sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config   # takes effect at next boot
setenforce 0                                                          # switch to permissive immediately
Software install path: /usr/local/nginx/
Software log path: /usr/local/nginx/logs/
Software binary path: /usr/local/nginx/sbin/
Cache and proxy temp paths: /var/tmp/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}
Main configuration file path: /usr/local/nginx/conf
Sub-configuration file path: /usr/local/nginx/conf/conf.d/
Port plan: 80
Perform the steps in this section only as your environment requires.
Change the time zone
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
Change the system locale
echo 'LANG="en_US.UTF-8"' >> /etc/profile && source /etc/profile
Configure NTP time synchronisation for the host
yum -y install ntp
# add the servers before starting ntpd so they are read at startup
echo 'server ntp1.aliyun.com' >> /etc/ntp.conf
echo 'server ntp2.aliyun.com' >> /etc/ntp.conf
systemctl enable ntpd && systemctl start ntpd
Note: the dependencies in sections 2.2, 2.3 and 2.4 can also be installed directly with yum; the command is:
yum install -y pcre-devel zlib-devel openssl-devel
Alternatively, install them from source as this document describes. If you install them with yum, remove the following three lines from the nginx configure arguments:
--with-pcre=../pcre-8.44 \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1f \
Add the user and group (choose the user name yourself)
groupadd -r nginx && useradd -s /sbin/nologin -r -g nginx nginx
Install dependencies on CentOS
yum -y install gcc gcc-c++ automake autoconf libtool make wget net-tools
yum install -y libxslt* libxml2* gd-devel perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data
Download the nginx-1.19.1.tar.gz package and extract it
cd /opt
wget http://nginx.org/download/nginx-1.19.1.tar.gz
tar -zxvf nginx-1.19.1.tar.gz
Hide the nginx version number at the source
(1) Change the following three lines in nginx.h, for example:
vi /opt/nginx-1.19.1/src/core/nginx.h
Before:
#define nginx_version      1019001
#define NGINX_VERSION      "1.19.1"
#define NGINX_VER          "nginx/" NGINX_VERSION
After:
#define nginx_version      1010001
#define NGINX_VERSION      "618"
#define NGINX_VER          "WEB/" NGINX_VERSION
(2) Change the ngx_http_server_string display name in ngx_http_header_filter_module.c so that it matches the NGINX_VER name from step 1
vi /opt/nginx-1.19.1/src/http/ngx_http_header_filter_module.c
Before:
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
After:
static u_char ngx_http_server_string[] = "Server: WEB" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
(3) Change the ngx_http_error_tail display name in ngx_http_special_response.c so that it matches the NGINX_VER name from step 1
vi /opt/nginx-1.19.1/src/http/ngx_http_special_response.c
Before:
static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
After:
static u_char ngx_http_error_tail[] =
"<hr><center>WEB</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
Note: save each file after making the changes
Prepare the nginx deployment environment
mkdir -pv /var/tmp/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}
mkdir -pv /usr/local/nginx
chown -R nginx:nginx /var/tmp/nginx
chown -R nginx:nginx /usr/local/nginx

# PCRE
cd /opt
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
tar -zxvf pcre-8.44.tar.gz
cd pcre-8.44/
./configure
make && make install

# zlib
cd /opt
wget http://www.zlib.net/fossils/zlib-1.2.11.tar.gz
tar -zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make && make install

# OpenSSL
cd /opt
wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz
tar -zxvf openssl-1.1.1f.tar.gz
cd openssl-1.1.1f
./config
make && make install

# nginx
cd /opt/nginx-1.19.1
./configure \
--prefix=/usr/local/nginx \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_random_index_module \
--with-http_degradation_module \
--with-http_secure_link_module \
--with-http_gzip_static_module \
--with-http_perl_module \
--with-pcre=../pcre-8.44 \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1f \
--with-debug \
--with-file-aio \
--with-mail \
--with-mail_ssl_module \
--http-client-body-temp-path=/var/tmp/nginx/client_body \
--http-proxy-temp-path=/var/tmp/nginx/proxy \
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
--http-scgi-temp-path=/var/tmp/nginx/scgi \
--with-stream \
--with-ld-opt="-Wl,-E"
make && make install

# add the nginx binaries to PATH
cat >>/etc/profile<<EOF
NGINX_HOME=/usr/local/nginx
PATH=\$NGINX_HOME/sbin:\$PATH
EOF
source /etc/profile
1. Add the nginx system service start script
vi /etc/init.d/nginx
#!/bin/bash
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: 2345 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
#
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/nginx.lock

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n "Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n "Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

# validate the configuration before a restart so a bad config never takes the service down
configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    status)
        rh_status
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
        ;;
esac
2. Register the nginx system service and enable it at boot
chmod +x /etc/init.d/nginx
chkconfig --add nginx && chkconfig nginx on
chkconfig --list nginx
3. Start and stop the nginx service
service nginx start    # or: systemctl start nginx
service nginx status   # or: systemctl status nginx
ps -ef | grep nginx
service nginx stop     # or: systemctl stop nginx
Configure the operating system firewall (add the port numbers you actually use)
For CentOS 6:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
service iptables save
For CentOS 7:
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload
Enable the error log and the access log
# error log
error_log logs/error.log;
# access log (a space separates each quoted field so that they do not run together)
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                '"$request_time" "$upstream_response_time"';
# log buffering
access_log logs/access.log main buffer=64k flush=60s;
open_log_file_cache max=300 inactive=20s valid=1m min_uses=2;
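A parser for the "main" log_format defined above, added here as an example (it is not part of the original guide). It splits each line into the format's fields and summarises status codes, 403 responses per client IP and slow requests; the sample lines are constructed, and the 1.0 s slow threshold is an assumption.

```python
import re
from collections import Counter

# Regex for the "main" log_format defined above, one named group per field.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" "(?P<request_time>[^"]*)" '
    r'"(?P<upstream_response_time>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    rec["request_time"] = float(rec["request_time"])
    # $upstream_response_time is "-" when nginx answered itself (static files, 403s)
    # and may hold several comma-separated times when an upstream was retried.
    up = rec["upstream_response_time"]
    rec["upstream_response_time"] = None if up == "-" else float(up.split(",")[0])
    return rec

def summarize(lines, slow_threshold=1.0):
    """Count statuses, 403s per client IP, and requests slower than the threshold."""
    status, forbidden, slow = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        status[rec["status"]] += 1
        if rec["status"] == 403:
            forbidden[rec["remote_addr"]] += 1
        if rec["request_time"] >= slow_threshold:
            slow.append((rec["remote_addr"], rec["request"], rec["request_time"]))
    return {"status": dict(status), "forbidden_by_ip": dict(forbidden), "slow": slow}

# Constructed sample lines in the guide's "main" format (not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Jul/2020:12:00:01 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-" "0.002" "-"',
    '198.51.100.9 - - [10/Jul/2020:12:00:02 +0800] "DELETE /api/item HTTP/1.1" 403 162 "-" "curl/7.64.1" "-" "0.000" "-"',
    '198.51.100.9 - - [10/Jul/2020:12:00:03 +0800] "PUT /upload HTTP/1.1" 403 162 "-" "curl/7.64.1" "-" "0.000" "-"',
    '203.0.113.7 - - [10/Jul/2020:12:00:04 +0800] "POST /login HTTP/1.1" 200 45 "-" "Mozilla/5.0" "10.0.0.5" "1.532" "1.498"',
    'this line is not in the main format',
]
```

Run `summarize(open("/usr/local/nginx/logs/access.log"))` against a live log to get the same summary for real traffic.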
Add the parameter that hides the nginx version to nginx.conf
# hide nginx version
server_tokens off;
In fastcgi.conf, comment out the following line with # so that PHP does not see the nginx version
#fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
Configure hotlink protection in the relevant server block of nginx.conf (configure as your environment requires)
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
    valid_referers none blocked your-domain.example;   # replace with your own domain name(s)
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
Place error.html under nginx/html, then configure the following parameter in the http block of nginx.conf
error_page 404 500 502 503 504 505 /error.html;
Prevent clickjacking, IE content sniffing and XSS, and only allow resources to be loaded from this domain (external scripts cannot run); configure the following parameters in the server block of nginx.conf (as your environment requires)
# note: a location block that has its own add_header lines does not inherit these
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection 1;
#add_header Content-Security-Policy "default-src 'self'";
Do not use SSL or TLS versions below 1.2; use TLS 1.2 or newer. Configure the following in the server block of nginx.conf (when HTTPS is enabled)
# directive names are lower-case; TLSv1.3 requires OpenSSL 1.1.1 or newer (this build uses 1.1.1f)
ssl_protocols TLSv1.2 TLSv1.3;
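An audit of a raw HTTP response for the settings applied in the version-hiding and add_header sections above, added as an example that is not part of the original guide. The two sample responses are constructed; the expected header values follow the server block shown above.

```python
import re

# Header values this guide's server block adds (compared before any ";" options).
EXPECTED_HEADERS = {
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1",
}

def parse_head(raw):
    """Split a raw HTTP response into (status_line, {lower-case name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers

def audit(raw):
    """Return a list of findings; an empty list means the response matches the guide."""
    _, headers = parse_head(raw)
    findings = []
    server = headers.get("server", [""])[0]
    if re.search(r"nginx/\d", server, re.I):
        findings.append("Server header leaks the nginx version: " + server)
    elif "nginx" in server.lower():
        # server_tokens off alone still sends "Server: nginx"; only the source patch removes the name
        findings.append("Server header still names nginx: " + server)
    for name, want in EXPECTED_HEADERS.items():
        got = headers.get(name)
        if got is None:
            findings.append("missing header: " + name)
        elif got[0].split(";")[0].strip().lower() != want:
            findings.append("unexpected %s value: %s" % (name, got[0]))
    return findings

# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.19.1\r\nContent-Type: text/html\r\n"
    "Content-Length: 5\r\n\r\nhello"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: WEB/618\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1\r\nContent-Length: 5\r\n\r\nhello"
)
```

The output of `curl -si http://host/` can be passed to `audit()` as-is to check a deployed server.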
Restrict access by IP (not recommended when nginx is reachable from the public internet, unless malicious IPs are attempting CC attacks, brute forcing or similar abuse) (configure as your environment requires)
location / {
    deny  192.168.1.1;      # deny this IP
    allow 192.168.1.0/24;   # allow this range
    allow 10.1.0.0/16;      # allow this range (network address written canonically for a /16)
    deny  all;              # deny every other IP
}
Configure the following in the server block of nginx.conf to allow only the GET and POST HTTP methods
location / {
    # anchored match: any method other than exactly GET or POST is refused
    if ($request_method !~ ^(GET|POST)$) {
        return 403;
    }
}
Generally set this to the number of CPU cores, or cores x 2 (open at most 8 worker_processes)
grep ^processor /proc/cpuinfo | wc -l   # get the number of CPU cores
worker_processes 4;
For example, a 2-core configuration:
worker_processes 2;
worker_cpu_affinity 01 10;
For example, a 4-core configuration:
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
For example, an 8-core configuration:
worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
cat >>/etc/sysctl.conf<<EOF
fs.file-max = 6815744
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 40960
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12; drop it on such kernels
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
EOF
sysctl -p
# the limits.conf keyword for the process limit is nproc
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
Enable the epoll model to improve processing efficiency
events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}
sendfile on;
tcp_nopush on;
Protect server resources (CPU and memory) and control the number of connections
keepalive_timeout 60;
tcp_nodelay on;
client_header_buffer_size 4k;
open_file_cache max=102400 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 1;
client_header_timeout 60;
client_body_timeout 60;
reset_timedout_connection on;
send_timeout 20;
client_max_body_size 10m;
Use a separate conf file for each service to make operations easier; add an include parameter to nginx.conf
mkdir /usr/local/nginx/conf/conf.d
# in the http block of nginx.conf:
include /usr/local/nginx/conf/conf.d/*.conf;
Use gzip compression; it can save bandwidth and speed up transfers
gzip on;
gzip_min_length 2k;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types text/plain text/css text/javascript
           application/json application/javascript application/x-javascript
           application/xml;
gzip_vary on;
gzip_proxied any;
Caching is mainly for elements that rarely change, such as images, CSS and JS. Images in particular consume a lot of bandwidth, so they can be cached in the browser for 365d, while CSS, JS and HTML can be cached for around ten days.
location ~* \.(ico|jpe?g|gif|png|bmp|swf|flv)$ {
    expires 30d;
    #log_not_found off;
    access_log off;
}
location ~* \.(js|css)$ {
    expires 7d;
    log_not_found off;
    access_log off;
}
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page cannot be accessed</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="404/error_all.css?t=201303212934">
</head>
<body class="error-404">
<div id="doc_main">
  <section class="bd clearfix">
    <div class="module-error">
      <div class="error-main clearfix">
        <div class="label"></div>
        <div class="info">
          <h3 class="title">Sorry! This site may be unreachable for one of the following reasons:</h3>
          <div class="reason">
            <p>1. The domain you visited is not bound to a host;</p>
            <p>2. You are accessing by IP address; please try the domain name instead;</p>
            <p>3. The site has been stopped by its administrator.</p>
          </div>
        </div>
      </div>
    </div>
  </section>
</div>
</body>
</html>