Switching from Apache to nginx


I didn't know much about web servers before and just installed Apache without much thought. This ECS instance now runs quite a few services, and setting up a reverse proxy for each of them is less convenient with Apache than with nginx, so I am replacing Apache with nginx. The process is recorded below.

1. Backup

First back up the original site's configuration, certificate files and .htaccess, just in case.

mkdir ~/apacheBak
# configuration
cp -r /etc/apache2/sites-available ~/apacheBak
# certificates
cp -r /etc/apache2/cert ~/apacheBak
# htaccess
cp -r /var/www/html/.htaccess ~/apacheBak

2. Remove Apache

# stop
/etc/init.d/apache2 stop
# uninstall (quoted so the shell does not expand the pattern)
apt remove 'apache*'
apt autoremove
# delete the remaining configuration, including the /etc/init.d script
find /etc -name "*apache*" -print0 | xargs -0 rm -rf

3. Install nginx

apt clean && apt update && apt upgrade
apt install nginx

4. Configuration

4.1 nginx syntax highlighting in vim

First make vim support nginx syntax highlighting, using the GitHub repo chr4/nginx.vim:

# download and move the syntax file
git clone https://github.com/chr4/nginx.vim
mkdir -p ~/.vim
mv ./nginx.vim/syntax ~/.vim
rm -rf ./nginx.vim

# associate the nginx configuration files with the filetype
cat > ~/.vim/filetype.vim <<EOF
au BufRead,BufNewFile /etc/nginx/*,/etc/nginx/conf.d/*,/usr/local/nginx/conf/*,*/conf/nginx.conf if &ft == '' | setfiletype nginx | endif
EOF

4.2 nginx configuration for ports 80 and 443

Download the nginx version of the certificate again; for certificate setup see the Alibaba Cloud guide "Install a certificate on an Nginx/Tengine server".

/etc/init.d/nginx stop
# allow 80 and 443 through the firewall
ufw allow "Nginx Full"

nginx configuration file:

server {
    listen 80;
    server_name brothereye.cn www.brothereye.cn;
    # redirect every plain-HTTP request to HTTPS on the same host
    rewrite ^(.*)$ https://$host$1 permanent;
    location / {
        index index.html index.htm;
    }
}

server {
    listen 443 ssl;
    server_name www.brothereye.cn;

    root /var/www/html;

    index index.php index.html index.htm;

    ssl_certificate cert/your.pem;  # your certificate file (pem)
    ssl_certificate_key cert/your.key;  # your certificate key file
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # This form also prevents direct access to directories; recommended!
    location / {
        # add_header Content-Type text/plain;  # debug
        # return 200 "$host:debug";  # debug
        try_files $uri $uri/ /index.php;
    }

    # Block xmlrpc.php attacks; essential for WordPress!
    location ~* /xmlrpc\.php {
        allow 127.0.0.1;
        deny all;
    }

    # Deny access to hidden files
    location ~ /\. {
        deny all;
    }

    location ~ .*\.php(\/.*)* {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    # Include the config file under the site root. Comment this out when it is not needed.
    location ~ /nginx.conf {
        deny all;
    }
    include /var/www/html/nginx.conf;
}

4.3 nginx gzip compression

Reference blog post: "Speeding up nginx: enabling gzip and caching".

Modify the fields under http in /etc/nginx/nginx.conf:

# /etc/nginx/nginx.conf
# under http, comment out the original gzip settings and add the following

gzip on;
gzip_min_length 1k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png font/ttf font/otf image/svg+xml;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";

4.4 Hiding the nginx and PHP version numbers

Hide the nginx version: in nginx.conf (usually /etc/nginx/nginx.conf), add or uncomment server_tokens off; under the http block.

Hide the PHP version: in php.ini, set expose_php = Off.

php.ini is usually at /etc/php/{version}/fpm/php.ini. To find the configuration file that is actually loaded, create the following file and open it from a client.

<?php
// phpinfo() prints the report itself; it does not need echo.
// Remove this file again once you have the path: it exposes server details.
phpinfo();
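As an added example (not code from the original post), the shell script below checks an nginx server config and a php.ini for the items set in sections 4.2 and 4.4: it flags ssl_protocols that still list TLSv1 or TLSv1.1 (both deprecated by RFC 8996; the config above still enables them), a missing server_tokens off, a missing Strict-Transport-Security header, a missing deny on xmlrpc.php and on dotfiles, and expose_php not set to Off. The sample configs and php.ini lines it runs against are constructed inline; the function names, the temp directory and the example.test domain are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an nginx server config
# plus a php.ini for the hardening items from sections 4.2 and 4.4.
# Prints one "FINDING:" line per problem and returns the number of findings
# (0 means every check passed). On the server the inputs would be
# /etc/nginx/nginx.conf or a file under sites-available, and
# /etc/php/<version>/fpm/php.ini.

# Copy a config with '#' comments removed, so a commented-out directive
# such as '# server_tokens off;' does not count as being set.
strip_comments() {
    sed 's/#.*$//' "$1"
}

# Does the location block whose opening line contains the literal $2 also
# contain a line with the literal $3? Reads file $1. The literals go through
# the environment so awk does not reinterpret the backslash in '/\.'.
# Assumes location blocks have no nested '{ }' blocks, as in this post.
block_has() {
    LOC="$2" DIR="$3" awk '
        index($0, "location") && index($0, ENVIRON["LOC"]) { inblk = 1 }
        inblk && index($0, ENVIRON["DIR"])                  { found = 1 }
        inblk && index($0, "}")                             { inblk = 0 }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_web_hardening NGINX_CONF PHP_INI
audit_web_hardening() {
    nginx_cfg=$(mktemp) || return 99
    strip_comments "$1" > "$nginx_cfg"
    n=0

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); flag them if still listed.
    if grep -E '^[[:space:]]*ssl_protocols' "$nginx_cfg" | grep -Eq 'TLSv1(\.1)?([^.0-9]|$)'; then
        echo "FINDING: ssl_protocols still enables TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$nginx_cfg"; then
        echo "FINDING: 'server_tokens off;' not set; nginx version is sent in the Server header and error pages"
        n=$((n + 1))
    fi
    if ! grep -q 'Strict-Transport-Security' "$nginx_cfg"; then
        echo "FINDING: no Strict-Transport-Security header on the 443 server"
        n=$((n + 1))
    fi
    if ! block_has "$nginx_cfg" 'xmlrpc' 'deny all'; then
        echo "FINDING: xmlrpc.php is not denied"
        n=$((n + 1))
    fi
    if ! block_has "$nginx_cfg" '/\.' 'deny all'; then
        echo "FINDING: hidden files (dotfiles) are not denied"
        n=$((n + 1))
    fi
    if ! grep -Eiq '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*off' "$2"; then
        echo "FINDING: expose_php is not Off; PHP version is sent in X-Powered-By"
        n=$((n + 1))
    fi
    rm -f "$nginx_cfg"
    return "$n"
}

# Constructed sample inputs: the 4.2 server block before section 4.4 was
# applied, and a hardened variant. Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d) || return 99
    cat > "$d/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # server_tokens off;
    location ~* /xmlrpc\.php {
        allow 127.0.0.1;
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}
EOF
    cat > "$d/hardened.conf" <<'EOF'
server_tokens off;
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security max-age=15768000;
    location ~* /xmlrpc\.php {
        allow 127.0.0.1;
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}
EOF
    printf 'expose_php = On\n'  > "$d/php-weak.ini"
    printf 'expose_php = Off\n' > "$d/php-hardened.ini"
    echo "$d"
}

# Stand-alone run: audit both constructed samples.
DIR=$(make_samples)
echo "== weak =="
audit_web_hardening "$DIR/weak.conf" "$DIR/php-weak.ini" || echo "$? finding(s)"
echo "== hardened =="
audit_web_hardening "$DIR/hardened.conf" "$DIR/php-hardened.ini" && echo "0 findings"
rm -rf "$DIR"
```

To run it against the live server, pass the real files: audit_web_hardening /etc/nginx/nginx.conf /etc/php/7.0/fpm/php.ini after sourcing the script. Because comments are stripped first, the check only passes once server_tokens off; is actually uncommented, which is the step that is easiest to forget.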

5. Reverse-proxying other services

5.1 Reverse-proxying JupyterHub to a subdomain

Here I reverse-proxy my JupyterHub to the subdomain xx.brothereye.cn. The configuration follows the JupyterHub docs, "Using a reverse proxy".

For easier management, I recommend creating a separate configuration file for each independent service:

# create the config file under sites-available
touch /etc/nginx/sites-available/jupyterhub.conf
# create a symlink in sites-enabled
ln -s /etc/nginx/sites-available/jupyterhub.conf /etc/nginx/sites-enabled/jupyterhub.conf

# edit the file and fill in the configuration below
vim /etc/nginx/sites-available/jupyterhub.conf

Configuration file contents:

# top-level http config for websocket headers
# If Upgrade is defined, Connection = upgrade
# If Upgrade is empty, Connection = close
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP server to redirect all 80 traffic to SSL/HTTPS
server {
    listen 80;
    server_name xx.brothereye.cn;
    # Tell all requests to port 80 to be 302 redirected to HTTPS
    return 302 https://$host$request_uri;
}

# HTTPS server to handle JupyterHub
server {
    listen 443 ssl;

    server_name xx.brothereye.cn;

    access_log /var/log/nginx/xx.access.log;
    error_log /var/log/nginx/xx.error.log;

    ssl_certificate cert/your.pem;  # your certificate file (pem)
    ssl_certificate_key cert/your.key;  # your certificate key file
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=15768000;

    # Managing literal requests to the JupyterHub front end
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # websocket headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Managing requests to verify letsencrypt host
    location ~ /.well-known {
        allow all;
    }
}
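As an added example (not from the post or the JupyterHub docs), this script writes a per-service site file like the one above, enables it with the sites-enabled symlink, and sanity-checks it before nginx -t. The check concentrates on the $ variables: when nginx config is copied from a web page, $host, $remote_addr and $http_upgrade are what tends to get lost, and nginx then forwards the literal text (a header value of remote_addr instead of the client address) without complaining. NGINX_ROOT, enable_proxy_site, check_proxy_conf, the example.test domain and the cert/ paths are my assumptions; on the server the root would be /etc/nginx.

```shell
#!/bin/sh
# Added example, not from the original post: generate, enable and check a
# reverse-proxy site file. NGINX_ROOT defaults to a temp dir so this runs
# offline; on the server it would be /etc/nginx. Cert paths are placeholders.

# enable_proxy_site ROOT NAME DOMAIN UPSTREAM
#   Writes ROOT/sites-available/NAME.conf, links it from sites-enabled and
#   prints the path of the file it wrote.
enable_proxy_site() {
    root=$1 name=$2 domain=$3 upstream=$4
    mkdir -p "$root/sites-available" "$root/sites-enabled"
    conf="$root/sites-available/$name.conf"
    # Quoted heredoc: nginx variables must reach the file literally.
    cat > "$conf" <<'EOF'
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
EOF
    # Unquoted heredoc: substitute the shell parameters, escape nginx variables.
    cat >> "$conf" <<EOF

server {
    listen 80;
    server_name $domain;
    return 302 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain;

    access_log /var/log/nginx/$name.access.log;
    error_log /var/log/nginx/$name.error.log;

    ssl_certificate cert/$name.pem;  # placeholder
    ssl_certificate_key cert/$name.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        proxy_pass $upstream;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
    }

    location ~ /.well-known {
        allow all;
    }
}
EOF
    ln -sf "$conf" "$root/sites-enabled/$name.conf"
    echo "$conf"
}

# check_proxy_conf FILE
#   Braces balanced, and every redirect/forwarding/websocket directive present
#   with its '$' variable intact. Prints one PROBLEM line per issue and
#   returns the number of problems.
check_proxy_conf() {
    f=$1 n=0
    opens=$(tr -cd '{' < "$f" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$f" | wc -c | tr -d ' ')
    if [ "$opens" -ne "$closes" ]; then
        echo "PROBLEM: unbalanced braces ($opens '{' vs $closes '}')"
        n=$((n + 1))
    fi
    for needle in \
        'map $http_upgrade $connection_upgrade' \
        'return 302 https://$host$request_uri' \
        'proxy_set_header Host $host' \
        'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for' \
        'proxy_set_header Upgrade $http_upgrade' \
        'proxy_set_header Connection $connection_upgrade'
    do
        if ! grep -Fq "$needle" "$f"; then
            echo "PROBLEM: missing '$needle'"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Stand-alone run: write the file into NGINX_ROOT (or a temp dir) and check it.
if [ -z "${NGINX_ROOT:-}" ]; then
    ROOT=$(mktemp -d); CLEANUP=1
else
    ROOT=$NGINX_ROOT; CLEANUP=0
fi
CONF=$(enable_proxy_site "$ROOT" jupyterhub xx.example.test http://127.0.0.1:8000)
check_proxy_conf "$CONF" && echo "$CONF looks sane; next: nginx -t && systemctl reload nginx"
if [ "$CLEANUP" -eq 1 ]; then rm -rf "$ROOT"; fi
```

Run it as root with NGINX_ROOT=/etc/nginx to write the real files; check_proxy_conf only catches copy-and-paste damage, so nginx -t is still the authoritative test before reloading.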

5.2 Reverse-proxying frp to a third-level subdomain

See the next post: frp intranet tunnelling and nginx reverse proxy
