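This article gives detailed steps for installing the open-source Wekan kanban board on CentOS 7 with Nginx and a Let's Encrypt SSL certificate. The simplest way to install Wekan on CentOS 7 is from its snap package.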

Step 1: Install snap on CentOS 7

Install snap on CentOS 7 by running the following commands:

    sudo yum makecache fast
    sudo yum install yum-plugin-copr epel-release
    sudo yum copr enable ngompa/snapcore-el7
    sudo yum install snapd
    sudo systemctl enable --now snapd.socket

Step 2: Install Wekan on CentOS 7

Once snap is installed, use it to install Wekan:

    sudo snap install wekan

Set the web root URL for Wekan:

    sudo snap set wekan root-url="https://wekan.example.com"

You can run Wekan on the standard HTTP port 80 or on a different port such as 3001. A custom port is useful when Wekan runs behind a proxy server such as Nginx:

    sudo snap set wekan port='3001'
    sudo systemctl restart snap.wekan.mongodb
    sudo systemctl restart snap.wekan.wekan

Check the status:

    # ss -tunelp | grep 3001
    tcp LISTEN 0 128 *:3001 *:* users:(("node",pid=25724,fd=14)) ino:4125584 sk:ffff8b01487ab640 <->
    # systemctl status snap.wekan.wekan
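
Its systemd service unit file is /etc/systemd/system/snap.wekan.wekan.service.

1. Disable and enable the Wekan service

Use the following snap commands to enable and disable Wekan on the CentOS 7 server:

    sudo snap disable wekan
    sudo snap enable wekan

If the MongoDB port is used by another application, change it as well:

    sudo snap set wekan mongodb-port=27019

2. Access the MongoDB CLI for administration

To use the MongoDB CLI, install the MongoDB 3.2.x tools and run on the command line:

    $ mongo --port 27019

3. Restart Wekan after changes

If you need to restart Wekan after making changes, use the following command:

    sudo systemctl restart snap.wekan.wekan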
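
The status output above shows Wekan bound to *:3001, that is, every interface, so the port is reachable without TLS from any host the firewall lets through. The following is an added example, not from the original article: it reads ss output and reports which of the given ports are wildcard-bound. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the given ports are listening on every
# interface. Input on stdin is the text of `ss -tln` (or `ss -tunelp`).

wildcard_listeners() {
    # $* = ports to check, e.g. the Wekan and MongoDB ports set in this guide
    awk -v ports=" $* " '
    {
        la = ""
        # "LISTEN" is field 1 (ss -tln) or field 2 (with a Netid column);
        # the local address:port is three fields after it.
        for (i = 1; i <= 2; i++) if ($i == "LISTEN") la = $(i + 3)
        if (la == "") next
        n = split(la, part, ":")
        port = part[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        wild = (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
        if (wild && index(ports, " " port " ")) print port
    }' | sort -un | tr '\n' ' ' | sed 's/ *$//'
}

# Constructed sample in the format shown above (not captured from a real host).
SAMPLE_SS='tcp LISTEN 0 128 *:3001 *:* users:(("node",pid=25724,fd=14))
tcp LISTEN 0 128 127.0.0.1:27019 *:*
tcp LISTEN 0 128 *:443 *:*'

echo "wildcard-bound: $(printf '%s\n' "$SAMPLE_SS" | wildcard_listeners 3001 27019)"
```

On a live host, pipe the output of ss -tln into the function. Any port it reports should stay closed in firewalld so that clients can only reach Wekan through the Nginx proxy.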
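
Step 3: Set up automatic snap updates

Install all snap updates automatically between 02:00 AM and 04:00 AM:

    sudo snap set core refresh.schedule=02:00-04:00

Automatic upgrades happen after a Wekan release, or at the scheduled time, or when you run:

    sudo snap refresh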

Step 4: Configure Wekan email settings (optional)

Configure admin notification mail. This is optional, because Wekan runs without any email configuration:

    sudo snap set wekan mail-url='smtps://user:pass@mailserver.example.com:453'
    sudo snap set wekan mail-from='Wekan Boards <wekan@example.com>'
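
Step 5: Obtain a Let's Encrypt SSL certificate

Reference: An introduction to HTTPS encryption, and installing a free Let's Encrypt SSL/TLS certificate on Nginx.

Request the SSL certificate with certbot; it will be used in the Wekan nginx configuration file. Port 80 is used for this, so make sure it is open on the firewall:

    sudo firewall-cmd --add-service=http --permanent
    sudo firewall-cmd --reload

Use the certbot-auto script to request the certificate, supplying a valid email address for expiry notifications and a valid domain for Wekan:

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    sudo mv certbot-auto /usr/local/bin
    export DOMAIN="wekan.example.com"
    export EMAIL="domain-manager@example.com"
    certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$EMAIL" --keep-until-expiring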

Step 6: Configure the Nginx proxy

Install Nginx, which will act as the reverse proxy for Wekan:

    sudo yum install nginx

After installation, create the configuration:

    sudo vim /etc/nginx/conf.d/wekan.conf

Remember to modify the contents to suit your use. The important setting to change is the Wekan domain name, so replace every occurrence of example.com with your domain:

    # this section is needed to proxy web-socket connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # HTTP
    server {
        listen 80; # append "default_server" only if this should be the default server
        listen [::]:80 ipv6only=on;

        server_name example.com;

        # redirect non-SSL to SSL
        location / {
            rewrite ^ https://example.com$request_uri? permanent;
        }
    }

    # HTTPS server
    server {
        listen 443 ssl http2; # we enable HTTP/2 here (previously SPDY)
        server_name example.com; # this domain must match Common Name (CN) in the SSL certificate

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
        # This works because IE 11 does not present itself as MSIE anymore
        if ($http_user_agent ~ "MSIE" ) {
            return 303 https://browser-update.org/update.html;
        }

        # Pass requests to Wekan.
        # If you have Wekan at https://example.com/wekan , change location to:
        # location /wekan {
        location / {
            proxy_pass http://127.0.0.1:3001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

            # this setting allows the browser to cache the application in a way compatible with Meteor
            # on every application update the name of CSS and JS file is different, so they can be cached for a long time (here: 30 days)
            # the root path (/) MUST NOT be cached
            #if ($uri != '/wekan') {
            #    expires 30d;
            #}
        }
    }

For the default Nginx configuration (/etc/nginx/nginx.conf), the following settings are recommended:

    user nginx;
    worker_processes auto;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;

    events {
        worker_connections 1024;
        # multi_accept on;
    }

    http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        types_hash_max_size 2048;
        server_tokens off;
        # 0.0.0.0/32 matches only the single address 0.0.0.0, so no peer's
        # X-Forwarded-For is trusted. If a proxy sits in front of this server,
        # list its address here; never widen this to 0.0.0.0/0.
        set_real_ip_from 0.0.0.0/32;
        real_ip_header X-Forwarded-For;
        limit_conn_zone $binary_remote_addr zone=arbeit:10m;
        client_body_timeout 60;
        client_header_timeout 60;
        keepalive_timeout 10 10;
        send_timeout 60;
        reset_timedout_connection on;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        # Dropping SSLv3, ref: POODLE. TLS 1.0 and 1.1 are deprecated (RFC 8996):
        # list only TLSv1.2 unless legacy clients require the older versions.
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout 1d;
        ssl_ciphers x; # placeholder: as in the original figure, set this to your own cipher list
        ssl_ecdh_curve secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header X-XSS-Protection '1; mode=block';
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security 'max-age=31536000';
        add_header X-Content-Type-Options nosniff; # the header name must include "Type" to take effect
        add_header X-Micro-Cache $upstream_cache_status;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";
        gzip_buffers 16 8k;
        gzip_comp_level 1;
        gzip_http_version 1.1;
        gzip_min_length 10;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
        gzip_vary on;
        gzip_proxied any; # Compression for all requests.

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
    }

Start the nginx service and enable it to start at boot. First test the configuration:

    $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

If the configuration is OK, put it into use by starting the nginx service:

    sudo systemctl start nginx
    sudo systemctl enable nginx

You can view the Wekan help page by running:

    wekan.help
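
The following is an added example, not part of the original article: a shell function that scans an nginx configuration for weaknesses relevant to the settings in this step. It flags deprecated protocol versions in ssl_protocols, the header name X-Content-Options (browsers only honour X-Content-Type-Options), a set_real_ip_from that trusts every address, and a TLS listener without HSTS. The function name, finding labels and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: static checks for an nginx config like the one in this step.
# Reads config text on stdin and prints one finding per line.

audit_nginx_conf() {
    # Drop comments first so commented-out directives are not reported
    # (simplification: assumes no "#" inside quoted values).
    sed 's/#.*//' | awk '
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                print "weak-protocol:" p
        }
    }
    # Browsers only honour X-Content-Type-Options; this name does nothing.
    $1 == "add_header" && $2 == "X-Content-Options" {
        print "misnamed-header:" $2
    }
    $1 == "add_header" && $2 == "Strict-Transport-Security" { hsts = 1 }
    # Trusting every peer lets any client set its own "real" IP.
    $1 == "set_real_ip_from" {
        net = $2; sub(/;$/, "", net)
        if (net == "0.0.0.0/0" || net == "::/0") print "trust-all-proxies:" net
    }
    $1 == "listen" && /ssl/ { tls = 1 }
    END { if (tls && !hsts) print "missing-hsts" }'
}

# Constructed sample: directives of the kind used in this step,
# including a misnamed header and deprecated protocol versions.
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Dropping SSLv3, ref: POODLE
    set_real_ip_from 0.0.0.0/32;
    add_header Strict-Transport-Security 'max-age=31536000';
    add_header X-Content-Options nosniff;
}
EOF
)

printf '%s\n' "$SAMPLE_CONF" | audit_nginx_conf
```

To check a live server, pipe the output of sudo nginx -T (the full merged configuration) into audit_nginx_conf.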

Step 7: Add Wekan UI users

Go to your Wekan URL, for example the https://example.com/sign-up page. On a fresh installation you need to register to get an administrator account.
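Register a username, email address and password. The first user to register has administrator privileges, and subsequent users are normal users. If you want additional administrators, you can change their permission to administrator in the admin panel.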
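Note: If you get an error about email settings, you can ignore it; email is not required, and Wekan works without it.

After creating the account, sign in to Wekan at https://example.com/sign-in.

Appendix: Registering normal users

By default, other users can register themselves by visiting the https://example.com/sign-up page and creating an account. To disable self-registration, go to Admin Panel > Settings > Registration > [X] Disable Self-Registration; you can then switch to inviting new users to register by email address.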
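
Conclusion

With the steps above, the installation of the Wekan kanban board on CentOS 7 is complete. We also configured an Nginx reverse proxy with a Let's Encrypt SSL certificate; this setup is suitable for deploying the application in production.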