NGINX_SITES_AVAILABLE="/etc/nginx/sites-available" NGINX_SITES_ENABLED="/etc/nginx/sites-enabled" LOG_FILE="${ZY_ROOT}/data/logs/ssl-setup.log" # ── 检查root权限 ───────────────────────────── if [ "$(id -u)" -ne 0 ]; then log_error "需要root权限运行此脚本" log_info "请使用: sudo bash $0 $*" exit 1 fi # ── 确保目录存在 ───────────────────────────── mkdir -p "$SSL_DIR" "$NGINX_CONF_DIR" "$(dirname $LOG_FILE)" # ── 记录日志 ───────────────────────────────── exec > >(tee -a "$LOG_FILE") 2>&1 echo "" echo "═══════════════════════════════════════════════" echo "🔒 SSL配置开始 · $(TZ=Asia/Shanghai date '+%Y-%m-%d %H:%M:%S CST')" echo "═══════════════════════════════════════════════" # ── §1 安装 certbot ────────────────────────── install_certbot() { log_step "§1 安装 certbot..." if command -v certbot &> /dev/null; then CERTBOT_VER=$(certbot --version 2>&1 | head -1) log_info "certbot 已安装: $CERTBOT_VER" return 0 fi log_info "安装 certbot 和 nginx 插件..." # 更新包列表 apt-get update -qq # 安装 certbot + nginx 插件 apt-get install -y -qq certbot python3-certbot-nginx if command -v certbot &> /dev/null; then log_info "✅ certbot 安装成功" else log_error "certbot 安装失败" exit 1 fi } # ── §2 验证域名解析 ────────────────────────── verify_domain() { local domain="$1" log_step "§2 验证域名解析: $domain" # 获取本机公网IP local server_ip server_ip=$(curl -sf --max-time 5 https://api.ipify.org 2>/dev/null || curl -sf --max-time 5 https://ifconfig.me 2>/dev/null || echo "unknown") log_info "本机公网IP: $server_ip" # 解析域名 local domain_ip domain_ip=$(dig +short "$domain" 2>/dev/null | tail -1) if [ -z "$domain_ip" ]; then log_error "域名 $domain 无法解析" log_warn "请确认域名DNS已配置指向本服务器IP: $server_ip" return 1 fi log_info "域名 $domain 解析到: $domain_ip" if [ "$domain_ip" = "$server_ip" ]; then log_info "✅ 域名解析正确 · 指向本机" return 0 else log_warn "域名解析IP ($domain_ip) 与本机IP ($server_ip) 不一致" log_warn "如果使用CDN或负载均衡,这可能是正常的" # 不阻断,让certbot验证决定 return 0 fi } # ── §3 获取SSL证书 ─────────────────────────── obtain_certificate() { local domain="$1" local email="${2:-admin@${domain}}" log_step "§3 获取SSL证书: $domain" # 检查是否已有有效证书 if [ -f "/etc/letsencrypt/live/${domain}/fullchain.pem" ]; then local expiry expiry=$(openssl x509 -enddate -noout -in "/etc/letsencrypt/live/${domain}/fullchain.pem" 2>/dev/null | cut -d= -f2) log_info "已有证书,过期时间: $expiry" # 检查是否即将过期(30天内) if openssl x509 -checkend 2592000 -noout -in "/etc/letsencrypt/live/${domain}/fullchain.pem" 2>/dev/null; then log_info "✅ 证书仍然有效,跳过获取" return 0 else log_warn "证书即将过期,续期中..." fi fi log_info "使用 Let's Encrypt 获取免费SSL证书..." log_info "域名: $domain" log_info "邮箱: $email" # 确保80端口的Nginx正在运行(certbot需要HTTP验证) if ! systemctl is-active --quiet nginx; then log_warn "Nginx未运行,启动中..." systemctl start nginx fi # 使用 certonly 模式 + nginx 插件进行验证 # certonly 只获取证书不修改Nginx配置,铸渊自己管理Nginx SSL配置 certbot certonly \ --nginx \ --non-interactive \ --agree-tos \ --email "$email" \ --domain "$domain" \ 2>&1 if [ $? -eq 0 ]; then log_info "✅ SSL证书获取成功: $domain" # 创建符号链接到铸渊标准路径 ln -sf "/etc/letsencrypt/live/${domain}/fullchain.pem" "${SSL_DIR}/${domain}-fullchain.pem" ln -sf "/etc/letsencrypt/live/${domain}/privkey.pem" "${SSL_DIR}/${domain}-privkey.pem" log_info "证书链接已创建: ${SSL_DIR}/" return 0 else log_error "SSL证书获取失败" log_warn "" log_warn "常见原因:" log_warn " 1. 