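【Environment】
Compile and install Nginx on CentOS 7 / CentOS 8 / Ubuntu 18.4.
It can also be installed quickly from an RPM package, but that is not recommended, because installing new modules still requires compiling from source.
Because headers-more-nginx-module has not kept up with updates, it only supports Nginx 1.22, so it cannot be used after that.
【Installation】
Install the dependencies: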
yum install -y pcre pcre-devel zlib zlib-devel
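Download the Nginx source package:
cd /root && wget http://nginx.org/download/nginx-1.22.0.tar.gz && tar zxf nginx-1.22.0.tar.gz
Note: the commands that follow work in /root/nginx-1.23.0; use the directory name of the version you actually unpacked.
Configure Nginx to support HTTP/2:
Reference: https://amon.org/nginx-http2
1. Add --with-http_v2_module when compiling Nginx
2. In nginx.conf set: listen 443 ssl http2;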
Download the OpenSSL source package:
Note: Nginx repeatedly failed with an error saying OpenSSL could not be found. It turns out that what must be specified is not the OpenSSL installation path but the path of the OpenSSL source tree; the OpenSSL source package should therefore be unpacked inside the Nginx source directory.
Reference: https://zhidao.baidu.com/question/1515545728986614340.html
Check the current OpenSSL version:
openssl version
If it is OpenSSL 1.0.2k:
cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz && tar zxvf openssl-1.0.2k.tar.gz && cd openssl-1.0.2k
If it is OpenSSL 1.0.2t:
cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz && tar zxvf openssl-1.0.2t.tar.gz && cd openssl-1.0.2t
If it is OpenSSL 1.1.1c:
cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz && tar zxvf openssl-1.1.1c.tar.gz
If it is OpenSSL 1.1.1g:
cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz && tar zxvf openssl-1.1.1g.tar.gz
Add the nginx group and the nginx user:
/usr/sbin/groupadd -f nginx && /usr/sbin/useradd -g nginx nginx
Download the Nginx cache purge source package:
Reference: https://amon.org/ngx_cache_purge
cd /root/nginx-1.23.0 && wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz && tar zxf ngx_cache_purge-2.3.tar.gz
Download the modsecurity source package:
Compile libmodsecurity first.
Reference: https://amon.org/modsecurity
Download the source into the nginx source directory:
cd /root/nginx-1.23.0 && git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
Install the headers-more module:
Reference: https://amon.org/ngx_http_headers_more_filter_module
Download the source into the nginx source directory:
cd /root/nginx-1.23.0 && git clone --depth 1 https://github.com/openresty/headers-more-nginx-module.git
Compile and install Nginx:
CentOS 7 environment (openssl-1.0.2k):
cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2k --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2 && make && make install
CentOS 7 environment (openssl-1.0.2t):
cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2t --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2 && make && make install
CentOS 8 environment (OpenSSL 1.1.1c):
cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.1.1c --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2 && make && make install
CentOS 8 environment (OpenSSL 1.1.1g):
cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.1.1g --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2 && make && make install
Add nginx to the system PATH:
echo -e '\n\nexport PATH=/usr/local/nginx/sbin:$PATH\n' >> /etc/profile && source /etc/profile
Check the Nginx version:
nginx -V
/usr/local/nginx/sbin/nginx -V
Output on CentOS 7:
nginx version: nginx/1.23.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2t 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2t --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx
Output on CentOS 8:
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.1.1d --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx
As the output shows, TLS SNI support is enabled.
Generate a wildcard certificate with Let’s Encrypt:
cd /root && wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d stripe.wiki -d "*.stripe.wiki" --manual --preferred-challenges dns-01 certonly
./certbot-auto renew
Paths of the generated certificate files:
/etc/letsencrypt/live/stripe.wiki/fullchain.pem
/etc/letsencrypt/live/stripe.wiki/privkey.pem
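Configure the Nginx application server:
Configuration path: /usr/local/nginx/conf/nginx.conf
Reference: https://amon.org/nginx-conf
Site source path: /usr/local/nginx/html
Give the nginx user permissions on the application directory:
chown -R nginx:nginx /usr/local/nginx/html
Start Nginx:
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
If the configuration file has been modified, check it for correctness first:
/usr/local/nginx/sbin/nginx -t
Restart (reload) Nginx:
/usr/local/nginx/sbin/nginx -s reload
Open https://stripe.wiki/ in a browser: http redirects to https correctly, and h2 is supported.
Set nginx to start at boot:
Reference: https://amon.org/nginx-init
Nginx service setup: dos2unix conversion / set execute permission / register as a service / enable start at boot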
dos2unix /etc/init.d/nginx && chmod a+x /etc/init.d/nginx && chkconfig --add nginx && chkconfig nginx on
Check the version:
nginx -v
Output:
nginx version: nginx/1.23.0
【Commands】
service nginx start
service nginx stop
service nginx restart
service nginx status
service nginx reload
【Testing】
Check the listening ports:
netstat -tulpn | grep nginx
Output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11351/nginx: master
Check whether the website is reachable. It is not, because firewalld needs further configuration; stop it for now:
service firewalld stop
Then visit the IP in a browser:
Welcome to nginx!
…
【Troubleshooting】
Error: ‘ngx_http_headers_in_t’ has no member named ‘cookies’; did you mean ‘cookie’?
This error is reported during make.
Reference: https://trac.nginx.org/nginx/ticket/2358
Reference: https://github.com/arut/nginx-dav-ext-module/issues/60
As per the build output, this is a problem in the 3rd party module ngx_http_headers_more.
For the record, there are multiple header-related changes in nginx 1.23.0 internal API.
The 3rd party modules you are using need to be adjusted to work with nginx 1.23.0.
Awaiting a patch.
Error: error: ‘pcre_malloc’ undeclared
During make, the following error is reported:
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_pcre_malloc_init’:
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:78:9: error: ‘pcre_malloc’ undeclared (first use in this function); did you mean ‘old_pcre_malloc’?
     if (pcre_malloc != ngx_http_modsec_pcre_malloc) {
         ^~~~~~~~~~~
         old_pcre_malloc
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:78:9: note: each undeclared identifier is reported only once for each function it appears in
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:82:25: error: ‘pcre_free’ undeclared (first use in this function); did you mean ‘pkey_free’?
         old_pcre_free = pcre_free;
                         ^~~~~~~~~
                         pkey_free
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_pcre_malloc_done’:
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:102:9: error: ‘pcre_malloc’ undeclared (first use in this function); did you mean ‘old_pcre_malloc’?
         pcre_malloc = old_pcre_malloc;
         ^~~~~~~~~~~
         old_pcre_malloc
./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:103:9: error: ‘pcre_free’ undeclared (first use in this function); did you mean ‘pkey_free’?
         pcre_free = old_pcre_free;
         ^~~~~~~~~
         pkey_free
make[1]: *** [objs/Makefile:1419: objs/addon/src/ngx_http_modsecurity_module.o] Error 1
make[1]: Leaving directory '/root/nginx-1.23.0'
make: *** [Makefile:10: build] Error 2
Reference: https://github.com/SpiderLabs/ModSecurity-nginx/issues/264
long story short – use --without-pcre2 configure argument when building connector with nginx after 1.21.5
Fix: add --without-pcre2 when running configure.
Error: An error occurred. Sorry, the page you are looking for is currently unavailable.
Checking the nginx log shows: failed (2: No such file or directory)
On closer inspection, the website directory name had been misspelled.
Error: connect() failed (111: Connection refused)
With all LNMP components configured, opening the IP in a browser shows the error page: 502 Bad Gateway
Check the log: /usr/local/nginx/logs/error.log
connect() failed (111: Connection refused) while connecting to upstream ... upstream: "fastcgi://127.0.0.1:9000"...
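Reference: https://www.cnblogs.com/xbxxf/p/9132163.html
Fix: Nginx and PHP can be connected in two ways.
The first (source-compiled installation):
fastcgi_pass 127.0.0.1:9000;
The other (quick installation):
fastcgi_pass unix:/run/php/php-fpm.sock;
Which one to use depends on the php-fpm configuration file:
The first (source-compiled installation): /usr/local/php/etc/php-fpm.d/www.conf
listen = 127.0.0.1:9000
If listen is a port, use the first connection method.
The other (quick installation): /etc/php-fpm.d/www.conf
listen = /run/php-fpm/www.sock
The two must match. This case uses the second connection method; after the correction, testing succeeded.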
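One way to check that the two settings agree before reloading, as an added example that is not part of the original page: a POSIX shell check that compares every fastcgi_pass target in an nginx config with the listen value of a php-fpm pool file. The function names and the sample files built by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every nginx
# fastcgi_pass target equals a php-fpm "listen" value.

# Print the value of each active "listen = ..." line in a php-fpm pool file.
# Lines starting with ';' are comments; listen.owner etc. are not matched.
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*$/\1/p' "$1"
}

# Print each fastcgi_pass target in an nginx config, minus the "unix:" prefix.
nginx_fastcgi_targets() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*$/\1/p' "$1" |
        sed 's/^unix://'
}

# Exit status: 0 = all targets match, 1 = mismatch, 2 = nothing to compare.
check_fastcgi_match() {
    listens=$(fpm_listen "$2")
    targets=$(nginx_fastcgi_targets "$1")
    if [ -z "$listens" ] || [ -z "$targets" ]; then
        echo "missing listen or fastcgi_pass directive"
        return 2
    fi
    rc=0
    for target in $targets; do
        if printf '%s\n' "$listens" | grep -qxF -- "$target"; then
            echo "OK: fastcgi_pass $target"
        else
            echo "MISMATCH: fastcgi_pass $target, php-fpm listens on $listens"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a TCP fastcgi_pass against a socket-based pool.
demo() {
    d=$(mktemp -d)
    printf 'location ~ \\.php$ {\n    fastcgi_pass 127.0.0.1:9000;\n}\n' > "$d/nginx.conf"
    printf ';listen = 127.0.0.1:9000\nlisten = /run/php-fpm/www.sock\nlisten.owner = nginx\n' > "$d/www.conf"
    check_fastcgi_match "$d/nginx.conf" "$d/www.conf"; status=$?
    rm -rf "$d"
    return $status
}
demo || echo "fix fastcgi_pass or listen so both name the same endpoint"
```

The comparison is textual, so a pool that listens on a bare port number is reported as a mismatch against 127.0.0.1:9000 and needs a manual look.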
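Reference: https://blog.csdn.net/LY_Dengle/article/details/69568652
Error: the “ssl” directive is deprecated, use the “listen … ssl
Reference: https://www.bbsmax.com/A/nAJvbjnGJr/
Newer versions of nginx listen for https requests in a new way. Solution:
1. listen 443 ssl;
2. Remove the ssl directive: ssl on
Error: headers_more_filter_module.so” is not binary compatible
Reference: https://blog.csdn.net/qq_35011172/article/details/88873861
Cause: the signature embedded in the compiled third-party module does not match the nginx in use.
Fix: first use nginx -V to obtain the configure arguments of the current build, then copy all of them and add them to:
./configure [“the configure arguments from your nginx -V”] --add-dynamic-module=/etc/pan1/fastdfs-nginx-mo, then rebuild the third-party module.
Reference: https://amon.org/headers-more-nginx-module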
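The rebuild described above, as an added example rather than code from the original page or the nginx project: it reads the configure arguments from nginx -V output, refuses to continue when the source tree's version differs from the running binary, and prints the command that rebuilds the module. The function names and the sample -V text are constructed; the source version is read from the NGINX_VERSION define in src/core/nginx.h.

```shell
#!/bin/sh
# Added example (not from the original page): derive the ./configure command
# for rebuilding a dynamic module against the running nginx.

# Constructed sample: `nginx -V` output in the shape shown on this page.
# Real usage: nginx -V 2>&1 (nginx prints -V output on stderr).
SAMPLE_V='nginx version: nginx/1.23.0
built with OpenSSL 1.0.2t  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-openssl=./openssl-1.0.2t --add-dynamic-module=./ModSecurity-nginx'

# Version of the running binary, e.g. 1.23.0
running_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*$|\1|p'
}

# Version of a source tree, read from the NGINX_VERSION define in nginx.h
source_version() {
    sed -n 's/^#define[[:space:]]*NGINX_VERSION[[:space:]]*"\([0-9.]*\)".*$/\1/p' "$1/src/core/nginx.h"
}

# Original configure arguments, exactly as the binary was built.
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# Print the rebuild command; refuse when source and binary versions differ.
# $1 = nginx -V text, $2 = nginx source dir, $3 = module source dir
rebuild_command() {
    run=$(running_version "$1"); src=$(source_version "$2")
    if [ "$run" != "$src" ]; then
        echo "version mismatch: binary $run, source $src" >&2
        return 1
    fi
    args=$(configure_args "$1")
    case " $args " in
        *" --add-dynamic-module=$3 "*) ;;           # module already configured
        *) args="$args --add-dynamic-module=$3" ;;
    esac
    echo "./configure $args && make modules"
}

# Usage on a real host (paths as used on this page):
# rebuild_command "$(nginx -V 2>&1)" /root/nginx-1.23.0 ./headers-more-nginx-module
```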
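There are roughly two causes of this problem (the connect() failed / 502 Bad Gateway error above):
1. php-fpm is not running
Run the following command to check whether php-fpm has been started; if it has not, start php-fpm.
Use netstat -ant | grep 9000 to check for the php-fpm process; if it is not running, start it.
2. The php-fpm queue may be full
Increase pm.max_children in the php-fpm.conf configuration file, then restart php-fpm and watch the logs.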