一 安装nginx
1 下载
http://nginx.org/download/nginx-1.4.7.tar.gz
1.1 解压
# tar xf nginx-1.4.7.tar.gz
1.2 建立用户(为系统用户)
# groupadd -r -g 110 nginx
# useradd -r -g 110 -u 110 nginx
1.3 解决依赖关系
编译安装nginx需要事先安装开发包组"Development Tools"和 "Development Libraries"。
同时,还需要专门安装pcre-devel包:
# yum install -y pcre-devel openssl-devel zlib-devel
2 安装
# ./configure \
--prefix=/usr/local/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/tmp/nginx/client/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy/ \
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
--http-scgi-temp-path=/var/tmp/nginx/scgi \
--with-pcre \
--with-file-aio
# make && make install
3 为nginx提供SysV init脚本:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx/nginx.pid
# Pull in the RHEL init helpers (daemon, killproc and status used below
# come from here) and the networking settings; nothing to do when
# networking is disabled.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
if [ "$NETWORKING" = "no" ]; then
  exit 0
fi
# Paths matching the configure flags above; an optional
# /etc/sysconfig/nginx may override any of them before they are used.
nginx="/usr/local/nginx/sbin/nginx"
prog=${nginx##*/}
NGINX_CONF_FILE="/etc/nginx/nginx.conf"
if [ -f /etc/sysconfig/nginx ]; then
  . /etc/sysconfig/nginx
fi
lockfile=/var/lock/subsys/nginx
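make_dirs() {
  # Create the temp directories nginx was built with (the *-temp-path=
  # configure flags) and hand them to the --user account. Both values
  # are read from the binary this script manages; the original ran a
  # bare "nginx", which resolves through PATH and may be a different
  # build than $nginx.
  local options user opt value
  options=$("$nginx" -V 2>&1 | grep 'configure arguments:')
  # Empty when the build had no --user flag; the chown is then skipped
  # instead of failing on a blank user name (the original would have
  # fed the whole line to chown in that case).
  user=$(printf '%s\n' "$options" | sed -n 's/.*--user=\([^ ]*\).*/\1/p')
  # word-splitting on $options is intentional: one configure flag per word
  for opt in $options; do
    case "$opt" in
      *-temp-path=*)
        value=${opt#*=}
        if [ ! -d "$value" ]; then
          mkdir -p "$value" || continue
          if [ -n "$user" ]; then
            chown -R "$user" "$value"
          fi
        fi
        ;;
    esac
  done
}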
start() {
[ -x $nginx ] || exit 5
[ -f $NGINX_CONF_FILE ] || exit 6
make_dirs
echo -n $"Starting $prog: "
daemon $nginx -c $NGINX_CONF_FILE
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
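stop() {
  echo -n $"Stopping $prog: "
  # nginx treats QUIT as a graceful shutdown (workers finish in-flight
  # requests before exiting)
  killproc "$prog" -QUIT
  retval=$?
  echo
  # drop the subsys lock only when the process really went away
  [ "$retval" -eq 0 ] && rm -f "$lockfile"
  return "$retval"
}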
restart() {
  # Do not take the service down on a config that would not come back
  # up: a failed syntax check is returned as-is to the caller.
  local rc
  configtest
  rc=$?
  if [ "$rc" -ne 0 ]; then
    return "$rc"
  fi
  stop
  # short pause between stop and start, kept from the original
  sleep 1
  start
}
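reload() {
  # Fail closed: a config that does not pass the syntax check is
  # reported and the running workers keep the old one.
  configtest || return $?
  echo -n $"Reloading $prog: "
  # HUP makes the master re-read the config and spawn new workers
  killproc "$nginx" -HUP
  retval=$?
  echo
  # The original stored the status in RETVAL and then fell off the end,
  # so the function returned echo's status (0) and a failed reload was
  # reported as success to the dispatcher.
  return "$retval"
}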
force_reload() {
  # no separate force path here: a full restart is the strongest
  # reload this script offers, and its status is passed through
  restart
  return $?
}
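configtest() {
  # Syntax-check the config this script starts nginx with; the exit
  # status is what restart and reload gate on. Both paths are quoted so
  # an override from /etc/sysconfig/nginx containing spaces still works.
  "$nginx" -t -c "$NGINX_CONF_FILE"
}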
rh_status() {
  # defer to the init library's status helper, which reports on $prog
  status "$prog"
  return $?
}
rh_status_q() {
  # same verdict as rh_status, with both output streams discarded
  rh_status >/dev/null 2>/dev/null
}
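# Action dispatcher. Where an arm runs "$1" as a command, the case
# pattern above it has already pinned $1 to one of the functions
# defined in this file, so no user-controlled string reaches the shell
# as a command name.
case "$1" in
  start)
    rh_status_q && exit 0
    $1
    ;;
  stop)
    rh_status_q || exit 0
    $1
    ;;
  restart|configtest)
    $1
    ;;
  reload)
    # LSB: 7 = program is not running
    rh_status_q || exit 7
    $1
    ;;
  force-reload)
    force_reload
    ;;
  status)
    rh_status
    ;;
  condrestart|try-restart)
    # restart only a service that is currently running; the original
    # arm checked the status and then did nothing at all
    rh_status_q || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
esac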
为此脚本赋予执行权限:
# chmod +x /etc/rc.d/init.d/nginx
4 添加至服务管理列表,并让其开机自动启动:
# chkconfig --add nginx
# chkconfig nginx on
5 启动服务并测试:
# service nginx start
二 location
location [ = | ~ | ~* | ^~ ] uri { ... }
匹配优先级
= > ^~ > ~ ~*
location uri {}:对当前路径及其子路径下的所有文件都生效
location = uri {}:精确匹配,只对当前资源生效,不包含子路径
location ~ uri {}:模式匹配uri,可使用正则表达式,区分大小写
location ~* uri {}:模式匹配uri,可使用正则表达式,不区分大小写
location ^~ uri {}:不使用正则表达式
location / {
# prefix match: serves / and everything below it unless a more specific location wins
root /web/html;
index index.html index.htm;
}
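error_page 404 /404.html; # error page returned when the requested resource does not exist (or access is denied)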
location /bbs {
# root is prepended to the full URI, so /bbs/x is served from /web/bbs/x
root /web;
index index.html index.htm; # access still works normally even with this line commented out
}
和httpd对比
filesystem path
uri path
三 基于ip的访问控制
默认允许所有来源访问;若只允许部分来源,需定义deny all
location / {
# rules are checked in the order written and the first match decides,
# so the single-host deny must precede the allow for its subnet
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
# without this final deny the default stays "allow everyone"
deny all;
}
四 基于用户的访问控制
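location / {
    # the realm string is what the browser shows in its login prompt
    auth_basic "closed site";
    # keep this file outside every served root and readable only by the
    # account nginx runs as; it holds the password hashes
    auth_basic_user_file /etc/nginx/.htpasswd;
}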
生成密码文件需借助于htpasswd工具
# htpasswd -c -m /etc/nginx/.htpasswd tom
使用curl -u user:passwd url可测试,也可以在浏览器测试
五 索引index
location /download {
root /web;
index home.html;
# directory listing is shown only when no index file exists in the directory
autoindex on; # autoindex is off by default; turning it on is less safe (it exposes the directory contents)
}
Syntax: autoindex on | off;
Default:
autoindex off;
Context: http, server, location
Enables or disables the directory listing output.
Syntax: autoindex_exact_size on | off;
Default:
autoindex_exact_size on;
Context: http, server, location
Syntax: autoindex_localtime on | off;
Default:
autoindex_localtime off;
Context: http, server, location
六 状态信息
location /nginx_status {
# needs the --with-http_stub_status_module build flag used above
stub_status on;
# keep monitoring polls out of the access log
access_log off;
# "ip" is a placeholder: put the monitoring host's address here
allow ip;
deny all;
}
状态信息解读
Active connections: 3
server accepts handled requests
 154 154 153
Reading: 0 Writing: 1 Waiting: 2
Active connections: The current number of active client connections including Waiting connections. 活动的连接数(包括等待的连接)
accepts: The total number of accepted client connections. 已经接收的连接数
handled: The total number of handled connections. Generally, the parameter value is the same as accepts unless some resource limits have been reached (for example, the worker_connections limit). 已经处理的连接数
requests: The total number of client requests. 已处理的请求数
Reading: The current number of connections where nginx is reading the request header. nginx正在读取其请求首部的连接个数
Writing: The current number of connections where nginx is writing the response back to the client. nginx正在读取其请求主体的连接数/正在处理请求内容的连接数/正在向其发送响应的连接数
Waiting: The current number of idle client connections waiting for a request. 空闲的连接数
七 开启ssl功能
1 nginx的配置
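server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx_ssl.crt;
    # the private key should be readable by root only
    ssl_certificate_key /etc/nginx/ssl/nginx_ssl.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken protocols and must not be offered;
    # TLSv1.1/1.2 are accepted by this nginx version when it is built
    # against OpenSSL 1.0.1 or newer
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # let the server's cipher order win over the client's
    ssl_prefer_server_ciphers on;
    location / {
        root /web/html;
        index index.html index.htm;
    }
}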
2 openssl服务端配置文件
# vim /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
2.1 生成CA私钥
# (umask 077 ;openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
2.2 创建CA证书
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:HIYANG
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ca.node1.test.com
Email Address []:[email protected]
# echo 01 > serial
# touch index.txt
3 CA客户端
3.1 创建私钥
# cd /etc/nginx/ssl/
# (umask 077;openssl genrsa 1024 > nginx_ssl.key)
3.2 发起认证请求
# openssl req -new -key nginx_ssl.key -out nginx_ssl.csr
4 签署认证
# openssl ca -in nginx_ssl.csr -out nginx_ssl.crt -days 3650
八 虚拟主机
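server {
    listen 80;
    server_name www.hiyang.com;
    location / {
        root /web/hiyang/;
        # one index file name; split across two lines it would have been
        # read as the two names "index" and ".html"
        index index.html;
    }
}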