标签归档:nginx

CentOS 7 编译安装nginx并启用TLS1.3

暂时转向caddy,caddy已经可以支持tls v1.3

更新日志

20180708
OpenSSL于2018年6月8日更新了关于tls 1.3的说明,见此wiki,本文按新wiki修改更新;
主要变化有:OpenSSL目前同时支持“draft-26”, "draft-27" and "draft-28"草案;简化流程,编译时默认开启tls 1.3,无需enable参数;加密算法表达的更新;
Chrome canary 69.0.3484.0 和 Firefox Nightly 63.0a1支持tls1.3 Draft 28。
20180411
Firefox Nightly 61.0a1支持tls1.3 Draft 26。
20180404
IESG批准将TLS 1.3 Draft 28作为TLS version 1.3 的建议标准;
至20180404,Openssl支持的标准为Draft 26。
20180312
Chrome 65正式版已经发布,支持tls1.3 Draft 23。
20180207
修正部分错误。
如果TLSv1.3如期发布,OpenSSL 1.1.1 将于2018年4月17日面向公众发布。对于服务器来说,我还是喜欢CentOS,支持周期很长,折腾一次可以用很长世间,因此以下记录一下在基于LNMP的CentOS 7 系统上启用TLSv1.3的过程。

1 升级系统

yum update

升级后的系统版本为:

cat /etc/centos-release CentOS Linux release 7.5.1804 (Core)

2 安装官方mainline版的nginx

通过官方源安装nginx的目的是:
自动生成nginx的配置文件,减少大量的工作;
获取nginx的编译参数。

配置源:

vi /etc/yum.repos.d/nginx.repo

写入如下内容:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

安装nginx:

yum install nginx -y

查看nginx版本:

nginx -v nginx version: nginx/1.15.1

获取编译参数:

nginx -V nginx version: nginx/1.15.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

修改nginx源,将enabled=1改为enabled=0,防止yum update时nginx被更新掉

vi /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/ gpgcheck=0 enabled=0

3 编译nginx

安装可能用到的依赖:

yum install -y git gcc gcc-c clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel  perl-devel perl-ExtUtils-Embed

获取源码:

git clone https://github.com/nginx/nginx.git
git clone https://github.com/openssl/openssl.git
git clone https://github.com/grahamedgecombe/nginx-ct.git

nginx-ct是启用证书透明度(Certificate Transparency)策略的模块。为了启用Certificate Transparency和TLSv1.3,需要额外加入如下编译参数:

--add-module=../nginx-ct/ --with-openssl=../openssl/

加在官方编译参数后面,简单修改形成完整的编译参数:

auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=../nginx-ct/ --with-openssl=../openssl/

进入nginx源码目录,并输入如上完整的编译参数。
开始编译:

make

查看编译好的nginx信息:

./objs/nginx -v nginx version: nginx/1.15.2

备份已经安装好的官方mainline版,安装编译版:

mv /usr/sbin/nginx /usr/sbin/nginx.1.15.1.20180708.official.mainline
cp ./objs/nginx /usr/sbin/

4 修改nginx配置文件内的ssl_protocols和ssl_ciphers,默认启用TLSv1.3的前三项常用的加密算法

...
ssl_protocols          TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers            EECDH+CHACHA20:ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+aECDSA+AES256+SHA384:ECDHE+aRSA+AES256+SHA384:ECDHE+aECDSA+AES256+SHA:ECDHE+aRSA+AES256+SHA;
...

重启nginx服务以使修改生效:

systemctl restart nginx

5 测试TLSv1.3是否生效

5.1 使用testssl工具
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
./testssl.sh --help

命令为(coldawn.com需要换成自己的域名):

./testssl.sh -p coldawn.com ... Testing protocols via sockets except SPDY+HTTP2 SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) TLS 1.3 offered (OK): draft 28, draft 27, draft 26 NPN/SPDY h2, http/1.1 (advertised) ALPN/HTTP2 h2, http/1.1 (offered) ...

