今天吃完饭回来就在想上午的那个方案虽然可行，但是有个弊端。

就是每上一个新版本，除了上传新版本文件夹之外 还得编辑下 nginx vhost 配置，新增一个虚拟主机。

说麻烦虽然不麻烦 不过也挺烦人的。没有做到自适应，需要人工干预。

所以又折腾了一下。

配置如下：

server {
    listen       80;
    server_name  haha.17ping.cn;
    root         /data/www/sdkHoster;

    location / {
        index    index.php index.htm index.html;
        autoindex on;
    }

    location ~ /([\w\d_]+)/([\w/]*)$ {
        index    index.php index.htm index.html;
        try_files $uri $uri/ /$1/public/index.php?$query_string;
        #return 500 $1;
    }

#    location /sdk1_0 {
#       root    /data/www/sdkHoster;
#       index   index.php index.htm index.html;
#       try_files $uri $uri/ /sdk1_0/public/index.php?$query_string;
#    }

#    location /sdk1_1 {
#       root    /data/www/sdkHoster;
#       index   index.php index.htm index.html;
#       try_files $uri $uri/ /sdk1_1/public/index.php?$query_string;
#    }

    location ~ \.php$ {
        set $newurl $request_uri;
        if ($newurl ~ ^/sdk([\d_]+)(.*)$) {
                set $newurl $2;
        }
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root/$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_param REQUEST_URI $newurl;
    }

    location ~ \.(css|js|swf|php|htm|html)$ {
        add_header Cache-Control no-store;
    }

    location ~ /\.ht {
        deny  all;
    }
}

保存，重载配置。

手动复制了一份 sdk1_2 目录，重命名为sdk1_2.
访问 http://haha.17ping.cn/sdk1_2/ 成功，美滋滋。

注：本文撰写实践时参考了一下文章：
https://serverfault.com/questions/826663/nginx-location-regex-variable-not-working-with-try-file
https://stackoverflow.com/questions/33890599/nginx-match-location-with-regex
https://superuser.com/questions/330194/how-to-i-get-variables-from-location-in-nginx
http://nginx.org/en/docs/http/ngx_http_ ... l#location
http://nginx.org/en/docs/http/ngx_http_ ... log_format
http://nginx.org/en/docs/http/ngx_http_ ... tml#return
https://regex101.com/

最近公司在搞lumen 框架，需要用到一个场景。

就是
XXX.com/apiv1/controller/action
XXX.com/apiv2/controller/action
XXX.com/apiv3/controller/action
以此类推

由于lumen 比较坑，必须用项目下的public 为 server_root.

本来我们有一个很懒的解决方案就是用无限的子域名堆出无限个的virtualhost.
apiv1.XXX.com/controller/action
apiv2.XXX.com/controller/action
apiv3.XXX.com/controller/action

不过后来想到域名生效、域名子域名数量限制等问题，就放弃了。

老老实实搞nginx 配置。

经过半天的折腾，完美解决。
nginx 配置如下：

server {
    listen       80;
    server_name  haha.17ping.cn;
    root         /data/www/sdkHoster;

    location / {
        index    index.php index.htm index.html;
        autoindex on;
    }

    location /sdk1 {
        root    /data/www/sdkHoster;
        index   index.php index.htm index.html;
        try_files $uri $uri/ /sdk1/public/index.php?$query_string;
    }

    location /sdk2 {
        root    /data/www/sdkHoster;
        index   index.php index.htm index.html;
        try_files $uri $uri/ /sdk2/public/index.php?$query_string;
    }

    location ~ \.php$ {
        set $newurl $request_uri;
        if ($newurl ~ ^/sdk(\d+)(.*)$) {
                set $newurl $2;
        }
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root/$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_param REQUEST_URI $newurl;
    }

    location ~ \.(css|js|swf|php|htm|html)$ {
        add_header Cache-Control no-store;
    }

    location ~ /\.ht {
        deny  all;
    }
}

效果如下：

root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X POST http://haha.17ping.cn/sdk1/account/index
{"code":0,"message":"OK","data":{"msg":"\u5982\u9047\u8d26\u53f7\u95ee\u9898\u8bf7\u8054\u7cfbQQ:115693753"}}

root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X POST http://haha.17ping.cn/sdk2/account/index
{"code":0,"message":"OK","data":{"msg":"\u5982\u9047\u8d26\u53f7\u95ee\u9898\u8bf7\u8054\u7cfbQQ:115693753"}}
root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster#

