nginx的基本配置

1. 安装nginx

下载源配置

vi  /etc/yum.repos.d/nginx.repo

编辑输入并保存一下内容

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

查看版本

nginx -v

启动并设置开机启动nginx

systemctl enable nginx
systemctl start nginx

###配置防火墙
这个时候会发现服务器ip地址可以ping通，但是浏览器里面无法访问，就需要防火墙开启端口

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports

使用let’s encrypt配置https
记得安装必要的第三方库 lrzsz wget和git

下载

git clone https://github.com/certbot/certbot.git

cd letsencrypt

单域名

 ./certbot-auto certonly -d likui.me 

泛域名

 ./certbot-auto certonly --preferred-challenges dns --manual -d likui.me -d *.likui.me --server https://acme-v02.api.letsencrypt.org/directory

泛域名的其他配置方式

certbot的参数在这里https://www.4spaces.org/certbot-command-line-tool-usage-document/

接下来就是配置基本信息了
如果出现如下信息

 - Unable to install the certificate

说明server_name没有配置域名
出现如下信息则表示成功：

nginx配置

server {
    listen 80;
    server_name  likui.me www.likui.me *.likui.me;
    return 301 https://$server_name$request_uri;
}
server {
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    listen     443 ssl http2;
    server_name  likui.me www.likui.me *.likui.me;

    charset utf-8;
    access_log  /var/log/nginx/host.access.log  main;
        sendfile on;
        tcp_nopush  on;
        server_tokens off;      #隐藏版本号

    location / {
        root   /usr/share/nginx/html;
        index  home.html home.htm;
    }
     location ~ \.php$ {
                include snippets/fastcgi-php.conf;
        #       # With php-fpm (or other unix sockets):
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        }

    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    ssl_certificate /etc/letsencrypt/live/likui.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/likui.me/privkey.pem;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "HIGH:!RC4:!3DES:!ADH:!aDSS:!aNULL:!kPSK:!kSRP:!MD5:!kRSA:!CAMELLIA:@STRENGTH:+SHA1:+kRSA";
    ssl_stapling on;
    ssl_stapling_verify on;

    
}

查看ssl_ciphers的可选择的加密套件

###测试证书正确度
使用ssllabs或者myssl来测试证书配置的强度和正确性

安装GoAccess
区分手机和pc返回不同的网页

 location / {
         root /usr/share/nginx/pc;
         if ($http_user_agent ~* '(Android|webOS|iPhone|iPod|BlackBerry)') {
            root /usr/share/nginx/mobile;
         }
         index index.html;
        }

其他配置的参考