环境准备
- CentOS Linux release 7.X
- nginx-1.20.1.tar.gz
安装过程
安装nginx的方式有很多种,官方推荐我们用yum的方式来安装。
http://nginx.org/en/linux_packages.html#RHEL-CentOS
而我们这一次将以源码包的方式进行安装。
1、下载源码包
cd /usr/local/src/
wget http://nginx.org/download/nginx-1.20.1.tar.gz
这个时候,我们在/usr/local/src/的目录下就有了nginx-1.20.1.tar.gz。
2、解压文件夹,编译安装。
tar -zxvf nginx-1.20.1.tar.gz
cd nginx-1.20.1
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
到了这个时候,nginx的安装基本完成。接下来,检查一下nginx是否安装成功。
cd /usr/local/nginx
./sbin/nginx -V
3、配置nginx.conf。接下来,我们需要做四步操作。
一、先手动创建一个叫nginx,并且不允许登陆的用户帐号。(这个在Linux里是规定好了,nginx服务被入侵的时候,由于nginx用户是低权限的不可登陆用户,基本上不会有任何安全问题)
useradd nginx -s /sbin/nologin
二、使用openssl生成证书.
mkdir /usr/local/ssl
cd /usr/local/ssl/
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
三、创建nginx的运行日志和错误日志目录。
mkdir /var/log/nginx
四、nginx.conf内容替换以下下面全部内容。
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
# Load modules
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 128M;
# MIME
include mime.types;
default_type application/octet-stream;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# Load configs
include /etc/nginx/conf.d/*.conf;
# example.com
server {
listen 8443 ssl;
listen [::]:80;
server_name example.com;
ssl_certificate /usr/local/ssl/nginx.crt;
ssl_certificate_key /usr/local/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
# reverse proxy
location / {
proxy_pass http://127.0.0.1:8000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# favicon.ico
location = /favicon.ico {
log_not_found off;
access_log off;
}
# robots.txt
location = /robots.txt {
log_not_found off;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}
}
其中,
server {
listen 8443 ssl; # ipv4的监听端口
listen [::]:80; # ipv6的监听端口
server_name example.com; # 域名
# SSL的加密配置
ssl_certificate /usr/local/ssl/nginx.crt;
ssl_certificate_key /usr/local/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
}
#下面的"/"代表路由URL路径,表示URL地址:http://127.0.0.1:8000/XXX,都可以进行代理监听。
location / {
proxy_pass http://127.0.0.1:8000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
}
这个时候,我们检查一下nginx.conf的配置文件是否正确。
cd /usr/local/nginx
./sbin/nginx -t
运行nginx
启动nginx
cd /usr/local/nginx
./sbin/nginx
关闭nginx
./sbin/nginx -s stop
重启nginx
./sbin/nginx -s reload (必须在启动的状态才能重启哦)
注意事项
不同的设备在安装的过程中可能会遇到缺失一些安装依赖。
例如:可能会缺乏openssl等依赖。如有疑问,请添加QQ:3045707312。
yum -y install openssl openssl-devel
最后感言
勉励自己,告诉自己,并不是因为看到希望才坚持,而是坚持了才有机会看到希望。