From c26c04cf44dd2c8e6f50fe77ecceb3919a29a052 Mon Sep 17 00:00:00 2001 From: jeremygan2021 Date: Sun, 22 Mar 2026 23:40:37 +0800 Subject: [PATCH] create --- create_new_domain_cert.sh | 68 +++++++++++++++++++++++++++++++-------- 1 file changed, 55 insertions(+), 13 deletions(-) diff --git a/create_new_domain_cert.sh b/create_new_domain_cert.sh index c7c974b..b8ee63b 100755 --- a/create_new_domain_cert.sh +++ b/create_new_domain_cert.sh @@ -563,12 +563,15 @@ install_certificate() { generate_https_config() { log_step "生成 HTTPS 配置..." - cat > "$HTTPS_CONF_FILE" < "$HTTPS_CONF_FILE" <<'EOF' # HTTP 到 HTTPS 的强制跳转 server { listen 80; listen [::]:80; - server_name ${DOMAIN}; + server_name DOMAIN_PLACEHOLDER; + + # 正确的 301 跳转配置 return 301 https://$host$request_uri; } @@ -576,11 +579,11 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name ${DOMAIN}; + server_name DOMAIN_PLACEHOLDER; # SSL 证书配置 - ssl_certificate ${CERT_DIR}/cert.pem; - ssl_certificate_key ${CERT_DIR}/key.pem; + ssl_certificate CERT_DIR_PLACEHOLDER/cert.pem; + ssl_certificate_key CERT_DIR_PLACEHOLDER/key.pem; # SSL 安全配置 ssl_protocols TLSv1.2 TLSv1.3; @@ -591,21 +594,28 @@ server { # add_header Strict-Transport-Security "max-age=31536000" always; # 日志配置 - access_log /var/log/nginx/${DOMAIN}.access.log; - error_log /var/log/nginx/${DOMAIN}.error.log; + access_log /var/log/nginx/DOMAIN_PLACEHOLDER.access.log; + error_log /var/log/nginx/DOMAIN_PLACEHOLDER.error.log; # 后端服务代理 location / { - proxy_pass http://localhost:${BACKEND_PORT}; - proxy_set_header Host \$host; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto \$scheme; + proxy_pass http://localhost:PORT_PLACEHOLDER; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; } } EOF + # 使用 sed 替换占位符 + sed -i "s/DOMAIN_PLACEHOLDER/${DOMAIN}/g" "$HTTPS_CONF_FILE" + sed -i "s|CERT_DIR_PLACEHOLDER|${CERT_DIR}|g" "$HTTPS_CONF_FILE" + sed -i "s/PORT_PLACEHOLDER/${BACKEND_PORT}/g" "$HTTPS_CONF_FILE" + log_success "HTTPS 配置已生成: $HTTPS_CONF_FILE" + log_info "配置内容预览:" + head -n 15 "$HTTPS_CONF_FILE" } # 最终验证 @@ -688,15 +698,34 @@ final_verification() { echo -e "${CYAN}测试 2: HTTP 跳转测试${NC}" local http_response=$(curl -I -s --connect-timeout 10 "http://${DOMAIN}" 2>&1) local http_code=$(echo "$http_response" | grep -i "HTTP/" | head -n1 | awk '{print $2}') - local location=$(echo "$http_response" | grep -i "Location:" | head -n1) + local location=$(echo "$http_response" | grep -i "^Location:" | head -n1 | sed 's/Location: *//i' | tr -d '\r') if [[ "$http_code" == "301" ]] || [[ "$http_code" == "302" ]]; then log_success "✅ HTTP 跳转正常 (HTTP $http_code)" if [[ -n "$location" ]]; then log_info "跳转目标: $location" + + # 验证跳转目标是否正确 + if [[ "$location" =~ ^https://${DOMAIN} ]] || [[ "$location" =~ ^https://${DOMAIN}/ ]]; then + log_success "✅ 跳转目标正确: $location" + else + log_warn "⚠️ 跳转目标可能不正确: $location" + log_info "期望格式: https://${DOMAIN}..." + fi + else + log_warn "⚠️ 收到 HTTP $http_code 但没有 Location 头" + log_error "这可能导致浏览器无法自动跳转" fi else log_warn "⚠️ HTTP 跳转异常: ${http_code:-无响应}" + echo "" + log_error "完整响应头:" + echo "$http_response" | head -n 10 + echo "" + log_error "如果显示 nginx 默认页面,可能原因:" + echo " 1. nginx 使用了旧的配置文件" + echo " 2. 80 端口有多个 server 块冲突" + echo " 3. 需要完全重启 nginx 而不是重载" fi # 验证 SSL 证书 @@ -735,6 +764,19 @@ final_verification() { echo " 3. 在线验证 SSL 配置:" echo -e " ${GREEN}https://www.ssllabs.com/ssltest/analyze.html?d=${DOMAIN}${NC}" echo "" + echo -e "${CYAN}🔧 手动诊断命令(如遇问题):${NC}" + echo " # 查看生成的配置文件:" + echo -e " ${GREEN}cat $HTTPS_CONF_FILE${NC}" + echo "" + echo " # 检查 80 端口的 server 配置:" + echo -e " ${GREEN}grep -A 5 'listen 80' $HTTPS_CONF_FILE${NC}" + echo "" + echo " # 测试 nginx 配置:" + echo -e " ${GREEN}nginx -t && systemctl restart nginx${NC}" + echo "" + echo " # 手动测试 301 跳转(查看 Location 头):" + echo -e " ${GREEN}curl -I -v http://${DOMAIN} 2>&1 | grep -i location${NC}" + echo "" echo -e "${YELLOW}⚠️ 提示:${NC}" echo " - HTTP 请求会自动 301 跳转到 HTTPS" echo " - 证书将在 60 天后自动续期"