[NOTE] Updated November 24, 2019. This article may have outdated content or subject matter.
nginx编译安装
下载源码
# Fetch the source tarballs for nginx and the three libraries it is built
# against (OpenSSL, zlib, PCRE).
# NOTE(review): nothing here checks the downloads' integrity; compare each
# tarball against the checksum/signature its project publishes before building.
tarballs=(
  https://nginx.org/download/nginx-1.16.1.tar.gz
  https://www.openssl.org/source/openssl-1.1.1d.tar.gz
  https://www.zlib.net/zlib-1.2.11.tar.gz
  https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
)
for url in "${tarballs[@]}"; do
  wget -- "$url"
done
安装依赖
apt install -y g++ cmake gcc perl libperl-dev libgd3 libgd-dev libgeoip1 libgeoip-dev geoip-bin libxml2 libxml2-dev libxslt1.1 libxslt1-dev
编译安装
在 configure 参数里加上 TLS 1.3 支持，并开启 HTTP/2 模块
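# Unpack the sources, create the unprivileged worker account, and build nginx
# against the bundled OpenSSL/zlib/PCRE trees.
#
# Changes from the original listing:
#   - the OpenSSL tarball downloaded above is 1.1.1d, so that is what gets
#     extracted (the original extracted openssl-1.1.1a, which was never
#     downloaded, while --with-openssl already pointed at ../openssl-1.1.1d);
#   - 'useradd nginx' ran twice; the second call fails because the account
#     already exists, so the account is now created once, and only if missing;
#   - the worker account is a system account with no home directory and no
#     login shell, since it only needs to own the worker processes
#     (the master process still runs as root and drops to --user);
#   - the script stops at the first failing step instead of running
#     'make install' after a failed configure or make.
set -euo pipefail

tar -xvf nginx-1.16.1.tar.gz
tar -xvf openssl-1.1.1d.tar.gz
tar -xvf zlib-1.2.11.tar.gz
tar -xvf pcre-8.43.tar.gz

# Account the nginx workers run as (matches --user/--group below).
if ! id -u nginx >/dev/null 2>&1; then
  useradd --system --no-create-home --shell /usr/sbin/nologin nginx
fi

cd nginx-1.16.1
# NOTE(review): --with-perl_modules_path is tied to the perl version installed
# on the build host; adjust it if that version differs.
# TLS 1.3 comes from the bundled OpenSSL build via --with-openssl-opt.
./configure --prefix=/usr/local/nginx \
  --user=nginx \
  --group=nginx \
  --build=Ubuntu \
  --builddir=nginx-1.16.1 \
  --with-select_module \
  --with-poll_module \
  --with-threads \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_xslt_module=dynamic \
  --with-http_image_filter_module=dynamic \
  --with-http_geoip_module=dynamic \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_auth_request_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_degradation_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --with-http_perl_module=dynamic \
  --with-perl_modules_path=/usr/share/perl/5.26.1 \
  --with-perl=/usr/bin/perl \
  --with-stream=dynamic \
  --with-stream_ssl_module \
  --with-stream_realip_module \
  --with-stream_geoip_module=dynamic \
  --with-stream_ssl_preread_module \
  --with-compat \
  --with-pcre=../pcre-8.43 \
  --with-pcre-jit \
  --with-zlib=../zlib-1.2.11 \
  --with-openssl=../openssl-1.1.1d \
  --with-openssl-opt='enable-tls1_3'
make
make install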
systemd管理nginx启动
将下面内容写入/lib/systemd/system/nginx.service
# systemd unit for the nginx built under /usr/local/nginx (see the configure
# step above); write it to /lib/systemd/system/nginx.service.
[Unit]
Description=The NGINX HTTP and reverse proxy server
# NOTE(review): syslog.target is a legacy name on current systemd; the
# remaining ordering targets are what matter for a network service.
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
# The master process daemonizes and records its pid in the file below, which is
# what systemd uses to target ExecReload/ExecStop at $MAINPID.
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# Refuse to (re)start on a configuration that fails the syntax check.
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
# HUP makes the master re-read its configuration; QUIT asks it to shut down
# (nginx documents QUIT as the graceful variant).
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
# Private /tmp: the service neither sees nor can be fed other users' temp files.
PrivateTmp=true
[Install]
WantedBy=multi-user.target
开机自启动并启动nginx服务
# Make systemd pick up the new unit file, then enable it at boot and start it
# right away (--now combines 'enable' and 'start').
systemctl daemon-reload
systemctl enable --now nginx
nginx中HTTPS配置
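# Plain-HTTP listener whose only job is to send every request to HTTPS.
server {
    listen 80;
    server_name beyondkmp.com;
    # This block only ever receives plain HTTP, so the original
    # `if ($scheme != "https")` test was always true; an unconditional
    # return is the idiomatic form and avoids `if` in server context.
    return 301 https://beyondkmp.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name beyondkmp.com;
    client_max_body_size 50M;
    keepalive_timeout 300;

    # Let's Encrypt certificate and key; chain.pem is what OCSP responses
    # are verified against (ssl_stapling_verify below).
    ssl_certificate /etc/letsencrypt/live/beyondkmp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beyondkmp.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/beyondkmp.com/chain.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
    # original list; TLS 1.3 is available because the OpenSSL build above
    # enables it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Honour the server's order in the list below rather than the client's.
    ssl_prefer_server_ciphers on;
    # Same ECDHE/DHE suites as the original, minus EDH-RSA-DES-CBC3-SHA:
    # 3DES is a 64-bit block cipher (Sweet32) and has no reason to remain
    # once TLS 1.0/1.1 are gone. TLS 1.3 suites are not governed by this
    # directive. NOTE(review): the DHE-* suites are presumably only offered
    # when ssl_dhparam is also configured — verify against the running build.
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256";

    # Session resumption cache shared across workers; entries live 1440m (24h).
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    # OCSP stapling. NOTE(review): nginx needs a `resolver` directive to look up
    # the OCSP responder's hostname; without one stapling silently never
    # happens. Add something like `resolver <dns-server-ip> valid=300s;`
    # (placeholder) for this host's environment.
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS: 31557600 s = 365.25 days, applied to all subdomains as well.
    # `always` also sends the header on error responses. Keep it at server
    # level: an add_header inside a location would replace, not extend, the
    # headers inherited from here.
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;

    location / {
        root html/hugo-beyondkmp/public;
        index index.html index.htm;
        # Serve the file or directory if it exists, otherwise fall back to
        # index.html. Replaces the `if (!-e $request_filename) { rewrite ... last; break; }`
        # pattern, in which the `break` after `last` could never run.
        try_files $uri $uri/ /index.html;
    }
}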
申请 Let's Encrypt 免费证书
下载 certbot-auto 脚本，并生成证书
# Fetch the certbot-auto wrapper, put it on PATH, and obtain a certificate for
# both names using certbot's standalone HTTP challenge responder.
# NOTE(review): the script is pulled straight from the master branch and run
# without any integrity check; a released, signed copy would be preferable.
# NOTE(review): --standalone answers the challenge on port 80 itself, so
# nginx (or anything else bound to :80) has to be stopped while this runs —
# presumably why the cron entry further down stops nginx around renewal.
certbot_url=https://raw.githubusercontent.com/certbot/certbot/master/certbot-auto
certbot_bin=/usr/local/bin/certbot-auto

wget -- "$certbot_url"
chmod +x certbot-auto
cp -- certbot-auto /usr/local/bin
"$certbot_bin" certonly -d beyondkmp.com -d www.beyondkmp.com --standalone
证书过期前手动运行下面命令更新证书
/usr/local/bin/certbot-auto renew --force-renewal
加入crontab每月自动更新证书
0 9 1 * * systemctl stop nginx; /usr/local/bin/certbot-auto renew --force-renewal;systemctl start nginx
nginx中HSTS配置
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
参考
- Nginx Quick Reference
- 本博客 Nginx 配置之性能篇