Installing Nginx on CentOS 7 and configuring the SSL module

yum install gcc-c++
yum install -y pcre pcre-devel
yum install -y zlib zlib-devel
yum install -y openssl openssl-devel

Official site: https://nginx.org/en/download.html

Right-click the package you want and copy its link address, then run wget -c "copied link address", for example:

wget -c https://nginx.org/download/nginx-1.17.0.tar.gz
tar -zxvf nginx-1.17.0.tar.gz
cd nginx-1.17.0
./configure
make
make install

Check the installation path:

whereis nginx

Starting and stopping nginx

cd /usr/local/nginx/sbin/
./nginx 
./nginx -s stop
./nginx -s quit
./nginx -s reload

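./nginx -s quit: this way of stopping waits until the nginx processes have finished handling their tasks before stopping.
./nginx -s stop: this is equivalent to looking up the nginx process id and then force-killing the process with the kill command.

Find the nginx processes: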

ps aux|grep nginx

Starting at boot

Just add the startup command to rc.local.

vi /etc/rc.local

Add the line /usr/local/nginx/sbin/nginx
Set execute permission:

chmod 755 /etc/rc.local

Open /usr/local/nginx/conf/nginx.conf and you can see that nginx's default port is 80. Open port 80 in the firewall and reload it:


firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

Enter http://ip:80 in a browser to check.

 

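Configuring the Nginx SSL module

If Nginx does not have the SSL module enabled, configuring HTTPS reports an error.

1. cd to the source package directory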

cd /data/nginx/

2. Check the modules nginx was originally built with

/usr/local/nginx/sbin/nginx -V

3. Configure and compile

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make

4. Do not run make install here, otherwise it will overwrite the existing installation. You can back up the original nginx first

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

5. Overwrite the original nginx with the newly compiled one (nginx must be stopped at this point)

cp ./objs/nginx /usr/local/nginx/sbin/

6. Then start nginx. You can still use the command from step 2 to check whether the module was added successfully

 

Nginx SSL performance tuning

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;

ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 10m;
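
The tuning lines above still enable TLSv1 and TLSv1.1 (deprecated by RFC 8996) and RC4 (prohibited by RFC 7465), and they exclude the AES-GCM suites. The following check is an added example, not from the original post: a POSIX shell function with the hypothetical name audit_tls_conf reads nginx configuration text on stdin and reports such settings; both sample inputs are constructed, the first from the lines above.

```shell
#!/bin/sh
# Added example, not from the original page. audit_tls_conf (hypothetical name)
# prints one finding per weak ssl_protocols / ssl_ciphers setting on stdin.
audit_tls_conf() (
    set -f                              # no globbing while splitting words
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                # strip comments
        line=${line%%;*}                # strip the terminating semicolon
        set -- $line                    # $1 = directive, rest = arguments
        [ $# -ge 2 ] || continue
        directive=$1; shift
        case $directive in
        ssl_protocols)
            for tok in "$@"; do
                case $tok in
                SSLv2|SSLv3|TLSv1|TLSv1.1)
                    echo "line $n: deprecated protocol $tok" ;;
                esac
            done ;;
        ssl_ciphers)
            old_ifs=$IFS; IFS=:         # the cipher string is ':'-separated
            set -- $1
            IFS=$old_ifs
            for tok in "$@"; do
                case $tok in
                '!AESGCM'|-AESGCM)
                    echo "line $n: AES-GCM suites excluded by $tok" ;;
                '!'*|-*) ;;             # other exclusions are fine
                *RC4*|*DES*|*MD5*|*NULL*|*EXP*|LOW|MEDIUM)
                    echo "line $n: weak cipher term $tok" ;;
                esac
            done ;;
        esac
    done
    exit 0
)

# Constructed samples: the tuning directives above (four findings), then a
# TLS 1.2, AES-GCM-only alternative (no findings).
audit_tls_conf <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
EOF
audit_tls_conf <<'EOF'
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
EOF
```

To check a deployed file, run audit_tls_conf < /usr/local/nginx/conf/nginx.conf; no output means none of these settings were found.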

Finally, part of the nginx configuration:

    server {
        listen 80;
        server_name test.com;
        rewrite ^(.*)$ https://$server_name$1 permanent;
    }

    server {
        listen       443 ssl;
        server_name  test.com;

        ssl_certificate      ../cert/test.pem;
        ssl_certificate_key  ../cert/test.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

    server {
        listen 80;
        server_name son.test.com;
        rewrite ^(.*)$ https://$server_name$1 permanent;
    }

    server {
        listen       443 ssl;
        server_name  son.test.com;

        ssl_certificate      ../cert/son.pem;
        ssl_certificate_key  ../cert/son.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            tcp_nodelay on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:18001;
        }
    }

 
