Nginx 安装部署 & 项目实践
Nginx 官方文档(中文) (opens new window)
# 编译安装
# 1.安装依赖
需要 ROOT 权限和可访问的 YUM 源
yum install gcc gcc-c++ openssl openssl-devel pcre pcre-devel zlib zlib-devel patch make
1
# 2.编译安装
解压相应的 tar.gz 二进制包(ngx_http_proxy_connect_module 是正向代理访问 https 所需模块),然后将模块放在固定的位置,进入 nginx-1.20.1
mkdir -pv /app/service/nginx/modules && mkdir -pv /app/logs/nginx
tar -zxvf nginx-1.20.1.tar.gz && tar -zxvf ngx_http_proxy_connect_module-0.0.2.tar.gz
mv ngx_http_proxy_connect_module-0.0.2 /app/service/nginx/modules/ngx_http_proxy_connect
cd nginx-1.20.1
patch -p1 < /app/service/nginx/modules/ngx_http_proxy_connect/patch/proxy_connect_rewrite_1018.patch
1
2
3
4
5
2
3
4
5
打完补丁以后,进行编译安装
./configure \
--prefix=/app/service/nginx \
--conf-path=/app/conf/nginx/nginx.conf \
--error-log-path=/app/logs/nginx/error.log \
--http-log-path=/app/logs/nginx/access.log \
--user=app \
--group=app \
--with-compat \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--add-dynamic-module=/app/service/nginx/modules/ngx_http_proxy_connect
make && make install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
安装完成以后,上面已经指定了安装目录,我们 -v、-D 查看下版本信息和编译信息
/app/service/nginx/sbin/nginx -v
1
# 配置文件
# 1.基本结构
main ##全局配置,对全局生效 ├── events ##配置影响 Nginx 服务器或与用户的网络连接 ├── http ##配置代理,缓存,日志定义等绝大多数功能和第三方模块的配置 │ ├── upstream ##配置后端服务器具体地址,负载均衡配置不可或缺的部分 │ ├── server ##配置虚拟主机的相关参数,一个 http 块中可以有多个 server 块 │ ├── server │ │ ├── location ##server 块可以包含多个 location 块,location 指令用于匹配 uri │ │ ├── location │ │ └── ... │ └── ... └── ...
# 2.语法规则
- 配置文件由指令与指令块构成
- 每条指令以“;”分号结尾,指令与参数间以空格符号分隔
- 指令块以 {} 大括号将多条指令组织在一起
- include 语句允许组合多个配置文件以提升可维护性
- 通过 ## 符号添加注释,提高可读性
- 通过 $ 符号使用变量
- 部分指令的参数支持正则表达式,例如常用的 location 指令
# 3.内置变量
常用的内置全局变量,可以在配置中随意使用
# 4.配置实例
配置文件:vi /app/conf/nginx/nginx.conf
worker_processes auto;
error_log /app/logs/nginx/error.log notice;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
##access_log /wechat/logs/nginx/error.log main;
sendfile on;
##tcp_nopush on;
##隐藏错误页版本号
server_tokens off;
client_max_body_size 100m;
client_body_buffer_size 128k;
client_header_buffer_size 256k;
large_client_header_buffers 4 256k;
types_hash_max_size 3096;
keepalive_timeout 60s;
keepalive_requests 80920;
##支持 WebSocket
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 65;
proxy_buffer_size 4k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_max_temp_file_size 128m;
proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 5;
gzip_proxied any;
gzip_types text/css application/javascript application/xml text/plain application/x-font-ttf ;
server {
server_name localhost;
listen 80;
##日志文件
access_log /app/logs/nginx/eteng_access.log main;
error_log /app/logs/nginx/eteng_log error;
if ($request_uri ~* .*\.\.\/.* ) {
return 403 "forbidden";
}
##默认主页
location / {
root html;
index index.html index.htm;
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# 正向代理
PS.要使用到 Nginx 的正向代理功能访问 https 网站需要在编译时添加 ngx_http_proxy_connect_module 模块
mkdir /app/conf/nginx/vhost
vi /app/conf/nginx/vhost/proxy.conf
1
2
2
# 1.配置文件
server {
resolver 223.5.5.5 114.114.114.114;
resolver_timeout 10s;
listen 10086;
access_log /app/logs/nginx/https_proxy_access.log;
error_log /app/logs/nginx/https_proxy_error.log;
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
proxy_set_header Host $host;
proxy_pass $scheme://$host$request_uri;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0k;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_next_upstream error timeout invalid_header http_502;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# 2.使用验证
然后去其他机器进行测试:
curl -v https://qyapi.weixin.qq.com/cgi-bin/gettoken -x xxx.xxx.xxx.xxx:10086
1
设置当前用户环境变量:~/.bashrc,继承 /etc/profile 中的变量
echo 'export https_proxy=xxx.xxx.xxx.xxx:10086' >> ~/.bashrc
echo 'export no_proxy="localhost, 127.0.0.1, ::1"' >> ~/.bashrc
echo 'export no_proxy="xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx"' >> ~/.bashrc
source ~/.bashrc
1
2
3
4
2
3
4
# 日常运维
# 1.开机自启
创建开机启动命令脚本文件(需要 ROOT 权限):vi /etc/init.d/nginx
##! /bin/bash
## chkconfig: - 85 15
PATH=/app/service/nginx
DESC="nginx daemon"
NAME=nginx
DAEMON=$PATH/sbin/$NAME
CONFIGFILE=/app/conf/$NAME.conf
PIDFILE=$PATH/$NAME.pid
scriptNAME=/etc/init.d/$NAME
set -e
[ -x "$DAEMON" ] || exit 0
do_start() {
$DAEMON -c $CONFIGFILE || echo -n "nginx already running"
}
do_stop() {
$DAEMON -s stop || echo -n "nginx not running"
}
do_reload() {
$DAEMON -s reload || echo -n "nginx can't reload"
}
case "$1" in
start)
echo -n "Starting $DESC: $NAME"
do_start
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME"
do_stop
echo "."
;;
reload|graceful)
echo -n "Reloading $DESC configuration..."
do_reload
echo "."
;;
restart)
echo -n "Restarting $DESC: $NAME"
do_stop
do_start
echo "."
;;
*)
echo "Usage: $scriptNAME {start|stop|reload|restart}" >&2
exit 3
;;
esac
exit 0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# 2.其他命令
##创建软连接(root 权限运行)
ln -s /app/midware/nginx/sbin/nginx /usr/bin/
##启动 Nginx
nginx
##重载 Nginx
nginx -s reload
##重启 Nginx
nginx -s reopen
##关闭 Nginx
nginx -s stop
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
SSL 网站
server {
listen 443 ssl; ## TCP listener for HTTP/1.1
listen 443 http3 reuseport; ## UDP listener for QUIC+HTTP/3
ssl_protocols TLSv1.3; ## QUIC requires TLS 1.3
ssl_certificate ssl/www.example.com.crt;
ssl_certificate_key ssl/www.example.com.key;
add_header Alt-Svc 'quic=":443"'; ## Advertise that QUIC is available
add_header QUIC-Status $quic; ## Sent when QUIC was used
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
网页编辑 (opens new window)
最近提交: 2023/03/22, 11:52:35