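# Nginx 1.4.4 build / deployment notes (install, nginx.conf, init script,
# log rotation, TLS setup).  Reformatted one statement per line; the
# original Chinese prose is kept as comments where it stood (its encoding
# was lost upstream).  Review fixes are marked "NOTE(review)".

# ��װC++����:
yum install -y gcc gcc-c++
# �����û�����(��װPHP-FPMһ�������)
groupadd www -g 503
useradd -s /sbin/nologin -M www -u 503 -g 503

# �°�nginx��װ��
cd /root/software
####��ѹ
tar zxf pcre-8.34.tar.gz
# NOTE(review): openssl 1.0.1c is an unpatched 1.0.1 release (the 1.0.1
# series before 1.0.1g is affected by Heartbleed); build against a current
# patched tarball and keep --with-openssl pointing at it.
tar zxf openssl-1.0.1c.tar.gz
tar zxf zlib-1.2.8.tar.gz   # (����Ҫ����)
tar zxf nginx-1.4.4.tar.gz; cd nginx-1.4.4
./configure --prefix=/opt/nginx \
  --user=www --group=www \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --without-http_map_module \
  --without-http_geo_module \
  --with-http_flv_module \
  --with-http_realip_module \
  --with-pcre=/root/software/pcre-8.34 \
  --with-zlib=/root/software/zlib-1.2.8 \
  --with-http_ssl_module \
  --with-openssl=/root/software/openssl-1.0.1c \
  --with-debug
# ���û��--with-openssl=/root/software/openssl-1.0.1c����/opt/nginx/sbin/nginx -V �ܲ��TLS SNIδ�����֮���ǣ�
#   TLS SNI support enabled
# �������������Ķ��������ṩ SSL ֧��.
make
make install
# ˵���� --with-openssl��--with-pcre��ָ����Դ����������DZ���õ�Ŀ¼

# vhostĿ¼��Ŀ¼���ļ�����
# ������IP ��mini��ʱ�������ã�ֻ����һ������������
# ȫ�����������ļ�
##### ���Ժ���ʱ���ı���Ϊ����
# ---------------- /opt/nginx/conf/nginx.conf ----------------
user www www;
worker_processes 1;
#error_log logs/error.log;
error_log logs/error.log notice;
#error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 2048;
events {
    use epoll;
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 180;
    server_tokens off;
    ## Compression
    gzip on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_types text/plain application/x-javascript text/css;
    # gzip_disable "MSIE [1-6]\.";
    # gzip_vary on;
    gzip_proxied any;
    gzip_http_version 1.0;
    #upload max size
    client_max_body_size 10M;
    client_body_buffer_size 1024K;
    # client_header_buffer_size 8K;
    large_client_header_buffers 4 8K;
    # fastcgi_intercept_errors on;
    fastcgi_buffers 8 128k;
    resolver 172.31.0.2;
    # server {
    #     listen 81;
    #     server_name _;
    #     return 444;
    # }
    server {
        listen 80;
        server_name _;
        set $host_dir /opt/web/serverlist;
        charset utf-8;
        access_log logs/serverlist_access.log main;
        location / {
            root $host_dir;
        }
    }
    server {
        listen 81;
        server_name _;
        set $host_dir /opt/web/gm/web;
        charset utf-8;
        access_log logs/gm_access.log main;
        location / {
            root $host_dir;
            index index.html index.htm index.php;
        }
        location ~ \.php {
            root $host_dir;
            # NOTE(review): only hand real files to php-fpm.  Without this,
            # a request like /uploads/x.jpg/anything.php is forwarded with
            # SCRIPT_FILENAME pointing at a non-.php file, and php-fpm with
            # cgi.fix_pathinfo=1 will execute it.
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $host_dir$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~ /\.ht {
            deny all;
        }
    }
    server {
        listen 82;
        server_name _;
        set $host_dir /opt/web/payment;
        charset utf-8;
        access_log logs/payment_access.log main;
        location / {
            root $host_dir;
            index index.html index.htm index.php;
        }
        location ~ /index\.php/Server {
            root $host_dir;
            fastcgi_index index.php;
            fastcgi_pass 127.0.0.1:9000;
            include fastcgi_params;
            # Split "/index.php/Server/..." into script + PATH_INFO.
            set $path_info "";
            set $real_script_name $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                set $real_script_name $1;
                set $path_info $2;
            }
            # NOTE(review): the script part must exist on disk (see the
            # try_files comment on port 81; try_files cannot be used here
            # because $uri carries the PATH_INFO suffix).
            if (!-f $host_dir$real_script_name) {
                return 404;
            }
            fastcgi_param SCRIPT_FILENAME $host_dir/$real_script_name;
            fastcgi_param SCRIPT_NAME $real_script_name;
            fastcgi_param PATH_INFO $path_info;
            allow 219.232.246.23;
            allow 60.169.0.217;
            allow 117.28.254.130;
            # NOTE(review): "deny all" was commented out, which makes the
            # three allow rules above a no-op (nginx allows everything not
            # explicitly denied).  Re-enabled so only the listed callback
            # sources reach this endpoint.
            deny all;
        }
        location ~ \.php {
            root $host_dir;
            fastcgi_index index.php;
            fastcgi_pass 127.0.0.1:9000;
            include fastcgi_params;
            set $path_info "";
            set $real_script_name $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                set $real_script_name $1;
                set $path_info $2;
            }
            # NOTE(review): same existence check as above.
            if (!-f $host_dir$real_script_name) {
                return 404;
            }
            fastcgi_param SCRIPT_FILENAME $host_dir/$real_script_name;
            fastcgi_param SCRIPT_NAME $real_script_name;
            fastcgi_param PATH_INFO $path_info;
            allow all;
        }
        # NOTE(review): added for consistency with the port-81 server;
        # .htaccess / .htpasswd must never be served.
        location ~ /\.ht {
            deny all;
        }
    }
}
# ---------------- end nginx.conf ----------------
### ���ݽ��� ###

### ��SQLע�� ###
# �ȴ����ļ���/opt/nginx/conf/prevent-sql-injection.conf ����Ϊ��
# NOTE(review): this is a coarse keyword blocklist.  It also matches
# ordinary query strings (e.g. "count+items", "show+all") and is trivially
# bypassed by other encodings; treat it as a logging/noise filter, not as a
# control.  The actual protection has to be parameterized queries in the
# PHP code behind :9000.
if ($request_uri ~* "((union|select|insert|delete|update|drop|show|count|master|truncate|declare|exec|\*)(\%20|\+))|\%20and\%20") {
    return 403;
}
# �������IJ����������������Ƿ����˵�����URL�ķ�����ע�����������һ������
awk '{ print $7; }' /opt/nginx/logs/*.log | egrep -i "((union|select|insert|delete|update|drop|show|count|master|truncate|declare|exec|\*)(\%20|\+))|\%20and\%20"
# ÿ��server�����ӣ�
#   include prevent-sql-injection.conf;
# ��
#   include /opt/nginx/conf/prevent-sql-injection.conf;

# ����nginx 107��Ŀ��WEBĿ��ʼ����ʾ����
mkdir -p /opt/web/{serverlist,gm/web,payment}
chown www:www -R /opt/web

### �ճ����� ##############3
/opt/nginx/sbin/nginx -s reload   # ���¼������ã��������ӽ���
/opt/nginx/sbin/nginx -s stop     # ֹͣ
/opt/nginx/sbin/nginx -s quit     # �˳�
# �ϰ�ʹ����������°�ĵ�ȻҲ�����ã�
killall -s HUP nginx   # -------------���¼�������
# killall -s TERM ��INT nginx -----------���ٹرճ�����ֹ��ǰ���ڴ���������
# killall -s QUIT nginx ----------------�����굱ǰ����رճ���
# ����������
#   -c��ʹ�����������ļ�
#   -v����ʾ nginx �汾�š�
#   -V����ʾ nginx �İ汾���Լ����뻷����Ϣ�Լ�����ʱ�IJ�����

### ����ϵͳ������ ###############
# �༭ /etc/rc.local�����������У�
/opt/nginx/sbin/nginx
# ������ϵͳ����
# ����ϵͳ���� ##########
# vi /etc/rc.d/init.d/nginx
# �ű����ݣ�
# ---------------- /etc/rc.d/init.d/nginx ----------------
#!/bin/bash
# Comments to support chkconfig on Linux
# chkconfig: 35 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="nginx daemon"
NAME=nginx
DAEMON=/opt/nginx/sbin/$NAME
SCRIPTNAME=/etc/init.d/$NAME
test -x "$DAEMON" || exit 0
# Each action prints a short status fragment when the daemon call fails;
# the case arm below finishes the line.
d_start() {
  "$DAEMON" || echo -n " already running"
}
d_stop() {
  "$DAEMON" -s quit || echo -n " not running"
}
d_reload() {
  "$DAEMON" -s reload || echo -n " could not reload"
}
case "$1" in
  start)
    echo -n "Starting $DESC:$NAME"
    d_start
    echo "."
    ;;
  stop)
    echo -n "Stopping $DESC:$NAME"
    d_stop
    echo "."
    ;;
  reload)
    echo -n "Reloading $DESC configuration..."
    d_reload
    echo "reloaded."
    ;;
  restart)
    echo -n "Restarting $DESC: $NAME"
    d_stop
    # "-s quit" returns before the workers are gone; give them a moment
    # before starting a new master.
    sleep 2
    d_start
    echo "."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|reload}" >&2
    exit 3
    ;;
esac
exit 0
# ---------------- end init script ----------------
# �ű����ݽ���
chmod +x /etc/rc.d/init.d/nginx
chkconfig --add nginx
chkconfig --level 2345 nginx on

#### ��־�и�� #####
# vi /root/sh/nginx_cut_log.sh
# �ű����ݣ�
# ---------------- /root/sh/nginx_cut_log.sh ----------------
#!/bin/bash
#History
######################################################
# touch /root/sh/nginx_cut_log.sh; chmod u+x /root/sh/nginx_cut_log.sh
# 00 0 * * * root /root/sh/nginx_cut_log.sh >> /root/sh/nginx_cut_log.log 2>&1
#
# Moves every *.log in the nginx log directory into a dated archive under
# logs_bakpath/YYYY/MM, tells nginx to reopen its logs, gzips the archives,
# then prunes the month directory 4 months back and any archive older than
# deldays.  Runs from root's crontab; all diagnostics go to stdout.
set -u
########## variable #######################################
nginx_dir=/opt/nginx
nginx_log_dir=/opt/nginx/logs
logs_bakpath=/opt/data_bak/nginx_log
export LANG=C
export LC_ALL=C
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Date stamp for the archived files: the logs being rotated were written
# yesterday.  Computed once instead of per file.
stamp=$(date -d "yesterday" +"%Y%m%d")
year=$(date -d "yesterday" +"%Y")
month=$(date -d "yesterday" +"%m")
# NOTE(review): the month directory to drop.  Year and month come from the
# same reference date; the original took the year from "3 months ago" and
# the month from "4 months ago", which pointed at a non-existent (or wrong)
# directory across a year boundary.  4 months back is used because every
# file in that directory is then older than deldays.  Anchoring on the 15th
# avoids GNU date's end-of-month rollover when subtracting months.
del_ref=$(date -d "$(date +%Y-%m-15) -4 months" +"%Y/%m")
delyear=${del_ref%/*}
delmonth=${del_ref#*/}
deldays=90
cut_log_path=${logs_bakpath}/${year}/${month}

# Timestamped progress line, same shape as the original `date` echoes.
log() {
  printf '%s %s\n' "$(date)" "$*"
}

####### do ##############################################
if [ ! -d "$cut_log_path" ]; then
  mkdir -p "$cut_log_path" || { log "cannot create $cut_log_path, exit"; exit 1; }
fi
echo ""
echo ""
log "start."
echo "##################################"
#### move yesterday logs ####
log "move yesterday logs."
if [ ! -d "$nginx_log_dir" ]; then
  echo "log backup directory does not exist, exit"
  exit 1
fi
cd "$nginx_log_dir" || exit 1
# NOTE(review): the log names are collected with a glob into an array
# instead of `ls | grep | awk > /tmp/nginxloglist.txt`: the fixed,
# world-writable /tmp path was read back twice by a root cron job, and
# `grep ".log"` also matched anything merely containing "log".
shopt -s nullglob
lognames=()
for f in *.log; do
  lognames+=("${f%.log}")
done
shopt -u nullglob
for logfilename in "${lognames[@]}"; do
  mv -- "${logfilename}.log" "${cut_log_path}/${logfilename}_${stamp}.log"
done
#### nginx reopen log ####
# nginx keeps writing to the moved inodes until it is told to reopen.
if [ -r "${nginx_dir}/logs/nginx.pid" ]; then
  kill -USR1 "$(cat "${nginx_dir}/logs/nginx.pid")" || log "could not signal nginx, logs not reopened."
else
  log "nginx.pid not found, logs not reopened."
fi
#or
#${nginx_dir}/sbin/nginx -s reopen
### gzip ###
for logfilename in "${lognames[@]}"; do
  gzip -- "${cut_log_path}/${logfilename}_${stamp}.log"
done
#### Delete 3 months before the log ####
# NOTE(review): the original did `cd "$logs_bakpath/$delyear"` unchecked and
# then `rm -rf "$delmonth"`; when the year directory was missing the rm ran
# against the current directory instead.  Use the full path and :? guards.
if [ -d "${logs_bakpath}/${delyear}/${delmonth}" ]; then
  rm -rf -- "${logs_bakpath:?}/${delyear:?}/${delmonth:?}"
  log "Delete ${logs_bakpath}/${delyear}/${delmonth}"
else
  log "Did not delete the directory."
fi
if [ -d "$logs_bakpath" ]; then
  cd "$logs_bakpath" || exit 1
  log "Deletes the file list."
  # NOTE(review): archives are gzipped above, so the original pattern
  # "*.log" never matched them and the age-based prune was a no-op.
  find "$logs_bakpath" -maxdepth 3 -type f \( -name "*.log" -o -name "*.log.gz" \) -mtime +"$deldays"
  find "$logs_bakpath" -maxdepth 3 -type f \( -name "*.log" -o -name "*.log.gz" \) -mtime +"$deldays" -print0 \
    | xargs -0 -r rm -f --
else
  log "Log directory does not exist, exit."
  exit
fi
# ---------------- end nginx_cut_log.sh ----------------
### �ű����ݽ��� ###
chmod u+x /root/sh/nginx_cut_log.sh
# ���Զ�����ÿ���賿ִ�У��м�����0��0��0�룺
# vi /etc/crontab
# 00 0 * * * root /root/sh/nginx_cut_log.sh >> /root/sh/nginx_cut_log.log 2>&1
# ��������
service nginx start

########################################
##### nginx https ssl���� ���� #####
########################################
##### nginx ����https ssl #####
mkdir /opt/nginx/ssl
cd /opt/nginx/ssl
# NOTE(review): private keys live here; keep the directory and key files
# readable by root only (nginx reads them as root before dropping to www).
chmod 700 /opt/nginx/ssl
# ����RSA��Կ��
# openssl genrsa -out rsa_key.pem 2048
# ---openssl genrsa ��������rsa˽Կ�ļ�,ָ������Ϊ2048��-f 3/4��ָ���㷨��-passout pass:123���ɵ�rsa˽Կ�ļ�ʩ�����뱣��
# ����һ��֤������
# openssl req -new -key rsa_key.pem -out cert.csr
# //����ʾ����ʡ�ݡ����С�������Ϣ�ȣ���Ҫ���ǣ�email һ��Ҫ��������������������������ļ�ȥ����֤��䷢��������CA������һ������֤�顣CA�����һ���µ��ļ�cacert.pem���Dz����������֤�顣
# �������ʽ������������Ҫ���ո����ɵ�pem��csr����֤�鷢�������������һЩ�ļ�����Ȼ��key,������Լ������ԣ��Ϳ����������������������֤�飺
# openssl req -new -x509 -nodes -days 36500 -out server.crt -keyout server.key
# --���Ի������õ���һ�������
# NOTE(review): KEY_SIZE raised from 1024 to 2048 to match the genrsa
# commands below; 1024-bit RSA is below current minimums.
export KEY_SIZE=2048
export KEY_COUNTRY=CN
export KEY_PROVINCE=ChongQing
export KEY_CITY=ChongQing
export KEY_OU="system"
export KEY_ORG="Soonyo Technology Co., Ltd."
export KEY_EMAIL="zhaoyn@soonyo.com"

### ����֤�����ǩ֤��ķ��� ####
# �����ɷ�������˽Կ��
openssl genrsa -out server.key 2048
# ������
openssl genrsa -des3 -out server.key 2048 -conf=openssl.cnf
# ����ʱ����ʾ��������,���������ڼ���key�ļ�(����des3����ָ�����㷨,��ȻҲ����ѡ����������Ϊ��ȫ���㷨.),�Ժ�ÿ�����ȡ���ļ�(ͨ��openssl�ṩ�������API)�����������.������ò�����,Ҳ����ȥ���������,��һ��Ҫ��ȡ�����ı�����ʩ!
# ȥ��key�ļ����������:
openssl rsa -in server.key -out server.key
# ������ǩ�����루ע���Common Name�������Ϊ�գ�Common Name����Ϊ��������ip����������
# ����Certificate Signing Request��CSR��,���ɵ�csr�ļ�����CAǩ�����γɷ�����Լ���֤��.��Ļ�Ͻ�����ʾ,������ָʾһ��һ������Ҫ��ĸ�����Ϣ����
openssl req -new -out server.csr -key server.key
# ������CA˽Կ
openssl genrsa -out ca.key 2048
# ������CA��˽Կ����CA����ǩ��֤�飨ע���Common Name��organizationName�������Ϊ�գ�Common Name����Ϊ��������ip�����������������֣��� organizationName�������һ��һ�£��� .CSR�ļ�������CA��ǩ���ſ��γ�֤��.�ɽ����ļ����͵�verisign�ȵط�������֤,Ҫ��һ���Ǯ,�β��Լ���CA��
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# ��CAΪ��վ������ǩ��֤�飺
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

# nginx���ã�
server {
    listen 443;
    server_name t1-test.soonyo.com;
    # NOTE(review): was "utf_8", which is not a registered charset name and
    # differs from the "utf-8" used by every other server block.
    charset utf-8;
    access_log logs/t1_softdown.log main;
    set $host_dir /opt/web/t1/test/gamehttp;
    ssl on;
    ssl_certificate /opt/nginx/ssl/server.crt;
    ssl_certificate_key /opt/nginx/ssl/server.key;
    ssl_session_timeout 30s;
    # NOTE(review): replaced "SSLv2 SSLv3 TLSv1" and the
    # "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" suite.
    # SSLv2/SSLv3 and the LOW/EXP/RC4 groups are broken; an openssl 1.0.1
    # build supports TLS 1.2.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW;
    ssl_prefer_server_ciphers on;
    location / {
        root $host_dir;
        index index.html;
    }
}
# �����
# �ϲ�HTTP/HTTPS����
# ��ʽ��
server {
    listen 80;
    listen 443 ssl;
    #ssl on;   ##������� 443��80�����Է��ʵĻ�������Ҫ ע�� SSL on
    ssl_certificate /opt/nginx/ssl/server.crt;
    ssl_certificate_key /opt/nginx/ssl/server.key;
}

####pfx֤��ֱ��ת��#####
openssl pkcs12 -in _.54.com.pfx -nocerts -nodes -out _.54.com.key
openssl pkcs12 -in _.54.com.pfx -clcerts -nokeys -out _.54.com.crt

####��������
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}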