CentOS 7.9安装zabbix5.0.39LTS版本

环境说明

这里使用为 CentOS 7.9版本进行测试验证，zabbix Server 采用源码包部署，数据库采用 MySQL5.7.42版本，zabbix-web使用 ，nginx+php来实现。
具体信息如下：

软件名	版本
zabbix-server	5.0.39LTS
zabbix-agent	5.0.39LTS
mysql	5.7.42
nginx	1.22.1
php	7.4.33

说明：

1，LTS版相对稳定，多用于生产正式环境。
2，mysql5.7.42，为目前5.7版本稳定版，未出现5.7版本漏洞。
3，nginx1.22.1，为目前稳定版，未出现漏洞。
4，php-7.4.33，为目前稳定版，未出现漏洞。

一，安装nginx

说明：本nginx配置可以用于 四层，七层代理，也可以用于nginx监控！

1.1，创建nginx用户和用户组：

useradd -M -s /sbin/nologin nginx

1.2，配置好系统yum源，安装如下依赖包：

yum install -y wget unzip gcc gcc-c++ autoconf automake make pcre-devel openssl openssl-devel GeoIP-devel patch

1.3，下载上传 nginx安装包和各个依赖模块包至服务器，解压文件包如下：

tar xf nginx-1.22.1.tar.gz
unzip nginx-module-vts.zip
unzip echo-nginx-module-master.zip
unzip nginx_upstream_check_module-master.zip
unzip ngx_http_proxy_connect_module-master.zip

准备好安装目录

mkdir -p /usr/local/third-module
mkdir -p /usr/local/nginx1.22.1
mv echo-nginx-module-master  nginx_upstream_check_module-master ngx_http_proxy_connect_module-master nginx-module-vts-master /usr/local/third-module

1.4，隐藏nginx信息

cd /usr/local/nginx-1.22.1

vim /usr/local/nginx-1.22.1/src/http/ngx_http_header_filter_module.c 

static u_char ngx_http_server_string[] = "Server: linux" CRLF; ##将NGINX改为Linux
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF; 
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;

1.5，安装编译nginx命令如下：

patch -p1  < ../third-module/ngx_http_proxy_connect_module-master/patch/proxy_connect_rewrite_102101.patch
patch -p1  < ../third-module/nginx_upstream_check_module-master/check_1.20.1+.patch

./configure --prefix=/usr/local/nginx1.22.1 \
 --with-http_ssl_module \
 --with-http_realip_module \
 --with-http_addition_module \
 --with-http_sub_module \
 --with-http_dav_module \
 --with-http_flv_module \
 --with-http_mp4_module \
 --with-http_gunzip_module \
 --with-http_gzip_static_module \
 --with-http_random_index_module \
 --with-http_secure_link_module \
 --with-http_stub_status_module \
 --with-http_auth_request_module \
 --with-http_geoip_module \
 --with-http_geoip_module=dynamic \
 --with-threads \
 --with-file-aio \
 --with-pcre \
 --with-select_module \
 --with-stream \
 --with-stream=dynamic \
 --with-stream_ssl_module \
 --with-stream_realip_module \
 --with-stream_geoip_module \
 --with-stream_geoip_module=dynamic \
 --with-stream_ssl_preread_module \
 --add-dynamic-module=../third-module/echo-nginx-module-master \
 --add-dynamic-module=../third-module/nginx-module-vts-master \
 --add-dynamic-module=../third-module/ngx_http_proxy_connect_module-master \
 --add-dynamic-module=../third-module/nginx_upstream_check_module-master
 
make && make install 

1.6，编辑配置文件

cd /usr/local/nginx1.22.1/conf
vi nginx.conf
load_module modules/模块.so; #写在全局段

load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_vhost_traffic_status_module.so;
load_module modules/ngx_http_proxy_connect_module.so;
load_module modules/ngx_stream_module.so;

cat>nginx.conf<<\EOF
user  nginx;
worker_processes  auto;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
error_log  logs/error.log  info;

#pid        logs/nginx.pid;

load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_vhost_traffic_status_module.so;
load_module modules/ngx_http_proxy_connect_module.so;
load_module modules/ngx_stream_module.so;

worker_rlimit_nofile 819200;

events {
   
    worker_connections  65535;
    use epoll;

}

# 是否以守护进程方式启动nginx进程
daemon on;

# nginx 四层调度
stream {
   
    log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

# include conf.d/zabbix5.conf;
}

http {
   
    include       /usr/local/nginx1.22.1/conf/soc.conf;
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

#日志格式json

log_format log_json '{
    "@timestamp": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"up_resp_time": "$upstream_response_time",'
'"request_time": $request_time s ,'
'"http_x_request_id": "$http_x_request_id"'
'
}';

#日志按天生成

    map $time_iso8601 $logdate {
   
    default 'date-not-found';
    '~^(?<ymd>\d{4}-\d{2}-\d{2})' $ymd;
    }

#监控
    vhost_traffic_status_zone;
    vhost_traffic_status_filter_by_host on;
    vhost_traffic_status_filter_by_set_key $uri uris::$server_name;

#哈希表
    variables_hash_max_size 53284;
    add_header RealServerIP $upstream_addr;
    add_header RealServerCode $upstream_status;

    # 连接超时及异常
    proxy_ignore_client_abort on;
    proxy_read_timeout 75;
    proxy_connect_timeout 120;
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    #keepalive_timeout  65;

    gzip  on;

    # 开启服务器读取文件的缓存
    open_file_cache max=200 inactive=2h;
    open_file_cache_valid 3h;
    open_file_cache_errors off;

    # 定义服务端连续两次发送响应报文给客户端的中间时差即超时时长，如果客户端在此时间内没有接收，连接就关闭
    #send_timeout 60s;

    # 定义接收客户端每个请求报文的body部分的缓冲区大小
    client_max_body_size 30m;
    client_body_buffer_size 64k;

    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;

    client_header_buffer_size 64k;
    large_client_header_buffers 4 128k;

    include conf.d/zabbix5.conf;
    #include conf.d/status.conf;
    
}
EOF

1.7，设置安全基线

cat >/usr/local/nginx1.22.1/conf/soc.conf<< 
# Nginx安全配置基线

##  一