Blog setup reference: Building a blog (1) Hexo generation and gulp compression for faster loading

Nginx deployment

Installing Nginx

```bash
# Add the CentOS repo for the latest stable Nginx
# (the quoted EOF keeps $releasever and $basearch literal for yum to expand)
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF

# Install (gpgcheck=1 verifies the packages against the nginx signing key)
yum install nginx

# Start now and enable at boot
systemctl start nginx
systemctl enable nginx

# Check: open the server's domain or IP in a browser; you should see "Welcome to nginx!"
```

Deploying with rsync

```bash
# Arch Linux (local machine): install rsync
sudo pacman -S rsync
# Install the Hexo rsync deployer plugin
npm install hexo-deployer-rsync --save

# Add the deploy section to the site's _config.yml (YAML is indentation-sensitive)
deploy:
  - type: rsync
    host: fxtaoo.com            # domain or IP
    user: root                  # a dedicated key-only deploy user that owns the target directory is safer than root
    root: /var/website/duxing/  # where the generated site files live on the server
    port: 22                    # ssh port
    delete: true                # remove remote files that no longer exist locally

# On the VPS, create the target directory
mkdir -p /var/website/duxing/

# Deploy
hexo d
```

Nginx configuration

```bash
cd /etc/nginx/conf.d
# Back up (and thereby disable) the default config
mv default.conf default.conf.backup

# Add the site config
cat > duxing.conf <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/website/duxing/; # where the generated site files live (the rsync deploy root)
}
EOF

# Test the config, then reload nginx
nginx -t && nginx -s reload

# Verify: open http://<server IP>/ or http://<your domain>/ (plain http at this stage)
```

Requesting a certificate with acme.sh [1][4]

Requesting an SSL certificate means, put simply, that the site can be served over https; otherwise it stays on http and browsers flag it as not secure.

Installing acme.sh

```bash
# CentOS install
yum -y install wget socat
wget -O - https://get.acme.sh | sh
source ~/.bashrc
# Enable automatic upgrades of acme.sh itself
acme.sh --upgrade --auto-upgrade
```

Requesting a certificate by DNS validation [2]

Domain ownership is verified by adding a TXT record to the domain's DNS.

```bash
# Get DNS API credentials [3]
# Example: the registrar GoDaddy
# https://sso.godaddy.com/login?realm=idp&app=developer&path=%2Fkeys%2F

# Export the DNS API credentials (acme.sh stores them in its account config for renewals)
export GD_Key="xxx"
export GD_Secret="xxx"

# Replace fxtaoo.com with your own domain
# Request a certificate for the domain
acme.sh --issue --dns dns_gd -k ec-256 -d fxtaoo.com
# Request a wildcard certificate (quoted so the shell does not glob-expand the *)
acme.sh --issue --dns dns_gd -k ec-256 -d '*.fxtaoo.com'

# Create the certificate directory
mkdir -p /var/website/ssl/
# Install the certificate files; again replace fxtaoo.com
# --reloadcmd makes nginx load the renewed files when acme.sh's cron job renews them
acme.sh --install-cert --ecc -d fxtaoo.com \
  --key-file /var/website/ssl/fxtaoo.com.key \
  --fullchain-file /var/website/ssl/fxtaoo.com.crt \
  --reloadcmd "systemctl reload nginx"

# Wildcard: use file names without a literal * (which the shell would expand)
acme.sh --install-cert --ecc -d '*.fxtaoo.com' \
  --key-file /var/website/ssl/wildcard.fxtaoo.com.key \
  --fullchain-file /var/website/ssl/wildcard.fxtaoo.com.crt \
  --reloadcmd "systemctl reload nginx"

# Generate 2048-bit DH parameters with openssl (adjust the path to match)
openssl dhparam -out /var/website/ssl/dhparam.pem 2048
```

Nginx certificate configuration

Nginx configuration reference

```nginx
server {
    listen 443 ssl http2 fastopen=3;
    server_name fxtaoo.com;

    location / {
        root /var/website/duxing/;  # must match the rsync deploy root
        index index.html index.htm index.php;
    }

    ssl_dhparam /var/website/ssl/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); serve TLS 1.2, and 1.3 where the OpenSSL build supports it
    ssl_protocols TLSv1.2 TLSv1.3;
    # The 3DES (DES-CBC3) entries only exist for legacy clients and can be dropped
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # Certificate files installed by acme.sh
    ssl_certificate /var/website/ssl/fxtaoo.com.crt;
    ssl_certificate_key /var/website/ssl/fxtaoo.com.key;

    # HSTS with preload support (preload plus includeSubDomains is hard to undo once submitted)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # access_log /var/log/nginx/fxtaoo.com.access.log;
    error_log /var/log/nginx/fxtaoo.com.error.log;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Redirect http to https. $host carries the name the client asked for;
    # $server_name would be the literal "_" in this catch-all block and send clients to https://_/
    return 301 https://$host$request_uri;
}
```
```bash
# Test the config, then reload nginx
nginx -t && nginx -s reload

# Verify: open https://<your domain>/; http://<your domain>/ should now redirect to https
```
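A small checker for the kind of problems a TLS server block like the one above can carry (deprecated protocol versions, 3DES suites, and a redirect built from $server_name inside a catch-all server_name _ block), as an added Python example that is not part of the original post. SAMPLE_CONF is a constructed fragment, and the directive scanner is a deliberately simple regex rather than a full nginx config parser.

```python
import re

# Constructed sample in the style of the server blocks above: the old protocol
# list, a 3DES suite, and the redirect from the catch-all "server_name _" block.
SAMPLE_CONF = """
server {
    server_name fxtaoo.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
}
server {
    server_name _;
    rewrite ^(.*)$ https://${server_name}$1 permanent;  # lands on https://_/
}
"""
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITES = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")
DIRECTIVE = re.compile(r"(?m)^\s*([a-z_]+)\s+([^;{}]*);")  # one 'name args;' line

def server_blocks(conf):
    """Return the bodies of the top-level { ... } blocks, comments stripped."""
    text = re.sub(r"#[^\n]*", "", conf)
    text = re.sub(r"\$\{(\w+)\}", r"$\1", text)  # ${var} -> $var so braces balance
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(text):
        if ch == "{":
            start = i + 1 if depth == 0 else start
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(text[start:i])
    return blocks

def check_tls_config(conf):
    """List weak or broken TLS settings, one finding per offending directive."""
    findings = []
    for body in server_blocks(conf):
        d = [(m.group(1), m.group(2).strip()) for m in DIRECTIVE.finditer(body)]
        names = {args for name, args in d if name == "server_name"}
        for name, args in d:
            if name == "ssl_protocols":
                bad = sorted(set(args.split()) & DEPRECATED_PROTOCOLS)
                if bad:
                    findings.append("deprecated protocols enabled: " + " ".join(bad))
            elif name == "ssl_ciphers":
                findings += ["weak cipher suites enabled: " + w for w in WEAK_SUITES if w in args]
            elif name in ("rewrite", "return") and "$server_name" in args and "_" in names:
                findings.append("redirect uses $server_name in a catch-all block; use $host")
    return findings
```

Run it against your own conf.d files before `nginx -t`; an empty list means none of these three issues were found.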

Changelog

2019-03-24 Configuration files now use external gist links

References and further reading

1 acme.sh
2 acme.sh Chinese documentation
3 acme.sh DNS API documentation
4 Configuring free Let's Encrypt SSL certificates with acme.sh on Linux, including wildcard certificates