Skip to main content

3 posts tagged with "nginx"

View All Tags

· 2 min read
docker create \
  --name=letsencrypt \
  -v "$PWD/lets":/config \
  -e EMAIL=825407762@qq.com \
  -e URL=825407762.com \
  -e SUBDOMAINS=www \
  -e VALIDATION=http \
  -p 80:80 -p 443:443 \
  -e TZ=PRC \
  linuxserver/letsencrypt
## pfx => pem => key crt
# pfx => pem
openssl pkcs12 -in a.pfx -nodes -out a.pem
openssl rsa -in a.pem -out a.key
openssl x509 -in a.pem -out a.crt
kubectl create secret tls ccm-https --key a.key --cert a.crt --namespace=gim-uat
## k8s https 3 层
# pfx => crt
openssl pkcs12 -in a.pfx -nokeys -out a -passin 'pass:Welcome123'
# pfx => key
openssl pkcs12 -in a.pfx -nocerts -out b -nodes -passin 'pass:Welcome123'
cat a | base64 -w 0
cat b | base64 -w 0

Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf

session settings

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

Diffie-Hellman parameter for DHE cipher suites

ssl_dhparam /config/nginx/dhparams.pem;

ssl certs

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

protocols

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

HSTS, remove # from the line below to enable HSTS

#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

OCSP Stapling

ssl_stapling on; ssl_stapling_verify on;

certbot

certbot-auto certonly --webroot -w /alidata/www -d 825407762.com -d www.825407762.com

docker

docker run -it -v "$PWD":/mk -w /mk -v "$PWD"/__cicd__/ssl:/etc/letsencrypt certbot/certbot certonly \
  --webroot --agree-tos --work-dir /mk --email 82547762@qq.com -d www.825407762.com -d 825407762.com -d hub.825407762.com

  location /.well-known {
    root /www/certbot;
  }
docker run -it -v "$PWD":/mk -w /mk -v "$PWD"/ssl:/etc/letsencrypt certbot/certbot certonly \
  --webroot --agree-tos --work-dir /mk --email 82547762@qq.com \
  -d ws.bitdata.com.cn \
  -d admin.bitdata.com.cn
docker run -it -v "$PWD":/mk -w /mk -v "$PWD"/ssl:/etc/letsencrypt certbot/certbot:v0.25.1 certonly \
  --webroot --agree-tos --work-dir /mk --email 82547762@qq.com \
  -d m.bitdata.com.cn \
  -d api.bitdata.com.cn \
  -d www.bitdata.com.cn \
  -d download.bitdata.com.cn
  -d admin.bitdata.com.cn
docker run -it -v "$PWD":/mk -w /mk -v "$PWD"/ssl:/etc/letsencrypt certbot/certbot:v0.25.1 certonly \
  --webroot --agree-tos --work-dir /mk --email 82547762@qq.com \
  -d bitdata.com.cn \
  -d s1.bitdata.com.cn

# input 输入webroot
/mk

· 2 min read

doc

反向代理

server {
    listen       80 default_server;
    server_name  _;
    root         /;
}
server {
    listen       80;
    server_name  a.test.zx5435.com;

    location / {
        proxy_redirect      off;
        proxy_set_header    Host      $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        proxy_pass          http://127.0.0.1:666;
    }
}

location 优先级问题

https://www.cnblogs.com/IPYQ/p/7889399.html
location ^~ /images/ {
    # 匹配任何以 /images/ 开头的地址,匹配符合以后,停止往下搜索正则,采用这一条。
}

ali最佳配置

配置解释 http://blog.csdn.net/tjcyjd/article/details/50695922 配置解释 每一行 https://segmentfault.com/a/1190000016385662

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" $http_host '
                            '$status $request_length $body_bytes_sent "$http_referer" '
                            '"$http_user_agent"  $request_time $upstream_response_time';

ssl最佳配置

https://gist.github.com/fotock/9cf9afc2fd0f813828992ebc4fdaad6f

user  www www;
worker_processes  1;

error_log  /alidata/log/nginx/error.log crit;
pid        /alidata/server/nginx/logs/nginx.pid;

worker_rlimit_nofile 65535;

events
{
    use epoll;
    worker_connections 65535;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #charset  gb2312;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;

    sendfile on;
    tcp_nopush     on;

    keepalive_timeout 60;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types       text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    #limit_zone  crawler  $binary_remote_addr  10m;
    log_format '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
    include /alidata/server/nginx/conf/vhosts/*.conf;
}

· One min read

doc

cat /usr/local/etc/goaccess.conf

time-format %T
date-format %d/%b/%Y
log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"

cat 1.sh

#!/bin/bash
fname=$1
echo $fname
cd /alidata/log/nginx/access/
goaccess -f $fname -a > /alidata/www/log/index.html
goaccess  -a  -f /pcmoto/log/nginx/www_access.log -p /etc/goaccess.conf > /pcmoto/web/test/index.html
Overall
Unique visitors
Requested files
Requested static files
Not found URLs
Hosts
Operating Systems
Browsers
Time Distribution
Referrers URLs
Referring sites
Status codes