Submitted by gouki on 2020, September 24, 12:08 AM
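I've reworked the server again.
It used to be Caddy + Apache, the idea being automatic certificate issuance. But Caddy issues wildcard certificates through DNS validation, and even after I set the DNSPod key/secret, issuance failed.
Issuing certificates one domain at a time worked fine, though, so at first I just put up with it.
On another server of mine I actually run nginx + acme.sh + Apache. Today I had an upset stomach and no energy for anything else, so I tinkered with this. It doesn't take any brainpower anyway.
It's now switched to nginx + php-fpm. Along the way, .user.ini cost me half a day.
You read that right, .user.ini. That's because I used the lnmp bundle (another lazy move, but so far it looks fine). The lnmp bundle also supports multiple PHP versions (although I'm on PHP 7.3 right now, which feels like enough...).
lnmp also comes with certificate issuance built in, so I don't have to deal with that. As for the FTP/MySQL and whatever else it bundles, I don't want any of it... nginx, php-fpm and SSL are all I need!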
Tags: nginx
Misc | Comments: 0 | Views: 6562
Submitted by gouki on 2019, January 21, 10:14 PM
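The combination in the title. When coding locally it's inconvenient to set up SSL, since most browsers no longer accept self-signed certificates. And WeChat development (mini programs), apps and so on now only accept SSL. Hence using frp to tunnel SSL through.
I'll keep the steps brief and not go into detail.
If you don't need to tunnel into an internal network, nginx + acme.sh is all it takes; nginx just needs a bit of configuration (remember that a wildcard domain uses fullchain.cer, while an ordinary single domain uses xxx.domain.cer).
If you do need to tunnel into an internal network, the steps in brief:
1. frps -> set vhost_http_port (assumed to be 8888 here), then manage frp with supervisor (so frp is restarted if it crashes) [or use systemd, whichever you prefer]
2. Configure nginx: set server_name to *.app.neatstudio.com (using app.neatstudio.com as the example), and have proxy_pass use an upstream that points to the vhost_http_port set above, e.g.: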
    upstream app.neatstudio.com {
        # frps vhost_http_port on the same host
        server 127.0.0.1:8888;
    }

    server {
        listen 80;
        server_name *.app.neatstudio.com;

        # TLS is enabled by the ssl flag on this listener; the deprecated
        # "ssl on;" directive would also force TLS on the port 80 listener
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/*.app.neatstudio.com.fullchain.cer;
        ssl_certificate_key /etc/nginx/ssl/*.app.neatstudio.com.key;

        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;

        ssl_prefer_server_ciphers on;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); 3DES suites are left out (Sweet32)
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

        # turn on the OCSP Stapling and verify
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/*.app.neatstudio.com.fullchain.cer;

        add_header Strict-Transport-Security "max-age=31536000";

        location / {
            # forward to frps; proxy_params carries the proxy headers
            proxy_pass http://app.neatstudio.com;
            include /etc/nginx/proxy_params;
        }
    }
3. Install frpc locally (or on any machine you want to serve over https) and just set subdomain, e.g.:
    [test.app.ns.com]
    type = http
    # port of the local web server to expose
    local_port = 80
    # served as test.<subdomain_host set on frps>
    subdomain = test
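That's it. Why name the section in [] test.app.ns.com? Because... no two [] section names in the frp client may be the same (keep this in mind).
Then it's all done (I use mac + MAMP, which makes managing domains even easier).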
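An added example, not part of the original post: a small Python lint for a server block like the one in step 2, reporting TLS settings that weaken the proxy (the legacy `ssl on;` directive next to a plain-HTTP listener, protocols older than TLS 1.2, 3DES/RC4 cipher entries, missing HSTS). The sample configurations and the `directives` and `audit` names are constructed for illustration.

```python
import re

# Constructed samples modelled on the step 2 server block (not the author's files).
WEAK_CONF = """
server {
    listen 80;
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:ECDH+3DES:RSA+3DES:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=31536000";
}
"""
FIXED_CONF = WEAK_CONF.replace("    ssl on;\n", "").replace(
    "TLSv1 TLSv1.1 ", "").replace("ECDH+3DES:RSA+3DES:", "")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER = re.compile(r"3DES|RC4|NULL|MD5|EXPORT")

def directives(conf):
    """Map directive name -> list of argument strings (one-line directives only)."""
    found = {}
    for raw in conf.splitlines():
        m = re.match(r"\s*([a-z_]+)\s+([^#]*?)\s*;", raw)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def audit(conf):
    d = directives(conf)
    listens = [l.split() for l in d.get("listen", [])]
    findings = []
    # "ssl on;" applies to every listener in the server block, port 80 included.
    if "on" in d.get("ssl", []) and any("ssl" not in l for l in listens):
        findings.append("ssl-on-with-plain-listener")
    old = [p for a in d.get("ssl_protocols", []) for p in a.split()
           if p in LEGACY_PROTOCOLS]
    if old:
        findings.append("legacy-protocols:" + ",".join(old))
    weak = [c for a in d.get("ssl_ciphers", []) for c in a.split(":")
            if not c.startswith("!") and WEAK_CIPHER.search(c)]
    if weak:
        findings.append("weak-ciphers:" + ",".join(weak))
    hsts = any("Strict-Transport-Security" in a for a in d.get("add_header", []))
    if any("ssl" in l for l in listens) and not hsts:
        findings.append("no-hsts")
    return findings

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(FIXED_CONF))
```

The parser only understands one-line directives, so run it on a single server block rather than a config that relies on `include` files.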
Tags: frp, acme.sh, nginx, mamp
Linux | Comments: 1 | Views: 12753
Submitted by gouki on 2017, August 7, 10:53 AM
After putting nginx (proxy) in front of Apache, submitting data occasionally fails with: upstream sent too big header while reading response header from upstream. This is fairly easy to fix.
Edit the proxy_params file and add:
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
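After the change, run nginx -s reload and it's fixed.
If it still isn't fixed, increase the numbers.
On Stack Overflow, someone also suggested that for long-lived connections you should set proxy_buffering off. Reference: https://stackoverflow.com/questions/23844761/upstream-sent-too-big-header-while-reading-response-header-from-upstream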
Tags: nginx, proxy, upstream
Linux | Comments: 0 | Views: 16528
Submitted by gouki on 2013, September 3, 11:13 PM
Someone asked on Stack Overflow:
http://stackoverflow.com/questions/17776584/webserver-for-go-golang-webservices-using-nginx-or-not
> I am writing some webservices returning JSON data, which have lots of users.
> Would you recommend to use NGINX as a webserver or it is good enough to use the standard http server of Go?

Someone answered:

> It depends.
>
> Out of the box, putting nginx in front as a reverse proxy is going to give you:
>
> - Access logs
> - Error logs
> - Easy SSL termination
> - SPDY support
> - gzip support
> - Easy ways to set HTTP headers for certain routes in a couple of lines
> - Very fast static asset serving (if you're serving off S3/etc. though, this isn't that relevant)
>
> The Go HTTP server is very good, but you will need to reinvent the wheel to do some of these things (which is fine: it's not meant to be everything to everyone).
>
> I've always found it easier to put nginx in front—which is what it is good at—and let it do the "web server" stuff. My Go application does the application stuff, and only the bare minimum of headers/etc. that it needs to. Don't look at putting nginx in front as a "bad" thing.

Someone else answered:

> The standard http server of Go is fine. If your application mostly/only are "dynamic" requests/responses, then it's really the best way.
>
> You could use nginx to serve static assets, but most likely the standard Go one is fine for that, too. If you need higher performance you should just use a CDN or cache as much as you can with Varnish (for example).
>
> If you need to serve different applications off the same IP address, nginx is a fine choice for a proxy to distribute requests between the different applications; though I'd more often get Varnish or HAProxy out of the toolbox for that sort of thing.

So what do you think this time? Would you still use nginx, or just use Go as the HTTP server?
Tags: nginx, go
Go | Comments: 0 | Views: 20062
Submitted by gouki on 2013, April 17, 8:52 PM
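Sometimes the DNS a server uses isn't the one I want; some DNS servers are slow, resolve even more slowly, and are slow to update. That's when I want to switch to a faster DNS.
The first thing I thought of changing was resolv.conf, adding nameserver 114.114.114.114 to it. But when I looked again a while after the change, the file was empty again. I looked it up, and it turns out you can't do it that way...
Edit /etc/network/interfaces directly and add: dns-nameservers 114.114.114.114 8.8.8.8
Note that it starts with dns and is plural. Then restart networking and you're done.
Reference: http://blog.jsdan.com/3743
Since that is a Taiwanese site, if it won't open, see this PDF: [ubuntu] 修改 resolv.pdf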
Tags: nginx, resolv
Linux | Comments: 1 | Views: 16381