metowolf's (萨摩) docker-lemp compose stack supports TLS 1.3 + QUIC, so an A on SSL Labs comes easily.
First, install docker-ce and docker-compose. Note that get-docker.sh is saved to disk before it runs, so read it before handing it to sudo; the compose binary goes under /usr/local/bin, which needs root for the download as well as the chmod:

```shell
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
Next, pull metowolf's compose template:

```shell
git clone https://github.com/metowolf/docker-lemp.git && cd docker-lemp
```
Now we can adjust the compose configuration:

```shell
cp .env.example .env && cp docker-compose.example.yml docker-compose.yml
```

In .env you can change the versions of the various containers and the MySQL password; in docker-compose.yml you pick which containers you actually need. Do change the MySQL password away from the one shipped in .env.example, and keep .env out of version control, since it now holds a credential.
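Since .env.example ships with a placeholder MySQL password, here is an added helper, written for this page and not part of docker-lemp, that generates a random password and writes it into .env, replacing the existing line or appending one. The key name MYSQL_ROOT_PASSWORD is an assumption about the .env layout; check .env.example for the actual key.

```shell
#!/usr/bin/env bash
# Added example, not part of docker-lemp: replace the placeholder MySQL password
# in .env with a random one. MYSQL_ROOT_PASSWORD is an assumed key name; check
# .env.example for the actual one.

# Random password: N bytes from openssl, base64, minus /+= so it needs no quoting
# in .env or docker-compose.yml.
gen_password() {
  local nbytes="${1:-24}"
  openssl rand -base64 "$nbytes" | tr -d '/+=\n'
}

# Set KEY=VALUE in FILE: replace the existing line, or append if the key is absent.
# Rewrites via a temp file instead of sed -i so VALUE is never parsed as a sed
# expression; VALUE must not contain backslashes (awk -v interprets them).
set_env_var() {
  local file="$1" key="$2" value="$3"
  if grep -q "^${key}=" "$file"; then
    awk -v k="$key" -v v="$value" 'index($0, k "=") == 1 { $0 = k "=" v } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
  chmod 600 "$file"   # the file holds credentials; keep it owner-readable only
}

# Print KEY's value from FILE (first match, empty if absent).
get_env_var() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Usage: APPLY_TO_ENV=1 ./set-mysql-password.sh  (run inside the docker-lemp checkout)
if [ "${APPLY_TO_ENV:-}" = "1" ]; then
  set_env_var .env MYSQL_ROOT_PASSWORD "$(gen_password)"
  echo "MYSQL_ROOT_PASSWORD set; the password is in .env (do not commit .env)"
fi
```

The rewrite goes through awk and a temp file rather than sed -i so that a password containing sed metacharacters can never be misparsed, and the chmod keeps the file from being world-readable on the host.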
Here we go all the way and hook up nginx's brotli module right away.

First create nginx.conf (etc/nginx/nginx.conf):

```nginx
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

# load the brotli modules
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
```
Then create the brotli config (etc/nginx/config/brotli.conf):

```nginx
brotli on;
brotli_comp_level 6;
brotli_types application/x-httpd-php application/javascript application/x-javascript
             application/xml application/json text/plain text/javascript text/css text/xml
             image/jpeg image/gif image/png image/svg+xml;
```

Two caveats. jpeg/gif/png are already compressed, so listing them only burns CPU for no gain. And because brotli is applied to dynamic output (text/html is always compressed, and application/x-httpd-php is in the list), a page that echoes attacker-controlled input next to a secret such as a CSRF token leaks that secret through the compressed response length (the BREACH class of attacks); keep reflected input and secrets out of the same compressed response.
Then mount nginx.conf in docker-compose.yml and brotli is done:
--- docker-compose.yml +++ docker-compose.yml @@ -11,6 +11,7 @@ - php-fpm volumes: - ./log/nginx:/var/log/nginx:rw + - ./etc/nginx/nginx.conf:/etc/nginx/nginx.conf:rw - ./etc/nginx/config:/etc/nginx/conf.d:rw - ./etc/ssl:/etc/nginx/ssl:rw - ./wwwroot:/var/www:rw @@ -65,6 +66,8 @@
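Review bot: the new nginx.conf bind mount is `:rw`, which lets anything running inside the nginx container rewrite the server's own configuration on the host; a config file should be mounted read-only, i.e. `- ./etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro`, and the same applies to the adjacent `./etc/nginx/config` and `./etc/ssl` mounts, which hold the private key. The second hunk header `@@ -65,6 +66,8 @@` has no body on the page, so the two lines it adds cannot be reviewed here.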
With brotli sorted, on to the site config. Below is the nginx config Xiaolin's blog uses (the rewrite rules are WordPress's). The second add_header tells browsers to try Caddy on UDP port 443 for QUIC; Caddy comes up in a moment. One thing to be aware of: the .php location hands anything ending in .php to PHP-FPM without checking that the file exists, so it relies on PHP-FPM's default security.limit_extensions = .php to refuse requests like /uploads/x.jpg/y.php; if you loosen that setting, add try_files $uri =404 to that location (at the cost of PATH_INFO-style URLs).

```nginx
server {
    listen 443 ssl http2;
    server_name xiaolin.in;
    set $base /var/www/xiaolin.in;
    root $base;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # tell browsers QUIC is available on UDP 443 (served by Caddy, below)
    add_header alt-svc 'quic=":443"; ma=2592000; v="44,43,39"';

    # SSL
    ssl_certificate /etc/nginx/ssl/_.xiaolin.in.crt;
    ssl_certificate_key /etc/nginx/ssl/_.xiaolin.in.key;

    # index.php
    index index.php;

    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks don't break when using query strings
        try_files $uri $uri/ /index.php?$args;
    }

    # handle .php
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php-fpm:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }

    # the original had "(js|css)?$", whose "?" made the extension optional
    location ~ .*\.(js|css)$ {
        expires 7d;
        access_log off;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name xiaolin.in;
    return 301 https://xiaolin.in$request_uri;
}
```
To get QUIC we put Caddy on the UDP port in front of the site as a reverse proxy (etc/nginx/caddy/Caddyfile). insecure_skip_verify is there because Caddy connects to the hostname nginx while nginx presents a certificate for xiaolin.in, so verification would fail on the name; that is only acceptable because the hop never leaves the compose network.

```caddyfile
https://xiaolin.in {
    gzip
    tls /ssl/_.xiaolin.in.crt /ssl/_.xiaolin.in.key
    proxy / https://nginx {
        insecure_skip_verify
        transparent
        websocket
    }
}
```
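An added check script, not from the original post or from docker-lemp, for what the nginx site config and the Caddy front above are supposed to deliver: HSTS with a one-year max-age and includeSubDomains, the alt-svc QUIC hint, a brotli-encoded response, and the port-80 redirect to https. check_headers parses a raw HTTP response header block, so it runs here on a constructed sample rather than a real capture; check_site and check_redirect run curl against a live host. xiaolin.in appears only as the host from the configs above.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the nginx + Caddy setup above.
# Not code from the original post or from docker-lemp.

# Turn a raw header block into "name: value" lines with lower-case names,
# stripping CRs, so matching below is case-insensitive as HTTP requires.
normalize_headers() {
  tr -d '\r' | awk '
    /^[A-Za-z0-9-]+:/ {
      i = index($0, ":")
      name = tolower(substr($0, 1, i - 1))
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val)
      print name ": " val
    }'
}

# Print the max-age from Strict-Transport-Security, or nothing if absent.
hsts_max_age() {
  normalize_headers | sed -n 's/^strict-transport-security: .*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read a response header block on stdin; print one FAIL line per problem and
# return 0 only if every expectation from the configs above holds.
check_headers() {
  local hdrs rc=0 age
  hdrs=$(normalize_headers)
  age=$(printf '%s\n' "$hdrs" | hsts_max_age)
  if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
    echo "FAIL: HSTS missing or max-age below one year"; rc=1
  fi
  printf '%s\n' "$hdrs" | grep -qi '^strict-transport-security: .*includesubdomains' \
    || { echo "FAIL: HSTS lacks includeSubDomains"; rc=1; }
  printf '%s\n' "$hdrs" | grep -q '^alt-svc: .*quic=":443"' \
    || { echo "FAIL: no alt-svc quic=\":443\" hint, browsers will not try Caddy/QUIC"; rc=1; }
  printf '%s\n' "$hdrs" | grep -q '^content-encoding: br$' \
    || { echo "FAIL: response is not brotli-compressed"; rc=1; }
  return $rc
}

# $1 is curl's "%{http_code} %{redirect_url}" for http://HOST/, $2 is HOST:
# the port-80 server must answer 301 to the https:// version of the same host.
redirect_ok() {
  local line="$1" host="$2" code url
  code=${line%% *}
  url=${line#* }
  [ "$code" = "301" ] && [ "$url" = "https://$host/" ]
}

# Live checks (need network). GET rather than HEAD so the brotli filter runs.
check_site() {
  local host="$1"
  curl -sS -o /dev/null -D - -H 'Accept-Encoding: br' "https://$host/" | check_headers
}
check_redirect() {
  local host="$1"
  redirect_ok "$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host/")" "$host"
}

# Constructed sample of what the configs above should produce (not a real capture).
SAMPLE_HEADERS='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
alt-svc: quic=":443"; ma=2592000; v="44,43,39"
content-encoding: br
'

if [ -n "${1:-}" ]; then
  check_site "$1" && check_redirect "$1" && echo "OK: $1"
else
  printf '%s' "$SAMPLE_HEADERS" | check_headers && echo "OK: sample headers"
fi
```

Run it with no arguments to exercise the parser on the sample, or with a hostname (./check-site.sh xiaolin.in) to test the live deployment; it exits non-zero and prints a FAIL line for each header that does not match the configs.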
Finally, put your site's files under wwwroot/<your site name> and start the deployment with:

```shell
sudo docker-compose up -d
```

If nothing goes wrong, you will see the familiar page once everything is up.
Closing notes
For MySQL on a small VPS you may need to add swap, or you will get errors like InnoDB: mmap(137363456 bytes) failed; errno 12 (errno 12 is ENOMEM: InnoDB could not map its buffer pool). Lowering innodb_buffer_pool_size in the MySQL config is the other way out.
As for updates, metowolf himself says he is a 追新族 (always on the latest), so stale containers are not a worry. To update, run the first command, re-apply your changes, then run the second. Note that the cp lines overwrite your .env and docker-compose.yml with the fresh examples, so back them up or diff them first:

```shell
git pull && cp .env.example .env && cp docker-compose.example.yml docker-compose.yml
sudo docker-compose up -d --no-deps --build
```