DEV Community

majun
How to Build Web Services Relying on Tencent Cloud CVM

This tutorial explains how to build a secure, high-performance web service on Tencent Cloud CVM hosting.

0. Environment preparation

Before we start, prepare the following two resources.

  • One Tencent Cloud CVM instance:

Created on demand from the Tencent Cloud CVM product homepage. This article uses a cloud server of model S4.SMALL2. Note that you need to tick "free allocation of public network IP" when purchasing. The operating system we choose is CentOS 7; for other systems such as Fedora/Ubuntu, most of the steps in this article are the same. All commands below are executed inside this instance.

  • One Tencent Cloud domain name:

Register one on the Tencent Cloud domain name registration page. Pick any domain name you like; my-awesome-domain.com is used below.

1. Set up domain name resolution

Adding a resolution record associates a domain name with a cloud server's public IP.

Tencent Cloud's DNS resolution product makes it easy to manage our resolution records; all records are added in the cloud resolution console.

[Screenshot: adding an A record in the resolution console]

  • Record type: select "A"; this type of record maps a domain name to an IP address;
  • Record value: the public network IP of the CVM host;
  • Host record: the subdomain label we need, for example web, so that web.my-awesome-domain.com points to the specified IP.

Tencent Cloud's resolution takes effect very quickly, so we can log in to the CVM through the domain name record, for example:

ssh root@web.my-awesome-domain.com

2. Apply for an SSL certificate

Let's apply for a Let's Encrypt certificate. This is easily done with the official Certbot tool. Certbot is essentially a client for the ACME protocol, which lets developers automate the certificate issuance process.

Install Certbot

yum install certbot

Dependent libraries such as openssl are installed at the same time (on CentOS 7 the certbot package comes from the EPEL repository). Under Debian/Ubuntu, just use apt install instead.

Certificate Application

certbot certonly --standalone -n -m my-email-address@example.com --agree-tos -d web.my-awesome-domain.com

The application execution process takes about ten seconds, as shown below:

[Screenshot: Certbot output during the certificate application]

Certificate application result

After success, the certificate files are generated in the /etc/letsencrypt/live/web.my-awesome-domain.com/ directory: the certificate file fullchain.pem and the private key file privkey.pem. They will be used later in the Nginx configuration.

Set the certificate to renew automatically

The certificate expires after 90 days, but Certbot comes with a tool that re-applies for (renews) the certificate regularly: certbot-renew. Starting this scheduled task with systemctl means we do not have to worry about certificate expiry. One caveat: the standalone authenticator used above binds port 80 itself, so once Nginx is listening there, the renewal run needs Nginx stopped around it (Certbot's --pre-hook and --post-hook options) or a different authenticator such as webroot; certbot renew --dry-run checks that renewal actually works.

systemctl start certbot-renew.timer

3. Install Nginx

There are two common ways to install Nginx: through the distribution's package manager, or by compiling from source. If you use the former, only this is needed:

yum install nginx # under Debian/Ubuntu: apt install nginx

Then skip this section and start the configuration process in the next section.

However, in the current mainstream distributions (CentOS 7, Ubuntu 18, etc.) the packaged nginx/openssl versions are relatively old and cannot support features such as TLSv1.3, so choose according to the features you need.

Next, let's explain in detail how to install the latest Nginx from source. The latest stable version is 1.16.0. Install the latest stable version whenever possible: versions that are too old lack many features, such as HTTP/2 (supported from 1.10) and TLSv1.3 (supported from 1.15).

The latest version of a piece of software is usually not in the distribution's package repositories (Yum, APT), so we have to compile it from source. For CVM users this is no problem at all; let's enjoy the extra freedom and flexibility.

We install Nginx under the /opt directory, which is usually a suitable choice; any directory you are used to working in is fine.

cd /opt

Install the dependencies

These are mainly the compiler, the PCRE package and the zlib package:

yum install gcc pcre-devel zlib-devel

(Under Debian/Ubuntu use apt install; the corresponding package names are libpcre3-dev and zlib1g-dev.)

Download the openssl source code

Download the latest version of the openssl library, 1.1.1b. This is needed because the TLS protocol and the encryption/decryption in Nginx are handled by external libraries (libssl/libcrypto), both implemented in the openssl project; the system's default openssl is relatively old and cannot support the latest HTTP/2 and TLS features.

Only two steps are needed, download and unpack; there is no separate compile-and-install step because the Nginx build compiles the parts it needs. Verify the downloaded tarball against the checksum or signature published on openssl.org before unpacking it.

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz
tar -zxvf openssl-1.1.1b.tar.gz

Compile Nginx from source

Download, compile and install Nginx 1.16.0:

wget http://nginx.org/download/nginx-1.16.0.tar.gz
tar -zxvf nginx-1.16.0.tar.gz
cd nginx-1.16.0

Configure the build options. Note that we point --with-openssl at the openssl source directory, and Nginx will compile the parts of openssl it needs along the way. The options here focus on enabling the HTTP/2 and SSL modules. If you want to change options later, just reconfigure and recompile; that is the convenience of a source install.

./configure \
  --pid-path=/run/nginx.pid   \
  --with-http_v2_module      \
  --with-http_ssl_module     \
  --with-openssl=/opt/openssl-1.1.1b

Compile and install

make && make install

Nginx is installed by default under /usr/local/nginx (the location is controlled by the --prefix configure option). Running /usr/local/nginx/sbin/nginx -V prints the configure arguments and the OpenSSL version it was built with, which confirms that the build picked up openssl-1.1.1b.

At this point the Nginx installation is complete. Simply executing

/usr/local/nginx/sbin/nginx

starts the Nginx service. But wait, let's finish the job a little more gracefully.

Configure Nginx as a systemd service

Create the file /lib/systemd/system/nginx.service with the following content:

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Then execute:

systemctl daemon-reload
systemctl enable nginx.service

We can then manage the Nginx service with systemctl commands such as restart and reload:

systemctl restart nginx.service

4. Configure Nginx

Edit the server section in nginx.conf (or a similar configuration file): set the SSL-related parameters such as the certificate and key, and redirect the HTTP service on port 80 to HTTPS on port 443. The details are as follows:

server {
    listen       443 ssl http2;
    server_name  web.my-awesome-domain.com;

    ssl_certificate "/etc/letsencrypt/live/web.my-awesome-domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/web.my-awesome-domain.com/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        root   html;
        index  index.html;
    }
}

server {
    listen       80;
    server_name  web.my-awesome-domain.com;
    if ($host = web.my-awesome-domain.com) {
        return 301 https://$host$request_uri;
    }
}

Note: HTTP/2 is enabled, and for the TLS protocol we support both the current stable TLSv1.2 and the latest TLSv1.3.
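As an added example (not from the original article), here is a small Python audit that parses the server blocks out of an nginx configuration and checks the three points this section relies on: no legacy protocols in ssl_protocols, an HSTS header on the HTTPS listener, and a port-80 listener that only redirects to HTTPS. The embedded configuration is a constructed copy of the relevant lines above; the brace parser is deliberately minimal (no include handling), and the function names are the example's own.

```python
import re
# Constructed sample input: the relevant lines of this tutorial's two server blocks.
SAMPLE_CONF = """
server {
    listen       443 ssl http2;
    server_name  web.my-awesome-domain.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000";
    location / { root html; index index.html; }
}
server {
    listen       80;
    server_name  web.my-awesome-domain.com;
    if ($host = web.my-awesome-domain.com) { return 301 https://$host$request_uri; }
}
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(conf):
    """Return the body of every top-level server { ... } block (brace-balanced)."""
    text, blocks, i = re.sub(r"#.*", "", conf), [], 0
    while m := re.search(r"\bserver\s*\{", text[i:]):
        j, depth = i + m.end(), 1
        while depth and j < len(text):          # walk forward to the matching brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks.append(text[i + m.end():j - 1])
        i = j
    return blocks

def directives(block):
    """Map directive name -> list of values; nested if/location bodies are included."""
    found = {}
    for name, value in re.findall(r"(?<![\w$])(\w+)\s+([^;{}]*?)\s*;", block):
        found.setdefault(name, []).append(value.strip('"'))
    return found

def audit(conf):
    """Return one finding per weakness; an empty list means the hardened pattern is met."""
    findings = []
    for n, d in enumerate(map(directives, server_blocks(conf)), 1):
        listen = " ".join(d.get("listen", [])).split()
        if "ssl" in listen:                      # HTTPS listener
            legacy = set(" ".join(d.get("ssl_protocols", [])).split()) & LEGACY_PROTOCOLS
            if legacy:
                findings.append(f"server {n}: legacy protocols enabled: {sorted(legacy)}")
            if not any(v.startswith("Strict-Transport-Security") for v in d.get("add_header", [])):
                findings.append(f"server {n}: no Strict-Transport-Security header")
        elif "80" in listen and not any(v.startswith("301 https://") for v in d.get("return", [])):
            findings.append(f"server {n}: port-80 listener does not redirect to https")
    return findings
```

To audit the deployed file, call audit(open("/usr/local/nginx/conf/nginx.conf").read()); the check only inspects the file, so a reload is still needed after any fix.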

systemctl restart nginx.service

Restart the service and you're done!

This article comes from the Tencent Cloud Computing Community; please indicate the source when reprinting: https://computeinit.com/archives/2405
