@cdmonkey
2019-08-07T06:16:16.000000Z
字数 7069
阅读 1377
Nginx
http://www.tuicool.com/articles/vuiQry
http://www.educity.cn/net/1617736.html
http://freeloda.blog.51cto.com/2033581/1288553
http://jicki.blog.51cto.com/1323993/1742270
https://www.nginx.com/resources/wiki/modules/healthcheck/
http://seanlook.com/2015/05/28/nginx-ssl
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#health_check
http://tengine.taobao.org/nginx_docs/cn/docs/http/configuring_https_servers.html
http://www.blogways.net/blog/2013/10/22/nginx-3.html
http://havee.me/internet/2015-08/nginx-redirect-http-request-to-https.html
https://aotu.io/notes/2016/08/16/nginx-https
http://io.upyun.com/2015/03/10/strong-ssl-security
需要安装两个第三方模块:健康检查模块及
yum install -y patch unzip# Extract Nginx upstream_check module:[root@test-ngx tools]# unzip nginx_upstream_check_module-master.zip# Extract Nginx sticky module:[root@test-ngx tools]# unzip nginx-goodies-nginx-sticky-module-ng-08a395c66e42.zip[root@test-ngx tools]# mv nginx-goodies-nginx-sticky-module-ng-08a395c66e42 nginx-sticky-module------------------[root@test-ngx tools]# tar zxvf nginx-1.12.2.tar.gz[root@test-ngx tools]# cd nginx-1.12.2# Patch upstream_check module:patch -p1 < ../nginx_upstream_check_module-master/check_1.12.1+.patchpatching file src/http/modules/ngx_http_upstream_hash_module.cpatching file src/http/modules/ngx_http_upstream_ip_hash_module.cpatching file src/http/modules/ngx_http_upstream_least_conn_module.cpatching file src/http/ngx_http_upstream_round_robin.cpatching file src/http/ngx_http_upstream_round_robin.h# Patch[root@test-ngx nginx-1.11.5]# cd ../nginx-sticky-module/[root@test-ngx nginx-sticky-module]# patch -p0 < ../nginx_upstream_check_module-master/nginx-sticky-module.patchpatching file ngx_http_sticky_module.cHunk #1 succeeded at 15 with fuzz 2 (offset 5 lines).Hunk #2 succeeded at 304 (offset 12 lines).Hunk #3 succeeded at 330 (offset 12 lines).Hunk #4 succeeded at 352 (offset 12 lines).
[root@test-ngx ~]# yum install -y wget gcc gcc-c++ make openssl-devel[root@test-ngx ~]# useradd -s /sbin/nologin -M nginx
http://tianshili.blog.51cto.com/5050423/1709119
http://ju.outofmemory.cn/entry/219981
编译安装 nginx 时,默认使用系统自带的 OpenSSL 库,但是一般版本相对老旧,不能够支持一些新功能。其实是能够指定使用 OpenSSL 的版本,但使用 --with-openssl 参数虽然可指定具体路径,但是只支持使用解压后的源代码,而不支持已编译安装好的 OpenSSL,这就有些麻烦了。
解决方案:https://www.sinosky.org/compile-nginx-with-a-custom-openssl-library.html
[root@test-ngx tools]# tar zxvf pcre-8.39.tar.gz[root@test-ngx tools]# tar zxvf openssl-1.0.1t.tar.gz[root@test-ngx tools]# cd nginx-1.11.5[root@test-ngx nginx-1.11.5]# ./configure \--prefix=/usr/local/nginx \--user=nginx \--group=nginx \--with-http_ssl_module \--with-openssl=/root/tools/openssl-1.0.1t \--with-http_gunzip_module \--with-http_stub_status_module \--with-pcre=/root/tools/pcre-8.39 \--with-http_realip_module \--add-module=/root/tools/nginx_upstream_check_module-master \--add-module=/root/tools/nginx-sticky-module[root@test-ngx nginx-1.11.5]# make[root@test-ngx nginx-1.11.5]# make install# Create soft link:ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/nginx
生产中的配置:
./configure \--prefix=/usr/local/nginx \--user=nginx \--group=nginx \--with-openssl=/root/tools/openssl-1.0.2l \--with-http_ssl_module \--with-http_gunzip_module \--with-http_gzip_static_module \--with-http_stub_status_module \--with-pcre=/root/tools/pcre-8.39 \--with-http_realip_module \--add-module=/root/tools/nginx_upstream_check_module-master \--add-module=/root/tools/nginx-sticky-module