详细的情况,用大写的P作为参数:

./testssl.sh -P coldawn.com

 Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA
    TLSv1.1:   ECDHE-RSA-AES256-SHA
    TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
5.2 使用现代浏览器

Chrome canary 69.0.3484.0 和 Firefox Nightly 63.0a1已经支持tls1.3 Draft 28。

CentOS 7 搭建LNMP服务器环境

CentOS漫长的支持周期使得对系统更新的需求不是那么迫切,只要用得顺手。不过,新安装的话,就应该直接安装最新版,这样就可以用很久了。Centos 7 搭建LNMP(nginx, MariaDB, PHP)服务器和在CentOS 6 搭建LNMP服务器环境大同小异,整体过程和方法都是一样的,只需将NMP的源由CentOS 6 改成CentOS 7 的,修改几条命令就可以了。

1 更新系统:

yum update -y

查看系统版本:

cat /etc/centos-release

CentOS Linux release 7.3.1611 (Core)

2 配置源:

2.1 配置MariaDB官方源
首先需要定制MariaDB的官方源
选择合适的系统,系统版本,及MariaDB版本(最新是10.2, 目前处于RC阶段),获得CentOS 7 64位系统MariaDB 10.2 RC版本的源地址。

CentOS > CentOS 7 (x86_64) > 10.2 [Release Candidate]

配置源方法

vi /etc/yum.repos.d/MariaDB.repo

填入如下内容

# MariaDB 10.2 CentOS repository list - created 2017-02-25 08:07 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

保存退出(按ESC键,输入:wq)。

2.2 配置PHP源
webtatic源更新较快,且其命名有自己的特色方式,可以避免与其他源的某些冲突:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

2.3 配置nginx官方源
官方nginx有两个版本,mainline和stable,即开发板和稳定版,区别是前者引入新特性但可能有新bug,后者足够稳定。事实上,两者均比较稳定,nginx的网站总是运行在mainline版上。
以下提供两个版本供选择,请选择其一,推荐使用mainline版。

2.3.1 mainline 版
nginx的mainline版

vi /etc/yum.repos.d/nginx.repo

系统是CentOS 7,故写入如下内容

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

保存退出。

2.3.2 stable 版

vi /etc/yum.repos.d/nginx.repo

系统是CentOS 7,故写入如下内容


[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

保存退出。

3 安装、启动服务及设置开机启动

3.1.1 安装MariaDB

yum install MariaDB-server -y

3.1.2 安装PHP

yum install php71w-fpm -y

安装扩展

yum install php71w-gd php71w-mysqlnd php71w-pdo php71w-mcrypt php71w-mbstring php71w-xmlrpc -y

3.1.3 安装nginx

yum install nginx -y

3.2 启动服务并设置开机启动

systemctl start nginx

systemctl start mariadb

systemctl start php-fpm

systemctl enable nginx

systemctl enable mariadb

systemctl enable php-fpm

4 配置

4.1 设置MariaDB

MariaDB对MySQL的命令具有良好的兼容性。
此步主要是MariaDB的安全设置:

mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 

因为是初次设置MariaDB,所以root密码是空的,此处直接回车

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y

设置数据库的密码

New password: 

设置密码,设置一个你自己知道的密码。

Re-enter new password: 

再次输入密码

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

4.2 配置PHP

vi /etc/php.ini

找到

;cgi.fix_pathinfo=1

去掉注释,并将1改成0

cgi.fix_pathinfo=0

保存退出。

4.3 配置nginx

4.3.1 默认配置

直接用浏览器打开你的主机空间的IP地址或者域名(假设IP地址为1.2.3.4,域名为www.urwp.com,后面也会用到),就可以看到nginx的欢迎页面,说明nginx已经在工作了。

