Nginx: Compiling from Source and Common Configuration Templates

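Background

I really can't stand having to search Baidu for a template every single time.
This time I am collecting a few commonly used templates,
so that from now on I can use them directly wherever I am.
Note: these must not be used as-is in production; they are suitable for testing and POCs.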

Part 1: Compiling

Part 1 file directory layout:
Location: the /nginx directory on server 19.
-rw-r--r--  1 root root  335 9月  27 18:50 config.txt
drwxr-xr-x  9 root root  186 12月  4 2019 nginx-1.17.3
drwxr-xr-x  9 root root  186 9月  27 15:14 nginx-1.22.0
drwxr-xr-x  9 root root  186 7月  18 14:45 nginx-1.23.0
drwxr-xr-x  9 root root  186 9月  27 15:05 nginx-1.23.1
drwxr-xr-x  4 root root  207 8月   9 2016 nginx-sticky
drwxrwxr-x 19 root root 4096 9月  27 15:57 openssl-1.1.1b
drwxr-xr-x  9 root root 8192 9月  27 15:57 pcre-8.43
drwxr-xr-x 14 root root 4096 9月  27 15:58 zlib-1.2.11

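Part 1: Compiling

Notes on installation:
There is no need to compile zlib, openssl and the like separately.
Just add them to nginx's configure options and they are built automatically.
Note: the sources can be placed in the arm directory and compiled there; the resulting build can then run in domestic (Chinese-made) environments.
Note the prefix path: set it deliberately, which makes maintenance easier.

Part 1: Compiling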

./configure --prefix=/data/nginx \
--sbin-path=/data/nginx/nginx \
--conf-path=/data/nginx/nginx.conf \
--pid-path=/data/nginx/nginx.pid \
--with-http_ssl_module \
--with-pcre=../pcre-8.43 \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1b \
--with-stream \
--with-stream_ssl_preread_module \
--add-module=../nginx-sticky

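Nginx configuration templates

  • Simple front-end files
  • Can be used to let nginx expose the front-end pages when the front end and back end are separated.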
user  root;
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    sendfile        on;
    gzip  on;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root /myapp/web/ ;
            index  index.html index.htm;
        }
    }
}

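Nginx configuration template

  • Layer 7 reverse proxy template
  • Provides simple application load balancing.
  • Pay attention to how the upstream name and proxy_pass go together.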
user  root;
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    upstream myapp {
        ip_hash;  # or: sticky; (needs the nginx-sticky module added at configure time)
        server 10.x.x.x:5200;
        server 10.2x.x.x:5200;
    }
    server {
        listen  80;
        server_name localhost;  # or the server's IP, or some other name
        location / {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' "true";
            proxy_pass http://myapp;
        }
    }
}
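
The template above answers every request with Access-Control-Allow-Origin set to the caller's own Origin plus Access-Control-Allow-Credentials "true", so any website can make credentialed cross-origin requests and read the responses. The following is an added example, not part of the original templates, that keeps the same layout but echoes the origin only when it is on an allowlist; the two example.com origins and the 127.0.0.1 backend are constructed placeholders.

```nginx
# Added example, not part of the original templates.
# The origins and the backend address are constructed placeholders.
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    # Echo the Origin header back only when it is on the allowlist;
    # every other origin maps to an empty string.
    map $http_origin $cors_origin {
        default                        "";
        "https://app.example.com"      $http_origin;
        "https://admin.example.com"    $http_origin;
    }
    # Send Allow-Credentials only together with an allowed origin.
    map $cors_origin $cors_credentials {
        default    "true";
        ""         "";
    }
    upstream myapp {
        ip_hash;
        server 127.0.0.1:5200;
    }
    server {
        listen       80;
        server_name  localhost;
        location / {
            # add_header emits nothing when the value is empty, so a request
            # from an unlisted origin gets no CORS headers at all.
            add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
            add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
            # The response differs per Origin, so caches must key on it.
            add_header 'Vary' 'Origin' always;
            proxy_pass http://myapp;
        }
    }
}
```

The same two add_header lines appear in the HTTPS template further down, and the same map blocks can replace them there.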

Nginx configuration template

  • Layer 4 reverse proxy
  • configure must include with-stream
  • Note that http is replaced by stream, and there is no location field.
worker_processes 1;
events {
    worker_connections  1024;
}
stream {
    upstream backend {
        hash $remote_addr consistent;
        server 127.0.0.1:12346 weight=5;
        server 127.0.0.1:12347            max_fails=3 fail_timeout=30s;
        server 127.0.0.1:12348            max_fails=3 fail_timeout=30s;
    }
    server {
        listen 12345;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass backend;
    }
}

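Nginx configuration template

  • Layer 4 reverse proxy for HTTPS sites, without a certificate
  • The ssl_preread module is required; note that several sites can be reverse-proxied at the same time.
  • It can be used by changing DNS on the other servers.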
worker_processes  2;
events {
    worker_connections  10240;
}
stream {
    map $ssl_preread_server_name $backend_pool {
        www.baidu.com baidu;
        www.163.com  163;
    }
    upstream baidu {
        server www.baidu.com:443;
    }
    upstream 163 {
        server www.163.com:443;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend_pool;
        proxy_connect_timeout 15s;
        proxy_timeout 15s;
        proxy_next_upstream_timeout 15s;
    }
}

Nginx configuration template

  • HTTPS, and how to write the redirect from port 80 to 443
worker_processes  auto;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile on;
    gzip  on;
    access_log off;
    client_max_body_size 20m;
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;
    client_body_buffer_size 100m;
    gzip_buffers 16 8k;
    proxy_buffer_size 64k;
    proxy_buffers 4 128k;
    proxy_busy_buffers_size 256k;
    keepalive_timeout 6000;
    fastcgi_connect_timeout 600;
    fastcgi_send_timeout 600;
    fastcgi_read_timeout 600;
    proxy_connect_timeout 600s;
    proxy_send_timeout 1200;
    proxy_read_timeout 1200;
    server_tokens off;

    upstream myapp {
        ip_hash;  # or: sticky; (needs the nginx-sticky module added at configure time)
        server 127.0.0.1:5200;
        server 127.0.0.1:5300;
    }
    server {
        listen  80;
        server_name your.site.com;
        rewrite ^(.*) https://$server_name$1 permanent;
    }
    server {
        listen       443 ssl;
        server_name your.site.com ;
        error_page 497 https://$http_host$request_uri;
        ssl_certificate cert/server.crt;
        ssl_certificate_key cert/server.key;
        ssl_session_cache  shared:SSL:1m;
        ssl_session_timeout 5m;
        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;
        proxy_set_header        Host            $http_host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        valid_referers none blocked server_names; 
        if ($invalid_referer = "1") {
            return 403;
        }
        location / {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' "true";
            proxy_pass http://myapp;
        }
        location ^~ /api/runtime/sys/v1.0/messagecenter {
            proxy_pass  http://myapp/api/runtime/sys/v1.0/messagecenter;
            proxy_http_version 1.1;
            proxy_read_timeout 3600s;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Nginx configuration template

  • Mutual (two-way) SSL authentication template
worker_processes  auto;
events {
    worker_connections  10240;
}
http {
    client_header_timeout 600;
    client_body_timeout 600;
    client_max_body_size 300m;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    include       mime.types;
    default_type  application/octet-stream;
    access_log off;
    sendfile        on;
    keepalive_timeout  65;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 8;
    gzip_types text/plain application/javascript text/css application/json text/javascript image/svg+xml image/png;
    gzip_vary off;
    upstream myapp {
          ip_hash;
          server 127.0.0.1:5200 weight=5 max_fails=1000 fail_timeout=10s;
    }
   server {
    listen 80;
    server_name www.myapp.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
     }
    server {
        listen       443 ssl;
        server_name  www.myapp.com;
        add_header Strict-Transport-Security "max-age=172800; includeSubDomains" ;
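        ssl_certificate      /opt/myapp/cert/server.crt;  # server certificate (public key), or the Alibaba Cloud certificate pem
        ssl_certificate_key  /opt/myapp/cert/server.key;  # server private key, or the Alibaba Cloud certificate key
        ssl_client_certificate /opt/myapp/cert/ca.crt;  # root certificate (public key), used to verify each second-level client
        ssl_verify_client on;  # enable client certificate verification
        ssl_prefer_server_ciphers  on;
        ssl_early_data on;  # TLS 1.3 0-RTT; requests sent as early data can be replayed
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_protocols TLSv1.3 ;  # TLS 1.3 only; with OpenSSL 1.1.1 the ssl_ciphers list below governs TLS 1.2 and earlier, so it has no effect here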
        ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        location ^~ /  {
            proxy_pass  http://myapp/;
        }
   }
}
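
The mutual-authentication template above verifies the client certificate but tells the backend nothing about who connected, has access_log off, and accepts 0-RTT early data. The following is an added example, not part of the original template, that forwards the verified identity, logs it, and turns early data off; the X-Client-* header names and the log file name are assumptions, while the certificate paths, server name and upstream are the template's own.

```nginx
# Added example, not part of the original template.
# Header names X-Client-* and the log file name are assumptions; the
# certificate paths, server name and upstream are the template's own.
worker_processes  auto;
events {
    worker_connections  10240;
}
http {
    # Record who authenticated: verification result and certificate subject.
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'verify=$ssl_client_verify dn="$ssl_client_s_dn"';
    upstream myapp {
        server 127.0.0.1:5200;
    }
    server {
        listen       443 ssl;
        server_name  www.myapp.com;
        access_log   logs/mtls_access.log mtls;

        ssl_certificate         /opt/myapp/cert/server.crt;
        ssl_certificate_key     /opt/myapp/cert/server.key;
        ssl_client_certificate  /opt/myapp/cert/ca.crt;
        ssl_verify_client       on;
        ssl_protocols           TLSv1.3;
        # 0-RTT requests can be replayed. Keep it off, or leave it on and pass
        # "Early-Data $ssl_early_data" upstream so the application can refuse.
        ssl_early_data          off;

        location / {
            proxy_set_header Host            $http_host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # proxy_set_header replaces any header of the same name sent by
            # the client, so the backend sees only what nginx verified.
            proxy_set_header X-Client-Verify      $ssl_client_verify;
            proxy_set_header X-Client-DN          $ssl_client_s_dn;
            proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
            proxy_pass http://myapp/;
        }
    }
}
```

The backend can trust these headers only while it is reachable solely through nginx, as with the 127.0.0.1 upstream used here.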
