说明:

编译 BoringSSL 的前提:gcc 版本大于 6,需要 Go 环境支持,cmake 需 3 以上版本。

编译BoringSSL

编译BoringSSL 依赖安装

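# Build prerequisites: EPEL plus the compilers, Go, CMake and libunwind used by the BoringSSL build.
yum -y install epel-release
yum install libunwind-devel libunwind gcc cmake make go git gcc-c++
# Build with ninja. The prebuilt binary is installed into /usr/bin and is run as root by
# every later build step, so check the archive against a digest from a trusted source first.
wget https://github.com/ninja-build/ninja/releases/download/v1.10.2/ninja-linux.zip
# Placeholder, not a real digest: fill in the SHA-256 you have verified for this release.
ninja_sha256='<SHA256_OF_NINJA_LINUX_ZIP>'
# Unpack and install only when the digest matches; a mismatch stops the chain here.
printf '%s  %s\n' "$ninja_sha256" ninja-linux.zip | sha256sum -c - \
  && unzip ninja-linux.zip \
  && mv ninja /usr/bin/
which ninja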
[root@node src]# which ninja
/usr/bin/ninja

拉取BoringSSL源码

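git clone https://github.com/google/boringssl.git
# The clone is whatever the default branch points at today. Print the commit so the TLS
# library that ends up linked into nginx can be identified, audited and rebuilt later.
git -C boringssl rev-parse HEAD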

编译BoringSSL

cd boringssl
# Create a dedicated directory for the out-of-tree build
mkdir build
cd build
# NOTE(review): no -DCMAKE_BUILD_TYPE is passed. BoringSSL's build notes describe the default flags as a non-optimised debugging configuration — confirm, and configure with -DCMAKE_BUILD_TYPE=Release for a library that will serve production TLS.
cmake -GNinja ..
[root@node build]# cmake -GNinja ..
-- The CXX compiler identification is GNU 8.5.0
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found Perl: /usr/bin/perl (found version "5.26.3")
-- Checking for module 'libunwind-generic'
--   Found libunwind-generic, version 1.3.1
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/cc
-- Configuring done
-- Generating done
-- Build files have been written to: /usr/local/src/boringssl/build
ninja

nginx 编译

本次编译的 nginx 支持 br(Brotli)压缩和 Lua,并使用 jemalloc 管理内存。

nginx 编译依赖安装

yum install -y   pcre pcre-devel zlib zlib-devel libtool lua-devel patch

luajit2编译

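git clone https://github.com/openresty/luajit2.git
# Build in a subshell so the working directory is back at the source root afterwards;
# the later nginx ./configure step refers to its sibling trees with ../ paths.
(
  cd luajit2 || exit 1
  make -j"$(nproc)" && make -j"$(nproc)" install
)
# Symlink the installed runtime library into /lib64
ln -sf /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2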

jemalloc 编译

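git clone https://github.com/jemalloc/jemalloc.git
# Build in a subshell so the working directory is back at the source root afterwards.
(
  cd jemalloc || exit 1
  ./autogen.sh
  ./configure
  make -j"$(nproc)" && make -j"$(nproc)" install_bin install_include install_lib
)
# Register /usr/local/lib with the dynamic linker and refresh its cache
echo '/usr/local/lib' > /etc/ld.so.conf.d/jemalloc.conf
ldconfig
ln -sf /usr/local/lib/libjemalloc.so /usr/lib64/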

lua-cjson 编译

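wget https://www.kyne.com.au/~mark/software/download/lua-cjson-2.1.0.tar.gz
# Nothing authenticates this tarball beyond the TLS connection; compare it against a
# SHA-256 you trust before building and installing it as root.
tar -xzvf lua-cjson-2.1.0.tar.gz
# Build in a subshell so the working directory is back at the source root afterwards.
(
  cd lua-cjson-2.1.0 || exit 1
  make -j"$(nproc)" && make -j"$(nproc)" install
)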

luasocket 编译

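git clone https://github.com/diegonehab/luasocket.git
# Build in a subshell so the working directory is back at the source root afterwards.
(
  cd luasocket || exit 1
  make -j"$(nproc)" && make -j"$(nproc)" install
)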

libbrotli 编译

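git clone https://github.com/bagder/libbrotli
# Build in a subshell so the working directory is back at the source root afterwards.
(
  cd libbrotli/ || exit 1
  ./autogen.sh
  ./configure
  make -j"$(nproc)" && make -j"$(nproc)" install
)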

下载nginx 插件

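# Third-party modules, each cloned at whatever its default branch currently holds.
# All of them are compiled into the nginx binary, so record the commit of every tree
# (git -C <dir> rev-parse HEAD) and drop the modules you do not actually use.
git clone https://github.com/FRiCKLE/ngx_cache_purge.git
git clone https://github.com/weibocom/nginx-upsync-module.git
git clone https://github.com/xiaokai-wang/nginx_upstream_check_module.git
git clone https://github.com/openresty/echo-nginx-module.git
git clone https://github.com/openresty/lua-nginx-module.git
git clone https://github.com/openresty/stream-lua-nginx-module.git
git clone https://github.com/openresty/lua-upstream-nginx-module.git
git clone https://github.com/evanmiller/mod_zip.git
git clone https://github.com/simplresty/ngx_devel_kit.git
git clone https://github.com/wdaike/ngx_upstream_jdomain.git
git clone https://github.com/GUI/nginx-upstream-dynamic-servers.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/vozlt/nginx-module-vts.git
git clone https://github.com/google/ngx_brotli
# Fetch the submodules of ngx_brotli in a subshell so the working directory
# is back at the source root afterwards.
(
  cd ngx_brotli || exit 1
  git submodule update --init
)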

下载 pcre 源码(在 CentOS 8 或者 Rocky 系统上会报错)

wget https://sourceforge.net/projects/pcre/files/pcre/8.39/pcre-8.39.tar.gz

下载nginx

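# Fetch the source over HTTPS together with its detached PGP signature, and build only
# if the signature verifies. The nginx signing keys (listed at
# https://nginx.org/en/pgp_keys.html) must already be imported into the gpg keyring.
wget https://nginx.org/download/nginx-1.21.6.tar.gz
wget https://nginx.org/download/nginx-1.21.6.tar.gz.asc
gpg --verify nginx-1.21.6.tar.gz.asc nginx-1.21.6.tar.gz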

编译nginx

tar -xvf nginx-1.21.6.tar.gz
cd nginx-1.21.6
# Apply the patch shipped with nginx_upstream_check_module
patch -p1 < ../nginx_upstream_check_module/check_1.12.1+.patch  
# Choose the check_*.patch file according to the nginx version being built
# NOTE(review): the transcript that follows shows hunks landing with offsets and one with fuzz 2 on 1.21.6, so the patch was not cut for this release — review the patched upstream files before relying on the build.
[root@node nginx-1.21.6]# patch -p1 < ../nginx_upstream_check_module/check_1.12.1+.patch
patching file src/http/modules/ngx_http_upstream_hash_module.c
Hunk #2 succeeded at 241 (offset 3 lines).
Hunk #3 succeeded at 571 (offset 22 lines).
patching file src/http/modules/ngx_http_upstream_ip_hash_module.c
Hunk #2 succeeded at 211 (offset 3 lines).
patching file src/http/modules/ngx_http_upstream_least_conn_module.c
patching file src/http/ngx_http_upstream_round_robin.c
Hunk #1 succeeded at 9 with fuzz 2.
Hunk #2 succeeded at 108 (offset 6 lines).
Hunk #3 succeeded at 187 (offset 12 lines).
Hunk #4 succeeded at 264 (offset 13 lines).
Hunk #5 succeeded at 384 (offset 14 lines).
Hunk #6 succeeded at 421 (offset 14 lines).
Hunk #7 succeeded at 489 (offset 14 lines).
Hunk #8 succeeded at 589 (offset 14 lines).
patching file src/http/ngx_http_upstream_round_robin.h
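# Build nginx
# Create the unprivileged nginx account (no login shell, no home directory)
useradd nginx -s /sbin/nologin -M
# Export the LuaJIT library and include locations for the Lua module build
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
# Create the working directories
mkdir -pv /apps/nginx/cache/{client_temp,proxy_temp,fastcgi_temp,uwsgi_temp,scgi_temp,proxy_cache,ngx_pagespeed_cache}
# Hand only the cache/temp tree to the worker account. Chowning the whole /apps/nginx
# prefix would make that account the owner of the directory that later holds log/,
# run/ (the PID file) and lua/, all of which the root-started master reads or writes.
chown -R nginx:nginx /apps/nginx/cache
# NOTE(review): --with-openssl-opt only applies to an OpenSSL tree built through
# --with-openssl, and none is given here; TLS comes from the BoringSSL paths in
# --with-cc-opt / --with-ld-opt — confirm whether the option is still wanted.
# Every --add-module tree below is compiled into the server binary; keep only the ones in use.
./configure  --prefix=/apps/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/apps/nginx/log/error.log \
--http-log-path=/apps/nginx/log/access.log \
--pid-path=/apps/nginx/run/nginx.pid \
--lock-path=/apps/nginx/run/nginx.lock \
--http-client-body-temp-path=/apps/nginx/cache/client_temp \
--http-proxy-temp-path=/apps/nginx/cache/proxy_temp \
--http-fastcgi-temp-path=/apps/nginx/cache/fastcgi_temp \
--http-uwsgi-temp-path=/apps/nginx/cache/uwsgi_temp \
--http-scgi-temp-path=/apps/nginx/cache/scgi_temp \
--user=nginx \
--group=nginx \
--with-compat \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-threads \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--with-http_slice_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-pcre-jit \
--with-pcre=../pcre-8.39 \
--with-http_v2_module \
--with-openssl-opt=enable-tls1_3 \
--add-module=../ngx_brotli \
--add-module=../nginx-upsync-module \
--add-module=../echo-nginx-module \
--add-module=../nginx_upstream_check_module \
--add-module=../lua-nginx-module \
--add-module=../stream-lua-nginx-module \
--add-module=../lua-upstream-nginx-module \
--add-module=../ngx_devel_kit \
--add-module=../mod_zip \
--add-module=../ngx_cache_purge \
--add-module=../headers-more-nginx-module \
--add-module=../ngx_upstream_jdomain \
--add-module=../nginx-upstream-dynamic-servers \
--add-module=../nginx-module-vts \
--with-cc-opt="-I../boringssl/include" \
--with-ld-opt="-Wl,-rpath,$LUAJIT_LIB,-ljemalloc -L../boringssl/build/ssl -L../boringssl/build/crypto"
# Compile, then install only if the compile succeeded
make -j"$(nproc)" && make -j"$(nproc)" install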
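# Create the Lua library directory that lua_package_path points at.
# Workers execute the code stored here, so keep this directory and its parents
# writable by root only, not by the nginx account.
mkdir -p /apps/nginx/lua/resty
git clone https://github.com/openresty/lua-resty-lrucache.git
git clone https://github.com/openresty/lua-resty-core.git
# Copy the library files into resty/
cp -pdr ./lua-resty-core/lib/resty/* /apps/nginx/lua/resty/
mv ./lua-resty-lrucache/lib/resty/* /apps/nginx/lua/resty/
# Create the systemd unit that starts nginx
vim /usr/lib/systemd/system/nginx.service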
# systemd unit for the nginx binary built above.
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
# No User= is set, so the master process starts as root; the build was configured with
# --user=nginx / --group=nginx for the worker processes.
Type=forking
# Unlimited core dumps: a core of an nginx process can contain TLS private keys and
# request data. Restrict where cores are written and who can read them, or lower this
# limit outside debugging.
LimitCORE=infinity
LimitNOFILE=100000
LimitNPROC=100000
PIDFile=/apps/nginx/run/nginx.pid
# Test the configuration before starting, so a broken nginx.conf fails the start
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
# HUP asks the master to reload its configuration; QUIT requests a graceful shutdown
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
# 修改nginx.conf 不然找不到lua 相关文件报错
vim /etc/nginx/nginx.conf
http 段加入
    lua_need_request_body on;
    lua_package_path "/apps/nginx/lua/?.lua";
    lua_shared_dict limit 100m;
    lua_shared_dict badGuys 100m;
    lua_code_cache on;

nginx.conf

# /apps/nginx/lua/test.lua 测试是否支持lua
# test.lua 内容
ngx.say("hello world");
cat /etc/nginx/nginx.conf
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    # Lua settings; lua_package_path must be set or the Lua libraries are not found and nginx reports an error
    # NOTE(review): lua_need_request_body at http level appears to force the whole request body to be read before any Lua handler runs — confirm against the lua-nginx-module docs, and consider leaving it off and calling ngx.req.read_body() only in handlers that need the body, with client_max_body_size set deliberately.
    lua_need_request_body on;
    lua_package_path "/apps/nginx/lua/?.lua";
    lua_shared_dict limit 100m;
    lua_shared_dict badGuys 100m;
    lua_code_cache on;
    server {
        listen       8880;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }
        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        location /hello {
            default_type text/html;
            content_by_lua_block {
            ngx.say("HelloWorld")
        }
          }
location /lua {

    default_type 'text/html';

    content_by_lua_file lua/test.lua; #相对于nginx安装目录 /apps/nginx/lua

}
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}
nginx 的相关优化以及新增模块的用法,请自行到 GitHub 对应仓库查看说明文档。

nginx http3 编译

https://quic.nginx.org/readme.html
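# "tip" is a moving reference: every download may contain different code and nothing
# here authenticates it beyond TLS. Note the changeset you actually built.
wget https://hg.nginx.org/nginx-quic/archive/tip.zip
unzip tip.zip
# The archive unpacks to nginx-quic-<changeset>; 55359b950132 was the changeset when
# this was written, so adjust the directory name to what unzip produced.
cd nginx-quic-55359b950132
# --with-debug compiles debug logging into the binary; leave it out of production builds
# unless it is needed. --with-ld-opt was given twice with the same value and is kept once.
./auto/configure \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-compat \
--with-debug \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_slice_module \
--with-threads \
--with-http_addition_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-stream \
--with-http_v3_module \
--with-stream_quic_module \
--with-cc-opt="-I../boringssl/include" \
--with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto"
# Compile
make  -j4
# Install
make install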

域名配置文件参考
server {
        listen       80;
        server_name  xx.xxx.com;
        root /usr/share/nginx/html;
        index  index.html index.htm;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
}
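server {
        # HTTP/3 over QUIC and HTTP/2 over TLS are both offered on port 443.
        listen 443 http3;
        listen 443 ssl http2;
        server_name  xx.xxx.com;
        ssl_certificate /apps/nginx/sslkey/xxx.com/fullchain.crt;
        ssl_certificate_key /apps/nginx/sslkey/xxx.com/private.key;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 60;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # 0-RTT early data can be replayed. That is tolerable for the idempotent static
        # files served here; before adding proxy_pass or any state-changing handler, make
        # the backend reject early requests (HTTP 425) based on Early-Data, or turn this off.
        ssl_early_data on;
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ecdh_curve X25519:P-256:P-384;
        # NOTE(review): the two *-AES128-SHA256 suites are CBC-mode; drop them unless a
        # required client cannot negotiate one of the AEAD suites listed before them.
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256;
        # Only affects proxied requests; this server block has no proxy_pass yet.
        proxy_set_header Early-Data $ssl_early_data;
        add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"';
        # "always" sends HSTS on error responses too. includeSubDomains and preload commit
        # every subdomain to HTTPS for the two-year max-age, and preload is slow to undo:
        # confirm all subdomains serve valid TLS before deploying this header.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        root /usr/share/nginx/html;
        index  index.html index.htm;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
}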