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

4.3.2 配置nginx,以支持PHP

vi /etc/nginx/conf.d/default.conf

修改前的默认配置是这样的:

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

修改如下区块,取消注释,并修改部分内容:

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

4.3.3 测试PHP是否正常运行

vi /usr/share/nginx/html/phpinfo.php

写入如下代码,并保存

<?php
phpinfo();
?>

重启nginx和PHP

systemctl restart nginx
systemctl restart php-fpm

再次访问你的主机地址或域名:

http://1.2.3.4/phpinfo.php

或者

http://www.urwp.com/phpinfo.php

可见到php相关信息,说明PHP和nginx已经配合工作了。
此时LNMP网络服务环境就已初步搭建了。

接下来,可以部署自己的网站,或者开个简单的博客,比如WordPress
部署好LNMP后,不管是CentOS 6,还是CentOS 7,安装WordPress步骤都是一样的:CentOS 6系统LNMP环境下安装WordPress

使用Let’s Encrypt的Certbot为ngxin生成ECDSA证书

更新

20170312 本文是以CentOS 6.8系统为基础的,而对于CentOS 7系统,certbot则包含在了EPEL源中,可以启用EPEL后直接安装,且命令也由certbot-auto改为了certbot,但是两者的命令参数是通用的。
256位的ECDSA密钥提供的安全性和3072位的RSA密钥相当,而对于大多数网站来说,2048位RSA密钥提供的安全性已经足够。ECDSA证书在算法和密钥长度上的优势可以提供更快的HTTPS访问速度,但浏览器和平台的支持度不如后者广泛。Nginx 1.11.0版本即开始支持ECDSA和RSA双证书配置,可以通过同时配置RSA证书来解决ECDSA证书的兼容性问题。以下内容主要是记录一下如何用Let's Encrypt官方推荐的Certbot生成ECDSA证书,亦为ECC证书。取得Certbot环境、全自动生成和更新RSA证书和注意事项,不再赘述。
主要参考:
Status of and instructions for EC certification generation using CertBot?

详细步骤:
1 进入Certbot工作目录

cd /etc/certbot/

2 生成ECDSA私钥
使用secp384r1曲线算法

openssl ecparam -genkey -name secp384r1 > ec.key

3 生成支持多域名的证书请求文件CSR
certbot目前只能以–csr的方式加载证书请求文件来生成ECDSA的证书,并且要求csr为der格式csr已支持der和pem格式
使用–csr时,要将需要申请证书的域名全部包含在csr中,如co1dawn.com和www.co1dawn.com,即需要生成多域名的CSR。
3.1 方法一(推荐直接使用方法二)

cp /usr/local/ssl/openssl.cnf /etc/certbot/
vi openssl.cnf

在[ req ]区块找到并去掉注释“#”:

req_extensions = v3_req # The extensions to add to a certificate request

在[ v3_req ] 加入如下内容:

subjectAltName = @alt_names
[ alt_names ]
DNS.1 = co1dawn.com
DNS.2 = www.co1dawn.com

修改后的样子:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = co1dawn.com
DNS.2 = www.co1dawn.com

通过openssl使用-config参数生成多域名证书请求文件:

openssl req -new -sha384 -key ec.key -out ec-der.csr -outform der -config /etc/certbot/openssl.cnf

只需填入Common Name (e.g. server FQDN or YOUR name) []:co1dawn.com即可。前几项输入“.”,即为空;最后后两项留空即可。

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:co1dawn.com
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.2 方法二,更为简单,为推荐使用的方法

按需要做相应更改:

openssl req -new -sha384 -key ec.key -subj "/CN=co1dawn.com" -reqexts SAN -config <(cat /usr/local/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:co1dawn.com,DNS:www.co1dawn.com")) -outform der -out ec-der.csr

/usr/local/ssl/openssl.cnf为openssl编译安装时所在位置,根据实际情况更改,考虑到安全性和兼容性,请编译升级到最新版的openssl 1.0.2
3.3查看csr是否正确

openssl req -inform der -in ec-der.csr -noout -text
        ...
        Subject: CN=co1dawn.com
        ...
            X509v3 Subject Alternative Name:
                DNS:co1dawn.com, DNS:www.co1dawn.com
        ...

