I. Installing nginx by compiling from source
Uses the configure, make (compile) and make install (install the compiled software) commands.
1. Download the tarball from the official site www.nginx.org; the stable release is the better choice.
Before installing, make sure gcc is present on the system. Check whether gcc is installed:
rpm -q gcc
2. tar zxf nginx-1.12.0.tar.gz
3. yum install -y pcre-devel
4. yum install -y openssl-devel
5. useradd -M -d /usr/local/lnmp/nginx -s /sbin/nologin -u 800 nginx ## create the nginx user
6. cd nginx-1.12.0 ## the configure script is in this directory
7. ./configure --prefix=/usr/local/lnmp/nginx --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_stub_status_module ## configure the build
[root@server1 sbin]# curl localhost -I
HTTP/1.1 200 OK
Server: nginx/1.12.0 ## the version is disclosed here; that is unsafe, since it amounts to announcing exactly which version is running and inviting attacks on it
Date: Wed, 19 Jul 2017 03:59:11 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 19 Jul 2017 03:57:23 GMT
Connection: keep-alive
ETag: "596ed8a3-264"
Accept-Ranges: bytes
[root@server1 nginx]# pwd
/usr/local/lnmp/nginx
[root@server1 nginx]# du -sh ## because the default build includes debug info, the install is fairly large; dropping the debug flag from the build shrinks the program to a few hundred KB
The detailed steps are as follows:
[root@server1 nginx-1.12.0]# cd src/core/
[root@server1 core]# vim nginx.h ## remove the version number in this file
[root@server1 nginx-1.12.0]# cd auto/cc/
[root@server1 cc]# ls
acc bcc ccc clang conf gcc icc msvc name owc sunc
[root@server1 cc]# vim gcc ## the default build includes debug info, which makes it large; remove the debug flag here
[root@server1 nginx-1.12.0]# ./configure --prefix=/usr/local/lnmp/nginx --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_stub_status_module ## a successful configure produces no error output
[root@server1 nginx-1.12.0]# make && make install
[root@server1 nginx-1.12.0]# cd /usr/local/lnmp/nginx/sbin/
[root@server1 sbin]# ./nginx ##打開nginx
[root@server1 sbin]# cd /usr/local/lnmp/nginx/
[root@server1 nginx]# du -sh
960K .
[root@server1 sbin]# pwd
/usr/local/lnmp/nginx/sbin
[root@server1 sbin]# ln -s /usr/local/lnmp/nginx/sbin/nginx /sbin/ ## create a symlink
[root@server1 sbin]# which nginx
/sbin/nginx
[root@server1 sbin]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6060/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 976/master
tcp 0 0 172.25.38.1:22 172.25.38.250:39568 ESTABLISHED 1040/sshd
tcp 0 0 172.25.38.1:22 172.25.38.250:39572 ESTABLISHED 1067/sshd
tcp 0 0 :::22 :::* LISTEN 900/sshd
tcp 0 0 ::1:25 :::* LISTEN 976/master
Test:
[root@server1 sbin]# curl -I localhost
HTTP/1.1 200 OK
Server: nginx/
Date: Wed, 19 Jul 2017 04:07:59 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 19 Jul 2017 04:05:33 GMT
Connection: keep-alive
ETag: "596eda8d-264"
Accept-Ranges: bytes
### When installing with yum, inspect the package's install scripts to guard against rogue software ###
Taking httpd as an example:
[root@server1 lnmp]# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh): ### script run before installation ##
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
useradd -r -u 48 -g apache -s /sbin/nologin \
-d /var/www -c "Apache" apache
exit 0
postinstall scriptlet (using /bin/sh): ### script run after installation ##
# Register the httpd service
/sbin/chkconfig --add httpd
/sbin/chkconfig --add htcacheclean
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
/sbin/service httpd stop > /dev/null 2>&1
/sbin/chkconfig --del httpd
/sbin/service htcacheclean stop > /dev/null 2>&1
/sbin/chkconfig --del htcacheclean
fi
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
/sbin/service httpd condrestart >/dev/null 2>&1 || :
[root@server1 lnmp]# rpm -qi httpd ### show information about httpd ##
Name : httpd Relocations: (not relocatable)
Version : 2.2.15 Vendor: Red Hat, Inc.
Release : 29.el6_4 Build Date: Fri 02 Aug 2013 08:03:06 PM CST
Install Date: Wed 19 Jul 2017 09:34:59 AM CST Build Host: x86-002.build.bos.redhat.com
Group : System Environment/Daemons Source RPM: httpd-2.2.15-29.el6_4.src.rpm
Size : 3075393 License: ASL 2.0
Signature : RSA/8, Mon 12 Aug 2013 09:49:45 PM CST, Key ID 199e2f91fd431d51
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
-------------------------------------------------------------------------------------------------------
II. Binding nginx worker processes to CPUs
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
Content:
worker_processes 2; ## start two nginx worker processes
worker_cpu_affinity 01 10; ## the first process is pinned to the first CPU core, the second to the second core
events {
worker_connections 65535; ## maximum connections per worker process; must not exceed fs.file-max
}
2 nginx -t ## check the configuration file for syntax errors
3 nginx -s reload ## reload nginx
4 vim /etc/security/limits.conf ## the limit only takes effect when written in this file
nginx - nofile 65535
Test:
Switch to the nginx user and run ulimit -a
(before switching, give the nginx user a login shell: usermod -s /bin/bash nginx)
[root@server1 ~]# su - nginx
-bash-4.1$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 14868
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65535 ### the value has changed to 65535 ###
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 1024
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
-bash-4.1$
## nginx -s reload ## the mask has as many digits as there are cores: 2 cores use 01, 4 cores 0001, 8 cores 00000001, and so on ###
[root@server1 conf]# sysctl -a | grep file ### sysctl -a shows all kernel parameters ###
fs.file-nr = 512 0 188464
fs.file-max = 188464
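As an added example (not from the original post), this shell snippet applies the mask rule above to any core count and checks worker_connections against fs.file-max; the fs.file-max value passed in the comments is the one from the sysctl output above, and the function falls back to the live value when none is given.

```shell
# Added example: build worker_cpu_affinity masks (one bit per core, one mask
# per worker, rightmost bit is CPU 0) and sanity-check worker_connections.
cpu_affinity_masks() {
    cores=$1
    i=0
    out=""
    while [ "$i" -lt "$cores" ]; do
        mask=""
        j=$((cores - 1))
        while [ "$j" -ge 0 ]; do
            # bit j is set only for worker i
            if [ "$j" -eq "$i" ]; then mask="${mask}1"; else mask="${mask}0"; fi
            j=$((j - 1))
        done
        out="${out}${out:+ }${mask}"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Emit the two nginx.conf lines for a given core count, e.g. render_worker_config 2
# prints "worker_processes 2;" and "worker_cpu_affinity 01 10;".
render_worker_config() {
    printf 'worker_processes %s;\nworker_cpu_affinity %s;\n' "$1" "$(cpu_affinity_masks "$1")"
}

# worker_connections must not exceed fs.file-max. $2 is the file-max value;
# it defaults to the live sysctl so the check can run on the real host
# (e.g. check_worker_connections 65535 188464 uses the value shown above).
check_worker_connections() {
    wanted=$1
    file_max=${2:-$(sysctl -n fs.file-max)}
    if [ "$wanted" -gt "$file_max" ]; then
        echo "worker_connections $wanted exceeds fs.file-max $file_max"
        return 1
    fi
    echo "worker_connections $wanted fits within fs.file-max $file_max"
}
```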
--------------------------------------------------------------------------------------------------------
III. Setting up nginx virtual hosts
Default document root:
/usr/local/lnmp/nginx/html
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
Content: note that this block must be written inside the http block
server {
listen 80; ## listen on port 80
server_name www.westos.org; ## server name (domain)
location / { ## web root location
root /web1; ## document root
index index.html; ## name of the file to serve
}
}
nginx -t ## check for syntax errors
nginx -s reload ## reload
2 mkdir /web1
3 vim /web1/index.html
Content:
<h1>www.westos.org</h1>
4 nginx -s reload
Test:
[root@server1 conf]# vim /etc/security/limits.conf
Append as the last line:
nginx - nofile 65535 ## after adding this, the nginx user's open files limit shows as 65535
[root@server1 web1]# nginx -s reload
[root@server1 web1]# cd /usr/local/lnmp/
[root@server1 lnmp]# ls
nginx
[root@server1 lnmp]# cd nginx/
[root@server1 nginx]# ls
client_body_temp fastcgi_temp logs sbin uwsgi_temp
conf html proxy_temp scgi_temp
[root@server1 nginx]# cd html/
[root@server1 html]# ls
50x.html index.html
--------------------------------------------------------------------------------------------------------
IV. http ----> https
The port is 443. Before configuring, confirm that openssl and openssl-devel are installed; they were installed earlier for the source build, so there is no need to install them again here.
To keep traffic between server and client encrypted and prevent an eavesdropper in the middle from reading it, access the site over https. For internal-only access you can issue your own certificate.
Certificate issuance, method 1:
cd /etc/pki/tls/private
openssl genrsa 2048 > localhost.key ## generate the private key
cd /etc/pki/tls/certs/
make testcert ## generate the certificate
[Process: make testcert
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:[email protected]
]
Certificate issuance, method 2:
make cert.pem ## generate the key and certificate together in one file
mv /etc/pki/tls/certs/cert.pem /usr/local/lnmp/nginx/conf/ ### the nginx configuration refers to it by a relative path, so move it into the configuration directory ###
vim /usr/local/lnmp/nginx/conf/nginx.conf
*************************************
server {
listen 443 ssl;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
**************************************
nginx -s reload
[root@server1 conf]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 13909/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 917/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 993/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 13909/nginx ## after the steps above, port 443 is now listening
tcp 0 0 172.25.39.1:22 172.25.39.250:35764 ESTABLISHED 1042/sshd
tcp 0 0 :::22 :::* LISTEN 917/sshd
tcp 0 0 ::1:25 :::* LISTEN 993/master
[Process: make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
........................................................+++
..............................+++
writing new private key to '/tmp/openssl.UVFnm7'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:[email protected]
]
Test:
Visit https://172.25.78.1
--------------------------------------------------------------------------------------------------------
V. Web redirect
When www.westos.org is visited, rewrite the request to https://www.westos.org
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
Content:
server {
listen 443 ssl;
server_name www.westos.org;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /web1;
index index.html index.htm;
}
}
server {
listen 80;
server_name www.westos.org;
rewrite ^(.*)$ https://www.westos.org$1 permanent; ### redirect whatever URL was entered to https://www.westos.org; permanent means a permanent redirect, redirect means a temporary one ###
location / {
proxy_pass http://westos; ### defaults to round-robin
}
}
--------------------------------------------------------------------------------------------------------
VI. Monitoring connections
The --with-http_stub_status_module module was compiled in when nginx was built from source; it provides nginx status monitoring.
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
Content:
server {
listen 80;
server_name localhost;
location /status { ## /status exposes the monitoring module that was compiled in at build time
stub_status on;
access_log off;
allow 172.25.38.2; ## allow host 172.25.38.2 to connect
deny all; ## deny every host other than 172.25.38.2; allow and deny are evaluated in order, first match wins
}
}
2 nginx -s reload
Test:
Visit http://172.25.38.1/status
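As an added example (not part of the original post), this shell snippet parses the text that /status returns and flags dropped connections or high utilization; the responses are constructed samples, and the capacity figure assumes the worker_processes 2 / worker_connections 65535 settings from section II.

```shell
# Added example: turn stub_status output into alertable numbers.
# Constructed healthy response (field layout is stub_status's own).
STATUS_HEALTHY='Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106'

# Constructed degraded response: 8 accepted connections were never handled
# and the active count sits near the 2 * 65535 capacity.
STATUS_DEGRADED='Active connections: 131000
server accepts handled requests
 16630948 16630940 31070465
Reading: 6 Writing: 179 Waiting: 106'

# Print key=value pairs. "dropped" is accepts minus handled: connections nginx
# could not serve, usually because worker_connections or the open-files limit
# (the nofile setting from limits.conf) was reached.
parse_stub_status() {
    printf '%s\n' "$1" | awk '
        /^Active connections:/ { print "active=" $3 }
        /^ *[0-9]+ +[0-9]+ +[0-9]+ *$/ {
            print "accepts=" $1; print "handled=" $2; print "requests=" $3
            print "dropped=" ($1 - $2)
        }
        /^Reading:/ { print "reading=" $2; print "writing=" $4; print "waiting=" $6 }
    '
}

# $1: status text, $2: capacity (worker_processes * worker_connections),
# $3: alert threshold in percent. Returns 1 when an alert is warranted.
check_status_capacity() {
    active=$(parse_stub_status "$1" | sed -n 's/^active=//p')
    dropped=$(parse_stub_status "$1" | sed -n 's/^dropped=//p')
    pct=$((active * 100 / $2))
    if [ "$dropped" -gt 0 ] || [ "$pct" -ge "$3" ]; then
        echo "ALERT active=$active (${pct}% of $2) dropped=$dropped"
        return 1
    fi
    echo "OK active=$active (${pct}% of $2) dropped=$dropped"
}

# Live use from an allowed host (not run here):
# check_status_capacity "$(curl -s http://172.25.38.1/status)" $((2 * 65535)) 80
```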
--------------------------------------------------------------------------------------------------------
VII. Load balancing
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
Content:
http {
upstream westos { ## westos is just an alias for the backend group
server 172.25.38.2:80; ## backend server, port 80
server 172.25.38.3:8080; ## backend server, port 8080
server 127.0.0.1:8000 backup; ## when every backend is down, serve the local index.html (which says the system is under maintenance...)
## the backup directive is usually left disabled
}
server {
listen 80;
server_name www.westos.org;
location / {
proxy_pass http://westos; ### defaults to round-robin
}
}
}
2 vim /var/www/html/index.html
Content:
The system is under maintenance...