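【Environment】
Compile and install Nginx on CentOS 7 / CentOS 8 / Ubuntu 18.4.
It can also be installed quickly from RPM packages, but that is not recommended, because installing new modules still requires compiling from source.
Because headers-more-nginx-module has not kept up with Nginx releases, it only supports Nginx 1.22, so it cannot be used with later versions.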
【Installation】
Install the dependencies:

    yum install -y pcre pcre-devel zlib zlib-devel

Download the Nginx source package:

    cd /root && wget http://nginx.org/download/nginx-1.22.0.tar.gz && tar zxf nginx-1.22.0.tar.gz

Configure Nginx to support HTTP/2:
Reference: https://amon.org/nginx-http2
1. Add --with-http_v2_module when compiling Nginx.
2. In nginx.conf set: listen 443 ssl http2;
Download the OpenSSL source package:
Note: Nginx repeatedly failed with an error saying it could not find OpenSSL. It turns out that what has to be specified is not the OpenSSL installation path but the OpenSSL source path, so the OpenSSL source package should be extracted inside the Nginx source directory.
Reference: https://zhidao.baidu.com/question/1515545728986614340.html
Check the current OpenSSL version:

    openssl version

If it is OpenSSL 1.0.2k:

    cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz && tar zxvf openssl-1.0.2k.tar.gz && cd openssl-1.0.2k

If it is OpenSSL 1.0.2t:

    cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz && tar zxvf openssl-1.0.2t.tar.gz && cd openssl-1.0.2t

If it is OpenSSL 1.1.1c:

    cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz && tar zxvf openssl-1.1.1c.tar.gz

If it is OpenSSL 1.1.1g:

    cd /root/nginx-1.23.0 && wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz && tar zxvf openssl-1.1.1g.tar.gz

Add the nginx group and the nginx user:

    /usr/sbin/groupadd -f nginx && /usr/sbin/useradd -g nginx nginx

Download the Nginx cache purge source package:
Reference: https://amon.org/ngx_cache_purge

    cd /root/nginx-1.23.0 && wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz && tar zxf ngx_cache_purge-2.3.tar.gz

Download the modsecurity source package:
Compile libmodsecurity first.
Reference: https://amon.org/modsecurity
Download the source into the nginx source directory:

    cd /root/nginx-1.23.0 && git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

Install the headers-more module:
Reference: https://amon.org/ngx_http_headers_more_filter_module
Download the source into the nginx source directory:

    cd /root/nginx-1.23.0 && git clone --depth 1 https://github.com/openresty/headers-more-nginx-module.git

Compile and install Nginx:
CentOS 7 (openssl-1.0.2k):

    cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2k --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2
    make && make install

CentOS 7 (openssl-1.0.2t):

    cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2t --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2
    make && make install

CentOS 8 (OpenSSL 1.1.1c):

    cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.1.1c --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2
    make && make install

CentOS 8 (OpenSSL 1.1.1g):

    cd /root/nginx-1.23.0 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.1.1g --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx --without-pcre2
    make && make install

Add nginx to the system command path:

    echo -e '\n\nexport PATH=/usr/local/nginx/sbin:$PATH\n' >> /etc/profile && source /etc/profile

Check the Nginx version:

    nginx -V
    /usr/local/nginx/sbin/nginx -V

Output on CentOS 7:

    nginx version: nginx/1.23.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
    built with OpenSSL 1.0.2t 10 Sep 2019
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2t --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx

Output on CentOS 8:

    built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
    built with OpenSSL 1.1.1d 10 Sep 2019
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.1.1d --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx

This shows that TLS SNI support is enabled.
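The nginx -V output can also be checked automatically after a build, so that a binary linked against a different OpenSSL than the one you unpacked, or built without the TLS/HTTP2 modules, is caught before it goes live. The script below is an added example, not part of the original page; its function names are hypothetical, the sample text is the CentOS 7 output shown above, and it assumes the OpenSSL source directory is named openssl-<version> as in this guide.

```shell
#!/bin/sh
# Added example: audit saved `nginx -V` output. In real use, capture it with
#   nginx -V 2> nginx-V.txt      (nginx prints this to stderr)

# Sample input: the CentOS 7 output shown on this page.
sample_V() {
    cat <<'EOF'
nginx version: nginx/1.23.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2t  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=./openssl-1.0.2t --add-module=./ngx_cache_purge-2.3 --add-dynamic-module=./headers-more-nginx-module --add-dynamic-module=./ModSecurity-nginx
EOF
}

# Version taken from the "built with OpenSSL" line, e.g. 1.0.2t
built_openssl() { awk '/^built with OpenSSL/ { print $4; exit }'; }

# Configure arguments, one per line (quoted values containing spaces are not handled).
configure_args() { sed -n 's/^configure arguments: //p' | tr -s ' ' '\n'; }

# Print each problem found; the return code is the number of problems.
check_build() {
    out=$1; problems=0
    built=$(built_openssl < "$out")
    src=$(configure_args < "$out" | sed -n 's/^--with-openssl=.*openssl-//p')
    if [ "$built" != "$src" ]; then
        echo "OpenSSL mismatch: built with '$built', --with-openssl points at '$src'"
        problems=$((problems + 1))
    fi
    for flag in --with-http_ssl_module --with-http_v2_module; do
        configure_args < "$out" | grep -Fqx -- "$flag" || {
            echo "missing configure flag: $flag"; problems=$((problems + 1)); }
    done
    grep -q '^TLS SNI support enabled' "$out" || {
        echo "TLS SNI support not enabled"; problems=$((problems + 1)); }
    return "$problems"
}

f=$(mktemp) && sample_V > "$f"
check_build "$f" && echo "build matches the intended configuration"
```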
Generate a wildcard certificate with Let's Encrypt:

    cd /root && wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto
    ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d stripe.wiki -d "*.stripe.wiki" --manual --preferred-challenges dns-01 certonly
    ./certbot-auto renew

Paths of the generated certificate files:
/etc/letsencrypt/live/stripe.wiki/fullchain.pem
/etc/letsencrypt/live/stripe.wiki/privkey.pem
Configure the Nginx application server:
Configuration path: /usr/local/nginx/conf/nginx.conf
Reference: https://amon.org/nginx-conf
Source path: /usr/local/nginx/html
Make the nginx user the owner of the program directory so that it has the permissions it needs:

    chown -R nginx:nginx /usr/local/nginx/html

Start Nginx:

    /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

If the configuration file has been modified, check that it is valid first:

    /usr/local/nginx/sbin/nginx -t

Reload Nginx:

    /usr/local/nginx/sbin/nginx -s reload

Open https://stripe.wiki/ in a browser: http redirects to https correctly, and h2 is supported.
Set nginx to start at boot:
Reference: https://amon.org/nginx-init
Nginx service setup: convert with dos2unix / set execute permission / register as a service / enable start at boot

    dos2unix /etc/init.d/nginx && chmod a+x /etc/init.d/nginx && chkconfig --add nginx && chkconfig nginx on

Check the version:

    nginx -v

Output:

    nginx version: nginx/1.23.0

【Commands】

    service nginx start
    service nginx stop
    service nginx restart
    service nginx status
    service nginx reload

【Testing】
Check the listening port:

    netstat -tulpn | grep nginx

Output:

    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11351/nginx: master

Check whether the website is reachable. It is not, because firewalld needs further configuration; stop it for now:

    service firewalld stop

Then open the IP in a browser:
Welcome to nginx!
…
【Troubleshooting】
Error: ‘ngx_http_headers_in_t’ has no member named ‘cookies’; did you mean ‘cookie’?
The error occurs during make.
Reference: https://trac.nginx.org/nginx/ticket/2358
Reference: https://github.com/arut/nginx-dav-ext-module/issues/60
As per the build output, this is a problem in the 3rd party module ngx_http_headers_more
For the record, there are multiple header-related changes in nginx 1.23.0 internal API
The 3rd party modules you are using need to be adjusted to work with nginx 1.23.0.
A patch is still pending.
Error: error: ‘pcre_malloc’ undeclared
During make, the following error is reported:

    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_pcre_malloc_init’:
    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:78:9: error: ‘pcre_malloc’ undeclared (first use in this function); did you mean ‘old_pcre_malloc’?
         if (pcre_malloc != ngx_http_modsec_pcre_malloc) {
             ^~~~~~~~~~~
             old_pcre_malloc
    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:78:9: note: each undeclared identifier is reported only once for each function it appears in
    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:82:25: error: ‘pcre_free’ undeclared (first use in this function); did you mean ‘pkey_free’?
             old_pcre_free = pcre_free;
                             ^~~~~~~~~
                             pkey_free
    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_pcre_malloc_done’:
    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:102:9: error: ‘pcre_malloc’ undeclared (first use in this function); did you mean ‘old_pcre_malloc’?
             pcre_malloc = old_pcre_malloc;
             ^~~~~~~~~~~
             old_pcre_malloc
    ./ModSecurity-nginx/src/ngx_http_modsecurity_module.c:103:9: error: ‘pcre_free’ undeclared (first use in this function); did you mean ‘pkey_free’?
             pcre_free = old_pcre_free;
             ^~~~~~~~~
             pkey_free
    make[1]: *** [objs/Makefile:1419: objs/addon/src/ngx_http_modsecurity_module.o] Error 1
    make[1]: Leaving directory '/root/nginx-1.23.0'
    make: *** [Makefile:10: build] Error 2

Reference: https://github.com/SpiderLabs/ModSecurity-nginx/issues/264
long story short – use --without-pcre2 configure argument when building connector with nginx after 1.21.5
Fix: add --without-pcre2 when running configure.
Error: An error occurred. Sorry, the page you are looking for is currently unavailable.
The nginx log shows: failed (2: No such file or directory)
On closer inspection, the website directory name was misspelled.
Error: connect() failed (111: Connection refused)
With every part of the LNMP stack configured, opening the IP shows the error page: 502 Bad Gateway
Check the log: /usr/local/nginx/logs/error.log

    connect() failed (111: Connection refused) while connecting to upstream ... upstream: "fastcgi://127.0.0.1:9000" ...

Reference: https://www.cnblogs.com/xbxxf/p/9132163.html
Fix: Nginx and PHP can be connected in two ways.
The first (source-compiled install):

    fastcgi_pass 127.0.0.1:9000;

The other (quick install):

    fastcgi_pass unix:/run/php/php-fpm.sock;

Which one to use depends on the php-fpm configuration file:
The first (source-compiled install): /usr/local/php/etc/php-fpm.d/www.conf

    listen = 127.0.0.1:9000

If listen is a port, use the first connection method.
The other (quick install): /etc/php-fpm.d/www.conf

    listen = /run/php-fpm/www.sock

The two settings must match. This case uses the second connection method; after the correction, testing passed.
Reference: https://blog.csdn.net/LY_Dengle/article/details/69568652
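The consistency rule above can be checked mechanically before reloading nginx. The script below is an added example, not part of the original page: the function names are hypothetical and the two config files are constructed samples that reproduce the mismatch from this section (nginx pointing at 127.0.0.1:9000 while php-fpm listens on a Unix socket). It assumes fastcgi_pass names an address or socket directly rather than an upstream block.

```shell
#!/bin/sh
# Added example: compare nginx fastcgi_pass targets with the php-fpm listen setting.

# Write constructed sample configs that reproduce the mismatch described above.
write_samples() {
    cat > "$1/nginx.conf" <<'EOF'
location ~ \.php$ {
    # fastcgi_pass unix:/run/php-fpm/www.sock;
    fastcgi_pass 127.0.0.1:9000;
}
EOF
    cat > "$1/www.conf" <<'EOF'
[www]
;listen = 127.0.0.1:9000
listen = /run/php-fpm/www.sock
listen.owner = nginx
EOF
}

# Active fastcgi_pass targets in an nginx config (comments ignored, ";" removed).
nginx_fastcgi_targets() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "fastcgi_pass" { sub(/;$/, "", $2); print $2 }'
}

# php-fpm pool "listen" value, written the way nginx expects it:
# a socket path becomes unix:/path, host:port is returned unchanged.
fpm_listen_target() {
    sed -e 's/[;#].*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= '$1 == "listen" { v = $2; if (v ~ /^\//) v = "unix:" v; print v; exit }'
}

# Return 0 when every fastcgi_pass matches php-fpm, 1 on a mismatch, 2 if none found.
check_fastcgi_match() {
    want=$(fpm_listen_target "$2")
    targets=$(nginx_fastcgi_targets "$1")
    [ -n "$targets" ] || { echo "no fastcgi_pass directive found in $1"; return 2; }
    rc=0
    for t in $targets; do
        if [ "$t" = "$want" ]; then
            echo "OK       fastcgi_pass $t"
        else
            echo "MISMATCH fastcgi_pass $t, but php-fpm listens on $want"
            rc=1
        fi
    done
    return $rc
}

d=$(mktemp -d) && write_samples "$d"
check_fastcgi_match "$d/nginx.conf" "$d/www.conf" || echo "make the two settings agree"
```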
Error: the “ssl” directive is deprecated, use the “listen … ssl
Reference: https://www.bbsmax.com/A/nAJvbjnGJr/
Newer versions of nginx listen for https requests in a new way. Fix:
1. listen 443 ssl;
2. Remove the ssl setting: ssl on
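Error: headers_more_filter_module.so” is not binary compatible
Reference: https://blog.csdn.net/qq_35011172/article/details/88873861
Cause: the signature embedded in the compiled third-party module does not match the nginx in use.
Fix: first run nginx -V to get the configure arguments of the current build, then copy all of those arguments and append them to:
./configure ["the configure arguments from your nginx -V"] --add-dynamic-module=/etc/pan1/fastdfs-nginx-mo, then rebuild the third-party module.
Reference: https://amon.org/headers-more-nginx-module
There are roughly two causes of this problem:
1. php-fpm is not running
Run the following command to check whether php-fpm has been started; if not, start php-fpm.
Use the command netstat -ant | grep 9000 to check for the php-fpm process, and start it if it is not running.
2. The php-fpm queue may be full
Increase pm.max_children in the php-fpm.conf configuration file, then restart php-fpm and watch the logs.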