Web Service Setup
Nginx
- Prepare the nginx repository
Add the content below:
[nginx-stable]
name=nginx stable repo
# $releasever and $basearch are expanded by yum/dnf, so one stanza serves
# every CentOS release and architecture.
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
enabled=1
# Package signatures are checked against the vendor key below; keep this at 1
# so a tampered mirror cannot feed unsigned RPMs to the host.
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
# Disable modular filtering so the packages from this repo are visible even
# when the distribution ships nginx as a module stream.
module_hotfixes=true
Create the cache
- Install nginx
- Edit the config file
For HTTP:
#user nginx;
# One worker per CPU core.
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    #gzip on;
    #include /etc/nginx/conf.d/*.conf;

    # Plain-HTTP static file server for the tree under /data/www.
    server {
        listen 80;
        server_name localhost;
        root /data/www;
        index index.html index.htm;
        # Directory listing is enabled: every file under /data/www is
        # enumerable by any client, so keep only content meant to be public there.
        autoindex on;
        location / {
            # Serve the file, then the directory, otherwise 404.
            try_files $uri $uri/ =404;
        }
    }
}
For HTTPS:
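#user nginx;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Plain HTTP: redirect every request to the HTTPS host.
    server {
        listen 80;
        server_name wzs-yum.wistron.com;
        # The target host is a literal rather than $host, so a client-supplied
        # Host header cannot steer the redirect elsewhere.
        # `return` ends request processing, so the `rewrite` that used to follow
        # it was unreachable (and would have produced https://host//path had it
        # ever run); it has been dropped.
        return 301 https://wzs-yum.wistron.com$request_uri;
    }

    # HTTPS server: static file tree for the repository.
    # NOTE(review): the ssl_* settings below are duplicated in the :8000 server;
    # they could be declared once at http level instead.
    server {
        listen 443 ssl;
        server_name wzs-yum.wistron.com;
        # The key is read by the root master process at startup; it should be
        # readable by root only (0600) — TODO confirm the file modes under /root/ssl_key.
        ssl_certificate /root/ssl_key/wzs-yum.wistron.com.crt;
        ssl_certificate_key /root/ssl_key/wzs-yum.wistron.com.key;
        ssl_session_timeout 8m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:10m;
        # Applies to TLS 1.2 only; TLS 1.3 suites are selected by the TLS library,
        # not by ssl_ciphers.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        # HSTS for one year; `always` also attaches it to error responses.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # NOTE(review): consider `server_tokens off;` so responses stop
        # advertising the nginx version.
        root /data/www;
        index index.html index.htm;
        # Directory listing is on for the package tree; do not place anything
        # under /data/www that must not be enumerable.
        autoindex on;
        location / {
            try_files $uri $uri/ =404;
        }
    }

    # TLS front for a backend listening on loopback port 8001.
    server {
        listen 8000 ssl;
        server_name wzs-yum.wistron.com;
        ssl_certificate /root/ssl_key/wzs-yum.wistron.com.crt;
        ssl_certificate_key /root/ssl_key/wzs-yum.wistron.com.key;
        ssl_session_timeout 8m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://127.0.0.1:8001;
            # Pass the original host, client address and scheme so the backend
            # can log the real client and build correct absolute URLs.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 60s;
            proxy_read_timeout 60s;
        }
    }
}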
- Start nginx service
Caddy
自动ssl且支持自动延期SSL证书(域名需在外网能正常解析),适合外网发布
- Install caddy (for RockyLinux)
- Install caddy (for Ubuntu)
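# Add Caddy's apt repository. The signing key is fetched over TLS, de-armored
# into /usr/share/keyrings, and the downloaded source list is expected to
# reference that keyring via signed-by= (confirm after download), so apt
# verifies every package against it.
# Without pipefail a failed curl would leave an empty keyring/list behind
# while the pipeline still reports success.
set -o pipefail
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
# apt reads these files as an unprivileged user; make sure a restrictive
# umask did not leave them readable by root only.
sudo chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg
sudo chmod o+r /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
# Consistent with the first install line: sudo everywhere, non-interactive.
sudo apt install -y caddy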
- Configure caddy
Config:
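# Apex host: send everything to the www host, keeping the request path.
itk34.com {
	redir https://www.itk34.com{uri} permanent
}

# Main site: static files from /data/www.
www.itk34.com {
	root * /data/www
	file_server
	# Response compression (gzip and zstd; the client picks).
	encode gzip zstd

	# Security headers.
	header {
		# Framing only from the same origin (clickjacking).
		X-Frame-Options "SAMEORIGIN"
		# No MIME type sniffing.
		X-Content-Type-Options "nosniff"
		# NOTE(review): legacy header that current browsers ignore; the usual
		# recommendation today is "0", with the CSP below as the real control.
		X-Xss-Protection "1; mode=block"
		# Referrer policy.
		Referrer-Policy "strict-origin-when-cross-origin"
		# Content Security Policy: self plus the Tailwind CDN, Google Fonts and
		# the COS image bucket. 'unsafe-inline' in script-src weakens the script
		# restriction; keep it only while inline scripts are required.
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; img-src 'self' https://images-1253632557.cos.ap-guangzhou.myqcloud.com data:; connect-src 'self'"
		# Earlier policy without the image host, kept for reference.
		#Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; connect-src 'self'"
	}

	# Access log. `log` is a site-level directive; it was previously nested
	# inside the `header` block, where it is not a valid header field.
	log {
		output file /var/log/caddy/login-access.log
		format console
	}
}

# Image host with directory browsing enabled (every file under /data/images
# is enumerable).
images.itk34.com {
	root * /data/images
	file_server browse
}

# Docs: proxied to a local backend on port 8000.
docs.itk34.com {
	reverse_proxy http://127.0.0.1:8000
}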