Remember: ECS server -> Security Group -> Access Rules -> open ports as needed, e.g. 80, 443, 5000.
2023-11-2: cleaned up naming. Since the folder (mini) already acts as a namespace, the socket file no longer needs a specific name like mini.sock; it is uniformly called uwsgi.sock, which makes changes easier.
uwsgi
Application 1
[uwsgi]
# source directory
chdir=/www/crm/source
module=app
callable=app
master=true
processes=4
http=0.0.0.0:5000
socket=/www/crm/uwsgi/uwsgi.sock
buffer-size=65535
pidfile=/www/crm/uwsgi/uwsgi.pid
chmod-socket=777
logfile-chmod=644
daemonize=/www/crm/uwsgi/uwsgi.log
static-map = /static=/www/crm/source/static
Application 2 (change the port number and the application name in the paths)
[uwsgi]
# source directory
chdir=/www/mini/source
module=app
callable=app
master=true
processes=4
http=0.0.0.0:5001
socket=/www/mini/uwsgi/uwsgi.sock
buffer-size=65535
pidfile=/www/mini/uwsgi/uwsgi.pid
chmod-socket=777
logfile-chmod=644
daemonize=/www/mini/uwsgi/uwsgi.log
static-map = /static=/www/mini/source/static
nginx
Install
yum install nginx
Start / stop / inspect
service nginx start
service nginx stop
ps -ef | grep nginx
fuser -n tcp 80
Reverse proxy
Map subdomains to different port numbers
Create a configuration file reverse_proxy.conf and put it in /etc/nginx/conf.d
server
{
listen 80;
server_name uns.xsource.cc;
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:5000;
}
}
server
{
listen 80;
server_name mini.xsource.cc;
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:5001;
}
}
Switch to socket mode (the socket already carries the port information), which is said to be faster; also configure static resources, which gains a bit more speed.
(On renewal, repeat this step: change back to listening on port 80; change ssl on to ssl off; leave everything else unchanged; restart nginx)
server
{
listen 80;
server_name uns.xsource.cc;
location / {
include uwsgi_params;
uwsgi_pass unix:/www/crm/uwsgi/uwsgi.sock;
uwsgi_read_timeout 1800;
uwsgi_send_timeout 300;
}
location /static {
alias /www/crm/source/static/;
}
}
server
{
listen 80;
server_name mini.xsource.cc;
location / {
include uwsgi_params;
uwsgi_pass unix:/www/mini/uwsgi/uwsgi.sock;
uwsgi_read_timeout 1800;
uwsgi_send_timeout 300;
}
location /static {
alias /www/mini/source/static/;
}
}
ssl
Install openssl
If it is already installed, running the commands below simply checks that.
[root@xsource ssl]# yum install openssl
Nothing to do.
[root@xsource ssl]# yum install openssl-devel
Installed:
keyutils-libs-devel-1.5.10-9.al8.x86_64 krb5-devel-1.18.2-22.0.1.al8.x86_64 libcom_err-devel-1.45.6-4.0.1.al8.x86_64 libkadm5-1.18.2-22.0.1.al8.x86_64 libselinux-devel-2.9-5.1.al8.x86_64
libsepol-devel-2.9-3.0.1.al8.x86_64 libverto-devel-0.3.2-2.al8.x86_64 openssl-devel-1:1.1.1k-7.0.1.al8.x86_64 pcre2-devel-10.32-3.0.1.al8.x86_64 pcre2-utf16-10.32-3.0.1.al8.x86_64
pcre2-utf32-10.32-3.0.1.al8.x86_64
Request an SSL certificate
Not sure what each of these means; just run them in order. Don't mistype the hostname.
[root@xsource ssl]# openssl genrsa 4096 > account.key
Generating RSA private key, 4096 bit long modulus (2 primes)
[root@xsource ssl]# openssl genrsa 4096 > domain.key
Generating RSA private key, 4096 bit long modulus (2 primes)
[root@xsource ssl]# openssl req -new -sha256 -key domain.key -out domain.csr
Common Name (eg, your name or your server's hostname) []:mini.xsource.cc
Create the challenges folder
mkdir /www/mini/challenges
Then configure it in nginx, adding it to each server block in the config file. This must be configured first, otherwise the acme-tiny script below fails. (Remember that the Flask login interceptor must let through URLs with the /.well-known prefix; then restart uwsgi and nginx)
location /.well-known/acme-challenge/ {
alias /www/mini/challenges/;
try_files $uri =404;
}
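The login-interceptor exemption mentioned above, as an added example (not code from the original notes): it lets through only exact HTTP-01 challenge URLs rather than the whole /.well-known prefix, so the exemption cannot be widened by path tricks. Flask is imported lazily so the path check runs on its own; `install_login_gate`, its `is_logged_in` callback and the `/login` redirect target are assumptions.

```python
import re
from urllib.parse import urlsplit

# HTTP-01 tokens are base64url characters (RFC 8555); anchoring the pattern
# rejects extra segments, dots, percent-escapes and a trailing slash.
ACME_CHALLENGE_RE = re.compile(r"/\.well-known/acme-challenge/[A-Za-z0-9_-]+")


def is_acme_challenge_path(path: str) -> bool:
    """True only for an exact /.well-known/acme-challenge/<token> URL.

    A plain startswith('/.well-known') check would also exempt paths such as
    /.well-known/../admin or /.well-known/acme-challenge/../../admin from the
    login gate; the anchored token pattern rejects those.
    """
    path = urlsplit(path).path  # ignore any query string / fragment
    return ACME_CHALLENGE_RE.fullmatch(path) is not None


def install_login_gate(app, is_logged_in, login_url="/login"):
    """Register a before_request hook on a Flask app (hypothetical helper).

    is_logged_in is a caller-supplied callback that returns True for an
    authenticated session; Flask is imported here, not at module level, so
    the path check above is usable without Flask installed.
    """
    from flask import redirect, request

    @app.before_request
    def require_login():
        if is_acme_challenge_path(request.path):
            return None  # let the CA fetch the token file nginx serves from /challenges
        if request.path == login_url or is_logged_in():
            return None
        return redirect(login_url)

    return require_login
```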
Download and run acme-tiny
(On renewal, repeat this step: python3.6 ... )
I installed python3.11; don't run it with 3.11, it reports an error; use the system's 3.6.
At this step, I had mistyped the domain name by one letter (missing an r) when generating the key files earlier, and spent 3 hours troubleshooting...
(If the wget below hangs, use a proxy, download it, then upload it to Alibaba Cloud)
[root@xsource ssl]# wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
[root@xsource ssl]# python3.6 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ../challenges/ > ./signed.crt
Parsing account key...
Parsing CSR...
Found domains: mini.xsource.cc
Getting directory...
Directory found!
Registering account...
Registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/913134437
Creating new order...
Order created!
Verifying mini.xsource.cc...
mini.xsource.cc verified!
Signing certificate...
Certificate signed!
Next, merge the several key/certificate files
Don't understand it; just follow along and study it later (in any case, there are 9 files at the end)
(On renewal, repeat this step: only run the first two commands, the wget and the cat)
(Then restore the nginx config file and restart)
[root@xsource ssl]# wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
[root@xsource ssl]# cat signed.crt intermediate.pem > chained.pem
[root@xsource ssl]# wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
[root@xsource ssl]# cat intermediate.pem root.pem > full_chained.pem
[root@xsource ssl]# ls
account.key chained.pem domain.key intermediate.pem signed.crt
acme_tiny.py domain.csr full_chained.pem root.pem
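A sanity check for the nine files in the directory listing above, as an added example (not from the original notes): it counts the PEM certificates in each bundle, verifies that chained.pem starts with the leaf certificate (so the cat order was right), and flags private keys readable by other users. File names follow the notes; which nginx directive each bundle feeds is stated in the comments as an assumption from the usual acme-tiny layout, and `make_sample_bundle` writes a constructed bundle with fake PEM bodies for testing.

```python
import os
import re
import tempfile

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
# Certificates expected per file (names as in the notes). Assumed use in nginx:
# chained.pem -> ssl_certificate, full_chained.pem -> ssl_trusted_certificate.
EXPECTED = {"signed.crt": 1, "intermediate.pem": 1, "root.pem": 1,
            "chained.pem": 2, "full_chained.pem": 2}
PRIVATE_KEYS = ("account.key", "domain.key")

def certs_in(path):
    with open(path, encoding="ascii") as fh:
        return PEM_CERT_RE.findall(fh.read())

def check_cert_bundle(ssl_dir):
    """Return a list of problems; an empty list means the bundle looks sane."""
    problems, found = [], {}
    for name, want in EXPECTED.items():
        try:
            found[name] = certs_in(os.path.join(ssl_dir, name))
        except FileNotFoundError:
            problems.append(f"{name}: missing")
            continue
        if len(found[name]) != want:
            problems.append(f"{name}: expected {want} certificate(s), found {len(found[name])}")
    # nginx needs the leaf first: `cat` in the wrong order silently breaks the chain
    if {"signed.crt", "chained.pem"} <= found.keys() and found["chained.pem"][:1] != found["signed.crt"]:
        problems.append("chained.pem: first certificate is not signed.crt")
    for name in PRIVATE_KEYS:  # the notes never restrict key file permissions
        path = os.path.join(ssl_dir, name)
        if os.path.exists(path) and os.stat(path).st_mode & 0o077:
            problems.append(f"{name}: readable by group/others, chmod 600 it")
    return problems

def make_sample_bundle(protect_keys=False, cat_order_ok=True):
    """Write a constructed bundle (fake PEM bodies) to a temp dir; return its path."""
    def pem(*tags):
        return "".join(f"-----BEGIN CERTIFICATE-----\n{t}\n-----END CERTIFICATE-----\n" for t in tags)
    d = tempfile.mkdtemp()
    files = {"signed.crt": pem("LEAF"), "intermediate.pem": pem("INT"), "root.pem": pem("ROOT"),
             "chained.pem": pem("LEAF", "INT") if cat_order_ok else pem("INT", "LEAF"),
             "full_chained.pem": pem("INT", "ROOT"), "account.key": "FAKE\n", "domain.key": "FAKE\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
        if name.endswith(".key"):
            os.chmod(os.path.join(d, name), 0o600 if protect_keys else 0o644)
    return d
```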
Configure https in nginx
Everything before was preparation, all for this final step (for multiple subdomain server blocks, repeat it for each; each requests its own certificate)
server
{
listen 443;
server_name mini.xsource.cc;
ssl on;
ssl_certificate /www/mini/ssl/chained.pem;
ssl_certificate_key /www/mini/ssl/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_session_cache shared:SSL:50m;
location / {
include uwsgi_params;
uwsgi_pass unix:/www/mini/uwsgi/uwsgi.sock;
uwsgi_read_timeout 1800;
uwsgi_send_timeout 300;
}
location /static {
alias /www/mini/source/static/;
}
location /.well-known/acme-challenge {
alias /www/mini/challenges/;
}
}