Debian部署Nginx
1. nginx是什么
一个高性能的开源web服务器。高性能说明基本都够用,开源不用担心版权,比如给自己部署的 frigate, springboot, v2ray, haos等等你能在Linux上部署的各种服务都可以用它来代理。你需要一个网络良好的Linux服务器和1个域名,没有域名也没关系,下面直接部署。
2. 连接Linux服务器
通过 SSH 连接到 Debian 服务器(建议使用密钥认证而不是口令;后续步骤都需要 root 或 sudo 权限)。
3. 创建用户组用户
# Dedicated system group for the web server (same as `groupadd -r`).
sudo groupadd --system nginx
创建nginx用户组,-r表示创建的是一个系统组
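# System account for the web server with a non-interactive shell.
# On Debian `nologin` lives in /usr/sbin; /sbin/nologin only resolves on
# merged-/usr installs (useradd warns "shell ... does not exist" otherwise),
# so use the canonical path. `--system` implies no home directory.
# Note: nginx.conf later in this guide runs the workers as www-data, so this
# account is only used if the `user` directive there is changed to `nginx`.
sudo useradd --system --gid nginx --shell /usr/sbin/nologin --comment "Nginx web server" nginx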
创建一个 nginx 系统账户,-s /sbin/nologin 禁止其登录,-c 是账户描述。注意:下文 nginx.conf 中的 user 指令写的是 www-data,这个 nginx 账户实际上不会被 worker 进程使用,除非你把 user 改成 nginx(并相应调整目录属主)。
4. 创建目录配置权限
# Document root; --parents makes the command idempotent (no error if it exists).
sudo mkdir --parents /var/www/html
创建目录
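# The workers only need to READ the document root, and the 755 mode set next
# already grants that to every user. Making the web server's own account the
# owner would let a compromised worker rewrite the content it serves, so keep
# the directory root-owned instead. (In this guide the workers actually run as
# www-data per nginx.conf, so `nginx:nginx` would not even match the worker.)
sudo chown -R root:root /var/www/html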
调整目录所属用户
# rwx for the owner, read+traverse for everyone else (identical to 755),
# applied to the whole tree.
sudo chmod --recursive 0755 /var/www/html
调整目录权限。755 对其他用户只读;worker 进程读取静态文件只需要读和遍历权限,不要把写权限给它。
5. 配置日志目录
# Log directory (the Debian package creates it too; --parents keeps this a no-op then).
sudo mkdir --parents /var/log/nginx
创建日志目录
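# nginx's master process runs as root and is the one that opens the log
# files (the workers inherit the descriptors), so the worker account does
# not need to own this directory. root:adm is the Debian layout: admins in
# the `adm` group can read logs, nobody else can write here.
sudo chown -R root:adm /var/log/nginx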
调整目录所属用户
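# Access logs hold client IPs, URLs and user agents; they should not be
# world-readable. `-R 755` would also set the execute bit on any existing
# log file, so set the mode on the directory only and leave the files to
# nginx/logrotate.
sudo chmod 750 /var/log/nginx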
调整目录权限。注意访问日志里有客户端 IP 和 URL,-R 755 会让已有的日志文件对所有用户可读(还会带上可执行位),建议只对目录设置权限,且不要对其他用户开放。
6. 安装nginx
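# nginx-extras bundles the headers-more module that `more_set_headers` in
# nginx.conf needs. Refresh the package index first so the install does not
# fail on a stale cache. Note: apt starts and enables nginx via systemd
# immediately and ships a `default` site in sites-enabled.
sudo apt update && sudo apt install -y nginx-extras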
直接安装。nginx-extras 包含 headers-more 模块(下文 more_set_headers 需要它);apt 安装完成后会立即通过 systemd 启动 nginx,并在 sites-enabled 中启用一个 default 站点。
7. 编辑nginx的配置文件1
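# Everything under /etc/nginx is root-owned, so run this as root or via sudo.
# The guide says "install vim first if it is missing"; do that explicitly
# instead of finding out when the command fails.
command -v vim >/dev/null 2>&1 || sudo apt install -y vim
vim /etc/nginx/snippets/general-security.conf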
编辑安全配置文件,参考下方代码块,没有vim编辑器先下载vim编辑器
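# Security headers + dot-file deny for HTTPS vhosts.
# Include this INSIDE a `server { }` block: it contains a `location`, so it is
# not valid at http level. Nothing in this guide includes it unless the vhost
# does so explicitly — check that the 443 server has the include line.
#
# Pitfall: add_header directives are inherited from the server level only
# into locations that set no add_header of their own; a location that adds
# any header silently drops all of these. `always` also sends them on
# 4xx/5xx responses, where browsers still honour them.
#
# HSTS: two years, all subdomains, plus `preload`. Preload is a commitment:
# once the domain is submitted to the browser preload lists it is effectively
# irreversible for every subdomain, so remove `preload` until every host
# under the domain serves HTTPS correctly.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# DENY forbids framing even by the same origin; use SAMEORIGIN if the proxied
# application embeds itself in iframes.
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# Send only the origin to other sites; full URL (which may carry tokens) stays
# same-origin.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Deny dot-files and dot-directories (.git, .env, .htaccess, ...) except
# /.well-known, which ACME and other RFC 8615 services need. A `^~` prefix
# location for /.well-known/acme-challenge/ still wins over this regex.
location ~ /\.(?!well-known) {
    deny all;
}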
8. 编辑nginx的配置文件2
# Per-vhost housekeeping snippet (included from each server block).
vim -- /etc/nginx/snippets/general-vhost.conf
参考下方代码块
# Per-vhost housekeeping: browsers and crawlers request these two paths
# constantly, so keep them out of the access log and out of the error log
# when they are missing. Exact-match locations; their order is irrelevant.
# robots.txt
location = /robots.txt {
    access_log off;
    log_not_found off;
}
# favicon.ico
location = /favicon.ico {
    access_log off;
    log_not_found off;
}
9. 编辑nginx的配置文件3
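# Keep a copy of the packaged config before editing; -p preserves mode and
# timestamps so a later diff/rollback shows what was original. Root-owned
# file, so use sudo.
sudo cp -p /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bkp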
编辑前先备份文件
# Master configuration; replace its content with the block below.
vim -- /etc/nginx/nginx.conf
编辑文件,参考下方代码块
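# /etc/nginx/nginx.conf — master configuration.
# Worker account: the Debian package lays out /var/lib/nginx, the log files
# and logrotate for www-data, so the workers run as www-data. The `nginx`
# system account created earlier in this guide is therefore NOT used unless
# this line is changed (and the directories the workers write are re-owned).
user www-data;
pid /var/run/nginx.pid;
# `auto` sizes the worker pool to the CPU count; a hard-coded 4 over- or
# under-subscribes any other machine size.
worker_processes auto;
worker_rlimit_nofile 65535;
timer_resolution 50ms;
# Dynamic modules; nginx-extras installs headers-more here, which
# `more_set_headers` below depends on.
include /etc/nginx/modules-enabled/*.conf;

events {
    use epoll;
    worker_connections 1024;
    multi_accept on;
}

http {
    charset utf-8;
    sendfile on;
    tcp_nopush off;
    log_not_found off;

    # Serve large files from the thread pool instead of blocking a worker.
    aio threads;
    aio_write on;

    # Hide the version and replace the Server header entirely
    # (more_set_headers comes from the headers-more module in nginx-extras).
    server_tokens off;
    more_set_headers 'Server: My WebServer';

    include mime.types;
    default_type application/octet-stream;

    # No global access log: every vhost must set its own access_log, or
    # requests to it go unrecorded (incident response depends on these).
    access_log off;
    error_log /var/log/nginx/error.log warn;

    # Proxy buffering overrides — enable when tuning a reverse-proxy vhost.
    #proxy_temp_path /home/nginx/proxy_temp 1 2;
    #proxy_buffers 16 16k;
    #proxy_buffer_size 16k;
    server_names_hash_max_size 2048;
    server_names_hash_bucket_size 256;
    keepalive_timeout 10s;
    keepalive_requests 100;
    keepalive_disable msie6;

    # Slow-client limits: how long a client may take to send headers / body,
    # and how long nginx waits between two writes to the client.
    client_body_timeout 60;
    client_header_timeout 60;
    send_timeout 60;

    # Compression. Caveat: compressing responses that place attacker-controlled
    # input next to secrets (CSRF tokens, session data) over TLS enables
    # BREACH; static assets are safe, dynamic HTML is the application's call.
    gzip on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    gzip_vary on;
    gzip_min_length 1000;
    gzip_buffers 16 8k;
    gzip_proxied expired no-cache no-store private auth;
    gzip_comp_level 6;
    gzip_http_version 1.0;
    gzip_types text/plain text/css application/x-javascript application/javascript text/xml text/csv application/x-shockwave-flash image/svg+xml;

    # TLS defaults shared by every `listen ... ssl` vhost (the vhost files only
    # point at their certificate). They are enabled here because the site in
    # this guide is served over HTTPS; commented out they have no effect and
    # nginx's compiled-in defaults apply instead.
    # Reference: https://syslink.pl/cipherlist/
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    # Ticket keys are only rotated on restart, which weakens forward secrecy
    # on long-running servers; the shared session cache above is sufficient.
    ssl_session_tickets off;
    # TLS 1.2 is kept so clients without 1.3 are not locked out; tighten to
    # `TLSv1.3` only after checking your client population.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: ECDHE key exchange + AEAD only (TLS 1.3 suites are fixed
    # by the protocol and not chosen here). No DHE suites, so ssl_dhparam is
    # not required; re-add it only if you add EDH/DHE suites to this list.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    #ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    # ssl_ecdh_curve is left at its default (auto); pinning a single curve
    # such as secp384r1 only removes X25519 without a security gain.
    # OCSP stapling stays off: Let's Encrypt has been retiring its OCSP
    # responders, and `ssl_stapling_verify on` additionally needs
    # ssl_trusted_certificate pointing at the issuer chain. If your CA does
    # provide OCSP, enable the two stapling lines plus a resolver — prefer a
    # local caching resolver over the public ones listed (those queries
    # leave the host in clear text).
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
    #resolver_timeout 5s;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}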
10. 编辑nginx的域名配置文件
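# The vhost written here logs to /var/www/yourdomain.com/logs/ and serves
# ACME challenges from /var/www/yourdomain.com. Create them first: `nginx -t`
# opens the log files and fails with
# "open() ... failed (2: No such file or directory)" if the directory is missing.
sudo mkdir -p /var/www/yourdomain.com/logs
vim /etc/nginx/sites-available/yourdomain.com
# nginx.conf only includes sites-enabled/*, so a file that exists only in
# sites-available is never loaded. Link it in, then `nginx -t` and reload.
sudo ln -sf /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/yourdomain.com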
yourdomain.com 即你的域名,这里用域名作为配置文件名;下方以 halo 项目为例进行配置,你需要替换代码块中的 yourdomain.com。其中的证书是用 certbot 向 Let's Encrypt 申请的,路径也要相应替换,见下一步。注意 nginx.conf 只 include 了 sites-enabled,编辑完成后还要用 ln -s 把该文件链接到 /etc/nginx/sites-enabled/ 才会生效,并确保 /var/www/yourdomain.com/logs 目录已存在。
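# Reverse proxy in front of the Halo application on the loopback interface.
# Because only 127.0.0.1 can reach :8090, Halo may trust the X-Forwarded-*
# headers set below; never bind the application to a public address.
upstream halo {
    server 127.0.0.1:8090;
}

# :80 — answers the ACME HTTP-01 challenge and redirects everything else to
# HTTPS. The Debian package's `default` site (if left enabled) remains the
# default_server for :80, so requests with an unrelated Host header land
# there rather than in this redirect.
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    # Upload cap (nginx's default is 1m). 1 GiB is generous; lower it if the
    # application does not need uploads of that size.
    client_max_body_size 1024m;
    # This directory must exist before `nginx -t`: nginx opens the log files.
    access_log /var/www/yourdomain.com/logs/access.log;
    error_log /var/www/yourdomain.com/logs/error.log info;
    # `^~` makes this prefix win over the regex dot-file deny in
    # general-security.conf. The root must equal certbot's -w argument.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/yourdomain.com;
    }
    location / {
        # `return` is the canonical redirect; $request_uri keeps the original
        # path and query string. $host comes from the client's Host header,
        # which only reaches this block if it matched server_name above.
        return 301 https://$host$request_uri;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 ssl;
    # IPv6 parity with :80 — without this, v6-only clients are redirected to
    # a port that is not listening on their address family.
    listen [::]:443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    client_max_body_size 1024m;
    ##
    # Per-vhost housekeeping snippet (favicon/robots log noise).
    ##
    include /etc/nginx/snippets/general-vhost.conf;
    ##
    # Security headers (HSTS etc.) and the dot-file deny. This snippet is
    # HTTPS-only, so it is included here and not in the :80 server. Note that
    # any add_header inside a location of this server would drop them.
    ##
    include /etc/nginx/snippets/general-security.conf;
    ##
    # Logging
    ##
    access_log /var/www/yourdomain.com/logs/access.log;
    error_log /var/www/yourdomain.com/logs/error.log info;
    # fullchain.pem = leaf + intermediates, so clients can build the chain;
    # certbot keeps these symlinks current on renewal. Protocols and ciphers
    # come from the http-level settings in nginx.conf.
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_prefer_server_ciphers on;
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/yourdomain.com;
    }
    location / {
        proxy_pass http://halo;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # /404.html is itself proxied to Halo (location / catches it), so the
    # application must serve that path for this error page to be meaningful.
    error_page 404 /404.html;
    # Static page for upstream failures. `html` is relative to nginx's
    # compile-time prefix (see `nginx -V`); if 50x.html is not there the
    # client just gets a plain 404 instead of the error page.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}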
11. 安装certbot申请CA证书
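# ACME client. Root-owned package install, so use sudo like the earlier steps.
# The Debian package normally also installs a systemd timer (certbot.timer)
# that runs `certbot renew` on its own — check it before adding a cron job.
sudo apt install -y certbot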
安装certbot
# Dry run against the Let's Encrypt staging environment (--test-cert), so a
# misconfigured vhost does not burn the production rate limits. nginx must be
# running with the :80 server enabled and the webroot directory must exist.
certbot certonly --webroot --webroot-path /var/www/yourdomain.com --domain yourdomain.com --domain www.yourdomain.com --test-cert
使用 Let's Encrypt 的测试(staging)环境获取证书,这样配置错误不会消耗正式环境的签发频率限制;运行前 nginx 必须已经启动并加载了上面的 80 端口配置,且 /var/www/yourdomain.com 目录已存在。成功后再换下方正式命令获取一次(certbot 可能会询问是否保留已有的测试证书,选择重新申请/替换)。
# Same request against production. If certbot asks about the existing
# (staging) certificate, choose to renew/replace it — a staging cert must
# never be served to real clients.
certbot certonly --webroot --webroot-path /var/www/yourdomain.com --domain yourdomain.com --domain www.yourdomain.com
获取正式证书
12. 创建定时任务
# Certificate directory (certbot-managed symlinks to the newest cert/key).
cd -- /etc/letsencrypt/live/yourdomain.com
进入证书所在路径。注意这个目录由 certbot 管理(live 下是指向最新证书和私钥的符号链接,私钥只有 root 可读),自己的文件最好不要放在这里,放到 /root 等目录即可。
# Crontab entry file (cron table syntax, not a shell script); content below.
vim -- certbot-auto-renew-cron
创建自动续期的 crontab 条目文件(这是 cron 计划表,不是 shell 脚本),内容如下
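# Cron fields: minute hour day-of-month month day-of-week command.
# The original "0 2 1 /2 certbot ..." has only four fields and "/2" is not
# valid cron syntax (the asterisks were most likely lost in copy/paste), so
# `crontab` rejects it. Even read as "1st of every second month", a 60-day
# interval can miss the 30-day renewal window of a 90-day certificate.
# certbot recommends attempting renewal twice a day: `renew` is a no-op
# unless a certificate is within 30 days of expiry, and frequent retries
# cover transient failures.
#
# Webroot validation needs nginx RUNNING to serve /.well-known/acme-challenge/,
# so never stop it in --pre-hook (that made the original renewal fail).
# Reload after a successful renewal instead; --deploy-hook runs only when a
# certificate was actually renewed. Must be root's crontab (systemctl,
# /etc/letsencrypt). The Debian package usually ships certbot.timer, which
# already does this; if it is active, drop this entry and put the reload in
# /etc/letsencrypt/renewal-hooks/deploy/ instead.
0 2,14 * * * /usr/bin/certbot renew --deploy-hook "systemctl reload nginx"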
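# `crontab FILE` REPLACES the invoking user's entire crontab; merge the new
# entry with whatever is already installed instead (the `2>/dev/null` only
# hides "no crontab for root" when there is none yet). Run as root: the
# hook calls systemctl and certbot needs /etc/letsencrypt.
{ crontab -l 2>/dev/null; cat certbot-auto-renew-cron; } | crontab -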
添加到定时任务。注意 crontab 文件 会整体替换当前用户已有的 crontab;hook 里的 systemctl 和 certbot 都需要 root 权限,所以要以 root 执行。Debian 的 certbot 包通常自带 certbot.timer(systemctl list-timers 可查看),如果它已经启用就不必再加 cron。
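# Show the installed crontab, then check whether the Debian certbot package's
# own systemd timer is also present/active — if it is, the cron entry is
# redundant (two renew attempts are harmless, but the duplication should be
# deliberate, and the reload hook then belongs in renewal-hooks/deploy/).
crontab -l
systemctl list-timers --all --no-pager certbot.timer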
查看添加的定时任务
13. 注意事项1
获取证书时注意
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/www/yourdomain.com;
}
这个配置如果不正确,运行中的 nginx 就无法提供该路径,certbot 的 HTTP-01 验证会一直失败;而 Let's Encrypt 对失败的验证和签发次数都有频率限制,反复重试会被限流。所以先用 --test-cert 在测试环境验证配置,续期逻辑可用 certbot renew --dry-run 测试;这类报错几乎都是 nginx 配置问题(路径与 -w 参数不一致、站点未链接到 sites-enabled、nginx 未运行)。
14. 注意事项2
启动nginx前查看配置文件是否正确
# Parse and validate the configuration (and open its log files/certificates)
# without starting anything. The -c path is Debian's default, shown in the
# test output below.
/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
-t表示测试配置文件,返回如下内容表示没问题
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
15. 启动nginx
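# On Debian the apt install already started nginx under systemd, so running
# /usr/sbin/nginx by hand either fails with "address already in use" or
# starts a second, unmanaged master that the cron hooks' `systemctl` calls
# cannot see. Manage it through systemd instead: enable at boot and start
# if needed, then reload to pick up the edited configuration without
# dropping connections.
sudo systemctl enable --now nginx
sudo systemctl reload nginx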
启动。注意 Debian 上 apt 安装时 nginx 已经由 systemd 启动,手动运行 /usr/sbin/nginx 会报端口占用,或者起一个 systemd 管不到的进程(定时任务里的 systemctl 也就管不到它),建议用 systemctl enable --now nginx 启动、用 systemctl reload nginx 加载修改后的配置。