Nginx (“engine x”) 是一个高性能的 HTTP 和 反向代理 服务器,也是一个 IMAP/POP3/SMTP 服务器。 Nginx 是由 Igor Sysoev 为俄罗斯访问量第二的 Rambler.ru 站点开发的,第一个公开版本0.1.0发布于2004年10月4日。其将源代码以类BSD许可证的形式发布,因它的稳定性、丰富的功能集、示例配置文件和低系统资源的消耗而闻名。2011年6月1日,nginx 1.0.4发布。
Nginx是一款轻量级的Web 服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,并在一个BSD-like 协议下发行。由俄罗斯的程序设计师Igor Sysoev所开发,供俄国大型的入口网站及搜索引擎Rambler(俄文:Рамблер)使用。其特点是占有内存少,并发能力强,事实上nginx的并发能力确实在同类型的网页服务器中表现较好,中国大陆使用nginx网站用户有:百度、新浪、网易、腾讯等。
1,安装nginx
//安装相关库文件
# Development headers required by the ./configure options used later on this
# page: OpenSSL for --with-http_ssl_module, GD for --with-http_image_filter_module
# and PCRE for --with-pcre.
yum -y install openssl-devel gd-devel pcre-devel
//下载并编译安装nginx,支持缓存,反向代理,waf,ssl
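# Fetch and unpack every source tree that the nginx build below depends on.
#
# NOTE(review): all archives are fetched over plain HTTP, mostly from a
# third-party host, and are then compiled and installed (typically as root)
# without any integrity check. Before building, compare each file with a
# checksum or signature published by the upstream project, for example
#   echo "<EXPECTED_SHA256_PLACEHOLDER>  nginx-1.8.0.tar.gz" | sha256sum -c -
# and prefer the projects' own HTTPS release locations where they exist.
# NOTE(review): master.zip is an unpinned snapshot, so the WAF code can differ
# between two runs of this procedure; pin a specific revision if possible.
# NOTE(review): nginx 1.8.0, LuaJIT 2.0.4 and zlib 1.2.8 are old releases;
# check each project's security advisories and build a maintained version.
#
# Each extraction is chained with && so a failed download is never followed by
# unpacking a stale or partial file of the same name.
mkdir -p /opt/tools && cd /opt/tools

wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz &&
  tar xf ngx_cache_purge-2.3.tar.gz

# LuaJIT is built and installed in a subshell, so the working directory stays
# /opt/tools whether or not the build succeeds.
wget http://www.espnlol.com/xx/download/waf/LuaJIT-2.0.4.tar.gz &&
  tar xf LuaJIT-2.0.4.tar.gz &&
  (cd LuaJIT-2.0.4 && make && make install)

wget http://www.espnlol.com/xx/download/waf/v0.2.19.tar.gz &&
  tar xf v0.2.19.tar.gz

wget http://www.espnlol.com/xx/download/waf/v0.9.16.tar.gz &&
  tar xf v0.9.16.tar.gz

wget http://www.espnlol.com/xx/download/web/nginx-1.8.0.tar.gz &&
  tar xf nginx-1.8.0.tar.gz

wget http://www.espnlol.com/xx/download/web/zlib-1.2.8.tar.gz &&
  tar xf zlib-1.2.8.tar.gz

wget http://www.espnlol.com/xx/download/waf/master.zip &&
  unzip master.zip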
//修改nginx源文件达到隐藏版本的目的
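# Rewrite the version and product strings in the nginx sources before building.
#
# NOTE(review): this changes only what the server advertises. It does not
# remove any flaw present in the 1.8.0 code, and a false version string can
# mislead vulnerability scanners and asset inventories, so record the real
# version somewhere operators can find it. The nginx.conf on this page also
# sets "server_tokens off", which already hides the version number.
#
# The edits run only if the cd succeeds, so a missing source tree never results
# in sed touching files relative to some other directory. The dots in the
# version pattern are escaped so they match a literal '.' only.
cd nginx-1.8.0 && {
  sed -i 's/1\.8\.0/1.0.1/g' src/core/nginx.h
  sed -i 's/"nginx\/"/"AE-SERVER\/"/g' src/core/nginx.h
  sed -i 's/"NGINX"/"AE-SERVER"/g' src/core/nginx.h
  sed -i 's/"Server:\ nginx"/"Server:\ AESERVER"/g' src/http/ngx_http_header_filter_module.c
  sed -i 's/>nginx/>AESERVER/g' src/http/ngx_http_special_response.c
}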
//编译安装
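# Configure, compile and install nginx with the cache-purge, devel-kit and Lua
# modules, linking against the LuaJIT installed under /usr/local.
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0

# Prepend /usr/local/lib without leaving an empty element behind: when
# LD_LIBRARY_PATH is unset, "dir:$LD_LIBRARY_PATH" ends in ':' and the dynamic
# loader treats that empty entry as the current working directory.
export LD_LIBRARY_PATH="/usr/local/lib/${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"

# NOTE(review): --http-fastcgi-temp-path points at a directory named "uwsgi"
# and no --http-uwsgi-temp-path is given; confirm that this is intended.
./configure \
  --prefix=/usr/local/nginx-1.8.0 \
  --error-log-path=/usr/local/nginx-1.8.0/var/log/nginx/error.log \
  --http-log-path=/usr/local/nginx-1.8.0/var/log/nginx/access.log \
  --pid-path=/usr/local/nginx-1.8.0/var/run/nginx/nginx.pid \
  --lock-path=/usr/local/nginx-1.8.0/var/lock/nginx.lock \
  --user=www \
  --group=www \
  --with-http_ssl_module \
  --with-file-aio \
  --with-http_mp4_module \
  --with-http_flv_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --http-client-body-temp-path=/data/tmp/nginx/client/ \
  --http-proxy-temp-path=/data/tmp/nginx/proxy/ \
  --http-fastcgi-temp-path=/data/tmp/nginx/uwsgi \
  --http-scgi-temp-path=/data/tmp/nginx/scgi \
  --with-zlib=../zlib-1.2.8 \
  --with-pcre \
  --with-http_image_filter_module \
  --add-module=../ngx_cache_purge-2.3 \
  --add-module=../ngx_devel_kit-0.2.19 \
  --add-module=../lua-nginx-module-0.9.16 \
  --with-ld-opt="-Wl,-rpath,$LUAJIT_LIB" &&
  make && make install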
2,创建用户
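# Dedicated unprivileged account for the nginx worker processes; it matches the
# --user=www / --group=www values given to ./configure.
groupadd -g 501 www
# -M skips creating a home directory and -s /sbin/nologin denies interactive
# logins: a service account only needs to own files and run the workers.
useradd -u 501 -g www -M -s /sbin/nologin www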
3,创建各种所需目录(根据编译安装指定的参数)
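# Create the directory layout that the build options and nginx.conf refer to.

# /usr/local/nginx becomes a symlink to the versioned install prefix; the link
# is created only if the cd succeeded, so it cannot land in another directory.
cd /usr/local && ln -s nginx-1.8.0 nginx

# Temp-path directories named in the ./configure options.
mkdir -p /data/tmp/nginx/{client,proxy,uwsgi,scgi}

# Locations used by nginx.conf: pid file directory and per-site config files.
mkdir -p /usr/local/nginx/logs
mkdir -p /usr/local/nginx/conf/vhost

# Site logs, document roots and cache, owned by the worker account.
mkdir -p /home/data/{wwwlogs/{itjuzi,today,blog,sevice},wwwroot,cache/fcgicache}
mkdir -p /home/data/tmp/nginx/{client,proxy,uwsgi,scgi}
# OWNER:GROUP with a colon is the supported separator; the dotted form is a
# deprecated extension and is ambiguous when an account name contains a dot.
chown -R www:www /home/data/tmp/nginx/{client,proxy,uwsgi,scgi}
chown -R www:www /home/data/{wwwlogs,wwwroot,cache/fcgicache}

# Put the unpacked WAF tree where nginx.conf looks for waf.lua and init.lua.
mv /opt/tools/ngx_lua_waf-master/ /usr/local/nginx/conf/waf/

# Directory for the WAF attack log, writable by the worker account.
mkdir -p /home/data/logs/hack/
chown -R www:www /home/data/logs/hack/
# NOTE(review): with cookie and POST matching enabled in the WAF config, this
# log may contain request data; mode 755 leaves it readable by every local
# user. Consider 750 if no other account needs to read it.
chmod -R 755 /home/data/logs/hack/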
4,编写相关配置文件,启动脚本
//waf配置文件
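# Write the ngx_lua_waf settings file. The here-document delimiter is quoted so
# the shell copies the Lua text literally, with no expansion.
#
# logdir is set to /home/data/logs/hack, the directory this page creates and
# hands to the www account; a log directory that does not exist or is not
# writable by the workers leaves the attack log empty.
# NOTE(review): confirm that RulePath is the directory that actually holds the
# rule files inside the unpacked ngx_lua_waf tree.
cat > /usr/local/nginx/conf/waf/config.lua << 'EOF'
RulePath = "/usr/local/nginx/conf/waf"
attacklog = "on"
logdir = "/home/data/logs/hack"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
CCDeny="on"
CCrate="100/60"
html=[[please go away]]
EOF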
//nginx配置文件
vi /usr/local/nginx/conf/nginx.conf
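# Main nginx configuration: global settings, HTTP defaults, and an include for
# the per-site files under conf/vhost/.

# Workers run as user www, group www: the account created in step 2 and the one
# passed to ./configure. nginx refuses to start when the named user does not
# exist, and no other account is created by this procedure.
user www www;
worker_processes auto;
# Only messages of severity crit and above are written to this file.
error_log /home/data/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # waf
    # NOTE(review): every WAF directive below is commented out, so the Lua WAF
    # that was compiled in and configured above is not applied to any request
    # until these lines are enabled.
    #lua_need_request_body on;
    #access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
    #lua_shared_dict limit 10m;
    #lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    #init_by_lua_file /usr/local/nginx/conf/waf/init.lua;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 4k;
    large_client_header_buffers 4 32k;
    client_max_body_size 100m;
    # NOTE(review): up to 50m of each request body is held in memory; size this
    # against available RAM and the number of concurrent uploads expected.
    client_body_buffer_size 50m;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    # tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    #limit_conn_zone $binary_remote_addr zone=perip:10m;
    ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

    # Do not print the nginx version in the Server header or on error pages.
    server_tokens off;

    #log format
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" $http_x_forwarded_for';

    # NOTE(review): access logging is switched off for the whole http block.
    # Unless every vhost file sets its own access_log, there is no request
    # trail to work from when investigating an incident.
    access_log off;

    include vhost/*.conf;
}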
//nginx启动脚本
vi /etc/init.d/nginx
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /usr/local/nginx/logs/nginx.pid
# Load the distribution's init helper library; presumably this is where the
# daemon, killproc and status commands used further down come from, since this
# script calls them without defining them.
. /etc/rc.d/init.d/functions

# Load the network settings file (expected to set NETWORKING).
. /etc/sysconfig/network

# Leave quietly when networking has been switched off.
if [ "$NETWORKING" = "no" ]; then
    exit 0
fi

# Paths used by every action below.
NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
lockfile=/usr/local/nginx/var/nginx
nginx="/usr/local/nginx/sbin/nginx"
# Program name is the last path component of the binary.
prog=${nginx##*/}
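# Start nginx with $NGINX_CONF_FILE and create the lock file on success.
# Globals:  nginx, NGINX_CONF_FILE, prog, lockfile (read); retval (written)
# Exits:    5 if the binary is not executable, 6 if the config file is missing
# Returns:  the exit status of the daemon helper
start() {
    # Expansions are quoted so that an empty or unset path fails these checks;
    # unquoted, "[ -x ]" has a single argument and is always true.
    [ -x "$nginx" ] || exit 5
    [ -f "$NGINX_CONF_FILE" ] || exit 6
    echo -n $"Starting $prog: "
    daemon "$nginx" -c "$NGINX_CONF_FILE"
    retval=$?
    echo
    # The lock file is written only when the daemon helper reported success.
    [ "$retval" -eq 0 ] && touch "$lockfile"
    return "$retval"
}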
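# Ask nginx to shut down with SIGQUIT and remove the lock file on success.
# Globals:  prog, lockfile (read); retval (written)
# Returns:  the exit status of killproc
stop() {
    echo -n $"Stopping $prog: "
    killproc "$prog" -QUIT
    retval=$?
    echo
    # Quoted, with "--", so the path is passed to rm as exactly one operand
    # even if it contains spaces or begins with a dash.
    [ "$retval" -eq 0 ] && rm -f -- "$lockfile"
    return "$retval"
}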
# Validate the configuration, then stop and start nginx.
# Returns: configtest's status if validation fails (nothing is stopped in that
#          case), otherwise the status of start.
restart() {
    local rc
    configtest
    rc=$?
    # A broken configuration must not take down a running server.
    if [ "$rc" -ne 0 ]; then
        return "$rc"
    fi
    stop
    start
}
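# Validate the configuration, then signal nginx with SIGHUP to re-read it.
# Globals:  nginx, prog (read); retval (written)
# Returns:  configtest's status if validation fails, otherwise the exit status
#           of killproc, so a failed reload is reported to the caller instead
#           of being masked by the trailing echo.
reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc "$nginx" -HUP
    retval=$?
    echo
    return "$retval"
}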
# force-reload is implemented as a full restart.
# Returns: the status of restart.
force_reload() {
    restart
    return $?
}
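# Run the nginx binary in test mode (-t) against $NGINX_CONF_FILE.
# Globals:  nginx, NGINX_CONF_FILE (read)
# Returns:  the exit status of the nginx binary
configtest() {
    # Quoted so a path containing whitespace stays a single argument.
    "$nginx" -t -c "$NGINX_CONF_FILE"
}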
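# Report whether the program named by $prog is running, via the status helper.
# Globals:  prog (read)
# Returns:  the exit status of status
rh_status() {
    # Quoted so the program name reaches the helper as exactly one argument.
    status "$prog"
}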
# Quiet variant of rh_status: same exit status, with both stdout and stderr
# discarded, for use in conditionals.
rh_status_q() {
    rh_status 2>/dev/null 1>&2
    return $?
}
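# Dispatch on the action given as the first argument.
case "$1" in
    start)
        # Already running: succeed without starting a second instance.
        rh_status_q && exit 0
        start
        ;;
    stop)
        # Not running: nothing to stop.
        rh_status_q || exit 0
        stop
        ;;
    restart)
        restart
        ;;
    configtest)
        configtest
        ;;
    reload)
        # Reloading a service that is not running is reported with status 7.
        rh_status_q || exit 7
        reload
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Restart only when the service is currently running. Without the
        # restart call this arm would check the status and then do nothing.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
        ;;
esac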
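# Make the init script executable, then start nginx through it. The script was
# saved as /etc/init.d/nginx and takes the action as its first argument.
chmod 755 /etc/init.d/nginx
/etc/init.d/nginx start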