一、通过源码编译安装nginx
使用configure,make(编译),make install(安装编译完成的软件)命令
1. 从官网上下载 www.nginx.org 安装包,选稳定版的比较好
安装前要确保系统中有gcc,查看系统是否安装了gcc:
rpm -q gcc
2. tar zxf nginx-1.12.0.tar.gz
3. yum install -y pcre-devel
4. yum insall -y openssl-devel
5. useradd -M -d /usr/local/lnmp/nginx -s /sbin/nologin -u 800 nginx ##创建nginx用户
6. cd nginx-1.12.0 ##congigure在此目录下
7. ./configure --prefix=/usr/local/lnmp/nginx --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_stub_status_modul##编译
[root@server1 sbin]# curl localhost -I
HTTP/1.1 200 OK
Server: nginx/1.12.0 ##版本信息会显示出来,不安全相当于告诉别人我就是这个版本,来黑呀~
Date: Wed, 19 Jul 2017 03:59:11 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 19 Jul 2017 03:57:23 GMT
Connection: keep-alive
ETag: "596ed8a3-264"
Accept-Ranges: bytes
[root@server1 nginx]# pwd
/usr/local/lnmp/nginx
[root@server1 nginx]# du -sh ##由于debug模式编译存在,因此,会比较大,可以把debug模式编译去掉,编译以后程序只有几百k
具体过程如下:
[root@server1 nginx-1.12.0]# cd src/core/
[root@server1 core]# vim nginx.h ##在这个文件中删除版本号
[root@server1 nginx-1.12.0]# cd auto/cc/
[root@server1 cc]# ls
acc bcc ccc clang conf gcc icc msvc name owc sunc
[root@server1 cc]# vim gcc ##由于debug模式编译存在,因此会比较大,可以把debug模式编译去掉
[root@server1 nginx-1.12.0]# ./configure --prefix=/usr/local/lnmp/nginx --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_stub_status_module##配置成功时,不会出现任何的报错
[root@server1 nginx-1.12.0]# make && make install
[root@server1 nginx-1.12.0]# cd /usr/local/lnmp/nginx/sbin/
[root@server1 sbin]# ./nginx ##打开nginx
[root@server1 sbin]# cd /usr/local/lnmp/nginx/
[root@server1 nginx]# du -sh
960K.
[root@server1 sbin]# pwd
/usr/local/lnmp/nginx/sbin
[root@server1 sbin]# ln -s /usr/local/lnmp/nginx/sbin/nginx /sbin/ ##做一个软链接
[root@server1 sbin]# which nginx
/sbin/nginx
[root@server1 sbin]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6060/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 976/master
tcp 0 0 172.25.38.1:22 172.25.38.250:39568 ESTABLISHED 1040/sshd
tcp 0 0 172.25.38.1:22 172.25.38.250:39572 ESTABLISHED 1067/sshd
tcp 0 0 :::22 :::* LISTEN 900/sshd
tcp 0 0 ::1:25 :::* LISTEN 976/master
测试:
[root@server1 sbin]# curl -I localhost
HTTP/1.1 200 OK
Server: nginx/
Date: Wed, 19 Jul 2017 04:07:59 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 19 Jul 2017 04:05:33 GMT
Connection: keep-alive
ETag: "596eda8d-264"
Accept-Ranges: bytes
###使用yum安装时应该要看安装时的脚本,防止一些流氓软件###
以httpd为例:
[root@server1 lnmp]# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):###安装前执行的脚本##
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
useradd -r -u 48 -g apache -s /sbin/nologin \
-d /var/www -c "Apache" apache
exit 0
postinstall scriptlet (using /bin/sh):###安装后执行的脚本##
# Register the httpd service
/sbin/chkconfig --add httpd
/sbin/chkconfig --add htcacheclean
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
/sbin/service httpd stop > /dev/null 2>&1
/sbin/chkconfig --del httpd
/sbin/service htcacheclean stop > /dev/null 2>&1
/sbin/chkconfig --del htcacheclean
fi
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
/sbin/service httpd condrestart >/dev/null 2>&1 || :
[root@server1 lnmp]# rpm -qi httpd###查看httpd的信息##
Name : httpd Relocations: (not relocatable)
Version : 2.2.15 Vendor: Red Hat, Inc.
