标准化部署Nginx手册

标准化部署Nginx手册

作者: 平凡的运维之路 | 来源:发表于2021-12-15 15:30 被阅读0次

    CCOD标准化部署Nginx手册

    前期工作

    • 从公司下载nginx稳定版本1.20.2和相关Nginx插件
    • nginx作为代理服务器,服务器的文件打开数设置为最大65535
    # Raise the per-user process and open-file limits (65535 chosen by the author).
    # NOTE(review): limits.conf is applied by pam_limits at login; it does not reach a daemon
    # started by an init script or systemd. For nginx itself set worker_rlimit_nofile in
    # nginx.conf and confirm with `cat /proc/<nginx-pid>/limits` after start-up.
    [root@localhost ~]# cat >> /etc/security/limits.conf <<EOF
    * soft nproc 65535
    * hard nproc 65535
    * soft nofile 65535
    * hard nofile 65535
    EOF
    # NOTE(review): without a resource flag bash's ulimit acts on -f (maximum file size), so this
    # line caps file size at 65535 blocks instead of raising open files; `ulimit -SHn 65535` is
    # presumably what was meant. On CentOS 7 /etc/rc.local is also not executable by default.
    [root@localhost ~]# echo "ulimit -SH 65535" >> /etc/rc.local
    # Login shells only; services do not read /etc/profile.
    [root@localhost ~]# echo "ulimit -n 65535 "  >> /etc/profile
    [root@localhost ~]# source /etc/profile
    [root@localhost ~]# ulimit -a
    
    • 注意事项:复制命令时注意自动换行符,以免导致数据缺失。
    # Fetch nginx and the third-party modules from the internal mirror into /usr/local/src.
    # NOTE(review): plain-HTTP downloads with no checksum or signature check shown; verify each
    # tarball against the upstream-published hash/signature (nginx publishes .asc files) before
    # building, otherwise a modified mirror copy is compiled straight into the proxy.
    [root@localhost ~]# cd /usr/local/src/
    [root@localhost src]#  wget http://10.130.36.117/nginx/nginx-1.20.2.tar.gz
    [root@localhost src]#  wget http://10.130.36.117/nginx/plug-in/naxsi-0.55.3.tar.gz
    [root@localhost src]#  wget http://10.130.36.117/nginx/plug-in/nginx-code-gcc.tar.gz
    [root@localhost src]#  wget http://10.130.36.117/nginx/plug-in/nginx-goodies-nginx-sticky-module-ng.zip
    [root@localhost src]#  wget http://10.130.36.117/nginx/plug-in/nginx_upstream_check_module-master.zip
    # v0.10.13.tar.gz appears to be lua-nginx-module (it unpacks to lua-nginx-module-0.10.13,
    # see the --add-module path at configure time) — confirm against the mirror listing.
    [root@localhost src]#  wget http://10.130.36.117/Deploymentpackage/v0.10.13.tar.gz 
    [root@localhost src]#  wget http://10.130.36.117/Deploymentpackage/LuaJIT-2.0.4.tar.gz
    
    • 安装高版本openssl
    • 参考升级部署ssl文档:http://10.130.1.65:8090/pages/viewpage.action?pageId=42369582
    # Sources for the OpenSSL/OpenSSH upgrade (zlib and perl are build prerequisites; perl is
    # only needed on CentOS 5, see below).
    # NOTE(review): these are pinned versions; later 1.1.1 and 8.x releases carry security fixes,
    # so take the newest patch level of the same branch when this procedure is re-run.
    [root@localhost src]# wget http://10.130.36.117/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
    [root@localhost src]# wget http://10.130.36.117/OpenBSD/openssl/source/openssl-1.1.1g.tar.gz
    [root@localhost src]# wget http://10.130.36.117/OpenBSD/zlib/zlib-1.2.11.tar.gz
    [root@localhost src]# wget http://10.130.36.117/perl/perl-5.10.1.tar.bz2
    
    • 由于openssh需要依赖openssl,所以openssh也一并需要进行升级
    # Unpack the upgrade packages and install the build toolchain
    [root@localhost src]# tar -xvf openssh-8.6p1.tar.gz
    [root@localhost src]# tar -xvf openssl-1.1.1g.tar.gz
    [root@localhost src]# tar -xvf zlib-1.2.11.tar.gz
    # NOTE(review): this also installs the distro openssl/openssl-devel, so two OpenSSL copies
    # coexist (/usr and /usr/local/ssl). Each build below must be pointed at the intended one
    # (--with-ssl-dir / --with-openssl) and the result checked with `ssh -V` / `nginx -V`.
    [root@localhost src]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel 
    
    # Install zlib into its own prefix; OpenSSH is pointed at it with --with-zlib below
    [root@localhost src]# cd zlib-1.2.11/
    [root@localhost zlib-1.2.11]# ./configure --prefix=/usr/local/zlib
    [root@localhost zlib-1.2.11]# make -j 4 && make install
    
    # Build and install OpenSSL
    [root@localhost src]# cd /usr/local/src/openssl-1.1.1g/
    # NOTE(review): `-d` asks OpenSSL's config script for a debug build (debug symbols, reduced
    # optimisation) — presumably unintended for a production proxy; confirm and drop it.
    [root@localhost openssl-1.1.1g]# ./config --prefix=/usr/local/ssl -d shared
    [root@localhost openssl-1.1.1g]# make -j 4 && make install
    # Make /usr/local/ssl/lib visible to the dynamic linker system-wide so the new libssl/libcrypto
    # (1.1 soname) resolve for sshd and anything else built against them.
    # NOTE(review): binaries linked to the distro library (different soname) are unaffected;
    # verify with `ldd` on each rebuilt program rather than assuming.
    [root@localhost openssl-1.1.1g]# echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
    [root@localhost openssl-1.1.1g]# ldconfig -v
    
    # CentOS 5.x ships Perl v5.8.8; OpenSSL needs v5.10.0 or newer, so a newer perl is built first.
    
    # perl
    [root@localhost openssl-1.1.1g]# cd ../
    [root@portal_node_1 src]# tar xvf perl-5.10.1.tar.bz2 
    [root@localhost src]# cd perl-5.10.1
    [root@localhost perl-5.10.1]#./Configure -des -Dprefix=/usr/local/perl
    [root@localhost perl-5.10.1]# make -j 4  && make install
    # NOTE(review): replacing /usr/bin/perl hides the distro's perl modules from every tool that
    # runs `perl` (the system perl is a dependency of several rpm/yum helpers); prefer prepending
    # /usr/local/perl/bin to PATH for the OpenSSL build only, or restore perl.bak afterwards.
    [root@localhost perl-5.10.1]# mv /usr/bin/perl /usr/bin/perl.bak
    [root@localhost perl-5.10.1]# ln -s /usr/local/perl/bin/perl /usr/bin/perl
    
    # Build and install OpenSSH against the zlib and OpenSSL built above
    [root@localhost openssh-8.6p1]# cd /usr/local/src/openssh-8.6p1/
    # The version.h edit replaces the version string in the SSH banner (the output further down
    # shows "OpenSSH_ttxsp1"). NOTE(review): this is banner obscurity only — it hides the real
    # version from your own vulnerability scanners and inventory as much as from anyone else.
    [root@localhost openssh-8.6p1]# vim version.h
    #define SSH_VERSION "OpenSSH_ttxs" ## change this line
    # NOTE(review): --prefix=/usr overwrites the distro ssh/sshd binaries in place; a later
    # `yum update openssh` will overwrite them again. --with-privsep-path requires /var/lib/sshd
    # to exist as root-owned mode 0755 or sshd refuses to start — check it after make install.
    [root@localhost openssh-8.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
    [root@localhost openssh-8.6p1]# make -j 4 && make install
    
    # Edit sshd_config (make install keeps an existing /etc/ssh/sshd_config, so the distro file
    # is presumably what gets patched here; a pristine 8.6 file reads "#PermitRootLogin
    # prohibit-password" and the first sed would not match — check each grep on every host).
    [root@localhost openssh-8.6p1]# vim /etc/ssh/sshd_config //修改sshd_config 配置文件
    # NOTE(review): PermitRootLogin yes allows direct root password logins over SSH. Prefer
    # `PermitRootLogin prohibit-password` (key-only root) or an unprivileged admin account with sudo.
    [root@localhost openssh-8.6p1]# sed -i s/"#PermitRootLogin yes"/"PermitRootLogin yes"/g /etc/ssh/sshd_config
    [root@localhost openssh-8.6p1]# grep "^PermitRootLogin" /etc/ssh/sshd_config
    PermitRootLogin yes
    # NOTE(review): commenting out UsePAM disables PAM for sshd: account lockout, password ageing
    # and session modules no longer run for SSH logins, and pam_limits — which applies the
    # /etc/security/limits.conf values set at the top of this manual — is skipped as well.
    # If this was done to work around a login failure, fix that cause instead.
    [root@localhost openssh-8.6p1]# sed -i s/"UsePAM yes"/"#UsePAM yes"/g /etc/ssh/sshd_config
    [root@localhost openssh-8.6p1]# grep "UsePAM" /etc/ssh/sshd_config
     #UsePAM yes
    # Disabling GSSAPI is harmless where no Kerberos is used (and avoids slow logins). The grep
    # shows a "no" and a "yes" line, both commented, i.e. the compiled-in default (no) applies.
    [root@localhost openssh-8.6p1]# sed -i s/"GSSAPIAuthentication yes"/"#GSSAPIAuthentication yes"/g /etc/ssh/sshd_config
    [root@localhost openssh-8.6p1]# grep "GSSAPIAuthentication" /etc/ssh/sshd_config
    #GSSAPIAuthentication no
    #GSSAPIAuthentication yes
    [root@localhost openssh-8.6p1]# sed -i s/"GSSAPICleanupCredentials yes"/"#GSSAPICleanupCredentials yes"/g /etc/ssh/sshd_config
    [root@localhost openssh-8.3p1]# grep "GSSAPICleanupCredentials" /etc/ssh/sshd_config
    #GSSAPICleanupCredentials yes
    #GSSAPICleanupCredentials yes
    # Host keys must be readable by root only (sshd refuses group/world-readable keys).
    # ssh_host_key and ssh_host_dsa_key are legacy key types that may not exist on a fresh
    # install; chmod then reports "No such file" for them, which is harmless.
    [root@localhost openssh-8.3p1]# chmod 600 /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key
    
    # CentOS 6: restart sshd and check the version
    # NOTE(review): keep the current session open and test a fresh login in a second terminal
    # before disconnecting — a sshd that fails to start otherwise locks you out of the host.
    [root@localhost openssh-8.6p1]# service sshd restart
    # "OpenSSL 1.1.1g" in this output confirms the client was linked against the new libssl.
    [root@localhost openssh-8.6p1]# ssh -V
    OpenSSH_ttxsp1, OpenSSL 1.1.1g  21 Apr 2020
    
    # CentOS 7: install the SysV init script shipped with OpenSSH, start sshd and check the version
    [root@localhost openssh-8.6p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
    [root@localhost openssh-8.6p1]# chmod +x /etc/init.d/sshd
    [root@localhost openssh-8.6p1]# chkconfig --add sshd
    [root@localhost openssh-8.6p1]# chmod +x /etc/init.d/sshd
    # NOTE(review): this enables the native sshd.service unit that the next line then moves
    # away, leaving a dangling wants/ symlink. Disable the native unit first, move it, then enable
    # the SysV-generated one.
    [root@localhost openssh-8.6p1]# systemctl enable sshd
    [root@localhost openssh-8.6p1]# mv /usr/lib/systemd/system/sshd.service /usr/local/
    # NOTE(review): per the message below this is forwarded to `systemctl enable sshd.socket`.
    # On stock CentOS 7 sshd.socket binds port 22 itself and spawns sshd per connection, which
    # would compete with the SysV-started daemon — check `systemctl status sshd.socket` and
    # disable it if both end up active.
    [root@localhost openssh-8.6p1]# chkconfig sshd on
    注意:正在将请求转发到“systemctl enable sshd.socket”。
    Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.
    [root@localhost openssh-8.6p1]# service sshd restart
    Restarting sshd (via systemctl): [ 确定 ]
    # "SYSV:" and "bad" in the status output only mean the unit was generated from the init script.
    [root@localhost openssh-8.6p1]# systemctl status sshd
    ● sshd.service - SYSV: OpenSSH server daemon
    Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
    Active: active (running) since 五 2020-08-07 18:28:28 CST; 2s ago
    

    编译Nginx

    • 为nginx插件打补丁并编译安装;特别说明:openssl 1.1.1版本之后该功能已不再支持。
    # Unpack the modules and build LuaJIT; lua-nginx-module reads LUAJIT_INC/LUAJIT_LIB at
    # configure time.
    [root@localhost openssh-8.6p1]# cd /usr/local/src
    [root@localhost src]# unzip  nginx-goodies-nginx-sticky-module-ng.zip   
    [root@localhost src]# tar xvf naxsi-0.55.3.tar.gz
    [root@localhost src]# unzip  nginx_upstream_check_module-master.zip
    [root@localhost src]# tar xvf nginx-code-gcc.tar.gz
    [root@localhost src]# tar xvf nginx-1.20.2.tar.gz 
    [root@localhost src]# tar xvf v0.10.13.tar.gz 
    [root@localhost src]# tar -zxvf  LuaJIT-2.0.4.tar.gz
    [root@localhost src]# cd LuaJIT-2.0.4
    [root@localhost LuaJIT-2.0.4]# make -j 4 &&  make install
    [root@localhost LuaJIT-2.0.4]# vim /etc/profile  # append the environment variables at the end of the file
    export LUAJIT_INC=/usr/local/include/luajit-2.0  # luajit environment variable
    # NOTE(review): LuaJIT's default install prefix is /usr/local (the symlink below uses
    # /usr/local/lib), so /usr/local/LuaJIT/lib presumably does not exist unless make install was
    # given PREFIX=/usr/local/LuaJIT — confirm with `ls "$LUAJIT_LIB"` before running ./configure.
    export LUAJIT_LIB=/usr/local/LuaJIT/lib
    # Both variables must be exported in the same shell that later runs ./configure.
    [root@localhost LuaJIT-2.0.4]# source /etc/profile
    [root@localhost LuaJIT-2.0.4]# ln -s /usr/local/lib/libluajit-5.1.so.2  /lib64/
    [root@localhost nginx-1.20.2]# cd /usr/local/src/nginx-1.20.2
    
    # Patch the nginx source for nginx_upstream_check_module
    # Line offsets are expected against 1.20.2; the hunk reported "with fuzz 2" matched with
    # inexact context and is worth eyeballing in ngx_http_upstream_round_robin.c before building.
    [root@localhost nginx-1.20.2]# patch -p1 <   /usr/local/src/nginx_upstream_check_module-master/check_1.14.0+.patch 
    patching file src/http/modules/ngx_http_upstream_hash_module.c
    Hunk #2 succeeded at 241 (offset 3 lines).
    Hunk #3 succeeded at 571 (offset 6 lines).
    patching file src/http/modules/ngx_http_upstream_ip_hash_module.c
    Hunk #2 succeeded at 211 (offset 3 lines).
    patching file src/http/modules/ngx_http_upstream_least_conn_module.c
    patching file src/http/ngx_http_upstream_round_robin.c
    Hunk #1 succeeded at 9 with fuzz 2.
    Hunk #2 succeeded at 107 (offset 6 lines).
    Hunk #3 succeeded at 186 (offset 12 lines).
    Hunk #4 succeeded at 263 (offset 13 lines).
    Hunk #5 succeeded at 383 (offset 14 lines).
    Hunk #6 succeeded at 420 (offset 14 lines).
    Hunk #7 succeeded at 488 (offset 14 lines).
    Hunk #8 succeeded at 588 (offset 14 lines).
    patching file src/http/ngx_http_upstream_round_robin.h
    
    # Configure with the third-party modules; --with-openssl builds OpenSSL from the 1.1.1g source
    # tree and links it statically, independent of the /usr/local/ssl install above — every OpenSSL
    # upgrade therefore needs an nginx rebuild. naxsi is compiled in but only acts once its core
    # rules are included and SecRulesEnabled is set in the configuration (the templates in this
    # manual do neither, so the WAF is dormant as shown).
    [root@localhost nginx-1.20.2]# ./configure --prefix=/usr/local/nginx --with-http_v2_module --with-http_stub_status_module --with-http_ssl_module --add-module=/usr/local/src/nginx-code-gcc/ngx_devel_kit-0.3.0  --add-module=/usr/local/src/lua-nginx-module-0.10.13/ --add-module=/usr/local/src/nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --add-module=/usr/local/src/nginx_upstream_check_module-master --add-module=/usr/local/src/naxsi-0.55.3/naxsi_src/ --with-openssl=/usr/local/src/openssl-1.1.1g --with-stream 
    
    [root@localhost nginx-1.20.2]# make -j 4
    [root@localhost nginx-1.20.2]# make install
    
    # Check the build information
    # NOTE(review): the captured output says "built with OpenSSL 1.0.1e-fips" (and gcc 4.4.7),
    # which contradicts the --with-openssl=.../openssl-1.1.1g argument printed on the same
    # screen — a build that really linked the 1.1.1g tree reports 1.1.1g here. Treat this paste
    # as stale and verify on the real host: a proxy still on OpenSSL 1.0.1e has no TLSv1.3 and
    # none of the later fixes, and the ssl_protocols line in the template would silently lose TLSv1.3.
    [root@localhost sbin]# cd /usr/local/nginx/sbin
    [root@localhost sbin]# ./nginx -V
    nginx version: nginx/1.20.2
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) 
    built with OpenSSL 1.0.1e-fips 11 Feb 2013
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --with-http_v2_module --with-http_stub_status_module --with-http_ssl_module --add-module=/usr/local/src/nginx-code-gcc/ngx_devel_kit-0.3.0  --add-module=/usr/local/src/lua-nginx-module-0.10.13/ --add-module=/usr/local/src/nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --add-module=/usr/local/src/nginx_upstream_check_module-master --add-module=/usr/local/src/naxsi-0.55.3/naxsi_src/ --with-openssl=/usr/local/src/openssl-1.1.1g --with-stream 
    

    Nginx配置

    • 以下相关配置文件,对应提供模板进行参考,请根据实际的进行修改和调整。

    • 主配置文件

    # Main configuration file; relative paths resolve under the --prefix (/usr/local/nginx)
    [root@localhost conf]# vim nginx.conf
    # NOTE(review): worker processes run as root, so any request-handling bug (or a naxsi/lua
    # module flaw) runs with full host privileges. Only the master needs root to bind 80/443;
    # use a dedicated unprivileged account here (e.g. `user nginx;`, the name being site choice).
    user  root;
    worker_processes  4;
    error_log  logs/error.log;
    pid        sbin/nginx.pid;
    
    events {
        use epoll;
        # 65535 per worker; without worker_rlimit_nofile the effective ceiling is whatever
        # descriptor limit the process inherited (see the ulimit section of this manual).
        worker_connections  65535;
    }
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
    
        # Access-log format; $upstream_addr records which backend served the request.
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" "$upstream_addr"';
        access_log  logs/access.log  main;
        sendfile        on;
        keepalive_timeout  65;
        fastcgi_buffers 8 128k;
        # 1000 s upstream timeouts — long-lived requests; a slow backend ties up connections
        # for that long before nginx gives up.
        proxy_connect_timeout 1000;
        proxy_send_timeout 1000;
        proxy_read_timeout 1000;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        client_max_body_size 200m;
        # Hides the nginx version in the Server header and error pages.
        server_tokens  off;
        # NOTE(review): if enabled, the two Set-Cookie lines would emit a *new* cookie literally
        # named "HttpOnly"/"Secure" rather than flag the application's cookies. Set the flags on the
        # backend, or use proxy_cookie_flags (available since nginx 1.19.3, so in this 1.20.2 build).
        #add_header Set-Cookie "HttpOnly";
        #add_header Set-Cookie "Secure";
        # NOTE(review): enabling X-Frame-Options (and a Content-Security-Policy frame-ancestors
        # directive) is recommended; note that add_header in a server/location replaces the
        # inherited set, so headers must be declared at the level that wins.
        #add_header X-Frame-Options SAMEORIGIN;
        # The naxsi module compiled in earlier stays inactive until its core rules are included
        # here and SecRulesEnabled is set in the relevant locations.
        include    vhosts/local_upstream.conf;
        include    vhosts/server.conf;
    }
    
    # Create the vhosts directory referenced by the include lines in nginx.conf
    [root@localhost conf]# mkdir vhosts
    
    # Files under the vhosts directory
    [root@localhost vhosts]# vim server.conf 
    # Plain-HTTP site. default_server: any Host header that matches no other block lands here.
    # NOTE(review): there is no redirect to HTTPS, so HSTS below only protects clients after
    # their first successful HTTPS visit; consider `return 301 https://$host$request_uri;` here.
    server {
        listen 80 default_server;
        server_name  ccod.com;
        include    vhosts/local.conf;
        error_page  404              /error.html;
        error_page   500 502 503 504  /error.html;
        location = /error.html {
            root   html;
        }
    }
    
    # Forward proxy for hosts without public-network access, used for yum installs.
    # Selected by Host header only (clients point mirrors.aliyun.com at this nginx); `~ ^/*`
    # matches every URI. proxy_pass to a hostname is resolved once at configuration load.
    server{
            listen 80;
            server_name    mirrors.aliyun.com;
            location ~ ^/*{
                     proxy_redirect off;
                     proxy_set_header Host $host;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Real-IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_buffering off;
                     chunked_transfer_encoding       off;
                     proxy_pass     http://mirrors.aliyun.com;
                     client_max_body_size 512m;
            }
        }
    
    # HTTPS site (Mozilla "intermediate" style TLS settings).
    server {
        listen 443 ssl http2;
        ssl_certificate /usr/local/nginx/conf/crt/3669866__ccod.com.pem;
        # NOTE(review): the key is read by the root master process only; keep it mode 0600
        # root-owned — tar restores whatever mode crt.tar.gz carried, so check after unpacking.
        ssl_certificate_key /usr/local/nginx/conf/crt/3669866__ccod.com.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:100m;
        ssl_session_tickets off;
        # NOTE(review): the DHE-* suites in ssl_ciphers need ssl_dhparam; with it commented out
        # nginx presumably offers only the ECDHE suites — confirm with a cipher scan if DHE matters.
        #ssl_dhparam /path/to/dhparam;
    
        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
    
        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
        add_header Strict-Transport-Security "max-age=63072000" always;
    
        # OCSP stapling
        ssl_stapling on;
        # NOTE(review): verifying the stapled response needs the issuer chain configured as
        # trusted (ssl_trusted_certificate below is commented out); if verification cannot be
        # done nginx logs a warning and stapling is not used — check error.log at start-up.
        ssl_stapling_verify on;
    
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    
        server_name  *.ccod.com;
        include    vhosts/local.conf;
        error_page  404              /error.html;
        error_page   500 502 503 504  /error.html;
        location = /error.html {
            root   html;
        }
    }
    
    # Shared location snippet included by both the port-80 and port-443 server blocks
    [root@localhost vhosts]# vim local.conf 
          # Status page of nginx_upstream_check_module.
          # NOTE(review): reachable by every client and it lists upstream names/addresses and
          # health; restrict it with allow/deny (see the access-control section of this manual)
          # or serve it only on an internal listener.
          location /qnstatus{
                      check_status;
                      access_log off;
            }
    
          # Application traffic for the "gls" upstream; the original URI (including /gls/) is
          # passed through unchanged because proxy_pass has no URI part.
          location /gls/{
            proxy_pass      http://gls;
            proxy_set_header Host $host;
        }
       
    # Upstream definitions (included from nginx.conf before server.conf)
    [root@localhost vhosts]# vim   local_upstream.conf 
           # Upstream for /gls/: cookie-based session stickiness (sticky module) plus active
           # health checks (upstream_check module).
           # NOTE(review): `sticky;` issues its routing cookie without Secure/HttpOnly flags;
           # the module documents `secure` and `httponly` options — confirm for this version and
           # set them. type=tcp only proves the port accepts connections; an HTTP check with an
           # expected status also catches a hung application.
           upstream        gls{
                    sticky;
                    server  open.ccod.com:80;
                    check interval=3000 rise=3 fall=5 timeout=1000 type=tcp;  # health check
            }
            
    

    上传证书文件并启动服务验证

    • 上传证书
    # Fetch and unpack the certificate bundle next to nginx.conf, then syntax-check and start.
    # NOTE(review): the archive contains the private key and travels over plain HTTP from the
    # internal mirror, so anyone on the path or with read access to the mirror can copy it.
    # Deliver keys over an authenticated channel, and after unpacking set the key file to mode
    # 0600 root-owned (tar restores whatever mode the archive carried).
    [root@localhost vhosts]# cd /usr/local/nginx/conf/
    [root@localhost conf]# wget http://10.130.36.117/Deploymentpackage/crt.tar.gz 
    [root@localhost conf]# tar xvf crt.tar.gz 
    
    # -t validates the configuration (including the vhosts includes) before anything listens.
    [root@localhost conf]# cd /usr/local/nginx/sbin
    [root@localhost sbin]# ./nginx  -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    [root@localhost sbin]# ./nginx 
    

    Nginx模板

    • 下载可以直接配置文件进行修改并使用 http://10.130.36.117/nginx/plug-in/nginx.tar.gz

    • 健康探测访问



    Nginx限流

    • Nginx官方版本限制IP的连接和并发分别有两个模块

      • limit_req_zone 用来限制单位时间内的请求数,即速率限制,采用的是漏桶算法 “leaky bucket”,作用域:http、server、location。
      • limit_conn 用来限制同一时间的连接数,即并发限制,作用域:http、server、location,用来限制单个IP的请求数。并非所有的连接都被计数,只有在服务器处理了请求并且已经读取了整个请求头时,连接才被计数。
      • limit_rate 用来控制流量下载速度,作用域:http、server、location。
    • limit_req_zone案例说明

    关键字说明:
       1、$binary_remote_addr 表示通过remote_addr这个标识来做限制,“binary_”的目的是减少内存占用量,即限制同一客户端ip地址。
       2、zone=one:10m表示生成一个大小为10M、名字为one的内存区域,用来存储访问的频次信息。
       3、rate=1000r/s表示允许相同标识的客户端的访问频次,这里限制的是每秒1000次
       4、limit_req zone=one burst=5 nodelay; #zone=one 设置使用哪个配置区域来做限制,与上面limit_req_zone 里的name对应。
       5、burst=5,重点说明一下这个配置:burst是爆发的意思,这个配置表示设置一个大小为5的缓冲区,当有大量请求(爆发)过来时,超过了访问频次限制的请求可以先放到这个缓冲区内。
        6、nodelay,如果设置,超过访问频次而且缓冲区也满了的时候就会直接返回503,如果没有设置,则所有请求会等待排队。
    
    # Rate limiting keyed per client address: 10m of shared memory named "one", 1000 requests/s
    # per key; the location allows a burst of 5 and, with nodelay, rejects the excess at once
    # (nginx answers 503 by default; limit_req_status can change the code).
    http {
        limit_req_zone $binary_remote_addr zone=one:10m rate=1000r/s;
        server {
            location /group1/ {
            limit_req zone=one burst=5 nodelay;
            }
        }      
    }
    
    • limit_conn结合limit_req案例说明
    关键字说明:
       1、limit_conn限制单个ip并发的请求数量
       2、limit_rate限制网络的速度
       3、limit_rate_after限制超过多少了开始限速
       
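    # Per-client concurrency plus bandwidth limits for /group1/.
    # limit_conn takes a zone name and a count; the zone must be declared in the http block with
    # limit_conn_zone, e.g. `limit_conn_zone $binary_remote_addr zone=perip:10m;` (zone name
    # "perip" is a placeholder — use the site's own). Every directive ends with a semicolon;
    # the original snippet lacked one after limit_rate, which makes `nginx -t` fail.
    location /group1/ {
        limit_conn perip 10;        # at most 10 concurrent connections per client address
        limit_rate_after 500k;      # first 500k of each response goes at full speed ...
        limit_rate 100k;            # ... the remainder is throttled to 100k/s per connection
    }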
    

    Nginx限制访问

    • allow/deny 的配置段为: http、server、location

    • 案例

      • 按从上到下的顺序匹配,类似iptables,匹配到了便跳出。如下的例子先禁止了192.168.128.10,接下来允许了2个网段,最后未匹配的IP全部禁止访问。在实际生产环境中,也会配合使用nginx的geo模块。
    # Address-based access control; rules are evaluated top to bottom and the first match wins,
    # so the single host is blocked before its /24 is allowed, and everything else is denied.
    # NOTE(review): the address tested is $remote_addr — when another proxy or load balancer
    # sits in front of this nginx that is the proxy's address, not the client's, unless the
    # realip module is configured with the trusted proxy addresses.
    location / {
    deny  192.168.128.10;
    allow 192.168.128.0/24;
    allow 10.100.0.0/24;
    deny  all;
    }
    

    Tengine 根据时间段来限流

    • 需要重新编译阿里云开发的 Tengine 程序包,该版本是基于nginx-1.18版本更新的
    • 编译操作和nginx是一致的
    • 相关配置限流配置
    [root@portal_node_1 conf]# vim nginx.conf # add the following inside the http block; the rate value can be given as a variable
        # Tengine extension (not stock nginx syntax): a composite key of client address + URI
        # and a rate taken from the $limit_count variable, which each location sets per time of
        # day in the next snippet. NOTE(review): what Tengine does for a request where
        # $limit_count is unset is not shown here — confirm before relying on it.
        limit_req_zone $binary_remote_addr $request_uri zone=four:3m rate=$limit_count;
    
    # The example below targets the gls portal: one request per second during working hours,
    # 10000 requests per second outside them
    [root@portal_node_1 conf]# vim vhosts/local_location.conf 
            # Time-of-day rate limit for the gls portal. $hour is presumably a Tengine-provided
            # variable (stock nginx has no $hour) — confirm on the Tengine build in use. The two
            # `if` blocks partition the 24 hours (08–16 vs 17–07); the regexes are unanchored but
            # safe because $hour is always two digits. `if` inside a location only sets variables
            # here, which is the documented-safe use of it.
            location /gls/{
            if ($hour  ~*  "08|09|10|11|12|13|14|15|16") {
               set $limit_count "1r/s";
            }
    
            if ($hour  ~* "17|18|19|20|21|22|23|00|01|02|03|04|05|06|07") {
                set $limit_count "10000r/s";
            }
    
            # forbid_action=@test2 (Tengine) hands rejected requests to a named location that is
            # not shown in this manual; it must exist in the same server block or nginx -t fails.
            limit_req zone=four burst=3 forbid_action=@test2;
            proxy_pass      http://gls;
            proxy_set_header Host $host;
           }
    
    • 根据时间段限制流量访问用于下载录音
        # Time-of-day bandwidth limit for recording downloads. Note the variable naming:
        # $bandwidth is used as the limit_rate_after threshold and $exceeding as the rate, i.e.
        # during working hours the first 300k of a response is unthrottled and the rest is sent at
        # 50k/s — presumably intended, but the names read the other way round; confirm.
        location /group1 {
            if ($hour  ~*  "08|09|10|11|12|13|14|15|16") {
               set $bandwidth "300k";
               set $exceeding "50k";
            }
    
            if ($hour  ~* "17|18|19|20|21|22|23|00|01|02|03|04|05|06|07") {
                set $bandwidth "3000k";
                set $exceeding "300k";
            }
    
            limit_rate_after $bandwidth;
            limit_rate $exceeding;
            proxy_pass   http://server_group1;
            # NOTE(review): wildcard CORS lets any origin read these downloads from a browser
            # context; if the recordings are not public, restrict the origin to the portal's.
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Headers X-Requested-With;
            add_header Access-Control-Allow-Methods GET,POST;
            # NOTE(review): add_header appends; if the upstream already sends Content-Type the
            # response carries two — use proxy_hide_header Content-Type (or set it upstream) instead.
            add_header   Content-Type application/X-download;
        }
    
