问题跟我想的一样,是因为加密的方式被拒绝导致的
解决方式,在nginx.conf中设置
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on;
参考下面的文章
https://imququ.com/post/why-tls-handshake-failed-with-http2-enabled.html
首先,通过下面的命令安装git和gitolite
apt-get install git-core apt-get install gitolite
添加git用户组
adduser --system --group --shell /bin/bash --disabled-password git
接下来在本地机器生成ssh密钥,使用下面的命令
ssh-keygen -t rsa -C "[email protected]"
当然,如果你想为你的gitolite分配单独的密钥,可以使用下面的命令(生成名为git-admin的密钥)
ssh-keygen -C "[email protected]" -f ~/.ssh/git-admin
如果你使用了单独分配的密钥,你需要配置你的git在连接指定域名时使用不同的密钥,比如我们这里gitolite的管理域名是admin.xxx.com 。我们在刚才的.ssh文件夹新建config 文件(没有扩展名),内容如下
Host admin.xxx.com IdentityFile ~/.ssh/git-admin
这样就可以在连接admin.xxx.com的时候使用git-admin这组密钥了
下一步,将你的ssh公钥上传到服务器的某个位置,比如/tmp/git-admin.pub
然后切换到git用户,使用这个公钥初始化gitolite
su - git gl-setup /tmp/git-admin.pub
然后在持有私钥的机器管理gitolite即可,下面是clone命令,注意修改ip地址
git clone git@git_server_IP_address:gitolite-admin
关于gitolite的官方文档在这里:http://gitolite.com/gitolite/gitolite.html
然后关于配置自动部署,首先我需要部署的网站目录权限为www-data:www-data
我把git用户添加到了www-data组中,通过后面权限设置为770保证网站和git都有足够的权限操作文件。使用下面的命令
usermod -a -G www-data git
然后网站目录,比如创建/home/nginx/xxx ,我们要把这个目录的用户组改成www-data并给予770权限,这样以后我们的git用户才能操作
然后我们切换到git用户,在/home/nginx/xxx 目录克隆本地库,使用下面的命令。注意clone后面最后有一个参数.
su - git git clone ~/repositories/xxx.git .
这样网站目录就初始化完成了,我们继续下面的操作(还是git用户的身份)
钩子文件创建在项目库的hooks文件夹~/repositories/xxx.git/hooks ,新建post-receive 文件,复制粘贴下面的内容,最后别忘了给予本脚本执行权限。就可以退出git用户身份了
#!/bin/bash while read oldrev newrev ref do branch=`echo $ref | cut -d/ -f3` echo "--- Current branch is : "$branch if [ "master" == "$branch" ]; then unset GIT_DIR NowPath=`pwd` echo "--- Now path is :"$NowPath DeployPath="/home/nginx/xxx" echo "--- Deploy path is :"$DeployPath cd $DeployPath echo "--- Go to deploy path" git add -A && git fetch origin && git reset --hard origin/master chmod -f -R 770 * chown -f -R git:www-data * echo "--- Deploy done" cd $NowPath echo "--- Fine" fi done exit 0
解释一下:
首先我们循环读取所有push的请求,当发现是push到master(也就是我们的部署分支)时,触发部署脚本,首先要清楚GIT_DIR环境变量,这样才能切换工作目录。然后我们切换到nginx的网站目录,使用git add -A && git fetch origin && git reset –hard origin/master 强制清除本地变化并更新到远程master分支。如果有网站自动生成的文件(比如用户上传的附件目录)不想被清空的,别忘了要写在.gitignore 文件里。当然网站生成的文件请确保权限在770以上,否则可能会导致git无权操作。在更新完远程master分支的代码后,更新文件权限为770,并将所有者改成www-data组(chmod使用末尾的*可以确保不会修改网站目录下.git这个隐藏目录内部的权限,同时-f用来屏蔽错误信息)
在编写本篇文章的时候感谢下面这位非常热心的博主解答我好多问题
https://argcv.com/articles/2078.c
不完全卸载可能会导致配置文件无法创建,或/etc/nginx下只有几个文件夹的问题
sudo apt-get --purge remove nginx sudo apt-get autoremove sudo apt-get --purge remove nginx-common
从这个版本以后,使用下面的配置使得Nginx支持ThinkPHP
server {
listen 80;
server_name xxx.dev.onlyke.com;
index index.html index.htm index.php;
root /home/nginx/xxx;
location ~ .*\.(gif|jpg|jpeg|png|bmp|ico|webp)$
{
expires 30d;
}
location ~ .*\.(woff|ttf|svg|otf|eot)$
{
expires 180d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location /
{
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php/$1 last;
