centos7.6環境下tengine-2.2.2的編譯安裝

centos7.6環境下tengine-2.2.2的編譯安裝

1.獲取tengine2.2.2的源碼包(下面的鏈接是明文HTTP,下載後建議先核對源碼包的完整性,例如與官方公佈的校驗值比對,再解壓編譯)
http://tengine.taobao.org/download/tengine-2.2.2.tar.gz

2.獲取tengine的編譯參數
/usr/local/nginx/sbin/nginx -V

# tengine2.2.2的編譯安裝

tar -zxf tengine-2.2.2.tar.gz
cd tengine-2.2.2
./configure --prefix=/usr/local/tengine-2.2.2 --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2.11 --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2

make && make install

# 由於openssl經常曝出嚴重漏洞,這裏使用撰寫本文時最新的openssl 1.1.0i(部署前請確認所選版本仍在官方維護期內)
--with-openssl=/usr/local/lab/openssl-1.1.0i

# 找到geoip相關的庫

ngx_http_geoip2_module-3.2

....


報錯的處理:

問題1:./configure預編譯報錯
configuring additional modules
adding module in /usr/local/lab/ngx_cache_purge-2.3
 + ngx_http_cache_purge_module was configured
adding module in /usr/local/ngx_http_geoip2_module-3.2
checking for MaxmindDB library ... found
 + ngx_geoip2_module was configured
adding module in modules/ngx_http_lua_module
checking for LuaJIT library in /usr/local/lib/ and /usr/local/include/luajit-2.0/ (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... found
checking for export symbols by default (-E) ... found
checking for export symbols by default (--export-all-symbols) ... not found
checking for SO_PASSCRED ... found
 + ngx_http_lua_module was configured
checking for libxslt ... found
checking for libexslt ... found
checking for GeoIP library ... not found
checking for GeoIP library in /usr/local/ ... not found
checking for GeoIP library in /usr/pkg/ ... not found
checking for GeoIP library in /opt/local/ ... not found

./configure: error: the GeoIP module requires the GeoIP library.
You can either do not enable the module or install the library.

解決辦法編譯安裝GeoIP:
cd source
wget https://github.com/maxmind/geoip-api-c/releases/download/v1.6.9/GeoIP-1.6.9.tar.gz
tar -zxvf GeoIP-1.6.9.tar.gz -C /usr/local
cd GeoIP-1.6.9
# 注意不要添加 --prefix,使用默認值即可,否則無法正常編譯安裝
./configure
make
sudo make install

問題2:
make編譯報錯:
    POSIX mem threshold ............. : 10
    Internal link size .............. : 2
    Nested parentheses limit ........ : 250
    Match limit ..................... : 10000000
    Match limit recursion ........... : MATCH_LIMIT
    Build shared libs ............... : no
    Build static libs ............... : yes
    Use JIT in pcregrep ............. : no
    Buffer size for pcregrep ........ : 20480
    Link pcregrep with libz ......... : no
    Link pcregrep with libbz2 ....... : no
    Link pcretest with libedit ...... : no
    Link pcretest with libreadline .. : no
    Valgrind support ................ : no
    Code coverage ................... : no

cd /usr/local/lab/openssl-1.1.0i \
    && if [ -f Makefile ]; then make clean; fi \
    && ./config --prefix=/usr/local/lab/openssl-1.1.0i/.openssl no-shared  \
    && make \
    && make install LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/lab/openssl-1.1.0i/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/usr/local/src/tengine-2.2.2'
make: *** [build] Error 2


解決方案:
打開nginx源文件下的/usr/local/src/tengine-2.2.2/auto/lib/openssl/conf文件:
找到這麼一段代碼:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
修改爲如下代碼:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
 然後再進行Nginx的編譯安裝即可


問題3:
make報錯:
make[2]: *** No rule to make target `distclean'.  Stop
make[2]: *** [/usr/local/lab/zlib-1.2.11/libz.a] Error 2

問題分析:
/usr/local/lab/zlib-1.2.11/下沒有libz.a文件,當時編譯的時候是--prefix的,源碼沒有拷貝過來

解決辦法:
將以前的編譯目錄拷貝過去便可:
cp -ar /usr/local/src/zlib-1.2.11/* /usr/local/lab/zlib-1.2.11/


#####################################

tengine升級爲2.2.3

# tengine2.2.3的編譯安裝

tar -zxf tengine-2.2.3.tar.gz
cd tengine-2.2.3
./configure --prefix=/usr/local/tengine-2.2.3 --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2.11 --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2


# 報錯

    Use JIT in pcregrep ............. : no
    Buffer size for pcregrep ........ : 20480
    Link pcregrep with libz ......... : no
    Link pcregrep with libbz2 ....... : no
    Link pcretest with libedit ...... : no
    Link pcretest with libreadline .. : no
    Valgrind support ................ : no
    Code coverage ................... : no

cd /usr/local/lab/openssl-1.1.0i \
    && if [ -f Makefile ]; then make clean; fi \
    && ./config --prefix=/usr/local/lab/openssl-1.1.0i/.openssl no-shared  \
    && make \
    && make install LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/lab/openssl-1.1.0i/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/usr/local/src/tengine-2.2.3'
make: *** [build] Error 2


解決方案:
打開nginx源文件下的/usr/local/src/tengine-2.2.2/auto/lib/openssl/conf文件:
找到這麼一段代碼:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
修改爲如下代碼:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
 然後再進行Nginx的編譯安裝即可

 

無法解析SSI,報錯如下:Nginx: unsafe URI detected while sending response

現象:類似 <!--#include virtual="../library/header.html"--><div id="blog"> 的SSI include指令無法解析,導致網站頭部尾部不能正常展現

<!--#include virtual="library/header.html"--> 可以解析,沒有問題


# 代碼片斷
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel="shortcut icon" href="http://blog.chinasoft.com/static/favicon.ico" />
<title>Influencer Marketing Tips</title>
<meta name="description" content="Learn more about the helpful influencer marketing tips for your brand, products or business on chinasoft blog center." />
</head>
<body>

<!--#include virtual="../library/header.html"--><div id="blog">
  <div>
    <div class="container py-lg-5" style="max-width:1200px">
      <div class="bg-light rounded py-4 px-5 mx-auto">

網站頭部不能加載影響美觀

[root@eus_mp_web01:/data/www/vhosts/blog.chinasoft.com/httpdocs/influencer-marketing-tips]# tail -f /data/www/logs/nginx_log/error/blog.com_error.log
2019/05/28 01:29:53 [error] 5660#0: *1777504 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:29:54 [error] 5660#0: *1777504 open() "/data/www/vhosts/blog.chinasoft.com/httpdocs/static/favicon.ico" failed (2: No such file or directory), client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /static/favicon.ico HTTP/1.1", host: "blog.chinasoft.com", referrer: "https://blog.chinasoft.com/influencer-marketing-tips/"
2019/05/28 01:31:08 [error] 5659#0: *1777565 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:31:08 [error] 5659#0: *1777565 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:31:25 [error] 5660#0: *1777568 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:31:25 [error] 5660#0: *1777568 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:34:00 [error] 7513#0: *23 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:34:00 [error] 7513#0: *23 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:41:02 [error] 7907#0: *13 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:41:02 [error] 7907#0: *13 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"

2019/05/28 01:41:26 [error] 7905#0: *28 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
2019/05/28 01:41:26 [error] 7905#0: *28 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"

關於Nginx的SSI(包含路徑)
如果shtml裏面的網頁代碼包含語句寫成如下: 
<!--#include virtual="/test.html"-->
這樣是沒有問題的,可以包含,但是如果寫成這樣:

<!--#include virtual="../test.html"-->
由於需要包含當前文件所在目錄的上級目錄中的文件,nginx爲此產生的子請求uri爲/../test.html;nginx默認認爲這個uri不安全,並在錯誤日誌(error_log)中輸出如下錯誤:

2019/05/28 01:29:53 [error] 5660#0: *1777504 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"

無法正確包含文件時,頁面會輸出[an error occurred while processing the directive]。本文采用的解決方法是找到nginx源代碼中的unsafe uri檢查函數並強制使其返回NGX_OK;若能修改頁面,把include改成上文可正常解析的、以/開頭的絕對路徑寫法,則無需改動源碼,也不會削弱這項檢查。

# 解決辦法:

# 修改源文件tengine-2.2.3/src/http/ngx_http_parse.c
# 找到ngx_http_parse_unsafe_uri 函數,直接返回 NGX_OK

ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
    ngx_str_t *args, ngx_uint_t *flags)
{
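    return NGX_OK;            /* added: unconditional return; this disables the unsafe-URI check for every caller of this function, not only SSI include */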
    u_char      ch, *p, *src, *dst;
    size_t      len;
    ngx_uint_t  quoted;

    len = uri->len;
    p = uri->data;
    quoted = 0;

    if (len == 0 || p[0] == '?') {
        goto unsafe;
    }

    if (p[0] == '.' && len > 1 && p[1] == '.'
        && (len == 2 || ngx_path_separator(p[2])))
    {
        goto unsafe;
    }

    for ( /* void */ ; len; len--) {

        ch = *p++;

        if (ch == '%') {
            quoted = 1;
            continue;
        }

        if (usual[ch >> 5] & (1 << (ch & 0x1f))) {
            continue;
        }

        if (ch == '?') {
            args->len = len - 1;
            args->data = p;
            uri->len -= len;

            break;
        }


# 重新編譯即可

./configure --prefix=/usr/local/tengine-2.2.3_ssi --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2.11 --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2

# make && make install


重新編譯以後nginx可以包含上級目錄的文件。當然,帶來的後果是安全性的下降:ngx_http_parse_unsafe_uri在函數開頭就直接返回NGX_OK,這項檢查對所有調用它的代碼路徑都失效,而不僅僅是SSI include,含有../的URI將不再被這個函數拒絕。