@apalevich
Created October 31, 2023 14:50
Web server on Ubuntu 20 from scratch: nginx, HTTPS, Brotli and HTTP/2 - fixed

Server

Connect to the server

ssh root@ip

Update the system

apt update -y

Change the root password

passwd

Install dependencies

apt install dpkg-dev build-essential gnupg2 git gcc cmake libpcre3 libpcre3-dev zlib1g zlib1g-dev openssl libssl-dev curl unzip libbrotli-dev -y

Add the nginx GPG key

curl -L https://nginx.org/keys/nginx_signing.key | apt-key add -

Add the nginx repositories

nano /etc/apt/sources.list.d/nginx.list
deb http://nginx.org/packages/ubuntu/ focal nginx
deb-src http://nginx.org/packages/ubuntu/ focal nginx

Refresh the package lists

apt update -y

Download the nginx sources

cd /usr/local/src
apt source nginx=1.20.0-1~focal

Install the build dependencies

apt build-dep nginx=1.20.0-1~focal -y

Download Brotli

git clone --recursive https://github.com/google/ngx_brotli.git

Update the build rules

cd /usr/local/src/nginx-*/
nano debian/rules

Find the blocks

  • config.env.nginx
  • config.env.nginx_debug

Add a new flag to each ./configure

--add-module=/usr/local/src/ngx_brotli

Compile and build nginx

dpkg-buildpackage -b -uc -us

Check the deb files

ls /usr/local/src/*.deb

Install nginx from the deb files

dpkg -i /usr/local/src/*.deb

Configure nginx

nano /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
}

include /etc/nginx/sites-enabled/*.stream;

http {

    # Basic

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_tokens off;
    ignore_invalid_headers on;

    # Decrease default timeouts to drop slow clients

    keepalive_timeout 40s;
    send_timeout 20s;
    client_header_timeout 20s;
    client_body_timeout 20s;
    reset_timedout_connection on;

    # Hash sizes

    server_names_hash_bucket_size 64;

    # Mime types

    default_type  application/octet-stream;
    include /etc/nginx/mime.types;

    # Logs

    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;

    # Limits

    limit_req_zone  $binary_remote_addr  zone=dos_attack:20m   rate=30r/m;

    # Gzip

    gzip on;
    gzip_disable "msie6";
    gzip_vary off;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_min_length 1000;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    # Brotli

    brotli on;
    brotli_comp_level 6;
    brotli_types
        text/xml
        image/svg+xml
        application/x-font-ttf
        image/vnd.microsoft.icon
        application/x-font-opentype
        application/json
        font/eot
        application/vnd.ms-fontobject
        application/javascript
        font/otf
        application/xml
        application/xhtml+xml
        text/javascript
        application/x-javascript
        text/$;

    # Virtual Hosts

    include /etc/nginx/sites-enabled/*;

    # Configs

    include /etc/nginx/conf.d/*.conf;
    include /usr/share/nginx/modules/*.conf;

}

Check the nginx config

nginx -t

Start nginx

systemctl start nginx
systemctl status nginx

Fix the PID error

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx

Check Brotli

curl -H 'Accept-Encoding: br' -I http://localhost
Content-Encoding: br

Install the firewall

apt install ufw

Add nginx

nano /etc/ufw/applications.d/nginx.ini
[Nginx HTTP]
title=Web Server
description=Enable NGINX HTTP traffic
ports=80/tcp

[Nginx HTTPS]
title=Web Server (HTTPS)
description=Enable NGINX HTTPS traffic
ports=443/tcp

[Nginx Full]
title=Web Server (HTTP,HTTPS)
description=Enable NGINX HTTP and HTTPS traffic
ports=80,443/tcp

Check the application list

ufw app list

Enable the firewall

ufw enable

Allow the services

ufw allow 'Nginx Full'
ufw allow 'OpenSSH'

Check the status

ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
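The Brotli check and the ufw status check above are done by eye; the script below, an added example that is not part of the original gist, turns them into functions that can be run against a live host (it assumes nginx and curl are on PATH) and also verifies that the ngx_brotli module from the debian/rules change actually ended up in the binary. The sample outputs at the bottom are constructed, not captured from a real server.

```shell
#!/bin/sh
# Post-install verification for the nginx + ngx_brotli build described above.
# Added example, not part of the original gist; assumes nginx and curl on PATH.

# has_brotli_module: succeed if `nginx -V` output (stdin) contains the
# --add-module flag that was added to each ./configure in debian/rules.
has_brotli_module() {
    grep -q -- '--add-module=/usr/local/src/ngx_brotli'
}

# is_brotli_encoded: succeed if HTTP response headers (stdin) announce
# Content-Encoding: br. Header names are case-insensitive and HTTP lines
# end in CRLF, so strip the CR before matching.
is_brotli_encoded() {
    tr -d '\r' | grep -qi '^content-encoding:[[:space:]]*br[[:space:]]*$'
}

# ufw_allows NAME: succeed if `ufw status` output (stdin) has an ALLOW rule
# for the named application profile (e.g. "Nginx Full", "OpenSSH").
ufw_allows() {
    awk -v name="$1" \
        '$0 ~ ("^" name "[[:space:]]+ALLOW[[:space:]]") { found = 1 }
         END { exit !found }'
}

# check_live: run all three checks against the real binary, the local
# server and the live firewall; prints the first failure and returns 1.
check_live() {
    nginx -V 2>&1 | has_brotli_module \
        || { echo "ngx_brotli is not compiled into nginx"; return 1; }
    curl -sS -H 'Accept-Encoding: br' -I http://localhost | is_brotli_encoded \
        || { echo "response is not Brotli-encoded"; return 1; }
    for app in 'Nginx Full' 'OpenSSH'; do
        ufw status | ufw_allows "$app" \
            || { echo "ufw has no ALLOW rule for $app"; return 1; }
    done
    echo "nginx build, Brotli and firewall checks passed"
}

# Constructed sample outputs for offline use of the helpers (not real captures)
SAMPLE_NGINX_V='nginx version: nginx/1.20.0
configure arguments: --prefix=/etc/nginx --with-http_v2_module --add-module=/usr/local/src/ngx_brotli'
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere'

# Run `sh verify.sh --live` on the host after the steps above to check it.
[ "${1:-}" = "--live" ] && check_live
```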