Preface

Why build a personal blog? Partly because third-party platforms keep taking articles down, and partly to get hands-on with the whole process of standing up a site. With your own blog you can publish freely without worrying about removals, and you get to practise SEO and day-to-day operations, both of which help your technical growth.

This article records the process of taking the site from zero to one; I hope you can build your own site based on it. If you have any questions, let's discuss them together.

Let's get started.

Environment introduction

Resource          Notes
CentOS            server OS (version not stated; the Docker install link below targets CentOS 7.2)
Docker            rapid deployment of the project environment
Nginx             reverse proxy; terminates HTTPS with the certificate
Halo              v1.4.2, open-source blog project
Let's Encrypt     free certificates for HTTPS

Result demonstration

(Screenshot of the finished blog; not reproduced here.)

Installing the prerequisite environment

Docker installation

See the blogger's previous article: CentOS 7.2: installing Docker, MySQL and Redis.

Halo installation

Prepare the Halo configuration file

# download the configuration template into /home/halo/.halo/ (the directory is created if missing)
curl -o /home/halo/.halo/application.yaml --create-dirs https://dl.halo.run/config/application-template.yaml

Modify the configuration file to switch the database from the default H2 to MySQL (optional)

In application.yaml, switch the datasource section from H2 to MySQL: the JDBC URL should point at the MySQL container's IP and the halodb database, with the matching username and password. Create the halodb database in MySQL before starting Halo. Bear in mind that a container's bridge IP can change when the container is recreated, so re-check it after a rebuild (or put both containers on a user-defined Docker network and use the container name instead of an IP).

# look up the MySQL container's IP; replace "mysql" with your MySQL container's name or id
docker inspect --format='{{.NetworkSettings.IPAddress}}' mysql

Revised configuration (screenshot not reproduced).

Download and install Halo

# pull the image
docker pull ruibaby/halo
# run halo
#   -p 8090:8090                      maps port 8090 on the host to 8090 in the container
#   -v /home/halo/.halo:/root/.halo   mounts the configuration directory we populated on the host
# note: --rm deletes the container when it exits, so a crashed Halo leaves no `docker logs` to read; drop it while debugging
docker run --rm -it -d --name halo -p 8090:8090 -v /home/halo/.halo:/root/.halo ruibaby/halo
# check the container status to confirm Halo started; if it did not, check the database connection first
docker ps
# open 8090 on the firewall so the nginx container (next step) can reach Halo through the host IP, then reload to apply.
# This also exposes plain-HTTP Halo to anything the cloud security group lets through, so keep 8090 closed
# in the security group (or limit this rule to the Docker bridge subnet) and reach Halo only through nginx.
firewall-cmd --permanent --add-port=8090/tcp
firewall-cmd --reload

When everything is normal, docker ps lists the halo container as Up (screenshot not reproduced).

Halo is now listening on port 8090 on the host. It may still be unreachable from outside (the cloud security group usually has to allow the port), and in any case 8090 is not how visitors should reach it: the site should be served on 80 and 443 through a reverse proxy, so next we configure Nginx.

Nginx installation

# start a stock nginx container once, only to copy its default configuration out to /home/nginx
docker run -p 80:80 --name nginx -d nginx
docker container cp nginx:/etc/nginx /home/nginx
docker stop nginx
docker rm nginx

# edit /home/nginx/conf.d/default.conf: replace the default static site
#     location / { root /usr/share/nginx/html; index index.html index.htm; }
# with a proxy to Halo; 10.0.2.5 is the host's own IP (not 127.0.0.1, which inside the nginx container is the container itself)
#     location / { proxy_pass http://10.0.2.5:8090; }

# recreate nginx with our configuration and log directory mounted
docker run -p 80:80 --name nginx \
  -v /home/nginx/logs:/var/log/nginx \
  -v /home/nginx/nginx.conf:/etc/nginx/nginx.conf \
  -v /home/nginx/conf.d:/etc/nginx/conf.d \
  -d nginx

# open port 80 on the firewall; on a cloud host, also allow 80 in the instance's security group
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

Halo is now reachable via the host's IP address. If it is not, first make sure Halo started successfully, then check that the Nginx configuration is correct, and finally check the firewall and the security group.
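Once Nginx is in front, the host's public interface should be listening on nothing but 22, 80 and (later) 443; Halo on 8090 and a MySQL container published with -p are the usual leaks. The script below is an added example, not part of the original post: it parses `ss -ltn` output and reports every listener bound to a non-loopback address whose port is not on an allow list. The sample ss output is constructed to mirror this setup, and the function name is mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list sockets reachable from
# outside the host that are not on the allow list.  Typical use on the blog
# host after the steps above:
#   unexpected_public_listeners "$(ss -Hltn)" "22 80 443"
# Ports Docker publishes with -p appear here as 0.0.0.0:<port> (docker-proxy);
# ports reachable only through iptables DNAT do not, so cross-check `docker ps`.

# $1: output of `ss -ltn` (header optional), $2: space-separated allowed ports.
# Prints addr:port for each listener bound to a non-loopback address whose
# port is not allowed.  Exit status 0 when nothing is printed, 1 otherwise.
unexpected_public_listeners() {
    local ss_out=$1 allowed=" $2 "
    printf '%s\n' "$ss_out" | awk -v allowed="$allowed" '
        $1 == "LISTEN" {
            la = $4                                   # "Local Address:Port" column
            n = split(la, parts, ":")
            port = parts[n]                           # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
            if (index(allowed, " " port " ") == 0) { print addr ":" port; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample of `ss -Hltn` on the blog host: sshd, nginx on 80/443,
# Halo published on all interfaces (8090), a MySQL container published on all
# interfaces (3306) and Redis bound to loopback.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 4096 0.0.0.0:8090 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 80 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'

if [ "${1:-}" = "--live" ]; then
    unexpected_public_listeners "$(ss -Hltn)" "22 80 443" \
        || echo "listeners above are exposed; close the port or bind to the Docker bridge/loopback" >&2
else
    unexpected_public_listeners "$SS_SAMPLE" "22 80 443" \
        || echo "sample: the two listeners above would be exposed" >&2
fi
```

Run it with `--live` on the host itself; without arguments it evaluates the constructed sample. A listener only becomes "safe" by being bound to loopback or removed, not by being absent from the firewall, because the cloud security group and firewalld rules can be changed independently of what is listening.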

Domain name and ICP filing

So far Halo is only reachable by IP; with a domain name we can reach it by name. First register a domain, then (for a server hosted in mainland China) complete the ICP filing (备案). Notes on filing:

1. If you work away from your registered home town, it is recommended to file under your home location and have a family member's phone number to hand; filing elsewhere requires a temporary residence permit and more paperwork.
2. Filing through Alibaba Cloud takes about a week; after you submit, someone will usually call to confirm your information, and the process then proceeds step by step.

Configure HTTPS

Certificates usually have to be bought, but some platforms provide free ones. Alibaba Cloud offers a one-year free certificate, but it is valid for a single domain name only; a wildcard certificate costs money. Let's Encrypt issues free certificates and supports wildcards, which makes it ideal for individual developers.

We issue the certificate with certbot, using a DNS-01 challenge because wildcard names can only be validated through DNS. The automated variant further down pulls a helper script from GitHub, so install git and certbot first.

Install git

yum install git

Install certbot

# certbot ships in the EPEL repository
yum install epel-release
yum install certbot

Apply for the certificate

The host needs ports 80 and 443 open to serve the site over HTTPS; 80 is already open, so open 443 now. (The DNS-01 challenge used below is validated through a TXT record, so neither port is needed for the validation itself.)

# configure the firewall
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

Important: Let's Encrypt rate-limits issuance and failed validations, so add --dry-run first. A dry run is performed against the staging environment and does not consume production limits; once it succeeds, repeat the same command without --dry-run.

Manual certificate issuance + manual renewal

# dry run: wildcard plus apex name, validated by DNS-01, against the ACME v2 endpoint
certbot certonly --email <your-email>@qq.com -d '*.<domain>.cn' -d <domain>.cn --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --dry-run
# real issuance
certbot certonly --email <your-email>@qq.com -d '*.<domain>.cn' -d <domain>.cn --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
# manual renewal: `certbot renew` runs non-interactively and refuses to drive the manual plugin
# without an auth hook, so re-run the certonly command above before the certificate expires

During issuance certbot asks you to confirm a few prompts. The key steps of the manual flow: certbot prints a TXT value for _acme-challenge.<domain>.cn; create that record in your DNS console (one value for each of the two names, both under the same record name), wait for it to propagate, then press Enter. (Screenshots of the prompts and of the success message are not reproduced.)

Note: the certificate expires after 90 days. Renewing manually is a chore, since every time you have to create the TXT records in the DNS console again, so the automatic method below is recommended.

Generate certificates + automatic renewal through an API key and secret

First obtain an API key and secret (see Alibaba Cloud's official documentation on creating an AccessKey). This method uses the key you create to call the Alibaba Cloud DNS API, so for safety use a dedicated user with as little permission as possible rather than the account's root key.

Process:
1. For security, create a RAM user and give it low permissions.
2. Grant the new user AliyunDNSFullAccess; that is what the helper script needs to add and delete TXT records. It is still write access to every zone in the account, so treat the key as a secret that lives only on this host.
3. Obtain the user's AccessKey ID and AccessKey Secret.

# create a working directory and fetch the helper script
mkdir /home/certbot
cd /home/certbot
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
cd certbot-letencrypt-wildcardcertificates-alydns-au
# the original used chmod 0777; the script will hold your API credentials and run from root's cron,
# so make it readable and executable by root only
chmod 0700 au.sh
# fill in the Alibaba Cloud AccessKey ID and AccessKey Secret
# (how to apply: https://help.aliyun.com/knowledge_detail/38738.html), i.e. set ALY_KEY="" and ALY_TOKEN="" in the file
vi au.sh

# the script directory is /home/certbot/certbot-letencrypt-wildcardcertificates-alydns-au; dry run first
certbot certonly -d '*.yangwq.cn' -d yangwq.cn --manual --preferred-challenges dns-01 --email [email protected] \
  --manual-auth-hook "/home/certbot/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" \
  --manual-cleanup-hook "/home/certbot/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean" \
  --dry-run
# then run the same command without --dry-run for the real certificate

# automatic renewal: add this line to /etc/crontab (every Sunday at 00:00). certbot only renews
# certificates within 30 days of expiry, and restarts nginx after a successful renewal
0 0 * * 0 root certbot renew --manual --preferred-challenges dns --deploy-hook "docker restart nginx" --manual-auth-hook "/home/certbot/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "/home/certbot/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean" --manual-public-ip-logging-ok

The certificate is now issued and stored under /etc/letsencrypt/live/yangwq.cn/. Note that the files there are symbolic links; the real files are in /etc/letsencrypt/archive/yangwq.cn/ with a numeric suffix (fullchain1.pem, privkey1.pem, ...) that grows at every renewal, while the links in live/ always move to the newest set.
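Two things are worth checking before the cron job and Nginx are trusted with this setup: the hook script now holds a DNS API key and runs from root's crontab, and whatever Nginx loads must follow the live/ links rather than a numbered archive/ file. The script below is an added example, not part of the original post or of the au.sh project: it verifies that the hook file is owned by the expected user with no group or world permissions, and that live/fullchain.pem resolves to the newest archive/fullchainN.pem. The certbot directory layout it relies on is the real one; paths are passed as arguments so the checks also run against a scratch directory, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for the
# certbot setup above.  Function names are mine; the certbot layout is real:
#   live/<name>/fullchain.pem -> ../../archive/<name>/fullchainN.pem
#   archive/<name>/fullchainN.pem, with N incremented at every renewal.

# Hook scripts hold the DNS API key and run from root's crontab, so they must
# be owned by the expected uid (root in production) and carry no group/world
# bits at all.  $1: file, $2: expected uid (default 0).
hook_perms_ok() {
    local f=$1 want_uid=${2:-0} mode owner
    mode=$(stat -c '%a' "$f") || return 2
    owner=$(stat -c '%u' "$f") || return 2
    [ "$owner" = "$want_uid" ] && [ $((0$mode & 077)) -eq 0 ]
}

# Highest N among archive/<name>/fullchainN.pem, i.e. the newest issuance.
# Fails (no output) when the directory holds no certificate at all.
newest_archive_version() {
    ls "$1"/fullchain*.pem 2>/dev/null \
        | sed 's/.*fullchain\([0-9]*\)\.pem$/\1/' \
        | sort -n | tail -n 1 | grep .
}

# N that live/<name>/fullchain.pem currently resolves to (what nginx loads).
live_version() {
    local target n
    target=$(readlink -f "$1/fullchain.pem") && [ -e "$target" ] || return 1
    n=${target##*/fullchain}
    echo "${n%.pem}"
}

# Succeeds only when live/ points at the newest archive file.  A config that
# references archive/<name>/fullchain1.pem directly is the failure this is
# meant to catch: renewal writes fullchain2.pem and moves the symlink, but the
# hard-coded path keeps serving the expiring certificate.
# $1: live/<name> directory, $2: archive/<name> directory.
lineage_is_current() {
    local live newest
    live=$(live_version "$1") || return 2
    newest=$(newest_archive_version "$2") || return 2
    [ "$live" = "$newest" ]
}

# Days until the leaf certificate in $1 expires (needs openssl and GNU date).
cert_days_left() {
    local end
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 2
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Production run, as root, against the post's paths:
#   hook_perms_ok /home/certbot/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh \
#       || echo "au.sh: fix owner and mode (chown root, chmod 0700)"
#   lineage_is_current /etc/letsencrypt/live/yangwq.cn /etc/letsencrypt/archive/yangwq.cn \
#       || echo "live/ is stale or missing: renewal did not move the symlink"
#   cert_days_left /etc/letsencrypt/live/yangwq.cn/fullchain.pem
```

A sensible place for these calls is the cron job's --deploy-hook, ahead of the nginx restart: a renewal that produced a certificate nobody serves is indistinguishable from no renewal at all until the old one expires.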

Nginx installs the certificate

Edit /home/nginx/conf.d/default.conf as follows. Replace yangwq.cn with your own domain wherever it appears (the certificate paths contain it). The proxy_pass address must be the host's own IP, not 127.0.0.1: Nginx runs inside a container, where 127.0.0.1 is the container itself; use ip addr to find the host IP. Two corrections to the configuration as originally posted: the certificate paths reference live/ rather than archive/fullchain1.pem, because certbot numbers every renewal (fullchain2.pem, ...) and moves the live/ links, so a hard-coded archive path keeps serving the old certificate after the cron job renews it; and the proxied port is 8090, the port Halo was started on.

server {
    listen 80 default;
    server_name yangwq.cn;
    # send every plain-HTTP request to HTTPS
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name yangwq.cn;

    # certificate chain and private key; live/ always points at the newest issuance
    ssl_certificate /etc/letsencrypt/live/yangwq.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yangwq.cn/privkey.pem;

    # cipher list as posted (the Mozilla "intermediate" list of its day). The 3DES (DES-CBC3)
    # and non-ECDHE suites at the end exist only for very old clients; drop them if nothing
    # you care about still needs them.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # protocol versions: SSLv2/SSLv3 are unsafe, and the original also enabled TLSv1 and TLSv1.1,
    # which are deprecated (RFC 8996); the nginx image supports TLS 1.3, so offer 1.2 and 1.3 only.
    # (Only IE6 depends on SSLv2/SSLv3 and it is not supported here.)
    ssl_protocols TLSv1.2 TLSv1.3;

    # session resumption cache
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # session tickets are switched off for now (nginx 1.5.9+); see https://imququ.com/post/optimize-tls-handshake.html
    ssl_session_tickets off;

    # OCSP stapling (nginx 1.3.7+). The browser may otherwise check the certificate's revocation
    # status online during the TLS handshake, which blocks the handshake and slows everything down.
    # With stapling the server fetches the CA's OCSP response itself and sends it along with the
    # certificate chain, so the browser skips the online query: the server generally has the better
    # network path to the CA, and the response is cached and reused across many connections.
    # See https://imququ.com/post/my-nginx-conf-for-wpo.html
    ssl_stapling on;
    ssl_stapling_verify on;
    # intermediate and root certificates used to verify the stapled response
    ssl_trusted_certificate /etc/letsencrypt/live/yangwq.cn/fullchain.pem;

    # HSTS tells the browser to use HTTPS for this domain for max-age seconds, even if the user
    # types an http:// address or follows an http:// link: the browser rewrites the request to
    # HTTPS locally. See https://imququ.com/post/sth-about-switch-to-https.html
    # 60 seconds is a test value; raise it once HTTPS is confirmed to work, because browsers will
    # refuse plain HTTP for the whole max-age and it cannot be undone quickly.
    add_header Strict-Transport-Security max-age=60;

    # forward to Halo on the host; 171.11.3.13 is the host's IP (ip addr), 8090 the port Halo was started on
    location / {
        proxy_pass http://171.11.3.13:8090;
    }

    error_page 500 502 503 504 /50x.html;
    # serve the error page from nginx's own html directory
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

# recreate the nginx container so it can read the certificates: mount all of /etc/letsencrypt
# (the live/ links are relative and resolve into archive/), read-only, and publish 443 as well
docker stop nginx
docker rm nginx
docker run -p 80:80 -p 443:443 --name nginx \
  -v /home/nginx/logs:/var/log/nginx \
  -v /home/nginx/nginx.conf:/etc/nginx/nginx.conf \
  -v /home/nginx/conf.d:/etc/nginx/conf.d \
  -v /etc/letsencrypt:/etc/letsencrypt:ro \
  -d nginx

At this point the project is reachable through the HTTPS domain name, and because the certificate is a wildcard we can also point a subdomain at it (also over HTTPS).

Conclusion

During the actual deployment the blogger ran into many problems, such as the project being unreachable, the HTTPS certificate failing and the subdomain not taking effect. This article is the procedure that came out of that practice. If you hit a problem, leave a comment below and we can work it out together. The next article will cover publishing the Halo project automatically with a Jenkins pipeline, and using subdomains.

Source: author yangyqonly, CSDN, blog.csdn.net/a52233014/article/details/111087121