
「[模块化]本站Nginx配置」


发现了一个可以自动生成 Nginx 站点配置的网站:nginxconfig.io。
模块化的好处在于:当需要配置多个站点时,可以按不同需求把模块组装起来,不必把每个站点文件都写得那么臃肿,而且清晰明了。
于是把本站的配置文件改成了这种形式。

证书

使用certbot生成证书

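# Install certbot and obtain the first certificate with the HTTP-01 webroot
# challenge. The -w directory must be the one the port-80 server block serves
# for /.well-known/acme-challenge/ (see modul/letsencrypt.conf below).
sudo apt-get install certbot
# --force-renewal was dropped: it does nothing useful on first issuance, and
# if this line is re-run it forces a brand-new issuance every time, which
# quickly exhausts Let's Encrypt's duplicate-certificate rate limit.
sudo certbot certonly --webroot -d wwww.lvmoo.com --email admin@lvmoo.com \
  -w /srv/www/html/_letsencrypt -n --agree-tos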

证书更新

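# Dry run first: exercises the whole renewal path (webroot, ACME, hooks)
# against the staging endpoint without issuing anything.
sudo certbot renew --dry-run
# Real renewal. The nginx reload must run AFTER the new certificate has been
# written: with --pre-hook (as in the original) nginx was reloaded *before*
# renewal and kept serving the old certificate until the next reload. The
# original line was also missing its closing quote. Where the certbot version
# supports it, --deploy-hook is the better choice: it runs only for
# certificates that were actually renewed.
sudo certbot renew --post-hook "systemctl reload nginx"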

此命令会尝试续订以前获得的、并将在30天内过期的所有证书;
有效期还超过30天的证书会被跳过。

计划任务更新
每周一1点1分执行

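# Weekly renewal job (Monday 01:01). Written as a drop-in under /etc/cron.d so
# re-running this snippet overwrites one file instead of appending yet another
# line to /etc/crontab every time (the sed '$a' approach was not idempotent).
# Fixes vs. the original job line:
#   - `systemctl nginx reload` had the arguments reversed -> `systemctl reload nginx`
#   - --pre-hook -> --post-hook, so the reload happens after the new cert exists
# NOTE(review): the distro certbot package may already install its own cron
# job or systemd timer for `certbot renew`; check before adding a second one.
sudo tee /etc/cron.d/certbot-renew >/dev/null <<'EOF'
# Renewing certificates
1 1     * * 1   root    /usr/bin/certbot renew --post-hook "systemctl reload nginx"
EOF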

吊销证书

# Revoke the current certificate, e.g. after the private key has leaked.
# Revocation alone does not replace the key: issue a new certificate (new key)
# first, then revoke the old one. Once revoked, the OCSP response that nginx
# staples (ssl_stapling on in nginx.conf) says "revoked" and clients reject it.
# NOTE(review): make sure the weekly `certbot renew` job stops renewing the
# revoked lineage afterwards (certbot delete --cert-name ...) — whether revoke
# prompts for this depends on the certbot version.
sudo certbot revoke --cert-path /etc/letsencrypt/live/wwww.lvmoo.com/cert.pem --reason keycompromise

Nginx配置

主配置文件
位于/usr/local/nginx/conf/nginx.conf

# Main nginx.conf. Everything set in the http {} block is inherited by the
# server/location blocks included at the bottom, so TLS, logging and rate
# limits are defined once here and the per-site files only carry what differs.
user www-data;
# relative path: resolved against the nginx prefix (/usr/local/nginx)
pid logs/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    # php-fpm backends: the self-built PHP 7 socket is primary; the distro
    # PHP 7.2 socket is only used when the primary is unavailable.
    # NOTE(review): the two sockets may be different PHP builds with different
    # php.ini/open_basedir settings — confirm the fallback is intended.
    upstream php {
        server unix:/usr/local/php7/var/run/www-php-fpm.sock;
        server unix:/var/run/php/php7.2-fpm.sock backup;
    }

    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # do not leak the nginx version in the Server header / error pages
    server_tokens off;
    log_not_found off;
    types_hash_max_size 2048;
    # request body cap (413 above this); Typecho uploads must fit under it
    client_max_body_size 16M;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # logging
    access_log /usr/local/nginx/logs/access.log;
    error_log /usr/local/nginx/logs/error.log warn;

    # limits
    # Zone consumed by typecho.conf on /admin/login.php: 10 requests/minute
    # per client address. In servers that include general.conf's realip rules
    # this is the Cloudflare-reported visitor IP, not the Cloudflare edge.
    limit_req_log_level warn;
    limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;

    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # tickets off: nginx does not rotate its ticket key on its own, which
    # would weaken forward secrecy for the lifetime of the process
    ssl_session_tickets off;

    # modern configuration
    # TLS 1.2 only, ECDHE AEAD suites first, then ECDHE CBC/SHA-2 suites.
    # NOTE: this appears to match the 2018 Mozilla "modern" list; current
    # guidance is TLS 1.3 (+1.2). Append TLSv1.3 to ssl_protocols once the
    # nginx build and its OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # ssl_stapling_verify requires ssl_trusted_certificate in each TLS server
    # block (the site config sets it to fullchain.pem). The resolver is only
    # used to look up the OCSP responder, over plain (unauthenticated) DNS.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # load configs
    include /srv/www/nginx/conf.d/*.conf;
    include /srv/www/nginx/sites-enabled/*;
}

模块化文件

响应头、缓存与压缩设置
位于/srv/www/nginx/modul/general.conf

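# security headers
# nginx does NOT merge add_header across levels: a location that declares its
# own add_header loses every add_header from the enclosing server. Any location
# below that sets a header must therefore repeat this whole set.
add_header X-Frame-Options "SAMEORIGIN" always;
# legacy header; current browsers ignore it, kept for older ones (harmless)
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# NOTE(review): this CSP allows every origin, data: URIs, inline scripts and
# eval — it permits everything and mitigates nothing. Treat it as a placeholder
# until the site's real script/style/img sources are enumerated.
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# HSTS: one year, covers all subdomains, and requests browser preload.
# "preload" is a long-term commitment (removal takes months) and only takes
# effect once the domain is submitted to hstspreload.org; every subdomain must
# then be reachable over HTTPS with a valid certificate.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files (dotfiles and dot-directories: .git, .htaccess, .env, ...).
# If this file ever shares a server with letsencrypt.conf, its ^~ prefix
# location for /.well-known/acme-challenge/ still wins over this regex.
location ~ /\. {
    deny all;
}

# assets, media (no add_header here, so the server-level headers are kept)
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    expires 7d;
    access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";
    # Declaring add_header in this location drops all server-level add_header
    # directives for these responses, so the security set is repeated here.
    # SVG is active content (it can embed scripts), so the frame, sniff and CSP
    # headers matter for these files too.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    expires 7d;
    access_log off;
}

# brotli (requires nginx built with the ngx_brotli module)
brotli on;
brotli_comp_level 6;
# The original brotli_types line had no terminating ';', so nginx read the
# following "gzip on" tokens as two more MIME types and gzip was never enabled.
brotli_types text/plain text/css application/json application/x-javascript text/xml text/x-component application/xhtml+xml application/xml application/rss+xml application/atom+xml text/javascript application/javascript application/x-font-ttf image/svg+xml;

# gzip (fallback for clients that do not accept br)
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
# application/rss+xml matches the brotli list above; the original
# "application/xml+rss" is not a registered type and would never match a feed.
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

# Getting Real IP Addresses Using CloudFlare
# https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
# Cloudflare IP addresses https://www.cloudflare.com/ips
# CF-Connecting-IP is only honoured when the TCP peer is in one of these
# ranges, so a client connecting directly cannot spoof its address — but it
# does bypass Cloudflare entirely. The list is a hard-coded snapshot and goes
# stale; re-sync it from the URL above periodically, and consider restricting
# :443 at the firewall to these ranges if the origin must stay hidden.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;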

Let's Encrypt 签发证书时的 ACME 文件验证(webroot 方式)
位于/srv/www/nginx/modul/letsencrypt.conf

# ACME-challenge (HTTP-01 webroot). `root` must equal certbot's -w path.
# The ^~ modifier makes this prefix match win over any regex location (such as
# the dotfile deny in general.conf), and =404 keeps non-existent files under
# this path from falling through to any other handler.
location ^~ /.well-known/acme-challenge/ {
    root /srv/www/html/_letsencrypt;
    try_files     $uri =404;
}

php_fastcgi设置
位于/srv/www/nginx/modul/php_fastcgi.conf

# Included from every PHP location (the \.php$ handler and /admin/login.php).
# 404 unless the .php file really exists on disk: this stops the classic
# /uploads/img.jpg/x.php path-info trick from ever reaching php-fpm.
try_files $uri =404;

# fastcgi
fastcgi_pass                php;
fastcgi_index                index.php;
fastcgi_split_path_info        ^(.+\.php)(/.+)$;
fastcgi_param                SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Per-site open_basedir pushed into php-fpm. $base is NOT defined here: the
# including server block must `set $base ...` (the site config does). An unset
# $base expands to empty, giving "open_basedir=/:..." — i.e. no confinement.
fastcgi_param                PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
# PHP's own error responses are passed through instead of nginx's error pages
fastcgi_intercept_errors    off;

# response buffering from php-fpm
fastcgi_buffer_size                128k;
fastcgi_buffers                    256 16k;
fastcgi_busy_buffers_size        256k;
fastcgi_temp_file_write_size    256k;

# default fastcgi_params
include /usr/local/nginx/conf/fastcgi_params;

代理设置
位于/srv/www/nginx/modul/proxy.conf

# Generic reverse-proxy headers for proxy_pass locations. Not included by the
# Typecho site below; kept as a reusable module.
proxy_http_version 1.1;
# WebSocket pass-through.
# NOTE(review): Connection is hard-coded to "upgrade" for EVERY proxied
# request, not only those that carry an Upgrade header. The documented form is
# a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in
# the http block plus `proxy_set_header Connection $connection_upgrade;` here,
# so plain requests get "close" instead of a bogus upgrade some backends may
# reject. The map has to live in nginx.conf, so it is not changed here.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Where general.conf's realip rules are active, $remote_addr is already the
# Cloudflare-reported visitor IP. X-Forwarded-For appends to whatever the
# client sent, so the backend must trust only the last (nginx-added) entry.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_cache_bypass $http_upgrade;

typecho设置
位于/srv/www/nginx/modul/typecho.conf

# Typecho hardening rules. All but the last are regex locations, and nginx
# uses the FIRST matching regex in file order — so this file must be included
# before the generic `location ~ \.php$` handler, otherwise every .php deny
# below is bypassed and the file is executed instead.

# Typecho: deny usr/uploads nasty stuff — never serve or execute active
# content from the upload directory, whatever managed to get written there
location ~* ^/usr/uploads/.*\.(?:s?html?|php|js|swf)$ {
    deny all;
}

# Typecho: deny usr/plugins (except earlier rules — asset locations that
# appear before this one, e.g. in general.conf, still serve plugin css/js)
location ~ ^/usr/plugins {
    deny all;
}

# Typecho: deny general stuff — XML-RPC endpoint, installer, config file and
# package metadata
location ~* ^/(?:xmlrpc\.php|config\.inc\.php|install\.php|readme\.html|LICENSE\.txt)$ {
    deny all;
}

# Typecho: throttle the login page via the "login" zone from nginx.conf
# (10 r/m per client, burst 2). Exact-match location, so it takes priority
# over every regex handler regardless of include order.
# NOTE(review): confirm the credential POST actually targets this URL; if the
# form submits to an index.php action route, only the form page is throttled.
location = /admin/login.php {
    limit_req zone=login burst=2 nodelay;
    include /srv/www/nginx/modul/php_fastcgi.conf;
}

自定义设置
位于/srv/www/nginx/modul/my.conf

# Site-specific rules. Server-level `if` blocks run in the rewrite phase,
# before any location is selected.

#rewrite: legacy permalink /archives/<id>.html -> /<id>.love (301), only when
# no real file or directory of that name exists
if (!-e $request_filename) {
    rewrite ^/archives/([0-9]+)\.html$ /$1.love permanent;
}
# Crude User-Agent bot filter. This is cosmetic, not a security control: the
# header is client-chosen and trivially changed. The unanchored, case-
# insensitive patterns also hit any UA that merely contains "java" or
# "python", and the 503 will break curl/wget-based uptime checks of the site.
if ($http_user_agent ~* "python|curl|java|wget|httpclient|okhttp") {
    return 503;
}

站点配置文件

单个站点配置文件位于/srv/www/nginx/sites-available

然后软链接到 sites-enabled 目录以启用该站点:

# Enable the site by linking it into sites-enabled, which the
# `include /srv/www/nginx/sites-enabled/*` line in nginx.conf picks up.
# Validate and reload afterwards, e.g. `nginx -t && systemctl reload nginx`.
ln -s /srv/www/nginx/sites-available/wwww.lvmoo.com.conf /srv/www/nginx/sites-enabled/wwww.lvmoo.com.conf
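server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name wwww.lvmoo.com;
    # $base is also read by modul/php_fastcgi.conf (open_basedir); keep it set
    set $base /srv/www/html;
    root $base/wwww;

    # SSL — certbot-managed paths (see the certificate section above)
    #ssl_certificate /srv/www/ssl/lvmoo.com.rsa.crt;
    #ssl_certificate_key /srv/www/ssl/lvmoo.com.key;
    #ssl_trusted_certificate /srv/www/ssl/lvmoo.com.rsa.crt;
    ssl_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wwww.lvmoo.com/privkey.pem;
    # required by ssl_stapling_verify in nginx.conf
    ssl_trusted_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;

    # logging
    access_log /usr/local/nginx/logs/wwww.lvmoo.com.access.log;

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Regex locations are tried in order of appearance and the first match
    # wins. In the original file the generic \.php$ handler came BEFORE these
    # includes, so every .php deny in typecho.conf (usr/uploads/*.php,
    # xmlrpc.php, install.php, config.inc.php, usr/plugins/*.php) was
    # unreachable and the file was executed instead. general.conf stays first
    # so its asset locations still serve plugin css/js ("except earlier rules").
    include /srv/www/nginx/modul/general.conf;
    include /srv/www/nginx/modul/typecho.conf;
    include /srv/www/nginx/modul/my.conf;

    # handle .php — must stay after the deny rules above
    location ~ \.php$ {
        include /srv/www/nginx/modul/php_fastcgi.conf;
    }
}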

# subdomains redirect: *.wwww.lvmoo.com -> wwww.lvmoo.com
# NOTE(review): the certificate is issued for wwww.lvmoo.com only (see the
# certbot certonly line above), not for *.wwww.lvmoo.com, so a browser hitting
# any subdomain gets a name-mismatch error before this redirect is ever sent —
# and once the HSTS includeSubDomains/preload policy from general.conf has been
# seen, that error cannot be clicked through. A wildcard (DNS-01) certificate
# is needed for this block to do anything useful.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.wwww.lvmoo.com;

    # SSL
    #ssl_certificate /srv/www/ssl/lvmoo.com.rsa.crt;
    #ssl_certificate_key /srv/www/ssl/lvmoo.com.key;
    #ssl_trusted_certificate /srv/www/ssl/lvmoo.com.rsa.crt;
    ssl_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wwww.lvmoo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;

    return 301 https://wwww.lvmoo.com$request_uri;
}

# HTTP redirect: only the ACME challenge path is served in clear text; every
# other request is sent to HTTPS. Unless another :80 server is marked
# default_server, this block (first on :80) also catches unknown Host names.
server {
    listen 80;
    listen [::]:80;

    #server_name *.wwww.lvmoo.com;
    server_name wwww.lvmoo.com;

    # ^~ prefix location: takes priority over regex locations, so the
    # challenge files stay reachable and are not redirected
    include /srv/www/nginx/modul/letsencrypt.conf;

    location / {
        return 301 https://wwww.lvmoo.com$request_uri;
    }
}



Kay

@2018-11-29 12:46:10

nginx 配置
  1. 夏目贵志

    lnmp 搞证书真的哭死 自己配置 麻烦的要死 还是面板舒服点自动申请部署

    不过我现在用的 caddy 反正小博客 没干啥 够用~

    1. Kay

      够用就行哇,文章里面提到的证书可以理解成就是certbot自己申请了⌇●﹏●⌇

  2. 沙缸过滤器

    博主加油
