Setting up personal Git Pages on CentOS 7

Git Pages is a web page hosting platform built on top of a git service. A git push combined with a git hook script is a neat way to get the committed files into the web server's virtual directory. GitHub, Netlify, Coding and others already offer free git pages, so why go to the trouble of building git pages on your own VPS? Because the git pages those providers offer come with limits: relatively small storage, incomplete or no support for dynamic pages, slower access, and so on. That is where self-hosted git pages show their advantage. The rest of this post walks through setting up the service step by step.

1. Install Git

$ yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
$ yum install git

Next, create a git group and a git user to run the git service:

$ groupadd git
$ useradd git -g git

2. Set up SSH key login

Collect the public keys of every user who needs to log in. Each public key is in that user's id_rsa.pub file; add them to /home/git/.ssh/authorized_keys, one key per line.

If that file does not exist yet, create it:

$ mkdir -p  /home/git/.ssh
$ chmod 755 /home/git/.ssh
$ touch /home/git/.ssh/authorized_keys
$ chmod 644 /home/git/.ssh/authorized_keys
# the directory and file were created as root above; hand them to the git user so it can manage its own keys
$ chown -R git:git /home/git/.ssh

Client machine

# copy the client's public key into /home/git/.ssh/authorized_keys on the VPS
$ cat ~/.ssh/id_rsa.pub

3. Set up the git repository

$ mkdir -p /data/git
$ chown git:git /data/git
# chgrp takes a group name, not a mode; the permission bits are set with chmod
$ chmod -R 755 /data/git
$ cd /data/git
$ git init --bare blog.git
$ chown -R git:git blog.git
$ vim /data/git/blog.git/hooks/post-receive

Contents of the post-receive hook (git runs it after every push; it checks the pushed tree out into the web root):

#!/bin/bash
git --work-tree=/data/blog --git-dir=/data/git/blog.git checkout -f

$ chmod +x /data/git/blog.git/hooks/post-receive
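A hardened variant of the one-line hook above, added here as an example (it is not the original post's code): it publishes only when the master branch is pushed, ignores tags, other branches and branch deletions, and logs each deployment. The repository, work-tree, branch and log paths are assumptions taken from this post's layout and can be overridden through environment variables; /data/blog must be writable by the git user that runs the hook.

```bash
#!/bin/bash
# Hypothetical hardened post-receive hook for /data/git/blog.git (added example,
# not the original post's one-liner). Git feeds one "<oldrev> <newrev> <refname>"
# line per updated ref on stdin; only a push to the deploy branch is published.
set -eu

GIT_DIR_PATH=${GIT_DIR_PATH:-/data/git/blog.git}   # bare repository (assumed path)
WORK_TREE=${WORK_TREE:-/data/blog}                  # nginx web root, writable by the git user
DEPLOY_REF=${DEPLOY_REF:-refs/heads/master}         # the only ref that gets deployed
LOG_FILE=${LOG_FILE:-/data/git/deploy.log}          # assumed log location
ZERO_REV=0000000000000000000000000000000000000000   # newrev git reports for a deleted ref

# Succeeds only for the branch we publish; tags and other branches are ignored.
should_deploy() {
    [ "$1" = "$DEPLOY_REF" ]
}

# Checks the pushed commit out into the web root and records what was deployed.
deploy() {
    local newrev=$1
    local branch=${DEPLOY_REF#refs/heads/}
    git --work-tree="$WORK_TREE" --git-dir="$GIT_DIR_PATH" checkout -f "$branch"
    printf '%s deployed %s to %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$newrev" "$WORK_TREE" >> "$LOG_FILE"
}

main() {
    local oldrev newrev refname
    while read -r oldrev newrev refname; do
        if ! should_deploy "$refname"; then
            echo "post-receive: ignoring push to $refname" >&2
        elif [ "$newrev" = "$ZERO_REV" ]; then
            echo "post-receive: $refname was deleted, nothing to deploy" >&2
        else
            deploy "$newrev"
        fi
    done
}

# Run the hook body only when git invokes this file as hooks/post-receive,
# so the functions can also be sourced and checked on their own.
case "$(basename -- "$0")" in
    post-receive) main ;;
esac
```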

4. Set up the web service

nginx needs to be installed first; see my other article, 《nginx学习笔记》 (nginx study notes).

Once nginx is installed, configure the nginx web service.

$ mkdir -p /data/blog
$ chmod -R 777 /data/blog/
$ vim /etc/nginx/conf.d/blog.conf

Since the post-receive hook runs as the git user, making /data/blog world-writable is more than it needs; chown git:git /data/blog with mode 755 is enough for the hook to write and nginx to read.

server {
    listen 80;
    server_name qcmoke.site; # your own domain
    location / {
        root /data/blog; # web root directory
        index index.html;
    }
}

# start nginx (if it is not running yet)
$ nginx
# start nginx at boot
$ systemctl enable nginx.service
# reload the nginx configuration
$ nginx -s reload

5. Configure HTTPS

Here a free SSL CA certificate is obtained from Let's Encrypt. The steps to get one are a little fiddly, but it supports wildcards and costs nothing, so why not? You can of course use another free SSL certificate, for example Alibaba Cloud's free certificate; how to get one there is not covered here, see the Alibaba Cloud site if you are interested.

To obtain a Let's Encrypt certificate, download the certbot-auto automation tool and request the certificate with it. (certbot-auto has since been deprecated by its maintainers in favour of the packaged certbot client; the prompts below are the same.)

# download certbot-auto
$ wget https://dl.eff.org/certbot-auto
# make certbot-auto executable
$ chmod a+x ./certbot-auto

The interactive configuration process


#### Here a certificate is requested for both qcmoke.site and *.qcmoke.site, so the apex domain and all of its subdomains share one certificate; replace the domain with your own
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.qcmoke.site" -d "qcmoke.site" --manual --preferred-challenges dns-01 certonly

#### When the following appears, enter your email address (used for urgent renewal and security notices)
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

#### When the following appears, enter A to agree
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

#### When the following appears, enter Y to agree
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

#### When the following appears, enter Y to confirm
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

#### When the following appears, add a TXT record in your DNS with the given name and value, then press Enter to continue
# DNS TXT record: the host record is _acme-challenge and the value is apQPzp-xxxxxxxxxx_BlOSOJTYAo
# Open another window and run dig -t txt _acme-challenge.qcmoke.site to check that the TXT record resolves, since propagation usually takes a little while. (If dig is missing, install it with yum -y install bind-utils.)
Please deploy a DNS TXT record under the name
_acme-challenge.qcmoke.site with the following value:
apQPzp-xxxxxxxxxx_BlOSOJTYAo
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

#### The following output means it succeeded
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/qcmoke.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/qcmoke.site/privkey.pem
Your cert will expire on 2018-12-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Configure PFS parameters (optional)

Generate Diffie-Hellman parameters for Perfect Forward Secrecy (PFS); this step can be skipped.

$ mkdir /etc/ssl/private/ -p
$ cd /etc/ssl/private/
# the bit size is a positional argument and must come after the options
$ openssl dhparam -out dhparam.pem 2048

Configure the nginx web service

$ vim /etc/nginx/conf.d/blog.conf

Requirement: http://qcmoke.site, http://www.qcmoke.site and https://qcmoke.site all redirect to https://www.qcmoke.site, and images are served compressed.

server {
    server_name www.qcmoke.site;
    listen 80;
    #rewrite ^ https://$server_name$request_uri? permanent;
    #rewrite ^(.*)$ https://$server_name$1 permanent;
    return 301 https://$server_name$request_uri;
}
server {
    server_name qcmoke.site;
    listen 80;
    listen 443 ssl;

    # if qcmoke.site and www.qcmoke.site are covered by the same wildcard certificate, configure that same certificate here; otherwise use the certificate issued for qcmoke.site itself
    #ssl_certificate /etc/letsencrypt/live/qcmoke.site/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/qcmoke.site/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/qcmoke.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qcmoke.site/privkey.pem;
    rewrite ^(.*)$ https://www.$server_name$1 permanent;
}


server {
    listen 443 ssl;
    server_name www.qcmoke.site;
    charset utf-8;
    root /data/blog;
    index index.html index.htm;


    location ~ .*\.(jpg|png|gif)$ {
        # root /data/blog/images;
        # transfer compression: compressing costs server CPU but saves bandwidth; used judiciously it makes resources load faster
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        # file types to compress; normally pick only what you need, but a generous list is used here so types can be added later. The names come from /etc/nginx/mime.types
        # (the directive name was written twice in the original; jpeg/png/gif are already compressed formats, so gzip gains little on them)
        gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        # cache lifetime of static resources on the client; the browser only re-fetches when the cache is cleared, disabled, or a forced reload is done
        expires 5h;
    }

    #access_log /var/log/nginx/demo.mydomain.com_access.log;
    #error_log /var/log/nginx/demo.mydomain.com_error.log;

    # files generated by letsencrypt
    #ssl_certificate /etc/letsencrypt/live/www.qcmoke.site/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/www.qcmoke.site/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/qcmoke.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qcmoke.site/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # session tickets are encrypted with a key nginx only rotates on restart, which weakens forward secrecy on long-running workers
    ssl_session_tickets on;

    # Perfect Forward Secrecy parameters; if you did not generate them above, this line can be left out
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated; once your clients allow it, keep only TLSv1.2 (and TLSv1.3 where nginx and OpenSSL support it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # recommended ssl_ciphers values: https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

}

Reload the configuration

# check the syntax first so a typo does not take the site down
$ nginx -t
$ nginx -s reload

6. Test

Client machine

$ git clone git@qcmoke.site:/data/git/blog.git
$ cd blog/
$ echo "<h1>Qcmoke Blog</h1>" >> index.html
$ git add .
$ git commit -m "init my blog"
$ git push -u origin master

Afterwards, opening http://qcmoke.site in a browser shows the index.html that was just pushed to the server.

7. SSL renewal

By default Let's Encrypt certificates are valid for only three months. When half a month of validity remains, Let's Encrypt emails you a reminder to renew the certificate. You can also check the remaining validity with the following command:

$ /data/ssl/certbot-auto certificates

💁‍♂ Tip: append --no-self-upgrade to the command to stop the certbot-auto script from updating itself.

Manual renewal

$ /data/ssl/certbot-auto renew -v

If you use a wildcard domain, then unfortunately you cannot renew quickly with a plain certbot-auto renew. Try the following command instead:

$ /data/ssl/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.qcmoke.site" -d "qcmoke.site" \
--manual --preferred-challenges dns-01 certonly

The complete run looks like this (much the same as the first certificate request above):

[root@iz2ze4uom6jrktiqj54y48z ~]# /data/ssl/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.qcmoke.site" -d "qcmoke.site" --manual --preferred-challenges dns-01 certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for qcmoke.site

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: (Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qcmoke.site with the following value:

HEvkEIqlCexoTLgrKGsCslDaPUKU3lCtiPGy4lEbJK4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/qcmoke.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/qcmoke.site/privkey.pem
Your cert will expire on 2020-10-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

$ nginx -s reload
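Both the first request and the renewal above stop at the "Please deploy a DNS TXT record" prompt and leave it to you to check with dig that the record is visible. The helper below is an added example (not certbot's code and not from the original post) that automates that check: it parses dig +short output and polls until the expected challenge value appears. The record name, the placeholder value and the @nameserver are assumptions; query one of your zone's authoritative servers so a cached answer from the local resolver does not fool you.

```bash
#!/bin/bash
# Added helper: confirm the _acme-challenge TXT record is visible before
# pressing Enter in certbot's manual dns-01 prompt. Not part of certbot.
set -eu

# Reads `dig +short -t TXT` output on stdin and succeeds if one record equals
# the expected challenge value. dig prints each record quoted and splits
# strings longer than 255 bytes into several quoted chunks ("abc" "def"),
# so the chunk separators and surrounding quotes are removed before comparing.
has_txt_value() {
    expected=$1
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fxq -- "$expected"
}

# Polls DNS until the record appears or the attempts run out.
# Usage: wait_for_txt <name> <expected> [attempts] [seconds_between] [@nameserver]
wait_for_txt() {
    name=$1; expected=$2; attempts=${3:-20}; pause=${4:-15}; server=${5:-}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short $server -t TXT "$name" | has_txt_value "$expected"; then
            echo "TXT record for $name is live"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$attempts: record not visible yet, retrying in ${pause}s" >&2
        sleep "$pause"
    done
    return 1
}

# Example invocation with the record name and the placeholder value from the
# certbot prompt above; the nameserver is a hypothetical authoritative server.
# wait_for_txt _acme-challenge.qcmoke.site apQPzp-xxxxxxxxxx_BlOSOJTYAo 20 15 @ns1.example.invalid
```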

Automatic renewal

For wildcard domains this is more involved, because the TXT record has to be added to DNS by hand, so the process is fiddly and is not covered here.

If you are not requesting a wildcard certificate, a Linux cron job can take care of automatic renewal.

sudo crontab -e

Append at the end:

0 3 1 * * /data/ssl/certbot-auto renew --renew-hook "sudo nginx -s reload"

Run sudo crontab -l to check that the job you just added is present. Since certbot's renew only replaces certificates that are within 30 days of expiry, the job is safe to run more often than once a month, which leaves room to retry if one run fails.

8. Troubleshooting

certbot-auto hangs at "Installing Python packages…"?

$ vim /data/ssl/certbot-auto
# replace the following line
#DEFAULT_INDEX_BASE = 'https://pypi.python.org'
DEFAULT_INDEX_BASE = 'https://mirrors.aliyun.com/pypi'

9. Fixing "Couldn't download https://raw.githubusercontent.com"

Option 1:

Add --no-self-upgrade to the renewal command and it runs without updating itself.

Option 2:

# pin the host in /etc/hosts; the address can change over time, so remove the entry once it is no longer needed (the download itself is still over HTTPS, so certificate validation applies)
cat >> /etc/hosts <<-EOF
199.232.4.133 raw.githubusercontent.com
EOF
