nginx安装和简单配置说明

nginx安装|nginx简单配置说明

nginx

nginx 下载链接

nginx 稳定版本 github 链接

nginx 源码安装 make 配置参数

nginx 核心模块配置参数参考文档

注意: 本次安装测试环境为 Centos7.9

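# Download the source tarball together with its detached PGP signature.
wget https://nginx.org/download/nginx-1.26.2.tar.gz
wget https://nginx.org/download/nginx-1.26.2.tar.gz.asc
# Verify the tarball before unpacking or building it. The signer's public key
# must first be imported from the PGP keys page on nginx.org; without it
# gpg cannot confirm the signature and reports an error.
gpg --verify nginx-1.26.2.tar.gz.asc nginx-1.26.2.tar.gz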
# Build prerequisites: the C/C++ toolchain and make, plus the development
# headers for PCRE/PCRE2, zlib and OpenSSL.
yum install -y \
  gcc gcc-c++ make \
  pcre-devel pcre2-devel \
  zlib-devel openssl-devel

nginx 源码安装配置:nginx 源码安装配置参数参考文档

修改文件 src/http/ngx_http_header_filter_module.c 大概 49-51 行:

/* Upstream definitions of the three "Server:" response-header strings:
 * a bare product name, one built from NGINX_VER and one built from
 * NGINX_VER_BUILD. Each ends with CRLF. */
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;

改为自定义服务和版本:

/* Customised "Server:" header strings: the two versioned variants are
 * hard-coded to "nginx/x.x.x" instead of expanding NGINX_VER and
 * NGINX_VER_BUILD; the bare "Server: nginx" string is left as it was. */
/* NOTE(review): this only masks the banner. The running release is unchanged,
 * so upstream security releases still have to be tracked and applied (and this
 * patch re-applied on every rebuild). The stock `server_tokens off;` directive
 * hides the version number without a source patch. */
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: nginx/x.x.x" CRLF;
static u_char ngx_http_server_build_string[] = "Server: nginx/x.x.x" CRLF;

再修改文件 src/core/nginx.h 中的版本宏定义:

/* Upstream version macros of this release: a numeric form (1026002), the
 * string form ("1.26.2") and NGINX_VER, which prefixes the string with
 * "nginx/". */
#define nginx_version      1026002
#define NGINX_VERSION      "1.26.2"
#define NGINX_VER          "nginx/" NGINX_VERSION

/* Upper-case product name. */
#define NGINX_VAR          "NGINX"

改为自定义版本:

/* Customised version macros: NGINX_VERSION becomes the placeholder "x.x.x",
 * so NGINX_VER expands to "nginx/x.x.x" wherever it is used. */
/* NOTE(review): nginx_version is the numeric version, which module code can
 * compare against at build time (presumably also when loading dynamic
 * modules, TODO confirm). An arbitrary value such as 1234567 may therefore
 * mislead third-party modules; changing only the NGINX_VERSION string looks
 * sufficient for the displayed text, so verify before altering the number. */
#define nginx_version      1234567
#define NGINX_VERSION      "x.x.x"
#define NGINX_VER          "nginx/" NGINX_VERSION

/* Upper-case product name, unchanged from upstream. */
#define NGINX_VAR          "NGINX"

nginx 功能类参数:

参数 说明
--prefix=path 默认是 /usr/local/nginx
--with-http_ssl_module SSL 支持
--with-http_v2_module HTTP2 支持
--with-http_realip_module Nginx 位于反向代理之后时,该模块可让 Nginx 获知客户端的真实 IP(应配合 set_real_ip_from 只信任代理服务器的地址)
--with-http_gunzip_module 对不支持 gzip 编码的客户端解压缩响应。
--with-http_gzip_static_module gzip 静态资源

nginx 编译需先配置生成 Makefile 文件,有关配置参数:

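# Unpack the release tarball and enter the source tree.
tar -zxf nginx-1.26.2.tar.gz
cd nginx-1.26.2

# Generate the Makefile. No --prefix is given, so the default install prefix
# applies. Enabled here: the stream (TCP/UDP) core with its SSL and realip
# modules, PCRE, and the HTTP SSL, HTTP/2, realip, gzip_static and stub_status
# modules. (--with-stream_realip_module was previously listed twice.)
./configure \
  --with-stream \
  --with-pcre \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_gzip_static_module \
  --with-stream_ssl_module \
  --with-stream_realip_module \
  --with-http_stub_status_module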
  

默认会把 nginx 安装到 /usr/local/nginx 目录

# Compile
make
# Install (into /usr/local/nginx by default)
make install
nginx -s signal

signal 信号参数如下:

  • stop :快速关闭
  • quit :优雅关闭
  • reload :重新加载配置,默认 /usr/local/nginx/conf/nginx.conf
  • reopen :重新打开日志文件

注意: 默认 nginx 配置文件路径 /usr/local/nginx/conf/nginx.conf

启动 nginx :

# Start nginx; no configuration file is named, so the default
# /usr/local/nginx/conf/nginx.conf is used.
/usr/local/nginx/sbin/nginx

测试访问:

# Request only the response headers (-I) to check that the server answers and
# that the Server header carries the customised version string.
curl -I http://10.10.10.90/

HTTP/1.1 200 OK
Server: nginx/x.x.x
Date: Mon, 13 Jan 2025 16:31:05 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Mon, 13 Jan 2025 16:26:05 GMT
Connection: keep-alive
ETag: "67853e9d-267"
Accept-Ranges: bytes

nginx systemd 服务配置:/usr/lib/systemd/system/nginx.service

默认 nginx 配置文件:/usr/local/nginx/conf/nginx.conf

# systemd unit for the source-built nginx installed under /usr/local/nginx.
[Unit]
Description=Nginx HTTP Server
# Order the service after basic network setup.
After=network.target
Wants=network.target

[Service]
# Type=forking: the ExecStart process is expected to fork and exit, leaving the
# daemon running in the background.
# NOTE(review): no PIDFile= is set, so systemd has to guess the main PID.
# Consider adding PIDFile= with the pid file location of this build (it depends
# on the --pid-path configure setting; confirm the path before adding it).
Type=forking
# Test the configuration first; if the test fails the service is not started.
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
# Reload re-reads the configuration; stop uses the graceful "quit" signal.
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
Restart=on-failure
# Give the service its own private /tmp and /var/tmp.
# NOTE(review): this is the only sandboxing option in the unit. Further systemd
# hardening (e.g. NoNewPrivileges=, ProtectSystem=) could be evaluated, but it
# must be tested against the log and pid files nginx writes below
# /usr/local/nginx.
PrivateTmp=true

[Install]
WantedBy=multi-user.target

重新加载 nginx.service 服务配置:

# Make systemd re-read its unit files so the new nginx.service is picked up.
systemctl daemon-reload

nginx 服务管理:

# Show the current state of the service.
systemctl status nginx
# Start the service (runs the ExecStartPre configuration test first).
systemctl start nginx

nginx 配置文件自动生成配置链接

nginx 配置文件自动生成配置链接1

nginx 配置文件自动生成配置链接2

# Main nginx.conf: one worker process, one plain-HTTP default server, plus any
# extra configuration files found under conf.d/.

# NOTE(review): while the user directive stays commented out, the worker
# processes run under the account nginx was built to use by default; confirm
# which account that is, or set a dedicated one explicitly.
#user  nobody;
worker_processes  1;

events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections  1024;
}

http {
    # Map file extensions to MIME types; anything unknown is served as a
    # generic binary download.
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # Default server on port 80, serving static files from the html directory.
    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }

        # Serve a static page for upstream/server errors.
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }  
    }
    
    # Pull in every *.conf file from conf.d (e.g. per-site server blocks).
    # NOTE(review): anything able to write into this directory controls the
    # server configuration; keep it writable by root only.
    include  /usr/local/nginx/conf/conf.d/*.conf;
}

创建 nginx 工作进程使用的系统用户:

# Create a system account (-r) named nginx whose shell is /sbin/nologin, so it
# cannot be used for interactive logins.
useradd -s /sbin/nologin -r nginx

nginx 配置:

# Run the worker processes as the dedicated nginx account.
user  nginx;

默认配置:

# HTTPS virtual host serving static files, plus a port-80 server that redirects
# to HTTPS.
# NOTE(review): the names do not line up. This server answers for example.com,
# the redirect below targets ssl.labs.com, and the certificate script on this
# page issues for *.labs.yzx. Align server_name, the redirect target and the
# certificate's subjectAltName before use.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Logging: buffered access log, error log at "warn" level and above.
    # NOTE(review): nothing shown on this page creates /var/log/nginx; confirm
    # the directory exists, otherwise the configuration test fails.
    access_log  /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log   /var/log/nginx/error.log warn;

    # Compression for text-like response types.
    # NOTE(review): compressing HTTPS responses that mix secrets with
    # request-controlled content is the precondition for BREACH-style leaks;
    # fine for static files, review before enabling for dynamic applications.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript;

    # TLS session reuse: shared server-side cache, session tickets disabled.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Mozilla Intermediate configuration: TLS 1.2/1.3 with AEAD cipher suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Certificate and private key.
    # NOTE(review): the key file is unencrypted if produced by the script on
    # this page; keep it readable by root only.
    ssl_certificate /usr/local/nginx/ssl/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/ssl/server.key;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

# HTTP redirect: every plain-HTTP request for labs.com or a subdomain is sent
# to the HTTPS site with a permanent (301) redirect, keeping the request URI.
server {
    listen      80;
    listen      [::]:80;
    server_name .labs.com;

    location / {
        return 301 https://ssl.labs.com$request_uri;
    }
}
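#!/bin/bash
#
# Create a private root CA and a server certificate signed by it (lab use).
#
# All files are written to ./${BASE_DIR}, which is deleted and recreated on
# every run, so the previous CA key and every certificate issued from it are
# discarded each time.
#
# Outputs: ca.key ca.pem ca.crt(DER) server.key server.csr server.crt
#          server.p12 server.pem

set -euo pipefail

BASE_DIR=ssl
# Quoted so the wildcard can never be subject to pathname expansion.
# A wildcard name covers one label below labs.yzx, not the bare domain itself.
SERVER_DOMAIN='*.labs.yzx'

# The private keys are written unencrypted (-nodes); create every file
# unreadable for other users and re-open only the public ones at the end.
umask 077

# ${BASE_DIR:?} aborts if the variable is empty instead of expanding to
# nothing; under `set -e` a failed cd stops the script, so no key material is
# written into an unexpected directory.
rm -rf -- "${BASE_DIR:?}"
mkdir -p -- "${BASE_DIR}"
cd -- "${BASE_DIR}"

# create root CA
openssl genrsa -out ca.key 4096

# Extension section for the root certificate. The file is passed to
# `openssl req` with -config below; previously it was written but never
# referenced, and it declared CA:FALSE, which contradicts keyCertSign for a
# certificate that has to sign others. The [req] stanza is there only because
# `openssl req` expects a distinguished_name section in its configuration; the
# subject itself comes from -subj.
cat <<'EOF' > v3_ca
[req]
distinguished_name=req_dn

[req_dn]

[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Subject format example:
# /C=US/ST=California/L=San Francisco/O=My Root CA/CN=My Root CA
# C=country/ST=state or province/L=locality/O=organisation/
# OU=organisational unit/CN=site domain name/emailAddress=e-mail address
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Self/OU=Self/CN=Ssl Self Sign Root CA" \
  -config v3_ca \
  -extensions v3_ca \
  -key ca.key \
  -out ca.pem

# DER copy of the root certificate for import into client trust stores.
openssl x509 -outform der -in ca.pem -out ca.crt

# domain cert: extensions for the leaf certificate, including the
# subjectAltName that clients match the host name against.
cat <<EOF > server_ext_file
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names

[alt_names]
DNS.1=${SERVER_DOMAIN}
EOF

openssl genrsa -out server.key 4096

openssl req -sha512 -new -nodes \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SelfServer/OU=SelfServer/CN=${SERVER_DOMAIN}" \
  -key server.key \
  -out server.csr

# Sign the CSR with the root CA.
openssl x509 -req -sha512 -days 3650 \
  -extfile server_ext_file \
  -CA ca.pem -CAkey ca.key -CAcreateserial \
  -in server.csr \
  -out server.crt

# PKCS#12 bundle of the server key and certificate; openssl prompts for an
# export password here. The bundle contains the private key.
openssl pkcs12 -export -clcerts -out server.p12 -inkey server.key -in server.crt

# PEM copy of the server certificate under the file name the nginx
# configuration references.
openssl x509 -inform PEM -in server.crt -out server.pem

# Certificates are public; make them readable again. ca.key, server.key and
# server.p12 stay owner-only. Keep ca.key off the web server where possible:
# whoever holds it can issue certificates that every client trusting this root
# will accept.
chmod 644 ca.pem ca.crt server.crt server.pem

# Clients must import ca.crt into their "Trusted Root Certification
# Authorities" store; trusting the root is what validates server.crt.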
