bookworm/bookworm-boot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2d36862f38
bookworm-boot/setup-https.sh

120 lines
3.5 KiB
Bash
Raw Normal View History

feat: Bookworm Portable v1.5 — 8 fixes (P0 NDA + P1 banners + P2 perf) - P1: Banner v1.3→v1.5, Hooks 29→34 - P1: 卸载脚本补删 更新Bookworm.lnk - P1: git stash pop 安全检查 - P2: Playwright 检测改用 npm list - P2: 代理端口扫描 500ms async 超时 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 23:34:27 +08:00
#!/bin/bash
# ============================================================
# Bookworm Portable - HTTPS 配置脚本 (P1-1)
# 为 Gitea 配置 Nginx HTTPS 反代
# ============================================================
# 前提: deploy-gitea.sh 已执行, Nginx + certbot 已安装
# 用法: ssh root@8.138.11.105 'bash -s' < setup-https.sh
# ============================================================
set -euo pipefail
DOMAIN="code.letcareme.com"
GITEA_PORT=3300
CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
echo "========================================="
echo " Bookworm HTTPS 配置 v1.0"
echo "========================================="
# 1. 检查证书
if [ ! -d "$CERT_DIR" ]; then
echo "[1/4] 证书不存在,申请新证书..."
certbot certonly --nginx -d "$DOMAIN" --non-interactive --agree-tos --email leesu@letcareme.com
else
echo "[1/4] 证书已存在: $CERT_DIR"
fi
# 2. 创建 Nginx 配置
echo "[2/4] 配置 Nginx 反代..."
cat > /etc/nginx/sites-available/gitea.conf << EOF
# Bookworm Gitea - HTTPS 反向代理
server {
listen 80;
server_name $DOMAIN;
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl http2;
server_name $DOMAIN;
ssl_certificate $CERT_DIR/fullchain.pem;
ssl_certificate_key $CERT_DIR/privkey.pem;
# 安全头
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
# Git LFS 和大文件上传
client_max_body_size 512M;
location / {
proxy_pass http://127.0.0.1:$GITEA_PORT;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# WebSocket 支持 (Gitea 通知)
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
}
}
EOF
# 启用站点
ln -sf /etc/nginx/sites-available/gitea.conf /etc/nginx/sites-enabled/gitea.conf
# 3. 测试并重载 Nginx
echo "[3/4] 测试 Nginx 配置..."
nginx -t
systemctl reload nginx
echo " [OK] Nginx 已重载"
# 4. 更新 Gitea ROOT_URL
GITEA_INI="/var/lib/gitea/custom/conf/app.ini"
if [ -f "$GITEA_INI" ]; then
echo "[4/4] 更新 Gitea ROOT_URL..."
# 更新端口
sed -i "s/^HTTP_PORT\s*=.*/HTTP_PORT = $GITEA_PORT/" "$GITEA_INI"
# 更新 ROOT_URL 为 HTTPS
sed -i "s|^ROOT_URL\s*=.*|ROOT_URL = https://$DOMAIN/|" "$GITEA_INI"
# 确保 Gitea 只监听本地
if ! grep -q "HTTP_ADDR" "$GITEA_INI"; then
sed -i "/^\[server\]/a HTTP_ADDR = 127.0.0.1" "$GITEA_INI"
else
sed -i "s/^HTTP_ADDR\s*=.*/HTTP_ADDR = 127.0.0.1/" "$GITEA_INI"
fi
systemctl restart gitea
sleep 2
if systemctl is-active --quiet gitea; then
echo " [OK] Gitea 已重启 (端口 $GITEA_PORT, 仅本地监听)"
else
echo " [ERROR] Gitea 重启失败"
journalctl -u gitea -n 10
exit 1
fi
else
echo "[4/4] [!] Gitea 配置不存在,请先运行 deploy-gitea.sh"
fi
echo ""
echo "========================================="
echo " HTTPS 配置完成!"
echo "========================================="
echo ""
echo " 访问: https://$DOMAIN"
echo " HTTP → HTTPS 自动跳转: 已启用"
echo " HSTS: 已启用 (1年)"
echo " Gitea 端口: $GITEA_PORT (仅 127.0.0.1)"
echo ""
echo " 证书续期: certbot 已自动配置 cron"
echo " 验证: curl -I https://$DOMAIN"
echo "========================================="
Reference in New Issue Copy Permalink