阿里云:轻量应用服务器,2核心CPU,0.5G内存,峰值带宽200M,系统为纯净debian11.3。
声明:请注意,由于夜梦星尘使用的服务器内存配置过低,故本文不使用MySQL数据库,本文使用的sqlite方法仅适用于个人博客(小流量小范围),如配置不当有泄露风险!
本文纯命令行操作,不使用宝塔面板。同时解决阿里云debian11.3系统可能存在的apt源报错,以及安装过程中目录权限、上传目录无法写入等问题。
前期准备工作可以参考夜梦写的远古文章:
apt update && apt upgrade -y若执行apt update报错“无Release file”,先执行以下命令更换官方安全源,避免后续安装失败:
mv /etc/apt/sources.list /etc/apt/sources.list.bak
cat > /etc/apt/sources.list << EOF
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://deb.debian.org/debian-security bullseye-security main contrib non-free
EOF
apt updateapt install wget unzip -yapt install nginx -y
# 设置开机自启并启动Nginx
systemctl enable nginx
systemctl start nginx验证:此步完成后可浏览器访问服务器公网IP,如果看到Nginx默认欢迎页,即为安装成功。
PHP版本推荐7.4,适配typecho1.3。
apt install php7.4-fpm php7.4-sqlite3 php7.4-gd php7.4-mbstring php7.4-xml php7.4-curl -y
# 设置开机自启并启动PHP-FPM
systemctl enable php7.4-fpm
systemctl start php7.4-fpmtypecho官网:Download – Typecho Official Site
cd /tmp
wget https://github.com/typecho/typecho/releases/latest/download/typecho.zip在www目录下创建typecho文件夹,用来放我们的网站程序:
# 创建Typecho根目录
mkdir -p /var/www/html/typecho
# 移动压缩包到根目录
mv /tmp/typecho.zip /var/www/html/typecho/解压网站程序zip:
cd /var/www/html/typecho
# 解压压缩包
unzip typecho.zip设置755权限,安全配置(仅给上传目录可写权限):
chmod -R 755 /var/www/html/typecho/usr/uploads
chown -R www-data:www-data /var/www/html/typecho/usr/uploads创建nginx配置文件,此处需要域名:
vim /etc/nginx/sites-available/typecho请注意,一定要按此文件进行配置,可多不少,这样别人爆破了数据库地址也下载不了,会返回403。
配置文件内容如下,可直接复制后修改使用,按i进入编辑模式,完成后按Esc退出编辑模式,并输入:wq保存、退出编辑。
| 配置项 | 是否必须修改 | 示例内容 | 说明 |
|---|---|---|---|
server_name | 必须 | example.com www.example.com | 修改为自己的域名 |
root | 必须 | /var/www/site | 修改为自己的网站目录 |
ssl_certificate | 必须 | /etc/letsencrypt/live/example.com/fullchain.pem | 修改为自己的 SSL 证书路径 |
ssl_certificate_key | 必须 | /etc/letsencrypt/live/example.com/privkey.pem | 修改为自己的 SSL 私钥路径 |
fastcgi_pass | 必须 | unix:/run/php/php-fpm.sock | 修改为自己服务器对应的 PHP-FPM 版本 |
access_log | 可选 | /var/log/nginx/site_access.log | 可改为自己的日志文件名 |
error_log | 可选 | /var/log/nginx/site_error.log | 可改为自己的错误日志文件名 |
listen 443 ssl http2 | 可选 | listen 443 ssl http2; | 新版 Nginx 推荐开启 HTTP2 |
Strict-Transport-Security | 可选 | max-age=31536000 | 确认 HTTPS 正常后再开启 HSTS |
具体配置内容如下:
# =====================================================
# HTTP -> HTTPS
# =====================================================
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
# =====================================================
# HTTPS
# =====================================================
server {
listen 443 ssl;
listen [::]:443 ssl;
# 如果确认 HTTP2 没问题,可以改回:
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
server_name example.com www.example.com;
root /var/www/site;
index index.php index.html;
charset utf-8;
# =====================================================
# SSL
# =====================================================
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# =====================================================
# 基础安全
# =====================================================
server_tokens off;
autoindex off;
client_max_body_size 20m;
# =====================================================
# 安全 Header
# =====================================================
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS(确认 HTTPS 正常后再保留)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 必须单行,避免 HTTP2 协议错误
add_header Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self';" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
# =====================================================
# 限制请求方法
# =====================================================
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 403;
}
# =====================================================
# 隐藏文件
# =====================================================
location ~ /\.(?!well-known).* {
deny all;
}
# =====================================================
# 禁止数据库文件访问
# =====================================================
location ~* \.(db|sqlite|sqlite3|db3|sql|wal|shm)$ {
deny all;
}
# =====================================================
# 禁止敏感文件
# =====================================================
location ~* \.(ini|conf|log|sh|bak|env)$ {
deny all;
}
# =====================================================
# Typecho 核心保护
# =====================================================
location ^~ /usr/var/ {
deny all;
}
location ^~ /var/ {
deny all;
}
# =====================================================
# 上传目录禁止 PHP 执行
# =====================================================
location ~* /(usr/uploads|uploads|files|backup|temp)/.*\.(php|php5|phtml|phar)$ {
deny all;
}
# =====================================================
# 静态资源缓存
# =====================================================
location ~* \.(jpg|jpeg|png|gif|ico|css|js|webp|svg|woff|woff2)$ {
expires 30d;
access_log off;
add_header Cache-Control "public";
}
# =====================================================
# Typecho 伪静态
# =====================================================
location / {
try_files $uri $uri/ /index.php?$args;
}
# =====================================================
# PHP 解析
# =====================================================
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
# 根据自己的 PHP 版本修改
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_read_timeout 300;
}
# =====================================================
# 禁止访问 composer / git
# =====================================================
location ~* /(composer\.(json|lock)|package\.json|yarn\.lock|\.git) {
deny all;
}
# =====================================================
# 日志
# =====================================================
access_log /var/log/nginx/site_access.log;
error_log /var/log/nginx/site_error.log;
}下图仅为示例,和实际代码不同。
# 启用站点(创建软链接)
ln -s /etc/nginx/sites-available/typecho /etc/nginx/sites-enabled/
# 检查配置是否有误
nginx -t
# 重启Nginx,使配置生效
systemctl restart nginx若nginx -t提示“test is successful”,说明配置无误;若报错,检查域名替换是否正确、配置文件语法是否有误。
阿里云服务器默认开放443与80端口,如果没开可以手动操作一下。
ufw allow 80
ufw allow 443
ufw enable提示“Command may disrupt existing ssh connections.”,按y确认即可。
浏览器输入你的域名(如:http://yemengstar.top),会自动进入Typecho安装向导。
直接选择sqlite原生函数适配器,别的配置默认不动。
点击“确认,开始安装”,继续下一步。
点击“完成安装”,提示“安装成功”后,即可进入Typecho后台(域名/admin)。
进入Typecho后台 → 设置 → 永久链接 → “是否使用地址重写功能” → 开启保存,链接会更简洁。
强烈建议开启SSL!把www.yemengstar.top和yemengstar.top修改成你自己的域名。
apt install certbot python3-certbot-nginx -y
# 自动配置SSL,替换成自己的域名
certbot --nginx -d yemengstar.top -d www.yemengstar.top按提示操作,输入你的邮箱、同意协议(Y),完成后会自动配置HTTPS,重启Nginx生效,浏览器访问会显示“小锁”图标。
重启nginx:
systemctl restart nginx完成。
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。