1, Environment description
Serial number | Operating system (version) | Basic software (version) |
---|---|---|
001 | CentOS/RedHat/Oracle Linux 6/7 x86_64 | nginx 1.18.0 |
The Nginx server implements the following scenarios and requirements:
(1) Static resource server over HTTP, with TLS (HTTPS) support.
(2) HTTP reverse proxy server, with TLS (HTTPS) support.
(3) HTTP/HTTPS forward proxy server.
(4) TCP reverse proxy (layer-4 forwarding).
(5) UDP reverse proxy (layer-4 forwarding).
The scenarios above can run on one server at the same time or be split across servers by function.
2, Software installation
Depending on functional requirements, official and third-party modules can be added to Nginx at compile time, the latest security patches applied, and unused modules disabled.
2.1 Dependent libraries and versions
As of August 20, 2020, the latest stable version released by NGINX is 1.18.0. Several NGINX modules depend on common tool libraries. In principle these libraries should not be taken from the operating system but packaged and released together with the compiled NGINX, so that they can be updated and recompiled promptly. The three libraries below are required by the selected components; the corresponding versions have been placed in the src directory of the NGINX source tree so they can be compiled at any time.
- PCRE: regular expression support, used by the NGINX core and the Rewrite module.
- zlib: response compression, used by the Gzip module.
- OpenSSL: TLS/HTTPS support, used by the SSL modules and others.
Caveat: because these libraries are linked statically into the nginx binary, an OpenSSL or PCRE security fix is only picked up by rebuilding and redeploying nginx; updating the operating system's openssl package does nothing for this binary. Track the bundled versions (nginx -V prints the OpenSSL version the binary was built with) and rebuild when they fall behind.
2.2 installation module selection
Nginx source code download page: http://nginx.org/download/ . Basic principle of module selection: build the minimum set that meets the needs of the production configuration. On top of that minimum set, modules can be customized, third-party modules added, and modules for special system requirements included.
The minimum set of modules is listed below (checked items are included):
[x] http_access_module | [ ] http_auth_basic_module | [ ] http_autoindex_module |
---|---|---|
[x] http_browser_module | [x] http_charset_module | [ ] http_empty_gif_module |
[ ] http_fastcgi_module | [x] http_geo_module | [x] http_gzip_module |
[x] http_limit_conn_module | [x] http_limit_req_module | [x] http_map_module |
[ ] http_memcached_module | [x] http_proxy_module | [x] http_referer_module |
[x] http_rewrite_module | [ ] http_scgi_module | [ ] http_ssi_module |
[ ] http_split_clients_module | [x] http_upstream_hash_module | [x] http_upstream_ip_hash_module |
[x] http_upstream_keepalive_module | [x] http_upstream_least_conn_module | [x] http_upstream_zone_module |
[x] http_userid_module | [ ] http_uwsgi_module | [x] http_gzip_static_module |
[x] http_mp4_module | [x] http_realip_module | [x] http_ssl_module |
[x] http_sub_module | [ ] http_v2_module | [x] stream |
[x] stream_ssl_module | [x] stream_realip_module | [ ] stream_geoip_module |
[x] http_secure_link_module | [x] http_slice_module | [x] threads |
[x] ngx_http_proxy_connect_module | [x] nginx_upstream_check_module |
Most modules of open-source Nginx are statically linked: they are compiled into the nginx binary at build time. (Nginx also supports dynamic modules via --add-dynamic-module, but this build links everything statically, so every change to the module set means a rebuild.)
Of which:
- Forward proxy module ngx_http_proxy_connect_module, source: https://github.com/chobits/ngx_http_proxy_connect_module .
- Health check module nginx_upstream_check_module, source: https://github.com/yaoweibin/nginx_upstream_check_module .
- Session persistence module nginx-sticky-module-ng, source: https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/src/master/ .
- Log filtering module ngx_log_if, source: https://github.com/cfsego/ngx_log_if .
Place the source directories of these four modules in the nginx source folder src (they are already present in nginx-1.18.0.src.tar.gz). Third-party modules run inside the nginx worker with the same privileges as nginx itself, so pin each one to a reviewed commit and rebuild when its project publishes a fix.
The source tree then looks like this:
```
[root@ks-allinone src]# tree -L 1 .
.
├── core
├── event
├── http
├── mail
├── misc
├── nginx-sticky-module-ng
├── nginx_upstream_check_module
├── ngx_http_proxy_connect_module
├── ngx_log_if
├── openssl-1.1.1g
├── os
├── pcre-8.44
├── stream
└── zlib-1.2.11
```
To add a module to the binary, rebuild Nginx with an --add-module option pointing at the module's source directory, for example:
```sh
$ ./configure ... --add-module=/usr/build/nginx-rtmp-module
```
2.3 installation directory description
Installation directory root: /usr/local/nginx, i.e. the directory given by the configure parameter --prefix, which is also the default recommended by Nginx. This directory contains several subdirectories.
Note: this directory is owned by root; grant access to application users as needed.
Subdirectory | Explanation |
---|---|
$PREFIX/logs | Log directory: access log, error log and the nginx.pid file |
$PREFIX/sbin | Program directory: the nginx executable |
$PREFIX/conf | Configuration directory: configuration files such as nginx.conf |
2.4 configuration module options
Directory structure for building and compiling:
nginx-x.y.z: Nginx source tree.
nginx-x.y.z/src: nginx source code directory; its subdirectories hold the library sources and the module sources.
```sh
cd nginx-1.18.0/
```
The forward proxy and health check modules each require a module-specific patch to the nginx core before configure is run:
```sh
patch -p1 < src/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch
patch -p1 < src/nginx_upstream_check_module/check_1.16.1+.patch
```
Then configure:
```sh
./configure --prefix="/usr/local/nginx" --user=nobody --group=nobody \
  --with-pcre="src/pcre-8.44" --with-zlib="src/zlib-1.2.11" --with-openssl="src/openssl-1.1.1g" \
  --without-http_autoindex_module --without-http_auth_basic_module --without-http_empty_gif_module \
  --without-http_fastcgi_module --without-http_geo_module --without-http_memcached_module \
  --without-http_scgi_module --without-http_ssi_module --without-http_split_clients_module \
  --without-http_uwsgi_module --without-http_upstream_zone_module \
  --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module \
  --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module \
  --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_realip_module \
  --with-threads \
  --add-module=src/ngx_http_proxy_connect_module/ --add-module=src/nginx_upstream_check_module/ \
  --add-module=src/ngx_log_if --add-module=src/nginx-sticky-module-ng
```
Note: the module table in 2.2 marks http_geo_module and http_upstream_zone_module as selected, while this configure line disables both with --without-...; the configure line decides what ends up in the binary, so reconcile the two before building. Also, --with-openssl builds OpenSSL from source with its default options; use --with-openssl-opt to pass build options to OpenSSL if the default feature set is wider than required.
2.5 compile build package
Compilation environment and supported operating systems: CentOS / RedHat / Oracle Linux 6 / 7 x86_64
Execute:
```sh
make && make install
cd /usr/local/nginx   # inspect the installed tree
```
After installation, sbin/nginx -V prints the nginx version, the OpenSSL version it was built with and the full configure arguments; compare them against 2.4 before packaging the tree.
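The following shell check is an added example (not part of the original document) of what a practitioner would run right after make install: it takes the text of nginx -V and verifies that the security-relevant configure options from 2.4 are present and that the bundled OpenSSL version is the intended one, so a stale or incomplete rebuild is caught before the tree is packaged. The REQUIRED_OPTS subset, the expected version 1.1.1g and both sample outputs are constructed/assumed for the example.

```shell
#!/bin/sh
# Added example: verify a freshly built nginx binary against the module set chosen in 2.2/2.4.
# Input is the text of `nginx -V 2>&1`; the samples below are constructed to look like that output.

# Options that must appear in "configure arguments:" (assumed security-relevant subset of 2.4)
REQUIRED_OPTS="--with-http_ssl_module --with-http_realip_module --with-stream --with-stream_ssl_module
--without-http_autoindex_module --add-module=src/ngx_http_proxy_connect_module
--add-module=src/nginx_upstream_check_module"

# check_nginx_build "<nginx -V output>" "<expected OpenSSL version>"
# Prints one line per missing item; returns 0 only if every required option and the OpenSSL version match.
check_nginx_build() {
    # flatten to one space-padded line so options can be matched as whole words
    v_out=" $(printf '%s' "$1" | tr '\n' ' ') "
    want_ssl=$2
    rc=0
    for opt in $REQUIRED_OPTS; do
        case "$v_out" in
            *" $opt "*|*" $opt/ "*) ;;   # --add-module paths may carry a trailing slash
            *) printf 'missing configure option: %s\n' "$opt"; rc=1 ;;
        esac
    done
    case "$v_out" in
        *"built with OpenSSL $want_ssl "*) ;;
        *) printf 'not built with OpenSSL %s (statically linked OpenSSL only changes by rebuilding)\n' "$want_ssl"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample of `nginx -V 2>&1` for a correct build (compiler and dates are illustrative)
SAMPLE_OK='nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nobody --group=nobody --with-pcre=src/pcre-8.44 --with-zlib=src/zlib-1.2.11 --with-openssl=src/openssl-1.1.1g --without-http_autoindex_module --with-http_realip_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=src/ngx_http_proxy_connect_module/ --add-module=src/nginx_upstream_check_module/'

# Constructed sample of a stale build: older OpenSSL and the forward proxy module left out
SAMPLE_STALE='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1d  10 Sep 2019
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_realip_module --with-stream --with-stream_ssl_module --without-http_autoindex_module --add-module=src/nginx_upstream_check_module/'

if [ "$#" -eq 0 ]; then
    # Demonstration on the constructed samples. For the real binary:
    #   check_nginx_build "$(/usr/local/nginx/sbin/nginx -V 2>&1)" 1.1.1g
    check_nginx_build "$SAMPLE_OK" 1.1.1g && echo "sample build: OK"
    check_nginx_build "$SAMPLE_STALE" 1.1.1g || echo "stale build: rejected"
fi
```

Run it in the packaging step with the expected OpenSSL version as a parameter; when OpenSSL publishes a fix, bumping that parameter makes every existing package fail the check until it is rebuilt.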
3, Configuration specification
3.1 main profile description
The recommended configuration is considered in each module of Nginx, and the detailed configuration is as follows:
nginx.conf
```nginx
# User and group the worker processes run as
user nobody nobody;
# Number of worker processes; recommended equal to the number of CPU cores ("worker_processes auto;" does this automatically)
worker_processes 1;
# Global error log and level: [debug | info | notice | warn | error | crit]
error_log /var/log/nginx/error.log;
# Process id file
pid /usr/local/nginx/logs/nginx.pid;
# Maximum number of open file descriptors per worker. In theory this is the system limit (ulimit -n) divided
# by the number of workers, but nginx does not distribute requests evenly, so keeping it equal to ulimit -n
# is recommended.
worker_rlimit_nofile 51200;
events {
    # Event model: [kqueue | rtsig | epoll | /dev/poll | select | poll]. epoll is the high-performance model
    # on Linux kernels 2.6 and later; on FreeBSD use kqueue.
    use epoll;
    # Maximum connections per worker (total = worker_connections * worker_processes)
    worker_connections 51200;
    multi_accept on;
}
include http.conf;
include stream.conf;
```
3.3 http server configuration description
http.conf
```nginx
http {
    # File extension to MIME type mapping
    include /usr/local/nginx/conf/mime.types;
    # Default MIME type
    default_type application/octet-stream;
    # Default charset
    charset utf-8;
    # Hide the nginx version in the Server header and on error pages
    server_tokens off;
    # Local log format and file
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    # Log block for shipping to the web log analysis system (syslog)
    #log_format ccb-combined '\'$proxy_add_x_forwarded_for\'$remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time $hostname';
    #access_log syslog:server=10.214.170.17:514,facility=local4,tag=C_AMP_CP_CP_APQD,severity=info ccb-combined;
    # Efficient file transfer: sendfile lets nginx use the sendfile() call to output files. For ordinary
    # applications set it on; for download-heavy services set it off to balance disk and network I/O and
    # reduce system load. Note: if images are served incorrectly, set this to off.
    sendfile on;
    # Keep-alive timeout in seconds
    keepalive_timeout 120;
    # Reduce packet fragmentation
    tcp_nopush on;
    tcp_nodelay on;
    # Maximum request body size accepted from a client
    client_max_body_size 60m;
    # Buffer size for reading the client request body
    client_body_buffer_size 128k;
    types_hash_max_size 2048;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32K;
    # gzip output compression
    gzip on;
    # Minimum response size (taken from Content-Length) to compress; the default 0 compresses everything.
    # Responses under about 1k may grow when compressed, so 1k is recommended.
    gzip_min_length 1k;
    # Four 16k buffers for the compressed stream; by default nginx allocates the same size as the original data
    gzip_buffers 4 16k;
    # Minimum HTTP version to compress for (default 1.1). Most browsers support gzip; use 1.0 if the front end is squid 2.5
    gzip_http_version 1.1;
    # Compression level: 1 is the smallest ratio and fastest, 9 the largest ratio, slowest and most CPU-hungry
    gzip_comp_level 4;
    # Types to compress. text/html is always included (listing it again only produces a warning). Images
    # (gif/png/jpeg) are already compressed, so gzipping them wastes CPU and they are left out. Keep this list
    # to static content types: compressing responses that mix secrets with attacker-controlled input over TLS
    # exposes them to compression side channels (BREACH).
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;
    # Add "Vary: Accept-Encoding" so front-end caches (e.g. squid) keep compressed and uncompressed copies apart
    gzip_vary on;
    # http server definitions
    include http-server.conf;
    # Forward proxy definition
    include forward-proxy.conf;
}
```
http-server.conf
```nginx
# weight defaults to 1; the larger the weight, the larger the share of load
upstream myserver {
    server 192.168.24.200:8080 weight=2;
    server 192.168.24.205:8080 weight=2;
    # Health check (nginx_upstream_check_module): probe every 3 s over http with a 1 s timeout; mark the
    # real server up after 3 consecutive successes and down after 5 consecutive failures
    check interval=3000 rise=3 fall=5 timeout=1000;
    #check_http_send "HEAD / HTTP/1.0\r\n\r\n";
    #check_http_expect_alive http_2xx http_3xx;
}
# Static pages and reverse proxy
server {
    listen 80;
    # Domain names or IPs; more than one may be listed, separated by spaces
    server_name 127.0.0.1;
    # If this nginx sits behind a proxying load balancer, $remote_addr is the balancer's address; configure
    # set_real_ip_from / real_ip_header (http_realip_module, selected in 2.2) so that logs, allow/deny and
    # X-Real-IP carry the client address instead.
    # The load balancer's health check uses HEAD requests; keep them out of the access log (ngx_log_if)
    access_log_bypass_if ($request_method = HEAD);
    # Allow only GET, POST and HEAD. The pattern is anchored: an unanchored "GET|POST|HEAD" would also
    # admit any method that merely contains one of those strings.
    if ($request_method !~ "^(GET|POST|HEAD)$") {
        return 403;
    }
    # Static file requests
    location ^~ /static/ {
        alias /home/ap/cloudapp/webroot/static/;
        index index.html index.htm;
    }
    # A regex location needs a capture for alias to work: without one, every matching request would map
    # to the alias directory itself instead of the requested file
    location ~* ^/(.+\.(gif|jpg|jpeg|png|css|js|ico))$ {
        alias /home/ap/cloudapp/webroot/resource/$1;
    }
    # Send error responses to specific static pages. root (not alias) is used here: with an exact-match
    # location, alias would point at the directory rather than the file.
    error_page 403 404 /40x.html;
    location = /40x.html {
        root /usr/local/nginx/html;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }
    # Deny access to hidden files (.git, .svn, .htaccess, .env, ...)
    location ~ /\. {
        deny all;
    }
    # Health check status page; assuming '/nsstatus' is the status URL, the format parameter changes the
    # output, e.g. /nsstatus?format=json. Only reachable from localhost.
    location /nsstatus {
        check_status;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    # Reverse proxy for "/"
    location / {
        proxy_pass http://myserver;
        #proxy_redirect off;
        #proxy_redirect ~^http://([^:]+)(:\d+)?(.*)$ https://;
        # Host as requested by the client: the domain name bound to the VIP that fronts the real servers
        proxy_set_header Host $host;
        # Client source address in X-Real-IP, so the backend can read the original client IP
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For: append this client's address to the list of proxies already traversed, so the
        # backend can obtain the real client IP (the backend must trust this header only from this proxy)
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Cookie $http_cookie;
        proxy_pass_header Set-Cookie;
        # Debugging aids only: these headers reveal the backend address and status to every client,
        # so keep them disabled in production
        #add_header Response-IP $upstream_addr;
        #add_header Response-Status $upstream_status;
        # The following reverse proxy settings are optional
        # Timeout for connecting to the backend
        proxy_connect_timeout 90s;
        # Timeout for sending the request to the backend
        proxy_send_timeout 90s;
        # Timeout for reading the backend response once the connection is established
        proxy_read_timeout 90s;
        # Buffer for the first part of the backend response (headers)
        proxy_buffer_size 4k;
        # Buffers for the response body, sized for pages averaging under 32K
        proxy_buffers 4 32k;
        # Buffer size under high load (proxy_buffers * 2)
        proxy_busy_buffers_size 64k;
        # Amount of data written to a temporary file at a time when a response exceeds the buffers
        proxy_temp_file_write_size 64k;
    }
}
```
3.4 forward proxy configuration description
3.4.1 server configuration description
forward-proxy.conf
```nginx
# Forward proxy (ngx_http_proxy_connect_module)
server {
    listen 3188;
    # Resolver for outbound host names (CCB cloud DNS server, or the public resolver below)
    #resolver 183.60.83.19 ipv6=off;
    resolver 114.114.114.114 ipv6=off;
    # Restrict who may use the proxy. Without allow/deny this is an open proxy: any client that can reach
    # port 3188 can use it to reach arbitrary hosts, including internal ones.
    # allow <internal client CIDR>;
    # deny all;
    # Handle CONNECT requests (HTTPS tunnels)
    proxy_connect;
    # Destination ports that CONNECT may tunnel to; add further service ports as needed
    proxy_connect_allow 80 443 563;
    proxy_connect_connect_timeout 60s;
    proxy_connect_read_timeout 60s;
    proxy_connect_send_timeout 60s;
    # Plain HTTP requests: proxy to the host and port named in the request's Host header
    location / {
        proxy_pass http://$http_host;
        proxy_set_header Host $http_host;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }
}
```
3.4.2 client configuration description
Method 1: set the proxy through JVM system properties on the java command line. The -D options must come before -jar; anything after the jar name is passed to the application as an argument instead of being read by the JVM.
```sh
java -Dhttp.proxyHost=ip -Dhttp.proxyPort=port -Dhttps.proxyHost=ip -Dhttps.proxyPort=port -Dhttp.nonProxyHosts="localhost" -jar xxx.war
```
Method 2: set the system properties during application initialization (the port must match the listen port in forward-proxy.conf, 3188 in the example above):
```java
System.setProperty("http.proxyHost", "proxy ip");
System.setProperty("http.proxyPort", "3188");
System.setProperty("https.proxyHost", "proxy ip");
System.setProperty("https.proxyPort", "3188");
```
Method 3: set the proxy explicitly on the connection in Java code:
```java
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;

URL url = new URL("https://A web address");
// Proxy.Type.HTTP covers plain HTTP requests and HTTPS via CONNECT
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("proxy IP", port));
HttpURLConnection conn = (HttpURLConnection) url.openConnection(proxy);
```
3.5 TCP/UDP streaming server configuration description
stream.conf
```nginx
# Layer-4 traffic forwarding
stream {
    upstream socket_proxy {
        server 192.168.1.100:9000;
        server 192.168.1.101:9000;
    }
    server {
        # TCP by default; append "udp" to the listen directive for UDP (listen 9001 udp;)
        listen 9001;
        proxy_connect_timeout 5s;
        proxy_timeout 60m;
        proxy_pass socket_proxy;
    }
}
```
4, Installation specification
1. Upload the installation package to /usr/local/ and, as root, extract it with tar -xzvf nginx-1.18.0_el7_x86_64.tar.gz; then adjust the configuration files under /usr/local/nginx/conf as needed. All nginx logs (error_log and access_log) must go to /var/log/nginx/; see the example configuration.
2. As root, initialize the runtime environment with the following script.
```sh
chmod -R 755 /usr/local/nginx
# Key step: the setuid bit lets a non-root user start nginx with a root master process
chmod u+s /usr/local/nginx/sbin/nginx
mkdir /var/log/nginx/
chmod 777 /var/log/nginx/
```
Caveat: a setuid-root nginx is root-equivalent for anyone who can execute it, because nginx -c loads whatever configuration file the caller names; with the 755 mode above every local account on the host can obtain root. Restrict execution to the application group instead (for example mode 4750 with group cloudapp) and treat that group as privileged. The world-writable 777 on /var/log/nginx/ is also wider than needed: the root master process opens the log files before privileges are dropped and re-owns them to the worker user when they are reopened, so 750 on the directory and 640 on the files suffices.
4.4 how to start
Log in to the operating system as the application user and execute
```sh
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
```
5, Log archiving
To keep nginx log output from filling the file system, the logs must be split by date and cleaned up regularly. The logrotate tool is installed by default on the operating system; create the file /etc/logrotate.d/nginx (vi /etc/logrotate.d/nginx), enter the following and save. logrotate will then rotate the log files daily, compress them and remove old ones.
```
/var/log/nginx/*log {
    su root cloudapp
    create 0640 root cloudapp
    daily
    rotate 5
    dateext
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /usr/local/nginx/logs/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```
Test:
```sh
logrotate -f /etc/logrotate.d/nginx   # check that the logs are rotated
```
Note: the new files are created 0640 rather than world-writable: the root master process reopens the logs on USR1 and changes their owner to the worker user itself, so no wider mode is needed, and a world-writable log can be tampered with by any local account. The cat /usr/local/nginx/logs/nginx.pid in the postrotate script assumes the standard installation of Chapter 4; if nginx was installed differently, adjust the pid path accordingly.
6, Common security issues
6.1 improper configuration of nginx directory and file permissions
Reason: the nginx directory and files are owned by a non-root user, or the nginx installation package was placed in another user's home directory.
Solution: the owner and group of the nginx directory and its files must be root. Installations that follow the standard procedure in Chapter 4 already satisfy this; otherwise, as root, change the owner of the nginx directory and everything inside it to root, with one exception: the proxy_temp and client_body_temp directories (and the files in them) are written by the worker processes and must be owned by nobody.
6.2 login system of Nginx account is not restricted
Reason: the nginx account must not be able to log in, to prevent it from being misused; the nginx process is started by a login user such as cloudapp.
Solution: first make sure the configuration from steps 1 and 2 of Chapter 4 is in place, in particular that the setuid bit has been set on the binary and that all nginx directories and files belong to root. Then add the following directive to nginx.conf:
user nobody nobody;
This directive runs the worker processes as user and group nobody, an account with no login shell. Because the nginx binary carries the setuid bit, the master process has root as its effective user even when started by the application user cloudapp, so it can bind port 80 and open the log files, while the workers drop to nobody. Caveat: that same setuid bit makes the binary root-equivalent for every account allowed to execute it, since nginx -c loads any configuration file the caller names; make the binary executable only by the application group (mode 4750, group cloudapp), treat membership of that group as privileged, and check that the file system holding it is not mounted nosuid.
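Serving both Chapter 4 and sections 6.1/6.2, the following audit is an added example and not the document's own script: it reads only metadata of the installed tree and reports every deviation from the ownership and permission rules above (root-owned tree, worker-owned temp directories, no world-writable paths, a setuid binary that "other" cannot execute, unreadable private keys). The usage values /usr/local/nginx, /var/log/nginx, root, cloudapp and nobody are the ones this document uses; the temporary tree built in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: audit an nginx installation tree against the rules of Chapter 4 and sections 6.1/6.2.
# Usage: audit_nginx_tree PREFIX LOGDIR OWNER APPGROUP WORKERUSER
#   e.g. sh audit_nginx.sh /usr/local/nginx /var/log/nginx root cloudapp nobody
# Only reads metadata, so it can run as any user that can read the tree, before and after setup.

# report DESCRIPTION: reads paths on stdin, prints one FINDING line per path to stderr,
# prints the number of paths to stdout
report() {
    desc=$1
    count=0
    while IFS= read -r path; do
        printf 'FINDING: %s: %s\n' "$desc" "$path" >&2
        count=$((count + 1))
    done
    echo "$count"
}

audit_nginx_tree() {
    prefix=$1; logdir=$2; owner=$3; appgroup=$4; worker=$5
    bin="$prefix/sbin/nginx"
    total=0

    # 6.1: everything under PREFIX belongs to OWNER (root), except the temp dirs written by the workers
    c=$(find "$prefix" \( -name proxy_temp -o -name client_body_temp \) -prune -o ! -user "$owner" -print \
        | report "not owned by $owner")
    total=$((total + c))

    # 6.1: the worker-written temp directories belong to the worker user
    for d in proxy_temp client_body_temp; do
        [ -d "$prefix/$d" ] || continue
        c=$(find "$prefix/$d" ! -user "$worker" -print | report "temp path not owned by $worker")
        total=$((total + c))
    done

    # Nothing under PREFIX or LOGDIR may be world-writable: any local account could otherwise plant a
    # configuration file or tamper with logs (the 777 on the log directory in Chapter 4 is wider than needed)
    c=$(find "$prefix" "$logdir" -perm -002 -print | report "world-writable")
    total=$((total + c))

    # 6.2: the binary exists, is setuid, owned by OWNER and in APPGROUP ...
    if [ -f "$bin" ]; then
        c=$(find "$bin" ! \( -perm -4000 -user "$owner" -group "$appgroup" \) -print \
            | report "binary must be setuid, owned by $owner, group $appgroup")
        total=$((total + c))
        # ... and not executable by "other": a setuid-root nginx accepts any config via -c, so whoever
        # can run it is root-equivalent
        c=$(find "$bin" -perm -001 -print | report "setuid binary executable by other")
        total=$((total + c))
    else
        printf 'FINDING: binary missing: %s\n' "$bin" >&2
        total=$((total + 1))
    fi

    # Private keys under conf/ must not be readable by group or other
    c=$(find "$prefix/conf" -type f -name '*.key' \( -perm -040 -o -perm -004 \) -print \
        | report "private key readable by group/other")
    total=$((total + c))

    echo "$total finding(s)"
    [ "$total" -eq 0 ]
}

if [ "$#" -eq 5 ]; then
    audit_nginx_tree "$@"
fi
```

Run it once after the Chapter 4 script: on a tree prepared exactly as written there it reports the other-executable setuid binary and the world-writable log directory, and it comes back clean after chmod 4750 on the binary and 750 on the log directory.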
6.3 nginx server_tokens baseline
Reason: server_tokens is not disabled. The server_tokens directive controls whether the nginx version appears on error pages and in the Server HTTP response header; this information must not be disclosed.
Solution: in the nginx configuration set
server_tokens off;
Note that the Server header still reads "nginx" with tokens off; only the version string is removed.
6.4 nginx does not disable hidden files
Reason: hidden files (names starting with a dot, e.g. .git, .svn, .htaccess, .env) are not blocked, so any such file in a served directory can be fetched from the web.
Solution: edit the nginx configuration and add the following to the server block:
location ~ /\. { deny all; }
Caveat: this also blocks /.well-known/ (used for ACME certificate validation and similar); if that path is needed, add a prefix location such as location ^~ /.well-known/ that allows it, since a ^~ prefix match takes precedence over regex locations.
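Covering 6.3, 6.4 and the request-method restriction of 3.3 together, the following pre-deployment lint is an added example, not part of the original document. It runs over the effective configuration printed by nginx -T (which expands every include) and strips comments first, so a commented-out "#server_tokens off;" is not mistaken for an active directive. The two sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example: baseline lint for 6.3, 6.4 and the anchored method check of 3.3, run over `nginx -T` output.
# Usage: nginx -T 2>/dev/null | sh nginx_baseline.sh -      (or call lint_nginx_config "<text>")

strip_comments() {
    # drop '#' to end of line, then blank lines (naive: a literal '#' inside a quoted string is cut too)
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# lint_nginx_config "<nginx -T output>"; prints one FAIL line per problem, returns 0 when clean
lint_nginx_config() {
    conf=$(printf '%s\n' "$1" | strip_comments)
    flat=$(printf '%s\n' "$conf" | tr '\n' ' ')
    rc=0
    # 6.3: version disclosure must be off (an active directive, not a commented one)
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'; then
        echo "FAIL 6.3: server_tokens off; not set"; rc=1
    fi
    # 6.4: a "location ~ /\." block whose body contains "deny all;"
    if ! printf '%s' "$flat" | grep -Eq 'location[[:space:]]+~[[:space:]]+/\\\.[[:space:]]*\{[^}]*deny[[:space:]]+all[[:space:]]*;'; then
        echo "FAIL 6.4: no location ~ /\\. { deny all; } block"; rc=1
    fi
    # 3.3: the method whitelist must be anchored; "!~ GET|POST|HEAD" also admits any method containing
    # those strings. Quotes are removed so "^(...)$" and ^(...)$ are treated alike.
    if printf '%s\n' "$conf" | grep -E 'request_method[[:space:]]+!~' | tr -d "\"'" \
        | grep -Eq '!~\*?[[:space:]]+[^^]'; then
        echo "FAIL 3.3: request_method restriction uses an unanchored pattern"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: baseline satisfied"
    return "$rc"
}

# Constructed sample matching the hardened http-server.conf of 3.3
SAMPLE_OK=$(cat <<'EOF'
http {
    server_tokens off;
    server {
        listen 80;
        if ($request_method !~ "^(GET|POST|HEAD)$") { return 403; }
        location ~ /\. { deny all; }
        location / { proxy_pass http://myserver; }
    }
}
EOF
)

# Constructed sample with all three problems: tokens only disabled in a comment, no hidden-file
# location, unanchored method pattern
SAMPLE_BAD=$(cat <<'EOF'
http {
    #server_tokens off;
    server {
        listen 80;
        if ($request_method !~* GET|POST|HEAD) { return 403; }
        location / { proxy_pass http://myserver; }
    }
}
EOF
)

if [ "$1" = "-" ]; then
    lint_nginx_config "$(cat)"
elif [ "$#" -eq 0 ]; then
    echo "== constructed good config"; lint_nginx_config "$SAMPLE_OK"
    echo "== constructed bad config";  lint_nginx_config "$SAMPLE_BAD" || true
fi
```

The check deliberately reads nginx -T rather than the files on disk: only the dump shows the configuration nginx actually loaded, including every include and the effect of a syntax error that stops the load.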
6.5 forward proxy http request configuration modification
Problem: when nginx acts as a forward proxy, web services on ports other than the standard port 80 c+annot be reached.
Cause and solution: $host contains only the host name, so proxy_pass http://$host sends every request to port 80, whereas $http_host is the Host header exactly as the client sent it, port included. In forward-proxy.conf confirm that the proxy_pass line reads:
proxy_pass $scheme://$http_host;   # $http_host rather than $host, so the client's port is kept