CentOS 7.3: setting up the open-source decentralized social platform Mastodon, with Nginx reverse-proxying a local Apache


Install Nginx, Docker and docker-compose first, as before. Note that the nux repository key is imported over plain HTTP and the docker-compose binary is written straight into /usr/local/bin without checking a checksum or signature; on a host you care about, verify both before trusting them.
[root@Myhosts /]# rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
[root@Myhosts /]# yum install -y nginx
[root@Myhosts /]# curl -L https://github.com/docker/compose/releases/download/1.16.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
[root@Myhosts /]# chmod +x /usr/local/bin/docker-compose
[root@Myhosts /]# docker-compose -v
docker-compose version 1.16.1, build 6d1ac21
Install Docker. The commands below enable the docker-ce-test channel, i.e. pre-release builds; on a production host leave only the stable repository that docker-ce.repo enables by default.
[root@Myhosts /]# yum install -y yum-utils device-mapper-persistent-data  lvm2
[root@Myhosts /]# yum-config-manager  --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@Myhosts /]# yum-config-manager --enable docker-ce-test
[root@Myhosts /]# yum-config-manager --disable docker-ce-edge
[root@Myhosts /]# yum install -y docker-ce
[root@Myhosts /]# docker -v
Docker version 17.10.0-ce, build f4ffd25
Now deploy the Mastodon environment.
[root@Myhosts /]# cd app
[root@Myhosts app]# git clone https://github.com/tootsuite/mastodon.git
[root@Myhosts app]# cd mastodon/
[root@Myhosts mastodon]# cp .env.production.sample .env.production
[root@Myhosts mastodon]# vim .env.production
[root@Myhosts mastodon]# systemctl start docker
[root@Myhosts mastodon]# docker-compose build
Wait for the build to finish...
Successfully built 4cb02e93c917
Successfully tagged gargron/mastodon:latest
Generate the three secrets that .env.production needs. The values printed below (and the VAPID keys further down) are now public: with a copied SECRET_KEY_BASE anyone can forge Rails session cookies, so generate your own and never publish them.
[root@Myhosts mastodon]# docker-compose run --rm web rake secret
334b32d535477b989d6b3d29c510f33a031b1919b466b1684b9c04b1043e6652223dca24d6fd941f45fb87553d58e23af96e7bbf073ee37d01e379898a0e8fb8
[root@Myhosts mastodon]# docker-compose run --rm web rake secret
cd1e505737edb1cc73347a7bbb95b4f259883f230113b914780baa4752f529a6d747f79d1d08c55b7ca39c8fa795908a522551552521c1c74f4e176e510cc212
[root@Myhosts mastodon]# docker-compose run --rm web rake secret
721ca8e33141653276339907e70f26bec8debe9f4b0aa6d7da134f0ec1cf01cedacf39d8aeda41ddfea28170571b6f0460a8fe7c9e2f0eec563b04572601689b
This generates the two VAPID keys (the two lines starting with VAPID_).
[root@Myhosts mastodon]# docker-compose run --rm web rake mastodon:webpush:generate_vapid_key
It threw an error saying this line should be written into config/initializers/devise.rb. In fact it still errored after I added it; I ran it a few more times, added another `config.....` line it gave me, then went back and put the three secrets above into .env.production, ran it again and for no clear reason it worked.
config.secret_key = '3f4a8212252d8143024c3a693d0509608f6bb737382ce555bd172e914065f37afe0b5b3e1cee9226723456ae53c1ec9f55afe07e19190983c2aaea8d45a9f37a'
[root@Myhosts mastodon]# vim config/initializers/devise.rb
[root@Myhosts mastodon]# docker-compose run --rm web rake mastodon:webpush:generate_vapid_key
VAPID_PRIVATE_KEY=ama9yZRIQshXNHzu9hCHVLlLINgQxFStfuLXmgL1YwA=
VAPID_PUBLIC_KEY=BDxXQMo5GQbnpAYodO4z1pjNZfmOquirdcEs2fe1iJ8K_372DoOwoK0xbAfMraFsvDgiwxVU3swRcOGZ4_F-WkQ=
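The keys printed above cannot be used now that they are on a public page, and pasting 128-character strings into a file by hand is error-prone anyway. As an added example (mine, not code from the post or from the Mastodon project), the script below fills the three secrets in .env.production offline with values of the same shape that `rake secret` prints (64 random bytes as hex) and leaves the file readable only by its owner, since it holds the session-signing key. It assumes the file contains `PAPERCLIP_SECRET=`, `SECRET_KEY_BASE=` and `OTP_SECRET=` lines, which is what the .env.production.sample of this era had; the VAPID pair is still generated with the rake task above.

```shell
#!/bin/sh
# Added example, not part of the original post: fill the three secrets in
# .env.production offline and lock the file down, rather than pasting values
# from a terminal session (or a blog post) by hand.
# Assumption: the file has PAPERCLIP_SECRET=, SECRET_KEY_BASE= and OTP_SECRET=
# lines, as Mastodon's .env.production.sample did at the time of this post.

# 64 random bytes as 128 lowercase hex characters, the shape `rake secret` prints.
random_hex64() {
  head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE: replace the three secret lines with fresh values and make
# the file readable by its owner only.
write_secrets() {
  f="$1"
  tmp="$f.tmp.$$"
  ( umask 077   # the temp file is owner-only from its first byte
    awk -v pc="$(random_hex64)" -v sk="$(random_hex64)" -v otp="$(random_hex64)" '
      /^PAPERCLIP_SECRET=/ { print "PAPERCLIP_SECRET=" pc;  next }
      /^SECRET_KEY_BASE=/  { print "SECRET_KEY_BASE=" sk;   next }
      /^OTP_SECRET=/       { print "OTP_SECRET=" otp;       next }
      { print }
    ' "$f" > "$tmp" ) && mv "$tmp" "$f" && chmod 600 "$f"
}

# secret_ok FILE KEY: succeeds only if KEY= carries a 128-character hex value.
secret_ok() {
  grep -Eq "^$2=[0-9a-f]{128}\$" "$1"
}

# Usage on the checkout from above:
#   write_secrets .env.production
#   secret_ok .env.production SECRET_KEY_BASE && echo "SECRET_KEY_BASE set"
```

Lines other than the three secrets are copied through unchanged, so the file can be re-run on an already filled .env.production to rotate the secrets (which logs every user out, since sessions are signed with SECRET_KEY_BASE).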
Create the database
[root@Myhosts mastodon]# docker-compose run --rm web rake db:migrate
Surprisingly no `set` whatever was needed; with the manual setups before, that was always required.
Compile the static assets
[root@Myhosts mastodon]# docker-compose run --rm web rake assets:precompile
It failed with an error I had never seen:
Compilation failed:
[BABEL] Note: The code generator has deoptimised the styling of "/mastodon/node_modules/emoji-mart/dist-es/data/data.js" as it exceeds the max of "500KB".
(node:176) DeprecationWarning: Chunk.modules is deprecated. Use Chunk.getNumberOfModules/mapModules/forEachModule/containsModule instead.
A restart fixed it.
Start Mastodon under Docker
[root@Myhosts mastodon]# docker-compose up -d
Because the US server already runs Apache and now also has Nginx, I decided to move Apache to port 8080 and let Nginx forward port 80. With a bare `Listen 8080` Apache still binds 0.0.0.0, so it stays reachable directly on 8080 from outside, bypassing the proxy and its X-Forwarded-For headers; `Listen 127.0.0.1:8080` keeps it local unless something else really needs to reach it.
[root@Myhosts app]# cat apache2/conf/httpd.conf | grep Listen    # switch the httpd listen port to 8080
Listen 8080
[root@Myhosts app]# cat /home/apache2/conf/extra/httpd-vhosts.conf    # all existing vhosts now bind to port 8080
<VirtualHost *:8080>
    DocumentRoot "/home/web/minicad"
    ServerName   www.1688cad.com
    ServerAlias  www.1688cad.com
    ErrorLog "|/home/apache2/bin/rotatelogs /home/apache2/logs/%Y_%m_%d_usa.pcw268.com_error_log 86400 480"
    CustomLog "|/home/apache2/bin/rotatelogs /home/apache2/logs/%Y_%m_%d_usa.pcw268.com_access_log 86400 480" combined
</VirtualHost>
Then set up the port forwarding in Nginx
[root@Myhosts app]# cat /etc/nginx/conf.d/apache_proxy.conf
upstream server_a {
    server 127.0.0.1:8080;
}
server
{
    listen 80;
    server_name www.1688cad.com;
    location /
    {
        proxy_set_header Host  $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_pass http://server_a;
    }
}
Restart the services
[root@Myhosts app]# service apache restart
Redirecting to /bin/systemctl restart  apache.service
[root@Myhosts app]# service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
Requests are now forwarded to httpd correctly.
Now the Nginx config for Mastodon. Two things to watch in the file below: nginx accepts only one server block per listen/server_name pair and logs a "conflicting server name" warning for the rest, so www.1688cad.com:80 must not be defined in both apache_proxy.conf and this file; and the ssl_certificate paths must point at the certificate certbot actually issues for this name (its output at the end of the post shows where the files land).
[root@Myhosts mastodon]# cat /etc/nginx/conf.d/test.conf
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}
server {
  listen 80;
  listen [::]:80;
  server_name www.1688cad.com;
  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name www.1688cad.com;
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  # paths of the certificate certbot issues for www.1688cad.com (see its output at the end of the post)
  ssl_certificate     /etc/letsencrypt/live/www.1688cad.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.1688cad.com/privkey.pem;
  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 0;
  # must be the host-side public/ directory of the checkout; the repo was cloned into /app above
  root /app/mastodon/public;
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  # add_header is not inherited by a location that sets its own add_header,
  # so the HSTS header is repeated in the two caching locations below
  add_header Strict-Transport-Security "max-age=31536000";
  location / {
    try_files $uri @proxy;
  }
  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }
  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }
  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;
    proxy_pass http://127.0.0.1:3000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    tcp_nodelay on;
  }
  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass http://127.0.0.1:4000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    tcp_nodelay on;
  }
  error_page 500 501 502 503 504 /500.html;
}
Common problems:
Suddenly it stopped working and docker-compose up would not start.
Just re-clone it from git.
[root@Myhosts mastodon]# docker-compose up
Starting mastodon_redis_1 ...
Starting mastodon_redis_1
Starting mastodon_db_1 ...
Starting mastodon_db_1 ... error
Starting mastodon_redis_1 ... error
ERROR: for mastodon_redis_1  Cannot start service redis: container is marked for removal and cannot be started
ERROR: for redis  Cannot start service redis: container is marked for removal and cannot be started
ERROR: for db  Cannot start service db: container is marked for removal and cannot be started
ERROR: Encountered errors while bringing up the project.
Fix:
[root@Myhosts mastodon]# docker-compose rm
Going to remove mastodon_streaming_1, mastodon_web_1, mastodon_sidekiq_1, mastodon_db_1, mastodon_redis_1
Are you sure? [yN] y
Removing mastodon_streaming_1 ... done
Removing mastodon_web_1       ... done
Removing mastodon_sidekiq_1   ... done
Removing mastodon_db_1        ... done
Removing mastodon_redis_1     ... done
[root@Myhosts mastodon]# docker-compose up -d
Creating mastodon_redis_1 ...
Creating mastodon_db_1 ...
Creating mastodon_redis_1
Creating mastodon_db_1 ... done
Creating mastodon_sidekiq_1 ...
Creating mastodon_web_1 ...
Creating mastodon_sidekiq_1
Creating mastodon_streaming_1 ...
Creating mastodon_web_1
Creating mastodon_web_1 ... done
Note: from now on, stop the service with `docker-compose stop`, not `docker-compose down`, or you end up in the situation above. `down` removes the containers and networks instead of just stopping them, so unless the db and redis `volumes:` entries in docker-compose.yml are enabled (they ship commented out), the database and Redis data disappear with the containers.
At this point it could be reached, but not from my phone; I did not know why.
A firewall problem.
First, if you hit the error below, `service docker restart` is enough. It shows up when Docker's own iptables chains (DOCKER, DOCKER-ISOLATION) have been deleted after the daemon started, typically by restarting firewalld or the iptables service; restarting the daemon recreates them.
[root@Myhosts mastodon]# docker-compose start
Starting redis     ... done
Starting db        ... done
Starting streaming ... error
Starting sidekiq   ... done
Starting web       ... error
ERROR: for web  Cannot start service web: driver failed programming external connectivity on endpoint mastodon_web_1 (8ca53d58bd4c096dfe49e7d8281e4e9ef5dc1d0d120cd87b7f1e76b01699ab4f):  (iptables failed: iptables --wait -t filter -A DOCKER ! -i br-6d95b9a9937f -o br-6d95b9a9937f -p tcp -d 192.168.16.4 --dport 3000 -j ACCEPT: iptables: No chain/target/match by that name.
(exit status 1))
ERROR: for streaming  Cannot start service streaming: driver failed programming external connectivity on endpoint mastodon_streaming_1 (468cecf16845a80427eee0bff544a416ddbbea3ca08a2aa0224163f0d70d0ecc):  (iptables failed: iptables --wait -t filter -A DOCKER ! -i br-6d95b9a9937f -o br-6d95b9a9937f -p tcp -d 192.168.16.5 --dport 4000 -j ACCEPT: iptables: No chain/target/match by that name.
(exit status 1))
[root@Myhosts mastodon]# systemctl restart docker
[root@Myhosts mastodon]# docker-compose start
Starting redis     ... done
Starting db        ... done
Starting streaming ... done
Starting sidekiq   ... done
Starting web       ... done
A firewall problem indeed. I did not yet know which ports were needed, so I opened everything:
[root@Myhosts mastodon]# iptables -P INPUT ACCEPT
[root@Myhosts mastodon]# iptables -P OUTPUT ACCEPT
Then it was reachable from outside.
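Setting the INPUT policy to ACCEPT works, but it exposes every listening port on the host, and it does nothing for ports Docker publishes, which go through Docker's own FORWARD/DOCKER chains rather than INPUT. As an added example (mine, not from the post), here is the least-privilege alternative for this setup: only SSH and nginx are allowed in, Docker's chains are left untouched, and a small check confirms that docker-compose.yml binds the web and streaming ports to 127.0.0.1 so only nginx can reach them. The port numbers 22/80/443, and 3000/4000 for Mastodon's web and streaming services (taken from the nginx proxy_pass lines above), are assumptions of the example; without APPLY=1 it only prints the rules.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal host firewall for this
# setup in place of `iptables -P INPUT ACCEPT`.
# Assumptions: SSH on 22 and nginx on 80/443 are the only services that should be
# reachable from outside; Mastodon's web (3000) and streaming (4000) ports are only
# ever reached by nginx via 127.0.0.1.
# Without APPLY=1 the rules are printed instead of executed (dry run).

: "${APPLY:=0}"

ipt() {
  if [ "$APPLY" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

firewall_rules() {
  # Only touch INPUT. Flushing/deleting the whole filter table (`iptables -F`/`-X`)
  # or restarting firewalld removes Docker's DOCKER chains, which is the
  # "No chain/target/match by that name" error shown above.
  ipt -F INPUT
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -p icmp -j ACCEPT
  for port in 22 80 443; do
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Policies last, so an SSH session applying this is never cut off.
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
}

# Docker publishes ports through its own FORWARD/DOCKER chains, so the INPUT
# policy above does not cover "3000:3000"-style mappings in docker-compose.yml;
# those must be written as "127.0.0.1:3000:3000". Succeeds only when every
# port mapping in the given compose file carries an explicit bind address.
ports_bound_to_localhost() {
  ! grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$1"
}

firewall_rules
```

Run it as `APPLY=1 sh firewall.sh` once the dry run looks right, and `ports_bound_to_localhost docker-compose.yml` before `docker-compose up`; a mapping without a bind address means the container port is reachable from the internet no matter what INPUT says.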
Installing the certificate. The run below validates with the tls-sni-01 challenge; Let's Encrypt disabled tls-sni-01 for new validations in January 2018 and removed it in 2019, and certbot-auto itself is no longer maintained. A current certbot uses http-01, which is what the `/.well-known/acme-challenge/` location in the port-80 server block above exists for.
[root@Myhosts mastodon]# systemctl stop nginx
[root@Myhosts mastodon]# chmod a+x certbot-auto
[root@Myhosts mastodon]# ./certbot-auto
[root@Myhosts mastodon]# mv certbot-auto ../  && cd ..
[root@Myhosts app]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.1688cad.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.1688cad.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/www.1688cad.com.conf for set(['www.1688cad.com'])
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.1688cad.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.1688cad.com
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.1688cad.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.1688cad.com/privkey.pem
   Your cert will expire on 2018-01-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Done!
Below is a screenshot; the instance is real and working, so come and register.

