一、安装LNMP
1.编译安装基础环境
yum install -y vim lrzsz tree screen psmisc lsof tcpdump wget ntpdate gcc gcc-c++ glibc glibc-devel pcre pcre-devel openssl openssl-devel systemd-devel net-tools iotop bc zip unzip zlib-devel bash-completion nfs-utils automake libxml2 libxml2-devel libxslt libxslt-devel perl perl-ExtUtils-Embed

1.编译安装Nginx [root@web ~]# cd /usr/local/src/ [root@web src]# tar xf nginx-1.16.1.tar.gz [root@web src]# cd nginx-1.16.1/

执行 configure 是为了检查系统环境是否符合编译安装的要求,比如是否有gcc编译工具,是否支持编译参数当中的模块,并根据开启的参数等生成Makefile文件为下一步做准备:

[root@web src]# ./configure --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module

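# Same configure invocation as above, one option per line.
# Run it from inside the unpacked nginx-1.16.1 source directory.
# The trailing backslashes join the lines into a single command; without them
# the shell would run "./configure --prefix=/apps/nginx" alone and then try to
# execute every following "--option" line as a command of its own.
./configure --prefix=/apps/nginx \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --with-pcre \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_realip_module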

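[root@web src]# make #编译步骤,根据Makefile文件生成相应的模块
[root@web src]# make install #创建目录,并将生成的模块和文件复制到相应的目录
[root@web src]# useradd nginx -s /sbin/nologin -u 2000 #以普通用户启动nginx
[root@web src]# chown nginx.nginx -R /apps/nginx/ # 设置权限

注意:递归 chown 会让 nginx 账户同时拥有 /apps/nginx/sbin/nginx 和 conf/ 的写权限,而下文的 systemd 单元没有设置 User=,master 进程以 root 身份执行该二进制并加载该配置;worker 进程一旦被攻破,就可以借此提升到 root。更稳妥的做法是让 sbin/ 和 conf/ 保持 root 属主,只把 nginx 运行时确实需要写入的目录交给 nginx 用户。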

**配置nginx服务,设置开机自启动**

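# Write the systemd unit for the source-built nginx under /apps/nginx.
# systemd parses one directive per line and does not support trailing inline
# comments, so every setting (and each commented-out one) is on its own line.
# The quoted 'EOF' delimiter keeps $MAINPID literal; systemd expands it at
# reload time, not the shell.
# Note: the unit sets no User=, so the nginx master process runs as root.
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/apps/nginx/logs/nginx.pid
ExecStartPre=/usr/bin/rm -f /apps/nginx/logs/nginx.pid
ExecStartPre=/apps/nginx/sbin/nginx -t
ExecStart=/apps/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
#KillSignal=SIGQUIT
#TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF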

[root@web system]# systemctl daemon-reload [root@web system]# systemctl start nginx [root@web system]# systemctl enable nginx

检查nginx服务运行状态,并访问nginx测试页面

[root@web system]# systemctl status nginx [root@web system]# curl http://192.168.91.102 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style>

设置404错误页面

[root@web system]# sed -i 's/500 502 503 504/500 502 503 504 404/' /apps/nginx/conf/nginx.conf

验证404错误页设置成功

[root@web ~]# curl http://192.168.91.102/123456

  1. 设置日志格式为json

在http配置中添加 access_json 日志模板,并应用该日志模板

[root@web ~]# vim /apps/nginx/conf/nginx.conf

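# JSON access-log template, one object per request.
# escape=json (nginx >= 1.11.8): several fields below are client-controlled
# ($http_user_agent, $http_referer, $http_x_forwarded_for, $uri). With the
# default escaping, a quote or backslash in them is written as \xXX, which is
# not a legal JSON escape, so the line no longer parses as JSON.
# Side effect: variables with no value are logged as "" rather than "-".
log_format access_json escape=json
    '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"uri":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"tcp_xff":"$proxy_protocol_addr",'
    '"http_user_agent":"$http_user_agent",'
    '"status":"$status"}';

# Apply the template; the path is relative to the nginx prefix.
access_log logs/access_json.log access_json;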

重启nginx服务

[root@web ~]# /apps/nginx/sbin/nginx -t [root@web ~]# /apps/nginx/sbin/nginx -s reload

确认修改后的日志结构

[root@web ~]# tail -f /apps/nginx/logs/access_json.log {"@timestamp":"2020-11-25T14:44:22+08:00","host":"192.168.91.102","clientip":"192.168.91.1","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"192.168.91.102","uri":"/index.html","domain":"192.168.91.102","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36","status":"304"}

二、配置虚拟主机,实现https访问(为自己定义的域名)

1.自签名CA证书
[root@web ~]# cd /apps/nginx/
[root@web nginx]# mkdir certs
[root@web nginx]# cd certs/
[root@web certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
[root@web certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.devops.com.key -out www.devops.com.csr
2.签发证书,hostname设置为 www.devops.com
[root@web certs]# openssl x509 -req -days 3650 -in www.devops.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.devops.com.crt

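[root@web certs]# ll
total 24
-rw-r--r-- 1 root root 2074 Nov 25 14:59 ca.crt
-rw-r--r-- 1 root root 3272 Nov 25 14:59 ca.key
-rw-r--r-- 1 root root 17 Nov 25 15:45 ca.srl
-rw-r--r-- 1 root root 1968 Nov 25 15:45 www.devops.com.crt
-rw-r--r-- 1 root root 1740 Nov 25 15:43 www.devops.com.csr
-rw-r--r-- 1 root root 3272 Nov 25 15:43 www.devops.com.key

注意:上面的 ca.key 和 www.devops.com.key 权限为 -rw-r--r--(所有本地用户可读),并且由于使用了 -nodes,私钥没有口令保护。私钥应只允许 root 读取,例如 chmod 600 ca.key www.devops.com.key;nginx 的 master 进程以 root 身份读取私钥,不受影响。CA 私钥(ca.key)签发完成后不应继续留在 Web 服务器上。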

3.验证证书内容 [root@web certs]# openssl x509 -in www.devops.com.crt -noout -text

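4.配置https:在 nginx.conf 的 server 块中加入以下配置。nginx 1.16.1 默认的 ssl_protocols 仍包含 TLSv1 和 TLSv1.1,建议另外显式设置 ssl_protocols,只保留 TLSv1.2 及以上版本。

        listen 443 ssl;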

        ssl_certificate /apps/nginx/certs/www.devops.com.crt;
        ssl_certificate_key /apps/nginx/certs/www.devops.com.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;

5.重启nginx,使https server生效 [root@web certs]# /apps/nginx/sbin/nginx -s reload

6.配置域名解析 echo '127.0.0.1 www.devops.com' >> /etc/hosts

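7.验证https配置
[root@web certs]# curl --cacert /apps/nginx/conf/ca.crt https://www.devops.com
curl: (77) Problem with the SSL CA cert (path? access rights?)

上面的 77 错误是因为 --cacert 指向了 /apps/nginx/conf/ca.crt,而 CA 证书是在第1步生成于 /apps/nginx/certs/ 目录下的;应改为 curl --cacert /apps/nginx/certs/ca.crt https://www.devops.com 再验证。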