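Overview
Compiling and installing Nginx by following this document installs all of Nginx's default functionality; readers can also trim the list of modules to compile to suit their own situation.
- TLSv1.3 support: OpenSSL supports the final TLSv1.3 standard from version 1.1.1 onward. For details see: TLS1.3
- HTTP2 support: Nginx supports http2 from version 1.9.5 onward. For details see: Module ngx_http_v2_module
- Lua support: for details see: lua-nginx-module
Installation
Official Nginx documentation: Building nginx from Sources
Install dependencies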
```bash
yum install -y vim gcc gcc-c++ make cmake cmake3 automake autoconf \
    perl-ExtUtils-Embed openssl-devel libxml2-devel libxslt-devel GeoIP-devel \
    luajit-devel gperftools-devel systemd-devel perl-devel libatomic_ops-devel \
    pcre-devel gd-devel
```
Prepare the source packages
```bash
# Create directory
mkdir -p /opt/down/Nginx
cd /opt/down/Nginx

# Get Nginx source
wget https://nginx.org/download/nginx-1.14.0.tar.gz

# Get zlib/openssl/pcre dependencies
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz

# Get the Lua module and its dependency if you need them
wget -c 'https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz' -O lua-nginx-module-0.10.13.tar.gz
wget -c 'https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz' -O ngx_devel_kit-0.3.1rc1.tar.gz

# Extract source files
tar xzf nginx-1.14.0.tar.gz
tar xzf zlib-1.2.11.tar.gz
tar xzf openssl-1.1.1.tar.gz
tar xzf pcre-8.42.tar.gz
tar xzf lua-nginx-module-0.10.13.tar.gz
tar xzf ngx_devel_kit-0.3.1rc1.tar.gz
```
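Before extracting, the downloaded tarballs can be checked against SHA-256 digests recorded out of band. The following is an added example, not part of the original article: `verify_sources` and the `SHA256SUMS` manifest name are hypothetical, and the demo runs on constructed stand-in files rather than real release tarballs.

```sh
#!/bin/sh
# verify_sources MANIFEST DIR
#   MANIFEST lines: "<sha256-hex>  <file name>" (the format sha256sum prints).
#   Prints one "OK|MISMATCH|UNPINNED|MISSING <file>" line per tarball and
#   returns 1 unless every tarball in DIR is pinned and matches, and every
#   pinned file is present.
verify_sources() {
    manifest=$1 dir=$2 rc=0
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        name=${f##*/}
        want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
        have=$(sha256sum "$f" | awk '{ print $1 }')
        if [ -z "$want" ]; then echo "UNPINNED $name"; rc=1
        elif [ "$want" != "$have" ]; then echo "MISMATCH $name"; rc=1
        else echo "OK $name"; fi
    done
    # A pinned file that never arrived is also a failure.
    while read -r sum name; do
        if [ -n "$name" ] && [ ! -e "$dir/$name" ]; then echo "MISSING $name"; rc=1; fi
    done < "$manifest"
    return $rc
}

# Demo on constructed stand-in files (not real release tarballs):
# only the nginx file is pinned, so the zlib file must be refused.
demo() {
    d=$(mktemp -d)
    printf 'nginx stand-in\n' > "$d/nginx-1.14.0.tar.gz"
    printf 'zlib stand-in\n'  > "$d/zlib-1.2.11.tar.gz"
    (cd "$d" && sha256sum nginx-1.14.0.tar.gz) > "$d/SHA256SUMS"
    verify_sources "$d/SHA256SUMS" "$d"; status=$?
    rm -rf "$d"
    return $status
}
demo || echo "=> refusing to extract"
```

In a real build the manifest holds digests taken from each project's release page or signed checksum file, and `tar xzf` runs only when `verify_sources` returns 0.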
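Compile and install
- Readers can customize the paths specified in the build options to suit their own situation.
- The user and group must be created in advance by running `useradd work`, or readers can choose their own user and group names.
- All compilable modules of `nginx-1.14.0` are enabled here; readers can trim them as they see fit.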
```bash
# Configure options
cd nginx-1.14.0
./configure \
    --prefix=/opt/soft/Nginx \
    --error-log-path=/opt/log/Nginx/error.log \
    --pid-path=/opt/run/Nginx/Nginx.pid \
    --lock-path=/opt/run/Nginx/Nginx.lock \
    --user=work \
    --group=work \
    --with-threads \
    --with-file-aio \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_xslt_module=dynamic \
    --with-http_image_filter_module=dynamic \
    --with-http_geoip_module=dynamic \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_auth_request_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_degradation_module \
    --with-http_slice_module \
    --with-http_stub_status_module \
    --with-http_perl_module=dynamic \
    --http-log-path=/opt/log/Nginx/access.log \
    --http-client-body-temp-path=/opt/soft/Nginx/temp/client_body \
    --http-proxy-temp-path=/opt/soft/Nginx/temp/proxy \
    --http-fastcgi-temp-path=/opt/soft/Nginx/temp/fastcgi \
    --http-uwsgi-temp-path=/opt/soft/Nginx/temp/uwsgi \
    --http-scgi-temp-path=/opt/soft/Nginx/temp/scgi \
    --with-mail=dynamic \
    --with-mail_ssl_module \
    --with-stream=dynamic \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --with-stream_geoip_module=dynamic \
    --with-stream_ssl_preread_module \
    --with-google_perftools_module \
    --with-cpp_test_module \
    --with-compat \
    --with-pcre=../pcre-8.42 \
    --with-pcre-jit \
    --with-libatomic \
    --with-zlib=../zlib-1.2.11 \
    --with-openssl=../openssl-1.1.1 \
    --with-debug \
    --with-ld-opt=-Wl,-rpath,/usr/lib64 \
    --add-module=../ngx_devel_kit-0.3.1rc1 \
    --add-module=../lua-nginx-module-0.10.13

# Compile & install
make -j2
make install
```
Configuration and startup
Create the required directories; adjust them to your own situation.
```bash
mkdir -p /opt/log/Nginx
mkdir -p /opt/run/Nginx
mkdir -p /opt/soft/Nginx/temp
mkdir -p /opt/soft/Nginx/conf/{acl,ssl,vhosts}
```
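Main configuration file
Path: /opt/soft/Nginx/conf/nginx.conf
The basic parameters already cover most use cases; if you need to tune additional parameters, see the Modules reference in the official documentation.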
```nginx
# Nginx main config
user work work;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 655350;

# Loads a dynamic module.
# load_module modules/ngx_stream_module.so;

# Provides the configuration file context in which the directives that affect connection processing are specified.
events {
    # Nginx will by default use the most efficient method.
    # use epoll;
    worker_connections 102400;
}

# Log level: debug, info, notice, warn, error, crit, alert, or emerg.
error_log /opt/log/Nginx/error.log error;

# PCRE JIT can speed up processing of regular expressions significantly.
pcre_jit on;

pid /opt/run/Nginx/Nginx.pid;

http {
    include mime.types;
    default_type application/octet-stream;

    # Default log format - main
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    # Custom log format - main
    log_format main '[$time_local] $remote_addr $http_x_connecting_ip "$http_x_forwarded_for" '
                    '$scheme $http_host "$request" $body_bytes_sent $request_time $status "$http_referer" '
                    '"$http_user_agent" $upstream_addr $upstream_response_time $upstream_status ';

    access_log /opt/log/Nginx/access.log main;

    # client_body_buffer_size 8k|16k;
    # client_body_timeout 120s;
    # client_header_buffer_size 1k;
    # client_header_timeout 120s;
    # client_max_body_size 10m;

    keepalive_timeout 75s;
    send_timeout 60s;
    sendfile on;
    server_tokens off;
    tcp_nodelay on;
    tcp_nopush on;

    # Enables or disables the use of underscores in client request header fields.
    # underscores_in_headers off;

    gzip on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Module ngx_http_fastcgi_module setting.
    # fastcgi_buffer_size 8k;
    # fastcgi_buffering on;
    # fastcgi_buffers 8 256k;
    # fastcgi_connect_timeout 120s;
    # fastcgi_read_timeout 120s;
    # fastcgi_send_timeout 120s;

    include vhosts/*.conf;
}
```
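Default virtual host
Configure the default virtual host to reject requests made directly by IP address and to redirect requests for domain names that are not bound to a virtual host.
Path: /opt/soft/Nginx/conf/vhosts/default.conf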
```nginx
# vhosts - default
server {
    listen 80 default_server;
    server_name _;

    # underscores_in_headers on;

    if ($host ~ "\d+\.\d+\.\d+\.\d+") {
        return 404;
    }

    if ($host ~ "fandenggui.com") {
        return https://www.fandenggui.com;
    }

    location / {
        return https://www.fandenggui.com;
    }
}
```
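Production virtual host configuration
There are many details here; readers need to understand what each setting does and adjust it themselves, so they are not explained at length.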
```nginx
server {
    listen 80;
    listen 443 ssl http2;
    server_name www.fandenggui.com;

    # Access control
    # include acl/your_acl_rule.conf;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate ssl/fandenggui.com.pem;
    ssl_certificate_key ssl/fandenggui.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1; # Requires Nginx >= 1.1.0

    # The session settings are already set above; nginx rejects a repeated
    # ssl_session_timeout or ssl_session_tickets in the same block as a
    # duplicate, so this second set is commented out.
    # ssl_session_timeout 10m;
    # ssl_session_cache shared:SSL:10m;
    # ssl_session_tickets off; # Requires Nginx >= 1.5.9

    # OCSP Stapling --- Requires Nginx >= 1.3.7
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # DH parameters: openssl dhparam -out /opt/soft/Nginx/conf/dhparam.pem 4096
    # ssl_dhparam /opt/soft/Nginx/conf/dhparam.pem;

    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    # resolver_timeout 5s;

    # add_header X-Frame-Options DENY;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security max-age=15768000;
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # Forced to use HTTPS
    # if ( $scheme = "http") {
    #     return 301 https://$host$request_uri;
    # }

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    access_log /opt/log/Nginx/www.fandenggui.com_access.log main;
    error_log /opt/log/Nginx/www.fandenggui.com_error.log error;

    location / {
        # Configure the reverse proxy to suit your own situation
        # ...
    }
}
```
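The `ssl_protocols` line above still enables TLSv1 and TLSv1.1 (deprecated by RFC 8996), and the cipher list contains 3DES (`DES-CBC3`) and static-RSA suites. The following added example (not the author's code) flags those in a config; `tls_findings` and `audit_tls` are hypothetical helper names, the sample config is constructed with a shortened cipher list, and the check assumes explicit cipher names rather than OpenSSL keywords such as `HIGH`.

```sh
#!/bin/sh
# Constructed sample: TLS directives in the style of the vhost above
# (cipher list shortened).
SAMPLE_CONF='server {
    listen 443 ssl http2;
    # ssl_protocols TLSv1.2;   <- commented out, must be ignored
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:!DSS";
}'

# directive_args NAME: config on stdin; print each argument of every NAME
# directive on its own line (comments and quotes stripped).
directive_args() {
    sed 's/#.*//' | tr '\n' ' ' | tr ';' '\n' | tr -d "\"'" |
        awk -v d="$1" '{
            for (i = 1; i <= NF; i++)
                if ($i == d) { for (j = i + 1; j <= NF; j++) print $j; break }
        }'
}

# tls_findings: config on stdin; print one finding per line.
tls_findings() {
    conf=$(cat)
    for p in $(printf '%s\n' "$conf" | directive_args ssl_protocols); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy-protocol $p" ;;
        esac
    done
    for c in $(printf '%s\n' "$conf" | directive_args ssl_ciphers | tr ':' '\n'); do
        case "$c" in
            '!'*)                ;;                          # exclusion, not an offer
            *DES-CBC3*)          echo "3des-cipher $c" ;;    # 64-bit block cipher
            ECDHE-*|DHE-*|EDH-*) ;;                          # ephemeral key exchange
            *)                   echo "static-rsa-kex $c" ;; # no forward secrecy
        esac
    done
}

# audit_tls: print the findings and return 1 if there are any.
audit_tls() {
    out=$(tls_findings)
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
}

printf '%s\n' "$SAMPLE_CONF" | audit_tls || echo "=> tighten ssl_protocols / ssl_ciphers"
```

Running `audit_tls < vhosts/your_site.conf` before `nginx -t` gives a quick gate; a config limited to `TLSv1.2 TLSv1.3` with only ECDHE/DHE AEAD suites produces no findings.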
Create Nginx.service
Path: /usr/lib/systemd/system/Nginx.service
```ini
[Unit]
Description=The Nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/opt/run/Nginx/Nginx.pid
ExecStartPre=/usr/bin/rm -f /opt/run/Nginx/Nginx.pid
ExecStartPre=/opt/soft/Nginx/sbin/nginx -t
ExecStart=/opt/soft/Nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```
Start the service and enable it at boot
```bash
# Check Nginx config.
/opt/soft/Nginx/sbin/nginx -t

systemctl start Nginx
systemctl enable Nginx
```
References and tools