域名未正确解析到本服务器" log_warn " 2. 服务器80端口未开放(检查防火墙/安全组)" log_warn " 3. Let's Encrypt 速率限制(每小时最多5次失败)" log_warn "" log_warn "排查步骤:" log_warn " ping $domain # 确认域名解析" log_warn " curl -I http://$domain # 确认HTTP可访问" log_warn " sudo ufw status # 检查防火墙" return 1 fi } # ── §4 配置Nginx SSL ───────────────────────── # ⚠️ 架构说明 (Reality反探测优先): # Xray 监听 443 (外部) · VLESS+Reality协议 # dest回落到 www.microsoft.com:443 (反探测伪装·不可改为内部端口) # Nginx SSL 监听 8443 (外部直接访问) · 独立HTTPS服务 # # 如果Xray未安装 → Nginx直接监听443 (标准HTTPS) # 如果Xray已安装 → Nginx监听8443 (避免端口冲突) configure_nginx_ssl() { local domain="$1" local cert_path="/etc/letsencrypt/live/${domain}" log_step "§4 配置Nginx HTTPS: $domain" if [ ! -f "${cert_path}/fullchain.pem" ]; then log_error "证书文件不存在: ${cert_path}/fullchain.pem" return 1 fi # 读取当前Nginx配置 local nginx_conf="${NGINX_CONF_DIR}/zhuyuan-sovereign.conf" if [ ! -f "$nginx_conf" ]; then nginx_conf="${NGINX_SITES_AVAILABLE}/zhuyuan.conf" fi if [ ! -f "$nginx_conf" ]; then log_error "Nginx配置文件未找到" return 1 fi # 确定这是哪个域名(主站还是预览站) local site_mode="preview" local api_port="3801" if echo "$domain" | grep -q "hololake"; then site_mode="production" api_port="3800" fi # 确定SSL监听端口: Xray在443时用8443,否则用443 local ssl_listen_port="443" local ssl_listen_addr="" if command -v xray &>/dev/null; then ssl_listen_port="8443" ssl_listen_addr="" log_info "检测到Xray已安装 · Nginx SSL使用端口8443 (避免与VPN冲突)" log_info "网站HTTPS: https://${domain}:8443" # 开放8443端口 ufw allow 8443/tcp comment "Nginx SSL (Xray共存)" 2>/dev/null || true else log_info "Xray未安装 · Nginx SSL使用标准端口443" log_info "网站HTTPS: https://${domain}" fi log_info "站点模式: $site_mode · API端口: $api_port · SSL端口: $ssl_listen_port" # 生成SSL server block local ssl_conf="${NGINX_CONF_DIR}/ssl-${domain}.conf" cat > "$ssl_conf" << SSLCONF # ═══════════════════════════════════════════════ # 🔒 铸渊SSL配置 · ${domain} # 自动生成于: $(TZ=Asia/Shanghai date '+%Y-%m-%d %H:%M CST') # 证书来源: Let's Encrypt (certbot) # 证书路径: ${cert_path}/ # # SSL端口: ${ssl_listen_port} # $([ "$ssl_listen_port" = "8443" ] && echo "⚠️ Xray占用443(VPN) · Nginx SSL在8443(直接访问)" || echo "标准HTTPS · 端口443") # ═══════════════════════════════════════════════ # ─── HTTPS 服务 ─── server { listen ${ssl_listen_port} ssl http2; server_name ${domain}; # ─── SSL证书 (Let's Encrypt) ─── ssl_certificate ${cert_path}/fullchain.pem; ssl_certificate_key ${cert_path}/privkey.pem; # ─── SSL安全配置 ─── ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # ─── 安全头 ─── add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Server-Identity "ZY-SVR-002" always; add_header X-Site-Mode "${site_mode}" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # ─── 静态文件 ─── root /opt/zhuyuan/sites/${site_mode}; index index.html; location / { try_files \$uri \$uri/ /index.html; } # ─── API反向代理 ─── location /api/ { proxy_pass http://127.0.0.1:${api_port}; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_set_header X-Site-Mode "${site_mode}"; proxy_cache_bypass \$http_upgrade; proxy_read_timeout 86400; } # ─── AI聊天API (SSE流式) ─── location /api/chat { proxy_pass http://127.0.0.1:3721/api/chat; proxy_http_version 1.1; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header Connection ""; proxy_buffering off; proxy_cache off; chunked_transfer_encoding