Centos7 nginx反向代理gitea和grafana&钉钉告警
1 安装nginx
yum install -y gcc make pcre-devel zlib-devel openssl-devel
wget https://nginx.org/download/nginx-1.20.1.tar.gz
tar -zxvf nginx-1.20.1.tar.gz
cd nginx-1.20.1
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
make install
vi /etc/systemd/system/nginx.service
=======================================================
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | [Unit]Description=nginx - high performance web serverAfter=network.target remote-fs.target nss-lookup.target[Service]Type=forkingExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.confExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.confExecReload=/usr/local/nginx/sbin/nginx -s reloadExecStop=/usr/local/nginx/sbin/nginx -s stopPrivateTmp=true[Install]WantedBy=multi-user.target |
=======================================================
#设置权限和属主:
chmod 644 /etc/systemd/system/nginx.service
chown root:root /etc/systemd/system/nginx.service
2 创建nginx代理gitea和grafana的配置文件:不需要改nginx主配置文件,nginx会读取这个:
vi /etc/nginx/sites-available/gitea.conf
===================================================
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | server { listen 80; server_name gitea.sinsenliu.top; location / { return 301 https://$server_name$request_uri; }}server { listen 443 ssl; server_name sinsenliu.top; access_log /usr/local/nginx/logs/gitea_access.log; error_log /usr/local/nginx/logs/gitea_error.log; ssl_certificate /usr/local/keys/www.sinsenliu.top.pem; ssl_certificate_key /usr/local/keys/www.sinsenliu.top.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_pass http://192.168.238.10:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-NginX-Proxy true; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} |
===================================================
vi /etc/nginx/sites-available/grafana.conf
===================================================
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | server { listen 80; server_name granfana.sinsenliu.top; location / { return 301 https://$server_name$request_uri; }}server { listen 443 ssl; server_name grafana.sinsenliu.top; access_log /usr/local/nginx/logs/grafana_access.log; error_log /usr/local/nginx/logs/grafana_error.log; ssl_certificate /usr/local/keys/grafana.sinsenliu.top.pem; ssl_certificate_key /usr/local/keys/grafana.sinsenliu.top.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_pass http://192.168.238.11:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-NginX-Proxy true; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} |
===================================================
/usr/local/nginx/sbin/nginx -t #检查nginx配置文件语法
/usr/local/nginx/sbin/nginx -s reload # 企业环境一般不重启,而是reload
浏览器分别访问:
gitea.sinsenliu.top
granfana.sinsenliu.top
-----
-----------------------------------------------------------------------------------
3 监控上述https证书到期时间,剩余时间小于10天报警到钉钉:
vi /usr/local/scripts/certcheck.sh
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | #!/bin/bash# 设置证书文件路径CERT_FILE="/usr/local/keys/www.sinsenliu.top.pem"# 设置域名DOMAIN="sinsenliu.top"# 设置钉钉机器人 WebhookWEBHOOK_URL="https://oapi.dingtalk.com/robot/send?access_token=d5cf34808fecf21f2906fa1ef9b28b07cddda6ca4e20b6c858ea3d05eb394446"# 获取证书到期时间(以秒为单位)expiry_date=$(openssl x509 -noout -enddate -in $CERT_FILE | cut -d= -f 2)# 打印证书到期时间echo "Certificate for $DOMAIN expires on: $expiry_date"# 将到期时间转换为时间戳expiry_timestamp=$(date -d "$expiry_date" +%s)# 获取当前时间(以秒为单位)current_timestamp=$(date +%s)# 计算到期时间与当前时间的差值(以天为单位)days_until_expiry=$(( ($expiry_timestamp - $current_timestamp) / 86400 ))# 如果到期时间小于 400 天,则触发钉钉告警if [ $days_until_expiry -lt 400 ]; then # 发送钉钉告警,消息中包含关键词 "OMG" message="{\"msgtype\": \"text\",\"text\": {\"content\": \"域名 $DOMAIN 的证书 $CERT_FILE 到期时间小于 400 天,剩余天数:$days_until_expiry OMG\"}}" curl -H "Content-Type: application/json" -d "$message" $WEBHOOK_URLfi |
#赋权限:
chmod +x /usr/local/scripts/certcheck.sh
#创建定时任务
crontab -e #内容如下:
1 | 0 10 * * * /bin/bash /usr/local/scripts/certcheck.sh #每天上午10点运行脚本 |
#效果:(为让运行脚本后立刻报警,就设定400天)
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 全程不用写代码,我用AI程序员写了一个飞机大战
· DeepSeek 开源周回顾「GitHub 热点速览」
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 记一次.NET内存居高不下排查解决与启示
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了