Nginx 配置备忘

前两个月把公司生产服务器迁移云服务商的时候，对新服务器模版做了不少优化，还编译了 nginx 加入了 http2 等诸多酷炫的特性，然而当时没做笔记过几天就忘记了具体做了什么。

前些天发现自己的几台服务器年久失修，在修理的时候手滑把数据都删了……那就从头来过吧，辣鸡服务商最高只提供14.04的系统，那 DD 做个18.04，再重新加上各种优化，记笔记水几篇文章？

Nginx 源码编译安装

由于 apt 即使引入了第三方源安装 Nginx 的版本也很低，为了实践最新的特性，只好从源码编译安装 Nginx。

Nginx 依赖 openssl （SSL加密）， pcre （prel正则库）和 zlib （压缩库）。其中 openssl 更新比较快，也采用源码方式引入。

安装依赖：

sudo apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev unzip git

第三方组件

openssl

从官网下载最新版 openssl

wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
tar zxf openssl-1.1.1a

ngx_brotli

Brotli 是 Google 开源的高效的压缩算法。 性能比 gzip 好很多

git clone https://github.com/google/ngx_brotli
cd ngx_brotli
git submodule update --init

下载 Nginx 源码

从官网下载最新版 nginx

wget https://nginx.org/download/nginx-1.15.8.tar.gz
tar zxf nginx-1.15.8.tar.gz

编译Nginx

为了保持习惯（apt 安装的 nginx）一致，我指定了 nginx 的配置，日志，pid 文件路径。加入了之前下载的 ngx_brotli 和 openssl 。启用了 http_v2 和 http_ssl 这两个HTTP/2相关模块， http_gzip_static 支持预编译压缩文件（抄Jerry Qu的，自己并没有用上）， stream 支持 TCP/UDP转发

./configure \
--prefix=/etc/nginx \
--conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/local/bin/nginx \
--pid-path=/run/nginx.pid \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \ 
--add-module=../ngx_brotli \ 
--with-openssl=../openssl-1.1.1a --with-openssl-opt='enable-tls1_3' \ 
--with-http_v2_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-stream

make
sudo make install

Nginx 服务管理脚本与自启动

都用18.04了，那就用 systemd 来管理吧，配置文件都是 Nginx 官网抄的

vim /etc/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/bin/nginx -t
ExecStart=/usr/local/bin/nginx
ExecReload=/usr/local/bin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl start nginx
sudo systemctl status nginx  # 启动后查看下服务是否正常
sudo systemctl enable nginx  # 开机自启

Nginx 配置文件

nginx.conf

# user nobody;
worker_processes auto;
pid /run/nginx.pid;

events {
    use epoll;
    worker_connections 809044;
    accept_mutex off;
    multi_accept off;
}

http {

    ##
    # Basic Settings
    ##

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    charset    UTF-8;

    sendfile    on;
    tcp_nopush    on;
    tcp_nodelay    on;

    keepalive_timeout 65;

    types_hash_max_size 2048;
    server_names_hash_max_size 4096;
    # server_tokens off;

    server_names_hash_bucket_size 128;
    client_max_body_size 2m;
    # server_name_in_redirect off;

    server_tokens off;

    ##
    # SSL Settings
    ##

    ssl_ciphers    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DES-CBC3-SHA;

    ssl_prefer_server_ciphers  on;

    ssl_protocols    TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ##
    # Logging Settings
    ##

    log_format    kd_access_log    '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$upstream_addr $upstream_response_time $request_time';

    access_log /var/log/nginx/access.log kd_access_log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip    on;
    gzip_vary    on;

    gzip_comp_level    6;
    gzip_buffers    16 8k;

    gzip_min_length    1000;
    gzip_proxied    any;
    gzip_disable    "msie6";

    gzip_http_version    1.0;

    gzip_types    text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    # 如果编译时添加了 ngx_brotli 模块，需要增加 brotli 相关配置
    brotli    on;
    brotli_comp_level    6;
    brotli_types    text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

sites-available/blog

server  {
    listen 443 ssl http2 fastopen=3 reuseport;
    # 这里有个问额：第二个网站配置时只能写 listen 443; 否则会报错，但是 http2 特性也是能用的，还没找到原因

    server_name blog.kdwycz.com;
    access_log /var/log/nginx/blog.access.log kd_access_log;
    error_log /var/log/nginx/blog.error.log;

    location / {
        alias /home/kdwycz/blog/;
    }

    ssl_session_cache        shared:SSL:10m;
    ssl_session_timeout      60m;

    ssl_session_tickets      on;

    # ssl_stapling    on;
    # ssl_stapling_verify    on;
    # ssl_trusted_certificate;

    ssl_certificate /home/kdwycz/certs/cert.pem;
    ssl_certificate_key /home/kdwycz/privkey.pem;

}

server  {
    listen 80;
    server_name blog.kdwycz.com;
    if ($request_method = GET) {
        return 301 https://$server_name$request_uri;
    }
    return 308 https://$server_name$request_uri;
}