---
name: nginx
description: Fully automated Nginx site deployment, SSL certificates, static-site SPA configuration
---

# Nginx Management

## Fully automated deployment procedure

When the user asks to "fully automate the nginx configuration", carry out the following steps in order:

### 1. Build and deploy the static files

Read the deployment directory from the project's `run_prod.sh`; it usually deploys to `/www/<project-name>/`. Run:

```bash
bash run_prod.sh
```

### 2. Create the Nginx configuration

Choose the layout based on the directory structure actually present on the server:

#### Debian/Ubuntu (sites-available layout)

```bash
# <site>: placeholder for the site's configuration file name
sudo cp <site>.conf /etc/nginx/sites-available/
sudo ln -sf /etc/nginx/sites-available/<site>.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
```

#### RHEL/CentOS/Fedora (conf.d layout)

```bash
# <site>: placeholder for the site's configuration file name
sudo cp <site>.conf /etc/nginx/conf.d/<site>.conf
sudo nginx -t && sudo systemctl reload nginx
```

### 3. Request an SSL certificate

```bash
# <email>: placeholder for the contact address registered with Let's Encrypt
sudo certbot --nginx -d www.domain.com -d domain.com --non-interactive --agree-tos --email <email>
```

If certbot is not installed, install it first:

```bash
# Debian/Ubuntu
sudo apt install -y certbot python3-certbot-nginx

# RHEL/CentOS/Fedora (install via pip)
sudo pip install certbot certbot-nginx
```

### 4. Configure automatic renewal

Create a systemd timer. The `OnCalendar` value below fires at 00:00 and 12:00 every day, matching the unit's description; if certbot was installed via pip, check `command -v certbot` and adjust the `ExecStart` path accordingly.

```bash
sudo tee /etc/systemd/system/certbot-renew.timer > /dev/null << 'EOF'
[Unit]
Description=Run certbot renew twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF

sudo tee /etc/systemd/system/certbot-renew.service > /dev/null << 'EOF'
[Unit]
Description=Certbot renewal
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
PrivateTmp=true
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
```

### 5. Verify the deployment

```bash
curl -I https://www.domain.com/
```

## Static-site SPA configuration

For static sites such as VitePress/Hugo, deployed under `/www/<project-name>/`:

### RHEL/CentOS/Fedora full configuration

```nginx
server {
    listen 80;
    server_name www.domain.com domain.com;

    root /www/domain;
    index index.html;

    # VitePress SPA fallback
    location / {
        try_files $uri $uri.html $uri/index.html /index.html;
    }

    # Cache static assets
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;

    access_log /var/log/nginx/domain_access.log;
    error_log /var/log/nginx/domain_error.log;
}
```

Note that nginx inherits `add_header` directives from the `server` level only into `location` blocks that define no `add_header` of their own. Because the static-asset `location` above sets `Cache-Control`, responses for those files will not carry `X-Content-Type-Options` or `X-Frame-Options` unless the two `add_header` lines are repeated inside that block.

### Reverse proxy configuration

For proxying a local service (for example Node.js):

```nginx
server {
    listen 80;
    server_name www.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.domain.com;

    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:1234;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

## Quick commands

| Command | Description |
|------|------|
| `sudo nginx -t` | Test configuration syntax |
| `sudo systemctl reload nginx` | Hot-reload to apply changes |
| `sudo nginx -T` | Dump the full loaded configuration |
| `sudo certbot certificates` | List existing certificates |
| `sudo certbot renew --dry-run` | Test renewal (dry run) |

## Common issues

| Problem | Troubleshooting |
|------|------|
| 502 Bad Gateway | Confirm the backend is running with `curl http://127.0.0.1:1234` |
| Configuration not taking effect | Check syntax with `sudo nginx -t` |
| nginx not running | `sudo systemctl start nginx` |
| SSL request fails | Confirm the DNS record resolves to the server's IP |
| certbot command not found | Install certbot certbot-nginx via pip |
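As an added example that is not part of the original skill, the script below turns the step 5 `curl -I` check into assertions on the response headers: the HTTPS response must be a 200 carrying the `X-Content-Type-Options` and `X-Frame-Options` headers the SPA server block sets, and plain HTTP must answer with the 301 to `https://` from the reverse proxy block. The function names, the embedded sample responses and `www.domain.com` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not part of the original skill): turn the step 5 check into
# assertions on the response headers. Feed it the output of curl -sI:
#   curl -sI https://www.domain.com/ | check_tls_response
#   curl -sI http://www.domain.com/  | check_http_redirect
# Both functions print FAIL lines and return 1 when a check does not hold.

# Print the value of header $1 (case-insensitive name) from the header block on stdin.
header_value() {
  local name
  name=$(printf '%s:' "$1" | tr '[:upper:]' '[:lower:]')
  tr -d '\r' | awk -v name="$name" \
    'tolower($1) == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print the status code from the first line of the header block on stdin.
status_code() { head -n1 | tr -d '\r' | awk '{ print $2 }'; }

# Headers of https://<domain>/ on stdin: status must be 200 and the two
# hardening headers from the SPA server block must be present.
check_tls_response() {
  local hdrs status nosniff frame rc=0
  hdrs=$(cat)
  status=$(printf '%s\n' "$hdrs" | status_code)
  nosniff=$(printf '%s\n' "$hdrs" | header_value X-Content-Type-Options | tr '[:upper:]' '[:lower:]')
  frame=$(printf '%s\n' "$hdrs" | header_value X-Frame-Options | tr '[:upper:]' '[:lower:]')
  [ "$status" = "200" ] || { echo "FAIL: expected 200, got '${status:-none}'"; rc=1; }
  [ "$nosniff" = "nosniff" ] || { echo "FAIL: X-Content-Type-Options is not nosniff"; rc=1; }
  [ "$frame" = "sameorigin" ] || { echo "FAIL: X-Frame-Options is not SAMEORIGIN"; rc=1; }
  return "$rc"
}

# Headers of http://<domain>/ on stdin: the redirect server block must answer
# 301 with an https:// Location, so nothing is served over plain HTTP.
check_http_redirect() {
  local hdrs status location
  hdrs=$(cat)
  status=$(printf '%s\n' "$hdrs" | status_code)
  location=$(printf '%s\n' "$hdrs" | header_value Location)
  case "$status:$location" in
    301:https://*) return 0 ;;
  esac
  echo "FAIL: expected 301 to https://, got '${status:-none}' '${location}'"
  return 1
}

# Constructed sample responses (not captured from a real server) for a dry run.
SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\nserver: nginx\r\nx-content-type-options: nosniff\r\nx-frame-options: SAMEORIGIN\r\n')
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.domain.com/\r\n')
printf '%s\n' "$SAMPLE_HTTPS" | check_tls_response && echo "https response: OK"
printf '%s\n' "$SAMPLE_HTTP" | check_http_redirect && echo "http redirect: OK"
```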