This post uses the current Nginx stable release, 1.18.0, as an example and records how to compile and install Nginx from source on CentOS 7. Because the OpenSSL shipped with CentOS 7 is old and does not support TLS 1.3, the build uses the latest OpenSSL release, 1.1.1g.

Note: the OpenSSL used when compiling Nginx does not affect (replace) the system OpenSSL.

Preparation

Nginx is compiled and installed as root in this post. For convenience, all source code is kept under /usr/local/src.

Install the vim editor, Development Tools, and epel-release:

yum groupinstall -y 'Development Tools' && yum install -y vim && yum install -y epel-release

Install the related dependencies:

yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel

Create the user that Nginx runs as:

mkdir -p /var/cache/nginx
useradd --system --home /var/cache/nginx --shell /sbin/nologin --comment "nginx user" --user-group nginx

Downloading the sources

Building Nginx requires three libraries: OpenSSL, zlib, and PCRE.

OpenSSL

Building Nginx requires OpenSSL 1.0.2 or later; this post uses the current stable release, 1.1.1g. The current stable OpenSSL version and its download link can be found on the OpenSSL Downloads page, as shown in the screenshot below.

(screenshot: Snipaste_2020-08-05_22-10-05.png)

Download the OpenSSL stable release source code to /usr/local/src and unpack it:

cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -zxf openssl-1.1.1g.tar.gz

zlib

The current release of zlib can be found on the zlib Home Site, as shown in the screenshot below:

(screenshot: Snipaste_2020-08-05_22-34-59.png)

Download it to /usr/local/src/ and unpack it:

wget https://www.zlib.net/zlib-1.2.11.tar.gz
tar -zxf zlib-1.2.11.tar.gz

PCRE

The latest PCRE version can be found on the PCRE ftp page, as shown in the screenshot below:

(screenshot: Snipaste_2020-08-05_22-35-26.png)

Download it to /usr/local/src/ and unpack it:

wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
tar -zxf pcre-8.44.tar.gz

Nginx

The download link for the current Nginx stable release, nginx-1.18.0, can be found on the Nginx download page, as shown in the screenshot below:

(screenshot: Snipaste_2020-08-05_22-53-26.png)

Download it to /usr/local/src/ and unpack it:

wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar -zxf nginx-1.18.0.tar.gz

At this point /usr/local/src should look like the screenshot below:

(screenshot: Snipaste_2020-08-09_13-35-36.png)

Compiling and installing

Change into /usr/local/src/nginx-1.18.0:

cd /usr/local/src/nginx-1.18.0

Run configure to generate the Makefile. Make sure the paths to OpenSSL, PCRE, and zlib are correct.

./configure \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--user=nginx \
--group=nginx \
--with-select_module \
--with-poll_module \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--with-compat \
--with-pcre=/usr/local/src/pcre-8.44 \
--with-pcre-jit \
--with-zlib=/usr/local/src/zlib-1.2.11 \
--with-openssl=/usr/local/src/openssl-1.1.1g \
--with-openssl-opt=no-nextprotoneg \
--with-debug

If it succeeds, you will see the following Configuration summary:

Configuration summary
  + using threads
  + using PCRE library: /usr/local/src/pcre-8.44
  + using OpenSSL library: /usr/local/src/openssl-1.1.1g
  + using zlib library: /usr/local/src/zlib-1.2.11

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx modules path: "/usr/local/nginx/modules"
  nginx configuration prefix: "/usr/local/nginx/conf"
  nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/var/log/nginx/error.log"
  nginx http access log file: "/var/log/nginx/access.log"
  nginx http client request body temporary files: "/var/cache/nginx/client_temp"
  nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
  nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
  nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
  nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"

The Configuration summary shows that:

  • the Nginx binary is /usr/local/nginx/sbin/nginx
  • the configuration file is /usr/local/nginx/conf/nginx.conf

Compile and copy the generated files into the configured directories:

make && make install

If the build succeeds, running /usr/local/nginx/sbin/nginx -V shows the Nginx version and configure arguments:

(screenshot: Snipaste_2020-08-09_14-09-57.png)
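As an added check that is not part of the original post: a shell function that inspects the text of nginx -V and confirms the binary was built against the bundled OpenSSL 1.1.1g (so TLS 1.3 is available) rather than the CentOS 7 system OpenSSL, and that the modules the vhost template later relies on are compiled in. The two sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# check_nginx_build: given the text of `nginx -V`, verify that the binary was
# built against OpenSSL 1.1.1g from /usr/local/src (not the system 1.0.2k) and
# that the ssl, http2 and stub_status modules are present.
# Returns 0 if every check passes, 1 otherwise, printing what is missing.
check_nginx_build() {
    out="$1"
    rc=0
    # "built with OpenSSL 1.1.1g" is the library actually linked in
    printf '%s\n' "$out" | grep -q 'built with OpenSSL 1\.1\.1g' \
        || { echo "openssl: not built with OpenSSL 1.1.1g"; rc=1; }
    # the configure line must point at the source tree we unpacked
    printf '%s\n' "$out" | grep -q -- '--with-openssl=/usr/local/src/openssl-1\.1\.1g' \
        || { echo "openssl: --with-openssl does not point at /usr/local/src/openssl-1.1.1g"; rc=1; }
    for mod in http_ssl_module http_v2_module http_stub_status_module; do
        printf '%s\n' "$out" | grep -q -- "--with-$mod" \
            || { echo "module: $mod missing"; rc=1; }
    done
    return $rc
}

# Constructed sample in the shape nginx -V prints (abridged).
SAMPLE_GOOD='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_stub_status_module --with-openssl=/usr/local/src/openssl-1.1.1g --with-openssl-opt=no-nextprotoneg'

# Constructed sample of a build that silently picked up the system OpenSSL.
SAMPLE_SYSTEM_SSL='nginx version: nginx/1.18.0
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module'

# On the real host: check_nginx_build "$(/usr/local/nginx/sbin/nginx -V 2>&1)"
```

nginx -V writes to stderr, hence the 2>&1 in the usage line.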

Install the Nginx man page:

cp /usr/local/src/nginx-1.18.0/man/nginx.8 /usr/share/man/man8 && gzip /usr/share/man/man8/nginx.8

You can now read the nginx command reference with man nginx.

Symlink the Nginx binary into /usr/local/sbin:

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin

Now nginx can be run directly:

(screenshot: Snipaste_2020-08-09_14-19-27.png)

Starting Nginx and managing autostart

Create a service so that starting, stopping, and boot-time autostart of Nginx can be managed with systemctl:

vim /usr/lib/systemd/system/nginx.service

Write the following:

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPost=/bin/sleep 0.1
ExecStartPre=/usr/local/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

Start Nginx:

systemctl start nginx

Check the Nginx status:

systemctl status nginx

(screenshot: Snipaste_2020-08-09_14-28-09.png)

Other commands:

# stop
systemctl stop nginx
# restart
systemctl restart nginx
# reload the configuration
systemctl reload nginx

Boot-time autostart:

# enable autostart at boot
systemctl enable nginx
# disable autostart at boot
systemctl disable nginx

Adding a site (Vhost)

Create a directory for the vhost configuration files:

mkdir /usr/local/nginx/conf/vhost

Edit the Nginx configuration file /usr/local/nginx/conf/nginx.conf:

vim /usr/local/nginx/conf/nginx.conf

Add the following before the final closing brace:

include vhost/*.conf;

(screenshot: Snipaste_2020-08-09_14-39-36.png)

Assuming the site's domain is example.com, create the site configuration file:

touch /usr/local/nginx/conf/vhost/example.com.conf

Write in the template below; it is recommended to start from the SSL Configuration Generator and then adjust it to your situation:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    root /home/wwwroot/example.com;

    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;
}
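As an added check, not from the original post or from Mozilla's generator: a shell function that reads the text of a vhost file and flags edits that weaken the template above (legacy TLS versions re-enabled, session tickets turned on, the HSTS header or OCSP stapling dropped, a directive missing its trailing semicolon). Both sample configs are constructed.

```shell
#!/bin/sh
# lint_vhost_tls: compare vhost config text against the TLS baseline of the
# template (intermediate profile). Prints one line per finding and returns the
# number of findings, so an exit status of 0 means the config is clean.
lint_vhost_tls() {
    # strip comments so a commented-out directive is not mistaken for a live one
    cfg=$(printf '%s\n' "$1" | sed 's/#.*//')
    n=0
    if printf '%s\n' "$cfg" | grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?)[ ;]'; then
        echo "ssl_protocols: legacy protocol enabled; only TLSv1.2 TLSv1.3 expected"; n=$((n+1))
    fi
    printf '%s\n' "$cfg" | grep -Eq 'ssl_session_tickets[[:space:]]+off;' \
        || { echo "ssl_session_tickets: not off (template disables tickets for forward secrecy)"; n=$((n+1)); }
    printf '%s\n' "$cfg" | grep -q 'Strict-Transport-Security' \
        || { echo "HSTS: add_header Strict-Transport-Security missing"; n=$((n+1)); }
    printf '%s\n' "$cfg" | grep -Eq 'ssl_stapling[[:space:]]+on;' \
        || { echo "OCSP: ssl_stapling not on"; n=$((n+1)); }
    # every directive must end with ';'; a bare 'root' line is the classic miss
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*root[[:space:]]+[^;]*$' \
        && { echo "root: directive missing trailing ';'"; n=$((n+1)); }
    return $n
}

# Constructed config in the shape of the template, with every baseline setting in place.
GOOD='server {
    listen 443 ssl http2;
    root /home/wwwroot/example.com;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
}'

# Constructed config with the typical regressions: legacy protocols re-enabled,
# tickets on, HSTS dropped, stapling commented out, root line missing its ';'.
BAD='server {
    root /home/wwwroot/example.com
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets on;
    # ssl_stapling on;
}'

# On the real host: lint_vhost_tls "$(cat /usr/local/nginx/conf/vhost/example.com.conf)"
```

Run it before nginx -t: nginx -t catches the syntax errors but accepts a weakened TLS configuration without comment.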

After changing the configuration, check it:

nginx -t

Then restart Nginx:

systemctl restart nginx