一 安裝nginx
1 下載
1.1 解壓
# tar xf nginx-1.4.7.tar.gz
1.2 創建用戶(爲系統用戶)
# groupadd -r -g 110 nginx
# useradd -r -g 110 -u 110 nginx
1.3 解決依賴關係
編譯安裝nginx須要事先安裝開發包組"Development Tools"和 "Development Libraries"。
同時,還須要專門安裝pcre-devel包:
# yum install -y pcre-devel openssl-devel zlib-devel
2 安裝
# ./configure \
--prefix=/usr/local/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/tmp/nginx/client/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy/ \
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
--http-scgi-temp-path=/var/tmp/nginx/scgi \
--with-pcre \
--with-file-aio
# make && make install
3 爲nginx提供SysV init腳本:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx/nginx.pid
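# Source function library (provides daemon, killproc, status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up; a network server has nothing to do otherwise.
[ "$NETWORKING" = "no" ] && exit 0

# Binary installed by the ./configure --prefix=/usr/local/nginx build above.
nginx="/usr/local/nginx/sbin/nginx"
# Process name used by killproc/status; quoted so an overridden path with
# whitespace cannot be split into several arguments.
prog=$(basename "$nginx")

# Configuration passed with -c on every invocation (--conf-path above).
NGINX_CONF_FILE="/etc/nginx/nginx.conf"

# Optional per-host overrides of the variables above (sourced as shell, so
# it must stay root-owned and not world-writable).
[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

# Subsys lock that tells the init system the service is running.
lockfile=/var/lock/subsys/nginx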
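make_dirs() {
  # Create every *-temp-path directory the binary was configured with and
  # hand it to the configured --user so the unprivileged workers can write
  # there. Both values come from `nginx -V`; the full path in $nginx is used
  # because /usr/local/nginx/sbin is normally not in PATH (the original
  # called a bare `nginx`, which silently yielded an empty user).
  # Returns 0 when nothing was missing or every missing directory was
  # created and chowned, 1 if any mkdir/chown failed.
  user=$("$nginx" -V 2>&1 | grep "configure arguments:.*--user=" \
    | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -)
  # No --user in the build: there is nobody to chown to; leave things alone
  # rather than calling chown with the directory as its owner argument.
  [ -n "$user" ] || return 0
  options=$("$nginx" -V 2>&1 | grep 'configure arguments:')
  rv=0
  # Word-splitting on $options is intended: each configure option is one word.
  for opt in $options; do
    case "$opt" in
      *-temp-path=*)
        # Everything after the first "=" is the path.
        value=${opt#*=}
        if [ ! -d "$value" ]; then
          mkdir -p "$value" && chown -R "$user" "$value" || rv=1
        fi
        ;;
    esac
  done
  return $rv
}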
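start() {
  # Start the daemon. 5 and 6 are the LSB exit codes for "program is not
  # installed" and "program is not configured"; they end the whole script.
  [ -x "$nginx" ] || exit 5
  [ -f "$NGINX_CONF_FILE" ] || exit 6
  make_dirs
  echo -n $"Starting $prog: "
  daemon "$nginx" -c "$NGINX_CONF_FILE"
  retval=$?
  echo
  # The subsys lock is what marks the service as running for the init system.
  [ $retval -eq 0 ] && touch "$lockfile"
  return $retval
}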
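stop() {
  # Ask the daemon to shut down gracefully (QUIT lets in-flight requests
  # finish) and drop the subsys lock once the signal was delivered.
  echo -n $"Stopping $prog: "
  killproc "$prog" -QUIT
  retval=$?
  echo
  [ $retval -eq 0 ] && rm -f "$lockfile"
  return $retval
}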
restart() {
  # Never bounce the daemon on a configuration that fails the syntax check;
  # propagate the checker's own exit status instead.
  configtest
  rv=$?
  [ $rv -eq 0 ] || return $rv
  stop
  # Give the master a moment to release the listening sockets.
  sleep 1
  start
}
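reload() {
  # Re-read the configuration without dropping connections (HUP to the
  # master). Returns the status of the signal delivery; the original stored
  # it in RETVAL and then returned echo's status, so a failed reload looked
  # successful to the dispatcher.
  configtest || return $?
  echo -n $"Reloading $prog: "
  killproc "$nginx" -HUP
  retval=$?
  echo
  return $retval
}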
force_reload() {
  # nginx has no separate force-reload action; a full restart is the
  # equivalent, and its exit status is passed straight through.
  restart
  return $?
}
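configtest() {
  # Syntax-check the configuration that start/reload would use, without
  # touching the running daemon. Exit status is nginx's own (0 = ok).
  # Quoted so a config path with whitespace is passed as one argument.
  "$nginx" -t -c "$NGINX_CONF_FILE"
}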
rh_status() {
  # Delegate to the init library's status helper, keyed on the process
  # name; it prints the state and returns the LSB status code.
  status "$prog"
}
rh_status_q() {
  # Quiet probe for the dispatcher: same exit code as rh_status with all
  # of its output discarded.
  rh_status >/dev/null 2>/dev/null
}
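# Dispatch on the requested action. Actions are named explicitly rather
# than invoked as `$1` so only the listed functions can ever be called.
case "$1" in
  start)
    # Already running: nothing to do.
    rh_status_q && exit 0
    start
    ;;
  stop)
    # Not running: stopping is a no-op, not an error.
    rh_status_q || exit 0
    stop
    ;;
  restart)
    restart
    ;;
  configtest)
    configtest
    ;;
  reload)
    # LSB: 7 = program is not running.
    rh_status_q || exit 7
    reload
    ;;
  force-reload)
    force_reload
    ;;
  status)
    rh_status
    ;;
  condrestart|try-restart)
    # LSB try-restart: restart only if the service is currently running.
    # (The original exited when not running but never restarted when it was.)
    rh_status_q || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
esac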
爲此腳本賦予執行權限:
# chmod +x /etc/rc.d/init.d/nginx
4 添加至服務管理列表,並讓其開機自動啓動:
# chkconfig --add nginx
# chkconfig nginx on
5 啓動服務並測試:
# service nginx start
二 location
location [ = | ~ | ~* | ^~ ] uri { ... }
location uri {}:對當前路徑及其子路徑下的全部文件都生效
location = uri {}:精確匹配,只對當前資源生效,不包含子路徑
location ~ uri {}:模式匹配uri,可以使用正則表達式,區分大小寫
location ~* uri {}:模式匹配uri,可以使用正則表達式,不區分大小寫
location ^~ uri {}:不使用正則表達式
location / {
  # Prefix match on "/" catches every request no other location claims.
  root /web/html;
  # Default documents tried in order when a directory is requested.
  index index.html index.htm;
}
# Page returned instead of nginx's default body when a request hits a
# resource that does not exist (404); /404.html is looked up through the
# matching location's root. Forbidden access is a different status (403)
# and is only covered if that code is added to the list before the page.
error_page 404 /404.html;
location /bbs {
  # With "root" the request URI is appended to the path, so /bbs/x is
  # served from /web/bbs/x (use "alias" if /web/x were wanted instead).
  root /web;
  # nginx's built-in default for this directive is already index.html,
  # which is why access still worked when this line was commented out.
  index index.html index.htm;
}
和httpd對比
filesystem path
<DocumentRoot "">
</DocumentRoot>
uri path
<location "">
</location>
三 基於ip的訪問控制
默認是容許全部,若部分容許需定義deny all
location / {
  # allow/deny rules are checked in order and the first match wins, so the
  # single-host exception must precede the network that contains it.
  deny 192.168.1.1;
  allow 192.168.1.0/24;
  # Note: 10.1.1.0/16 has host bits set; nginx warns that the low bits are
  # meaningless and treats it as 10.1.0.0/16.
  allow 10.1.1.0/16;
  allow 2001:0db8::/32;
  # Anything not matched above is refused with 403.
  deny all;
}
四 基於用戶的訪問控制
location / {
  # Prompt for HTTP Basic credentials; the realm string is shown by browsers.
  auth_basic "closed site";
  # Password file written by htpasswd (see below). Keep it outside every
  # "root" so it can never be served, and remember Basic auth only
  # base64-encodes the credentials: pair it with the TLS listener in
  # section 7 rather than plain port 80.
  auth_basic_user_file /etc/nginx/.htpasswd;
}
生成密碼文件需藉助於htpasswd工具
# htpasswd -c -m /etc/nginx/.htpasswd tom
使用curl -u user:passwd url可測試,也能夠在瀏覽器測試
五 索引index
location /download {
  root /web;
  index home.html;
  # Directory listing is off by default; turning it on exposes every file
  # name under /web/download, so keep it confined to this location.
  autoindex on;
}
Syntax: autoindex on | off;
Default:
autoindex off;
Context: http, server, location
Enables or disables the directory listing output.
Syntax: autoindex_exact_size on | off;
Default:
autoindex_exact_size on;
Context: http, server, location
Syntax: autoindex_localtime on | off;
Default:
autoindex_localtime off;
Context: http, server, location
六 狀態信息
location /nginx_status {
  # Built-in counters page (needs --with-http_stub_status_module, which
  # the configure line above enables).
  stub_status on;
  # Monitoring polls would otherwise flood the access log.
  access_log off;
  # "ip" is a placeholder: put the monitoring host or CIDR here. The
  # counters reveal load and connection state, so everyone else is denied.
  allow ip;
  deny all;
}
狀態信息解讀
Active connections: 3
server accepts handled requests
154 154 153
Reading: 0 Writing: 1 Waiting: 2
Active connections
The current number of active client connections including Waiting connections.
活動的鏈接數(包括等待的鏈接)
accepts
The total number of accepted client connections.
已經接收的鏈接數
handled
The total number of handled connections. Generally, the parameter value is the same as accepts unless some resource limits have been reached (for example, the worker_connections limit).
已經處理的鏈接數
requests
The total number of client requests.
已處理的請求數
Reading
The current number of connections where nginx is reading the request header.
nginx正在讀取其請求首部的的鏈接個數
Writing
The current number of connections where nginx is writing the response back to the client.
nginx正在讀取其請求主體的鏈接數/正在處理請求內容的鏈接數/正在向其發送響應的鏈接數
Waiting
The current number of idle client connections waiting for a request.
空閒的鏈接數
七 開啓ssl功能
1 nginx的配置
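server {
  # Terminate TLS on this listener. "listen ... ssl" replaces the
  # deprecated "ssl on;" directive and is already supported by nginx 1.4.7.
  listen 443 ssl;
  server_name localhost;
  # Certificate signed by the private CA built in section 2 (clients must
  # trust cacert.pem) and its private key. Keep the key readable by root
  # only; the master process reads it before dropping privileges.
  ssl_certificate /etc/nginx/ssl/nginx_ssl.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx_ssl.key;
  ssl_session_timeout 5m;
  # SSLv2/SSLv3 are broken (DROWN, POODLE) and TLSv1/TLSv1.1 are deprecated,
  # so offer TLS 1.2 only. Append TLSv1.3 once the stack supports it
  # (nginx 1.13.0+ built against OpenSSL 1.1.1+).
  ssl_protocols TLSv1.2;
  # Exclude anonymous (unauthenticated) suites and MD5-based MACs.
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  location / {
    root /web/html;
    index index.html index.htm;
  }
}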
2 openssl服務端配置文件
# vim /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
2.1 生成CA私鑰
# (umask 077 ;openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
2.2 建立CA證書
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:
HIYANG
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ca.node1.test.com
Email Address []:caadmin@test.com
# echo 01 > serial
# touch index.txt
3 CA客戶端
3.1 建立私鑰(下例使用1024位RSA,已低於現行最低要求,實際部署建議至少2048位)
# cd /etc/nginx/ssl/
# (umask 077;openssl genrsa 1024 > nginx_ssl.key)
3.2 發起認證請求
# openssl req -new -key nginx_ssl.key -out nginx_ssl.csr
4 簽署認證
# openssl ca -in nginx_ssl.csr -out nginx_ssl.crt -days 3650
八 虛擬主機
server {
  listen 80;
  # Name-based virtual host: chosen when the Host header matches; a request
  # with any other Host goes to the default server for port 80.
  server_name www.hiyang.com;
  location / {
    root /web/hiyang/;
    index index.html;
  }
}