break;
}
}
location ~ \.php($|/)
{
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include fastcgi_params;
}
}
#有的vps需要解决php源乱码的问题 sudo apt-get install -y language-pack-en-base vi /etc/profile export LANG=en_US.UTF-8 export LC_ALL=en_US.UTF-8 source /etc/profile #解决php源乱码的问题 ending #安装add-apt-repository apt-get install software-properties-common #安装nodejs源 curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash - #新版本Ubuntu16.04默认支持openssl 1.0.2h add-apt-repository ppa:nginx/stable #老版本Ubuntu 14.04建议使用 PPA for NGINX with HTTP/2 on Ubuntu 12.04 LTS and higher,使用下面的源可以同时升级openssl,可以开启http2 #https://launchpad.net/~ondrej/+archive/ubuntu/nginx/ add-apt-repository ppa:ondrej/nginx #下面安装php7 mysql5.7源 add-apt-repository ppa:ondrej/php add-apt-repository ppa:ondrej/mysql-5.7 apt-get update apt-get install nodejs openssl nginx mysql-server php7.3 php7.3-gd php7.3-mbstring php7.3-xml php7.3-zip php7.3-curl php7.3-fpm php7.3-mysql php7.3-bcmath php7.3-dev #查看openssl版本 openssl version
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
client_max_body_size 2m;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png font/ttf font/otf image/svg+xml;
gzip_vary on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
server_tokens off;
proxy_hide_header X-Powered-By;
server {
listen 80 default_server;
server_name _;
return 403;
}
server {
listen 443 ssl http2 default_server;
server_name _;
ssl on;
ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem;
return 403;
}
#PHP Prohibit cross-Hosting fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/";
server {
listen 80;
server_name xxxx;
root /home/nginx/xxxx;
index index.html index.htm index.php;
location ~ .*\.(gif|jpg|jpeg|png|bmp)$
{
expires 30d;
}
location ~ .*\.(woff|ttf|svg)$
{
expires 180d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location /
{
try_files $uri $uri/ =404;
}
}
server {
listen 80;
server_name xxxx;
index index.php index.html index.htm;
root /home/nginx/xxx;
location ~ .*\.(gif|jpg|jpeg|png|bmp)$
{
expires 30d;
}
location ~ .*\.(woff|ttf|svg)$
{
expires 180d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ \.php($|/)
{
try_files $uri = 404;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
#确认php.ini中的如下配置,其实默认已经为1,当框架出现问题时可以来检查一下 cgi.fix_pathinfo = 1
server {
listen 80;
server_name xxxx;
index index.html index.htm index.php;
root /home/nginx/xxxx;
location ~ .*\.(gif|jpg|jpeg|png|bmp|ico|webp)$
{
expires 30d;
}
location ~ .*\.(woff|ttf|svg|otf|eot)$
{
expires 180d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ^~ /.svn
{
deny all;
}
location ^~ /.git
{
deny all;
}
location /
{
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php/$1 last;
break;
}
}
location ~ \.php($|/)
{
fastcgi_split_path_info ^((?U).+.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 443 ssl http2;
server_name xxx;
index index.html index.htm index.php;
