## Nginx安装 1、使用[Nginx官方](https://nginx.org/en/)安装包 * 截至文章撰写,最新Stable版为1.26.2 * 本文使用[nginx_1.26.2-1~bookworm_amd64.deb](https://nginx.org/packages/debian/pool/nginx/n/nginx/nginx_1.26.2-1~bookworm_amd64.deb) * 本文使用[nginx-module-geoip_1.26.2-2~bookworm_amd64.deb](https://nginx.org/packages/debian/pool/nginx/n/nginx-module-geoip/nginx-module-geoip_1.26.2-2~bookworm_amd64.deb) ```shell dpkg -i nginx_1.26.2-1~bookworm_amd64.deb dpkg -i nginx-module-geoip_1.26.2-2~bookworm_amd64.deb ``` 2、自编译 未完待续 下载安装包 [nginx-1.26.2.tar.gz](https://nginx.org/download/nginx-1.26.2.tar.gz) 解压文件 ```shell tar -xvf nginx-1.26.2.tar.gz ``` 安装必备依赖 ```shell apt update -y && apt upgrade -y apt install -y build-essential openssl libssl-dev zlib1g-dev libpcre3 libpcre3-dev ``` ```shell ./configure \ --prefix=/etc/nginx \ --sbin-path=/usr/sbin/nginx \ --modules-path=/usr/lib/nginx/modules \ --conf-path=/etc/nginx/nginx.conf \ --error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --pid-path=/var/run/nginx.pid \ --lock-path=/var/run/nginx.lock \ --http-client-body-temp-path=/var/cache/nginx/client_temp \ --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ --user=nginx \ --group=nginx \ --with-compat \ --with-file-aio \ --with-threads \ --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_flv_module \ --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_mp4_module \ --with-http_random_index_module \ --with-http_realip_module \ --with-http_secure_link_module \ --with-http_slice_module \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ --with-http_v3_module \ --with-mail \ --with-mail_ssl_module \ --with-stream \ --with-stream_realip_module --with-stream_ssl_module \ --with-stream_ssl_preread_module \ --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.26.2/debian/debuild-base/nginx-1.26.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' ``` 编译 ```shell make ``` 安装 ``` make install ``` 创建系统服务文件 ```shell root@debian:~# cat /etc/systemd/system/nginx.service [Unit] Description=Nginx Service Documentation="http://nginx.org/en/docs/" After=network.target remote-fs.target nss-lookup.target [Service] Type=forking PIDFile=/usr/local/nginx/logs/nginx.pid ExecStartPre=/usr/local/nginx/sbin/nginx -t ExecStart=/usr/local/nginx/sbin/nginx ExecReload=/usr/local/nginx/sbin/nginx -s reload ExecStop=/bin/kill -s QUIT $MAINPID PrivateTmp=true LimitNOFILE=200000 [Install] WantedBy=multi-user.target ``` ## Nginx配置 检验Nginx状态是否启动,且开机自启 ```shell systemctl status nginx.service ``` 默认安装Nginx 会有如下文件 log日志: ```shell /var/log/nginx/access.log /var/log/nginx/error.log ``` conf文件 ``` /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf ``` 其它文件目录请使用如下命令查看 ``` root@nginx-center:~# nginx -V nginx version: nginx/1.26.2 built by gcc 12.2.0 (Debian 12.2.0-14) built with OpenSSL 3.0.11 19 Sep 2023 (running with OpenSSL 3.0.14 4 Jun 2024) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.26.2/debian/debuild-base/nginx-1.26.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' ``` Nginx默认监听IPV4 80端口,默认配置文件如下: ```shell root@nginx-center:~# cat /etc/nginx/conf.d/default.conf server { listen 80; server_name localhost; #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } ``` 想要监听IPV6 80端口,则在`listen 80;`下新增一行如下配置 ```shell listen [::]:80; ``` 然后重载nginx即可双栈访问 ```shell systemctl reload nginx.service ``` 如果对外提供服务,建议系统使用UFW防火墙,限制外部允许访问的端口(如ssh的22端口),并设置公钥密钥,禁止密码登录。 配置SSL的反向代理样例如下 ``` root@nginx-center:~# cat /etc/nginx/conf.d/域名.conf server { listen 10443 ssl; listen [::]:10443 ssl; http2 on; server_name 域名; # SSL证书配置 ssl_certificate 证书路径; # 替换为你的证书路径 ssl_certificate_key 私钥路径; # 替换为你的私钥路径 # HSTS 设置 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # 防止常见漏洞 add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; location / { proxy_pass http://+IP+端口; # 替换为目标服务器地址 proxy_http_version 1.1; # WebSocket 支持 proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # 返回给后端真实IP proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } ``` 拓展了解 ```txt logrotate——日志拆分 promtail+loki+grafana——Nginx监控 ``` Loading... ## Nginx安装 