Nginx 配置

A little Mew
2021-09-21 12:37
  1. 下载并解压 Nginx 源码
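# Work in the same source directory that the later build steps use
# (the original path was misspelled as /user/local/src/).
cd /usr/local/src/

# The article omits the download URLs. Fetch each tarball over HTTPS from the
# project's own download page and verify its published signature or checksum
# before unpacking: these archives are compiled and installed system-wide below.
# The versions are the ones the article was written against (2021); check that
# a release is still supported upstream before building it.
wget nginx-1.18.0.tar.gz
wget openssl-1.1.1l.tar.gz
wget zlib-1.2.11.tar.gz

tar -zxvf nginx-1.18.0.tar.gz
tar -zxvf openssl-1.1.1l.tar.gz
tar -zxvf zlib-1.2.11.tar.gz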
  1. 移除默认环境&安装环境
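# Inspect what is already installed (read-only queries).
rpm -aq |grep mariadb
rpm -aq |grep openssl
#
# The distribution's openssl packages are left in place: the nginx build on this
# page compiles against the OpenSSL source tree given to --with-openssl, so the
# removal is not needed, and yum would also remove every package that depends
# on openssl. openssl-devel is installed again a few lines further down anyway.
# yum remove openssl openssl-devel
yum install -y gcc-c++ make
yum install -y pcre pcre-devel
yum install -y zlib zlib-devel
yum install -y openssl-devel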
  1. 编译安装 OpenSSL
# Build OpenSSL from the unpacked source tree and install it under /usr/local/openssl.
cd /usr/local/src/openssl-1.1.1l
./config  --prefix=/usr/local/openssl
make
make install 
# NOTE(review): the nginx ./configure step on this page passes
# --with-openssl=../openssl-1.1.1l, i.e. the source tree rather than this
# install prefix; whether nginx needs this separate install is not shown here.
## If the build fails, try:
make clean
  1. 编译安装 Nginx
# Configure nginx with PCRE, the stream (plus stream TLS), HTTP/2, HTTP TLS,
# stub_status, addition and sub modules and thread support, installing under
# /usr/local/nginx. OpenSSL and zlib are taken from the source trees unpacked
# next to the nginx tree, with TLS 1.3 requested through --with-openssl-opt.
cd /usr/local/src/nginx-1.18.0
./configure \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_addition_module \
--with-http_sub_module \
--with-threads \
--with-openssl-opt='enable-tls1_3' \
--prefix=/usr/local/nginx \
--with-openssl=../openssl-1.1.1l \
--with-zlib=../zlib-1.2.11
# Optional third-party module, left disabled:
#--add-module=../ngx-fancyindex/
make
make install
## A trailing backslash continues the command on the next line, which keeps it readable
  1. 使用systemctl 管理 nginx
/usr/lib/systemd/system/nginx.service
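# systemd unit for the nginx built under /usr/local/nginx.
[Unit]
Description=nginx
After=network.target
  
[Service]
# nginx daemonizes itself, so systemd has to follow the forked master process.
Type=forking
# nginx.conf on this page leaves "pid" at its default, logs/nginx.pid under the
# install prefix; naming the file lets systemd track the master reliably
# instead of guessing the main PID.
PIDFile=/usr/local/nginx/logs/nginx.pid
# Refuse to start with a configuration that does not parse.
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
# Give the service its own private /tmp and /var/tmp.
PrivateTmp=true
  
[Install]
WantedBy=multi-user.target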
  1. 修改 nginx 名称

修改 Nginx 内部名称 vim src/core/nginx.h

/*
 * Version strings compiled into the binary: NGINX_VER is NGINX_VERSION with
 * an "Apple/" prefix.
 * NOTE(review): a renamed banner changes nothing about the code that is
 * actually running, and the patch has to be re-applied on every upgrade, so it
 * is no substitute for keeping nginx current. The stock "server_tokens off;"
 * directive hides the version number without patching the source.
 */
#define NGINX_VERSION      "macOS 11.5.2 (20G95)"
#define NGINX_VER          "Apple/" NGINX_VERSION

修改 HTTP Response Header vim src/http/ngx_http_header_filter_module.c

/* Literal "Server:" response header line, CRLF-terminated, replacing the stock
 * product name. NOTE(review): presumably the variant sent when the version is
 * not displayed; confirm against the header filter before relying on it. */
static u_char ngx_http_server_string[] = "Server: Apple" CRLF;

修改错误页的底部 Footer vim src/http/ngx_http_special_response.c

/* HTML tail of the built-in error pages (the footer, per the article): a rule,
 * the centered product line, and the closing body/html tags, each CRLF-terminated. */
static u_char ngx_http_error_tail[] =
"<hr><center>Apple: macOS 11.5.2 (20G95)</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
  1. 自动分割日志

vim /etc/nginx/conf/cutlog.sh

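#!/bin/sh
# Rotate the nginx logs: move the live files into the archive directory under
# yesterday's date, then tell nginx to reopen its log files.

# %Y is the calendar year. The original used %G, the ISO week-numbering year,
# which differs from the calendar year on some days around 1 January and would
# misdate those archives.
stamp="$(date -d "yesterday" +%Y.%m.%d)"

# Create any log that does not exist yet so the mv below cannot fail on it.
touch "/usr/local/nginx/logs/error.log"
touch "/usr/local/nginx/logs/nginx.json"
touch "/usr/local/nginx/logs/zhuihoude.json"

# nginx keeps writing to the moved files until it is told to reopen them, so
# nothing is lost as long as source and archive are on the same filesystem.
# NOTE: /etc/nginx/conf/logs is the directory that "location /logs/" in
# public.conf lists over HTTP; access to that location should be restricted.
mv "/usr/local/nginx/logs/error.log"        "/etc/nginx/conf/logs/error_${stamp}.txt"
mv "/usr/local/nginx/logs/nginx.json"       "/etc/nginx/conf/logs/nginx_${stamp}.json"
mv "/usr/local/nginx/logs/zhuihoude.json"   "/etc/nginx/conf/logs/zhuihoude_${stamp}.json"

# Reopen the logs in the running server instead of stopping and starting it:
# the original stop/start dropped every connection on each rotation.
/usr/local/nginx/sbin/nginx -s reopen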
  1. 配置

vim /usr/local/nginx/conf/nginx.conf

# This file is /usr/local/nginx/conf/nginx.conf
# Two worker processes, each pinned to one CPU by the bitmasks below
# (01 = first CPU, 10 = second CPU).
worker_processes                            2;
worker_cpu_affinity                         01 10;
# Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile                        65535;
# The pid directive is left commented out, so the built-in default applies.
# pid /usr/local/nginx/logs/nginx.pid;
events{
  # epoll event method; up to 1024 connections per worker, and each worker
  # accepts all pending connections at once (multi_accept).
  use                                       epoll;
  worker_connections                        1024;
  multi_accept                              on;
}
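# HTTP-level defaults shared by every server block pulled in by the include at
# the bottom of this block.
http{
include                                     mime.types;
default_type                                application/octet-stream;
server_names_hash_bucket_size               128;
client_header_buffer_size                   32k;
large_client_header_buffers                 4 32k;
# Largest request body accepted from a client.
client_max_body_size                        50m;
sendfile                                    on;
tcp_nopush                                  on;
tcp_nodelay                                 on;
index                                       index.html;

proxy_connect_timeout                       3s;
proxy_read_timeout                          60s;
proxy_send_timeout                          90s;

keepalive_timeout                           120;
keepalive_requests                          1000;
fastcgi_connect_timeout                     300;
fastcgi_send_timeout                        300;
fastcgi_read_timeout                        300;
fastcgi_buffer_size                         64k;
fastcgi_buffers                             64 64k;
fastcgi_busy_buffers_size                   128k;
fastcgi_temp_file_write_size                256k;
fastcgi_intercept_errors                    on;

gzip                                        on;
gzip_comp_level                             6;
gzip_min_length                             1k;
gzip_types                                  text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
gzip_disable                                "MSIE [1-6].(?!.*SV1)";

# JSON access log. escape=json makes nginx escape quotes, backslashes and
# control characters in the variable values, so a crafted User-Agent, Referer
# or X-Forwarded-For header cannot break the record or forge extra fields.
# x_forwarded is copied from a request header and is client-controlled; treat
# remote_addr as the authoritative peer address.
log_format log_json escape=json
                                            '{\n"timestamp":"$time_iso8601",\n'
                                            '"x_forwarded":"$http_x_forwarded_for",\n'
                                            '"remote_addr":"$remote_addr",\n'
                                            '"upstream_response_time": "$upstream_response_time",\n'
                                            '"request_time": "$request_time",\n'
                                            '"request_url":"$scheme://$host:$Server_port$request_uri",\n'
                                            '"request_method_status":"$request_method$status",\n'
                                            '"referer":"$http_referer",\n'
                                            '"user_agent":"$http_user_agent"\n'
                                            '}\n';

access_log                                  /usr/local/nginx/logs/nginx.json log_json;
#error_log                                  /usr/local/nginx/logs/error.json warn;

# Every *.conf directly under /etc/nginx is loaded into this block, so that
# directory must be writable by administrators only.
include                                     /etc/nginx/*.conf;
}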

vim /etc/nginx/conf/public.conf

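# Shared settings included inside server blocks: TLS, proxy headers, response
# headers, CORS and error pages.

## proxy_hide_header                         WWW-Authenticate; 
## proxy_set_header                          Authorization "Basic YWRtaW46YWRtaW4=";  # base64(admin:admin)
## NOTE: Base64 is an encoding, not protection. If this line is ever enabled,
## replace the example admin:admin credential first and keep this file
## readable by root only.
## autoindex_format                          json;

## proxy_set_header                          Host $host;
## listen                                    1443 ssl http2 fastopen=3 reuseport;
## proxy_redirect                            default;
## add_after_body                            /page/footer.html;

# "ssl on;" has been deprecated since nginx 1.15.0 in favour of the ssl
# parameter of listen, which every listen directive on this page already has.
# Add that parameter to any other listen that relied on this line.
# ssl                                       on;
# NOTE: the cipher list below excludes DH/DHE, so these parameters go unused.
  ssl_dhparam                               /etc/nginx/conf/certificate/dhparam.pem;
# Only TLS 1.2 and 1.3. The original line also enabled SSLv2, SSLv3, TLS 1.0
# and TLS 1.1, which are broken or deprecated and allow protocol downgrade.
  ssl_protocols                             TLSv1.2 TLSv1.3;
  ssl_session_cache                         shared:SSL:10m;  # session cache size
# Session tickets: without regular rotation of the ticket key, a leaked key
# exposes the traffic of every session resumed with it. Rotate it or set this off.
  ssl_session_tickets                       on;
  ssl_session_timeout                       10m;             # session cache lifetime
  keepalive_timeout                         120s;            # TCP keep-alive
  keepalive_requests                        1000;
  ssl_prefer_server_ciphers                 on;              # prefer the server's cipher order
  ssl_ciphers                               ECDHE:!CBC:!NULL:!aNULL:!eNULL:!MD5:!ADH:!RC4:!DH:!DHE;
# TLS 1.3 0-RTT. Early data can be replayed by a network attacker, so it is
# only safe for idempotent requests. The Early-Data header below tells the
# backend which requests arrived that way so it can refuse them; turn this
# off if the backend cannot make that distinction.
  ssl_early_data                            on;
  proxy_set_header                          Early-Data $ssl_early_data;

# OCSP stapling: the server attaches the certificate's revocation status
  ssl_stapling                              on;
  ssl_stapling_verify                       on;
  ssl_trusted_certificate                   /etc/nginx/conf/certificate/w.crt;
  resolver                                  8.8.8.8 208.67.220.220 valid=240s;
  resolver_timeout                          10s;

# proxy_set_header                          Host $host;
  proxy_set_header                          X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
# sent, so backends must trust only the last entry (or X-Real-IP).
  proxy_set_header                          X-Forwarded-For $proxy_add_x_forwarded_for;
# Debug headers showing the requested host and the client IP; remove them in
# production.
  add_header                                your_host $host;
  add_header                                your_addr $remote_addr;

# "always" attaches the security headers to error responses too; without it
# add_header only applies to a fixed set of success and redirect codes.
  proxy_hide_header                         Strict-Transport-Security;
  add_header                                Strict-Transport-Security "max-age=126144000; includeSubdomains; preload" always;
# Disallow framing by other origins
  proxy_hide_header                         X-Frame-Options;
  add_header                                X-Frame-Options SAMEORIGIN always;
# Prevent MIME type confusion attacks
  proxy_hide_header                         X-Content-Type-Options;
  add_header                                X-Content-Type-Options nosniff always;
# Upgrade http sub-resource references to https
  proxy_hide_header                         Content-Security-Policy;
  add_header                                Content-Security-Policy upgrade-insecure-requests always;

# CORS. The wildcard origin lets any website read these responses from a
# visitor's browser, and Authorization is among the allowed request headers;
# list the trusted origins instead unless everything served here is public.
  proxy_hide_header                         Access-Control-Allow-Origin;
  add_header                                Access-Control-Allow-Origin *;
  proxy_hide_header                         Access-Control-Allow-Methods;
  add_header                                Access-Control-Allow-Methods 'GET, POST, OPTIONS';
  proxy_hide_header                         Access-Control-Allow-Headers;
  add_header                                Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

  error_page 400                            /page/400.html;
  error_page 401                            /page/401.html;
  error_page 403                            /page/403.html;
  error_page 404                            /page/404.html;
  error_page 502                            /page/502.html;
  error_page 504                            /page/504.html;
  error_page 506 =200                       /page/666.html;
# Plain HTTP sent to a TLS port (497) is always redirected to https on the same port
  error_page 497                            https://$host:$Server_port$request_uri?request_error_http_497=$scheme://$host:$Server_port;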

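#-----BEGIN Public-----
# Static pages (error pages, footer) with a directory listing.
# NOTE: the root is /etc/nginx/conf/, the tree that also holds certificate/
# with the private key. Only /page/ and /logs/ are mapped here, but web content
# is safer in a directory of its own.
location /page/ {
  root                                      /etc/nginx/conf/;
  autoindex                                 on;
  charset                                   utf-8;
  autoindex_localtime                       on;
  add_after_body                            /page/footer.html;
  access_log                                /usr/local/nginx/logs/nginx.json log_json;
}
# Dots escaped and the pattern anchored at the end, so that only exactly
# /favicon.ico and /robots.txt match rather than any URI starting with a
# look-alike prefix.
location                                    ~ ^/(favicon\.ico|robots\.txt)$ { root /etc/nginx/conf/page/;}
# stub_status reports connection and request counters to anyone who asks;
# add allow/deny rules here if that should not be public.
location /status                            { stub_status on; }
#-----END Public-----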
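# Directory listing of the rotated logs under /etc/nginx/conf/logs/.
# The access logs hold client addresses, full request URLs and referers, so
# the location is limited to the local host by default; extend the allow list
# (or put authentication in front) for the administrators who need it.
location /logs/ {
  root                                      /etc/nginx/conf/;
  allow                                     127.0.0.1;
  deny                                      all;
  autoindex                                 on;
  charset                                   utf-8;
  autoindex_localtime                       on;
  access_log                                /usr/local/nginx/logs/nginx.json log_json;
}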

vim /etc/nginx/1.conf

## Catch-all server: requests for an unexpected domain are redirected straight to zhuihoude.com
## NOTE(review): "server_name default" is an ordinary name, not the default_server
## listen flag. This block is the fallback only if it is the first server defined
## for each listen socket, presumably because 1.conf sorts first in the
## /etc/nginx/*.conf include; confirm, or mark the listens default_server.
## NOTE(review): the server-level return answers every request, so the location
## blocks pulled in from public.conf should never be reached in this server.
server {
include                                     /etc/nginx/conf/public.conf;
  ssl_certificate                           /etc/nginx/conf/certificate/all.crt;
  ssl_certificate_key                       /etc/nginx/conf/certificate/all.key;
  server_name                               default;
  # All four ports, including 80, speak TLS; plain HTTP sent to them is handled
  # by the error_page 497 redirect in public.conf.
  listen                                    80 ssl http2;
  listen                                    443 ssl http2;
  listen                                    1443 ssl http2;
  listen                                    8888 ssl http2;
  # Redirect to the fixed canonical host, recording the originally requested
  # scheme, host and port in a query parameter.
  return                                    https://zhuihoude.com$request_uri?request_error_domain=$scheme://$host:$Server_port;
}

vim /usr/local/nginx/conf/mime.types 添加:

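    # Extra extension-to-type mappings appended to the stock mime.types.
    application/vnd.apple.pages                      pages;
    application/vnd.apple.numbers                    numbers;
    application/vnd.apple.keynote                    keynote;
    application/vnd.apple.installer+xml              pkg mpkg;
    # A media type needs its top-level type; the original entry lacked "application/".
    application/vnd.SimTech-MindMapper               mm;
    text/markdown                                    md markdown;
    # Serve .log files as plain text so browsers display them instead of downloading.
    text/plain                                       log;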
