一、安装
1.下载编译需要的资源（nginx 源码包应从 nginx.org 下载并核对其 PGP 签名或 SHA256；本地的 gd-devel rpm 先用 rpm -K 校验签名再安装）
[root@server1 ~]# yum install openssl-devel gd-devel-2.0.35-26.el7.x86_64.rpm -y
2.解压资源并进行编译
[root@server1 ~]# ls
nginx-1.15.8 nginx-1.15.8.tar.gz nginx-1.16.0.tar.gz
[root@server1 ~]# tar zxf nginx-1.16.0.tar.gz
[root@server1 ~]# cd nginx-1.16.0
[root@server1 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
3.安装并检查（留意 nginx -V 输出的 OpenSSL 版本：这里链接的是系统自带的 OpenSSL 1.0.1e，该分支早已停止维护且不支持 TLS 1.3；生产环境应先通过 yum 更新 openssl 再编译，或改用更新的 OpenSSL）
[root@server1 nginx-1.16.0 ]# make && make install
[root@server1 ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
二、配置访问日志，记录客户端对本地资源的访问（注意 $http_x_forwarded_for 直接取自请求头，客户端可以随意填写，分析日志时不要把它当作可信的来源地址）
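# Access-log format used on server1 ("main"). $remote_addr is the TCP peer
# address unless the realip module rewrites it (section 三).
# $http_x_forwarded_for is the X-Forwarded-For header exactly as received; it
# is attacker-controlled unless a trusted proxy set it, so treat that column as
# untrusted data when reading the logs.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

access_log logs/redhat.access.log main;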
[root@server1 nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 nginx]# sbin/nginx -s reload
在客户端访问
[root@foundation80 ~]# curl -I 172.25.80.1/search/vim.jpg
三、realip获取真实IP
server2 安装 nginx 作为反向代理（负载均衡）层；客户端只应访问 server2，后端 server1 的 80 端口最好用防火墙限制为只允许 server2 访问
[root@server2 ~]# ls
nginx-1.16.0.tar.gz
[root@server2 ~]# tar zxf nginx-1.16.0.tar.gz
[root@server2 ~]# ls
gd-devel-2.0.35-26.el7.x86_64.rpm nginx-1.16.0 nginx-1.16.0.tar.gz
[root@server2 ~]# yum install gd-devel-2.0.35-26.el7.x86_64.rpm gcc pcre-devel.x86_64 openssl-devel.x86_64 -y
[root@server2 nginx-1.16.0]# cd nginx-1.16.0
[root@server2 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
[root@server2 nginx-1.16.0]# make && make install
[root@server2 nginx-1.16.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@server2 nginx-1.16.0]# useradd nginx
1.修改作为 web 服务器（server1）的 nginx 配置文件：只信任来自代理 server2 的 X-Forwarded-For，其他来源带的该头部会被忽略
116 server {  # NOTE(review): the stock nginx.conf already declares a :80 server named localhost; if that block is still present, this one is shadowed (nginx warns "conflicting server name") and these directives never apply -- put them in the server that actually receives the proxied requests, or in the http block
117 listen 80;
118 server_name localhost;
119 set_real_ip_from 172.25.80.2;  # only connections from the server2 proxy may rewrite $remote_addr; never widen this to a range clients can reach
120 real_ip_header X-Forwarded-For;  # the header is client-writable, so it is honoured only for peers listed above
121 real_ip_recursive on;  # walk the header right-to-left skipping trusted hops; with one trusted proxy the last untrusted entry is the client
122 }
vim /usr/local/nginx/conf/nginx.conf
修改（server2 作为代理的配置）:
2 user nginx nginx;  # worker processes run as the unprivileged nginx user created above (the master stays root); make that account a system user with no login shell, e.g. useradd -r -s /sbin/nologin nginx
3 worker_processes 2;
17 http {
18 include mime.types;
19 default_type application/octet-stream;
20 upstream westos {  # backend pool behind the proxy
21 server 172.25.75.1:80;  # NOTE(review): everywhere else on this page server1 is 172.25.80.1 (curl target, /etc/hosts); confirm this address before relying on it
22 }
98 server {  # name-based virtual host for the proxy, selected by the Host header
99 listen 80;
100 server_name www.westos.org;
101
102 location / {
103 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends $remote_addr to whatever X-Forwarded-For the client already sent, so a client-supplied value is forwarded too; the backend must trust only the last hop (set_real_ip_from 172.25.80.2 + real_ip_recursive on), or use $remote_addr here to drop client-supplied values
104 proxy_pass http://westos;
105 }
106 }
测试（注意：下面返回的内容看起来是 /etc/passwd 的副本，说明后端发布目录里放了系统文件作为测试页；不要用真实的系统文件做测试内容，以免通过 web 泄露）
[root@foundation80 ~]# curl www.westos.org
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
查看 server1 的日志，$remote_addr 记录的是客户端 172.25.80.250 而非代理 172.25.80.2。注意后两条记录的 X-Forwarded-For 字段为 "-"，仅凭这些记录无法确定它们经过了代理；可靠的验证方法是临时注释掉 set_real_ip_from 并重载，经 server2 访问时日志应变为 172.25.80.2，恢复配置后再变回客户端地址。
[root@server1 nginx]# cat logs/redhat.access.log
172.25.80.250 - - [09/May/2019:20:20:09 +0800] "HEAD /search/vim.jpg HTTP/1.1" 200 0 "-" "curl/7.29.0" "-"
172.25.80.250 - - [09/May/2019:22:03:43 +0800] "GET / HTTP/1.1" 200 12288 "-" "curl/7.29.0" "-"
172.25.80.250 - - [09/May/2019:22:04:41 +0800] "GET / HTTP/1.1" 200 4096 "-" "curl/7.29.0" "-"
四、ssl加密配置
1.编辑配置文件
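server {
    listen 443 ssl;
    # NOTE(review): the client on this page resolves www.westos.com to server1
    # (see the /etc/hosts edit below), so this name only works because it is
    # the sole :443 server and therefore the default. Make server_name agree
    # with the name in the certificate and in /etc/hosts.
    server_name www.westos.org;

    # cert.pem holds BOTH the private key and the certificate (see the
    # `make cert.pem` step); keep it 0600 and owned by root.
    ssl_certificate cert.pem;
    ssl_certificate_key cert.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # nginx 1.16 defaults to "TLSv1 TLSv1.1 TLSv1.2"; TLSv1 and TLSv1.1 are
    # deprecated, so restrict explicitly. TLSv1.3 needs OpenSSL 1.1.1+, and
    # this build links OpenSSL 1.0.1e (see nginx -V), so it cannot be enabled.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /web;
        index index.html index.htm;
    }
}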
129 server {  # plain-HTTP counterpart of the TLS server above; serves the same /web tree unencrypted. Section 五 turns it into a redirect to https, which is the safer shape
130 listen 80;
131 server_name www.westos.org;
132
133 location / {
134 root /web;
135 index index.html;
136 }
137 }
2.编写默认发布页
[root@server1 nginx]# mkdir /web
[root@server1 nginx]# vim /web/index.html
[root@server1 nginx]# cat /web/index.html
www.westos.com
3.制作证书（这里用 make 生成的是自签名证书，CN=server1 与访问用的 www.westos.com 不一致，浏览器会报警告；生成的 cert.pem 同时包含私钥和证书，umask 77 使其权限为 0600，复制到 nginx 目录后用 ls -l 确认仍为 0600 且属主为 root）
[root@server1 nginx]# cd /etc/pki/tls/certs/
[root@server1 certs]# ls
ca-bundle.crt make-dummy-cert renew-dummy-cert
ca-bundle.trust.crt Makefile
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..........................+++
........+++
writing new private key to '/tmp/openssl.tq7GgB'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi`an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.org
[root@server1 certs]# ls
ca-bundle.crt cert.pem Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf/
[root@server1 certs]# cd /usr/local/nginx/conf/
[root@server1 conf]# ls
cert.pem koi-win scgi_params.default
fastcgi.conf mime.types uwsgi_params
fastcgi.conf.default mime.types.default uwsgi_params.default
fastcgi_params nginx.conf win-utf
fastcgi_params.default nginx.conf.default
koi-utf scgi_params
[root@server1 nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 nginx]# sbin/nginx -s reload
4.更改客户端本地解析
[root@foundation80 ~]# vim /etc/hosts
4 172.25.80.1 server1 www.westos.com
5 172.25.80.2 server2 www.westos.org
5.测试
在客户端浏览器输入:https://www.westos.com
ssl 加密完成（浏览器会因自签名证书且 CN 与域名不符而给出警告，需手动信任；这只说明 TLS 握手成功，不代表证书身份可信，生产环境应使用 CA 签发、SAN 中包含域名的证书）
五、Nginx重定向
1.临时重定向
修改配置文件
使访问www.westos.com时重定向到https://www.westos.com
123
124 location / {
125 root /web;
126 index index.html index.htm;
127 }
128 }
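server {
    listen 80;
    server_name www.westos.com;

    # Every request is answered with a redirect to the HTTPS site: a
    # server-level rewrite whose target starts with https:// stops processing
    # at once and returns 302 (no `permanent` flag). The original listing kept
    # a `location / { root /web; ... }` after this line; it was unreachable and
    # is dropped here. The target is a fixed hostname rather than $host, so a
    # client-supplied Host header cannot steer the redirect.
    rewrite ^/(.*)$ https://www.westos.com/$1;
}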
在客户端测试（响应头 Server: nginx/1.16.0 暴露了具体版本，生产环境建议在 http 段加 server_tokens off;）
[root@foundation80 ~]# curl -I www.westos.com
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.16.0
Date: Thu, 09 May 2019 14:51:57 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://www.westos.com/
[root@foundation80 ~]# curl -I www.westos.com/index.html
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.16.0
Date: Thu, 09 May 2019 14:52:13 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://www.westos.com/index.html
2.永久重定向
我们首先添加一个虚拟主机，这样可以在一台服务器的同一个 IP 上部署两个 web 服务（按请求的 Host 头区分）。
129 server {  # HTTP entry for www.westos.com: redirect-only, nothing is served in clear
130 listen 80;
131 server_name www.westos.com;
132
133 rewrite ^/(.*)$ https://www.westos.com/$1;  # server-level rewrite to an https:// target returns 302 for every request; the fixed hostname keeps a client-supplied Host header from steering the redirect
134
135 }
136
137 server {  # second name-based virtual host on the same IP, chosen by the Host header
138 listen 80;
139 server_name bbs.westos.com;
140
141 location / {
142 root /bbs;  # separate document root from /web; keep only publishable files here
143 index index.html;
144 }
145 }
[root@server1 nginx]# mkdir /bbs
[root@server1 nginx]# vim /bbs/index.html
[root@server1 nginx]# cat /bbs/index.html
bbs.westos.com
[root@server1 nginx]# sbin/nginx -s reload
在客户端添加本地解析:
[root@foundation80 ~]# vim /etc/hosts
4 172.25.80.1 server1 www.westos.com bbs.westos.com
测试
[root@foundation80 ~]# curl bbs.westos.com
bbs.westos.com
[root@foundation80 ~]# curl -I bbs.westos.com
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 09 May 2019 15:13:50 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 09 May 2019 15:11:24 GMT
Connection: keep-alive
ETag: "5cd4431c-f"
Accept-Ranges: bytes
将 www.westos.com/bbs（正则 ^/bbs$ 只精确匹配 /bbs，不含 /bbs/ 或其下子路径）永久重定向到 bbs.westos.com
[root@server1 nginx]# vim conf/nginx.conf
129 server {
130 listen 80;
131 server_name www.westos.com;
132
133 # rewrite ^/(.*)$ https://www.westos.com/$1;  # previous 302-to-https rule, disabled for this test; with it off, other paths on this vhost are served over plain HTTP (no root is set, so nginx's default applies) instead of being redirected
134 rewrite ^/bbs$ http://bbs.westos.com permanent;  # 301; matches only the exact URI /bbs (any query string is appended to the target). Browsers cache 301s, so revert with care
135 }
[root@server1 nginx]# sbin/nginx -s reload
在客户端测试（注意浏览器会缓存 301 永久重定向，规则改回去后需清除缓存；用 curl 测试不受影响）:
[root@foundation80 ~]# curl -I www.westos.com/bbs
HTTP/1.1 301 Moved Permanently ##表示永久重定向
Server: nginx/1.16.0
Date: Thu, 09 May 2019 15:18:34 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://bbs.westos.com