溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
Nginx (engine x) 是一個高性能的HTTP和反向代理web服務器,同時也提供了IMAP/POP3/SMTP服務。Nginx是由伊戈爾·賽索耶夫為俄羅斯訪問量第二的Rambler.ru站點(俄文:Рамблер)開發的,第一個公開版本0.1.0發布于2004年10月4日。
其將源代碼以類BSD許可證的形式發布,因它的穩定性、豐富的功能集、示例配置文件和低系統資源的消耗而聞名。2011年6月1日,nginx 1.0.4發布。
Nginx是一款輕量級的Web 服務器/反向代理服務器及電子郵件(IMAP/POP3)代理服務器,在BSD-like 協議下發行。其特點是占有內存少,并發能力強,事實上nginx的并發能力在同類型的網頁服務器中表現較好
Nginx優點
Nginx 可以在大多數 UnixLinux OS 上編譯運行,并有 Windows 移植版。 Nginx 的1.4.0穩定版已經于2013年4月24日發布,一般情況下,對于新建站點,建議使用最新穩定版作為生產版本,已有站點的升級急迫性不高。
Nginx 的源代碼使用 2-clause BSD-like license。
Nginx 是一個很強大的高性能Web和反向代理服務,它具有很多非常優越的特性:
在連接高并發的情況下,Nginx是Apache服務不錯的替代品:Nginx在美國是做虛擬主機生意的老板們經常選擇的軟件平臺之一。能夠支持高達 50,000 個并發連接數的響應,感謝Nginx為我們選擇了 epoll and kqueue作為開發模型。
在編譯的時候需要添加--with-http_stub_status_module參數
配置案例:
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
server_name www.hechunping.tech;
location /nginx_status {
stub_status;
allow 192.168.7.0/24;
allow 127.0.0.1;
deny all;
}
}
[root@CentOS7-01 ~]#systemctl reload nginx
訪問測試
[root@CentOS7-01 ~]#curl www.hechunping.tech/nginx_status
Active connections: 1
server accepts handled requests
32 32 36 #這三個數字分別對應accepts,handled,requests三個值
Reading: 0 Writing: 1 Waiting: 0
相關解釋:
Active connections: 當前處于活動狀態的客戶端連接數,包括連接等待空閑連接數。
accepts: 統計總值,Nginx?啟動后已經接受的客戶端請求的總數。
handled: 統計總值,Nginx?啟動后已經處理完成的客戶端請求的總數,通常等于accepts,除?有因worker_connections限制等被拒絕的連接。
requests:統計總值,Nginx?啟動后客戶端發來的總的請求數。
Reading: 當前狀態,正在讀取客戶端請求報??部的連接的連接數。
Writing: 當前狀態,正在向客戶端發送響應報?過程中的連接數。
Waiting: 當前狀態,正在等待客戶端發出請求的空閑連接數,開啟 keep-alive的情況下,這個值等于 active – (reading+writing)。第三模塊是對nginx的功能擴展,第三?模塊需要在編譯安裝Nginx的時候使?參數--add-module=PATH指定路徑添加,有的模塊是由公司的開發?員針對業務需求定制開發的,有的模塊是開源愛好者開發好之后上傳到github進?開源的模塊,nginx?持第三?模塊需要從源碼重新編譯?持,?如開源的echo模塊 https://github.com/openresty/echo-nginx-module
配置案例
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
server_name www.hechunping.tech;
location /pc {
echo_sleep 1;
echo "this is pc directory";
}
}
[root@CentOS7-01 ~]#nginx -t
nginx: [emerg] unknown directive "echo_sleep" in /apps/nginx/conf/vhosts/pc.conf:5
nginx: configuration file /apps/nginx/conf/nginx.conf test failed
[root@CentOS7-01 ~]#yum install git -y
[root@CentOS7-01 ~]#git clone https://github.com/openresty/echo-nginx-module.git
[root@CentOS7-01 ~]#systemctl stop nginx
[root@CentOS7-01 ~]#cd nginx-1.16.1/
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_gunzip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j lscpu |awk 'NR==4{print $2}' && make install
# 再次檢測語法,正常
[root@CentOS7-01 nginx-1.16.1]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#systemctl start nginx
# 訪問測試,echo模塊已經可用
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
this is pc directorynginx的變量可以在配置?件中引?,作為功能判斷或者?志等場景使?,變量可以分為內置變量和?定義變量,
內置變量是由nginx模塊?帶,通過變量可以獲取到眾多的與客?端訪問相關的值。可以通過上面的echo模塊輸出,下面的變量都是參照如下配置文件
[root@CentOS7-01 nginx-1.16.1]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
server_name www.hechunping.tech;
location /pc {
echo $remote_addr;
}
}
$remote_addr; #存放了客戶端的地址,注意是客戶端的公?IP,也就是?家?訪問?個?站,則會顯?為路由器的公?IP。
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
127.0.0.1
$args; #變量中存放了URL中的指令,例如http://www.hechunping.tech/pc/index.do?id=20200105
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
id=20200105
$document_root; #保存了針對當前資源的請求的系統根?錄
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
/apps/nginx/html
$document_uri; #保存了當前請求中不包含指令的URI,注意是不包含請求的指令,比如
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do
$host; #存放了請求的host名稱。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech
$http_user_agent; #客?端瀏覽器的詳細信息
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
curl/7.29.0