不过这个配置有个缺点，就是如果url后面不跟任何东西的话，比如(http://haha.17ping.cn/sdk2) 就会找不到index.php.
一般这种页面 lumen 是用来打印版本信息的。

如果有人觉得强迫症不爽的话，直接从public 下面复制一个 index.php 到 上一级目录，然后修改14行的

$app = require __DIR__.'/../bootstrap/app.php';
改成
$app = require __DIR__.'/./bootstrap/app.php';

把导入的相对路径调成平级就行了。效果如下：

root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X GET http://haha.17ping.cn/sdk1/
Lumen (5.5.2) (Laravel Components 5.5.*)
root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X GET http://haha.17ping.cn/sdk2/
Lumen (5.5.2) (Laravel Components 5.5.*)
root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster#

注：本文撰写实践时参考了一下链接：
https://stackoverflow.com/questions/37366484/is-it-possible-to-install-lumen-or-laravel-only-in-a-sub-directory
https://stackoverflow.com/questions/32186105/lumen-multisite-using-subdirectories-on-nginx
https://stackoverflow.com/questions/17805576/nginx-rewrite-in-subfolder
https://laracasts.com/discuss/channels/general-discussion/nginx-setup-for-subdirectory
https://gist.github.com/mreschke/27bfafb84add38d3bab8
https://stackoverflow.com/questions/45378367/lumen-application-workwith-trailing-slash-using-nginx-server
https://stackoverflow.com/questions/34823913/lumen-in-a-subfolder-trailing-slashes-issue

最近接到邮件，说自己SSL证书将于10日内过期，于是赶紧续期。renew.

使用 letsencrypt 官方推荐的客户端 Certbot 完成操作。

下载该工具，根据各自的系统和包管理器，下载安装。

由于我的系统比较老，所以下载了 binary 文件。

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

给了执行权限，继续操作。

[root@xzx ~]# ./certbot-auto certonly --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apachectl in PATH: /opt/lighttpd/sbin:/opt/php/sbin:/opt/php/bin:/opt/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for xiazhengxin.name
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem. Your cert
   will expire on 2017-07-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

续期成功，其实我感觉是重新生成了一份新的。
查看证书存放地址：

[root@xzx ~]# ./certbot-auto certificates --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following matching certs:
  Certificate Name: xiazhengxin.name
    Domains: xiazhengxin.name
    Expiry Date: 2017-07-13 09:26:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/xiazhengxin.name/privkey.pem
-------------------------------------------------------------------------------

现在要做的就是删除老的快过期的证书，然后用新生成的替换掉它，重启WEB SERVER即可。

[root@xzx ~]# cp /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem /home/http/blog_xiazhengxin_name/ssl.pem
[root@xzx ~]# cat /etc/letsencrypt/live/xiazhengxin.name/privkey.pem >> /home/http/blog_xiazhengxin_name/ssl.pem

搞定！！！！

关于 Certbot 的用法参数说明，参见：
https://certbot.eff.org/docs/using.html#certbot-command-line-options

https://certbot.eff.org/ Certbot 官网
https://letsencrypt.org/docs/client-options/ Certbot 其他变种

最近跟风SSL，便搞了一个SSL证书到自己的网站。

到 https://startssl.com/Certificates 注册会员，验证邮箱和域名。

然后申请 Class 1 (Not Validated) 的 DV SSL Certificate for Free User (Not Validated)，这是给初级别用户的证书，因为不用验证身份证，拍照啥的。

1.Please enter the full hostname for SSL certificate (e.g: mail.domain.com):

