前言
在Centos7默认仓库没有nginx下载源,大家可通过nginx官网下载源码包自行编译或者下载nginx官方yum仓库进行安装。这里要示范的是通过 yum源 进行安装 nginx1.14.2。
官方安装指南:http://nginx.org/en/linux_packages.html
安装nginx
安装 yum-utils
yum install yum-utils
配置nginx的repo源
新建nginx的repo源
touch /etc/yum.repos.d/nginx.repo
往 nginx.repo 文件里输入
vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
安装nginx
yum -y install nginx
启动nginx服务器
启动nginx服务
systemctl start nginx
检查其运行状态
systemctl status nginx
输出:
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2019-03-16 21:08:16 CST; 15s ago
Docs: http://nginx.org/en/docs/
Process: 2606 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Main PID: 2607 (nginx)
CGroup: /system.slice/nginx.service
├─2607 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─2608 nginx: worker process
3月 16 21:08:16 bogon systemd[1]: Starting nginx - high performance web server...
3月 16 21:08:16 bogon systemd[1]: PID file /var/run/nginx.pid not readable (yet?) after start.
3月 16 21:08:16 bogon systemd[1]: Started nginx - high performance web server.
开机启动nginx服务
systemctl enable nginx
如果您正在运行防火墙(firewalld),则还需要打开HTTP和HTTPS端口80和443:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
验证安装
要验证安装,在您所选择的浏览器中打开您的服务器IP地址,您将看到默认的nginx欢迎页面,如下所示:
使用systemctl管理nginx服务
我们可以像任何其他系统单元一样管理nginx服务。
要停止nginx服务,请运行:
systemctl stop nginx
要再次启动,请键入:
systemctl start nginx
重新启动nginx服务:
systemctl restart nginx
在进行一些配置更改后重新加载nginx服务:
systemctl reload nginx
如果您想禁用nginx服务以在启动时启动:
systemctl disable nginx
并重新启用它:
systemctl enable nginx
配置nginx
nginx配置文件路径位于:/etc/nginx
nginx.conf
nginx配置文件位于:/etc/nginx/nginx.conf
虚拟主机
关于虚拟主机项目配置文件,位于/etc/nginx/conf.d目录,建议一个域名一个配置文件
虚拟主机配置文件规范:[域名].conf
虚拟主机配置文件范例:
server {
listen 80;
server_name [域名];
set $root [项目目录];
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location ~ \.php {
root /;
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^((?U).+.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $root$fastcgi_script_name;
include fastcgi_params;
}
location / {
root $root;
index index.html index.php;
if ( -f $request_filename) {
break;
}
if ( !-e $request_filename) {
rewrite ^(.*)$ /index.php/$1 last;
break;
}
}
location ~ /\.ht {
deny all;
}
}
安全配置
隐藏HTTP请求头web服务器信息
没作任何设置前,查看web服务器请求文件头:
Connection:Keep-Alive
Date:Sat, 16 Mar 2019 14:18:04 GMT
ETag:"18-583bffda946f5"
Keep-Alive:timeout=5, max=100
Server:nginx/1.14.2
几乎把web服务器详细信息都暴露出来了,如果哪个版本的nginx和php爆出严重漏洞,会给攻击者提供最有攻击价值的安全信息,这是非常危险的。
在nginx的 nginx.conf 配置文件的 http 区段插入 server_tokens off; 重新载入配置文件:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
# 隐藏版本号
server_tokens off;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
编辑php-fpm配置文件,打开 /etc/nginx/fastcgi_params 文件
找到:
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
改为:
fastcgi_param SERVER_SOFTWARE nginx;
然后重启nginx服务:
systemctl restart nginx
再次发出请求:
Connection:keep-alive
Content-Length:564
Content-Type:text/html
Date:Sat, 16 Mar 2019 14:23:24 GMT
Server:nginx
可以看到nginx版本号于已经没有了。
2002
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
