说明

根据此文档进行编译安装 Nginx,可以将Nginx默认的功能全部安装上,读者也可以自己的根据实际情况删减需要编译的模块。

支持的特色功能如下:

  • 支持 TLSv1.3 - openssl 从 1.1.1 版本起支持最终版的TLSv1.3标准协议,详情参见:TLS1.3
  • 支持 HTTP2 - Nginx 从 1.9.5 版本起支持http2,详情参见:Module ngx_http_v2_module
  • 支持 Lua语法 - 详情参见:lua-nginx-module

安装

Nginx 官方资料:Building nginx from Sources

安装依赖

yum install -y \
vim gcc gcc-c++ make cmake cmake3 automake autoconf perl-ExtUtils-Embed \
openssl-devel libxml2-devel libxslt-devel GeoIP-devel luajit-devel \
gperftools-devel systemd-devel perl-devel libatomic_ops-devel pcre-devel gd-devel

准备源码包

# Create Directory
mkdir -p /opt/down/nginx
cd /opt/down/nginx

# Get nginx source
wget https://nginx.org/download/nginx-1.14.0.tar.gz

# Get zlib/openssl/pcre dependency
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz

# Get Lua module and depend if you need
wget -c 'https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz' -O lua-nginx-module-0.10.13.tar.gz
wget -c 'https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz' -O ngx_devel_kit-0.3.1rc1.tar.gz

# Extract source file
tar xzf nginx-1.14.0.tar.gz

tar xzf zlib-1.2.11.tar.gz
tar xzf openssl-1.1.1.tar.gz
tar xzf pcre-8.42.tar.gz

tar xzf lua-nginx-module-0.10.13.tar.gz
tar xzf ngx_devel_kit-0.3.1rc1.tar.gz

编译与安装

  • 读者可根据实际情况自定义修改编译选项中指定的路径。
  • 用户与组需要执行useradd work提前创建,或读者自定义用户与组名。
  • 这里将nginx-1.14.0所有可编译的模块都加上了,读者可自定义删减。
# Configure option
cd nginx-1.14.0
./configure \
--prefix=/opt/soft/nginx \
--error-log-path=/opt/log/nginx/error.log \
--pid-path=/opt/run/nginx/nginx.pid \
--lock-path=/opt/run/nginx/nginx.lock \
--user=work \
--group=work \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--http-log-path=/opt/log/nginx/access.log \
--http-client-body-temp-path=/opt/soft/nginx/temp/client_body \
--http-proxy-temp-path=/opt/soft/nginx/temp/proxy \
--http-fastcgi-temp-path=/opt/soft/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/opt/soft/nginx/temp/uwsgi \
--http-scgi-temp-path=/opt/soft/nginx/temp/scgi \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--with-google_perftools_module \
--with-cpp_test_module \
--with-compat \
--with-pcre=../pcre-8.42 \
--with-pcre-jit \
--with-libatomic \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1 \
--with-debug \
--with-ld-opt=-Wl,-rpath,/usr/lib64 \
--add-module=../ngx_devel_kit-0.3.1rc1 \
--add-module=../lua-nginx-module-0.10.13

# Compile & Install
make -j2
make install

配置与启动

创建一些必要的目录,可根据实际情况自定义。

mkdir -p /opt/log/nginx
mkdir -p /opt/run/nginx
mkdir -p /opt/soft/nginx/temp
mkdir -p /opt/soft/nginx/conf/{acl,ssl,vhosts}

主配置文件

路径:/opt/soft/nginx/conf/nginx.conf
基本参数已经满足大部分的应用场景,如需要额外的调整参数请参阅官方文档的 Modules reference

# nginx main config
user    work work;

worker_processes     auto;
worker_cpu_affinity  auto;
worker_rlimit_nofile 655350;

