环境说明
本文使用 CentOS 7.9 进行测试验证:zabbix Server 采用源码包部署,数据库采用 MySQL 5.7.42,zabbix-web 使用 nginx+php 实现。
具体信息如下:
软件名 | 版本 |
---|---|
zabbix-server | 5.0.39LTS |
zabbix-agent | 5.0.39LTS |
mysql | 5.7.42 |
nginx | 1.22.1 |
php | 7.4.33 |
说明:
1,LTS版相对稳定,多用于生产正式环境。
2,MySQL 5.7.42 为目前 5.7 系列的稳定版,尚未发现针对该版本的公开漏洞。
3,nginx 1.22.1 为目前稳定版,尚未发现针对该版本的公开漏洞。
4,php 7.4.33 为目前稳定版,尚未发现针对该版本的公开漏洞。
一,安装nginx
说明:本 nginx 配置既可用于四层、七层代理,也可用于 nginx 监控。
1.1,创建nginx用户和用户组:
# Service account for the nginx worker processes: no home directory, no login shell.
useradd --no-create-home --shell /sbin/nologin nginx
1.2,配置好系统yum源,安装如下依赖包:
# Build toolchain plus the development headers nginx's ./configure needs
# (pcre, openssl, GeoIP) and the tools used to unpack and patch the sources.
yum -y install \
    wget unzip patch \
    gcc gcc-c++ make autoconf automake \
    pcre-devel openssl openssl-devel GeoIP-devel
1.3,下载 nginx 安装包和各个第三方模块包并上传至服务器,解压如下:
# Unpack the nginx source tarball and the four third-party module archives.
tar xf nginx-1.22.1.tar.gz
for archive in nginx-module-vts echo-nginx-module-master nginx_upstream_check_module-master ngx_http_proxy_connect_module-master; do
    unzip "${archive}.zip"
done
准备好安装目录
# Install prefix for this nginx build, and a shared home for the third-party module sources.
mkdir -p /usr/local/third-module /usr/local/nginx1.22.1
# Move the unpacked module directories into that shared location.
mv nginx-module-vts-master echo-nginx-module-master ngx_http_proxy_connect_module-master nginx_upstream_check_module-master /usr/local/third-module
1.4,隐藏 nginx 的 Server 响应头信息
# Work inside the unpacked nginx source tree (extracted in 1.3).
cd /usr/local/nginx-1.22.1
# Edit the header filter module so the Server response header no longer names nginx.
vim /usr/local/nginx-1.22.1/src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: linux" CRLF; ## change "nginx" to "linux"
# NOTE: only ngx_http_server_string is changed above. nginx sends that string only
# when `server_tokens off;` is set; with the default `server_tokens on` it sends
# ngx_http_server_full_string (and with `server_tokens build`, the build string),
# both of which still carry NGINX_VER. Either set `server_tokens off;` in the http
# block (the nginx.conf written in 1.6 does not, so it must come from soc.conf)
# or also edit the two strings below.
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
1.5,编译安装 nginx,命令如下:
# Apply the source patches the two third-party modules require before ./configure.
# cwd is the nginx source tree, so ../third-module resolves to /usr/local/third-module.
patch -p1 < ../third-module/ngx_http_proxy_connect_module-master/patch/proxy_connect_rewrite_102101.patch
patch -p1 < ../third-module/nginx_upstream_check_module-master/check_1.20.1+.patch
# Configure with the listed core and stream modules, building the four third-party
# modules as dynamic .so files (loaded with load_module in nginx.conf).
# Where an option appears twice (--with-http_geoip_module, --with-stream,
# --with-stream_geoip_module), the later "=dynamic" form overrides the static one
# given just before it, so those modules are built as dynamic modules; the static
# form is redundant. No comment lines may be placed inside the backslash-continued
# command below, as they would terminate it.
./configure --prefix=/usr/local/nginx1.22.1 \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-http_geoip_module \
--with-http_geoip_module=dynamic \
--with-threads \
--with-file-aio \
--with-pcre \
--with-select_module \
--with-stream \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--add-dynamic-module=../third-module/echo-nginx-module-master \
--add-dynamic-module=../third-module/nginx-module-vts-master \
--add-dynamic-module=../third-module/ngx_http_proxy_connect_module-master \
--add-dynamic-module=../third-module/nginx_upstream_check_module-master
# Build and install into --prefix=/usr/local/nginx1.22.1 (dynamic modules land in its modules/ directory).
make && make install
1.6,编辑配置文件
# Edit the configuration under the install prefix chosen in 1.5.
cd /usr/local/nginx1.22.1/conf
vi nginx.conf
# load_module directives belong in the main (top-level) context of nginx.conf, before
# the blocks that use the modules. "模块.so" below is a placeholder for a module file name;
# the five real entries follow.
load_module modules/模块.so; # put these in the main (top-level) context
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_vhost_traffic_status_module.so;
load_module modules/ngx_http_proxy_connect_module.so;
load_module modules/ngx_stream_module.so;
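# Write the full nginx.conf. The quoted delimiter (\EOF) stops the shell from
# expanding the $variables that belong to nginx's log formats and maps.
cat>nginx.conf<<\EOF
user nginx;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
error_log logs/error.log info;
#pid logs/nginx.pid;
# Dynamic modules produced by --with-*=dynamic / --add-dynamic-module in the build;
# they must be loaded here in the main context, before the blocks that use them.
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_vhost_traffic_status_module.so;
load_module modules/ngx_http_proxy_connect_module.so;
load_module modules/ngx_stream_module.so;
worker_rlimit_nofile 819200;
events {
worker_connections 65535;
use epoll;
}
# 是否以守护进程方式启动nginx进程
daemon on;
# nginx 四层调度
stream {
log_format proxy '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
# include conf.d/zabbix5.conf;
}
http {
include /usr/local/nginx1.22.1/conf/soc.conf;
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
#日志格式json
# escape=json makes nginx JSON-escape quotes, backslashes and control characters in
# variable values such as $request and $http_user_agent, so a crafted request line or
# header cannot break the JSON document or inject fake log records. Each record is
# kept on a single line, and request_time is emitted as a bare number (the former
# trailing " s" made the value invalid JSON).
log_format log_json escape=json '{'
'"@timestamp": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"up_resp_time": "$upstream_response_time",'
'"request_time": $request_time,'
'"http_x_request_id": "$http_x_request_id"'
'}';
#日志按天生成
map $time_iso8601 $logdate {
default 'date-not-found';
'~^(?<ymd>\d{4}-\d{2}-\d{2})' $ymd;
}
#监控
vhost_traffic_status_zone;
vhost_traffic_status_filter_by_host on;
# Keying the VTS filter on $uri creates one node per distinct URI, so a stream of
# unique URIs can fill the fixed-size shared zone. Bound it with
# vhost_traffic_status_filter_max_node, or key on a lower-cardinality value, when
# this listener is reachable by untrusted clients.
vhost_traffic_status_filter_by_set_key $uri uris::$server_name;
#哈希表
variables_hash_max_size 53284;
# These two headers disclose the backend's address:port and upstream status to
# every client. Keep them only for internal debugging; remove them, or scope them to
# a location restricted to trusted addresses, on an Internet-facing deployment.
add_header RealServerIP $upstream_addr;
add_header RealServerCode $upstream_status;
# 连接超时及异常
proxy_ignore_client_abort on;
proxy_read_timeout 75;
proxy_connect_timeout 120;
proxy_http_version 1.1;
proxy_set_header Connection "";
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
#keepalive_timeout 65;
gzip on;
# 开启服务器读取文件的缓存
open_file_cache max=200 inactive=2h;
open_file_cache_valid 3h;
open_file_cache_errors off;
# 定义服务端连续两次发送响应报文给客户端的中间时差即超时时长,如果客户端在此时间内没有接收,连接就关闭
#send_timeout 60s;
# 定义接收客户端每个请求报文的body部分的缓冲区大小
client_max_body_size 30m;
client_body_buffer_size 64k;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
client_header_buffer_size 64k;
large_client_header_buffers 4 128k;
include conf.d/zabbix5.conf;
#include conf.d/status.conf;
}
EOF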
1.7,设置安全基线
cat >/usr/local/nginx1.22.1/conf/soc.conf<<
# Nginx安全配置基线
## 一