1.安装依赖
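# Build dependencies for an nginx source build on CentOS.
# zlib-devel was missing: nginx's core gzip support (and the gzip_static
# module selected below) needs the zlib headers, and ./configure aborts
# with "the HTTP gzip module requires the zlib library" without them.
# pcre-devel provides the headers for --with-pcre / regex locations,
# openssl-devel the headers for --with-http_ssl_module.
yum -y install zlib zlib-devel pcre pcre-devel openssl openssl-devel
# gcc, make and friends.
yum -y groupinstall "Development Tools"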
2.源码编译安装 Nginx
(1)创建 Nginx 用户
[root@centos~]# useradd -s /sbin/nologin www
(2)Nginx编译参数
[root@centos ~]# gpg --verify nginx-1.14.1.tar.gz.asc nginx-1.14.1.tar.gz   # 先用 nginx.org 同目录下发布的 .asc 签名(及其签名公钥)校验源码包,校验通过再解压
[root@centos ~]# tar -zxvf nginx-1.14.1.tar.gz
[root@centos ~]# cd nginx-1.14.1
[root@centos nginx-1.14.1]#
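# Configure the build. Workers drop to the unprivileged www user created
# above; the master still starts as root to bind port 80/443.
# Modules added relative to the minimal set:
#   --with-http_v2_module     required by "listen 443 ssl http2" in config two
#   --with-http_realip_module lets nginx take the client address from the
#                             load balancer's X-Forwarded-For instead of
#                             trusting a client-supplied X-Real-IP header
#   --with-stream             required by the "stream {}" block in config two
# Without them "nginx -t" rejects those directives as unknown.
./configure \
  --user=www \
  --group=www \
  --prefix=/usr/local/nginx \
  --sbin-path=/usr/local/nginx/sbin/nginx \
  --conf-path=/usr/local/nginx/conf/nginx.conf \
  --error-log-path=/usr/local/nginx/logs/error.log \
  --http-log-path=/usr/local/nginx/logs/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/lock/subsys/nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-stream \
  --with-pcre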
--user 指定启动程序所属用户
--group 指定启动程序所属组
--prefix 指定 Nginx 程序的安装路径
--sbin-path 设置 Nginx 二进制文件的路径名
--conf-path 指定 Nginx 配置文件路径
--error-log-path 指定 Nginx 错误日志文件路径
--http-log-path 指定 Nginx 访问日志文件路径
--pid-path 设置 Nginx 的 pid 文件 nginx.pid 的路径
--lock-path 设置 Nginx 的 lock 文件 nginx.lock 文件路径
--with-openssl 指定 OpenSSL 源码包的路径,如果编译的时候没有指定--with-openssl 选项,那么默认会使用系统自带的OpenSSL库
--with-pcre 设置 Nginx 启用正则表达式
--with-http_stub_status_module 安装用来监控 Nginx 状态的模块
--with-http_ssl_module 表示启用 Nginx 的 SSL/TLS 模块。它依赖的是 OpenSSL 库本身(头文件来自上面安装的 openssl-devel),并不依赖 --with-openssl 选项;只有需要用指定的 OpenSSL 源码树静态编译时才加 --with-openssl。注意:TLSv1.3 需要 OpenSSL 1.1.1 以上,系统自带的 OpenSSL 若低于此版本则 ssl_protocols 里的 TLSv1.3 不会生效
--with-http_gzip_static_module 表示启用"预压缩静态文件"模块:请求 foo.js 时若磁盘上已有 foo.js.gz 则直接返回它。普通的按需 gzip 压缩(gzip on)属于核心 gzip 模块,默认已编译。另外,下文配置二中的 listen 443 ssl http2 需要 --with-http_v2_module,stream {} 块需要 --with-stream,编译时务必加上,否则 nginx -t 会报 unknown directive
接着,执行编译安装,操作如下
[root@centos nginx-1.14.1]# make && make install
编译与安装完成后,使用 nginx -V 查看版本和编译参数。注意:nginx 1.14 分支早已停止维护,不再获得安全修复;生产环境请改用 nginx.org 当前的 stable 版本,本文步骤同样适用
[root@centos nginx-1.14.1]# /usr/local/nginx/sbin/nginx -V
----------------------------------------------------------------------------------------------
nginx.conf配置一
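#user nobody;   # workers already run as www: the binary was built with --user=www --group=www
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    # Hide the nginx version in the Server header and on built-in error
    # pages (config two below sets this as well; keep both consistent).
    server_tokens off;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    # Default server: answers every Host that no vhost below claims, and
    # only serves the compile-time html directory under --prefix.
    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        # proxy_pass http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        # root html;
        # fastcgi_pass 127.0.0.1:9000;
        # fastcgi_index index.php;
        # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        # include fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        # deny all;
        #}
    }
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    # listen 8000;
    # listen somename:8080;
    # server_name somename alias another.alias;
    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    # HTTPS server
    #
    # If this template is enabled, also set "ssl_protocols TLSv1.2 TLSv1.3;":
    # the 1.14 default still includes the deprecated TLS 1.0 and 1.1.
    #server {
    # listen 443 ssl;
    # server_name localhost;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    ########################## vhost #############################
    # Per-site server blocks live in conf/vhost/*.conf (example follows).
    include vhost/*.conf;
}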
vhost如下:
# Virtual host for shilei.de, picked up by "include vhost/*.conf" in the
# http block above. Plain HTTP only; static files from /data/wwwroot.
server {
listen 80;
server_name shilei.de;
location / {
root /data/wwwroot/shilei.de;
index index.html index.htm;
}
# Backend/server errors are served from the prefix's html directory
# (root html is relative to --prefix, i.e. /usr/local/nginx/html).
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
----------------------------------------------------------------------------------------------
nginx.conf配置二
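user www www;
worker_processes auto;
error_log /data/wwwlogs/error_nginx.log;
pid /var/run/nginx.pid;
# Per-worker fd limit; the OS limit for the www user (limits.conf / the
# service unit) must allow at least this many.
worker_rlimit_nofile 655350;
events {
    use epoll;
    worker_connections 655350;
    multi_accept on;
}
#include /opt/verynginx/verynginx/nginx_conf/in_external.conf;
# Only parses if the binary was built with --with-stream (check nginx -V);
# otherwise "nginx -t" fails with "unknown directive stream".
stream {
    include /opt/verynginx/openresty/nginx/conf/ports/*.conf;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;
    # 1 GiB request bodies are accepted from anyone on every vhost. Prefer a
    # small global value and raise it only in the upload location(s) that
    # actually need it.
    client_max_body_size 1024m;
    client_body_buffer_size 20m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;
    # Hide the nginx version in Server: and on built-in error pages.
    server_tokens off;
    tcp_nodelay on;
    # 40-minute FastCGI timeouts tie up a connection and a PHP-FPM child for
    # that long per slow request; keep them only if the application really
    # has requests that slow.
    fastcgi_connect_timeout 2400;
    fastcgi_send_timeout 2400;
    fastcgi_read_timeout 2400;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 128k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    # Backend 4xx/5xx responses go through error_page instead of being
    # passed to the client as-is.
    fastcgi_intercept_errors on;
    #Gzip Compression
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
        text/javascript application/javascript application/x-javascript
        text/x-json application/json application/x-web-app-manifest+json
        text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject
        image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    # Access-log fields, '^'-separated. Notes for whoever owns this log:
    #   - $args and $query_string are the same value (logged twice).
    #   - $arg_NAME logs a query parameter literally named "NAME".
    #   - $cookie_userid / $cookie_username write session-identifying cookie
    #     values to disk, and $args can carry tokens passed in URLs; treat
    #     the access log as sensitive (permissions, retention) or drop them.
    log_format main '^$remote_addr ^$http_x_real_ip ^$http_x_forwarded_for ^$remote_user ^$time_local ^$http_host '
    '^$status ^$body_bytes_sent ^$http_referer '
    '^$request ^$http_user_agent ^$request_time ^$upstream_status ^$upstream_addr ^$upstream_response_time ^$args ^$query_string ^$arg_NAME '
    '^$cookie_userid ^$cookie_username ^$xrequestid';
    access_log /data/wwwlogs/access_tengine.log main;
    #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    #add_header X-Frame-Options SAMEORIGIN;
    include expire.conf;
    # include /opt/verynginx/verynginx/nginx_conf/in_http_block.conf;
    ######################## default ############################
    # Catch-all server for any Host no vhost claims. No root is set, so it
    # serves the compile-time html directory under --prefix; the PHP handler
    # below therefore applies to that directory too.
    server {
        listen 80;
        server_name _;
        #access_log /alidata/wwwlogs/access_nginx.log combined;
        #root /alidata/wwwroot/default;
        #root /alidata/text_data;
        index index.html index.htm index.php;
        #error_page 404 /404.html;
        #error_page 502 /502.html;
        # Status endpoint, loopback only.
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
        # Deny rules go first: regex locations are tried in order and the
        # first match wins, so a ".htaccess.png" would otherwise be served
        # by the static-asset rule below. Other dotfiles (.git, .env, .svn)
        # are still served from this root; widen the pattern if they can
        # exist here.
        location ~ /\.ht {
            deny all;
        }
        # PHP handler. The pattern deliberately accepts PATH_INFO
        # (/x.php/extra), so split it off and refuse to hand PHP-FPM a
        # script that does not exist on disk. Without that check, a PHP-FPM
        # configured with cgi.fix_pathinfo=1 and no security.limit_extensions
        # can be made to execute an uploaded "pic.jpg" via /pic.jpg/x.php.
        location ~ [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # try_files resets $fastcgi_path_info in some versions; keep a copy.
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            #fastcgi_pass remote_php_ip:9000;
            fastcgi_pass unix:/dev/shm/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param PATH_INFO $path_info;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
            expires 30d;
            access_log off;
        }
        # Fixed: the original "(js|css)?$" made the extension optional, so
        # the rule also matched any URI ending in a bare ".".
        location ~ .*\.(js|css)$ {
            expires 7d;
            access_log off;
        }
    }
    ########################## verynginx #############################
    # server {
    # listen 9999;
    # include /opt/verynginx/verynginx/nginx_conf/in_server_block.conf;
    # server_name 47.96.254.192;
    # #access_log /data/wwwlogs/access_tengine.log main;
    # #root /data/wwwroot/default;
    # #root /data/text_data;
    # index index.html index.htm index.php;
    # #error_page 404 /404.html;
    # #error_page 502 /502.html;
    # location ~ [^/]\.php(/|$) {# #fastcgi_pass remote_php_ip:9000;
    # #fastcgi_pass remote_php_ip:9000;
    # fastcgi_pass unix:/dev/shm/php-cgi.sock;
    # fastcgi_index index.php;
    # include fastcgi.conf;
    # }
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    # expires 30d;
    # access_log off;
    # }
    # location ~ .*\.(js|css)?$ {
    # expires 7d;
    # access_log off;
    # }
    # location ~ /\.ht {
    # deny all;
    # }
    # }
    ########################## vhost #############################
    include vhost/*.conf;
}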
# Backend pool used by "proxy_pass http://shilei.de" in the vhost below.
# NOTE(review): "upstream" is only valid inside http {}. As printed here it
# sits after http's closing brace and nginx -t would reject it; presumably
# it lives in the vhost file next to the server block -- confirm.
# ip_hash keys on the client IPv4 /24 as nginx sees it ($remote_addr), so
# behind a load balancer every request hashes to the LB's address unless
# the realip module rewrites it. With a single server it is a no-op anyway.
upstream shilei.de{
ip_hash;
# server 172.22.0.20:8008 weight=1;
server 172.22.0.20:8008 weight=1;
}
vhost如下:
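# HTTPS front for shilei.de / www.shilei.de, reverse-proxying to the
# "shilei.de" upstream. Plain-HTTP requests are redirected to HTTPS.
server {
    listen 80;
    # http2 requires a binary built with --with-http_v2_module (check nginx -V).
    listen 443 ssl http2;
    charset utf-8;
    # include /opt/verynginx/verynginx/nginx_conf/in_server_block.conf;
    ssl_certificate /opt/verynginx/openresty/nginx/conf/ssl/shilei.de.pem;
    ssl_certificate_key /opt/verynginx/openresty/nginx/conf/ssl/shilei.de.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); dropped. TLSv1.3 only takes
    # effect when nginx is linked against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Dropped the 3DES suites (64-bit block cipher, SWEET32) and the static
    # RSA key-exchange suites (no forward secrecy). Every remaining suite
    # uses ECDHE; clients without ECDHE support are very old and lose access.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    # "builtin" is OpenSSL's per-worker cache; the nginx docs recommend the
    # shared cache alone.
    ssl_session_cache shared:SSL:10m;
    ssl_buffer_size 1400;
    # OCSP stapling needs a "resolver" directive to look up the OCSP
    # responder, and ssl_stapling_verify needs "ssl_trusted_certificate"
    # pointing at the issuer chain. Neither is set here, so nginx warns and
    # no staple is sent. Verify with: openssl s_client -status -connect ...
    ssl_stapling on;
    ssl_stapling_verify on;
    # Security response headers. nginx does NOT inherit add_header into a
    # location that defines its own add_header, so these are repeated inside
    # "location /" below -- keep both copies in sync.
    # X-Frame-Options mitigates clickjacking (not XSS); X-XSS-Protection is
    # a legacy header that current browsers ignore.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    # ~6 months, this host only. Add includeSubDomains once every subdomain
    # is served over HTTPS.
    add_header Strict-Transport-Security max-age=15768000;
    server_name shilei.de www.shilei.de;
    index index.html index.htm index.php;
    # rewrite ^(.*)$ https://$server_name$1 permanent;
    # root /data/wwwroot/meeting.yaozh.com/public;
    # include blocksip.conf;
    # if ($http_host ~ "^leiuk.com$") {
    # rewrite ^(.*) https://leiuk.com$1 permanent;
    # }
    # if ($host != 'leiuk.com') { return 403; }
    # Redirect plain HTTP to HTTPS. Using $host is safe here because this
    # server is only selected when Host matches one of the server_name
    # entries; the catch-all "server_name _" server takes everything else.
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
    # if ($http_x_forwarded_host != '') { return 403; }
    # set $allow true;
    # if ($http_x_real_ip !~ "119.86.*.0*|222.176.*.*|222.182.*.*|106.83.*.*|14.105.*.*|218.79.251.*|221.181.219.53"){
    # set $allow false;
    # }
    # if ($allow = false){
    # return 403;
    # }
    # Per-request id, forwarded to the backend and written to the access log.
    set $xrequestid $request_id;
    # include /opt/verynginx/openresty/nginx/conf/rewrite/thinkphp.conf;
    # expires $expires;
    # # If this nginx is the first hop, use only $remote_addr as the client
    # # address: X-Forwarded-For can be forged by the client.
    # set $http_x_real_ip $remote_addr;
    # location / {
    # proxy_headers_hash_max_size 51200;
    # proxy_headers_hash_bucket_size 6400;
    # proxy_set_header Host $host;
    # #proxy_set_header Host $proxy_host;
    # #proxy_set_header Host $host:$proxy_port;
    # proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $remote_addr;
    # #proxy_set_header Upgrade $http_upgrade; # WebSocket: keeps a long-lived upgraded connection between client and server
    # #proxy_set_header Connection "upgrade"; # WebSocket, see above
    # proxy_pass https://dataservice-dev.yaozh.com;
    # }
    ## If this nginx sits behind Alibaba Cloud WAF/ALB/SLB: the first
    ## X-Forwarded-For entry has already been set to the real client address.
    location / {
        # Repeated from the server level (see the note there).
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header Strict-Transport-Security max-age=15768000;
        # Makes browsers fetch http:// subresources over https (mixed
        # content behind the reverse proxy).
        add_header Content-Security-Policy upgrade-insecure-requests;
        proxy_set_header xrequestid $xrequestid;
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header Host $host;
        #proxy_set_header Host $proxy_host;
        #proxy_set_header Host $host:$proxy_port;
        # WARNING: this forwards the client-supplied X-Real-IP header as-is.
        # That is only safe if every request provably arrives through the
        # WAF/LB (which sets it) and this host is not reachable directly;
        # otherwise anyone can choose the address the backend sees. The
        # robust form is the realip module -- "set_real_ip_from <LB range>;
        # real_ip_header X-Forwarded-For;" -- and then X-Real-IP $remote_addr.
        proxy_set_header X-Real-IP $http_x_real_ip;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header Upgrade $http_upgrade; # WebSocket: keeps a long-lived upgraded connection between client and server
        #proxy_set_header Connection "upgrade"; # WebSocket, see above
        # With a single ip_hash'd upstream server there is nothing to fail
        # over to, so these retry settings are effectively inert.
        proxy_next_upstream error timeout http_502;
        proxy_next_upstream_tries 1;
        proxy_pass http://shilei.de;
    }
    # location ~ [^/]\.php(/|$) {
    # #fastcgi_pass remote_php_ip:9000;
    # fastcgi_pass unix:/dev/shm/php-cgi.sock;
    # fastcgi_index index.php;
    # include fastcgi.conf;
    #
    # #fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # #fastcgi_param PATH_INFO $fastcgi_path_info;
    # #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # }
    # Everything is proxied, so these only matter if a static root is ever
    # added; other dotfiles (.env, .svn) would still be served then.
    location ~ /\.ht {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
}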