Openresty的部署及其Nginx特殊配置详解
发布时间:2021-03-03作者:♂逸風★淩軒
一、Nginx和Openresty的部署
1、依赖包:
# Build dependencies for nginx / OpenResty: toolchain, autotools, zlib, OpenSSL,
# PCRE (headers included) and wget for fetching the tarballs.
yum install -y \
  gcc gcc-c++ autoconf automake \
  zlib zlib-devel \
  openssl openssl-devel \
  pcre pcre-devel \
  wget
2、①部署Nginx
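#!/usr/bin/env bash
# Build nginx from source into /usr/local/nginx, running workers as the
# unprivileged "www" account.
# The tarball is fetched over HTTPS and its detached PGP signature is checked:
# nginx.org publishes nginx-<ver>.tar.gz.asc next to every tarball and the
# signing keys at https://nginx.org/en/pgpkeys.html. gpg --verify fails unless
# that key has been imported into the local keyring first — that is intended.
set -euo pipefail

NGINX_VER=1.29.1
NGINX_TGZ="nginx-${NGINX_VER}.tar.gz"

wget "https://nginx.org/download/${NGINX_TGZ}"
wget "https://nginx.org/download/${NGINX_TGZ}.asc"
gpg --verify "${NGINX_TGZ}.asc" "${NGINX_TGZ}"

tar -zxvf "${NGINX_TGZ}" && cd "nginx-${NGINX_VER}"

# Service account: system account, no login shell. It only needs to own the
# worker processes, so a /bin/bash shell was an unnecessary privilege.
getent group www >/dev/null || /usr/sbin/groupadd www
getent passwd www >/dev/null || /usr/sbin/useradd -r -s /sbin/nologin -g www www

./configure --user=www --group=www --prefix=/usr/local/nginx \
  --with-http_stub_status_module \
  --with-http_v2_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-http_realip_module \
  --with-stream
make && make install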
②部署Openresty
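#!/usr/bin/env bash
# Build OpenResty (nginx + LuaJIT + lua-nginx-module) into /usr/local/openresty.
# This is an ALTERNATIVE to step ①, not an addition: both builds produce a
# binary named nginx, and the systemd unit in step 4 points at
# /usr/local/nginx/sbin/nginx — adjust those paths when running OpenResty.
set -euo pipefail

OR_VER=1.19.3.2
OR_TGZ="openresty-${OR_VER}.tar.gz"

wget "https://openresty.org/download/${OR_TGZ}"
# NOTE(review): the OpenResty download page lists a PGP signature for each
# tarball; verify it (gpg --verify "${OR_TGZ}.asc" "${OR_TGZ}") before
# compiling and installing as root.

tar -zxvf "${OR_TGZ}" && cd "openresty-${OR_VER}"

# Idempotent: the account may already exist from step ①. No login shell.
getent group www >/dev/null || /usr/sbin/groupadd www
getent passwd www >/dev/null || /usr/sbin/useradd -r -s /sbin/nologin -g www www

# --with-http_ssl_module was listed twice in the original; once is enough.
./configure --user=www --group=www \
  --with-http_stub_status_module \
  --with-http_v2_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-http_realip_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module
make && make install

# -f so a re-run does not fail on an already existing link.
ln -sf /usr/local/openresty/nginx/sbin/nginx /usr/bin/nginx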
3、配置Nginx配置文件
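user www www;
worker_processes auto;
# "crit" suppresses [error] entries (upstream failures, permission problems,
# rejected requests) — exactly what incident response needs. Log at "error".
error_log /usr/local/nginx/logs/error.log error;
pid /usr/local/nginx/logs/nginx.pid;

# Maximum number of file descriptors each worker process may open.
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # "Connection: upgrade" only when the client asked for a protocol upgrade
    # (WebSocket); "close" otherwise. Referenced by proxied locations.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # 2 GiB request bodies are accepted by every vhost. Lower it in vhosts that
    # do not take uploads, otherwise any client can fill the temp-file directory.
    client_max_body_size 2048m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    # NOTE(review): over TLS, compressing responses that reflect client input
    # next to a secret (CSRF token) exposes the secret to BREACH-style attacks;
    # keep such dynamic responses uncompressed.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    #limit_conn_zone $binary_remote_addr zone=perip:10m;
    ## If limit_conn_zone is enabled, add "limit_conn perip 10;" to the server section.

    ## Pass the client identity to the upstream (this nginx is the 2nd-layer proxy).
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    ## Recover the client address from X-Forwarded-For (3rd-layer proxy).
    ## set_real_ip_from must list ONLY the proxies in front of this nginx —
    ## anything else listed lets a client forge its own $remote_addr.
    #set_real_ip_from 10.200.21.0/24;
    #set_real_ip_from 10.100.23.0/24;
    #real_ip_header X-Forwarded-For;
    #real_ip_recursive on;

    server_tokens off;

    # log formats
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" $http_x_forwarded_for';
    log_format eslog '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" $http_x_forwarded_for';
    access_log off;
    # log_format concatenates its arguments with no separator, so an unquoted
    # format loses every space; the whole format must be one quoted string.
    log_format nomal '[$time_local] - $remote_addr - $request_method - $scheme - $server_protocol - $status - $http_host - [$http_referer] - [$http_user_agent]- $remote_user';
    # escape=json makes quotes and control characters in client-supplied fields
    # (user agent, referer, URI) JSON-safe instead of breaking or forging records.
    log_format json escape=json '{"@timestamp":"$time_iso8601",'
                    '"host":"$server_addr",'
                    '"clientip":"$remote_addr",'
                    '"size":$body_bytes_sent,'
                    '"responsetime":$request_time,'
                    '"upstreamtime":"$upstream_response_time",'
                    '"upstreamhost":"$upstream_addr",'
                    '"http_host":"$host",'
                    '"url":"$uri",'
                    '"xff":"$http_x_forwarded_for",'
                    '"referer":"$http_referer",'
                    #'"http_token":"$http_token",'
                    # Cookies carry session identifiers; do not copy them into access logs.
                    #'"user_cookie":"$http_cookie",'
                    '"request_uri":"$scheme://$http_host$request_uri",'
                    '"agent":"$http_user_agent",'
                    '"status":"$status",'
                    '"request_method":"$request_method",'
                    '"request_length":"$request_length",'
                    '"connection":"$connection",'
                    '"connection_requests":"$connection_requests"}';
                    #'"status":"$status"}';
    access_log /usr/local/nginx/logs/access.log nomal;

    server {
        # "default" is the deprecated spelling of default_server.
        listen 80 default_server;

        #location /svddfy-status {
        #    stub_status on;
        #    access_log off;
        #    allow 192.168.0.1;
        #    deny all;
        #}

        ## Everything that lands on the default vhost is redirected.
        location / {
            rewrite ^(.*) http://dev.52aiops.cn permanent;
        }
    }
    include vhost/*.conf;
}

stream {
    include stream/*.conf;
}
4、配置自启动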
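#!/usr/bin/env bash
# Install a systemd unit for the nginx built in step 2-①. For the OpenResty
# build (step 2-②) replace the /usr/local/nginx/... paths with
# /usr/local/openresty/nginx/....
set -euo pipefail

# Overwrite, not append: re-running this step must not leave a unit file with
# duplicated sections. The quoted delimiter keeps the content literal.
cat > /etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx-The High-performance HTTP Server
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

# Unit files are data, not executables: 0644. systemd must re-read the unit
# directory before the new unit can be started.
chmod 644 /etc/systemd/system/nginx.service
systemctl daemon-reload
systemctl start nginx.service
systemctl enable nginx.service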
二、配置详解
1、解决部分类似
⑴signin-oidc 502 bad gateway dotnet core and identity server
⑵Socket链接异常
配置方案:
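# Shared http-level settings for proxied backends (WebSocket-capable).
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# A fixed "keep-alive" never forwards the upgrade, so WebSocket handshakes
# fail at the backend. $connection_upgrade (the map in nginx.conf) yields
# "upgrade" only when the client sent an Upgrade header, "close" otherwise.
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;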
# Per-vhost FastCGI buffering: 16 x 16k buffers for the reply body and a 32k
# buffer for the first part of the reply (headers), so long response headers
# do not produce "upstream sent too big header" errors.
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
2、解决包上传大小超出1M
# Maximum accepted request body (the default is 1m; larger bodies get 413).
client_max_body_size 50m;
3、开启Gzip压缩
# Response compression for text assets; level 2 trades a little ratio for CPU.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
# Old IE releases mishandle gzip.
gzip_disable "MSIE [1-6]\.";
# NOTE(review): over TLS, compressed pages that reflect client input next to a
# secret (CSRF token) are exposed to BREACH; leave such responses uncompressed.
4、多层Nginx代理转发请求头
⑴二层Nginx服务
# Second-layer nginx: hand the client identity on to the next hop.
proxy_set_header X-Real-IP $remote_addr;                      # address of our direct peer
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # append our peer to the chain
proxy_set_header Host $http_host;                             # original Host header
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto $scheme;                   # http or https as seen here
⑵三层Nginx服务
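# Third-layer nginx: replace $remote_addr with the client address carried in
# X-Forwarded-For. set_real_ip_from must list ONLY the upstream nginx proxies
# (the original line mixed this explanation into the directives, which does
# not parse). Any other source listed here lets a client forge $remote_addr —
# and with it every IP allow-list, geo rule and rate limit keyed on it.
set_real_ip_from 10.200.21.0/24;
set_real_ip_from 10.100.23.0/24;
real_ip_header X-Forwarded-For;
# Walk X-Forwarded-For right-to-left past all trusted hops, not just the last.
real_ip_recursive on;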
5、关闭Nginx版本显示
# Drop the nginx version from the Server header and error pages (the Server
# header itself is still sent).
server_tokens off;
6、自动匹配CPU启动进程
# One worker process per available CPU core.
worker_processes auto;
7、转发HTTP或HTTPS请求头到后端
# Tell the backend whether the client used http or https so it can build correct
# redirects and Secure cookies. Only meaningful if the backend accepts this
# header from this proxy alone and ignores it from any other source.
proxy_set_header X-Forwarded-Proto $scheme;
8、开启Post数据不丢非标准请求头
# Forward request headers containing underscores instead of silently dropping
# them. NOTE(review): nginx drops them by default because backends that map
# headers to CGI-style variables cannot tell X-Token from X_Token, which lets a
# client smuggle a header past filters that only know the hyphenated form.
# Enable only when the backend genuinely needs underscore headers.
underscores_in_headers on;
9、标准日志输出
⑴HTTP日志输出
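# HTTP access log, one JSON object per request. escape=json makes quotes and
# control characters in client-controlled fields (URI, referer, user agent)
# JSON-safe; without it a crafted User-Agent breaks the record or injects a
# fake one into whatever parses this log.
log_format aka_logs escape=json
    '{"@timestamp":"$time_iso8601",'
    '"host":"$hostname",'
    '"server_ip":"$server_addr",'
    '"client_ip":"$remote_addr",'
    '"xff":"$http_x_forwarded_for",'
    '"domain":"$host",'
    '"url":"$uri",'
    '"referer":"$http_referer",'
    '"upstreamtime":"$upstream_response_time",'
    '"responsetime":"$request_time",'
    '"request_method":"$request_method",'
    '"status":"$status",'
    '"size":"$body_bytes_sent",'
    '"request_length":"$request_length",'
    '"protocol":"$server_protocol",'
    '"upstreamhost":"$upstream_addr",'
    '"file_dir":"$request_filename",'
    '"http_user_agent":"$http_user_agent"'
    '}';
access_log /usr/local/nginx/logs/access.log aka_logs;
⑵Stream日志输出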
# Stream (TCP/UDP) access log, one JSON object per session.
log_format tcp_logs
    '{"@timestamp":"$time_iso8601",'
    '"domain":"$server_addr",'
    '"server_ip":"$server_addr",'
    '"server_port":"$server_port",'
    '"client_ip":"$remote_addr",'
    '"client_port":"$remote_port",'
    '"request_method":"$protocol",'
    '"status":"$status",'
    '"upstreamhost":"$upstream_addr",'
    '"protocol":"$protocol",'
    '"bytes_received":"$bytes_received",'
    '"bytes_sent":"$bytes_sent",'
    '"session_time":"$session_time",'
    '"upstream_bytes_sent":"$upstream_bytes_sent",'
    '"upstream_bytes_received":"$upstream_bytes_received",'
    '"upstream_connect_time":"$upstream_connect_time"'
    '}';

# Do not log sessions that never sent a byte (e.g. connect-and-disconnect probes).
map $bytes_received $loggable {
    0       0;
    default 1;
}

access_log /usr/local/nginx/logs/tcp-access.log tcp_logs if=$loggable;
open_log_file_cache off;
10、Nginx结合lua对接口进行token认证(推荐 直接使用openresty)
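# POST mode: a request is allowed only when its whole body is exactly
# "token=<secret>". Use EITHER this variant OR the GET variant below — two
# "location /" blocks in one server are a duplicate-location error.
# NOTE(review): the secret is a literal in nginx.conf and is compared with a
# plain string comparison; keep this file readable only by root/nginx, and
# rotate the value if the config is ever committed anywhere.
set $resp_body "";   # not used by the Lua below; kept for compatibility
location / {
    #default_type text/html;
    access_by_lua '
        ngx.req.read_body()
        -- nil when the body is empty or was spooled to a temp file (larger
        -- than client_body_buffer_size). The original compared against ""
        -- only, so nil fell through to the second check by accident; deny
        -- both cases explicitly.
        local body = ngx.req.get_body_data()
        local expected = "token=密码"
        local errs1 = "oh,Only Authorized Request will be Processe"
        local errs2 = "oh,The parameter is incorrect"
        if body == nil or body == "" then
            ngx.status = ngx.HTTP_FORBIDDEN
            ngx.say(errs1)
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        if body ~= expected then
            ngx.status = ngx.HTTP_FORBIDDEN
            ngx.say(errs2)
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        -- falling through lets the request continue to the content phase
    ';
    #echo 222222;
    # Directory listing of the APK tree; reachable only after the token check.
    autoindex on;
    autoindex_exact_size on;
    autoindex_localtime on;
    root /web/www/apk;
    # Static content answers POST with 405; re-issue the request internally as
    # 200 so the token can travel in the body. NOTE(review): the internal
    # redirect re-runs the access phase, so the check is not skipped — confirm.
    error_page 405 =200 $request_uri;
}
# GET mode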
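# GET mode: the secret is taken from the ?token= query parameter.
# NOTE(review): a token in the URL is written to the access log ($request in
# the "access" format, $request_uri in the "json" format), leaks through the
# Referer header and stays in browser history. When clients can be changed,
# send it in a request header instead (ngx.req.get_headers()["X-Token"]).
set $resp_body "";   # not used by the Lua below; kept for compatibility
location / {
    #default_type text/html;
    access_by_lua '
        local args = ngx.req.get_uri_args()
        -- a repeated ?token= yields a table and a bare ?token yields true;
        -- only a non-empty string may reach the comparison. The original
        -- compared the args table against "", which never matched.
        local supplied = args["token"]
        local expected = "密码"
        local errs1 = "oh,Only Authorized Request will be Processe"
        local errs2 = "oh,The parameter is incorrect"
        if type(supplied) ~= "string" or supplied == "" then
            ngx.status = ngx.HTTP_FORBIDDEN
            ngx.say(errs1)
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        if supplied ~= expected then
            ngx.status = ngx.HTTP_FORBIDDEN
            ngx.say(errs2)
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        -- falling through lets the request continue to the content phase
    ';
    #echo 222222;
    # Directory listing; reachable only after the token check.
    autoindex on;
    autoindex_exact_size on;
    autoindex_localtime on;
    root /oss/zgjy-face;
}
11、基于GeoIP封禁IP(推荐使用openresty)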
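#!/usr/bin/env bash
# Build libmaxminddb (required by ngx_http_geoip2_module) and register
# /usr/local/lib with the dynamic linker.
set -euo pipefail

MMDB_VER=1.6.0
MMDB_TGZ="libmaxminddb-${MMDB_VER}.tar.gz"

wget "https://github.com/maxmind/libmaxminddb/releases/download/${MMDB_VER}/${MMDB_TGZ}"
# NOTE(review): verify the tarball against the checksum/signature on the
# release page, if one is published, before building and installing as root.
tar -zxvf "${MMDB_TGZ}" && cd "libmaxminddb-${MMDB_VER}"
./configure && make && make install

# Add the library path only once; a re-run must not duplicate the entry.
grep -qxF /usr/local/lib /etc/ld.so.conf.d/local.conf 2>/dev/null \
  || echo /usr/local/lib >> /etc/ld.so.conf.d/local.conf
ldconfig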
查看IP属性
# Sanity-check the database: look up one address and print its country record.
mmdblookup --file /usr/local/openresty/nginx/conf/GeoLite2-Country.mmdb --ip 116.25.243.123
编译时添加
--add-module=/usr/local/ngx_http_geoip2_module
模块 Git 地址:https://github.com/leev/ngx_http_geoip2_module ,下载解压后放到 /usr/local/ 下(与上面的 --add-module 路径一致)。
Http模块添加
# GeoIP2 lookups against the MaxMind country database. The default= values
# apply when an address is not in the database, so unknown addresses count as
# US / Lasa / Xizang — and, via the map below, are NOT allowed.
# NOTE(review): GeoLite2-Country carries no city or subdivision records, so
# $city_name and $province will only ever hold their defaults unless a City
# database is configured here instead.
geoip2 /usr/local/openresty/nginx/conf/GeoLite2-Country.mmdb {
    $country   default=US     country iso_code;
    $city_name default=Lasa   city names en;
    $province  default=Xizang subdivisions 0 names en;
}

# Country allow-list: only CN is allowed.
map $country $allowed_country {
    default no;
    CN      yes;
}

# City deny-list (defined, but not referenced by the server snippet below).
map $city_name $allow_city {
    default   yes;
    Beijing   no;
    Guangzhou no;
    Shanghai  no;
    Shenzhen  no;
}

# Province deny-list (defined, but not referenced by the server snippet below).
map $province $allow_province {
    default  yes;
    Shandong no;
}

# Address allow-list that bypasses the geo checks; entries live in greyip.conf.
geo $remote_addr $ip_whitelist {
    default 0;
    include greyip.conf;
}
Server模块添加
# Whitelisted addresses stop here: "break" ends the remaining rewrite-phase
# directives at this level, so the country check below is skipped for them.
if ($ip_whitelist = 1) {
    break;
}
# Everyone else must resolve to CN.
if ($allowed_country = no) {
    return 403;
}
这里显示的是允许国内的ip访问,国外直接返回403。
在 conf 下新建一个 greyip.conf 作为 Geoip 的白名单,支持 ip 段,内容和格式为:
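# greyip.conf — one "address-or-network value;" entry per line, included into
# the geo block. A network must be written with zero host bits: nginx warns
# that the low bits of 8.8.8.8/24 are meaningless and uses 8.8.8.0/24 anyway.
# (8.8.8.8 is a public resolver; these are placeholders, not a real allow-list.)
8.8.8.8 1;
8.8.8.0/24 1;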
这样就配置好了 nginx:上面的 server 片段只按国家做了限制(仅允许 CN)并支持白名单;$allow_city 和 $allow_province 两个 map 已定义但尚未被引用,若要按城市/省份封禁,还需在 server 段增加对应的 if 判断,且需改用包含城市数据的 GeoLite2-City 数据库。
12、开源waf组件
https://github.com/wmgm183/ngx_lua_waf.git 脱胎于 https://github.com/loveshell/ngx_lua_waf.git
下载到conf目录
在nginx.conf的http段添加
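# lua-nginx-module searches ONLY the paths given here; the trailing ";;" appends
# the default search path, so OpenResty's own lualib (resty.*) stays reachable
# without the symlink workaround shown further below.
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua;;";
# Shared memory zone — presumably used by the WAF for its per-IP CC counters.
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/openresty/nginx/conf/waf/init.lua;
# In the http context this runs the WAF for every server and location.
access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;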
配置config.lua里的waf规则目录(一般在waf/conf/目录下)
-- Directory the WAF loads its rule files from; must match where the rules were unpacked.
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
绝对路径如有变动,需对应修改
# Expose OpenResty's bundled Lua libraries at the paths the WAF expects
# (presumably so its require("resty.*") calls resolve).
ln -s /usr/local/openresty/lualib /usr/local/lib/lua
ln -s /usr/local/openresty/lualib/resty /usr/local/openresty/nginx/conf/waf/resty
然后重启nginx即可
配置文件详细说明:
-- ngx_lua_waf config.lua. Values are case-sensitive; keep the quotes exactly as shown.
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
-- Directory holding the rule files.
attacklog = "off"
-- Whether to record blocked requests (needs logdir). NOTE(review): "off"
-- discards the only evidence of what the WAF blocked; turn it on if these
-- logs feed any detection or incident-response pipeline.
logdir = "/usr/local/openresty/nginx/logs/hack/"
-- Log directory; create it yourself and make it writable by the nginx user.
UrlDeny="on"
-- Block requests whose URL matches the URL rules.
Redirect="on"
-- Redirect to the block page after a hit.
CookieMatch = "on"
-- Inspect cookies against the rules.
postMatch = "on"
-- Inspect POST bodies against the rules.
whiteModule = "on"
-- Enable the URL whitelist.
black_fileExt={"php","jsp"}
-- File extensions that may not be uploaded.
ipWhitelist={"127.0.0.1"}
-- IP whitelist; separate multiple entries with commas.
ipBlocklist={"1.0.0.1"}
-- IP blacklist; separate multiple entries with commas.
CCDeny="on"
-- Enable request-flood (CC) blocking.
CCrate = "100/60"
-- CC threshold as requests/seconds, per IP per URL.
-- Default: the same IP may request the same address at most 100 times per minute.
html=[[Please go away~~]]
-- Block page body; edit the text between the brackets.
备注:不要乱动双引号,区分大小写。如果要想只在某个虚拟主机启用 ngx_lua_waf,可以修改对应虚拟主机的 server 段,在该 server 段中 root 网站目录行下面添加如下代码(若 http 段已经配置了 access_by_lua_file,则 WAF 已对所有虚拟主机生效,无需再重复添加):
# Per-vhost enablement: place after "root" inside the server block. Redundant
# when the same directive already sits in the http block, where it applies to
# every server.
access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;
修改完成保存重启nginx
检查规则是否生效
13、对日志的处理
https://github.com/cfsego/ngx_log_if.git
nginx或者openrestry编译时添加
--add-module=/usr/local/ngx_log_if
14、基于Cookie的Sticky分发模块
Sticky是nginx的一个模块,它是基于cookie的一种nginx的负载均衡解决方案,通过分发和识别cookie,来使同一个客户端的请求落在同一台服务器上,默认标识名为route ①.客户端首次发起访问请求,nginx接收后,发现请求头没有cookie,则以轮询方式将请求分发给后端服务器。 ②.后端服务器处理完请求,将响应数据返回给nginx。 ③.此时nginx生成带route的cookie,返回给客户端。route的值与后端服务器对应,可能是明文,也可能是md5、sha1等Hash值 ④.客户端接收请求,并保存带route的cookie。 ⑤.当客户端下一次发送请求时,会带上route,nginx根据接收到的cookie中的route值,转发给对应的后端服务器。
解压并重命名为nginx-sticky-module放置/usr/local/下
另外该编译包需要修改其中一个配置,以避免编译报错
vim /usr/local/nginx-sticky-module/ngx_http_sticky_misc.c
添加两行
/* OpenSSL digest headers the sticky module needs for hash=md5|sha1 cookies. */
#include <openssl/sha.h>
#include <openssl/md5.h>
到
#include <ngx_sha1.h>
下面,nginx或者openrestry编译时添加
--add-module=/usr/local/nginx-sticky-module
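# An upstream block must be named; the original "upstream {" does not parse.
# "sticky;" with defaults sets a cookie named "route" holding the md5 of the
# chosen backend.
upstream sticky_backend {
    sticky;
    server 127.0.0.1:9000;
    server 127.0.0.1:9001;
    server 127.0.0.1:9002;
}

# httponly keeps the routing cookie away from page scripts; add "secure" as
# well once this vhost is served over HTTPS.
upstream www_web_com {
    sticky expires=1h domain=web.com path=/ httponly;
    server 10.0.0.16:8080;
    server 10.0.0.17:8080;
}
[name=route] 设置用来记录会话的cookie名称 [domain=.foo.bar] 设置cookie作用的域名 [path=/] 设置cookie作用的URL路径,默认根目录 [expires=1h] 设置cookie的生存期,默认不设置,浏览器关闭即失效,需要是大于1秒的值 [hash=index|md5|sha1] 设置cookie中服务器的标识是用明文还是使用md5值,默认使用md5 [no_fallback] 设置该项,当sticky的后端机器挂了以后,nginx返回502 (Bad Gateway or Proxy Error) ,而不转发到其他服务器,不建议设置 [secure] 设置启用安全的cookie,需要HTTPS支持 [httponly] 允许cookie不通过JS泄漏,没用过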
15、基于AD的Auth认证
https://github.com/kvspb/nginx-auth-ldap
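# Build nginx with the LDAP auth module. The original omitted the "make" step
# between configure and install; chain with && so a failed configure or build
# never reaches "make install".
./configure --add-module=path_to_http_auth_ldap_module && make && make install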
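# AD-backed HTTP authentication via nginx-auth-ldap.
# NOTE(review): the bind password sits in clear text in nginx.conf — keep the
# file 0640 root:www — and the bind DN shown is the domain Administrator. The
# bind account only needs to search users and read group membership; use a
# dedicated read-only service account instead.
ldap_server 52aiops {
    # ldaps on 636: plain ldap on 389 sends the bind password and every user
    # password across the network in clear text. The AD CA must be trusted by
    # this host for the TLS handshake to succeed.
    url ldaps://地址:636/dc=sys,dc=com?sAMAccountName?sub?(objectClass=person);
    binddn 'CN=Administrator,CN=Users,DC=sys,DC=com';
    binddn_passwd 密码;
    group_attribute member;
    group_attribute_is_dn on;
    # any: a user passes when ANY of the active "require" rules matches.
    satisfy any;
    max_down_retries 2;
    connections 1;
    referral off;
    #require group 'CN=AIOps,OU=AIOps,OU=52aiops,DC=sys,DC=com';
    #require valid_user;
    require user 'CN=yflx,OU=研发中心,OU=AIOps,OU=52aiops,DC=sys,DC=com';
}

# This location prompts for HTTP Basic credentials; the vhost containing it
# must itself be served over HTTPS, otherwise those credentials cross the wire
# base64-encoded only.
location / {
    # Realm string shown in the browser prompt.
    auth_ldap "Forbidden";
    auth_ldap_servers 52aiops;
    proxy_pass http://192.168.254.217:5601;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # Only send "Connection: upgrade" when the client actually requested an
    # upgrade (map in nginx.conf); a fixed value sends it on every request.
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}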
