下载源配置
vi /etc/yum.repos.d/nginx.repo编辑输入并保存一下内容
[nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key查看版本
nginx -v启动并设置开机启动nginx
systemctl enable nginx systemctl start nginx###配置防火墙 这个时候会发现服务器ip地址可以ping通,但是浏览器里面无法访问,就需要防火墙开启端口
firewall-cmd --zone=public --add-port=80/tcp --permanent firewall-cmd --zone=public --add-port=8080/tcp --permanent firewall-cmd --zone=public --add-port=443/tcp --permanent firewall-cmd --zone=public --add-port=22/tcp --permanent firewall-cmd --reload firewall-cmd --zone=public --list-ports使用let’s encrypt配置https 记得安装必要的第三方库 lrzsz wget和git
下载
git clone https://github.com/certbot/certbot.git cd letsencrypt单域名
./certbot-auto certonly -d likui.me泛域名
./certbot-auto certonly --preferred-challenges dns --manual -d likui.me -d *.likui.me --server https://acme-v02.api.letsencrypt.org/directory泛域名的其他配置方式
certbot的参数在这里https://www.4spaces.org/certbot-command-line-tool-usage-document/
接下来就是配置基本信息了 如果出现如下信息
- Unable to install the certificate说明server_name没有配置域名 出现如下信息则表示成功:
nginx配置
server { listen 80; server_name likui.me www.likui.me *.likui.me; return 301 https://$server_name$request_uri; } server { add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; listen 443 ssl http2; server_name likui.me www.likui.me *.likui.me; charset utf-8; access_log /var/log/nginx/host.access.log main; sendfile on; tcp_nopush on; server_tokens off; #隐藏版本号 location / { root /usr/share/nginx/html; index home.html home.htm; } location ~ \.php$ { include snippets/fastcgi-php.conf; # # With php-fpm (or other unix sockets): fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; } error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } ssl_certificate /etc/letsencrypt/live/likui.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/likui.me/privkey.pem; #include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_session_cache shared:le_nginx_SSL:1m; ssl_session_timeout 1440m; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "HIGH:!RC4:!3DES:!ADH:!aDSS:!aNULL:!kPSK:!kSRP:!MD5:!kRSA:!CAMELLIA:@STRENGTH:+SHA1:+kRSA"; ssl_stapling on; ssl_stapling_verify on; }查看ssl_ciphers的可选择的加密套件
###测试证书正确度 使用ssllabs或者myssl来测试证书配置的强度和正确性
安装GoAccess 区分手机和pc返回不同的网页
location / { root /usr/share/nginx/pc; if ($http_user_agent ~* '(Android|webOS|iPhone|iPod|BlackBerry)') { root /usr/share/nginx/mobile; } index index.html; }其他配置的参考
