nginx 使用指南

nginx 使用指南

包管理器安装

https://nginx.org/en/linux_packages.html#RHEL-CentOS

cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

yum install yum-utils
nano /etc/yum.repos.d/nginx.repo
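# Official nginx package repositories for RHEL/CentOS.
# gpgcheck=1 verifies every package against the nginx signing key. The
# repository metadata itself is not signed here, so it is fetched over HTTPS
# instead of plain HTTP to keep it from being altered in transit.
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

# Mainline branch; disabled by default (enabled=0).
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true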
# 默认 stable 切换成 mainline
yum-config-manager --enable nginx-mainline
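# `//` does not start a comment in the shell; the text after it was being
# passed to yum as extra arguments. Shell comments start with `#`.
yum clean all   # remove cached repository metadata and packages
yum makecache   # download repository metadata into the local cache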
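# Confirm which nginx packages the enabled repositories offer, install, then
# print the build options of the installed binary.
yum list | grep nginx
yum install nginx -y
nginx -V
# List the files installed by the nginx package to locate the configuration
# directory. (The original used `//` as a comment marker, which rpm would have
# treated as additional package names to query.)
rpm -ql nginx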
systemctl enable nginx
systemctl start nginx
systemctl status nginx

编译安装

  • Nginx编译参数解析

--prefix #nginx安装目录,默认在/usr/local/nginx
--pid-path #pid文件位置,默认在logs目录
--lock-path #lock文件位置,默认在logs目录
--with-http_ssl_module #开启HTTP SSL模块,以支持HTTPS请求。
--with-http_dav_module #开启WebDAV扩展动作模块,可为文件和目录指定权限
--with-http_flv_module #支持对FLV文件的拖动播放
--with-http_realip_module #支持显示真实来源IP地址
--with-http_gzip_static_module #预压缩文件传前检查,防止文件被重复压缩
--with-http_stub_status_module #取得一些nginx的运行状态
--with-mail #允许POP3/IMAP4/SMTP代理模块
--with-mail_ssl_module #允许POP3/IMAP/SMTP可以使用SSL/TLS
--with-pcre=../pcre-8.11 #注意是未安装的pcre路径
--with-zlib=../zlib-1.2.5 #注意是未安装的zlib路径
--with-debug #允许调试日志
--http-client-body-temp-path #客户端请求临时文件路径
--http-proxy-temp-path #设置http proxy临时文件路径
--http-fastcgi-temp-path #设置http fastcgi临时文件路径
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi #设置uwsgi 临时文件路径
--http-scgi-temp-path=/var/tmp/nginx/scgi #设置scgi 临时文件路径
  • 实操记录

安装依赖

yum install wget gcc gcc-c++ pcre pcre-devel openssl openssl-devel zlib zlib-devel perl-core

下载 Nginx

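cd /usr/local/src
# Fetch the source tarball and its detached PGP signature over HTTPS, and
# unpack only if the signature verifies. The signer's public key has to be in
# the local GnuPG keyring first (nginx publishes its release keys on nginx.org).
# NOTE(review): 1.16.1 is the release this guide was written against; check
# nginx.org for the current stable version before building.
wget https://nginx.org/download/nginx-1.16.1.tar.gz
wget https://nginx.org/download/nginx-1.16.1.tar.gz.asc
gpg --verify nginx-1.16.1.tar.gz.asc nginx-1.16.1.tar.gz && tar xf nginx-1.16.1.tar.gz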

下载 openssl

# Unpack the OpenSSL source inside the nginx source tree so that
# --with-openssl=openssl-1.1.1f can refer to it by relative path.
cd /usr/local/src/nginx-1.16.1
# NOTE(review): the tarball is unpacked without any integrity check; compare it
# against the checksum or PGP signature published by the OpenSSL project first.
# NOTE(review): the OpenSSL 1.1.1 series has reached end of life upstream;
# confirm a currently supported version before building.
wget https://www.openssl.org/source/openssl-1.1.1f.tar.gz
tar xf openssl-1.1.1f.tar.gz

创建 nginx 启动用户

groupadd -r nginx
useradd -r -g nginx -s /bin/false -M nginx

编译Nginx

$ cd /usr/local/src/nginx-1.16.1/
# Configure nginx to run its workers as the unprivileged nginx user/group,
# install under /usr/local/nginx, and compile OpenSSL in from the source tree
# unpacked next to it. --with-debug only compiles debug logging in; it produces
# output when error_log is set to the debug level.
./configure --user=nginx \
--group=nginx \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-debug \
--with-openssl=openssl-1.1.1f

# NOTE(review): the options below are NOT part of the ./configure command
# above: the previous option line has no trailing backslash and a blank line
# follows it. Presumably they are optional path overrides; to use them, place
# them before the final option of the command.
--conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/sbin/nginx \
--error-log-path=/var/log/nginx/error_log \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-log-path=/var/log/nginx/access_log \

$ make
$ make install

设置nginx软链

ln -sv /usr/local/nginx/sbin/nginx /usr/local/sbin/

开机启动

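# The init script comes from a third-party host over plain HTTP and will run as
# root at every boot. Download it to a scratch location and read it before
# installing, instead of writing it straight into /etc/init.d/. The script
# listed in the next section of this guide can be used to create the file by
# hand instead of downloading it.
cd /usr/local/src
wget -O nginx.init http://down.whsir.com/downloads/nginx
less nginx.init
# Install only after review: root-owned, not writable by anyone else.
install -o root -g root -m 0755 nginx.init /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
chkconfig --list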

启动脚本

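#! /bin/sh
# chkconfig: 2345 55 25
# Description: Startup script for nginx webserver on Debian. Place in /etc/init.d and
# run 'update-rc.d -f nginx defaults', or use the appropriate command on your
# distro. For CentOS/Redhat run: 'chkconfig --add nginx'

### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx by invoking the nginx binary directly
### END INIT INFO

# Usage: nginx {start|stop|restart|reload|status|configtest|force-quit|kill}
# Exit status: 0 on success, 1 on failure or unknown action,
#              3 from "status" when nginx is not running.

# Fixed PATH so the script does not depend on the caller's environment.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=nginx
NGINX_BIN=/usr/local/nginx/sbin/$NAME
CONFIGFILE=/usr/local/nginx/conf/$NAME.conf
# Not referenced below; kept because other tooling may read it.
PIDFILE=/usr/local/nginx/logs/$NAME.pid

# Prefer ss when present, otherwise fall back to netstat.
if [ -s /bin/ss ]; then
  StatBin=/bin/ss
else
  StatBin=/bin/netstat
fi

# Succeeds when a listening TCP socket is owned by a process whose name
# contains $NAME. The check is by name only, so any other process with
# "nginx" in its name is counted as well.
is_running() {
  "$StatBin" -tnpl | grep -q "$NAME"
}

case "$1" in
  start)
    printf 'Starting %s... ' "$NAME"

    if is_running; then
      echo "$NAME (pid $(pidof "$NAME")) already running."
      exit 1
    fi

    if "$NGINX_BIN" -c "$CONFIGFILE"; then
      echo " done"
    else
      echo " failed"
      exit 1
    fi
    ;;

  stop)
    printf 'Stopping %s... ' "$NAME"

    if ! is_running; then
      echo "$NAME is not running."
      exit 1
    fi

    if "$NGINX_BIN" -s stop; then
      echo " done"
    else
      echo " failed. Use force-quit"
      exit 1
    fi
    ;;

  status)
    if is_running; then
      echo "$NAME (pid $(pidof "$NAME")) is running..."
    else
      echo "$NAME is stopped."
      # 3 is the LSB "program is not running" status; the original returned 0
      # here, which made running and stopped indistinguishable to callers.
      exit 3
    fi
    ;;

  force-quit|kill)
    printf 'Terminating %s... ' "$NAME"

    if ! is_running; then
      echo "$NAME is stopped."
      exit 1
    fi

    # pidof may print several PIDs; word splitting is intentional here.
    # shellcheck disable=SC2046
    if kill $(pidof "$NAME"); then
      echo " done"
    else
      echo " failed"
      exit 1
    fi
    ;;

  restart)
    # A failed stop (for example "not running") does not prevent the start.
    "$0" stop
    sleep 1
    "$0" start
    ;;

  reload)
    printf 'Reload service %s... ' "$NAME"

    if ! is_running; then
      echo "$NAME is not running, can't reload."
      exit 1
    fi

    # Report the real outcome; the original printed " done" unconditionally.
    if "$NGINX_BIN" -s reload; then
      echo " done"
    else
      echo " failed"
      exit 1
    fi
    ;;

  configtest)
    printf 'Test %s configure files... ' "$NAME"

    # Test the same file that "start" loads.
    "$NGINX_BIN" -t -c "$CONFIGFILE"
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|reload|status|configtest|force-quit|kill}"
    exit 1
    ;;

esac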

常用命令

$ nginx -t
$ nginx -s reload
$ nginx -s stop

卸载

首先输入命令 ps -ef | grep nginx 检查一下nginx服务是否在运行

kill -9 id（id 为上一步查到的进程号；建议先用 nginx -s stop 或 kill -TERM 正常停止，进程无响应时再使用 kill -9）

执行命令 find / -name nginx 查找所有名为 nginx 的文件和目录（-name nginx 是精确匹配；若要查找名字中包含 nginx 的文件，需使用 -name '*nginx*'）

反代配置

# Reverse-proxy requests under /speed/ to the backend. Because proxy_pass ends
# with a URI part ("/"), the matched /speed/ prefix is replaced by "/" in the
# request sent upstream. "ip:port" is a placeholder for the backend address.
location /speed/ {
proxy_pass http://ip:port/;
proxy_redirect off;
# Forward the original Host header and the connecting client's address.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# value the client sent, so only the last entry is set by this proxy; the
# backend should not trust the earlier entries.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

TLS 1.3

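ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;

# The original listed TLSv1.2 twice, so TLS 1.3 was never enabled.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# RSA+3DES was removed from the end of the list: 3DES is a 64-bit block cipher
# and should not be offered.
# NOTE(review): the RSA+AES128+SHA / RSA+AES256+SHA entries use static RSA key
# exchange (no forward secrecy); drop them unless legacy clients need them.
# NOTE(review): the TLS13+... entries do not look like stock OpenSSL cipher
# keywords; presumably they rely on a patched OpenSSL build. Confirm the
# negotiated suites with `nginx -t` and an external TLS scan.
ssl_ciphers TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+ECDSA+AESGCM+AES128:EECDH+ECDSA+CHACHA20:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:EECDH+aRSA+AESGCM+AES128:EECDH+aRSA+CHACHA20:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA;
ssl_session_timeout 5m;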

测试站点 https://www.ssllabs.com/ssltest/

包管理器编译参数

$ cd /usr/local/src/nginx-1.16.1/
./configure --user=nginx \
--group=nginx \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-openssl=openssl-1.1.1f \
--with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Configuration summary
+ using threads
+ using system PCRE library
+ using OpenSSL library: openssl-1.1.1f
+ using system zlib library

nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib64/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"
nano /usr/lib/systemd/system/nginx.service
# systemd unit for the nginx build configured above
# (binary /usr/sbin/nginx, configuration /etc/nginx/nginx.conf).
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
# Start only after the network is up and name resolution is available.
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
# Type=forking with PIDFile: systemd takes the main PID from the pid file,
# which must match the pid path nginx was built or configured with.
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
# HUP asks the master process to reload its configuration; TERM shuts it down.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

docker 运行

  • 参考
docker login

nano Dockerfile
docker build -t nginx:v1 ./

docker commit [容器ID] [image name]

docker tag [容器ID] [用户名]/[images name]
docker tag [image name]:[版本 tag] [用户名]/[iamge name]:[版本 tag]

docker push findthewayxf/[image name]:[版本 tag]
  • 运行
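# Run nginx from the custom image with configuration, web root and TLS material
# bind-mounted from the host. The mounts are read-only (:ro) so that a
# compromised nginx process cannot modify its own configuration, the site
# content, or the private keys under /var/www/ssl/.
# NOTE(review): --net=host shares the host's network namespace, so nginx in the
# container listens directly on the host's interfaces; publish only the needed
# ports instead if that isolation matters.
docker run -d --name=nginx --net=host --restart=always \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /etc/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro \
-v /var/www/html/:/var/www/html/:ro \
-v /var/www/ssl/:/var/www/ssl/:ro \
findthewayxf/my-nginx:latest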
  • 映射配置文件
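# Main nginx configuration mounted into the container as /etc/nginx/nginx.conf.
# Worker processes run as the unprivileged www-data user and group.
user  www-data www-data;
pid /run/nginx.pid;

worker_processes auto;
worker_rlimit_nofile 100000;

events {
    worker_connections 100000;
    multi_accept on;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 64 4k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    keepalive_timeout 60;
    client_header_timeout 60;
    client_body_timeout 60;
    reset_timedout_connection on;
    types_hash_max_size 2048;

    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_types text/plain
               text/javascript
               text/css
               text/js
               text/xml
               text/x-component
               text/x-json
               font/opentype
               application/x-font-ttf
               application/javascript
               application/x-javascript
               application/x-web-app-manifest+json
               application/json
               application/atom+xml
               application/xml
               application/xml+rss
               application/xhtml+xml
               application/vnd.ms-fontobject
               image/svg+xml
               image/x-icon;

    # NOTE(review): the brotli_* directives come from the third-party ngx_brotli
    # module, which is not among the configure options shown in this guide;
    # confirm the image includes it, otherwise nginx will reject this file.
    brotli on;
    brotli_static on;
    brotli_comp_level 6;
    brotli_buffers 16 8k;
    brotli_min_length 20;
    brotli_window 16m;
    brotli_types *;

    # NOTE(review): with access logging off at the http level there is no
    # request record for troubleshooting or incident investigation unless a
    # server block turns it back on; confirm this is intended.
    access_log off;
    # "error_log off" does not disable error logging: nginx treats "off" as a
    # file name and writes the log to a file called "off". Log to the regular
    # error log at warn level instead.
    error_log /var/log/nginx/error.log warn;

    include /etc/nginx/conf.d/*.conf;
}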
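# Redirect every plain-HTTP request to the HTTPS site.
server {
    listen 80;
    server_name harlon.me;
    return 301 https://$server_name$request_uri;
}

# HTTPS site serving static content from /var/www/html.
server {
    listen 443 ssl reuseport;
    server_name harlon.me;
    root /var/www/html;

    ssl_certificate /var/www/ssl/harlon.me.cer;
    ssl_certificate_key /var/www/ssl/harlon.me.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # RSA+3DES was removed from the end of the list: 3DES is a 64-bit block
    # cipher and should not be offered.
    # NOTE(review): the RSA+AES128+SHA / RSA+AES256+SHA entries use static RSA
    # key exchange (no forward secrecy); drop them unless legacy clients need
    # them.
    # NOTE(review): the TLS13+... entries do not look like stock OpenSSL cipher
    # keywords; presumably they rely on a patched OpenSSL build. Confirm.
    ssl_ciphers TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+ECDSA+AESGCM+AES128:EECDH+ECDSA+CHACHA20:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:EECDH+aRSA+AESGCM+AES128:EECDH+aRSA+CHACHA20:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA;

    ssl_session_timeout 10m;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_buffer_size 1400;

    # Images: served from /var/www/blog, cached by clients for one day.
    location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
        root /var/www/blog;
        access_log off;
        expires 1d;
    }

    # Other static assets: cached by clients for ten minutes.
    location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
        root /var/www/html;
        access_log off;
        expires 10m;
    }

    location / {
        root /var/www/html;
        # NOTE(review): this rewrite maps the URI onto itself, so it looks like
        # a no-op; confirm before removing.
        if (-f $request_filename) {
            rewrite ^/(.*)$ /$1 break;
        }
    }

    # stub_status reports connection and request counters. Without an access
    # rule it is readable by anyone who can reach the site, so it is limited
    # to requests from the local host.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

}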