Angie: Установка и настройка

Angie: Установка и настройка

Инструкция по установке и первичной настройке #Angie.

Репозиторий

  • Скачать и установить ключ репозитория:
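# Fetch the repository signing key into apt's keyring directory. The directory is created first because it is
# absent on older releases and `curl -o` does not create it; `-f` makes an HTTP error fail the download instead
# of saving an error page as the key. apt later verifies packages against this key via Signed-By.
mkdir -p '/etc/apt/keyrings' && curl -fsSLo '/etc/apt/keyrings/angie.gpg' 'https://angie.software/keys/angie-signing.gpg'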
  • Создать файл репозитория /etc/apt/sources.list.d/angie.sources со следующим содержимым:
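# Generate the deb822 repository entry from /etc/os-release. The file is sourced in a subshell so that ID,
# VERSION_ID and VERSION_CODENAME do not leak into the interactive shell. Signed-By pins the key fetched above,
# so only packages signed with it are accepted from this repository. (The original line redirected stdout to
# /dev/null twice; once is enough.)
( . '/etc/os-release' && echo -e "X-Repolib-Name: Angie\nEnabled: yes\nTypes: deb\nURIs: https://download.angie.software/angie/${ID}/${VERSION_ID}\nSuites: ${VERSION_CODENAME}\nComponents: main\nArchitectures: $( dpkg --print-architecture )\nSigned-By: /etc/apt/keyrings/angie.gpg\n" ) | tee '/etc/apt/sources.list.d/angie.sources' > '/dev/null'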

Установка

  • Установить пакеты:
# Refresh package lists and install Angie with the brotli and zstd compression modules (non-interactive).
apt update && apt install -y angie angie-module-brotli angie-module-zstd

Настройка

В этом разделе приведена конфигурация с моими предпочтениями.

Основная конфигурация

  • Сохранить оригинальный файл конфигурации:
# Keep the packaged configuration as angie.conf.orig, but only when no backup exists yet (never overwrite it).
f='/etc/angie/angie.conf'; test -f "${f}" && test ! -f "${f}.orig" && mv "${f}" "${f}.orig"
  • Создать файл основной конфигурации /etc/angie/angie.conf со следующим содержимым:
angie.conf
# Dynamic modules from the angie-module-brotli / angie-module-zstd packages (main context).
load_module 'modules/ngx_http_brotli_filter_module.so';
load_module 'modules/ngx_http_zstd_filter_module.so';
load_module 'modules/ngx_http_zstd_static_module.so';

# Unprivileged account the worker processes run as.
user www-data;
worker_processes auto;
# Per-worker open-file limit. NOTE(review): keep this at least as large as worker_connections; proxied
# connections may need two descriptors each, so confirm the value against the expected load.
worker_rlimit_nofile 65536;

# 'notice' records more than the default 'error' level; useful while bringing the server up.
error_log '/var/log/angie/error.log' notice;
pid '/run/angie.pid';

events {
  worker_connections 65536;
}

http {
  include '/etc/angie/mime.types';
  default_type application/octet-stream;

  # 'main' is the classic combined format; 'extended' adds request time, host/uri details and upstream
  # address/status/timings, which is what you want for correlating proxy latency during incident triage.
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" rt="$request_time" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
                      'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
                      'uct="$upstream_connect_time" urt="$upstream_response_time"';
  # Only 'main' is used here; 'extended' is defined so individual server blocks can switch to it.
  access_log '/var/log/angie/access.log' main;

  # conf.d holds http-level tuning, http.d holds the server blocks. Glob includes are processed in sorted
  # file-name order, which is why the tuning file below is prefixed with 99-.
  include /etc/angie/conf.d/*.conf;
  include /etc/angie/http.d/*.conf;
}

Дополнительная конфигурация

  • Создать директорию для дополнительной конфигурации:
# Create the directory for http-level tuning files unless it already exists.
d='/etc/angie/conf.d'; test ! -d "${d}" && mkdir "${d}"
  • Создать файл дополнительной конфигурации /etc/angie/conf.d/99-angie.local.conf со следующим содержимым:
angie.local.conf
# -------------------------------------------------------------------------------------------------------------------- #
# GENERAL
# -------------------------------------------------------------------------------------------------------------------- #

# Connection and request limits. NOTE(review): large_client_header_buffers 8 512k lets a single connection hold
# up to 4 MB of header buffers; confirm the applications behind Angie really need headers that large before
# accepting that memory cost per connection.
client_body_timeout 10;
client_max_body_size 64m;
keepalive_requests 100;
large_client_header_buffers 8 512k;
# real_ip_header only rewrites $remote_addr for connections that come from addresses listed with
# set_real_ip_from. No such address is listed here, so this directive currently has no effect. When you add
# one, list only your own proxies/load balancers: trusting X-Real-IP from arbitrary clients lets them spoof
# access logs and any IP-based allow/deny or rate limits.
# set_real_ip_from <TRUSTED-PROXY-CIDR>;   # placeholder - fill in per deployment
real_ip_header 'X-Real-IP';
real_ip_recursive off;
reset_timedout_connection on;
# Resolver for names Angie looks up at runtime (e.g. OCSP stapling). This is plain DNS to public resolvers;
# a local or otherwise trusted resolver is preferable where available.
resolver 8.8.8.8 8.8.4.4 ipv6=off;
send_timeout 2;
sendfile on;
# Do not reveal the server version in the Server header and on error pages.
server_tokens off;
tcp_nopush on;
types_hash_max_size 4096;

# -------------------------------------------------------------------------------------------------------------------- #
# ACME
# -------------------------------------------------------------------------------------------------------------------- #

# ACME client 'example' against the Let's Encrypt production directory. enabled=off keeps it defined but inactive;
# a server block opts in with `acme 'example';` (see the commented lines in default.ssl.conf). challenge=http means
# the http-01 challenge has to be reachable on port 80 when issuance is turned on.
acme_client example 'https://acme-v02.api.letsencrypt.org/directory'
  enabled=off
  challenge=http;
# Storage for ACME state (certificates and keys); keep it readable only by the Angie user.
acme_client_path '/etc/ssl/acme';

# -------------------------------------------------------------------------------------------------------------------- #
# HTTP 2/3
# -------------------------------------------------------------------------------------------------------------------- #

# HTTP/3 also needs a QUIC listener in the server block (`listen 443 quic reuseport`, shown commented out in
# default.ssl.conf). Alt-Svc advertises h3 on the same port to clients for 24 hours.
http2 on;
http3 on; quic_gso on; quic_retry on;
add_header 'Alt-Svc' 'h3=":$server_port"; ma=86400';

# -------------------------------------------------------------------------------------------------------------------- #
# SSL
# -------------------------------------------------------------------------------------------------------------------- #

# AEAD-only suites for TLS 1.2 (TLS 1.3 suites are not governed by this list). The DHE-* entries rely on
# ssl_dhparam below: that file must exist (generate it with at least 2048 bits) or the configuration fails to load.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
ssl_dhparam '/etc/ssl/_ssc/dhparam.pem';
ssl_ecdh_curve 'X25519:prime256v1:secp384r1';
ssl_protocols TLSv1.2 TLSv1.3;

ssl_buffer_size 8k;
# TLS 1.3 0-RTT: requests carried in early data can be replayed by an on-path attacker. Non-idempotent handlers
# need protection at the application layer; when proxying, add `proxy_set_header Early-Data $ssl_early_data;`
# so the backend can reject replay-sensitive requests that arrived as early data.
ssl_early_data on;
# With an all-AEAD list the client's ordering is acceptable.
ssl_prefer_server_ciphers off;

# Stapling verification needs the issuer chain, normally via ssl_trusted_certificate (or a full chain in
# ssl_certificate), plus the resolver above. If the chain is missing the stapled response is not used; check
# error.log for stapling warnings after deployment.
ssl_stapling on;
ssl_stapling_verify on;

# Server-side session cache only: tickets are off so a long-lived ticket key cannot weaken forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;

# -------------------------------------------------------------------------------------------------------------------- #
# HEADERS
# -------------------------------------------------------------------------------------------------------------------- #

# add_header values are NOT inherited by a server/location block that defines its own add_header - repeat the
# whole set there. HSTS with preload and includeSubDomains commits every subdomain to HTTPS for two years, and
# 'always' sends it on error responses too. X-XSS-Protection addresses a browser feature that modern browsers
# have removed; current guidance is to send '0' (or drop the header) and rely on Content-Security-Policy instead.
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubDomains; preload' always;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-Frame-Options' 'SAMEORIGIN';
add_header 'X-XSS-Protection' '1; mode=block';

# -------------------------------------------------------------------------------------------------------------------- #
# PROXY
# -------------------------------------------------------------------------------------------------------------------- #

# Proxy defaults, disabled here and meant to be enabled per location. When enabled, $proxy_add_x_forwarded_for
# appends this client's address to whatever X-Forwarded-For the client itself sent, so the backend must trust
# only the last hop(s) appended by this proxy. The Upgrade header is forwarded, presumably for WebSocket upgrades.
# proxy_connect_timeout 300;
# proxy_http_version '1.1';
# proxy_read_timeout 300;
# proxy_redirect off;

# proxy_set_header 'Host' $http_host;
# proxy_set_header 'Upgrade' $http_upgrade;
# proxy_set_header 'X-Forwarded-For' $proxy_add_x_forwarded_for;
# proxy_set_header 'X-Forwarded-Proto' $scheme;
# proxy_set_header 'X-Forwarded-Ssl' on;
# proxy_set_header 'X-Real-IP' $remote_addr;

# -------------------------------------------------------------------------------------------------------------------- #
# BROTLI
# -------------------------------------------------------------------------------------------------------------------- #

# Response compression (brotli, gzip and zstd below). Compressing dynamic responses that mix secrets (session or
# CSRF tokens) with attacker-influenced input can leak those secrets through response length (BREACH-style);
# restrict compression to static content or disable it for such responses. NOTE(review): the trailing `text/$`
# in each type list is not a MIME type I recognise - confirm it is intended and not a rendering artefact.
brotli on;
brotli_comp_level 6;
brotli_types
  application/atom+xml
  application/javascript
  application/json
  application/rss+xml
  application/vnd.ms-fontobject
  application/x-font-opentype
  application/x-font-truetype
  application/x-font-ttf
  application/x-javascript
  application/xhtml+xml
  application/xml
  font/eot
  font/opentype
  font/otf
  font/truetype
  image/svg+xml
  image/vnd.microsoft.icon
  image/x-icon
  image/x-win-bitmap
  text/css
  text/javascript
  text/plain
  text/xml
  text/$;

# -------------------------------------------------------------------------------------------------------------------- #
# GZIP
# -------------------------------------------------------------------------------------------------------------------- #

# gzip_static serves pre-compressed .gz files when present. gzip_vary off means no "Vary: Accept-Encoding" is
# sent, so an intermediate cache or CDN may hand a compressed body to a client that cannot decode it - consider
# gzip_vary on behind any cache. gzip_disable 'msie6' is a legacy workaround.
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 5;
gzip_disable 'msie6';
gzip_http_version '1.1';
gzip_proxied any;
gzip_static on;
gzip_vary off;
gzip_types
  application/atom+xml
  application/javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rss+xml
  application/vnd.geo+json
  application/vnd.ms-fontobject
  application/x-font-ttf
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/opentype
  image/bmp
  image/svg+xml
  image/x-icon
  text/cache-manifest
  text/css
  text/javascript
  text/plain
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy
  text/$;

# -------------------------------------------------------------------------------------------------------------------- #
# ZSTD
# -------------------------------------------------------------------------------------------------------------------- #

# Same type list as brotli; the BREACH-style caveat above applies equally here.
zstd on;
zstd_comp_level 3;
zstd_types
  application/atom+xml
  application/javascript
  application/json
  application/rss+xml
  application/vnd.ms-fontobject
  application/x-font-opentype
  application/x-font-truetype
  application/x-font-ttf
  application/x-javascript
  application/xhtml+xml
  application/xml
  font/eot
  font/opentype
  font/otf
  font/truetype
  image/svg+xml
  image/vnd.microsoft.icon
  image/x-icon
  image/x-win-bitmap
  text/css
  text/javascript
  text/plain
  text/xml
  text/$;

Сайты

  • Сохранить оригинальный файл стандартного сайта:
# Keep the packaged default site as default.conf.orig, but only when no backup exists yet (never overwrite it).
f='/etc/angie/http.d/default.conf'; test -f "${f}" && test ! -f "${f}.orig" && mv "${f}" "${f}.orig"
  • Создать файл стандартного сайта (порт 80) /etc/angie/http.d/default.conf со следующим содержимым:
angie.http.default.conf
# Catch-all plain-HTTP listener: every request on port 80 is redirected to HTTPS.
server {
  listen 80 default_server;
  server_name _;

  # $host comes from the request Host header (falling back to server_name), so the redirect target is
  # client-controlled - the usual trade-off for a catch-all redirect. NOTE(review): the acme_client in
  # 99-angie.local.conf uses challenge=http; confirm that http-01 challenges on port 80 are still served
  # once that client is enabled, rather than being redirected by this rule.
  return 301 https://$host$request_uri;
}
  • Создать файл стандартного сайта (порт 443) /etc/angie/http.d/default.ssl.conf со следующим содержимым:
angie.http.default.ssl.conf
# Template for the default HTTPS server. Everything inside is commented out, so as written this block listens on
# nothing; until a listen line is enabled, the first server that listens on 443 becomes the default for unmatched
# names. The `quic` listener is what makes the http3/Alt-Svc settings in 99-angie.local.conf effective.
server {
  # listen 443 quic reuseport default_server;
  # listen 443 ssl default_server;
  # server_name _;

  # root '/var/www/html';
  # index index.php index.html;

  # Either let the ACME client 'example' (defined in 99-angie.local.conf) manage the certificate ...
  # acme 'example';
  # ssl_certificate $acme_cert_example;
  # ssl_certificate_key $acme_cert_key_example;

  # ... or point at a locally managed certificate/key pair.
  # ssl_certificate '/etc/ssl/_ssc/auth.server.crt';
  # ssl_certificate_key '/etc/ssl/_ssc/auth.server.key';

  # NOTE(review): `/\.ht` only blocks .htaccess-style files; other dotfiles under root (e.g. VCS or env files)
  # would still be served - a broader `location ~ /\.` is the usual choice.
  # location / { try_files $uri $uri/ =404; }
  # location ~ /\.ht { deny all; }

  # Pass the PHP scripts to FastCGI server listening on 'unix:/run/php/php-fpm.sock'.
  # NOTE(review): a regex PHP location without a `try_files $uri =404;` guard forwards requests for
  # non-existent .php paths to php-fpm; add the guard (and keep cgi.fix_pathinfo=0 in php-fpm) when enabling.
  # location ~ \.php$ {
  #   include fastcgi_params;
  #   fastcgi_index index.php;
  #   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  #   fastcgi_pass unix:/run/php/php-fpm.sock;
  # }
}