Nginx安装与配置
1 卸载nginx
如果单板上已经安装了nginx,需要先卸载nginx:
1) 关闭nginx服务
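# List the running nginx processes; the master is the line labelled
# "nginx: master process".
ps -ef | grep nginx
# Graceful shutdown: replace 主进程号 with the master PID from the listing.
# The option dash must be an ASCII "-"; a typographic dash pasted from a web
# page is not parsed as an option, so the signal is never sent.
kill -QUIT 主进程号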
2) 删除nginx安装目录
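cd /usr/local
# Absolute paths keep rm -rf on the intended directories even if the cd above
# failed and the shell is still somewhere else. ASCII "-" for the options.
rm -rf -- /usr/local/nginx
rm -rf -- /usr/local/nginx-1.7.10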
2 安装nginx依赖组件
1)安装pcre
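# Check the archive against the digest or signature published by the project
# before unpacking and running its build scripts as root.
sha256sum pcre-8.36.tar.gz   # expected value: <SHA256_PUBLISHED_UPSTREAM>
# Presumably run from /usr/local: the nginx configure step later points at
# /usr/local/pcre-8.36.
tar -zxvf pcre-8.36.tar.gz
# Subshell so the working directory is unchanged for the next archive, and &&
# so a failed configure or make is not followed by make install.
(
  cd pcre-8.36 &&
    ./configure &&
    make &&
    make install
)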
2)安装zlib
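# Check the archive against the digest or signature published by the project
# before unpacking and running its build scripts as root.
sha256sum zlib-1.2.8.tar.gz   # expected value: <SHA256_PUBLISHED_UPSTREAM>
# Presumably run from /usr/local: the nginx configure step later points at
# /usr/local/zlib-1.2.8.
tar -zxvf zlib-1.2.8.tar.gz
# Subshell so the working directory is unchanged for the next archive, and &&
# so a failed configure or make is not followed by make install.
(
  cd zlib-1.2.8 &&
    ./configure &&
    make &&
    make install
)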
3)安装openssl
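# Check the archive against the digest or signature published by the project
# before unpacking and running its build scripts as root.
sha256sum openssl-1.0.1g.tar.gz   # expected value: <SHA256_PUBLISHED_UPSTREAM>
# 1.0.1g is the minimum this guide asks for, not a target: build the newest
# release available and adjust the directory names in the later steps to match.
tar -zxvf openssl-1.0.1g.tar.gz
# Subshell so the working directory is unchanged afterwards, and && so a failed
# config or make is not followed by make install.
(
  cd openssl-1.0.1g &&
    ./config &&
    make &&
    make install
)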
注意:低版本的openssl有漏洞,前台需要使用较高版本的openssl(1.0.1g以上版本)。一般Linux系统都自带openssl组件,此处安装不会覆盖系统自带的openssl,如果要覆盖系统自带的openssl,可以按如下步骤操作(可以不执行):
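# Optional: make the freshly built openssl the one found on the system paths.
# Only the command-line binary and the headers are switched here. Programs
# linked against the distribution's libssl/libcrypto shared libraries keep
# using those, so this does not patch them.
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
# The option dash must be an ASCII "-", not a typographic dash.
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# Confirm which build now answers on PATH.
openssl version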
3 安装nginx
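# Check the archive against the digest or signature published by the project
# before unpacking and running its build scripts as root.
sha256sum nginx-1.7.10.tar.gz   # expected value: <SHA256_PUBLISHED_UPSTREAM>
tar -zxvf nginx-1.7.10.tar.gz
# --with-pcre, --with-zlib and --with-openssl take the paths of the unpacked
# source trees, so those archives must have been extracted under /usr/local.
# --with-http_ssl_module is required for the HTTPS server blocks.
# && stops the sequence at the first failing step.
(
  cd nginx-1.7.10 &&
    ./configure \
      --prefix=/usr/local/nginx \
      --with-pcre=/usr/local/pcre-8.36 \
      --with-zlib=/usr/local/zlib-1.2.8 \
      --with-openssl=/usr/local/openssl-1.0.1g \
      --with-http_ssl_module &&
    make &&
    make install
)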
注意:安装nginx时一定要安装HTTPS模块(--with-http_ssl_module),否则无法使用nginx的HTTPS代理。编译过程比较慢,请耐心等候。
4 生成https证书
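cd /usr/local/nginx/conf
# Private key, encrypted with a passphrase (prompts you to set one).
# 2048 bits: a 1024-bit RSA key is too short to rely on for TLS.
openssl genrsa -des3 -out server.key 2048
# Certificate signing request (prompts for the passphrase set above).
# -sha256 avoids falling back to an older default digest on old OpenSSL builds.
openssl req -new -sha256 -key server.key -out server.csr
# Same private key with the passphrase removed. Anyone who can read this file
# holds the server's identity, so restrict both key files to the owner.
openssl rsa -in server.key -out server_nopwd.key
chmod 600 server.key server_nopwd.key
# Self-signed certificate, valid for 365 days. Clients cannot verify it against
# a CA; they have to trust or pin this certificate explicitly.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server_nopwd.key -out server.crt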
5 配置nginx
nginx主要配置如下:
1)http请求分发
# Plain-HTTP front end: forwards everything on port 80 to the backend on 29330.
server {
    server_name 10.176.88.120;
    listen 80;

    access_log logs/host.access.log main;

    # Initialises the variable with an empty value for this server.
    set $resp_body "";

    # Buffers and timeouts (seconds) for talking to the backend.
    client_body_buffer_size 512k;
    proxy_buffer_size 16k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;

    # $proxy_add_x_forwarded_for appends the connecting address to whatever
    # X-Forwarded-For value the client sent. The backend should therefore treat
    # only the last entry as written by this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Block direct requests for the Java web application's WEB-INF directory.
    # "~" is a case-sensitive regex match.
    location ~ ^/WEB-INF/ {
        deny all;
    }

    location / {
        proxy_pass http://10.176.88.120:29330;
        proxy_set_header Host $host:80;
        # X-Real-IP carries the address of the peer connected to nginx.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Via "nginx";
    }
}
2)https请求分发
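# HTTPS front end: terminates TLS on 443 and forwards to the backend on 29440.
server {
    # "ssl" on the listen directive replaces the older standalone "ssl on;".
    listen 443 ssl;
    server_name 10.176.88.120;

    ssl_certificate /usr/local/nginx/conf/server.crt;
    # server.key is passphrase-protected, so nginx asks for the passphrase at
    # start-up.
    ssl_certificate_key /usr/local/nginx/conf/server.key;
    # Name the accepted protocol versions explicitly instead of inheriting the
    # build's defaults. Widen this only if a required client cannot negotiate
    # TLS 1.2.
    ssl_protocols TLSv1.2;

    location / {
        # No space is allowed inside the URL. nginx does not validate the
        # upstream's certificate unless proxy_ssl_verify is switched on.
        proxy_pass https://10.176.88.120:29440;
        proxy_set_header Host $host:443;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the connecting address to any client-supplied X-Forwarded-For
        # value. Only the last entry is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Via "nginx";
    }
}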
3)http向https跳转
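# Redirect listener on 29440: answers every request with a permanent redirect
# to https://<server_name><original path>.
# NOTE(review): this listener is itself TLS-enabled, so it only redirects
# requests that already arrive over HTTPS. Confirm that this matches the
# "http to https" intent.
server {
    # "ssl" on the listen directive replaces the older standalone "ssl on;".
    listen 29440 ssl;
    # Without a server_name, $server_name in the rewrite below is empty and the
    # redirect target has no host. The value matches the complete sample
    # configuration in the appendix.
    server_name 10.176.88.121;

    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;

    rewrite ^(.*) https://$server_name$1 permanent;
}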
4)https向http跳转
# Redirect listener on 29330: sends every request to the same path on
# http://<server_name> with a permanent (301) redirect.
# The target is plain HTTP, so the redirected request, including any cookies
# sent with it, travels unencrypted.
server {
    server_name 10.176.88.121;
    listen 29330;

    rewrite ^(.*) http://$server_name$1 permanent;
}
6 启动nginx
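cd /usr/local/nginx/sbin
# Check the configuration for syntax errors before starting the server.
./nginx -t
# Start nginx. Because server.key is passphrase-protected, start-up prompts
# several times for the passphrase chosen when the key was generated.
./nginx
# Confirm that the master and worker processes are running. The option dash
# must be an ASCII "-".
ps -ef | grep nginx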
7 附录:
Nginx完整的配置样例:
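#user nobody;
worker_processes 2;

error_log /usr/local/nginx/logs/error.log warn;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # NOTE(review): $request_body writes request payloads (form fields,
    # passwords, tokens) into access.log. Keep it only while debugging and
    # restrict read access to the log directory.
    # A space now separates "$resp_body" from $status; the original strings
    # were concatenated with nothing between the two fields.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" "$request_body" "$resp_body" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /usr/local/nginx/logs/access.log main;

    #sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;

    # Buffer used to read the request line and headers.
    client_header_buffer_size 32k;
    # Number and size of the larger buffers used when the request headers do
    # not fit the buffer above.
    large_client_header_buffers 4 64k;
    # Bucket size of the server-name hash tables.
    server_names_hash_bucket_size 128;
    # Largest request body accepted; bigger uploads are rejected.
    client_max_body_size 8m;

    # sendfile: for disk-I/O-heavy workloads such as large downloads it can be
    # set to off to balance disk and network I/O and reduce system load.
    # Also set it to off if images are not displayed properly.
    sendfile on;
    # Send full packets / disable Nagle buffering.
    tcp_nopush on;
    tcp_nodelay on;

    # Directory listings stay disabled (the default): a generated index exposes
    # every file name under a served directory. Every location in this file is
    # proxied, so nothing here needs listings.
    autoindex off;

    # Keep-alive connection timeout in seconds.
    keepalive_timeout 300;

    #gzip on;

    # Plain-HTTP front end: forwards port 80 to the backend on 29330.
    server {
        listen 80;
        server_name 10.176.88.120;

        access_log logs/host.access.log main;

        # $proxy_add_x_forwarded_for appends the connecting address to whatever
        # X-Forwarded-For value the client sent. The backend should treat only
        # the last entry as written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        client_body_buffer_size 512k;
        proxy_connect_timeout 300;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;

        location / {
            # No space is allowed inside the URL.
            proxy_pass http://10.176.88.120:29330;
            proxy_set_header Host $host:80;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Via "nginx";
        }

        # Block direct requests for the Java web application's WEB-INF
        # directory. "~" is a case-sensitive regex match.
        location ~ ^/WEB-INF/ {
            deny all;
        }

        # Initialises the variable that the "main" log format prints.
        set $resp_body "";
    }

    # HTTPS server: terminates TLS on 443, forwards to the backend on 29440.
    server {
        # "ssl" on the listen directive replaces the older standalone "ssl on;".
        listen 443 ssl;
        server_name 10.176.88.120;

        ssl_certificate /usr/local/nginx/conf/server.crt;
        # server.key is passphrase-protected, so nginx asks for the passphrase
        # at start-up.
        ssl_certificate_key /usr/local/nginx/conf/server.key;
        # Name the accepted protocol versions explicitly instead of inheriting
        # the build's defaults. Widen this only if a required client cannot
        # negotiate TLS 1.2.
        ssl_protocols TLSv1.2;

        location / {
            # No space is allowed inside the URL. nginx does not validate the
            # upstream's certificate unless proxy_ssl_verify is switched on.
            proxy_pass https://10.176.88.120:29440;
            proxy_set_header Host $host:443;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Via "nginx";
        }
    }

    # http to https
    # NOTE(review): this listener is itself TLS-enabled, so it only redirects
    # requests that already arrive over HTTPS. Confirm that this is intended.
    server {
        listen 29440 ssl;
        server_name 10.176.88.121;

        ssl_certificate /usr/local/nginx/conf/server.crt;
        ssl_certificate_key /usr/local/nginx/conf/server.key;

        rewrite ^(.*) https://$server_name$1 permanent;
    }

    # https to http
    # The redirect target is plain HTTP, so the follow-up request travels
    # unencrypted.
    server {
        listen 29330;
        server_name 10.176.88.121;

        rewrite ^(.*) http://$server_name$1 permanent;
    }
}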