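OpenResty environment deployment
I. System configuration
1. Disable virtual memory (swap)
2. Optimize the SSH configuration
3. Adjust the file handle limits
4. Disable SELinux
5. Configure kernel network parameters
6. Install common tools
7. Configure a regular (non-root) user
8. Configure the data disk so that system and data are separated
II. Download the required software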
1.openresty-1.21.4.1.tar.gz
2.openssl-1.1.1t.tar.gz
3.pcre-8.38.tar.gz
4.nginx-http-concat-1.2.2.tar.gz
5.waf-1.0.1.tar.gz
III. Add modules, configure directories, add the nginx service user
nginx security configuration before compiling
tar xvf openresty-1.21.4.1.tar.gz
cd /root/openresty-1.21.4.1/bundle/nginx-1.21.4/
# - 1. Hide the version
vim src/core/nginx.h
#define NGINX_VERSION "6666"
#define NGINX_VER "FW/" NGINX_VERSION ".6"
#define NGINX_VAR "FW"
# - 2. Modify the Server header
vim src/http/ngx_http_header_filter_module.c
# 49 static u_char ngx_http_server_string[] = "Server: FW" CRLF;
# - 3. Modify the error page response (response header)
# Note: changing this location caused a compile error; keeping the default value works
vim src/http/ngx_http_special_response.c
# 22 "<hr><center>FW</center>" CRLF
# ...
# 29 "<hr><center>FW</center>" CRLF
# ...
# 36 "<hr><center>FW</center>" CRLF
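Configure, compile, install
1. Add a regular user and install the dependencies of http_image_filter_module
# the www group must exist before useradd -g www can reference it
groupadd www
useradd -s /sbin/nologin -M www -g www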
yum install gd gd-devel
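2. Configure the nginx build modules
Note: if you are recompiling to add a new module, do not run gmake install. After gmake finishes, copy the new binary over the original one; otherwise the configuration will be overwritten!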
./configure \
--prefix=/opt/local/openresty \
--with-luajit \
--with-http_v2_module \
--error-log-path=/mnt/localdata/openresty/logs/error.log \
--http-log-path=/mnt/localdata/openresty/logs/access.log \
--pid-path=/var/run/openresty/openresty.pid \
--lock-path=/var/lock/openresty/openresty.lock \
--user=www \
--group=www \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_random_index_module \
--http-client-body-temp-path=/var/tmp/openresty/client/ \
--http-proxy-temp-path=/var/tmp/openresty/proxy/ \
--http-fastcgi-temp-path=/var/tmp/openresty/fcgi/ \
--http-uwsgi-temp-path=/var/tmp/openresty/uwsgi \
--http-scgi-temp-path=/var/tmp/openresty/scgi \
--with-http_image_filter_module \
--with-pcre=../pcre/ \
--add-module=../concat/ \
--with-openssl=../openssl/
gmake
gmake install
4. Change the contents of 50x.html and index.html in the html folder of the nginx directory to whatever you want.
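The note in step 2 says to replace only the binary after recompiling with a new module. The following is an added example (not part of the original notes) of doing that replacement with a config test and a backup. The function name swap_binary and the build output path in the usage comment are assumptions; the other paths follow the --prefix used on this page.

```shell
#!/bin/sh
# Added example, not from the original notes: replace only the nginx binary
# after a rebuild, testing the live config first and keeping a backup.
# Usage (build path is an assumption; the others follow this page's --prefix):
#   swap_binary build/nginx-1.21.4/objs/nginx \
#       /opt/local/openresty/nginx/sbin/nginx \
#       /opt/local/openresty/nginx/conf/nginx.conf

# swap_binary NEW_BIN LIVE_BIN CONF
# Prints the backup path on success. Returns 1 if the config test fails,
# 2 on a file error. The live binary is untouched on any failure.
swap_binary() {
    new_bin=$1; live_bin=$2; conf=$3
    backup="${live_bin}.bak.$(date +%Y%m%d%H%M%S)"

    [ -x "$new_bin" ] || { echo "not executable: $new_bin" >&2; return 2; }
    [ -f "$live_bin" ] || { echo "live binary not found: $live_bin" >&2; return 2; }

    # Test the new build against the live configuration before touching
    # anything: a module removed by the rebuild shows up here as a config error.
    if ! "$new_bin" -t -c "$conf" >/dev/null 2>&1; then
        echo "config test failed with new binary; nothing replaced" >&2
        return 1
    fi

    # Keep the old binary so a rollback is a single mv.
    cp -p "$live_bin" "$backup" || return 2

    # Copy next to the target, then rename. The rename is atomic within one
    # directory and avoids "text file busy" while the old binary is running.
    cp -p "$new_bin" "${live_bin}.new" && mv -f "${live_bin}.new" "$live_bin" || {
        rm -f "${live_bin}.new"
        return 2
    }
    echo "$backup"
}
```

The running master process keeps executing the old binary until the service is restarted.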
IV. Configure the service startup
[Unit]
Description=The openresty HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/tmp/openresty/
ExecStartPre=/bin/mkdir -p /var/run/openresty/
PIDFile=/var/run/openresty/openresty.pid
ExecStartPre=/opt/local/openresty/bin/openresty -t -c /opt/local/openresty/nginx/conf/nginx.conf
ExecStart=/opt/local/openresty/bin/openresty -c /opt/local/openresty/nginx/conf/nginx.conf
ExecReload=/opt/local/openresty/bin/openresty -s reload
ExecStop=/opt/local/openresty/bin/openresty -s stop
# ExecQuit= is not a systemd directive and would be ignored; for a graceful
# quit run /opt/local/openresty/bin/openresty -s quit directly
PrivateTmp=true

[Install]
WantedBy=multi-user.target
V. Related configuration
1. WAF configuration
Git repository: https://github.com/unixhot/waf
cp -r /root/mndata/openrestysrc/waf-1.0.1/waf/waf /opt/local/openresty/nginx/waf/
vim /opt/local/openresty/nginx/optconf.d/waf.conf
#WAF
lua_shared_dict limit 50m;
lua_shared_dict blockiplimit 10m;
lua_package_path "/opt/local/openresty/nginx/waf/?.lua";
init_by_lua_file "/opt/local/openresty/nginx/waf/init.lua";
access_by_lua_file "/opt/local/openresty/nginx/waf/access.lua";
ln -s /opt/local/openresty/lualib/resty/ /opt/local/openresty/nginx/waf/resty
# WAF logs are changed to: /mnt/localdata/openresty/waflogs/<date>_waf.log
systemctl reload openresty
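VI. Directory structure and usage conventions
1. Installation directories
OpenResty installation directory: /opt/local/openresty/. The nginx directory inside it is the nginx configuration directory:
- appconfs.d: configuration directory for application sites; site files in it are named business-name.domain.conf, e.g. pms.muniao.com.conf
- conf: directory for nginx's own configuration files
- optconf.d: configuration directory for caching, log formats, rate-limit zones and the WAF script references
- ssl: directory where HTTPS certificates are stored
- waf: application firewall directory, mainly for configuring blacklists and whitelists and URL and User-Agent filtering; config.lua is the main configuration file and the rule-config directory holds the actual rules
Cache and log file directory: /mnt/localdata/
- openresty:
  - applogs: access log directory for application sites; log names follow: log component name, business name, port, proxy.log, e.g. filebeatpms_443_muniao
  - cachesroot: cache data directory; cache names follow: cache_business-name, e.g. cache_appimg
  - logs: nginx's default access log and error log directory
  - waflogs: logs recorded by the WAF
Shortcut directory: /waf/
2. /mnt/localdata is the mount point of the data disk
3. Common commands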
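systemctl start openresty      Start
systemctl stop openresty       Stop
systemctl reload openresty     Reload the configuration
systemctl restart openresty    Restart
/opt/local/openresty/bin/openresty -s quit    Quit gracefully (the nginx quit command; systemctl has no quit verb)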