openresty 编译安装

安装

wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz 

安装缺失环境

yum install   GeoIP-devel GeoIP  -y
yum insetall gcc-c++ make gcc -y

编译

./configure  --prefix=/opt/openresty  \ 
  --user=nobody  --group=nobody \
  --http-client-body-temp-path=client_temp  \  
  --http-proxy-temp-path=proxy_temp \
  --http-fastcgi-temp-path=fastcgi_temp \
  --http-uwsgi-temp-path=uwsgi_temp  \
  --with-http_ssl_module  
  --with-http_gunzip_module     \
  --with-http_gzip_static_module    \
  --with-file-aio    \
  --with-openssl=/root/openssl-1.0.2t    \
  --with-poll_module       \
  --with-http_geoip_module       \
  --with-http_sub_module      \
  --with-http_v2_module      \
  --with-pcre       \
  --with-stream    \ 
  --with-http_realip_module \
  --with-http_stub_status_module     \
  --with-http_geoip_module --with-mail \
  --with-http_mp4_module  \
  --with-http_flv_module \
  --with-http_auth_request_module  \ 
  --with-http_realip_module  \ 
  --with-http_image_filter_module
  

nginx.conf  配置

user                   nobody;
worker_processes        auto;
worker_rlimit_nofile    65535;
error_log               logs/error.log crit;
pid                     /var/run/nginx.pid;


# Worker config
events {
        worker_connections  1024;
        use                 epoll;
        multi_accept        on;
}


http {
    # Main settings
    sendfile                        on;
    tcp_nopush                      on;
    tcp_nodelay                     on;
    client_header_timeout           1m;
    client_body_timeout             1m;
    client_header_buffer_size       2k;
    client_body_buffer_size         256k;
    client_max_body_size            1024M;
    large_client_header_buffers     4   8k;
    send_timeout                    30;
    keepalive_timeout               60 60;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;
    server_names_hash_max_size      512;
    server_names_hash_bucket_size   512;


    # Log format
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    #access_log          /var/log/nginx/access.log main;
    access_log off;


    # Mime settings
    include             mime.types;
    default_type        application/octet-stream;


    # Compression
    gzip                on;
    gzip_comp_level     9;
    gzip_min_length     512;
    gzip_buffers        8 64k;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";


    # Proxy settings
    proxy_redirect      off;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header   Set-Cookie;
    proxy_connect_timeout   90;
    proxy_send_timeout  90;
    proxy_read_timeout  90;
    proxy_buffers       32 4k;


    real_ip_header     CF-Connecting-IP;


    # SSL PCI Compliance
    ssl_session_cache   shared:SSL:10m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


    # Error pages
    error_page          403          /error/403.html;
    error_page          404          /error/404.html;
    error_page          502 503 504  /error/50x.html;


    # Cache settings
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path  /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;


    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }


    # File cache settings
    open_file_cache          max=10000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   off;
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Headers X-Requested-With;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken';
    add_header PS 1;

    # Wildcard include
    include             vhost/*.conf;

}

  

ssl证书签发


 

ssl.conf 前面文件

server {
    listen 80;
    server_name xx.xxx.xxx;
location ^~ /.well-known/acme-challenge/ {
    alias /var/www/dehydrated/;
      }

} 

  

签发工具

git clone https://github.com/lukas2511/dehydrated.git

/etc/dehydrated/dehydrated  -c -d xx.xxx.xx 第一次执行 

mdkir  /var/www/dehydrated 提示创建

/etc/dehydrated/dehydrated --register --accept-terms 服务器证书生成

 /etc/dehydrated/dehydrated  -c -d docs.notescn.cn 最后签发

  

 

ssl域名配置

upstream  docs {
server 127.0.0.1:8080  max_fails=1 fail_timeout=30s weight=9;
}
server {
    listen 80;
    server_name xxx.xxx.xxx;
location ^~ /.well-known/acme-challenge/ {
    alias /var/www/dehydrated/;
      }
  location / {
  rewrite ^/(.*)$ https://$server_name/$1 permanent;
   }
}    
server {
    listen 443 ssl http2;
    server_name xxx.xxx.xxx;
    ssl_certificate /etc/dehydrated/certs//xxx.xxx.xxx/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs//xxx.xxx.xxx/privkey.pem;
    ssl_session_timeout  5m;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers  on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
    proxy_pass http://docs/;
    proxy_redirect   off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10m;
    client_body_buffer_size    128k;
    proxy_send_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers     4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    proxy_cache_valid 200 302 1m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Cache-Control no-cache;
    add_header Cache-Control no-store;
    #expires     888s;

    }
    location /static {
        root        /var/www/wiki/; # MM-Wiki 的根目录
        expires     1d;
        add_header  Cache-Control public;
        access_log  off;
    }
}

  

 

 

 

posted @ 2019-10-07 12:53  Boks  阅读(1984)  评论(0编辑  收藏  举报