This article describes how to enable the QUIC protocol with Caddy.
QUIC (Quick UDP Internet Connection) is a low-latency, UDP-based transport-layer Internet protocol designed by Google. In November 2016 the Internet Engineering Task Force (IETF) held the first QUIC working group meeting, which drew wide attention from the industry. This marked the start of QUIC's standardization process as a new-generation transport-layer protocol.
1. Install the Caddy server. This article uses CentOS 7.5.
curl https://getcaddy.com | bash -s personal http.cache,http.geoip,http.git,http.grpc
Downloading Caddy for linux/amd64...
https://caddyserver.com/download/linux/amd64?plugins=
Extracting...
Putting caddy in /usr/local/bin (may require password)
[sudo] password for sammy:
Caddy 0.10.2
Successfully installed
Check where caddy was installed:
which caddy
/usr/local/bin/caddy
For security reasons, do not run the Caddy binary as root. To allow Caddy to bind to privileged ports (for example 80 and 443) as a non-root user, run the following setcap command:
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
Create a dedicated system user and group named caddy. This user is only used to run the Caddy service and cannot be used to log in.
sudo useradd -r -d /var/www -M -s /sbin/nologin caddy
Set up the site root directory /var/www:
sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www
Create the directory for SSL certificates and set its permissions. The permissions matter here.
sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy
Create the directory for the Caddy configuration file and set its permissions.
sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy
Create the Caddyfile, set its permissions, and write a minimal configuration. This is only a simple example; see the official documentation for further configuration options.
sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
example.com {
    root /var/www/example.com
    gzip
    tls admin@example.com
}
EOF
Create the systemd service unit for Caddy:
sudo vi /etc/systemd/system/caddy.service
Enter the following content and save the file.
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
Start the Caddy service and enable it to start automatically at boot:
sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service
If the firewall is enabled, you also need to add firewall rules to open ports 80 and 443, as follows:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
Create a test page for your site:
echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html
Restart the Caddy service to load the new configuration:
sudo systemctl restart caddy.service
You should now see the sample home page.
2. Install PHP 7.4
Because the default PHP version on CentOS is still the ancient PHP 5.6, while the latest release is currently 7.4 (at RC stage), PHP 7.4 can only be installed from a third-party repository.
First install the EPEL repository, the Remi repository and the yum repository management tool (yum-utils), then refresh the yum cache:
rpm -vih http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install yum-utils
yum clean all && yum makecache
Set the default PHP version to php74. To install a different version, enable the corresponding repository instead, e.g. 5.6, 7.0, 7.3 or 7.4.
yum-config-manager --enable remi-php74
Install the PHP core packages:
yum -y install php php-fpm php-opcache
Install the commonly used PHP extensions:
yum -y install php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-soap curl curl-devel
If you want to install other PHP components, you can list the installed PHP packages as follows:
rpm -qa | grep 'php'
php-json-7.4.0~RC3-5.el7.remi.x86_64
php-7.4.0~RC3-5.el7.remi.x86_64
php-xml-7.4.0~RC3-5.el7.remi.x86_64
php-gd-7.4.0~RC3-5.el7.remi.x86_64
php-common-7.4.0~RC3-5.el7.remi.x86_64
php-cli-7.4.0~RC3-5.el7.remi.x86_64
php-opcache-7.4.0~RC3-5.el7.remi.x86_64
php-process-7.4.0~RC3-5.el7.remi.x86_64
php-fedora-autoloader-1.0.0-1.el7.noarch
php-mbstring-7.4.0~RC3-5.el7.remi.x86_64
php-odbc-7.4.0~RC3-5.el7.remi.x86_64
php-xmlrpc-7.4.0~RC3-5.el7.remi.x86_64
php-ldap-7.4.0~RC3-5.el7.remi.x86_64
php-soap-7.4.0~RC3-5.el7.remi.x86_64
php-pdo-7.4.0~RC3-5.el7.remi.x86_64
php-pear-1.10.9-3.el7.remi.noarch
php-mysqlnd-7.4.0~RC3-5.el7.remi.x86_64
php-fpm-7.4.0~RC3-5.el7.remi.x86_64
Set up the PHP service: enable php-fpm at boot and start it.
systemctl enable php-fpm
systemctl start php-fpm
vi /etc/php-fpm.d/www.conf
Change the user = and group = fields (normally found in /etc/php-fpm.conf or /etc/php-fpm.d/www.conf) to caddy and caddy, the user and group the Caddy server runs as, then start php-fpm:
systemctl start php-fpm
3. Modify the Caddy configuration
mkdir -p /etc/caddy
mkdir -p /etc/caddy/conf
echo 'import ./conf/*' | sudo tee -a /etc/caddy/Caddyfile
sudo mkdir -p /etc/ssl/caddy
4. Enable the QUIC protocol in Caddy
Edit /etc/systemd/system/caddy.service and append -quic to the line ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp, as shown below. Restart the service to enable QUIC.
vim /etc/systemd/system/caddy.service
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp -quic
sudo systemctl daemon-reload
sudo systemctl restart caddy.service
Example site configuration with PHP enabled. Make sure PHP-FPM is running and listening on the specified unix socket or address; check the value after the listen = field in php-fpm.conf and use it as the FastCGI upstream address in the Caddy configuration.
abc.com {
    tls XXX@XXX.com
    root /data/wwwroot/abc.com
    gzip
    fastcgi / 127.0.0.1:9000 php
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?_url={uri}
    }
}
Note: PHP is connected to Caddy through FastCGI, so the user name and the listen value (the socket or address) in the php-fpm configuration must match the corresponding settings in Caddy.
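To keep the php-fpm pool and the Caddyfile in agreement, the following added example (not part of the original article) reads the listen = and user = settings from a pool file and derives the Caddy v1 fastcgi directive from them, failing when the pool does not run as Caddy's user. The pool file contents are constructed samples; the `php` preset and the endpoint forms are those of the Caddy v1 fastcgi directive.

```shell
# Added example, not part of the original article: derive the Caddy v1 "fastcgi"
# directive from a php-fpm pool file so Caddyfile and php-fpm never disagree.
# The pool file contents below are constructed samples.

# Print one "key = value" setting from a php-fpm pool file, ignoring ';' comments.
fpm_setting() {  # $1 = pool file, $2 = key (e.g. listen, user, listen.owner)
    sed -n -e 's/;.*$//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Caddy 1 treats an endpoint starting with "/" or "unix:" as a Unix socket and
# anything else as host:port, so the listen= value can be passed through as-is.
caddy_fastcgi_line() {  # $1 = pool file
    endpoint=$(fpm_setting "$1" listen)
    [ -n "$endpoint" ] || { echo "no listen= in $1" >&2; return 1; }
    echo "fastcgi / $endpoint php"
}

# Succeed only when the pool runs as Caddy's user and, for a Unix socket,
# listen.owner is that user too; otherwise Caddy cannot connect to php-fpm.
fpm_matches_caddy_user() {  # $1 = pool file, $2 = user Caddy runs as
    [ "$(fpm_setting "$1" user)" = "$2" ] || return 1
    case "$(fpm_setting "$1" listen)" in
        /*|unix:*) [ "$(fpm_setting "$1" listen.owner)" = "$2" ] || return 1 ;;
    esac
}

# Constructed sample pools: one already adjusted as in the article, one left at
# the distribution default (apache) with a Unix socket.
POOL_OK=$(mktemp)
cat > "$POOL_OK" <<'EOF'
[www]
user = caddy
group = caddy
listen = 127.0.0.1:9000
;listen = /run/php-fpm/www.sock
EOF
POOL_DEFAULT=$(mktemp)
cat > "$POOL_DEFAULT" <<'EOF'
[www]
user = apache
group = apache
listen = /run/php-fpm/www.sock
listen.owner = apache
EOF

caddy_fastcgi_line "$POOL_OK"   # fastcgi / 127.0.0.1:9000 php
fpm_matches_caddy_user "$POOL_DEFAULT" caddy || echo "default pool does not run as caddy: change user=, group= and listen.owner"
```

Point the functions at /etc/php-fpm.d/www.conf on the server to generate the directive for the real pool instead of the samples.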