输入自己的域名，可以是好几个子域名，换行隔开。

2.Please submit your Certificate Signing Request (CSR):

选择第一个 Generated by Myself。

在shell 执行 “openssl req -newkey rsa:2048 -keyout xxx.key -out xxx.csr ”，需要安装openssl 套件。

cat xxx.csr

把内容贴入下方的文本域，点击提交。

如下：

[root@xzx ssl]# openssl req -newkey rsa:2048 -keyout blog.key -out blog.csr
Generating a 2048 bit RSA private key
..............................................................................................................................................+++
..................+++
writing new private key to 'blog.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Sharl Jimh Tsin
Organizational Unit Name (eg, section) []:Sharl
Common Name (eg, your name or your server's hostname) []:xiazhengxin.name
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xiazhengxin
An optional company name []:
[root@xzx ssl]# cat blog.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC/zCCAecCAQAwgZ0xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTER
MA8GA1UEBwwIU2hhbmdoYWkxGDAWBgNVBAoMD1NoYXJsIEppbWggVHNpbjEOMAwG
A1UECwwFU2hhcmwxGTAXBgNVBAMMEHhpYXpoZW5neGluLm5hbWUxIzAhBgkqhkiG
9w0BCQEWFHh6eEB4aWF6aGVuZ3hpbi5uYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAt7s1Nhtmt5ZeIkOXnMeH3fFl1neUjxun/aqf52If5tTkpVqp
UuKpkzOk8nXOYiFfHsdhormo57bTuDdnG/e2mz5KXR0uE2k3zqMGGFvRfeRQHGTz
eI/xP1GhLTI8KWfN2VP9hjV6KOd992OJkceoQ+qr8wmOpt+QEbMXi7taA/q5eBEc
vjEEeFRT8V0yV6CZcylQaKAtmcM73iR5siPi8DJap4WAkKgNdlC+XymO1eDY4TDY
JzzPPDo88+6+Y6DwfbDRSEjDS40byA0SovkDShLYFkxa5vHgLWsrFGEZzgyxa4ob
Ih0VxyrEFCdFVaQlnVIL38OCBw0fdWaa5FmzbwIDAQABoBwwGgYJKoZIhvcNAQkH
MQ0MC3hpYXpoZW5neGluMA0GCSqGSIb3DQEBBQUAA4IBAQBBo5b03ATzyMjaEYfk
uSoZV3dGNydqZvcUUnaV4TxkZnjG3TntUmrCqF9lja9XqjaKk4gRClUQqivGes6S
DcfTfCcleenAhgvCAOafuhEMfK0fSx7X9c9+Mrtntmdcx8By0dhEekVRJIO2f0KE
LO19OzVCKCLcaqMwShEAjeRzfd63LhU79xFZqsPT3XgRQQJuUlId6MakbvGUTGej
1z5n+ty/uKsh/VJXIhhFrkY1rSSeSWf9qYHzQwag41XrJ9JUCS9+cLmEnGKdLmYi
Kg1/QAyTluxjYW2NVvshvbhgL5Kx+WnO9DZcghqyV8UxBDGr+sbTN6p0TmTfr+rS
mE0F
-----END CERTIFICATE REQUEST-----

跳转页面后就可以下载对应的 xxxxx.xxx.pem 文件。也可以到 首页 的 Tool Box 下面的 Certificate List 页面去下载。

170112183726840 	xiazhengxin.name 	Class 1 SSL 	2017-01-12  2020-01-12 	Issued  “下载按钮”