$http_cookie; #客?端的cookie信息。
$limit_rate; #如果nginx服務器使?limit_rate配置了顯??絡速率,則會顯?,如果沒有設置,則顯?0。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
0
$remote_port; #客?端請求Nginx服務器時隨機打開的端?,這是每個客?端??的端?。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37848
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37850
$remote_user; #已經經過Auth Basic Module驗證的??名。
$request_body_file; #做反向代理時發給后端服務器的本地資源的名稱。
$request_method; #請求資源的?式,GET/PUT/DELETE等
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
GET
$request_filename; #當前請求的資源?件的路徑名稱,由root或alias指令與URI請求?成的?件絕對路徑,如
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.html
/apps/nginx/html/pc/index.html
$request_uri; #包含請求參數的原始URI,不包含主機名,如
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do?id=20200105
$scheme; #請求的協議,如ftp,https,http等。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
http
$server_protocol; #保存了客?端請求資源使?的協議的版本,如HTTP/1.0,HTTP/1.1,HTTP/2.0等。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
HTTP/1.1
$server_addr; #保存了服務器的IP地址。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
127.0.0.1
$server_name; #請求的服務器的主機名。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech
$server_port; #請求的服務器的端?號。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
80假如需要?定義變量名稱和值,使?指令"set $variable value;",語法如下
Syntax: set $variable value;
Default: —
Context: server, location, if
配置
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
server_name www.hechunping.tech;
location /pc {
set $name $server_name;
echo $name;
set $my_port $server_port;
echo $my_port;
}
}
[root@CentOS7-01 ~]#!s
systemctl restart nginx
訪問測試
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech
80訪問?志是記錄客戶端即?戶的具體請求內容信息,全局配置模塊中的error_log是記錄nginx服務器運?時的?志
保存路徑和記錄?志的level,因此有著本質的區別,?且Nginx的錯誤?志?般只有?個,但是訪問?志可以在不
同server中定義多個,定義?個?志需要使?access_log指定?志的保存路徑,使?log_format指定?志的格式,
格式中定義要保存的具體?志內容。如果是要保留?志的原格式,只是添加相應的?志內容,則配置如下:
log_format www.hechunping.tech '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
'$server_name:$server_port';
access_log /data/nginx/logs/www.hechunping.tech/access.log www.hechunping.tech;
[root@CentOS7-01 ~]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 ~]#systemctl reload nginx
[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
192.168.7.1 - - [05/Jan/2020:14:58:47 +0800] "GET /pc/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" "-"www.hechunping.tech:80Nginx 的默認訪問?志記錄內容相對?較單?,默認的格式也不?便后期做?志統計分析,?產環境中通常將nginx?志轉換為json?志,然后配合使?ELK做?志收集-統計-分析。
log_format access_json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"uri":"$uri",'
'"domain":"$host",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"tcp_xff":"$proxy_protocol_addr",'
'"http_user_agent":"$http_user_agent",'
'"status":"$status"}';
access_log /data/nginx/logs/www.hechunping.tech/access.log access_json;
[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
{"@timestamp":"2020-01-05T15:04:16+08:00","host":"192.168.7.71","clientip":"192.168.7.1","size":7,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.hechunping.tech","uri":"/pc/index.html","domain":"www.hechunping.tech","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","status":"200"}[root@CentOS7-01 ~]#cat nginx_json.py
#!/usr/bin/env python
#coding:utf-8
status_200 = []
status_404 = []
with open("access_json.log") as f:
for line in f.readlines():
line = eval(line)
if line.get("status") == "200":
status_200.append(line.get)
elif line.get("status") == "404":
status_404.append(line.get)
else:
print("狀態碼 ERROR")
f.close()
print "狀態碼為200的有-->:",len(status_200)
print "狀態碼為404的有-->:",len(status_404)
[root@CentOS7-01 ~]#python nginx_json.py
...
