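Linux: compiling and installing Nginx and configuring an HTTPS virtual host
1) Compile and install LNMP, configure a custom 404 page, and configure the access log in JSON format.
1. Lab environment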
[root@chujiapeng ~]#192.168.146.133/24
2. Prepare the base environment for compiling
[root@chujiapeng ~]# yum install -y vim lrzsz tree screen psmisc lsof tcpdump wget ntpdate \
    gcc gcc-c++ glibc glibc-devel pcre pcre-devel openssl openssl-devel systemd-devel \
    net-tools iotop bc zip unzip zlib-devel bash-completion nfs-utils automake libxml2 \
    libxml2-devel libxslt libxslt-devel perl perl-ExtUtils-Embed
3. Prepare the source package, compile and install
[root@chujiapeng data]# tar xf nginx-1.12.2.tar.gz
[root@chujiapeng data]# cd nginx-1.12.2/
[root@chujiapeng nginx-1.12.2]# ./configure --prefix=/apps/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_ssl_module \
> --with-http_v2_module \
> --with-http_realip_module \
> --with-http_stub_status_module \
> --with-http_gzip_static_module \
> --with-pcre \
> --with-stream \
> --with-stream_ssl_module \
> --with-stream_realip_module
[root@chujiapeng nginx-1.12.2]# make && make install
[root@chujiapeng nginx-1.12.2]# useradd nginx -s /sbin/nologin -u 2000
[root@chujiapeng nginx-1.12.2]# ll /apps/nginx/
total 0
drwxr-xr-x 2 root root 333 Sep 2 21:50 conf
drwxr-xr-x 2 root root 40 Sep 2 21:50 html
drwxr-xr-x 2 root root 6 Sep 2 21:50 logs
drwxr-xr-x 2 root root 19 Sep 2 21:50 sbin
[root@chujiapeng nginx-1.12.2]# chown nginx.nginx -R /apps/nginx/
4. Verify the version and compile options
[root@chujiapeng nginx-1.12.2]# /apps/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
5. Start the service and verify the web page
[root@chujiapeng sbin]# ./nginx
6. Create the nginx auto-start script (systemd unit)
[root@chujiapeng sbin]# cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/apps/nginx/logs/nginx.pid
# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
# SELinux context. This might happen when running `nginx -t` from the cmdline.
# https://bugzilla.redhat.com/show_bug.cgi?id=1268621
ExecStartPre=/usr/bin/rm -f /apps/nginx/logs/nginx.pid
ExecStartPre=/apps/nginx/sbin/nginx -t
ExecStart=/apps/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
#KillSignal=SIGQUIT
#TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target
7. Start the service
[root@chujiapeng sbin]# systemctl start nginx
[root@chujiapeng sbin]#
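8. View the configuration file
9. Configure the 404 page and test
# error_page sends 404 responses to /404.html; the exact-match location needs the leading slash
error_page 404 /404.html;
location = /404.html {
    root html;
}
Prepare the 404 page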
[root@chujiapeng html]# cat 404.html
not found
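10. Configure the access log in JSON format
Nginx's default access log records relatively little, and its default format is inconvenient for later log statistics and analysis. In production, nginx logs are usually converted to JSON and then used together with ELK for log collection, statistics and analysis.
http {
    # escape=json (nginx 1.11.8+) escapes quotes, backslashes and control characters in
    # client-supplied values such as $http_user_agent so that every line stays valid JSON.
    log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
        '"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"uri":"$uri",'
        '"domain":"$host",'
        '"xff":"$http_x_forwarded_for",'
        '"referer":"$http_referer",'
        '"tcp_xff":"$proxy_protocol_addr",'
        '"http_user_agent":"$http_user_agent",'
        '"status":"$status"}';
    access_log /apps/nginx/logs/cjp_json.log access_json;
}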
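Added example (not from the original post): a Python simulation of how nginx writes a client-controlled value into an access_json line under its default escaping and under the escape=json parameter of log_format, following the escaping rules in the nginx log module documentation. The four-field template, the function names and the sample request are constructed for illustration.

```python
import json

# Subset of the page's access_json format; uri and http_user_agent are client-controlled.
TEMPLATE = ('{{"clientip":"{clientip}","uri":"{uri}",'
            '"http_user_agent":"{ua}","status":"{status}"}}')

def escape_default(value):
    """nginx default escaping: '"', '\\' and bytes <32 or >126 become \\xXX."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x22, 0x5C) or b < 32 or b > 126:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)

JSON_SHORT = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
              "\t": "\\t", "\b": "\\b", "\f": "\\f"}

def escape_json(value):
    """nginx escape=json: short escapes where JSON has them, \\u00XX for other controls."""
    return "".join(JSON_SHORT.get(ch) or ("\\u%04X" % ord(ch) if ord(ch) < 32 else ch)
                   for ch in value)

def render(escape, **fields):
    """Build one log line with every variable passed through the chosen escaping."""
    return TEMPLATE.format(**{k: escape(v) for k, v in fields.items()})

def parses(line):
    """True if a JSON consumer (Logstash, Filebeat, jq) would accept the line."""
    try:
        json.loads(line)
        return True
    except ValueError:
        return False

# Constructed request: the User-Agent tries to close the string and forge "status".
SAMPLE = dict(clientip="203.0.113.7", uri="/missing", status="404",
              ua='curl/7.0","status":"200')

if __name__ == "__main__":
    for name, esc in (("default", escape_default), ("escape=json", escape_json)):
        line = render(esc, **SAMPLE)
        print("%-12s valid_json=%s  %s" % (name, parses(line), line))
```

With default escaping the quote is logged as \x22, which is not a valid JSON escape, so a JSON parser rejects the whole line and the request can drop out of the ELK pipeline. With escape=json the line parses and the real status is preserved.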
Test
2) Configure a virtual host to serve www.x.com over HTTPS (x.com is a domain name of your own choosing)
1. Create the self-signed certificates
# Self-signed CA certificate
[root@chujiapeng conf]# mkdir certs
[root@chujiapeng conf]# cd certs/
[root@chujiapeng conf]# mv certs/ ../
[root@chujiapeng nginx]# cd certs/
[root@chujiapeng certs]# openssl req -newkey rsa:4096 -nodes -keyout ca.key -x509 -days 3650 -out ca.crt
Country Name (2 letter code) [XX]:c^H^H^H
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yin^H^H^H
Organizational Unit Name (eg, section) []:tester
Common Name (eg, your name or your server's hostname) []:c^H
Email Address []:allen83@sian.com
[root@chujiapeng certs]# ll
total 8
-rw-r--r-- 1 root root 2086 Sep 4 22:33 ca.crt
-rw-r--r-- 1 root root 3272 Sep 4 22:33 ca.key

# Generate the server key and CSR file
[root@chujiapeng certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.x.com.key -out www.x.com.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:b^H
Locality Name (eg, city) [Default City]:b
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:tester
Common Name (eg, your name or your server's hostname) []:www.x.com
Email Address []:allen8354@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:beijing
[root@chujiapeng certs]# ll
total 16
-rw-r--r-- 1 root root 2086 Sep 4 22:33 ca.crt
-rw-r--r-- 1 root root 3272 Sep 4 22:33 ca.key
-rw-r--r-- 1 root root 1789 Sep 4 22:42 www.x.com.csr
-rw-r--r-- 1 root root 3272 Sep 4 22:42 www.x.com.key

# Sign the certificate
[root@chujiapeng certs]# openssl x509 -req -days 3650 -in www.x.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.x.com.crt
Signature ok
subject=/C=CN/ST=b\x08/L=b/O=test/OU=tester/CN=www.x.com/emailAddress=allen8354@sina.com
Getting CA Private Key
[root@chujiapeng certs]# ll
total 24
-rw-r--r-- 1 root root 2086 Sep 4 22:33 ca.crt
-rw-r--r-- 1 root root 3272 Sep 4 22:33 ca.key
-rw-r--r-- 1 root root 17 Sep 4 22:46 ca.srl
-rw-r--r-- 1 root root 1960 Sep 4 22:46 www.x.com.crt
-rw-r--r-- 1 root root 1789 Sep 4 22:42 www.x.com.csr
-rw-r--r-- 1 root root 3272 Sep 4 22:42 www.x.com.key

# Verify the certificate contents
[root@chujiapeng certs]# openssl x509 -in www.x.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            81:f3:44:45:31:29:f4:c6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=Beijing, O=yin\x08\x08\x08, OU=tester, CN=c\x08/emailAddress=allen83@sian.com
        Validity
            Not Before: Sep 4 14:46:55 2021 GMT
            Not After : Sep 2 14:46:55 2031 GMT
        Subject: C=CN, ST=b\x08, L=b, O=test, OU=tester, CN=www.x.com/emailAddress=allen8354@sina.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
2. Prepare the nginx configuration file and test
server {
    listen 443 ssl;
    server_name www.x.com;
    ssl_certificate /apps/nginx/certs/www.x.com.crt;
    ssl_certificate_key /apps/nginx/certs/www.x.com.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    location / {
        root /data/html;
        index index.html index.htm;
    }
}
3. Restart the service, prepare test data, then test and verify the certificate
Restart the service
[root@chujiapeng sbin]# ./nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@chujiapeng sbin]# systemctl restart nginx
2. Prepare test data
[root@chujiapeng sbin]# mkdir /data/html
[root@chujiapeng sbin]# echo 'www.x.com web page ' >> /data/
3. Prepare the hosts file
192.168.146.133 www.x.com
posted on 2021-09-02 22:16 jiapengchu