on; proxy_read_timeout 120s; proxy_send_timeout 60s; } # ─── Persona Studio API ─── location /api/ps/ { add_header Access-Control-Allow-Origin * always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; if (\$request_method = OPTIONS) { return 204; } proxy_pass http://127.0.0.1:3002/api/ps/; proxy_http_version 1.1; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_read_timeout 120s; } # ─── 铸渊专线订阅 ─── location /api/proxy-sub/ { proxy_pass http://127.0.0.1:3802/; proxy_http_version 1.1; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; } # ─── 健康探针 ─── location = /health { proxy_pass http://127.0.0.1:${api_port}/api/health; proxy_set_header Host \$host; } # ─── 静态资源缓存 ─── location /static/ { alias /opt/zhuyuan/sites/${site_mode}/static/; expires 7d; add_header Cache-Control "public, immutable"; } # ─── 错误页面 ─── error_page 404 /404.html; error_page 500 502 503 504 /50x.html; # ─── 日志 ─── access_log /opt/zhuyuan/data/logs/nginx-${site_mode}-ssl.log; error_log /opt/zhuyuan/data/logs/nginx-${site_mode}-ssl-error.log; } $([ "$ssl_listen_port" = "443" ] && cat << REDIR # ─── HTTP → HTTPS 重定向 ─── server { listen 80; server_name ${domain}; return 301 https://\\\$host\\\$request_uri; } REDIR ) SSLCONF log_info "SSL配置已生成: $ssl_conf" # 安装到Nginx cp "$ssl_conf" "${NGINX_SITES_AVAILABLE}/ssl-${domain}.conf" ln -sf "${NGINX_SITES_AVAILABLE}/ssl-${domain}.conf" "${NGINX_SITES_ENABLED}/ssl-${domain}.conf" log_info "SSL配置已安装到Nginx" if [ "$ssl_listen_port" = "8443" ]; then log_info " HTTPS: https://${domain}:8443 (直接访问)" log_info " HTTP: http://${domain} (端口80·正常访问)" log_info " VPN: Xray占用443 · dest→microsoft.com (反探测)" else log_info " HTTPS: https://${domain} (标准端口443)" log_info " HTTP重定向: 80 → https://${domain}" fi # 测试Nginx配置 if nginx -t 2>&1; then log_info "✅ Nginx配置测试通过" systemctl reload nginx log_info "✅ Nginx已重新加载" else log_error "Nginx配置测试失败" # 回滚 rm -f "${NGINX_SITES_ENABLED}/ssl-${domain}.conf" systemctl reload nginx return 1 fi return 0 } # ── §5 设置自动续期 ─────────────────────────── setup_auto_renewal() { log_step "§5 配置证书自动续期" # certbot安装时通常已配置systemd timer if systemctl is-enabled certbot.timer 2>/dev/null; then log_info "✅ certbot自动续期已启用" else # 手动启用 systemctl enable certbot.timer 2>/dev/null || true systemctl start certbot.timer 2>/dev/null || true log_info "✅ certbot自动续期已配置" fi # 添加续期后自动reload nginx的hook local hook_dir="/etc/letsencrypt/renewal-hooks/post" mkdir -p "$hook_dir" cat > "${hook_dir}/reload-nginx.sh" << 'HOOK' #!/bin/bash # 铸渊SSL · 证书续期后自动重载Nginx systemctl reload nginx echo "[铸渊SSL] $(date) · 证书已续期 · Nginx已重载" >> /opt/zhuyuan/data/logs/ssl-renewal.log HOOK chmod +x "${hook_dir}/reload-nginx.sh" log_info "✅ Nginx reload hook 已配置" # 测试续期(dry-run) log_info "测试续期功能..." certbot renew --dry-run 2>&1 | tail -3 } # ── §6 验证HTTPS ───────────────────────────── verify_https() { local domain="$1" log_step "§6 验证HTTPS: $domain" sleep 2 # 等待Nginx完全重载 # 确定SSL端口 local ssl_port="443" if command -v xray &>/dev/null; then ssl_port="8443" fi log_info "验证SSL端口: $ssl_port" # 检查SSL端口是否监听 if ss -tlnp | grep -q ":${ssl_port} "; then log_info "✅ SSL端口 ${ssl_port}: 监听中" else log_warn "SSL端口 ${ssl_port} 未监听" fi # 使用curl测试HTTPS local test_url="https://${domain}/" if [ "$ssl_port" != "443" ]; then