狀態碼 ERROR
狀態碼為200的有-->: 403428
狀態碼為404的有-->: 125712Nginx?持對指定類型的?件進?壓縮然后再傳輸給客?端,?且壓縮還可以設置壓縮?例,壓縮后的?件??將?源?件顯著變?,這樣有助于降低出?帶寬的利?率,降低企業的IT?出,不過會占?相應的CPU資源。
Nginx對?件的壓縮功能是依賴于模塊ngx_http_gzip_module,官??檔: https://nginx.org/en/docs/http/ngx_http_gzip_module.html, 配置指令如下:
gzip on | off; #啟?或禁?gzip壓縮,默認關閉
gzip_comp_level level; #壓縮?由低到?從1到9,默認為1
gzip_disable "MSIE [1-6]\."; #禁?IE6 gzip功能
gzip_min_length 1k; #gzip壓縮的最??件,?于設置值的?件將不會壓縮
gzip_http_version 1.0 | 1.1; #啟?壓縮功能時,協議的最?版本,默認HTTP/1.1
gzip_buffers number size; #指定Nginx服務需要向服務器申請的緩存空間的個數*??,默認32 4k|16 8k;
gzip_types mime-type ...; #指明僅對哪些類型的資源執?壓縮操作;默認為gzip_types text/html,不?顯?指定,否則出錯
gzip_vary on | off; #如果啟?壓縮,是否在響應報??部插?"Vary: Accept-Encoding"
配置案例
gzip on;
gzip_comp_level 5;
gzip_min_length 1k; gzip_types text/plain application/javascript application/x-javascript text/cssapplication/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary on;
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
server_name www.hechunping.tech;
location /pc {
root html;
}
}
[root@CentOS7-01 ~]#ll /apps/nginx/html/pc/test.html -h
-rw-r--r-- 1 nginx nginx 1.7M Jan 5 16:01 /apps/nginx/html/pc/test.html #使用該文件進行壓縮測試
訪問測試,壓縮后的大小
nginx的https功能基于模塊ngx_http_ssl_module實現,因此如果是編譯安裝的nginx要使?參數--with-http_ssl_module開啟ssl功能,但是作為nginx的核?功能,yum安裝的nginx默認就是開啟的。
官??檔: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
配置參數如下:
ssl on | off; #為指定的虛擬主機配置是否啟?ssl功能,此功能在1.15.0廢棄,使?listen [ssl]替代。
ssl_certificate /path/to/file; #當前虛擬主機使?使?的公鑰?件,?般是crt?件
ssl_certificate_key /path/to/file; #當前虛擬主機使?的私鑰?件,?般是key?件
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; #?持ssl協議版本,早期為ssl,現在是TSL,默認為后三個
ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; #配置ssl緩存
off: 關閉緩存
none: 通知客?端?持ssl session cache,但實際不?持
builtin[:size]: 使?OpenSSL內建緩存,為每worker進程私有
[shared:name:size]: 在各worker之間使??個共享的緩存,需要定義?個緩存名稱和緩存空間??,?兆可以存儲4000個會話信息,多個虛擬主機可以使?相同的緩存名稱。
ssl_session_timeout time; #客?端連接可以復?ssl session cache中緩存的有效時?,默認5m# 自簽名CA證書
[root@CentOS7-01 ~]#cd /apps/nginx/
[root@CentOS7-01 nginx]#mkdir certs
[root@CentOS7-01 nginx]#cd certs
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
......++
...................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #國家代碼,參看:https://country-code.cl
State or Province Name (full name) []:BeiJing #省份
Locality Name (eg, city) [Default City]:BeiJing #城市名稱
Organization Name (eg, company) [Default Company Ltd]:abc #公司名稱
Organizational Unit Name (eg, section) []:IT #部門名稱
Common Name (eg, your name or your server's hostname) []:hechunping #通用名稱
Email Address []:742384103@qq.com #郵箱
[root@CentOS7-01 certs]#ls
ca.crt ca.key
# 自制key和csr文件
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hechunping.tech.key -out www.hechunping.tech.csr
Generating a 4096 bit RSA private key
...............................................++
........................................................................................++
writing new private key to 'www.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #此處為空即可
An optional company name []: #同上
[root@CentOS7-01 certs]#ll
total 16
-rw-r--r-- 1 root root 2090 Jan 5 21:05 ca.crt
-rw-r--r-- 1 root root 3272 Jan 5 21:05 ca.key
-rw-r--r-- 1 root root 1736 Jan 5 21:11 www.hechunping.tech.csr
-rw-r--r-- 1 root root 3272 Jan 5 21:11 www.hechunping.tech.key
# 簽發證書
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in www.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key
# 驗證證書內容
[root@CentOS7-01 certs]#openssl x509 -in www.hechunping.tech.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c6:bd:85:07:5d:3c:bc:54
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
Validity
