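#!/bin/bash
# ============================================
# SSL 证书配置脚本(Let's Encrypt)
# ============================================
# 用途:为 api.muststudy.xin 配置 HTTPS
# 使用方法:在服务器上执行 bash deploy/setup-ssl-api.sh
#
# Optional environment overrides (defaults are the original hard-coded values):
#   DOMAIN        - hostname the certificate is issued for
#   NGINX_CONF    - nginx site file created when it does not exist yet
#   CERTBOT_EMAIL - contact address passed to `certbot --email`
#   UPSTREAM_PORT - local port the API listens on (proxy_pass target)
#
# Must run as root: installs packages, writes under /etc/nginx, reloads nginx.
# ============================================
set -euo pipefail

# 颜色
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m'

# 配置变量
DOMAIN="${DOMAIN:-api.muststudy.xin}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/conf.d/wildgrowth-api.conf}"
CERTBOT_EMAIL="${CERTBOT_EMAIL:-admin@muststudy.xin}"
UPSTREAM_PORT="${UPSTREAM_PORT:-3000}"
readonly DOMAIN NGINX_CONF CERTBOT_EMAIL UPSTREAM_PORT

#######################################
# Print one line, interpreting the colour escapes (replaces `echo -e`).
# Arguments: message text
#######################################
say() { printf '%b\n' "$*"; }

#######################################
# Print an error to stderr and exit 1.
# Arguments: message text
#######################################
die() {
  say "${RED}❌ $*${NC}" >&2
  exit 1
}

#######################################
# Abort early with a clear message instead of failing halfway through on a
# permission error (package install / writing under /etc/nginx need root).
#######################################
require_root() {
  [[ ${EUID} -eq 0 ]] || die "请以 root 权限运行此脚本(例如 sudo bash deploy/setup-ssl-api.sh)"
}

#######################################
# 第一步:检查并安装 Certbot
# Globals: BLUE YELLOW GREEN RED NC (read)
# Returns: 0 when certbot is available, exits 1 on an unknown distro
#######################################
install_certbot() {
  say "${BLUE}📦 第一步:检查 Certbot...${NC}"
  if command -v certbot > /dev/null 2>&1; then
    say "${GREEN}✅ Certbot 已安装${NC}"
    echo
    return 0
  fi
  say "${YELLOW}⚠️ Certbot 未安装,开始安装...${NC}"
  # 检测系统类型
  if [[ -f /etc/redhat-release ]]; then
    # CentOS/RHEL
    yum install -y epel-release
    yum install -y certbot python3-certbot-nginx
  elif [[ -f /etc/debian_version ]]; then
    # Debian/Ubuntu
    apt-get update
    apt-get install -y certbot python3-certbot-nginx
  else
    die "无法检测系统类型,请手动安装 certbot"
  fi
  say "${GREEN}✅ Certbot 安装完成${NC}"
  echo
}

#######################################
# 第二步:确保 Nginx 配置存在(HTTP)
# Writes a plain-HTTP reverse-proxy site for $DOMAIN when $NGINX_CONF is
# absent; certbot --nginx later rewrites it for HTTPS.
# Globals: DOMAIN NGINX_CONF UPSTREAM_PORT (read)
# Returns: 0 on success, exits 1 when `nginx -t` rejects the new file
#######################################
ensure_nginx_conf() {
  say "${BLUE}🌐 第二步:检查 Nginx 配置...${NC}"
  if [[ -f "$NGINX_CONF" ]]; then
    say "${GREEN}✅ Nginx 配置文件已存在${NC}"
    echo
    return 0
  fi
  say "${YELLOW}⚠️ Nginx 配置文件不存在,创建基础配置...${NC}"
  # Unquoted heredoc so server_name/proxy_pass follow DOMAIN/UPSTREAM_PORT;
  # nginx's own $variables are escaped with a backslash so they survive.
  cat > "$NGINX_CONF" <<EOF
server {
    listen 80;
    server_name ${DOMAIN};

    # 日志
    access_log /var/log/nginx/wildgrowth-api-access.log;
    error_log /var/log/nginx/wildgrowth-api-error.log;

    # 上传文件大小限制
    client_max_body_size 10M;

    location / {
        proxy_pass http://localhost:${UPSTREAM_PORT};
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_cache_bypass \$http_upgrade;

        # 超时设置
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
EOF
  # 测试并重载 Nginx
  if nginx -t; then
    systemctl reload nginx
    say "${GREEN}✅ Nginx 配置已创建${NC}"
  else
    die "Nginx 配置有误"
  fi
  echo
}

#######################################
# 第三步:申请 SSL 证书
# Runs a renewal dry-run when a certificate for $DOMAIN already exists,
# otherwise requests a new one via the certbot nginx plugin.
# Globals: DOMAIN CERTBOT_EMAIL (read)
# Returns: 0 on success, exits 1 when issuance fails
#######################################
request_certificate() {
  say "${BLUE}🔐 第三步:申请 SSL 证书...${NC}"
  say "${YELLOW}⚠️ 这将为 ${DOMAIN} 申请 Let's Encrypt 证书${NC}"
  echo
  # 检查证书是否已存在
  if [[ -d "/etc/letsencrypt/live/${DOMAIN}" ]]; then
    say "${YELLOW}⚠️ 证书已存在,是否续期?${NC}"
    # On EOF (no tty) treat the answer as "no" instead of aborting under set -e.
    read -r -n 1 -p "续期证书?(y/n): " || REPLY=""
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
      # --dry-run only exercises the renewal path; it does not replace the cert.
      certbot renew --dry-run
      say "${GREEN}✅ 证书续期测试完成${NC}"
    else
      say "${YELLOW}⚠️ 跳过证书续期${NC}"
    fi
    echo
    return 0
  fi
  # 申请新证书
  say "${BLUE}正在申请 SSL 证书...${NC}"
  # Checked in the `if` itself: under set -e a failing certbot would have
  # terminated the script before a later `[ $? -eq 0 ]` could print the hints.
  if certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos --email "$CERTBOT_EMAIL"; then
    say "${GREEN}✅ SSL 证书申请成功${NC}"
  else
    say "${RED}❌ SSL 证书申请失败${NC}" >&2
    say "${YELLOW}提示:请确保:${NC}" >&2
    echo "  1. 域名 ${DOMAIN} 已正确解析到服务器 IP" >&2
    echo "  2. 防火墙已开放 80 和 443 端口" >&2
    echo "  3. Nginx 正在运行" >&2
    exit 1
  fi
  echo
}

#######################################
# 第四步:验证 SSL 配置
# Re-checks nginx after certbot edited it, then fetches /health over HTTPS
# with full certificate verification.
# Globals: DOMAIN (read)
# Returns: 0 (the HTTPS probe only warns), exits 1 when `nginx -t` fails
#######################################
verify_ssl() {
  say "${BLUE}✅ 第四步:验证 SSL 配置...${NC}"
  # 测试 Nginx 配置
  if nginx -t; then
    systemctl reload nginx
    say "${GREEN}✅ Nginx 配置验证通过${NC}"
  else
    die "Nginx 配置验证失败"
  fi
  # 测试 HTTPS 连接
  echo
  say "${BLUE}测试 HTTPS 连接...${NC}"
  # No `-k` here: the point of this step is to prove the issued chain validates;
  # with -k the check would also pass on a self-signed or expired certificate.
  if curl -s --max-time 15 "https://${DOMAIN}/health" > /dev/null; then
    say "${GREEN}✅ HTTPS 连接正常${NC}"
  else
    say "${YELLOW}⚠️ HTTPS 连接测试失败,请检查配置${NC}"
  fi
  echo
}

#######################################
# Final summary for the operator.
# Globals: DOMAIN (read)
#######################################
print_summary() {
  echo "============================================"
  say "${GREEN}🎉 SSL 配置完成!${NC}"
  echo "============================================"
  echo
  echo "📊 验证信息:"
  echo "  - 证书路径: /etc/letsencrypt/live/${DOMAIN}/"
  echo "  - HTTPS URL: https://${DOMAIN}"
  echo
  echo "📝 证书自动续期:"
  echo "  Let's Encrypt 证书有效期为 90 天"
  echo "  Certbot 会自动续期,或手动运行: certbot renew"
  echo
  echo "🌐 测试命令:"
  echo "  curl https://${DOMAIN}/health"
  echo
}

main() {
  say "${BLUE}🔒 开始配置 SSL 证书...${NC}"
  echo
  require_root
  install_certbot
  ensure_nginx_conf
  request_certificate
  verify_ssl
  print_summary
}

main "$@"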