因主流的浏览器都要求以https的方式访问网站,现有一些在用的网站架构是python django的,故以此为例进行配置说明。用Nginx + Gunicorn模式进行部署,用acme.sh制作免费的ssl证书,实现以https方式访问。
1、django gunicorn
1.1、安装gunicorn
source~/venv/bin/activate pipinstallgunicorn1.2、用到的wsgi.py
[run@ygremoteserver GOAMAS]$catgoamas/wsgi.py""" WSGI configforgoamas project. It exposes the WSGI callable as a module-level variable named ``application``. Formoreinformation on this file, see https://docs.djangoproject.com/en/5.2/howto/deployment/wsgi/"""importos from django.core.wsgiimportget_wsgi_application os.environ.setdefault('DJANGO_SETTINGS_MODULE','goamas.settings')application=get_wsgi_application()1.3、启动gunicorn
$cdproj/GOAMAS $ gunicorn goamas.wsgi:application\--bind unix:/opt/GOAMAS/gunicorn.sock\--workers3\--timeout1201.4、查看gunicorn服务情况
[root@ygremoteserver ~]# ps aux | grep gunicorn | grep -v greprun7047390.01.33224423648pts/2 S+12:070:00 /app/run/venv/bin/python3.13 /app/run/venv/bin/gunicorn goamas.wsgi:application --bind0.0.0.0:8000 run7048180.04.123858470608pts/2 Sl+13:020:01 /app/run/venv/bin/python3.13 /app/run/venv/bin/gunicorn goamas.wsgi:application --bind0.0.0.0:8000[root@ygremoteserver ~]# ps -ef|grep gunicornrun704739704418012:07 pts/2 00:00:00 /app/run/venv/bin/python3.13 /app/run/venv/bin/gunicorn goamas.wsgi:application --bind0.0.0.0:8000 run704818704739013:02 pts/2 00:00:01 /app/run/venv/bin/python3.13 /app/run/venv/bin/gunicorn goamas.wsgi:application --bind0.0.0.0:80002、acme.sh安装
2.1、下载acme.sh
[root@ygremoteserver ~]# wget https://get.acme.sh--2025-12-1621:51:34-- https://get.acme.sh/ Resolving get.acme.sh(get.acme.sh)...104.21.34.62,172.67.199.16,2606:4700:3031::ac43:c710,... Connecting to get.acme.sh(get.acme.sh)|104.21.34.62|:443... connected. HTTP request sent, awaiting response...200OK Length: unspecified[text/html]Saving to: ‘index.html’ index.html[<=>]1.01K --.-KB/sin0s2025-12-1621:51:36(21.0MB/s)- ‘index.html’ saved[1032][root@ygremoteserver ~]#[root@ygremoteserver ~]# mv index.html acme.sh2.2、acme.sh的内容
[root@ygremoteserver ~]# cat acme.sh#!/usr/bin/env sh#https://github.com/acmesh-official/get.acme.sh_exists(){cmd="$1"if[-z"$cmd"];thenecho"Usage: _exists cmd"return1fiiftypecommand>/dev/null2>&1;thencommand-v$cmd>/dev/null2>&1elsetype$cmd>/dev/null2>&1firet="$?"return$ret}if[-z"$BRANCH"];thenBRANCH="master"fi#format "email=my@example.com"_email="$1"if["$_email"];thenshift_email="--$(echo"$_email"|tr'='' ')"fi_url="https://raw.githubusercontent.com/acmesh-official/acme.sh/$BRANCH/acme.sh"_get=""if_existscurl&&["${ACME_USE_WGET:-0}"="0"];then_get="curl -L"elif_existswget;then_get="wget -O -"elseecho"Sorry, you must have curl or wget installed first."echo"Please install either of them and try again."exit1fiif!$_get"$_url"|sh-s -- --install-online$_email"$@";thenecho"Install error"echo"中国大陆用户请参考:"echo"https://github.com/acmesh-official/acme.sh/wiki/Install-in-China"fi2.3、执行acme.sh进行安装
