openresty 编译安装
安装
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz
安装缺失环境
yum install GeoIP-devel GeoIP -y yum insetall gcc-c++ make gcc -y
编译
./configure --prefix=/opt/openresty \ --user=nobody --group=nobody \ --http-client-body-temp-path=client_temp \ --http-proxy-temp-path=proxy_temp \ --http-fastcgi-temp-path=fastcgi_temp \ --http-uwsgi-temp-path=uwsgi_temp \ --with-http_ssl_module --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-file-aio \ --with-openssl=/root/openssl-1.0.2t \ --with-poll_module \ --with-http_geoip_module \ --with-http_sub_module \ --with-http_v2_module \ --with-pcre \ --with-stream \ --with-http_realip_module \ --with-http_stub_status_module \ --with-http_geoip_module --with-mail \ --with-http_mp4_module \ --with-http_flv_module \ --with-http_auth_request_module \ --with-http_realip_module \ --with-http_image_filter_module
nginx.conf 配置
user nobody;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log logs/error.log crit;
pid /var/run/nginx.pid;
# Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 1024M;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
#access_log /var/log/nginx/access.log main;
access_log off;
# Mime settings
include mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
real_ip_header CF-Connecting-IP;
# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;
# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;
# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}
# File cache settings
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers X-Requested-With;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken';
add_header PS 1;
# Wildcard include
include vhost/*.conf;
}
ssl证书签发
ssl.conf 前面文件
server {
listen 80;
server_name xx.xxx.xxx;
location ^~ /.well-known/acme-challenge/ {
alias /var/www/dehydrated/;
}
}
签发工具
git clone https://github.com/lukas2511/dehydrated.git /etc/dehydrated/dehydrated -c -d xx.xxx.xx 第一次执行 mdkir /var/www/dehydrated 提示创建 /etc/dehydrated/dehydrated --register --accept-terms 服务器证书生成 /etc/dehydrated/dehydrated -c -d docs.notescn.cn 最后签发
ssl域名配置
upstream docs {
server 127.0.0.1:8080 max_fails=1 fail_timeout=30s weight=9;
}
server {
listen 80;
server_name xxx.xxx.xxx;
location ^~ /.well-known/acme-challenge/ {
alias /var/www/dehydrated/;
}
location / {
rewrite ^/(.*)$ https://$server_name/$1 permanent;
}
}
server {
listen 443 ssl http2;
server_name xxx.xxx.xxx;
ssl_certificate /etc/dehydrated/certs//xxx.xxx.xxx/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs//xxx.xxx.xxx/privkey.pem;
ssl_session_timeout 5m;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://docs/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_cache_valid 200 302 1m;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Cache-Control no-cache;
add_header Cache-Control no-store;
#expires 888s;
}
location /static {
root /var/www/wiki/; # MM-Wiki 的根目录
expires 1d;
add_header Cache-Control public;
access_log off;
}
}
