
[Experience Sharing] Compiling and installing a full-featured Nginx on CentOS 7.x


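Posted on 2019-2-15 17:09:14
Overview
  Compiling and installing Nginx according to this document builds in all of Nginx's default functionality. Readers can also remove modules from the build to suit their own situation.
  The notable supported features are: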


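  • TLSv1.3 support - openssl supports the final version of the TLSv1.3 standard from version 1.1.1 onward; for details see: TLS1.3
  • HTTP2 support - Nginx supports http2 from version 1.9.5 onward; for details see: Module ngx_http_v2_module
  • Lua support - for details see: lua-nginx-module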

Installation
  Official Nginx documentation: Building nginx from Sources

Install dependencies

yum install -y \
vim gcc gcc-c++ make cmake cmake3 automake autoconf perl-ExtUtils-Embed \
openssl-devel libxml2-devel libxslt-devel GeoIP-devel luajit-devel \
gperftools-devel systemd-devel perl-devel libatomic_ops-devel pcre-devel gd-devel
Prepare the source packages

# Create Directory
mkdir -p /opt/down/nginx
cd /opt/down/nginx
# Get nginx source
wget https://nginx.org/download/nginx-1.14.0.tar.gz
# Get zlib/openssl/pcre dependency
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz
# Get the Lua module and its dependency if you need them
wget -c 'https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz' -O lua-nginx-module-0.10.13.tar.gz
wget -c 'https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz' -O ngx_devel_kit-0.3.1rc1.tar.gz
# Extract source file
tar xzf nginx-1.14.0.tar.gz
tar xzf zlib-1.2.11.tar.gz
tar xzf openssl-1.1.1.tar.gz
tar xzf pcre-8.42.tar.gz
tar xzf lua-nginx-module-0.10.13.tar.gz
tar xzf ngx_devel_kit-0.3.1rc1.tar.gz
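
The wget step above pulls six archives over HTTPS, and nothing checks them before tar and make process them. The following is an added example, not part of the original post: a gate to run between the download and the tar commands. It assumes GNU sha256sum and a manifest named SHA256SUMS (a hypothetical file you fill in yourself from the digests each project publishes); verify_sources is a hypothetical helper name.

```sh
#!/bin/sh
# verify_sources DIR
# Succeeds only if every *.tar.gz in DIR is pinned in DIR/SHA256SUMS
# (lines of "<hex digest>  <file name>") and every pinned digest matches.
verify_sources() {
    dir=$1
    manifest="$dir/SHA256SUMS"
    [ -f "$manifest" ] || { echo "missing manifest: $manifest" >&2; return 2; }

    # 1. An archive that is not pinned in the manifest is rejected outright.
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if ! awk -v n="$name" '$2 == n || $2 == "*" n { ok = 1 } END { exit !ok }' "$manifest"; then
            echo "not pinned: $name" >&2
            return 1
        fi
    done

    # 2. Every pinned digest must match; --strict also rejects malformed lines.
    ( cd "$dir" && sha256sum --check --strict --quiet SHA256SUMS ) || return 1
}

# Intended use with the layout above:
#   verify_sources /opt/down/nginx && tar xzf nginx-1.14.0.tar.gz

# Demo on constructed files (not real tarballs): a clean run, then a tampered one.
demo=$(mktemp -d)
printf 'constructed archive\n' > "$demo/a.tar.gz"
( cd "$demo" && sha256sum a.tar.gz > SHA256SUMS )
verify_sources "$demo" && echo "clean: ok"
printf 'x' >> "$demo/a.tar.gz"
verify_sources "$demo" >/dev/null 2>&1 || echo "tampered: rejected"
rm -rf "$demo"
```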
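Compile and install


  • Readers can change the paths given in the build options to suit their environment.
  • The user and group must be created in advance by running useradd work, or readers can choose their own user and group names.
  • Every module that nginx-1.14.0 can compile is enabled here; readers can remove the ones they do not need.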

# Configure option
cd nginx-1.14.0
./configure \
--prefix=/opt/soft/nginx \
--error-log-path=/opt/log/nginx/error.log \
--pid-path=/opt/run/nginx/nginx.pid \
--lock-path=/opt/run/nginx/nginx.lock \
--user=work \
--group=work \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--http-log-path=/opt/log/nginx/access.log \
--http-client-body-temp-path=/opt/soft/nginx/temp/client_body \
--http-proxy-temp-path=/opt/soft/nginx/temp/proxy \
--http-fastcgi-temp-path=/opt/soft/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/opt/soft/nginx/temp/uwsgi \
--http-scgi-temp-path=/opt/soft/nginx/temp/scgi \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--with-google_perftools_module \
--with-cpp_test_module \
--with-compat \
--with-pcre=../pcre-8.42 \
--with-pcre-jit \
--with-libatomic \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1 \
--with-debug \
--with-ld-opt=-Wl,-rpath,/usr/lib64 \
--add-module=../ngx_devel_kit-0.3.1rc1 \
--add-module=../lua-nginx-module-0.10.13
# Compile & Install
make -j2
make install
Configuration and startup
  Create the required directories; adjust them to your environment.

mkdir -p /opt/log/nginx
mkdir -p /opt/run/nginx
mkdir -p /opt/soft/nginx/temp
mkdir -p /opt/soft/nginx/conf/{acl,ssl,vhosts}
Main configuration file
  Path: /opt/soft/nginx/conf/nginx.conf
The basic parameters below cover most use cases; for additional tuning, see Modules reference in the official documentation.

# nginx main config
user    work work;
worker_processes     auto;
worker_cpu_affinity  auto;
worker_rlimit_nofile 655350;
# Loads a dynamic module.
# load_module modules/ngx_stream_module.so;
# Provides the configuration file context in which the directives that affect connection processing are specified.
events {
    # nginx will by default use the most efficient method.
    # use epoll;
    worker_connections  102400;
}
# Log level: debug, info, notice, warn, error, crit, alert, or emerg.
error_log   /opt/log/nginx/error.log error;
# PCRE JIT can speed up processing of regular expressions significantly.
pcre_jit on;
pid /opt/run/nginx/nginx.pid;
http {
    include       mime.types;
    default_type  application/octet-stream;
    # Default log format - main
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    # Custom log format - main
    log_format main   '[$time_local] $remote_addr $http_x_connecting_ip "$http_x_forwarded_for" '
                      '$scheme $http_host "$request" $body_bytes_sent $request_time $status "$http_referer" '
                      '"$http_user_agent" $upstream_addr $upstream_response_time $upstream_status ';
    access_log  /opt/log/nginx/access.log main;
    # client_body_buffer_size 8k|16k;
    # client_body_timeout 120s;
    # client_header_buffer_size 1k;
    # client_header_timeout 120s;
    # client_max_body_size 10m;
    keepalive_timeout 75s;
    send_timeout    60s;
    sendfile        on;
    server_tokens   off;
    tcp_nodelay     on;
    tcp_nopush      on;
    # Enables or disables the use of underscores in client request header fields.
    # underscores_in_headers off;
    gzip  on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    # Module ngx_http_fastcgi_module setting.
    # fastcgi_buffer_size 8k;
    # fastcgi_buffering on;
    # fastcgi_buffers 8 256k;
    # fastcgi_connect_timeout 120s;
    # fastcgi_read_timeout 120s;
    # fastcgi_send_timeout 120s;
    include vhosts/*.conf;
}
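Default virtual host
  Configure a default virtual host that rejects requests made directly to an IP address and redirects requests for domain names that are not bound to any virtual host.
Path: /opt/soft/nginx/conf/vhosts/default.conf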

# vhosts - default
server {
    listen  80  default_server;
    server_name _;
    # underscores_in_headers on;
    if ($host ~ "\d+\.\d+\.\d+\.\d+") {
        return 404;
    }
    if ($host ~ "fandenggui.com") {
        return https://www.fandenggui.com;
    }
    location / {
        return https://www.fandenggui.com;
    }
}
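Production virtual host configuration
  There are many details here; readers should understand what each directive does and adjust it themselves. They are not explained at length here.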

server {
    listen 80;
    listen 443 ssl http2;
    server_name www.fandenggui.com;
    # Access control
    # include acl/your_acl_rule.conf;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate     ssl/fandenggui.com.pem;
    ssl_certificate_key ssl/fandenggui.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    # OCSP Stapling --- Requires nginx >= 1.3.7
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    # DHPARAM: openssl dhparam -out /opt/soft/nginx/conf/dhparam.pem 4096
    # ssl_dhparam /opt/soft/nginx/conf/dhparam.pem;
    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    # resolver_timeout 5s;
    # add_header X-Frame-Options DENY;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security max-age=15768000;
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # Forced to use HTTPS
    # if ( $scheme = "http") {
    #     return 301 https://$host$request_uri;
    # }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    access_log /opt/log/nginx/www.fandenggui.com_access.log main;
    error_log /opt/log/nginx/www.fandenggui.com_error.log error;
    location / {
        # Configure the reverse proxy as needed
        # ……
    }
}
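
A vhost assembled from several generator outputs, like the one above, is worth linting before it is loaded. The following is an added example, not part of the original post: it flags TLSv1 and TLSv1.1 in ssl_protocols (both deprecated by RFC 8996), 3DES suites in ssl_ciphers, and single-value ssl_* directives set twice in one server block, which nginx rejects as duplicate. audit_tls is a hypothetical helper name and the sample fragment is constructed, with a shortened cipher list.

```sh
#!/bin/sh
# audit_tls FILE: print one finding per line; exit status 1 if anything was found.
audit_tls() {
    awk '
    /^[ \t]*server[ \t]*[{]/ { split("", seen) }   # new server block: forget earlier directives
    {
        sub(/[ \t]*#.*$/, ""); sub(/;[ \t]*$/, "") # drop comments and the trailing semicolon
        if (NF == 0) next
        d = $1
        # These take a single value; nginx refuses to load a block that sets one twice.
        if (d ~ /^ssl_(session_timeout|session_tickets|prefer_server_ciphers|ciphers|ecdh_curve)$/) {
            if (d in seen) { printf "line %d: duplicate %s (first set on line %d)\n", NR, d, seen[d]; bad++ }
            else seen[d] = NR
        }
        if (d == "ssl_protocols")
            for (i = 2; i <= NF; i++)
                if ($i == "TLSv1" || $i == "TLSv1.1") { printf "line %d: deprecated protocol %s\n", NR, $i; bad++ }
        if (d == "ssl_ciphers" && $0 ~ /DES-CBC3/) { printf "line %d: 3DES suite in ssl_ciphers\n", NR; bad++ }
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample modelled on the vhost above (cipher list shortened).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA';
    ssl_session_timeout 10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
}
EOF
audit_tls "$sample" || echo "findings above: fix before reloading nginx"
rm -f "$sample"
```

Running it on each file under conf/vhosts before nginx -t gives a line-numbered list of what to tighten; a file with no findings produces no output and exit status 0.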
Create nginx.service
  Path: /usr/lib/systemd/system/nginx.service

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/opt/run/nginx/nginx.pid
ExecStartPre=/usr/bin/rm -f /opt/run/nginx/nginx.pid
ExecStartPre=/opt/soft/nginx/sbin/nginx -t
ExecStart=/opt/soft/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
  Start the service & enable it at boot

# Check Nginx config.
/opt/soft/nginx/sbin/nginx -t
systemctl start nginx
systemctl enable nginx
References and tools


  • Mozilla SSL Configuration Generator
  • Strong Ciphers for nginx
  • SSL Server Test



