本文基于CentOS6.10
- 安装pcre-devel
- 如启用了ssl模块(--with-http_ssl_module),则需安装openssl-devel包【yum install openssl-devel -y】
编译安装nginx常用配置项介绍
- 属性
--prefix=<path> :Nginx安装路径。不指定,则默认为 /usr/local/nginx。
--sbin-path=<path> :Nginx可执行文件安装路径。只能安装时指定,不指定,默认为 <prefix>/sbin/nginx。
--conf-path=<path> :没有给定-c选项下默认的nginx.conf的路径。不指定,默认为 <prefix>/conf/nginx.conf。
--pid-path=<path> :nginx.conf中不指定pid指令的情况下,默认为 <prefix>/logs/nginx.pid。
--lock-path=<path> :nginx.lock文件的路径,默认为 <prefix>/logs/nginx.lock。
--error-log-path=<path> :nginx.conf中不指定error_log的情况下,默认错误日志的路径:<prefix>/logs/error.log。
--http-log-path=<path> :在nginx.conf中没有指定access_log指令的情况下,默认访问日志路径:<prefix>/logs/access.log。
--user=<user> :在nginx.conf中没有指定user指令的情况下,默认nginx使用用户为 nobody。
--group=<group> :在nginx.conf中没有指定group的情况下,默认nginx使用nobody。
- 模块
--with-http_stub_status_module:启用stub_status状态页面
--with-http_ssl_module:启用ssl功能,让nginx支持https,此模块需要安装openssl-devel包
--without-http_gzip_module:禁用gzip模块
#下载pcre包,此包在编译时--with-pcre中使用
https://ftp.pcre.org/pub/pcre/
#下载nginx的源码包(下面的命令走的是明文http,建议改用https下载,并用nginx.org提供的PGP签名文件(.asc)校验压缩包后再编译)
[root@lotus ~]# wget http://nginx.org/download/nginx-1.20.0.tar.gz
#解压gz包
[root@lotus ~]# tar xf nginx-1.20.0.tar.gz
[root@lotus ~]# cd nginx-1.20.0
#安装pcre-devel和openssl-devel
[root@lotus nginx-1.20.0]# yum install -y pcre-devel
[root@lotus nginx-1.20.0]# yum install -y openssl-devel
#编译安装nginx
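#【--prefix】表示nginx编译安装的路径,【--conf-path】表示nginx的配置文件nginx.conf的存放位置,【--with-http_ssl_module】表示支持https功能。注意:【--user】/【--group】指定的nginx用户和组需事先创建(建议使用无登录shell的系统账户),各temp-path的上级目录/var/tmp/nginx也需事先存在,否则nginx无法启动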
[root@lotus nginx-1.20.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre=/root/pcre#(下载的pcre版本号)
[root@lotus nginx-1.20.0]# make && make install
[root@lotus nginx-1.20.0]# ls /usr/local/nginx
html logs sbin
#启动nginx服务
[root@lotus nginx-1.20.0]# cd /usr/local/nginx/sbin
[root@lotus sbin]# ls
nginx
[root@lotus sbin]# ./nginx
#nginx服务启动后,显示80端口已开启
[root@lotus sbin]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:50783 0.0.0.0:* LISTEN 1270/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1248/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4223/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1441/sshd
tcp 0 0 :::111 :::* LISTEN 1248/rpcbind
tcp 0 0 :::57749 :::* LISTEN 1270/rpc.statd
tcp 0 0 :::22 :::* LISTEN 1441/sshd
tcp 0 0 ::1:25 :::* LISTEN 1520/master
#编写nginx服务启动脚本
[root@lotus ~]# vim /etc/init.d/nginx
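#!/bin/bash
#
# nginx startup script for nginx server
#
# chkconfig: - 85 15
# processname: nginx
# config: /etc/nginx/nginx.conf
# pidfile: /var/run/nginx/nginx.pid

# Load the init-script helper library (daemon, killproc and status are
# called below and are not defined in this script).
. /etc/rc.d/init.d/functions
# Load the network configuration.
. /etc/sysconfig/network

nginxfile=/usr/local/nginx/sbin/nginx
prog=${nginxfile##*/}
# Must be the pid file nginx really writes. This build was configured with
# --pid-path=/var/run/nginx/nginx.pid and the sample nginx.conf sets no `pid`
# directive, so the previous value (/usr/local/nginx/logs/nginx.pid) never
# existed and start() could not tell whether nginx was already running.
# Keep this in sync with the `pid` directive if one is added later.
pidfile=/var/run/nginx/nginx.pid
conffile=/etc/nginx/nginx.conf
lockfile=/var/lock/subsys/nginx
RETVAL=0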
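#######################################
# Start nginx unless a live instance is already recorded in the pid file.
# Globals:   pidfile, nginxfile, conffile, lockfile, prog (read)
#            RETVAL (written)
# Outputs:   status text on stdout
# Returns:   0 when nginx is already running, otherwise the status of
#            the daemon call
#######################################
start() {
  local pid=""

  if [ -f "$pidfile" ]; then
    read -r pid < "$pidfile"
    # Accept only a plain, non-zero decimal PID; anything else in the file
    # is treated as "not running" instead of being handed to kill.
    case "$pid" in
      '' | 0 | *[!0-9]*) pid="" ;;
    esac
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
      echo "nginx is running"
      return 0
    fi
    # The pid file is stale (left behind by a crash or unclean shutdown):
    # fall through and start nginx instead of refusing forever.
  fi

  echo -n $"Starting $prog:"
  daemon "$nginxfile" -c "$conffile"
  RETVAL=$?
  echo
  [ "$RETVAL" -eq 0 ] && touch "$lockfile"
  return "$RETVAL"
}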
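#######################################
# Ask nginx to shut down gracefully (SIGQUIT) and drop the subsys lock.
# Globals:   prog, lockfile (read); RETVAL (written)
# Outputs:   status text on stdout
# Returns:   the status of killproc
#######################################
stop() {
  echo -n $"Stopping $prog"
  killproc "$prog" -QUIT
  RETVAL=$?
  echo
  # The lock is a single regular file: use a quoted, non-recursive rm so a
  # wrong or empty $lockfile can never turn into a recursive delete as root.
  [ "$RETVAL" -eq 0 ] && rm -f -- "$lockfile"
  return "$RETVAL"
}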
#######################################
# Stop and start nginx, but only after the configuration passes configtest,
# so a broken nginx.conf does not take a running server down.
# Returns:   the configtest status when it fails, otherwise the status of
#            start
#######################################
restart() {
  local check_rc

  configtest
  check_rc=$?
  if [ "$check_rc" -ne 0 ]; then
    return "$check_rc"
  fi

  stop
  start
}
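#######################################
# Re-read the configuration by sending SIGHUP, after configtest accepts it.
# Globals:   nginxfile, prog (read); RETVAL (written)
# Outputs:   status text on stdout
# Returns:   the configtest status when it fails, otherwise the status of
#            killproc
#######################################
reload() {
  configtest || return $?
  echo -n $"Reloading $prog:"
  killproc "$nginxfile" -HUP
  RETVAL=$?
  echo
  # Without an explicit return the function reported the status of the last
  # echo (always 0), so a failed reload looked like a success to the caller.
  return "$RETVAL"
}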
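#######################################
# Run the nginx binary in test mode (-t) against the configured file.
# Globals:   nginxfile, conffile (read)
# Returns:   the exit status of the nginx -t run
#######################################
configtest() {
  # Quoted so a path containing spaces or glob characters is passed to
  # nginx as one argument instead of being split by the shell.
  "$nginxfile" -t -c "$conffile"
}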
# Dispatch on the requested action and exit with that action's status.
case "$1" in
  start | stop | restart | reload)
    # Each of these action names is also the name of the function that
    # implements it, so the argument is called directly.
    "$1"
    RETVAL=$?
    ;;
  status)
    status $prog
    RETVAL=$?
    ;;
  *)
    echo "USAGE:$0 {start|stop|reload|restart|status}"
    exit 1
    ;;
esac
exit $RETVAL
[root@lotus ~]# chmod +x /etc/init.d/nginx
访问服务器,结果如下:
nginx配置文件详解
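# CPU-bound workloads (TLS, compression): one worker per CPU core.
# I/O-bound workloads (sending large responses): 1.5x to 2x the core count.
worker_processes 1;

# Connections each worker may hold open; the overall ceiling is
# worker_processes * worker_connections.
events {
    worker_connections 1024;
}

# Error log (left commented out in this sample).
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#
http {
    # include pulls in another configuration file.
    include mime.types;
    # MIME type used when none of the mapped types matches.
    default_type application/octet-stream;

    # log_format defines a named access-log line format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log selects the access-log file and format.
    #access_log logs/access.log main;

    # Efficient file transmission through sendfile().
    sendfile on;
    # tcp_nopush only has an effect together with sendfile: the response
    # header and the start of the file go out in one packet.
    #tcp_nopush on;

    # Enable gzip compression of responses.
    #gzip on;

    # Idle time after which a keep-alive client connection is closed.
    keepalive_timeout 65;

    # Each server block is one virtual host.
    server {
        # Port this virtual host listens on.
        listen 80;
        # Host name of this virtual host.
        server_name localhost;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        # location selects the configuration for a request URI; / matches
        # every URI.
        location / {
            # Filesystem directory that / maps to; html is a relative path.
            root html;
            # Index file(s) served for a directory request.
            index index.html index.htm;
            # With autoindex on, a directory without an index file is
            # listed; it is off by default. Leave it off unless the listing
            # is meant to be public.
            #autoindex on;
            # Reject this client address (a network range also works);
            # every other address is allowed by default.
            deny 192.168.0.135;
            # HTTP Basic authentication.
            # NOTE(review): this virtual host is plain HTTP, so the Basic
            # credentials cross the network unencrypted; protect real
            # content on the TLS virtual host instead.
            auth_basic "Restricted";
            # Password file written with Apache's htpasswd tool. The
            # walkthrough creates it as /etc/nginx/.users, so the directive
            # has to name that file (it previously pointed at "htpasswd",
            # which is never created).
            auth_basic_user_file /etc/nginx/.users;
        }

        # Status counters of the running server.
        location /nginx_status {
            stub_status on;
            # Connection and request counters are operational data: answer
            # local requests only. Add the monitoring host's address with
            # another allow line if it polls remotely.
            allow 127.0.0.1;
            deny all;
        }

        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS virtual host.
    server {
        listen 443 ssl;
        server_name localhost;

        # The signing step of the walkthrough writes the certificate to
        # nginx.crt in /etc/nginx/ssl (the directive previously named
        # nginx.cert, a file that is never produced).
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        # The private key is created under umask 077; keep it readable by
        # root only.
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        # NOTE(review): no ssl_protocols is set, so nginx's built-in default
        # protocol list applies; pin it explicitly (for example
        # "ssl_protocols TLSv1.2;") once client compatibility is confirmed.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root /usr/local/nginx/html/ssl;
            index index.html index.htm;
        }
    }
}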
#通过htpasswd工具生成用户文件(-c 会新建并覆盖已有文件,追加其他用户时不要再带 -c;文件路径需与nginx.conf中auth_basic_user_file指令一致,并将权限限制为仅root和nginx运行用户可读)
[root@mysql2 ~]# htpasswd -c -m /etc/nginx/.users tom
New password:
Re-type new password:
Adding password for user tom
#生成私钥
[root@mysql2 CA]# (umask 077;openssl genrsa 2048 > private/cakey.pem )
Generating RSA private key, 2048 bit long modulus
.........................................................+++
....+++
e is 65537 (0x10001)
#生成自签证书(此处未指定 -days,openssl req -x509 默认有效期只有30天;CA证书应通过 -days 显式指定有效期,且不应短于其签发的服务器证书)
[root@mysql2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:Tye
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.tye.com
Email Address []:caadmin@tye.com
#生成服务器私钥,并生成证书
[root@mysql2 ~]# cd /etc/nginx/ssl
[root@mysql2 ssl]# ls
[root@mysql2 ssl]# (umask 077;openssl genrsa 2048 > nginx.key)
Generating RSA private key, 2048 bit long modulus
.............................+++
........................................................................................+++
e is 65537 (0x10001)
[root@mysql2 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:Tye
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.tye.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#对服务器证书进行签发(生成的证书文件为 nginx.crt,nginx.conf 中的 ssl_certificate 需指向该文件;-days 3650 表示证书有效期为10年)
[root@mysql2 ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 12 19:22:59 2021 GMT
Not After : Apr 10 19:22:59 2031 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = Tye
organizationalUnitName = Tech
commonName = www.tye.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:C6:FB:98:11:E1:41:1F:49:F7:09:7E:F8:6F:6E:AD:8B:66:BB:03
X509v3 Authority Key Identifier:
keyid:29:E1:2A:81:CF:84:1E:7A:FF:0A:21:28:37:E5:14:F0:7B:77:6E:10
Certificate is to be certified until Apr 10 19:22:59 2031 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
location介绍
location [=|~|~*|^~] /uri/ { … }
location URI {} 对当前路径及子路径下的所有对象都生效
location = URI {} 精确匹配指定路径,只对当前路径生效
location ~ URI {} 模式匹配,区分字符大小写,此处的URI可使用正则表达式
location ~* URI{} 模式匹配,不区分大小写,此处的URI可使用正则表达式
location ^~ URI{} 不使用正则表达式
location优先级:= > ^~ > ~|~* > 不加任何修饰符的URI
Active connections:当前处于活动的连接数
server accepts handled requests:表示当前nginx已经处理过的连接和请求个数,第一个参数:接收到的连接数,第二个参数:处理过的连接数,第三个参数:处理过的请求数
Reading:正在读请求首部的个数,即正在接收进来的请求个数
Writing:正在读请求主体的个数,正在处理请求内容的个数或正在发送至客户端
Waiting:处于长连接状态的连接个数
Nginx配置文件详解
# Reverse-proxy sample: load balancing across two backends with a local
# fallback server and a response cache.
# Worker processes run as the nginx account.
user nginx;
worker_processes 1;
# Log messages of level warn and above.
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Access-log line format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Access log.
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
# Load balancing: requests are spread over the servers of this group.
upstream backend {
# ip_hash (disabled here) would pin each client address to one backend.
#ip_hash;
# max_fails=2 fail_timeout=2: after 2 failed attempts within 2 seconds the
# server is considered unavailable for the next 2 seconds.
server 192.168.0.135 weight=1 max_fails=2 fail_timeout=2;
server 192.168.0.136 weight=1 max_fails=2 fail_timeout=2;
# Backup server: it only receives requests when both primary servers are
# down, so it can serve a notice page (the server block on port 8080 below).
server 127.0.0.1:8080 backup;
}
# Cache storage: two-level directory layout under /data/nginx/cache and a
# 10 MB shared-memory key zone named "one".
proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;
# No listen directive in this server block, so nginx's default listen
# address and port apply.
server {
# add_header adds response header fields.
# NOTE(review): X-via returns the server's own address ($server_addr) and
# X-Cache the cache status to every client; useful while debugging, but
# consider removing both on an Internet-facing host.
add_header X-via $server_addr;
add_header X-Cache $upstream_cache_status;
location / {
proxy_pass http://backend;
# Enable caching with the "one" zone defined above.
proxy_cache one;
# Keep cached 200 and 302 responses for 10 minutes.
# NOTE(review): confirm the backends never return per-user content on
# cacheable URLs before enabling this for an authenticated application.
proxy_cache_valid 200 302 10m;
}
}
server {
listen 8080;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html;
}
}
# include /etc/nginx/conf.d/*.conf;
}