Spent some time fiddling with the VPS again today; I wanted to set up remote downloading on it, so I picked up a combination I had used before: aria2 + yaaw.

Background

Configuring and running aria2 on the VPS and deploying yaaw on the website are skipped here. Once everything was in place, yaaw could not connect to aria2 on the server, which drove me up the wall.

Strangely, on the author's demo (http://binux.github.io/yaaw/demo/) it worked perfectly. After thinking about it, I understood: my site is already HTTPS everywhere, while yaaw's RPC calls were still going over plain HTTP. Modern browsers treat that as a dangerous operation and refuse it, so the connection failed.

There are several ways to solve this:

  1. Tell the browser to allow this kind of "mixed content".
  2. Use the HTTP version of yaaw.
  3. Make aria2's RPC use HTTPS.

Method 1 is bad, a "dirty hack". Method 2 is a last resort. Making aria2's RPC support HTTPS is the proper way.

Making aria2's RPC support HTTPS

The aria2 manual has three relevant options:

--rpc-secure[=true|false]

RPC transport will be encrypted by SSL/TLS. The RPC clients must use https scheme to access the server. For WebSocket client, use wss scheme. Use --rpc-certificate and --rpc-private-key options to specify the server certificate and private key.

https://aria2.github.io/manual/en/html/aria2c.html?highlight=rpc%20secure#cmdoption--rpc-secure

--rpc-certificate=<FILE>

Use the certificate in FILE for RPC server. The certificate must be either in PKCS12 (.p12, .pfx) or in PEM format.
PKCS12 files must contain the certificate, a key and optionally a chain of additional certificates. Only PKCS12 files with a blank import password can be opened!
When using PEM, you have to specify the private key via --rpc-private-key as well. Use --rpc-secure option to enable encryption.

https://aria2.github.io/manual/en/html/aria2c.html?highlight=rpc%20secure#cmdoption--rpc-certificate

--rpc-private-key=<FILE>

Use the private key in FILE for RPC server. The private key must be decrypted and in PEM format. Use --rpc-secure option to enable encryption. See also --rpc-certificate option.

https://aria2.github.io/manual/en/html/aria2c.html?highlight=rpc%20secure#cmdoption--rpc-private-key

As for what --rpc-certificate and --rpc-private-key should actually point to, I was confused. My skills are lacking; I never got this straight back when setting up HTTPS either. But hard work pays off: after some trial and error I figured it out.

For example, the Nginx configuration has:

ssl_certificate /www/certs/chained.pem;
ssl_certificate_key /www/certs/domain.key;

So in aria2's configuration file you can reuse the same PEM files Nginx uses, the chained certificate and the unencrypted private key:

rpc-secure=true
rpc-certificate=/www/certs/chained.pem
rpc-private-key=/www/certs/domain.key

Or, looking back at the site-wide HTTPS tutorial, these two files were generated like this:

openssl genrsa 4096 > /www/certs/domain.key
openssl req -new -sha256 -key /www/certs/domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:chriszheng.science,DNS:www.chriszheng.science")) > /www/certs/domain.csr
python /root/acme-tiny/acme_tiny.py --account-key /www/certs/account.key --csr /www/certs/domain.csr --acme-dir /www/challenges/ > /tmp/signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /tmp/intermediate.pem
cat /tmp/signed.crt /tmp/intermediate.pem > /www/certs/chained.pem
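Before pointing aria2 at these files, it is worth checking that they satisfy what the manual demands: the key must be an unencrypted PEM key, and it must belong to the certificate in chained.pem. The script below is an added example, not part of the original post; it assumes openssl is installed and takes the certificate and key paths as arguments, printing the aria2 stanza only if the pair passes.

```shell
#!/bin/sh
# Added example: validate a certificate/key pair for aria2's rpc-certificate
# and rpc-private-key, then print the matching aria2 config stanza.
# Assumes the openssl CLI is available; file paths are given as arguments.

# aria2 requires the private key to be "decrypted and in PEM format".
# Succeed only if KEY is a PEM private key without an encryption marker.
key_is_plain_pem() {
    grep -q 'PRIVATE KEY-----' "$1" || return 1
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed only if the public key embedded in CERT equals the public key
# derived from KEY (works for RSA and EC keys alike).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates in a PEM bundle; chained.pem as built in the post
# holds the signed leaf plus the Let's Encrypt intermediate, i.e. 2.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the aria2 configuration lines for a validated pair, or fail.
aria2_rpc_tls_config() {
    key_is_plain_pem "$2" || { echo "key is not an unencrypted PEM key: $2" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    printf 'rpc-secure=true\nrpc-certificate=%s\nrpc-private-key=%s\n' "$1" "$2"
}

# Usage: ./check.sh /www/certs/chained.pem /www/certs/domain.key
if [ "$#" -eq 2 ]; then
    aria2_rpc_tls_config "$1" "$2"
fi
```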

Well, even though I did not fully understand it, the problem is solved.

One closing thought: a VPS is great fun.