lighttpd https SSL 配置参数优化 

前端时间从 freessl.org 搞了一个免费的SSL证书,给自己的一个站点用上了。

https://sb.caonima.pw

不过部署好了后我这边一直访问不了。一直以为是SSL的配置没配好。

今天参照着 myssl.com 提供的优化建议把配置弄了一下,如下:

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
#ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE"
ssl.honor-cipher-order = "enable"
ssl.pemfile = "/home/ftp/.ssl/ssl.pem"
ssl.ca-file = "/home/ftp/.ssl/ca.pem"
server.name = "sb.caonima.pw"
server.document-root = "/home/ftp"
}
ssl.disable-client-renegotiation = "enable"


重启lighttpd,看了一下,评级从之前的B升到了A。

https://myssl.com/sb.caonima.pw

但是,貌似我本地还是不能访问。

VPS里面倒是可以,

[root@sharl-centos ~]# curl -vI https://sb.caonima.pw
* About to connect() to sb.caonima.pw port 443 (#0)
* Trying 104.236.147.24... connected
* Connected to sb.caonima.pw (104.236.147.24) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=sb.caonima.pw
* start date: Feb 24 00:00:00 2018 GMT
* expire date: Feb 24 12:00:00 2019 GMT
* common name: sb.caonima.pw
* issuer: CN=TrustAsia TLS RSA CA,OU=Domain Validated SSL,O="TrustAsia Technologies, Inc.",C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sb.caonima.pw
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Content-Length: 6705
Content-Length: 6705
< Date: Fri, 02 Mar 2018 09:10:51 GMT
Date: Fri, 02 Mar 2018 09:10:51 GMT
< Server: lighttpd
Server: lighttpd

<
* Connection #0 to host sb.caonima.pw left intact
* Closing connection #0


此外我还试了ssllibs,
https://www.ssllabs.com/ssltest/analyze.html?d=sb.caonima.pw

好像也没啥问题。敢情除了我自己,其他人都能访问我的站点,我日!!!!

这个问题还要继续研究。

注:本文撰写实践参考了以下链接:
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
https://www.openssl.org/docs/manmaster/man1/ciphers.html
[ ] ( 4104 次浏览 ) 永久链接 ( 3 / 1816 )
nginx 设置反向代理 揭示板套图网站 

揭示板这个套图网站我一直很喜欢,不过一直被墙,域名也一直再换。

虽然订阅了它的域名发布页:http://www.anonymous-fan.com

不过还是觉得麻烦。

特别是手机浏览器(移动4G网络)打开网页看不到图片,也很烦。

所以最近就觉得用DO闲置的VPS搞个代理。主意不错!!!

经过一番研究,主要需要代理三个方面。

我挑选了 地址二:http://www.1press.info 这个域名。

1.网站首页
nginx 配置如下:

location / {
proxy_set_header Host 'www.1press.info';
proxy_set_header Referer 'www.1press.info';
proxy_pass http://www.1press.info;
sub_filter 'www.1press.info' 'dsb.caonima.pw:81';
sub_filter '27.255.79.40' 'dsb.caonima.pw:81/img1';
sub_filter '174.139.202.79' 'dsb.caonima.pw:81/img2';
sub_filter_once off;
}


2.套图CDN
nginx 配置如下:

location ~/img2(.*)$ {
proxy_pass_request_headers on;
proxy_pass_request_body off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host 'www.1press.info';
proxy_set_header Referer 'www.1press.info';
proxy_pass http://174.139.202.79$1;
}

3.其他图片资源
nginx 配置如下:

location ~/img1(.*)$ {
proxy_pass_request_headers on;
proxy_pass_request_body off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host 'www.1press.info';
proxy_set_header Referer 'www.1press.info';
proxy_pass http://27.255.79.40$1;
}


保存配置,刷新nginx 配置。

访问 http://dsb.caonima.pw:81,一切OK。美滋滋~
[ ] ( 2499 次浏览 ) 永久链接 ( 3 / 1885 )
lumen 部署在nginx 子目录下配置 IDC增强版 

