1. Compiling and installing Nginx
1.1 Compile and install
[root@centos7 ~]# yum -y install gcc pcre-devel openssl-devel zlib-devel
[root@centos7 ~]#useradd -s /sbin/nologin nginx
[root@centos7 ~]#wget http://nginx.org/download/nginx-1.18.0.tar.gz
[root@centos7 ~]#tar xf nginx-1.18.0.tar.gz
[root@centos7 ~]#cd nginx-1.18.0/
[root@centos7 nginx-1.18.0]#ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE man README src
[root@centos7 nginx-1.18.0]#./configure --prefix=/apps/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
[root@centos7 nginx-1.18.0]#make -j 2
[root@centos7 nginx-1.18.0]#make install
# Fix ownership
[root@centos7 nginx-1.18.0]#chown -R nginx.nginx /apps/nginx/
# After the installation completes, nginx has four main directories
[root@centos7 nginx-1.18.0]# ll /apps/nginx/
总用量 0
drwxr-xr-x 2 nginx nginx 333 4月 15 14:16 conf
drwxr-xr-x 2 nginx nginx 40 4月 15 14:16 html
drwxr-xr-x 2 nginx nginx 6 4月 15 14:16 logs
drwxr-xr-x 2 nginx nginx 19 4月 15 14:16 sbin
# conf: holds all nginx configuration files. nginx.conf is the core configuration file of the nginx server; the other .conf files configure related features, for example FastCGI uses fastcgi.conf and fastcgi_params. Each configuration file usually has a template ending in .default; to use it, copy it and drop the .default suffix.
# html: holds the web files served by nginx; a different directory can be used instead. The 50x file is the default error page.
# logs: holds the nginx access log, error log and other logs; the logs directory can be placed elsewhere, for example /var/logs/nginx.
# sbin: holds the nginx binary, which accepts different arguments to perform different functions.
1.2 Verify the version and compile parameters
[root@centos7 nginx-1.18.0]#ls /apps/nginx/sbin/
nginx
[root@centos7 nginx-1.18.0]#ln -s /apps/nginx/sbin/nginx /usr/sbin/
# Check the version
[root@centos7 nginx-1.18.0]#nginx -v
nginx version: nginx/1.18.0
# Check the compile parameters
[root@centos7 nginx-1.18.0]#nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
1.3 Create the service file
[root@centos7 nginx-1.18.0]#vim /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/apps/nginx/run/nginx.pid
ExecStart=/apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
LimitNOFILE=100000
[Install]
WantedBy=multi-user.target
# Create the pid directory
[root@centos7 nginx-1.18.0]#mkdir /apps/nginx/run/
[root@centos7 nginx-1.18.0]#chown -R nginx.nginx /apps/nginx/run/
# Edit the configuration file
[root@centos7 nginx-1.18.0]#vim /apps/nginx/conf/nginx.conf
pid /apps/nginx/run/nginx.pid;
1.4 Verify the Nginx service unit
[root@centos7 nginx-1.18.0]#systemctl daemon-reload
[root@centos7 nginx-1.18.0]#systemctl enable --now nginx
[root@centos7 nginx-1.18.0]#ll /apps/nginx/run/
total 4
-rw-r--r-- 1 root root 5 Mar 28 16:44 nginx.pid
[root@centos7 nginx-1.18.0]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
1.5 Test
[root@centos7 ~]#curl -I 10.0.0.7
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 28 Mar 2022 11:59:51 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 28 Mar 2022 07:45:26 GMT
Connection: keep-alive
ETag: "62416796-264"
Accept-Ranges: bytes
2. Implementing multiple domains
2.1 Create the PC web site and the Mobile web site
# Define the path for sub-configuration files
[root@centos7 ~]#mkdir /apps/nginx/conf/conf.d
[root@centos7 ~]#vim /apps/nginx/conf/nginx.conf
http {
server_tokens off;
include mime.types;
include /apps/nginx/conf/conf.d/*.conf; # add this line at the very end of the http block; do not put it at the beginning, or the directives before it will not take effect
}
[root@centos7 ~]#mkdir /data/nginx/html/pc/ -pv
mkdir: created directory ‘/data/nginx’
mkdir: created directory ‘/data/nginx/html’
mkdir: created directory ‘/data/nginx/html/pc/’
[root@centos7 ~]#mkdir /data/nginx/html/mobile/ -pv
mkdir: created directory ‘/data/nginx/html/mobile/’
[root@centos7 ~]#tree /data/nginx/
/data/nginx/
└── html
├── mobile
└── pc
3 directories, 0 files
[root@centos7 ~]#echo "pc website" > /data/nginx/html/pc/index.html
[root@centos7 ~]#echo "mobile website" > /data/nginx/html/mobile/index.html
# Create the PC site configuration
[root@centos7 ~]#vim /apps/nginx/conf/conf.d/pc.conf
server{
listen 80;
server_name www.linux2022.com;
