Nginx Installation Guide
1. Version selection
Nginx is released in three flavours: Mainline version (the main development line, which is in effect still a development build), Stable version (the current latest stable release) and Legacy versions (older stable releases). My own view on choosing a version is to advance steadily and take no risks in production: production environments should strongly prefer the Stable version, while test environments can consider the Mainline version to build up technical readiness for later upgrades. For older business systems whose platform software architecture cannot be changed, stay with the Legacy versions (but compensate on the security side from other angles).
2. RHEL/CentOS: install from the official yum repository
- Official installation guide: http://nginx.org/en/linux_packages.html#RHEL-CentOS
- Configure the official yum repository (save it as a .repo file under /etc/yum.repos.d/; the official guide uses /etc/yum.repos.d/nginx.repo):
    [nginx-stable]
    name=nginx stable repo
    baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
    gpgcheck=1
    enabled=1
    gpgkey=https://nginx.org/keys/nginx_signing.key
    module_hotfixes=true
- Run yum repolist to verify the repository is working.
    [19:47:07 root@Centos8 ~]#yum repolist
    nginx stable repo                        2.4 kB/s |  10 kB     00:04
    repo id        repo name                   status
    AppStream      CentOS-8 - AppStream        5,089
    BaseOS         CentOS-8 - Base             2,843
    extras         CentOS-8 - Extras           3
    nx-stable      nginx stable repo           28
    [19:47:21 root@Centos8 ~]#
    [19:52:58 root@Centos8 ~]#yum list |grep nginx
    nginx.x86_64                                  1:1.16.1-1.el8.ngx                        nx-stable
    nginx-all-modules.noarch                      1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-debuginfo.x86_64                        1:1.16.1-1.el8.ngx                        nx-stable
    nginx-filesystem.noarch                       1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-mod-http-image-filter.x86_64            1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-mod-http-perl.x86_64                    1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-mod-http-xslt-filter.x86_64             1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-mod-mail.x86_64                         1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-mod-stream.x86_64                       1:1.14.1-9.module_el8.0.0+184+e34fea82    AppStream
    nginx-module-image-filter.x86_64              1:1.16.1-1.el8.ngx                        nx-stable
    nginx-module-image-filter-debuginfo.x86_64    1:1.16.1-1.el8.ngx                        nx-stable
    nginx-module-njs.x86_64                       1:1.16.1.0.3.7-1.el8.ngx                  nx-stable
    nginx-module-njs-debuginfo.x86_64             1:1.16.1.0.3.7-1.el8.ngx                  nx-stable
    nginx-module-perl.x86_64                      1:1.16.1-1.el8.ngx                        nx-stable
    nginx-module-perl-debuginfo.x86_64            1:1.16.1-1.el8.ngx                        nx-stable
    nginx-module-xslt.x86_64                      1:1.16.1-1.el8.ngx                        nx-stable
    nginx-module-xslt-debuginfo.x86_64            1:1.16.1-1.el8.ngx                        nx-stable
    pcp-pmda-nginx.x86_64                         4.3.0-3.el8                               AppStream
    [19:53:04 root@Centos8 ~]#
Note that both the CentOS AppStream build (1.14.1) and the nginx.org build (1.16.1) are listed; the install below picks the newer nginx.org package.
- Install Nginx: yum install nginx.x86_64 -y
    [19:56:15 root@Centos8 ~]#yum install nginx.x86_64 -y
    Last metadata expiration check: 0:14:10 ago on Mon 06 Jan 2020 07:47:21 PM CST.
    Dependencies resolved.
    ================================================================================
     Package        Arch         Version                 Repository        Size
    ================================================================================
    Installing:
     nginx          x86_64       1:1.16.1-1.el8.ngx      nx-stable        797 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total size: 797 k
    Installed size: 2.9 M
    Downloading Packages:
    [SKIPPED] nginx-1.16.1-1.el8.ngx.x86_64.rpm: Already downloaded
    warning: /var/cache/dnf/nx-stable-614ef03fac352fea/packages/nginx-1.16.1-1.el8.ngx.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: NOKEY
    nginx stable repo                                582  B/s | 1.5 kB     00:02
    Importing GPG key 0x7BD9BF62:
     Userid     : "nginx signing key <signing-key@nginx.com>"
     Fingerprint: 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
     From       : https://nginx.org/keys/nginx_signing.key
    Key imported successfully
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                        1/1
      Running scriptlet: nginx-1:1.16.1-1.el8.ngx.x86_64                        1/1
      Installing       : nginx-1:1.16.1-1.el8.ngx.x86_64                        1/1
      Running scriptlet: nginx-1:1.16.1-1.el8.ngx.x86_64                        1/1
    ----------------------------------------------------------------------
    Thanks for using nginx!

    Please find the official documentation for nginx here:
    * http://nginx.org/en/docs/

    Please subscribe to nginx-announce mailing list to get
    the most important news about nginx:
    * http://nginx.org/en/support.html

    Commercial subscriptions for nginx are available on:
    * http://nginx.com/products/
    ----------------------------------------------------------------------
      Verifying        : nginx-1:1.16.1-1.el8.ngx.x86_64                        1/1

    Installed:
      nginx-1:1.16.1-1.el8.ngx.x86_64

    Complete!
    [20:01:37 root@Centos8 ~]#
Because gpgcheck=1 is set, yum fetches the key named in gpgkey and prints its fingerprint before trusting it; compare that fingerprint with the one nginx publishes before accepting packages from the repository.
- Enable the service at boot (and start it now)
    [20:01:50 root@Centos8 ~]#systemctl enable --now nginx.service
    Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
    [20:04:41 root@Centos8 ~]#
3. Ubuntu: install from the official apt repository
- Official installation guide: http://nginx.org/en/linux_packages.html#Ubuntu
- Install the prerequisites (older Ubuntu releases need these packages):
    sudo apt install curl gnupg2 ca-certificates lsb-release
- Configure the official apt repository
    echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" |sudo tee /etc/apt/sources.list.d/nginx.list
- Import the nginx signing key
    curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
- Verify the key was imported: sudo apt-key fingerprint
The first entry is the nginx key; for safety, compare its fingerprint with the one nginx publishes.
    root@ubuntu:~# sudo apt-key fingerprint
    /etc/apt/trusted.gpg
    --------------------
    pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
          573B FD6B 3D8F BC64 1079 A6AB  ABF5 BD82 7BD9 BF62
    uid           [ unknown] nginx signing key <signing-key@nginx.com>

    /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
    ------------------------------------------------------
    pub   rsa4096 2012-05-11 [SC]
          790B C727 7767 219C 42C8 6F93  3B4F E6AC C0B2 1F32
    uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

    /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
    ------------------------------------------------------
    pub   rsa4096 2012-05-11 [SC]
          8439 38DF 228D 22F7 B374 2BC0  D94A A3F0 EFE2 1092
    uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

    /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
    ------------------------------------------------------
    pub   rsa4096 2018-09-17 [SC]
          F6EC B376 2474 EDA9 D21B 7022  8719 20D1 991B C93C
    uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
    root@ubuntu:~#
- Install nginx
Run sudo apt update (refresh the package list), apt list |grep nginx (look at the available nginx packages) and sudo apt install nginx (install nginx).
    root@ubuntu:~# apt list |grep nginx
    WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
    nginx/stable 1.16.1-1~bionic amd64
    nginx-dbg/stable 1.16.1-1~bionic amd64
    nginx-module-geoip/stable 1.16.1-1~bionic amd64
    nginx-module-geoip-dbg/stable 1.16.1-1~bionic amd64
    nginx-module-image-filter/stable 1.16.1-1~bionic amd64
    nginx-module-image-filter-dbg/stable 1.16.1-1~bionic amd64
    nginx-module-njs/stable 1.16.1.0.3.7-1~bionic amd64
    nginx-module-njs-dbg/stable 1.16.1.0.3.7-1~bionic amd64
    nginx-module-perl/stable 1.16.1-1~bionic amd64
    nginx-module-perl-dbg/stable 1.16.1-1~bionic amd64
    nginx-module-xslt/stable 1.16.1-1~bionic amd64
    nginx-module-xslt-dbg/stable 1.16.1-1~bionic amd64
    nginx-nr-agent/stable 2.0.0-11 all
    root@ubuntu:~#
    root@ubuntu:~# apt install nginx
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following NEW packages will be installed:
      nginx
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 851 kB of archives.
    After this operation, 2,995 kB of additional disk space will be used.
    Get:1 http://nginx.org/packages/ubuntu bionic/nginx amd64 nginx amd64 1.16.1-1~bionic [851 kB]
    Fetched 851 kB in 2min 54s (4,897 B/s)
    Selecting previously unselected package nginx.
    (Reading database ... 66459 files and directories currently installed.)
    Preparing to unpack .../nginx_1.16.1-1~bionic_amd64.deb ...
    ----------------------------------------------------------------------
    Thanks for using nginx!

    Please find the official documentation for nginx here:
    * http://nginx.org/en/docs/

    Please subscribe to nginx-announce mailing list to get
    the most important news about nginx:
    * http://nginx.org/en/support.html

    Commercial subscriptions for nginx are available on:
    * http://nginx.com/products/
    ----------------------------------------------------------------------
    Unpacking nginx (1.16.1-1~bionic) ...
    Processing triggers for ureadahead (0.100.0-21) ...
    Setting up nginx (1.16.1-1~bionic) ...
    Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /lib/systemd/system/nginx.service.
    Processing triggers for systemd (237-3ubuntu10.24) ...
    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
    Processing triggers for ureadahead (0.100.0-21) ...
The "Created symlink" line shows that the package generated the service unit file; remember to enable it at boot.
- Enable the service at boot
    systemctl enable nginx.service
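Both the yum install output in section 2 (the "Importing GPG key" fingerprint) and the apt-key fingerprint listing above show the same nginx signing key. The script below is an added example, not part of the original guide, that turns the "compare it with the published fingerprint" advice into a check: it assumes the expected fingerprint is the one shown in this guide, that GnuPG 2.2 or newer is available for the --show-keys call, and the two key listings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that the nginx signing
# key you imported carries the fingerprint nginx.org publishes, before the
# repository is trusted. EXPECTED_NGINX_FPR is the value shown in this guide.
EXPECTED_NGINX_FPR='573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62'

# Normalise a fingerprint: drop blanks, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Pull every 40-hex-digit fingerprint out of gpg/apt-key "fingerprint"
# output, one per line, whatever the grouping/spacing of the hex blocks.
fingerprints_in() {
    printf '%s\n' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF' \
        | grep -oE '[0-9A-F]{40}' || true
}

# Return 0 when the expected nginx key is present in the listing, 1 otherwise.
has_expected_key() {
    fingerprints_in "$1" | grep -qx "$(norm_fpr "$EXPECTED_NGINX_FPR")"
}

# Check a downloaded key file without importing it (assumes GnuPG 2.2+).
verify_key_file() {
    has_expected_key "$(gpg --with-fingerprint --show-keys "$1" 2>/dev/null)"
}

# Constructed sample: the nginx entry from the guide's apt-key listing.
GOOD_OUTPUT='pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573B FD6B 3D8F BC64 1079 A6AB  ABF5 BD82 7BD9 BF62
uid           [ unknown] nginx signing key <signing-key@nginx.com>'

# Constructed sample: same uid text, made-up fingerprint; must be rejected.
BAD_OUTPUT='pub   rsa2048 2011-08-19 [SC]
      0000 1111 2222 3333 4444 5555 6666 7777 8888 9999
uid           [ unknown] nginx signing key <signing-key@nginx.com>'

if has_expected_key "$GOOD_OUTPUT"; then echo "sample key matches published fingerprint"; fi
if ! has_expected_key "$BAD_OUTPUT"; then echo "sample with wrong fingerprint rejected"; fi
# On a real host: verify_key_file nginx_signing.key
#             or: has_expected_key "$(sudo apt-key fingerprint 2>/dev/null)"
```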
4. Compiling from source
nginx upstream provides a large number of modules and also supports integrating third-party modules, so a deployment can be tailored to production needs by compiling from source. Running ./configure --help lists the many available modules; the patterns are summarised below.
Official source installation reference: http://nginx.org/en/docs/configure.html
Most software built from source shares a common set of configure options, and nginx is no exception; only the option names differ. The options most packages offer are:
--prefix=  the installation path
--sysconfdir= or --conf-path=  the configuration file directory
--enable-feature  enable a feature
--disable-feature  disable a feature
--with-function  enable a function
--without-function  disable a function
1. General installation options
--prefix=PATH  installation path; defaults to /usr/local/nginx if not given. The paths below are created automatically as subdirectories of the prefix unless given explicitly.
--sbin-path=PATH  path of the executable
--modules-path=PATH  directory for nginx dynamic modules
--conf-path=PATH  path of the configuration file
--error-log-path=PATH  path of the error log file
--pid-path=PATH  path of the PID file
--lock-path=PATH  path of the lock file
--user=USER  user the nginx worker processes run as
--group=GROUP  group the nginx worker processes run as
2. Module categories
Every module shown by ./configure --help is documented upstream with usage notes; see the Modules reference on http://nginx.org/en/docs/.
HTTP modules: those whose name starts with --with-http
Layer-4 (stream) proxy modules: those whose name starts with --with-stream
Mail proxy modules: those whose name starts with --with-mail
Layer-7 proxy modules: http_proxy, http_fastcgi, http_uwsgi and so on
Load balancing: modules whose name contains the keyword upstream
Note: both layer-4 and layer-7 proxying rely on their respective upstream modules to provide load balancing.
3. Enabling and disabling modules
Almost every module in ./configure --help carries one of two keywords, --with and --without, summarised as follows:
Enable a module: --with (modules of this kind are disabled unless explicitly requested)
Disable a module: --without (modules of this kind are enabled unless explicitly disabled; they are generally extension features of some module class)
--with-debug  useful for locating and troubleshooting nginx problems: it allows the error_log level to be raised to produce detailed output.
4. HTTP extension modules
--with-http_ssl_module  HTTPS support
--with-http_v2_module  HTTP/2 support
--with-http_flv_module  lets clients play FLV video, with seeking (drag-to-position) support
--with-http_mp4_module  lets clients play MP4 video, with seeking (drag-to-position) support
--with-http_image_filter_module  enables nginx's image filter (image transformation) feature
--with-http_dav_module  enables WebDAV, which supports file upload, copy and delete; recommended not to enable it.
--with-http_gzip_static_module  if the server has gzip compression of response bodies enabled, enable this module as well: it lets compressed resources requested earlier by clients be reused, i.e. when many users request the same resource it only needs to be compressed once and reused many times, lowering CPU consumption.
--with-http_stub_status_module  enables nginx's built-in status page, which reports statistics such as concurrent connections
--with-http_geoip_module  uses the MaxMind GeoIP database to determine where a client IP address belongs, enabling region-based routing.
5. Third-party module extensions and custom builds
--with-pcre  enables PCRE regular-expression support; allows a custom (source) build of PCRE.
--with-libatomic  enables atomic operations
--with-openssl  enables OpenSSL; this is also how OpenSSL is upgraded (build against a given OpenSSL source tree)
--add-module  the generic way to integrate a third-party module
--with-zlib  custom build of zlib
4.1 Compiling nginx with a third-party module
- Fetch the nginx source tarball and the third-party module echo-nginx-module
    wget http://nginx.org/download/nginx-1.16.1.tar.gz
    git clone https://github.com/openresty/echo-nginx-module.git
- Unpack the tarball and move the module source alongside it
    tar xvf nginx-1.16.1.tar.gz -C /usr/local/src/
    mv ./echo-nginx-module /usr/local/src/
- Install the build environment
Use a test environment to find out which libraries are needed, looking each one up with yum provides and installing it; the -devel packages are generally required. Note that the GeoIP component comes from the EPEL repository.
    yum install gcc pcre-devel.x86_64 make openssl-devel libxslt-devel gd-devel.x86_64 GeoIP-devel.x86_64
- cd into the unpacked nginx source directory
    cd /usr/local/src/nginx-1.16.1
- Run configure
The generic way to integrate a third-party module is --add-module=/usr/local/src/echo-nginx-module, which points at the directory holding the module's source.
    ./configure --prefix=/apps/nginx --user=nginx --group=nginx --build=vmlab --with-threads --with-file-aio --with-debug --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_flv_module --with-http_mp4_module --with-http_stub_status_module --add-module=/usr/local/src/echo-nginx-module
The following output is worth recording; it is useful later:
    Configuration summary
      + using threads
      + using system PCRE library
      + using system OpenSSL library
      + using system zlib library

      nginx path prefix: "/apps/nginx"
      nginx binary file: "/apps/nginx/sbin/nginx"
      nginx modules path: "/apps/nginx/modules"
      nginx configuration prefix: "/apps/nginx/conf"
      nginx configuration file: "/apps/nginx/conf/nginx.conf"
      nginx pid file: "/apps/nginx/logs/nginx.pid"
      nginx error log file: "/apps/nginx/logs/error.log"
      nginx http access log file: "/apps/nginx/logs/access.log"
      nginx http client request body temporary files: "client_body_temp"
      nginx http proxy temporary files: "proxy_temp"
      nginx http fastcgi temporary files: "fastcgi_temp"
      nginx http uwsgi temporary files: "uwsgi_temp"
      nginx http scgi temporary files: "scgi_temp"
    [12:04:44 root@Centos8 nginx-1.16.1]#
- Build and install
    make && make install
- Create the nginx account (a system account with no login shell)
    useradd -r -s /sbin/nologin nginx
- Change the owner and group of the nginx prefix directory to nginx
    chown -R nginx:nginx /apps/nginx/
Note that this also hands the binary and the configuration to the worker user; for tighter least privilege, keep sbin/ and conf/ owned by root and give nginx only the directories it must write to, such as the logs and temporary-file paths.
- Create the service unit
    vim /usr/lib/systemd/system/nginx.service
    [Unit]
    Description=nginx - high performance web server
    Documentation=http://nginx.org/en/docs/
    After=network-online.target remote-fs.target nss-lookup.target
    Wants=network-online.target

    [Service]
    Type=forking
    PIDFile=/var/run/nginx.pid
    ExecStart=/apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.conf
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s TERM $MAINPID

    [Install]
    WantedBy=multi-user.target
- Change the pid path in the nginx configuration file so that it matches the PIDFile in the service unit.
    vim /apps/nginx/conf/nginx.conf
    pid /var/run/nginx.pid;
- Load the new service unit, registering it with systemd and generating its dependencies
    systemctl daemon-reload
- Enable the service at boot
    systemctl enable nginx.service
4.2 Upgrading the OpenSSL built into nginx
This scenario typically arises when a security vulnerability is found in OpenSSL and the OpenSSL integrated into the nginx service must be upgraded.
- Fetch the OpenSSL source tarball
    wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
- Unpack the source tarball
    tar xvf openssl-1.1.1d.tar.gz -C /usr/local/src/
- Rebuild nginx against the latest OpenSSL, reusing the existing build configuration
Stop the nginx service before installing: systemctl stop nginx.service
Run nginx -V to see the current build configuration; in the output below the OpenSSL version is 1.1.1 FIPS. The "configure arguments" line is exactly the set of options nginx was compiled with, so all we need to do is add the OpenSSL source path to those original options, run configure, and then run make && make install again.
    [14:47:15 root@Centos8 ~]#/apps/nginx/sbin/nginx -V
    nginx version: nginx/1.16.1 (vmlab)
    built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
    built with OpenSSL 1.1.1 FIPS  11 Sep 2018
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --build=vmlab --with-threads --with-file-aio --with-debug --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_flv_module --with-http_mp4_module --with-http_stub_status_module --add-module=/usr/local/src/echo-nginx-module
    [14:47:43 root@Centos8 ~]#
    [14:59:40 root@Centos8 nginx-1.16.1]#./configure --prefix=/apps/nginx --user=nginx --group=nginx --build=vmlab --with-threads --with-file-aio --with-debug --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_flv_module --with-http_mp4_module --with-http_stub_status_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=/usr/local/src/openssl-1.1.1d
- Build and install again
    make && make install
- Start the nginx service
    systemctl start nginx.service
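As an added example (not from the original guide), the script below does by script what the procedure above does by hand: it reads the "configure arguments" line from nginx -V output, reuses it unchanged, appends --with-openssl=<source path>, and extracts the OpenSSL version nginx reports so the upgrade can be confirmed afterwards. The nginx -V sample is constructed from this guide's output with a shortened argument list; the paths are the ones this guide uses.

```shell
#!/bin/sh
# Added example, not from the original guide: rebuild the ./configure command
# for an OpenSSL upgrade from the options recorded in `nginx -V`.

# Print the configure arguments recorded in `nginx -V` output (passed as $1).
configure_args_from_v() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# Print the OpenSSL version string nginx reports it was built with
# ("1.1.1" before the upgrade, "1.1.1d" once the rebuilt binary is running).
built_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Build the new ./configure command line ($1 = nginx -V output, $2 = OpenSSL
# source dir). Any earlier --with-openssl=... is dropped first, so the same
# step can be repeated for the next OpenSSL release without duplicate options.
new_configure_cmd() {
    args=$(configure_args_from_v "$1" \
        | sed 's/--with-openssl=[^ ]*//g; s/  */ /g; s/^ //; s/ $//')
    printf './configure %s --with-openssl=%s\n' "$args" "$2"
}

# Constructed sample modelled on the guide's `nginx -V` output (argument list
# shortened here; a real run carries the full list through unchanged).
NGINX_V_SAMPLE='nginx version: nginx/1.16.1 (vmlab)
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --build=vmlab --with-threads --with-http_ssl_module --add-module=/usr/local/src/echo-nginx-module'

# On a real host (nginx -V writes to stderr, hence 2>&1):
#   new_configure_cmd "$(/apps/nginx/sbin/nginx -V 2>&1)" /usr/local/src/openssl-1.1.1d
# then run the printed command inside the unpacked nginx source tree,
# followed by make && make install.
echo "currently built with OpenSSL $(built_openssl_version "$NGINX_V_SAMPLE")"
new_configure_cmd "$NGINX_V_SAMPLE" /usr/local/src/openssl-1.1.1d
```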
4.3 Hiding the Nginx version
Editing the nginx source and recompiling lets you change the version number and the name nginx displays, throwing a few decoys in front of penetration testers.
- Edit the nginx source file src/http/ngx_http_header_filter_module.c (relative to the source tree)
- Change line 49, static u_char ngx_http_server_string[] = "Server: nginx" CRLF;, replacing nginx with the string you want, then save and exit.
- Re-run the build and install
- Edit the configuration file and add server_tokens off;
- Test as follows:
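The following is an added example, not from the original guide: it performs the source edit from the steps above on a copy of the relevant line and then checks a response's headers for a leaked version, which is the test a defender wants after the rebuild and server_tokens off. It assumes the source line has the exact form quoted above; the banner name "webfront", the source excerpt and the two sample responses are constructed here.

```shell
#!/bin/sh
# Added example (not from the original guide): rewrite the Server banner in
# ngx_http_server_string and verify that response headers no longer reveal
# the nginx version.

# Replace "Server: nginx" in ngx_http_server_string with "Server: $2".
# $2 must be a plain word (letters, digits, - or _) because it lands inside
# a sed program. Prints the resulting line so the change can be checked.
patch_server_string() {
    src="$1"; name="$2"
    sed_prog='s/\(ngx_http_server_string\[] = "Server: \)nginx"/\1'"$name"'"/'
    sed "$sed_prog" "$src" > "$src.tmp" && mv "$src.tmp" "$src"
    grep 'ngx_http_server_string\[]' "$src"
}

# Return 0 if the raw response headers still carry a Server value with a
# version suffix such as nginx/1.16.1 (banner not rebuilt, or server_tokens
# off not in effect); return 1 when no version is exposed.
server_header_leaks_version() {
    printf '%s\n' "$1" | tr -d '\r' | grep -iE '^Server: *[^ ]*/[0-9]' >/dev/null
}

# Constructed excerpt modelled on the lines the guide points at (around line 49).
SAMPLE_SRC=$(mktemp)
cat > "$SAMPLE_SRC" <<'EOF'
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
EOF

# Constructed responses: before hardening, and after the rebuild + server_tokens off.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.16.1
Content-Type: text/html'
HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: webfront
Content-Type: text/html'

patch_server_string "$SAMPLE_SRC" webfront
server_header_leaks_version "$LEAKY_RESPONSE" && echo "before: version exposed in Server header"
server_header_leaks_version "$HARDENED_RESPONSE" || echo "after: no version in Server header"
```

On a real server the header check is run on the output of a request to the service (for example the headers returned by curl -sI), while the sed step targets the actual source file before the rebuild.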
5. Official references
- Installation from the official repositories: http://nginx.org/en/linux_packages.html#RHEL-CentOS
- Building from source: http://nginx.org/en/docs/configure.html
- Admin guide: https://docs.nginx.com/nginx/admin-guide/
- Process control: http://nginx.org/en/docs/control.html
- I/O (connection processing) models: http://nginx.org/en/docs/events.html