Release : 29.el6_4 Build Date: Fri 02 Aug 2013 08:03:06 PM CST
Install Date: Wed 19 Jul 2017 09:34:59 AM CST Build Host: x86-002.build.bos.redhat.com
Group : System Environment/Daemons Source RPM: httpd-2.2.15-29.el6_4.src.rpm
Size : 3075393 License: ASL 2.0
Signature : RSA/8, Mon 12 Aug 2013 09:49:45 PM CST, Key ID 199e2f91fd431d51
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
-------------------------------------------------------------------------------------------------------
二、nginx绑定cpu
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
内容:
worker_processes 2; ##表示开启两个nginx进程
worker_cpu_affinity 01 10; ##第一个进程对应第一个cpu内核,第二个进程对应第二个cpu内核
events {
worker_connections 65535;##允许连接进程的最大数,不能大与fs.file-max的数
}
2 nginx -t ##查看配置文件是否有语法错误
3 nginx -s reload ##重新加载nginx
4 vim /etc/security/limits.conf ##在该文件下编写才会生效
nginx - nofile 65535
测试:
切换到nginx用户,执行ulimit-a
(在切换前,要将nginx用户改成可以登入usermod -s /bin/bash nginx)
[root@server1 ~]# su - nginx
-bash-4.1$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 14868
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65535###发现已经改变成了65535###
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 1024
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
-bash-4.1$
##nginx -s reload##有多少核就有几位数,2核是01,四核是0001,8核是00000001,以此类推###
[root@server1 conf]# sysctl -a | grep file###sysctl -a指显示所有的系统参数###
fs.file-nr = 5120188464
fs.file-max = 188464
--------------------------------------------------------------------------------------------------------
三、nginx建立虚拟主机
默认发布目录:
/usr/local/lnmp/nginx/html
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
内容:注意该内容要写在http下
server {
listen 80;##访问80端口
server_name www.westos.org ##服务器名称(域名)
location / { ##网页根目录
root /web1; ##发布目录
indexindex.html ##所发布文件名
}
}
nginx -t##查看是否有语法错误
nginx -s reload##重新加载
2 mkdir /web1
3 vim /web1/index.html
内容:
<h1>www.westos.org</h1>
4 nginx -s reload
测试:
[root@server1 conf]# vim /etc/security/limits.conf
在最后一行添加:
nginx - nofiles 65535##添加之后会在nginx显示open files为65535
[root@server1 web1]# nginx -s reload
[root@server1 web1]# cd /usr/local/lnmp/
[root@server1 lnmp]# ls
nginx
[root@server1 lnmp]# cd nginx/
[root@server1 nginx]# ls
client_body_temp fastcgi_temp logs sbin uwsgi_temp
conf html proxy_temp scgi_temp
[root@server1 nginx]# cd html/
[root@server1 html]# ls
50x.html index.html
--------------------------------------------------------------------------------------------------------
四、http ----> https
端口为443,配置前要确认安装了openssl和openssl-devel,由于之前源码编译时已经安装过,所以在这里就不用再次安装。
希望服务器与客户端之间传输内容是加密的,防止中间监听泻露信息,就可以用https进行访问的加密。如果用于内部人员的访问,可以自己颁发证书。
颁发证书方式1:
cd /etc/pki/tls/private
openssl genrsa 2048 > localhost.key##生成密钥
cd /etc/pki/tls/certs/
make testcert##生成证书
【过程:make testcert
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.org
】
颁发证书方式2:
make cert.pem ##同时生成密钥和证书
mv /etc/pki/tls/certs/cert.pem /usr/local/lnmp/nginx/conf/ ###在nginx中的配置文件里,给的是相对地址,因此要将其移到配置文件的目录下###
vim /usr/local/lnmp/nginx/conf/nginx.conf
*************************************
server {
listen 443 ssl;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
**************************************
nginx -s reload
[root@server1 conf]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 13909/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 917/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 993/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 13909/nginx ##执行完上述操作发现443端口打开了
tcp 0 0 172.25.39.1:22 172.25.39.250:35764 ESTABLISHED 1042/sshd
tcp 0 0 :::22 :::* LISTEN 917/sshd
tcp 0 0 ::1:25 :::* LISTEN 993/master
【过程:make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
........................................................+++
..............................+++
writing new private key to '/tmp/openssl.UVFnm7'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.org
】
测试:
登入https://172.25.78.1
--------------------------------------------------------------------------------------------------------
五、网页重定向
当访问www.westos.org时重写成https://www.westos.org
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
内容:
server {
listen 443 ssl;
server_name www.westos.org;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /web1;
index index.html index.htm;
}
}
server {
listen 80;
server_name www.westos.org;
rewrite ^(.*)$ https://www.westos.org$1 permanent;###把你输入的url重定向成https://www.westos.org,permanent表示永久重定向,redirect表示临时重定向###
location / {
proxy_pass http://westos;###默认是轮询
}
}
--------------------------------------------------------------------------------------------------------
六、监控连接数
在源码编译nginx的时候编译了--with-http_stub_status_modul该模块,该模块的应用就是nginx的监控
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
内容:
server {
listen 80;
server_name localhost;
location /status { ##/status是一个监控的模块,在源码安装时导入的模块
stub_status on;
access_log off;
allow 172.25.38.2; ##允许172.25.38.2主机连接
deny all; ##拒绝除了172.25.38.2之外的其他主机连接,allow和deny有访问的优先顺序
}
}
2 nginx -s reload
测试:
访问http://172.25.38.1/status
--------------------------------------------------------------------------------------------------------
七、负载均衡
1 vim /usr/local/lnmp/nginx/conf/nginx.conf
内容:
http {
upstream westos{ ##westos就是一个别名
server 172.25.38.2:80 ; ##访问后端服务器的80端口
server 172.25.38.3:8080; ##访问后端服务器的8080端口
server 127.0.0.1:8000 backup; ##当后端服务器全挂了之后,就会访问本地的index.html文件(提示系统正在维护中。。。)
##backup功能指令,一般不开启
server {
listen 80;
server_name www.westos.org;
location / {
proxy_pass http://westos;###默认是轮询
}
}
2 vim /var/www/html/index.html
内容:
系统正在维护中。。。
本文转自AELY木博客51CTO博客,原文链接http://blog.51cto.com/12768057/1950228如需转载请自行联系原作者
AELY木
