### Install nginx
Add the nginx package repository:
```shell
vi /etc/yum.repos.d/nginx.repo
```
Enter the following content and save the file:
```ini
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
# gpgcheck=1 makes yum verify every package signature against the key below
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
```
Check the version:
```shell
nginx -v
```
Start nginx and enable it at boot:
```shell
systemctl enable nginx
systemctl start nginx
```
### Configure the firewall
At this point you will find that the server's IP address answers ping but the site cannot be reached from a browser, so the ports have to be opened in the firewall:
```shell
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
```
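The last command prints what is actually exposed, and it is worth comparing that against what the host is supposed to expose rather than reading it by eye. The script below is an added example, not part of the original post: it takes the text of `firewall-cmd --zone=public --list-ports` (a constructed sample, matching the commands above) and an allowlist (an assumption here: ssh, http and https only), and reports ports that are open without being on the list or on the list without being open. Nothing in it calls `firewall-cmd` itself.

```shell
#!/bin/sh
# Added example (not from the original post): check the ports firewalld exposes
# against the ports this host is meant to expose.

# Constructed sample: what --list-ports prints after the four add-port commands.
SAMPLE_LIST_PORTS="80/tcp 8080/tcp 443/tcp 22/tcp"

# Assumed policy for this host: ssh, http, https. 8080 is deliberately absent
# so the sample shows up as a deviation.
EXPECTED_PORTS="22/tcp 80/tcp 443/tcp"

# unexpected_ports OPEN EXPECTED -> prints each open port not in EXPECTED, one per line
unexpected_ports() {
    open=$1
    expected=$2
    for p in $open; do
        case " $expected " in
            *" $p "*) ;;                # on the allowlist
            *) printf '%s\n' "$p" ;;    # open but not allowed
        esac
    done
}

# missing_ports OPEN EXPECTED -> prints each expected port that is not open, one per line
missing_ports() {
    open=$1
    expected=$2
    for p in $expected; do
        case " $open " in
            *" $p "*) ;;                # open as expected
            *) printf '%s\n' "$p" ;;    # expected but closed
        esac
    done
}

# audit_ports OPEN EXPECTED -> prints a summary of deviations; returns 0 only
# when the open set and the expected set are identical
audit_ports() {
    extra=$(unexpected_ports "$1" "$2")
    missing=$(missing_ports "$1" "$2")
    [ -n "$extra" ] && printf 'open but not in policy: %s\n' "$(printf '%s' "$extra" | tr '\n' ' ')"
    [ -n "$missing" ] && printf 'in policy but not open: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
    [ -z "$extra" ] && [ -z "$missing" ]
}

# Demo when run directly: the sample exposes 8080, which the policy does not cover.
audit_ports "$SAMPLE_LIST_PORTS" "$EXPECTED_PORTS" || echo "firewall exposure does not match policy"
```

On a real host, replace the constructed sample with `$(firewall-cmd --zone=public --list-ports)`; ranges such as `8000-8010/tcp` are compared as one literal entry, so list them in the policy in the same form.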
### Configure HTTPS with Let's Encrypt
Remember to install the necessary third-party packages first: lrzsz, wget and git.
Download:
```shell
git clone https://github.com/certbot/certbot.git
cd certbot
```
Single domain:
```shell
./certbot-auto certonly -d likui.me
```
Wildcard domain:
```shell
# the wildcard is quoted so the shell does not expand it as a file glob
./certbot-auto certonly --preferred-challenges dns --manual -d likui.me -d '*.likui.me' --server https://acme-v02.api.letsencrypt.org/directory
```
Other ways to configure a wildcard domain:
certbot's command-line options are documented here: https://www.4spaces.org/certbot-command-line-tool-usage-document/
Next comes the basic configuration.
If the following message appears:
- Unable to install the certificate
it means that `server_name` has not been configured with the domain.
If the following appears, it was successful:
### nginx configuration
```nginx
server {
    listen 80;
    server_name likui.me www.likui.me *.likui.me;
    # $server_name expands to the first name in the server_name list (likui.me),
    # so every host is redirected there; use $host to keep the requested host
    return 301 https://$server_name$request_uri;
}
server {
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block"; # legacy header; current Chrome and Firefox no longer implement the auditor
    listen 443 ssl http2;
    server_name likui.me www.likui.me *.likui.me;
    charset utf-8;
    access_log /var/log/nginx/host.access.log main;
    sendfile on;
    tcp_nopush on;
    server_tokens off; # hide the version number
    location / {
        root /usr/share/nginx/html;
        index home.html home.htm;
    }
    location ~ \.php$ {
        # snippets/fastcgi-php.conf and the php7.2-fpm.sock path come from the
        # Debian/Ubuntu packages; adjust both to the php-fpm install on this host
        include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        # With php-cgi (or other tcp sockets):
        # fastcgi_pass 127.0.0.1:9000;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    ssl_certificate /etc/letsencrypt/live/likui.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/likui.me/privkey.pem;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "HIGH:!RC4:!3DES:!ADH:!aDSS:!aNULL:!kPSK:!kSRP:!MD5:!kRSA:!CAMELLIA:@STRENGTH:+SHA1:+kRSA";
    ssl_stapling on;
    ssl_stapling_verify on;
}
```
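Before handing a config like the one above to `nginx -t`, it helps to check the hardening settings mechanically, since a single commented-out or mistyped directive silently reverts to the nginx default. The script below is an added example, not part of the original post or of nginx: it runs a few regex checks over two constructed server blocks (a weak one and one that follows the settings above) for `server_tokens off`, the HSTS header, `ssl_protocols` without TLSv1/TLSv1.1, OCSP stapling, the port-80 redirect, and the `$server_name` redirect gotcha. It is a line-based check, not an nginx parser, so it assumes one site per file and directives written on single lines.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of an nginx server
# block for the hardening settings recommended above. It only reads config text.

# Constructed sample 1: a TLS server block with the usual "it works" weaknesses.
WEAK_CONF='
server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
}
'

# Constructed sample 2: the same site with the settings from the post, plus a
# $host-based redirect that preserves the requested host name.
HARDENED_CONF='
server {
    listen 80;
    server_name example.test www.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.test www.example.test;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
}
'

# active_lines CONF -> the config with comments stripped, so a commented-out
# directive is not mistaken for an active one
active_lines() {
    printf '%s\n' "$1" | sed 's/#.*//'
}

# has_directive CONF REGEX -> true when an uncommented line matches REGEX (ERE)
has_directive() {
    active_lines "$1" | grep -Eq "$2"
}

# report MSG -> prints one finding and counts it in the global n
report() {
    n=$((n + 1))
    printf '  - %s\n' "$1"
}

# audit_nginx_conf CONF -> prints one line per finding; returns 0 only when clean
audit_nginx_conf() {
    conf=$1
    n=0
    has_directive "$conf" 'server_tokens[[:space:]]+off' \
        || report "server_tokens is not off: the version is leaked in headers and error pages"
    has_directive "$conf" 'add_header[[:space:]]+Strict-Transport-Security' \
        || report "no HSTS header: browsers will still accept plain http for this host"
    has_directive "$conf" 'ssl_protocols[^;]*TLSv1(\.0|\.1)?([[:space:]]|;)' \
        && report "ssl_protocols still allows TLSv1/TLSv1.1"
    has_directive "$conf" 'ssl_stapling[[:space:]]+on' \
        || report "ssl_stapling is off: clients must fetch OCSP responses themselves"
    has_directive "$conf" 'listen[[:space:]]+80[[:space:];]' \
        && ! has_directive "$conf" 'return[[:space:]]+301[[:space:]]+https://' \
        && report "port 80 server does not redirect to https"
    has_directive "$conf" 'return[[:space:]]+301[[:space:]]+https://\$server_name' \
        && report "redirect uses \$server_name (first name only); prefer \$host"
    [ "$n" -eq 0 ]
}

# count_findings CONF -> prints the number of findings for CONF
count_findings() {
    audit_nginx_conf "$1" >/dev/null || :
    printf '%s\n' "$n"
}

# Demo when run directly: the weak sample lists its problems, the hardened one is clean.
echo "== weak sample =="
audit_nginx_conf "$WEAK_CONF" || echo "-> $n finding(s)"
echo "== hardened sample =="
audit_nginx_conf "$HARDENED_CONF" && echo "-> clean"
```

Run against the post's own configuration, the only finding is the `$server_name` note, since that block redirects every host to `likui.me`. To see which suites the `ssl_ciphers` string above actually selects on the server, `openssl ciphers -v '<the string>'` prints them one per line with their key exchange and MAC.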
Viewing the cipher suites available for ssl_ciphers
### Test the certificate
Use SSL Labs or myssl to test the strength and correctness of the certificate configuration.
### Install GoAccess
### Serve different pages to phones and PCs
```nginx
location / {
    root /usr/share/nginx/pc;
    # a User-Agent containing one of these tokens gets the mobile tree instead
    # (iPad is not listed, so it receives the PC site); a map $http_user_agent
    # block in the http context that sets a root variable is the cleaner form
    if ($http_user_agent ~* '(Android|webOS|iPhone|iPod|BlackBerry)') {
        root /usr/share/nginx/mobile;
    }
    index index.html;
}
```
### References for other configuration