
本站Nginx配置模块化

发现了一个自动化配置nginx站点网站nginxconfig.io

模块化的好处在于如果配置多个站点文件,我们可以根据不同的需求按照模块组装,不用将每个站点文件都写得那么臃肿. 并且清晰明了,于是把本站的配置文件修改了一下.

证书

使用certbot生成证书

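sudo apt-get install certbot
# First issuance with the webroot plugin: Let's Encrypt fetches
# /.well-known/acme-challenge/ from /srv/www/html/_letsencrypt, which the
# port-80 server block serves via modul/letsencrypt.conf, so that server must
# already be running.
# --force-renewal is deliberately omitted: a first issuance does not need it,
# and re-running the command with it re-issues an unexpired certificate, which
# counts against Let's Encrypt's duplicate-certificate rate limit.
sudo certbot certonly --webroot \
	-d wwww.lvmoo.com \
	--email [email protected] \
	-w /srv/www/html/_letsencrypt \
	-n --agree-tos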

证书更新

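# Dry run: exercises the whole renewal flow (challenge, webroot) without
# replacing the installed certificate.
sudo certbot renew --dry-run
# Real renewal. The nginx reload belongs in --deploy-hook, which runs only
# after a certificate was actually renewed. With --pre-hook the reload runs
# before the new files exist, so nginx keeps serving the old certificate until
# the following run. (The original command was also missing the closing quote.)
sudo certbot renew --deploy-hook "systemctl reload nginx"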

此命令会尝试续订以前获得的、并将在30天内过期的所有证书；证书剩余有效期超过30天的将会跳过。

计划任务更新，每周一1点1分执行

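# Append a weekly renewal job (Monday 01:01) to the system crontab.
# Guarded with grep so re-running this snippet does not append duplicate entries.
# Fixes vs. the original line: the reload runs in --deploy-hook (after a
# successful renewal) instead of --pre-hook, and the systemctl argument order
# is "reload nginx" ("systemctl nginx reload" is not a valid invocation).
# A distribution-packaged certbot may already ship its own timer; check before
# adding a second schedule.
grep -q 'certbot renew' /etc/crontab || {
	sudo sed -i '$a\#Renewing certificates' /etc/crontab
	sudo sed -i '$a\1 1     * * 1   root    /usr/bin/certbot renew --deploy-hook "systemctl reload nginx"' /etc/crontab
}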

吊销证书

# Revoke the certificate, e.g. after its private key has been exposed.
# Revocation does not by itself remove the files under /etc/letsencrypt/live/;
# see "certbot delete" for that if the lineage is no longer wanted.
sudo certbot revoke --cert-path /etc/letsencrypt/live/wwww.lvmoo.com/cert.pem --reason keycompromise

Nginx配置

主配置文件 位于/usr/local/nginx/conf/nginx.conf

user                 www-data;
pid                  logs/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

events {
	multi_accept       on;
	worker_connections 65535;
}

http {
	# PHP-FPM backend used by "fastcgi_pass php;" in modul/php_fastcgi.conf.
	# The unix socket is the primary server; the TCP listener is only tried
	# when the socket server is unavailable.
	upstream php {
		server unix:/usr/local/php7/var/run/www-php-fpm.sock;
		server 127.0.0.1:9000 backup;
	}

	charset              utf-8;
	sendfile             on;
	tcp_nopush           on;
	tcp_nodelay          on;
	server_tokens        off;   # no nginx version in Server header / error pages
	log_not_found        off;
	types_hash_max_size  2048;
	client_max_body_size 16M;

	# MIME
	include      mime.types;
	default_type application/octet-stream;

	# logging
	access_log /usr/local/nginx/logs/access.log;
	error_log  /usr/local/nginx/logs/error.log warn;

	# limits
	# The "login" zone is consumed by limit_req in modul/typecho.conf.
	# $binary_remote_addr should be the address restored by the Cloudflare
	# real_ip settings in modul/general.conf, not Cloudflare's edge address.
	limit_req_log_level warn;
	limit_req_zone      $binary_remote_addr zone=login:10m rate=10r/m;

	# SSL session reuse (tickets disabled; cache only)
	ssl_session_timeout 1d;
	ssl_session_cache   shared:SSL:50m;
	ssl_session_tickets off;

	# modern configuration: TLS 1.2 only, ECDHE (forward-secret) suites only
	ssl_protocols             TLSv1.2;
	ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
	ssl_prefer_server_ciphers on;

	# OCSP Stapling
	# Stapling needs a resolver to reach the OCSP responder; verification uses
	# the ssl_trusted_certificate set in each server block.
	ssl_stapling        on;
	ssl_stapling_verify on;
	resolver            1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout    2s;

	# load configs (per-site files are enabled by symlinking into sites-enabled)
	include /srv/www/nginx/conf.d/*.conf;
	include /srv/www/nginx/sites-enabled/*;
}

模块化文件

头部/缓存/压缩设置 位于/srv/www/nginx/modul/general.conf

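# security headers
# nginx inherits add_header from the enclosing level only when the current
# level defines no add_header of its own, so any location below that adds a
# header (the svg/fonts block) must repeat these or they are silently dropped
# for those responses.
add_header X-Frame-Options "SAMEORIGIN" always;
# X-XSS-Protection is a legacy header that current browsers deprecate; kept
# unchanged here for older clients.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# This policy allows every source plus inline and eval'd script, so it does
# not restrict anything yet; it is only a starting point to tighten per site.
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# HSTS with preload covers all subdomains for a year and, once submitted to
# the preload list, cannot be quickly undone.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
# Deny dotfiles (.git, .env, .htaccess, ...) anywhere in the path, except
# .well-known so the ACME challenge location keeps working.
location ~ /\.(?!well-known) {
	deny all;
}

# assets, media
# Note: access_log off means requests for these extensions never appear in
# the access log.
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
	expires 7d;
	access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
	add_header Access-Control-Allow-Origin "*";
	# Because this location has its own add_header, the server-level security
	# headers above are not inherited here and must be repeated.
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "no-referrer-when-downgrade" always;
	add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	expires 7d;
	access_log off;
}

# brotli
brotli on;
brotli_comp_level 6;
# The trailing ";" was missing on this directive; without it nginx swallowed
# the following "gzip on" as further brotli_types arguments.
brotli_types text/plain text/css application/json application/x-javascript text/xml text/x-component application/xhtml+xml application/xml application/rss+xml application/atom+xml text/javascript application/javascript application/x-font-ttf image/svg+xml;

# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

# Getting Real IP Addresses Using CloudFlare
# https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
# Cloudflare IP addresses https://www.cloudflare.com/ips
# CF-Connecting-IP is only trusted when the connection comes from one of the
# ranges below; the list is a snapshot and should be refreshed from the URL
# above, otherwise traffic from newer Cloudflare ranges is logged and
# rate-limited (limit_req_zone in nginx.conf) by the edge address instead.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;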

letsencrypt签发证书文件认证 位于/srv/www/nginx/modul/letsencrypt.conf

# ACME-challenge (HTTP-01 validation)
# The root is the same directory certbot is given with -w; this file is only
# included in the port-80 server, which is where the validator connects.
location ^~ /.well-known/acme-challenge/ {
	root /srv/www/html/_letsencrypt;
	try_files $uri =404;
}

php_fastcgi设置 位于/srv/www/nginx/modul/php_fastcgi.conf

# split path
# Separates "/script.php" from any trailing "/path/info". try_files below
# resets $fastcgi_path_info, so the value is copied into $_fastcgi_path_info
# first and that copy is what PATH_INFO receives.
fastcgi_split_path_info ^(.+\.php)(/.+)$;
set $_fastcgi_path_info $fastcgi_path_info;

# 404
# Only hand the request to PHP-FPM if the script file itself exists on disk;
# a request like /image.jpg/x.php therefore gets a 404 instead of reaching PHP.
try_files $fastcgi_script_name =404;

# default fastcgi_params
include /usr/local/nginx/conf/fastcgi_params;

# fastcgi
# "php" is the upstream defined in nginx.conf (unix socket, TCP backup).
fastcgi_pass                    php;
fastcgi_index                   index.php;
fastcgi_buffers                 8 32k;
fastcgi_buffer_size             32k;
fastcgi_busy_buffers_size       128k;
fastcgi_temp_file_write_size    256k;

# fastcgi params
# $realpath_root resolves symlinks, so PHP sees the real on-disk path.
fastcgi_param DOCUMENT_ROOT     $realpath_root;
fastcgi_param SCRIPT_FILENAME   $realpath_root$fastcgi_script_name;
fastcgi_param PATH_INFO         $_fastcgi_path_info;
# Confines PHP file access to the site base ($base is set in the site's
# server block), the PHP library directory and /tmp.
fastcgi_param PHP_ADMIN_VALUE   "open_basedir=$base/:/usr/lib/php/:/tmp/";
# PHP's own error responses are passed through rather than replaced by nginx
# error pages.
fastcgi_intercept_errors        off;

代理设置 位于/srv/www/nginx/modul/proxy.conf

# Reverse-proxy defaults, meant to be included inside a location that has its
# own proxy_pass (no site file on this page includes it yet).
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;

# WebSocket upgrade pass-through.
# NOTE: "Connection: upgrade" is sent on every proxied request, not only when
# the client asked for an upgrade; the nginx-documented form uses a
# "map $http_upgrade $connection_upgrade" in the http context and passes
# $connection_upgrade here.
proxy_set_header Upgrade    $http_upgrade;
proxy_set_header Connection "upgrade";

# Original request details for the backend
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;

typecho设置 位于/srv/www/nginx/modul/typecho.conf

# NOTE: the rules below are regex / exact-match locations. nginx uses the first
# matching regex location in order of appearance, so this file has to be
# included in the site file BEFORE the generic "location ~ [^/]\.php(/|$)"
# handler, otherwise the .php deny rules never apply.

# Typecho:deny usr/uploads nasty stuff
# Uploaded files must never be executed (php) or rendered as script/markup.
location ~* ^/usr/uploads/.*\.(?:s?html?|php|js|swf)$ {
	deny all;
}

# Typecho:deny usr/plugins (except earlier rules)
# Blocks everything under usr/plugins that an earlier regex location (e.g. the
# static-asset rules in general.conf, when that file is included first) has not
# already claimed.
location ~ ^/usr/plugins {
	deny all;
}

# Typecho:deny general stuff
# Installer, XML-RPC endpoint, configuration and bundled text files.
location ~* ^/(?:xmlrpc\.php|config\.inc\.php|install\.php|readme\.html|LICENSE\.txt)$ {
	deny all;
}

# Typecho:throttle the login page (/admin/login.php)
# Uses the "login" limit_req_zone from nginx.conf (10 requests/minute per
# client address, burst of 2, no delay). An exact-match location does not fall
# through to the generic .php handler, so php_fastcgi.conf is included here.
location = /admin/login.php {
	limit_req zone=login burst=2 nodelay;
	include /srv/www/nginx/modul/php_fastcgi.conf;
}

自定义设置 位于/srv/www/nginx/modul/my.conf

# Legacy URL rewrite: /archives/<id>.html -> /<id>.love, only when no file or
# directory of that name exists on disk ("return" and "rewrite" are the uses
# of "if" that nginx documents as safe).
if (!-e $request_filename) {
	rewrite ^/archives/([0-9]+)\.html$ /$1.love permanent;
}

# Reject common scripted clients by User-Agent (case-insensitive substring
# match). The header is client-supplied, so this only filters tooling that
# sends its default string, not a deliberate client.
if ($http_user_agent ~* "python|curl|java|wget|httpclient|okhttp") {
	return 403;
}

# Reachability check with a fixed, static response body.
location /ping {
	default_type text/html;
	return 200 '<script>alert("pong");</script>';
}

站点配置文件

单个站点配置文件位于/srv/www/nginx/sites-available

并进行软链接操作

# Enable the site: nginx.conf includes /srv/www/nginx/sites-enabled/*, so the
# file kept in sites-available is symlinked there.
ln -s /srv/www/nginx/sites-available/wwww.lvmoo.com.conf /srv/www/nginx/sites-enabled/wwww.lvmoo.com.conf
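server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name wwww.lvmoo.com;
	# $base is also read by modul/php_fastcgi.conf (open_basedir).
	set $base /srv/www/html;
	root $base/wwww;

	# SSL (files written by the certbot commands above)
	ssl_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/wwww.lvmoo.com/privkey.pem;
	# chain.pem is what ssl_stapling_verify (nginx.conf) checks OCSP responses against.
	ssl_trusted_certificate /etc/letsencrypt/live/wwww.lvmoo.com/chain.pem;

	# logging
	access_log /usr/local/nginx/logs/wwww.lvmoo.com.access.log;

	# index.php
	index index.php;

	# index.php fallback
	location / {
		try_files $uri $uri/ /index.php?$query_string;
	}

	# Module includes come BEFORE the generic .php handler. nginx takes the
	# first matching regex location in order of appearance, so the deny rules in
	# typecho.conf (xmlrpc.php, config.inc.php, install.php, usr/uploads/*.php)
	# only take effect if they are declared ahead of "location ~ [^/]\.php".
	# With the original order the .php handler matched first and those files were
	# executed instead of denied. general.conf is kept ahead of typecho.conf (the
	# "except earlier rules" convention), which means its static-asset location
	# still claims /usr/uploads/*.js before the uploads deny rule; the .php,
	# .html and .swf denies are unaffected.
	include /srv/www/nginx/modul/general.conf;
	include /srv/www/nginx/modul/typecho.conf;
	include /srv/www/nginx/modul/my.conf;

	# handle .php
	location ~ [^/]\.php(/|$) {
		include /srv/www/nginx/modul/php_fastcgi.conf;
	}
}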

# subdomains redirect
# NOTE(review): this server presents the wwww.lvmoo.com certificate, but the
# certbot command above only requested -d wwww.lvmoo.com, so a browser visiting
# a subdomain over HTTPS will get a name-mismatch error before this redirect is
# ever sent; the redirect only works if the certificate also covers the
# subdomains.
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name *.wwww.lvmoo.com;

	# SSL
	ssl_certificate /etc/letsencrypt/live/wwww.lvmoo.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/wwww.lvmoo.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/wwww.lvmoo.com/chain.pem;

	return 301 https://wwww.lvmoo.com$request_uri;
}

# HTTP redirect
# Plain-HTTP listener for the apex and all subdomains (".wwww.lvmoo.com"
# matches both). Only the ACME challenge path is served here; everything else
# is sent to the HTTPS apex.
server {
	listen 80;
	listen [::]:80;

	server_name .wwww.lvmoo.com;

	# /.well-known/acme-challenge/ must stay reachable over port 80 for
	# certbot's webroot issuance and renewals.
	include /srv/www/nginx/modul/letsencrypt.conf;

	location / {
		return 301 https://wwww.lvmoo.com$request_uri;
	}
}

命令总结

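# Virtual host: create symbolic link (nginx.conf includes sites-enabled/*)
ln -s /srv/www/nginx/sites-available/wwww.lvmoo.com.conf /srv/www/nginx/sites-enabled

# HTTPS - certbot (before first run): create ACME-challenge common directory,
# owned by the nginx worker user ("user www-data" in nginx.conf)
mkdir -p /srv/www/html/_letsencrypt && chown www-data /srv/www/html/_letsencrypt

# HTTPS - certbot (before first run): disable SSL directives so nginx can start
# without the not-yet-existing certificate files. The sed turns
# "listen 443 ssl http2;" into "listen 443;# ssl http2;" and prefixes the
# ssl_* lines with "#;#"; the re-enable step below strips both markers again.
# Path fixed: the site file lives under /srv/www/nginx, not /etc/nginx.
# The edit only takes effect after a config test and reload.
sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /srv/www/nginx/sites-available/wwww.lvmoo.com.conf
nginx -t && systemctl reload nginx

# HTTPS - certbot: obtain certificates
# (--force-renewal omitted: not needed for a first issuance, and on re-runs it
# re-issues an unexpired certificate against the duplicate-certificate rate limit)
certbot certonly --webroot -d wwww.lvmoo.com --email [email protected] -w /srv/www/html/_letsencrypt -n --agree-tos

# HTTPS - certbot (after first run): enable SSL directives and reload
sed -i -r 's/#?;#//g' /srv/www/nginx/sites-available/wwww.lvmoo.com.conf
nginx -t && systemctl reload nginx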

以上!

Licensed under CC BY-NC-SA 4.0