到这里，startssl 网站的工作就搞完了。把 pem 文件上传到自己的服务器，把它和自己的私钥合并。

[root@xzx ssl]# cat blog.key xiazhengxin.name.pem > ssl.pem
[root@xzx ssl]# cp ssl.pem /home/http/blog_xiazhengxin_name/
[root@xzx ssl]# cd /home/http/blog_xiazhengxin_name/
[root@xzx blog_xiazhengxin_name]# ll
total 92
drwxrwx--- 5 http web   4096 Apr 11  2011 admin
-rwxrwx--- 1 http web   1547 Apr 23  2013 config.inc.php
-rwxrwx--- 1 http web     53 Dec  1  2010 google7a48cd06bd7c1d66.html
-rwxrwx--- 1 http web    685 Jul  2  2009 index.php
-rwxrwx--- 1 http web  37235 Jun 21  2010 install.php
-rwxrwx--- 1 http web  15255 May 14  2008 license.txt
lrwxrwxrwx 1 http web     30 Nov  8  2014 pub -> ../static_xiazhengxin_name/pub
-rw-r--r-- 1 root root  4285 Jan 12 18:43 ssl.pem
drwxrwx--- 5 http web   4096 Apr 11  2011 usr
drwxrwx--- 5 http web   4096 Aug 15  2010 var
[root@xzx blog_xiazhengxin_name]# chmod 777 ssl.pem
[root@xzx blog_xiazhengxin_name]# chmod a-x ssl.pem

之后就是配置 lighttpd 了。确认编译lighttpd 的时候启用了 openssl 模块。

[root@xzx sbin]# ./lighttpd -V
lighttpd/1.4.35 (ssl) - a light and fast webserver
Build-Date: Nov  7 2014 02:06:04

Event Handlers:

        + select (generic)
        + poll (Unix)
        - rt-signals (Linux 2.4+)
        + epoll (Linux 2.6)
        - /dev/poll (Solaris)
        - eventports (Solaris)
        - kqueue (FreeBSD)
        - libev (generic)

Network handler:

        + linux-sendfile
        - freebsd-sendfile
        - solaris-sendfilev
        + writev
        + write
        - mmap support

Features:

        + IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL Support
        + PCRE support
        + mySQL support
        - LDAP support
        - memcached support
        + FAM support
        - LUA support
        + xml support
        + SQLite support
        + GDBM support

编辑位于 etc 下面的 lighttpd.conf 文件，加入以下配置：

$SERVER["socket"] == ":443" {
     ssl.engine                  = "enable"
     ssl.pemfile                 = "/home/http/blog_xiazhengxin_name/ssl.pem"
     server.name                 = "xiazhengxin.name"
     server.document-root        = "/home/http/blog_xiazhengxin_name"
}

重启 lighttpd,输入 密钥的短口令，启动成功。

[root@xzx blog_xiazhengxin_name]# service myservice start
*******starting Services*********
php-fpm Started
mysqld Started
NOW SLEEP 5 seconds for MySQL ready
170112 18:50:37 mysqld_safe Logging to '/var/log/mysqld.log'.
170112 18:50:37 mysqld_safe Starting mysqld daemon with databases from /var/mysql
vsftpd Started
Enter PEM pass phrase:
lighttpd Started
*******all services Started*********

访问 https://xiazhengxin.name/ 显示正常。就是由于是 Class 1 级别的SSL证书所以有警告。

注：文章撰写和实践时参考了一下连接
http://redmine.lighttpd.net/projects/li ... i/Docs_SSL
https://startssl.com/Support?v=33

自从苹果宣布2017年元旦开始强制使用SSL/TLS 证书之后，国内所有的网站一夜之间忽然从HTTP 转变成了 HTTPS。

斗鱼也不例外，不过最近打开斗鱼的网站一直属于残疾的状态，可是IE下面是正常的。

仔细查看LOG原来是斗鱼的部分子域名(JS/CSS 静态资源)使用了自签名的SSL证书，默认被chromium ban 掉了.

又不能挨个打开URL 确认安全例外，只好设置全部允许。

打开chromium 配置页，

chrome://flags/#allow-insecure-localhost

对于从本地主机加载的资源，允许使用无效的证书。 Mac, Windows, Linux, Chrome OS, Android
允许通过 HTTPS 向本地主机发送请求（即使提供的证书无效）。 #allow-insecure-localhost

点击启用，重启浏览器生效。

ok!熟悉的斗鱼又回来了。

注：本文撰写参考了以下链接
http://stackoverflow.com/questions/7580 ... ertificate