Tải mã nguồn cần thiết

Trước tiên, tải OpenResty và OpenSSL phiên bản tương thích:

wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz

Cài đặt các thư viện phụ thuộc

Đảm bảo hệ thống có đầy đủ công cụ biên dịch và thư viện hỗ trợ GeoIP:

yum install -y GeoIP-devel GeoIP gcc-c++ make gcc

Biên dịch và cài đặt OpenResty

Chạy lệnh cấu hình với các tùy chọn module cần thiết, chú ý đường dẫn OpenSSL:

./configure --prefix=/opt/openresty \
  --user=nobody --group=nobody \
  --http-client-body-temp-path=client_temp \
  --http-proxy-temp-path=proxy_temp \
  --http-fastcgi-temp-path=fastcgi_temp \
  --http-uwsgi-temp-path=uwsgi_temp \
  --with-http_ssl_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-file-aio \
  --with-openssl=/root/openssl-1.0.2t \
  --with-poll_module \
  --with-http_geoip_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-pcre \
  --with-stream \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-mail \
  --with-http_mp4_module \
  --with-http_flv_module \
  --with-http_auth_request_module \
  --with-http_image_filter_module

make && make install

Cấu hình nginx.conf cơ bản

Thiết lập hiệu năng, bảo mật và nén dữ liệu cho server:

user                   nobody;
worker_processes        auto;
worker_rlimit_nofile    65535;
error_log               logs/error.log crit;
pid                     /var/run/nginx.pid;

events {
    worker_connections  1024;
    use                 epoll;
    multi_accept        on;
}

http {
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    client_header_timeout           1m;
    client_body_timeout             1m;
    client_header_buffer_size       2k;
    client_body_buffer_size         256k;
    client_max_body_size            1024M;
    large_client_header_buffers     4 8k;
    send_timeout                    30;
    keepalive_timeout               60 60;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;

    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log off;
    include mime.types;
    default_type application/octet-stream;

    gzip                on;
    gzip_comp_level     9;
    gzip_min_length     512;
    gzip_buffers        8 64k;
    gzip_types          text/plain text/css application/json application/javascript text/xml;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";

    proxy_redirect      off;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout   90;
    proxy_send_timeout  90;
    proxy_read_timeout  90;
    proxy_buffers       32 4k;

    real_ip_header      CF-Connecting-IP;

    ssl_session_cache   shared:SSL:10m;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";

    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 502 503 504 /error/50x.html;

    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;

    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }

    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;

    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    add_header Access-Control-Allow-Credentials 'true';

    include vhost/*.conf;
}

Cấp phát chứng chỉ SSL tự động

Sử dụng Dehydrated để cấp chứng chỉ Let’s Encrypt:

git clone https://github.com/lukas2511/dehydrated.git /opt/dehydrated
mkdir -p /var/www/dehydrated

/opt/dehydrated/dehydrated --register --accept-terms
/opt/dehydrated/dehydrated -c -d yourdomain.com

Cấu hình Virtual Host với HTTPS

Thiết lập server block hỗ trợ HTTP/2, chuyển hướng sang HTTPS và proxy ngược:

upstream backend_app {
    server 127.0.0.1:8080 max_fails=1 fail_timeout=30s;
}

server {
    listen 80;
    server_name yourdomain.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate /etc/dehydrated/certs/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/yourdomain.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://backend_app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        proxy_send_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;

        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Cache-Control "no-cache, no-store";
    }

    location /static {
        root /var/www/app/;
        expires 1d;
        add_header Cache-Control public;
        access_log off;
    }
}