vi.starbugs.net Nginx HTTP/2 and HTTP/3 deployment record

System

Completed

Key files

Current site configuration

server {
    listen 80;
    server_name vi.starbugs.net;

    location /.well-known/acme-challenge/ {
        root /var/www/vi.starbugs.net;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http2 on;
    http3 on;

    server_name vi.starbugs.net;
    root /var/www/vi.starbugs.net;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/vi.starbugs.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vi.starbugs.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Alt-Svc 'h3=":443"; ma=86400' always;
    add_header QUIC-Status $http3 always;

    location / {
        try_files $uri $uri/ =404;
    }
}

Certificate auto-renewal process

certbot created a systemd timer on installation; the system periodically runs the certificate renewal check.

Check timer status:

systemctl status certbot.timer --no-pager
systemctl list-timers certbot.timer --no-pager

Certificate renewal configuration file:

/etc/letsencrypt/renewal/vi.starbugs.net.conf

Renewal currently uses the webroot method; the validation directory is:

/var/www/vi.starbugs.net/.well-known/acme-challenge/

The nginx port 80 configuration keeps the ACME validation path:

location /.well-known/acme-challenge/ {
    root /var/www/vi.starbugs.net;
}

Hook that reloads nginx automatically after a successful renewal:

/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Hook contents:

#!/bin/sh
systemctl reload nginx

Permissions:

chmod 755 /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Manually test the renewal process:

certbot renew --dry-run

Manually force a renewal check:

certbot renew

Manually renew the certificate for a specific domain:

certbot certonly --webroot -w /var/www/vi.starbugs.net -d vi.starbugs.net

After a successful renewal the certificate paths remain unchanged:

/etc/letsencrypt/live/vi.starbugs.net/fullchain.pem
/etc/letsencrypt/live/vi.starbugs.net/privkey.pem

If renewal fails, check:

Verification commands

nginx -v
nginx -V
nginx -t
systemctl status nginx --no-pager
systemctl status certbot.timer --no-pager
systemctl list-timers certbot.timer --no-pager
ss -ltnup
curl --noproxy '*' -I --http2 --resolve vi.starbugs.net:443:127.0.0.1 https://vi.starbugs.net
certbot renew --dry-run
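
A post-deployment check script for the configuration above, added here as an example and not part of the original record. It assumes curl, ss, awk and openssl are installed, and that the host name and certificate path are the ones listed in this record; with --run it performs the live checks, and the functions can also be fed captured output.

```shell
#!/bin/sh
# Post-deploy check for the HTTP/3 site above (added example, not part of the
# original record). Assumes curl, ss, awk and openssl are installed.

HOST="vi.starbugs.net"
CERT="/etc/letsencrypt/live/$HOST/fullchain.pem"

# Fetch response headers over HTTP/2 from the local instance, pinning the
# name to 127.0.0.1 exactly like the curl line in the verification list.
fetch_headers() {
    curl --noproxy '*' -sS -I --http2 \
        --resolve "$HOST:443:127.0.0.1" "https://$HOST"
}

# Return 0 when the headers advertise h3 on :443 via Alt-Svc. A client only
# switches to HTTP/3 after seeing this on an HTTP/1.1 or HTTP/2 response, so
# a missing header silently leaves every visitor on TCP.
alt_svc_ok() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -Eq '^alt-svc:.*h3="?:443"?'
}

# Return 0 when `ss -ltnup` output ($1) shows a $2 (tcp/udp) listener on
# port $3. Field 5 of ss output is "Local Address:Port".
listener_ok() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" \
        '$1 == proto && $5 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# Return 0 when the certificate file $1 is still valid for at least $2 days;
# failing this after a certbot run means the timer or deploy hook did not work.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

main() {
    hdr=$(fetch_headers) || { echo "FAIL: curl could not reach $HOST"; return 1; }
    alt_svc_ok "$hdr" || { echo "FAIL: Alt-Svc h3 header missing"; return 1; }
    sockets=$(ss -ltnup)
    listener_ok "$sockets" tcp 443 || { echo "FAIL: no TCP 443 listener"; return 1; }
    listener_ok "$sockets" udp 443 || { echo "FAIL: no UDP 443 (QUIC) listener"; return 1; }
    cert_valid_for_days "$CERT" 14 || { echo "FAIL: certificate expires within 14 days"; return 1; }
    echo "OK: HTTP/2 + HTTP/3 listeners, Alt-Svc and certificate look healthy"
}

# Run the live checks only when invoked with --run, so the functions can be
# sourced and tested against captured output without touching the server.
case "${1-}" in --run) main ;; esac
```

Save it as a file on the server and run it with --run after every nginx or certbot change; a missing UDP 443 listener usually points at the firewall or security group rule mentioned in the notes below.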

Verification results

Notes

HTTP/3 uses UDP 443; it must be allowed in the cloud server security group and the system firewall:

The official nginx mainline repository currently provides 1.31.1, not 1.30; that version already includes HTTP/2 and HTTP/3 support.