4 使用certbot生成ECDSA证书

./certbot-auto certonly --webroot -w /var/www/html/ -d co1dawn.com -d www.co1dawn.com --email "youremail@youremail.com" --csr "/etc/certbot/ec-der.csr"

具体命令的意义可参照之前的部分

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/certbot/0001_chain.pem. Your cert will expire on
   2016-11-29. To obtain a new or tweaked version of this certificate
   in the future, simply run certbot-auto again. To non-interactively
   renew *all* of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

如不指定获取的证书存放目录时,默认放在cerbot程序所在目录,即/etc/certbot/。
生成三个证书:

0000_cert.pem  0000_chain.pem   0001_chain.pem

与certbot自动化生成并更新的RSA证书的对应关系是:

   0000_cert.pem   = cert.pem
   0000_chain.pem  = chain.pem
   0001_chain.pem  = fullchain.pem

在nginx中用到的是0000_chain.pem和0001_chain.pem,具体使用方法和前面一致

使用cloudflare的chacha20/poly1305补丁编译nginx,在ngxin中配置ECDSA和RSA双证书后,需要提供并提升ECDSA和chacha20/poly1305的优先级,ssl_ciphers可参考该文进行配置:

ssl_ciphers 'ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+aECDSA+AES256+SHA384:ECDHE+aRSA+AES256+SHA384:ECDHE+aECDSA+AES256+SHA:ECDHE+aRSA+AES256+SHA';

5 局限性
5.1 OCSP stapling
目前Let’s encrypt使用的中间证书和RSA证书是同一个,因此如果同时使用certbot生成的ECDSA和RSA双证书时,在nginx的OCSP stapling配置部分的ssl_trusted_certificate用0000_chain.pem或者chain.pem都可以,目前这两个中间证书其实是同一个证书。官方预计在2017年3月31日前使用ECDSA算法的中间证书;
5.2 无法自动更新
现在certbot还不能像RSA证书那样智能化的生成并更新ECDSA证书,只能手动运行,而且再次运行时文件名会递增,需要更改文件名或在nginx中更改证书位置。
6 展望
Certbot的作者们早已在github上讨论直接生成双证书的可行性,那将大大简化配置双证书的复杂度,只是还没有具体的时间表。

在CentOS 6 的LNMP服务器上部署Let’s Encrypt的SSL证书

Let's Encrypt官方推荐的客户端certbot自2016年2月3日#2344开始真正支持Python 2.6,而在此之前需要Python 2.7,盲目升级CentOS 6 自带的Python 2.6到2.7,可能导致yum不能使用等问题。certbot-auto作为certbot的自动化脚本可以自动安装依赖并自动配置运行环境,使得获取Let's Encrypt证书简便快捷。

系统要求:本文是在CentOS 6.8已经部署好LNMP的服务器上部署certbot-auto,需要拥有服务器的root权限,在certbot准备运行环境阶段需要的内存较大,实测至少需要240M以上的内存
主要参考:
Let’s Encrypt and Nginx
建立个人博客,推荐使用搬瓦工年付19.99美元KVM虚拟VPS,512M内存,10G硬盘,500G月流量。

详细步骤:

1 取得 certbot-auto

访问https://certbot.eff.org/,在

I'm using Software on System.

