172173.com


Building nginx from Sources

http://nginx.org/en/docs/configure.html

  • 下载对应版本的源码包。

    $ cd /usr/local/src
    $ sudo wget http://nginx.org/download/nginx-1.12.0.tar.gz
    $ sudo wget https://ftp.pcre.org/pub/pcre/pcre-8.40.tar.gz
    $ sudo wget http://zlib.net/zlib-1.2.11.tar.gz
    
  • 同级目录解压。

    $ sudo tar xf nginx-1.12.0.tar.gz
    $ sudo tar xf pcre-8.40.tar.gz
    $ sudo tar xf zlib-1.2.11.tar.gz
    
  • 安装相关的编译依赖包

    $ sudo apt-get -y install autoconf automake build-essential pkg-config \
        libperl-dev libxml2 libxslt1-dev libgeoip-dev zlib1g-dev
    
  • 创建nginx用户,并禁止其登陆

    $ sudo useradd -s /sbin/nologin nginx
    
  • 编译安装

     $ sudo cd /usr/local/src/nginx-1.12.0
     $ sudo ./configure --user=nginx --group=nginx \
         --prefix=/usr/local/nginx-1.12.0 \
         --conf-path=/usr/local/nginx-1.12.0/conf/nginx.conf \
         --pid-path=/var/log/nginx/nginx.pid \
         --with-pcre=../pcre-8.40 \
         --with-zlib=../zlib-1.2.11 \
         --with-stream \
         --with-stream_ssl_module \
         --with-http_ssl_module \
         --with-http_v2_module \
         --with-http_geoip_module \
         --with-http_realip_module \
         --with-http_xslt_module \
         --with-file-aio \
         --with-http_perl_module \
         --with-http_auth_request_module \
         --with-http_gzip_static_module \
         --with-http_secure_link_module \
         --with-http_sub_module \
         --with-http_stub_status_module
    $ sudo make && make install
    $ sudo ln -s /usr/local/nginx-1.12.0 /usr/local/nginx
    
  • 调整配置文件

    $ sudo vim /usr/local/nginx/conf/nginx.conf
    user                  nginx nginx;
    worker_processes      auto;
    
    ## Binds worker processes to the sets of CPUs. 
    ## Each CPU set is represented by a bitmask of allowed CPUs. There should be a separate set defined for each of the worker processes. 
    ## By default, worker processes are not bound to any specific CPUs.
    worker_cpu_affinity   auto;
    error_log             /var/log/nginx/error.log  notice;
    pid                   /var/log/nginx/nginx.pid;
    
    ## Specifies the value for maximum file descriptors that can be opened by this process.
    worker_rlimit_nofile  51200;
    
    events
    {
        use epoll;
    
        ## Sets the maximum number of simultaneous connections that can be opened by a worker process.
        ## It should be kept in mind that this number includes all connections (e.g. connections with proxied servers, among others), not only connections with clients. Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed by worker_rlimit_nofile.
    
        ## maxclient = worker_processes * worker_connections / cpu_number
        worker_connections 30000;
    }
    
    http
    {
        include       mime.types;
        default_type  application/octet-stream;
        log_format    weblog  '$http_x_forwarded_for $remote_port "$request" $status [$time_local] '
                            '"$http_user_agent" "$http_referer" $body_bytes_sent '
                            '$remote_addr $gzip_ratio';
    
        sendfile           on;
        server_tokens      off;
        tcp_nopush         on;
        tcp_nodelay        on;
        keepalive_timeout  60;
        request_pool_size  4k;
    
        ## Allows accurate tuning of per-connection memory allocations. 
        ## This directive has minimal impact on performance and should not generally be used. 
        ## By default, the size is equal to 256 bytes on 32-bit platforms and 512 bytes on 64-bit platforms.
        connection_pool_size            512;
    
        client_header_timeout           3m;
        client_body_timeout             3m;
        send_timeout                    3m;
        client_header_buffer_size       256k;
        large_client_header_buffers     4 1024k;
        client_max_body_size            10m;
        client_body_buffer_size         256k;
        output_buffers                  4 32k;
        postpone_output                 1460;
        server_names_hash_bucket_size   128;
    
        fastcgi_connect_timeout        180s;
        fastcgi_send_timeout           180s;
        fastcgi_read_timeout           180s;
        fastcgi_buffer_size            2048k;
        fastcgi_buffers                4 1024k;
        fastcgi_busy_buffers_size      2048k;
        fastcgi_temp_file_write_size   2048k;
    
        gzip                  on;
        gzip_http_version     1.1;
        gzip_comp_level       2;
        gzip_min_length       1100;
        gzip_buffers          16 8k;
        gzip_vary             on;
        gzip_proxied          expired no-cache no-store private auth;
        gzip_types            text/plain text/css application/json text/xml application/xml application/xml+rss text/javascript application/javascript application/x-javascript;
    
        ## The following includes are specified for virtual hosts
        include          vhosts/*.conf;
    }
    
server
{
    listen  443 ssl default; 
    # server_name silent.live www.silent.live blog.silent.live devops.silent.live;
    server_name silent.live www.silent.live;
    root  /data/wwwroot/silent.live/webroot;
    index index.shtml index.html;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/silent.live/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/silent.live/privkey.pem;

    ## Specifies that server ciphers should be preferred over client ciphers when the SSLv3 and TLS protocols are used.
    ssl_prefer_server_ciphers on;
    # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /usr/local/nginx/sslkey/dh_ssl/nginx_dh_2048.pem;

    ## The special value auto (1.11.0) instructs nginx to use a list built into the OpenSSL library when using OpenSSL 1.0.2 or higher, or prime256v1 with older versions.
    ## Prior to version 1.11.0, the prime256v1 curve was used by default.
    ssl_ecdh_curve auto;

    ## This will create a cache shared between all worker processes.
    ## The cache size is specified in bytes (in this example: 50 MB).
    ## According to the Nginx documentation can 1MB store about 4000 sessions, so for this example, we can store about 200000 sessions, and we will store them for 180 minutes.
    ## If you expect more traffic, increase the cache size accordingly.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    ## Requires nginx >= 1.5.9
    ssl_session_tickets off;
    # ssl_session_ticket_key /usr/local/nginx/sslkey/tls_session/tls_session_ticket.key;

    ## OCSP Stapling, Requires nginx >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs.
    # ssl_trusted_certificate /path/to/signed_cert_plus_intermediates;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssi on; 
    ssi_silent_errors off;
    ssi_types text/shtml;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {   
        expires 30d;
        access_log off;
    }   

    location = /favicon.ico {
        rewrite (.*) /static/favicon.ico;
    }

    # location = /robots.txt {
    #     rewrite (.*) /static/robots.txt;
    # }

    location / {
        add_header Cache-Control no-cache;

        ## HSTS
        # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header Strict-Transport-Security "max-age=63072000";

        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
    }

error_page 404 /static/404.html;

access_log  /data/httplog/silent.live_access_ssl.log weblog;
error_log   /data/httplog/silent.live_error_ssl.log;
}

 评论