How to install the Wekan open-source kanban board on CentOS 7 with Nginx and a Let's Encrypt SSL certificate

Date: 2020-02-23 14:31:18  Source: igfitidea

Wekan is an open-source kanban board application released under the MIT license.
Wekan is a great tool for keeping things organized, whether that is work tasks, vacation planning, a personal to-do list, managing other people, and so on.
It gives an at-a-glance view of a project's current state, so you can focus on the few items that matter most and keep work moving.

Features of the Wekan kanban board

List all public and private boards from the shortcut at the top of the page
Fullscreen or windowed mode on the desktop without using browser buttons; fullscreen on mobile Firefox
Keyboard shortcuts available in the bottom-right corner
User management module
Restore archived boards
Add, star, watch, archive and delete boards
Import Trello boards: text, labels, images, comments, lists (not yet imported: stickers and similar items)
Export Wekan boards
Clipboard and drag-and-drop support
REST API, authentication, admin panel, SMTP settings and more

The easiest way to install the Wekan kanban platform on a CentOS 7 server is with snap, so the snapd package has to be installed first.

Step 1: Install snapd on CentOS 7

Install snap on CentOS 7 by running the following commands:

sudo yum makecache fast
sudo yum install yum-plugin-copr epel-release
sudo yum copr enable ngompa/snapcore-el7
sudo yum install snapd
sudo systemctl enable --now snapd.socket

Step 2: Install Wekan on CentOS 7

Once snapd is installed, use it to install wekan.

sudo snap install wekan

Set the web URL root for wekan:

sudo snap set wekan root-url="https://wekan.example.com"

Wekan can run on the standard HTTP port 80 or on another port such as 3001. A custom port is useful when Wekan runs behind a proxy like Nginx:

sudo snap set wekan port='3001'
sudo systemctl restart snap.wekan.mongodb
sudo systemctl restart snap.wekan.wekan

Check the status:

# ss -tunelp | grep 3001
tcp    LISTEN     0      128       *:3001                  *:*                   users:(("node",pid=25724,fd=14)) ino:4125584 sk:ffff8b01487ab640 <->
# systemctl status  snap.wekan.wekan
● snap.wekan.wekan.service - Service for snap application wekan.wekan
   Loaded: loaded (/etc/systemd/system/snap.wekan.wekan.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2016-08-18 09:08:44 UTC; 8s ago
 Main PID: 25621 (wekan-control)
   CGroup: /system.slice/snap.wekan.wekan.service
           ├─25621 /bin/bash /snap/wekan/249/bin/wekan-control
           └─25724 /snap/wekan/249/bin/node main.js
Aug 18 09:08:44 centos-01 wekan.wekan[25621]: BROWSER_POLICY_ENABLED=true (default value)
Aug 18 09:08:44 centos-01 wekan.wekan[25621]: TRUSTED_URL= (default value)
Aug 18 09:08:44 centos-01 wekan.wekan[25621]: MONGO_URL=mongodb:///var/snap/wekan/249/share/mongodb-27019.sock/wekan
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: Presence started serverId=XxH7mx9v3uaiBPFTS
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: Note: you are using a pure-JavaScript implementation of bcrypt.
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: While this implementation will work correctly, it is known to be
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: approximately three times slower than the native implementation.
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: In order to use the native implementation instead, run
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: meteor npm install --save bcrypt
Aug 18 09:08:45 centos-01 wekan.wekan[25621]: in the root directory of your application.

Its systemd service unit file is /etc/systemd/system/snap.wekan.wekan.service

Disabling and enabling the wekan service

Use the following snap commands to disable and enable wekan on the CentOS 7 server.

sudo snap disable wekan
sudo snap enable wekan

If the MongoDB port is already used by another application, change it as well:

sudo snap set wekan mongodb-port=27019

Accessing the MongoDB CLI for administration

To use the MongoDB CLI, install the MongoDB 3.2.x tools and run on the command line:

$ mongo --port 27019

Restarting Wekan after changes

If Wekan needs to be restarted after making changes, use the following command:

sudo systemctl restart snap.wekan.wekan

Step 3: Set up automatic snap updates

Install all snap updates automatically between 02:00 AM and 04:00 AM:

sudo snap set core refresh.schedule=02:00-04:00

Automatic upgrades happen some time after a Wekan release, at the scheduled time, or can be triggered manually with:

sudo snap refresh

Step 4: Configure the Wekan email settings (optional)

Configure the admin notification email.
This is optional, because Wekan does not need an email configuration to run.

sudo snap set wekan mail-url='smtps://user:Hyman@theitroad:453'
sudo snap set wekan mail-from='Wekan Boards <Hyman@theitroad>'

Step 5: Obtain a Let's Encrypt SSL certificate

Request the certbot SSL certificate that will be used in the Wekan Nginx configuration file.
Port 80 is used for the challenge, so make sure it is open on the firewall:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

Request the certificate with the certbot-auto script.
Provide a valid email address for expiry notifications and the valid domain used for Wekan.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin
export DOMAIN="wekan.example.com"
export EMAIL="Hyman@theitroad"
certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

Step 6: Configure the Nginx proxy

Install Nginx, which will act as the reverse proxy for Wekan.

sudo yum install nginx

After the installation completes, configure it as follows:

sudo vim /etc/nginx/conf.d/wekan.conf

Remember to adjust the contents to suit your setup.
The important setting to change is the Wekan domain name, so replace every occurrence of example.com with your domain.

# this section is needed to proxy web-socket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# HTTP
server {
    listen 80; # if this is not a default server, remove "default_server"
    listen [::]:80 ipv6only=on;
    server_name example.com;
    # redirect non-SSL to SSL
    location / {
        rewrite     ^ https://example.com$request_uri? permanent;
    }
}
# HTTPS server
server {
    listen 443 ssl http2; # we enable HTTP/2 here (previously SPDY)
    server_name example.com; # this domain must match Common Name (CN) in the SSL certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }
    # Pass requests to Wekan.
    # If you have Wekan at https://example.com/wekan , change location to:
    # location /wekan {
    location / {
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # allow websockets
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
        # this setting allows the browser to cache the application in a way compatible with Meteor
        # on every application update the names of the CSS and JS files change, so they can be cached indefinitely (here: 30 days)
        # the root path (/) MUST NOT be cached
        #if ($uri != '/wekan') {
        #    expires 30d;
        #}
    }
}

For the main Nginx configuration file, the following settings are recommended:

user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_tokens off;
    set_real_ip_from 0.0.0.0/32; # trusted source of X-Forwarded-For; 0.0.0.0/32 matches no real client, so list your upstream proxy here if there is one
    real_ip_header X-Forwarded-For;
    limit_conn_zone $binary_remote_addr zone=arbeit:10m;
    client_body_timeout 60;
    client_header_timeout 60;
    keepalive_timeout 10 10;
    send_timeout 60;
    reset_timedout_connection on;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 1d;
    ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header X-XSS-Protection '1; mode=block';
    add_header X-Frame-Options SAMEORIGIN;
    add_header Strict-Transport-Security 'max-age=31536000';
    add_header X-Content-Type-Options nosniff;
    add_header X-Micro-Cache $upstream_cache_status;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_buffers 16 8k;
    gzip_comp_level 1;
    gzip_http_version 1.1;
    gzip_min_length 10;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
    gzip_vary on;
    gzip_proxied any; # Compression for all requests.
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
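Once Nginx is running, the following script (an added example, not part of the original article) checks that the headers set in the configuration above are really delivered and that the port-80 server block redirects to HTTPS. It works on the output of curl -sI; the captures embedded below are constructed samples, and wekan.example.com is the hostname from step 2.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the headers
# configured in nginx.conf reach the client, that server_tokens off hides
# the Nginx version, and that the HTTP server block redirects to https://.
# Each function takes the raw response headers as one string.

# Prints each failed check; returns 0 only when all checks pass.
check_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    rc=0
    # HSTS with the one-year max-age (31536000 s) set in nginx.conf
    age=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | head -n 1 | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then echo "FAIL: HSTS missing or max-age < 1 year"; rc=1; fi
    printf '%s\n' "$hdrs" | grep -iqE '^x-content-type-options: *nosniff' || { echo "FAIL: X-Content-Type-Options nosniff missing"; rc=1; }
    printf '%s\n' "$hdrs" | grep -iqE '^x-frame-options: *(SAMEORIGIN|DENY)' || { echo "FAIL: X-Frame-Options missing"; rc=1; }
    # server_tokens off leaves "Server: nginx" with no version number
    if printf '%s\n' "$hdrs" | grep -iqE '^server: *nginx/[0-9]'; then echo "FAIL: Server header leaks the Nginx version"; rc=1; fi
    return $rc
}

# Plain-HTTP check: the "rewrite ... permanent" in wekan.conf must answer 301 to the https:// URL.
check_redirect() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -qE '^HTTP/[0-9.]+ 301' || { echo "FAIL: HTTP did not answer 301"; return 1; }
    printf '%s\n' "$hdrs" | grep -iqE '^location: *https://' || { echo "FAIL: redirect target is not https://"; return 1; }
}

# Constructed sample captures (what "curl -sI" returns from this setup).
GOOD_HTTPS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'
BAD_HTTPS='HTTP/1.1 200 OK
Server: nginx/1.16.1
X-Frame-Options: SAMEORIGIN'
GOOD_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://wekan.example.com/'

# Live use once Nginx is running (needs network, so not executed here):
#   check_headers  "$(curl -sI https://wekan.example.com/)"
#   check_redirect "$(curl -sI http://wekan.example.com/)"
check_headers "$GOOD_HTTPS" && echo "https headers OK"
check_redirect "$GOOD_HTTP" && echo "http redirect OK"
check_headers "$BAD_HTTPS" || echo "=> bad capture rejected as expected"
```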

Test the Nginx configuration, then start the service and enable it at boot:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the config is OK, put it to use by starting the nginx service:

sudo systemctl start nginx
sudo systemctl enable nginx
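As an added post-install check (not from the original article): the ss output in step 2 shows Wekan listening on *:3001, i.e. on every interface, and step 5 opened only the http service in firewalld. This script confirms that the only wildcard listeners are Nginx on 80/443 and that firewalld allows both http and https; the ss and firewall-cmd samples embedded in it are constructed.

```shell
#!/bin/sh
# Added post-install check (not from the original article). Wekan's own
# port must stay unreachable from the network so that every client goes
# through the TLS proxy; this verifies the listener list and the firewall.

# $1 = output of "ss -tunelp". Prints wildcard TCP listeners other than
# 80/443 and returns 1 if any are found, 0 otherwise.
check_wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $2 == "LISTEN" {
            n = split($5, a, ":"); port = a[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            if ((host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]") &&
                port != "80" && port != "443") { print "EXPOSED: " $5; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# $1 = output of "firewall-cmd --list-services". Returns 0 only when both
# http and https are allowed in the active zone.
check_firewall_services() {
    for svc in http https; do
        case " $1 " in
            *" $svc "*) ;;
            *) echo "FAIL: firewalld does not allow $svc"; return 1 ;;
        esac
    done
    return 0
}

# Constructed samples modeled on the ss line shown in step 2, plus Nginx.
SS_SAMPLE='tcp    LISTEN     0      128       *:3001                  *:*                   users:(("node",pid=25724,fd=14))
tcp    LISTEN     0      128       *:80                    *:*                   users:(("nginx",pid=31001,fd=6))
tcp    LISTEN     0      128       *:443                   *:*                   users:(("nginx",pid=31001,fd=7))'
SS_SAMPLE_SAFE='tcp    LISTEN     0      128       127.0.0.1:3001          *:*                   users:(("node",pid=25724,fd=14))
tcp    LISTEN     0      128       *:443                   *:*                   users:(("nginx",pid=31001,fd=7))'

# Live use on the server (not executed here):
#   check_wildcard_listeners "$(ss -tunelp)"; check_firewall_services "$(firewall-cmd --list-services)"
check_wildcard_listeners "$SS_SAMPLE" || echo "=> keep 3001 closed in firewalld; only Nginx should be reachable"
check_firewall_services "ssh dhcpv6-client http" || echo "=> run: sudo firewall-cmd --add-service=https --permanent && sudo firewall-cmd --reload"
```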

You can view the wekan help page by running:

wekan.help

Step 7: Add Wekan UI users

Go to the Wekan URL, for example the https://example.com/sign-up page.
On a fresh install, you need to sign up to obtain the admin account.

Sign up with a username, email address and password.
The first user to register gets admin rights; the following ones are normal users.
If additional admins are needed, their rights can be changed to admin in the Admin Panel.

Note: if you run into errors related to the email settings, they can be ignored.
A working email setup is not required.
Wekan works without email configured.
After the account has been created, log in to Wekan via https://example.com/sign-in

Registering normal users:

By default, other users can register themselves by visiting https://example.com/sign-up and creating an account.
To disable self-registration, go to Admin Panel > Settings > Registration > [X] Disable Self-Registration.
Then invite new users to the selected boards by email address.