hexo 部署到 vps

hexo 部署到 vps

vps 环境配置

iptables 安装设置

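# Check first whether iptables is already installed
$ service iptables status
# Install iptables
# NOTE(review): on CentOS/RHEL 7 and later, `service iptables save` and
# `service iptables restart` (used below) are provided by the separate
# iptables-services package - confirm for your release.
$ yum install -y iptables
# Upgrade iptables
$ yum update iptables

# List all rules with their line numbers:
iptables -L -n --line-numbers
# For example, to delete rule number 8 from the INPUT chain:
iptables -D INPUT 8

# Baseline rule set (IPv4 only; IPv6 traffic is filtered separately by ip6tables)
# Set the INPUT policy to ACCEPT before flushing, so the current SSH session
# is not cut off while the chain is empty.
iptables -P INPUT ACCEPT
iptables -F   # flush all rules
iptables -X   # delete user-defined chains
iptables -Z   # zero the packet/byte counters
iptables -A INPUT -i lo -j ACCEPT
# SSH. If the sshd port is changed (see the next section of this page), this
# rule must name the new port before the DROP policy below is applied.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP and HTTPS: the nginx configurations on this page listen on 80 and 443.
# Without these two rules the DROP policy below blocks the site itself.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Only needed for the `listen 443 quic` listener in the Docker configuration:
# iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -I inserts at the top of INPUT, so this source range is dropped before any
# of the ACCEPT rules above are evaluated.
iptables -I INPUT -s 218.92.0.0/16 -j DROP
# Default-deny for everything not accepted above.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Persist the rules and reload them.
service iptables save
service iptables restart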

ssh 端口更改

# Edit the sshd configuration to change the listening port (the `Port` directive).
# The firewall must accept the new port before sshd is restarted; keep the
# current session open and confirm that a fresh login works before closing it.
$ vi /etc/ssh/sshd_config
$ service sshd restart

本地搭建

安装 git

# Install git on the local machine (scoop is a Windows command-line package manager)
$ scoop install git
# Configure the git identity that is recorded in commits
$ git config --global user.name "findthewayxf"
$ git config --global user.email "findthewayxf@gmail.com"

安装 nodejs

# Install Node.js with scoop
$ scoop install nodejs

安装 hexo

# Install the Hexo command-line tool globally
$ npm install -g hexo-cli
# Initialise the site folder (<folder> is a placeholder for its name)
$ hexo init <folder>
$ cd <folder>
$ npm install
# Install the local preview server
$ npm install hexo-server --save
# Install the git deployer plugin
$ npm install hexo-deployer-git --save

推送设置

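# In _config.yml, set the following options.
# The keys below must be indented under `deploy:`; at column 0 they would be
# read as unrelated top-level settings.

deploy:
  type: git
  # `ip` and `端口` (port) are placeholders for the VPS address and its SSH port.
  # NOTE(review): this URL pushes as root over SSH, so the key used for
  # deployment carries full root access and the post-receive hook runs as root.
  # A dedicated unprivileged account that owns the repository and the web root
  # would limit what a leaked deploy key can do.
  repo: ssh://root@ip:端口/home/git/blog.git
  branch: master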

vps 配置

       通过在本地编辑文本,然后使用Git远程部署到VPS的Git仓库。hexo d命令实际上只deploy了本地的public文件夹,Git Hooks实际上就是当Git仓库收到最新的push时,将Git仓库接收到的内容复制到VPS上的网站目录内。相当于完成了手动将public文件夹复制到VPS的网站根目录里。

git 安装设置

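# `//` does not start a comment in shell; the notes are now real `#` comments
# so they are not passed to the commands as extra arguments.
# Install git on the VPS
$ yum install git
# Show the installed git version
$ git --version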

创建仓库

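# Create the bare repository that receives the deployed site.
# `//` does not start a comment in shell: typed as-is, the original trailing
# notes would be passed as extra arguments (for `git init --bare` that is the
# directory to create). They are written as `#` comments here.
# NOTE(review): nothing on this page creates a `git` user; run as root, these
# commands leave /home/git owned by root.
$ cd /home
# Create the directory that will hold the repository
$ mkdir git
$ cd git
# Create the repository folder (blog.git in this example)
$ mkdir blog.git
# Enter the repository directory
$ cd blog.git
# --bare initialises a bare repository, i.e. one without a working tree
$ git init --bare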

配置 git hooks

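# Notes are `#` comments here; `//` is not a shell comment and would be passed
# to `cd` and `vi` as extra arguments.
# Switch to the repository's hooks directory
$ cd /home/git/blog.git/hooks
# Create the hook script with the content shown below, then save with :wq
$ vi post-receive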
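#!/bin/bash
# post-receive hook: publish the pushed site into the nginx web root.
# Clones the bare repository into a scratch directory, then replaces the
# contents of PUBLIC_WWW with the files from that clone.
#
# Stop at the first failing command: without this, a failed clone would still
# be followed by the wipe of the web root, leaving the site empty.
set -euo pipefail

GIT_REPO=/home/git/blog.git
PUBLIC_WWW=/var/www/blog

# Use a fresh, unpredictable scratch directory rather than a fixed /tmp/blog
# path that any local user could create in advance (this hook runs as the
# pushing account, which is root with the deploy URL given on this page).
TMP_GIT_CLONE=$(mktemp -d)
trap 'rm -rf -- "$TMP_GIT_CLONE"' EXIT

git clone -- "$GIT_REPO" "$TMP_GIT_CLONE"

# ${PUBLIC_WWW:?} aborts instead of expanding to "/*" if the variable is ever
# empty or unset. The glob skips dotfiles, so the clone's .git directory is
# not copied into the web root.
rm -rf -- "${PUBLIC_WWW:?}"/*
cp -rf -- "$TMP_GIT_CLONE"/* "$PUBLIC_WWW"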
# Make the hook executable; git does not run a hook file that lacks the execute bit
$ chmod +x post-receive

创建网站目录

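# Create the web root that nginx serves and that the post-receive hook fills.
# Notes are `#` comments here; `//` is not a shell comment, so the original
# trailing notes would have been passed to rm/mkdir/cd as extra path arguments.
$ cd /var/
# Remove the existing www folder.
# This deletes everything currently under /var/www; skip it if other sites
# are served from there.
$ rm -rf www
# Recreate the www folder
$ mkdir www
# Switch into it
$ cd /var/www/
# Create the site directory (blog in this example)
$ mkdir blog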

Nginx

包管理器安装 nginx

https://nginx.org/en/linux_packages.html

# Create the yum repository definition for the nginx.org packages (content shown below)
nano /etc/yum.repos.d/nginx.repo
# Stable-branch nginx packages; this is the repository yum installs from (enabled=1).
[nginx-stable]
name=nginx stable repo
# Metadata and packages are fetched over plain HTTP; integrity relies on the
# signature check below rather than on the transport.
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
# gpgcheck=1 makes yum verify each package signature against the key named in
# gpgkey, which is itself fetched over HTTPS. Do not set this to 0.
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

# Mainline-branch packages; defined but disabled (enabled=0).
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
# Install nginx from the repository defined above.
# -y also answers "yes" to the prompt that imports the repository signing key;
# run without -y to compare the key fingerprint with the one published on
# nginx.org before accepting it.
yum install nginx -y

配置 nginx

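$ cd /etc/nginx/conf.d
# Back up the packaged default site configuration.
# The note is a `#` comment here: with the original trailing `//...` text, cp
# receives three arguments and fails, so no backup would be made.
$ cp default.conf default.bak
# Replace the contents with the server block shown below
$ vi default.conf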
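# Plain-HTTP virtual host that serves the generated blog from /var/www/blog.
server {
    listen 80;
    root /var/www/blog;
    server_name xxx.com;
    access_log /var/log/nginx/blog_access.log;
    error_log /var/log/nginx/blog_error.log;
    error_page 404 = /404.html;

    # Images: not written to the access log, cached by clients for one day.
    location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
        root /var/www/blog;
        access_log off;
        expires 1d;
    }

    # Stylesheets, scripts and similar assets: cached for ten minutes.
    location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
        root /var/www/blog;
        access_log off;
        expires 10m;
    }

    location / {
        root /var/www/blog;
        # NOTE(review): this rewrites an existing file's URI to itself and
        # stops, which looks like a no-op - confirm before removing.
        if (-f $request_filename) {
            rewrite ^/(.*)$ /$1 break;
        }
    }

    # stub_status reports live connection and request counters. It is limited
    # to requests from the host itself so the counters are not readable by
    # every visitor; add an `allow` line for a monitoring address if needed.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

}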

docker nginx 部署配置

# Run nginx in a detached container that restarts automatically.
# Host networking means nginx binds the host's ports directly (no -p mapping),
# so the host firewall has to accept the ports the configuration listens on.
# Mounted from the host: timezone file, main nginx.conf, conf.d/, the blog web
# root (as /var/www/html) and the TLS certificate/key directory (as /var/www/ssl).
# NOTE(review): all mounts are read-write; appending :ro should be enough if
# the image only reads them - confirm against the image.
# NOTE(review): the image comes from a third-party repository and is referenced
# by tag; pinning it by digest fixes exactly which image content is run.
docker run --detach --name nginx --network host --restart always \
  --volume /etc/localtime:/etc/localtime \
  --volume /etc/nginx/nginx.conf:/etc/nginx/nginx.conf \
  --volume /etc/nginx/conf.d/:/etc/nginx/conf.d/ \
  --volume /var/www/blog/:/var/www/html/ \
  --volume /etc/nginx/ssl/:/var/www/ssl/ \
  jacyl4/de_gwd_nginx:1.19.4
# Port 80 only redirects: every plain-HTTP request is answered with a
# permanent redirect to the same URI on HTTPS.
server {
    listen 80;
    server_name harlon.me;
    return 301 https://$server_name$request_uri;
}

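# HTTPS virtual host for the blog: TLS 1.2/1.3 over TCP plus a QUIC listener on
# UDP 443, serving static files from /var/www/html inside the container.
server {
    listen 443 quic reuseport;
    listen 443 ssl http2 fastopen=128 reuseport;
    server_name harlon.me;
    root /var/www/html;
    index index.php index.html index.htm;

    # Certificate and private key come from the host's /etc/nginx/ssl mount.
    # NOTE(review): the key directory sits under /var/www; it is outside `root`
    # here, but keep it out of any path that is ever used as a document root.
    ssl_certificate /var/www/ssl/harlon.me.cer;
    ssl_certificate_key /var/www/ssl/harlon.me.key;

    add_header alt-svc 'quic=":443"; h3-27=":443"; h3-25=":443"; h3-T050=":443"; h3-Q050=":443"; h3-Q049=":443"; h3-Q048=":443"; h3-Q046=":443"; h3-Q043=":443"; ma=86400';

    # Response headers. Only the HSTS line carries `always`; the others are
    # added to successful and redirect responses but not to error pages.
    add_header Referrer-Policy no-referrer;
    add_header X-Content-Type-Options nosniff;
    add_header X-Download-Options noopen;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Robots-Tag none;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # RSA+3DES has been dropped from the end of this list: 3DES is a 64-bit
    # block cipher, and TLS 1.2 clients can negotiate the AES or ChaCha20
    # suites listed before it.
    # NOTE(review): the remaining RSA+AES128+SHA / RSA+AES256+SHA entries use
    # static RSA key exchange and give no forward secrecy - consider removing
    # them if no client depends on them.
    ssl_ciphers TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+ECDSA+AESGCM+AES128:EECDH+ECDSA+CHACHA20:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:EECDH+aRSA+AESGCM+AES128:EECDH+aRSA+CHACHA20:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA;
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 4k;

    # TLS 1.3 early data (0-RTT) can be replayed by a network attacker. That is
    # acceptable for idempotent requests to static files; anything that changes
    # state behind this server must check the Early-Data header.
    # NOTE(review): no proxy_pass appears in this server block, so the
    # proxy_set_header line looks unused here - confirm.
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

    error_page 404 = /404.html;
    # Exact match: only /404.html is served from the error directory.
    location = /404.html {
        root /var/www/ssl/error;
    }

    # Images: not written to the access log, cached by clients for one day.
    location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
        root /var/www/html;
        access_log off;
        expires 1d;
    }

    # Stylesheets, scripts and similar assets: cached for ten minutes.
    location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
        root /var/www/html;
        access_log off;
        expires 10m;
    }

    location / {
        root /var/www/html;
        # NOTE(review): this rewrites an existing file's URI to itself and
        # stops, which looks like a no-op - confirm before removing.
        if (-f $request_filename) {
            rewrite ^/(.*)$ /$1 break;
        }
    }

    # stub_status reports live connection and request counters. It is limited
    # to requests from the host itself so the counters are not readable by
    # every visitor; add an `allow` line for a monitoring address if needed.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

}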
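# Main nginx configuration: process settings, connection limits, and the
# http-level defaults shared by every server block under conf.d/.

# Worker processes run as the unprivileged www-data user and group.
user  www-data www-data;
pid /run/nginx.pid;

worker_processes auto;
worker_rlimit_nofile 100000;

events {
    worker_connections 100000;
    multi_accept on;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 64 4k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;

    client_header_timeout 60;
    client_body_timeout 60;
    reset_timedout_connection on;
    types_hash_max_size 2048;

    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_types text/plain
        text/javascript
        text/css
        text/js
        text/xml
        text/x-component
        text/x-json
        font/opentype
        application/x-font-ttf
        application/javascript
        application/x-javascript
        application/x-web-app-manifest+json
        application/json
        application/atom+xml
        application/xml
        application/xml+rss
        application/xhtml+xml
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon;

    brotli on;
    brotli_static on;
    brotli_comp_level 6;
    brotli_buffers 16 8k;
    brotli_min_length 20;
    brotli_window 16m;
    brotli_types *;

    # Access logging is off by default; a server block can turn it back on with
    # its own access_log directive. With it off there is no request record to
    # consult when investigating an incident.
    access_log off;
    # error_log has no `off` value: `error_log off;` writes errors to a file
    # literally named "off". Errors go to stderr instead, which `docker logs`
    # captures for the container setup on this page.
    error_log stderr;
    log_not_found off;

    include /etc/nginx/conf.d/*.conf;
}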