root /home/nginx/xxx;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_session_tickets on;
ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem;
location ~ .*\.(gif|jpg|jpeg|png|bmp|ico|webp)$
{
expires 30d;
}
location ~ .*\.(woff|ttf|svg|otf|eot)$
{
expires 180d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ^~ /.svn
{
deny all;
}
location ^~ /.git
{
deny all;
}
location /
{
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php/$1 last;
break;
}
}
location ~ \.php($|/)
{
fastcgi_split_path_info ^((?U).+.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
打开nginx,conf,在http { 内添加如下内容
gzip on; gzip_min_length 1k; gzip_buffers 4 16k; gzip_comp_level 2; gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png font/ttf font/otf image/svg+xml; gzip_vary on;
决定是否开启gzip模块
Param: on|off
Example: gzip on;
设置gzip申请内存的大小,其作用是按块大小的倍数申请内存空间
Param1: int
Param2: int(k) 后面单位是k
Example: gzip_buffers 4 8k;
设置gzip压缩等级,等级越底压缩速度越快文件压缩比越小,反之速度越慢文件压缩比越大
Param: 1-9
Example: gzip_com_level 1;
当返回内容大于此值时才会使用gzip进行压缩,以K为单位,当值为0时,所有页面都进行压缩
Param: int
Example: gzip_min_length 1000;
用于识别http协议的版本,早期的浏览器不支持gzip压缩,用户会看到乱码,所以为了支持前期版本加了此选项,目前此项基本可以忽略
Param: 1.0|1.1
Example: gzip_http_version 1.0
Nginx做为反向代理的时候启用,
设置需要压缩的MIME类型,非设置值不进行压缩
搭建环境:
Nginx-1.8.0,安装目录:/usr/local/nginx
PHP-7.0,虚拟主机目录在/home/vhosts/
首先,我们进入虚拟主机目录,新建一个wordpress目录,下载wordpress并解压
cd /home/vhosts/ mkdir wordpress cd wordpress wget https://cn.wordpress.org/wordpress-4.4-zh_CN.zip unzip wordpress-4.4-zh_CN.zip
然后我们把wordpress解压文件夹里面的文件移动到外面来,删除刚才下载的压缩包和wordpress-4.4-zh_CN.zip
mv wordpress/* ./ rm -rf wordpress*
然后我们把wordpress文件夹的权限和所有者更改一下(当前目录还为/home/vhosts/wordpress )
这里演示的是Nginx和php-fpm的用户和用户组均为nginx
chmod -R 755 ./ chown -R nginx.nginx ./
然后,我们到Nginx的安装目录,到你虚拟主机的配置文件目录中增加一份配置(这里我新建了一个专门的目录来放虚拟主机配置文件,在/usr/local/nginx/vhosts 下)
cd /usr/local/nginx/vhosts vi wordpress.conf
把下面的配置文件内容粘贴进去(用Windows的注意下回车和编码)
注意,其中的root目录为你wordpress虚拟主机的目录
server_name为监听的域名,这里用www.yourdomain.com做演示
server {
listen 80;
server_name www.yourdomain.com;
index index.html index.htm index.php;
root /home/vhosts/wordpress;
location ~ .*\.(gif|jpg|jpeg|png|bmp|ico|webp)$
{
expires 30d;
}
location ~ .*\.(woff|ttf|svg|otf|eot)$
{
expires 180d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location /
{
#支持wordpress的rewrite
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php/$1 last;
break;
}
}
location ~ \.php($|/)
{
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
接着按下Esc,输入:wq 退出vi
然后我们进入mysql
mysql -u root -p
输入你的密码之后,创建wordpress数据库
create database wordpress;
接着创建一个wordpress数据库的帐号,账号名为wp,密码为123456(修改成你自己的)
grant all privileges on wordpress.* to wp@localhost identified by '123456';
然后我们重载入nginx
service nginx reload
现在,访问www.yourdomain.com,用刚才创建的数据库用户名和密码安装wordpress吧
目前Let’s Encrypt在Windows XP下总共遇到了两种问题
第一种是因为不支持SNI,SNI允许HTTPS在握手的时候发送主机名,从而使得每个虚拟主机可以根据域名配置不同的证书,如下图所示
第二种,可能是因为交叉信任的原因,导致的是证书不信任,但是名称正确
总之,还是淘汰XP系统吧