| title | date | updated | tags | categories | permalink |
|---|---|---|---|---|---|
| The PUJI Introduction to NGINX ver.2019.11 | 2019-10-28 15:51:24 -0700 | 2023-04-09 08:42:59 -0700 | | Tech | The-PUJI-Introduction-to-NGINX-ver-2019-11/ |
The previous version was written right after my first round of elective exams went well, and it ate up a great many tech-class periods, lunch breaks, dinners, self-study sessions, weekends and holidays. A long time has passed since then; judging from the kernel version it mentions (only 4.18), it was probably written while slacking off before my first English exam (facepalm). A lot has happened since (for one, I am no longer a happy high-school student but a loser who passed the gaokao), and every major piece of software has gone through many releases. Because the content differs quite a bit, I started a fresh post and took the chance to finish a few things I had planned long ago but kept putting off. Some reasons and details already covered in the previous post are omitted, and techniques that have become outdated are dropped.
```bash
# Install the required tools
apt install build-essential libpcre3 libpcre3-dev zlib1g-dev unzip git autoconf libtool automake
# Create the build directory
mkdir build_ngx && cd build_ngx
# https://zhuanlan.zhihu.com/p/62682475, the new kernel AIO implementation
wget https://github.com/axboe/liburing/archive/liburing-2.3.zip
unzip liburing-2.3.zip
cd liburing-liburing-2.3/
./configure
make && make install # https://www.livelu.com/201908360.html
cd ..
# brotli
git clone --recursive https://github.com/google/ngx_brotli.git
# patches
git clone https://github.com/kn007/patch.git
git clone https://github.com/hakasenyang/openssl-patch # thanks to kn007, CarterLi and hakasenyang
# OpenSSL
wget -O openssl.tar.gz -c https://www.openssl.org/source/openssl-3.1.0.tar.gz
tar zxf openssl.tar.gz
mv openssl-3.1.0/ openssl
# nginx
wget -c https://nginx.org/download/nginx-1.23.4.tar.gz
tar zxf nginx-1.23.4.tar.gz
# patch
cd nginx-1.23.4
patch -p1 < ../patch/nginx.patch
patch -p1 < ../openssl-patch/nginx_io_uring.patch # https://github.com/hakasenyang/openssl-patch/pull/22
# make
./configure --with-cc-opt='-m64 -O3 -DTCP_FASTOPEN=23 -ffast-math -march=native -flto -fuse-ld=gold' --add-module=../ngx_brotli --with-openssl=../openssl --with-openssl-opt='no-ssl no-ssl3 no-tls1 no-tls1_1 no-tls1_2 no-ssl3-method no-tls1-method no-tls1_1-method no-tls1_2-method -m64 -O3 -ffast-math -march=native -flto -fuse-ld=gold' --with-http_v2_module --with-http_ssl_module --with-http_v2_hpack_enc --with-file-aio --with-http_sub_module --without-http_ssi_module --without-http_scgi_module --without-http_uwsgi_module --without-http_gzip_module --without-http_auth_basic_module --without-http_autoindex_module --without-http_geo_module --without-http_map_module --without-http_split_clients_module --without-http_referer_module --without-http_memcached_module --without-http_limit_req_module --without-http_empty_gif_module --without-http_upstream_ip_hash_module --without-http_access_module --without-http_mirror_module --without-http_grpc_module --without-http_limit_conn_module --without-http_upstream_hash_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --without-stream_limit_conn_module --without-stream_access_module --without-stream_geo_module --without-stream_map_module --without-stream_split_clients_module --without-stream_return_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module # https://kn007.net/topics/my-nginx-compilation-tour/
make
make install
```
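The build script above fetches the OpenSSL and nginx tarballs and feeds them straight into `tar` and `./configure` without comparing them against a published digest. The helper below is an added example, not part of the post: it downloads a file and discards it unless its SHA-256 matches a value you obtained out of band (the `OPENSSL_SHA256` / `NGINX_SHA256` variables are placeholders, and `RUN_FETCH` is a guard I invented so the functions can also be sourced).

```bash
#!/bin/sh
# Added example (not from the post): integrity-checked download for the tarballs above.
# Usage: RUN_FETCH=1 OPENSSL_SHA256=<hex> NGINX_SHA256=<hex> sh fetch_verified.sh
set -eu

# Print the SHA-256 of a file as lowercase hex (sha256sum is part of coreutils).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the file's digest equals the expected one, 1 (with a message) otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0
    printf 'DIGEST MISMATCH %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
    return 1
}

# Download URL to OUT and remove OUT again on mismatch, so a tampered or
# truncated archive never reaches tar or ./configure.
fetch_verified() {
    url=$1; expected=$2; out=$3
    wget -q -c -O "$out" "$url"
    verify_sha256 "$out" "$expected" && return 0
    rm -f "$out"
    return 1
}

# Live use only when requested, so the file can also be sourced for its functions.
# The digests are placeholders: for OpenSSL take the value from the .sha256 file
# published next to the tarball; for nginx verify the tarball's .asc PGP signature
# with gpg first and then pin the sha256sum of that verified tarball.
if [ "${RUN_FETCH:-}" = 1 ]; then
    fetch_verified https://www.openssl.org/source/openssl-3.1.0.tar.gz \
        "${OPENSSL_SHA256:?set OPENSSL_SHA256}" openssl.tar.gz
    fetch_verified https://nginx.org/download/nginx-1.23.4.tar.gz \
        "${NGINX_SHA256:?set NGINX_SHA256}" nginx-1.23.4.tar.gz
fi
```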
Here is a more elegant alternative to `service start xxx`. Drop a `nginx.service` into `/etc/systemd/system/` with the same content as in the previous post:
```ini
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/local/nginx/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/local/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /usr/local/nginx/logs/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target
```
Then `systemctl enable nginx`; afterwards `systemctl start|reload|stop nginx` works.
```bash
wget -O - https://get.acme.sh | sh
. "/root/.acme.sh/acme.sh.env"
acme.sh --upgrade --auto-upgrade
acme.sh --set-default-ca --server letsencrypt # switch the default CA back to Let's Encrypt
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" # placeholder Cloudflare API key, use your own
export CF_Email="[email protected]" # for other DNS providers see https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
# the wildcard is quoted so the shell cannot glob-expand it
acme.sh --issue --dns dns_cf -d slanterns.net -d '*.slanterns.net' --keylength ec-256 --renew-hook "systemctl reload nginx"
```
Use the modified identity theme and upload it to `/var/www/uuz-h5theme-min`.
Edit `/usr/local/nginx/conf/nginx.conf`:
```nginx
user www-data;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include /usr/local/nginx/conf/sites-enabled/*;
    include mime.types;
    include compression.conf;
    default_type application/octet-stream;
    charset UTF-8;
    # sendfile is useless with TLS (encryption has to happen in user space unless you have kTLS), so enable aio instead.
    # See: https://blog.csdn.net/dog250/article/details/53868519
    aio on;
    sendfile off;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
}
```
Create a new `compression.conf`:
```nginx
brotli on;
brotli_comp_level 6;
brotli_types application/xml+rss text/xml application/x-javascript application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/javascript text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
```
Create the `sites-enabled` directory and add a site there, `slanterns.net` for example:
```nginx
server {
    listen 443 ssl http2 fastopen=3 default_server reuseport;
    server_name slanterns.net;
    include /usr/local/nginx/conf/ssl.conf;
    root /var/www/uuz-h5theme-min;
    index index.htm;

    location / {
        try_files $uri $uri/ /index.htm;
        http2_push /m.css; # server push, which nobody uses
        http2_push /m.jpg;
        http2_push /b.jpg;
        http2_push /f.woff2;
        http2_push /a.woff2;
        http2_push /favicon.ico;
    }
}
```
Add `/usr/local/nginx/conf/ssl.conf`:
```nginx
ssl_certificate /root/.acme.sh/slanterns.net_ecc/fullchain.cer;
ssl_certificate_key /root/.acme.sh/slanterns.net_ecc/slanterns.net.key;
# https://github.com/cloudflare/sslconfig/blob/master/conf
ssl_ecdh_curve X25519:P-256:P-384:P-521;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# https://imququ.com/post/optimize-tls-handshake.html#toc-3-1
ssl_session_tickets on;
ssl_early_data on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10s;
ssl_conf_command Options PrioritizeChaCha;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
```
Without TLS 1.2 the rating dropped to A, but there is naturally no need to cater to people still using browsers without TLS 1.3 support; not a big deal.
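A configuration like the `ssl.conf` above is only as good as what the running server actually negotiates, so here is an added check script (mine, not from the post) that probes a host with `openssl s_client` and reports whether TLS 1.3 is served, TLS 1.2 is refused, OCSP is stapled, the HSTS header is present, and `PrioritizeChaCha` takes effect for a ChaCha-first client. `RUN_LIVE` is a guard I invented so the predicates can also be exercised offline on captured output.

```bash
#!/bin/sh
# Added example (not from the post): check a host against the ssl.conf policy above.
# Usage: RUN_LIVE=1 sh tls_check.sh slanterns.net
set -u

# Open a connection with s_client, send a HEAD request and return everything it
# printed (handshake summary, stapled OCSP status, HTTP response headers).
probe() {
    host=$1; shift
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" |
        openssl s_client -connect "$host:443" -servername "$host" -status -ign_eof "$@" 2>&1
}

# Predicates over captured s_client output ($1); each returns 0 on pass.
handshake_ok()      { printf '%s' "$1" | grep -q '^New, TLSv1\.3, Cipher is '; }
handshake_refused() { printf '%s' "$1" | grep -q 'alert protocol version\|unsupported protocol\|no protocols available'; }
stapled_ocsp()      { printf '%s' "$1" | grep -q '^OCSP Response Status: successful'; }
hsts_present()      { printf '%s' "$1" | grep -qi '^strict-transport-security:.*max-age=63072000.*preload'; }
chacha_chosen()     { printf '%s' "$1" | grep -q 'Cipher is TLS_CHACHA20_POLY1305_SHA256'; }

report() { if "$1" "$2"; then echo "PASS $3"; else echo "FAIL $3"; fi; }

check_host() {
    host=$1
    out=$(probe "$host" -tls1_3)
    report handshake_ok "$out" "TLS 1.3 handshake"
    report stapled_ocsp "$out" "OCSP stapling (nginx fetches the response lazily; retry once)"
    report hsts_present "$out" "HSTS header with 2-year max-age and preload"
    # PrioritizeChaCha: a client that lists ChaCha20 first must get it even though
    # the server's own preference (ssl_prefer_server_ciphers on) is AES.
    out=$(probe "$host" -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384)
    report chacha_chosen "$out" "ChaCha20 chosen for a ChaCha-first client"
    # ssl_protocols TLSv1.3 only: a TLS 1.2-only client must be refused.
    out=$(probe "$host" -tls1_2)
    report handshake_refused "$out" "TLS 1.2 refused"
}

if [ "${RUN_LIVE:-}" = 1 ]; then
    check_host "${1:?host}"
fi
```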
```bash
wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
nvm install v18.6.0 && nvm use v18.6.0 # hoping https://github.com/hexojs/hexo/issues/5022 has been fixed by now
npm install hexo-cli -g
hexo init /var/www/hexo
cd /var/www/hexo
npm install
npm install hexo-generator-feed hexo-generator-seo-friendly-sitemap --save
```
After that there is nothing new (runs away).
I came across a well-written series of articles on TLS; following its fourth part, 《HTTPS 温故知新(四) —— 直观感受 TLS 握手流程(下)》 (HTTPS Revisited, part 4: an intuitive look at the TLS handshake, second half), here is how to verify 0-RTT locally.
{% lazy_gist 6c36dc92727e271c26d011c1224df153 %}
where `req.txt` contains:

```http
GET / HTTP/1.1
HOST: halfrost.com
Early-Data: 657567765
```
On the first connection it may hang for a while at `read R BLOCK`; just wait. On the second connection you should see `Early data was accepted`.
`/etc/sysctl.conf`:

```ini
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = cake
```

Then `sysctl -p`.
2022/07/31: removed; if you are interested, see 通过 Nginx 转发 Google Analytics (Proxying Google Analytics through Nginx). Universal Analytics has been shut down anyway, so next time I may have to look at migrating to GA4.
The Ubuntu (uuu) 22.04 image on Vultr ships with a ufw rule that drops all inbound traffic except port 22 (what a trap); check it and turn it off.

```bash
ufw status
ufw disable
```
Since I now write everything locally and then upload it, I have no use for this at the moment. Those interested can look here.
- Seventeen theme
- TLS 1.3
- migrate old posts
- posts still to write / gaps to fill
- service worker
- better code highlight
- psk (TLS, 0-rtt)
- inline SVG
- code block margins
- QUIC / HTTP/3
- trimming Nginx
- ipv6 (once I actually have v6)
- blogroll
It only took a day and went surprisingly smoothly.
Earlier versions are in the Gist.
- 2019/12/24: after upgrading to `5.3.0-24-generic x86_64` a mysterious problem appeared: no browser could open the site, and `curl` on the host itself failed too, which ruled out the network. Updating everything and rebuilding fixed it.
- 2021-09-12: updated the build script; ChaCha20 is now preferred by configuring `ssl_conf_command Options PrioritizeChaCha` on the nginx side. (This directive gives a great deal of configuration freedom; for example, `ssl_conf_command ciphersuites TLS_CHACHA20_POLY1305_SHA256` solves the problem that TLS 1.3 ciphersuites cannot be configured through `ssl_ciphers`; see SSL_CONF_cmd for details.)
- 2022/6/9: following cloudflare/sslconfig, removed P-224; moved the HSTS header into `ssl.conf` (why did I insist on putting it in every site before?); added the acme.sh note about staying on LE.
- 2022/7/31: cleanup; updated the build script, adding `no-{ssl3|tls1|tls1_1|tls1_2}-method`. Added the ufw & net sections.
- 2023/4/9: updated the build script.