分别选择nginx,CentOS 6,将弹出安装使用的详细方法。
1.1 首先需要安装certbot所依赖的源

yum install epel-release

1.2 下载certbot,并赋予运行权限
假设将certbot放在 /etc/certbot/目录下,

mkdir /etc/certbot/ && cd /etc/certbot/
wget https://dl.eff.org/certbot-auto

赋予运行权限:

chmod +x ./certbot-auto

安装依赖并配置自动运行环境:

./certbot-auto

2 运行certbot-auto取得证书

对于正常运行的LNMP服务器来说,推荐使用–webroot插件来获取证书,可以不必停止nginx的服务器的正常运行,否则需要停止nginx。
2.1 取得证书的命令如下:

/etc/certbot/certbot-auto certonly --webroot -w /var/www/html/ -d co1dawn.com -d www.co1dawn.com --staple-ocsp --hsts --rsa-key-size 4096 -m youremail@youremail.com

上述命令详解如下:

certonly     生成证书,但不安装。对于nginx,安装模式目前支持尚不完善,我们自己在nginx中配置证书。

–webroot   借助正在运行nginx的网站所在目录来生成证书请求的临时文件,例:/var/www/html/.well-known/

-w               用来指定目前正常运行nginx的服务器的网站所在目录,假设为:/var/www/html/

-d                co1dawn.com,www.co1dawn.com是两个不同的域名,根据自己的实际情况填写。

–staple-ocsp   开启证书的OCSP验证。

–hsts             强制浏览器使用加密连接访问网站。

–rsa-key-size 4096  请求4096bit的证书,默认为2048位已经足够。

-m                 自己的电子邮件地址。

2.2 可能碰到的错误

If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

需要在nginx的配置文件中SSL区块中指定certbot的临时目录

       location ~ /.well-known {
                   allow all; 
       }

2.3 生成的证书位置
顺利的话,会给出成功的提示,并显示证书所在位置。

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/co1dawn.com/fullchain.pem (success)

3 在nginx中配置证书

共获得一枚私钥,三枚证书,我们需要用到其中的三个,在nginx的配置文件中SSL区块配置如下L:

...
ssl on;
ssl_certificate /etc/letsencrypt/live/co1dawn.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/co1dawn.com/privkey.pem;

#Enable SSL stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/co1dawn.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
...

然后重启nginx服务:

service nginx restart

4 自动更新证书

90天的时间还是太短,因此需要自动更新证书
4.1 测试是否能自动更新

/etc/certbot/certbot-auto renew --dry-run

成功后有提示,但不会真正生成新的证书。
4.2 安装定时任务crontab

yum install -y vixie-cron

或者

yum install -y cronie

启动定时任务

service crond start

设crontab为开机自动启动

chkconfig crond on

4.3 将certbot-auto renew 加入定时运行

crontab -e

写入下列任务并保存退出:

14 06 * * * /etc/certbot/certbot-auto renew --post-hook "sudo service nginx reload" --quiet >> /var/log/certbot.log

如果出现

Unable to find post-hook command sudo in the PATH.
(PATH is /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

说明是以root权限运行的,可以去掉sudo,或者建立非root用户再运行。
这样每天早上6点14分,自动运行证书更新请求,并将运行日志记录在 /var/log/certbot.log,方便查看。

CentOS 6 系统LNMP环境下安装WordPress

Changes: 
2016-08-19
nginx-1.11.3 mainline或nginx-1.10.1, MariaDB 10.1.16, PHP 7.0.9,同样适用。
2016-05-04
nginx-1.9.15 mainline或nginx-1.10.0, MariaDB 10.1.13, PHP 7.0.5,同样适用。
2016-02-21
nginx 1.9.11, PHP 7.0.3,同样适用。
WordPress博客虽然越来越臃肿,但是与其功能不断丰富不无关系,目前是个人博客较好的选择。
本文介绍如何在CentOS 6系统的LNMP环境下安装WordPress。
说明:
1 本文从准备好的LNMP环境开始,成功的关键点在于要修改部分权限、用户名和用户组。
2 参考教程:
How To Install WordPress with nginx on CentOS 6
Nginx, PHP5, MySQL Support In CentOS 6.5

