Nginx compile and install (plus JSON-format logs, custom error pages and http

Author: 学渣角鹿白 | Published: 2020-06-08 22:59

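    Contents:

    1: Compiling and installing Nginx
    1.1: Preparing the build environment
    1.2: Downloading the Nginx source package
    1.3: Compiling and installing Nginx
    1.4: Creating the nginx user
    1.5: Creating a unit file for management with systemd
    1.6: Creating a symlink for the nginx command
    2: Custom 404 error page
    2.1: Configuring the site
    2.2: Custom 404 error page
    3: Configuring JSON-format access logs
    4: Configuring an HTTPS site
    4.1: Generating a self-signed CA certificate
    4.2: Generating the private key and the certificate signing request (CSR)
    4.3: Acting as the CA and signing our own certificate
    4.4: Nginx HTTPS configuration
    4.5: Accessing the site over HTTPS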

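    1: Compiling and installing Nginx

    1.1: Preparing the build environment

    Before compiling and installing Nginx, a few base packages need to be installed:

    • gcc: the C compiler, needed because Nginx is written in C;
    • automake: a tool that automatically generates Makefile.in from Makefile.am;
    • pcre, pcre-devel: provide regular-expression support, because Nginx's rewrite module and HTTP core module use regular expressions for some matching functions;
    • zlib-devel: required when nginx enables compression;
    • openssl, openssl-devel: required when SSL is enabled to serve https;
    • ...

    Run the command below to prepare the build environment: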

    yum install -y vim lrzsz tree screen psmisc lsof tcpdump wget ntpdate gcc gcc-c++ glibc glibc-devel pcre pcre-devel openssl openssl-devel systemd-devel net-tools iotop bc zip unzip zlib-devel bash-completion nfs-utils automake libxml2 libxml2-devel libxslt libxslt-devel perl perl-ExtUtils-Embed
    

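    1.2: Downloading the Nginx source package

    Official download page: https://nginx.org/en/download.html

    The Nginx website offers three kinds of releases:

    • Mainline version: the version Nginx is currently actively working on; effectively the development version
    • Stable version: the latest stable release, recommended for production environments
    • Legacy versions: older stable releases that are still available

    Here we download the stable release nginx-1.18.0; once downloaded, upload it to the Linux host where it will be installed, ready for compiling.
    Alternatively, right-click to copy the link address and download it directly on the Linux host with wget.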

    1.3: Compiling and installing Nginx

    1. Prepare the source package; by convention, source packages are placed under /usr/local/src:

    ~]# cd /usr/local/src
    src]# wget https://nginx.org/download/nginx-1.18.0.tar.gz
    src]# tar zxf nginx-1.18.0.tar.gz
    src]# ll
    drwxr-xr-x 8 1001 1001     147 Apr 21  2020 nginx-1.18.0
    

    2. Run configure to generate the Makefile

    src]# cd nginx-1.18.0/
    nginx-1.18.0]# ./configure --prefix=/apps/nginx-1.18.0 \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_stub_status_module \
    --with-http_gzip_static_module \
    --with-pcre \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_realip_module
    
    #Meaning of the configure options:
    #--prefix=/apps/nginx-1.18.0: install into /apps/nginx-1.18.0; including the version number makes it easy to tell versions apart;
    #--user=nginx, --group=nginx: run the nginx processes as user nginx and group nginx;
    #--with-...: the Nginx modules to enable; here these include ssl (https support), stub_status (the nginx status page), pcre (regular expressions), stream (layer-4 load balancing) and others.
    
    #After ./configure, the Makefile contains the following; make compiles according to it
    nginx-1.18.0]# cat Makefile 
    default:        build
    clean:
            rm -rf Makefile objs
    build:
            $(MAKE) -f objs/Makefile
    install:
            $(MAKE) -f objs/Makefile install
    modules:
            $(MAKE) -f objs/Makefile modules
    upgrade:
            /apps/nginx-1.18.0/sbin/nginx -t
            kill -USR2 `cat /apps/nginx-1.18.0/logs/nginx.pid`
            sleep 1
            test -f /apps/nginx-1.18.0/logs/nginx.pid.oldbin
            kill -QUIT `cat /apps/nginx-1.18.0/logs/nginx.pid.oldbin`
    

    3. Run make to compile

    nginx-1.18.0]# make
    

    4. Run make install to install

    nginx-1.18.0]# make install
    
    #Verify the Nginx version and configure arguments:
    nginx-1.18.0]# /apps/nginx-1.18.0/sbin/nginx -V
    nginx version: nginx/1.18.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx-1.18.0 --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
    
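    #The -V option shows the nginx version and the configure arguments used at build time; these arguments can be reused later when the build options need to change.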
    

    1.4: Creating the nginx user

    useradd nginx -s /sbin/nologin -u 2000
    chown nginx:nginx -R /apps/nginx-1.18.0/
    #It is best to specify the UID when creating the nginx user, for easier management; for security, use nologin as its shell
    

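    1.5: Creating a unit file for management with systemd

    The parameters that usually need to be changed in the unit file are:

    1. PIDFile: the PID file; PIDFile must match the pid setting in nginx.conf;
    2. ExecStartPre: commands to run before nginx starts;
    3. ExecStart: the start command.
    #The unit file is named nginx-1180.service to distinguish versions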
    ~]# vim /usr/lib/systemd/system/nginx-1180.service
    [Unit]
    Description=The nginx HTTP and reverse proxy server
    After=network.target remote-fs.target nss-lookup.target
    
    [Service]
    Type=forking
    PIDFile=/apps/nginx-1.18.0/logs/nginx.pid
    # Nginx will fail to start if /run/nginx.pid already exists but has the wrong
    # SELinux context. This might happen when running `nginx -t` from the cmdline.
    # https://bugzilla.redhat.com/show_bug.cgi?id=1268621
    ExecStartPre=/usr/bin/rm -f /apps/nginx-1.18.0/logs/nginx.pid 
    ExecStartPre=/apps/nginx-1.18.0/sbin/nginx -t
    ExecStart=/apps/nginx-1.18.0/sbin/nginx
    ExecReload=/bin/kill -s HUP $MAINPID
    KillSignal=SIGQUIT
    TimeoutStopSec=5
    KillMode=process
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target
    
    #Check or change the pid setting in nginx.conf
    ~]# vim /apps/nginx-1.18.0/conf/nginx.conf
    #pid        logs/nginx.pid;
    
    # Verify the unit file
    ~]# systemctl daemon-reload
    ~]# systemctl start nginx-1180
    ~]# systemctl status nginx-1180
    ~]# systemctl stop nginx-1180
    
    

    1.6: Creating a symlink for the nginx command

    ~]# ln -sv /apps/nginx-1.18.0/sbin/nginx /usr/sbin/nginx-1180
    
    #Test the command symlink
    ~]# nginx-1180 -t
    nginx: the configuration file /apps/nginx-1.18.0/conf/nginx.conf syntax is ok
    nginx: configuration file /apps/nginx-1.18.0/conf/nginx.conf test is successful
    

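    At this point, the nginx compile and install is complete.

    2: Custom 404 error page

    2.1: Configuring the site

    Using Nginx's modular configuration files, configure a site with the domain name www.yqc.com:

    #Create the directory for modular configuration files: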
    ~]# cd /apps/nginx-1.18.0/
    nginx-1.18.0]# mkdir conf.d
    
    #Make nginx load the modular configuration files, and change the default site's port to 8080 so it does not conflict with the tests below:
    nginx-1.18.0]# vim conf/nginx.conf
    ……
    http {
        ……
        include /apps/nginx-1.18.0/conf.d/*.conf;
        ……
        server {
            listen       8080;
            ……
    }
    
    #Configure the site:
    nginx-1.18.0]# vim conf.d/yqc.conf
    server {
            listen 80;
            server_name www.yqc.com;
            location / {
                    root /data/nginx/html;
                    index index.html index.htm;
            }
    }
    
    #Create the test page
    ~]# mkdir -p /data/nginx/html/
    ~]# vim /data/nginx/html/index.html
    yqc page
    
    #Start nginx and access the site:
    nginx-1.18.0]# nginx-1180 -t
    nginx-1.18.0]# systemctl start nginx-1180
    
    #On the client, access the site with curl:
    ~]# vim /etc/hosts
    192.168.43.219  www.yqc.com
    ~]# curl www.yqc.com
    yqc page
    

    2.2: Custom 404 error page

    nginx-1.18.0]# vim conf.d/yqc.conf 
    server {
            listen 80;
            server_name www.yqc.com;
            error_page 404 /404.html;
            location / {
                    root /data/nginx/html;
                    index index.html index.htm;
            }
    }
    
    #Check the configuration and reload
    nginx-1.18.0]# nginx-1180 -t
    nginx-1.18.0]# nginx-1180 -s reload
    
    #Create the 404 error page
    nginx-1.18.0]# vim /data/nginx/html/404.html
    404 error
    
    #A 404 means the requested page does not exist, so request any nonexistent page from the client to test:
    ~]# curl www.yqc.com/hehe.html
    404 error
    

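    3: Configuring JSON-format access logs

    The log format is usually defined in the http block of the main configuration file, so that every site's configuration file can reference it:

    #Define the JSON log format in the main configuration file
    #Note: the log format must be defined above the include line; otherwise, because the configuration is checked in order, checking conf.d/yqc.conf fails with an error that the log format access_json does not exist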
    nginx-1.18.0]# vim conf/nginx.conf
    ……
    http {
        ……
        log_format access_json '{"@timestamp":"$time_iso8601",'
                    '"host":"$server_addr",'
                    '"clientip":"$remote_addr",'
                    '"size":$body_bytes_sent,'
                    '"responsetime":$request_time,'
                    '"upstreamtime":"$upstream_response_time",'
                    '"upstreamhost":"$upstream_addr",'
                    '"http_host":"$host",'
                    '"uri":"$uri",'
                    '"domain":"$host",'
                    '"xff":"$http_x_forwarded_for",'
                    '"referer":"$http_referer",'
                    '"tcp_xff":"$proxy_protocol_addr",'
                    '"http_user_agent":"$http_user_agent",'
                    '"status":"$status"}';
        include /apps/nginx-1.18.0/conf.d/*.conf;
        ……
    }
    
    #Reference the format from the site configuration file:
    nginx-1.18.0]# vim conf.d/yqc.conf 
    server {
            listen 80;
            server_name www.yqc.com;
            error_page 404 /404.html;
            access_log /apps/nginx-1.18.0/logs/access_json.log access_json;
            location / {
                    root /data/nginx/html;
                    index index.html index.htm;
            }
    }
    
    #Check the configuration and reload
    nginx-1.18.0]# nginx-1180 -t
    nginx-1.18.0]# nginx-1180 -s reload
    
    #Tail the JSON-format log file and make requests from the client to see the result:
    nginx-1.18.0]# tail -f logs/access_json.log
    {"@timestamp":"2020-06-08T18:43:11+08:00","host":"192.168.43.219","clientip":"192.168.43.102","size":9,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.yqc.com","uri":"/index.html","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"200"}
    {"@timestamp":"2020-06-08T18:43:12+08:00","host":"192.168.43.219","clientip":"192.168.43.102","size":9,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.yqc.com","uri":"/index.html","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"200"}
    {"@timestamp":"2020-06-08T18:43:12+08:00","host":"192.168.43.219","clientip":"192.168.43.102","size":9,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.yqc.com","uri":"/index.html","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"200"}
    {"@timestamp":"2020-06-08T18:43:13+08:00","host":"192.168.43.219","clientip":"192.168.43.102","size":10,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.yqc.com","uri":"/404.html","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"404"}
    {"@timestamp":"2020-06-08T18:43:15+08:00","host":"192.168.43.219","clientip":"192.168.43.102","size":10,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.yqc.com","uri":"/404.html","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"404"}
    
    #JSON-format access log entries are now being written.
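
An added example, not part of the original article: a parser for lines in the access_json format defined above, showing a failure mode a log pipeline has to handle. Without the escape=json parameter of log_format, nginx's default escaping writes a double quote in a client-supplied field such as User-Agent as \x22, which is not valid JSON, so the line cannot be parsed. The sample lines are constructed, and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample data: a subset of the article's access_json fields.
TEMPLATE = ('{{"@timestamp":"2020-06-08T18:43:11+08:00","clientip":"{ip}",'
            '"size":10,"responsetime":0.000,"uri":"/404.html",'
            '"http_user_agent":"{ua}","status":"404"}}')
USER_AGENTS = ["curl/7.29.0", 'probe "v1"']  # the second value contains quotes


def escape_default(value):
    """Mimic nginx's default log escaping: '"', '\\' and bytes <32 or >126 -> \\xXX."""
    return "".join(
        "\\x%02X" % b if b in (0x22, 0x5C) or b < 32 or b > 126 else chr(b)
        for b in value.encode("utf-8")
    )


def escape_json(value):
    """Approximate nginx's escape=json mode using Python's JSON string escaping."""
    return json.dumps(value, ensure_ascii=False)[1:-1]


def build_lines(escape):
    """Render one log line per sample User-Agent with the given escaping."""
    return [TEMPLATE.format(ip="192.168.43.102", ua=escape(ua)) for ua in USER_AGENTS]


def triage(lines):
    """Return (Counter of (clientip, status), list of lines that are not valid JSON)."""
    counts, rejected = Counter(), []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)  # keep the raw line for review, do not drop it
            continue
        counts[(record["clientip"], record["status"])] += 1
    return counts, rejected


if __name__ == "__main__":
    for name, escape in (("default", escape_default), ("escape=json", escape_json)):
        counts, rejected = triage(build_lines(escape))
        print(name, dict(counts), "rejected:", len(rejected))
```

With default escaping, one of the two requests is missing from the counts; writing the directive as `log_format access_json escape=json '...'` keeps both lines parseable.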
    

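    4: Configuring an HTTPS site

    In practice, the certificate signing request (CSR) file is submitted to a dedicated CA, which uses its own private key and CA certificate to issue the corresponding certificate (crt);
    here we generate a self-signed CA certificate ourselves and act as the CA to produce our own certificate.

    4.1: Generating a self-signed CA certificate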

    ~]# mkdir /apps/nginx-1.18.0/certs
    ~]# cd /apps/nginx-1.18.0/certs
    
    #Generate the self-signed CA certificate (that is, the CA's own certificate)
    certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
    
    #List the generated CA certificate and private key
    certs]# ll
    total 8
    -rw-r--r--. 1 root root 2049 Jun  8 22:16 ca.crt
    -rw-r--r--. 1 root root 3272 Jun  8 22:16 ca.key
    

    4.2: Generating the private key and the certificate signing request (CSR)

    certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yqc.com.key -out www.yqc.com.csr
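    # Note: do not enter a password at the "A challenge password []:" prompt; otherwise, once ssl is configured, nginx will ask for that password on every configuration reload.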
    

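    4.3: Acting as the CA and signing our own certificate

    In practice, this corresponds to handing the CSR to a CA, which signs and issues the certificate.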

    certs]# openssl x509 -req -days 3650 -in www.yqc.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yqc.com.crt
    
    #The following command shows the information in the certificate, to verify it:
    certs]# openssl x509 -in www.yqc.com.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                b8:36:13:cf:c2:68:a5:9e
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=SX, L=TY, O=YQC, OU=YQC, CN=yqc.ca/emailAddress=20251839@qq.com
            Validity
                Not Before: Jun  8 14:26:13 2020 GMT
                Not After : Jun  6 14:26:13 2030 GMT
            Subject: C=CN, ST=SX, L=TY, O=YQC, OU=YQC, CN=www.yqc.com/emailAddress=20251839@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                    ……
    

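    4.4: Nginx HTTPS configuration

    In practice, this corresponds to the CA handing us the signed certificate, which is the file www.yqc.com.crt;
    combined with our private key www.yqc.com.key, it is enough to enable https.

    #Configure https on the www.yqc.com site:
    #Listen on port 443 and declare ssl, then specify the certificate and private key; the site can then be accessed over https.
    #Additionally configure an https session cache named sslcache with a size of 20m, and an https session timeout of 10m.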
    nginx-1.18.0]# vim conf.d/yqc.conf 
    server {
            listen 80;
            listen 443 ssl;
            ssl_certificate /apps/nginx-1.18.0/certs/www.yqc.com.crt;
            ssl_certificate_key /apps/nginx-1.18.0/certs/www.yqc.com.key;
            ssl_session_cache shared:sslcache:20m;
            ssl_session_timeout 10m;
            server_name www.yqc.com;
            error_page 404 /404.html;
            access_log /apps/nginx-1.18.0/logs/access_json.log access_json;
            location / {
                    root /data/nginx/html;
                    index index.html index.htm;
            }
    }
    
    #Check the configuration and reload
    nginx-1.18.0]# nginx-1180 -t
    nginx-1.18.0]# nginx-1180 -s reload
    

    4.5: Accessing the site over HTTPS

    #Add a resolution record to the Windows HOSTS file
    C:\Windows\System32\drivers\etc\HOSTS
        192.168.43.219 www.yqc.com
    

    In a client browser, visit https://www.yqc.com to verify the configuration.

    Click "Proceed" to continue, and the www.yqc.com home page is displayed.


          Article link: https://www.haomeiwen.com/subject/ibxjtktx.html