Node.js is an open source JavaScript runtime environment for easily building server-side and networking applications. The platform runs on Linux, OS X, FreeBSD, and Windows, and its applications are written in JavaScript. Node.js applications can be run at the command line, but we will teach you how to run them as a service, so they will automatically restart on reboot or failure and you can use them in a production environment.
In this tutorial, we will cover setting up a production-ready Node.js environment that is composed of two CentOS 7 servers; one server will run Node.js applications managed by PM2, while the other will provide users with access to the application through an Nginx reverse proxy to the application server.
The Ubuntu version of this tutorial can be found here.
This guide uses two CentOS 7 servers with private networking (in the same datacenter). Private networking can be configured on new servers when they are being created (in the Select additional options section). We will refer to them by the following names:
app: The server where we will install the Node.js runtime, your Node.js application, and PM2.
web: The server where we will install the Nginx web server, which will act as a reverse proxy to your application. Users will access this server’s public IP address to get to your Node.js application.
Note: Refer to the DigitalOcean Documentation - How to Enable Private Networking on Droplets if you intend on using an existing server that doesn’t currently have private networking configured.
Before you begin this guide, you should have a regular, non-root user with sudo privileges configured on both of your servers; this is the user that you should log in to your servers as. You can learn how to configure a regular user account by following our initial server setup guide for CentOS 7.
Commands executed on the app server and commands executed on the web server are each labelled as such below.
It is possible to use a single server for this tutorial, but you will have to make a few changes along the way. Simply use the localhost IP address, i.e. 127.0.0.1, wherever the app server’s private IP address is used.
Here is a diagram of what your setup will be after following this tutorial:
If you want to be able to access your web server via a domain name, instead of its public IP address, purchase a domain name then follow these tutorials:
How To Set Up a Host Name with DigitalOcean
How to Point to DigitalOcean Nameservers From Common Domain Registrars
Let’s get started by installing the Node.js runtime on the app server.
We will install the latest LTS release of Node.js on the app server.
SSH to your app server using the regular, non-root user with sudo privileges.
On the app server, let’s use curl to download the NodeSource RPM Repository configuration file:
curl will use the HTTPS protocol to download the setup script to your server, with the output including information relevant to the download:
Output
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11109 100 11109 0 0 70128 0 --:--:-- --:--:-- --:--:-- 70757
Next, you should inspect the script’s contents. The following command will open the NodeSource setup script in your server’s console, which you can then cross-reference with the NodeSource setup script (from the NodeSource Distributions GitHub repository) to confirm that the script downloaded properly:
Once satisfied with the file, exit vi by typing :q to quit and return to the command line.
Now let’s run the setup script to install the NodeSource RPM Repository. This will enable us to access NodeSource’s repository from within the yum package manager:
The script outputs information on the setup for our reference:
Output
## Installing the NodeSource Node.js 10.x repo...
## Inspecting system...
+ rpm -q --whatprovides redhat-release || rpm -q --whatprovides centos-release || rpm -q --whatprovides cloudlinux-release || rpm -q --whatprovides sl-release
+ uname -m
## Confirming "el7-x86_64" is supported...
+ curl -sLf -o /dev/null 'https://rpm.nodesource.com/pub_10.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm'
## Downloading release setup RPM...
+ mktemp
+ curl -sL -o '/tmp/tmp.2aCcULVx8n' 'https://rpm.nodesource.com/pub_10.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm'
## Installing release setup RPM...
+ rpm -i --nosignature --force '/tmp/tmp.2aCcULVx8n'
## Cleaning up...
+ rm -f '/tmp/tmp.2aCcULVx8n'
## Checking for existing installations...
+ rpm -qa 'node|npm' | grep -v nodesource
## Run `sudo yum install -y nodejs` to install Node.js 10.x and npm.
## You may also need development tools to build native addons:
sudo yum install gcc-c++ make
## To install the Yarn package manager, run:
curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
sudo yum install yarn
Before installing Node.js it is important to clean all the cached information from yum. Clearing the cache will ensure that yum uses the network connection to get Node.js from our new NodeSource Repository (which will prevent any potential conflicts caused by outdated packages):
Next we will download and make usable all the metadata for the currently enabled yum repos. This will ensure that our yum queries are completed as quickly as possible:
To compile and install native add-ons from npm we also need to install build tools:
Now we can install the latest release of the Node.js package:
Verify that Node is installed by checking its version with this command:
Your output will show the version number you’re running:
Output
v10.16.3
The Node.js runtime is now installed, and ready to run an application. Let’s write a Node.js application.
Now we will create a Hello World application that simply returns "Hello World" to any HTTP requests. This is a sample application that will help you get Node.js set up, which you can replace with your own application; just make sure that you modify your application to listen on the appropriate IP addresses and ports.
Because we want our Node.js application to serve requests that come from our reverse proxy server (web) we will use our app server’s private network interface for inter-server communication. Look up your app server’s private network address.
If you are using a DigitalOcean Droplet as your server, you may look up the server’s private IP address through the Metadata service. On the app server, use the curl command to retrieve the IP address now:
You will want to copy the output (the private IP address), as it will be used to configure the Node.js application.
