centos7搭建个人的git pages

发表于 | 更新于: | 分类于 | | 阅读次数:
字数统计: 2.5k | 阅读时长 ≈ 12

Git Pages是结合git服务操作的web网页托管平台。通过git提交再结合git hook脚本就能很好的将提交的文件上传到web服务虚拟目录里。但是Github、Netlify、Coding等已经提供了免费git pages服务,为什么还要自己在vps上折腾搭建git pages呢?因为这些服务商提供的git pages是有限制的,比如空间容量相对较小、对动态网页支持不完善或者没有、访问速度较慢等。那么自建的git pages的优势就显现出来了。下面就介绍怎么一步步搭建该服务。

1、安装Git

1
2
$ yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
$ yum install git

接下来我们 创建一个git用户组和用户,用来运行git服务:

1
2
$ groupadd git
$ useradd git -g git

2、创建ssh证书登录

收集所有需要登录的用户的公钥,公钥位于id_rsa.pub文件中,把我们的公钥导入到/home/git/.ssh/authorized_keys文件里,一行一个。

如果没有该文件创建它:

1
2
3
4
$ mkdir -p  /home/git/.ssh
$ chmod 755  /home/git/.ssh
$ touch /home/git/.ssh/authorized_keys
$ chmod 644  /home/git/.ssh/authorized_keys

客户机

1
2
#copy客户端的秘钥到vps的/home/git/.ssh/authorized_keys
$ cat ~/.ssh/id_rsa.pub

3、搭建git仓库

1
2
3
4
5
6
7
$ mkdir -p /data/git
$ chown git:git /data/git
$ chgrp -R 755 /data/git
$ cd /data/git
$ git init --bare blog.git
$ chown -R git:git blog.git
$ vim /data/git/blog.git/hooks/post-receive
1
2
#!/bin/bash
git --work-tree=/data/blog --git-dir=/data/git/blog.git checkout -f
1
$ chmod +x /data/git/blog.git/hooks/post-receive

4、搭建web服务

需要安装好nginx,可以参考我的另一篇文章《nginx学习笔记》

安装好nginx后配置nginx web服务。

1
2
3
$ mkdir -p /data/blog
$ chmod -R 777 /data/blog/
$ vim /etc/nginx/conf.d/blog.conf
1
2
3
4
5
6
7
8
server {
        listen  80;
        server_name     qcmoke.site; #填写个人域名
        location        / {
                root    /data/blog; #配置web根目录
                index   index.html;
        }
}
1
2
3
4
5
6
#启动nginx(如果没有启动的话)
$ nginx
#将nginx加入开机启动项
$ systemctl enable nginx.service
#重新加载nginx配置文件
$ nginx -s reload

5、配置https服务

这里使用letsencrypt得到免费的ssl ca证书,生成证书的步骤虽然点麻烦,但是支持通配符而且又免费,何乐而不为呢?当然你可以使用其他免费的ssl ca证书,比如阿里云的免费证书,这里就不介绍阿里云是怎样得到证书的了,有兴趣可以去阿里云官网查看。

需要获取letsencrypt证书,可以下载certbot-auto自动化工具并通过工具得到证书。

1
2
3
4
#下载certbot-auto
$ wget https://dl.eff.org/certbot-auto
#给予certbot-auto可执行权限
$ chmod a+x ./certbot-auto

交互式的配置过程

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

#### 这里给qcmoke.site和*.qcmoke.site都设置ssl证书,让qcmoke.site以及其所有子域名都能使用同一个证书,注意域名改为自己的域名
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.qcmoke.site" -d "qcmoke.site" --manual --preferred-challenges dns-01 certonly
 
####  出现如下,输入个人的邮箱,用于紧急续签和安全通知
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 

####  出现如下,输入A同意
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

####  出现如下,输入Y同意
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

####  出现如下,输入Y确认
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

####  出现如下,域名添加TXT解析  添加对应的域名和值 添加好后回车继续
# dns域名解析添加txt记录:如下主机记录为_acme-challenge 记录值为apQPzp-xxxxxxxxxx_BlOSOJTYAo
#可以通过打开另外一个窗口执行命令dig -t txt _acme-challenge.qcmoke.site来校验txt记录是否成功解析,因为解析一般需要一小段时间。(如果dig命令不存在,可以通过命令yum -y install bind-utils安装)
Please deploy a DNS TXT record under the name
_acme-challenge.qcmoke.site with the following value:
apQPzp-xxxxxxxxxx_BlOSOJTYAo
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

####  出现如下即成功
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qcmoke.site/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qcmoke.site/privkey.pem
   Your cert will expire on 2018-12-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

配置PFS秘钥(可选)

生成Perfect Forward Security(PFS)键值,这步其实不做也可以。

1
2
3
$ mkdir /etc/ssl/private/ -p
$ cd /etc/ssl/private/
$ openssl dhparam 2048 -out dhparam.pem

