1. Preparation:
First of all, this article hands you a fish rather than teaching you to fish, so straight to the point: buy a virtual host and register a domain name. For a personal blog a high-end configuration is not needed; I bought a package on Tencent Cloud for 136 CNY/year with the following specification:
OS: CentOS 7
CPU: 1 core
Memory: 2 GB
Disk: 40 GB high-performance cloud disk
Bandwidth: 1 Mbps
One IP address: 129.211.45.64
One .cn domain: songxc.cn
For the domain, first add an A record www --> 129.211.45.64; about 10 minutes after it is saved, verify it with ping www.songxc.cn.
Next, log in to the Tencent Cloud host. On first use, set the root password; once logged in, confirm the following:
1. SELinux is disabled:
[root@VM_0_12_centos ~]# getenforce
Disabled
[root@VM_0_12_centos ~]#
# "Disabled" means SELinux is permanently off
2. The firewall is stopped:
[root@VM_0_12_centos ~]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@VM_0_12_centos ~]#
# "Active: inactive (dead)" means the firewall is stopped
Leaving SELinux enabled causes a lot of trouble, and the firewall is stopped so that all network traffic gets through; the security policy is configured instead in the network (security group) settings of the Tencent Cloud console. With the host firewall off, that security group is the only thing limiting inbound access, so it should allow only the ports you actually publish.
2. Installing the Ghost blog with Docker
2.1 Install the Docker environment first
# Install docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce docker-ce-cli containerd.io
# Start docker and enable it at boot
systemctl start docker
systemctl enable docker
# Verify the result
[root@VM_0_12_centos ~]# service docker status
Redirecting to /bin/systemctl status docker.service
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-01-17 11:16:37 CST; 1 months 1 days ago
Docs: https://docs.docker.com
# "Active: active (running)" means the service is running
2.2 Install Ghost
# Pull the latest Ghost docker image
docker pull ghost:latest
# Verify: the image now appears in the list
[root@VM_0_12_centos ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ghost latest 0dcdf17e783b 4 weeks ago 396MB
# Create and start the container
docker run -d --name ghost -e url=http://www.songxc.cn:65534 -p 65534:2368 ghost
## The Ghost container listens on tcp/2368 by default; the host port it is mapped to can be changed as needed
# Verify: STATUS shows Up
[root@VM_0_12_centos ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
52d0bb9a6b8f ghost "docker-entrypoint.s…" 45s ago Up 40s 0.0.0.0:65534->2368/tcp ghost
# Verify: the blog can now be opened in a browser at http://www.songxc.cn:65534
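Rather than reading the docker ps table by eye, the checks above can be scripted. The following is an added shell example, not code from the original post: its functions read the tab-separated output of docker ps --format '{{.Names}}\t{{.Status}}\t{{.Ports}}' on stdin, report whether a container is Up and which host address a container port is published on, and flag a mapping bound to all interfaces. The sample docker ps text, the function names and the 172.18.0.1 bind suggestion are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: check container state programmatically
# from `docker ps` output instead of reading the table by eye. The functions read the
# tab-separated text produced by
#     docker ps --format '{{.Names}}\t{{.Status}}\t{{.Ports}}'
# on stdin, so they work on live output and on a captured sample alike.

# container_is_up NAME < ps_output : succeeds when NAME is listed with a STATUS of "Up ..."
container_is_up() {
    awk -F'\t' -v name="$1" '$1 == name && $2 ~ /^Up/ { found = 1 } END { exit !found }'
}

# host_bind_for NAME CONTAINER_PORT < ps_output : prints the host-side ADDRESS:PORT that
# forwards to CONTAINER_PORT/tcp, e.g. "0.0.0.0:65534->2368/tcp" gives "0.0.0.0:65534"
host_bind_for() {
    awk -F'\t' -v name="$1" -v cport="$2" '
        $1 == name {
            n = split($3, maps, ", ")
            for (i = 1; i <= n; i++)
                if (maps[i] ~ ("->" cport "/tcp$")) {
                    split(maps[i], side, "->")
                    print side[1]
                }
        }'
}

# exposed_to_world NAME CONTAINER_PORT < ps_output : succeeds when that mapping is bound to
# all interfaces (0.0.0.0, [::] or :::), i.e. reachable from anywhere the host is. For the
# Ghost container this means the plain-HTTP port stays open alongside the HTTPS front end.
exposed_to_world() {
    host_bind_for "$1" "$2" | grep -Eq '^(0\.0\.0\.0|\[::\]|::):'
}

# Constructed sample in the shape of this page's `docker ps` output (not live data)
SAMPLE_PS="$(printf 'ghost\tUp 40 seconds\t0.0.0.0:65534->2368/tcp\nnginx\tUp 6 seconds\t80/tcp, 0.0.0.0:4430->443/tcp\n')"

for c in ghost nginx; do
    if printf '%s\n' "$SAMPLE_PS" | container_is_up "$c"; then
        echo "$c: running"
    else
        echo "$c: NOT running"
    fi
done
if printf '%s\n' "$SAMPLE_PS" | exposed_to_world ghost 2368; then
    bind=$(printf '%s\n' "$SAMPLE_PS" | host_bind_for ghost 2368)
    echo "note: ghost's plain-HTTP port is published on $bind, reachable by anyone who can reach the host;"
    echo "      once the HTTPS proxy is in place, bind it to the docker bridge address"
    echo "      (-p 172.18.0.1:65534:2368) or leave it unpublished and proxy to the container IP"
fi
# Live use: docker ps --format '{{.Names}}\t{{.Status}}\t{{.Ports}}' | container_is_up ghost
```

Pipe live docker ps output into the same functions to use them on the host; the constructed SAMPLE_PS only exists so the script can be run and read offline.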
2.3 Initialising and configuring the blog
Omitted here; set it up according to your own needs. If you do not need HTTPS, the blog is fully installed at this point, although the browser will warn that the connection is not secure.
If you need HTTPS, read on.
3. Configuring HTTPS
3.1 Pull the Nginx image
# Pull the latest nginx image
docker pull nginx:latest
# Verify the result:
[root@VM_0_12_centos ~]# docker image ls | grep nginx
nginx latest 2073e0bcb60e 50 s ago 127MB
3.2 Run the Nginx container
# Run the nginx container
[root@VM_0_12_centos ~]# docker run --name nginx -p 4430:443 -d nginx
# The port number is up to you; because the site has not completed ICP filing yet, 4430 is used for the demonstration
# Verify: the nginx and ghost containers are both running
[root@VM_0_12_centos ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0ce88dd3d82 nginx "nginx -g 'daemon of…" 8 seconds ago Up 6 seconds 80/tcp, 0.0.0.0:4430->443/tcp nginx
52d0bb9a6b8f ghost "docker-entrypoint.s…" 4 weeks ago Up 4 weeks 0.0.0.0:65534->2368/tcp ghost
3.3 Configure Nginx
# Open a shell in the docker container
[root@VM_0_12_centos ~]# docker exec -it nginx /bin/bash
root@e0ce88dd3d82:/#
# Edit the default nginx configuration file
root@e0ce88dd3d82:/# cd /etc/nginx/
root@e0ce88dd3d82:/etc/nginx# vim nginx.conf
bash: vim: command not found
# !!! vim is not found here, so we have to install it with apt-get update and apt-get install vim:
root@e0ce88dd3d82:/etc/nginx# apt-get update
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:1 http://security-cdn.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://security-cdn.debian.org/debian-security buster/updates/main amd64 Packages [177 kB]
Get:4 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
21% [5 Packages 181 kB/7907 kB 2%]
# ...followed by a long wait...
Then
root@e0ce88dd3d82:/etc/nginx# apt-get install vim
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libgpm2 vim-common vim-runtime xxd
Suggested packages:
gpm ctags vim-doc vim-scripts
The following NEW packages will be installed:
libgpm2 vim vim-common vim-runtime xxd
0 upgraded, 5 newly installed, 0 to remove and 9 not upgraded.
Need to get 7425 kB of archives.
After this operation, 33.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian buster/main amd64 xxd amd64 2:8.1.0875-5 [140 kB]
1% [1 xxd 90.4 kB/140 kB 65%] 12.4 kB/s 9min 50s
# Another wait, and eventually the installation completes.
vim /etc/nginx/nginx.conf
The configuration file now opens normally. Keep in mind that vim and any edits made inside the container are lost if the container is ever removed and recreated; bind-mounting nginx.conf from the host, or copying it in with docker cp, avoids that.
That small detour cost a little time; moving on, let's look at the IP addresses of the two containers:
[root@VM_0_12_centos ~]# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 172.17.0.12/20 brd 172.17.15.255 scope global eth0
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
inet 172.18.0.1/16 brd 172.18.255.255 scope global docker0
valid_lft forever preferred_lft forever
[root@VM_0_12_centos ~]# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nginx
172.18.0.3
[root@VM_0_12_centos ~]# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ghost
172.18.0.2
# Host (docker0 bridge) IP address: 172.18.0.1
# nginx container IP address: 172.18.0.3
# ghost container IP address: 172.18.0.2
Edit nginx.conf; when finished it looks like this (some comment lines and blank lines have been filtered out). Note that the TLS server block must listen on the container-side port of the docker mapping (443, from -p 4430:443), and the redirect must name the host-side port that browsers use (4430):
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name www.songxc.cn;
        # Redirect plain HTTP to the HTTPS port published on the host (4430 in 3.2), keeping
        # the requested path; this block is only reachable if port 80 is published too (-p 80:80)
        rewrite ^(.*)$ https://www.songxc.cn:4430$1 permanent;
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    server {
        # 443 is the port inside the container; docker maps host port 4430 to it (-p 4430:443)
        listen 443 ssl http2 default_server;
        server_name www.songxc.cn;
        # Certificate file location inside the container (copy the files in with docker cp,
        # or bind-mount the directory); obtaining the certificate is described below
        ssl_certificate "/usr/local/nginx/conf/ssl/fullchain.crt";
        # Private key location; see below for obtaining the certificate
        ssl_certificate_key "/usr/local/nginx/conf/ssl/private.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            # Ghost's port as published on the host (the docker0 bridge address)
            proxy_pass http://172.18.0.1:65534;
            # Alternatively, go to the container directly: proxy_pass http://172.18.0.2:2368;
            proxy_set_header Host $host;
        }
        error_page 404 /404.html;
        location = /404.html {
        }
    }
}
Once nginx.conf has been edited, restart the container
docker restart nginx
Then open the blog at https://www.songxc.cn:4430; the browser shows a secure connection. Ghost builds its absolute links from the url value given when the container was created in 2.2 (http://www.songxc.cn:65534), so once the blog is served through nginx the Ghost container should be recreated with -e url=https://www.songxc.cn:4430, and nginx should pass proxy_set_header X-Forwarded-Proto $scheme; so that Ghost knows the request arrived over TLS.
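Three port numbers have to agree for this setup to work: the container side of docker run -p HOST:CONTAINER, the listen ... ssl port in nginx.conf (which must be the container side), and the port named in the HTTP-to-HTTPS redirect (which must be the host side). A mismatch produces a connection failure or a redirect to a dead port, which nginx -t cannot detect. The following added shell example, not code from the original post, checks a configuration file against the mapping offline; the two configuration fragments it writes are constructed for the demonstration, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: check that the HTTPS port wiring is
# consistent before restarting nginx. Three numbers have to agree:
#   - the container-side port in `docker run -p HOST:CONTAINER`,
#   - the `listen ... ssl` port inside nginx.conf (this must be CONTAINER, not HOST),
#   - the port named in the HTTP->HTTPS redirect (this must be HOST, what browsers use).
# A mismatch gives "connection refused" or a redirect to a dead port, not an nginx error,
# so `nginx -t` does not catch it.

# ssl_listen_ports CONF : prints every port from a `listen ... ssl ...;` directive
ssl_listen_ports() {
    awk '$1 == "listen" && /ssl/ { p = $2; sub(/^\[::\]:/, "", p); sub(/;$/, "", p); print p }' "$1" | sort -u
}

# redirect_ports CONF : prints the port used by each rewrite/return that sends clients to
# https:// (443 when the URL carries no explicit port)
redirect_ports() {
    awk '($1 == "rewrite" || $1 == "return") && /https:\/\// {
            if (match($0, /https:\/\/[^\/: ]+:[0-9]+/)) {
                u = substr($0, RSTART, RLENGTH); sub(/.*:/, "", u); print u
            } else {
                print 443
            }
        }' "$1" | sort -u
}

# check_tls_wiring CONF MAPPING : MAPPING is the -p argument, e.g. 4430:443 or 172.18.0.1:4430:443
check_tls_wiring() {
    conf=$1
    host_port=$(printf '%s\n' "$2" | awk -F: '{ print $(NF-1) }')
    cont_port=$(printf '%s\n' "$2" | awk -F: '{ print $NF }')
    rc=0
    if ! ssl_listen_ports "$conf" | grep -qx "$cont_port"; then
        echo "FAIL: -p $2 delivers TLS to container port $cont_port, but $conf has no 'listen $cont_port ssl'"
        rc=1
    fi
    for p in $(redirect_ports "$conf"); do
        if [ "$p" != "$host_port" ]; then
            echo "FAIL: redirect sends browsers to port $p, but HTTPS is published on host port $host_port"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: listen $cont_port ssl matches -p $2 and redirects use host port $host_port"
    fi
    return "$rc"
}

# Two constructed configuration fragments (not the page's files) written to a temp dir:
# one with listen/redirect ports on the wrong side of the mapping, one corrected.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mismatched.conf" <<'EOF'
server {
    listen 80 default_server;
    server_name www.songxc.cn;
    rewrite ^(.*)$ https://www.songxc.cn:4433 permanent;
}
server {
    listen 4433 ssl http2 default_server;
    server_name www.songxc.cn;
}
EOF
cat > "$SAMPLE_DIR/corrected.conf" <<'EOF'
server {
    listen 80 default_server;
    server_name www.songxc.cn;
    rewrite ^(.*)$ https://www.songxc.cn:4430$1 permanent;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.songxc.cn;
}
EOF

for f in mismatched corrected; do
    echo "== $f.conf against -p 4430:443"
    check_tls_wiring "$SAMPLE_DIR/$f.conf" 4430:443 || :
done
# Against a running container the mapping can be read back with:  docker port nginx 443
```

To use it on the real file, copy the configuration out of the container first (docker cp nginx:/etc/nginx/nginx.conf .) and run check_tls_wiring nginx.conf 4430:443; the MAPPING argument accepts the same HOST:CONTAINER or IP:HOST:CONTAINER forms that docker run -p does.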
About obtaining the certificate
Applying for a free Let's Encrypt certificate
On a computer, open https://letsencrypt.osfipin.com/, click Register in the top-right corner and follow the prompts to complete registration.
Personal information --> Apply for certificate --> enter the domain songxc.cn --> tick the wildcard option so that *.songxc.cn is covered too --> keep the default RSA encryption --> Apply for certificate
The page then shows the request as unverified. Choose DNS verification: on the domain you are applying for, add a TXT record whose value is the one the site gives you. After the record is in place, check that it resolves with nslookup -qt=txt _acme-challenge.songxc.cn; once it does, submit for verification, and the certificate can then be downloaded.
The download is an archive; extract it to get the certificate files you need.
The certificate is valid for three months; remember to renew it!!!
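The two moments that go wrong most often in this procedure are submitting the DNS verification before the TXT record is actually visible, and forgetting the three-month renewal. The following added shell example, not code from the original post, covers both: it parses nslookup output for the _acme-challenge TXT value so the check can be scripted against a live lookup, and it uses openssl x509 -checkend to tell whether a certificate file (or the one a server presents) expires within a given number of days, for a cron reminder. The sample nslookup text, the resolver address 203.0.113.53 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: two checks around the certificate step.
#  - txt_has_value / acme_txt_matches: confirm that the _acme-challenge TXT record the CA
#    asked for is visible in DNS before submitting the verification, by parsing nslookup
#    output (the parser is a separate function so it can run on captured text).
#  - cert_expires_within / served_cert_expires_within: tell whether a certificate file, or
#    the one a server presents, expires within N days, for a cron reminder to renew the
#    90-day Let's Encrypt certificate.

# parse_txt_records < nslookup_output : prints the value of each TXT answer line, which
# nslookup reports as:   name<TAB>text = "value"
parse_txt_records() {
    sed -n 's/.*text = "\(.*\)"[[:space:]]*$/\1/p'
}

# txt_has_value EXPECTED < nslookup_output : succeeds when one TXT value equals EXPECTED exactly
txt_has_value() {
    parse_txt_records | grep -qxF -- "$1"
}

# acme_txt_matches DOMAIN EXPECTED [RESOLVER] : live lookup of _acme-challenge.DOMAIN (needs network).
# Passing a public resolver checks what the CA will see rather than a locally cached answer.
acme_txt_matches() {
    nslookup -type=txt "_acme-challenge.$1" ${3:+"$3"} 2>/dev/null | txt_has_value "$2"
}

# cert_expires_within CERT_FILE DAYS : succeeds when the PEM certificate expires within DAYS days.
# `openssl x509 -checkend N` exits 0 only if the certificate is still valid N seconds from now.
cert_expires_within() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# served_cert_expires_within HOST PORT DAYS : same check on the certificate a server actually
# presents, e.g. served_cert_expires_within www.songxc.cn 4430 14 (needs network); exits 2
# when no certificate could be fetched.
served_cert_expires_within() {
    tmp=$(mktemp)
    if ! openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -outform PEM > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "could not fetch a certificate from $1:$2" >&2
        return 2
    fi
    cert_expires_within "$tmp" "$3"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed nslookup output in the shape the page's command produces (not a real answer)
SAMPLE_NS="$(printf 'Server:\t\t203.0.113.53\nAddress:\t203.0.113.53#53\n\nNon-authoritative answer:\n_acme-challenge.songxc.cn\ttext = "constructed-acme-token-123"\n\nAuthoritative answers can be found from:\n')"

if printf '%s\n' "$SAMPLE_NS" | txt_has_value "constructed-acme-token-123"; then
    echo "TXT record matches; safe to submit the DNS verification"
else
    echo "TXT record not visible yet; wait for DNS propagation before submitting"
fi
# Live use, once the record has been added at the DNS provider:
#   acme_txt_matches songxc.cn '<value shown by the CA>' && echo visible
# Renewal reminder (cron), 14 days before the 90-day certificate lapses:
#   cert_expires_within /usr/local/nginx/conf/ssl/fullchain.crt 14 && echo "renew now"
```

Running cert_expires_within from cron against the certificate file, or served_cert_expires_within against the public port, turns the "remember to renew" reminder into an alert that fires while there is still time to repeat the DNS verification.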