test_url="https://${domain}:${ssl_port}/" fi local response response=$(curl -sf -o /dev/null -w "%{http_code}" "$test_url" 2>/dev/null) if [ "$response" = "200" ] || [ "$response" = "301" ] || [ "$response" = "302" ]; then log_info "✅ HTTPS访问正常 · 状态码: $response" log_info " → 访问: $test_url" else log_warn "HTTPS访问状态码: ${response:-无响应}" log_warn " → 尝试访问: $test_url" log_warn " → 可能需要等待DNS传播" fi # 检查证书信息 echo | openssl s_client -servername "$domain" -connect "${domain}:${ssl_port}" 2>/dev/null | \ openssl x509 -noout -subject -issuer -dates 2>/dev/null || true # 如果是标准443端口,测试HTTP→HTTPS重定向 if [ "$ssl_port" = "443" ]; then local redirect redirect=$(curl -sf -o /dev/null -w "%{redirect_url}" "http://${domain}/" 2>/dev/null) if echo "$redirect" | grep -q "https"; then log_info "✅ HTTP→HTTPS重定向正常" else log_warn "HTTP→HTTPS重定向未生效 (可能需要等待DNS)" fi else log_info "ℹ️ Xray占用443端口,HTTP不会重定向到HTTPS" log_info " → 网站HTTP访问: http://${domain} (端口80)" log_info " → 网站HTTPS访问: https://${domain}:${ssl_port}" log_info " → VPN: 通过Xray端口443正常工作" fi } # ── 主逻辑 ──────────────────────────────────── main() { local domain="$1" local email="${2:-}" echo "" echo "═══════════════════════════════════════════════" echo "🔒 铸渊SSL证书自动化配置" echo "═══════════════════════════════════════════════" echo "" if [ "$domain" = "--all" ]; then # 配置所有已知域名 log_info "配置所有域名..." # 从Nginx配置中提取域名 local domains=() if [ -f "${NGINX_SITES_AVAILABLE}/zhuyuan.conf" ]; then while IFS= read -r d; do # 跳过占位符和IP if [[ "$d" != *"PLACEHOLDER"* ]] && [[ "$d" != *"_"* ]] && [[ "$d" =~ \. ]]; then domains+=("$d") fi done < <(grep "server_name" "${NGINX_SITES_AVAILABLE}/zhuyuan.conf" | awk '{for(i=2;i<=NF;i++) print $i}' | tr -d ';') fi if [ ${#domains[@]} -eq 0 ]; then log_error "未找到已配置的域名" log_warn "请指定域名: sudo bash $0 guanghulab.online" exit 1 fi for d in "${domains[@]}"; do log_info "────────────────────────────" log_info "处理域名: $d" log_info "────────────────────────────" process_domain "$d" "$email" echo "" done elif [ -z "$domain" ]; then echo "用法:" echo " sudo bash $0 <域名> [邮箱]" echo "" echo "示例:" echo " sudo bash $0 guanghulab.online" echo " sudo bash $0 guanghulab.online admin@guanghulab.online" echo " sudo bash $0 --all # 配置所有已知域名" echo "" echo "说明:" echo " 使用 Let's Encrypt 免费SSL证书" echo " 自动获取、配置、续期" echo " 证书有效期90天,自动续期" exit 0 else process_domain "$domain" "$email" fi echo "" echo "═══════════════════════════════════════════════" echo "🔒 SSL配置完成 · $(TZ=Asia/Shanghai date '+%Y-%m-%d %H:%M:%S CST')" echo "═══════════════════════════════════════════════" } process_domain() { local domain="$1" local email="${2:-admin@${domain}}" # §1 安装certbot install_certbot # §2 验证域名 verify_domain "$domain" || { log_error "域名验证失败,但仍尝试获取证书..." } # §3 获取证书 obtain_certificate "$domain" "$email" || { log_error "获取证书失败: $domain" return 1 } # §4 配置Nginx configure_nginx_ssl "$domain" || { log_error "Nginx SSL配置失败: $domain" return 1 } # §5 自动续期 setup_auto_renewal # §6 验证 verify_https "$domain" log_info "" log_info "🎉 $domain SSL配置完成!" log_info "" log_info "证书文件:" log_info " 完整链: /etc/letsencrypt/live/${domain}/fullchain.pem" log_info " 私钥: /etc/letsencrypt/live/${domain}/privkey.pem" log_info "" log_info "访问: https://${domain}" } main "$@"