
3 posts tagged with "nginx"


# Create (but do not start) the linuxserver/letsencrypt container.
# VALIDATION=http means the ACME HTTP-01 challenge is answered on port 80, so
# 80 (and 443) must be reachable from the internet for this host; the certs and
# the nginx config land in ./lets (mounted as /config).
docker create \
  --name=letsencrypt \
  -p 80:80 -p 443:443 \
  -v "$PWD/lets":/config \
  -e TZ=PRC \
  -e EMAIL=825407762@qq.com \
  -e URL=825407762.com \
  -e SUBDOMAINS=www \
  -e VALIDATION=http \
  linuxserver/letsencrypt
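## pfx => pem => key crt
# pfx => pem
# -nodes writes the private key into a.pem UNENCRYPTED; a.key below is likewise
# plaintext. Keep these files off shared storage and delete them once the
# Kubernetes secret has been created.
openssl pkcs12 -in a.pfx -nodes -out a.pem
openssl rsa -in a.pem -out a.key
openssl x509 -in a.pem -out a.crt
kubectl create secret tls ccm-https --key a.key --cert a.crt --namespace=gim-uat
## k8s https 3 层 (k8s https, 3-tier: cert and key as base64 for a Secret manifest)
# The PFX password is taken from the PFX_PASS environment variable instead of
# 'pass:<password>' on the command line, where it would be recorded in shell
# history and visible in `ps` output to every user on the host. Set it with
#   read -rs PFX_PASS && export PFX_PASS
# (prompts without echo, nothing written to history).
# pfx => crt
openssl pkcs12 -in a.pfx -nokeys -out a -passin env:PFX_PASS
# pfx => key  (-nodes: plaintext key in b, see note above)
openssl pkcs12 -in a.pfx -nocerts -out b -nodes -passin env:PFX_PASS
# single-line base64 for pasting into the Secret's data: fields
base64 -w 0 a
base64 -w 0 b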

Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf

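# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Tickets off: without key rotation the ticket key generated at startup is
# reused until reload, which weakens forward secrecy for resumed sessions.
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;

# ssl certs
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

# protocols
# Changed from "TLSv1 TLSv1.1 TLSv1.2": TLS 1.0 and 1.1 are deprecated
# (RFC 8996). TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1+;
# remove it if the build is older.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# HSTS, remove # from the line below to enable HSTS
# (preload is a long-lived commitment: only enable once every subdomain serves HTTPS)
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling
# NOTE: stapling only works when a "resolver" directive is in scope so nginx can
# look up the OCSP responder; without one nginx logs a warning and sends no staple.
ssl_stapling on; ssl_stapling_verify on;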

certbot

# Obtain a certificate with the certbot-auto wrapper (now deprecated upstream)
# using the webroot plugin: challenge files are written under
# /alidata/www/.well-known/acme-challenge/ and must be served over plain HTTP
# for every -d name listed.
certbot-auto certonly --webroot \
  -w /alidata/www \
  -d 825407762.com \
  -d www.825407762.com

docker

# Same issuance through the official certbot image. The current directory is
# the webroot (mounted at /mk); ./__cicd__/ssl receives /etc/letsencrypt, i.e.
# the account key and private keys — keep it out of version control and any
# image build context.
docker run -it \
  -v "$PWD":/mk -w /mk \
  -v "$PWD"/__cicd__/ssl:/etc/letsencrypt \
  certbot/certbot certonly --webroot --agree-tos --work-dir /mk \
  --email 82547762@qq.com \
  -d www.825407762.com -d 825407762.com -d hub.825407762.com

# Serve ACME HTTP-01 challenge files for certbot's webroot plugin.
# NOTE(review): /www/certbot must be the same directory certbot writes to
# (the -w / /mk mount in the docker commands above) — confirm the mapping.
location /.well-known {
root /www/certbot;
}
# One certificate covering ws. and admin.bitdata.com.cn. ./ssl receives
# /etc/letsencrypt (account key + private keys): restrict its permissions.
docker run -it \
  -v "$PWD":/mk -w /mk \
  -v "$PWD"/ssl:/etc/letsencrypt \
  certbot/certbot certonly --webroot --agree-tos --work-dir /mk \
  --email 82547762@qq.com \
  -d ws.bitdata.com.cn \
  -d admin.bitdata.com.cn
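# Fixed: the "-d download.bitdata.com.cn" line had no trailing backslash, so
# "-d admin.bitdata.com.cn" ran as a separate shell command ("-d: command not
# found") and admin.bitdata.com.cn was silently left out of the certificate.
# NOTE(review): certbot/certbot:v0.25.1 is a 2018 release; confirm it still
# works against the current ACME endpoint before reusing this command.
docker run -it -v "$PWD":/mk -w /mk -v "$PWD"/ssl:/etc/letsencrypt certbot/certbot:v0.25.1 certonly \
  --webroot --agree-tos --work-dir /mk --email 82547762@qq.com \
  -d m.bitdata.com.cn \
  -d api.bitdata.com.cn \
  -d www.bitdata.com.cn \
  -d download.bitdata.com.cn \
  -d admin.bitdata.com.cn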
# Certificate for the apex domain and s1, same pinned image and webroot layout
# as above; ./ssl holds the resulting private keys.
docker run -it \
  -v "$PWD":/mk -w /mk \
  -v "$PWD"/ssl:/etc/letsencrypt \
  certbot/certbot:v0.25.1 certonly --webroot --agree-tos --work-dir /mk \
  --email 82547762@qq.com \
  -d bitdata.com.cn \
  -d s1.bitdata.com.cn

# input: when certbot prompts for the webroot, enter the path below (输入 webroot)
/mk


doc

反向代理 (reverse proxy)

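# Catch-all for requests whose Host matches no other server_name. The original
# had "root /;" here, which serves any world-readable file from the filesystem
# root to a client that sends an unknown Host header. Drop the connection
# instead (444 is nginx's non-standard "close without response" code).
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Reverse proxy a.test.zx5435.com to a local backend on port 666.
server {
    listen 80;
    server_name a.test.zx5435.com;

    location / {
        proxy_redirect off;
        # Pass the original Host and client address through so the backend
        # sees the real client instead of 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:666;
    }
}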

location 优先级问题 (location match priority)

https://www.cnblogs.com/IPYQ/p/7889399.html
location ^~ /images/ {
# Matches any URI beginning with /images/. Once this prefix matches, nginx stops
# searching the regex locations and uses this block (^~ = prefix match, no regex check).
}

ali 最佳配置 (recommended nginx config)

配置解释 (config explanation): http://blog.csdn.net/tjcyjd/article/details/50695922 ；每一行配置解释 (line-by-line explanation): https://segmentfault.com/a/1190000016385662

# Access-log format "main": client address, user, time, request line and Host,
# then status, request/response sizes, referer, user agent and the request and
# upstream timings. nginx escapes quotes, backslashes and control characters in
# variable values by default, so a client-supplied Host or User-Agent cannot
# inject raw quotes or newlines into the log line.
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" $http_host '
'$status $request_length $body_bytes_sent "$http_referer" '
'"$http_user_agent" $request_time $upstream_response_time';

ssl 最佳配置 (SSL best-practice config)

https://gist.github.com/fotock/9cf9afc2fd0f813828992ebc4fdaad6f

# Worker processes run as user/group www; a single worker.
user  www www;
worker_processes 1;

# "crit" keeps only critical failures: handshake failures, upstream connection
# errors and other error/warn-level messages are discarded, which leaves little
# to work with in an incident — consider "error" or "warn".
error_log /alidata/log/nginx/error.log crit;
pid /alidata/server/nginx/logs/nginx.pid;

# Per-worker open-file limit; worker_connections below should stay within it.
worker_rlimit_nofile 65535;

events
{
# epoll is the Linux event method; worker_connections caps simultaneous
# connections per worker (bounded by worker_rlimit_nofile above).
use epoll;
worker_connections 65535;
}


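http {
    include mime.types;
    default_type application/octet-stream;

    # Hide the nginx version in the Server header and on error pages; not a
    # control by itself, but it removes free version fingerprinting.
    server_tokens off;

    #charset gb2312;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Request bodies larger than 8m are rejected with 413.
    client_max_body_size 8m;

    sendfile on;
    tcp_nopush on;

    keepalive_timeout 60;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    # limit_zone is obsolete (superseded by limit_conn_zone); kept commented as in the original.
    #limit_zone crawler $binary_remote_addr 10m;
    # log_format takes a name as its first argument; the original omitted it, so
    # nginx would have treated the first quoted string as the format name.
    # Named "main" here — use it with: access_log <log-path> main;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    include /alidata/server/nginx/conf/vhosts/*.conf;
}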


doc

cat /usr/local/etc/goaccess.conf

time-format %T
date-format %d/%b/%Y
log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"

cat 1.sh

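#!/bin/bash
# Build a static GoAccess HTML report for one nginx access log.
# Usage: 1.sh <access-log-filename>   (relative to /alidata/log/nginx/access/)
set -euo pipefail

readonly log_dir=/alidata/log/nginx/access/
readonly report=/alidata/www/log/index.html

# Fail with a usage message instead of running goaccess on an empty -f value.
fname=${1:?usage: ${0##*/} <access-log-filename>}
printf '%s\n' "$fname"
# Abort if the log directory is missing rather than reading from the wrong cwd.
cd "$log_dir" || exit 1
# -a: aggregate per-host user agents. The report is written under the web root
# (/alidata/www) and lists visitor IPs, paths and referrers — make sure /log/
# is access-controlled in nginx before exposing it.
goaccess -f "$fname" -a > "$report"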
# One-off report for the pcmoto site with an explicit config file (-p). The
# output path appears to sit under a served web directory; the report exposes
# visitor IPs and paths, so restrict access to it.
goaccess \
  -f /pcmoto/log/nginx/www_access.log \
  -p /etc/goaccess.conf \
  -a > /pcmoto/web/test/index.html
Overall
Unique visitors
Requested files
Requested static files
Not found URLs
Hosts
Operating Systems
Browsers
Time Distribution
Referrers URLs
Referring sites
Status codes