Compiling, Installing and Configuring Nginx on CentOS 7
This post takes the current stable Nginx release, 1.18.0, as its example and records how to build and install Nginx from source on CentOS 7. The OpenSSL shipped with CentOS 7 (the 1.0.2 series) is old and does not support TLS 1.3, so the build uses the latest OpenSSL release at the time of writing, 1.1.1g.
Note: the OpenSSL used to build Nginx is compiled from its own source tree and linked into the nginx binary; it does not affect or replace the system's OpenSSL.
Preparation
Everything in this post is built and installed as root. For convenience, all source code is kept under /usr/local/src.
Install the vim editor, the Development Tools group and epel-release:
yum groupinstall -y 'Development Tools' && yum install -y vim && yum install -y epel-release
Install the remaining build dependencies (the libxslt, gd and GeoIP headers are needed for the dynamic modules enabled below):
yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel
Create the user the Nginx worker processes will run as (a system account with no login shell):
mkdir -p /var/cache/nginx
useradd --system --home /var/cache/nginx --shell /sbin/nologin --comment "nginx user" --user-group nginx
Downloading the sources
Building Nginx needs three libraries: OpenSSL, zlib and PCRE.
OpenSSL
Nginx's HTTP/2 module needs ALPN, which requires OpenSSL 1.0.2 or later, and TLS 1.3 requires OpenSSL 1.1.1 or later; this post uses the stable release 1.1.1g. The OpenSSL Downloads page lists the current stable release and its download link, as shown in the figure below.
Download the stable OpenSSL source tarball into /usr/local/src and unpack it:
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -zxf openssl-1.1.1g.tar.gz
zlib
The current release of zlib can be found on the zlib home site, as shown in the figure below:
Download it into /usr/local/src/ and unpack it:
wget https://www.zlib.net/zlib-1.2.11.tar.gz
tar -zxf zlib-1.2.11.tar.gz
PCRE
The latest PCRE release can be found on the PCRE ftp page, as shown in the figure below. Note that Nginx 1.18 needs the original PCRE 8.x series, not PCRE2:
Download it into /usr/local/src/ and unpack it:
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
tar -zxf pcre-8.44.tar.gz
Nginx
The download link for the current stable release, nginx-1.18.0, is on the Nginx download page, as shown in the figure below:
Download it into /usr/local/src/ and unpack it:
wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar -zxf nginx-1.18.0.tar.gz
At this point the /usr/local/src directory should look like the figure below.
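The four wget commands above trust whatever the mirror serves. As an added example (not part of the original post), the script below repeats the download step but refuses to unpack a tarball whose SHA-256 does not match a digest the operator has pinned in a SHA256SUMS file under /usr/local/src, one "digest  filename" line per tarball. The digests are assumed to have been recorded once from each vendor's published checksum or signature file; the SRC_DIR, SUMS and FETCH_SOURCES names are this script's own conventions, and the self-test hashes a constructed five-byte file rather than a real tarball.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: verify each source tarball
# against a SHA-256 digest pinned by the operator before it is unpacked.
# wget alone gives you whatever the mirror served; a digest recorded once
# from the vendor's published checksum/signature file catches a corrupted
# or substituted download on every later rebuild.
set -eu

SRC_DIR="${SRC_DIR:-/usr/local/src}"
SUMS="${SUMS:-$SRC_DIR/SHA256SUMS}"   # operator-maintained: "digest  filename" per line

# verify_sha256 FILE EXPECTED_HEX
# 0 if FILE hashes to EXPECTED_HEX, 1 on mismatch, 2 if FILE is missing.
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual="$(sha256sum "$file" | awk '{ print $1 }')"
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH: $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "ok $file"
}

# pinned_digest FILENAME SUMSFILE: the digest recorded for FILENAME, or nothing.
pinned_digest() {
    awk -v n="$1" '$2 == n { print $1; exit }' "$2"
}

# fetch_verified URL: download into SRC_DIR unless already present, verify
# against the pinned digest, then unpack. A tarball that fails verification
# is deleted so a retry downloads it again instead of trusting the bad copy.
fetch_verified() {
    local url="$1" name file expected
    name="$(basename "$url")"
    file="$SRC_DIR/$name"
    expected="$(pinned_digest "$name" "$SUMS")"
    [ -n "$expected" ] || { echo "no digest pinned for $name in $SUMS" >&2; return 1; }
    [ -f "$file" ] || wget -q -O "$file" "$url"
    if ! verify_sha256 "$file" "$expected"; then
        rm -f "$file"
        return 1
    fi
    tar -C "$SRC_DIR" -zxf "$file"
}

# fetch_all: the four tarballs used in this post.
fetch_all() {
    mkdir -p "$SRC_DIR"
    for url in \
        https://www.openssl.org/source/openssl-1.1.1g.tar.gz \
        https://www.zlib.net/zlib-1.2.11.tar.gz \
        https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz \
        https://nginx.org/download/nginx-1.18.0.tar.gz
    do
        fetch_verified "$url"
    done
}

# selftest: exercises the checks offline on a constructed file whose digest
# is known (the SHA-256 of the five bytes "hello").
selftest() {
    local t good
    t="$(mktemp -d)"
    good=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    printf 'hello' > "$t/x.tar.gz"
    printf '%s  x.tar.gz\n' "$good" > "$t/SHA256SUMS"
    verify_sha256 "$t/x.tar.gz" "$(pinned_digest x.tar.gz "$t/SHA256SUMS")" >/dev/null
    if verify_sha256 "$t/x.tar.gz" deadbeef 2>/dev/null; then
        rm -rf "$t"; echo "selftest FAILED: mismatch not detected" >&2; return 1
    fi
    rm -rf "$t"
    echo "selftest ok"
}

# Run as FETCH_SOURCES=1 ./fetch.sh to download; without it, only the self-test runs.
if [ "${FETCH_SOURCES:-0}" = 1 ]; then fetch_all; else selftest; fi
```

Pinning the digest locally, rather than fetching the vendor's .sha256 file on every run, is deliberate: a checksum downloaded from the same place as the tarball only detects transfer corruption, whereas a digest recorded after checking the vendor's GPG signature once also detects a changed file on a later rebuild.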
Building and installing
Change into /usr/local/src/nginx-1.18.0:
cd /usr/local/src/nginx-1.18.0
Run configure to generate the Makefile. The paths given to --with-openssl, --with-pcre and --with-zlib must point at the unpacked source trees, not at installed libraries: configure builds those libraries from source and links them into the nginx binary. --with-debug only compiles in support for the debug log level; it costs nothing unless error_log is set to debug.
./configure \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--user=nginx \
--group=nginx \
--with-select_module \
--with-poll_module \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--with-compat \
--with-pcre=/usr/local/src/pcre-8.44 \
--with-pcre-jit \
--with-zlib=/usr/local/src/zlib-1.2.11 \
--with-openssl=/usr/local/src/openssl-1.1.1g \
--with-openssl-opt=no-nextprotoneg \
--with-debug
On success the following Configuration summary is printed:
Configuration summary
+ using threads
+ using PCRE library: /usr/local/src/pcre-8.44
+ using OpenSSL library: /usr/local/src/openssl-1.1.1g
+ using zlib library: /usr/local/src/zlib-1.2.11
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"
The Configuration summary tells us that:
- the Nginx binary is /usr/local/nginx/sbin/nginx;
- the configuration file is /usr/local/nginx/conf/nginx.conf.
Compile, then install the result into the directories chosen above:
make && make install
If the build succeeded, /usr/local/nginx/sbin/nginx -V prints the Nginx version, the OpenSSL version it was built with, and the configure arguments:
Install the Nginx man page:
cp /usr/local/src/nginx-1.18.0/man/nginx.8 /usr/share/man/man8 && gzip /usr/share/man/man8/nginx.8
The nginx command-line options can now be read with man nginx.
Symlink the Nginx binary into /usr/local/sbin:
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin
Nginx can now be run as plain nginx, without the full path.
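Reading nginx -V by eye is easy to get wrong, and the failure mode matters: if the --with-openssl path was wrong, configure can fall back to the system headers and the result is a binary built against CentOS 7's OpenSSL 1.0.2, without TLS 1.3, that otherwise works. As an added check (not part of the original post), the script below parses nginx -V and ldd output and fails if the bundled OpenSSL 1.1.1 is not the one linked in, if it is linked dynamically rather than statically, or if the TLS-related configure flags are missing. The NGINX and RUN_CHECKS names are this script's own; the SAMPLE_V and SAMPLE_LDD strings are constructed output for an offline self-test, not captured from a real build.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: checks on the freshly built
# binary. --with-openssl=DIR should compile OpenSSL 1.1.1g from source and
# link it statically; if that did not happen, nginx -V reports the system
# OpenSSL (1.0.2 on CentOS 7) and TLS 1.3 is silently unavailable.
set -eu

NGINX="${NGINX:-/usr/local/nginx/sbin/nginx}"

# check_build_info: reads `nginx -V` output on stdin (nginx writes it to
# stderr, so callers redirect 2>&1). Prints one line per check and returns 1
# if any check failed.
check_build_info() {
    local text rc=0 flag
    text="$(cat)"
    if printf '%s\n' "$text" | grep -q '^built with OpenSSL 1\.1\.1'; then
        echo "ok   built with OpenSSL 1.1.1 (TLS 1.3 capable)"
    else
        echo "FAIL not built with OpenSSL 1.1.1:"
        printf '%s\n' "$text" | grep -i 'openssl' || echo "     (no OpenSSL line at all)"
        rc=1
    fi
    for flag in --with-http_ssl_module --with-http_v2_module --with-pcre-jit; do
        if printf '%s\n' "$text" | grep -q -- "$flag"; then
            echo "ok   $flag"
        else
            echo "FAIL $flag missing from configure arguments"
            rc=1
        fi
    done
    return $rc
}

# check_static_ssl: reads `ldd nginx` output on stdin. With the bundled
# OpenSSL, libssl/libcrypto are linked in statically and must not show up
# as shared-library dependencies.
check_static_ssl() {
    if grep -Eq 'lib(ssl|crypto)\.so'; then
        echo "FAIL binary dynamically links the system libssl/libcrypto"
        return 1
    fi
    echo "ok   OpenSSL is statically linked"
}

# Constructed samples of what a correct build prints, for an offline self-test.
SAMPLE_V='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-pcre-jit --with-openssl=/usr/local/src/openssl-1.1.1g'
SAMPLE_LDD='    linux-vdso.so.1
    libpthread.so.0 => /lib64/libpthread.so.0
    libc.so.6 => /lib64/libc.so.6'

selftest() {
    printf '%s\n' "$SAMPLE_V" | check_build_info
    printf '%s\n' "$SAMPLE_LDD" | check_static_ssl
}

main() {
    "$NGINX" -V 2>&1 | check_build_info
    ldd "$NGINX" | check_static_ssl
}

# Run as RUN_CHECKS=1 ./check-build.sh against the real binary; without it,
# only the self-test on the constructed samples runs.
if [ "${RUN_CHECKS:-0}" = 1 ]; then main; else selftest; fi
```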
Starting Nginx and enabling it at boot
Create a systemd unit so that Nginx can be started, stopped and enabled at boot with systemctl. Locally written units belong in /etc/systemd/system; the /usr/lib/systemd/system tree is for units installed by packages:
vim /etc/systemd/system/nginx.service
Write the following:
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
# Test the configuration first so a broken config fails the unit instead of starting nothing
ExecStartPre=/usr/local/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# Works around a race where systemd reads the PID file before the master process has written it
ExecStartPost=/bin/sleep 0.1
ExecReload=/bin/kill -s HUP $MAINPID
# TERM is nginx's fast shutdown; use QUIT instead if workers should finish in-flight requests first
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
Make systemd read the new unit file, then start Nginx:
systemctl daemon-reload
systemctl start nginx
Check Nginx's status:
systemctl status nginx
Other commands:
# stop
systemctl stop nginx
# restart
systemctl restart nginx
# reload the configuration
systemctl reload nginx
Starting at boot:
# enable start at boot
systemctl enable nginx
# disable start at boot
systemctl disable nginx
Adding a site (vhost)
Create a directory for the vhost configuration files:
mkdir /usr/local/nginx/conf/vhost
Edit the Nginx configuration file /usr/local/nginx/conf/nginx.conf:
vim /usr/local/nginx/conf/nginx.conf
Add the following line immediately before the final closing brace, i.e. inside the http block, so that every file in vhost/ is loaded:
include vhost/*.conf;
Assuming the site's domain is example.com, create its configuration file:
touch /usr/local/nginx/conf/vhost/example.com.conf
Fill it with the template below, which follows the Mozilla SSL Configuration Generator (intermediate profile), and adjust it to your setup:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
root /home/wwwroot/example.com;
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /path/to/dhparam;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# replace with the IP address of your resolver
resolver 127.0.0.1;
}
A few values in the template must be replaced with real ones: the certificate and key paths, the dhparam file (download it as the comment says), and resolver, which must point at a DNS server nginx can reach, otherwise OCSP stapling does not work (nginx serves without a stapled response and logs the failure). After editing, check the configuration:
nginx -t
If the test passes, reload Nginx. A reload re-reads the configuration without dropping connections, so a full restart is not needed; note that the unit's ExecStartPre only runs on start, which is why nginx -t is run by hand here before the reload:
systemctl reload nginx
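nginx -t only proves the file parses; it does not prove that the TLS policy you intended is what clients get. As an added example (not part of the original post), the script below probes a deployed vhost from outside with openssl s_client and curl and checks that TLS 1.3 negotiates, that TLS 1.1 is refused, that a stapled OCSP response is delivered, and that the Strict-Transport-Security header is present. It assumes the hostname example.com from the template (pass another as the first argument); the HOST, PORT and RUN_PROBE names are the script's own, and the SAMPLE_OK and SAMPLE_REFUSED transcripts are constructed, abridged s_client output for an offline self-test.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: probe a deployed vhost and
# confirm that the TLS policy in example.com.conf actually took effect.
# Needs openssl and curl on the client machine.
set -eu

HOST="${1:-example.com}"   # assumed hostname; pass your own as $1
PORT="${2:-443}"

# sclient PROTOCOL_FLAG: one handshake with s_client, full transcript on
# stdout. s_client exits non-zero when the server refuses the protocol;
# that is a result, not an error, so the status is swallowed and judged below.
sclient() {
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -status "$1" \
        </dev/null 2>&1 || true
}

# The helpers below read a transcript on stdin so they can be tested on
# canned output without a network.

# handshake_ok: s_client prints "New, TLSv1.3, Cipher is TLS_AES_..." on
# success and "New, (NONE), Cipher is (NONE)" when the handshake failed.
handshake_ok() {
    grep '^New, ' | grep -qv '(NONE)'
}

# negotiated_protocol: the "Protocol  : TLSv1.3" line of the session block
# (TLS 1.3 prints one block per session ticket, so take the first).
negotiated_protocol() {
    awk -F: '/^ *Protocol *:/ && !found { gsub(/ /, "", $2); print $2; found = 1 }
             END { if (!found) print "none" }'
}

# has_stapled_ocsp: printed only when ssl_stapling works end to end.
has_stapled_ocsp() {
    grep -q 'OCSP Response Status: successful'
}

# has_hsts: curl -sI header dump on stdin; insists on a max-age of at least
# seven digits (about four months), so a token "max-age=0" does not pass.
has_hsts() {
    grep -qi '^strict-transport-security:.*max-age=[0-9]\{7,\}'
}

# Constructed, abridged s_client transcripts for the offline self-test.
SAMPLE_OK='CONNECTED(00000003)
OCSP Response Status: successful (0x0)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_REFUSED='CONNECTED(00000003)
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

selftest() {
    printf '%s\n' "$SAMPLE_OK" | handshake_ok
    [ "$(printf '%s\n' "$SAMPLE_OK" | negotiated_protocol)" = "TLSv1.3" ]
    printf '%s\n' "$SAMPLE_OK" | has_stapled_ocsp
    if printf '%s\n' "$SAMPLE_REFUSED" | handshake_ok; then return 1; fi
    printf 'strict-transport-security: max-age=63072000\r\n' | has_hsts
    echo "selftest ok"
}

main() {
    local out rc=0
    out="$(sclient -tls1_3)"
    if printf '%s\n' "$out" | handshake_ok; then
        echo "ok   $(printf '%s\n' "$out" | negotiated_protocol) negotiated"
        if printf '%s\n' "$out" | has_stapled_ocsp; then
            echo "ok   OCSP stapling"
        else
            echo "WARN no stapled OCSP response (check resolver and ssl_trusted_certificate)"
        fi
    else
        echo "FAIL TLS 1.3 handshake refused"; rc=1
    fi
    if sclient -tls1_1 | handshake_ok; then
        echo "FAIL TLS 1.1 accepted; ssl_protocols should be 'TLSv1.2 TLSv1.3'"; rc=1
    else
        echo "ok   TLS 1.1 refused"
    fi
    if curl -sI --max-time 10 "https://$HOST:$PORT/" | has_hsts; then
        echo "ok   HSTS header present"
    else
        echo "FAIL Strict-Transport-Security header missing or max-age too short"; rc=1
    fi
    return $rc
}

# Run as RUN_PROBE=1 ./probe-tls.sh example.com; without it, only the self-test runs.
if [ "${RUN_PROBE:-0}" = 1 ]; then main; else selftest; fi
```

The TLS 1.1 check is the one most worth keeping: ssl_protocols is easy to loosen later "just for one old client", and nothing in nginx -t will tell you it happened.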
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.