Nginx記錄1-基礎安裝相關

多線程架構

master進程主要用來管理worker進程,具體包括如下4個主要功能:
(1)接收來自外界的信號。
(2)向各worker進程發送信號。
(3)監控worker進程的運行狀態。
(4)當worker進程退出后(異常情況下),會自動重新啟動新的worker進程。
worker進程主要用來處理網絡事件,各個worker進程之間是對等且相互獨立的,它們同等競爭來自客戶端的請求,一個請求只可能在一個worker進程中處理,worker進程個數一般設置為機器CPU核數。

參考文獻

官方文檔 | 在線文檔
安裝 | 應用實例 | 安全實例 | Nginx限流特技
反向代理-proxy_buffering
Aiod | ngx_http_core_module-日志常用參數

安裝過程

編譯選項:
--with-http_image_filter_module=dynamic --需要GD
--with-pcre-jit
--with-file-aio
--with-http_v2_module
--with-http_realip_module
--with-http_addition_module
--with-http_xslt_module=dynamic
--with-http_sub_module
--with-http_dav_module
--with-http_flv_module
--with-http_mp4_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_slice_module
--需要pcre JIT
--with-http_geoip_module=dynamic --需要GeoIP GeoIP-devel

編譯參數
--with-stream 支持TCP代理以及負載均衡功能 官網

錯誤記錄:參考錯誤記錄
配置文件:參考配置文件

功能:安裝nginx、編譯sticky模塊、添加service服務

#!/bin/bash
#
# Source build of nginx with the sticky module, followed by registration of
# a SysV init script. The steps below install packages and write under /etc
# and /usr, so the script is meant to be run as root.

# Release to build; doubles as the tarball and source directory name.
nginxver='nginx-1.12.2'
# Working directory for the downloaded sources.
nginxdir='/usr/local/nginx'

#funtion
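#######################################
# Install the SysV init script for nginx at /etc/init.d/nginx.
#
# The file comes from a third-party repository and is later executed as root,
# so it is staged in a temporary file and only moved into place once the
# transfer has succeeded. Writing curl's output straight to the target (as a
# plain redirect does) would install an HTTP error page or a truncated file
# as the init script.
#
# NOTE(review): the URL tracks the mutable "master" branch, so the content can
# change between runs. Pin it to a commit and set NGINX_INIT_SHA256 after
# reviewing the script.
#
# Globals:   NGINX_INIT_SHA256 (read, optional) - expected SHA-256 of the file
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 on success; terminates the script with status 1 on failure
#######################################
nginx_init () {
  local url=https://raw.githubusercontent.com/mainiubaba/One/master/bash/nginx
  local target=/etc/init.d/nginx
  local staged

  staged=$(mktemp) || { echo "add ${target} failed." >&2; exit 1; }

  # -f turns HTTP errors (404, 5xx) into a non-zero exit status;
  # --proto/--proto-redir refuse a downgrade to plain HTTP on redirect.
  if ! curl -fsSL --proto '=https' --proto-redir '=https' -o "$staged" "$url" \
    || [ ! -s "$staged" ]; then
    rm -f -- "$staged"
    echo "add ${target} failed." >&2
    exit 1
  fi

  # Optional integrity pin: reject the download when the digest differs.
  if [ -n "${NGINX_INIT_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "$NGINX_INIT_SHA256" "$staged" \
      | sha256sum -c - >/dev/null 2>&1; then
      rm -f -- "$staged"
      echo "add ${target} failed: checksum mismatch." >&2
      exit 1
    fi
  else
    echo "warning: NGINX_INIT_SHA256 not set; ${target} is not integrity-checked." >&2
  fi

  # install sets the final mode in one step (0755 instead of a later chmod +x).
  if ! install -m 0755 -- "$staged" "$target"; then
    rm -f -- "$staged"
    echo "add ${target} failed." >&2
    exit 1
  fi
  rm -f -- "$staged"
}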

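# ---------------------------------------------------------------------------
# Download, build and install ${nginxver} with the sticky module, then register
# the init script through nginx_init. Every step is checked: a failed download
# or build stops the script instead of falling through to "make install".
#
# NOTE(review): ${nginxver} is an old release; confirm it still receives
# security fixes before deploying it.
# ---------------------------------------------------------------------------

# Print a fatal error on stderr and stop with a non-zero status.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Commit id of nginx-sticky-module-ng that the build is pinned to.
sticky_rev=08a395c66e42
sticky_src="nginx-goodies-nginx-sticky-module-ng-${sticky_rev}"
tarball="${nginxdir}/${nginxver}.tar.gz"

if [ -d "${nginxdir}" ]; then
  echo "${nginxdir} directory exists"
else
  mkdir -p -- "${nginxdir}" || die "cannot create ${nginxdir}"
fi

#yum
# wget and unzip are used below, so they are installed explicitly.
yum -y install wget unzip cmake make gcc gcc-c++ libevent nss zlib zlib-devel \
  openssl openssl-devel glibc glibc-devel compat-expat1 glibc.i686 procps \
  procmail ncurses-devel ncurses-libs ncurses-base ncurses libuuid-devel \
  pcre pcre-devel libxslt libxml2 libxml2-devel gd-devel \
  perl-ExtUtils-Embed perl-devel libxslt-devel \
  || die "yum install failed"

#wget tar
# Start from a clean slate so a re-run never builds a stale or half-extracted
# tree. ${var:?} keeps rm away from "/" should a variable ever be empty.
rm -f -- "${tarball}" "${nginxdir:?}/${sticky_rev}.zip"
rm -rf -- "${nginxdir:?}/${nginxver:?}" "${nginxdir:?}/${sticky_src}" \
  "${nginxdir:?}/nginx-sticky-module"

# The sources are compiled and installed as root: fetch them over HTTPS rather
# than plain HTTP, where the tarball could be replaced in transit.
wget -P "${nginxdir}" "https://nginx.org/download/${nginxver}.tar.gz" \
  || die "download of ${nginxver}.tar.gz failed"

# Optional integrity pin. nginx.org also publishes a detached PGP signature
# (<tarball>.asc) that can be verified with gpg.
if [ -n "${NGINX_SHA256:-}" ]; then
  printf '%s  %s\n' "${NGINX_SHA256}" "${tarball}" | sha256sum -c - >/dev/null \
    || die "checksum mismatch for ${tarball}"
else
  echo "warning: NGINX_SHA256 not set; ${tarball} is not integrity-checked" >&2
fi

wget -P "${nginxdir}" \
  "https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${sticky_rev}.zip" \
  || die "download of sticky module failed"

#unzip
cd "${nginxdir}" || die "cannot cd to ${nginxdir}"
tar -zxf "${nginxver}.tar.gz" || die "cannot extract ${nginxver}.tar.gz"
unzip "${sticky_rev}.zip" || die "cannot extract ${sticky_rev}.zip"
mv -- "${sticky_src}" nginx-sticky-module || die "cannot rename ${sticky_src}"

# The build is configured with --user=nginx/--group=nginx, so the unprivileged
# account must exist; create it without a home directory or login shell.
id -u nginx >/dev/null 2>&1 \
  || useradd -s /sbin/nologin -M nginx \
  || die "cannot create user nginx"

# Parent of the --http-*-temp-path directories configured below.
# NOTE(review): presumably not created by "make install"; creating it here is
# harmless if it already exists.
mkdir -p /var/lib/nginx/tmp || die "cannot create /var/lib/nginx/tmp"

#configure
# NOTE(review): dav, random_index and stub_status are compiled in; they do
# nothing until enabled in nginx.conf, and should be access-restricted when
# they are. Drop the modules that are not needed.
cd "${nginxdir}/${nginxver}" || die "cannot cd to ${nginxdir}/${nginxver}"
./configure \
  --prefix=/usr/local/nginx/ \
  --user=nginx \
  --group=nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
  --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
  --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
  --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
  --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
  --lock-path=/var/lock/subsys/nginx \
  --with-file-aio \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_xslt_module=dynamic \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --add-module="${nginxdir}/nginx-sticky-module" \
  || die "configure failed"

# Check the compile step as well, not only "make install".
make -j 4 || die "make failed"
make install || die "make install failed"

nginx_init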

功能:安裝nginx、編譯sticky模塊、添加service服務、編譯modsecurity(2.9.2)模塊、添加owasp規則

#!/bin/bash
#
# Source build of nginx with the sticky and ModSecurity 2.9.2 modules, plus
# deployment of the OWASP rule set. The steps below install packages and write
# under /etc and /usr, so the script is meant to be run as root.

# Release to build; doubles as the tarball and source directory name.
nginxver='nginx-1.12.2'
# Working directory for the downloaded sources.
nginxdir='/usr/local/nginx'
# Directory that receives modsecurity.conf and the rule set.
modsecurity_path='/etc/nginx'

# funtion
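#######################################
# Install the SysV init script for nginx at /etc/init.d/nginx.
#
# The file comes from a third-party repository and is later executed as root,
# so it is staged in a temporary file and only moved into place once the
# transfer has succeeded. Writing curl's output straight to the target (as a
# plain redirect does) would install an HTTP error page or a truncated file
# as the init script.
#
# NOTE(review): the URL tracks the mutable "master" branch, so the content can
# change between runs. Pin it to a commit and set NGINX_INIT_SHA256 after
# reviewing the script.
#
# Globals:   NGINX_INIT_SHA256 (read, optional) - expected SHA-256 of the file
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 on success; terminates the script with status 1 on failure
#######################################
nginx_init () {
    local url=https://raw.githubusercontent.com/guaiguaile/One/master/bash/nginx
    local target=/etc/init.d/nginx
    local staged

    staged=$(mktemp) || { echo "add ${target} failed." >&2; exit 1; }

    # -f turns HTTP errors (404, 5xx) into a non-zero exit status;
    # --proto/--proto-redir refuse a downgrade to plain HTTP on redirect.
    if ! curl -fsSL --proto '=https' --proto-redir '=https' -o "$staged" "$url" \
        || [ ! -s "$staged" ]; then
        rm -f -- "$staged"
        echo "add ${target} failed." >&2
        exit 1
    fi

    # Optional integrity pin: reject the download when the digest differs.
    if [ -n "${NGINX_INIT_SHA256:-}" ]; then
        if ! printf '%s  %s\n' "$NGINX_INIT_SHA256" "$staged" \
            | sha256sum -c - >/dev/null 2>&1; then
            rm -f -- "$staged"
            echo "add ${target} failed: checksum mismatch." >&2
            exit 1
        fi
    else
        echo "warning: NGINX_INIT_SHA256 not set; ${target} is not integrity-checked." >&2
    fi

    # install sets the final mode in one step (0755 instead of a later chmod +x).
    if ! install -m 0755 -- "$staged" "$target"; then
        rm -f -- "$staged"
        echo "add ${target} failed." >&2
        exit 1
    fi
    rm -f -- "$staged"
}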


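# ---------------------------------------------------------------------------
# Download and build ${nginxver} together with the sticky module and
# ModSecurity v2.9.2 (standalone module), install it, register the init script
# through nginx_init and run a configuration test. Every step is checked: a
# failed download or build stops the script instead of reaching "make install".
#
# NOTE(review): ${nginxver} and ModSecurity v2.9.2 are old releases; confirm
# they still receive security fixes before deploying them.
# ---------------------------------------------------------------------------

# Print a fatal error on stderr and stop with a non-zero status.
die() {
    printf 'error: %s\n' "$*" >&2
    exit 1
}

# Commit id of nginx-sticky-module-ng that the build is pinned to.
sticky_rev=08a395c66e42
sticky_src="nginx-goodies-nginx-sticky-module-ng-${sticky_rev}"
tarball="${nginxdir}/${nginxver}.tar.gz"

if [ -d "${nginxdir}" ]; then
    echo "${nginxdir} directory exists"
else
    mkdir -p -- "${nginxdir}" || die "cannot create ${nginxdir}"
fi

# yum
yum -y install wget unzip cmake make gcc gcc-c++ libevent nss zlib zlib-devel \
    openssl openssl-devel glibc glibc-devel compat-expat1 glibc.i686 procps \
    procmail ncurses-devel ncurses-libs ncurses-base ncurses libuuid-devel \
    pcre pcre-devel libxslt libxml2 libxml2-devel gd-devel \
    perl-ExtUtils-Embed perl-devel libxslt-devel \
    || die "yum install failed"

# wget tar
# Start from a clean slate so a re-run never builds a stale or half-extracted
# tree. ${var:?} keeps rm away from "/" should a variable ever be empty.
rm -f -- "${tarball}" "${nginxdir:?}/${sticky_rev}.zip"
rm -rf -- "${nginxdir:?}/${nginxver:?}" "${nginxdir:?}/${sticky_src}" \
    "${nginxdir:?}/nginx-sticky-module" "${nginxdir:?}/mod_security"

# The sources are compiled and installed as root: fetch them over HTTPS rather
# than plain HTTP, where the tarball could be replaced in transit.
wget -P "${nginxdir}" "https://nginx.org/download/${nginxver}.tar.gz" \
    || die "download of ${nginxver}.tar.gz failed"

# Optional integrity pin. nginx.org also publishes a detached PGP signature
# (<tarball>.asc) that can be verified with gpg.
if [ -n "${NGINX_SHA256:-}" ]; then
    printf '%s  %s\n' "${NGINX_SHA256}" "${tarball}" | sha256sum -c - >/dev/null \
        || die "checksum mismatch for ${tarball}"
else
    echo "warning: NGINX_SHA256 not set; ${tarball} is not integrity-checked" >&2
fi

# wget sticky
wget -P "${nginxdir}" \
    "https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${sticky_rev}.zip" \
    || die "download of sticky module failed"

# unzip
cd "${nginxdir}" || die "cannot cd to ${nginxdir}"
tar -zxf "${nginxver}.tar.gz" || die "cannot extract ${nginxver}.tar.gz"
unzip "${sticky_rev}.zip" || die "cannot extract ${sticky_rev}.zip"
mv -- "${sticky_src}" nginx-sticky-module || die "cannot rename ${sticky_src}"

#  install modsecurity2.9.2
echo "Install modsecurity2"
yum install -y git gcc make automake autoconf libtool \
    || die "yum install (ModSecurity toolchain) failed"
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel \
    || die "yum install (ModSecurity libraries) failed"

git clone https://github.com/SpiderLabs/ModSecurity.git mod_security \
    || die "git clone of ModSecurity failed"

# Build in a subshell so the working directory of the script is unchanged.
# autogen.sh only needs to be executable; mode 777 would leave a world-writable
# script inside a tree that root builds from.
(
    cd mod_security &&
    git checkout v2.9.2 &&
    chmod 755 autogen.sh &&
    ./autogen.sh &&
    ./configure --enable-standalone-module &&
    make
) || die "ModSecurity build failed"

# Parent of the --http-*-temp-path directories configured below.
# NOTE(review): presumably not created by "make install"; creating it here is
# harmless if it already exists.
mkdir -p /var/lib/nginx/tmp || die "cannot create /var/lib/nginx/tmp"

# configure
# NOTE(review): dav, random_index and stub_status are compiled in; they do
# nothing until enabled in nginx.conf, and should be access-restricted when
# they are. Drop the modules that are not needed.
cd "${nginxdir}/${nginxver}" || die "cannot cd to ${nginxdir}/${nginxver}"
./configure \
    --prefix=/usr/local/nginx/ \
    --user=nginx \
    --group=nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --pid-path=/var/run/nginx.pid \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib64/nginx/modules \
    --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
    --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
    --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
    --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
    --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
    --lock-path=/var/lock/subsys/nginx \
    --with-file-aio \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_xslt_module=dynamic \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --add-module="${nginxdir}/nginx-sticky-module" \
    --add-module="${nginxdir}/mod_security/nginx/modsecurity" \
    || die "configure failed"

# Check the compile step as well, not only "make install".
make -j 4 || die "make failed"
make install || die "make install failed"

nginx_init

# Create the unprivileged account named by --user/--group, with no home
# directory and no login shell. Skipped when it already exists so that a
# re-run does not fail here.
id -u nginx >/dev/null 2>&1 \
    || useradd -s /sbin/nologin -M nginx \
    || die "cannot create user nginx"

# Configuration test; reported but not fatal, so the rule deployment that
# follows in this script still runs.
nginx -t || echo "warning: nginx -t reported a configuration problem" >&2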
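# ---------------------------------------------------------------------------
# Deploy the OWASP rule set and the ModSecurity base configuration into
# ${modsecurity_path}, then switch the engine from detection to blocking.
# ---------------------------------------------------------------------------

# Print a fatal error on stderr and stop with a non-zero status.
crs_die() {
    printf 'error: %s\n' "$*" >&2
    exit 1
}

modsec_conf="${modsecurity_path}/modsecurity.conf"
crs_dir="${modsecurity_path}/owasp-modsecurity-crs"

# install modsecurity owasp
# NOTE(review): the clone follows the repository's default branch, so the rule
# set differs from run to run; check out a reviewed tag or commit instead.
cd "${nginxdir}" || crs_die "cannot cd to ${nginxdir}"
rm -rf -- "${nginxdir:?}/owasp-modsecurity-crs"   # a re-run would otherwise fail in git clone
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git \
    || crs_die "git clone of owasp-modsecurity-crs failed"
cp -r owasp-modsecurity-crs/ "${modsecurity_path}" \
    || crs_die "cannot copy rule set to ${modsecurity_path}"
cp "${crs_dir}/crs-setup.conf.example" "${crs_dir}/crs-setup.conf" \
    || crs_die "cannot create crs-setup.conf"

# deploy modsecurity
cp -r /usr/local/nginx/mod_security/{modsecurity.conf-recommended,unicode.mapping} \
    "${modsecurity_path}" \
    || crs_die "cannot copy ModSecurity base configuration"
cp "${modsecurity_path}/modsecurity.conf-recommended" "${modsec_conf}" \
    || crs_die "cannot create ${modsec_conf}"

sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine on/' "${modsec_conf}" \
    || crs_die "cannot edit ${modsec_conf}"
# sed exits 0 even when nothing matched, which would silently leave the WAF in
# detection-only mode; confirm the directive really changed.
grep -q '^SecRuleEngine on' "${modsec_conf}" \
    || crs_die "SecRuleEngine was not switched on in ${modsec_conf}"

# The first appended line is a smoke-test rule (id 1234): it answers 403 to any
# request whose "testparam" argument contains "test". Remove it once the
# installation has been verified.
# NOTE(review): only crs-setup.conf is included; the rule files shipped in the
# rule set directory are not. Confirm whether an Include for them is intended,
# otherwise the OWASP rules are not loaded.
cat >> "${modsec_conf}" << 'EOF'
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered !!!197-test-196!!!'"
Include owasp-modsecurity-crs/crs-setup.conf
EOF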

# Print the manual follow-up steps: how to enable ModSecurity in a location
# block and how to check that the rules take effect. The text is emitted
# verbatim (quoted here-document, no expansion), framed by one blank line
# before and after.
cat << 'EOF'

#############################
# #1. nginx開啟ModSecurity
# ...
#         location / {
#             root   html;
#             # 開啟ModSecurity
#             ModSecurityEnabled on;
#             # 選擇ModSecurity配置文件
#             ModSecurityConfig /etc/nginx/modsecurity.conf;
#             index  index.html index.htm;
#         }
# ...

# #2. 測試
# #第一:重啟nginx
# nginx -s reload &
# #第二:使用nikto測試owasp 核心規(guī)則是否生效
# #Nikto掃描工具生成惡意請求,包括針對已知易受攻擊的文件,跨站點(diǎn)腳本(XSS)和其他類型的攻擊的探測。
# #該工具還會報(bào)告?zhèn)鬟f給應(yīng)用程序的請求,從而揭示應(yīng)用程序中的潛在漏洞。
# git clone https://github.com/sullo/nikto
# cd nikto
# perl program/nikto.pl -h http://localhost
# #可以通過日志進(jìn)行驗(yàn)證
# cat /var/log/modsec_audit.log
#############################

EOF

Centos7 systemctl.service
# stat /usr/lib/systemd/system/nginx.service
文件:"/usr/lib/systemd/system/nginx.service"
權限:(0644/-rw-r--r--) Uid:( 0/ root) Gid:( 0/ root)

# systemd unit for nginx. The binary, configuration and PID paths used here
# are the ones passed to ./configure in the build scripts on this page
# (--sbin-path, --conf-path, --pid-path).
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
# Order the service after networking, remote filesystems and name lookup.
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
# The started process forks into the background; systemd follows the main
# process through the PID file below.
Type=forking
# Must be the same file nginx writes its PID to.
PIDFile=/var/run/nginx.pid
# NOTE(review): there is no ExecStartPre running "nginx -t", so a broken
# configuration is only noticed when the start itself fails.
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
# HUP asks the main process to reload the configuration.
ExecReload=/bin/kill -s HUP $MAINPID
# TERM stops the main process.
ExecStop=/bin/kill -s TERM $MAINPID
# NOTE(review): no sandboxing options (for example PrivateTmp= or
# ProtectSystem=) are set; consider adding the ones this deployment tolerates.

[Install]
WantedBy=multi-user.target