HTTPS!

After being continuously locked up by GFW for a whole week I decide to change my site into a real https site. Given the fact that I can only use port 80 and 443 for all the activities across GFW, I have to make port 443 for both nginx and ShadowsocksR (for scurity reason). Thus, ssr will divide the inbound packages into two parts, one for itself and another redirected to port xxx for nginx, as following.

Installing Certificate

A common HTTP challenge features automatic renew.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
certbot certonly --webroot -w /var/www/example -d www.example1.com -d www.example2.com

A wildcard installation allows batch installing, but the install and renew requires manual update of DNS records, i.e. through DNS challenge.

certbot certonly --manual --cert-name example.com -d example.com -d "*.example.com" --preferred-challenges=dns

wp-config.php

define('WP_HOME','https://www.mkmark.net');
define('WP_SITEURL','https://www.mkmark.net');

Nginx - nginx.conf

server
    {
        listen 80;
        #listen [::]:80 default_server ipv6only=on;

        server_name www.mkmark.net;
        return 301 https://$server_name$request_uri;
    }

server
    {
        listen xxx;
        server_name www.mkmark.net;

        ssl                  on;   
        ssl_certificate      /path/to/fullchain.pem;    
        ssl_certificate_key  /path/to/privkey.pem;  
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ShadowsocksR - user-config.json

"redirect": ":443#127.0.0.1:xxx",

Cron

crontab -e
i
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew
[esc]
:wq!

Reference

https://certbot.eff.org/ https://certbot.eff.org/docs/using.html#webroot https://xtboke.cn/jsjc/273.html