Ubuntu 18.04 illustrated guide: installing nginx, configuring a web server, multiple server blocks and multiple SSL certificates
Test environment: VirtualBox VM running Ubuntu 18.04 / Tencent Cloud server running Ubuntu 18.04
Test domain: stu.wuyi.fun
Software used: nginx, certbot
Tested on: a cloud server and a home-router LAN.
1. Install and configure Ubuntu
See my earlier tutorial; 18.04 is much the same as 20.04.
Remember to install the VirtualBox Guest Additions:
Configure the network adapter so the host and the VM sit on the same subnet:
Reboot once this is done.
Ping the VM from the host to test:
Ping the host from inside the VM:
If ping fails it may be the Windows firewall; you can also try a second VM with a bridged adapter.
2. Install nginx
Update the package lists:
I used the default sources here; for switching mirrors, again see my earlier article.
sudo apt-get update
sudo apt install nginx
sudo systemctl status nginx
The output should look something like this:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: e
Active: active (running) since Thu 2023-05-18 20:30:46 CST; 28min ago
Docs: man:nginx(8)
Main PID: 12400 (nginx)
Tasks: 3 (limit: 4664)
CGroup: /system.slice/nginx.service
├─12400 nginx: master process /usr/sbin/nginx -g daemon on; master_p
├─12401 nginx: worker process
└─12402 nginx: worker process
5月 18 20:30:46 wy-VirtualBox systemd[1]: Starting A high performance web serve
5月 18 20:30:46 wy-VirtualBox systemd[1]: Started A high performance web server
Adjust the firewall:
sudo ufw allow 'Nginx Full'
sudo ufw status
If ufw reports "inactive" you can ignore it. At this point you can open http://<VM-IP> from the LAN and see your nginx page.
On the host:
Deployed successfully.
Common commands:
sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx
sudo systemctl reload nginx
sudo systemctl disable nginx
sudo systemctl enable nginx
3. Deploying server blocks
One server can provide several server blocks, which means two sites can be hosted on the same machine. The core of it is, naturally, the nginx configuration.
In a normal working environment you first need a domain name. Here, without one, an IP address can stand in. What a domain really does is direct the users who visit it to your machine, so whoever provides domain service is maintaining DNS-style infrastructure; without that the domain cannot be used. Visiting a site by raw IP is odd, but that does not matter for practising in a test environment; I will also try whether I can assign myself a domain to use inside the LAN. That is probably the territory of setting up a DNS server?
We will create a separate directory under /var/www/ for each domain hosted on this server, /var/www/domain.com/, and inside each one a public_html directory that holds that domain's website files.
The file layout is shown in the figure. Note that test.wuyi.fun here stands for your own domain or a hostname on your LAN.
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Welcome</title>
  </head>
  <body>
    <h1>Success! this is the home page!</h1>
  </body>
</html>
Give the www-data user (nginx) ownership of the directory:
sudo chown -R www-data: /var/www/test.wuyi.fun
Configuring the server block
/etc/nginx/sites-available/
/etc/nginx/sites-enabled/
Default config file:
A configuration file takes effect when it is linked from sites-available into sites-enabled.
In the default config you can see that the root is /var/www/html;
that is where the default page we just visited comes from.
server {
    listen 80;
    listen [::]:80;
    root /var/www/test.wuyi.fun/public_html;
    index index.html;
    server_name test.wuyi.fun www.test.wuyi.fun;
    access_log /var/log/nginx/test.wuyi.fun.access.log;
    error_log /var/log/nginx/test.wuyi.fun.error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}
sudo ln -s /etc/nginx/sites-available/test.wuyi.fun /etc/nginx/sites-enabled/
Check the configuration and restart:
sudo nginx -t
sudo systemctl restart nginx
Since we are on a LAN, visiting test.wuyi.fun will not reach this VM; my guess is that a DNS server is needed for that.
Now for a real server
Server: any will do; I'm using Tencent Cloud here.
After resetting the password, either a remote terminal or Tencent Cloud's own console works.
Same steps as in the VM:
sudo apt update
sudo apt install nginx
sudo systemctl status nginx
sudo ufw allow 'Nginx Full'
sudo ufw status
Success!
The next step is to get a domain for my site.
SSL and server blocks
Creating the server block
Note: replace every occurrence of stu.wuyi.fun with your own domain.
sudo mkdir -p /var/www/stu.wuyi.fun/public_html
Create index.html in this directory:
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Welcome to example.com</title>
  </head>
  <body>
    <h1>Success! example.com home page!</h1>
  </body>
</html>
sudo chown -R www-data: /var/www/stu.wuyi.fun
cd /etc/nginx/sites-available
sudo vim stu.wuyi.fun
Contents:
server {
    listen 80;
    listen [::]:80;
    root /var/www/stu.wuyi.fun/public_html;
    index index.html;
    server_name stu.wuyi.fun www.stu.wuyi.fun;
    access_log /var/log/nginx/stu.wuyi.fun.access.log;
    error_log /var/log/nginx/stu.wuyi.fun.error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}
Link the config file into the sites-enabled directory:
sudo ln -s /etc/nginx/sites-available/stu.wuyi.fun /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
Success!
Remember to add a DNS record for your domain.
Requesting and deploying SSL
Install certbot and generate the DH group:
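The server-block steps (docroot, index.html, the file in sites-available, the symlink into sites-enabled, then nginx -t) are identical for every site, whether test.wuyi.fun in section 3 or stu.wuyi.fun here, so the shell script below is an added example, not from the original post, that performs them for one domain per call. The optional PREFIX argument and the check_site helper are my own additions: with a scratch directory as prefix the script only writes files there, so it can be tried without root or nginx; with no prefix it writes under / and, when nginx is installed, runs nginx -t.

```shell
#!/bin/sh
# Added example (not from the post): create docroot, index page, server block and
# the sites-enabled link for one domain. Run once per site, e.g.
#   sudo ./make_site.sh stu.wuyi.fun
# A second argument is a PREFIX (my addition) so the script can be exercised in a
# scratch directory without touching /etc or /var.
set -u

# make_site DOMAIN [PREFIX]
make_site() {
  domain="$1"
  prefix="${2:-}"
  docroot="$prefix/var/www/$domain/public_html"
  avail="$prefix/etc/nginx/sites-available"
  enabled="$prefix/etc/nginx/sites-enabled"
  mkdir -p "$docroot" "$avail" "$enabled"

  # Same placeholder page as the post, parameterised by domain.
  cat >"$docroot/index.html" <<EOF
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Welcome to $domain</title>
  </head>
  <body>
    <h1>Success! $domain home page!</h1>
  </body>
</html>
EOF

  # Plain-HTTP server block; \$uri is escaped so nginx, not the shell, expands it.
  cat >"$avail/$domain" <<EOF
server {
    listen 80;
    listen [::]:80;
    root /var/www/$domain/public_html;
    index index.html;
    server_name $domain www.$domain;
    access_log /var/log/nginx/$domain.access.log;
    error_log /var/log/nginx/$domain.error.log;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
  ln -sf "$avail/$domain" "$enabled/$domain"

  # Only on a real system: hand the docroot to nginx's user and test the config.
  if [ -z "$prefix" ]; then
    if [ "$(id -u)" -eq 0 ]; then
      chown -R www-data: "/var/www/$domain"
    fi
    if command -v nginx >/dev/null 2>&1; then
      nginx -t
    fi
  fi
  return 0
}

# check_site DOMAIN [PREFIX]: 0 if the config, its link and the index page are in place.
check_site() {
  domain="$1"
  prefix="${2:-}"
  conf="$prefix/etc/nginx/sites-available/$domain"
  [ -f "$conf" ] || return 1
  [ -f "$prefix/etc/nginx/sites-enabled/$domain" ] || return 1
  [ -f "$prefix/var/www/$domain/public_html/index.html" ] || return 1
  grep -q "^ *server_name $domain www\.$domain;" "$conf"
}

if [ "$#" -ge 1 ]; then
  make_site "$@"
else
  printf 'usage: %s DOMAIN [PREFIX]\n' "$0" >&2
fi
```

After make_site on the real system, the remaining steps are the ones the post gives: sudo systemctl restart nginx and a DNS record for the domain.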
sudo apt update
sudo apt install certbot
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Request the certificate
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo nano /etc/nginx/snippets/letsencrypt.conf
Contents:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
sudo nano /etc/nginx/snippets/ssl.conf
Contents:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
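One thing to be aware of in the ssl.conf above: it enables TLSv1 and TLSv1.1, which RFC 8996 deprecated in 2021, and its cipher string still lists the 3DES suites (DES-CBC3-SHA). Modern clients will negotiate TLS 1.2 with an AEAD suite, but a TLS scanner will flag the legacy settings. Also, the HSTS header carries includeSubdomains and preload, which commit every subdomain to HTTPS, so set it only once all subdomains are served over TLS. The shell script below is an added example, not part of the post: it reads an nginx ssl snippet and reports deprecated protocols, weak cipher families and a few missing hardening directives. Both embedded samples are constructed: legacy_sample reproduces the relevant lines of the post's snippet (with a shortened cipher list), and hardened_sample is a TLS 1.2/1.3-only variant I wrote for comparison.

```shell
#!/bin/sh
# Added example (not from the post): audit an nginx ssl snippet for legacy TLS
# settings. Usage: ./audit_ssl_conf.sh /etc/nginx/snippets/ssl.conf
set -u

# audit_ssl_conf FILE: prints one line per finding; the return code is the number of findings.
audit_ssl_conf() {
  conf="$1"
  findings=0
  protocols=$(sed -nE 's/^[[:space:]]*ssl_protocols[[:space:]]+([^;]*);.*/\1/p' "$conf")
  ciphers=$(sed -nE "s/^[[:space:]]*ssl_ciphers[[:space:]]+'?([^';]*)'?;.*/\1/p" "$conf")

  # SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996).
  for legacy in SSLv3 TLSv1 TLSv1.1; do
    pattern=$(printf '%s' "$legacy" | sed 's/\./\\./g')
    if printf '%s\n' "$protocols" | grep -Eq "(^|[[:space:]])${pattern}([[:space:]]|$)"; then
      printf 'WARN ssl_protocols enables deprecated %s\n' "$legacy"
      findings=$((findings + 1))
    fi
  done

  # Weak suite families; "!" entries are exclusions and are skipped.
  for weak in DES-CBC3 RC4 MD5 NULL EXP-; do
    if printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^!' | grep -q "$weak"; then
      printf 'WARN ssl_ciphers still offers %s suites\n' "$weak"
      findings=$((findings + 1))
    fi
  done

  # Hardening directives the post's snippet already sets; flag them if absent.
  if ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off;' "$conf"; then
    printf 'INFO ssl_session_tickets is not off (ticket keys must then be rotated for forward secrecy)\n'
    findings=$((findings + 1))
  fi
  if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on;' "$conf" \
     && ! grep -Eq '^[[:space:]]*resolver[[:space:]]' "$conf"; then
    printf 'INFO ssl_stapling on without a resolver directive\n'
    findings=$((findings + 1))
  fi
  if ! grep -q 'Strict-Transport-Security' "$conf"; then
    printf 'INFO no HSTS header\n'
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ] && printf 'OK no legacy settings found\n'
  return "$findings"
}

# Constructed sample: the protocol/cipher lines of the post's ssl.conf (cipher list shortened).
legacy_sample() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
EOF
  printf '%s\n' "$f"
}

# Constructed sample: a TLS 1.2/1.3-only variant (my own, not from the post).
hardened_sample() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
EOF
  printf '%s\n' "$f"
}

if [ "$#" -ge 1 ]; then
  audit_ssl_conf "$1"
else
  sample=$(legacy_sample)
  audit_ssl_conf "$sample" || :
  rm -f "$sample"
fi
```

Run against the post's snippet it reports three findings (TLSv1, TLSv1.1 and the DES-CBC3 suites); the hardened sample reports none. Because the return code is the finding count, the script can gate a deployment pipeline directly.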
sudo nano /etc/nginx/sites-available/stu.wuyi.fun.conf
Contents:
server {
    listen 80;
    server_name stu.wuyi.fun www.stu.wuyi.fun;
    include snippets/letsencrypt.conf;
}
sudo ln -s /etc/nginx/sites-available/stu.wuyi.fun.conf /etc/nginx/sites-enabled/
To be safe, run nginx -t; if that errors, use sudo nginx -t.
sudo systemctl restart nginx
Again, to be safe, run nginx -t; if that errors, use sudo nginx -t.
sudo certbot certonly --agree-tos --email wuyi51io@outlook.com --webroot -w /var/lib/letsencrypt/ -d stu.wuyi.fun -d www.stu.wuyi.fun
Success!
Once the certificate has been issued we can go on to complete the configuration file.
Configuring HTTPS
sudo nano /etc/nginx/sites-available/stu.wuyi.fun.conf
server {
    listen 80;
    server_name www.stu.wuyi.fun stu.wuyi.fun;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.stu.wuyi.fun;
    ssl_certificate /etc/letsencrypt/live/stu.wuyi.fun/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stu.wuyi.fun/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stu.wuyi.fun/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://stu.wuyi.fun$request_uri;
}
server {
    listen 443 ssl http2;
    server_name stu.wuyi.fun;
    ssl_certificate /etc/letsencrypt/live/stu.wuyi.fun/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stu.wuyi.fun/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stu.wuyi.fun/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    # . . . other code
}
Combined with our original config:
server {
    listen 80;
    listen [::]:80;
    server_name www.stu.wuyi.fun stu.wuyi.fun;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.stu.wuyi.fun;
    ssl_certificate /etc/letsencrypt/live/stu.wuyi.fun/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stu.wuyi.fun/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stu.wuyi.fun/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://stu.wuyi.fun$request_uri;
}
server {
    listen 443 ssl http2;
    server_name stu.wuyi.fun;
    ssl_certificate /etc/letsencrypt/live/stu.wuyi.fun/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stu.wuyi.fun/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stu.wuyi.fun/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    # . . . other code
    root /var/www/stu.wuyi.fun/public_html;
    index index.html;
    access_log /var/log/nginx/stu.wuyi.fun.access.log;
    error_log /var/log/nginx/stu.wuyi.fun.error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}
Remember to run sudo nginx -t
and then:
sudo systemctl restart nginx
Worry-free certificates
Edit the certbot cron file so that nginx is reloaded automatically after the certificate is renewed:
sudo nano /etc/cron.d/certbot
Add the following line to the file (add it; do not replace what is already there):
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
Test the renewal; no errors means success. If something goes wrong, check the config files as usual, run nginx -t, then restart nginx:
sudo certbot renew --dry-run
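The cron line above reloads nginx unconditionally after every renewal. The script below is an added example, not from the post: a certbot deploy hook that checks the renewed lineage and nginx -t before reloading, so a configuration error never takes the site down in the middle of a renewal. RENEWED_LINEAGE and RENEWED_DOMAINS are environment variables certbot sets for deploy hooks; NGINX_TEST and NGINX_RELOAD are my own overrides so the hook can be exercised without nginx, and the install path /usr/local/sbin/nginx-safe-reload.sh is my choice.

```shell
#!/bin/sh
# Added example (not from the post): certbot deploy hook that reloads nginx only
# after the renewed certificate files and the nginx configuration check out.
# Install as /usr/local/sbin/nginx-safe-reload.sh (my chosen path) and use:
#   certbot renew --deploy-hook "/usr/local/sbin/nginx-safe-reload.sh run"
set -u

# Overridable commands (my addition) so the hook can be tested without nginx.
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

log() { printf 'nginx-safe-reload: %s\n' "$*" >&2; }

# safe_reload: 0 when nginx was reloaded; 1 if the config test failed;
# 2 if the renewed lineage lacks fullchain.pem or privkey.pem; 3 if the reload failed.
safe_reload() {
  lineage="${RENEWED_LINEAGE:-}"
  if [ -n "$lineage" ]; then
    for f in fullchain.pem privkey.pem; do
      if [ ! -s "$lineage/$f" ]; then
        log "missing or empty $lineage/$f; reload skipped"
        return 2
      fi
    done
  fi
  # Unquoted on purpose: the variables hold a command plus its arguments.
  if ! $NGINX_TEST >/dev/null 2>&1; then
    log "nginx config test failed; reload skipped, the old certificate stays in use until fixed"
    return 1
  fi
  if ! $NGINX_RELOAD; then
    log "nginx reload failed"
    return 3
  fi
  log "nginx reloaded after renewal of ${RENEWED_DOMAINS:-<unknown domains>}"
  return 0
}

# Only the explicit "run" argument triggers the hook, so sourcing this file
# for testing defines the functions without reloading anything.
case "${1:-}" in
  run) safe_reload ;;
esac
```

Because the hook returns a non-zero code when it skips the reload, certbot prints the failure in its renewal output and the cron job's mail, which is the signal to fix the config and run the reload by hand.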
With that, our domain is served over SSL:
The same goes for multiple server blocks. The method in this article configures a single domain and a single server block on its own; for several server blocks you in principle just repeat my steps. Note that certbot can request certificates for domains that do not point at the local server, so dedicating one host to that job may also be feasible; see the official documentation for details. That wraps up this article; thanks for reading.