{"id":84,"date":"2015-11-25T12:05:28","date_gmt":"2015-11-25T04:05:28","guid":{"rendered":"https:\/\/blog.espnlol.com\/?p=84"},"modified":"2015-11-26T23:39:20","modified_gmt":"2015-11-26T15:39:20","slug":"%e7%bc%96%e8%af%91%e5%ae%89%e8%a3%85nginx-1-8-0%e6%94%af%e6%8c%81%e7%bc%93%e5%ad%98%ef%bc%8c%e5%8f%8d%e5%90%91%e4%bb%a3%e7%90%86%ef%bc%8cwaf%ef%bc%8cssl","status":"publish","type":"post","link":"https:\/\/blog.espnlol.com\/?p=84","title":{"rendered":"Compiling and installing nginx-1.8.0 with cache, reverse proxy, WAF and SSL support"},"content":{"rendered":"<h3 class=\"para\"><strong>Nginx (&#8220;engine x&#8221;) is a high-performance HTTP and reverse proxy server, and also an IMAP\/POP3\/SMTP server. Nginx was developed by Igor Sysoev for Rambler.ru, the second most visited site in Russia; the first public version, 0.1.0, was released on October 4, 2004. Its source code is released under a BSD-like license, and it is known for its stability, rich feature set, sample configuration files and low consumption of system resources. nginx 1.0.4 was released on June 1, 2011.<\/strong><\/h3>\n<h3 class=\"para\"><strong>Nginx is a lightweight web server\/reverse proxy server and e-mail (IMAP\/POP3) proxy server, distributed under a BSD-like license. It was developed by the Russian programmer Igor
Sysoev for use by Rambler (Russian: \u0420\u0430\u043c\u0431\u043b\u0435\u0440), a large Russian portal and search engine. It is characterized by low memory usage and strong concurrency; in fact, nginx's concurrency does perform well among web servers of its type. Websites in mainland China that use nginx include Baidu, Sina, NetEase and Tencent.<\/strong><\/h3>\n<p>1. Install nginx<\/p>\n<p>\/\/ Install the required libraries<\/p>\n<pre class=\"lang:vim decode:true\">yum install openssl-devel gd-devel pcre-devel -y<\/pre>\n<p>\/\/ Download, compile and install nginx with cache, reverse proxy, WAF and SSL support<\/p>\n<pre class=\"lang:vim decode:true \">mkdir -p \/opt\/tools\r\ncd \/opt\/tools\r\nwget http:\/\/labs.frickle.com\/files\/ngx_cache_purge-2.3.tar.gz\r\ntar xf ngx_cache_purge-2.3.tar.gz\r\n\r\nwget http:\/\/www.espnlol.com\/xx\/download\/waf\/LuaJIT-2.0.4.tar.gz\r\ntar xf LuaJIT-2.0.4.tar.gz\r\ncd LuaJIT-2.0.4\r\nmake &amp;&amp; make install\r\n\r\ncd ..\/\r\nwget http:\/\/www.espnlol.com\/xx\/download\/waf\/v0.2.19.tar.gz\r\ntar xf v0.2.19.tar.gz\r\n\r\nwget http:\/\/www.espnlol.com\/xx\/download\/waf\/v0.9.16.tar.gz\r\ntar xf v0.9.16.tar.gz\r\n\r\nwget http:\/\/www.espnlol.com\/xx\/download\/web\/nginx-1.8.0.tar.gz\r\ntar xf nginx-1.8.0.tar.gz\r\n\r\nwget http:\/\/www.espnlol.com\/xx\/download\/web\/zlib-1.2.8.tar.gz\r\ntar xf zlib-1.2.8.tar.gz\r\n\r\nwget http:\/\/www.espnlol.com\/xx\/download\/waf\/master.zip\r\nunzip master.zip<\/pre>\n<p>\/\/ Modify the nginx source files to hide the version<\/p>\n<pre class=\"lang:vim decode:true\">cd nginx-1.8.0\r\nsed -i
