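0x0 Preface
Everything on this page was deployed in the following environment:
- Operating system: Ubuntu 20.04.3 LTS
- Kernel: GNU/Linux 5.4.0-97-generic x86_64
- nginx version: 1.21.6
Note: the two installation methods in this article are alternatives; pick either one.
1x0 Install from the package repository
Using the official Ubuntu repository:
Note: the nginx installed this way is the long-term support (LTS) version, not the latest release.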
```bash
apt update && apt install nginx-full -y
```
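2x0 Compile and install from source
This section demonstrates a full Nginx build and install, with comments for all of the build options. For further customization, see the official documentation.
//This section only demonstrates a relatively basic Nginx build and install: it enables HTTP/2 support, adds the OpenSSL library for TLS connections, and adds the ngx_brotli module for Brotli compression. If you need further customization, see the official documentation.
The operating user is assumed to be root and the working directory /opt.
2x1 Install build dependencies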
```bash
apt install build-essential git libpcre3 libpcre3-dev zlib1g-dev libxml2 libxml2-dev libxslt1-dev libgd-dev libgeoip-dev libgoogle-perftools-dev libatomic-ops-dev -y
```
First, change to the source directory.
2x2 Get the Nginx source files
(As of 2022-01-25, the Nginx mainline version is 1.21.6)
```bash
wget https://nginx.org/download/nginx-1.21.6.tar.gz
tar -xzf nginx-1.21.6.tar.gz && rm nginx-1.21.6.tar.gz

wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
tar -xzf openssl-1.1.1m.tar.gz && rm openssl-1.1.1m.tar.gz
mv openssl* openssl

git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli && git submodule update --init && cd ..
```
2x3 Modify the Nginx header (optional)
For a personalized banner (purely cosmetic), you can change the Server: nginx field that Nginx sends by default in HTTP response headers to another value. Only the following files need to be edited:
- src/core/nginx.h
```c
#define NGINX_VER "nginx/" NGINX_VERSION
```
- src/http/ngx_http_header_filter_module.c
```c
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
```
- src/http/ngx_http_special_response.c
```c
static u_char ngx_http_error_tail[] = "<hr><center>nginx</center>" CRLF
```
- src/http/v2/ngx_http_v2_filter_module.c
```c
static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7"; /* this is the HPACK-encoded field; you can use https: */

        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0,
                       "http2 output header: \"server: nginx\"");
    }

    pos = ngx_http_v2_write_header_str("server", "nginx");
```
2x4 Start the build
Build options overview
```bash
# Installation layout: prefix, binary, modules, configuration, logs, pid and lock files
--prefix=/usr/bin
--sbin-path=/usr/sbin
--modules-path=/etc/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/etc/nginx/error.log
--http-log-path=/etc/nginx/access.log
--pid-path=/run/nginx.pid
--lock-path=/var/lock/nginx.lock

# Temporary file locations for request bodies and proxied, FastCGI, SCGI and uwsgi responses
--http-client-body-temp-path=/etc/nginx/temp/body
--http-fastcgi-temp-path=/etc/nginx/temp/fastcgi
--http-proxy-temp-path=/etc/nginx/temp/proxy
--http-scgi-temp-path=/etc/nginx/temp/scgi
--http-uwsgi-temp-path=/etc/nginx/temp/uwsgi

# Default user and group the worker processes run as when nginx.conf has no "user" directive
--user=root
--group=root

# Enable thread pool support
--with-threads
```
```bash
cd nginx-1.21.6
./configure \
--prefix=/usr/bin \
--sbin-path=/usr/sbin \
--modules-path=/etc/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/etc/nginx/error.log \
--http-log-path=/etc/nginx/access.log \
--pid-path=/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-client-body-temp-path=/etc/nginx/temp/body \
--http-fastcgi-temp-path=/etc/nginx/temp/fastcgi \
--http-proxy-temp-path=/etc/nginx/temp/proxy \
--http-scgi-temp-path=/etc/nginx/temp/scgi \
--http-uwsgi-temp-path=/etc/nginx/temp/uwsgi \
--user=root \
--group=root \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-stream_ssl_preread_module \
--with-google_perftools_module \
--with-cpp_test_module \
--with-compat \
--with-cc-opt='-g -O2 -fPIE -fstack-protector' \
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
--with-libatomic \
--with-debug \
--with-openssl=../openssl \
--add-module=../ngx_brotli
make && make install
```
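3x0 Modify the Nginx configuration
The Nginx used in this part is the one built and installed in the previous step, and the configuration is split across separate files.
3x1 Global configuration
The Nginx configuration file is located at /etc/nginx/nginx.conf; its contents and some related notes follow: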
```nginx
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    accept_mutex off;
    multi_accept on;
    use epoll;
    worker_connections 65535;
}

http {
    include /etc/nginx/mime.types;

    client_header_buffer_size 4k;
    default_type application/octet-stream;
    keepalive_timeout 300s 300s; # you can lower this value as appropriate
    keepalive_requests 65535;
    send_timeout 10s;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    server_name_in_redirect off;
    ssl_buffer_size 4k;
    # Supported TLS cipher suites
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384; # supports only modern, more secure browsers
    # Supported TLS versions
    ssl_protocols TLSv1.2 TLSv1.3; # supports only modern, more secure browsers
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_session_timeout 1d; # you can lower this value as appropriate
    # OCSP Stapling parameters, tied to the ssl_trusted_certificate parameter in the site configuration below
    ssl_stapling on;
    ssl_stapling_verify on;

    brotli on;
    brotli_buffers 32 4k;
    brotli_comp_level 11;
    brotli_min_length 32;
    brotli_static on;
    brotli_types text/css text/javascript text/mathml text/plain text/x-component text/xml text/vnd.wap.wml application/x-httpd-php image/svg+xml image/x-icon application/javascript application/x-javascript application/json application/xml application/atom+xml application/rss+xml application/xhtml+xml application/xspf+xml font/opentype application/x-font-ttf application/font-woff application/font-woff2 application/msword application/rtf application/x-cocoa application/x-makeself application/x-perl application/x-pilot application/x-tcl application/x-x509-ca-cert application/vnd.ms-excel application/vnd.ms-fontobject application/vnd.google-earth.kml+xml application/vnd.google-earth.kmz image/vnd.microsoft.icon;
    brotli_window 1m;

    gzip on;
    gzip_buffers 32 4k;
    gzip_comp_level 9;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_min_length 32;
    gzip_proxied off;
    gzip_static on;
    gzip_types text/css text/javascript text/mathml text/plain text/x-component text/xml text/vnd.wap.wml application/x-httpd-php image/svg+xml image/x-icon application/javascript application/x-javascript application/json application/xml application/atom+xml application/rss+xml application/xhtml+xml application/xspf+xml font/opentype application/x-font-ttf application/font-woff application/font-woff2 application/msword application/rtf application/x-cocoa application/x-makeself application/x-perl application/x-pilot application/x-tcl application/x-x509-ca-cert application/vnd.ms-excel application/vnd.ms-fontobject application/vnd.google-earth.kml+xml application/vnd.google-earth.kmz image/vnd.microsoft.icon;
    gzip_vary on;

    open_file_cache_errors on;
    open_file_cache max=65535 inactive=30s;
    open_file_cache_min_uses 2;
    open_file_cache_valid 30s;

    # Include the external site configurations here
    include /etc/nginx/sites/*.conf;
}
```
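3x2 Site configuration
Because I have several subdomains with different functions, I separated the configuration shared by HTTP/HTTPS from the configuration that implements each site's individual function, for convenience and to keep the configuration files small.
Assume here that I have the domain www.example.com and several subdomains, and that all site configuration files live in the /etc/nginx/sites/ directory. A configuration example follows.
Subdomain configuration example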
```nginx
# Create a new file: /etc/nginx/sites/www.example.com.conf
server {
    listen 80 default;
    listen 443 ssl http2 default;
    server_name www.example.com;
    server_name _; # handles requests that arrive directly by IP address

    # Enable the SSL certificate
    ssl_certificate /etc/nginx/ca/ssl_fullchain.crt;
    ssl_certificate_key /etc/nginx/ca/ssl.key;
    ssl_trusted_certificate /etc/nginx/ca/ssl_fullchain.crt;

    # Block some useless crawlers
    if ($http_user_agent ~* "AdIdxBot|AhrefsBot|Bytespider|coccocbot|DotBot|EasouSpider|ia_archiver|iaskspider|MBCrawler|MJ12bot|MSNot-media|Semrush|Teoma|YandexBot|YisouSpider|^$") {
        return 444;
    }

    location / {
        root /var/www;
        index index.html;
    }
}
```
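4x0 Closing remarks
Software versions on the Internet move quickly; if anything here is out of date, please let me know so it can be updated promptly.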