Nginx Configuration Notes

Category: Servers · Nginx · Published: 5 years ago


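Two months ago, when I migrated the company's production servers to a cloud provider, I made quite a few optimizations to the new server template and also compiled nginx with http2 and many other cool features. However, I took no notes at the time, and within a few days I had forgotten exactly what I had done.

A few days ago I found that several of my own servers had fallen into disrepair, and while fixing them my hand slipped and I deleted all the data... So let's start over. The lousy provider only offers systems up to 14.04, so I DD'd an 18.04 image onto it, re-applied the various optimizations, and figured I would take notes and churn out a few articles?

Compiling and Installing Nginx from Source

Even with a third-party repository added, apt installs a rather old version of Nginx, so in order to try the latest features I had to compile and install Nginx from source.

Nginx depends on openssl (SSL encryption), pcre (Perl regular expression library) and zlib (compression library). Since openssl is updated fairly often, it is also brought in as source.

Install the dependencies: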

sudo apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev unzip git

Third-party components

openssl

Download the latest openssl from the official site

wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
tar zxf openssl-1.1.1a.tar.gz

ngx_brotli

Brotli is an efficient compression algorithm open-sourced by Google. It performs much better than gzip.

git clone https://github.com/google/ngx_brotli
cd ngx_brotli
git submodule update --init
cd ..

Download the Nginx source

Download the latest nginx from the official site

wget https://nginx.org/download/nginx-1.15.8.tar.gz
tar zxf nginx-1.15.8.tar.gz
cd nginx-1.15.8

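Compiling Nginx

To stay consistent with what I am used to (the apt-installed nginx), I specified the paths of nginx's configuration, log and pid files. I added the ngx_brotli and openssl sources downloaded earlier. I enabled http_v2 and http_ssl, the two HTTP/2-related modules; http_gzip_static supports pre-compressed files (copied from Jerry Qu, I have not actually used it myself); stream supports TCP/UDP forwarding.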

./configure \
--prefix=/etc/nginx \
--conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/local/bin/nginx \
--pid-path=/run/nginx.pid \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--add-module=../ngx_brotli \
--with-openssl=../openssl-1.1.1a --with-openssl-opt='enable-tls1_3' \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-stream

make
sudo make install

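Nginx service management script and start on boot

Since this is 18.04 anyway, let's manage it with systemd. The unit file is copied from the Nginx official site.

vim /etc/systemd/system/nginx.service
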
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/bin/nginx -t
ExecStart=/usr/local/bin/nginx
ExecReload=/usr/local/bin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl start nginx
sudo systemctl status nginx  # after starting, check that the service is healthy
sudo systemctl enable nginx  # start on boot

Nginx configuration files

nginx.conf

# user nobody;
worker_processes auto;
pid /run/nginx.pid;

events {
    use epoll;
    worker_connections 809044;
    accept_mutex off;
    multi_accept off;
}

http {

    ##
    # Basic Settings
    ##

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    charset    UTF-8;

    sendfile    on;
    tcp_nopush    on;
    tcp_nodelay    on;

    keepalive_timeout 65;

    types_hash_max_size 2048;
    server_names_hash_max_size 4096;
    # server_tokens off;

    server_names_hash_bucket_size 128;
    client_max_body_size 2m;
    # server_name_in_redirect off;

    server_tokens off;

    ##
    # SSL Settings
    ##

    ssl_ciphers    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DES-CBC3-SHA;

    ssl_prefer_server_ciphers  on;

    ssl_protocols    TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ##
    # Logging Settings
    ##

    log_format    kd_access_log    '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$upstream_addr $upstream_response_time $request_time';

    access_log /var/log/nginx/access.log kd_access_log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip    on;
    gzip_vary    on;

    gzip_comp_level    6;
    gzip_buffers    16 8k;

    gzip_min_length    1000;
    gzip_proxied    any;
    gzip_disable    "msie6";

    gzip_http_version    1.0;

    gzip_types    text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    # If the ngx_brotli module was added at compile time, the brotli settings below need to be added
    brotli    on;
    brotli_comp_level    6;
    brotli_types    text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
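
The ssl_protocols and ssl_ciphers lines above still enable TLSv1 and TLSv1.1 and list static-RSA and 3DES suites. As an added example (not part of the original post), the shell function below flags such entries in a config file; the name audit_tls and the sample file are made up for illustration, and it assumes explicit suite names like the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): flag legacy TLS settings
# in an nginx config. Assumes ssl_ciphers lists explicit suite names,
# as the nginx.conf above does; keywords such as HIGH are not understood.

audit_tls() {
    conf=$1
    clean=$(sed 's/#.*//' "$conf")      # drop comments first

    # Every protocol named on an ssl_protocols line.
    protos=$(printf '%s\n' "$clean" | awk '$1 == "ssl_protocols" {
        sub(/;.*/, ""); for (i = 2; i <= NF; i++) print $i }')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy-protocol $p" ;;
        esac
    done

    # Every suite named on an ssl_ciphers line (colon-separated).
    suites=$(printf '%s\n' "$clean" | awk '$1 == "ssl_ciphers" {
        sub(/;.*/, ""); print $2 }' | tr ':' ' ')
    for c in $suites; do
        case $c in '!'*|-*) continue ;; esac     # exclusions, not suites
        case $c in
            *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXP*) echo "weak-cipher $c" ;;
        esac
        case $c in
            ECDHE-*|DHE-*|TLS_*) ;;              # ephemeral key exchange
            *) echo "no-forward-secrecy $c" ;;   # static RSA key exchange
        esac
    done
    return 0
}

# Constructed sample: the post's ssl_protocols line and an excerpt of its
# ssl_ciphers list, plus a commented-out line that must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http {
    # ssl_protocols SSLv3;
    ssl_protocols    TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:DES-CBC3-SHA;
}
EOF
audit_tls "$sample"
rm -f "$sample"
```

Removing TLSv1 and TLSv1.1 from ssl_protocols and the last three suites (the ones without an ECDHE prefix) from ssl_ciphers clears every finding for the nginx.conf above.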

sites-available/blog

server  {
    listen 443 ssl http2 fastopen=3 reuseport;
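    # There is one problem here: when configuring a second site I can only write listen 443; otherwise it reports an error, yet the http2 feature still works. I have not found the reason yet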

    server_name blog.kdwycz.com;
    access_log /var/log/nginx/blog.access.log kd_access_log;
    error_log /var/log/nginx/blog.error.log;

    location / {
        alias /home/kdwycz/blog/;
    }

    ssl_session_cache        shared:SSL:10m;
    ssl_session_timeout      60m;

    ssl_session_tickets      on;

    # ssl_stapling    on;
    # ssl_stapling_verify    on;
    # ssl_trusted_certificate;

    ssl_certificate /home/kdwycz/certs/cert.pem;
    ssl_certificate_key /home/kdwycz/privkey.pem;

}

server  {
    listen 80;
    server_name blog.kdwycz.com;
    if ($request_method = GET) {
        return 301 https://$server_name$request_uri;
    }
    return 308 https://$server_name$request_uri;
}
