Nginx serves as the reverse proxy or web server in front of internal business systems. Building it from source lets you choose exactly which modules are compiled in, which is convenient and also keeps the binary's attack surface to the features you actually use.
Step 1: Update the system and download the source packages
- Building from source needs gcc and related tooling, so install the build dependencies first;
- All source archives are kept under /usr/local/src/;
- The versions below (nginx 1.14.2, OpenSSL 1.1.0e) are the ones this build used; the OpenSSL 1.1.0 branch is end-of-life, so for a new build pick a currently supported OpenSSL release and a matching nginx, and verify the GPG signatures published alongside the tarballs before unpacking them;
yum install -y wget gcc zlib-devel pcre-devel openssl-devel libxml2 libxml2-devel libxslt-devel gcc-c++ autoconf automake perl-devel perl-ExtUtils-Embed
cd /usr/local/src
wget https://nginx.org/download/nginx-1.14.2.tar.gz
wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
Step 2: Unpack the archives
tar zxvf nginx-1.14.2.tar.gz
tar zxvf openssl-1.1.0e.tar.gz
Step 3: Configure the build
This example uses a fairly basic set of options and installs nginx under /usr/local/nginx; change the paths if you need a different layout. Note that --with-openssl=... links that OpenSSL source tree statically into the nginx binary: updating the system openssl package will not patch this nginx, so every OpenSSL security fix means rebuilding and reinstalling nginx (nginx -V shows which OpenSSL the binary was built with).
cd /usr/local/src/nginx-1.14.2
./configure --prefix=/usr/local/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/usr/local/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --user=nginx --group=nginx \
    --with-http_ssl_module --with-http_v2_module --with-http_dav_module \
    --with-http_flv_module --with-http_mp4_module --with-http_realip_module \
    --with-http_addition_module --with-http_xslt_module --with-http_stub_status_module \
    --with-http_sub_module --with-http_random_index_module --with-http_degradation_module \
    --with-http_secure_link_module --with-http_gzip_static_module --with-http_perl_module \
    --with-file-aio --with-mail --with-mail_ssl_module \
    --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
    --with-ld-opt="-Wl,-E" \
    --with-openssl=/usr/local/src/openssl-1.1.0e
Step 4: Compile and install
If the build stops with a missing-package error, install the missing dependency and rerun;
make && make install
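After make install, confirm that the binary you just built really contains the modules you configured and is linked against the OpenSSL you intended, rather than the distribution's openssl-devel that was pulled in for the other dependencies. The following shell script is an added example written for this page (not part of nginx); it parses the output of nginx -V, which prints the configure arguments and the OpenSSL version to stderr. The list of required flags is an assumption covering the security-relevant modules from step 3, and the two sample outputs are constructed.

```shell
#!/bin/sh
# check_build.sh - verify a compiled nginx carries the expected modules and OpenSSL.
# Added example for this page; not part of nginx or the original post.

# Flags we insist on (assumption: the security-relevant subset of step 3).
REQUIRED_FLAGS="--with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module"

# missing_flags "NGINX_V_OUTPUT" -> prints each required flag absent from the output.
# Flags are matched as whole space-delimited words, so --with-stream is not
# satisfied by --with-stream_ssl_preread_module.
missing_flags() {
    _out=$1
    for _f in $REQUIRED_FLAGS; do
        case " $_out " in
            *" $_f "*) ;;
            *) printf '%s\n' "$_f" ;;
        esac
    done
}

# openssl_in_build "NGINX_V_OUTPUT" -> prints the OpenSSL version string nginx was
# built with (the "built with OpenSSL ..." line).
openssl_in_build() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][^ ]*\).*/\1/p'
}

# check_nginx_build "NGINX_V_OUTPUT" -> 0 if every required flag is present, 1 otherwise.
check_nginx_build() {
    [ -z "$(missing_flags "$1")" ]
}

# check_live_binary -> inspects the nginx on PATH; 2 if none, 1 if flags missing.
check_live_binary() {
    _v=$(nginx -V 2>&1) || return 2
    echo "OpenSSL linked into nginx: $(openssl_in_build "$_v")"
    _m=$(missing_flags "$_v")
    if [ -n "$_m" ]; then
        echo "Missing configure flags:"; printf '%s\n' "$_m"; return 1
    fi
    echo "All required modules present"
}

# Constructed sample of `nginx -V 2>&1` for a build that followed step 3:
SAMPLE_OK='nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.1.0e  16 Feb 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-openssl=/usr/local/src/openssl-1.1.0e'

# Constructed sample of a build that silently picked up the distro OpenSSL and
# dropped most modules:
SAMPLE_MISSING='nginx version: nginx/1.14.2
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'

# Usage on the build host: sh check_build.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_binary
fi
```

The same check belongs in the rebuild procedure each time OpenSSL is updated, since a static link means the OpenSSL version reported here is the one actually serving traffic.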
Step 5: Create the nginx user and group
The worker processes run as this account (it is what --user=nginx/--group=nginx in step 3 refers to), so it must exist before the service starts. Create it as a system account without a login shell:
groupadd -f nginx
useradd -r -g nginx -s /sbin/nologin nginx
Step 6: Create the systemd service
Note the quoted 'EOF': with an unquoted heredoc the shell expands $MAINPID to an empty string while writing the file, and the ExecReload/ExecStop lines end up as a bare "kill -s HUP". Section names are case-sensitive, so it is [Unit], not [unit].
cat >/etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx - web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /usr/local/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
Step 7: Enable the service at boot
systemctl daemon-reload
systemctl enable nginx
nginx -t
systemctl start nginx
Step 7, continued: Create the conf.d directory and replace the main nginx.conf
mkdir -p /usr/local/nginx/conf.d
mv /usr/local/nginx/nginx.conf /usr/local/nginx/nginx.conf.ORIG
cat > /usr/local/nginx/nginx.conf <<'EOF'
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;   # same path as --pid-path in step 3 and PIDFile= in the unit
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Keep an access log: without one there is nothing to investigate after an incident.
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log error;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    # Used by the proxy vhosts in conf.d for WebSocket upgrades. Without this map,
    # nginx -t fails with: unknown "connection_upgrade" variable
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    # SSL defaults (a vhost can override them)
    # TLS 1.0/1.1 are deprecated (RFC 8996) and no longer offered here. TLSv1.3 can be
    # added to this list once nginx is built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Gzip Settings
    # Compressing responses that mix secrets with attacker-influenced content over TLS
    # is what BREACH exploits; keep the type list to static assets.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 512;
    gzip_types text/plain application/x-javascript text/javascript application/javascript text/xml text/css application/font-sfnt;
    include /usr/local/nginx/conf.d/*.conf;
}
EOF
Step 8: Create the site configuration
HTTP site configuration
Adjust this to your situation. The example below is reverse-proxy mode, where traffic is forwarded to a backend server; if nginx only serves static pages, the static configuration is enough.
Static site example (a relative root is resolved against the --prefix directory, so guoqiangli.com here means /usr/local/nginx/guoqiangli.com):
server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
        root guoqiangli.com;
        index index.html index.htm;
    }
}
Reverse proxy example ($connection_upgrade must be defined by a map block in the http context of nginx.conf; the backend at 192.168.100.100:8002 is reached over plain HTTP, so it must be on a network where only this proxy can reach it and must accept X-Forwarded-* headers only from this proxy):
cat > /usr/local/nginx/conf.d/www.guoqiangli.com.conf <<'EOF'
server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # appends the address nginx saw to any X-Forwarded-For the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.100.100:8002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 900s;
    }
}
EOF
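The proxy_set_header lines above append the address nginx saw to the client-supplied X-Forwarded-For header, so the leftmost value in that header is attacker-controlled. The following shell script is an added example written for this page (not code from nginx or the original author) showing how the backend should consume the header; it generalises to a chain of several proxies: skip the hops added by proxies you trust and take the first untrusted address from the right. The sample header and the proxy address 198.51.100.7 are constructed. nginx itself can do the equivalent with the realip module compiled in at step 3 (set_real_ip_from, real_ip_header X-Forwarded-For, real_ip_recursive on).

```shell
#!/bin/sh
# xff_client_ip.sh - recover the real client address from X-Forwarded-For.
# Added example for this page; not part of nginx or the original post.
#
# With "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for", nginx
# APPENDS $remote_addr (the peer it accepted the connection from) to whatever
# X-Forwarded-For the client sent. nginx's own address never appears in the
# header; only addresses of upstream proxies that in turn forwarded to nginx do.
# Anything the client put there itself sits on the left and is not trustworthy.

# client_ip_from_xff "XFF_HEADER" "TRUSTED_PROXY_IPS"
#   Prints the rightmost address in the chain that is not a trusted proxy.
#   Prints nothing if every entry is a trusted proxy; the caller should then
#   fall back to the TCP peer address of the connection.
client_ip_from_xff() {
    _trusted=" $2 "
    _found=""
    # split on commas, trim whitespace, then reverse the list (sed "tac" idiom)
    _rev=$(printf '%s\n' "$1" | tr ',' '\n' \
           | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | sed '1!G;h;$!d')
    for _ip in $_rev; do
        case "$_trusted" in
            *" $_ip "*) continue ;;      # a hop added by a proxy we control: skip it
            *) _found=$_ip; break ;;      # first untrusted address from the right
        esac
    done
    printf '%s\n' "$_found"
}

# Constructed header as the backend at 192.168.100.100:8002 would receive it when
# the client forged "1.2.3.4", a trusted upstream proxy (constructed address
# 198.51.100.7, e.g. a CDN edge) appended the real client 203.0.113.9, and nginx
# then appended the address of that upstream proxy:
XFF_SAMPLE="1.2.3.4, 203.0.113.9, 198.51.100.7"
TRUSTED_PROXIES="198.51.100.7"

# Usage: sh xff_client_ip.sh "1.2.3.4, 203.0.113.9, 198.51.100.7" "198.51.100.7"
if [ -n "${1:-}" ]; then
    client_ip_from_xff "$1" "${2:-}"
fi
```

If nginx is the only proxy, the trusted list is empty and the rightmost address is the one nginx appended, which is exactly what it saw on the wire; if a proxy in front of nginx is trusted but the list is left empty, the backend would log the proxy's address instead of the client's.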
HTTPS site configuration (use after the SSL certificate has been issued)
Differences from the plain-HTTP file: 'ssl on;' is dropped because 'listen 443 ssl' already enables TLS (the directive is deprecated since nginx 1.15.0); the protocol list is reduced to TLSv1.2; the 3DES suites are removed from the cipher list; an HSTS header is added; and proxy_pass points at the real backend, because proxying to http://127.0.0.1 would hit this same nginx's port-80 server block, whose 301 to https sends the browser round in a redirect loop.
rm -f /usr/local/nginx/conf.d/www.guoqiangli.com.conf
cat > /usr/local/nginx/conf.d/www.guoqiangli.com.conf <<'EOF'
## HTTPS host
server {
    listen 443 ssl http2;
    server_name www.guoqiangli.com;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
    ssl_certificate /usr/local/guoqiangli.com/fullchain.cer;
    ssl_certificate_key /usr/local/guoqiangli.com/guoqiangli.com.key;
    # ECDHE suites first (forward secrecy). The plain-RSA AES suites at the end exist
    # only for old clients that cannot do ECDHE; remove them once you no longer need
    # to support such clients. 3DES and RC4 are excluded outright.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    # TLSv1.3 can be added once nginx is built against OpenSSL 1.1.1 or later
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # HSTS: start with a short max-age and raise it once you are sure every host
    # under the name serves HTTPS correctly.
    add_header Strict-Transport-Security "max-age=300" always;
    access_log /var/log/nginx/guoqiangli.com_access.log;
    error_log /var/log/nginx/guoqiangli.com_error.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The real backend. http://127.0.0.1 would land on the port-80 block below
        # and its redirect would loop.
        proxy_pass http://192.168.100.100:8002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Lets an execute-shell window stay open for up to 15 minutes. Without this
        # the default is 1 minute and the connection is closed automatically.
        proxy_read_timeout 900s;
    }
}
## Plain-HTTP host: keep it, HTTP-01 validation for the name happens over port 80,
## and redirect everything else to HTTPS.
server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
EOF
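The ssl_protocols line in nginx.conf and the TLS block of this vhost are where weak settings tend to creep back in: a copied cipher list, a re-added TLSv1 for some old client, a leftover 'ssl on;'. The following shell script is an added example written for this page (not part of nginx, acme.sh or the original post) that audits a vhost file for the points discussed above: TLS 1.0/1.1 in ssl_protocols, the deprecated ssl on, enabled suites using 3DES, RC4 or plain-RSA key exchange, a missing server_tokens off and a missing HSTS header. Comment text is stripped before matching. The weak and hardened sample files it is exercised against are constructed.

```shell
#!/bin/sh
# audit_tls.sh - flag weak TLS settings in an nginx vhost file.
# Added example for this page; not part of nginx, acme.sh or the original post.
#
# audit_nginx_tls FILE
#   Prints one line per finding and returns the number of findings (0 = clean),
#   so the exit status can gate a deployment. Comments are stripped first so
#   that commented-out directives are not reported.
audit_nginx_tls() {
    # strip comments and flatten to one line so a directive split over lines still matches
    _conf=$(sed 's/#.*//' "$1" | tr '\n' ' ')
    _n=0

    # 1. deprecated protocol versions (RFC 8996); "TLSv1.2" alone must not match
    if printf '%s' "$_conf" | grep -Eq 'ssl_protocols[^;]*[[:space:]]TLSv1(\.1)?([[:space:]]|;)'; then
        echo "WEAK: ssl_protocols still offers TLS 1.0/1.1"; _n=$((_n + 1))
    fi

    # 2. 'ssl on;' is deprecated; 'listen 443 ssl' already enables TLS
    if printf '%s' "$_conf" | grep -Eq '(^|[[:space:]])ssl[[:space:]]+on[[:space:]]*;'; then
        echo "WEAK: 'ssl on;' used (deprecated, use 'listen 443 ssl')"; _n=$((_n + 1))
    fi

    # 3. enabled suites (entries not prefixed with !) using 3DES, RC4 or plain-RSA
    #    key exchange (OpenSSL names starting with AES have no forward secrecy)
    _ciphers=$(printf '%s' "$_conf" | sed -n 's/.*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\).*/\1/p')
    _bad=$(printf '%s' "$_ciphers" | tr ':' '\n' | grep -v '^!' | grep -E 'DES-CBC3|RC4|^AES[0-9]' | tr '\n' ' ')
    if [ -n "$_bad" ]; then
        echo "WEAK: suites with 3DES/RC4 or without forward secrecy enabled: $_bad"; _n=$((_n + 1))
    fi

    # 4. version disclosure in the Server header
    if ! printf '%s' "$_conf" | grep -q 'server_tokens[[:space:]]*off'; then
        echo "WEAK: server_tokens off missing"; _n=$((_n + 1))
    fi

    # 5. no HSTS header on an HTTPS vhost
    if ! printf '%s' "$_conf" | grep -q 'Strict-Transport-Security'; then
        echo "WEAK: no Strict-Transport-Security header"; _n=$((_n + 1))
    fi
    return $_n
}

# Usage: sh audit_tls.sh /usr/local/nginx/conf.d/www.guoqiangli.com.conf
if [ -n "${1:-}" ]; then
    audit_nginx_tls "$1"
fi
```

Run it against every file in conf.d before nginx -s reload; a non-zero exit status means at least one finding, and the count tells you how many.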
Step 9: Reload the nginx configuration without downtime
nginx -t
nginx -s reload
Step 10: Request a Let's Encrypt certificate with acme.sh
- acme.sh can request both wildcard certificates (e.g. *.guoqiangli.com) and single-name certificates; when it runs on the nginx host itself, nginx mode needs no manual changes to the nginx configuration;
- Wildcard certificates require API access to the DNS provider (DNS-01 validation);
- Current acme.sh releases default to ZeroSSL rather than Let's Encrypt; pass --server letsencrypt on the --issue command (or run acme.sh --set-default-ca --server letsencrypt once) to get the CA this step is named after;
Install acme.sh
Create the directory the certificates will be installed into, then install the current acme.sh release. Piping an unreviewed script from the network straight into a shell is a supply-chain risk, so download the installer, read it, and only then run it. The installer adds an acme.sh alias to your shell profile; open a new shell before using the command.
mkdir -p /usr/local/guoqiangli.com
curl -fsS https://get.acme.sh -o get.acme.sh
less get.acme.sh
sh get.acme.sh
Request a certificate in nginx mode (option 1)
The server block for the name must already exist in nginx (step 8) and port 80 must be reachable from the internet for the HTTP-01 challenge.
acme.sh --issue -d www.guoqiangli.com --nginx --server letsencrypt
Request a wildcard certificate through the DNS provider (option 2)
- Ali_Key and Ali_Secret come from the Alibaba Cloud console; the variable is spelled Ali_Secret, a misspelled Ali_Scret is silently ignored;
- Do not put the export lines in /etc/profile: that file is world-readable and hands the DNS API secret to every login shell. acme.sh stores the credentials in ~/.acme.sh/account.conf after the first successful issue and reuses them for renewals, so set them only for that first command and unset them afterwards;
- Quote the wildcard name, otherwise the shell may expand *.guoqiangli.com as a file glob;
export Ali_Key=""
export Ali_Secret=""
acme.sh --issue --dns dns_ali -d guoqiangli.com -d '*.guoqiangli.com' --server letsencrypt
unset Ali_Key Ali_Secret
Install the certificate to the chosen paths (option 1)
The --reloadcmd is saved with the domain and rerun by the acme.sh cron job after every renewal, so nginx picks up the new certificate automatically.
acme.sh --install-cert -d www.guoqiangli.com --key-file /usr/local/guoqiangli.com/guoqiangli.com.key --fullchain-file /usr/local/guoqiangli.com/fullchain.cer --ca-file /usr/local/guoqiangli.com/ca.cert --reloadcmd "nginx -s reload"
Install the certificate to the chosen paths (option 2)
acme.sh --install-cert -d guoqiangli.com -d '*.guoqiangli.com' --key-file /usr/local/guoqiangli.com/guoqiangli.com.key --fullchain-file /usr/local/guoqiangli.com/fullchain.cer --ca-file /usr/local/guoqiangli.com/ca.cert --reloadcmd "nginx -s reload"
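Two things are worth checking after --install-cert: that the private key landed with owner-only permissions (nginx's master process reads it as root, so nothing else needs access), and that no DNS API credential has been left exported in a login profile such as /etc/profile. The following shell script is an added example written for this page (not part of acme.sh, nginx or the original post). The key path follows the --install-cert commands above; the profile path is an assumption matching the export-in-/etc/profile practice this step warns against, and the profile content used to exercise it is constructed.

```shell
#!/bin/sh
# cert_hygiene.sh - post-install checks for the acme.sh deployment on this page.
# Added example; not part of acme.sh, nginx or the original post.

KEY_FILE=/usr/local/guoqiangli.com/guoqiangli.com.key   # path from --install-cert above
PROFILE=/etc/profile                                    # assumed location of stray exports

# key_perms_ok FILE -> 0 if FILE is a regular file readable by its owner only
# (rw------- or r--------), 1 otherwise. ls -l is parsed instead of stat because
# stat's flags differ between GNU and BSD userlands.
key_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# exported_secrets FILE -> prints each line of FILE that exports a DNS API
# credential (Ali_Key/Ali_Secret, or any *_KEY / *_SECRET / *_TOKEN variable).
# A credential exported from a login profile reaches every shell and every
# process those shells start; acme.sh needs it only for the first --issue and
# keeps its own copy in ~/.acme.sh/account.conf afterwards.
exported_secrets() {
    [ -f "$1" ] || return 0
    grep -E '^[[:space:]]*export[[:space:]]+(Ali_Key|Ali_Secret|[A-Za-z0-9_]*_(KEY|SECRET|TOKEN))=' "$1" || true
}

# check_deployment -> 0 if both checks pass, 1 otherwise; reports what failed.
check_deployment() {
    _ok=0
    if key_perms_ok "$KEY_FILE"; then
        echo "OK:   $KEY_FILE is readable by its owner only"
    else
        echo "FAIL: $KEY_FILE is missing or readable by group/others (chmod 600 it)"; _ok=1
    fi
    _leak=$(exported_secrets "$PROFILE")
    if [ -n "$_leak" ]; then
        echo "FAIL: API credentials exported from $PROFILE:"; printf '%s\n' "$_leak"; _ok=1
    else
        echo "OK:   no API credentials exported from $PROFILE"
    fi
    return $_ok
}

# Usage: sh cert_hygiene.sh --run
if [ "${1:-}" = "--run" ]; then
    check_deployment
fi
```

Both checks are cheap enough to run from the same cron job that acme.sh installs for renewals, so a key that is later chmod'ed open or a credential that reappears in a profile is noticed quickly.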