今天吃完饭回来就在想上午的那个方案虽然可行,但是有个弊端。

就是每上一个新版本,除了上传新版本文件夹之外 还得编辑下 nginx vhost 配置,新增一个虚拟主机。

说麻烦虽然不麻烦 不过也挺烦人的。没有做到自适应,需要人工干预。

所以又折腾了一下。

配置如下:

server {
listen 80;
server_name haha.17ping.cn;
root /data/www/sdkHoster;

location / {
index index.php index.htm index.html;
autoindex on;
}

location ~ /([\w\d_]+)/([\w/]*)$ {
index index.php index.htm index.html;
try_files $uri $uri/ /$1/public/index.php?$query_string;
#return 500 $1;
}

# location /sdk1_0 {
# root /data/www/sdkHoster;
# index index.php index.htm index.html;
# try_files $uri $uri/ /sdk1_0/public/index.php?$query_string;
# }

# location /sdk1_1 {
# root /data/www/sdkHoster;
# index index.php index.htm index.html;
# try_files $uri $uri/ /sdk1_1/public/index.php?$query_string;
# }

location ~ \.php$ {
set $newurl $request_uri;
if ($newurl ~ ^/sdk([\d_]+)(.*)$) {
set $newurl $2;
}
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
fastcgi_param REQUEST_URI $newurl;
}

location ~ \.(css|js|swf|php|htm|html)$ {
add_header Cache-Control no-store;
}

location ~ /\.ht {
deny all;
}
}


保存,重载配置。

手动复制了一份 sdk1_2 目录,重命名为sdk1_2.
访问 http://haha.17ping.cn/sdk1_2/ 成功,美滋滋。

注:本文撰写实践时参考了一下文章:
https://serverfault.com/questions/826663/nginx-location-regex-variable-not-working-with-try-file
https://stackoverflow.com/questions/33890599/nginx-match-location-with-regex
https://superuser.com/questions/330194/how-to-i-get-variables-from-location-in-nginx
http://nginx.org/en/docs/http/ngx_http_ ... l#location
http://nginx.org/en/docs/http/ngx_http_ ... log_format
http://nginx.org/en/docs/http/ngx_http_ ... tml#return
https://regex101.com/
[ ] ( 10684 次浏览 ) 永久链接 ( 2.9 / 1935 )
lumen 部署在nginx 子目录下配置 

最近公司在搞lumen 框架,需要用到一个场景。

就是
XXX.com/apiv1/controller/action
XXX.com/apiv2/controller/action
XXX.com/apiv3/controller/action
以此类推

由于lumen 比较坑,必须用项目下的public 为 server_root.

本来我们有一个很懒的解决方案就是用无限的子域名堆出无限个的virtualhost.
apiv1.XXX.com/controller/action
apiv2.XXX.com/controller/action
apiv3.XXX.com/controller/action

不过后来想到域名生效、域名子域名数量限制等问题,就放弃了。

老老实实搞nginx 配置。

经过半天的折腾,完美解决。
nginx 配置如下:

server {
listen 80;
server_name haha.17ping.cn;
root /data/www/sdkHoster;

location / {
index index.php index.htm index.html;
autoindex on;
}

location /sdk1 {
root /data/www/sdkHoster;
index index.php index.htm index.html;
try_files $uri $uri/ /sdk1/public/index.php?$query_string;
}

location /sdk2 {
root /data/www/sdkHoster;
index index.php index.htm index.html;
try_files $uri $uri/ /sdk2/public/index.php?$query_string;
}

location ~ \.php$ {
set $newurl $request_uri;
if ($newurl ~ ^/sdk(\d+)(.*)$) {
set $newurl $2;
}
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
fastcgi_param REQUEST_URI $newurl;
}

location ~ \.(css|js|swf|php|htm|html)$ {
add_header Cache-Control no-store;
}

location ~ /\.ht {
deny all;
}
}

效果如下:

root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X POST http://haha.17ping.cn/sdk1/account/index
{"code":0,"message":"OK","data":{"msg":"\u5982\u9047\u8d26\u53f7\u95ee\u9898\u8bf7\u8054\u7cfbQQ:115693753"}}

root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X POST http://haha.17ping.cn/sdk2/account/index
{"code":0,"message":"OK","data":{"msg":"\u5982\u9047\u8d26\u53f7\u95ee\u9898\u8bf7\u8054\u7cfbQQ:115693753"}}
root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster#