1、使用[Nginx官方](https://nginx.org/en/)安装包 * 截至文章撰写,最新Stable版为1.26.2 * 本文使用[nginx_1.26.2-1~bookworm_amd64.deb](https://nginx.org/packages/debian/pool/nginx/n/nginx/nginx_1.26.2-1~bookworm_amd64.deb) * 本文使用[nginx-module-geoip_1.26.2-2~bookworm_amd64.deb](https://nginx.org/packages/debian/pool/nginx/n/nginx-module-geoip/nginx-module-geoip_1.26.2-2~bookworm_amd64.deb) ```shell dpkg -i nginx_1.26.2-1~bookworm_amd64.deb dpkg -i nginx-module-geoip_1.26.2-2~bookworm_amd64.deb ``` 2、自编译 未完待续 下载安装包 [nginx-1.26.2.tar.gz](https://nginx.org/download/nginx-1.26.2.tar.gz) 解压文件 ```shell tar -xvf nginx-1.26.2.tar.gz ``` 安装必备依赖 ```shell apt update -y && apt upgrade -y apt install -y build-essential openssl libssl-dev zlib1g-dev libpcre3 libpcre3-dev ``` ```shell ./configure \ --prefix=/etc/nginx \ --sbin-path=/usr/sbin/nginx \ --modules-path=/usr/lib/nginx/modules \ --conf-path=/etc/nginx/nginx.conf \ --error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --pid-path=/var/run/nginx.pid \ --lock-path=/var/run/nginx.lock \ --http-client-body-temp-path=/var/cache/nginx/client_temp \ --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ --user=nginx \ --group=nginx \ --with-compat \ --with-file-aio \ --with-threads \ --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_flv_module \ --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_mp4_module \ --with-http_random_index_module \ --with-http_realip_module \ --with-http_secure_link_module \ --with-http_slice_module \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ --with-http_v3_module \ --with-mail \ --with-mail_ssl_module \ --with-stream \ --with-stream_realip_module --with-stream_ssl_module \ --with-stream_ssl_preread_module \ --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.26.2/debian/debuild-base/nginx-1.26.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' ``` 编译 ```shell make ``` 安装 ``` make install ``` 创建系统服务文件 ```shell root@debian:~# cat /etc/systemd/system/nginx.service [Unit] Description=Nginx Service Documentation="http://nginx.org/en/docs/" After=network.target remote-fs.target nss-lookup.target [Service] Type=forking PIDFile=/usr/local/nginx/logs/nginx.pid ExecStartPre=/usr/local/nginx/sbin/nginx -t ExecStart=/usr/local/nginx/sbin/nginx ExecReload=/usr/local/nginx/sbin/nginx -s reload ExecStop=/bin/kill -s QUIT $MAINPID PrivateTmp=true LimitNOFILE=200000 [Install] WantedBy=multi-user.target ``` ## Nginx配置 检验Nginx状态是否启动,且开机自启 ```shell systemctl status nginx.service ``` 默认安装Nginx 会有如下文件 log日志: ```shell /var/log/nginx/access.log /var/log/nginx/error.log ``` conf文件 ``` /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf ``` 其它文件目录请使用如下命令查看 ``` root@nginx-center:~# nginx -V nginx version: nginx/1.26.2 built by gcc 12.2.0 (Debian 12.2.0-14) built with OpenSSL 3.0.11 19 Sep 2023 (running with OpenSSL 3.0.14 4 Jun 2024) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.26.2/debian/debuild-base/nginx-1.26.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' ``` Nginx默认监听IPV4 80端口,默认配置文件如下: ```shell root@nginx-center:~# cat /etc/nginx/conf.d/default.conf server { listen 80; server_name localhost; #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } ``` 想要监听IPV6 80端口,则在`listen 80;`下新增一行如下配置 ```shell listen [::]:80; ``` 然后重载nginx即可双栈访问 ```shell systemctl reload nginx.service ``` 如果对外提供服务,建议系统使用UFW防火墙,限制外部允许访问的端口(如ssh的22端口),并设置公钥密钥,禁止密码登录。 配置SSL的反向代理样例如下 ``` root@nginx-center:~# cat /etc/nginx/conf.d/域名.conf server { listen 10443 ssl; listen [::]:10443 ssl; http2 on; server_name 域名; # SSL证书配置 ssl_certificate 证书路径; # 替换为你的证书路径 ssl_certificate_key 私钥路径; # 替换为你的私钥路径 # HSTS 设置 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # 防止常见漏洞 add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; location / { proxy_pass http://+IP+端口; # 替换为目标服务器地址 proxy_http_version 1.1; # WebSocket 支持 proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # 返回给后端真实IP proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } ``` 拓展了解 ```txt logrotate——日志拆分 promtail+loki+grafana——Nginx监控 ``` 最后修改:2024 年 11 月 05 日 © 允许规范转载 赞 如果觉得我的文章对你有用,请随意赞赏