Not Before: Jan 5 13:13:08 2020 GMT
Not After : Jan 2 13:13:08 2030 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
......[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
server_name www.hechunping.tech;
location /pc {
root html;
}
}
[root@CentOS7-01 certs]#systemctl reload nginx
訪問測試
Nginx?持基于單個IP實現多域名的功能,并且還?持單IP多域名的基礎之上實現HTTPS,其實是基于Nginx的SNI(Server Name Indication)功能實現,SNI是為了解決?個Nginx服務器內使??個IP綁定多個域名和證書的功能,其具體功能是客?端在連接到服務器建?SSL鏈接之前先發送要訪問站點的域名(Hostname),這樣服務器再根據這個域名返回給客?端?個合適的證書。
# 制作key和csr文件
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout news.hechunping.tech.key -out news.hechunping.tech.csr
Generating a 4096 bit RSA private key
.............................................................................++
.....................................................................................................................................................................................................................................................................................................++
writing new private key to 'news.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:xyz
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# 簽名證書
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in news.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out news.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=xyz/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key
# 驗證證書內容
[root@CentOS7-01 certs]#openssl x509 -in news.hechunping.tech.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c6:bd:85:07:5d:3c:bc:55
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
Validity
Not Before: Jan 5 13:52:00 2020 GMT
Not After : Jan 2 13:52:00 2030 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=xyz, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
......
# nginx配置證書
[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/news.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/certs/news.hechunping.tech.crt;
ssl_certificate_key /apps/nginx/certs/news.hechunping.tech.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
server_name news.hechunping.tech;
location /pc {
root html;
}
}
[root@CentOS7-01 certs]#systemctl reload nginx
# 訪問測試
favicon.ico ?件是瀏覽器收藏?址時顯?的圖標,當客?端使?瀏覽器問??時,瀏覽器會??主動發起請求獲取??的favicon.ico?件,但是當瀏覽器請求的favicon.ico?件不存在時,服務器會記錄404?志,?且瀏覽器也會顯?404報錯。
解決方法
將圖標保存到指定的目錄
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
listen 80;
server_name www.hechunping.tech;
location = /favicon.ico {
root html/image;
}
location /pc {
root html;
}
}
[root@CentOS7-01 ~]#systemctl reload nginx
更改nginx源碼信息,將nginx服務版本號更改為HCPWS/1.1并重新編譯nginx
[root@CentOS7-01 nginx-1.16.1]#sed -ir 's#Server: nginx#Server: HCPWS/1.1#' /root/nginx-1.16.1/src/http/ngx_http_header_filter_module.c
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j lscpu | awk 'NR==4{print $2}' && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx
訪問測試
?臟出?(英語:Heartbleed),也簡稱為??漏洞,是?個出現在加密程序庫OpenSSL的安全漏洞,該程序庫?泛?于實現互聯?的傳輸層安全(TLS)協議。它于2012年被引?了軟件中,2014年4??次向公眾披露。只要使?的是存在缺陷的OpenSSL實例,?論是服務器還是客?端,都可能因此?受到***。此問題的原因是在實現TLS的?跳擴展時沒有對輸?進?適當驗證(缺少邊界檢查),因此漏洞的名稱來源于“?跳”(heartbeat)。該程序錯誤屬于緩沖區過讀,即可以讀取的數據?應該允許讀取的還多。
升級步驟
1)查看當前的Openssl版本
2)下載OpenSSL源碼包并解壓
[root@CentOS7-01 nginx-1.16.1]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-1.1.1d.tar.gz
[root@CentOS7-01 nginx-1.16.1]#tar xf /usr/local/src/openssl-1.1.1d.tar.gz
3)編譯安裝nginx并指定新版本OpenSSL路徑
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=./openssl-1.1.1d
[root@CentOS7-01 nginx-1.16.1]#make -j lscpu |awk 'NR==4{print $2}' && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx
驗證
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
