发现了一个自动化生成nginx站点配置的网站nginxconfig.io。
模块化的好处在于如果配置多个站点文件,我们可以根据不同的需求按照模块组装,不用将每个站点文件都写得那么臃肿.
并且清晰明了,于是把本站的配置文件修改了一下.
证书
使用certbot生成证书
# Install certbot and obtain a certificate with the webroot challenge: nginx keeps
# serving while certbot drops the ACME challenge files under the -w directory,
# which is the root of the /.well-known/acme-challenge/ location in letsencrypt.conf.
sudo apt-get install certbot
# -n --agree-tos: non-interactive; --force-renewal: re-issue even if a valid cert already exists
sudo certbot certonly --webroot -d wwww.lvmoo.com --email [email protected] -w /srv/www/html/_letsencrypt -n --agree-tos --force-renewal
证书更新
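# Test renewal without touching the live certificates (uses the staging endpoint).
sudo certbot renew --dry-run
# Renew, then reload nginx so it picks up the new files.
# --deploy-hook runs only after a certificate was actually renewed; a --pre-hook
# reload would run before the new certificate exists and nginx would keep
# serving the old one until the next manual reload.
sudo certbot renew --deploy-hook "systemctl reload nginx"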
此命令会尝试续订之前获得的、将在30天内过期的所有证书；
剩余有效期超过30天的证书会被跳过。
计划任务更新
每周一1点1分执行
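# Append a weekly renewal job (Monday 01:01, as root) to the system crontab.
sudo sed -i '$a\#Renewing certificates' /etc/crontab
# systemctl takes the verb first ("reload nginx", not "nginx reload"), and the
# reload belongs in --deploy-hook so it runs after a certificate was actually
# replaced; reloading before renewal never loads the new files.
sudo sed -i '$a\1 1 * * 1 root /usr/bin/certbot renew --deploy-hook "systemctl reload nginx"' /etc/crontab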
吊销证书
# Revoke the current certificate, recording "keycompromise" as the reason (use this
# when the private key may have leaked). Afterwards remove the lineage if certbot
# does not offer to (`certbot delete --cert-name wwww.lvmoo.com`) so the cron renew
# job stops trying to renew it, and issue a new certificate with a fresh key.
sudo certbot revoke --cert-path /etc/letsencrypt/live/wwww.lvmoo.com/cert.pem --reason keycompromise
Nginx配置
主配置文件
位于/usr/local/nginx/conf/nginx.conf
# Main nginx configuration: worker settings, the shared TLS policy and the
# includes that pull in the per-site files.
user www-data;
pid logs/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
worker_connections 65535;
}
http {
# PHP-FPM backend: the unix socket is preferred, the TCP listener is only used as backup.
upstream php {
server unix:/usr/local/php7/var/run/www-php-fpm.sock;
server 127.0.0.1:9000 backup;
}
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Do not expose the nginx version in the Server header and error pages.
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
# MIME
include mime.types;
default_type application/octet-stream;
# logging
access_log /usr/local/nginx/logs/access.log;
error_log /usr/local/nginx/logs/error.log warn;
# limits
limit_req_log_level warn;
# 10 requests/minute per client address; consumed by `limit_req zone=login`
# on the login location in typecho.conf. Behind a CDN the real-IP module must
# be in effect, otherwise all visitors share the CDN's address and the limit.
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Tickets off: without key rotation they weaken forward secrecy.
ssl_session_tickets off;
# modern configuration
# TLS 1.2 only. TLSv1.3 is not listed; add it if the nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# OCSP Stapling
# Stapling needs ssl_trusted_certificate in each server block (set in the site
# file) plus a resolver to fetch OCSP responses; public resolvers are used here.
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# load configs
# Only files linked into sites-enabled are loaded.
include /srv/www/nginx/conf.d/*.conf;
include /srv/www/nginx/sites-enabled/*;
}
模块化文件
头部/缓存/压缩设置
位于/srv/www/nginx/modul/general.conf
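# Shared per-site module: security headers, static-asset caching, compression
# and Cloudflare real-IP restoration. Included from a server block.
# security headers
# NOTE: add_header directives are inherited by a location only if that location
# defines no add_header of its own, so a location that adds its own header (the
# svg/fonts block below) does not send these unless they are repeated there.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Placeholder policy: default-src * with 'unsafe-inline'/'unsafe-eval' allows
# nearly everything and gives no real XSS mitigation; tighten it per site.
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# preload + includeSubDomains is effectively permanent once submitted to the
# preload list; every subdomain must already serve HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files — deny dotfiles (.git, .env, ...) except /.well-known
location ~ /\.(?!well-known) {
deny all;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
}
# svg, fonts — the CORS header here suppresses inheritance of the security headers above
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# brotli (requires the ngx_brotli module)
brotli on;
brotli_comp_level 6;
# The terminating ";" was missing here, which makes nginx reject the whole config.
brotli_types text/plain text/css application/json application/x-javascript text/xml text/x-component application/xhtml+xml application/xml application/rss+xml application/atom+xml text/javascript application/javascript application/x-font-ttf image/svg+xml;
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# Getting Real IP Addresses Using CloudFlare
# https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
# Cloudflare IP addresses https://www.cloudflare.com/ips
# Snapshot of the published ranges; refresh from the URL above when Cloudflare
# changes them, otherwise connections from new ranges keep the edge address.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# Honoured only for connections from the trusted ranges above, so a client that
# reaches nginx directly cannot spoof its address via this header.
real_ip_header CF-Connecting-IP;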
letsencrypt签发证书文件认证
位于/srv/www/nginx/modul/letsencrypt.conf
# ACME-challenge
# `^~` is a prefix match that stops nginx from consulting regex locations, so the
# dotfile deny in general.conf can never shadow the challenge files. The root is
# the directory passed to `certbot certonly --webroot -w`.
location ^~ /.well-known/acme-challenge/ {
root /srv/www/html/_letsencrypt;
try_files $uri =404;
}
php_fastcgi设置
位于/srv/www/nginx/modul/php_fastcgi.conf
# FastCGI module for PHP locations. Expects the including server block to have
# `set $base ...` (used by open_basedir below) and an upstream named "php".
# split path
# Separates "/script.php" from any trailing "/path/info".
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Saved before try_files, which can reset $fastcgi_path_info.
set $_fastcgi_path_info $fastcgi_path_info;
# 404
# Only hand the request to PHP if the script file actually exists on disk;
# a path that merely looks like a script gets a 404 instead.
try_files $fastcgi_script_name =404;
# default fastcgi_params
include /usr/local/nginx/conf/fastcgi_params;
# fastcgi
fastcgi_pass php;
fastcgi_index index.php;
fastcgi_buffers 8 32k;
fastcgi_buffer_size 32k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
# fastcgi params
# $realpath_root resolves symlinks, so the script path PHP sees is the real one.
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param PATH_INFO $_fastcgi_path_info;
# Confine PHP file access to the site tree, the PHP library dir and /tmp.
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
# PHP's own error responses are passed through unchanged.
fastcgi_intercept_errors off;
代理设置
位于/srv/www/nginx/modul/proxy.conf
# Reverse-proxy header set for upstreams (WebSocket-capable). Include inside a
# location that also carries proxy_pass.
proxy_http_version 1.1;
# WebSocket upgrade pass-through. Connection is forced to "upgrade" on every
# request; nginx's documented pattern is a `map $http_upgrade $connection_upgrade`
# in the http context so that plain requests keep a normal Connection header —
# that map cannot live in this file, it has to go into nginx.conf.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Client address as seen by nginx (already rewritten when the real-IP module is in effect).
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any incoming X-Forwarded-For; the upstream still has
# to decide which hops in that list it trusts.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_cache_bypass $http_upgrade;
typecho设置
位于/srv/www/nginx/modul/typecho.conf
# Typecho hardening module. The deny rules are regex locations: nginx checks
# regex locations in file order and the first match wins, so this file has to be
# included before the site's generic `location ~ ...\.php` handler, otherwise
# the .php denies below are never reached and the files get executed instead.
# Typecho:deny usr/uploads nasty stuff
location ~* ^/usr/uploads/.*\.(?:s?html?|php|js|swf)$ {
deny all;
}
# Typecho:deny usr/plugins (except earlier rules)
# Everything under /usr/plugins that an earlier regex location (e.g. the asset
# rules in general.conf) did not already claim is refused.
location ~ ^/usr/plugins {
deny all;
}
# Typecho:deny general stuff
location ~* ^/(?:xmlrpc\.php|config\.inc\.php|install\.php|readme\.html|LICENSE\.txt)$ {
deny all;
}
# Typecho:throttle admin/login.php (exact match, so it wins over every regex
# location); zone=login is defined by limit_req_zone in nginx.conf.
location = /admin/login.php {
limit_req zone=login burst=2 nodelay;
include /srv/www/nginx/modul/php_fastcgi.conf;
}
自定义设置
位于/srv/www/nginx/modul/my.conf
# Site-specific extras: legacy permalink redirect, a crude bot filter and a liveness check.
#rewrite
# Old /archives/<id>.html links are permanently redirected to /<id>.love when
# no file of the requested name exists on disk.
if (!-e $request_filename) {
rewrite ^/archives/([0-9]+)\.html$ /$1.love permanent;
}
#
# Reject common scripted clients by User-Agent. This is a nuisance filter only:
# the header is client-controlled, and "java"/"python" also match some
# legitimate tooling and monitoring agents.
if ($http_user_agent ~* "python|curl|java|wget|httpclient|okhttp") {
return 403;
}
# Liveness check; the body is a fixed literal, no request data is reflected.
location /ping {
default_type text/html;
return 200 '<script>alert("pong");</script>';
}
站点配置文件
单个站点配置文件位于/srv/www/nginx/sites-available,
并通过软链接启用到sites-enabled目录
# Enable the site: nginx.conf only includes /srv/www/nginx/sites-enabled/*, so a
# file is live exactly when it is linked there.
ln -s /srv/www/nginx/sites-available/wwww.lvmoo.com.conf /srv/www/nginx/sites-enabled/wwww.lvmoo.com.conf
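# Site file for wwww.lvmoo.com: HTTPS vhost, subdomain redirect, HTTP redirect.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name wwww.lvmoo.com;
# $base is also read by php_fastcgi.conf (open_basedir).
set $base /srv/www/html;
root $base/wwww;
# SSL
ssl_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wwww.lvmoo.com/privkey.pem;
# Needed for the OCSP stapling enabled in nginx.conf.
ssl_trusted_certificate /etc/letsencrypt/live/wwww.lvmoo.com/chain.pem;
# logging
access_log /usr/local/nginx/logs/wwww.lvmoo.com.access.log;
# index.php
index index.php;
# index.php fallback
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Modules BEFORE the .php handler: nginx tries regex locations in file order and
# stops at the first match. With the handler first, the Typecho deny rules for
# /usr/uploads/*.php, /usr/plugins and xmlrpc.php/config.inc.php/install.php
# were never reached and those files would have been executed.
include /srv/www/nginx/modul/general.conf;
include /srv/www/nginx/modul/typecho.conf;
include /srv/www/nginx/modul/my.conf;
# handle .php
location ~ [^/]\.php(/|$) {
include /srv/www/nginx/modul/php_fastcgi.conf;
}
}
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.wwww.lvmoo.com;
# SSL
# NOTE: the certonly command on this page requests only wwww.lvmoo.com, so this
# certificate does not cover *.wwww.lvmoo.com; browsers will see a certificate
# error before the redirect unless the certificate is reissued with those names.
ssl_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wwww.lvmoo.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/wwww.lvmoo.com/chain.pem;
return 301 https://wwww.lvmoo.com$request_uri;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
# Leading dot: matches the name itself and every subdomain.
server_name .wwww.lvmoo.com;
# ACME challenge stays on plain HTTP so renewals work; everything else goes to HTTPS.
include /srv/www/nginx/modul/letsencrypt.conf;
location / {
return 301 https://wwww.lvmoo.com$request_uri;
}
}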
命令总结
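# Virtual host: create symbolic link
ln -s /srv/www/nginx/sites-available/wwww.lvmoo.com.conf /srv/www/nginx/sites-enabled
# HTTPS - certbot (before first run): create ACME-challenge common directory
mkdir -p /srv/www/html/_letsencrypt && chown www-data /srv/www/html/_letsencrypt
# HTTPS - certbot (before first run): disable SSL directives
# nginx will not start while ssl_certificate points at files that do not exist
# yet, so the 443 listeners and ssl_* lines are commented out with a ";#" marker
# that the last step strips again. The path has to be the site file under
# /srv/www/nginx — the same file the enable step below edits (the old command
# pointed at /etc/nginx, which this setup does not use). Reload nginx afterwards
# so the HTTP vhost is live for the challenge.
sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /srv/www/nginx/sites-available/wwww.lvmoo.com.conf
# HTTPS - certbot: obtain certificates
certbot certonly --webroot -d wwww.lvmoo.com --email [email protected] -w /srv/www/html/_letsencrypt -n --agree-tos --force-renewal
# HTTPS - certbot (after first run): enable SSL directives (then reload nginx)
sed -i -r 's/#?;#//g' /srv/www/nginx/sites-available/wwww.lvmoo.com.conf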
以上!