Setting up personal git pages on CentOS 7

Git Pages is a web page hosting platform driven by a git service. A git push combined with a git hook script is enough to place the committed files into the web server's document root. GitHub, Netlify, Coding and others already offer free git pages, so why go to the trouble of building your own on a VPS? Because the hosted offerings come with limits: comparatively small storage, incomplete or no support for dynamic pages, slow access, and so on. That is where a self-hosted git pages setup shows its advantages. The steps below walk through building the service.

1. Install Git

yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
yum install git

Next, create a git group and a git user to run the git service:

# create the git group and the git user
groupadd git
useradd git -g git

# change the git user's login shell to git-shell so that its activity is limited to
# git operations; this stops the git user from logging into the system over ssh
vim /etc/passwd
git:x:1000:1000::/home/git:/usr/bin/git-shell

2. Configure SSH key login

Collect the public keys of every user who needs to log in; each user's public key is in their id_rsa.pub file. Add the public keys to /home/git/.ssh/authorized_keys on the server, one per line.

If the file does not exist yet, create it:

# sshd refuses keys in a directory or file that is writable by others;
# 755/644 satisfy that (700/600 is the tighter convention)
mkdir -p /home/git/.ssh
chmod 755 /home/git/.ssh
touch /home/git/.ssh/authorized_keys
chmod 644 /home/git/.ssh/authorized_keys
chown -R git:git /home/git

On the client machine

# copy the client's public key into /home/git/.ssh/authorized_keys on the VPS
cat ~/.ssh/id_rsa.pub
# check that the ssh key is set up correctly
ssh -T git@<server-ip>
# because the login shell is git-shell, a working key is answered with
# "fatal: Interactive git shell is not enabled." and a disconnect; that is the success case
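An added example (not from the original post) of installing a client's public key for the git user with the SSH options that confine it to git transport only, which complements the git-shell restriction above; the authorized_keys path is the post's, the function names are assumed:

```shell
#!/bin/bash
# Added example: install a public key for the git user with SSH options that
# forbid port/agent/X11 forwarding and pty allocation, so the key is only good
# for git transport even if git-shell were ever swapped back for a real shell.
AUTH_KEYS=${AUTH_KEYS:-/home/git/.ssh/authorized_keys}   # path used in the post
RESTRICTIONS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# Accept only a single OpenSSH public-key line: key type, base64 blob, optional comment.
# A line that already starts with options (command=..., etc.) is rejected.
is_pubkey_line() {
  case "$1" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-"*) ;;
    *) return 1 ;;
  esac
  set -- $1                      # split into fields (unquoted on purpose)
  [ "$#" -eq 2 ] || [ "$#" -eq 3 ]
}

# Print the authorized_keys line with the restrictions prepended.
restrict_key() {
  is_pubkey_line "$1" || return 1
  printf '%s %s\n' "$RESTRICTIONS" "$1"
}

# Append the restricted line unless it is already present (safe to re-run).
add_key() {
  line=$(restrict_key "$1") || { echo "rejected: not a public key line" >&2; return 1; }
  grep -qxF -- "$line" "$AUTH_KEYS" 2>/dev/null && return 0
  printf '%s\n' "$line" >> "$AUTH_KEYS"
}

# Usage on the VPS, with the content of the client's id_rsa.pub:
#   add_key "$(cat client_id_rsa.pub)"
```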

3. Set up the git repository

mkdir -p /opt/blog/git
git init --bare /opt/blog/git/blog.git
vim /opt/blog/git/blog.git/hooks/post-receive

#!/bin/bash
# after every push, check the pushed tree out into the web root that nginx serves
git --work-tree=/opt/blog/web --git-dir=/opt/blog/git/blog.git checkout -f

chown -R git:git /opt/blog/git && chgrp -R git /opt/blog/git && chmod -R 755 /opt/blog/git
chmod +x /opt/blog/git/blog.git/hooks/post-receive

mkdir -p /opt/blog/web
# the hook runs as the git user, so the web root must be writable by git;
# chown git:git plus 755 gives that without making the directory world-writable
chmod -R 777 /opt/blog/web
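The post-receive hook above checks out HEAD on every push, so pushing any scratch branch also overwrites the live site. An added example (not the post's hook) that deploys only when master is updated; the paths are the post's, the function names are assumed:

```shell
#!/bin/bash
# Added example: post-receive hook that deploys only the master branch.
WORK_TREE=/opt/blog/web              # paths from the post
REPO_DIR=/opt/blog/git/blog.git
DEPLOY_BRANCH=master
DEPLOY_REF="refs/heads/$DEPLOY_BRANCH"

# 0 when the ref name is the branch we publish, 1 otherwise.
should_deploy() {
  [ "$1" = "$DEPLOY_REF" ]
}

# Read the "oldrev newrev refname" lines git writes to the hook's stdin and
# print only the ref names that should trigger a deploy (tags and other
# branches are ignored).
deploy_refs() {
  while read -r _oldrev _newrev refname; do
    if should_deploy "$refname"; then
      printf '%s\n' "$refname"
    fi
  done
  return 0
}

# Check the published branch out into the web root (force, to drop stale files).
deploy() {
  git --work-tree="$WORK_TREE" --git-dir="$REPO_DIR" checkout -f "$DEPLOY_BRANCH"
}

# git sets GIT_DIR when it runs a hook; only then consume stdin and deploy.
if [ -n "${GIT_DIR:-}" ]; then
  for ref in $(deploy_refs); do
    echo "post-receive: deploying $ref to $WORK_TREE"
    deploy
  done
fi
```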

4. Set up the web service

nginx needs to be installed first; see my other article 《nginx学习笔记》 (nginx study notes).

Here nginx was already built from source and installed into /opt/nginx, so all that remains is to configure it.

vim /opt/nginx/conf/conf.d/blog.conf

server {
    listen 80;
    server_name qcmoke.site; # your own domain
    location / {
        # web root: the work tree the post-receive hook checks out into
        # (the original listing had /data/blog here, which the hook never writes to)
        root /opt/blog/web;
        index index.html;
    }
}

# start nginx (if it is not running yet)
/opt/nginx/sbin/nginx
# reload the nginx configuration
/opt/nginx/sbin/nginx -s reload

5. Configure HTTPS

Here a free SSL certificate from Let's Encrypt is used. Issuing it takes a few steps, but it supports wildcard domains and costs nothing, so why not? You can of course use another free CA certificate, for example Alibaba Cloud's free certificates; how to obtain those is not covered here, see the Alibaba Cloud site if interested.

The Let's Encrypt certificate can be obtained with the certbot automation tool.

yum -y install epel-release
yum install certbot

The interactive process:

#### Here certificates are issued for both qcmoke.site and www.qcmoke.site (in my testing, only a single-domain certificate could later be renewed with certbot renew; otherwise a new certificate has to be requested)
certbot --server https://acme-v02.api.letsencrypt.org/directory -d "www.qcmoke.site" -d "qcmoke.site" --manual --preferred-challenges dns-01 certonly
# a wildcard certificate can be requested like this:
# it covers qcmoke.site and *.qcmoke.site, so the domain and all its subdomains share one certificate
#certbot --server https://acme-v02.api.letsencrypt.org/directory -d "*.qcmoke.site" -d "qcmoke.site" --manual --preferred-challenges dns-01 certonly

#### When the following appears, enter your email address; it is used for urgent renewal and security notices
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): qcmoke@gmail.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.qcmoke.site and qcmoke.site
Performing the following challenges:
dns-01 challenge for qcmoke.site
dns-01 challenge for www.qcmoke.site


#### When the following appears, add a TXT record in your DNS and press Enter once it is in place (with several domains you are asked for several TXT records, e.g. _acme-challenge.qcmoke.site and _acme-challenge.www.qcmoke.site); just follow the prompts.
# In another window, run dig -t txt _acme-challenge.qcmoke.site to check that the TXT record resolves, since propagation usually takes a short while. (If dig is missing, install it with yum -y install bind-utils.)

# add TXT record, host: _acme-challenge.qcmoke.site  value: DYmZf1ItQNOrG9J83k6FNxzCxic0UjnsChJnE_KkjrI
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qcmoke.site with the following value:

DYmZf1ItQNOrG9J83k6FNxzCxic0UjnsChJnE_KkjrI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue


# add TXT record, host: _acme-challenge.www.qcmoke.site  value: KI3BRnhU64snmReZupg7U1f8-DIMg_uc4KnDVmqGnHI
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.www.qcmoke.site with the following value:

KI3BRnhU64snmReZupg7U1f8-DIMg_uc4KnDVmqGnHI

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: qcmoke@gmail.com).
Starting new HTTPS connection (1): supporters.eff.org

#### The following output means the certificate was issued
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.qcmoke.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.qcmoke.site/privkey.pem
Your certificate will expire on 2022-11-23. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
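The transcript above says to verify the TXT record with dig before pressing Enter. An added example (not from the original post) that polls DNS until the challenge value certbot printed is actually visible; it assumes dig from bind-utils, as installed above, and the function names are mine:

```shell
#!/bin/bash
# Added example: wait for the _acme-challenge TXT record to become visible,
# then press Enter in certbot instead of guessing when propagation is done.

# Print the TXT values currently published for a name, one per line, quotes stripped.
lookup_txt() {
  dig +short -t txt "$1" | tr -d '"'
}

# 0 if the expected challenge value is among the published TXT records
# (several records under the same name are allowed, as certbot's prompt notes).
txt_present() {
  lookup_txt "$1" | grep -qxF -- "$2"
}

# Poll every INTERVAL seconds for at most ATTEMPTS tries (defaults: 10 s, 30 tries).
wait_for_txt() {
  name=$1; expected=$2; interval=${3:-10}; attempts=${4:-30}; i=0
  while [ "$i" -lt "$attempts" ]; do
    if txt_present "$name" "$expected"; then
      echo "$name publishes the expected value after $i retries"
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  echo "gave up: $name does not publish $expected" >&2
  return 1
}

# Usage, with the name and value from the certbot prompt above:
#   wait_for_txt _acme-challenge.qcmoke.site DYmZf1ItQNOrG9J83k6FNxzCxic0UjnsChJnE_KkjrI
```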

Configure the nginx web service

vim /opt/nginx/conf/conf.d/blog.conf

Requirement: http://qcmoke.site, http://www.qcmoke.site and https://qcmoke.site all redirect to https://www.qcmoke.site, and images are transferred compressed.

server {
    server_name www.qcmoke.site;
    listen 80;
    #rewrite ^ https://$server_name$request_uri? permanent;
    #rewrite ^(.*)$ https://$server_name$1 permanent;
    return 301 https://$server_name$request_uri;
}
server {
    server_name qcmoke.site;
    listen 80;
    listen 443 ssl;

    # if qcmoke.site and www.qcmoke.site share one wildcard certificate, use the same certificate here;
    # otherwise use the certificate issued for qcmoke.site itself
    ssl_certificate /etc/letsencrypt/live/www.qcmoke.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.qcmoke.site/privkey.pem;
    rewrite ^(.*)$ https://www.$server_name$1 permanent;
}


server {
    listen 443 ssl;
    server_name www.qcmoke.site;
    charset utf-8;
    root /opt/blog/web;
    index index.html index.htm;


    location ~ .*\.(jpg|png|gif)$ {
        # root /opt/blog/web/images;
        # transfer compression: compressing costs server CPU but saves bandwidth; used appropriately it speeds up access to resources
        # (jpg/png/gif are already compressed formats, so gzip gains little for them)
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        # types to compress; normally chosen as needed, but a generous list is used here so more types can be added later. See /etc/nginx/mime.types
        # (the original listing repeated the directive name as the first value, which nginx would have treated as a MIME type)
        gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        # client-side cache time for static resources; the client only fetches again after clearing or disabling its cache, or on a forced refresh
        expires 5h;
    }

    #access_log /var/log/nginx/demo.mydomain.com_access.log;
    #error_log /var/log/nginx/demo.mydomain.com_error.log;

    # files generated by letsencrypt
    ssl_certificate /etc/letsencrypt/live/www.qcmoke.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.qcmoke.site/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); on a current nginx/OpenSSL, "TLSv1.2 TLSv1.3" is the safer setting
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # commonly recommended ssl_ciphers values: https://wiki.mozilla.org/Security/Server_Side_TLS
    # (this list still allows legacy CBC and 3DES suites; the Mozilla page above keeps current lists)
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

}

Reload the configuration

/opt/nginx/sbin/nginx -s reload

6. Test

On the client machine

git clone git@qcmoke.site:/opt/blog/git/blog.git
cd blog/
echo "<h1>Qcmoke Blog</h1>" >> index.html
git add .
git commit -m "init my blog"
git push -u origin master

After that, opening http://qcmoke.site in a browser shows the index.html that was just pushed to the server.

7. SSL renewal

By default Let's Encrypt certificates are valid for only three months. When half a month of validity remains, Let's Encrypt sends you an email reminding you to renew. You can also check the remaining validity of the certificate with the following command:

certbot certificates

Manual renewal

certbot renew -v

If you use a wildcard domain, unfortunately certbot renew cannot be used for a quick renewal. Simply request the certificate again with the following command:

certbot --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.qcmoke.site" -d "qcmoke.site" \
--manual --preferred-challenges dns-01 certonly

The process is much the same as the first issuance above; restart nginx once it completes.

Automatic renewal

If the certificate is not a wildcard one, automatic renewal can be done with a Linux cron job.

sudo crontab -e

Add at the end:

# nginx in this post lives under /opt/nginx, which cron's PATH may not include, so the full path
# /opt/nginx/sbin/nginx is the safer value for the hook; newer certbot calls this option --deploy-hook
0 3 1 * * certbot renew --renew-hook "sudo nginx -s reload"

Use sudo crontab -l to check that the job you just added is present.

Wildcard domains are more troublesome, because the TXT record has to be added to DNS by hand; the process is tedious and is not covered here.

8. Automatic renewal of wildcard certificates

Automatic renewal of a wildcard certificate can also be done by calling the DNS provider's API. It is more work, but there is always a way:

https://zhuanlan.zhihu.com/p/354241539

https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au

9. Troubleshooting

(1) If you use certbot-auto and it hangs at "Installing Python packages…":

vim /data/ssl/certbot-auto
# replace the following line
#DEFAULT_INDEX_BASE = 'https://pypi.python.org'
DEFAULT_INDEX_BASE = 'https://mirrors.aliyun.com/pypi'

(2) Fixing "Couldn't download https://raw.githubusercontent.com"

Method 1:

Add --no-self-upgrade to the command so it runs without self-updating.

Method 2:

cat >> /etc/hosts <<-EOF
199.232.4.133 raw.githubusercontent.com
EOF

(3) The error An unexpected error occurred: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

Too many failed attempts get you rate-limited for a while. To lift the limit, delete everything under /etc/letsencrypt/accounts, after which you can request again.

rm -rf /etc/letsencrypt/accounts/*