[root@test-ngx ~]# mkdir /usr/local/nginx/conf/extra[root@test-ngx ~]# vim /usr/local/nginx/conf/extra/upstream.confupstream vbill {server 172.16.135.115 weight=1 max_fails=3 fail_timeout=30s;}server {listen 8080;server_name bbs.etiantian.org;index index.php index.html index.htm;location / {proxy_pass http://vbill;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $remote_addr;}error_page 500 502 503 504 /50x.html;location = /50x.html {root /data0/www/cms;}}[root@test-ngx ~]# vim /usr/local/nginx/conf/nginx.confinclude extra/upstream.conf;# Check the configure file:[root@test-ngx ~]# /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful#[root@test-ngx ~]# /usr/local/nginx/sbin/nginx#[root@test-ngx nginx-1.9.15]# /usr/local/nginx/sbin/nginx -s reload
示例:
[root@test-ngx ~]# cat /usr/local/nginx/conf/extra/vbill.confupstream vbill {server 172.16.136.115:8080;check interval=5000 rise=1 fall=3 timeout=4000;}server {listen 8080;return 301 https://$host$request_uri;}server {listen 80;return 301 https://$host$request_uri;}server {listen 443 ssl;server_name test.vbill.cn;ssl on;#ssl_password_file /root/key/test.vbill.cn.pass;ssl_certificate /root/key/test.vbill.cn_bundle.crt;ssl_certificate_key /root/key/test.vbill.cn.key;ssl_session_cache shared:SSL:1m;index index.php index.html index.htm;location / {proxy_pass http://vbill;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $remote_addr;}location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css|html)$ {proxy_pass http://vbill;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $remote_addr;proxy_cache my_cache;proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;proxy_cache_valid 200 302 304 5m;}location /status {check_status;access_log off;allow 172.16.80.135;deny all;}error_page 500 502 503 504 /50x.html;#location = /50x.html {# root /data0/www/cms;# }}
https://github.com/yaoweibin/nginx_upstream_check_module
Nginx 单IP下 配置多个server https 的问题
http://t.cn/R5agALy
比较全面的安全配置:http://rhyzx.im/2015-10-11-nginx-configuration-for-production
http://www.cnblogs.com/chenpingzhao/p/4971308.html
http://tengine.taobao.org/nginx_docs/cn/docs/http/ngx_http_limit_conn_module.html#limit_conn
http://www.163py.com/pages/122/130/545/article_index.html
http://blog.chinaunix.net/uid-2330196-id-3289522.html
http://itindex.net/blog/2015/01/16/1421343060000.html?utm_source=tuicool&utm_medium=referral
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache
https://linux.cn/article-5945-1.html
# Create a cache directory:[root@test-ngx ~]# mkdir -p /data/proxy-cache
我们只需要两个命令就能够启用基本的缓存:
proxy_cache_path:用来设定缓存的路径及配置。proxy_cache:用来启用缓存。
[root@test-ngx ~]# vim /usr/local/nginx/conf/nginx.conf# 使用下面的指令来设置缓存的路径和配置:# Web cache:proxy_temp_path /data/temp;proxy_cache_path /data/proxy-cache levels=1:2 keys_zone=my_cache:50m inactive=10m use_temp_path=off max_size=20g;
server {...proxy_cache my_cache; # 定义一个共享的内存区域用来缓存。proxy_cache_revalidate on;proxy_cache_min_uses 3;proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;proxy_cache_lock on;}
那么如何将缓存的内容放至内存中呢?因为“Nginx”本身不提供缓存到内存的功能,不过可通过使用/dev/shm这个内存中的文件系统来实施该功能。
首先要创建相应的缓存目录:
[root@PBSNGX01 ~]# mkdir /dev/shm/nginx_cache
http://www.qiansw.com/f5-nginx-proxy-user-ip.html
http://www.ttlsa.com/nginx/nginx-get-user-real-ip
最需要注意的就是如何能够获得客户端的真实地址。首先“F5”上要开启该功能,其次要于Nginx上进行设定。
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
https://cipherli.st
./configure \--prefix=/usr/local/nginx \--user=nginx \--group=nginx \--with-http_ssl_module \--with-openssl=/root/tools/openssl-1.0.1t \--with-http_gunzip_module \--with-http_stub_status_module \--with-pcre=/root/tools/pcre-8.39 \--with-http_realip_module \--add-module=/root/tools/nginx_upstream_check_module-master