Create Virtual Hosts, Password-Protected Directories and SSL Certificates using the "Nginx Web Server" in Arch Linux


The previous Arch Linux 'LEMP' article covered only the basics, from installing the network services (Nginx, MySQL database and PhpMyAdmin) to configuring the minimal security required for the MySQL server and PhpMyAdmin.

This topic is closely related to the earlier installation of LEMP on Arch Linux and will guide you through more complex configurations for the LEMP stack, especially Nginx web server configurations: creating Virtual Hosts, using Password Protected Directories, creating and configuring HTTP Secure Sockets Layer, and redirecting HTTP to HTTPS. It also presents some useful Bash scripts that ease the job of activating Virtual Hosts and generating SSL Certificates and Keys.

Install LEMP with MariaDB Database in Arch Linux

Step 1: Enable Virtual Hosts on Nginx

One of the simplest ways to enable Virtual Hosts is to use include statements in the main Nginx configuration file. This makes further configuration simpler and more efficient, because you can create one simple file for every new host and keep the main configuration file clean.

This approach works the same way as on the Apache Web Server. The first thing you need to do is specify the new path from which Nginx should read configuration files.

1. So, open the main nginx.conf file located in the /etc/nginx/ system path and, at the bottom, before the last curly bracket "}", add the path where future Virtual Host configuration files will reside.

$ sudo nano /etc/nginx/nginx.conf

At the bottom add the following statement.

include /etc/nginx/sites-enabled/*.conf;

This directive tells Nginx to read all files found in /etc/nginx/sites-enabled/ that end with the .conf extension.

2. The next step is to create the sites-enabled directory and another one, called sites-available, where you store all your Virtual Host configuration files.

$ sudo mkdir /etc/nginx/sites-available /etc/nginx/sites-enabled

3. Now it's time to create a new Virtual Host. This example uses the system IP address as the Virtual Host name, so create a new file named name-ip.conf.

$ sudo nano /etc/nginx/sites-available/name-ip.conf

Add the following content.

## File content ##

server {
    listen 80;
    server_name 192.168.1.33;

    access_log /var/log/nginx/192.168.1.33.access.log;
    error_log /var/log/nginx/192.168.1.33.error.log;

    root /srv/http;

    location / {
        index index.html index.htm index.php;
        # Directory listing for folders that have no index file.
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    location /phpmyadmin {
        rewrite ^/* /phpMyAdmin last;
    }

    location ~ \.php$ {
        # fastcgi_pass 127.0.0.1:9000;  (depending on your php-fpm socket configuration)
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

The directive that activates the Virtual Host is the server_name statement under the listening port. Another important directive here is the root statement, which tells the Nginx Virtual Host to serve file content from the /srv/http/ path.

4. The last step is to create the /srv/http/ directory and make the name-ip.conf configuration file available for Nginx to read (using a symbolic link), then restart the daemon so the new configuration takes effect.

$ sudo mkdir /srv/http/
$ sudo ln -s /etc/nginx/sites-available/name-ip.conf /etc/nginx/sites-enabled/
$ sudo systemctl restart nginx

5. To verify it, point your browser to the Arch system IP address and you should see that the web content is different from http://localhost. Here I have added a small php script that also checks the FastCGI PHP configuration, as in the screenshot below.

$ sudo nano /srv/http/info.php
## File content ##

<?php
// Prints the full PHP and FastCGI configuration; delete this file after testing.
phpinfo();
?>

6. Another method, which I developed myself, to enable or disable Virtual Hosts on Nginx is more elegant and is inspired by the Apache a2ensite script.

To use this method open a file editor and create a new file, named n2ensite, in your $HOME path with the content below, make it executable, run it with root privileges and pass it your new Virtual Host name without the .conf ending as an option (feel free to modify it according to your needs).

$ sudo nano n2ensite
## File content ##

#!/bin/bash
# Enable an Nginx virtual host: link sites-available/<name>.conf into sites-enabled.
available=/etc/nginx/sites-available
enabled=/etc/nginx/sites-enabled

# Create both directories if they are missing.
mkdir -p "$available" "$enabled"

site=$(ls "$available")

if [ "$#" != "1" ]; then
    echo "Use script: n2ensite virtual_site"
    echo -e "\nAvailable virtual hosts:\n$site"
    exit 1
fi

# The script runs as root, so accept a bare host name only, never a path.
case "$1" in
    ""|*/*|.*) echo "Invalid virtual host name: $1"; exit 1 ;;
esac

avail=$available/$1.conf

if test -e "$avail"; then
    ln -sf "$avail" "$enabled/"
else
    echo -e "$avail virtual host does not exist! Please create one!\n$site"
    exit 1
fi

if test -e "$enabled/$1.conf"; then
    echo "Success!! Now restart nginx server: sudo systemctl restart nginx"
else
    echo -e "Could not enable $avail!\nPlease see available virtual hosts:\n$site"
    exit 1
fi

Make it executable and run it as shown.

$ sudo chmod +x n2ensite
$ sudo ./n2ensite your_virtual_host

7. To disable Virtual Hosts create a new n2dissite file with the following content and apply the same settings as above.

$ sudo nano n2dissite
## File content ##

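#!/bin/bash
# Disable an Nginx virtual host: remove its link from sites-enabled.
enabled=/etc/nginx/sites-enabled
site=$(ls "$enabled")

if [ "$#" != "1" ]; then
    echo "Use script: n2dissite virtual_site"
    echo -e "\nAvailable virtual hosts: \n$site"
    exit 1
fi

# The script runs as root, so accept a bare host name only, never a path.
case "$1" in
    ""|*/*|.*) echo "Invalid virtual host name: $1"; exit 1 ;;
esac

avail=$enabled/$1.conf

# -L also catches a link whose target has already been deleted.
if test -e "$avail" || test -L "$avail"; then
    rm "$avail"
else
    echo -e "$avail virtual host does not exist! Exiting!"
    exit 1
fi

if test -e "$avail" || test -L "$avail"; then
    echo "Error!! Could not remove $avail virtual host!"
    exit 1
else
    echo -e "Success! $avail has been removed!\nPlease restart Nginx: sudo systemctl restart nginx"
fi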

8. Now you can use these two scripts to enable or disable any Virtual Host. If you want to use them as system-wide commands, just copy both scripts to /usr/local/bin/ and then you can run them without specifying the path.

$ sudo cp n2ensite n2dissite /usr/local/bin/
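
Because nginx.conf includes every *.conf entry in sites-enabled, a link left pointing at a deleted file stops Nginx from starting. The following is an added example, not one of the article's scripts: audit_sites and demo_tree are hypothetical names, and the demo tree is constructed in a temporary directory.

```shell
#!/bin/bash
# Usage: audit_sites <sites-available> <sites-enabled>
# Prints one finding per line and returns 1 if anything was found.
audit_sites() {
    local available enabled entry target found=0
    available=$(readlink -f "$1") || return 2
    enabled=$2
    for entry in "$enabled"/*.conf; do
        # An unmatched glob stays literal: neither a file nor a link, skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            echo "REGULAR-FILE $entry (keep it in sites-available and link it)"
            found=1
        elif [ ! -e "$entry" ]; then
            # Nginx aborts at startup when an included file cannot be opened.
            echo "DANGLING $entry -> $(readlink "$entry")"
            found=1
        else
            target=$(readlink -f "$entry")
            case "$target" in
                "$available"/*) ;;   # expected location
                *) echo "OUTSIDE $entry -> $target"; found=1 ;;
            esac
        fi
    done
    return "$found"
}

# Constructed sample tree: one good link, one dangling link, one stray file.
demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir "$root/sites-available" "$root/sites-enabled"
    echo 'server { listen 80; }' > "$root/sites-available/name-ip.conf"
    ln -s "$root/sites-available/name-ip.conf" "$root/sites-enabled/"
    ln -s "$root/sites-available/gone.conf" "$root/sites-enabled/gone.conf"
    echo 'server { listen 8080; }' > "$root/sites-enabled/stray.conf"
    echo "$root"
}
```

On a real system, source the file and run audit_sites /etc/nginx/sites-available /etc/nginx/sites-enabled before restarting Nginx.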

Step 2: Enable SSL with Virtual Hosts on Nginx

SSL (Secure Sockets Layer) is a protocol designed to encrypt HTTP connections over networks or the Internet, so that data travels over a secure channel using symmetric/asymmetric cryptographic keys. In Arch Linux it is provided by the OpenSSL package.

$ sudo pacman -S openssl

9. To enable HTTPS connections with Nginx, the first thing you need to do is generate the Virtual Host keys. To simplify things, I have developed a small script that automatically generates the cryptographic keys in the /etc/nginx/ssl directory path, using the Virtual Host name as the key names.

Create a file named nginx_gen_ssl and add the following content.

$ sudo nano nginx_gen_ssl
## File content ##

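#!/bin/bash
# Create a private key, a CSR and a self-signed certificate for one
# virtual host under /etc/nginx/ssl.
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl || exit 1

echo -e "Enter your virtual host FQDN: \nThis will generate the default name for Nginx  SSL certificate!"
read -r cert

# Make the private key readable by root only from the moment it is written.
umask 077
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$cert.key" || exit 1
chmod 600 "$cert.key"
# openssl req prompts for the certificate fields (Common Name and so on).
openssl req -new -key "$cert.key" -out "$cert.csr" || exit 1
# Self-sign the request; the certificate is valid for 365 days.
openssl x509 -req -days 365 -in "$cert.csr" -signkey "$cert.key" -out "$cert.crt" || exit 1

echo -e " The certificate $cert has been generated!\nPlease link it to nginx ssl available website!"
ls -al /etc/nginx/ssl
exit 0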

10. After the script has been created add execution permissions, run it and provide your Certificate options, the most important of which is the Common Name field.

$ sudo chmod +x nginx_gen_ssl
$ sudo ./nginx_gen_ssl

At the end of the key generation task, a listing of all the keys available under the Nginx ssl directory is displayed.

Also, if you want to use this script as a system command, copy or move it to /usr/local/bin/.

$ sudo mv nginx_gen_ssl  /usr/local/bin

11. After the keys needed for the Nginx SSL Virtual Host have been generated, it's time to create the actual SSL Virtual Host configuration file. Use the same system IP address for the Virtual Host as above in the server_name directive, but change the Virtual Host file name slightly by appending ssl before .conf, to remind you that this file stands for the name-ip SSL Virtual Host.

$ sudo nano /etc/nginx/sites-available/name-ip-ssl.conf

In this file change the listen port statement to 443 ssl and set the SSL certificate and key file paths to the ones created earlier, so that it looks like the excerpt below.

## File content ##

server {
    listen 443 ssl;
    server_name 192.168.1.33;

    ssl_certificate      /etc/nginx/ssl/192.168.1.33.crt;
    ssl_certificate_key  /etc/nginx/ssl/192.168.1.33.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    access_log /var/log/nginx/192.168.1.33-ssl.access.log;
    error_log /var/log/nginx/192.168.1.33-ssl.error.log;

    root /srv/http;

    location / {
        index index.html index.htm index.php;
        # Directory listing for folders that have no index file.
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    location /phpmyadmin {
        rewrite ^/* /phpMyAdmin last;
    }

    location ~ \.php$ {
        # fastcgi_pass 127.0.0.1:9000;  (depending on your php-fpm socket configuration)
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

12. After the file has been created use the n2ensite script or the ln command line to activate it (create a symbolic link to the file in the sites-enabled directory), then restart the Nginx daemon to apply the settings.

$ sudo ./n2ensite name-ip-ssl
OR
$ sudo ln -s /etc/nginx/sites-available/name-ip-ssl.conf /etc/nginx/sites-enabled/
$ sudo systemctl restart nginx

13. Again point your browser to the Arch IP URL, but this time using the HTTPS protocol (https://192.168.1.33 on my system), and an Untrusted Connection security error should appear (Add and Confirm Security Exception to go further on the page).

As you can see, your Nginx Virtual Host is serving the same content as the previous name-ip host, but this time over a secure HTTP connection.
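
Before an ssl_certificate / ssl_certificate_key pair goes into a Virtual Host, it is worth checking that the key is private, that it belongs to the certificate, and that the 365 days have not nearly run out. The following is an added example, not one of the article's scripts: check_pair and make_demo_pair are hypothetical names, and make_demo_pair repeats the three openssl commands of nginx_gen_ssl non-interactively to build a constructed test pair.

```shell
#!/bin/bash
# Usage: check_pair <cert.crt> <cert.key> [min_days_left]
# Prints one finding per line and returns 1 if anything was found.
check_pair() {
    local crt=$1 key=$2 days=${3:-30} mode cert_pub key_pub rc=0
    # 1. The private key must not be accessible to group or others.
    mode=$(stat -c %a "$key") || return 2
    case "$mode" in
        *00) ;;
        *) echo "KEY-PERMS $key is mode $mode, expected 600"; rc=1 ;;
    esac
    # 2. Certificate and key must carry the same public key, otherwise
    #    Nginx refuses to load the pair.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH $crt was not issued for $key"; rc=1
    fi
    # 3. nginx_gen_ssl signs for 365 days; warn before that runs out.
    if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING $crt expires within $days days"; rc=1
    fi
    return "$rc"
}

# Constructed test pair: same commands as nginx_gen_ssl, with -subj
# replacing the interactive prompts.
make_demo_pair() {
    local dir=$1 name=$2
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/$name.key" 2>/dev/null
      openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
          -out "$dir/$name.csr"
      openssl x509 -req -days 365 -in "$dir/$name.csr" \
          -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null )
}
```

For the host created above the call is check_pair /etc/nginx/ssl/192.168.1.33.crt /etc/nginx/ssl/192.168.1.33.key, run as root so the key is readable.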

Step 3: Access PhpMyAdmin through Virtual Host

Once a Virtual Host is enabled on Nginx, we no longer have access to the http://localhost path content (localhost usually serves content using the loopback IP address, or the system IP address if not otherwise configured), because we have used the Arch system IP as server_name and so our content path has changed.

14. The simplest way to gain access to PhpMyAdmin through the web is to create a symbolic link between the /usr/share/webapps/phpMyAdmin/ path and our newly defined Virtual Host path (/srv/http).

$ sudo ln -s /usr/share/webapps/phpMyAdmin/ /srv/http/

15. After you execute the above command, refresh your page and you will see a new phpMyAdmin folder appear, if the autoindex statement is enabled on the Nginx Virtual Host, or point your URL directly to the PhpMyAdmin folder https://arch_IP/phpMyAdmin.

16. If you want to sanitize the phpMyAdmin string in the browser, edit your Virtual Host files and add the following content under the server block.

    location /phpmyadmin {
        rewrite ^/* /phpMyAdmin last;
    }

Step 4: Enable Password Protected Directory on Nginx

Unlike Apache, Nginx uses the HttpAuthBasic module to enable Password Protected Directories but doesn't provide any tools to create an encrypted .htpasswd file.

17. To achieve directory password protection with Nginx on Arch Linux, install the Apache web server and use its tools to generate an encrypted .htpasswd file.

$ sudo pacman -S apache

18. After you have installed Apache create a new directory under /etc/nginx/ named passwd, where the .htpasswd file will be stored, and use the htpasswd command with the -c switch for the first added user to generate the file. Then, if you want to add more users, use htpasswd without the -c switch.

$ sudo mkdir /etc/nginx/passwd

$ sudo htpasswd -c /etc/nginx/passwd/.htpasswd first_user
$ sudo htpasswd /etc/nginx/passwd/.htpasswd second_user
$ sudo htpasswd /etc/nginx/passwd/.htpasswd third_user

19. To protect the /srv/http/ root path served by the name-ip-ssl Virtual Host, with all the sub-folders and files beneath it, add the following instructions inside your Virtual Host server block under the root directive and point them to the absolute path of the .htpasswd file.

auth_basic "Restricted Website";
auth_basic_user_file /etc/nginx/passwd/.htpasswd;

20. After you restart the Nginx service, refresh the page and an Authentication Required popup should appear asking for your credentials.

Now you have successfully enabled Nginx Password Protected Directories, but be aware that the Apache web server is now installed on your system as well, so make sure that it stays disabled and by no means start it, because it can lead to port conflicts with Nginx.
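
An entry for auth_basic_user_file can also be produced and checked with the openssl package installed in Step 2, using the $apr1$ (MD5-based) format that htpasswd writes by default. The following is an added example, not part of the original article: htpasswd_entry and htpasswd_check are hypothetical helper names, and passwords are read from standard input.

```shell
#!/bin/bash
# Passwords come from stdin so they never show up in the process list.

# htpasswd_entry <user>  -> prints "user:$apr1$<salt>$<digest>"
htpasswd_entry() {
    local user=$1 hash
    case "$user" in
        ""|*:*) echo "invalid user name" >&2; return 2 ;;
    esac
    hash=$(openssl passwd -apr1 -stdin) || return 2
    printf '%s:%s\n' "$user" "$hash"
}

# htpasswd_check <file> <user>  -> returns 0 if the password on stdin matches
htpasswd_check() {
    local file=$1 user=$2 stored salt candidate
    # First entry for this user; the hash is everything after "user:".
    stored=$(awk -F: -v u="$user" \
        '$1 == u { print substr($0, length(u) + 2); exit }' "$file")
    [ -n "$stored" ] || return 1
    # Layout is $apr1$<salt>$<digest>; reuse the stored salt to recompute.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd -apr1 -salt "$salt" -stdin) || return 2
    [ "$candidate" = "$stored" ]
}
```

Append the output of htpasswd_entry to /etc/nginx/passwd/.htpasswd as root, and keep that file readable only by root and the user the Nginx workers run as.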

Step 5: Redirect HTTP to HTTPS on Nginx

21. If you want browsers to be redirected automatically from all insecure HTTP requests to the HTTPS protocol, open and edit your non-ssl Virtual Host and add the following instruction under the server_name directive.

rewrite        ^ https://$server_name$request_uri? permanent;

All the settings presented in this article were made on an Arch Linux system acting as a server, but most of them, especially those regarding Nginx configuration files, are available on most Linux systems with slight differences.