配置nginx web服务

1
$ vim /etc/nginx/conf.d/blog.conf

需求:http://qcmoke.sitehttp://www.qcmoke.sitehttps://qcmoke.site都重定向到https://www.qcmoke.site,并且图片都能压缩传输。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
server {
        server_name www.qcmoke.site;
        listen 80;
        #rewrite ^ https://$server_name$request_uri? permanent;
        #rewrite ^(.*)$ https://$server_name$1 permanent;
        return 301 https://$server_name$request_uri;
}
server {
        server_name qcmoke.site;
        listen 80;
        listen 443 ssl;
	
        #如果qcmoke.site和www.qcmoke.site是同一个通配符证书,那么配相同的证书即可,否则此处用qcmoke.site自个对应的证书
        #ssl_certificate        /etc/letsencrypt/live/qcmoke.site/fullchain.pem;
        #ssl_certificate_key    /etc/letsencrypt/live/qcmoke.site/privkey.pem;
        ssl_certificate	/etc/letsencrypt/live/qcmoke.site/fullchain.pem;
        ssl_certificate_key	/etc/letsencrypt/live/qcmoke.site/privkey.pem;
        rewrite ^(.*)$ https://www.$server_name$1 permanent;
}


server {
        listen 443 ssl;
        server_name www.qcmoke.site;
        charset utf-8;
        root /data/blog;
        index index.html index.htm;


	location ~ .*\.(jpg|png|gif)$ {
                # root	/data/blog/images;
                #传输压缩,压缩本身比较耗费服务端性能,但给带宽带来更好的传输。恰当的使用会增强资源的访问效率。
                gzip	on;
                gzip_http_version	1.1;
                gzip_comp_level	2;
                #压缩的文件类型,一般按需选择,但这里为了未来方便添加文件类型多选一些。具体配置参考文件/etc/nginx/mime.types
                gzip_types gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpeg image/gif image/png;
                #设置静态资源文件在客户端的缓存时间,除非客户清楚缓存或者关闭缓存或者强制访问才会再访问。
                expires 5h;
        }

        #access_log  /var/log/nginx/demo.mydomain.com_access.log;
        #error_log  /var/log/nginx/demo.mydomain.com_error.log;

        # letsencrypt生成的文件
        #ssl_certificate        /etc/letsencrypt/live/www.qcmoke.site/fullchain.pem;
        #ssl_certificate_key     /etc/letsencrypt/live/www.qcmoke.site/privkey.pem;
        ssl_certificate        /etc/letsencrypt/live/qcmoke.site/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/qcmoke.site/privkey.pem;	

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets on;

        # Perfect Forward Security路径,如果上面没有生成PFS,这一行 可以不用
        ssl_dhparam /etc/ssl/private/dhparam.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # 一般推荐使用的ssl_ciphers值: https://wiki.mozilla.org/Security/Server_Side_TLS
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
        ssl_prefer_server_ciphers on;

}

重载配置

1
$ nginx -s reload

6、测试

客户机

1
2
3
4
5
6
$ git clone git@qcmoke.site:/data/git/blog.git
$ cd blog/
$ echo "<h1>Qcmoke Bolg</h1>" >> index.html
$ git add . 
$ git commit -m "init my blog"
$ git push -u origin master

之后浏览器访问http://qcmoke.site就能访问到push到服务器的index.html页面了。

7、ssl续期

Let’s Encrypt 默认情况下只提供三个月的有效期,在有效期剩余半个月的时候,Let’s Encrypt 会发送邮件给你,提醒你需要做证书的续期操作。或者我们也可以通过以下命令查看证书的剩余有效期限:

1
$ /data/ssl/certbot-auto certificates

手动续期

1
$ /data/ssl/certbot-auto  renew   -v

如果使用的是通配符域名,那么很不幸,无法直接使用 certbot-auto renew 的方式快速进行续期。可以尝试使用如下命令续期:

1
2
3
$ /data/ssl/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.qcmoke.site" -d "qcmoke.site" \
--manual --preferred-challenges dns-01 certonly

完整操作如下(具体类似上文首次申请证书差不多):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[root@iz2ze4uom6jrktiqj54y48z ~]# /data/ssl/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.qcmoke.site" -d "qcmoke.site" --manual --preferred-challenges dns-01 certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for qcmoke.site

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: (Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qcmoke.site with the following value:

HEvkEIqlCexoTLgrKGsCslDaPUKU3lCtiPGy4lEbJK4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qcmoke.site/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qcmoke.site/privkey.pem
   Your cert will expire on 2020-10-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
1
$ nginx -s reload

自动续期

对于通配符域名,则比较麻烦,因为需要人为地进行TXT记录域名解析,所以实现过程比较繁琐,这里就不介绍了。

如果不是申请通配符域名,那么可以通过Linux的定时任务来完成自动续期的需求。

1
sudo crontab -e

在最后添加

1
0 3 1 * * /data/ssl/certbot-auto renew --renew-hook "sudo nginx -s reload"

可通过sudo crontab -l命令查看一下是否存在刚才添加的定时任务中。

📚 参考

https://www.jianshu.com/p/23aa1eef5b23

https://juejin.im/post/5c935d7c6fb9a070b24b11a6



----------- 本文结束 -----------




如果你觉得我的文章对你有帮助,你可以打赏我哦~
0%