#!/bin/bash # 定义颜色 GREEN='\033[0;32m' RED='\033[0;31m' YELLOW='\033[1;33m' NC='\033[0m' # No Color echo -e "${GREEN}=================================================${NC}" echo -e "${GREEN} Nginx SSL 配置优化与批量检查脚本${NC}" echo -e "${GREEN}=================================================${NC}" # 1. 创建通用配置片段 SNIPPET_FILE="/etc/nginx/snippets/ssl-bwyysss.conf" mkdir -p /etc/nginx/snippets echo -e "${YELLOW}[步骤 1] 正在创建通用 SSL 配置片段...${NC}" cat > $SNIPPET_FILE <<'EOF' # 通用 SSL 证书配置 (bwyysss.com) ssl_certificate /root/bwyysss.com.crt; ssl_certificate_key /root/bwyysss.com.key; # SSL 安全优化参数 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 1d; EOF if [ $? -eq 0 ]; then echo -e "${GREEN}✓ 通用片段已创建: $SNIPPET_FILE${NC}" else echo -e "${RED}✗ 创建通用片段失败!${NC}" exit 1 fi # 2. 批量修改子域名配置 echo -e "${YELLOW}[步骤 2] 正在扫描并修改 sites-available 中的配置文件...${NC}" # 遍历 sites-available 下的所有文件 for conf in /etc/nginx/sites-available/*; do # 跳过 default 文件(除非你确定要改它) if [[ "$(basename $conf)" == "default" ]]; then continue fi # 检查文件是否包含 ssl_certificate 关键字(说明是 HTTPS 站点) if grep -q "ssl_certificate" "$conf"; then echo -e " 正在处理: ${YELLOW}$(basename $conf)${NC}" # 备份原文件 cp "$conf" "${conf}.bak" # 使用 sed 进行替换: # 1. 删除原有的 ssl_certificate 行 # 2. 删除原有的 ssl_certificate_key 行 # 3. 删除原有的 ssl_protocols, ssl_ciphers 等优化行(防止冲突) sed -i '/ssl_certificate /d; /ssl_certificate_key /d; /ssl_protocols /d; /ssl_ciphers /d; /ssl_prefer_server_ciphers /d; /ssl_session_cache /d; /ssl_session_timeout /d' "$conf" # 4. 在 listen 443 行下面插入 include 指令 # 注意:这里使用了一个简单的 sed 技巧,在 listen 443 后追加 sed -i '/listen 443/a\ include /etc/nginx/snippets/ssl-bwyysss.conf;' "$conf" echo -e " ${GREEN}→ 已替换为引用通用片段${NC}" fi done # 3. 验证配置 echo -e "${YELLOW}[步骤 3] 正在验证 Nginx 配置语法...${NC}" if sudo nginx -t; then echo -e "${GREEN}✓ Nginx 配置语法检查通过!${NC}" # 询问是否重载 read -p "是否立即重载 Nginx 使配置生效? (y/n): " -n 1 -r echo if [[ $REPLY =~ ^[Yy]$ ]]; then sudo systemctl reload nginx echo -e "${GREEN}✓ Nginx 已重载!${NC}" fi else echo -e "${RED}✗ Nginx 配置语法检查失败!请检查上述报错。${NC}" echo -e "${YELLOW}提示:已为你备份了原配置文件(.bak),你可以手动恢复。${NC}" exit 1 fi # 4. 最终检查 echo -e "${GREEN}=================================================${NC}" echo -e "${GREEN} 批量检查报告${NC}" echo -e "${GREEN}=================================================${NC}" for conf in /etc/nginx/sites-available/*; do if [[ "$(basename $conf)" != "default" ]] && grep -q "ssl_certificate" "$conf" 2>/dev/null; then if grep -q "include /etc/nginx/snippets/ssl-bwyysss.conf" "$conf"; then echo -e " $(basename $conf): ${GREEN}✅ 已引用通用片段${NC}" else echo -e " $(basename $conf): ${RED}❌ 配置未更新,请手动检查${NC}" fi fi done