's\/1.8.0\/1.0.1\/g' src\/core\/nginx.h\r\nsed -i 's\/\"nginx\\\/\"\/\"AE-SERVER\\\/\"\/g' src\/core\/nginx.h\r\nsed -i 's\/\"NGINX\"\/\"AE-SERVER\"\/g' src\/core\/nginx.h\r\nsed -i 's\/\"Server:\\ nginx\"\/\"Server:\\ AESERVER\"\/g' src\/http\/ngx_http_header_filter_module.c\r\nsed -i 's\/&gt;nginx\/&gt;AESERVER\/g' src\/http\/ngx_http_special_response.c<\/pre>\n<p>\/\/ Compile and install<\/p>\n<pre class=\"lang:vim decode:true \">export LUAJIT_LIB=\/usr\/local\/lib\r\nexport LUAJIT_INC=\/usr\/local\/include\/luajit-2.0\r\nexport LD_LIBRARY_PATH=\/usr\/local\/lib\/:$LD_LIBRARY_PATH\r\n\r\n.\/configure \\\r\n--prefix=\/usr\/local\/nginx-1.8.0 \\\r\n--error-log-path=\/usr\/local\/nginx-1.8.0\/var\/log\/nginx\/error.log \\\r\n--http-log-path=\/usr\/local\/nginx-1.8.0\/var\/log\/nginx\/access.log \\\r\n--pid-path=\/usr\/local\/nginx-1.8.0\/var\/run\/nginx\/nginx.pid \\\r\n--lock-path=\/usr\/local\/nginx-1.8.0\/var\/lock\/nginx.lock \\\r\n--user=www \\\r\n--group=www \\\r\n--with-http_ssl_module \\\r\n--with-file-aio \\\r\n--with-http_mp4_module \\\r\n--with-http_flv_module \\\r\n--with-http_stub_status_module \\\r\n--with-http_gzip_static_module \\\r\n--http-client-body-temp-path=\/data\/tmp\/nginx\/client\/ \\\r\n--http-proxy-temp-path=\/data\/tmp\/nginx\/proxy\/ \\\r\n--http-fastcgi-temp-path=\/data\/tmp\/nginx\/uwsgi \\\r\n--http-scgi-temp-path=\/data\/tmp\/nginx\/scgi \\\r\n--with-zlib=..\/zlib-1.2.8 \\\r\n--with-pcre \\\r\n--with-http_image_filter_module \\\r\n--add-module=..\/ngx_cache_purge-2.3 \\\r\n--add-module=..\/ngx_devel_kit-0.2.19 \\\r\n--add-module=..\/lua-nginx-module-0.9.16 \\\r\n--with-ld-opt=\"-Wl,-rpath,$LUAJIT_LIB\"\r\n\r\nmake &amp;&amp; make install<\/pre>\n<p>2. Create the user<\/p>\n<pre class=\"lang:vim decode:true\">groupadd -g 501 www\r\nuseradd -u 501 -g www www<\/pre>\n<p>3. Create the required directories (according to the parameters specified at compile time)<\/p>\n<pre
class=\"lang:vim decode:true \">cd \/usr\/local\r\n\r\nmkdir -p \/data\/tmp\/nginx\/{client,proxy,uwsgi,scgi}\r\n\r\nln -s nginx-1.8.0 nginx\r\n\r\nmkdir -p \/usr\/local\/nginx\/logs\r\n\r\nmkdir -p \/usr\/local\/nginx\/conf\/vhost\r\n\r\nmkdir -p \/home\/data\/{wwwlogs\/{itjuzi,today,blog,sevice},wwwroot,cache\/fcgicache}\r\nmkdir -p \/home\/data\/tmp\/nginx\/{client,proxy,uwsgi,scgi}\r\n\r\nchown -R www:www \/home\/data\/tmp\/nginx\/{client,proxy,uwsgi,scgi}\r\nchown -R www:www \/home\/data\/{wwwlogs,wwwroot,cache\/fcgicache}\r\n\r\n\r\nmv \/opt\/tools\/ngx_lua_waf-master\/ \/usr\/local\/nginx\/conf\/waf\/\r\n\r\nmkdir -p \/home\/data\/logs\/hack\/\r\nchown -R www:www \/home\/data\/logs\/hack\/\r\nchmod -R 755 \/home\/data\/logs\/hack\/<\/pre>\n<p>4. Write the configuration files and the startup script<\/p>\n<p>\/\/ WAF configuration file<\/p>\n<pre class=\"lang:vim decode:true\">cat &lt;&lt; EOF &gt; \/usr\/local\/nginx\/conf\/waf\/config.lua\r\nRulePath = \"\/usr\/local\/nginx\/conf\/waf\"\r\nattacklog = \"on\"\r\nlogdir = \"\/home\/data\/logs\/hack\"\r\nUrlDeny=\"on\"\r\nRedirect=\"on\"\r\nCookieMatch=\"on\"\r\npostMatch=\"on\" \r\nwhiteModule=\"on\" \r\nblack_fileExt={\"php\",\"jsp\"}\r\nipWhitelist={\"127.0.0.1\"}\r\nipBlocklist={\"1.0.0.1\"}\r\nCCDeny=\"on\"\r\nCCrate=\"100\/60\"\r\nhtml=[[please go away]]\r\nEOF<\/pre>\n<p>\/\/ nginx configuration file<\/p>\n<pre class=\"lang:vim decode:true\">vi \/usr\/local\/nginx\/conf\/nginx.conf\r\nuser www www;\r\n\r\nworker_processes auto;\r\n\r\nerror_log \/home\/data\/wwwlogs\/nginx_error.log crit;\r\n\r\npid \/usr\/local\/nginx\/logs\/nginx.pid;\r\n\r\n#Specifies the value for maximum file descriptors that can be opened by this process.\r\nworker_rlimit_nofile 65535;\r\n\r\nevents\r\n{\r\nuse epoll;\r\nworker_connections 65535;\r\nmulti_accept on;\r\n}\r\n\r\nhttp\r\n{\r\ninclude mime.types;\r\ndefault_type application\/octet-stream;\r\n\r\n# waf (uncomment the directives below to enable ngx_lua_waf)\r\n#lua_need_request_body
on;\r\n#access_by_lua_file \/usr\/local\/nginx\/conf\/waf\/waf.lua;\r\n#lua_shared_dict limit 10m;\r\n#lua_package_path \"\/usr\/local\/nginx\/conf\/waf\/?.lua\";\r\n#init_by_lua_file \/usr\/local\/nginx\/conf\/waf\/init.lua;\r\n\r\nserver_names_hash_bucket_size 128;\r\nclient_header_buffer_size 4k;\r\nlarge_client_header_buffers 4 32k;\r\nclient_max_body_size 100m;\r\nclient_body_buffer_size 50m;\r\n\r\nsendfile on;\r\ntcp_nopush on;\r\n\r\nkeepalive_timeout 60;\r\n\r\n# tcp_nodelay on;\r\n\r\nfastcgi_connect_timeout 300;\r\nfastcgi_send_timeout 300;\r\nfastcgi_read_timeout 300;\r\nfastcgi_buffer_size 128k;\r\nfastcgi_buffers 8 128k;\r\nfastcgi_busy_buffers_size 256k;\r\nfastcgi_temp_file_write_size 256k;\r\n\r\ngzip on;\r\ngzip_min_length 1k;\r\ngzip_buffers 4 16k;\r\ngzip_http_version 1.1;\r\ngzip_comp_level 2;\r\ngzip_types text\/plain application\/javascript application\/x-javascript text\/javascript text\/css application\/xml application\/xml+rss;\r\ngzip_vary on;\r\ngzip_proxied expired no-cache no-store private auth;\r\ngzip_disable \"MSIE [1-6]\\.\";\r\n\r\n#limit_conn_zone $binary_remote_addr zone=perip:10m;\r\n##If enable limit_conn_zone,add \"limit_conn perip 10;\" to server section.\r\n\r\nserver_tokens off;\r\n#log format\r\nlog_format access '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n'$status $body_bytes_sent \"$http_referer\" '\r\n'\"$http_user_agent\" $http_x_forwarded_for';\r\naccess_log off;\r\n\r\n\r\ninclude vhost\/*.conf;\r\n}<\/pre>\n<p>\/\/ nginx startup script<\/p>\n<pre class=\"lang:vim decode:true\">vi \/etc\/init.d\/nginx\r\n#!\/bin\/sh\r\n#\r\n# nginx - this script starts and stops the nginx daemon\r\n#\r\n# chkconfig: - 85 15\r\n# description: Nginx is an HTTP(S) server, HTTP(S) reverse \\\r\n# proxy and IMAP\/POP3 proxy server\r\n# processname: nginx\r\n# config: \/usr\/local\/nginx\/conf\/nginx.conf\r\n# pidfile: \/usr\/local\/nginx\/logs\/nginx.pid\r\n\r\n# Source function library.\r\n.
