目录
1.编译安装nginx
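# Build parameters for the nginx install below.
NGINX_VERSION=1.22.1
NGINX_FILE=nginx-${NGINX_VERSION}.tar.gz
# Fetch over TLS. The original used plain http://, and nothing in this script
# checks a signature, so a tampered tarball in transit would be built and run
# as root without anyone noticing.
NGINX_URL=https://nginx.org/download/
# Optional: expected SHA-256 of the tarball (from nginx.org's signed release
# announcement). When non-empty, check() refuses a download that does not match.
NGINX_SHA256=
NGINX_INSTALL_DIR=/apps/nginx
SRC_DIR=/usr/local/src
# make -j parallelism; fall back to 1 when lscpu is missing or prints nothing
CPUS=$(lscpu 2>/dev/null | awk '/^CPU\(s\)/{print $2}')
CPUS=${CPUS:-1}
# provides ID / VERSION_ID, used by install() to pick the package manager
. /etc/os-release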
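# Print "$1" followed by a coloured status tag at column 60, then a newline.
# $2 selects the tag: "success" or 0 -> " OK " (green); "failure" or 1 ->
# "FAILED" (red); anything else -> "WARNING" (yellow). Output is the same byte
# sequence the original produced, but the comparisons are quoted: the old
# `[ $2 = "success" -o $2 = "0" ]` was a syntax error for an empty $2.
color () {
  local msg=$1 status=$2
  local res_col=60
  local esc=$'\033'
  printf '%s' "$msg"
  printf '%s[%sG[' "$esc" "$res_col"
  if [[ "$status" == "success" || "$status" == "0" ]]; then
    printf '%s[1;32m' "$esc"
    printf '%s' $" OK "
  elif [[ "$status" == "failure" || "$status" == "1" ]]; then
    printf '%s[1;31m' "$esc"
    printf '%s' $"FAILED"
  else
    printf '%s[1;33m' "$esc"
    printf '%s' $"WARNING"
  fi
  printf '%s[0m]\n' "$esc"
}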
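# Preconditions for install(): refuse to overwrite an existing install tree,
# then make sure the source tarball is in SRC_DIR (downloading it if needed)
# and, when NGINX_SHA256 is set, that its digest matches. Every failure exits 1
# — the original `exit` returned 0, so a caller could not tell failure from
# success. The stray undefined ${TAR} from the original has been dropped.
check () {
  if [ -e "${NGINX_INSTALL_DIR}" ]; then
    color "nginx 已安装,请卸载后再安装" 1
    exit 1
  fi
  cd "${SRC_DIR}" || { color "无法进入 ${SRC_DIR}" 1; exit 1; }
  if [ -e "${NGINX_FILE}" ]; then
    color "相关文件已准备好" 0
  else
    color '开始下载 nginx 源码包' 0
    if ! wget "${NGINX_URL}${NGINX_FILE}"; then
      color "下载 ${NGINX_FILE}文件失败" 1
      exit 1
    fi
  fi
  # Integrity: the tarball came from the network (or was already lying in
  # SRC_DIR) and is about to be built and run as root. If NGINX_URL is plain
  # http:// this digest is the only thing standing between a MITM and root.
  if [ -n "${NGINX_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "${NGINX_SHA256}" "${NGINX_FILE}" | sha256sum -c --status -; then
      color "${NGINX_FILE} SHA-256 校验失败" 1
      exit 1
    fi
    color "${NGINX_FILE} SHA-256 校验通过" 0
  else
    color "未设置 NGINX_SHA256,跳过源码包校验" 2
  fi
}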
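# Build nginx from the tarball check() left in SRC_DIR, install it under
# NGINX_INSTALL_DIR, create the unprivileged service account, write a systemd
# unit and start the service.
# Globals read: ID, VERSION_ID (from /etc/os-release), SRC_DIR, NGINX_FILE,
# NGINX_INSTALL_DIR, CPUS. Sets NGINX_DIR (unpacked source directory).
# Exits 1 on any failure; the original exited 0 on every error path and let a
# failed tar/configure fall through to the next step.
install () {
  color "开始安装 nginx" 0
  if id nginx &> /dev/null; then
    color "nginx 用户已存在" 1
  else
    # system account without a login shell; only the worker processes run as it
    useradd -s /sbin/nologin -r nginx
    color "创建 nginx 用户" 0
  fi
  color "开始安装 nginx 依赖包" 0
  local rc=0
  case "${ID:-}" in
    centos)
      if [[ ${VERSION_ID:-} =~ ^7 ]]; then
        yum -y install gcc make pcre-devel openssl-devel zlib-devel perl-ExtUtils-Embed || rc=$?
      elif [[ ${VERSION_ID:-} =~ ^8 ]]; then
        yum -y install make gcc-c++ libtool pcre pcre-devel zlib zlib-devel openssl openssl-devel perl-ExtUtils-Embed || rc=$?
      else
        color '不支持此系统!' 1
        exit 1
      fi
      ;;
    rocky)
      yum -y install gcc make gcc-c++ libtool pcre pcre-devel zlib zlib-devel openssl openssl-devel perl-ExtUtils-Embed || rc=$?
      ;;
    *)
      # anything else is treated as Debian/Ubuntu, as the original did
      apt update
      apt -y install gcc make libpcre3 libpcre3-dev openssl libssl-dev zlib1g-dev || rc=$?
      ;;
  esac
  if [ "$rc" -ne 0 ]; then
    color "安装依赖包失败" 1
    exit 1
  fi
  cd "${SRC_DIR}" || { color "无法进入 ${SRC_DIR}" 1; exit 1; }
  # a truncated or corrupt tarball must stop here, not fall through to configure
  tar xf "${NGINX_FILE}" || { color "解压 ${NGINX_FILE} 失败" 1; exit 1; }
  # nginx-1.22.1.tar.gz -> nginx-1.22.1 (same result as the old sed expression)
  NGINX_DIR=${NGINX_FILE%.tar.gz}
  cd "${NGINX_DIR}" || { color "源码目录 ${NGINX_DIR} 不存在" 1; exit 1; }
  if ./configure --prefix="${NGINX_INSTALL_DIR}" --user=nginx --group=nginx \
       --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
       --with-http_stub_status_module --with-http_gzip_static_module --with-pcre \
       --with-stream --with-stream_ssl_module --with-stream_realip_module \
     && make -j "${CPUS}" && make install; then
    color "nginx 编译安装成功" 0
  else
    color "nginx 编译安装失败,退出!" 1
    exit 1
  fi
  # Ownership is deliberately left as `make install` created it (root). The
  # master process runs as root (no User= in the unit below) and only the
  # workers drop to `nginx`, so sbin/nginx and conf/ must not be writable by
  # that account: the original `chown -R nginx.nginx ${NGINX_INSTALL_DIR}` let
  # a compromised worker replace the binary or nginx.conf and obtain root on
  # the next restart. Log files and temp directories are created/opened by the
  # root master, so nothing in the tree needs to belong to `nginx`.
  # -f: replace a stale link left behind by an earlier install
  ln -sf "${NGINX_INSTALL_DIR}/sbin/nginx" /usr/local/sbin/nginx
  # Write a literal $PATH so each login shell prepends the nginx dir to its own
  # PATH. The original expanded ${PATH} at install time, freezing the
  # installing root shell's PATH into a file every user sources.
  echo "PATH=${NGINX_INSTALL_DIR}/sbin:\$PATH" > /etc/profile.d/nginx.sh
  # Type=forking + PIDFile: the master daemonizes and writes logs/nginx.pid.
  # TimeoutStopSec=5 is short for a graceful (SIGQUIT) stop with long-lived
  # connections; raise it if clients get cut off on restart.
  cat > /lib/systemd/system/nginx.service <<EOF
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=${NGINX_INSTALL_DIR}/logs/nginx.pid
ExecStartPre=/bin/rm -f ${NGINX_INSTALL_DIR}/logs/nginx.pid
ExecStartPre=${NGINX_INSTALL_DIR}/sbin/nginx -t
ExecStart=${NGINX_INSTALL_DIR}/sbin/nginx
ExecReload=/bin/kill -s HUP \$MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
LimitNOFILE=100000
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable --now nginx &> /dev/null
  if ! systemctl is-active nginx &> /dev/null; then
    color "nginx 启动失败,退出!" 1
    exit 1
  fi
  color "nginx 安装完成" 0
}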
# Entry point: check() aborts if nginx is already installed or the tarball
# cannot be fetched; install() then builds, installs and starts the service.
main () {
  local step
  for step in check install; do
    "$step"
  done
}
main
2.nginx平滑升级
先使用上面脚本安装nginx
1.下载最新的nginx版本
[19:09:09root@ubuntu ~]# wget https://nginx.org/download/nginx-1.24.0.tar.gz
#建议同时下载 nginx-1.24.0.tar.gz.asc 并用 nginx 官方签名密钥执行 gpg --verify,确认源码包未被篡改后再编译
[19:09:09root@ubuntu ~]# tar xvf nginx-1.24.0.tar.gz
[19:09:57root@ubuntu ~]# cd nginx-1.24.0/
2.查看nginx旧版本的编译选项
[19:10:11root@ubuntu nginx-1.24.0]# nginx -V
nginx version: nginx/1.22.1
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
3.开始编译新版本
[19:10:31root@ubuntu nginx-1.24.0]# ./configure --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
[19:13:09root@ubuntu nginx-1.24.0]# make
#只执行make不执行make install
[19:13:59root@ubuntu nginx-1.24.0]# objs/nginx -v
nginx version: nginx/1.24.0 #新版本
#查看两个nginx的版本
[19:14:35root@ubuntu nginx-1.24.0]# ll objs/nginx /apps/nginx/sbin/nginx
-rwxr-xr-x 1 nginx nginx 8073792 Apr 5 18:09 /apps/nginx/sbin/nginx*
-rwxr-xr-x 1 root root 8131784 Apr 5 19:13 objs/nginx*
#把旧版本的nginx命令备份
[19:14:48root@ubuntu nginx-1.24.0]# cp /apps/nginx/sbin/nginx /opt/nginx.old
#把新版本的nginx命令复制过去覆盖旧版本程序文件,注意:需要加 -f 选项强制覆盖,否则会提示 "Text file busy"(旧 master 仍在运行该文件)
[19:15:50root@ubuntu nginx-1.24.0]# cp -f ./objs/nginx /apps/nginx/sbin/
#检测新版本的nginx配置是否兼容
[19:16:44root@ubuntu nginx-1.24.0]# /apps/nginx/sbin/nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
#发送信号USR2 平滑升级可执行程序,将存储有旧版本主进程PID的文件重命名为nginx.pid.oldbin,并启动新的nginx
[19:17:09root@ubuntu nginx-1.24.0]# kill -USR2 `cat /apps/nginx/logs/nginx.pid`
#先关闭旧nginx的worker进程,而不关闭旧nginx主进程方便回滚
#向原老的Nginx主进程发送WINCH信号,它会平滑关闭老的工作进程(主进程不退出),这时所有新请求都会由新版Nginx处理
[19:18:46root@ubuntu nginx-1.24.0]# kill -WINCH `cat /apps/nginx/logs/nginx.pid.oldbin`
#经过一段时间测试,新版本服务没问题,最后发送QUIT信号,退出老的master,完成全部升级过程
[19:20:24root@ubuntu nginx-1.24.0]# kill -QUIT `cat /apps/nginx/logs/nginx.pid.oldbin`
3.nginx核心配置,并实现nginx多虚拟主机
1.nginx核心配置
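# Core nginx.conf skeleton. The original listing never closed `events {` and
# placed `server {` outside `http {}`, which nginx rejects; this is the valid
# nesting with the same directives.
#user nobody;                    # account the worker processes run as (the master stays root)
worker_processes 1;              # number of workers; usually one per CPU core (`auto` does this)
#error_log logs/error.log;       # error log location
events {
    worker_connections 1024;     # max concurrent connections per worker; raise for production
}
http {
    include mime.types;          # file extension -> MIME type map
    default_type application/octet-stream;  # type for anything not in mime.types (clients download it)
    sendfile on;                 # kernel-to-socket file copy; no user-space buffering
    keepalive_timeout 65;        # idle keep-alive timeout; an optional 2nd value sets the Keep-Alive: timeout= header
    # server_tokens off;         # worth enabling: hides the nginx version in Server: and error pages
    server {
        listen 80;               # address/port; `default_server` makes this the catch-all for the port,
                                 # otherwise the first server{} for that port is used
        server_name localhost;
        location / {
            root html;           # document root for /
            index index.html index.htm;   # default index files
        }
    }
}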
2.实现多个虚拟主机
# Name-based virtual hosts: both listen on port 80 and nginx selects the
# server{} whose server_name matches the request's Host header. Neither is
# marked default_server, so per nginx's selection rules a request with an
# unknown or missing Host is served by the first one (luomu.com); mark a
# dedicated catch-all server{} default_server if that is not intended.
server {
listen 80;
server_name luomu.com;
location / {
root /var/www/example.com;   # document root for this host
index index.html index.htm;
}
}
server {
listen 80;
server_name wang.com;
location / {
root /var/www/example2.com;  # document root for this host
index index.html index.htm;
}
}
4.nginx日志格式定制
通过配置日志格式来自定义日志的输出格式,以满足不同需求。以下是定制 Nginx 日志格式的主要步骤和一些常用的日志格式字段
1.定义日志格式:在 Nginx 配置文件中使用 log_format 指令来定义日志格式
# Custom access-log format. $request, $http_referer and $http_user_agent are
# copied verbatim from the client, so treat them as untrusted when parsing
# logs; nginx's default escaping (escape=default) replaces quotes, backslashes
# and control characters with \xXX so one request stays on one line.
log_format format_name '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
2.使用定义的日志格式:在 access_log 指令中使用定义的日志格式
# Apply the format. Note $remote_addr is the TCP peer: behind a reverse proxy
# it is the proxy's address, not the end client's (see the realip module for
# X-Forwarded-For handling).
access_log /var/log/nginx/access.log format_name;
3.常用的日志格式字段:
$remote_addr:客户端 IP 地址
$remote_user:客户端用户名
$time_local:本地时间,格式为 [day/month/year:hour:minute:second zone]
$request:请求方法、URL 和协议
$status:HTTP 状态码
$body_bytes_sent:响应体大小(字节数)
$http_referer:引用页 URL
$http_user_agent:客户端用户代理
5.nginx反向代理及https安全加密
5.1 Nginx反向代理
reverse proxy,指的是代理外网用户的请求到内部的指定的服务器,并将数据返回给
用户的一种方式,这是用的比较多的一种方式
5.2Http 协议反向代理
Nginx 可以基于ngx_http_proxy_module模块提供http协议的反向代理服务
官方文档:
https://nginx.org/en/docs/http/ngx_http_proxy_module.html
反向代理配置参数
http {
# Two backend pools; with no balancing directive nginx distributes requests
# round-robin across the listed servers.
upstream backend1 {
server 192.168.1.101:8080;
server 192.168.1.102:8080;
}
upstream backend2 {
server 192.168.1.103:8080;
server 192.168.1.104:8080;
}
server {
listen 80;
# proxy_pass with no URI part forwards the request URI unchanged, so the
# backends see /app1/... and /app2/... . Traffic to the pools is plain HTTP
# on the internal network, and the Host header sent upstream is the upstream
# name ("backend1") unless proxy_set_header Host is added.
location /app1/ {
proxy_pass http://backend1;
}
location /app2/ {
proxy_pass http://backend2;
}
}
}
5.3 https安全加密
Web网站的登录页面通常都会使用https加密传输的,加密数据以保障数据的安全,HTTPS能够加密信
息,以免敏感信息被第三方获取,所以很多银行网站或电子邮箱等等安全级别较高的服务都会采用
HTTPS协议,HTTPS其实是有两部分组成:HTTP + SSL / TLS,也就是在HTTP上又加了一层处理加密信
息的模块。服务端和客户端的信息传输都会通过TLS进行加密,所以传输的数据都是加密后的数据
nginx 的https 功能基于模块ngx_http_ssl_module实现
https://nginx.org/en/docs/http/ngx_http_ssl_module.html
准备证书文件,创建自签名证书
#证书存放目录
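# Generate a throw-away lab CA (entry 0) plus leaf certificates signed by it
# (entries 1..N-1) under $DIR. Lab-only by design: the CA key is stored next
# to the leaf keys, serials are fixed, keys are unencrypted (-nodes), and the
# leaves carry no subjectAltName — current browsers require a SAN even for a
# trusted private CA, so add one (extfile / -addext) before real use.
[ -d /data ] || mkdir /data
DIR=/data
# per-certificate settings, suffixed by the entry index
declare -A CERT_INFO
CERT_INFO=(
  [subject0]="/O=heaven/CN=ca.god.com"
  [keyfile0]="cakey.pem"
  [crtfile0]="cacert.pem"
  [key0]=2048
  [expire0]=3650
  [serial0]=0          # RFC 5280 wants a positive serial; OpenSSL tolerates 0 for a lab CA
  [subject1]="/C=CN/ST=hubei/L=wuhan/O=Central.Hospital/CN=master.liwenliang.org"
  [keyfile1]="master.key"
  [crtfile1]="master.crt"
  [key1]=2048
  [expire1]=365
  [serial1]=1
  [csrfile1]="master.csr"
  [subject2]="/C=CN/ST=hubei/L=wuhan/O=Central.Hospital/CN=slave.liwenliang.org"
  [keyfile2]="slave.key"
  [crtfile2]="slave.crt"
  [key2]=2048
  [expire2]=365
  [serial2]=2
  [csrfile2]="slave.csr"
)
# number of entries = number of subjectN keys
N=$(printf '%s\n' "${!CERT_INFO[@]}" | grep -c '^subject')
cd "$DIR" || { echo "无法进入 $DIR" >&2; exit 1; }
# green banner line (replaces the old $COLOR"..."$END word-splitting trick)
banner () { printf '\033[1;32m%s\033[0m\n' "$1"; }
for ((i = 0; i < N; i++)); do
  subj=${CERT_INFO[subject${i}]}
  key=${CERT_INFO[keyfile${i}]}
  crt=${CERT_INFO[crtfile${i}]}
  bits=${CERT_INFO[key${i}]}
  days=${CERT_INFO[expire${i}]}
  serial=${CERT_INFO[serial${i}]}
  # Each openssl call is checked: the original hid both output and exit status
  # behind &>/dev/null, so a failed step silently produced no file and the
  # later `openssl x509 -in` just errored.
  if [ "$i" -eq 0 ]; then
    # self-signed CA certificate (-x509); every later entry is signed with its key
    openssl req -x509 -newkey "rsa:${bits}" -subj "$subj" -set_serial "$serial" \
      -keyout "$key" -nodes -days "$days" -out "$crt" >/dev/null 2>&1 \
      || { echo "生成 CA 证书失败: $subj" >&2; exit 1; }
  else
    csr=${CERT_INFO[csrfile${i}]}
    openssl req -newkey "rsa:${bits}" -nodes -subj "$subj" \
      -keyout "$key" -out "$csr" >/dev/null 2>&1 \
      || { echo "生成 CSR 失败: $subj" >&2; exit 1; }
    openssl x509 -req -in "$csr" -CA "${CERT_INFO[crtfile0]}" -CAkey "${CERT_INFO[keyfile0]}" \
      -set_serial "$serial" -days "$days" -out "$crt" >/dev/null 2>&1 \
      || { echo "签发证书失败: $subj" >&2; exit 1; }
  fi
  banner "**************************************生成证书信息**************************************"
  openssl x509 -in "$crt" -noout -subject -dates -serial
  echo
done
# Lock down every private key, including the CA's: the original `chmod 600
# *.key` did not match cakey.pem, leaving the CA key at the default umask
# (typically world-readable) — anyone on the box could then mint trusted certs.
for ((i = 0; i < N; i++)); do
  chmod 600 "${CERT_INFO[keyfile${i}]}"
done
echo "证书生成完成"
banner "**************************************生成证书文件如下**************************************"
echo "证书存放目录: $DIR"
echo "证书文件列表: $(ls "$DIR" | tr '\n' ' ')"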
#合并CA和服务器证书成一个文件,注意服务器证书必须在前,ca证书在后,否则会出错
[root@centos8 certs]#cat www.wang.org.crt ca.crt > www.wang.org.pem
https配置
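server {
    # port 80 still serves the site in the clear here; the next example
    # redirects it to HTTPS instead
    listen 80;
    listen 443 ssl http2;
    server_name www.wang.org;
    # .pem = server certificate followed by the CA certificate, in that order
    ssl_certificate /apps/nginx/certs/www.wang.org.pem;
    ssl_certificate_key /apps/nginx/certs/www.wang.org.key;   # keep it root-owned, mode 0600
    # nginx 1.22 (the version built above) still enables TLS 1.0 and 1.1 by
    # default; restrict to the versions without known protocol weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:sslcache:20m;   # session cache shared by all workers
    ssl_session_timeout 10m;
    root /data/nginx/html;
}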
实现访问http转到https
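server {
    listen 80;
    listen 443 ssl;
    server_name www.wang.org;
    # NOTE(review): .crt here is the leaf certificate alone, unlike the .pem
    # chain used above; clients that do not already trust the CA need the
    # chain — confirm which file is intended.
    ssl_certificate /apps/nginx/certs/www.wang.org.crt;
    ssl_certificate_key /apps/nginx/certs/www.wang.org.key;
    ssl_protocols TLSv1.2 TLSv1.3;   # nginx 1.22 still enables TLS 1.0/1.1 by default
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    location / {   # whole-site redirect
        root /data/nginx/html/pc;
        index index.html;
        # The $scheme test is what prevents an endless redirect once the request
        # already arrived on 443. `return` inside `if` is one of the forms nginx
        # documents as safe. The target uses $server_name rather than $host so a
        # client-supplied Host header can never steer the redirect should this
        # block ever become the default server for the port.
        if ($scheme = http) {
            return 302 https://$server_name$request_uri;
        }
    }
    location /login {   # redirect only a specific URL
        if ($scheme = http) {
            return 302 https://$server_name$request_uri;
            #rewrite ^/(.*) https://$server_name/$1 redirect;   # equivalent rewrite form (302)
        }
    }
}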
6.完成基于LNMP和Redis的phpmyadmin的会话保持
10.0.0.20代理服务器配置:
#使用上面脚本安装nginx
#使用上面脚本生成密钥
[16:34:03root@ubuntu ~]# ll /apps/nginx/ssl/www.luomu.org.
www.luomu.org.key www.luomu.org.pem #pem 文件是"服务器证书在前、上级 CA 证书在后"拼接成的证书链(证书,不是公钥);私钥在 .key 中,应保持 root 所有、权限 600
[16:59:58root@ubuntu ~]# cat /apps/nginx/conf/nginx.conf
http {
include /apps/nginx/conf.d/*.conf;
[16:59:54root@ubuntu ~]# cat /apps/nginx/conf.d/proxy-www.luomu.org.conf
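# Backend pool for www.luomu.org.
# NOTE(review): 10.0.0.20 is also this proxy's own address (see above). If the
# port-80 server{} below is the one that answers on 10.0.0.20:80, proxied
# requests get a 302 back instead of content — confirm a separate backend
# really listens there.
upstream webservers {
    server 10.0.0.20:80;
    server 10.0.0.8:80;
}
# plain-HTTP listener: only redirects to HTTPS, never serves content
server {
    listen 80;
    root /data/www;
    server_name www.luomu.org;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.luomu.org;
    # .pem = server certificate followed by the CA certificate (order matters)
    ssl_certificate /apps/nginx/ssl/www.luomu.org.pem;
    ssl_certificate_key /apps/nginx/ssl/www.luomu.org.key;
    # nginx 1.22 (built above) still enables TLS 1.0/1.1 by default
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    location / {
        # backends are reached over plain HTTP on the internal network
        proxy_pass http://webservers;
        proxy_set_header Host $http_host;
        # Tell the backend who the real client is and that the edge was HTTPS.
        # $proxy_add_x_forwarded_for appends to any client-supplied
        # X-Forwarded-For, so a backend must trust only the last address.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}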
LNP服务器1和2:
#使用上面脚本安装nginx
#修改配置文件
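# main-context directive (must sit outside http{}): workers run as www-data,
# the account php-fpm also uses on Debian/Ubuntu
user www-data;
server {
    listen 80;
    server_name localhost;
    root /data/www/;
    index index.php;
    client_max_body_size 20m;
    # proxy_set_header only affects proxy_pass, which this server does not use;
    # this line is a no-op and can be removed
    proxy_set_header Host $proxy_host;
    # php-fpm's own endpoints (pool ping.path / pm.status_path, if enabled in
    # the pool). They disclose process and request details, so they are limited
    # to the host itself; add `allow` lines for the proxy or a monitoring host
    # if needed. The original regex `\.php$|/ping|/php-status` was unanchored
    # and ungrouped, so any URI containing /ping reached php-fpm and both
    # endpoints were reachable by anyone.
    location ~ ^/(ping|php-status)$ {
        allow 127.0.0.1;
        deny all;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ \.php$ {
        # refuse to hand a non-existent script path to php-fpm (the classic
        # /img/x.jpg/a.php trick); php-fpm's security.limit_extensions is the
        # second line of defence
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        #charset koi8-r;
    }
}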
#安装需要的包文件
apt -y install php-fpm php-mysql php-redis php-json php-mbstring
##配置链接到redis服务器配置
[17:21:07root@ubuntu www]# vim /etc/php/8.1/fpm/pool.d/www.conf
; Store PHP sessions in Redis so every backend behind the proxy sees the same session.
php_value[session.save_handler] = redis
; This URL carries no credentials: anyone who can reach 10.0.0.24:6379 can read or
; forge every user's session. Set requirepass on the Redis server, pass it here via
; the ?auth= query parameter the phpredis session handler accepts (check the version
; installed), and firewall the port to the LNP hosts only.
php_value[session.save_path] = "tcp://10.0.0.24:6379"
#设置完成可以链接服务器测试
mysql服务器:
#安装mysql
[15:52:24root@ubuntu ~]# apt update && apt -y install mysql-server
[17:05:06root@ubuntu ~]# vim /etc/mysql/mysql.conf.d/mysqld.cnf
#bind-address = 127.0.0.1
#mysqlx-bind-address = 127.0.0.1 #修改配置文件允许远程链接
mysql> create user admin@'10.0.0.%' identified with mysql_native_password by '123456';
mysql> grant all on *.* to admin@'10.0.0.%'; #创建账号
#仅限实验环境:该账号对全部库拥有 ALL 权限且密码极弱,而上面已放开远程监听。生产中应只授予 phpmyadmin 所需数据库的最小权限,并使用强密码
redis服务器:
[17:06:47root@ubuntu ~]# apt -y install redis #安装redis
[16:48:52root@ubuntu ~]# vim /etc/redis/redis.conf #修改配置文件允许远程链接
bind 0.0.0.0
#注意:显式设置 bind 后 protected-mode 不再阻止远程访问,此时 Redis 对整个网络开放且无认证,任何能连到 6379 端口的主机都可以读取或伪造 PHP 会话数据。建议只 bind 10.0.0.24、设置 requirepass,并用防火墙仅放行 LNP 服务器