详细过程:
1 建立wordpress站点的数据库

登录MariaDB,密码是之前设置的

mysql -u root -p

下面举例的数据库、用户、密码分别为:“wordpress”、“wpuser”、“wppw”。可自定义。

建立名为“wordpress”的数据库

CREATE DATABASE wordpress;
Query OK, 1 row affected (0.00 sec)

建立名为“wpuser”的用户,并设置密码为“wppw”

CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'wppw';
Query OK, 0 rows affected (0.00 sec)

修复权限

GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'localhost';
Query OK, 0 rows affected (0.00 sec)

exit,退出。

2 配置nginx与PHP

2.1 假设把网站文件放在 /var/www/wordpress 目录下:

mkdir -p /var/www/wordpress

2.1 配置站点文件的路径,并启用unix socket通信

vi /etc/nginx/conf.d/default.conf

如下修改,保存

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /var/www/wordpress;
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
         root /var/www/wordpress;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
         }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    # deny all;
    #}
}

“try_files $uri $uri/ /index.php$is_args$args;”,伪静态。

2.2 配置PHP,开启unix socket通信,并修改用户名和用户组

vi /etc/php-fpm.d/www.conf

2.2.1 修改unix socket通信,找到

listen = 127.0.0.1:9000

并修改为

listen = /var/run/php-fpm/php-fpm.sock

2.2.2 找到如下字段,去掉注释,并将nobody改为nginx,否则unix socket通信功能无效,nginx将无法与PHP连接。

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
;listen.owner = nobody
;listen.group = nobody
;listen.mode = 0660

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660

2.2.3 找到如下字段,将user和group的apache改为nginx

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
; RPM: apache Choosed to be able to access some dir as httpd
user = apache
; RPM: Keep a group allowed to write in log dir.
group = apache

修改user和group为nginx

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
; RPM: apache Choosed to be able to access some dir as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx

如果忽略,会出现安装插件时需要输入用户名和密码的尴尬

Connection Information

To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.

2.3 重启nginx、php-fpm

service nginx restart
service php-fpm restart

3 安装WordPress

3.1 下载并配置

cd /tmp && wget wordpress.org/latest.tar.gz

tar xvzf latest.tar.gz && cp -rf wordpress/* /var/www/wordpress/

cp /var/www/wordpress/wp-config-sample.php /var/www/wordpress/wp-config.php

3.2 将WordPress连接至已经建好的数据库

找到数据库的配置字段,并按“1 建立wordpress的数据库”时所设置的数据库、用户名、密码进行修改:

vi /var/www/wordpress/wp-config.php

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wpuser');

/** MySQL database password */
define('DB_PASSWORD', 'wppw');

3.3 修复网站所在文件夹的权限,

cd /var/www/

chown nginx:nginx * -R
usermod -a -G nginx nginx

如不进行此步,则在安装插件时,会出现和“2.2.3”相同的情况:

Connection Information

To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.

3.4 用浏览器访问如下地址(假设站点IP为1.2.3.4,域名为www.urwp.com),并启动安装WordPress。

1.2.3.4/wp-admin/install.php

www.urwp.com/wp-admin/install.php

上一篇:CentOS 6 搭建LNMP服务器环境

CentOS 6 搭建LNMP服务器环境

更新: 
2017-05-26
1 CentOS 6支持时程的完整更新已于2016年第2季度结束,维护更新持续到2020-11-30,虽然还有3年多的时间,但请及时升级到CentOS 7。
2 如仍停留在CentOS 6,本教程仍然有效,可安装/升级至最新版的LNMP。

2017-05-25
1 更新至nginx 1.13.0,MariaDB 10.2.6,PHP 7.1.5。

2017-02-25
1 CentOS 7搭建LNMP请参考这篇文章。 

2016-08-19
1 nginx-1.11.3 mainline或nginx-1.10.1, MariaDB 10.1.16, PHP 7.0.9,同样适用。
2 目前centos 6 64位已升至6.8,同样适用。

