nginx一键安装脚本

nginx一键安装脚本

[root@cc nginx]# cat nginx_install.sh
#!/bin/bash
#	> File Name: nginx_install.sh
# 	> Author: cc
# 	> mail: 547253687@qq.com
# 	> Created Time: Fri 16 Nov 2018 11:02:58 AM CST

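# Installation layout. SRC_DIR is expected to already hold ${NGINX_LUA}.tar.gz.
INSTALL_DIR=/usr/local
SRC_DIR=/root
NGINX_LUA="nginx-tengine+lua"
GEOIP="GeoIP-1.4.8"
SOCK="sock"
CONF="/root/nginx-tengine+lua/conf"
NGINX_DIR="/usr/local/tengine"
# Integer part of the release number found in /etc/redhat-release (e.g. 6 or 7).
# Stays empty when that file is missing; the later version tests then take
# their "else" branch.
system_version=$(grep -o "[0-9].*[0-9]" /etc/redhat-release | awk '{print int($0)}')

# Check for root BEFORE touching the filesystem; the original created the
# directories first and only then refused to run.
if [ "$(id -u)" != "0" ]; then
	echo "Error: you must be root to run this script!"
	exit 1
fi

# mkdir -p is a no-op for directories that already exist. The original tested
# "${SRC_DIR}$SOCK" (/rootsock) but created ${INSTALL_DIR}/$SOCK; the path that
# was actually created is kept.
mkdir -p "${INSTALL_DIR}" "${SRC_DIR}" "${INSTALL_DIR}/${SOCK}"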

## Colored output helpers
# Print all arguments as one bold red line (SGR 1;31) framed by two rules of
# asterisks. The text goes through `echo -e`, so backslash escapes inside the
# arguments are interpreted as well.
red_echo(){
	local text="$*"
	local rule='*********************'
	local row
	for row in "${rule}" "${text}" "${rule}"; do
		echo -e "\e[1;31m ${row} \e[0m"
	done
}
# Print all arguments as one highlighted line framed by two rules of dashes.
# Despite the name, the escape code used is SGR 1;32 (bold green).
blue_echo()
{
	local text="$*"
	local rule='---------------------'
	local row
	for row in "${rule}" "${text}" "${rule}"; do
		echo -e "\e[1;32m ${row} \e[0m"
	done
}

## Install the required build and runtime packages with yum
# One `yum -y install` call is made per package, in list order. Individual
# failures are not checked; the function returns the status of the last call.
# "patch" appears twice in the list, as in the original.
Install_Package()
{
local -a wanted=(
	lrzsz openssl-devel zlib zlib-devel pcre pcre-devel geoip-devel patch
	iptables iptables-services c++ gcc-c++ telnet curl curl-devel vim make
	wget lua lua-devel tcl ipset patch ntpdate
)
local pkg
for pkg in "${wanted[@]}"
do
	yum -y install "${pkg}"
done
}

# Report the outcome of the command that ran immediately before this call.
# Arguments: $1 - step name (e.g. "Make"), $2 - component name (may be empty)
# Prints a green "Success!!!" banner when that command exited 0, a red
# "Failure!!!" banner otherwise, then pauses 5 seconds. It only reports: the
# failing status is not returned to the caller, so the install continues.
If_Success()
{
local rc=$?	# must stay the first statement: it captures the caller's last exit status
local colour rule verdict
if [ "${rc}" -eq 0 ]
then
	colour=32
	rule='-------------------'
	verdict='Success!!!'
else
	colour=31
	rule='*******************'
	verdict='Failure!!!'
fi
echo -e "\033[${colour}m ${rule} \033[0m"
echo -e "\033[${colour}m $1 $2 ${verdict} \033[0m"
echo -e "\033[${colour}m ${rule} \033[0m"
sleep 5
}

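## On releases other than CentOS 7 the GeoIP library is built from the bundled
## source; Install_Nginx calls this function for that case.
# Globals:  SRC_DIR, NGINX_LUA, GEOIP (read)
# Returns:  1 when the GeoIP source directory cannot be entered; otherwise the
#           status of the last If_Success call.
If_GeoIp()
{
local geoip_src="${SRC_DIR}/${NGINX_LUA}/${GEOIP}"

# Without this guard a failed cd left the script running ./configure and
# `make install` as root in whatever directory it happened to be in.
if ! cd "${geoip_src}"
then
	echo "Error: cannot enter ${geoip_src}" >&2
	return 1
fi
./configure
If_Success "Configure" "GeoIp"
make
If_Success "Make" "GeoIp"
make install
If_Success "Install" "GeoIp"
}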

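# Unpack the prepared source bundle, create the nginx account and build
# tengine with the bundled PCRE/zlib/OpenSSL and third-party modules.
# Globals:  SRC_DIR, NGINX_LUA, INSTALL_DIR, system_version (read)
# Returns:  1 when the bundle cannot be entered or extracted; otherwise the
#           status of the last If_Success call.
# NOTE(review): the bundle ${NGINX_LUA}.tar.gz is trusted as-is. The component
# versions below are the ones the author pinned in 2018, and several module
# directories carry a "-master" suffix, which suggests unpinned snapshots.
# Check upstream security releases and record checksums before reusing it.
Install_Nginx()
{
local NGINX="tengine-2.2.2"
local PCRE="pcre-8.40"
local ZLIB="zlib-1.2.11"
local OPENSSL="openssl-1.0.2p"
local ACCESSKEY="nginx-accesskey-2.0.3"


## Unpack the prepared bundle
# Every cd/tar is checked: the build steps below run as root and must not
# execute in an unexpected working directory.
cd "${SRC_DIR}" || { echo "Error: cannot enter ${SRC_DIR}" >&2; return 1; }
echo "Extracting ${NGINX_LUA}"
tar -xzf "${NGINX_LUA}.tar.gz" || { echo "Error: cannot extract ${NGINX_LUA}.tar.gz" >&2; return 1; }
cd "${SRC_DIR}/${NGINX_LUA}" || { echo "Error: cannot enter ${SRC_DIR}/${NGINX_LUA}" >&2; return 1; }
echo "Done..."

## Download the source packages (disabled: kept as reference only)
# The delimiter is quoted so the shell does not expand anything inside the
# disabled text. If this is ever re-enabled: three of the URLs are plain HTTP
# and nothing verifies a checksum or signature before the sources are compiled
# as root; the PCRE URL path names 8.35 while PCRE is pcre-8.40; and the
# "NGINX" archive is a tengine release requested from nginx.org.
: <<'!'
cd ${SRC_DIR}/${NGINX_LUA}
echo 'Downloading NGINX'
if [ ! -f ${NGINX}.tar.gz ]
then
  wget -c http://nginx.org/download/${NGINX}.tar.gz
else
  echo 'Skipping: NGINX already downloaded'
fi

echo 'Downloading PCRE'
if [ ! -f ${PCRE}.tar.gz ]
then
  wget -c https://sourceforge.net/projects/pcre/files/pcre/8.35/${PCRE}.tar.gz
else
  echo 'Skipping: PCRE already downloaded'
fi

echo 'Downloading ZLIB'
if [ ! -f ${ZLIB}.tar.gz ]
then
  wget -c http://zlib.net/${ZLIB}.tar.gz
else
  echo 'Skipping: ZLIB already downloaded'
fi

echo 'Downloading OPENSSL'
if [ ! -f ${OPENSSL}.tar.gz ]
then
  wget -c http://www.openssl.org/source/${OPENSSL}.tar.gz
else
  echo 'Skipping: OPENSSL already downloaded'
fi

echo '----------Unpacking downloaded archives. This process may take serveral minutes---------'

echo "Extracting ${NGINX}..."
tar xzf ${NGINX}.tar.gz
echo 'Done.'

echo "Extracting ${PCRE}..."
tar xzf ${PCRE}.tar.gz
echo 'Done.'

echo "Extracting ${ZLIB}..."
tar xzf ${ZLIB}.tar.gz
echo 'Done.'

echo "Extracting ${OPENSSL}..."
tar xzf ${OPENSSL}.tar.gz
echo 'Done.'
!

## Create the service account
# The worker account never needs an interactive shell.
groupadd nginx
useradd -g nginx -s /sbin/nologin nginx

## Build GeoIP from source on anything that is not release 7
# The test is "not equal to 7", so it also fires on releases newer than 7.
if [ "${system_version}" -ne 7 ]
then
	If_GeoIp
else
        echo "pass..."
fi

## Compile
echo '###################'
echo 'Compile NGINX'
echo '###################'
cd "${SRC_DIR}/${NGINX_LUA}/${NGINX}" || { echo "Error: cannot enter ${SRC_DIR}/${NGINX_LUA}/${NGINX}" >&2; return 1; }
./configure --prefix="${INSTALL_DIR}/tengine" \
--user=nginx --group=nginx \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--with-http_secure_link_module \
--with-http_random_index_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_addition_module \
--with-http_sub_module \
--with-file-aio \
--with-http_geoip_module \
--with-pcre="../${PCRE}" \
--with-openssl="../${OPENSSL}" \
--with-zlib="../${ZLIB}" \
--add-module=../ngx_cache_purge-master \
--add-module=../echo-nginx-module \
--add-module=../file-md5-master \
--add-module="../${ACCESSKEY}" \
--add-module=../lua-nginx-module-master \
--add-module=../nginx_tcp_proxy_module-master \
--with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
--with-ld-opt=-Wl,-rpath,/usr/local/lib
If_Success "Configure"

make
If_Success "Make" "NGINX"

make install
If_Success "Install" "NGINX"
}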

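## Start sockproc and create its UNIX socket
# sockproc runs the shell commands it receives on this socket, and it is
# started here by root, so anything that can write to the socket can run
# commands as root.
# Globals:  SRC_DIR, NGINX_LUA (read)
# Returns:  1 when the sockproc directory cannot be entered or sockproc fails
#           to start; otherwise the status of the final chmod.
Create_Sock()
{
local sockpack="sockproc-master"
# The original stored "shell" in a variable named SHELL, which overwrote the
# login-shell environment variable for the rest of the script.
local sock_path="/tmp/shell.sock"

cd "${SRC_DIR}/${NGINX_LUA}/${sockpack}" || { echo "Error: cannot enter ${SRC_DIR}/${NGINX_LUA}/${sockpack}" >&2; return 1; }
chmod u+x sockproc
./sockproc "${sock_path}" || return 1
# The original used mode 0666, letting every local account send commands to
# the root-owned daemon. Access is limited to root and the nginx group here.
# NOTE(review): assumes the nginx workers run as nginx:nginx (the build-time
# --user/--group); adjust the group if nginx.conf sets another user.
# NOTE(review): /tmp is world-writable and the name is predictable; a
# root-owned directory would be safer, but the path is presumably referenced
# by the Lua code, which is not shown here.
chown root:nginx "${sock_path}"
chmod 0660 "${sock_path}"
}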

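## Install redis
# Download (unless already present), build and install redis, copy the
# binaries and redis.conf to /etc/redis and start the server.
# Globals:  SRC_DIR, NGINX_LUA, INSTALL_DIR, CONF (read)
#           REDIS_SHA256 (read, optional) - expected SHA-256 of the tarball;
#           when set, the archive is verified before it is unpacked and built.
# Returns:  1 when a directory cannot be entered, the checksum does not match
#           or the archive cannot be extracted; otherwise the status of the
#           final status banner.
Install_Redis()
{
local redis="redis-5.0.0"
local work_redis="/etc/redis"
local redis_sha256="${REDIS_SHA256:-}"

[ ! -d "${work_redis}" ] && mkdir -p "${work_redis}"

cd "${SRC_DIR}/${NGINX_LUA}" || { echo "Error: cannot enter ${SRC_DIR}/${NGINX_LUA}" >&2; return 1; }
echo 'Downloading Redis...'
if [ ! -f "${redis}.tar.gz" ]
then
	# Fetched over HTTPS; the original used plain HTTP for code that is then
	# compiled and installed as root.
	wget -c "https://download.redis.io/releases/${redis}.tar.gz"
else
	echo "Skipping: REDIS already downloaded..."
fi

# Verify the archive when a checksum was supplied.
if [ -n "${redis_sha256}" ]
then
	if ! echo "${redis_sha256}  ${redis}.tar.gz" | sha256sum -c - > /dev/null 2>&1
	then
		red_echo "Error:${redis}.tar.gz checksum mismatch..."
		return 1
	fi
else
	echo "Warning: REDIS_SHA256 is not set, ${redis}.tar.gz is not verified"
fi

echo "Extracting ${redis}..."
tar xzf "${redis}.tar.gz" -C "${INSTALL_DIR}" || { echo "Error: cannot extract ${redis}.tar.gz" >&2; return 1; }
echo "Done..."

cd "${INSTALL_DIR}/${redis}" || { echo "Error: cannot enter ${INSTALL_DIR}/${redis}" >&2; return 1; }
make
If_Success "Make" "REDIS"
make install
If_Success "Install" "REDIS"

cd "${INSTALL_DIR}/${redis}/src" || { echo "Error: cannot enter ${INSTALL_DIR}/${redis}/src" >&2; return 1; }
cp -a redis-server redis-benchmark redis-cli "${work_redis}"
cp -a "${CONF}/redis.conf" "${work_redis}"
cd "${work_redis}" || { echo "Error: cannot enter ${work_redis}" >&2; return 1; }
# NOTE(review): redis-server is started as root with ${CONF}/redis.conf, which
# is not shown here; confirm that it binds to loopback only and/or sets
# requirepass.
./redis-server redis.conf > /dev/null 2>&1 &
sleep 3
# Started when netstat lists a socket owned by a process whose name contains "redis".
if netstat -tunlp | grep -q redis
then
        blue_echo "Redis in started..."
else
        red_echo "Error:Redis started failed..."
fi
}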

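## Install ipset when it is missing, create the ipset sets, load the iptables
## rules and persist the sets from cron.

# Build and install ipset from the source tree in the current directory.
# If the first ./configure fails, a kernel-devel package is installed and
# configure is run once more.
_Ipset_Build()
{
if ! ./configure > /dev/null 2>&1
then
	# NOTE(review): this RPM is fetched over plain HTTP from a third-party
	# mirror and installed as root, and its version is hard-coded, so it only
	# helps when the running kernel is 2.6.32-754.3.5.el6. Prefer the kernel-devel
	# package from the configured, GPG-checked yum repositories.
	wget http://www.rpmfind.net/linux/centos/6.10/updates/x86_64/Packages/kernel-devel-2.6.32-754.3.5.el6.x86_64.rpm
	rpm -ivh kernel-devel-2.6.32-754.3.5.el6.x86_64.rpm
	./configure
fi
If_Success "Configure" "IPSET"
make
If_Success "Make" "IPSET"
make install
If_Success "Install" "IPSET"
}

# Restart the iptables service the way the detected release expects.
# Returns the status of the restart command.
_Ipset_Restart_Iptables()
{
if [ "${system_version}" -eq 7 ]
then
	/usr/bin/systemctl restart iptables > /dev/null 2>&1
else
	service iptables restart > /dev/null 2>&1
fi
}

# Insert the ipset-backed rules at the top of INPUT and save them.
# `iptables -I` prepends, so the rule issued LAST is evaluated FIRST. The
# original issued the port 80/443 ACCEPT rules last, which put them above the
# black/timeout DROP rules: listed addresses could still reach the web ports.
# The set rules keep their original relative order; only the two web ACCEPT
# rules move below the DROP rules. Resulting order, top to bottom:
#   ssh set -> tcp/22 ACCEPT, bmd ACCEPT, black DROP, timeout DROP,
#   tcp/80 ACCEPT, tcp/443 ACCEPT
_Ipset_Firewall_Rules()
{
iptables -I INPUT -p tcp --dport 443 -j ACCEPT                  # allow 443
iptables -I INPUT -p tcp --dport 80 -j ACCEPT                   # allow 80
iptables -I INPUT -m set --match-set timeout src -j DROP        # timed blacklist
iptables -I INPUT -m set --match-set black src -j DROP          # blacklist
iptables -I INPUT -m set --match-set bmd src -j ACCEPT          # whitelist (all ports)
iptables -I INPUT -m set --match-set ssh src -p tcp --destination-port 22 -j ACCEPT # addresses in the ssh set may reach port 22
service iptables save
}

# Globals:  SRC_DIR, NGINX_LUA, CONF, system_version (read)
#           SSH_ALLOW_IP (read, optional) - address put into the "ssh" set;
#           defaults to the author's 192.168.2.200.
# Returns:  1 when the ipset sources cannot be entered or extracted; otherwise
#           the status of the last command.
Install_Ipset()
{
local ipset_pkg="ipset-6.38"
local iptables_conf="/etc/sysconfig"
local ipset_conf="/usr/local/ipset"
local cron_file="/var/spool/cron/root"
local ssh_allow_ip="${SSH_ALLOW_IP:-192.168.2.200}"

## Install
if ! ipset version > /dev/null 2>&1
then
	cd "${SRC_DIR}/${NGINX_LUA}" || { echo "Error: cannot enter ${SRC_DIR}/${NGINX_LUA}" >&2; return 1; }
	# NOTE(review): plain-HTTP download with no checksum or signature check
	# before the code is built and installed as root.
	wget "http://ipset.netfilter.org/${ipset_pkg}.tar.bz2"
	echo "Extracting ${ipset_pkg}..."
	tar xf "${SRC_DIR}/${NGINX_LUA}/${ipset_pkg}.tar.bz2" || { echo "Error: cannot extract ${ipset_pkg}.tar.bz2" >&2; return 1; }
	echo "Done..."
	cd "${SRC_DIR}/${NGINX_LUA}/${ipset_pkg}" || { echo "Error: cannot enter ${SRC_DIR}/${NGINX_LUA}/${ipset_pkg}" >&2; return 1; }
	_Ipset_Build
else
	echo "Skipping: IPSET already install..."
fi

## Create the sets
# -exist makes re-running the script harmless when a set or entry already exists.
# "timeout" is the set name; it is stored as hash:ip. ipset holds 65536 elements
# by default, maxelem raises that; entries expire after 300 seconds.
ipset -exist create timeout hash:ip maxelem 100000 timeout 300
ipset -exist create bmd hash:ip maxelem 100000	# whitelist, permanent
ipset -exist create black hash:ip maxelem 100000	# blacklist, permanent
ipset -exist create ssh hash:ip maxelem 100000	# office egress addresses

## Add the ssh whitelist entry
# NOTE(review): if the iptables file copied below drops other SSH traffic,
# running this remotely from any other address will cut the session off; set
# SSH_ALLOW_IP first.
ipset -exist add ssh "${ssh_allow_ip}"


## Firewall rules
/usr/bin/systemctl stop firewalld.service > /dev/null 2>&1
/usr/bin/systemctl disable firewalld.service > /dev/null 2>&1
\cp -a ${CONF}/iptables* "${iptables_conf}"
if _Ipset_Restart_Iptables
then
	_Ipset_Firewall_Rules
	if _Ipset_Restart_Iptables
	then
		blue_echo "Iptables is started..."
	else
		red_echo "Error:Iptables started failed..."
	fi
else
	red_echo "Error:Iptables started failed..."
fi

## Persist the sets
[ ! -d "${ipset_conf}" ] && mkdir -p "${ipset_conf}"

# Append the cron entries only once; the original appended a fresh copy on
# every run.
if ! grep -qF '/usr/sbin/ipset save black' "${cron_file}" 2>/dev/null
then
cat >> "${cron_file}" <<'EOF'
0 */8 * * *  /usr/sbin/ntpdate ntp1.aliyun.com;/sbin/hwclock -w
*/1 * * * * /usr/sbin/ipset save black > /usr/local/ipset/black.txt
*/1 * * * * /usr/sbin/ipset save timeout > /usr/local/ipset/timeout.txt
*/1 * * * * /usr/sbin/ipset save bmd > /usr/local/ipset/bmd.txt
*/1 * * * * /usr/sbin/ipset save ssh > /usr/local/ipset/ssh.txt
EOF
fi
}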

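## System tuning
# Raise the open-file and process limits and append kernel network settings.
# Each file is changed only once (guarded by a marker or an exact-line match),
# and an existing .bak copy is never overwritten, so a second run neither
# duplicates entries nor replaces the pristine backup with a modified file.
System_Optimization()
{
local marker="# added by nginx_install.sh"

grep -qxF 'ulimit -n 65535' /etc/profile 2>/dev/null || echo ulimit -n 65535 >> /etc/profile
source /etc/profile

# The original listed fs.nr_open twice; one copy is written here.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 is known to break connections from
# clients behind NAT and the key no longer exists on newer kernels. Also
# fs.file-max (51200) is lower than the nofile limit (65535) set below. Both
# are kept as the author wrote them; review before reuse.
if ! grep -qF "${marker}" /etc/sysctl.conf 2>/dev/null
then
cat >> /etc/sysctl.conf <<EOF
${marker}
fs.nr_open = 1048576
fs.file-max = 51200
net.ipv4.tcp_congestion_control = hybla
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
kernel.pid_max = 32768
#net.ipv4.ip_conntrack_max = 10240
net.ipv4.ip_local_port_range = 1024  65535
vm.overcommit_memory=1
EOF
fi
sysctl -p

[ -e /etc/security/limits.conf.bak ] || cp -a /etc/security/limits.conf /etc/security/limits.conf.bak
if ! grep -qF "${marker}" /etc/security/limits.conf 2>/dev/null
then
cat >> /etc/security/limits.conf <<EOF
${marker}
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
fi

# This file is overwritten, not appended to, so only the backup needs a guard.
if [ -e /etc/security/limits.d/20-nproc.conf ] && [ ! -e /etc/security/limits.d/20-nproc.conf.bak ]
then
	cp -a /etc/security/limits.d/20-nproc.conf /etc/security/limits.d/20-nproc.conf.bak
fi
cat > /etc/security/limits.d/20-nproc.conf <<'EOF'
*          soft    nproc     65535
root       soft    nproc     unlimited
EOF
}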

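## Copy configuration files into the installed tree
# Globals:  NGINX_DIR, CONF (read)
# Returns:  1 when the bundle directory cannot be entered; otherwise the
#           status of the final chown.
Copy_File()
{
local nginx_file="/root/nginx-tengine+lua"

mkdir -p /home/nginx/logs
mkdir -p /data/proxy_cache_path
mkdir -p /data/proxy_temp_path
# NOTE(review): this re-owns everything under /data, not only the two
# directories created above; narrow it if /data holds anything else.
chown nginx:nginx /data -R

# Guarded: the relative cp below must not run from an unexpected directory.
cd "${nginx_file}" || { echo "Error: cannot enter ${nginx_file}" >&2; return 1; }
\cp -a geoip lua lualib "${NGINX_DIR}/conf"
\cp -a "${CONF}/nginx.conf" "${NGINX_DIR}/conf"
# -p so that a second run does not fail on the existing directory.
mkdir -p "${NGINX_DIR}/conf/vhosts"

# NOTE(review): this makes the nginx binary and its configuration writable by
# the unprivileged worker account, while the master process is started as
# root. Root ownership with a narrower writable area is safer; confirm what
# the Lua code needs to write before changing it.
chown nginx:nginx "${NGINX_DIR}" -R
}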

## Start nginx
# Runs ${NGINX_DIR}/sbin/nginx and prints a status banner depending on its
# exit status. The function returns the status of the banner helper it called.
NGINX_START()
{
if "${NGINX_DIR}/sbin/nginx"
then
	blue_echo "Nginx is started..."
	return
fi
red_echo "Error:Nginx started faild..."
}

# Run every installation stage in order. A stage's exit status is not
# inspected, so later stages run even if an earlier one reported a failure.
for stage in Install_Package Install_Nginx Create_Sock Install_Redis \
	Install_Ipset System_Optimization Copy_File NGINX_START
do
	"${stage}"
done

 

开机脚本

[root@cc nginx]# cat inotify.sh 
#!/bin/bash
#	> File Name: inotify.sh
# 	> Author: cc
# 	> mail: 547253687@qq.com
# 	> Created Time: Fri 16 Nov 2018 11:02:58 AM CST

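# Integer part of the release number found in /etc/redhat-release (e.g. 6 or 7).
system_version=$(grep -o "[0-9].*[0-9]" /etc/redhat-release | awk '{print int($0)}')

# Restart sockproc on its socket. The original removed
# /usr/local/ipset/shell.sock, which is not the path sockproc is started on,
# so a stale /tmp/shell.sock was left in place; the real path is removed here.
# sockproc runs the commands it receives and is started by root, so the
# socket is limited to root and the nginx group instead of mode 0666.
# NOTE(review): assumes the nginx workers run as nginx:nginx; adjust the group
# if nginx.conf sets another user.
rm -f /tmp/shell.sock && /root/nginx-tengine+lua/sockproc-master/sockproc /tmp/shell.sock && chown root:nginx /tmp/shell.sock && chmod 0660 /tmp/shell.sock
/etc/redis/redis-server /etc/redis/redis.conf >/dev/null 2>&1 &

# Reload the sets saved by the cron jobs. A set whose file has not been
# written yet is skipped, and -exist tolerates sets that already exist.
for set_name in black timeout bmd ssh
do
	if [ -r "/usr/local/ipset/${set_name}.txt" ]
	then
		/usr/sbin/ipset -exist restore < "/usr/local/ipset/${set_name}.txt"
	fi
done

# iptables is restarted after the sets exist, because its rules reference them.
if [ "${system_version}" -eq 7 ]
then
        /usr/bin/systemctl restart iptables
else
	/sbin/service iptables restart
fi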

 
