Our EOI official website has officially launched! Building the company's first publicly launched site took a lot of thought, and one of the main concerns was how to make it both fast and secure. The site is built with Nuxt SSR, has the PWA module enabled, and scores above 90 in Lighthouse. While keeping IE9 compatibility, it also uses newer features such as Intersection Observer to improve its speed.
The other point is security. Even though this is only a company introduction site, it still needs to be served over HTTPS. Let's Encrypt, which has become very popular recently, offers free certificates that not only save the company money but also spare us the hassle of applying for certificates.
This time we used Nginx, a high-performance web server, together with Let's Encrypt's free and easy-to-use certificates. What follows are some notes from setting up the company's official website, shared in the hope that they are useful.
Compile Nginx
The company uses Aliyun servers running CentOS. CentOS 7 ships OpenSSL 1.0.1e, which does not support ALPN, so HTTP/2 cannot be enabled for recent versions of Chrome (which negotiate HTTP/2 only through ALPN, not NPN).
I chose to compile Nginx myself so that the Brotli (br) compression module and the Certificate Transparency module could be compiled in as well. If you don't need those two modules, you can instead install a prebuilt rpm package from a third-party repository: https://brouken.com/repo
Download OpenSSL source code
First download OpenSSL and unpack it. 1.1.0f was the current release when this was written; pick the latest release of a branch that is still supported, and verify the tarball against the .sha256 or .asc file published next to it on openssl.org before building. All sources in this post are unpacked into one working directory, so go back to it with cd .. after each step.
$ wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz
$ tar -zxvf openssl-1.1.0f.tar.gz
$ cd openssl-1.1.0f
I also applied Cloudflare's ChaCha20-Poly1305 patch for OpenSSL 1.1.0 from their sslconfig repository. The patch is written against a specific OpenSSL release, so check the output of patch for rejected hunks (.rej files) if you use a different version.
$ wget https://github.com/cloudflare/sslconfig/raw/master/patches/openssl__1.1.0_chacha20_poly1305.patch
$ patch -p1 < openssl__1.1.0_chacha20_poly1305.patch
Download the third-party Nginx module
Back in the working directory (cd ..), download ngx_brotli to support br (Brotli) compression. Current versions of ngx_brotli vendor the Brotli library as a git submodule, so clone with --recursive or run git submodule update --init inside the clone.
$ git clone https://github.com/google/ngx_brotli.git
Download nginx-ct to support Certificate Transparency
$ git clone https://github.com/grahamedgecombe/nginx-ct.git
Incidentally, the handy headers-more-nginx-module is compiled in as well.
$ git clone https://github.com/openresty/headers-more-nginx-module.git
Download and compile Nginx
Download the Nginx source code. (The original cd pointed at the tarball; it has to enter the unpacked directory.)
$ wget http://nginx.org/download/nginx-1.13.4.tar.gz
$ tar -zxvf nginx-1.13.4.tar.gz
$ cd nginx-1.13.4
Apply Cloudflare's HPACK patch, which enables full HPACK header compression for HTTP/2 responses. It was written against Nginx 1.13.1, so check for rejected hunks when applying it to 1.13.4.
$ wget https://github.com/cloudflare/sslconfig/raw/master/patches/nginx_1.13.1_http2_hpack.patch
$ patch -p1 < nginx_1.13.1_http2_hpack.patch
Compile Nginx. I used the official package's configure parameters and added the specific modules, so that the resulting binary can directly replace the packaged executable and still be started as a service via systemctl. OpenSSL is linked statically into Nginx (--with-openssl points at the directory unpacked above) so that it does not interfere with the system's OpenSSL. Two options deserve a second look: enable-weak-ssl-ciphers re-enables the RC4 suites that OpenSSL 1.1.0 disables by default, so drop it unless a legacy client really needs it and keep those suites out of ssl_ciphers either way; --with-debug only makes the debug log level available and is harmless unless error_log is set to debug.
$ ./configure --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx --group=nginx \
    --with-file-aio --with-threads \
    --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
    --with-http_addition_module --with-http_sub_module --with-http_dav_module \
    --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
    --with-http_gzip_static_module --with-http_random_index_module \
    --with-http_secure_link_module --with-http_degradation_module \
    --with-http_slice_module --with-http_stub_status_module \
    --with-http_auth_request_module \
    --with-mail --with-mail_ssl_module \
    --with-stream --with-stream_ssl_module --with-stream_realip_module \
    --with-debug \
    --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' \
    --with-ld-opt='-Wl,-z,relro -Wl,-E' \
    --with-openssl=$(realpath ../openssl-1.1.0f) \
    --with-openssl-opt="enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers" \
    --add-module=$(realpath ../ngx_brotli) \
    --add-module=$(realpath ../nginx-ct) \
    --add-module=$(realpath ../headers-more-nginx-module)
$ make
Replace the packaged Nginx binary. This assumes the official nginx.org rpm package is already installed: the configure paths above mirror its layout, and the package supplies the nginx user, the directories and the systemd unit that the new binary reuses. Keep the old binary so you can roll back, then check the configuration with nginx -t and restart the service with systemctl restart nginx.
$ sudo mv /usr/sbin/nginx /usr/sbin/nginx.old
$ sudo cp objs/nginx /usr/sbin/nginx
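As an added check (example code, not from the original post), confirm with nginx -V that the replaced binary really contains what was configured before restarting the service. The script below parses that output and reports anything missing; the expected OpenSSL version and module names are the ones used in this post, and the two sample outputs it checks are constructed for the example, not captured from the author's server.

```shell
#!/bin/sh
# Added example, not from the original post: verify the replaced binary.
# Reads `nginx -V` output on stdin (nginx prints it to stderr, hence 2>&1)
# and checks that the OpenSSL version and the modules configured in this
# post are really compiled in. Returns the number of failed checks.
check_nginx_build() {
    out=$(cat)
    fails=0
    for want in \
        'built with OpenSSL 1.1.0f' \
        '--with-http_ssl_module' \
        '--with-http_v2_module' \
        'ngx_brotli' \
        'nginx-ct' \
        'headers-more-nginx-module'
    do
        case "$out" in
            *"$want"*) echo "ok       $want" ;;
            *)         echo "MISSING  $want"; fails=$((fails + 1)) ;;
        esac
    done
    # enable-weak-ssl-ciphers re-enables the RC4 suites that OpenSSL 1.1.0
    # disables by default; it is harmless only if ssl_ciphers excludes them.
    case "$out" in
        *enable-weak-ssl-ciphers*)
            echo "warn     built with enable-weak-ssl-ciphers; keep RC4 out of ssl_ciphers" ;;
    esac
    return "$fails"
}

# Constructed sample of `nginx -V 2>&1` for the build in this post
# (abridged; not captured from the author's server).
sample_custom_build() {
cat <<'EOF'
nginx version: nginx/1.13.4
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/home/eoi/src/openssl-1.1.0f --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers' --add-module=/home/eoi/src/ngx_brotli --add-module=/home/eoi/src/nginx-ct --add-module=/home/eoi/src/headers-more-nginx-module
EOF
}

# Constructed sample for a stock package still linked against the
# distribution's OpenSSL 1.0.1e (no ALPN, none of the extra modules).
sample_stock_package() {
cat <<'EOF'
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_v2_module
EOF
}

case "${1:-}" in
    --self-test)
        echo "== custom build"
        sample_custom_build | check_nginx_build
        echo "== stock package"
        sample_stock_package | check_nginx_build || echo "   $? check(s) failed"
        ;;
esac
```

Save it as check_nginx_build.sh; `sh check_nginx_build.sh --self-test` runs it over the two samples, and after sourcing the file (`. ./check_nginx_build.sh`) the real binary is checked with `nginx -V 2>&1 | check_nginx_build`. Once nginx -t passes and the service is restarted with http2 on the listen directive, `openssl s_client -connect www.eoitek.com:443 -alpn h2 </dev/null 2>/dev/null | grep ALPN` from another machine should report `ALPN protocol: h2`, which is exactly what the stock OpenSSL 1.0.1e build could not negotiate.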
Applying for a certificate
Let's Encrypt's official client, certbot, had various dependency problems on CentOS, and I gave up after several attempts. After searching around online, we went with the compact acme.sh instead.
acme.sh is written in pure shell script and can also issue ECC certificates, which makes it very convenient to use.
First download the acme.sh source code. Running ./acme.sh --install afterwards copies it to ~/.acme.sh and adds the cron job that renews certificates automatically.
$ git clone https://github.com/Neilpang/acme.sh.git
$ cd acme.sh
www.eoitek.com uses dual RSA/ECC certificates, so the certificate is issued twice in webroot mode (-w): once with acme.sh's default RSA key and once with --keylength ec-256 for a P-256 ECC key. acme.sh writes the challenge token under /home/eoi/eoi-portal/.well-known/acme-challenge/, so nginx must serve that path from that directory over plain HTTP for www.eoitek.com.
$ ./acme.sh --issue -d www.eoitek.com -w /home/eoi/eoi-portal
$ ./acme.sh --issue -d www.eoitek.com -w /home/eoi/eoi-portal --keylength ec-256
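The two issue commands are only half of the job: acme.sh's own guidance is that nginx should not read the files under ~/.acme.sh directly but receive copies through --install-cert, which also records the reload command that acme.sh reruns after every automatic renewal. The script below, an added example rather than the author's own setup, issues both certificates in webroot mode and installs both into nginx's directory. The acme.sh path in ACME, the /etc/nginx/ssl target directory and the reload command are assumptions, and --server letsencrypt pins the CA because acme.sh 3.x defaults to ZeroSSL.

```shell
#!/bin/sh
# Added example, not from the original post: issue the RSA and ECC
# certificates for one domain with acme.sh in webroot mode and install
# both into nginx's directory with --install-cert, so nginx never reads
# the files under ~/.acme.sh directly (acme.sh rewrites them on renewal).
# Assumed (not from the post): the acme.sh location, CERT_DIR, RELOAD_CMD.

ACME="${ACME:-$HOME/.acme.sh/acme.sh}"     # where ./acme.sh --install puts it
CERT_DIR="${CERT_DIR:-/etc/nginx/ssl}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# issue_dual_cert DOMAIN WEBROOT
# Requests an RSA certificate (acme.sh's default key) and a P-256 ECC one.
# acme.sh drops the challenge token in WEBROOT/.well-known/acme-challenge/,
# which nginx must serve over plain HTTP for DOMAIN.
# --server letsencrypt pins the CA; acme.sh 3.x otherwise defaults to ZeroSSL.
issue_dual_cert() {
    domain=$1; webroot=$2
    "$ACME" --issue --server letsencrypt -d "$domain" -w "$webroot" || return 1
    "$ACME" --issue --server letsencrypt -d "$domain" -w "$webroot" --keylength ec-256 || return 1
}

# install_dual_cert DOMAIN
# Copies key and full chain of each certificate to CERT_DIR/DOMAIN.{rsa,ecc}.*
# and registers RELOAD_CMD, which acme.sh runs again after each renewal.
# --ecc selects the ECC certificate of the same domain.
install_dual_cert() {
    domain=$1
    mkdir -p "$CERT_DIR" || return 1
    "$ACME" --install-cert -d "$domain" \
        --key-file       "$CERT_DIR/$domain.rsa.key" \
        --fullchain-file "$CERT_DIR/$domain.rsa.fullchain.pem" \
        --reloadcmd      "$RELOAD_CMD" || return 1
    "$ACME" --install-cert -d "$domain" --ecc \
        --key-file       "$CERT_DIR/$domain.ecc.key" \
        --fullchain-file "$CERT_DIR/$domain.ecc.fullchain.pem" \
        --reloadcmd      "$RELOAD_CMD" || return 1
}

# Usage: sh dual_cert.sh run   (domain and webroot as in this post)
if [ "${1:-}" = "run" ]; then
    issue_dual_cert www.eoitek.com /home/eoi/eoi-portal && install_dual_cert www.eoitek.com
fi
```

With both pairs in place, nginx 1.11.0 and later serve dual certificates from one server block by listing two ssl_certificate/ssl_certificate_key pairs (the .ecc.* and .rsa.* files above); nginx then picks the certificate that matches the signature algorithms the client offers, so modern clients get the ECC chain and old ones still get RSA.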