This tutorial explains how to build a secure, high-performance web service on Tencent Cloud hosting.
0. Environment preparation
Before we start, we need the following two resources.
- One Tencent Cloud instance:
Create one on demand from the Tencent Cloud CVM product page. This article uses a cloud server of model S4.SMALL2. Make sure to tick "free allocation of public network IP" when purchasing. The operating system we choose is CentOS 7; for other systems such as Fedora/Ubuntu, most of the steps in this article are the same. All commands below are executed inside this instance.
- One Tencent Cloud domain name:
On the Tencent Cloud domain name registration page, select Register and pick a domain name you like; my-awesome-domain.com is used below.
1. Set domain name resolution
Adding a domain name resolution record associates a domain name with a cloud server's public IP.
Tencent Cloud's Cloud Resolution product makes managing our DNS records easy.
All resolution records are added in the Cloud Resolution console.
- Record type: select "A"; this type of record maps a domain name to an IP address;
- Record value: the public IP of the CVM instance;
- Host record: the subdomain label we want, for example web, which maps web.my-awesome-domain.com to the specified IP.
Tencent Cloud's resolution takes effect very quickly, so we can then log in to the CVM instance through the domain name, for example:
ssh root@web.my-awesome-domain.com
2. Apply for an SSL certificate
Let's apply for a Let's Encrypt certificate. This is easily done with the official Certbot tool. Certbot is essentially a client for the ACME protocol, built so that developers can automate the certificate application process.
Install Certbot
yum install certbot
This also installs the required dependencies, such as openssl. Under Debian/Ubuntu, just use apt install instead.
Certificate Application
certbot certonly --standalone -n -m my-email-address@example.com --agree-tos -d web.my-awesome-domain.com
The application takes about ten seconds to run.
(Screenshot: certificate application result)
After success, the certificate files are generated in the /etc/letsencrypt/live/web.my-awesome-domain.com/ directory: the certificate file fullchain.pem and the private key file privkey.pem. They will be used later in the Nginx configuration.
Set the certificate to renew automatically
The certificate expires after 90 days, but Certbot comes with a scheduled job, certbot-renew, that re-applies for (renews) certificates regularly. Start this timer through the systemctl command and we no longer have to worry about certificate expiry.
systemctl start certbot-renew.timer
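The following script is an added example, not the article's own code: it reports how many days the certificate has left, makes the renewal timer work alongside nginx, and rehearses a renewal. It assumes the lineage path certbot created above, the nginx systemd unit set up in section 3, and that GNU date and the openssl CLI are installed (CentOS 7 has both).

```shell
# Added example (not the article's code): certificate lifetime check,
# renewal hooks for the standalone authenticator, and a renewal rehearsal.
# Assumed: the lineage path from the certbot run above, the nginx.service
# unit from section 3, GNU date and the openssl CLI.
set -eu

LIVE_DIR="/etc/letsencrypt/live/web.my-awesome-domain.com"

# Convert an openssl "notAfter=..." line into whole days from now;
# the result goes negative once the certificate has expired.
days_until_notafter() {
    end_epoch=$(date -d "${1#notAfter=}" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Days left on a PEM certificate file.  Let's Encrypt issues for 90 days
# and certbot renews once fewer than 30 remain, so a result at or below
# 30 means the timer is not renewing (see the port-80 note below).
cert_days_left() {
    days_until_notafter "$(openssl x509 -enddate -noout -in "$1")"
}

# The certificate was obtained with --standalone, so certbot must bind
# port 80 itself at renewal time, which fails while nginx holds the port.
# Certbot runs every executable in renewal-hooks/pre before a renewal and
# in renewal-hooks/post after it, so use those to stop and restart nginx.
# $1 is the certbot config directory (/etc/letsencrypt on a real host).
install_renewal_hooks() {
    pre="$1/renewal-hooks/pre/stop-nginx.sh"
    post="$1/renewal-hooks/post/start-nginx.sh"
    mkdir -p "${pre%/*}" "${post%/*}"
    printf '#!/bin/sh\nsystemctl stop nginx.service\n' > "$pre"
    printf '#!/bin/sh\nsystemctl start nginx.service\n' > "$post"
    chmod 0755 "$pre" "$post"
}

# --dry-run talks to the Let's Encrypt staging environment and issues
# nothing, but it does run the pre/post hooks, so the whole sequence
# (stop nginx, answer the challenge on port 80, start nginx) is exercised.
rehearse_renewal() {
    certbot renew --dry-run
}

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    echo "days left: $(cert_days_left "$LIVE_DIR/fullchain.pem")"
    install_renewal_hooks /etc/letsencrypt
    systemctl is-active certbot-renew.timer
    rehearse_renewal
fi
```

The few seconds of downtime while certbot holds port 80 are the price of the standalone authenticator; certbot's webroot authenticator avoids it by letting nginx serve the challenge file instead.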
3. Install Nginx
There are two common ways to install Nginx: through the distribution's package manager, or by compiling from source. If you choose the former, just run:
yum install nginx # under Debian/Ubuntu: apt install nginx
Then skip the rest of this section and continue with the configuration in the next section.
However, on the current mainstream distributions (CentOS 7, Ubuntu 18, etc.) the packaged nginx and openssl versions are relatively old and cannot support features such as TLSv1.3, so choose according to the features you need.
Now let's explain in detail how to install the latest Nginx from source. The latest stable version is 1.16.0. Try to install the latest stable version: versions that are too old lack many features, such as HTTP/2 (supported from 1.10) and TLSv1.3 (supported from 1.15).
The latest version is usually not in the distribution's package repositories (Yum, APT), so we have to compile and install it from source. For us CVM users that is no problem at all; let's enjoy the extra freedom and flexibility.
We will install Nginx under the /opt directory, which is usually a suitable choice. Of course, any directory you are used to working in is fine.
cd /opt
Install the build dependencies
These are mainly the compiler, the PCRE package and the zlib package:
yum install gcc pcre-devel zlib-devel
(Under Debian/Ubuntu use apt install instead; the package names are libpcre3-dev and zlib1g-dev.)
Download the openssl source code
Download the latest openssl library, version 1.1.1b. The TLS protocol and the encryption/decryption in Nginx are handled by external libraries (libssl/libcrypto), which are implemented by the openssl project. The system's default openssl is relatively old and cannot support the latest HTTP/2 and TLS features.
Only two steps are needed: download and extract. There is no need to compile and install openssl separately.
wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz
tar -zxvf openssl-1.1.1b.tar.gz
Compile Nginx from source
Download, compile and install Nginx, version 1.16.0.
wget http://nginx.org/download/nginx-1.16.0.tar.gz
tar -zxvf nginx-1.16.0.tar.gz
cd nginx-1.16.0
Configure the build options. Note that we need to point to the openssl source directory here; Nginx will then build the parts of openssl it needs as part of its own build. The options below focus on enabling the http/2 and ssl modules. If you want to change other options later, simply reconfigure and rebuild; that is the convenience of a source install.
./configure \
--pid-path=/run/nginx.pid \
--with-http_v2_module \
--with-http_ssl_module \
--with-openssl=/opt/openssl-1.1.1b
Compile and install:
make && make install
Nginx is installed by default under the /usr/local/nginx directory (this can be changed with the --prefix configure option).
At this point, the Nginx installation is complete. Running
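Before going further it is worth confirming that the binary really was built with the http_v2 and ssl modules and with the bundled OpenSSL 1.1.1b rather than the older system library. The check below is an added example, not part of the article; it parses the output of nginx -V, and the two sample outputs are constructed here for illustration (only the binary path comes from the article).

```shell
# Added example (not the article's code): verify the freshly built nginx.
# Assumption: the install prefix from the article; the sample outputs
# below are constructed, not captured from a real host.
set -eu

NGINX_BIN="/usr/local/nginx/sbin/nginx"

# nginx -V prints its version, the OpenSSL it was built with and the
# configure arguments on stderr, so fold that into stdout.
nginx_build_info() {
    "$NGINX_BIN" -V 2>&1
}

# Return 0 only when HTTP/2, the SSL module and an OpenSSL new enough for
# TLSv1.3 (1.1.1 or later) are all present; report each gap on stderr.
verify_build_info() {
    info=$1
    ok=0
    for opt in --with-http_v2_module --with-http_ssl_module; do
        case $info in
            *"$opt"*) ;;
            *) echo "missing configure option: $opt" >&2; ok=1 ;;
        esac
    done
    # "built with OpenSSL 1.1.1b" is the copy from /opt; a 1.0.2 string
    # would mean the old system library was linked instead.
    case $info in
        *"built with OpenSSL 1.1.1"*|*"built with OpenSSL 3."*) ;;
        *) echo "OpenSSL too old for TLSv1.3" >&2; ok=1 ;;
    esac
    return $ok
}

# Constructed samples: what the build from this article prints, and what
# an older packaged build without http_v2 and with OpenSSL 1.0.2 prints.
GOOD_BUILD='nginx version: nginx/1.16.0
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --pid-path=/run/nginx.pid --with-http_v2_module --with-http_ssl_module --with-openssl=/opt/openssl-1.1.1b'
OLD_BUILD='nginx version: nginx/1.12.2
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module'

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    verify_build_info "$(nginx_build_info)" && echo "build OK"
fi
```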
/usr/local/nginx/sbin/nginx
starts the Nginx service. But wait, let's get the job done a little more gracefully.
Configure Nginx as a systemd service
Edit the file /lib/systemd/system/nginx.service and add the following content:
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Then execute:
systemctl daemon-reload
systemctl enable nginx.service
We can then manage Nginx through systemctl commands such as restart and reload:
systemctl restart nginx.service
4. Configure Nginx
Edit the server section of nginx.conf (or an equivalent configuration file): set the SSL parameters such as certificate and key, and redirect the HTTP service on port 80 to HTTPS on port 443. The details are as follows:
server {
    listen 443 ssl http2;
    server_name web.my-awesome-domain.com;

    # Certificate chain and private key issued by Certbot above
    ssl_certificate "/etc/letsencrypt/live/web.my-awesome-domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/web.my-awesome-domain.com/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    # Allow only TLSv1.2 and TLSv1.3; ssl_ciphers governs the TLSv1.2
    # suites, the TLSv1.3 suites are chosen by OpenSSL itself
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # HSTS: tell browsers to use HTTPS only for the next year
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        root html;
        index index.html;
    }
}

server {
    listen 80;
    server_name web.my-awesome-domain.com;

    # Permanent redirect of plain HTTP to HTTPS
    if ($host = web.my-awesome-domain.com) {
        return 301 https://$host$request_uri;
    }
}
Note: http2 is enabled, and for the SSL protocol both the current stable TLSv1.2 and the latest TLSv1.3 are supported.
Then restart the service and you're done!
systemctl restart nginx.service
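Once the service is up, the three promises of that configuration (80 redirects to 443, HSTS is sent, TLSv1.3 is negotiated) can be checked from any client. The script below is an added example, not part of the article: its parsers take the raw text that curl and openssl s_client print, the sample outputs are constructed here, and the live calls (assuming curl and the openssl CLI are available) run only when RUN_LIVE_CHECKS=1.

```shell
# Added example (not the article's code): post-deployment checks for the
# nginx.conf above.  Assumed: the host name used throughout the article,
# curl and the openssl CLI on the machine running the checks.
set -eu

HOST="web.my-awesome-domain.com"

# Port 80 must answer with a 301 whose Location is the https:// origin.
redirect_ok() {
    printf '%s\n' "$1" | grep -q '^HTTP/1\.[01] 301' &&
    printf '%s\n' "$1" | grep -qi "^Location: https://$HOST/"
}

# The 443 response must carry HSTS with the one-year max-age from nginx.conf
# (curl prints HTTP/2 header names in lower case, hence -i).
hsts_ok() {
    printf '%s\n' "$1" | grep -qi '^Strict-Transport-Security: max-age=31536000'
}

# openssl s_client prints the negotiated protocol in its session summary;
# with "ssl_protocols TLSv1.2 TLSv1.3" an OpenSSL 1.1.1 client lands on 1.3.
tls13_ok() {
    printf '%s\n' "$1" | grep -q 'Protocol *: TLSv1\.3'
}

# Constructed samples of what a correct deployment prints.
SAMPLE_80='HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.0
Location: https://web.my-awesome-domain.com/'
SAMPLE_443='HTTP/2 200
server: nginx/1.16.0
strict-transport-security: max-age=31536000'
SAMPLE_TLS='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384'

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    redirect_ok "$(curl -sI "http://$HOST/")" && echo "redirect OK"
    hsts_ok "$(curl -sI "https://$HOST/")" && echo "HSTS OK"
    tls13_ok "$(openssl s_client -connect "$HOST:443" -servername "$HOST" \
        </dev/null 2>/dev/null)" && echo "TLSv1.3 OK"
fi
```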
This article is from the Tencent Cloud Computing Community; please indicate the source when reprinting: https://computeinit.com/archives/2405