概述
Nginx("engine x")是一款由俄罗斯程序设计师 Igor Sysoev 开发的高性能 Web 和反向代理服务器，也是一个 IMAP/POP3/SMTP 代理服务器。
在高连接并发的情况下,Nginx是Apache服务器不错的替代品。
Building nginx from Sources
下载对应版本的源码包，并在解压前核对官方发布的签名或校验和（避免在传输过程中被替换）。
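$ cd /usr/local/src
# Fetch over HTTPS. The original used plain http:// for nginx and zlib, which
# lets anyone on the network path hand back a modified tarball.
$ sudo wget https://nginx.org/download/nginx-1.12.0.tar.gz
$ sudo wget https://nginx.org/download/nginx-1.12.0.tar.gz.asc
$ sudo wget https://ftp.pcre.org/pub/pcre/pcre-8.40.tar.gz
$ sudo wget https://zlib.net/zlib-1.2.11.tar.gz
# Verify the nginx release signature before unpacking (the signing keys are
# published at https://nginx.org/keys/). Check pcre and zlib against the
# signatures/checksums each project publishes in the same way.
$ gpg --verify nginx-1.12.0.tar.gz.asc nginx-1.12.0.tar.gz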
同级目录解压。
$ sudo tar xf nginx-1.12.0.tar.gz $ sudo tar xf pcre-8.40.tar.gz $ sudo tar xf zlib-1.2.11.tar.gz
安装相关的编译依赖包
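# libssl-dev is missing from the original list: the configure step enables
# http_ssl_module and stream_ssl_module without --with-openssl=, so it links
# the system OpenSSL and fails without its headers.
# libperl-dev is only needed for --with-http_perl_module.
$ sudo apt-get update
$ sudo apt-get -y install autoconf automake build-essential pkg-config \
    libssl-dev libperl-dev libxml2 libxslt1-dev libgeoip-dev zlib1g-dev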
创建 nginx 系统用户，并禁止其登录
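# -r: system account (uid from the system range); -M: no home directory.
# On Debian/Ubuntu (the apt-get host used above) nologin lives at
# /usr/sbin/nologin; /sbin/nologin is the RHEL-family path and may not exist.
$ sudo useradd -r -M -s /usr/sbin/nologin nginx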
编译安装
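# "sudo cd" does nothing useful: cd is a shell builtin, so sudo cannot run it
# and the following commands execute in the wrong directory.
$ cd /usr/local/src/nginx-1.12.0
# Notes on the configure line:
# - No --with-openssl= here, so the SSL modules link the system OpenSSL;
#   libssl-dev must be installed.
# - The pid file lives under /var/log/nginx to match the "pid" directive in
#   nginx.conf; keep the two in sync if you move it.
# - http_perl_module embeds a Perl interpreter in every worker process; drop
#   it unless Perl handlers are actually used.
$ sudo ./configure --user=nginx --group=nginx \
    --prefix=/usr/local/nginx-1.12.0 \
    --conf-path=/usr/local/nginx-1.12.0/conf/nginx.conf \
    --pid-path=/var/log/nginx/nginx.pid \
    --with-pcre=../pcre-8.40 \
    --with-zlib=../zlib-1.2.11 \
    --with-stream \
    --with-stream_ssl_module \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_geoip_module \
    --with-http_realip_module \
    --with-http_xslt_module \
    --with-file-aio \
    --with-http_perl_module \
    --with-http_auth_request_module \
    --with-http_gzip_static_module \
    --with-http_secure_link_module \
    --with-http_sub_module \
    --with-http_stub_status_module
# The original "sudo make && make install" ran the install step WITHOUT sudo;
# both commands need it when the tree is root-owned.
$ sudo make && sudo make install
$ sudo ln -s /usr/local/nginx-1.12.0 /usr/local/nginx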
调整配置文件
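$ sudo vim /usr/local/nginx/conf/nginx.conf
user nginx nginx;
worker_processes auto;
## Pin worker processes to CPU sets ("auto" since 1.9.10); by default
## workers are not bound to any specific CPU.
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log notice;
## Must match --pid-path given to ./configure.
pid /var/log/nginx/nginx.pid;
## Maximum open file descriptors per worker; must be >= worker_connections.
worker_rlimit_nofile 51200;

events {
    use epoll;
    ## Per-worker cap on simultaneous connections. Includes connections to
    ## proxied upstreams, not only clients, and cannot exceed
    ## worker_rlimit_nofile. maxclients = worker_processes * worker_connections.
    worker_connections 30000;
}

http {
    include mime.types;
    default_type application/octet-stream;

    ## NOTE: $http_x_forwarded_for is a client-supplied header and is trivially
    ## forged; only trust it where a proxy you control overwrites it (see
    ## set_real_ip_from / real_ip_header). $remote_addr is the verified peer.
    log_format weblog '$http_x_forwarded_for $remote_port "$request" $status [$time_local] '
                      '"$http_user_agent" "$http_referer" $body_bytes_sent '
                      '$remote_addr $gzip_ratio';

    sendfile on;
    ## Hide the nginx version from the Server: header and error pages.
    server_tokens off;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    request_pool_size 4k;
    ## Per-connection allocation tuning; default is 256 bytes on 32-bit and
    ## 512 bytes on 64-bit platforms. Minimal effect, rarely worth changing.
    connection_pool_size 512;

    ## Slow-client limits. The original 3m values let one client hold a worker
    ## connection for minutes while sending a header a byte at a time
    ## (slowloris). These are idle timeouts between successive reads/writes,
    ## not a total transfer limit, so short values do not break large uploads.
    client_header_timeout 15s;
    client_body_timeout 30s;
    send_timeout 30s;

    ## Header buffers are allocated per connection. The original
    ## 4 x 1024k large_client_header_buffers, combined with
    ## worker_connections 30000, is a memory-amplification vector that any
    ## client can trigger by sending big headers. 4 x 32k still covers large
    ## cookies/tokens; raise only if requests actually fail with
    ## 400 "Request Header Or Cookie Too Large".
    client_header_buffer_size 16k;
    large_client_header_buffers 4 32k;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    output_buffers 4 32k;
    postpone_output 1460;
    server_names_hash_bucket_size 128;

    fastcgi_connect_timeout 180s;
    fastcgi_send_timeout 180s;
    fastcgi_read_timeout 180s;
    fastcgi_buffer_size 2048k;
    fastcgi_buffers 4 1024k;
    fastcgi_busy_buffers_size 2048k;
    fastcgi_temp_file_write_size 2048k;

    ## NOTE (BREACH): compressing a TLS response that contains a secret
    ## (CSRF token, session id) together with attacker-reflected input leaks
    ## the secret through the response length. text/html is always compressed
    ## when gzip is on, regardless of gzip_types, so disable gzip in vhosts
    ## whose pages reflect user input next to secrets.
    gzip on;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css application/json text/xml application/xml application/xml+rss text/javascript application/javascript application/x-javascript;

    ## Virtual hosts live in their own files.
    include vhosts/*.conf;
}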
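server
{
    listen 443 ssl default;
    # server_name silent.live www.silent.live blog.silent.live devops.silent.live;
    server_name silent.live www.silent.live;
    root /data/wwwroot/silent.live/webroot;
    index index.shtml index.html;

    ## TLS 1.0 and 1.1 are deprecated (RFC 8996) and the original enabled both.
    ## TLS 1.2 only; add TLSv1.3 once nginx >= 1.13.0 is built against
    ## OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/silent.live/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/silent.live/privkey.pem;
    ## Let the server, not the client, choose from the list below.
    ssl_prefer_server_ciphers on;
    ## Forward-secret AEAD suites only. The original list ended in
    ## "AES:CAMELLIA:DES-CBC3-SHA" and so admitted static-RSA (no forward
    ## secrecy), CBC/SHA1 and 3DES (SWEET32) suites. The CHACHA20 entries are
    ## silently skipped by OpenSSL < 1.1.0.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ## Diffie-Hellman parameters for the DHE suites; 2048 bits minimum.
    ssl_dhparam /usr/local/nginx/sslkey/dh_ssl/nginx_dh_2048.pem;
    ## "auto" (1.11.0+) uses OpenSSL's built-in curve list with OpenSSL >= 1.0.2,
    ## prime256v1 with older versions (and before 1.11.0 prime256v1 was the default).
    ssl_ecdh_curve auto;

    ## Session cache shared between all workers. About 4000 sessions fit in
    ## 1 MB, so 50 MB holds roughly 200k sessions; they are kept for one day.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ## Tickets off (needs 1.5.9+): a long-lived, unrotated ticket key would
    ## undo forward secrecy for every session it protected.
    ssl_session_tickets off;
    # ssl_session_ticket_key /usr/local/nginx/sslkey/tls_session/tls_session_ticket.key;

    ## OCSP stapling (needs 1.3.7+). ssl_stapling_verify requires the issuer
    ## chain in ssl_trusted_certificate; the original left it commented out, so
    ## responses could not be verified and nothing was stapled. certbot writes
    ## chain.pem next to fullchain.pem; confirm the path on this host.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/silent.live/chain.pem;
    ## Resolver used to look up the OCSP responder. This is plain UDP DNS to a
    ## public resolver; point it at a local resolver if one is available.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ## SSI expands "include"/"exec"-style directives server-side. Never serve
    ## user-uploaded or user-editable files with a type listed in ssi_types.
    ssi on;
    ssi_silent_errors off;
    ssi_types text/shtml;

    ## Security headers at server level so every response (static assets,
    ## error pages) carries them; the original set them only in "location /".
    ## add_header is NOT inherited into a location that defines its own
    ## add_header, so keep the location blocks below free of add_header.
    ## "always" (1.7.5+) attaches the headers to 4xx/5xx responses too.
    add_header Strict-Transport-Security "max-age=63072000" always;
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
        access_log off;
    }
    location = /favicon.ico {
        rewrite (.*) /static/favicon.ico;
    }
    # location = /robots.txt {
    #     rewrite (.*) /static/robots.txt;
    # }
    location / {
        ## A negative expires emits "Cache-Control: no-cache", which is what
        ## the former add_header did here, without an add_header that would
        ## cancel inheritance of the server-level security headers.
        expires -1;
    }
    error_page 404 /static/404.html;
    access_log /data/httplog/silent.live_access_ssl.log weblog;
    error_log /data/httplog/silent.live_error_ssl.log;
}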