[root@ygremoteserver ~]# sh acme.sh% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed100226k100226k001213200:00:190:00:19 --:--:--2973[Tue Dec1609:52:51 PM CST2025]Installing from online archive.[Tue Dec1609:52:51 PM CST2025]Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz[Tue Dec1609:52:52 PM CST2025]Extracting master.tar.gz[Tue Dec1609:52:52 PM CST2025]It is recommended toinstallsocat first.[Tue Dec1609:52:52 PM CST2025]We use socatforthe standalone server,whichis usedforstandalone mode.[Tue Dec1609:52:52 PM CST2025]If you don't want to use standalone mode, you may ignore this warning. [Tue Dec 16 09:52:52 PM CST 2025] Installing to /root/.acme.sh [Tue Dec 16 09:52:52 PM CST 2025] Installed to /root/.acme.sh/acme.sh [Tue Dec 16 09:52:52 PM CST 2025] Installing alias to '/root/.bashrc' [Tue Dec 16 09:52:52 PM CST 2025] Close and reopen your terminal to start using acme.sh [Tue Dec 16 09:52:53 PM CST 2025] Installing alias to '/root/.cshrc' [Tue Dec 16 09:52:53 PM CST 2025] Installing alias to '/root/.tcshrc'[Tue Dec1609:52:53 PM CST2025]Installingcronjob nocrontabforroot nocrontabforroot[Tue Dec1609:52:53 PM CST2025]bashhas been found. Changing the shebang to usebashas preferred.[Tue Dec1609:52:55 PM CST2025]OK[Tue Dec1609:52:55 PM CST2025]Install success![root@ygremoteserver ~]# source ~/.bashrc2.4、acme.sh初始化
[root@ygremoteserver ~]# acme.sh --remove -d www.a100.fun[Tue Dec1610:00:42 PM CST2025]The domain'www.a100.fun'seems to already have an ECC cert,let's use it. [Tue Dec 16 10:00:42 PM CST 2025] www.a100.fun has been removed. The key and cert files are in /root/.acme.sh/www.a100.fun_ecc [Tue Dec 16 10:00:42 PM CST 2025] You can remove them by yourself. [root@ygremoteserver ~]# [root@ygremoteserver ~]# acme.sh --register-account -m test@foxmail.com [Tue Dec 16 10:03:17 PM CST 2025] Registering account: https://acme.zerossl.com/v2/DV90 [Tue Dec 16 10:03:20 PM CST 2025] Already registered [Tue Dec 16 10:03:20 PM CST 2025] ACCOUNT_THUMBPRINT='ZojJOwit7T11111111111111111ODMohhxr60dZc'[root@ygremoteserver ~]#[root@ygremoteserver ~]# acme.sh --set-default-ca --server letsencrypt[Tue Dec1610:03:45 PM CST2025]Changed default CA to: https://acme-v02.api.letsencrypt.org/directory[root@ygremoteserver ~]#2.5、用acme.sh生成https要用到的证书文件
[root@ygremoteserver ~]# acme.sh --issue -d www.a100.fun --nginx[Tue Dec1610:08:10 PM CST2025]Using CA: https://acme-v02.api.letsencrypt.org/directory[Tue Dec1610:08:10 PM CST2025]Singledomain='www.a100.fun'[Tue Dec1610:08:14 PM CST2025]Getting webrootfordomain='www.a100.fun'[Tue Dec1610:08:14 PM CST2025]Verifying: www.a100.fun[Tue Dec1610:08:14 PM CST2025]Nginx modefordomain: www.a100.fun[Tue Dec1610:08:14 PM CST2025]Found config file: /etc/nginx/conf.d/goamas.conf[Tue Dec1610:08:14 PM CST2025]Backing /etc/nginx/conf.d/goamas.conf up to /root/.acme.sh/www.a100.fun_ecc/backup/www.a100.fun.nginx.conf[Tue Dec1610:08:14 PM CST2025]Checking the nginx config before setting up.