Nginx安装&升级&打补丁
主机环境
1:Centos7.9(最小化安装)
2:Nginx1.18.0,下载链接:http://nginx.org/download/nginx-1.18.0.tar.gz (该链接为明文HTTP,下载后建议使用官方提供的PGP签名(.asc文件)校验安装包的完整性和来源)
Nginx安装
# 上传安装包
# 安装依赖包
[root@nginx ~]# yum -y install gcc make zlib-devel pcre pcre-devel openssl-devel
# 创建nginx用户
[root@nginx ~]# useradd nginx -r -M -s /sbin/nologin
# 创建相关目录
[root@nginx ~]# mkdir -p /app
[root@nginx ~]# tar -zxvf nginx-1.18.0.tar.gz -C /app/
# 编译(这里以带模块编译为例)
[root@nginx ~]# cd /app/nginx-1.18.0
[root@nginx ~]# ./configure --user=nginx --group=nginx --prefix=/app/nginx --with-http_ssl_module
[root@nginx nginx-1.18.0]# make && make install
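# 注意:将整个安装目录(含sbin/nginx和conf)的属主改为nginx后,worker进程所用的低权限账号也能修改由root启动的二进制文件和配置;更稳妥的做法是二进制和配置保持root属主,仅将需要写入的目录授权给nginx用户
[root@nginx app]# chown -R nginx:nginx /app/nginx*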
# 创建软链接
ln -s /app/nginx/sbin/nginx /usr/bin/nginx
Nginx配置
这里配置文件仅做参考,具体根据实际情况来
cat /app/nginx/conf/nginx.conf
user nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
# 启动nginx
nginx
# 开机自启nginx
echo nginx >> /etc/rc.local
chmod a+x /etc/rc.local
Nginx常用命令
# 查看进程
ps -aux | grep nginx
# 检查配置文件
nginx -t
# 指定启动配置文件
nginx -c /app/nginx/conf/nginx.conf
# 暴力停止服务
nginx -s stop
# 优雅停止服务
nginx -s quit
# 重新加载配置文件
nginx -s reload
# 重新打开日志文件(需先将旧日志文件改名或移走,再执行该命令才会生成新文件;可通过cron定期执行,防止日志过大)
nginx -s reopen
Nginx热升级
# 下载nginx1.20包并上传
# 解压升级包
tar -zxvf nginx-1.20.1.tar.gz -C /app
# 进入解压后的/app/nginx-1.20.1目录编译1.20 nginx(make install会自动将之前的nginx二进制文件改名为nginx.old)
./configure --user=nginx --group=nginx --prefix=/app/nginx --with-http_ssl_module
make && make install
# 查看二进制文件
[root@nginx sbin]# ls /app/nginx/sbin/
nginx nginx.old
# 查看1.18 nginx进程
[root@nginx sbin]# ps -aux|grep nginx
root 9470 0.0 0.0 45976 1128 ? Ss 09:30 0:00 nginx: master process nginx
nginx 9471 0.0 0.1 46420 1884 ? S 09:30 0:00 nginx: worker process
root 9509 0.0 0.0 112812 976 pts/0 R+ 09:32 0:00 grep --color=auto nginx
# USR2:让旧master用新的二进制文件启动新的master、worker进程;WINCH:让旧master优雅关闭其worker进程(旧worker不再接受新请求)
kill -USR2 9470
kill -WINCH 9470
# 查看进程(可以发现,nginx1.18的master进程还是存在,但是不再处理用户请求了)
[root@nginx sbin]# ps -aux | grep nginx
root 9470 0.0 0.0 45976 1296 ? Ss 09:30 0:00 nginx: master process nginx
root 9511 0.0 0.1 45996 3128 ? S 09:35 0:00 nginx: master process nginx
nginx 9512 0.0 0.1 46452 1876 ? S 09:35 0:00 nginx: worker process
root 9514 0.0 0.0 112812 976 pts/0 S+ 09:35 0:00 grep --color=auto nginx
[root@nginx sbin]# nginx -v
nginx version: nginx/1.20.1
Nginx热回退
# 回退二进制文件
cp nginx.old nginx
kill -HUP 9470
kill -WINCH 9511
# 查看nginx进程(如果不需要nginx新版了,可以将新版的master进程(上例中为9511)手动kill,建议使用QUIT信号让其优雅退出)
[root@nginx sbin]# ps -aux | grep nginx
root 9470 0.0 0.0 45976 1296 ? Ss 09:30 0:00 nginx: master process nginx
root 9511 0.0 0.1 45996 3128 ? S 09:35 0:00 nginx: master process nginx
nginx 9530 0.0 0.1 46420 1880 ? S 09:38 0:00 nginx: worker process
root 9532 0.0 0.0 112812 972 pts/0 R+ 09:38 0:00 grep --color=auto nginx
[root@nginx sbin]# nginx -v
nginx version: nginx/1.18.0
Nginx打补丁
这里以升级openssl为例
# 查看本机openssl版本
[root@nginx sbin]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
# 下载openssl升级包:https://www.openssl.org/source/openssl-1.1.1k.tar.gz (下载后建议对照官方发布的SHA256校验值或PGP签名进行校验)
# 解压包(这里也可以不用替换系统的,仅仅编译到其他地方即可)
[root@nginx ~]# tar -zxvf openssl-1.1.1k.tar.gz -C /app/
[root@nginx ~]# cd /app/openssl-1.1.1k/
[root@nginx openssl-1.1.1k]# ./config --prefix=/usr/local/openssl
[root@nginx openssl-1.1.1k]# make && make install
[root@nginx openssl-1.1.1k]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@nginx openssl-1.1.1k]# ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@nginx openssl-1.1.1k]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
[root@nginx openssl-1.1.1k]# ldconfig -v # 设置生效
# 查看openssl版本
[root@nginx openssl-1.1.1k]# openssl version
OpenSSL 1.1.1k 25 Mar 2021
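# 重新编译nginx1.18(注意:--with-openssl参数应指向OpenSSL源码目录,如上面解压得到的/app/openssl-1.1.1k,而不是安装目录;编译完成后可用nginx -V确认所使用的OpenSSL版本)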
cd /app/nginx-1.18.0
./configure --user=nginx --group=nginx --prefix=/app/nginx --with-http_ssl_module --with-openssl=/usr/local/openssl
make && make install