1.单机实验获取真实访问物理主机的ip
(1)nginx主机修改配置文件(虚拟主机做测试):
[root@server1 conf]# vim nginx.conf
[root@server1 conf]# ../sbin/nginx -t #还需要重新编译,添加模块
nginx: [emerg] unknown directive "set_real_ip_from" in /usr/local/nginx/conf/nginx.conf:128
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
(2)重新编译,添加http_realip_module模块,并重启
[root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module
[root@server1 nginx-1.17.1]# make
[root@server1 nginx-1.17.1]# cd objs #make后会在objs目录下生成包含该模块的nginx二进制文件
[root@server1 objs] # cp -f nginx /usr/local/nginx/sbin/nginx
[root@server1 objs] # systemctl restart nginx
(3)测试:能够获取到真实物理ip
[root@server1 conf]# vim /etc/hosts
[root@server1 conf]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.33.250 foundation72.ilt.example.com
172.25.33.1 server1 server1.example.com
172.25.33.2 server2
172.25.33.3 server3
172.25.33.4 server4
172.25.33.5 server5
172.25.33.6 server6
172.25.33.7 server7
172.25.33.8 server8
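[root@server1 conf]# curl -H "X-Forwarded-For: 2.2.2.2,172.25.33.1" server1.example.com
Client real ip: 172.25.33.1
注意:请求头名称应为 X-Forwarded-For(使用连字符),nginx 默认会忽略名称中带下划线的请求头。该请求头由客户端自行填写,可以伪造,因此 set_real_ip_from 只应填写受信任的代理地址,不要把信任范围放宽到任意来源。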
2.利用另外一台nginx主机做反向代理获取真实访问物理主机的ip
(1)所需环境:
两台虚拟机:反向代理nginx主机:172.25.33.2
真实Nginx主机:172.25.33.1
(2)反向代理主机所作操作:
[root@server1 conf]# scp -r /usr/local/nginx server2:/usr/local #将安装目录传到server2主机上
[root@server2 ~]# cd /usr/local/nginx
[root@server2 nginx]# ls
client_body_temp fastcgi_temp logs sbin uwsgi_temp
conf html proxy_temp scgi_temp
[root@server2 nginx]# cd conf
[root@server2 conf]# vim nginx.conf
[root@server2 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server2 conf]# cd ..
[root@server2 nginx]# cd html
[root@server2 html]# vim index.html
[root@server2 html]# cat index.html
server2
(3)真实Nginx主机所作操作:
(4)测试:(在真机测试)
vim /etc/hosts ##先添加域名解析
172.25.33.2 www.westos.org
curl -I www.westos.org ##访问域名,查看server1的access日志
tail -f /usr/local/nginx/logs/access.log ##查看server1的日志可以看到获取到了真机的ip地址
2.Nginx图像的压缩:
(1)server1中先下载图像压缩所需要的模块
[root@server1 ~]# cd nginx-1.17.1/
[root@server1 nginx-1.17.1]# ls
auto CHANGES.ru configure html Makefile objs src
CHANGES conf contrib LICENSE man README
[root@server1 nginx-1.17.1]# ./configure --help | grep image
--with-http_image_filter_module enable ngx_http_image_filter_module
--with-http_image_filter_module=dynamic
enable dynamic ngx_http_image_filter_module
[root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-stream_realip_module --with-http_image_filter_module=dynamic
#编译失败,提示需要gd library,安装gd-devel后重新编译
[root@server1 ~]# yum install gd-devel-2.0.35-26.el7.x86_64.rpm
[root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-stream_realip_module --with-http_image_filter_module=dynamic
[root@server1 nginx-1.17.1]# make
(2)server1中修改配置文件
[root@server1 nginx-1.17.1]# cd objs
[root@server1 objs]# cp -f nginx /usr/local/nginx/sbin/nginx
cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
[root@server1 objs]# mkdir /usr/local/nginx/modules
[root@server1 objs]# cp ngx_http_image_filter_module.so /usr/local/nginx/modules
[root@server1 objs]# vim /usr/local/nginx/conf/nginx.conf
3.Nginx下的https访问
为了提高web应用的安全性,现在基本上都需要支持https访问,配置Https访问如下:
重新编译安装nginx
[root@server1 ~]# cd /nginx-1.17.1
[root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
[root@server1 nginx-1.17.1]# make
更新主程序,并重启
[root@server1 objs]# cp -f nginx /usr/local/nginx/sbin/nginx
cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
[root@server1 objs]# cp ngx_http_image_filter_module.so /usr/local/nginx/modules
cp: overwrite ‘/usr/local/nginx/modules/ngx_http_image_filter_module.so’? y
[root@server1 objs]# systemctl restart nginx
[root@server1 objs]#
修改配置文件
生成证书密钥(make cert.pem 生成的是自签名证书;由于使用了 -nodes,未加密的私钥会和证书一起写入 cert.pem,该文件应保持仅 root 可读,不要对外分发)
[root@server1 conf]# cd /etc/pki/tls/certs
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
...............................+++
.....................................................+++
writing new private key to '/tmp/openssl.sHxhnC'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.org
/web资源下写入发布内容
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf
[root@server1 certs]# cd /usr/local/nginx/conf
[root@server1 conf]# vim nginx.conf^C
[root@server1 conf]# mkdir /web
[root@server1 conf]# vim /web/index.html
[root@server1 conf]# systemctl reload nginx
测试:真机写解析, 172.25.33.1 www.westos.org
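浏览器访问:https://www.westos.org,访问成功(证书为自签名,且证书中填写的主机名是 server1,与 www.westos.org 不一致,浏览器会给出证书警告,需要手动确认后才能访问;这种证书只适合实验环境,正式环境应使用受信任 CA 签发、主机名匹配的证书)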