2019年11月4日 星期一

GoAccess 分析工具 NGINX access.log

修改 goaccess.conf
vi /usr/local/etc/goaccess.conf
修改 goaccess.conf的 log-format
log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %^ %^ %T
修改 nginx.conf 的 log_format
vi /etc/nginx/nginx.conf
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $upstream_response_time';
修改後, 重啟 nginx
nginx -s reload
log檔路徑
vi /var/log/nginx/access.log

2019年7月21日 星期日

Install macOS High Sierra.app is not a valid installer

1、執行APP的下載器,完成下载步骤,到重新啟動安裝的步驟時,command+Q退出 2、打開Finder,在根目錄下找到macOS Install Data文件夹 3、在应用程序中,找到Install macOS High Sierra,右击显示包内容,在/Contents/下建立“SharedSupport”文件夹 4、将第二步文件夹/macOS Install Data/ 中的所有内容拷貝到第三步新建的文件夹/Contents/SharedSupport中 5、再执行以下script,創建安裝USB碟(注意替换"MyVolume"为你的USB碟名稱) sudo /Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/USB --applicationpath /Applications/Install\ macOS\ High\ Sierra.app Password: Ready to start. To continue we need to erase the volume at /Volumes/USB. If you wish to continue type (Y) then press return: y Erasing Disk: 0%... 10%... 20%... 30%...100%... Copying installer files to disk...

2019年6月12日 星期三

ssh with ssh-keygen

本地連到 server_hostname(如 10.123.123.11)
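# Generate the key pair on the local machine; this produces id_rsa (private)
# and id_rsa.pub (public). DSA keys (ssh-keygen -d / -t dsa) are left out:
# OpenSSH has disabled ssh-dss by default since release 7.0.
ssh-keygen -t rsa -b 4096
chmod 0600 id_rsa
# Append the public key to the remote authorized_keys. Copying id_rsa.pub over
# ~/.ssh/authorized_keys with scp would replace every key already authorised
# for that account.
ssh-copy-id -i id_rsa.pub -p 22 user@server_hostname
# ssh takes the port with lowercase -p; uppercase -P is the scp spelling.
ssh -p 22 user@server_hostname ls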
 
注意: remote(hostname) 端如  /home/user/.ssh不存在
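# Run on the remote host when /home/user/.ssh does not exist yet.
mkdir -p /home/user/.ssh
# sshd ignores authorized_keys when the directory or file is writable by
# anyone other than the owner, so set the modes explicitly.
chmod 700 /home/user/.ssh
# authorized_keys lives inside .ssh, not directly in the home directory;
# this chmod expects the file to be in place already.
chmod 600 /home/user/.ssh/authorized_keys
chmod 755 /home/user
chown -R user:user /home/user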

authorized_keys 文件必须是600权限(也就是-rw-------)或者644
.ssh目录必须是700权限(也就是drwx------)
/home/work目录 必须是 755权限 即drwxr-xr-x

2019年6月9日 星期日

nginx reverse proxy mssql 1433

# Main nginx.conf: process-level settings, then the HTTP context.
# Worker processes run as the "nginx" user.
user  nginx;
worker_processes  1;

# Only messages of level "warn" and above go to the error log.
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # $http_x_forwarded_for is the X-Forwarded-For request header exactly as
    # the client sent it. It is attacker-controllable, so use $remote_addr,
    # not this field, as the source address when reviewing the log.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # Every *.conf file in conf.d is loaded into this http context.
    include /etc/nginx/conf.d/*.conf;
}

# TCP (layer 4) pass-through: connections accepted on port 1433 are relayed
# to mssql:1433.
# NOTE(review): no allow/deny rules are set, so any host that can reach this
# listener can reach the SQL Server login endpoint. Restrict callers with the
# stream access module or a host firewall, for example:
#     allow <TRUSTED_CIDR>;   # placeholder, replace with the client network
#     deny  all;
# NOTE(review): the stream context has no access_log here, and the backend
# sees nginx as the peer address, so neither side records the real client IP
# unless stream logging is configured.
# No TLS is configured on this listener; nginx relays the bytes as received,
# so transport encryption depends on the SQL Server client/server settings.
stream {
    server {
        listen 1433;
        proxy_pass mssql:1433;
    }
}

Centos 7 SELinux 只允許 HTTP


查看模組(例如apache)
# semanage module -l
該模組的設定會放在 /etc/selinux/targeted/active/modules

查看埠號類型
# semanage port -l

和http有關的埠號
# semanage port -l | grep 'http'

把5353埠加入http_port_t的type中
# semanage port -a -t http_port_t -p tcp 5353

Docker nginx


docker exec -it proxy /bin/sh -c "[ -e /bin/bash ] && /bin/bash || /bin/sh"

#cd /etc/nginx/conf.d
#cat default.conf


#cd /usr/share/nginx/html/
#ls -l

#cd /var/log/nginx
#ls access.log
#ls error.log

Linux net tools

apt update
apt upgrade
apt install -y net-tools
ifconfig
apt install -y iputils-ping
apt install -y telnet

2019年5月31日 星期五

Nginx reverse proxy

# Upstream group "backend": a single server on localhost port 1080.
# NOTE(review): confirm the service on 1080 binds to loopback only; if it
# listens on all interfaces it can be reached without going through nginx.
upstream backend {
  server localhost:1080;
}

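# Default virtual host: serves static files from /usr/share/nginx/html and
# forwards /image/ to the "backend" upstream. Listens on 80 (plain HTTP) and
# 443 (TLS) for both IPv4 and IPv6.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # One shared session cache; a second ssl_session_cache line is redundant.
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1; remove it
    # from this line on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only. 3DES (DES-CBC3-SHA), the catch-all
    # AES / CAMELLIA keywords and static-RSA key exchange are not offered.
    # The DHE suites use the parameters from ssl_dhparam above.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    ssl_stapling on;
    # NOTE(review): verifying OCSP responses needs the issuer chain configured
    # through ssl_trusted_certificate; none is set in this block.
    ssl_stapling_verify on;

    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    # Legacy header; current browsers no longer act on it.
    add_header X-XSS-Protection "1; mode=block";
    # Browsers honour HSTS only on HTTPS responses, and port 80 is served here
    # without a redirect, so the policy applies only after a first HTTPS
    # visit. "includeSubdomains; preload" commits every subdomain to HTTPS for
    # the full max-age; confirm that is intended before submitting the domain
    # to a preload list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    # Resolver for runtime DNS lookups such as the OCSP responder.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Never serve .htaccess / .htpasswd style files.
    location ~ /\.ht {
        deny all;
    }

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    location /image/ {
        # Author's note: "/image" with "http://backend" did not work; use
        # "/image/" with "http://backend/". With the trailing slash on
        # proxy_pass, the matched /image/ prefix is replaced by / before the
        # request is sent upstream.
        proxy_pass http://backend/;

        # Header carrying the client's IP address as seen by nginx.
        proxy_set_header X-Real-IP $remote_addr;

        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the backend should trust only
        # the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Report the scheme nginx itself received. Echoing the client's own
        # X-Forwarded-Proto header would let any client claim "https".
        proxy_set_header X-Forwarded-Proto $scheme;

        # 0 disables buffering of upstream responses to temporary files.
        proxy_max_temp_file_size 0;
    }

}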

2019年5月30日 星期四

NGINX default.conf FreeSSL certificate.crt

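cd /etc/nginx/ssl
# Generating 4096-bit Diffie-Hellman parameters may take a long time.
openssl dhparam -out dhparams.pem 4096

# Build the chain file nginx serves: leaf certificate first, then the CA bundle.
cat certificate.crt > server.crt
# Guarantee a line break between the two PEM blocks in case certificate.crt
# has no trailing newline (printf is portable; echo -e is not).
printf '\n' >> server.crt
cat ca_bundle.crt >> server.crt

# Keep the private key referenced by ssl_certificate_key readable by its owner only.
chmod 600 private.key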
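# Default virtual host with TLS enabled: listens on 80 (plain HTTP) and
# 443 (TLS) for both IPv4 and IPv6, using the chain file and key stored in
# /etc/nginx/ssl.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # One shared session cache; a second ssl_session_cache line is redundant.
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1; remove it
    # from this line on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only. 3DES (DES-CBC3-SHA), the catch-all
    # AES / CAMELLIA keywords and static-RSA key exchange are not offered.
    # The DHE suites use the parameters from ssl_dhparam above.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    ssl_stapling on;
    # NOTE(review): verifying OCSP responses needs the issuer chain configured
    # through ssl_trusted_certificate; none is set in this block.
    ssl_stapling_verify on;

    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    # Legacy header; current browsers no longer act on it.
    add_header X-XSS-Protection "1; mode=block";
    # Browsers honour HSTS only on HTTPS responses, and port 80 is served here
    # without a redirect, so the policy applies only after a first HTTPS
    # visit. "includeSubdomains; preload" commits every subdomain to HTTPS for
    # the full max-age; confirm that is intended before submitting the domain
    # to a preload list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    # Resolver for runtime DNS lookups such as the OCSP responder.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Never serve .htaccess / .htpasswd style files.
    location ~ /\.ht {
        deny all;
    }
}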