[Tue Dec1610:08:14 PM CST2025]OK, setting up the nginx configfile[Tue Dec1610:08:14 PM CST2025]nginx config has been written,let's check it again. [Tue Dec 16 10:08:15 PM CST 2025] Reloading nginx [Tue Dec 16 10:08:18 PM CST 2025] Pending. The CA is processing your order, please wait. (1/30) [Tue Dec 16 10:08:25 PM CST 2025] Pending. The CA is processing your order, please wait. (2/30) [Tue Dec 16 10:08:31 PM CST 2025] Pending. The CA is processing your order, please wait. (3/30) [Tue Dec 16 10:08:35 PM CST 2025] Success [Tue Dec 16 10:08:35 PM CST 2025] Restoring from /root/.acme.sh/www.a100.fun_ecc/backup/www.a100.fun.nginx.conf to /etc/nginx/conf.d/goamas.conf [Tue Dec 16 10:08:35 PM CST 2025] Reloading nginx [Tue Dec 16 10:08:35 PM CST 2025] Verification finished, beginning signing. [Tue Dec 16 10:08:35 PM CST 2025] Let's finalize the order.[Tue Dec1610:08:35 PM CST2025]Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2883432376/459431990706'[Tue Dec1610:08:37 PM CST2025]Downloading cert.[Tue Dec1610:08:37 PM CST2025]Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/058b24d3ef579b9998c09d7a4d80689668f6'[Tue Dec1610:08:41 PM CST2025]Cert success. -----BEGIN CERTIFICATE----- MIIDhjCCAwygAwIBAg555555555555555555555555555555555555555AMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NzAeFw0yNTEyMTY6666666666666666666666666666666666666666VBAMTDHd3 dy5hMTAwLmZ1bjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABK1h9IzkfXeq2tbf MQ2WwHzP7Arm6DgCyMbmkuH1WB4+lb3nNmkmbEFVVjgmli+VRB47izK06wCbRtgV WA3cj3ijggIbMIICFzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH AwEGC1111111111111111111111111111111111111111111111111idiji13ygn CT004d72azLEMB8GA1UdIwQYMBaAFK5IntyHHUSgb9qi5WB0BHjCnACAMDIGCCsG AQUFBwEBBCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL2U3LmkubGVuY3Iub3JnLzAX BgNVHREEEDAOggx3d3cuYTEwMC5mdW4wEwYDVR0gBAwwCjAIBgZngQwBAgEwLgYD VR0fBCcwJTAjoCGgH4YdaHR0cDovL2U3LmMubGVuY3Iub3JnLzExOS5jcmwwggEE BgorBgEEAdZ5AgQCBIH12222222222222222222222222222222222221B41J6vq /tUDyX3N8AAAAZsnfdYVAAAEAwBGMEQCIAhsSuck0sLduJ1cKj2zdc0UUBcSejrX B1sI2ZMIwAcnAiAqmY55bDiTNQ9VKE6LphaqEO+kXmy8Q47QAkYV/jfpPQB3AMs4 9xWJ333333333333333333333333333333333333333333333jMAAAQDAEgwRgIh AP8IMDrILJF+lan3aswcmI2xZgiwLTXdvD6Lj0Hbu6HtAiEAzxIKOUJXFpW6ljCW fSDHwcJemaxBZQIq62zH+AVg1sIwCgYIKoZIzj0EAwMDaAAwZQIxALk4c+oLk1PZ 8C+w6MQyjOozTPVC0aHBB9613Dcly2QJnDL3FIASe+EAKRvzmYNHfwIwYF5sENGE pRtF+Bj46nlfHv0RiF8OIGud+Qq+3tTEXBK5KxnwemXU7eV3dAfmI9NJ -----END CERTIFICATE-----[Tue Dec1610:08:41 PM CST2025]Your cert is in: /root/.acme.sh/www.a100.fun_ecc/www.a100.fun.cer[Tue Dec1610:08:41 PM CST2025]Your cert key is in: /root/.acme.sh/www.a100.fun_ecc/www.a100.fun.key[Tue Dec1610:08:41 PM CST2025]The intermediate