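Installing Nginx on CentOS, and everything related to HTTPS certificates
Before installing nginx, make sure the system has g++, gcc, openssl-devel, pcre-devel and zlib-devel installed. Install the required packages: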
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc
Ubuntu:
sudo apt-get install libpcre3 libpcre3-dev libssl-dev zlib1g-dev
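Download and extract (replace x.y.z with the release you want; the commands below use 1.14.2):
wget http://nginx.org/download/nginx-x.y.z.tar.gz
tar -zvxf nginx-1.14.2.tar.gz
After extracting, configure: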
cd nginx-1.14.2
./configure --user=www --group=www --prefix=/main/server/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-pcre --with-pcre-jit --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-stream --with-stream_ssl_module
Configuration summary
  + using system PCRE library
  + OpenSSL library is not used
  + using builtin md5 code
  + sha1 library is not found
  + using system zlib library

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx configuration prefix: "/usr/local/nginx/conf"
  nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
  nginx pid file: "/usr/local/nginx/logs/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"
Then compile and install:
make
make install
make -f objs/Makefile install
make[1]: Entering directory `/usr/local/nginx-1.6.0'
test -d '/usr/local/nginx' || mkdir -p '/usr/local/nginx'
test -d '/usr/local/nginx/sbin' || mkdir -p '/usr/local/nginx/sbin'
test ! -f '/usr/local/nginx/sbin/nginx' || mv '/usr/local/nginx/sbin/nginx' '/usr/local/nginx/sbin/nginx.old'
cp objs/nginx '/usr/local/nginx/sbin/nginx'
test -d '/usr/local/nginx/conf' || mkdir -p '/usr/local/nginx/conf'
cp conf/koi-win '/usr/local/nginx/conf'
cp conf/koi-utf '/usr/local/nginx/conf'
cp conf/win-utf '/usr/local/nginx/conf'
test -f '/usr/local/nginx/conf/mime.types' || cp conf/mime.types '/usr/local/nginx/conf'
cp conf/mime.types '/usr/local/nginx/conf/mime.types.default'
test -f '/usr/local/nginx/conf/fastcgi_params' || cp conf/fastcgi_params '/usr/local/nginx/conf'
cp conf/fastcgi_params '/usr/local/nginx/conf/fastcgi_params.default'
test -f '/usr/local/nginx/conf/fastcgi.conf' || cp conf/fastcgi.conf '/usr/local/nginx/conf'
cp conf/fastcgi.conf '/usr/local/nginx/conf/fastcgi.conf.default'
test -f '/usr/local/nginx/conf/uwsgi_params' || cp conf/uwsgi_params '/usr/local/nginx/conf'
cp conf/uwsgi_params '/usr/local/nginx/conf/uwsgi_params.default'
test -f '/usr/local/nginx/conf/scgi_params' || cp conf/scgi_params '/usr/local/nginx/conf'
cp conf/scgi_params '/usr/local/nginx/conf/scgi_params.default'
test -f '/usr/local/nginx/conf/nginx.conf' || cp conf/nginx.conf '/usr/local/nginx/conf/nginx.conf'
cp conf/nginx.conf '/usr/local/nginx/conf/nginx.conf.default'
test -d '/usr/local/nginx/logs' || mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/logs' || mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/html' || cp -R html '/usr/local/nginx'
test -d '/usr/local/nginx/logs' || mkdir -p '/usr/local/nginx/logs'
make[1]: Leaving directory `/usr/local/nginx-1.6.0'
Create the www user:
/usr/sbin/groupadd -f www
/usr/sbin/useradd -g www www
Also, to build an nginx module from source, specify the module's source path at configure time:
./configure --prefix=/usr/local/nginx --add-module=/usr/local/fastdfs-nginx-module/src
Some modules, such as the TCP proxy module, need a patch applied first; otherwise compilation fails:
patch -p1 < /main/nginx_tcp_proxy_module-0.4.5/tcp.patch
Then run configure, make and make install again.
That's it for today; I'll add a section on installing the cache module another day.
Generating a self-signed IP certificate and configuring an HTTPS proxy for Jupyter:
For generating a self-signed certificate for an IP address, see: https://www.cnblogs.com/qiyueqi/p/11551238.html
First generate the root certificate:
openssl genrsa -out local.key 2048
openssl req -new -key local.key -out local.csr
openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Then sign a server certificate with the root:
openssl genrsa -out my_server.key 2048
openssl req -new -key my_server.key -out my_server.csr
openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
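`openssl x509 -req` adds extensions only when it is given `-extfile`, so a certificate that clients reach by IP address needs its subjectAltName supplied that way. The script below is an added example, not part of the original post: it builds a throwaway root and a server certificate with an IP SAN, then verifies both the chain and the address. The function names, the files ca.cnf and server.ext, the CN values and the documentation address 192.0.2.10 are assumptions.

```sh
#!/bin/sh
# Added example: throwaway root CA plus a server certificate valid for an IP.
# Assumed names: make_ip_cert, check_ip_cert, ca.cnf, server.ext, CN values.

# make_ip_cert DIR IP -> writes local.{key,crt} and my_server.{key,csr,crt}
make_ip_cert() {
    dir=$1; ip=$2
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'CN = Example Local Root' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
    # Extensions for the server certificate; x509 -req takes them from -extfile.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = IP:$ip" > "$dir/server.ext"
    # Root: self-signed, marked CA:TRUE by the v3_ca section above.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/local.key" -out "$dir/local.crt" 2>/dev/null || return 1
    # Server key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -subj "/CN=$ip" \
        -keyout "$dir/my_server.key" -out "$dir/my_server.csr" 2>/dev/null || return 1
    # Sign the CSR with the root, attaching the SAN.
    openssl x509 -req -sha256 -days 365 -in "$dir/my_server.csr" \
        -CA "$dir/local.crt" -CAkey "$dir/local.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/my_server.crt" 2>/dev/null || return 1
    # Private keys readable by the owner only.
    chmod 600 "$dir/local.key" "$dir/my_server.key"
}

# check_ip_cert DIR IP -> 0 if the chain verifies and the certificate covers IP
check_ip_cert() {
    openssl verify -CAfile "$1/local.crt" -verify_ip "$2" \
        "$1/my_server.crt" >/dev/null 2>&1
}

# Usage in a scratch directory, with a constructed documentation address:
#   d=$(mktemp -d) && make_ip_cert "$d" 192.0.2.10 && check_ip_cert "$d" 192.0.2.10
```

Clients then need local.crt imported as a trusted root; local.key should stay off the nginx host, which only needs my_server.crt and my_server.key.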
Configure the HTTPS certificate in nginx:
server {
    listen 9999 ssl;
    server_name localhost;

    #ssl_certificate /main/nginx/conf/keys/fullchain.pem;
    #ssl_certificate_key /main/nginx/conf/keys/privkey.pem;
    ssl_certificate /main/nginx/conf/keys/my_server.crt;
    ssl_certificate_key /main/nginx/conf/keys/my_server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location /jupyter {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }

    location / {
        deny all;
        root html;
        index index.html index.htm;
    }
}
Generating a certificate with standalone certbot for a domain on Cloudflare; Docker mode is recommended:
- First pull the certbot/dns-cloudflare image.
- Then obtain a token that can edit DNS and put it in cloudflare.ini under secrets; for details see: https://blog.sofunnyai.com/article/certbot-docker.html
- Finally, run the following docker command to generate the certificate:
docker run -it --rm --name certbot \
    -v "/main/letsencrypt:/etc/letsencrypt" \
    -v "/main/letsencrypt/var/lib:/var/lib/letsencrypt" \
    -v "/main/letsencrypt/secrets:/root/.secrets" \
    certbot/dns-cloudflare certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
    --dns-cloudflare-propagation-seconds 60 \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -d xxx.com -d '*.xxx.com'