# Loads a dynamic module.
# load_module modules/ngx_stream_module.so;

# Provides the configuration file context in which the directives that affect connection processing are specified.
events {
    # nginx will by default use the most efficient method.
    # use epoll;
    worker_connections  102400;
}

# Log level: debug, info, notice, warn, error, crit, alert, or emerg.
error_log   /opt/log/nginx/error.log error;

# PCRE JIT can speed up processing of regular expressions significantly.
pcre_jit on;

pid /opt/run/nginx/nginx.pid;

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Default log format - main
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    # Custom log format - main
    log_format main   '[$time_local] $remote_addr $http_x_connecting_ip "$http_x_forwarded_for" '
                      '$scheme $http_host "$request" $body_bytes_sent $request_time $status "$http_referer" '
                      '"$http_user_agent" $upstream_addr $upstream_response_time $upstream_status ';

    access_log  /opt/log/nginx/access.log main;

    # client_body_buffer_size 8k|16k;
    # client_body_timeout 120s;
    # client_header_buffer_size 1k;
    # client_header_timeout 120s;
    # client_max_body_size 10m;

    keepalive_timeout 75s;

    send_timeout    60s;
    sendfile        on;
    server_tokens   off;
    tcp_nodelay     on;
    tcp_nopush      on;

    # Enables or disables the use of underscores in client request header fields.
    # underscores_in_headers off;
    gzip  on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Module ngx_http_fastcgi_module setting.
    # fastcgi_buffer_size 8k;
    # fastcgi_buffering on;
    # fastcgi_buffers 8 256k;
    # fastcgi_connect_timeout 120s;
    # fastcgi_read_timeout 120s;
    # fastcgi_send_timeout 120s;

    include vhosts/*.conf;
}

默认的虚拟主机

配置默认虚拟主机,禁止直接IP请求及针对未绑定域名的请求跳转。
路径:/opt/soft/nginx/conf/vhosts/default.conf

# vhosts - default
server {
    listen  80  default_server;
    server_name _;

    # underscores_in_headers on;

    if ($host ~ "\d+\.\d+\.\d+\.\d+") {
        return 404;
    }

    if ($host ~ "fandenggui.com") {
        return https://www.fandenggui.com;
    }

    location / {
        return https://www.fandenggui.com;
    }
}

正式虚拟主机配置

很多细节,需要读者了解配置的作用自行修改,这里不做过多的解释。

server {
    listen 80;
    listen 443 ssl http2;
    server_name www.fandenggui.com;

    # Access control
    # include acl/your_acl_rule.conf;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate     ssl/fandenggui.com.pem;
    ssl_certificate_key ssl/fandenggui.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9

    # OCSP Stapling --- Requires nginx >= 1.3.7
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # DHPARAM: openssl dhparam -out /opt/soft/nginx/conf/dhparam.pem 4096
    # ssl_dhparam /opt/soft/nginx/conf/dhparam.pem; 

    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    # resolver_timeout 5s; 

    # add_header X-Frame-Options DENY;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security max-age=15768000;
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # Forced to use HTTPS
    # if ( $scheme = "http") {
    #     return 301 https://$host$request_uri;
    # }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log /opt/log/nginx/www.fandenggui.com_access.log main;
    error_log /opt/log/nginx/www.fandenggui.com_error.log error;

    location / {
        # 根据实际情况配置反向代理
        # ……
    }
}

创建 nginx.service

路径:/usr/lib/systemd/system/nginx.service

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/opt/run/nginx/nginx.pid
ExecStartPre=/usr/bin/rm -f /opt/run/nginx/nginx.pid
ExecStartPre=/opt/soft/nginx/sbin/nginx -t
ExecStart=/opt/soft/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target

启动服务 & 设置开机启动

# Check Nginx config.
/opt/soft/nginx/sbin/nginx -t

systemctl start nginx
systemctl enable nginx

参考与工具

  • Mozilla SSL Configuration Generator
  • Strong Ciphers for nginx
  • SSL Server Test