Install the C++ build environment:
yum install -y gcc gcc-c++

Add the user and group (already done in the PHP-FPM installation step):
groupadd www -g 503
useradd -s /sbin/nologin -M www -u 503 -g 503

Installing the newer nginx version:
cd /root/software
#### unpack
tar zxf pcre-8.34.tar.gz
tar zxf openssl-1.0.1c.tar.gz
tar zxf zlib-1.2.8.tar.gz
(these three only need to be unpacked, not compiled)
tar zxf nginx-1.4.4.tar.gz; cd nginx-1.4.4
./configure --prefix=/opt/nginx \
  --user=www --group=www \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --without-http_map_module \
  --without-http_geo_module \
  --with-http_flv_module \
  --with-http_realip_module \
  --with-pcre=/root/software/pcre-8.34 \
  --with-zlib=/root/software/zlib-1.2.8 \
  --with-http_ssl_module \
  --with-openssl=/root/software/openssl-1.0.1c \
  --with-debug

Without --with-openssl=/root/software/openssl-1.0.1c, /opt/nginx/sbin/nginx -V shows TLS SNI as not enabled; with it, the output reads "TLS SNI support enabled", i.e. SSL for several name-based virtual hosts.

make
make install

Note: --with-openssl and --with-pcre both point at the unpacked source directories, not at already-compiled ones.

vhost directory and the configuration files in it; changing the listen IP:
大航海mini currently uses a simplified configuration with a single virtual host, everything in the main configuration file.

##### (using 海贼时代's 宝歌 as the example)
user  www www;
worker_processes  1;
#error_log  logs/error.log;
error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
pid        logs/nginx.pid;
worker_rlimit_nofile 2048;

events {
    use epoll;
    worker_connections  2048;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  180;
    server_tokens off;

    ## Compression
    gzip  on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_types text/plain application/x-javascript text/css;
    # gzip_disable "MSIE [1-6]\.";
    # gzip_vary on;
    gzip_proxied any;
    gzip_http_version 1.0;

    #upload max size
    client_max_body_size 10M;
    client_body_buffer_size 1024K;
    # client_header_buffer_size 8K;
    large_client_header_buffers 4 8K;
    # fastcgi_intercept_errors on;
    fastcgi_buffers 8 128k;
    resolver 172.31.0.2;

    # server {
    #     listen 81;
    #     server_name _;
    #     return 444;
    # }

    server {
        listen 80;
        server_name _;
        set $host_dir /opt/web/serverlist;
        charset utf-8;
        access_log logs/serverlist_access.log main;
        location / {
            root $host_dir;
        }
    }

    server {
        listen 81;
        server_name _;
        set $host_dir /opt/web/gm/web;
        charset utf-8;
        access_log logs/gm_access.log main;
        location / {
            root $host_dir;
            index index.html index.htm index.php;
        }
        location ~ \.php {
            root $host_dir;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $host_dir$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~ /\.ht {
            deny all;
        }
    }

    server {
        listen 82;
        server_name _;
        set $host_dir /opt/web/payment;
        charset utf-8;
        access_log logs/payment_access.log main;
        location / {
            root $host_dir;
            index index.html index.htm index.php;
        }
        location ~ /index\.php/Server {
            root $host_dir;
            fastcgi_index index.php;
            fastcgi_pass 127.0.0.1:9000;
            include fastcgi_params;
            set $path_info "";
            set $real_script_name $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                set $real_script_name $1;
                set $path_info $2;
            }
            fastcgi_param SCRIPT_FILENAME $host_dir/$real_script_name;
            fastcgi_param SCRIPT_NAME $real_script_name;
            fastcgi_param PATH_INFO $path_info;
            allow 219.232.246.23;
            allow 60.169.0.217;
            allow 117.28.254.130;
            #deny all;
        }
        location ~ \.php {
            root $host_dir;
            fastcgi_index index.php;
            fastcgi_pass 127.0.0.1:9000;
            include fastcgi_params;
            set $path_info "";
            set $real_script_name $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                set $real_script_name $1;
                set $path_info $2;
            }
            fastcgi_param SCRIPT_FILENAME $host_dir/$real_script_name;
            fastcgi_param SCRIPT_NAME $real_script_name;
            fastcgi_param PATH_INFO $path_info;
            allow all;
        }
    }
}
### end of configuration ###

Note: allow directives only restrict anything when a deny follows them; in the /index\.php/Server location above, deny all is commented out, so the three allow lines currently restrict nothing.

### Anti-SQL-injection ###
First create the file /opt/nginx/conf/prevent-sql-injection.conf with this content:

if ($request_uri ~* "((union|select|insert|delete|update|drop|show|count|master|truncate|declare|exec|\*)(\%20|\+))|\%20and\%20") {
    return 403;
}

To check whether this rule would also block legitimate URLs in production (keep the regular expression identical):
awk '{ print $7; }' /opt/nginx/logs/*.log | egrep -i "((union|select|insert|delete|update|drop|show|count|master|truncate|declare|exec|\*)(\%20|\+))|\%20and\%20"

Add to each server block:
include prevent-sql-injection.conf;
or
include /opt/nginx/conf/prevent-sql-injection.conf;
then reload nginx.

Example of initially creating the web directories for project 107:
mkdir -p /opt/web/{serverlist,gm/web,payment}
chown www:www -R /opt/web

### Day-to-day management ###
/opt/nginx/sbin/nginx -s reload    reload the configuration (the worker processes are restarted)
/opt/nginx/sbin/nginx -s stop      stop
/opt/nginx/sbin/nginx -s quit      quit (graceful)

Older versions used the following commands, which of course still work on the new version:
killall -s HUP nginx              reload the configuration
killall -s TERM (or INT) nginx    fast shutdown, aborting the requests currently being processed
killall -s QUIT nginx             finish the current requests, then shut down

Other options:
-c: use a different configuration file
-v: show the nginx version
-V: show the nginx version plus the build environment and the configure arguments

### Start on boot ###
Edit /etc/rc.local and add the line:
/opt/nginx/sbin/nginx
or register nginx as a system service.

# Register as a system service
vi /etc/rc.d/init.d/nginx
Script content:

#!/bin/bash
# Comments to support chkconfig on Linux
# chkconfig: 35 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="nginx daemon"
NAME=nginx
DAEMON=/opt/nginx/sbin/$NAME
SCRIPTNAME=/etc/init.d/$NAME
test -x $DAEMON || exit 0

d_start() {
    $DAEMON || echo -n " already running"
}
d_stop() {
    $DAEMON -s quit || echo -n " not running"
}
d_reload() {
    $DAEMON -s reload || echo -n " could not reload"
}

case "$1" in
  start)
    echo -n "Starting $DESC:$NAME"
    d_start
    echo "."
    ;;
  stop)
    echo -n "Stopping $DESC:$NAME"
    d_stop
    echo "."
    ;;
  reload)
    echo -n "Reloading $DESC configuration..."
    d_reload
    echo "reloaded."
    ;;
  restart)
    echo -n "Restarting $DESC: $NAME"
    d_stop
    sleep 2
    d_start
    echo "."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|reload}" >&2
    exit 3
    ;;
esac
exit 0

End of script.

chmod +x /etc/rc.d/init.d/nginx
chkconfig --add nginx
chkconfig --level 2345 nginx on

#### Log rotation #####
vi /root/sh/nginx_cut_log.sh
Script content:

#!/bin/bash
#History
######################################################
# touch /root/sh/nginx_cut_log.sh; chmod u+x /root/sh/nginx_cut_log.sh
# 00 0 * * * root /root/sh/nginx_cut_log.sh >> /root/sh/nginx_cut_log.log 2>&1
########## variable #######################################
nginx_dir=/opt/nginx
nginx_log_dir=/opt/nginx/logs
logs_bakpath=/opt/data_bak/nginx_log
year=$(date -d "yesterday" +"%Y")
month=$(date -d "yesterday" +"%m")
# year and month of the monthly archive directory to delete; both must come
# from the same reference date, otherwise the path is wrong around New Year
delyear=$(date -d "4 months ago" +"%Y")
delmonth=$(date -d "4 months ago" +"%m")
deldays=90
cut_log_path=${logs_bakpath}/${year}/${month}
export LANG=C
export LC_ALL=C
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
####### do ##############################################
if [ ! -d "$cut_log_path" ];then
    mkdir -p ${logs_bakpath}/${year}/${month}
fi
echo ""
echo ""
echo "`date` start."
echo "##################################"
#### move yesterday logs ####
echo "`date` move yesterday logs."
if [ -d "$nginx_log_dir" ]; then
    cd $nginx_log_dir
    ls | grep ".log" | awk -F '.log' '{print $1}' > /tmp/nginxloglist.txt
else
    echo "log backup directory does not exist, exit"
    exit 1
fi

for logfilename in `cat /tmp/nginxloglist.txt`
do
    mv "$logfilename".log "$cut_log_path"/"$logfilename"_$(date -d "yesterday" +"%Y%m%d").log
done

#### nginx reopen log ####
kill -USR1 `cat ${nginx_dir}/logs/nginx.pid`
#or
#${nginx_dir}/sbin/nginx -s reopen

### gzip ###
for logfilename in `cat /tmp/nginxloglist.txt`
do
    gzip "$cut_log_path"/"$logfilename"_$(date -d "yesterday" +"%Y%m%d").log
done

#### Delete the monthly archive directory from 3 months ago ####
# absolute path on purpose: a failed cd would otherwise make rm -rf act on the current directory
del_month_path="$logs_bakpath"/"$delyear"/"$delmonth"
if [ -d "$del_month_path" ];then
    rm -rf "$del_month_path"
    echo "`date` Delete ${del_month_path}"
else
    echo "`date` Did not delete the directory."
fi

if [ -d "$logs_bakpath" ]; then
    cd $logs_bakpath
    echo "`date` Deletes the file list."
    # "*.log*" so that the gzipped archives (*.log.gz) are matched as well
    find $logs_bakpath -maxdepth 3 -type f -name "*.log*" -mtime +"$deldays"
    find $logs_bakpath -maxdepth 3 -type f -name "*.log*" -mtime +"$deldays" | xargs rm -rf
else
    echo "`date` Log directory does not exist, exit."
    exit
fi
### end of script ###

chmod u+x /root/sh/nginx_cut_log.sh

Create the scheduled job so it runs every night at midnight (it must be exactly 00:00:00):
vi /etc/crontab
00 0 * * * root /root/sh/nginx_cut_log.sh >> /root/sh/nginx_cut_log.log 2>&1

Start the service:
service nginx start

########################################
##### nginx https / SSL configuration #####
########################################
##### configuring https / SSL in nginx #####
mkdir /opt/nginx/ssl
cd /opt/nginx/ssl

Generate an RSA key:
# openssl genrsa -out rsa_key.pem 2048
--- openssl genrsa generates an RSA private key file; 2048 is the key length, -f 3/4 specifies the algorithm, and -passout pass:123 protects the generated private key file with a password.

Generate a certificate request:
# openssl req -new -key rsa_key.pem -out cert.csr
# // you are prompted for province, city, domain name and so on; the important part is that the email must belong to your domain. You can take this file to a certificate authority (CA) to apply for a certificate. The CA gives you a new file, cacert.pem, which is your actual certificate.

For a real production environment, send the pem and csr just generated to the certificate authority; they return some files, including the key. For your own testing, generate the certificate with the following command instead:
# openssl req -new -x509 -nodes -days 36500 -out server.crt -keyout server.key    -- this single command is what the test environment uses

export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=ChongQing
export KEY_CITY=ChongQing
export KEY_OU="system"
export KEY_ORG="Soonyo Technology Co., Ltd."
export KEY_EMAIL="zhaoyn@soonyo.com"

### Generating certificates and self-signed certificates ####
● Generate the server's private key:
openssl genrsa -out server.key 1024
or, encrypted:
openssl genrsa -des3 -out server.key 1024
You are prompted for a password, which is used to encrypt the key file (the des3 parameter is the encryption algorithm; any other algorithm you consider secure can be used instead). From then on, every read of this file (through the openssl commands or API) requires the passphrase. If that is inconvenient, the passphrase can be removed, but other protective measures must then be taken!
Command to remove the passphrase from the key file:
openssl rsa -in server.key -out server.key

● Generate the signing request (every field except Common Name may be left empty; Common Name must be the server's IP or domain name):
This produces a Certificate Signing Request (CSR); once the csr file has been signed by a CA it becomes the server's own certificate. Follow the prompts on screen and enter the requested personal information step by step.
openssl req -new -out server.csr -key server.key

● Generate the CA private key:
openssl genrsa -out ca.key 1024

● Use the CA's private key to produce the CA's self-signed certificate (every field except Common Name and organizationName may be left empty; Common Name must be the server's IP or domain name (distinguish internal and external networks), and organizationName must match the previous one):
The CSR file only becomes a certificate with a CA's signature. It can be sent to VeriSign or similar for validation, at considerable cost; why not run your own CA?
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

● The CA signs the web server's certificate:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

nginx configuration:

server {
    listen 443;
    server_name t1-test.soonyo.com;
    charset utf-8;
    access_log logs/t1_softdown.log main;
    set $host_dir /opt/web/t1/test/gamehttp;
    ssl on;
    ssl_certificate /opt/nginx/ssl/server.crt;
    ssl_certificate_key /opt/nginx/ssl/server.key;
    ssl_session_timeout 30s;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        root $host_dir;
        index index.html;
    }
}

Note: ssl_protocols SSLv2 SSLv3 TLSv1 together with +LOW:+SSLv2:+EXP in ssl_ciphers enables protocols and export-grade ciphers that are no longer considered secure; a current deployment would list TLSv1.2 and later only and drop the LOW, EXP and SSLv2 cipher groups.

Or use the combined HTTP/HTTPS host form:

server {
    listen 80;
    listen 443 ssl;
    #ssl on;    ## if both 443 and 80 should be reachable, ssl on must be commented out
    ssl_certificate /opt/nginx/ssl/server.crt;
    ssl_certificate_key /opt/nginx/ssl/server.key;
}

#### Converting a pfx certificate directly #####
openssl pkcs12 -in _.54.com.pfx -nocerts -nodes -out _.54.com.key
openssl pkcs12 -in _.54.com.pfx -clcerts -nokeys -out _.54.com.crt

#### Proxy configuration
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
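As an added check that is not part of the original notes, the script below replays constructed access-log lines through the exact expression used by prevent-sql-injection.conf above; it shows that the keyword rule also returns 403 for an ordinary URL such as /news?title=count+down+begins, which is why the awk | egrep dry run in the anti-SQL-injection section has to be done with the identical regex before the include goes live.

```shell
#!/bin/bash
# Added example, not from the original notes: replay constructed access-log lines
# (in the 'main' log_format defined above) through the same expression that
# prevent-sql-injection.conf uses, to see which requests would receive a 403.
SQLI_RE='((union|select|insert|delete|update|drop|show|count|master|truncate|declare|exec|\*)(\%20|\+))|\%20and\%20'

# Constructed sample log lines; the request URI is field 7, as in the awk check above.
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2014:00:00:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.6 - - [01/Jan/2014:00:00:02 +0800] "GET /index.php?id=1%20and%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [01/Jan/2014:00:00:03 +0800] "GET /news?title=count+down+begins HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.8 - - [01/Jan/2014:00:00:04 +0800] "GET /select.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"'

# Exit status 0 when the rule would answer the given request URI with 403.
would_block() {
    printf '%s\n' "$1" | grep -Eiq "$SQLI_RE"
}

# Reads log lines on stdin and prints the request URIs the rule would block;
# every line printed here for a real log is a candidate false positive to review.
blocked_uris() {
    awk '{ print $7 }' | grep -Ei "$SQLI_RE" || true
}

# With the sample above this prints the "%20and%20" request and the
# harmless "count+down" news URL, but not /select.php (no space after the keyword).
printf '%s\n' "$SAMPLE_LOG" | blocked_uris
```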
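The private-CA procedure above (server key, CSR, CA key, CA certificate, CA-signed server certificate), run non-interactively as an added example that is not part of the original notes, with a check that the issued certificate really chains to the CA. It assumes the openssl CLI is on PATH; the organisation name and the scratch directory are constructed, and signing is done with openssl x509 -req -CA instead of openssl ca, because openssl ca also needs the CA database (index.txt, serial, [ca] section of openssl.cnf) that the notes never set up.

```shell
#!/bin/bash
# Added example, not from the original notes: the private CA procedure above
# run non-interactively, plus a check that server.crt verifies against ca.crt.
# Assumptions: the openssl CLI is on PATH and $1 is a writable directory.
# 'openssl x509 -req -CA ...' replaces 'openssl ca', which also needs the CA
# database (index.txt, serial, openssl.cnf [ca] section) the notes never set up.
set -e

# Creates ca.key, ca.crt, server.key, server.csr and server.crt under $1,
# with $2 as the server's Common Name (the host name clients connect to).
make_test_pki() {
    local dir=$1 cn=$2
    mkdir -p "$dir"
    # CA private key and its self-signed certificate (2048 bits rather than the 1024 used above).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/O=Test Org/CN=Test Org Private CA"
    # Server private key (no passphrase, as after the 'openssl rsa' step above) and its CSR.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/O=Test Org/CN=$cn"
    # The CA signs the request; -CAcreateserial keeps a serial file instead of the CA database.
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# Exit status 0 only if server.crt verifies against ca.crt and carries Common Name $2.
check_test_pki() {
    local dir=$1 cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -subject | grep -q "CN *= *$cn"
}

# Example run into a scratch directory; copy server.crt and server.key to
# /opt/nginx/ssl/ for the ssl_certificate / ssl_certificate_key directives above.
make_test_pki "$(mktemp -d)" t1-test.soonyo.com
```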