摘要：如果綁定七牛云空間的域名能使用等這類免費的網址那么就完美了。然而七牛目前并不支持這類短期的免費證書。下面我教大家一種利用實現以的方式訪問七牛資源的方法。七牛云空間應該已經綁定了自定義的域名，不懂如何綁定的請查看前一篇文章。

上一篇文章 為七牛云存儲空間綁定自定義域名，并使用七牛云提供的免費SSL證書，將自定義加名升級為HTTPS 我們提到利用七牛的免費SSL證書，將自定義加名升級為HTTPS的方法。

不知道有沒有小伙伴會像我一樣擔心一年七牛的SSL證書不免費了怎么辦？每個域名每年都要幾千塊的支出對于個人和小企業來說還是一筆不小的數目。

如果綁定七牛云空間的域名能使用 lets‘encrypt 等這類免費的網址那么就完美了。
然而七牛目前并不支持 lets"encrypt 這類短期的免費證書。

下面我教大家一種利用 Nginx + lets"encrypt 實現以https的方式訪問七牛資源的方法。

首先聲明，使用這種方法相當于主動放棄了七牛云存儲的CDN優勢，只適合訪問量不高的個人和小公司。

要有一個域名。

七牛云空間應該已經綁定了自定義的域名，不懂如何綁定的請查看前一篇文章。筆者綁定的域名是 md.ws65535.top。

有一臺帶公網IP的Linux服務器。筆者服務器IP為 54.191.48.61，Linux環境為 ubuntu14.04。其他發行版原理相同，只不過軟件安裝方式和目錄結構略有不同。

ubuntu@ip-172-31-27-111:~$ sudo apt-get install nginx

ubuntu@ip-172-31-27-111:~$ nginx -v
nginx version: nginx/1.4.6 (Ubuntu)

ubuntu@ip-172-31-27-111:~$ sudo service nginx start

ubuntu@ip-172-31-27-111:~$ ss -tln
State      Recv-Q Send-Q               Local Address:Port                 Peer Address:Port
LISTEN     0      128                              *:80                    *:*
LISTEN     0      128                              *:22                    *:*
LISTEN     0      128                             :::80                    :::*
LISTEN     0      128                             :::22                    :::*

ubuntu@ip-172-31-27-111:~$ curl http://54.191.48.61







Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.

Commercial support is available at
nginx.com.

Thank you for using nginx.

server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }
}

編輯完成后使用 nginx -s reload 重新載入Nginx配置文件。

記錄類型為 A，主機記錄為 qiniu-ssl.ws65535.top，服務器IP為 54.191.48.61

例如
http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
可以訪問到下面的資源
http://md.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg

此處只記錄ubuntu14.04安裝方法

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx 

$ sudo certbot --nginx

ubuntu@ip-172-31-27-111:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: agency.ws65535.xyz
2: qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter "c" to cancel): 2 #此處選擇將 qiniu-ssl.ws65535.top 設為https
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for qiniu-ssl.ws65535.top
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/qiniu-ssl

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you"re confident your site works on HTTPS. You can undo this
change by editing your web server"s configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press "c" to cancel): 2 #是否強制將http方式訪問的請求跳轉到以HTTPS方式訪問
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/qiniu-ssl

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://qiniu-ssl.ws65535.top

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem
   Your cert will expire on 2018-11-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let"s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

ubuntu@ip-172-31-27-111:~$ cat /etc/nginx/sites-enabled/qiniu-ssl
server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = qiniu-ssl.ws65535.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name qiniu-ssl.ws65535.top;
    listen 80;
    return 404; # managed by Certbot
}

sudo vim /etc/crontab

# 每月自動更新ssl證書
19 3 1 * * root /usr/bin/certbot renew --dry-run