Having run both Apache2 and Nginx, I chose Nginx.
Installation
Ubuntu / Manjaro
Once the installation finishes, check that it succeeded.
Modules
Check which modules the installed Nginx was built with:

```
ubuntu@VM-8-2-ubuntu:~$ nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
```

The compiler and linker flags in this output (`-fstack-protector-strong`, `-D_FORTIFY_SOURCE=2`, `-z relro -z now`) show that the distribution build already carries the usual binary hardening; a self-compiled build should pass the same flags.
If a module you need is not in that list, you have to build Nginx from source. Modules shown as `=dynamic` above are compiled but not active until a `load_module` directive loads them.
nginx.conf
This file lives at /etc/nginx/nginx.conf by default.
General settings

```nginx
user www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;

events {
    worker_connections 2048;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    default_type text/html;
}
```

`server_tokens off` removes the version number from the `Server` header and from error pages. One caveat on `default_type text/html`: every file whose extension is not in the `types` table is then served as HTML, so a file uploaded with an unusual extension renders as a page in the browser (stored XSS through the upload); the stock value is `application/octet-stream`. Make sure the `http` block also keeps `include /etc/nginx/mime.types;`, otherwise .css and .js files get the default type and browsers reject them under the `nosniff` header set below.
Data compression
Compress on the server and decompress in the browser to reduce bandwidth and transfer volume.
Add inside the http {} block:

```nginx
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_min_length 1k;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
```

Two caveats. The `image/jpeg`, `image/gif` and `image/png` entries gain nothing, since those formats are already compressed, and only cost CPU. More importantly, compression over TLS is what the BREACH attack exploits: a response that both reflects attacker-controlled input and contains a secret (a CSRF token, a session identifier) leaks that secret through the length of the compressed body. Static files and pages without per-user secrets are safe to compress; for dynamic pages that carry secrets, set `gzip off;` in that location or mask the tokens per request.
default
This file is /etc/nginx/sites-enabled/default, a symlink to /etc/nginx/sites-available/default.
Redirect to HTTPS
Redirect the bare IP, plain HTTP and the www form all to https://feater.top:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name www.feater.top;
    rewrite ^(.*)$ https://feater.top$1;
}
server {
    listen 80;
    listen [::]:80;
    server_name 121.5.167.61;
    rewrite ^(.*)$ https://feater.top$1;
}
server {
    listen 80;
    listen [::]:80;
    server_name feater.top;
    rewrite ^(.*)$ https://feater.top$1;
}
server {
    listen 443;
    listen [::]:443;
    server_name 121.5.167.61;
    rewrite ^(.*)$ https://feater.top$1;
}
server {
    listen 443;
    listen [::]:443;
    server_name www.feater.top;
    rewrite ^(.*)$ https://feater.top$1;
}
```

The trailing $1 is the request path captured by the regex, so http://www.feater.top/mybook.html becomes https://feater.top/mybook.html (nginx appends the original query string on its own unless the replacement ends in `?`).

Three things to know before copying this. A `rewrite` without the `permanent` flag answers with a temporary 302, so browsers and crawlers keep requesting the old URL; `return 301 https://feater.top$request_uri;` is the usual form. The two port-443 blocks carry no `ssl_certificate`, yet a client requesting https://www.feater.top must complete a TLS handshake before it can receive any redirect, so the certificate offered on 443 has to be valid for www.feater.top as well. And browsers send no SNI for a bare IP, so https://121.5.167.61/ is offered the `default_server` certificate for feater.top and shows a certificate warning before the redirect is ever seen.
Recently (2022.06.03) I noticed that Google's crawler crawls the IP-based URL instead of the domain one; this method forces it onto the domain.
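The same redirect policy, written as an added example rather than the page's own configuration: the five rewrite blocks collapsed into two servers that answer with a real 301. It assumes that cert/fullchain.pem (the page's certificate path) is a SAN certificate covering both feater.top and www.feater.top; the page does not say which hostnames its certificate covers, so that is an assumption of this example.

```nginx
# Added example, not the page's config.
# Assumption: cert/fullchain.pem covers feater.top AND www.feater.top.

# Port 80, any Host (bare IP, www, apex, anything else pointed here):
# permanent redirect to the canonical HTTPS origin. $request_uri carries the
# original path and query string, so /mybook.html?x=1 survives intact.
# A `rewrite` without the `permanent` flag, as on the page, answers 302.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://feater.top$request_uri;
}

# Port 443, www and bare IP. The TLS handshake completes before nginx can send
# anything, so this block needs a certificate valid for www.feater.top; with
# no ssl_certificate here the handshake for www simply fails. A request for
# https://121.5.167.61/ arrives without SNI, is offered the default_server
# certificate (the feater.top server in the SSL section) and the browser warns;
# listing the IP here only routes the request by Host header after the user
# clicks through that warning.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.feater.top 121.5.167.61;
    ssl_certificate     cert/fullchain.pem;
    ssl_certificate_key cert/private.key;
    return 301 https://feater.top$request_uri;
}
```

Run `nginx -t` after dropping this in; the catch-all `default_server` on port 80 conflicts with any other block that also claims `default_server` on that port.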
SSL
Add to /etc/nginx/sites-enabled/default (the file described above):

```nginx
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name feater.top;
    charset utf-8;
    root /var/www/html;
    index index.html index.htm;

    ssl_certificate cert/fullchain.pem;
    ssl_certificate_key cert/private.key;
    ssl_trusted_certificate cert/chain.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_ticket_key /etc/nginx/ssl/session_ticket.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DSS";
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
    ssl_buffer_size 1400;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 119.29.29.29 valid=60s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";

    location / {
        autoindex on;
        autoindex_localtime on;
        try_files $uri $uri/ =404;
    }
    error_page 404 https://feater.top;
}
```

Certificate paths without a leading slash are resolved relative to the configuration directory, /etc/nginx here. Review the following before reusing the block. `ssl_protocols` still enables TLS 1.0 and 1.1, which RFC 8996 deprecated; `TLSv1.2 TLSv1.3` covers every current client. The cipher list ends with 3DES (`DES-CBC3-SHA`), plain CBC suites and the catch-alls `ECDHE:ECDH:AES:HIGH`, which re-admit whatever the explicit entries left out; and the `TLS13-*` entries are not OpenSSL names (OpenSSL calls them `TLS_AES_256_GCM_SHA384` and so on, and does not select TLS 1.3 suites through `ssl_ciphers` at all), so OpenSSL silently ignores them. Session tickets with a static `ssl_session_ticket_key` file: anyone who obtains that key can decrypt every recorded session it protected, which undoes the forward secrecy the ECDHE suites were chosen for, so rotate the key on a schedule or set `ssl_session_tickets off`. `autoindex on` under `location /` publishes a listing of everything in /var/www/html, drafts and backups included. The `add_header` lines are sent only on 2xx and 3xx responses unless the `always` parameter is given, and `X-XSS-Protection` is obsolete: Chrome and Edge removed the filter, Firefox never had one.
Resource caching
Images and js/css files rarely change, so caching them saves the fetch on every page load.

```nginx
location ~ .*\.(?:gif|jpg|jpeg|bmp|png|ico|css|js)$ {
    expires 30d;
    add_header X-Proxy-Cache $upstream_cache_status;
}
```

`expires` sets the lifetime of the resource; after 30 days the browser fetches it from the server again. Two points: `$upstream_cache_status` is only populated when `proxy_cache` is in use, so on a static site the header is empty. And `add_header` is not inherited into a location that declares any `add_header` of its own, so with this block every image, script and stylesheet leaves without the HSTS, `nosniff` and `X-Frame-Options` headers configured at server level; either repeat them in the location or drop the `X-Proxy-Cache` line so the server-level headers apply.
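For the SSL block and the static-asset location above together, here is an added example (not the page's configuration) that keeps the page's layout and certificate paths but replaces the weak settings called out in both sections: TLS 1.2+ only, an AEAD-only cipher list, tickets off, `always` on the headers, no directory listing, and a static-asset location that does not cut off the server-level security headers. The cipher list and the `http2` parameter are this example's choices, not something the page states.

```nginx
# Added example, not the page's config. Drop-in replacement for the page's
# SSL server block plus its caching location.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name feater.top;
    charset utf-8;
    root /var/www/html;
    index index.html index.htm;

    ssl_certificate         cert/fullchain.pem;
    ssl_certificate_key     cert/private.key;
    ssl_trusted_certificate cert/chain.pem;
    ssl_dhparam             /etc/nginx/ssl/dhparam.pem;

    # Page: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # TLS 1.0/1.1 are deprecated (RFC 8996); no current client needs them.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Page: a long list ending in DES-CBC3-SHA and ECDHE:ECDH:AES:HIGH.
    # This one is ECDHE + AEAD only. TLS 1.3 suites are not chosen through
    # ssl_ciphers with OpenSSL (the page's TLS13-* names are ignored);
    # OpenSSL's default TLS 1.3 suites stay enabled.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Page: ssl_session_tickets on with a static ssl_session_ticket_key file.
    # A ticket key that never rotates can decrypt every session it protected,
    # so tickets are off; session IDs in the shared cache still give resumption.
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 119.29.29.29 valid=60s;
    resolver_timeout 5s;

    # `always` sends the headers on 4xx/5xx too; without it nginx adds them
    # only to 2xx/3xx responses. X-XSS-Protection is obsolete; "0" switches the
    # filter off in the few browsers that still implement it.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-XSS-Protection "0" always;

    location / {
        # Page: autoindex on;  (a directory listing of the whole docroot)
        try_files $uri $uri/ =404;
    }

    # Static assets (the caching section's location). Because this location
    # declares no add_header of its own, it inherits the four headers above.
    # The page's X-Proxy-Cache line is dropped: it is empty without proxy_cache,
    # and any add_header here would discard the inherited headers, which would
    # then have to be repeated in this block.
    location ~* \.(?:gif|jpg|jpeg|bmp|png|ico|css|js)$ {
        expires 30d;
    }

    error_page 404 https://feater.top;
}
```

After reloading, `curl -sI https://feater.top/style.css` should show the HSTS and nosniff headers on a static file; with the page's original caching location they are absent.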
PHP-FPM
Install the packages:

```shell
yaourt -S php php-cgi php-fpm
```
Add inside the server {} block:

```nginx
location ~ \.php$ {
    root /var/www/html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
```
Or, what I use on Ubuntu:

```nginx
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
```
Note:
- The `user` at the top of nginx.conf must be able to connect to the FPM socket: either the same user as `user` in /etc/php/php-fpm.conf.d/www.conf, or one matched by `listen.owner`, `listen.group` and `listen.mode` there. A separate unprivileged FPM user is the least-privilege choice.
- The `fastcgi_pass` value must match the `listen` field in www.conf.
- The owner and permissions of the site files must match the configuration: the nginx user needs to read static files, the FPM user needs to read the scripts.
- The first block above proxies any URL ending in `.php` without checking that the script exists. With PHP's default `cgi.fix_pathinfo=1`, a request like `/images/avatar.jpg/x.php` makes FPM fall back to `/images/avatar.jpg` and execute an uploaded image as PHP. Ubuntu's `snippets/fastcgi-php.conf` already contains `try_files $fastcgi_script_name =404;` against this; the Manjaro block needs an equivalent `try_files` line.

Load balancing
The site gets too little traffic, so I have not used this feature yet.
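Hardened form of the first PHP location above, as an added example and not the page's own configuration. The socket path /run/php-fpm/php-fpm.sock and the /uploads/ directory are assumptions of this example; take the socket path from the `listen` line of your own www.conf.

```nginx
# Added example, not the page's config.
# Assumptions: FPM listens on /run/php-fpm/php-fpm.sock; uploads live under /uploads/.

# Files under an upload directory are never handed to PHP, whatever their name.
location ~* ^/uploads/.*\.php$ {
    return 404;
}

location ~ \.php$ {
    root /var/www/html;

    # PHP defaults to cgi.fix_pathinfo=1. With SCRIPT_FILENAME alone, a request
    # for /images/avatar.jpg/x.php makes FPM fall back to /images/avatar.jpg and
    # run an uploaded image as PHP. Refusing to proxy unless the requested file
    # itself exists closes that hole (it also disables PATH_INFO-style URLs such
    # as /index.php/foo, which a plain site does not use).
    try_files $uri =404;

    # A unix socket is reachable only by the users allowed through listen.owner,
    # listen.group and listen.mode in www.conf; 127.0.0.1:9000 accepts a
    # connection from every local process and account.
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

A quick check after reload: `curl -sI https://feater.top/images/avatar.jpg/x.php` should now return 404 instead of a PHP-generated response.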
Region blocking
First download the GeoIP2 database from the MaxMind site. The `geoip2` directive comes from the third-party ngx_http_geoip2_module, which is not among the modules in the `nginx -V` output above; it has to be installed and loaded first (on Ubuntu the package is libnginx-mod-http-geoip2).
Add inside http {}:

```nginx
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}
```
Under the location in server {} add:

```nginx
if ($allowed_country = yes) {
    return 404;
}
```
That blocks every IP outside China. Note that the naming is inverted: the `map` gives every country except CN the value `yes`, and that `yes` is what triggers the 404, so `$allowed_country = yes` actually means "blocked". The config does what this sentence says, but anyone reading it later will misread it; name the variable for what its value means. `return` inside `if` is one of the safe uses of `if` in a location. And behind a CDN or reverse proxy the lookup sees the proxy's address unless the realip module (`set_real_ip_from`, `real_ip_header`) is configured first, in which case every visitor is treated as coming from the proxy's country.
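The same allow-only-CN policy as an added example (not the page's configuration), with the module loaded explicitly, the variable named for what its value means, default-deny for addresses the database cannot place, and the check done once at server level. The module path is Ubuntu's (libnginx-mod-http-geoip2) and the proxy range 10.0.0.0/8 in the commented realip lines are assumptions of this example.

```nginx
# Added example, not the page's config. Complete minimal nginx.conf.
# Assumptions: module path as packaged by Ubuntu; 10.0.0.0/8 as the proxy range.

# ngx_http_geoip2_module is a third-party dynamic module, absent from the
# nginx -V output above; it must be loaded in the main context.
load_module modules/ngx_http_geoip2_module.so;

events {}

http {
    geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
        auto_reload 5m;
        $geoip2_country_code country iso_code;
    }

    # Default-deny. Addresses with no country in the database (private ranges,
    # very new allocations) yield an empty code, fall to `default`, and are
    # blocked rather than let through.
    map $geoip2_country_code $geo_blocked {
        default 1;
        CN      0;
    }

    server {
        listen 80;
        server_name feater.top;
        root /var/www/html;

        # Behind a CDN or reverse proxy $remote_addr is the proxy, so every
        # visitor would be looked up as the proxy's country. The realip module
        # (present in the build above) restores the client address first:
        # set_real_ip_from 10.0.0.0/8;
        # real_ip_header   X-Forwarded-For;

        # nginx treats "" and "0" as false, so only $geo_blocked = 1 returns here.
        if ($geo_blocked) {
            return 404;
        }
    }
}
```

Test it from outside China with `curl -sI http://feater.top/` (expect 404) and from a CN address (expect 200); if both come back the same, check whether a proxy in front is hiding the client address.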