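Nginx source installation
Author: 闫涛
E-mail: coderyantao@qq.com
Note: the lab environment is a virtual machine with SELinux and firewalld both disabled. This install is aimed at beginners: problems are not all solved in advance, and the walkthrough shows each problem as it appears together with its fix.
I. Preparation
Install the gcc and gcc-c++ build tools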
[root@localhost ~]# yum install gcc gcc-c++
Download the Nginx, PHP and MySQL source packages
[root@localhost ~]# wget -c https://nginx.org/download/nginx-1.16.1.tar.gz
[root@localhost ~]# wget -c https://www.php.net/distributions/php-7.2.29.tar.gz
[root@localhost ~]# wget -c https://downloads.mysql.com/archives/get/p/23/file/mysql-5.6.46.tar.gz
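After each of the three commands ./configure, make and make install, you can run echo $? to check whether the previous step failed
II. Nginx
1. Create the nginx system account
[root@localhost ~]# useradd -r -s /sbin/nologin nginx
2. Extract the archive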
[root@localhost ~]# tar -xf nginx-1.16.1.tar.gz
[root@localhost ~]# cd nginx-1.16.1/
[root@localhost nginx-1.16.1]#
3. Compile and install
This lab does not specify many options, only the user and the group. Other features are added later when they are needed.
Run configure
[root@localhost nginx-1.16.1]# ./configure --user=nginx --group=nginx
Error 1: the PCRE library is missing. When library xxx is missing, install xxx-devel.
./configure: error: the HTTP rewrite module requires the PCRE library.
Fix:
[root@localhost nginx-1.16.1]# yum install pcre-devel
Run configure again
[root@localhost nginx-1.16.1]# ./configure --user=nginx --group=nginx
Error 2: the zlib library is missing
./configure: error: the HTTP gzip module requires the zlib library.
Fix:
[root@localhost nginx-1.16.1]# yum install zlib-devel
Run configure again
[root@localhost nginx-1.16.1]# ./configure --user=nginx --group=nginx
configure succeeds
Configuration summary
# libraries in use
+ using system PCRE library
+ OpenSSL library is not used
+ using system zlib library
# default install options
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf" # configuration directory
nginx configuration file: "/usr/local/nginx/conf/nginx.conf" # configuration file
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
Compile with make
[root@localhost nginx-1.16.1]# make
Install with make install
[root@localhost nginx-1.16.1]# make install
4. Create symlinks for nginx
# so the absolute path is no longer needed
[root@localhost nginx-1.16.1]# ln -s /usr/local/nginx/sbin/* /usr/local/bin/
5. Start nginx
[root@localhost ~]# nginx
Check the process
[root@localhost ~]# netstat -antp|grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21794/nginx: master
# the nginx master process is running; browse to the VM's IP to reach it
Other nginx commands
[root@localhost ~]# nginx -h
nginx version: nginx/1.16.1
Usage: nginx [-?hvVtTq] [-s signal] [-c filename] [-p prefix] [-g directives]
Options:
-?,-h : this help
-v : show version and exit
-V : show version and configure options then exit
-t : test configuration and exit
-T : test configuration, dump it and exit
-q : suppress non-error messages during configuration testing
-s signal : send signal to a master process: stop, quit, reopen, reload
-p prefix : set prefix path (default: /usr/local/nginx/)
-c filename : set configuration file (default: conf/nginx.conf)
-g directives : set global directives out of configuration file
6. Configuration file
# back up the configuration file
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# cp nginx.conf nginx.conf.bak
[root@localhost conf]# vim nginx.conf
#user nobody;
# number of nginx worker processes, usually equal to the number of CPUs
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
# event model
events {
    # maximum connections per worker process (maximum connections = number of processes * per-process maximum); adjust to the hardware
    worker_connections 1024;
}
# global http block; everything below sits inside it
http {
    # map of file extensions to file types; sets the MIME types, which are defined in the mime.types file
    include mime.types;
    # default file type
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    # efficient file transfer mode
    sendfile on;
    # prevents network congestion
    #tcp_nopush on;
    #keepalive_timeout 0;
    # keep-alive connection timeout
    keepalive_timeout 65;
    # page compression
    #gzip on;
    # settings for the default site
    server {
        # listening port
        listen 80;
        # site name
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        # requests to this site; / matches any request
        location / {
            # site directory
            root html;
            # default files
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }
    ## virtual host configuration format
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
    ## HTTPS configuration
    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;
    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
}
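III. Experiments
1. Virtual hosts
To keep the configuration tidy, we use one configuration file per site. The steps are as follows.
1.1 Edit the main configuration file
[root@localhost conf]# vim nginx.conf
Add the following inside the global (http) block
http {
    ...
    #gzip on;
    # load myweb1.conf from the vhosts directory
    include vhosts/myweb1.conf;
1.2 Create the per-site configuration file
[root@localhost conf]# mkdir vhosts
[root@localhost conf]# vim vhosts/myweb1.conf
server {
    listen 80;
    server_name www.myweb1.com;
    location / {
        root html/myweb1;
        index index.html index.htm;
    }
}
1.3 Reload the configuration
# check the syntax first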
[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# reload
[root@localhost conf]# nginx -s reload
1.4 Create the site directory
[root@localhost conf]# mkdir /usr/local/nginx/html/myweb1
[root@localhost conf]# vim /usr/local/nginx/html/myweb1/index.html
# content that identifies the site
this is myweb1
Add the following line to the hosts file on your computer to reach the site
192.168.1.54 www.myweb1.com
2. Nginx status statistics
This feature requires the --with-http_stub_status_module option at configure time. We did not enable it earlier, so nginx now has to be compiled again.
# this command shows the current build options
[root@localhost nginx-1.16.1]# nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
configure arguments: --user=nginx --group=nginx
2.1 Recompile
# enter the source tree
[root@localhost ~]# cd nginx-1.16.1/
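# remove the files produced by the previous build
[root@localhost nginx-1.16.1]# make clean
rm -rf Makefile objs
# run configure again: the old options plus the new one
[root@localhost nginx-1.16.1]# ./configure --user=nginx --group=nginx --with-http_stub_status_module
# compile
[root@localhost nginx-1.16.1]# make
2.2 Overwrite the original binary
The newly built binary is in the objs directory
[root@localhost nginx-1.16.1]# cd objs/
[root@localhost objs]# ls
autoconf.err Makefile nginx nginx.8 ngx_auto_config.h ngx_auto_headers.h ngx_modules.c ngx_modules.o src
Copy the new binary over; this requires stopping the nginx process
[root@localhost objs]# cp nginx /usr/local/nginx/sbin/nginx
Reload the configuration
[root@localhost objs]# nginx -s reload
This keeps all the earlier configuration work and adds the new feature
2.3 Edit the virtual host
Here we monitor the status of myweb1.com
[root@localhost vhosts]# vim myweb1.conf
Modify it as follows. I read many posts and all of them failed; in the end the official documentation was what worked: http://nginx.org/en/docs/http/ngx_http_stub_status_module.html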
server {
    listen 80;
    server_name www.myweb1.com;
    location / {
        root html/myweb1;
        index index.html index.htm;
    }
    location = /basic_status {
        # enable status statistics
        stub_status;
    }
}
Visit http://www.myweb1.com/basic_status in a browser
2.4 Reload
[root@localhost myweb1]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost myweb1]# nginx -s reload
3. Directory protection
Protect the status page from the previous experiment
3.1 Edit the virtual host configuration file
[root@localhost vhosts]# vim myweb1.conf
server {
    listen 80;
    server_name www.myweb1.com;
    location / {
        root html/myweb1;
        index index.html index.htm;
    }
    location = /basic_status {
        # enable status statistics
        stub_status;
        # directory protection
        auth_basic "Hello Admin!"; # prompt text
        auth_basic_user_file /usr/local/nginx/html/myweb1/htpasswd.nginx; # account file
    }
}
3.2 Generate the account file
Use Apache's command to generate the file
# install httpd
[root@localhost vhosts]# yum install httpd
# create the account file; the account is yantao
[root@localhost vhosts]# htpasswd -c /usr/local/nginx/html/myweb1/htpasswd.nginx yantao
# add an account
[root@localhost vhosts]# htpasswd -m /usr/local/nginx/html/myweb1/htpasswd.nginx user1
3.3 Reload
[root@localhost myweb1]# nginx -s reload
4. IP-based authentication
4.1 Add the allowed IP
[root@localhost vhosts]# vim myweb1.conf
server {
    listen 80;
    server_name www.myweb1.com;
    location / {
        root html/myweb1;
        index index.html index.htm;
    }
    location = /basic_status {
        # enable status statistics
        stub_status;
        # directory protection
        auth_basic "Hello Admin!";
        auth_basic_user_file /usr/local/nginx/html/myweb1/htpasswd.nginx;
        # IP-based check
        allow 192.168.1.42;
        deny 192.168.1.0/24;
    }
}
4.2 Reload
[root@localhost myweb1]# nginx -t
[root@localhost myweb1]# nginx -s reload
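How nginx evaluates the allow/deny pair from step 4.1, as an added example that is not part of the original tutorial: the access module checks the rules in order, stops at the first match, and allows the request when no rule matches. The helper names (ip_to_int, in_net, decide) and the "allow:NET" / "deny:NET" argument format are this example's own, and it models IPv4 only.

```shell
#!/bin/sh
# Added example: a model of nginx's first-match allow/deny evaluation (IPv4 only).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside $2 (single address, CIDR block, or "all").
in_net() {
    if [ "$2" = all ]; then return 0; fi
    bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# decide CLIENT RULE...   each RULE is "allow:NET" or "deny:NET", in config order.
# Prints the verdict of the first matching rule; no match at all means "allow".
decide() {
    client=$1; shift
    for rule in "$@"; do
        if in_net "$client" "${rule#*:}"; then
            echo "${rule%%:*}"
            return 0
        fi
    done
    echo allow
}

# The rules from step 4.1, then the same allow rule closed with "deny all".
# Client addresses other than 192.168.1.42 are constructed samples.
for ip in 192.168.1.42 192.168.1.77 10.0.0.5; do
    echo "$ip as written:    $(decide "$ip" allow:192.168.1.42 deny:192.168.1.0/24)"
    echo "$ip with deny all: $(decide "$ip" allow:192.168.1.42 deny:all)"
done
```

Ending the list in the location block with deny all; makes 192.168.1.42 the only address admitted. With nginx's default satisfy all, the auth_basic check still applies on top of the address check.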
5. Reverse proxy
5.1 Set up an Apache server
5.2 Add an nginx virtual host
Edit the main configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
# add the following
include vhosts/myweb2.conf;
Create the per-site configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/vhosts/myweb2.conf
# add the following
server {
    listen 80;
    server_name www.myweb2.com;
    location / {
        proxy_pass http://192.168.1.49:80; # Apache's IP
    }
}
Reload the configuration
[root@localhost ~]# nginx -t
[root@localhost ~]# nginx -s reload
Edit the hosts file on your computer and add
192.168.1.54 www.myweb2.com
Visiting www.myweb2.com now reaches Apache
6. Load balancing
6.1 Prepare a second Apache server
6.2 Edit the virtual host
[root@localhost ~]# vim /usr/local/nginx/conf/vhosts/myweb2.conf
# resource pool
upstream abc {
    server 192.168.1.49:80;
    server 192.168.1.47:80;
}
server {
    listen 80;
    server_name www.myweb2.com;
    location / {
        proxy_pass http://abc;
        proxy_set_header Host $host; # variable set so that second-level directories work correctly
    }
}
Visiting www.myweb2.com in a browser now alternates between the two Apache servers
6.3 Round-robin scheduling with the rr algorithm
upstream abc {
    server 192.168.1.49:80 weight=1;
    server 192.168.1.47:80 weight=2;
}
server {
    listen 80;
    server_name www.myweb2.com;
    location / {
        proxy_pass http://abc;
        proxy_set_header Host $host;
    }
}
The two Apache servers now appear in a ratio of 1:2
7. HTTPS with nginx
HTTPS in nginx requires --with-http_ssl_module at compile time. We did not enable it originally, so nginx has to be recompiled and reinstalled; see experiment 2 for the procedure.
7.1 Generate the server private key
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -out myweb1.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..++++++
e is 65537 (0x10001)
7.2 Generate the certificate signing request
[root@localhost conf]# openssl req -new -key myweb1.key -out myweb1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LN
Locality Name (eg, city) [Default City]:SY
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:PHP
Common Name (eg, your name or your server's hostname) []:www.myweb1.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
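7.3 Generate the signed certificate
This lab uses a self-signed certificate, which browsers will not trust. In production, certificates are purchased from a CA vendor.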
[root@localhost conf]# openssl x509 -req -days 365 -sha256 -in myweb1.csr -signkey myweb1.key -out myweb1.crt
Signature ok
subject=/C=CN/ST=LN/L=SY/O=Company/OU=PHP/CN=www.myweb1.com
Getting Private key
server {
    listen 80;
    server_name www.myweb1.com;
    # rewrite: turn port-80 requests into 443 requests
    rewrite ^(.*)$ https://${server_name}$1 permanent;
    location / {
        root html/myweb1;
        index index.html index.htm;
    }
    location = /basic_status {
        # enable status statistics
        stub_status;
        # directory protection
        auth_basic "Hello Admin!";
        auth_basic_user_file /usr/local/nginx/html/myweb1/htpasswd.nginx;
        # IP-based check
        allow 192.168.1.42;
        deny 192.168.1.0/24;
    }
}
server {
    listen 443 ssl; # this syntax is used from version 1.5 onward
    server_name www.myweb1.com;
    root html/myweb1;
    index index.html;
    ssl_certificate /usr/local/nginx/conf/myweb1.crt;
    ssl_certificate_key /usr/local/nginx/conf/myweb1.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # there is a formatting problem here
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
After reloading the configuration, visiting www.myweb1.com redirects to https
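A check for the ssl_protocols line in the 443 server block, as an added example that is not part of the original tutorial: TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996, and this script reports every ssl_protocols directive that still enables them, with the file and line it came from. It reads the dump printed by nginx -T; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: report legacy protocol versions enabled by ssl_protocols.
# Input is configuration text on stdin, for instance: nginx -T | legacy_tls

legacy_tls() {
    awk '
        # nginx -T prefixes each file with "# configuration file PATH:"
        /^# configuration file / {
            file = $4; sub(/:$/, "", file); n = 0; next
        }
        {
            n++                     # line number within the current file
            sub(/#.*/, "")          # drop comments (simplification: no quoted "#")
        }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    printf "%s:%d: %s\n", (file == "" ? "stdin" : file), n, p
            }
        }'
}

# Constructed dump modelled on the files used in this walkthrough.
sample_dump() {
    cat <<'EOF'
# configuration file /usr/local/nginx/conf/nginx.conf:
http {
    include vhosts/myweb1.conf;
}

# configuration file /usr/local/nginx/conf/vhosts/myweb1.conf:
server {
    listen 443 ssl;
    #ssl_protocols SSLv3;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

sample_dump | legacy_tls
```

Narrowing the directive to ssl_protocols TLSv1.2; clears the report. TLSv1.3 can be added where nginx is built against OpenSSL 1.1.1 or later.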
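8. Hide the version number
Changing the main configuration file hides the version number for all virtual hosts.
Hide for all hosts
[root@localhost conf]# vim nginx.conf
# add inside the http block
server_tokens off;
Hide for a single host
[root@localhost conf]# vim vhosts/myweb2.conf
# add inside the server block
server_tokens off;
Or modify the source before installing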
[root@localhost ~]# cd nginx-1.16.1/src/core/
[root@localhost core]# vim nginx.h
#define NGINX_VERSION "1.16.1"
#define NGINX_VER "nginx/" NGINX_VERSION
# change them as follows to disguise the version
#define NGINX_VERSION "1.0"
#define NGINX_VER "IIS/" NGINX_VERSION