2016-05-04
1 加入 nginx 的 mainline 和 stable 两个版本供安装选择,标题中总是选择mainline版,详见如下步骤。
2 经测试,该教程适用于nginx-1.9.15 mainline 或者 nginx-1.10.0 stable, MariaDB 10.1.13, PHP 7.0.5,按本教程新装则自动为最新版本;
3 如按本教程安装过老版本,可直接通过如下命令升级即可升级为最新版,无需额外步骤:

     yum update 2016-02-21 1 经测试,同样适用于nginx 1.9.11, PHP 7.0.3, 按本教程新装则自动为最新版本; 2 按本教程安装了nginx 1.9.10 PHP 7.0.2,可直接通过“yum update”命令升级即可,无需额外步骤。
以LNMP(Linux+nginx+MySQL+PHP)来搭建网络环境越来越流行,MariaDB也有逐渐取代MySQL的趋势。
说明:
1 本文以CentOS 6.7 64位系统为基础,安装nginx、MariaDB、PHP来搭建网络环境。
2 尽量采用yum方式,避免出现需要手动编写配置文件的棘手问题。
3 参考教程:
 How To Install Linux, nginx, MySQL, PHP (LEMP) stack on CentOS 6
 Ultimate Guide To Installing Nginx, MySQL, PHP5, PHP-FPM In CentOS 6.5

详细步骤:
1 更新系统是第一件事:

yum update -y

并查看系统版本:

head -1 /etc/issue

CentOS release 6.7 (Final)

2 配置源:
2.1 配置MariaDB官方源
首先需要定制MariaDB的官方源
选择合适的系统,系统版本,及MariaDB版本(最新是10.1)

CentOS > CentOS 6(64bit) > 10.1

从而获得CentOS 6 64位系统MariaDB 10.1版本的源地址,配置源方法

vi /etc/yum.repos.d/MariaDB.repo

填入如下内容

# MariaDB 10.1 CentOS repository list - created 2016-02-03 13:17 UTC
# http://mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

保存退出(按ESC键,输入:wq)。

2.2 配置PHP源
webtatic源更新较快,且其命名有自己的特色方式,可以避免与其他源的某些冲突:

rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm

2.3 配置nginx官方源
官方nginx有两个版本,mainline和stable,即开发板和稳定版,区别是前者引入新特性但可能有新bug,后者足够稳定。事实上,两者均比较稳定,nginx的网站总是运行在mainline版上。
以下提供两个版本供选择,请选择其一,推荐使用mainline版。

2.3.1 mainline 版
nginx的mainline版

vi /etc/yum.repos.d/nginx.repo

系统是CentOS 6,故写入如下内容

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/6/$basearch/
gpgcheck=0
enabled=1

保存退出。

2.3.2 stable 版

vi /etc/yum.repos.d/nginx.repo

系统是CentOS 6,故写入如下内容

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1

保存退出。

3 安装、启动服务及设置开机启动

3.1.1 安装MariaDB

yum install MariaDB-server -y

3.1.2 安装PHP

yum install php70w-fpm -y

安装扩展

yum install php70w-gd php70w-mysqlnd php70w-pdo php70w-mcrypt php70w-mbstring php70w-xmlrpc -y

3.1.3 安装nginx

yum install nginx -y

3.2 启动服务并设置开机启动

service nginx start

service mysql start

service php-fpm start

chkconfig --level 235 nginx on

chkconfig --level 235 mysql on

chkconfig --level 235 php-fpm on

4 配置

4.1 设置MariaDB

作为生来就是要接替MySQL的MariaDB,对MySQL的命令具有良好的兼容性。
此步主要是MariaDB的安全设置:

mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 

因为还未设置MariaDB的数据库,所以root密码也是空的,此处直接回车

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y

设置数据库的密码

New password: 