location / {
root /data/nginx/html/pc;
}
}
[root@centos7 ~]#nginx -t
[root@centos7 ~]#nginx -s reload
# Test access
[root@ubuntu1804 ~]#vim /etc/hosts
10.0.0.7 www.linux2022.com
[root@ubuntu1804 ~]#curl www.linux2022.com
pc website
# Create the Mobile site configuration
[root@centos7 ~]#cd /apps/nginx/conf/conf.d/
[root@centos7 conf.d]#ls
pc.conf
[root@centos7 conf.d]#cp pc.conf mobile.conf
[root@centos7 conf.d]#vim mobile.conf
server{
listen 80;
server_name m.linux2022.com;
location / {
root /data/nginx/html/mobile;
}
}
[root@centos7 conf.d]#nginx -s reload
# Test access
[root@ubuntu1804 ~]#vim /etc/hosts
10.0.0.7 www.linux2022.com m.linux2022.com
[root@ubuntu1804 ~]#curl m.linux2022.com
mobile website
3. Implementing HTTPS for multiple domains
Nginx's HTTPS support is implemented by the ngx_http_ssl_module module, so a compiled-from-source nginx must enable it at build time. As a core feature it is enabled by default in the yum-packaged nginx, while a compiled nginx needs the --with-http_ssl_module configure argument.
Nginx supports multiple domains on a single IP, and HTTPS on top of that, by means of SNI (Server Name Indication). SNI was designed to let one nginx server bind multiple domains and certificates to a single IP: before the SSL connection is established, the client sends the hostname of the site it wants to reach, and the server then returns the certificate that matches that name.
[root@centos7 ~]#nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
The configuration directives are as follows:
ssl on | off;
# Enable or disable SSL for the given virtual host; deprecated in 1.15.0, use listen ... [ssl] instead
listen 443 ssl;
ssl_certificate /path/to/file;
# File containing the certificate of the current virtual host together with the CA certificate, usually a .crt file
ssl_certificate_key /path/to/file;
# Private key file used by the current virtual host, usually a .key file
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
# Supported protocol versions; early versions were SSL, now TLS; the default is the last three
ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
# Configure the SSL session cache
off: # disable the cache
none: # tell the client that the session cache is supported, but do not actually support it
builtin[:size]: # use OpenSSL's built-in cache, private to each worker process
[shared:name:size]: # one cache shared among all workers; requires a cache name and a cache size; 1 MB holds about 4000 sessions; multiple virtual hosts may use the same cache name
ssl_session_timeout time;
# How long a client may reuse a session stored in the ssl session cache; default 5m
3.1 Generate a self-signed certificate for the PC site
[root@centos7 ~]#cd /apps/nginx/conf/conf.d/
[root@centos7 conf.d]#ls
mobile.conf pc.conf
[root@centos7 conf.d]#pwd
/apps/nginx/conf/conf.d
[root@centos7 conf.d]#mkdir ssl
[root@centos7 conf.d]#cd ssl/
# Generate the self-signed certificate with a script
[root@centos7 ssl]#cat certificate.sh
#!/bin/bash
CA_SUBJECT="/O=linux2022/CN=ca.linux2022.com"
SUBJECT="/C=CN/ST=guangdong/L=guangzhou/O=linux2022/CN=www.linux2022.com"
SERIAL=34
EXPIRE=3650
FILE=linux2022.com
# Self-signed CA certificate and key
openssl req -x509 -newkey rsa:2048 -subj "$CA_SUBJECT" -keyout ca.key -nodes -days 3650 -out ca.crt
# Server private key and certificate signing request
openssl req -newkey rsa:2048 -nodes -keyout ${FILE}.key -subj "$SUBJECT" -out ${FILE}.csr
# Sign the server certificate with the CA
openssl x509 -req -in ${FILE}.csr -CA ca.crt -CAkey ca.key -set_serial $SERIAL -days $EXPIRE -out ${FILE}.crt
chmod 600 ${FILE}.key ca.key
[root@centos7 ssl]#bash -n certificate.sh
[root@centos7 ssl]#bash certificate.sh
[root@centos7 ssl]#ls
ca.crt ca.key certificate.sh linux2022.com.crt linux2022.com.csr linux2022.com.key
# Concatenate the server and CA certificates into one file; note the server certificate must come first
[root@centos7 ssl]#cat linux2022.com.crt ca.crt > www.linux2022.com.crt
[root@centos7 ssl]#mv linux2022.com.key www.linux2022.com.key
[root@centos7 ssl]#ll www.linux2022.com.*
-rw-r--r-- 1 root root 2279 Mar 30 10:24 www.linux2022.com.crt
-rw------- 1 root root 1708 Mar 30 10:12 www.linux2022.com.key
3.2 PC web site HTTPS configuration
[root@centos7 ssl]#cd ..
