补充:
在运行容器之前,需要给openresty创建对应目录,上传openresty配置文件和ssl证书,下面提供一份参考。
1 创建目录和主配置文件
mkdir -p /data/openresty/conf
mkdir -p /data/openresty/conf/conf.d
mkdir -p /data/openresty/ssl
mkdir -p /data/logs/openresty
mkdir -p /data/openresty/www/blog.qianshaer.cn
tee /data/openresty/conf/nginx.conf > /dev/null << 'EOF'
worker_processes 2;
error_log logs/error.log;
events {
worker_connections 4096;
use epoll;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
# 启用SSL会话缓存以提高性能
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# 优化SSL配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
gzip on;
# 在主配置文件中包含其他配置文件,放在 http { ... } 块内
include /usr/local/openresty/nginx/conf.d/*.conf;
}
EOF
2 默认站点配置文件
tee /data/openresty/conf/conf.d/blog.qianshaer.cn.conf > /dev/null << 'EOF'
# HTTP 重定向到 HTTPS
server {
listen 80 ;
listen [::]:80 ; # IPv6 监听
server_name blog.qianshaer.cn;
return 301 https://$host$request_uri;
}
# HTTPS 服务器配置
server {
listen 443 ssl ;
listen [::]:443 ssl ; # IPv6 监听
http2 on;
server_name blog.qianshaer.cn;
root /usr/local/openresty/nginx/www/blog.qianshaer.cn;
index index.html index.htm;
# 全局上传文件大小限制(128MB)
client_max_body_size 128M;
# SSL证书配置
ssl_certificate /data/openresty/ssl/blog.qianshaer.cn.crt;
ssl_certificate_key /data/openresty/ssl/blog.qianshaer.cn.key;
# 启用HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 安全相关头部
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_redirect off;
proxy_pass http://172.20.22.10;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Cookie $http_cookie;
proxy_cookie_path / "/; HTTPOnly; Secure";
}
# 配置静态缓存,加速静态资源加载,减低服务器负载
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|webp|woff|woff2|ttf|eot)$ {
proxy_redirect off;
proxy_pass http://172.20.22.10;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Cookie $http_cookie;
# 缓存头设置
expires 30d;
add_header Cache-Control "public, immutable";
add_header X-Content-Type-Options "nosniff";
# 代理优化
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
}
# 安全优化
location ~ /\.(ht|git|svn|env) { # 扩展隐藏文件保护
deny all;
access_log off;
log_not_found off;
return 404;
}
# 禁止访问常见敏感文件
location ~* ^/(README.md|composer.lock|package.json|\.gitignore|\.env.example) {
deny all;
return 403;
}
access_log logs/blog.qianshaer.cn-access.log main;
error_log logs/blog.qianshaer.cn-error.log warn;
}
EOF
3 上传证书
上传证书到/data/openresty/ssl目录
例如:
/data/openresty/ssl/blog.qianshaer.cn.key
/data/openresty/ssl/blog.qianshaer.cn.crt
附件:blog.zip
