1 基础依赖
Centos7安装Lua和OpenResty
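# Build prerequisites for Lua / OpenResty on CentOS 7 (run as root).
yum -y install readline-devel pcre-devel openssl-devel gcc perl
# Quote the wildcard so that yum, not the shell, expands it. An unquoted lua*
# is first matched against file names in the current directory — e.g. the
# lua-5.4.3.tar.gz unpacked in the next step — and yum would then be asked to
# install that file name instead of the lua packages.
yum -y install 'lua*'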
如果你想升级lua
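# Optional: build Lua 5.4.3 from source and point /usr/bin/lua at it.
# The symlink target below is /application/lua-5.4.3, so this assumes the
# tarball is unpacked in /application — confirm before running.
tar zxf lua-5.4.3.tar.gz || exit 1
cd lua-5.4.3 || exit 1
# The 'test' target runs the freshly built src/lua -v, so a broken build
# is caught here rather than at the symlink step.
make all test || exit 1
# Replace the interpreter only if 'lua' does not already resolve to the
# version just built (Lua 5.1 prints its banner on stderr, 5.4 on stdout).
if ! lua -v 2>&1 | grep -q 'Lua 5.4.3'; then
  # ln -sf replaces the existing file/link in place; rm -rf on a path
  # under /usr/bin is not needed. NOTE(review): /usr/bin/lua belongs to the
  # yum 'lua' package, so a later package update will silently put the
  # packaged binary back; a link in /usr/local/bin (typically ahead of
  # /usr/bin in PATH) does not have that problem.
  ln -sf /application/lua-5.4.3/src/lua /usr/bin/lua
fi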
配置waf之后,nginx启动报错,如下所示:
nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/appdata/nginx/nginx/nginx/conf/waf/resty/core.lua'
no file '/appdata/nginx/nginx-1.21.4/site/lualib/resty/core.so'
no file '/appdata/nginx/nginx-1.21.4/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/appdata/nginx/nginx-1.21.4/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/appdata/nginx/nginx-1.21.4/site/lualib/resty.so'
no file '/appdata/nginx/nginx-1.21.4/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/appdata/nginx/nginx-1.21.4/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /appdata/nginx/nginx-1.21.4/nginx/conf/nginx.conf:205
解决方案只需要建立如下软链接,注意要改成你自己的目录
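# Makes resty/* resolvable from the waf directory that the error above lists
# first (/appdata/nginx/nginx/nginx/conf/waf/resty/core.lua). Adjust both
# paths to your install.
# -f -n: re-running replaces the link in place; plain ln -s would, on a
# second run, create a 'resty' link *inside* the existing link target.
# NOTE(review): the search list in the error shows .lua files looked up only
# under conf/waf, i.e. lua_package_path was set without a trailing ";;" and
# so replaced OpenResty's default path (which covers <prefix>/lualib/?.lua).
# Appending ";;" to lua_package_path in nginx.conf avoids the link entirely.
ln -sfn /appdata/nginx/nginx-1.21.4/lualib/resty /appdata/nginx/nginx/nginx/conf/waf/resty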
2 openresty
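# Unpack OpenResty and enter the bundled nginx source, which is patched by
# hand below. The absolute path assumes the tarball was extracted in /app —
# verify. A failed cd must stop here, otherwise the edits and the configure
# run that follow would hit whatever directory the shell happens to be in.
tar -xvzf openresty-1.21.4.1.tar.gz || exit 1
cd /app/openresty-1.21.4.1/bundle/nginx-1.21.4 || exit 1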
# Source-level rebranding of the bundled nginx. These are manual edits in
# the files named below; the lines shown are what to set, not commands.
# They have to be redone after every OpenResty upgrade. server_tokens off
# (base.conf on this page) already hides the version number; these edits
# additionally hide the product name.
# - 1. Hide the version: replace the three defines in src/core/nginx.h.
vim src/core/nginx.h
#define NGINX_VERSION "6666"
#define NGINX_VER "FW/" NGINX_VERSION ".6"
#define NGINX_VAR "FW"
# - 2. Change the Server response header string (around line 49).
vim src/http/ngx_http_header_filter_module.c
# 49 static u_char ngx_http_server_string[] = "Server: FW" CRLF;
# - 3. Change the footer strings of the built-in error pages (presumably the
#   "<hr><center>...</center>" lines around lines 22, 29 and 36); the
#   excerpt below lost everything except the replacement text "FW".
vim src/http/ngx_http_special_response.c
# 22 "
FW " CRLF
# ...
# 29 "
FW " CRLF
# ...
# 36 "
FW " CRLF
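# Unprivileged account for the worker processes (nginx.conf: user www www).
# Guarded so the block can be re-run on a host that already has them.
getent group www >/dev/null || groupadd www
# -M: no home directory; nologin shell: no interactive use of the account.
id -u www >/dev/null 2>&1 || useradd -s /sbin/nologin -g www -M www
# --with-luajit is an option of OpenResty's top-level ./configure, not of the
# bundled nginx's, and ../ngx_log_if-master resolves relative to that
# directory (i.e. /app/ngx_log_if-master, which this page does not show being
# downloaded — verify its origin and commit before compiling it into the
# binary). The previous step left the shell in bundle/nginx-1.21.4.
cd /app/openresty-1.21.4.1 || exit 1
./configure --prefix=/app/nginx-1.21.4 \
  --with-luajit --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --add-module=../ngx_log_if-master \
  --with-pcre --with-pcre-jit || exit 1
gmake || exit 1
gmake install || exit 1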
参考史上最全nginx 安装升级安全配置
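# Third-party modules that get compiled into the nginx binary. git and patch
# are needed here; gd/gd-devel by --with-http_image_filter_module below.
yum install -y git patch gd gd-devel || exit 1
cd /appdata/nginx || exit 1
# NOTE(review): these clones are unpinned (default-branch HEAD at clone time).
# Anything in them runs inside the nginx workers, so record a specific
# tag/commit, check it out, and review it before building.
git clone https://github.com/yzprofile/ngx_http_dyups_module.git || exit 1
git clone https://github.com/yaoweibin/nginx_upstream_check_module.git || exit 1
git clone https://github.com/vozlt/nginx-module-vts.git || exit 1
# nginx_upstream_check_module patch. A patch written for 1.20.1+ is applied
# to the bundled 1.21.4; patch exits non-zero on a rejected hunk, so its
# status must not be ignored.
cd /appdata/nginx/openresty-1.21.4.1/bundle/nginx-1.21.4 || exit 1
patch -p1 < /appdata/nginx/nginx_upstream_check_module/check_1.20.1+.patch || exit 1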
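# OpenResty's top-level ./configure, not the bundled nginx's: --with-luajit
# and --with-http_iconv_module are OpenResty options, and the ../ module
# paths resolve from /appdata/nginx/openresty-1.21.4.1 to the clones made in
# /appdata/nginx above (../ngx_log_if-master is not downloaded on this page).
# The patch step left the shell in bundle/nginx-1.21.4, so change directory.
cd /appdata/nginx/openresty-1.21.4.1 || exit 1
# --with-http_realip_module enables set_real_ip_from/real_ip_header, which
# the nginx.conf on this page does not use yet (see its $clientRealIp map).
./configure --prefix=/appdata/nginx/nginx-1.21.4 \
  --with-luajit \
  --with-pcre \
  --with-pcre-jit \
  --with-http_realip_module \
  --with-http_v2_module \
  --with-http_image_filter_module \
  --with-http_iconv_module \
  --with-stream_realip_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-http_slice_module \
  --with-http_sub_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --add-module=../nginx-module-vts \
  --add-module=../ngx_log_if-master \
  --add-module=../ngx_http_dyups_module \
  --add-module=../nginx_upstream_check_module \
  --without-http_autoindex_module || exit 1
# Build and install — the earlier build on this page does the same after its
# configure; without it the symlink below points at a prefix that does not
# exist yet.
gmake || exit 1
gmake install || exit 1
# Version-independent path used by the rest of the setup. -f -n: re-running
# replaces the link instead of creating one inside the existing target.
ln -sfn /appdata/nginx/nginx-1.21.4 /appdata/nginx/nginx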
3 nginx
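# Version-independent path; -f -n makes this safe to re-run.
ln -sfn /app/nginx-1.21.4 /app/nginx
# Write the unit in one step (the original cat/truncate/append sequence only
# differed in printing the old file first). Quoted delimiter: nothing in the
# body is expanded by the shell.
cat > /lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# Type=forking without PIDFile= leaves systemd guessing the main PID. nginx
# writes <prefix>/logs/nginx.pid by default and the nginx.conf on this page
# keeps the default (pid lines commented out) — confirm the path.
PIDFile=/app/nginx/nginx/logs/nginx.pid
# Refuse to (re)start on a broken configuration instead of leaving nginx down.
ExecStartPre=/app/nginx/nginx/sbin/nginx -t
ExecStart=/app/nginx/nginx/sbin/nginx
ExecReload=/app/nginx/nginx/sbin/nginx -s reload
ExecStop=/app/nginx/nginx/sbin/nginx -s stop

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
# Start on boot. (enable --now needs systemd >= 220; CentOS 7 ships 219.)
systemctl enable nginx
# The original start/stop/restart cycle only re-verified the unit; one
# restart reaches the same end state.
systemctl restart nginx
systemctl status nginx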
4 nginx的配置
# Main context. Workers run as the unprivileged www user created during the
# build (the master, started by systemd, stays root to bind 80/443). Keep the
# commented "user root" alternative out of production.
user www www;
#user root;
#user nginx nginx;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
# Level 'error' and above only; warn-level messages are dropped. The path is
# relative to the nginx prefix.
error_log logs/error.log error;
# pid file: left at the default, <prefix>/logs/nginx.pid (the original note
# gives /application/nginx/logs). The systemd unit on this page has no PIDFile.
#pid logs/nginx.pid;
#pid /var/run/nginx.pid;
# Four workers, each pinned to one CPU; both lines must be changed together on
# a host with a different core count ('auto' would size them from the host).
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
# Per-worker open-file limit; must cover worker_connections plus the files and
# upstream sockets a worker holds.
worker_rlimit_nofile 65535 ;
events {
# Linux event method (nginx would select it automatically).
use epoll;
# Per-worker connection cap; upstream connections count against it too.
worker_connections 2048;
}
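http {
include mime.types;
default_type application/octet-stream;
# Default vhost: a request whose Host matches no server_name below is
# redirected to the main site instead of being answered by the first vhost.
# ("default" was the deprecated spelling of default_server.)
server {
listen 80 default_server;
rewrite ^(.*) http://www.xxx.com/ permanent;
}
# Rewrite the ICP record number in response bodies (text/html only unless
# sub_filter_types is widened); first occurrence only.
sub_filter '鄂ICP备xxx号'
'鄂ICP备xxx号-1';
sub_filter_once on;
# Client IP used for logging and limiting: the first address in
# X-Forwarded-For, or the peer address when the header is absent.
# NOTE(review): X-Forwarded-For is whatever the sender put there unless a
# trusted proxy in front of nginx overwrites it, so on a listener clients can
# reach directly the limit_conn/limit_req keys below are chosen by the client.
# The realip module is compiled in on this page (--with-http_realip_module):
# set_real_ip_from <proxy address> plus real_ip_header X-Forwarded-For makes
# $remote_addr (or the smaller $binary_remote_addr) a trustworthy key and
# this map unnecessary.
map $http_x_forwarded_for $clientRealIp {
"" $remote_addr;
~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
}
#log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$remote_addr" ';
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent $request_body "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for" ';
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for" '
# '$connection $upstream_addr '
# '$upstream_response_time $request_time';
# Combined-style text format. The leading field is the raw X-Forwarded-For
# header (same caveat as above); the peer address is on the third line.
log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$remote_addr" '
'$connection $upstream_addr '
'$upstream_response_time $request_time';
#################################################
# logstash_json log format
#################################################
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_headerX_FORWARDED_PROTOhttps;
#proxy_set_headerHost $host;
#proxy_set_header X-Real-IP $remote_addr; # first-hop proxy: the real client IP
#proxy_set_header X-Real-IP $http_x_real_ip; # later hops: pass the header through
# escape=json (nginx >= 1.11.8) JSON-escapes '"', '\' and control characters
# in every variable. Without it a request whose URI, Referer or User-Agent
# contains a quote breaks the document — or injects fields — for whatever
# consumes this log (logstash, per the name). Bytes above 126 are written
# as \u00XX.
log_format logstash_json escape=json '{"@timestamp":"$time_iso8601",'
'"@source":"$server_addr",'
'"hostname":"$hostname",'
'"ip":"$clientRealIp",'
'"client":"$remote_addr",'
'"request_method":"$request_method",'
'"scheme":"$scheme",'
'"domain":"$server_name",'
'"referer":"$http_referer",'
'"request":"$request_uri",'
'"args":"$args",'
'"size":$body_bytes_sent,'
'"status": $status,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamaddr":"$upstream_addr",'
'"http_user_agent":"$http_user_agent",'
'"https":"$https",'
'"@version":"1",'
'"http_host":"$host",'
'"url":"$uri"'
'}';
#################################################
# WAF (lua) — currently disabled.
# NOTE(review): a lua_package_path without a trailing ";;" replaces
# OpenResty's default search path instead of extending it — consistent with
# the "module 'resty.core' not found" error in section 1, where .lua files
# were looked up only under conf/waf. Append ";;" when re-enabling.
#################################################
#lua_shared_dict limit 200m;
#lua_package_path "/application/nginx/nginx/conf/waf/?.lua";
#init_by_lua_file "/application/nginx/nginx/conf/waf/init.lua";
#access_by_lua_file "/application/nginx/nginx/conf/waf/access.lua";
#################################################
# Per-IP limiting: limit_conn_zone for concurrent connections and
# bandwidth, limit_req_zone for request rate
#################################################
# perip: keyed by $clientRealIp (see the map above); perserver: keyed by
# server name, i.e. a per-vhost cap. 130m of shared memory each (the
# original note puts it at about 16000 states per megabyte).
limit_conn_zone $clientRealIp zone=perip:130m;
limit_conn_zone $server_name zone=perserver:130m;
### Status returned when limit_req rejects a request. nginx accepts 400-599;
### 599 is non-standard, and clients and monitoring understand 429 better.
limit_req_status 599;
# allips: 200m of rate-limiter state, 1000 requests/s per key (the original
# note described an earlier 70m / 20r/s setting; the directive below is what
# is in force). Per-vhost usage, in a server block above its locations:
#limit_req zone=allips burst=20 nodelay;
#limit_conn perip 500 ;
#limit_conn perserver 3000 ;
#limit_rate 100k;
# burst=20: up to 20 requests over the rate are accepted (nodelay: served at
# once rather than spaced out); perip 500: max concurrent connections per
# key; perserver 3000: max concurrent connections for the whole vhost;
# limit_rate 100k: per-connection bandwidth cap of 100 KB/s.
limit_req_zone $clientRealIp zone=allips:200m rate=1000r/s;
#################################################
include extra/base.conf;
include extra/gzip.conf;
include extra/fastcgi.conf;
include extra/proxy.conf;
##-----------------------------------------------------###
##---------------------- sites ------------------------###
##-----------------------------------------------------###
include upstream/xxxx.com_.conf;
}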
base.conf
# base.conf — included from the http block.
# Server-name hash table size (see nginx's "Optimizations" notes).
server_names_hash_max_size 512 ;
######################################
# Zero-copy file sending
sendfile on;
# Send the response headers in one packet instead of one at a time
tcp_nopush on;
tcp_nodelay on;
######################################
# Hide the version in the Server header and on error pages (the source-level
# rename on this page additionally hides the product name)
server_tokens off;
######################################
# Timeouts — all 600 s.
# NOTE(review): every idle or slow client holds one of a worker's 2048
# connections for up to ten minutes, so a modest number of slow connections
# can pin a worker; common values are tens of seconds for keepalive and
# 10-30 s for the header/body reads. Confirm these values are required.
# Idle keep-alive connections are closed after this long
keepalive_timeout 600;
# Time allowed to receive the full request header; on expiry nginx returns 408
client_header_timeout 600;
# Time allowed between two successive reads of the request body; on expiry 408
client_body_timeout 600;
# Time allowed between two successive writes to the client (not for the whole
# response); if the client reads nothing in that window, nginx closes the connection
send_timeout 600;
######################################
######### Uploads ####################################
# Largest accepted request body; bigger requests get 413
client_max_body_size 105m;
## Request-body buffer; bodies larger than this are spooled to a temp file
client_body_buffer_size 32M;
##############################################
##############################################
gzip.conf
######################################
# gzip.conf — enable response compression
gzip on;
# Only compress responses larger than 1k
gzip_min_length 1k;
# 4 buffers of 16k for compression output
gzip_buffers 4 16k;
# Minimum HTTP version to compress for; the default (1.1) is fine today
#gzip_http_version 1.0;
# Compression level 1-9; 9 is slowest with the best ratio
gzip_comp_level 3;
# MIME types to compress (text, JavaScript, ...); text/html is always included.
#gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# NOTE(review): compressing dynamic responses that mix attacker-influenced
# input with secrets (CSRF tokens, session identifiers) exposes them to
# BREACH-style compression side channels. The list below is mostly static
# asset types; text/xml and text/plain can be dynamic — review before adding
# application/json for authenticated API responses.
gzip_types text/css text/xml application/javascript application/atom+xml application/rss+xml text/plain ;
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain copies apart
gzip_vary on;
# Disable gzip for IE 1-6, which mishandle it
gzip_disable "MSIE [1-6]\.";
# Also compress proxied responses, regardless of their request/response headers
gzip_proxied any;
# To verify: check Content-Encoding in responses (e.g. Firefox with Firebug/YSlow)
fastcgi.conf
# fastcgi.conf — included from the http block. The first three directives are
# generic hash/header tuning rather than FastCGI settings and arguably belong
# in base.conf.
#ceshi_config
server_names_hash_bucket_size 128;
# NOTE(review): 500k for the initial header buffer is unusually large (default
# 1k). It is allocated per connection when a request starts, i.e. memory any
# client can make nginx allocate before anything is authenticated; with
# worker_connections 2048 that is up to ~1 GB per worker.
client_header_buffer_size 500k;
large_client_header_buffers 8 32k;
# Timeout for establishing the connection to the FastCGI backend
fastcgi_connect_timeout 600;
# Timeout between two successive writes of the request to the backend
fastcgi_send_timeout 600;
# Timeout between two successive reads of the backend response
fastcgi_read_timeout 600;
# Buffer for the first part of the response (the headers)
fastcgi_buffer_size 128k;
# Number and size of buffers holding one connection's response body
fastcgi_buffers 8 128k;
# How much of the buffers may be busy sending to the client while the rest of
# the response is still being read
fastcgi_busy_buffers_size 256k;
# Max amount written to a temp file at a time when buffering spills to disk
fastcgi_temp_file_write_size 256k;
proxy.conf
# proxy.conf — included from the http block; applies to every proxy_pass.
# Pass upstream Location headers through unchanged
proxy_redirect off;
# Forward the original host:port, the peer address, and the X-Forwarded-For
# chain. $proxy_add_x_forwarded_for appends to a client-supplied header
# rather than replacing it, so backends must trust only the hop this proxy
# added, not the first entry.
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $http_x_forwarded_for;
# Backend connect (handshake) timeout; the nginx docs note this usually cannot
# exceed 75 s in practice, so 1500 is effectively capped by the OS
proxy_connect_timeout 1500;
# Timeout between two successive writes of the request to the backend
proxy_send_timeout 1500;
# Timeout between two successive reads of the backend response
proxy_read_timeout 1500;
# Buffer for the first part of the response (headers); only needs to fit them
proxy_buffer_size 128k;
# Number and size of buffers holding one connection's response body
proxy_buffers 4 128k;
# Buffers that may be busy sending to the client while the rest is still being
# read; the original note suggests 2x proxy_buffers under load
proxy_busy_buffers_size 128k;
# Max amount written to a temp file per write
proxy_temp_file_write_size 128k;
# Temp dir for spooled responses — must be writable by the worker user (www)
proxy_temp_path /app/nginx/nginx/temp;
# Disk cache definition: keys_zone=cache_one:5000m is shared memory for keys
# and metadata (not cached bodies, as the original note assumed); entries
# unused for 1d are dropped (the note said 15 days); 20g on disk. Nothing on
# this page enables it (no proxy_cache directive), so it is currently unused.
proxy_cache_path /app/nginx/nginx/cache levels=1:2 keys_zone=cache_one:5000m inactive=1d max_size=20g;
#proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
# Max temp file size; beyond it the rest of the response is passed synchronously
#proxy_max_temp_file_size 128m;
# NOTE(review): proxy_store writes every proxied response body — including
# the POST API responses shown in the section 6 error log — to a file under
# the location's root, via a temp file in proxy_temp_path that is renamed
# into place while the upstream is still being read. That is exactly the
# mkdir()/rename() "Permission denied" pattern logged there: the worker runs
# as www and the html directory is presumably root-owned from the install.
# It also leaves copies of dynamic, possibly sensitive responses on disk,
# world-readable via all:r, and nginx never serves them by itself. Unless
# mirroring static files is intended, remove both directives or scope them to
# a static-only location with a dedicated directory writable by www.
proxy_store on;
proxy_store_access user:rw group:rw all:r;
# Backend pool. ip_hash: a client sticks to one backend, keyed on the first
# three octets of $remote_addr (not on X-Forwarded-For, so the $clientRealIp
# map does not affect it). A backend is skipped for 5s after 3 failures.
# NOTE(review): the server blocks below proxy_pass to http://mi.xxx.com_pssl,
# which is not this pool's name (xxx.com_pssl). With the placeholders on this
# page that may be an anonymisation artefact, but an unknown upstream name is
# resolved through DNS at startup and fails the config test.
upstream xxx.com_pssl {
ip_hash;
server 10.101.10.123:9000 max_fails=3 fail_timeout=5s;
server 10.101.10.124:9000 max_fails=3 fail_timeout=5s;
server 10.101.10.125:9000 max_fails=3 fail_timeout=5s;
server 10.101.10.126:9000 max_fails=3 fail_timeout=5s;
}
# Per-site server blocks (the certificate example below is one of them)
include xxx/xxx.com_.conf;
带证书的配置
# Plain-HTTP listener: permanent redirect of every request to HTTPS on the
# same name, keeping the original URI. $server_name is the literal name
# declared here; using it rather than $host keeps a client-supplied Host
# header out of the redirect target.
server {
listen 80;
server_name mi.xxx.com;
return 301 https://$server_name$request_uri;
}
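server {
#listen 80;
listen 443 ssl http2;
client_max_body_size 100M;
charset utf-8;
#ssl on;
#ssl off;
# Per-IP / per-vhost limits from the zones declared in nginx.conf; keyed on
# $clientRealIp, i.e. X-Forwarded-For when the client sends one.
limit_req zone=allips burst=50 nodelay;
limit_conn perip 2000 ;
limit_conn perserver 3000 ;
limit_rate 300k;
server_name mi.xxx.com;
ssl_certificate /app/nginx/nginx/conf/xxx.com/crt/8813129_mi.xxx.com.pem;
# The key file should be readable only by the user that starts nginx (root).
ssl_certificate_key /app/nginx/nginx/conf/xxx.com/crt/8813129_mi.xxx.com.key;
ssl_session_cache shared:SSL:10m;
#ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
# Replaces "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", which
# started from ALL (every suite except eNULL) and removed only anonymous DH,
# so RC4, LOW/export-grade and static-RSA (no forward secrecy) suites were
# all still offered wherever the OpenSSL build has them. This keeps the HIGH
# suites and drops anonymous, MD5, RC4 and 3DES suites plus static RSA key
# exchange. TLS 1.3 suites are not governed by this directive.
ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!kRSA;
ssl_prefer_server_ciphers on;
index index.jsp default.jsp index.do default.do index.html index.htm index.php forum.php;
# JSON access log (format defined in nginx.conf); the jsonlogs directory is
# relative to the prefix and must exist.
access_log jsonlogs/mi.xxx.com.log logstash_json;
location / {
proxy_pass http://mi.xxx.com_pssl;
}
# Static assets: proxied, with a client cache lifetime. Regex locations are
# tried in order, so these two claim every listed extension before any
# regex location below them.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico|svg|flv|xml|webp)(.*)$
{
expires 15d;
proxy_pass http://mi.xxx.com_pssl;
}
location ~ .*\.(js|css|gzcss|gzjs)(.*)$
{
expires 5d;
proxy_pass http://mi.xxx.com_pssl;
}
# Block direct requests for the servlet container's WEB-INF directory.
# The original "location /(WEB-INF)/" was a prefix match on the literal
# string "/(WEB-INF)/" and never matched "/WEB-INF/..."; on top of that,
# /WEB-INF/web.xml ends in .xml and was proxied by the regex location above.
# "^~" is a prefix match that wins over every regex location, so ordering no
# longer matters. This is defence in depth only — the container itself must
# refuse to serve WEB-INF.
location ^~ /WEB-INF/ {
deny all;
}
# Effectively unreachable: every extension here is already claimed by the two
# regex locations above, so only a URI ending in a bare "." reaches it.
# Kept as-is.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico|svg|flv|js|css|gzcss|gzjs|webp)?$
{
if (-f $request_filename) {
expires 5d;
break;
}
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}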
5 时区
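# Set the system time zone to Asia/Shanghai. Everything here writes under
# /etc, so run the whole block as root rather than prefixing only some
# commands with sudo (the original mixed both; a redirection such as the
# heredoc below does not go through sudo anyway).
(( EUID == 0 )) || { printf 'run as root\n' >&2; exit 1; }
# Legacy sysconfig file. The key read by CentOS tooling is ZONE= (upper case);
# the original wrote Zone=, which is likely ignored. On CentOS 7
# `timedatectl set-timezone Asia/Shanghai` does all of this in one step —
# confirm which mechanism your tooling expects.
cat > /etc/sysconfig/clock <<'EOF'
ZONE=Asia/Shanghai
EOF
# -s -f -n replaces the existing link in place, so the original rm -fr is
# not needed.
ln -sfn /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Write the system time to the hardware clock (RTC)
hwclock -w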
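# NTP on Linux: ntpdate does a one-shot step adjustment, ntpd slews the clock
# gradually. The original note recommends ntpdate for a fresh server and ntpd
# for one already carrying live workloads.
# Run as root; the original mixed sudo and plain commands, but the
# redirection into /etc/ntp.conf needs root either way.
(( EUID == 0 )) || { printf 'run as root\n' >&2; exit 1; }
yum install -y ntp ntpdate || exit 1
# One-off sync; must run while ntpd is not yet bound to UDP/123. (The
# original 2 s sleep before it had no purpose and is dropped.)
ntpdate -u ntp2.aliyun.com
# Custom NTP configuration. Quoted delimiter: nothing is expanded.
cat > /etc/ntp.conf <<'EOF'
driftfile /var/lib/ntp/drift
# Default policy for remote hosts: serve time only — no modification, no
# traps, no peering and no mode-6/7 queries (with "disable monitor" below
# this also removes the monlist amplification exposure).
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
server ntp4.aliyun.com iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
ntpdate cn.pool.ntp.org
# Reminder: allow UDP/123 in the firewall / security group before starting.
systemctl start ntpd
# Start on boot
systemctl enable ntpd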
6 nginx错误日志
6.1 mkdir() rename()
nginx中error.log存在大量的相同的错误信息,这是什么原因造成的呢?从下面的日志看,很可能是 proxy.conf 里的 proxy_store on 让以 www 用户运行的 worker 进程把上游响应写入没有写权限的 html 目录所致。
2022/12/30 15:51:23 [crit] 26809#0: *6116 mkdir() "/appdata/nginx/nginx-1.21.4/nginx/html/xd/code2Session" failed (13: Permission denied) while reading upstream, client: 222.182.0.45, server: bsel.bsspirit.cn, request: "POST /xd/code2Session HTTP/1.1", upstream: "http://192.168.0.8:8352/xd/code2Session", host: "bsel.bsspirit.cn", referrer: "https://servicewechat.com/wx6e1b2f6e41df803b/30/page-frame.html"
2022/12/30 15:58:45 [crit] 26810#0: *45765 rename() "/appdata/nginx/nginx/nginx/temp/0000022147" to "/appdata/nginx/nginx-1.21.4/nginx/html/bsmgr/bskj" failed (13: Permission denied) while reading upstream, client: 121.60.87.242, server: bs.bsspirit.cn, request: "POST /bsmgr/bskj HTTP/1.1", upstream: "http://192.168.0.103:8080/bsmgr/bskj", host: "bs.bsspirit.cn"
2022/12/30 15:58:45 [crit] 26808#0: *45569 rename() "/appdata/nginx/nginx/nginx/temp/0000022148" to "/appdata/nginx/nginx-1.21.4/nginx/html/bsmgr/bskj" failed (13: Permission denied) while reading upstream, client: 183.93.17.160, server: bs.bsspirit.cn, request: "POST /bsmgr/bskj HTTP/1.1", upstream: "http://192.168.0.103:8080/bsmgr/bskj", host: "bs.bsspirit.cn"
^C