Next, create and open your Node.js application for editing. For this tutorial, we will use vi to edit a sample application called hello.js:
Insert the following code into the file, and be sure to substitute the app server’s private IP address for both of the highlighted APP_PRIVATE_IP_ADDRESS items. If you want to, you may also replace the highlighted port, 8080, in both locations (be sure to use a non-admin port, i.e. 1024 or greater):
// Load the built-in HTTP module; no npm packages are needed.
const http = require('http');

// Answer every request with a plain-text "Hello World" and a 200 status.
http.createServer(function (req, res) {
    res.writeHead(200, {'Content-Type': 'text/plain'});
    res.end('Hello World\n');
}).listen(8080, 'APP_PRIVATE_IP_ADDRESS'); // bind only to the private interface

console.log('Server running at http://APP_PRIVATE_IP_ADDRESS:8080/');
Now save and exit by pressing ESC to exit --INSERT-- mode, followed by :wq to write and quit in a single command.
This Node.js application simply listens on the specified IP address and port, and returns "Hello World" with a 200 HTTP success code. Because it binds to the private address rather than to all interfaces, the application is only reachable from servers on the same private network, such as our web server.
If you want to test if your application works, run this node command on the app server:
Note: Running a Node.js application in this manner will block additional commands until the application is killed by pressing CTRL+C.
It will save a lot of Nginx debugging if we first test that our web server is able to communicate with the Node.js application on app.
In order to test the application, open another terminal session and connect to your web server. Because the web server is on the same private network, it should be able to reach the private IP address of the app server using curl. Be sure to substitute in the app server’s private IP address for APP_PRIVATE_IP_ADDRESS, and the port if you changed it:
curl http://APP_PRIVATE_IP_ADDRESS:8080
If you see the following output, the application is working properly and listening on the proper IP address and port:
Node Application Output
Hello World
If you do not see the proper output, make sure that your Node.js application is running, and configured to listen on the proper IP address and port.
On the app server, be sure to kill the application by pressing CTRL+C.
Now we will install PM2, which is a process manager for Node.js applications. PM2 provides an easy way to manage and daemonize applications (run them as a service).
We will use Node Packaged Modules (NPM), which is basically a package manager for Node modules that installs with Node.js, to install PM2 on our app server. Use this command to install PM2:
We will cover a few basic uses of PM2.
The first thing you will want to do is use the pm2 start command to run your application, hello.js, in the background:
pm2 start hello.js
This also adds your application to PM2’s process list, which is outputted every time you start an application:
Output
┌──────────┬────┬──────┬───────┬────────┬─────────┬────────┬─────────────┬──────────┐
│ App name │ id │ mode │ pid │ status │ restart │ uptime │ memory │ watching │
├──────────┼────┼──────┼───────┼────────┼─────────┼────────┼─────────────┼──────────┤
│ hello │ 0 │ fork │ 30099 │ online │ 0 │ 0s │ 14.227 MB │ disabled │
└──────────┴────┴──────┴───────┴────────┴─────────┴────────┴─────────────┴──────────┘
As you can see, PM2 automatically assigns an App name (based on the filename, without the .js extension) and a PM2 id. PM2 also maintains other information, such as the PID of the process, its current status, and memory usage.
Applications that are running under PM2 will be restarted automatically if the application crashes or is killed, but an additional step needs to be taken to get the application to launch on system startup (boot or reboot). Luckily, PM2 provides an easy way to do this, the startup subcommand.
The startup subcommand generates and configures a startup script to launch PM2 and its managed processes on server boots. You must also specify the init system you are running on, which is systemd, in our case:
You will see output like the following, which indicates that the PM2 service has been installed:
Output
[PM2] Generating system init script in /etc/systemd/system/pm2.service
[PM2] Making script booting at startup...
[PM2] -systemd- Using the command:
su root -c "pm2 dump && pm2 kill" && su root -c "systemctl daemon-reload && systemctl enable pm2 && systemctl start pm2"
[PM2] Dumping processes
[PM2] Stopping PM2...
[PM2] All processes have been stopped and deleted
[PM2] PM2 stopped
[PM2] Done.
To ensure PM2 knows which applications to start on boot, we need to save the current process list. To save the list:
You will see output like the following, which indicates that the PM2 process list has been saved:
Output
[PM2] Saving current process list...
[PM2] Successfully saved in /home/deployer/.pm2/dump.pm2
Now your PM2-managed applications should start automatically on boot.
PM2 provides many subcommands that allow you to manage or look up information about your applications. Note that running pm2 without any arguments will display a help page, including example usage, that covers PM2 usage in more detail than this section of the tutorial.
Stop an application with this command (specify the PM2 App name or id):
pm2 stop example
Restart an application with this command (specify the PM2 App name or id):
pm2 restart example
The list of applications currently managed by PM2 can also be looked up with the list subcommand:
More information about a specific application can be found by using the info subcommand (specify the PM2 App name or id):
pm2 info example
The PM2 process monitor can be pulled up with the monit subcommand. This displays the application status, CPU, and memory usage:
Note: Running PM2’s monit command will block additional commands until the monitor is closed by pressing CTRL+C.
