# 完整交叉编译
参考:https://servertesa.wordpress.com/2011/05/22/how-to-compile-and-configure-nginx-on-openwrt/
前提:编译了一次openwrt的环境
(编译教程:【速记】openwrt - 编译、刷固件https://lawsssscat.blog.csdn.net/article/details/103744761)
Note: nginx is not in the OpenWrt base packages, so you must install it from the additional package feeds.
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
On ‘make menuconfig’ select Network->nginx
Compiling nginx is very easy, thanks to openwrt developers!
make menuconfig
choose Network->Nginx
make ./package/feeds/packages/nginx/compile
The nginx package will be placed at bin/[board_arch]/packages/nginx_0.7.67-3_ar71xx.ipk . In tplink tl wr1043nd : bin/ar71xx/packages/nginx_0.7.67-3_ar71xx.ipk
Configure Nginx
create nginx root directory
mkdir /www-nginx/default -p
Edit /etc/nginx/nginx.conf:
- change the user from nobody to root
- change nginx root directory to /www-nginx/default
this is the diff file
--- nginx.conf.ori Mon Mar 14 12:21:24 2011
+++ nginx.conf Tue Apr 6 08:53:37 2010
@@ -1,5 +1,5 @@
-#user nobody;
+user root;
worker_processes 1;
#error_log logs/error.log;
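Review bot: `user root;` in the first hunk makes the nginx worker processes run as root, so a flaw in request handling, or in anything nginx serves or proxies, would run with full privileges on the router. If the only reason for the change is that the files under /www-nginx/default are not readable by the default worker user, I would keep an unprivileged user, e.g. `user nobody nogroup;` (group name to be checked against /etc/group on the device), and make the document root readable by it instead. The rest of nginx.conf lies outside the hunk, so whether anything else in it needs root cannot be seen from here.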
@@ -41,7 +41,7 @@
#access_log logs/host.access.log main;
location / {
- root html;
+ root /www-nginx/default;
index index.html index.htm;
}
Testing the configuration
create simple html file on /www-nginx/default/index.html.
Stop openwrt default web server and start nginx
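# Stop the default OpenWrt web server, then start nginx.
# The init-script action is "start"; the original line read "star".
/etc/init.d/uhttpd stop
/etc/init.d/nginx start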
# 完整交叉编译ssl
# Build an SSL-enabled nginx package from the OpenWrt source tree and copy it to the router.
# OpenWrt/LEDE source
git clone https://github.com/openwrt/openwrt.git
cd openwrt
# Pin the tree to the v18.06.0 release tag.
# NOTE(review): confirm this release still receives fixes before deploying what it
# builds; the package copied at the end of this listing is nginx 1.12.2.
git checkout v18.06.0
# Make/Build OpenWRT
make menuconfig # Target System (Marvell Armada 37x/38x/XP) | Target Profile (Linksys WRT1900ACv2 (Cobra))
# V=s prints the full build output, which helps when a package fails to compile.
make V=s
# Make/Build nginx with SSL
./scripts/feeds update
./scripts/feeds install nginx
# nginx is selected as a module (M) and the SSL module is switched on in its configuration submenu.
make menuconfig # Network > Web Servers/Proxies > nginx (M) > nginx > Configuration > Enable SSL Module (Y)
# Parallel build with 5 jobs.
make -j5
# Copy up new package to router
# No remote path follows the colon, so the file lands in the remote user's home directory.
# This logs in to the router as root.
scp bin/packages/arm_cortex-a9_vfpv3/packages/nginx_1.12.2-1_arm_cortex-a9_vfpv3.ipk root@router:
# SDK编译
参考:https://www.freesion.com/article/2474294226/
# 配置反向代理
问题:
https模式下,实时监控(netdata)在openwrt的luci中不显示
原因:
netdata的服务(http://192.168.1.1:19999)只提供http;luci页面通过https打开时,浏览器会把页面内嵌的http内容当作混合内容拦截,因此在https界面下无法访问
需求:
http://192.168.1.1:8880/netdata ⇒
https://192.168.1.1:8443/netdata ⇒
http://192.168.1.1:19999
效果:
配置:
/etc/config/nginx
# UCI configuration for nginx: an HTTPS server on port 8443 and a plain-HTTP
# server on port 8880 that redirects to it.
config main global
option uci_enable 'true'
config server '_lan'
list listen '8443 ssl default_server'
list listen '[::]:8443 ssl default_server'
option server_name '_lan'
# NOTE(review): the contents of 'restrict_locally' are not shown on this page;
# presumably it limits access to local addresses. Keep it on this server, because
# the locations included below proxy to netdata. Confirm its allow/deny rules.
list include 'restrict_locally'
# Pulls in every conf.d/*.locations file, which includes reverse_proxy.locations.
list include 'conf.d/*.locations'
# NOTE(review): with a self-signed certificate, clients cannot verify the router's
# identity unless the certificate is installed as trusted on them.
option uci_manage_ssl 'self-signed'
option ssl_certificate '/etc/sslcert/nginx_lan.crt'
option ssl_certificate_key '/etc/sslcert/nginx_lan.key'
option ssl_session_cache 'shared:SSL:32k'
option ssl_session_timeout '64m'
##################
# access_log path format
# option access_log 'off; # logd openwrt'
# The access log goes to a file and uses the 'openwrt' log_format.
option access_log '/var/log/nginx/access_log.log openwrt'
##################
# error_log path level
# level: debug | info | notice | warn | error | crit | alert | emerg
option error_log '/var/log/nginx/error_log.log info'
##################
config server '_redirect2ssl'
list listen '8880'
list listen '[::]:8880'
option server_name '_redirect2ssl'
# Temporary redirect to the HTTPS port. $host is derived from the request, so
# the target follows whatever host name the client used.
option return '302 https://$host:8443$request_uri'
# write /etc/nginx/conf.d/reverse_proxy.locations
# The server below is disabled; apparently kept for reference as an alternative to
# the location file: a dedicated SSL listener on 19998 proxying to netdata.
# config server '_ssl2netdata'
# list listen '19998 ssl'
# option server_name '_ssl2netdata_server_name'
# list proxy_set_header 'Host $host'
# list proxy_set_header 'X-Real-IP $remote_addr'
# list proxy_set_header 'X-Forwarded-For $proxy_add_x_forwarded_for'
# list proxy_set_header 'X-Forwarded-Proto $scheme'
# option proxy_pass 'http://localhost:19999'
/etc/nginx/uci.conf.template
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx
worker_processes auto;
# NOTE(review): worker processes run as root, so a bug in nginx or in anything it
# serves or proxies has full control of the router; prefer an unprivileged user
# if the permissions of the served files allow it.
user root;
events {}
http {
# Access logging is off at http level; the access_log option in /etc/config/nginx
# is where this page sets a log file for the HTTPS server.
access_log off; # logd openwrt
# 'openwrt' log format: method, full URL, status, bytes sent, request time, referer.
log_format openwrt
'$request_method $scheme://$host$request_uri => $status'
' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
#
# write /etc/config/nginx
#
# access_log /proc/self/fd/1 openwrt;
# access_log logd openwrt; # logd openwrt
#
# certificates
#
# ssl_certificate '/etc/sslcert/nginx_lan.crt';
# ssl_certificate_key '/etc/sslcert/nginx_lan.key';
include mime.types;
default_type application/octet-stream;
sendfile on;
# Request bodies of up to 128M are accepted.
client_max_body_size 128M;
large_client_header_buffers 2 1k;
gzip on;
gzip_vary on;
gzip_proxied any;
root /www;
# Marker line: presumably replaced by the configuration generated from
# /etc/config/nginx, so leave it exactly as written (TODO confirm).
#UCI_HTTP_CONFIG
include conf.d/*.conf;
}
/etc/nginx/conf.d/reverse_proxy.locations
# Reverse-proxies /netdata/ on the including server to the netdata listener on loopback.
# NOTE(review): this page also shows netdata answering directly at
# http://192.168.1.1:19999. Once the proxy works, consider binding netdata to
# 127.0.0.1 so the dashboard is reachable only through the HTTPS server and its
# include rules.
location /netdata/ {
# Pass the original host, client address and scheme on to the upstream.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# The upstream URL ends in a slash, so the matched /netdata/ prefix is replaced
# by / and netdata sees paths relative to its own root.
proxy_pass http://127.0.0.1:19999/;
# return 302 https://$host:8443$request_uri;
}
修改页面
root@openwrt_d2550:/# find / -name netdata
/etc/init.d/netdata
/etc/netdata
/lib/upgrade/keep.d/netdata
/overlay/upper/etc/netdata
/overlay/upper/usr/lib/lua/luci/view/netdata
/overlay/upper/usr/share/netdata
/rom/etc/init.d/netdata
/rom/etc/netdata
/rom/lib/upgrade/keep.d/netdata
/rom/usr/lib/lua/luci/view/netdata
/rom/usr/lib/netdata
/rom/usr/sbin/netdata
/rom/usr/share/netdata
/tmp/cache/netdata
/tmp/lib/netdata
/tmp/log/netdata
/usr/lib/lua/luci/view/netdata
/usr/lib/netdata
/usr/sbin/netdata
/usr/share/netdata
root@openwrt_d2550:/# vim /usr/lib/lua/luci/view/netdata/netdata.htm
root@openwrt_d2550:/# cat /usr/lib/lua/luci/view/netdata/netdata.htm
<%+header%>
<div class="cbi-map">
<h2 name="content"><%=translate("NetData")%></h2>
<iframe id="netdata" style="width: 100%; min-height: 1200px; border: none; border-radius: 3px;"></iframe>
</div>
<script type="text/javascript">
// Original target: netdata's own plain-HTTP port, which an HTTPS LuCI page cannot embed.
// document.getElementById("netdata").src = "http://" + window.location.hostname + ":19999";
// Load netdata through the nginx reverse proxy on the HTTPS port instead.
// The nginx location is defined as /netdata/; for a request without the trailing
// slash, nginx normally answers with a redirect to the slash form first.
document.getElementById("netdata").src = "https://" + window.location.hostname + ":8443/netdata";
</script>
<%+footer%>
root@openwrt_d2550:/#
添加备份
https://192.168.1.1:8443/cgi-bin/luci/admin/system/flashops/backupfiles
## This file contains files and directories that should
## be preserved during an upgrade.
## this file is '/etc/sysupgrade.conf'
## what config of ipk will be backuped is indicated in '/lib/upgrade/keep.d/'
# /etc/example.conf
# /etc/openvpn/
/usr/lib/lua/luci/view/netdata/
查看备份信息是否添加成功
https://192.168.1.1:8443/cgi-bin/luci/admin/system/flashops/backupfiles?display=list
...
/usr/lib/lua/luci/view/netdata/netdata.htm
/usr/lib/lua/luci/view/netdata/netdata.htm.bak
...
备份。。。
# 群晖内置nginx配置
root@nas50:~# nginx -V
nginx version: nginx/1.16.1
TLS SNI support enabled
root@nas50:~# cat /etc/nginx/nginx.conf
# Copyright (c) 2000-2017 Synology Inc. All rights reserved.
worker_processes auto;
#worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
include conf.d/main.conf;
events {
use epoll;
multi_accept on;
accept_mutex off;
worker_connections 1024;
include conf.d/events.conf;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
#access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;
tcp_nopush on;
tcp_nodelay on;
sendfile on;
server_tokens off;
proxy_request_buffering off;
fastcgi_request_buffering off;
scgi_request_buffering off;
proxy_buffering off;
fastcgi_buffering off;
scgi_buffering off;
resolver_timeout 5s;
client_header_timeout 10s;
client_body_timeout 60s;
send_timeout 60s;
keepalive_timeout 65s 20s;
client_max_body_size 0;
server_names_hash_max_size 8192;
server_names_hash_bucket_size 128;
# TLS settings shared by every ssl listener in this http block.
ssl_certificate /usr/syno/etc/certificate/system/default/fullchain.pem;
ssl_certificate_key /usr/syno/etc/certificate/system/default/privkey.pem;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); they are only worth
# keeping if legacy clients on the network still need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): AEAD suites come first, but the list still offers CBC-mode and
# 3DES (DES-CBC3-SHA) suites as fallbacks, plus non-forward-secret RSA key
# exchange at the end. 3DES has a 64-bit block and is generally considered
# unsuitable for long-lived connections.
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
# Diffie-Hellman parameters for the DHE suites; the file name suggests a 2048-bit group.
ssl_dhparam /usr/syno/etc/ssl/dh2048.pem;
# The server's cipher order wins over the client's.
ssl_prefer_server_ciphers on;
# Session tickets are off; session resumption relies on the shared cache below.
ssl_session_tickets off;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 3600s;
# The client address is taken from X-Forwarded-For only for connections from a
# trusted address: 127.0.0.1 here, plus whatever the included trusted_proxy files
# declare (their contents are not shown; presumably further set_real_ip_from lines).
# NOTE(review): any address trusted here can choose the client IP that logs and
# access rules see, so keep that list minimal.
real_ip_header X-Forwarded-For;
real_ip_recursive on;
set_real_ip_from 127.0.0.1;
include /var/tmp/nginx/trusted_proxy/*.conf;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server_tag "nginx";
gzip_disable "msie6";
gzip_min_length 1000;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;
gzip_static on;
open_file_cache max=1000 inactive=60s;
open_file_cache_valid 3s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
upstream synoscgi {
server unix:/run/synoscgi.sock;
}
index index.html index.htm index.php;
server {
listen 5000 default_server;
listen [::]:5000 default_server;
server_name _;
gzip on;
include app.d/alias.*.conf;
root /usr/syno/synoman;
index index.cgi;
ignore_invalid_headers off;
include app.d/dsm.*.conf;
include /usr/syno/share/nginx/conf.d/dsm.*.conf;
include conf.d/dsm.*.conf;
location = / {
try_files $uri /index.cgi$is_args$query_string;
}
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
internal;
root /;
open_file_cache off;
include app.d/x-accel.*.conf;
include conf.d/x-accel.*.conf;
}
location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
alias /usr/syno/share/OAuth/index_ds.php;
default_type text/html;
}
location ~ \.cgi {
include scgi_params;
scgi_pass synoscgi;
scgi_read_timeout 3600s;
}
error_page 403 404 500 502 503 504 @error_page;
location @error_page {
root /usr/syno/share/nginx;
rewrite (.*) /error.html break;
allow all;
}
location ~ ^/webman/modules/Indexer/ {
deny all;
}
location ~ ^/webapi/lib/ {
deny all;
}
location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
deny all;
}
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~* \.(?:js|css|png|jpg|gif|ico)$ {
access_log off;
log_not_found off;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
}
server {
listen 5001 default_server ssl;
listen [::]:5001 default_server ssl;
server_name _;
include app.d/alias.*.conf;
root /usr/syno/synoman;
index index.cgi;
ignore_invalid_headers off;
include app.d/dsm.*.conf;
include /usr/syno/share/nginx/conf.d/dsm.*.conf;
include conf.d/dsm.*.conf;
location = / {
try_files $uri /index.cgi$is_args$query_string;
}
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
internal;
root /;
open_file_cache off;
include app.d/x-accel.*.conf;
include conf.d/x-accel.*.conf;
}
location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
alias /usr/syno/share/OAuth/index_ds.php;
default_type text/html;
}
location ~ \.cgi {
include scgi_params;
scgi_pass synoscgi;
scgi_read_timeout 3600s;
}
error_page 403 404 500 502 503 504 @error_page;
location @error_page {
root /usr/syno/share/nginx;
rewrite (.*) /error.html break;
allow all;
}
location ~ ^/webman/modules/Indexer/ {
deny all;
}
location ~ ^/webapi/lib/ {
deny all;
}
location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
deny all;
}
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~* \.(?:js|css|png|jpg|gif|ico)$ {
access_log off;
log_not_found off;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
gzip on;
server_name _;
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
internal;
root /;
open_file_cache off;
include app.d/x-accel.*.conf;
include conf.d/x-accel.*.conf;
}
include app.d/www.*.conf;
include app.d/alias.*.conf;
include /usr/syno/share/nginx/conf.d/www.*.conf;
include conf.d/www.*.conf;
location = /webdefault/images/logo.jpg {
alias /usr/syno/share/nginx/logo.jpg;
}
error_page 403 404 500 502 503 504 @error_page;
location @error_page {
root /usr/syno/share/nginx;
rewrite (.*) /error.html break;
allow all;
}
location ^~ /.well-known/acme-challenge {
root /var/lib/letsencrypt;
default_type text/plain;
}
include app.d/.location.webstation.conf*;
location / {
rewrite ^ / redirect;
}
location ~ ^/$ {
rewrite / http://$host:5000/ redirect;
}
}
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name _;
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
internal;
root /;
open_file_cache off;
include app.d/x-accel.*.conf;
include conf.d/x-accel.*.conf;
}
include app.d/www.*.conf;
include app.d/alias.*.conf;
include /usr/syno/share/nginx/conf.d/www.*.conf;
include conf.d/www.*.conf;
location = /webdefault/images/logo.jpg {
alias /usr/syno/share/nginx/logo.jpg;
}
error_page 403 404 500 502 503 504 @error_page;
location @error_page {
root /usr/syno/share/nginx;
rewrite (.*) /error.html break;
allow all;
}
location ^~ /.well-known/acme-challenge {
root /var/lib/letsencrypt;
default_type text/plain;
}
include app.d/.location.webstation.conf*;
location / {
rewrite ^ / redirect;
}
location ~ ^/$ {
rewrite / https://$host:5001/ redirect;
}
}
include conf.d/http.*.conf;
include app.d/server.*.conf;
include sites-enabled/*;
}