centos7搭建个人的git pages

Git Pages是结合git服务操作的web网页托管平台。通过git提交再结合git hook脚本就能很好的将提交的文件上传到web服务虚拟目录里。但是Github、Netlify、Coding等已经提供了免费git pages服务，为什么还要自己在vps上折腾搭建git pages呢？因为这些服务商提供的git pages是有限制的，比如空间容量相对较小、对动态网页支持不完善或者没有、访问速度较慢等。那么自建的git pages的优势就显现出来了。下面就介绍怎么一步步搭建该服务。

¶1、安装Git

$ yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
$ yum install git

接下来我们 创建一个git用户组和用户，用来运行git服务：

$ groupadd git
$ useradd git -g git

¶2、创建ssh证书登录

收集所有需要登录的用户的公钥，公钥位于id_rsa.pub文件中，把我们的公钥导入到/home/git/.ssh/authorized_keys文件里，一行一个。

如果没有该文件创建它：

$ mkdir -p  /home/git/.ssh
$ chmod 755  /home/git/.ssh
$ touch /home/git/.ssh/authorized_keys
$ chmod 644  /home/git/.ssh/authorized_keys

客户机

#copy客户端的秘钥到vps的/home/git/.ssh/authorized_keys
$ cat ~/.ssh/id_rsa.pub

¶3、搭建git仓库

$ mkdir -p /data/git
$ chown git:git /data/git
$ chgrp -R 755 /data/git
$ cd /data/git
$ git init --bare blog.git
$ chown -R git:git blog.git
$ vim /data/git/blog.git/hooks/post-receive

#!/bin/bash
git --work-tree=/data/blog --git-dir=/data/git/blog.git checkout -f

$ chmod +x /data/git/blog.git/hooks/post-receive

¶4、搭建web服务

需要安装好nginx，可以参考我的另一篇文章《nginx学习笔记》。

$ mkdir -p /data/blog
$ chmod -R 777 /data/blog/
$ vim /etc/nginx/conf.d/blog.conf

server {
        listen  80;
        server_name     qcmoke.top; #填写个人域名
        location        / {
                root    /data/blog; #配置web根目录
                index   index.html;
        }
}

$ nginx -s reload

¶5、配置https服务

#下载certbot-auto
$ wget https://dl.eff.org/certbot-auto
#给予certbot-auto可执行权限
$ chmod a+x ./certbot-auto

交互式的配置过程

#### 这里给qcmoke.top和*.qcmoke.top都设置ssl证书，让qcmoke.top以及其所有子域名都能使用同一个证书，注意域名改为自己的域名
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.qcmoke.top" -d "qcmoke.top" --manual --preferred-challenges dns-01 certonly
 
####  出现如下 输入邮箱
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 
####  输入A同意
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 
####  输入Y同意
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 
####  输入Y确认
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 
####  域名添加TXT解析  添加对应的域名和值 添加好后回车继续
# dns域名解析添加txt记录：如下主机记录为_acme-challenge 记录值为apQPzp-xxxxxxxxxx_BlOSOJTYAo
Please deploy a DNS TXT record under the name
_acme-challenge.qcmoke.top with the following value:
apQPzp-xxxxxxxxxx_BlOSOJTYAo
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
####  出现如下即成功
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qcmoke.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qcmoke.top/privkey.pem
   Your cert will expire on 2018-12-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

配置PFS秘钥（可选）

生成Perfect Forward Security（PFS）键值，这步其实不做也可以。

$ mkdir /etc/ssl/private/ -p
$ cd /etc/ssl/private/
$ openssl dhparam 2048 -out dhparam.pem

配置nginx web服务

$ vim /etc/nginx/conf.d/blog.conf

需求：http://qcmoke.top、http://www.qcmoke.top、https://qcmoke.top都重定向到https://www.qcmoke.top，并且图片都能压缩传输。

server {
        server_name www.qcmoke.top;
        listen 80;
        #rewrite ^ https://$server_name$request_uri? permanent;
        #rewrite ^(.*)$ https://$server_name$1 permanent;
        return 301 https://$server_name$request_uri;
}
server {
        server_name qcmoke.top;
        listen 80;
        listen 443 ssl;
	
        #如果qcmoke.top和www.qcmoke.top是同一个通配符证书，那么配相同的证书即可，否则此处用qcmoke.top自个对应的证书
        #ssl_certificate        /etc/letsencrypt/live/qcmoke.top/fullchain.pem;
        #ssl_certificate_key    /etc/letsencrypt/live/qcmoke.top/privkey.pem;
        ssl_certificate	/etc/letsencrypt/live/qcmoke.top/fullchain.pem;
        ssl_certificate_key	/etc/letsencrypt/live/qcmoke.top/privkey.pem;
        rewrite ^(.*)$ https://www.$server_name$1 permanent;
}


server {
        listen 443 ssl;
        server_name www.qcmoke.top;
        charset utf-8;
        root /data/blog;
        index index.html index.htm;


	location ~ .*\.(jpg|png|gif)$ {
                # root	/data/blog/images;
                #传输压缩，压缩本身比较耗费服务端性能，但给带宽带来更好的传输。恰当的使用会增强资源的访问效率。
                gzip	on;
                gzip_http_version	1.1;
                gzip_comp_level	2;
                #压缩的文件类型，一般按需选择，但这里为了未来方便添加文件类型多选一些。具体配置参考文件/etc/nginx/mime.types
                gzip_types gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpeg image/gif image/png;
                #设置静态资源文件在客户端的缓存时间，除非客户清楚缓存或者关闭缓存或者强制访问才会再访问。
                expires 5h;
        }

        #access_log  /var/log/nginx/demo.mydomain.com_access.log;
        #error_log  /var/log/nginx/demo.mydomain.com_error.log;

        # letsencrypt生成的文件
        #ssl_certificate        /etc/letsencrypt/live/www.qcmoke.top/fullchain.pem;
        #ssl_certificate_key     /etc/letsencrypt/live/www.qcmoke.top/privkey.pem;
        ssl_certificate        /etc/letsencrypt/live/qcmoke.top/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/qcmoke.top/privkey.pem;	

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets on;

        # Perfect Forward Security路径，如果上面没有生成PFS，这一行 可以不用
        ssl_dhparam /etc/ssl/private/dhparam.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # 一般推荐使用的ssl_ciphers值: https://wiki.mozilla.org/Security/Server_Side_TLS
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
        ssl_prefer_server_ciphers on;

}

重载配置

$ nginx -s reload

¶6、测试

客户机

$ git clone git@qcmoke.top:/data/git/blog.git
$ cd blog/
$ echo "<h1>Qcmoke Bolg</h1>" >> index.html
$ git add . 
$ git commit -m "init my blog"
$ git push -u origin master

之后浏览器访问http://qcmoke.top就能访问到push到服务器的index.html页面了。