Configuring a usable nginx


0x0 Preface

Everything on this page was deployed on the following environment:

  • Operating system: Ubuntu 20.04.3 LTS
  • Kernel: GNU/Linux 5.4.0-97-generic x86_64
  • nginx version: 1.21.6

Note: the article describes two installation methods; pick one of them.

1x0 Installing from the package repository

Using the official Ubuntu repository:
Note: nginx installed this way is the long-term support (LTS) release, not the latest version.

apt update && apt install nginx-full -y

2x0 Building and installing from source

This section walks through a full build of Nginx from source with every configure option annotated; the build enables HTTP/2, links OpenSSL so that TLS connections are supported, and adds the ngx_brotli module for Brotli compression. If you need further customization, see the official documentation.

The commands below assume the operating user is root and the working directory is /opt.

2x1 Installing build dependencies

apt install build-essential git libpcre3 libpcre3-dev zlib1g-dev libxml2 libxml2-dev libxslt1-dev libgd-dev libgeoip-dev libgoogle-perftools-dev libatomic-ops-dev -y

First, change to the directory that will hold the sources:

cd /opt

2x2 Fetching the Nginx sources

(As of 2022-01-25, the Nginx mainline version is 1.21.6.)

wget https://nginx.org/download/nginx-1.21.6.tar.gz
tar -xzf nginx-1.21.6.tar.gz && rm nginx-1.21.6.tar.gz
# Fetch OpenSSL
wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
tar -xzf openssl-1.1.1m.tar.gz && rm openssl-1.1.1m.tar.gz
mv openssl* openssl
# Fetch the ngx_brotli module
git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli && git submodule update --init && cd ..

2x3 Changing the Nginx Server header (optional)

For a personalized identity (it looks nicer), you can change the Server: nginx field that Nginx sends by default in its HTTP response headers to some other value. Only the following files need editing. Note that this is purely cosmetic: the server_tokens off directive in the global configuration below already removes the version number from the Server header and from error pages.

  • src/core/nginx.h
    #define NGINX_VER          "nginx/" NGINX_VERSION
  • src/http/ngx_http_header_filter_module.c
    static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
  • src/http/ngx_http_special_response.c
    static u_char ngx_http_error_tail[] = "<hr><center>nginx</center>" CRLF
  • src/http/v2/ngx_http_v2_filter_module.c (three places; the first is the HPACK-encoded form of "nginx", which you can produce for another value with the tool at https://yuankan.co/tools/hpack; the array length must match the number of encoded bytes)
    static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7"; /* "nginx", HPACK-encoded */
    ...
    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0,
                   "http2 output header: \"server: nginx\"");
    ...
    pos = ngx_http_v2_write_header_str("server", "nginx");

2x4 Starting the build

The configure options explained:

--prefix=/usr/bin #install prefix
--sbin-path=/usr/sbin #path of the nginx binary
--modules-path=/etc/nginx/modules #path for dynamic modules
--conf-path=/etc/nginx/nginx.conf #path of nginx.conf
--error-log-path=/etc/nginx/error.log #path of error.log
--http-log-path=/etc/nginx/access.log #path of access.log
--pid-path=/run/nginx.pid #path of nginx.pid
--lock-path=/var/lock/nginx.lock #path of nginx.lock

--http-client-body-temp-path=/etc/nginx/temp/body #temporary files for client request bodies
--http-fastcgi-temp-path=/etc/nginx/temp/fastcgi #temporary files for fastcgi
--http-proxy-temp-path=/etc/nginx/temp/proxy #temporary files for proxying
--http-scgi-temp-path=/etc/nginx/temp/scgi #temporary files for scgi
--http-uwsgi-temp-path=/etc/nginx/temp/uwsgi #temporary files for uwsgi

--user=root #default user for the worker processes (only the compiled-in default of the user directive; the master process needs root to bind ports 80/443, but the workers that parse requests should normally run as an unprivileged account such as www-data)
--group=root #default group for the worker processes

--with-threads #enable thread pool support; every other --with-* option enables the named feature or module in the same way

cd nginx-1.21.6
./configure \
--prefix=/usr/bin \
--sbin-path=/usr/sbin \
--modules-path=/etc/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/etc/nginx/error.log \
--http-log-path=/etc/nginx/access.log \
--pid-path=/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-client-body-temp-path=/etc/nginx/temp/body \
--http-fastcgi-temp-path=/etc/nginx/temp/fastcgi \
--http-proxy-temp-path=/etc/nginx/temp/proxy \
--http-scgi-temp-path=/etc/nginx/temp/scgi \
--http-uwsgi-temp-path=/etc/nginx/temp/uwsgi \
--user=root \
--group=root \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-stream_ssl_preread_module \
--with-google_perftools_module \
--with-cpp_test_module \
--with-compat \
--with-cc-opt='-g -O2 -fPIE -fstack-protector' \
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
--with-libatomic \
--with-debug \
--with-openssl=../openssl \
--add-module=../ngx_brotli
make && make install
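A post-build check, added here as an example and not part of the original post: it reads the output of `nginx -V` (which prints the version, the OpenSSL it was linked against and the configure arguments) and fails if any of the security-relevant options from the configure line above are missing. The sample output is constructed.

```shell
# check_nginx_build <output of "nginx -V 2>&1"> <expected OpenSSL version>
# Returns 0 when every required option is present; otherwise prints the
# missing ones to stderr and returns 1.
check_nginx_build() {
    output=$1
    want_ssl=$2
    missing=""

    # --with-openssl=../openssl links OpenSSL statically, so the version
    # reported here (not the system library) is the one that must stay patched.
    case "$output" in
        *"built with OpenSSL $want_ssl"*) ;;
        *) missing="$missing OpenSSL-$want_ssl" ;;
    esac

    # Modules and hardening flags taken from the configure line above.
    for flag in --with-http_ssl_module --with-http_v2_module \
                --add-module=../ngx_brotli \
                -fstack-protector -pie -Wl,-z,relro -Wl,-z,now; do
        case "$output" in
            *"$flag"*) ;;
            *) missing="$missing $flag" ;;
        esac
    done

    if [ -n "$missing" ]; then
        echo "missing build options:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of "nginx -V 2>&1" from the build above, so the check
# runs offline; on a real host use: check_nginx_build "$(nginx -V 2>&1)" 1.1.1m
SAMPLE_NGINX_V=$(cat <<'EOF'
nginx version: nginx/1.21.6
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04)
built with OpenSSL 1.1.1m  14 Dec 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/bin --sbin-path=/usr/sbin --with-http_ssl_module --with-http_v2_module --with-cc-opt='-g -O2 -fPIE -fstack-protector' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --with-openssl=../openssl --add-module=../ngx_brotli
EOF
)

check_nginx_build "$SAMPLE_NGINX_V" 1.1.1m && echo "build matches the expected options"
```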

3x0 Modifying the Nginx configuration

The Nginx used in this part is the one built and installed in the previous step, and the configuration is split into separate files by purpose.

3x1 Global configuration

The Nginx configuration file is /etc/nginx/nginx.conf; its contents and some related notes follow:


worker_processes auto;
worker_rlimit_nofile 65535;

events {
accept_mutex off;
multi_accept on;
use epoll;
worker_connections 65535;
}

http {
include /etc/nginx/mime.types;

client_header_buffer_size 4k;
default_type application/octet-stream;
keepalive_timeout 300s 300s;#you can lower this value as you see fit
keepalive_requests 65535;
send_timeout 10s;
sendfile on;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 64;
server_name_in_redirect off;
ssl_buffer_size 4k;
#supported cipher suites (all ECDHE-ECDSA, which requires an ECDSA certificate; with an RSA certificate you would need the ECDHE-RSA equivalents)
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384;#only modern, more secure browsers are supported
#supported TLS versions
ssl_protocols TLSv1.2 TLSv1.3;#only modern, more secure browsers are supported
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets on;#ticket keys are generated at startup and only change on restart or reload, so keep the timeout modest if forward secrecy of resumed sessions matters
ssl_session_timeout 1d;#you can lower this value as you see fit
#OCSP Stapling parameters; these rely on the ssl_trusted_certificate directive in the site configuration below
ssl_stapling on;
ssl_stapling_verify on;


brotli on;
brotli_buffers 32 4k;
brotli_comp_level 11;
brotli_min_length 32;
brotli_static on;
brotli_types text/css text/javascript text/mathml text/plain text/x-component text/xml text/vnd.wap.wml application/x-httpd-php image/svg+xml image/x-icon application/javascript application/x-javascript application/json application/xml application/atom+xml application/rss+xml application/xhtml+xml application/xspf+xml font/opentype application/x-font-ttf application/font-woff application/font-woff2 application/msword application/rtf application/x-cocoa application/x-makeself application/x-perl application/x-pilot application/x-tcl application/x-x509-ca-cert application/vnd.ms-excel application/vnd.ms-fontobject application/vnd.google-earth.kml+xml application/vnd.google-earth.kmz image/vnd.microsoft.icon;
brotli_window 1m;

gzip on;
gzip_buffers 32 4k;
gzip_comp_level 9;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_min_length 32;
gzip_proxied off;
gzip_static on;
gzip_types text/css text/javascript text/mathml text/plain text/x-component text/xml text/vnd.wap.wml application/x-httpd-php image/svg+xml image/x-icon application/javascript application/x-javascript application/json application/xml application/atom+xml application/rss+xml application/xhtml+xml application/xspf+xml font/opentype application/x-font-ttf application/font-woff application/font-woff2 application/msword application/rtf application/x-cocoa application/x-makeself application/x-perl application/x-pilot application/x-tcl application/x-x509-ca-cert application/vnd.ms-excel application/vnd.ms-fontobject application/vnd.google-earth.kml+xml application/vnd.google-earth.kmz image/vnd.microsoft.icon;
gzip_vary on;

open_file_cache_errors on;
open_file_cache max=65535 inactive=30s;
open_file_cache_min_uses 2;
open_file_cache_valid 30s;

#pull in the external per-site configuration files
include /etc/nginx/sites/*.conf;
}

3x2 Site configuration

Because I have several subdomains serving different purposes, I separate the shared HTTP/HTTPS configuration from the per-site functional configuration; this keeps things convenient and the configuration files small.

Here I assume I own the domain www.example.com plus several subdomains, and that all site configuration files live in /etc/nginx/sites/. An example follows.

Example subdomain configuration

#create a new file: /etc/nginx/sites/www.example.com.conf
server {
listen 80 default;#a second plain "listen 80;" on the same address is rejected by nginx -t as a duplicate listen, so only one is kept
listen 443 ssl http2 default;
server_name www.example.com;
server_name _;#also answer requests that arrive by bare IP address

#enable the TLS certificate
ssl_certificate /etc/nginx/ca/ssl_fullchain.crt;
ssl_certificate_key /etc/nginx/ca/ssl.key;
ssl_trusted_certificate /etc/nginx/ca/ssl_fullchain.crt;

#drop requests from some useless crawlers (444 closes the connection without sending a response)
if ($http_user_agent ~* "AdIdxBot|AhrefsBot|Bytespider|coccocbot|DotBot|EasouSpider|ia_archiver|iaskspider|MBCrawler|MJ12bot|MSNot-media|Semrush|Teoma|YandexBot|YisouSpider|^$") {
return 444;
}

location / {
root /var/www;
index index.html;
}
}

4x0 Closing remarks

The internet changes quickly; if anything here is out of date, please point it out so it can be updated.

Life is hard; would you consider a small tip?