Centos7 nginx反向代理gitea和grafana&钉钉告警

1 安装nginx

yum install -y gcc make pcre-devel zlib-devel openssl-devel
wget https://nginx.org/download/nginx-1.20.1.tar.gz
tar -zxvf nginx-1.20.1.tar.gz
cd nginx-1.20.1
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
make install

vi /etc/systemd/system/nginx.service
=======================================================

[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

 

=======================================================

#设置权限和属主：
chmod 644 /etc/systemd/system/nginx.service
chown root:root /etc/systemd/system/nginx.service

2 创建nginx代理gitea和grafana的配置文件：不需要改nginx主配置文件，nginx会读取这个：

vi /etc/nginx/sites-available/gitea.conf
===================================================

server {
    listen 80;
    server_name gitea.sinsenliu.top;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name sinsenliu.top;
    access_log  /usr/local/nginx/logs/gitea_access.log;
    error_log   /usr/local/nginx/logs/gitea_error.log;
    ssl_certificate     /usr/local/keys/www.sinsenliu.top.pem;
    ssl_certificate_key /usr/local/keys/www.sinsenliu.top.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.168.238.10:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

　　

===================================================

vi /etc/nginx/sites-available/grafana.conf
===================================================

server {
    listen 80;
    server_name granfana.sinsenliu.top;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name grafana.sinsenliu.top;
    access_log  /usr/local/nginx/logs/grafana_access.log;
    error_log   /usr/local/nginx/logs/grafana_error.log;
    ssl_certificate     /usr/local/keys/grafana.sinsenliu.top.pem;
    ssl_certificate_key /usr/local/keys/grafana.sinsenliu.top.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.238.11:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

===================================================

/usr/local/nginx/sbin/nginx -t #检查nginx配置文件语法

/usr/local/nginx/sbin/nginx -s reload # 企业环境一般不重启，而是reload

浏览器分别访问：
gitea.sinsenliu.top
granfana.sinsenliu.top

 

-----

 

 

-----------------------------------------------------------------------------------

3 监控上述https证书到期时间，剩余时间小于10天报警到钉钉：
vi /usr/local/scripts/certcheck.sh

#!/bin/bash

# 设置证书文件路径
CERT_FILE="/usr/local/keys/www.sinsenliu.top.pem"

# 设置域名
DOMAIN="sinsenliu.top"

# 设置钉钉机器人 Webhook
WEBHOOK_URL="https://oapi.dingtalk.com/robot/send?access_token=d5cf34808fecf21f2906fa1ef9b28b07cddda6ca4e20b6c858ea3d05eb394446"

# 获取证书到期时间（以秒为单位）
expiry_date=$(openssl x509 -noout -enddate -in $CERT_FILE | cut -d= -f 2)

# 打印证书到期时间
echo "Certificate for $DOMAIN expires on: $expiry_date"

# 将到期时间转换为时间戳
expiry_timestamp=$(date -d "$expiry_date" +%s)

# 获取当前时间（以秒为单位）
current_timestamp=$(date +%s)

# 计算到期时间与当前时间的差值（以天为单位）
days_until_expiry=$(( ($expiry_timestamp - $current_timestamp) / 86400 ))

# 如果到期时间小于 400 天，则触发钉钉告警
if [ $days_until_expiry -lt 400 ]; then
  # 发送钉钉告警，消息中包含关键词 "OMG"
  message="{\"msgtype\": \"text\",\"text\": {\"content\": \"域名 $DOMAIN 的证书 $CERT_FILE 到期时间小于 400 天，剩余天数：$days_until_expiry OMG\"}}"
  curl -H "Content-Type: application/json" -d "$message" $WEBHOOK_URL
fi

#赋权限：
chmod +x /usr/local/scripts/certcheck.sh

 

#创建定时任务
crontab -e #内容如下：

0 10 * * * /bin/bash /usr/local/scripts/certcheck.sh #每天上午10点运行脚本

#效果：（为让运行脚本后立刻报警，就设定400天）