不过这个配置有个缺点,就是如果url后面不跟任何东西的话,比如(http://haha.17ping.cn/sdk2) 就会找不到index.php.
一般这种页面 lumen 是用来打印版本信息的。

如果有人觉得强迫症不爽的话,直接从public 下面复制一个 index.php 到 上一级目录,然后修改14行的

$app = require __DIR__.'/../bootstrap/app.php';
改成
$app = require __DIR__.'/./bootstrap/app.php';

把导入的相对路径调成平级就行了。效果如下:

root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X GET http://haha.17ping.cn/sdk1/
Lumen (5.5.2) (Laravel Components 5.5.*)
root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster# curl -X GET http://haha.17ping.cn/sdk2/
Lumen (5.5.2) (Laravel Components 5.5.*)
root@iZuf6c8x9fhxje4raqhanuZ:/data/www/sdkHoster#


注:本文撰写实践时参考了一下链接:
https://stackoverflow.com/questions/37366484/is-it-possible-to-install-lumen-or-laravel-only-in-a-sub-directory
https://stackoverflow.com/questions/32186105/lumen-multisite-using-subdirectories-on-nginx
https://stackoverflow.com/questions/17805576/nginx-rewrite-in-subfolder
https://laracasts.com/discuss/channels/general-discussion/nginx-setup-for-subdirectory
https://gist.github.com/mreschke/27bfafb84add38d3bab8
https://stackoverflow.com/questions/45378367/lumen-application-workwith-trailing-slash-using-nginx-server
https://stackoverflow.com/questions/34823913/lumen-in-a-subfolder-trailing-slashes-issue
[ ] ( 2360 次浏览 ) 永久链接 ( 2.9 / 1666 )
let's encrypt SSL证书续期 

最近接到邮件,说自己SSL证书将于10日内过期,于是赶紧续期。renew.

使用 letsencrypt 官方推荐的客户端 Certbot 完成操作。

下载该工具,根据各自的系统和包管理器,下载安装。

由于我的系统比较老,所以下载了 binary 文件。


wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto


给了执行权限,继续操作。


[root@xzx ~]# ./certbot-auto certonly --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apachectl in PATH: /opt/lighttpd/sbin:/opt/php/sbin:/opt/php/bin:/opt/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for xiazhengxin.name
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xiazhengxin.name/fullchain.pem. Your cert
will expire on 2017-07-13. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


续期成功,其实我感觉是重新生成了一份新的。
查看证书存放地址:

[root@xzx ~]# ./certbot-auto certificates --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following matching certs:
Certificate Name: xiazhengxin.name
Domains: xiazhengxin.name
Expiry Date: 2017-07-13 09:26:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xiazhengxin.name/privkey.pem
-------------------------------------------------------------------------------


现在要做的就是删除老的快过期的证书,然后用新生成的替换掉它,重启WEB SERVER即可。


[root@xzx ~]# cp /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem /home/http/blog_xiazhengxin_name/ssl.pem
[root@xzx ~]# cat /etc/letsencrypt/live/xiazhengxin.name/privkey.pem >> /home/http/blog_xiazhengxin_name/ssl.pem


搞定!!!!

关于 Certbot 的用法参数说明,参见:
https://certbot.eff.org/docs/using.html#certbot-command-line-options

https://certbot.eff.org/ Certbot 官网
https://letsencrypt.org/docs/client-options/ Certbot 其他变种
[ ] ( 1858 次浏览 ) 永久链接 ( 3 / 1962 )

<< <上一页 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 下一页> >>