Перевести биллинговую систему АСР Казна-39 на веб сервер nginx не составляет особого труда, но необходимо установить FastCGI и отредактировать пару файлов.
После переезда на nginx будут изменены порты биллинга:
Личный кабинет останется на стандартном
Админка уедет на 9443
Платёжные системы на 9442 (или на тот порт, который вы укажете сами, в целях дополнительной защиты)
| Блок кода |
|---|
# Installs the web server, PHP with php-fpm (used by the .php location in the vhosts
# below) and fcgiwrap, which runs the billing's Perl CGI scripts over FastCGI.
apt update
apt install nginx php php-fpm fcgiwrap spawn-fcgi
Проверяем состояние:
| Блок кода |
|---|
systemctl status nginx |
...
Настраиваем юнит:
| Блок кода |
|---|
...
service fcgiwrap start |
Проверяем работу fcgiwrap
| Блок кода |
|---|
service fcgiwrap status
* Checking status of FastCGI wrapper fcgiwrap [ OK ] |
Оптимизируем работу:
| Блок кода | ||
|---|---|---|
| ||
# Tuning for /etc/nginx/nginx.conf: worker_processes belongs at the top level,
# worker_connections inside events {}, everything else inside http {}.
worker_processes 1;
worker_connections 1024;
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
keepalive_timeout 65;
# Caps request bodies (form posts, uploads) at 10 MB; larger requests get HTTP 413.
client_max_body_size 10M;
# Hides the nginx version from the Server header and built-in error pages.
server_tokens off;
Настраиваем конфиги хостов:
| Блок кода |
|---|
/etc/nginx/sites-available/ktk_admin.conf
/etc/nginx/sites-available/ktk_user.conf
/etc/nginx/sites-available/ktk_paysys.conf |
Приводим в такой вид:
...
| language | php |
|---|---|
| title | nano /etc/nginx/sites-available/ktk_admin.conf |
...
| ||||
# fcgiwrap.service: socket-activated FastCGI wrapper that executes the billing CGI scripts.
[Unit]
Description=Simple CGI Server
# The service drops privileges to www-data below, so user/group lookups must be available first.
After=nss-user-lookup.target
# Requests arrive through the companion socket unit; the vhosts on this page
# point fastcgi_pass at unix:/var/run/fcgiwrap.socket.
Requires=fcgiwrap.socket
[Service]
# -f: send CGI error output over FastCGI (nginx then writes it to its error_log) — see fcgiwrap(8).
Environment=DAEMON_OPTS=-f
# Number of preforked fcgiwrap children, passed via -c in ExecStart.
Environment=DAEMON_PROCS=100
# Leading "-": a missing file is not an error; the file may override the two values above.
EnvironmentFile=-/etc/default/fcgiwrap
ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS} -c ${DAEMON_PROCS}
# CGI scripts run unprivileged as www-data; /usr/abills must be readable (and
# writable only where the billing needs it) by this user — verify on the host.
User=www-data
Group=www-data
[Install]
Also=fcgiwrap.socket
|
После этого применяем изменения:
| Блок кода | ||
|---|---|---|
| ||
systemctl daemon-reload |
Запускаем fcgiwrap:
| Блок кода |
|---|
service fcgiwrap start |
Проверяем работу fcgiwrap
| Блок кода |
|---|
service fcgiwrap status
* Checking status of FastCGI wrapper fcgiwrap [ OK ] |
Оптимизируем работу:
| Блок кода | ||
|---|---|---|
| ||
# Tuning for /etc/nginx/nginx.conf: worker_processes belongs at the top level,
# worker_connections inside events {}, everything else inside http {}.
worker_processes 1;
worker_connections 1024;
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
keepalive_timeout 65;
# Caps request bodies (form posts, uploads) at 10 MB; larger requests get HTTP 413.
client_max_body_size 10M;
# Hides the nginx version from the Server header and built-in error pages.
server_tokens off;
Настраиваем конфиги хостов:
| Блок кода |
|---|
/etc/nginx/sites-available/ktk_admin.conf
/etc/nginx/sites-available/ktk_user.conf
/etc/nginx/sites-available/ktk_paysys.conf |
Приводим в такой вид:
| Блок кода | ||||
|---|---|---|---|---|
| ||||
# /etc/nginx/sites-available/ktk_admin.conf — admin panel vhost, TLS on port 9443.
server {
    listen lk.it39.su:9443 default_server ssl;
    charset utf-8;
    # Directory listings are disabled here (the user vhost on this page enables them).
    autoindex off;
    server_name "lk.it39.su";
    root "/usr/abills/cgi-bin";
    index index.cgi;
    # Let's Encrypt paths kept for reference; the certificates under /usr/abills/Certs are the active ones.
    # include letsencrypt;
    # ssl_certificate /etc/letsencrypt/live/lk.it39.su/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/lk.it39.su/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/lk.it39.su/chain.pem;
    ssl_certificate /usr/abills/Certs/server.crt;
    ssl_certificate_key /usr/abills/Certs/server.key;
    access_log /var/log/ktk-39/nginx/lk_user/access.log;
    error_log /var/log/ktk-39/nginx/lk_user/error.log;

    # add_header inside a location replaces every add_header inherited from the
    # server level, which is why the CSP header is repeated in each location below.
    # NOTE(review): 'unsafe-inline' in script-src gives up most of the XSS protection a
    # CSP provides; tightening it needs an audit of the billing UI for inline scripts first.
    location / {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root "/usr/abills/cgi-bin/";
        index index.cgi;
    }

    # PHP is handed to php-fpm 8.3 over its unix socket.
    location ~* \.php$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 360;
        include fastcgi_params;
    }

    # Perl CGI scripts run through fcgiwrap.
    # NOTE(review): the regex is not grouped, so it matches ".cgi" anywhere in the URI
    # or any URI ending in "pm"; `\.(cgi|pm)$` is probably what was meant — confirm.
    location ~* \.cgi|pm$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        # The client's Authorization header is also passed to the CGI in a dedicated
        # variable — presumably for the billing API's authentication; verify against its docs.
        fastcgi_pass_header Authorization;
        fastcgi_param HTTP_CGI_AUTHORIZATION $http_authorization;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 360;
        include fastcgi_params;
    }

    location /styles/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
    }

    location /img/calculator/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
    }

    location /admin/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias "/usr/abills/cgi-bin/admin/";
        index index.cgi;
    }

    # Billing API entry point; all paths under /api.cgi are routed to the one script.
    location ^~ /api.cgi {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        try_files $uri /api.cgi$is_args$args;
        allow all;
        gzip off;
        # Tells the CGI it is being served over TLS (this listen is ssl).
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_param HTTP_CGI_AUTHORIZATION $http_authorization;
        fastcgi_param SCRIPT_FILENAME /usr/abills/cgi-bin$fastcgi_script_name;
        include fastcgi_params;
    }

    # Static assets: only the listed extensions are served from the alias,
    # anything else under it is denied.
    location ^~ /img/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/cgi-bin/img/;
        location ~* \.(ico|jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }

    location ^~ /images/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/ACP/templates/;
        location ~* \.(jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }
}
| Блок кода | ||||
|---|---|---|---|---|
| ||||
# /etc/nginx/sites-available/ktk_user.conf — customer portal ("личный кабинет").
# Plain-HTTP vhost: everything is redirected to HTTPS.
server {
    listen lk.it39.su;
    access_log off;
    error_log off;
    # include letsencrypt;
    server_name lk.it39.su;
    location / {
        # NOTE(review): `return` runs in the rewrite phase, before try_files, so every
        # plain-HTTP request is redirected and this try_files line never takes effect.
        # If it was meant for ACME challenges it needs its own location — confirm.
        try_files $uri $uri/ =404;
        return 301 "https://lk.it39.su/";
    }
}

# HTTPS vhost on the standard port.
server {
    listen lk.it39.su:443 ssl;
    # NOTE(review): directory listings are enabled for the whole vhost (the admin
    # vhost on this page sets autoindex off); any directory under the root without
    # an index will list its contents — confirm this is intended.
    autoindex on;
    server_name "lk.it39.su";
    # include letsencrypt;
    root "/usr/abills/cgi-bin";
    # Let's Encrypt paths kept for reference; the certificates under /usr/abills/Certs are the active ones.
    # ssl_certificate /etc/letsencrypt/live/lk.it39.su/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/lk.it39.su/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/lk.it39.su/chain.pem;
    ssl_certificate /usr/abills/Certs/server.crt;
    ssl_certificate_key /usr/abills/Certs/server.key;
    access_log /var/log/ktk-39/nginx/lk_user/access.log;
    error_log /var/log/ktk-39/nginx/lk_user/error.log;
    # Rate limiting is disabled; enabling it also needs a matching
    # limit_req_zone "peripreq" defined in the http {} block.
    # limit_req zone=peripreq burst=300 nodelay;

    # add_header inside a location replaces every add_header inherited from the
    # server level, which is why the CSP header is repeated in each location below.
    # NOTE(review): 'unsafe-inline' in script-src gives up most of the XSS protection a
    # CSP provides; tightening it needs an audit of the portal UI for inline scripts first.
    location / {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root "/usr/abills/cgi-bin/";
        index index.cgi;
    }

    # Perl CGI scripts run through fcgiwrap.
    # NOTE(review): the regex is not grouped, so it matches ".cgi" anywhere in the URI
    # or any URI ending in "pm"; `\.(cgi|pm)$` is probably what was meant — confirm.
    location ~* \.cgi|pm$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        # NOTE(review): REMOTE_ADDR is taken from the X-Real-IP request header, which any
        # client can set. This is only safe if this nginx sits behind a trusted proxy that
        # always overwrites that header; otherwise any IP-based check inside the CGI can be
        # bypassed. Also check which value wins versus the REMOTE_ADDR set by the included
        # fastcgi_params file — confirm with a test request.
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_read_timeout 360;
        # The client's Authorization header is passed to the CGI in a dedicated
        # variable — presumably for the billing API's authentication; verify against its docs.
        fastcgi_param HTTP_CGI_AUTHORIZATION $http_authorization;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location /styles/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
    }

    # The admin panel is not served on this vhost (it lives on port 9443).
    location /admin/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        return 301 "https://lk.it39.su/";
    }

    # Payment-gateway callback endpoint.
    location = /paysys_check.cgi {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        # NOTE(review): same X-Real-IP concern as above; for a payment callback the
        # source address is usually part of the gateway check, so this matters here most.
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # If access should be allowed only from specific IPs (the payment gateways):
        # allow 1.2.3.4;
        # deny all;
    }

    # Telegram webhook. "allow all" means the unguessable path is the only access
    # control on this location — keep the path private.
    location /Telegramldkfjoiertjnvsfkjg984578kdjfg/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
        allow all;
    }

    # Static assets: only the listed extensions are served from the alias,
    # anything else under it is denied.
    location ^~ /img/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/cgi-bin/img/;
        location ~* \.(ico|jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }

    location ^~ /images/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/ACP/templates/;
        location ~* \.(jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }
}
| Блок кода | ||
|---|---|---|
| ||
# /etc/nginx/sites-available/ktk_paysys.conf — payment-system callbacks, TLS on port 9442.
server {
    listen lk.it39.su:9442 default_server ssl;
    access_log /var/log/nginx/abills_paysys/access.log;
    error_log /var/log/nginx/abills_paysys/error.log;
    autoindex off;
    server_name "lk.it39.su";
    root "/usr/abills/cgi-bin";
    # Let's Encrypt paths kept for reference; the certificates under /usr/abills/Certs are the active ones.
    # ssl_certificate /etc/letsencrypt/live/lk.it39.su/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/lk.it39.su/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/lk.it39.su/chain.pem;
    # Rate limiting is disabled; enabling it also needs a matching
    # limit_req_zone "peripreq_paysys" defined in the http {} block.
    # limit_req zone=peripreq_paysys burst=10 nodelay;
    ssl_certificate /usr/abills/Certs/server.crt;
    ssl_certificate_key /usr/abills/Certs/server.key;

    location / {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root "/usr/abills/cgi-bin/";
        index paysys_check.cgi;
        # NOTE(review): this method guard only applies to requests that land in
        # location /; a request for a *.cgi URI is matched by the regex location
        # below and never sees it — confirm that is the intended behaviour.
        if ( $request_method ~ ^(GET|HEAD)$ ) { return 403; }
    }

    location ~* \.cgi$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        # NOTE(review): REMOTE_ADDR is taken from the X-Real-IP request header, which any
        # client can set. This is only safe if this nginx sits behind a trusted proxy that
        # always overwrites that header; otherwise a gateway IP check in the CGI can be
        # bypassed. Also check which value wins versus the REMOTE_ADDR set by the included
        # fastcgi_params file — confirm with a test request.
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_read_timeout 360;
        # No explicit SCRIPT_FILENAME here (the other vhosts set one): this relies on the
        # distro's fastcgi_params providing it — Debian's file does, upstream's does not; verify.
        include fastcgi_params;
    }

    location /admin/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        return 301 "https://lk.it39.su/";
    }
}
Генерируем сертификаты для АСР Казна-39 в папку /usr/abills/Certs/
Устанавливаем Certbot для использования сертификатов Let's Encrypt
| Информация |
|---|
Обязательно! Включаем в config.pl параметр $conf{API_NGINX}=1; |
Перезапускаем nginx:
| Блок кода |
|---|
service nginx restart |
Всё должно работать.