1、openResty安装
- centos 安装
### yum安装
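# Install OpenResty from the official yum repository.
# All of these steps need root; the original mixed bare "yum" and "sudo yum",
# so sudo is used consistently here.
# Build/runtime libraries OpenResty links against.
sudo yum install -y readline-devel pcre-devel openssl-devel
sudo yum install -y yum-utils
# Adds /etc/yum.repos.d/openresty.repo. Before installing, confirm the repo
# file sets gpgcheck=1 (grep gpgcheck /etc/yum.repos.d/openresty.repo) so the
# packages are signature-verified rather than trusted on transport alone.
sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
sudo yum install -y openresty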
### 源码编译
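# 172.24.138.8
# Build OpenResty 1.13.6.1 from source. This is a 2017 release; check
# openresty.org for a current version before deploying anything new.
yum install -y gcc gcc-c++ pcre-devel openssl openssl-devel
cd /data
# The tarball comes from an internal mirror over plain HTTP and nothing here
# checks it. Compare it against the checksum / PGP signature published on
# https://openresty.org/en/download.html before unpacking.
# -f makes curl fail on an HTTP error instead of saving an error page as the tarball.
curl -fO http://mirrors.d.com/software/openresty/1.13.6/openresty-1.13.6.1.tar.gz
tar -zxvf openresty-1.13.6.1.tar.gz
cd openresty-1.13.6.1
#./configure
# Build against a local LibreSSL, with HTTP/2.
# NOTE(review): --with-openssl-opt=enable-tls1_3 is an OpenSSL 1.1.1 configure
# switch; LibreSSL 2.6.4 predates LibreSSL's own TLS 1.3 support, so do not
# assume TLS 1.3 is available. Confirm the linked library with `nginx -V` and
# the negotiated protocol with `openssl s_client`.
./configure --with-openssl=/usr/local/libressl-2.6.4 --with-openssl-opt=enable-tls1_3 --with-http_v2_module
make
sudo make install
# Installs under /usr/local/openresty by default.
# Move conf and logs to /data/openresty and leave symlinks behind.
# The copy must succeed before the original conf is deleted, otherwise the
# stock configuration is lost with nothing to replace it.
mkdir -p /data/openresty
cp -R /usr/local/openresty/nginx/conf /data/openresty \
  && rm -rf /usr/local/openresty/nginx/conf \
  && ln -s /data/openresty/conf /usr/local/openresty/nginx/conf
mkdir -p /data/openresty/logs
rm -rf /usr/local/openresty/nginx/logs
ln -s /data/openresty/logs /usr/local/openresty/nginx/logs
# Validate the configuration before starting.
/usr/local/openresty/nginx/sbin/nginx -t
# Start
/usr/local/openresty/nginx/sbin/nginx
# Reload the configuration after edits
# /usr/local/openresty/nginx/sbin/nginx -s reload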
2、openresty配置
nginx匹配规则
= # 精确匹配
~ # 正则匹配 区分大小写
~* # 正则匹配 不区分大小写
^~ # 前缀匹配；命中后不再继续检查正则 location
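location = / {
    # Exact match for "/" only.
    [ configuration A ]
}
location / {
    # Prefix match for every request (all URIs start with "/"), but a longer
    # prefix match or a matching regex location takes precedence.
    [ configuration B ]
}
location ^~ /images/ {
    # Prefix match for anything under /images/; ^~ stops nginx from
    # evaluating the regex locations afterwards.
    [ configuration C ]
}
location ~* \.(gif|jpg|jpeg)$ {
    # Case-insensitive regex for URIs ending in .gif, .jpg or .jpeg.
    # The dot must be escaped: an unescaped "." matches any character, so the
    # original pattern also matched e.g. "/logogif".
    # Requests under /images/ are still handled by [configuration C].
    [ configuration D ]
}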
服务端获得客户端的真实ip（注意：只有在后端只能经由本代理访问时这些头才可信，否则客户端可以直接伪造）
# Forward the client address to the upstream.
# X-Real-IP is overwritten with the TCP peer address ($remote_addr), so the
# upstream can rely on it. X-Forwarded-For is the client-supplied header with
# $remote_addr appended, so any earlier entries in it are untrusted.
# Both only hold if the upstream is reachable solely through this proxy;
# otherwise a client can set the headers itself.
location /{
proxy_pass http://192.168.1.111:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
## node
// Prefer X-Real-IP: the proxy sets it to the TCP peer address.
// X-Forwarded-For is a comma-separated list whose leading entries come from
// the client and can be forged, and as a whole string it is not a single
// address. Both headers are only trustworthy when this service is reachable
// solely via the proxy; with Express, consider `app.set('trust proxy', ...)`
// and reading req.ip instead.
var real_ip = req.get("X-Real-IP") || req.get("X-Forwarded-For") || req.ip;
openresty 隐藏服务器名称及版本,复写http server头
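http{
    server_tokens off; # drop the version from the Server header and error pages
}
location / {
    # Rewrite the Server header (server_tokens off still reveals the product name).
    # The string form header_filter_by_lua is deprecated in lua-nginx-module;
    # the *_block form is used instead and avoids nginx-level quoting of Lua code.
    # Placing this in the server {} context applies it to every location.
    header_filter_by_lua_block {
        ngx.header.server = "apache/2.4"
    }
}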
图片服务,静态文件
# Static image server.
server {
listen 80;
server_name 10.0.12.75;
#charset koi8-r;
#access_log logs/host.access.log main;
### path /data/image/test.jpg
# /image/<file> resolves to /data/image/<file> (root + URI).
location /image {
# NOTE(review): "*" lets any origin read these files cross-site. Fine for
# public images, not for anything access-controlled.
add_header 'Access-Control-Allow-Origin' '*';
add_header Cache-Control no-store;
root /data/;
# NOTE(review): autoindex exposes a full directory listing of /data/image to
# anyone who can reach this port; disable it unless the listing is meant to be public.
autoindex on; # preview (directory listing)
#index index.html index.htm;
}
}
配置强制跳转到https
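server{
    listen 80;
    server_name www.m.com;
    # Redirect all plain-HTTP requests to HTTPS. $request_uri already begins
    # with "/", so no slash is inserted after the host (the original
    # "https://$server_name/$request_uri" produced "https://www.m.com//path").
    return 301 https://$server_name$request_uri;
}
server{
    listen 443 ssl http2;
    server_name www.m.com;
    # "ssl on;" is redundant with "listen ... ssl" and has been dropped.
    ssl_certificate cert/www.m.com.crt;
    ssl_certificate_key cert/www.m.com.key; # keep readable by root only
    # Internal redirect 307
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # TLS 1.1 is deprecated (RFC 8996) and removed. TLSv1.3 is accepted here
    # but is only negotiated if the linked TLS library supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original list mixed in static-RSA
    # (AES*-SHA, AES*-GCM-* without ECDHE) and CBC suites, and listed 3DES
    # suites that its own "!3DES" then removed anyway.
    # Check the effective list with: openssl ciphers -v '<list>'
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4:!3DES";
    ssl_prefer_server_ciphers on;
    location / {
        # Static front-end build served from disk. The proxy_set_header lines
        # only take effect once a proxy_pass is added; with root alone they are inert.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        expires 1h;
        root /data/volume/DMP/frontend/dist;
        error_page 404 400 /404.html;
    }
    # Dot escaped so that, if re-enabled, "." is not treated as "any character".
    #location ~* \.(js|jpg|jpeg)$ {
    #    root /data/volume/DMP/frontend/dist;
    #    error_page 404 400 /404.html;
    #    expires 3h;
    #}
    location = /404.html {
        root html;
    }
}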
注意：请求先按 listen 端口匹配，再按 server_name 匹配。端口能匹配但没有对应 server_name 时，会落到该端口的默认 server（未显式标注 default_server 时即第一个 listen 该端口的 server），此时 server_name 被忽略。以上面的配置为例，直接访问 http://ip 会跳转到 https://www.m.com。如果不希望任意 Host 都落到业务 server，可另外配置一个 default_server 并 return 444。
注意:chrome浏览器在开发者模式选中disable cache
情况下,301跳转仍然继续会用 cache from disk
,需手动清除缓存 ctrl + shift +delete
,chrome的缓存可通过chrome://net-internals/
查看。
内部跳转到https
在网站全站HTTPS后，如果用户手动敲入网站的HTTP地址，或者从其它地方点击了网站的HTTP链接，通常依赖于服务器端的301/302重定向跳转才能使用HTTPS服务。而第一次的HTTP请求就有可能被劫持，导致请求无法到达服务器，从而构成HTTPS降级劫持。这个问题目前可以通过HSTS（HTTP Strict Transport Security，RFC 6797）来解决。需要注意：HSTS 只在浏览器已经收到过该响应头之后才生效，首次访问仍依赖跳转；preload 列表用来覆盖首次访问，但一旦提交就很难撤回。
# "preload" commits the domain (and, with includeSubDomains, every subdomain)
# to HTTPS-only in browser preload lists and is hard to undo; enable it only
# once every host under the domain serves HTTPS. add_header is emitted only on
# 2xx/3xx responses unless the "always" flag is appended.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
3、缓存
-
nginx设置浏览器缓存
-
nginx设置代理缓存
4、https
openssl安装
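# Download OpenSSL.
# NOTE(review): 1.0.2 is end-of-life and has no TLS 1.3 (that needs 1.1.1 or
# later); adjust the version before using this for anything new. Old releases
# may have moved under /source/old/, in which case -f makes curl fail loudly
# instead of saving an error page as the tarball.
curl -fO https://www.openssl.org/source/openssl-1.0.2n.tar.gz
# Verify the tarball against the published SHA-256 before building it
# (the .sha256 file holds the bare digest). The .asc signature is stronger
# if you have the release-signing key.
curl -fO https://www.openssl.org/source/openssl-1.0.2n.tar.gz.sha256
echo "$(cat openssl-1.0.2n.tar.gz.sha256)  openssl-1.0.2n.tar.gz" | sha256sum -c -
# Unpack (the original note listed this step without the command)
tar -zxf openssl-1.0.2n.tar.gz
cd openssl-1.0.2n
# -t is test mode: prints the configuration without running it. Preview first,
# then configure with the install prefix.
./config -t
./config --prefix=/usr/local/openssl
make
make install
# Add /usr/local/openssl/bin to the environment
# vim /etc/profile
export OPENSSL_HOME=/usr/local/openssl
# Appended, so a system openssl earlier on PATH still wins; prepend instead
# if the new build should take precedence.
export PATH=$PATH:$OPENSSL_HOME/bin
# source /etc/profile
# openssl version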
openssl实现私有CA
参考 https://www.cnblogs.com/AloneSword/p/4656492.html
TLS1.3
TLS1.3是一种新的加密协议,我们把使互联网实现安全通信的基础性技术称为传输层安全协议(TLS)。TLS是安全套接层协议(SSL)的进化版本,SSL是由Netscape公司在1990年代研发的。
参考 https://www.jianshu.com/p/365cb6057387