[root@centos7 conf.d]#pwd
/apps/nginx/conf/conf.d
[root@centos7 conf.d]#ls
mobile.conf pc.conf ssl
[root@centos7 conf.d]#vim pc.conf
server{
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/conf/conf.d/ssl/www.linux2022.com.crt;
ssl_certificate_key /apps/nginx/conf/conf.d/ssl/www.linux2022.com.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
server_name www.linux2022.com;
location / {
root /data/nginx/html/pc;
}
}
[root@centos7 conf.d]#nginx -t
[root@centos7 conf.d]#nginx -s reload
3.3 Verify HTTPS access to the PC web site
[root@ubuntu1804 ~]#curl https://www.linux2022.com -k
pc website
3.4 Generate a self-signed certificate for the Mobile site
[root@centos7 ssl]#pwd
/apps/nginx/conf/conf.d/ssl
[root@centos7 ssl]#vim certificate.sh
#!/bin/bash
CA_SUBJECT="/O=linux2022/CN=ca.linux2022.com"
SUBJECT="/C=CN/ST=guangdong/L=guangzhou/O=linux2022/CN=m.linux2022.com"
SERIAL=34
EXPIRE=3650
FILE=m.linux2022.com
# Self-signed CA certificate and key
openssl req -x509 -newkey rsa:2048 -subj "$CA_SUBJECT" -keyout ca.key -nodes -days 3650 -out ca.crt
# Server private key and certificate signing request
openssl req -newkey rsa:2048 -nodes -keyout ${FILE}.key -subj "$SUBJECT" -out ${FILE}.csr
# Sign the server certificate with the CA
openssl x509 -req -in ${FILE}.csr -CA ca.crt -CAkey ca.key -set_serial $SERIAL -days $EXPIRE -out ${FILE}.crt
chmod 600 ${FILE}.key ca.key
[root@centos7 ssl]#rm -f ca*
[root@centos7 ssl]#rm -f linux2022.com.c*
[root@centos7 ssl]#ls
certificate.sh www.linux2022.com.crt www.linux2022.com.key
[root@centos7 ssl]#bash -n certificate.sh
[root@centos7 ssl]#bash certificate.sh
[root@centos7 ssl]#ls
ca.crt certificate.sh m.linux2022.com.csr www.linux2022.com.crt
ca.key m.linux2022.com.crt m.linux2022.com.key www.linux2022.com.key
# Concatenate the certificate files (server certificate first)
[root@centos7 ssl]#cat m.linux2022.com.crt ca.crt > m.linux2022.com.pem
3.5 Mobile web site HTTPS configuration
[root@centos7 ssl]#cd ..
[root@centos7 conf.d]#pwd
/apps/nginx/conf/conf.d
[root@centos7 conf.d]#ls
mobile.conf pc.conf ssl
[root@centos7 conf.d]#vim mobile.conf
server{
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/conf/conf.d/ssl/m.linux2022.com.pem;
ssl_certificate_key /apps/nginx/conf/conf.d/ssl/m.linux2022.com.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
server_name m.linux2022.com;
location / {
root /data/nginx/html/mobile;
}
}
[root@centos7 conf.d]#nginx -t
[root@centos7 conf.d]#nginx -s reload
3.6 Verify HTTPS access to the Mobile web site
[root@ubuntu1804 ~]#curl https://m.linux2022.com -k
mobile website