
openresty (nginx)

安装部署

基础包

# Build prerequisites for the source install below: PCRE and OpenSSL headers
# (nginx links against both), a C compiler, and curl.
build_deps=(pcre-devel openssl-devel gcc curl)
yum install "${build_deps[@]}"

yum方式安装

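# Package install: register the upstream OpenResty repository, then install
# from it. yum-utils provides yum-config-manager.
sudo yum install yum-utils
# Adds the vendor repo definition (fetched over HTTPS). The repo file also
# carries the package-signing key settings — inspect the file it writes under
# /etc/yum.repos.d/ and keep gpgcheck enabled so packages are verified.
sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
# Installing needs the same privileges as the repo setup above, so this line
# uses sudo like the two before it.
sudo yum install openresty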

编译方式安装

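# Source build. The release is pinned in one place so the download, unpack and
# cd steps cannot drift apart.
openresty_version=1.13.6.2

# -c resumes a partial download. Verify the tarball against the detached PGP
# signature (.asc) published alongside it on openresty.org before unpacking;
# the signing-key fingerprint is not recorded on this page, so obtain it from
# the project's site rather than trusting the download directory alone.
wget -c "https://openresty.org/download/openresty-${openresty_version}.tar.gz"

# Name the archive explicitly instead of globbing openresty-*.gz, which would
# silently pick up stray or older tarballs left in the working directory.
tar zxvf "openresty-${openresty_version}.tar.gz"

# Abort if the directory is missing; otherwise ./configure would run in the
# wrong place and fail with a confusing error.
cd "openresty-${openresty_version}" || exit 1

# stub_status for monitoring, HTTP/2, and realip (needed later to recover the
# client address behind the WAF/SLB).
./configure --with-http_stub_status_module --with-http_v2_module --with-http_realip_module

make && make install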

配置

# Expose the bundled nginx at the conventional locations: /usr/local/nginx for
# the install tree, and an `nginx` command on the default PATH.
ln -s /usr/local/openresty/nginx /usr/local/nginx
ln -s /usr/local/nginx/sbin/nginx /bin/nginx

检查

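# List the shared libraries the freshly built binary links against (useful to
# confirm which OpenSSL/PCRE it picked up). `which` on an absolute path only
# echoes that path back, so it is dropped. Note that ldd runs the dynamic
# loader on its argument, so only use it on binaries you built or trust —
# this one was built in the step above.
ldd /usr/local/nginx/sbin/nginx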

nginx.conf

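# `auto` sizes the worker pool to the detected CPU count, which is what the
# former hand recipe (counting "processor" lines in /proc/cpuinfo) produced
# by hand and then pinned to 8.
worker_processes  auto;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    gzip  on;

    # NOTE(review): no `user` directive is set here, so workers run as the
    # build-time default; the /www setup below makes the tree 770 www:www,
    # which only works if workers actually run as www — confirm.
    # NOTE(review): consider `server_tokens off;` so responses and error pages
    # stop advertising the exact server version.

    # Per-site definitions live in vhosts/ (including the catch-all null.conf).
    include /usr/local/nginx/conf/vhosts/*.conf;
}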

vhosts

null.conf

# Catch-all vhost: requests that arrive by bare IP or with an unknown Host
# header land here. 444 closes the connection without sending a response,
# so the server neither confirms nor serves anything; hits are still logged
# to default.log for review.
server {
    listen       80 default_server;
    server_name  _;
    access_log   /usr/local/nginx/logs/default.log;
    return       444;
}

初始配置

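# One-time filesystem and service-account setup. -p keeps the script
# re-runnable instead of failing when the directory already exists.
mkdir -p /usr/local/nginx/conf/vhosts/

mkdir -p /www
# The group must exist before useradd -g references it.
groupadd www
# Unprivileged service account: no home directory created (-M), no login
# shell, primary group www, home pointed at the document root.
useradd -M -s /sbin/nologin -g www -d /www www
# Owner and group get rwx, "other" gets nothing, so the tree is reachable only
# through the www account.
# NOTE(review): the nginx.conf shown above sets no `user` directive, so
# workers run as the build default rather than www — confirm they run as www,
# otherwise 770 locks them out of /www.
chmod 770 /www && chown -R www:www /www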

返回json日志格式

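 # One JSON object per access-log line.
 # escape=json (nginx >= 1.11.8; the OpenResty 1.13.6.2 built above bundles a
 # newer core) makes nginx escape quotes, backslashes and control characters in
 # every variable, so a crafted User-Agent, Referer or request line cannot
 # break the record or inject extra fields into it.
 # The object is wrapped in braces and every pair is comma-separated; the
 # previous concatenation had neither, "remote_addr:" and "request:" were
 # missing a quote, and the referer key was the variable itself instead of the
 # literal name "http_referer".
 log_format  main  escape=json
     '{"remote_addr":"$remote_addr","remote_user":"$remote_user","time":"$time_local",'
     '"server_name":"$server_name","request":"$request",'
     '"http_user_agent":"$http_user_agent","http_x_forwarded_for":"$http_x_forwarded_for",'
     '"upstream_addr":"$upstream_addr","upstream_response_time":"$upstream_response_time","upstream_status":"$upstream_status",'
     '"http_referer":"$http_referer","http_status":"$status","body_bytes_sent":"$body_bytes_sent"}';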

日志分割

/etc/logrotate.d/openresty

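# Rotate every OpenResty log daily and keep seven generations. Note the glob
# matches any name ending in "log" under logs/, not only *.log.
# sharedscripts runs the postrotate hook once per pass rather than once per
# matched file; USR1 tells the nginx master to reopen its log files.
/usr/local/openresty/nginx/logs/*log {
    daily
    missingok
    rotate 7
    notifempty
    sharedscripts
    postrotate
        # The pid is quoted and cat wrapped in $(...) rather than backticks, so
        # an empty or malformed pid file fails loudly instead of expanding into
        # a bare `kill -USR1` or into several pids.
        if [ -f /usr/local/openresty/nginx/logs/nginx.pid ]; then
            kill -USR1 "$(cat /usr/local/openresty/nginx/logs/nginx.pid)"
        fi
    endscript
}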

更新logrotate配置

# Runs a full rotation pass with the system-wide config (which normally
# includes the /etc/logrotate.d/openresty file above). Add -d for a dry run
# that only parses/validates the config without rotating anything.
logrotate /etc/logrotate.conf

阿里云网站web安全以及负载/高可用架构

WAF - SLB - NGINX (https网站)

WAF

  • 配置ssl证书
  • 跳转443

SLB

  • tcp 负载80

web服务

  • tcp 监听80 (不用配置证书)

Nginx Server 配置

# Reverse proxy for ruiyan.xxx.net. Per the architecture above, the WAF holds
# the certificate and the SLB forwards plain TCP/80, so this vhost listens on
# 80 only and carries no TLS configuration.
upstream ruiyan_cluster {
    server 172.16.140.xxx:7000;
}

server {
    listen       80;
    server_name  ruiyan.xxx.net;

    location / {
        proxy_pass http://ruiyan_cluster;

        # Hand the original host and the caller's address chain to the backend.
        # NOTE(review): behind the WAF and SLB, $remote_addr may be the
        # forwarding hop rather than the end client. The realip module is
        # compiled in (--with-http_realip_module above) but set_real_ip_from /
        # real_ip_header are not configured on this page — confirm which
        # address the backend and the access log are expected to see.
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;

        # Fail over to the next upstream on connection errors, timeouts,
        # malformed responses and 5xx answers.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }
}

nginx waf

启用软waf

nginx.conf

# lua_waf
# Shared-memory zones used by the WAF scripts. The names suggest `limit`
# holds rate-limit counters and `blackip` the blocklist — verify against
# init.lua/access.lua, which are not on this page.
    lua_shared_dict limit 50m;
    lua_shared_dict blackip 50m;
    # NOTE(review): a lua_package_path with no trailing ";;" replaces the
    # default Lua search path instead of extending it — confirm nothing else
    # is require()d from the default locations.
    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    # init.lua runs once when the configuration is loaded; access.lua runs in
    # the access phase of every request and is where inspection happens.
    init_by_lua_file  /usr/local/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/nginx/conf/waf/access.lua;

/usr/local/nginx/conf/waf/config.lua

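-- Master switch read by the WAF scripts: "on" enables request inspection.
-- Lua comments start with "--"; a "#" line here would be a syntax error in
-- config.lua.
config_waf_enable = "on"
-- enable the WAF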

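# Grant the worker user write access so the WAF can write its log under logs/.
# nginx_user is not defined anywhere on this page: the :? guard aborts with a
# message instead of running chown with a missing operand, and -- keeps a value
# beginning with '-' from being parsed as an option.
chown -- "${nginx_user:?set nginx_user to the nginx worker user}" /usr/local/nginx/logs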
