Let's set up a website
nginx
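Work has been so hectic lately that my backlog of posts has run dry, so I'm using my notes to fill the gap XDDD
These are notes, but I'll add a bit of explanation anyway.
I want an environment based on CentOS 7; I figure that right now (2023-10) there are still plenty of stable environments that can't fully move off CentOS 7. The platform is stable, but it is also aging, and many packages are gradually dropping support for it, so let me add a little color to it.
Since the OpenSSL that ships with CentOS 7 no longer meets network security requirements, I download the source separately from the official OpenSSL site and compile it myself.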
yum update -y
yum install -y gcc* openssl-devel pcre* patch git
export compileRPMPath="/home/pollo/nginx-build"
mkdir -p ${compileRPMPath}
cd ${compileRPMPath}
# Download the chosen nginx version
export nginxVersion="1.22.1"
wget http://nginx.org/download/nginx-$nginxVersion.tar.gz
tar -xzf nginx-$nginxVersion.tar.gz
ln -sf nginx-$nginxVersion nginx
## This release is 1.2.6 fix v0.1
wget https://github.com/PolloChang/nginx-sticky-module-ng/archive/refs/tags/0.1.tar.gz
tar -zxf 0.1.tar.gz
mv nginx-sticky-module-ng-0.1 nginx-sticky-module-ng
# Download nginx-module-vts
git clone https://github.com/vozlt/nginx-module-vts.git
# Download nginx_upstream_check_module
git clone https://github.com/yaoweibin/nginx_upstream_check_module
# Download nginx_cookie_flag_module
git clone https://github.com/AirisX/nginx_cookie_flag_module/
# Apply the patches required by nginx_upstream_check_module
cd ${compileRPMPath}/nginx-sticky-module-ng
patch -p0 < ${compileRPMPath}/nginx_upstream_check_module/nginx-sticky-module.patch
cd ${compileRPMPath}/nginx
patch -p1 < ${compileRPMPath}/nginx_upstream_check_module/check_1.20.1+.patch
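# WAF
# ModSecurity-nginx is only the connector: libmodsecurity (ModSecurity v3) has to be built and installed before nginx's ./configure can find it
# Clone next to the other modules so the paths match MODSECURITY_INC and --add-dynamic-module below
cd ${compileRPMPath}
export MODSECURITY_INC="${compileRPMPath}/ModSecurity/headers/"
git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity.git
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
# Choose the OpenSSL version; specific versions can be found at https://ftp.openssl.org/
export openSSLVersion="openssl-1.1.1s"
cd ${compileRPMPath}
# --insecure disables TLS certificate verification, so the tarball is unauthenticated; check it against OpenSSL's published SHA-256 before building
curl --insecure -O https://www.openssl.org/source/${openSSLVersion}.tar.gz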
tar zxf ${openSSLVersion}.tar.gz
ls ${compileRPMPath}/${openSSLVersion}
cd ${compileRPMPath}/nginx
./configure \
--user=nginx \
--group=nginx \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-http_ssl_module \
--with-pcre \
--with-file-aio \
--with-http_realip_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_fastcgi_module \
--with-openssl=${compileRPMPath}/${openSSLVersion} \
--add-module=${compileRPMPath}/nginx-sticky-module-ng \
--add-module=${compileRPMPath}/nginx-module-vts \
--add-module=${compileRPMPath}/nginx_upstream_check_module \
--add-module=${compileRPMPath}/nginx_cookie_flag_module \
--add-dynamic-module=${compileRPMPath}/ModSecurity-nginx
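make -j8 # set according to the number of CPU cores; this machine has 4 cores
make install # install the binary and default configuration into the paths given to ./configure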
useradd -s /sbin/nologin nginx
mkdir -p /var/log/nginx/
chown nginx:nginx /var/log/nginx/
ln -s /var/log/nginx /etc/nginx/logs
# /lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPost=/bin/sleep 0.1
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s TERM $MAINPID
# ExecTest= is not a systemd directive and is ignored with a warning; the configuration test already runs in ExecStartPre
[Install]
WantedBy=multi-user.target
sudo chmod 644 /lib/systemd/system/nginx.service # unit files should not be executable; systemd warns if they are
sudo systemctl daemon-reload && sudo systemctl start nginx && sudo systemctl status nginx
sudo systemctl enable nginx.service
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload # apply the permanent rule to the running firewall
HTTPS is a must for a secure website; to begin with, a self-signed certificate is enough.
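mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
chmod 600 /etc/nginx/ssl/nginx.key # -nodes leaves the private key unencrypted, so restrict it to root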
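
The source downloads earlier in this post fetch nginx over plain HTTP and OpenSSL with `curl --insecure`, so nothing authenticates the tarballs before they are compiled into the web server. The following is an added example, not part of the original post: a shell helper that refuses to continue unless every tarball matches a pinned SHA-256 digest. The manifest name `sources.sha256` and the function names are assumptions, and the digests are placeholders to be filled in from a trusted source (for example a copy whose publisher signature has been verified).

```shell
#!/bin/sh
# Added example (not from the original post): gate the build on pinned SHA-256 digests.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 if FILE's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 if the file is missing or differs, 2 if EXPECTED_HEX is not a valid digest.
verify_sha256() {
    local file expected actual
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not 64 hex characters, e.g. an unfilled placeholder.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "BAD DIGEST for $file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "BAD DIGEST for $file" >&2; return 2; }
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
    else
        echo "MISMATCH $file (got $actual)" >&2
        return 1
    fi
}

# verify_manifest MANIFEST DIR
# MANIFEST lines look like "<sha256>  <filename>"; blank lines and #-comments are skipped.
# Every listed file is checked so all failures are reported; returns 0 only if all match.
verify_manifest() {
    local manifest dir digest name failures
    manifest="$1"; dir="$2"; failures=0
    while read -r digest name; do
        case "$digest" in ''|'#'*) continue ;; esac
        verify_sha256 "$dir/$name" "$digest" || failures=$((failures + 1))
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# Hypothetical sources.sha256 for this build (placeholders, not real digests):
#   <SHA256-OF-NGINX-TARBALL>    nginx-1.22.1.tar.gz
#   <SHA256-OF-OPENSSL-TARBALL>  openssl-1.1.1s.tar.gz
# Run before unpacking anything:
#   verify_manifest sources.sha256 "${compileRPMPath}" || exit 1
```

The `git clone` steps are not covered by this check; pinning each module to a reviewed commit serves the same purpose for them.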