1. Update the system packages

sudo yum update

Error:
One of the configured repositories failed (EPEL for redhat/centos 7 - x86_64),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=epel ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable epel
        or
            subscription-manager repos --disable=epel

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=epel.skip_if_unavailable=true

failure: repodata/repomd.xml from epel: [Errno 256] No more mirrors to try.
http://mirrors.tencentyun.com/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: mirrors.tencenty
  • Cause:

    • The EPEL yum repository is misconfigured

      • The mirror address given in baseurl under the [epel] or [epel-testing] section cannot be reached

  • Remove everything in that section, or change it to a working mirror address

  • Repository files are located in: /etc/yum.repos.d/
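To find which .repo file points at an unreachable mirror, here is an added shell script (not from the original post) that pulls the baseurl/mirrorlist hosts out of the repo files and tests whether each one resolves, which is exactly what failed above with "Could not resolve host".

```shell
#!/bin/sh
# Extract the mirror hosts referenced by yum .repo files and test whether
# each one resolves. Added example, not part of the original post.
# usage: sh repo_hosts.sh /etc/yum.repos.d/*.repo

# Print "<repo-file> <host>" for each active baseurl= or mirrorlist=
# line; lines commented out with # are ignored.
repo_hosts() {
  for f in "$@"; do
    sed -n \
      -e 's#^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*[a-z]*://\([^/[:space:]]\{1,\}\).*#\1#p' \
      -e 's#^[[:space:]]*mirrorlist[[:space:]]*=[[:space:]]*[a-z]*://\([^/[:space:]]\{1,\}\).*#\1#p' \
      "$f" | sort -u | while read -r host; do
        printf '%s %s\n' "$f" "$host"
      done
  done
}

# Resolve every host found; a FAILED line names the repo file whose
# baseurl needs fixing or whose section should be removed.
resolve_check() {
  repo_hosts "$@" | while read -r f host; do
    if getent hosts "${host%%:*}" >/dev/null 2>&1; then
      printf 'ok      %s (%s)\n' "$host" "$f"
    else
      printf 'FAILED  %s (%s)\n' "$host" "$f"
    fi
  done
}

if [ $# -gt 0 ]; then
  resolve_check "$@"
fi
```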

2. Install nginx

2.1 Add the nginx repository

rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

2.2 Install nginx

yum install -y nginx

2.3 Edit the nginx configuration file

Default location: /etc/nginx/conf.d

server {
    listen       80;
    listen  [::]:80;
    server_name  xxx.cn;  # domain to be proxied

    location / {
        # maximum size of the client request body
        client_max_body_size 20M;
        # buffer size for the request body
        client_body_buffer_size 10m;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080/;
    }

}

2.4 Start nginx and check its status

systemctl start nginx    (start)

systemctl status nginx   (check status)

● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since 二 2024-04-30 19:44:09 CST; 27s ago
     Docs: http://nginx.org/en/docs/
  Process: 22290 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 22291 (nginx)
    Tasks: 5
   Memory: 3.3M
   CGroup: /system.slice/nginx.service
           ├─22291 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           ├─22292 nginx: worker process
           ├─22293 nginx: worker process
           ├─22294 nginx: worker process
           └─22295 nginx: worker process

4月 30 19:44:09 VM-16-12-centos systemd[1]: Starting nginx - high performance web server...
4月 30 19:44:09 VM-16-12-centos systemd[1]: Started nginx - high performance web server.
  • The site can now be reached by domain name; remember to use http rather than https: http://xxx.cn/

2.5 Enable nginx at boot

  • systemctl enable nginx

Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

A symlink is created, so nginx is started together with the system.

The complete /etc/nginx/nginx.conf, including the ACME challenge location and the HTTPS server block that the certificate steps in section 3 depend on:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    # HTTP server block: serves the certificate challenge and redirects everything else
    server {
        listen 80;
        server_name eucliwoodhellscythe.cn;

        # ACME challenge path (certificate issuance/renewal)
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
            allow all;
        }

        # redirect all other HTTP requests to HTTPS
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # HTTPS server block: main service configuration
    server {
        listen 443 ssl http2;
        server_name eucliwoodhellscythe.cn;

        # SSL certificate configuration
        ssl_certificate /etc/letsencrypt/live/eucliwoodhellscythe.cn/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/eucliwoodhellscythe.cn/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        # security response headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        add_header X-XSS-Protection "1; mode=block";

        # static file root (adjust to your setup)
        root /usr/share/nginx/html;
        index index.html;

        # custom error page (optional)
        error_page 404 /404.html;
        location = /404.html {
            internal;
        }

        # reverse proxy
        location / {
            proxy_pass http://127.0.0.1:8090;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
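To confirm from the outside that this nginx.conf behaves as written (plain HTTP answers with a 301 to https://, and the HTTPS response carries the security headers the 443 block adds), here is an added shell check that is not part of the original post; it assumes the domain used in the config and the header dumps in its test are constructed.

```shell
#!/bin/sh
# External check of the HTTP->HTTPS redirect and the security headers set
# in nginx.conf. Added example, not from the original post.
# usage: sh tls_check.sh eucliwoodhellscythe.cn

# Read an HTTP response (headers) on stdin; return 0 if it is a 301 whose
# Location points at https://.
check_redirect() {
  resp=$(tr -d '\r' | tr 'A-Z' 'a-z')
  case "$resp" in
    *"http/1.1 301"*"location: https://"*) return 0 ;;
    *) echo "HTTP is not redirected to HTTPS with a 301"; return 1 ;;
  esac
}

# Read response headers on stdin; return 0 when all three headers set by
# the 443 server block are present, otherwise list what is missing.
check_security_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
  rc=0
  for want in "strict-transport-security: max-age=" \
              "x-content-type-options: nosniff" \
              "x-frame-options: deny"; do
    case "$hdrs" in
      *"$want"*) ;;
      *) echo "missing header: $want"; rc=1 ;;
    esac
  done
  return $rc
}

if [ $# -gt 0 ]; then
  domain=$1
  curl -sSI "http://$domain/" | check_redirect && echo "redirect: ok"
  curl -sSI "https://$domain/" | check_security_headers && echo "headers: ok"
  # expiry of the certificate actually served on 443 (Let's Encrypt certs last 90 days)
  openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
fi
```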

3. Automatic renewal with Certbot

3.1 Add the EPEL repository: yum install epel-release -y

3.2 Install Certbot: yum install certbot python2-certbot-nginx [or] sudo yum install certbot python3-certbot-nginx -y

3.3 Request an SSL certificate: sudo certbot --nginx -d xxx.cn

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): 
Enter an email address, then answer y to the remaining prompts.

3.3.1 If it fails

  • Check whether ports 80 or 443 are open

  • Check whether the domain resolves to this server. Command: dig +short <domain>

  • Check whether DNS resolution for the domain is working

[root frp]# sudo certbot --nginx -d eucliwoodhellscythe.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for eucliwoodhellscythe.cn

Certbot failed to authenticate some domains (authenticator: nginx).  The Certificate Authority reported these problems:
Domain: eucliwoodhellscythe.cn
Type:   connection
Detail: 1.94.27.177: Fetching http://eucliwoodhellscythe.cn/.well-known/acme-challenge/DEvI18UbjfaetODQJKnRk_si5FgGDFBsBWN9sT4uZBc: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot.  Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org.  See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

3.4 Configure automatic certificate renewal; certificates are valid for 90 days by default

Manual renewal: certbot renew

3.4.1 Test renewal

sudo certbot renew --dry-run

  • Output "Congratulations, all renewals succeeded" means the configuration is correct

  • Error

Failed to renew certificate eucliwoodhellscythe.cn with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/eucliwoodhellscythe.cn/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

# 1. Check that the directory /var/www/certbot/.well-known/acme-challenge/ exists
# 2. Check that permissions are correct, e.g. all 755
# 3. Check that nginx.conf is configured correctly

If it still fails, run sudo certbot renew --force-renewal to see the real outcome.
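The three checks above can be scripted. Here is an added self-test (not from the original post) that verifies the challenge directory exists with permissions the nginx worker can traverse, then drops a throwaway token into it and fetches it through nginx on this host with the real Host header, the same way the CA would; it assumes the webroot /var/www/certbot and the domain from the nginx.conf above.

```shell
#!/bin/sh
# Self-test of the HTTP-01 challenge path that "certbot renew" relies on.
# Added example, not from the original post.
# usage: sh acme_selftest.sh /var/www/certbot eucliwoodhellscythe.cn

# Return 0 when the webroot, .well-known and acme-challenge directories all
# exist and are readable and searchable by others (755 or equivalent), which
# the nginx worker needs in order to serve the challenge file.
check_webroot() {
  root=$1
  for dir in "$root" "$root/.well-known" "$root/.well-known/acme-challenge"; do
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # characters 8-10 of "ls -ld" output are the permission bits for "other"
    case $(ls -ld "$dir" | cut -c8-10) in
      r?x) ;;
      *) echo "bad permissions on $dir (need o+rx, e.g. 755)"; return 1 ;;
    esac
  done
  return 0
}

# Write a throwaway token into the challenge directory and fetch it through
# nginx on this host with the real Host header, as the CA would.
probe_challenge() {
  root=$1; domain=$2
  token="selftest-$$"
  printf 'ok-%s' "$token" > "$root/.well-known/acme-challenge/$token" || return 1
  got=$(curl -s -H "Host: $domain" "http://127.0.0.1/.well-known/acme-challenge/$token")
  rm -f "$root/.well-known/acme-challenge/$token"
  [ "$got" = "ok-$token" ] || { echo "nginx did not serve the token (got: $got)"; return 1; }
}

if [ $# -eq 2 ]; then
  nginx -t 2>&1 | tail -n 1          # syntax check of the live config
  check_webroot "$1" && echo "webroot: ok"
  probe_challenge "$1" "$2" && echo "challenge path: ok"
fi
```

Run this before reaching for --force-renewal: a forced renewal against the production CA issues a real certificate each time and counts toward Let's Encrypt's duplicate-certificate rate limit, whereas this probe and --dry-run do not.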

3.4.2 Add automatic renewal

sudo crontab -e
# every day at 02:00: renew any certificate that is due, then reload Nginx
0 2 * * * /usr/bin/certbot renew --quiet && /usr/sbin/nginx -s reload
# logging: append >> /var/log/certbot-renew.log 2>&1 to record each run

4. Automatic renewal with acme.sh

4.1 Download and install

curl https://get.acme.sh | sh -s email=your_email@example.com
# replace your_email@example.com with your own email address
# after installation, reopen the terminal or run "source ~/.bashrc" to load the acme.sh command

4.2 Switch the default CA

acme.sh --set-default-ca --server letsencrypt

4.3 Issue an SSL certificate

acme.sh --issue -d example.com --nginx

  • Certificates are stored under ~/.acme.sh/example.com/ by default