CA cert is in: /root/.acme.sh/www.a100.fun_ecc/ca.cer[Tue Dec1610:08:41 PM CST2025]And the full-chain cert is in: /root/.acme.sh/www.a100.fun_ecc/fullchain.cer[root@ygremoteserver ~]# ls /root/.acme.sh/www.a100.fun_ecc/fullchain.cer/root/.acme.sh/www.a100.fun_ecc/fullchain.cer[root@ygremoteserver ~]#[root@ygremoteserver ~]# mkdir -p /etc/nginx/ssl/www.a100.fun[root@ygremoteserver ~]#[root@ygremoteserver ~]#[root@ygremoteserver ~]# acme.sh --install-cert -d www.a100.fun \>--key-file /etc/nginx/ssl/www.a100.fun/privkey.pem\>--fullchain-file /etc/nginx/ssl/www.a100.fun/fullchain.pem\>--reloadcmd"systemctl reload nginx"[Wed Dec1712:03:43 PM CST2025]The domain'www.a100.fun'seems to already have an ECC cert, let's use it.[Wed Dec1712:03:43 PM CST2025]Installing key to: /etc/nginx/ssl/www.a100.fun/privkey.pem[Wed Dec1712:03:43 PM CST2025]Installing full chain to: /etc/nginx/ssl/www.a100.fun/fullchain.pem[Wed Dec1712:03:43 PM CST2025]Running reload cmd: systemctl reload nginx[root@ygremoteserver ~]# ls -lh /etc/nginx/ssl/www.a100.fun/total8.0K -rw-r--r--1root root2.8K Dec1712:03 fullchain.pem -rw-------1root root227Dec1712:03 privkey.pem3、nginx
3.1、nginx调gunicorn.sock文件目录创建
有用到proxy_pass http://unix:/opt/GOAMAS/gunicorn.sock;所以
mkdir -p /opt/GOAMAS
chown run:nginx /opt/GOAMAS
3.2、授予访问static的权限
改web工程所放用户的700为755即可。
chmod 755 /app/run
3.3、nginx配置文件 /etc/nginx/conf.d/goamas.conf
# HTTP:统一跳转到 HTTPSserver{listen80;server_name www.a100.fun a100.fun;return301https://www.a100.fun$request_uri;}# HTTPS 主站server{listen443ssl http2;server_name www.a100.fun;ssl_certificate /etc/nginx/ssl/www.a100.fun/fullchain.pem;ssl_certificate_key /etc/nginx/ssl/www.a100.fun/privkey.pem;ssl_protocols TLSv1.2 TLSv1.3;ssl_prefer_server_ciphers on;# Django 静态文件location /static/{alias/app/run/proj/GOAMAS/staticfiles/;access_log off;expires 30d;}# Django 反向代理location /{proxy_pass http://unix:/opt/GOAMAS/gunicorn.sock;proxy_set_header Host$host;proxy_set_header X-Real-IP$remote_addr;proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto https;proxy_redirect off;}}3.4、nginx启动
[root@ygremoteserver ~]# nginx -tnginx: the configurationfile/etc/nginx/nginx.conf syntax is ok nginx: configurationfile/etc/nginx/nginx.conftestis successful[root@ygremoteserver ~]# systemctl reload ngin3.5、查看nginx运行情况
[root@ygremoteserver app]# netstat -an|grep 443tcp000.0.0.0:4430.0.0.0:* LISTEN[root@ygremoteserver opt]# tail -f /var/log/nginx/error.log2025/12/18 03:04:36[crit]704724#704724: *667 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 206.168.34.39, server: 0.0.0.0:4432025/12/18 06:18:19[crit]704724#704724: *748 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 156.229.21.54, server: 0.0.0.0:4432025/12/18 09:12:57[crit]704724#704724: *823 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 185.242.226.119, server: 0.0.0.0:4433.6、效果
https能正常打开网站:
