Перевести биллинговую систему АСР Казна-39 на веб-сервер nginx несложно, но необходимо установить FastCGI и отредактировать пару файлов.
После переезда на nginx порты биллинга изменятся:
Личный кабинет останется на стандартном
Админка уедет на 9443
Платёжные системы на 9442 (или на тот порт, который вы укажете сами, в целях допзащиты)
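# Run as root. The two apt invocations are separate commands: written on one
# line without a separator, "apt update" would receive the rest as arguments.
# Refresh the package index first.
apt update
# Install nginx, PHP with PHP-FPM, and the FastCGI wrapper used to run CGI scripts.
apt install nginx php php-fpm fcgiwrap spawn-fcgi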
Проверяем состояние:
systemctl status nginx
Настраиваем юнит:
# systemd unit for fcgiwrap, the FastCGI wrapper that nginx hands CGI requests to.
[Unit]
Description=Simple CGI Server
After=nss-user-lookup.target
# The listening socket is owned by the companion fcgiwrap.socket unit.
Requires=fcgiwrap.socket
[Service]
# Defaults for the command line below: -f forwards the CGI's stderr over FastCGI,
# DAEMON_PROCS is the number of worker processes passed to -c.
Environment=DAEMON_OPTS=-f
Environment=DAEMON_PROCS=100
# Leading "-" makes the file optional; values set there override the defaults above.
EnvironmentFile=-/etc/default/fcgiwrap
ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS} -c ${DAEMON_PROCS}
# CGI scripts run with the privileges of this account, so file ownership and
# permissions for www-data decide what the scripts can read and modify.
User=www-data
Group=www-data
[Install]
Also=fcgiwrap.socket
После применяем
systemctl daemon-reload
Запускаем fcgiwrap:
service fcgiwrap start
Проверяем работу fcgiwrap
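# Query the service state; the command and its output are shown separately.
service fcgiwrap status
# Expected output:
#  * Checking status of FastCGI wrapper fcgiwrap [ OK ]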
Оптимизируем работу:
# Settings for /etc/nginx/nginx.conf. They belong to different contexts and
# cannot be pasted into one place as a single run.

# Main (top-level) context.
worker_processes 1;

# Inside the events { } block.
worker_connections 1024;

# Inside the http { } block.
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
keepalive_timeout 65;
# Upper bound on the request body size accepted from a client.
client_max_body_size 10M;
# Do not reveal the nginx version in the Server header and on error pages.
server_tokens off;
Настраиваем конфиги хостов:
/etc/nginx/sites-available/ktk_admin.conf /etc/nginx/sites-available/ktk_user.conf /etc/nginx/sites-available/ktk_paysys.conf
Приводим в такой вид:
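# Admin interface vhost: HTTPS on port 9443.
#
# NOTE(review): nothing in this block limits which clients may reach the admin
# interface. If it should only be reachable from a management network, add an
# address allow-list at server level, for example:
#   allow <MGMT_NETWORK_CIDR>;
#   deny all;
# Locations that carry their own "allow all" (e.g. /api.cgi below) do not
# inherit such a server-level list and would need the same treatment.
#
# NOTE(review): the Content-Security-Policy used throughout only restricts
# script sources and still permits inline scripts ('unsafe-inline'), so it gives
# little protection against injected inline script. Without the "always"
# parameter add_header is also not applied to error responses.
server {
    listen lk.it39.su:9443 default_server ssl;
    server_name "lk.it39.su";
    charset utf-8;
    autoindex off;

    root "/usr/abills/cgi-bin";
    index index.cgi;

    # Let's Encrypt certificate paths, disabled in favour of the files below.
    # include letsencrypt;
    # ssl_certificate /etc/letsencrypt/live/lk.it39.su/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/lk.it39.su/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/lk.it39.su/chain.pem;
    # The private key should be readable by root only.
    ssl_certificate /usr/abills/Certs/server.crt;
    ssl_certificate_key /usr/abills/Certs/server.key;

    # NOTE(review): the directory is named lk_user although this is the admin
    # vhost - confirm the intended log location. The directory must exist
    # before nginx is started.
    access_log /var/log/ktk-39/nginx/lk_user/access.log;
    error_log /var/log/ktk-39/nginx/lk_user/error.log;

    location / {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root "/usr/abills/cgi-bin/";
        index index.cgi;
    }

    # PHP scripts go to PHP-FPM; the socket name must match the installed PHP version.
    # NOTE(review): no SCRIPT_FILENAME is set in this location; the stock
    # fastcgi_params file on Debian/Ubuntu does not define it - confirm that
    # PHP requests actually resolve.
    location ~* \.php$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 360;
        include fastcgi_params;
    }

    # CGI scripts and Perl modules go to fcgiwrap.
    # The extensions are grouped and anchored: the ungrouped form "\.cgi|pm$"
    # means ".cgi anywhere in the URI" OR "URI ends in pm", which hands far more
    # request paths to the CGI wrapper than intended.
    location ~* \.(cgi|pm)$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        # fastcgi_pass_header concerns header fields coming back from the backend;
        # the request's Authorization value reaches the CGI through the
        # HTTP_CGI_AUTHORIZATION parameter on the next line.
        fastcgi_pass_header Authorization;
        fastcgi_param HTTP_CGI_AUTHORIZATION $http_authorization;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 360;
        include fastcgi_params;
    }

    location /styles/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
    }

    location /img/calculator/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
    }

    location /admin/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias "/usr/abills/cgi-bin/admin/";
        index index.cgi;
    }

    # "^~" stops regex matching, so the API script is served by this location
    # and not by the generic CGI location above.
    location ^~ /api.cgi {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        try_files $uri /api.cgi$is_args$args;
        allow all;
        gzip off;
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_param HTTP_CGI_AUTHORIZATION $http_authorization;
        fastcgi_param SCRIPT_FILENAME /usr/abills/cgi-bin$fastcgi_script_name;
        include fastcgi_params;
    }

    # Static assets: only the listed file types are served, anything else
    # under the prefix is refused.
    location ^~ /img/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/cgi-bin/img/;
        location ~* \.(ico|jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }

    location ^~ /images/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/ACP/templates/;
        location ~* \.(jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }
}
# The closing brace above was missing in the listing; without it the next
# "server {" would be nested inside this block and nginx would reject the file.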
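# Plain-HTTP vhost: every request is redirected to the HTTPS user portal.
server {
    listen lk.it39.su;
    server_name lk.it39.su;

    access_log off;
    # error_log has no "off" value: "error_log off;" writes to a file literally
    # named "off". Discarding is spelled as below; deleting the line instead
    # would send errors to the global error log.
    error_log /dev/null crit;

    # include letsencrypt;

    location / {
        # return is evaluated in the rewrite phase, before any file lookup, so
        # a try_files directive in this location would never be consulted.
        return 301 "https://lk.it39.su/";
    }
}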
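# User portal vhost: HTTPS on the standard port 443.
#
# REMOTE_ADDR is taken from fastcgi_params (the connection's peer address).
# The X-Real-IP request header is supplied by the client and must not be copied
# into REMOTE_ADDR directly: any address-based check or log entry in the CGI
# application would then trust a value the caller chose. If a trusted reverse
# proxy sits in front of this host, restore the client address with the realip
# module instead:
#   set_real_ip_from <TRUSTED_PROXY_IP>;
#   real_ip_header X-Real-IP;
#
# NOTE(review): the Content-Security-Policy used throughout only restricts
# script sources and still permits inline scripts ('unsafe-inline').
server {
    listen lk.it39.su:443 ssl;
    server_name "lk.it39.su";
    # Directory listings are disabled: the document root is the cgi-bin tree
    # and a listing would disclose its file names to any visitor.
    autoindex off;

    # include letsencrypt;
    root "/usr/abills/cgi-bin";

    # Let's Encrypt certificate paths, disabled in favour of the files below.
    # ssl_certificate /etc/letsencrypt/live/lk.it39.su/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/lk.it39.su/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/lk.it39.su/chain.pem;
    # The private key should be readable by root only.
    ssl_certificate /usr/abills/Certs/server.crt;
    ssl_certificate_key /usr/abills/Certs/server.key;

    access_log /var/log/ktk-39/nginx/lk_user/access.log;
    error_log /var/log/ktk-39/nginx/lk_user/error.log;

    # Request rate limiting is disabled; enabling it needs a matching
    # limit_req_zone definition in the http context.
    # limit_req zone=peripreq burst=300 nodelay;

    location / {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root "/usr/abills/cgi-bin/";
        index index.cgi;
    }

    # CGI scripts and Perl modules go to fcgiwrap.
    # The extensions are grouped and anchored: the ungrouped form "\.cgi|pm$"
    # means ".cgi anywhere in the URI" OR "URI ends in pm".
    location ~* \.(cgi|pm)$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_read_timeout 360;
        fastcgi_param HTTP_CGI_AUTHORIZATION $http_authorization;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location /styles/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
    }

    # The admin interface is not served on this port; callers are sent to the portal root.
    location /admin/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        return 301 "https://lk.it39.su/";
    }

    # Exact match: takes precedence over the generic CGI location above.
    location = /paysys_check.cgi {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # To allow access only from specific IP addresses:
        # allow 1.2.3.4;
        # deny all;
    }

    # NOTE(review): the hard-to-guess path segment presumably serves as a shared
    # secret for this endpoint. The value shown is a published sample; each
    # installation should generate its own.
    location /Telegramldkfjoiertjnvsfkjg984578kdjfg/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root /usr/abills/cgi-bin/;
        allow all;
    }

    # Static assets: only the listed file types are served, anything else
    # under the prefix is refused.
    location ^~ /img/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/cgi-bin/img/;
        location ~* \.(ico|jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }

    location ^~ /images/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        alias /usr/abills/ACP/templates/;
        location ~* \.(jpg|gif|png|css|js|JPG|GIF)$ {
            allow all;
        }
        deny all;
    }
}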
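# Payment-system callback vhost: HTTPS on port 9442.
#
# REMOTE_ADDR is taken from fastcgi_params (the connection's peer address).
# The X-Real-IP request header is supplied by the caller and must not be copied
# into REMOTE_ADDR directly: an address-based check of the payment provider in
# the CGI application would then trust a value the caller chose. If a trusted
# reverse proxy sits in front of this host, restore the client address with the
# realip module instead:
#   set_real_ip_from <TRUSTED_PROXY_IP>;
#   real_ip_header X-Real-IP;
#
# Callbacks normally come from a small set of provider addresses; an allow-list
# at server level narrows the exposure of this port:
#   allow <PAYMENT_PROVIDER_IP>;
#   deny all;
server {
    listen lk.it39.su:9442 default_server ssl;
    server_name "lk.it39.su";
    autoindex off;

    root "/usr/abills/cgi-bin";

    # The log directory must exist before nginx is started.
    access_log /var/log/nginx/abills_paysys/access.log;
    error_log /var/log/nginx/abills_paysys/error.log;

    # Let's Encrypt certificate paths, disabled in favour of the files below.
    # ssl_certificate /etc/letsencrypt/live/lk.it39.su/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/lk.it39.su/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/lk.it39.su/chain.pem;
    # Request rate limiting is disabled; enabling it needs a matching
    # limit_req_zone definition in the http context.
    # limit_req zone=peripreq_paysys burst=10 nodelay;
    # The private key should be readable by root only.
    ssl_certificate /usr/abills/Certs/server.crt;
    ssl_certificate_key /usr/abills/Certs/server.key;

    location / {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        root "/usr/abills/cgi-bin/";
        index paysys_check.cgi;
        # NOTE(review): this refusal of GET/HEAD applies only to requests handled
        # by "location /". A request that names a .cgi file directly is handled
        # by the regex location below and is not covered - confirm that this
        # matches the intent.
        if ( $request_method ~ ^(GET|HEAD)$ ) {
            return 403;
        }
    }

    # NOTE(review): no SCRIPT_FILENAME is set here, unlike the other vhosts;
    # presumably fcgiwrap derives the script path from DOCUMENT_ROOT and
    # SCRIPT_NAME supplied by fastcgi_params - confirm.
    location ~* \.cgi$ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_read_timeout 360;
        include fastcgi_params;
    }

    # The admin interface is not served on this port; callers are sent to the portal root.
    location /admin/ {
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
        return 301 "https://lk.it39.su/";
    }
}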
Генерируем сертификаты для АСР Казна-39 в папку /usr/abills/Certs/
Устанавливаем CertBot, для использования сертификатов LetsEncrypt
Обязательно!!! Включаем в config.pl параметр - $conf{API_NGINX}=1;
Перезапускаем nginx:
service nginx restart
Все должно работать.