\/etc\/rc.d\/init.d\/functions\r\n\r\n# Source networking configuration.\r\n. \/etc\/sysconfig\/network\r\n\r\n# Check that networking is up.\r\n[ \"$NETWORKING\" = \"no\" ] &amp;&amp; exit 0\r\n\r\nnginx=\"\/usr\/local\/nginx\/sbin\/nginx\"\r\nprog=$(basename $nginx)\r\n\r\nNGINX_CONF_FILE=\"\/usr\/local\/nginx\/conf\/nginx.conf\"\r\n\r\nlockfile=\/usr\/local\/nginx\/var\/nginx\r\n\r\nstart() {\r\n[ -x $nginx ] || exit 5\r\n[ -f $NGINX_CONF_FILE ] || exit 6\r\necho -n $\"Starting $prog: \"\r\ndaemon $nginx -c $NGINX_CONF_FILE\r\nretval=$?\r\necho\r\n[ $retval -eq 0 ] &amp;&amp; touch $lockfile\r\nreturn $retval\r\n}\r\n\r\nstop() {\r\necho -n $\"Stopping $prog: \"\r\nkillproc $prog -QUIT\r\nretval=$?\r\necho\r\n[ $retval -eq 0 ] &amp;&amp; rm -f $lockfile\r\nreturn $retval\r\n}\r\n\r\nrestart() {\r\nconfigtest || return $?\r\nstop\r\nstart\r\n}\r\n\r\nreload() {\r\nconfigtest || return $?\r\necho -n $\"Reloading $prog: \"\r\nkillproc $nginx -HUP\r\nRETVAL=$?\r\necho\r\n}\r\n\r\nforce_reload() {\r\nrestart\r\n}\r\n\r\nconfigtest() {\r\n$nginx -t -c $NGINX_CONF_FILE\r\n}\r\n\r\nrh_status() {\r\nstatus $prog\r\n}\r\n\r\nrh_status_q() {\r\nrh_status &gt;\/dev\/null 2&gt;&amp;1\r\n}\r\n\r\ncase \"$1\" in\r\nstart)\r\nrh_status_q &amp;&amp; exit 0\r\n$1\r\n;;\r\nstop)\r\nrh_status_q || exit 0\r\n$1\r\n;;\r\nrestart|configtest)\r\n$1\r\n;;\r\nreload)\r\nrh_status_q || exit 7\r\n$1\r\n;;\r\nforce-reload)\r\nforce_reload\r\n;;\r\nstatus)\r\nrh_status\r\n;;\r\ncondrestart|try-restart)\r\nrh_status_q || exit 0\r\n;;\r\n*)\r\necho $\"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}\"\r\nexit 2\r\nesac\r\n\r\n# After saving the script, make it executable and start nginx:\r\nchmod 755 \/etc\/init.d\/nginx\r\n\/etc\/init.d\/nginx start<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Nginx (&#8220;engine x&#8221;) is a high-performance H &hellip; <a href=\"https:\/\/blog.espnlol.com\/?p=84\">Continue reading <span
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-84","post","type-post","status-publish","format-standard","hentry","category-nginx"],"_links":{"self":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts\/84","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=84"}],"version-history":[{"count":1,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":85,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts\/84\/revisions\/85"}],"wp:attachment":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}