Compilation and installation of nginx and related settings in ubuntu environment, using tung.pdf

Source: Internet
Author: User
Tags: install, openssl, openssl library, openssl rsa, openssl x509


I. Basic Compilation and Installation

1. Install Dependencies

sudo apt-get update
sudo apt-get install build-essential zlib1g-dev libpcre3 libpcre3-dev libssl-dev libxslt1-dev libxml2-dev libgd2-xpm-dev libgeoip-dev libgoogle-perftools-dev libperl-dev libtool
sudo apt-get install openssl

2. Download the latest version (copy the download link from the official website).

wget http://nginx.org/download/nginx-1.13.5.tar.gz

3. Decompress

tar -zxvf nginx-1.13.5.tar.gz

4. Compile and install

# Enter the unpacked directory
cd nginx-1.13.5
# Configure; a few additional modules are enabled here
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-stream --with-mail=dynamic
# Build nginx
sudo make
# Install nginx
sudo make install
# Start nginx
sudo /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# Note: -c specifies the path of the configuration file. Without it, nginx loads the configuration file from its default path. Use -h to view the help.
# View nginx processes
ps -ef | grep nginx
# Create a soft link (/usr/local/bin is in $PATH, so no extra environment variables are needed and the nginx command can be run from any directory)
sudo ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx

Compilation option description:

--prefix=path: if no installation location is given at compile time, the default is the /usr/local/nginx directory.
--sbin-path=path: sets the location of the nginx executable. If that location is in PATH, the nginx command can be used anywhere in the bash environment. Default: prefix/sbin/nginx, where prefix is the path given by --prefix.
--conf-path=path: sets the path of the nginx configuration file. If not specified, the default is prefix/conf/nginx.conf.
--pid-path=path: sets the path of the nginx.pid file. A process id is generated when the process runs and is stored in this file; the default is prefix/logs/nginx.pid.
--error-log-path=path: sets where error logs are stored. If not specified, prefix/logs/error.log is used.
--http-log-path=path: sets the path of the HTTP access log. If not specified, prefix/logs/access.log is used.
--user=name: sets the user the nginx processes run as by default. If not specified, the default is nobody.
--group=name: sets the group of that user. If not specified, it is nobody as well.
--with-http_ssl_module: enables the HTTP SSL module so that nginx can serve HTTPS requests. OpenSSL must be installed.
--with-http_flv_module: enables ngx_http_flv_module.
--with-http_stub_status_module: enables the server status page.
--without-http_gzip_module: disables ngx_http_gzip_module. When the module is enabled, zlib is required.
--without-http_ssi_module: disables ngx_http_ssi_module.
--without-http_referer_module: disables ngx_http_referer_module.
--without-http_rewrite_module: disables ngx_http_rewrite_module. When the module is enabled, PCRE is required.
--without-http_proxy_module: disables ngx_http_proxy_module.
--without-http_fastcgi_module: disables ngx_http_fastcgi_module.
--without-http_memcached_module: disables ngx_http_memcached_module.
--without-http_browser_module: disables ngx_http_browser_module.
--http-proxy-temp-path=PATH: sets the path for HTTP proxy temporary files.
--http-fastcgi-temp-path=PATH: sets the path for HTTP FastCGI temporary files.
--without-http: disables the HTTP server.
--with-mail: enables the IMAP4/POP3/SMTP proxy module.
--with-mail_ssl_module: enables ngx_mail_ssl_module.
--with-openssl=DIR: sets the path to the OpenSSL library sources.
--with-stream: enables layer-4 (TCP/UDP) forwarding, proxying and load balancing.

II. SSL Configuration

1. Use your own certificate (only for testing or plain data encryption; a self-signed certificate is not trusted by mainstream browsers)

# Create the server private key. A passphrase is requested during the process; remember it. This generates an RSA key.
sudo openssl genrsa -des3 -out testcert.key 1024
# Generate a certificate signing request (CSR).
# Enter the country, region, organization and email in turn.
# The most important field is the Common Name, which can be your name or your domain name. If you apply for an HTTPS certificate from a CA (instead of using your own), it must match the domain name, otherwise browsers will raise a warning. Once the CSR is signed by the CA, it becomes the server certificate.
sudo openssl req -new -key testcert.key -out testcert.csr
# Generate a key without a passphrase
sudo openssl rsa -in testcert.key -out testcert_nopwd.key
# Generate the crt file (self-signed, valid for 365 days)
sudo openssl x509 -req -days 365 -in testcert.csr -signkey testcert_nopwd.key -out testcert.crt

Then copy the testcert_nopwd.key, testcert.csr and testcert.crt files to the /etc/ssl/certs directory.

Then configure the nginx.conf file.

Because the prefix set at compile time is /usr/local/nginx, the file is located in the /usr/local/nginx/conf directory.
Open the file and add the following settings in the http block:
ssl_certificate /etc/ssl/certs/testcert.crt;
ssl_certificate_key /etc/ssl/certs/testcert.key;

Specific Code:

http {
    include proxy.conf;
    include mime.types;
    default_type application/octet-stream;
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    server_tokens off;
    sendfile on;
    # tcp_nopush on;
    keepalive_timeout 29;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    # gzip on;

    # mvctest is a name tied to a specific application
    upstream mvctest {
        server localhost:5000;
    }

    server {
        listen 80;
        add_header Strict-Transport-Security max-age=15768000;
        return 301 https://$host$request_uri;
    }

    server {
        listen *:443 ssl;
        server_name localhost;
        ssl_certificate /etc/ssl/certs/testcert.crt;
        ssl_certificate_key /etc/ssl/certs/testcert.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;        # ensure your cert is capable
        ssl_stapling_verify on; # ensure your cert is capable
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;

        # Redirects all traffic
        location / {
            proxy_pass http://localhost:5000;
            limit_req zone=one burst=10 nodelay;
            limit_req_status 503;
        }
    }
}

The zone defined above is named one (zone=one) and is allocated 10 MB of memory (if the zone's storage is exhausted, the server returns 503 for every subsequent request).
The average request rate from one IP address ($binary_remote_addr) may not exceed 5 requests per second (rate=5r/s); requests above that rate but within the burst of 10 (burst=10) are still accepted, with a delay.
Requests exceeding 5 per second beyond the burst of 10 are immediately rejected with 503 (limit_req_status 503).
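To make the rate, burst and nodelay parameters concrete, here is an added Python model of the limit_req bookkeeping (this is example code written for this page, not part of the original article or of nginx). It assumes the "leaky bucket" behaviour of ngx_http_limit_req_module: a per-key excess counter drains at rate requests per second, grows by one for each accepted request, a request is rejected when the excess would exceed burst, and a rejected request leaves the counter untouched. The traffic it feeds in is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LimitReqZone:
    """Model of one limit_req_zone (assumption: mirrors nginx's excess/burst accounting)."""
    rate: float            # rate=5r/s  -> 5.0 requests per second
    burst: int             # burst=10
    nodelay: bool = True   # the page's config uses nodelay
    # key (e.g. the client IP from $binary_remote_addr) -> (time of last accepted request, excess)
    state: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def check(self, key: str, now: float) -> Tuple[str, Optional[float]]:
        """Return ("accept", delay_seconds) or ("reject", None) for one request."""
        if key not in self.state:                       # first request from this key is always accepted
            self.state[key] = (now, 0.0)
            return "accept", 0.0
        last, excess = self.state[key]
        # drain the bucket for the elapsed time, then add this request
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            return "reject", None                       # nginx answers with limit_req_status (503 above)
        self.state[key] = (now, excess)                 # only accepted requests update the state
        # without nodelay the request is queued until the bucket has drained enough
        return "accept", 0.0 if self.nodelay else excess / self.rate


def simulate(requests: List[Tuple[str, float]], rate: float = 5.0, burst: int = 10,
             nodelay: bool = True) -> List[Tuple[str, Optional[float]]]:
    """Run a list of (key, timestamp) requests through one zone and return each verdict."""
    zone = LimitReqZone(rate, burst, nodelay)
    return [zone.check(key, t) for key, t in requests]


def summarize(results: List[Tuple[str, Optional[float]]]) -> Tuple[int, int]:
    """(accepted, rejected) counts."""
    accepted = sum(1 for verdict, _ in results if verdict == "accept")
    return accepted, len(results) - accepted


if __name__ == "__main__":
    # Constructed traffic: 20 requests from one client at the same instant, one more two seconds
    # later, and one request from a second client (which has its own bucket).
    traffic = [("10.0.0.1", 0.0)] * 20 + [("10.0.0.1", 2.0), ("10.0.0.2", 0.0)]
    print(summarize(simulate(traffic)))                 # (13, 9)
    # Same burst without nodelay: the 11th request is accepted but delayed 2 s (excess 10 / 5 r/s)
    print(simulate([("10.0.0.1", 0.0)] * 12, nodelay=False)[10])   # ('accept', 2.0)
```

The model shows what the prose leaves implicit: the first request plus burst requests pass at once (11 of 20), the rest are rejected with limit_req_status, and two seconds later the bucket has drained by rate*2 = 10 so the client is served again. Because the page's config sets nodelay, the burst requests are served immediately rather than queued; drop nodelay to see the delay nginx would otherwise impose.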

2. Apply for a certificate
Common free certificate authority: https://letsencrypt.org/
Generally you submit a CSR file (generated in the same way as above, or according to the CA's requirements) to the SSL certification authority. After your domain name or organization passes verification, the CA issues two files: test_com.crt and test_com.ca-bundle.
test_com.key is used in the nginx configuration together with test_com.crt and test_com.ca-bundle; keep it safe.

# Use cat to concatenate the certificate and the CA bundle into one file
cat test_com.crt test_com.ca-bundle > test_com.pem

Two files result: test_com.key and test_com.pem. Move both to the same location, either the /etc/ssl/private directory or the /etc/ssl/certs directory.
Then modify the nginx.conf file as follows:

server {
    # ...
    ssl on;
    ssl_certificate /etc/ssl/private/test_com.pem;
    ssl_certificate_key /etc/ssl/private/test_com.key;
    # ...
}

It is basically the same as using a self-generated certificate, but it is only replaced with the certificate issued by the certification authority.

3. Diffie-Hellman Key Exchange
The configuration above is still not secure enough: the default digest is SHA-1, which mainstream solutions should now avoid. For better security, Diffie-Hellman key exchange parameters can be added.
First go to the /etc/ssl/certs directory and run sudo openssl dhparam -out dhparam.pem 4096 to generate dhparam.pem:

test@test-VirtualBox:/etc/ssl/certs$ sudo openssl dhparam -out dhparam.pem 4096
[sudo] password for test:
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
# ... wait a while; how long depends on machine performance ...
# view the generated file
test@test-VirtualBox:~$ cd /etc/ssl/certs/
test@test-VirtualBox:/etc/ssl/certs$ ll dhparam.pem
-rw-r--r-- 1 root root 769 Sep 27 11:49 dhparam.pem

Modify the nginx.conf file and add ssl_dhparam /etc/ssl/certs/dhparam.pem; next to the cipher settings:

ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

 

III. Startup

1. Common commands

# Start nginx
/usr/local/nginx/sbin/nginx
./sbin/nginx
# Stop nginx
./sbin/nginx -s stop
./sbin/nginx -s quit
# -s sends a signal to the running nginx
# Reload the nginx configuration
./sbin/nginx -s reload
# Specify the configuration file
./sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# -c selects the configuration file
# View the nginx version
./sbin/nginx -v
# Help
./sbin/nginx -h
./sbin/nginx -?

2. Automatic Start
When nginx is compiled and installed by hand, automatic startup must be set up by hand as well.

# Set nginx to start automatically: create the service file nginx.service in the /lib/systemd/system directory
vim /lib/systemd/system/nginx.service

The content is as follows:

[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop

[Install]
WantedBy=multi-user.target

File description
[Unit] section
Description: describes the service.
After: dependencies; the custom service is started after the listed targets have started.

[Service] section
Type=forking: the service runs in the background (the started process forks).
ExecStart: the command that runs the service (adapt the path).
ExecReload: the reload command (adapt the path).
ExecStop: the stop command (adapt the path).
PrivateTmp=true (not set in the unit above) allocates a private temporary directory to the service.
Note: the start, reload and stop commands must use absolute paths.

[Install] section
Installation settings for the service; WantedBy=multi-user.target makes it part of the multi-user target.

# After the unit file is created, run from any directory:
systemctl enable nginx.service
# Start the nginx service
systemctl start nginx.service
# Enable automatic start at boot
systemctl enable nginx.service
# Disable automatic start at boot
systemctl disable nginx.service
# View the service status
systemctl status nginx.service
# Restart the nginx service
systemctl restart nginx.service
# List all services
systemctl list-units --type=service

4. Possible Problems
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/certs/testcert.key") failed (SSL: error:0906406D:PEM routines:...
nginx asks for the private key passphrase when it starts. The solution is to generate a decrypted key from the passphrase-protected private key; the effect is the same (similar to an ssh connection) and nginx can restart without a password:
openssl rsa -in testcert.key -out untestcert.key
Then use the new untestcert.key in the nginx configuration for HTTPS connections.

nginx: [emerg] zero size shared memory zone "oneip"
This error occurs when limit_req references a zone that no limit_req_zone directive defines (for example because the zone name in limit_req does not match the name given in limit_req_zone).
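The two configuration mistakes this page runs into (a limit_req zone name that matches no limit_req_zone, and EDH cipher suites without the ssl_dhparam from section II.3) can be caught before nginx is restarted. The following is an added Python checker written for this page, not part of the original article or of nginx; it uses a small flattening tokenizer that is sufficient for the configs shown here (it assumes no '#' inside quoted values), and the sample config it checks is constructed from the page's own nginx.conf with the "oneip" mismatch from the error above.

```python
import re
from typing import List, Optional, Set, Tuple

Directive = Tuple[str, List[str]]  # (name, arguments); block openers such as "server" appear with no arguments


def tokenize(conf: str) -> List[str]:
    """Split nginx.conf text into words, quoted strings, '{', '}' and ';'; '#' comments are dropped.
    Assumption: '#' never appears inside a quoted value (true for the configs on this page)."""
    tokens: List[str] = []
    for raw in conf.splitlines():
        code = raw.split("#", 1)[0]
        tokens += re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', code)
    return tokens


def directives(conf: str) -> List[Directive]:
    """Flatten the config into (name, args) pairs; nesting is ignored, which is enough for these checks."""
    out: List[Directive] = []
    cur: List[str] = []
    for tok in tokenize(conf):
        if tok in (";", "{"):
            if cur:
                out.append((cur[0], [a.strip("\"'") for a in cur[1:]]))
            cur = []
        elif tok == "}":
            cur = []
        else:
            cur.append(tok)
    return out


def zone_name(args: List[str]) -> Optional[str]:
    """'zone=one:10m' (limit_req_zone) or 'zone=one' (limit_req) -> 'one'."""
    for a in args:
        if a.startswith("zone="):
            return a[5:].split(":", 1)[0]
    return None


def lint(conf: str) -> List[str]:
    """Return human-readable findings for the pitfalls discussed on this page."""
    findings: List[str] = []
    d = directives(conf)
    defined = {zone_name(a) for n, a in d if n == "limit_req_zone"}
    for n, a in d:
        if n == "limit_req" and zone_name(a) not in defined:
            findings.append(f'limit_req uses zone "{zone_name(a)}" but no limit_req_zone defines it '
                            f'(nginx reports: zero size shared memory zone)')
    cipher_tokens: Set[str] = set()
    for n, a in d:
        if n == "ssl_ciphers":
            for arg in a:
                cipher_tokens |= set(re.split(r"[:+!\-]", arg))   # OpenSSL cipher-string separators
    if cipher_tokens & {"EDH", "DHE", "kEDH", "kDHE"} and not any(n == "ssl_dhparam" for n, _ in d):
        findings.append("ssl_ciphers allows DHE (EDH) suites but ssl_dhparam is not set; add the dhparam.pem from section II.3")
    for proto in (p for n, a in d if n == "ssl_protocols" for p in a):
        if proto in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
            findings.append(f"ssl_protocols enables deprecated {proto}")
    if any(n == "ssl" and a == ["on"] for n, a in d):
        findings.append('"ssl on;" is deprecated; use "listen 443 ssl;" instead')
    return findings


# Constructed sample modelled on the page's config, reproducing the "oneip" mismatch from the problems section.
BROKEN_CONF = """
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    server {
        listen *:443 ssl;
        server_name localhost;
        ssl_certificate /etc/ssl/certs/testcert.crt;
        ssl_certificate_key /etc/ssl/certs/testcert.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_stapling on; # ensure your cert is capable
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        location / {
            proxy_pass http://localhost:5000;
            limit_req zone=oneip burst=10 nodelay;
            limit_req_status 503;
        }
    }
}
"""

# The same config with the three findings fixed.
FIXED_CONF = (BROKEN_CONF.replace("zone=oneip", "zone=one")
              .replace("ssl_protocols TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2;")
              .replace("ssl_stapling on;", "ssl_dhparam /etc/ssl/certs/dhparam.pem;\n        ssl_stapling on;"))

if __name__ == "__main__":
    for line in lint(BROKEN_CONF):
        print("finding:", line)          # three findings
    print("fixed:", lint(FIXED_CONF))    # fixed: []
```

Run it against the real file with lint(open("/usr/local/nginx/conf/nginx.conf").read()) before systemctl restart; nginx -t remains the authoritative syntax check, this only flags the page-specific pitfalls earlier and explains them.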

 