设置密码,设置一个你自己知道的密码。

Re-enter new password: 

再次输入密码

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

4.2 配置PHP

vi /etc/php.ini

找到

;cgi.fix_pathinfo=1

去掉注释,并将1改成0

cgi.fix_pathinfo=0

保存退出。

4.3 配置nginx

4.3.1 默认配置的情况下,直接用浏览器打开你的主机空间的IP地址或者域名(假设IP地址为1.2.3.4,域名为www.urwp.com,后面也会用到),就可以看到nginx的欢迎页面,说明nginx已经在工作了。

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

4.3.2 配置nginx,以支持PHP

vi /etc/nginx/conf.d/default.conf

修改前的默认配置是这样的:

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

按下面内容修改,取消注释,并修改部分内容:

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

4.3.3 测试PHP是否正常运行

vi /usr/share/nginx/html/phpinfo.php

写入如下代码,并保存

<?php
phpinfo();
?>

重启nginx和PHP

service nginx restart
service php-fpm restart

再次访问你的主机地址或域名:

http://1.2.3.4/phpinfo.php

或者

http://www.urwp.com/phpinfo.php

可见到php相关信息,说明PHP和nginx已经配合工作了。
此时LNMP网络服务环境就已初步搭建了。
接下来,可以部署自己的网站,或者开个简单的博客,比如WordPress
下一篇:CentOS 6系统LNMP环境下安装WordPress

在CentOS6.5基于nginx1.9.9和StartSSL证书建立的SSL服务器上启用OCSP stapling的简单方法

鉴于Let's Encrypt日益成熟,请转向:
使用Let’s Encrypt的Certbot为ngxin生成ECDSA证书
在CentOS 6 的LNMP服务器上部署Let’s Encrypt的SSL证书

CentOS 6.5 64位,nginx 1.9.9,StartSSL的1年免费服务器证书,OpenSSL运行库。

1.查看是否已经启用OCSP stapling(否),同时或者证书颁发者的名字(StartCom Class 1 DV Server CA),有两个网站,任选其一,digicert速度较快。

1.1 Qualys
测试后,得到两个信息:
一是没有启用OCSP stapling:
OCSP stapling No
二是得到证书颁发者的名称:
Issuer StartCom Class 1 DV Server CA

1.2 digicert
测试后,得到两个信息:
一是没有启用OCSP stapling:
OCSP Staple: Not Enabled
二是得到中间证书(INTERMEDIATE CERTIFICATE)的名称:
Subject StartCom Class 1 DV Server CA

2.获得StartSSL根证书和中间证书的下载地址。
打开StartSSL证书网站,如下,并找到pem格式的证书。
https://www.startssl.com/root

2.1点击“Root CA Certificates”,找到根证书ca.crt(pem),得到下载地址,不用下载:

https://www.startssl.com/certs/ca.pem

2.2点击“Intermediate CA Certificates”,进入中间证书下载地址,第一步中已经知道中间证书的名称:“Class 1 DV SSL certificate”,可以找到“StartCom Class 1 DV Server CA(pem)(SHA-2)”,获得下载地址,不用下载:

https://www.startssl.com/certs/sca.server1.crt

3.下载并将根证书和中间证书合并
进入自己管理证书或者喜欢的地方,比如:

cd /etc/ssl/

输入以下命令,已经改好了根证书和中间证书的下载地址,命令参考了digitalocean这篇文章,ca-certs.pem可以改为自己喜欢的名字。

wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sca.server1.crt | tee -a ca-certs.pem> /dev/null

获得ca-certs.pem文件,如下:

/etc/ssl/ca-certs.pem

4.编辑nginx的配置文件,在SSL相关字段中输入,如下:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/starssl/ca-certs.pem;

:wq,保存退出编辑器。

5.重启nginx

service nginx restart

6.重复第一步的测试,这时OCSP stapling功能已经顺利开启。