Now that your Node.js application is running, and managed by PM2, let’s set up the reverse proxy.
Now that your application is running, and listening on a private IP address, you need to set up a way for your users to access it. We will set up an Nginx web server as a reverse proxy for this purpose. This tutorial will set up an Nginx server from scratch. If you already have an Nginx server set up, you can just copy the location block into the server block of your choice (make sure the location does not conflict with any of your web server’s existing content).
On the web server, let’s install the epel-release package using yum:
Then install Nginx:
Now open the Nginx configuration file for editing:
First, find the line where server_name is defined, within the default server block. It should look something like this:
server_name _;
Update the server name to substitute the underscore (_) with your own domain name for the server_name directive (or IP address if you don’t have a domain set up).
server_name your-domain;
Then, find the line where location / is defined (usually a few lines below the server_name), within the same default server block. It should look something like this:
location / {
}
Replace it with the following code block and be sure to substitute the app server private IP address for the APP_PRIVATE_IP_ADDRESS. Additionally, change the port (8080) if your application is set to listen on a different port:
location / {
    proxy_pass http://APP_PRIVATE_IP_ADDRESS:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}
This configures the web server to respond to requests at its root. Assuming our server is available at your-domain, accessing http://your-domain/ via a web browser would send the request to the application server’s private IP address on port 8080, which would be received and replied to by the Node.js application.
You can add additional location blocks to the same server block to provide access to other applications on the same web server. For example, if you were also running another Node.js application on the app server on port 8081, you could add this location block to allow access to it via http://your-domain/app2:
location /app2 {
    proxy_pass http://APP_PRIVATE_IP_ADDRESS:8081;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}
Once you are done editing the location block(s) for your application(s), save and exit by pressing ESC to exit --INSERT-- mode, followed by :wq to write and quit in a single command.
On the web server, restart Nginx:
Next we want to ensure that Nginx runs whenever the server restarts:
The enable command should provide the following output:
Output
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
You can also confirm that Nginx is running and is enabled, by requesting its status from systemctl:
The status command will output configuration information for the Nginx service:
Output
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-10-14 09:37:23 UTC; 3min 29s ago
Main PID: 12818 (nginx)
CGroup: /system.slice/nginx.service
├─12818 nginx: master process /usr/sbin/nginx
└─12819 nginx: worker process
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 nginx[12814]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 nginx[12814]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 systemd[1]: Failed to read PID from file /run/nginx.pid: Invalid argument
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 systemd[1]: Started The nginx HTTP and reverse proxy server.
Finally, provide Nginx with the ability to relay traffic through Security-Enhanced Linux (SELinux). SELinux provides a security layer that implements Mandatory Access Control (MAC) in the Linux Kernel. Each operating system object (process, file descriptor, file, etc.) is labeled with an SELinux context that defines the permissions and operations the object can perform.
Nginx is labelled with the httpd_t context and as a result has a number of configurations blocked by SELinux unless explicitly allowed. To demonstrate this, run the following command to confirm the Nginx service is labelled httpd_t:
This command provides process status information; search for the Nginx-specific process entries to see the label. You will see httpd_t in a similar manner to the following:
Output
...
system_u:system_r:httpd_t:s0 10208 ? 00:00:00 nginx
system_u:system_r:httpd_t:s0 10209 ? 00:00:00 nginx
...
Now let’s check the status of the default booleans related to the httpd_t SELinux label. We can show this information by running the following command:
We are only interested in the httpd related booleans for this tutorial:
Output
...
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
...
The two booleans of particular note are httpd_can_network_connect and httpd_can_network_relay. The Red Hat documentation provides detail on each of the httpd booleans and their associated function, should you wish to find out more about each boolean; the following are the explanations of the two booleans that relate to this tutorial:
...
httpd_can_network_connect: When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to a network or remote port. Enable this Boolean to allow this access.
httpd_can_network_relay: Enable this Boolean when httpd is being used as a forward or reverse proxy.
...
Since our configuration is only relaying traffic, we just need to tell SELinux that the httpd server, in our case Nginx, can use the network to relay traffic in the reverse proxy configuration that we have set up. We will use the -P flag to ensure that the change is permanent (omitting this flag will result in httpd_can_network_relay reverting to its default state, off, upon restart of the server):
Assuming that your Node.js application is running, and your application and Nginx configurations are correct, you should be able to access your application via the reverse proxy of the web server. Try it out by accessing your web server’s URL (its public IP address or domain name).
Note: If you were also planning on using your web server to host other sites (as conventional virtual hosts), then you will also need to set httpd_can_network_connect to on.
You now have your Node.js application running behind an Nginx reverse proxy. This reverse proxy setup is flexible enough to provide your users access to other applications or static web content that you want to share.
Also, if you are looking to encrypt transmissions between your web server and your users, here is a tutorial that will help you get HTTPS (TLS/SSL) support set up.
Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-centos-7