greenlock (Let's Encrypt) with express and port forwarding


Question

I am trying to set up letsencrypt (now greenlock apparently) for port forwarding with express.

I had a first issue, which I solved with:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3443

The issue is that, now, I get:

Fetching certificate for 'xxx' to use as default for HTTPS server...
[acme-v2] handled(?) rejection as errback:
Error: connect ECONNREFUSED 127.0.1.1:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1126:14)
Error loading/registering certificate for 'xxx':
Error: connect ECONNREFUSED 127.0.1.1:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1126:14) {
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '127.0.1.1',
  port: 80
}

My app is like that right now:

require("greenlock-express")
    .create({
        server: "https://acme-staging-v02.api.letsencrypt.org/directory",
        email: "xxx@gmail.com", // The email address of the ACME user / hosting provider
        agreeTos: true, // You must accept the ToS as the host which handles the certs
        configDir: "~/.config/acme/", // Writable directory where certs will be saved
        communityMember: true, // Join the community to get notified of important updates
        telemetry: true, // Contribute telemetry data to the project
        store: require('greenlock-store-fs'),
        approveDomains: ['xxx.xxx.xxx'],
        // Using your express app:
        // simply export it as-is, then include it here
        app: require("../app.js")

        //, debug: true
    })
    .listen(3000, 3443);

Apparently I cannot use ports 80 and 443 with nodeJS, but I cannot use any other port with greenlock either... What is the workaround?

Answer

I'm the author of Greenlock.

Let's Encrypt is a brand name of the EFF for their Free SSL service.

Greenlock is the brand name I use for my JavaScript client to their service.

I changed the name when they began pursuing a trademark for Let's Encrypt.

If you follow the Greenlock QuickStart, you cannot fail. :)

Also, an oldie, but a goodie:

  • VPS
  • netcap
  • systemd

On a normal VPS (such as Digital Ocean, Linode, Vultr, or Scaleway), where the disk is persistent, use "netcap". This will allow a non-root user to bind to privileged ports:

sudo setcap 'cap_net_bind_service=+ep' $(which node)

TADA! Now you can run node ./server.js --port 80 as a normal user!

Aside:

You can also use systemd to stop and start your service. Since systemd is sometimes a p.i.t.a., I wrote a wrapper script in Go that makes it really easy to deploy node projects:

# Install
curl https://rootprojects.org/serviceman/dist/linux/amd64/serviceman -o serviceman
chmod +x ./serviceman
sudo serviceman /usr/local/bin

# Use
cd ./my/node/project
sudo serviceman --username $(whoami) --cap-net-bind add npm start

or, if your server isn't called 'server.js' (the de facto standard), or you need extra options:

cd ./my/node/project
sudo serviceman --username $(whoami) --cap-net-bind add node ./my-server-thing.js -- --my-options

All that does is create your systemd file for you with sane defaults. I'd recommend you check out the systemd documentation as well, but it is a bit hard to grok and there are probably more confusing and otherwise bad tutorials than there are simple and otherwise good tutorials.

I responded to that question you mentioned: https://stackoverflow.com/a/58388665/151312

It'll probably get a bunch of downvotes from AWS die-hards... but:

Don't use AWS. Use a VPS.

I really like Digital Ocean and Vultr.

Also, there are Greenlock DNS-01 plugins for both of those. That will make your life real easy.

The default validations for Greenlock MUST go over HTTP on port 80. That's part of the spec. They CANNOT go over HTTPS, or over any other port.

However, if you need SSL / TLS for private networking (which is probably not your issue), you can use DNS-01 plugins. As mentioned above, it's really simple to integrate with Digital Ocean, Vultr, and a number of others:

There are about a dozen different plugins. You don't have to use them except for wildcard domains and private networking, but if you think managing the DNS and your VPS in the same place would be a benefit to you, I highly recommend using DNS-01 instead of HTTP-01.

Don't port-forward unless you're an expert and you know what you're doing and why. You're gonna have a hard time and things aren't going to work as you expect.

How do you become an expert... lots of ways (and it's not hard)... but, as I understand it, it isn't really going to help you achieve your most immediate goal.

Sorry I can't be more helpful than that, but it's a big topic.
