说明
根据此文档进行编译安装 Nginx,可以将Nginx默认的功能全部安装上,读者也可以自己的根据实际情况删减需要编译的模块。
支持的特色功能如下:
- 支持 TLSv1.3 - openssl 从 1.1.1 版本起支持最终版的TLSv1.3标准协议,详情参见:TLS1.3
- 支持 HTTP2 - Nginx 从 1.9.5 版本起支持http2,详情参见:Module ngx_http_v2_module
- 支持 Lua语法 - 详情参见:lua-nginx-module
安装
Nginx 官方资料:Building nginx from Sources
安装依赖
yum install -y \
vim gcc gcc-c++ make cmake cmake3 automake autoconf perl-ExtUtils-Embed \
openssl-devel libxml2-devel libxslt-devel GeoIP-devel luajit-devel \
gperftools-devel systemd-devel perl-devel libatomic_ops-devel pcre-devel gd-devel
准备源码包
# Create Directory
mkdir -p /opt/down/nginx
cd /opt/down/nginx
# Get nginx source
wget https://nginx.org/download/nginx-1.14.0.tar.gz
# Get zlib/openssl/pcre dependency
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz
# Get Lua module and depend if you need
wget -c 'https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz' -O lua-nginx-module-0.10.13.tar.gz
wget -c 'https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz' -O ngx_devel_kit-0.3.1rc1.tar.gz
# Extract source file
tar xzf nginx-1.14.0.tar.gz
tar xzf zlib-1.2.11.tar.gz
tar xzf openssl-1.1.1.tar.gz
tar xzf pcre-8.42.tar.gz
tar xzf lua-nginx-module-0.10.13.tar.gz
tar xzf ngx_devel_kit-0.3.1rc1.tar.gz
编译与安装
- 读者可根据实际情况自定义修改编译选项中指定的路径。
- 用户与组需要执行
useradd work
提前创建,或读者自定义用户与组名。 - 这里将
nginx-1.14.0
所有可编译的模块都加上了,读者可自定义删减。
# Configure option
cd nginx-1.14.0
./configure \
--prefix=/opt/soft/nginx \
--error-log-path=/opt/log/nginx/error.log \
--pid-path=/opt/run/nginx/nginx.pid \
--lock-path=/opt/run/nginx/nginx.lock \
--user=work \
--group=work \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--http-log-path=/opt/log/nginx/access.log \
--http-client-body-temp-path=/opt/soft/nginx/temp/client_body \
--http-proxy-temp-path=/opt/soft/nginx/temp/proxy \
--http-fastcgi-temp-path=/opt/soft/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/opt/soft/nginx/temp/uwsgi \
--http-scgi-temp-path=/opt/soft/nginx/temp/scgi \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--with-google_perftools_module \
--with-cpp_test_module \
--with-compat \
--with-pcre=../pcre-8.42 \
--with-pcre-jit \
--with-libatomic \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1 \
--with-debug \
--with-ld-opt=-Wl,-rpath,/usr/lib64 \
--add-module=../ngx_devel_kit-0.3.1rc1 \
--add-module=../lua-nginx-module-0.10.13
# Compile & Install
make -j2
make install
配置与启动
创建一些必要的目录,可根据实际情况自定义。
mkdir -p /opt/log/nginx
mkdir -p /opt/run/nginx
mkdir -p /opt/soft/nginx/temp
mkdir -p /opt/soft/nginx/conf/{acl,ssl,vhosts}
主配置文件
路径:/opt/soft/nginx/conf/nginx.conf
基本参数已经满足大部分的应用场景,如需要额外的调整参数请参阅官方文档的 Modules reference
# nginx main config
user work work;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 655350;
# Loads a dynamic module.
# load_module modules/ngx_stream_module.so;
# Provides the configuration file context in which the directives that affect connection processing are specified.
events {
# nginx will by default use the most efficient method.
# use epoll;
worker_connections 102400;
}
# Log level: debug, info, notice, warn, error, crit, alert, or emerg.
error_log /opt/log/nginx/error.log error;
# PCRE JIT can speed up processing of regular expressions significantly.
pcre_jit on;
pid /opt/run/nginx/nginx.pid;
http {
include mime.types;
default_type application/octet-stream;
# Default log format - main
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
# Custom log format - main
log_format main '[$time_local] $remote_addr $http_x_connecting_ip "$http_x_forwarded_for" '
'$scheme $http_host "$request" $body_bytes_sent $request_time $status "$http_referer" '
'"$http_user_agent" $upstream_addr $upstream_response_time $upstream_status ';
access_log /opt/log/nginx/access.log main;
# client_body_buffer_size 8k|16k;
# client_body_timeout 120s;
# client_header_buffer_size 1k;
# client_header_timeout 120s;
# client_max_body_size 10m;
keepalive_timeout 75s;
send_timeout 60s;
sendfile on;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
# Enables or disables the use of underscores in client request header fields.
# underscores_in_headers off;
gzip on;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Module ngx_http_fastcgi_module setting.
# fastcgi_buffer_size 8k;
# fastcgi_buffering on;
# fastcgi_buffers 8 256k;
# fastcgi_connect_timeout 120s;
# fastcgi_read_timeout 120s;
# fastcgi_send_timeout 120s;
include vhosts/*.conf;
}
默认的虚拟主机
配置默认虚拟主机,禁止直接IP请求及针对未绑定域名的请求跳转。
路径:/opt/soft/nginx/conf/vhosts/default.conf
# vhosts - default
server {
listen 80 default_server;
server_name _;
# underscores_in_headers on;
if ($host ~ "\d+\.\d+\.\d+\.\d+") {
return 404;
}
if ($host ~ "fandenggui.com") {
return https://www.fandenggui.com;
}
location / {
return https://www.fandenggui.com;
}
}
正式虚拟主机配置
很多细节,需要读者了解配置的作用自行修改,这里不做过多的解释。
server {
listen 80;
listen 443 ssl http2;
server_name www.fandenggui.com;
# Access control
# include acl/your_acl_rule.conf;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate ssl/fandenggui.com.pem;
ssl_certificate_key ssl/fandenggui.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# OCSP Stapling --- Requires nginx >= 1.3.7
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# DHPARAM: openssl dhparam -out /opt/soft/nginx/conf/dhparam.pem 4096
# ssl_dhparam /opt/soft/nginx/conf/dhparam.pem;
# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
# resolver_timeout 5s;
# add_header X-Frame-Options DENY;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# add_header Strict-Transport-Security max-age=15768000;
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# Forced to use HTTPS
# if ( $scheme = "http") {
# return 301 https://$host$request_uri;
# }
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /opt/log/nginx/www.fandenggui.com_access.log main;
error_log /opt/log/nginx/www.fandenggui.com_error.log error;
location / {
# 根据实际情况配置反向代理
# ……
}
}
创建 nginx.service
路径:/usr/lib/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/opt/run/nginx/nginx.pid
ExecStartPre=/usr/bin/rm -f /opt/run/nginx/nginx.pid
ExecStartPre=/opt/soft/nginx/sbin/nginx -t
ExecStart=/opt/soft/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
启动服务 & 设置开机启动
# Check Nginx config.
/opt/soft/nginx/sbin/nginx -t
systemctl start nginx
systemctl enable nginx
参考与工具
- Mozilla SSL Configuration Generator
- Strong Ciphers for nginx
- SSL Server Test