Centos7: nginx reverse proxy for gitea and grafana & DingTalk alerts

Published: 2023-11-13 14:27:16
Tags: ssl gitea grafana Centos7 nginx usr server local proxy

1 Install nginx

yum install -y gcc make pcre-devel zlib-devel openssl-devel
wget https://nginx.org/download/nginx-1.20.1.tar.gz
tar -zxvf nginx-1.20.1.tar.gz
cd nginx-1.20.1
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
make install

vi /etc/systemd/system/nginx.service
=======================================================

[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

 

=======================================================

# Set permissions and ownership:
chmod 644 /etc/systemd/system/nginx.service
chown root:root /etc/systemd/system/nginx.service


2 Create the nginx configuration files that proxy gitea and grafana. The main nginx configuration file does not need to be changed; nginx will read these:

vi /etc/nginx/sites-available/gitea.conf
===================================================

server {
    listen 80;
    server_name gitea.sinsenliu.top;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name sinsenliu.top;
    access_log  /usr/local/nginx/logs/gitea_access.log;
    error_log   /usr/local/nginx/logs/gitea_error.log;
    ssl_certificate     /usr/local/keys/www.sinsenliu.top.pem;
    ssl_certificate_key /usr/local/keys/www.sinsenliu.top.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.168.238.10:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

  

===================================================


vi /etc/nginx/sites-available/grafana.conf
===================================================

server {
    listen 80;
    server_name granfana.sinsenliu.top;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name grafana.sinsenliu.top;
    access_log  /usr/local/nginx/logs/grafana_access.log;
    error_log   /usr/local/nginx/logs/grafana_error.log;
    ssl_certificate     /usr/local/keys/grafana.sinsenliu.top.pem;
    ssl_certificate_key /usr/local/keys/grafana.sinsenliu.top.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.238.11:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

===================================================

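/usr/local/nginx/sbin/nginx -t # check the nginx configuration file syntax

/usr/local/nginx/sbin/nginx -s reload # in production environments nginx is usually reloaded rather than restarted

Visit each of these in a browser:
gitea.sinsenliu.top
granfana.sinsenliu.top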
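
A lint for the configuration files from section 2, as an added example that is not part of the original post. It flags ssl_protocols directives that still enable TLSv1 or TLSv1.1 (deprecated by RFC 8996) and port-80 blocks whose https://$server_name redirect points at a name no "listen 443" block declares. The function names and the sample file are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post.

# Print "file:line: versions" for each ssl_protocols directive that enables a
# protocol version deprecated by RFC 8996 (TLSv1, TLSv1.1) or older.
legacy_tls() {
    awk '{ line = $0; sub(/#.*/, "", line) }
         line ~ /^[ \t]*ssl_protocols[ \t]/ {
             bad = ""; n = split(line, tok, /[ \t;]+/)
             for (i = 1; i <= n; i++)
                 if (tok[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                     bad = bad (bad == "" ? "" : ",") tok[i]
             if (bad != "") print FILENAME ":" FNR ": " bad
         }' "$@"
}

# Print "file: name" for each port-80 server block that redirects to
# https://$server_name when no "listen 443" block declares that name.
# Assumes the layout used on this page: a server block closes with "}" in column 0.
unmatched_redirects() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*server[ \t]*[{]/   { port = 0; name = ""; redir = 0 }
         /^[ \t]*listen[ \t]/       { port = $2 + 0 }
         /^[ \t]*server_name[ \t]/  { name = $2; sub(/;$/, "", name) }
         /return[ \t]+301[ \t]+https:\/\/\$server_name/ { redir = 1 }
         /^[}]/ { if (port == 443) tls[name] = 1;
                  else if (port == 80 && redir) want[name] = FILENAME;
                  port = 0 }
         END { for (n in want) if (!(n in tls)) print want[n] ": " n }' "$@" | sort
}

# Constructed sample: the directives from section 2, reduced to the relevant lines.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
server {
    listen 80;
    server_name gitea.sinsenliu.top;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name sinsenliu.top;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
legacy_tls "$SAMPLE"
unmatched_redirects "$SAMPLE"
```

Both functions accept any number of files, so they can be run over every .conf file before nginx -t and reload.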

 


3 Monitor the expiry time of the HTTPS certificates above and send an alert to DingTalk when fewer than 10 days remain:
vi /usr/local/scripts/certcheck.sh

#!/bin/bash

# Path to the certificate file
CERT_FILE="/usr/local/keys/www.sinsenliu.top.pem"

# Domain name
DOMAIN="sinsenliu.top"

# DingTalk robot webhook
WEBHOOK_URL="https://oapi.dingtalk.com/robot/send?access_token=d5cf34808fecf21f2906fa1ef9b28b07cddda6ca4e20b6c858ea3d05eb394446"

# Get the certificate's expiry date (the notAfter string printed by openssl)
expiry_date=$(openssl x509 -noout -enddate -in "$CERT_FILE" | cut -d= -f 2)

# Print the certificate's expiry date
echo "Certificate for $DOMAIN expires on: $expiry_date"

# Convert the expiry date to a timestamp
expiry_timestamp=$(date -d "$expiry_date" +%s)

# Get the current time (in seconds)
current_timestamp=$(date +%s)

# Compute the difference between the expiry time and the current time (in days)
days_until_expiry=$(( (expiry_timestamp - current_timestamp) / 86400 ))

# If fewer than 400 days remain, trigger the DingTalk alert
if [ "$days_until_expiry" -lt 400 ]; then
  # Send the DingTalk alert; the message contains the keyword "OMG"
  message="{\"msgtype\": \"text\",\"text\": {\"content\": \"域名 $DOMAIN 的证书 $CERT_FILE 到期时间小于 400 天,剩余天数:$days_until_expiry OMG\"}}"
  curl -H "Content-Type: application/json" -d "$message" "$WEBHOOK_URL"
fi

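# Make the script executable:
chmod +x /usr/local/scripts/certcheck.sh

# Create the scheduled task
crontab -e # with the following content:

0 10 * * * /bin/bash /usr/local/scripts/certcheck.sh # run the script every day at 10:00 AM

# Result: (the threshold is set to 400 days so that the alert fires as soon as the script is run)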
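
The check from section 3 extended to several certificate files, as an added example (not the original author's script). It uses the same openssl and date calls, reports an unreadable or already expired certificate explicitly instead of computing a misleading day count, and reads the webhook URL from the environment. The function names, the WEBHOOK_URL and THRESHOLD_DAYS variables and the file name certcheck_all.sh are assumptions; GNU date is assumed, as on CentOS 7.

```bash
#!/bin/bash
# Added example, not the original author's script. Assumes GNU date (CentOS 7).

# Print the notAfter date of a PEM file; empty if missing or not a certificate.
not_after_of() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | cut -d= -f2
}

# Classify a notAfter string against a threshold in days; prints "STATUS DAYS".
# An empty string is rejected explicitly: `date -d ""` succeeds and returns
# today's midnight, which would look like a certificate with 0 days left.
cert_status() (
    not_after=$1 threshold=$2 now=$3
    [ -n "$not_after" ] || { echo "UNREADABLE -"; exit 0; }
    expiry=$(date -d "$not_after" +%s 2>/dev/null) || expiry=""
    [ -n "$expiry" ] || { echo "UNREADABLE -"; exit 0; }
    days=$(( ($expiry - $now) / 86400 ))
    if   [ "$expiry" -le "$now" ];     then echo "EXPIRED $days"
    elif [ "$days" -lt "$threshold" ]; then echo "EXPIRING $days"
    else                                    echo "OK $days"
    fi
)

# Print "STATUS DAYS FILE" per certificate; exit status 1 if any is not OK.
scan_certs() (
    threshold=$1 now=$2; shift 2
    rc=0
    for f in "$@"; do
        status=$(cert_status "$(not_after_of "$f")" "$threshold" "$now")
        echo "$status $f"
        case $status in OK\ *) ;; *) rc=1 ;; esac
    done
    exit "$rc"
)

# DingTalk text payload; "OMG" is the robot keyword used on this page.
dingtalk_payload() (
    text=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"msgtype":"text","text":{"content":"%s OMG"}}' "$text"
)

# Usage: WEBHOOK_URL=... THRESHOLD_DAYS=10 ./certcheck_all.sh a.pem b.pem
if [ "$#" -gt 0 ]; then
    : "${WEBHOOK_URL:?set WEBHOOK_URL in the environment}"
    scan_certs "${THRESHOLD_DAYS:-10}" "$(date +%s)" "$@" | while read -r st days file; do
        [ "$st" = OK ] && continue
        curl -sS -H "Content-Type: application/json" \
             -d "$(dingtalk_payload "cert $file: $st, days left: $days")" "$WEBHOOK_URL"
    done
fi
```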

 

From: https://www.cnblogs.com/sinsenliu/p/17828970.html
