Nginx Advanced Configuration

Published: 2020-08-02 01:05:08 Source: web Views: 374 Author: 何小帅 Category: Systems operations

1 Nginx status page

The --with-http_stub_status_module parameter has to be given at compile time. Configuration example:

[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /nginx_status {
        stub_status;
        allow 192.168.7.0/24;
        allow 127.0.0.1;
        deny all;
    }
}
[root@CentOS7-01 ~]#systemctl reload nginx

Access test:

[root@CentOS7-01 ~]#curl www.hechunping.tech/nginx_status
Active connections: 1
server accepts handled requests
 32 32 36        # these three numbers are accepts, handled and requests respectively
Reading: 0 Writing: 1 Waiting: 0

Field descriptions:

Active connections: number of client connections currently active, including idle connections waiting for a request.
accepts: cumulative count of client connections accepted since Nginx started.
handled: cumulative count of client connections handled since Nginx started; normally equal to accepts, unless connections were rejected, for example because the worker_connections limit was reached.
requests: cumulative count of client requests received since Nginx started.
Reading: current number of connections on which Nginx is reading the request header.
Writing: current number of connections on which Nginx is writing a response to the client.
Waiting: current number of idle connections waiting for the client's next request; with keep-alive enabled this equals active - (reading + writing).
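As an added example (not from the original post), this Python parser reads the stub_status text above and derives what an operator actually watches: dropped connections (accepts minus handled), requests per connection, the keep-alive identity for Waiting, and per-second rates between two polls. The second poll is a constructed sample in which handled has fallen behind accepts, as happens when worker_connections is exhausted.

```python
import re

# Constructed samples: the post's curl output, and a second poll 60 s later
# in which two connections were accepted but not handled.
SAMPLE_T0 = """Active connections: 1
server accepts handled requests
 32 32 36
Reading: 0 Writing: 1 Waiting: 0
"""
SAMPLE_T1 = """Active connections: 5
server accepts handled requests
 92 90 156
Reading: 1 Writing: 2 Waiting: 2
"""


def parse_stub_status(text):
    """Parse the page stub_status renders into a dict of seven integers."""
    act = re.search(r"Active connections:\s*(\d+)", text)
    tot = re.search(r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)", text)
    cur = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if not (act and tot and cur):
        raise ValueError("not a stub_status page")
    return {
        "active": int(act.group(1)),
        "accepts": int(tot.group(1)),   # connections accepted since start
        "handled": int(tot.group(2)),   # connections actually handled
        "requests": int(tot.group(3)),  # requests seen since start
        "reading": int(cur.group(1)),
        "writing": int(cur.group(2)),
        "waiting": int(cur.group(3)),
    }


def derive(stats):
    """Values worth alerting on that stub_status does not print directly."""
    # accepts > handled means connections were rejected (worker_connections etc.)
    dropped = stats["accepts"] - stats["handled"]
    per_conn = stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    # The post's keep-alive identity: waiting == active - (reading + writing)
    consistent = stats["waiting"] == stats["active"] - (stats["reading"] + stats["writing"])
    return {"dropped": dropped, "requests_per_conn": round(per_conn, 3), "consistent": consistent}


def rates(prev, curr, seconds):
    """Per-second rate of the cumulative counters between two polls."""
    return {k: (curr[k] - prev[k]) / float(seconds) for k in ("accepts", "handled", "requests")}


if __name__ == "__main__":
    t0, t1 = parse_stub_status(SAMPLE_T0), parse_stub_status(SAMPLE_T1)
    print(derive(t1), rates(t0, t1, 60))
```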

2 Adding third-party modules when compiling Nginx

Third-party modules extend Nginx's functionality. They have to be added when compiling and installing Nginx, using the --add-module=PATH parameter to point at the module's directory. Some modules are developed in-house by a company's developers for its own business needs; others are written by open-source contributors and published on GitHub. Either way, Nginx must be rebuilt from source to support them. An example is the open-source echo module: https://github.com/openresty/echo-nginx-module

Configuration example:

[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        echo_sleep 1;
        echo "this is pc directory";
    }
}
[root@CentOS7-01 ~]#nginx -t
nginx: [emerg] unknown directive "echo_sleep" in /apps/nginx/conf/vhosts/pc.conf:5
nginx: configuration file /apps/nginx/conf/nginx.conf test failed
[root@CentOS7-01 ~]#yum install git -y
# clone into the directory that --add-module points at below
[root@CentOS7-01 ~]#git clone https://github.com/openresty/echo-nginx-module.git /usr/local/src/echo-nginx-module
[root@CentOS7-01 ~]#systemctl stop nginx
[root@CentOS7-01 ~]#cd nginx-1.16.1/
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_gunzip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--add-module=/usr/local/src/echo-nginx-module
# -j takes the CPU count from the fourth line of lscpu
[root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
# check the syntax again; it now passes
[root@CentOS7-01 nginx-1.16.1]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#systemctl start nginx
# access test: the echo module now works
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
this is pc directory

3 Using Nginx variables

Nginx variables can be referenced in the configuration file, for example in conditionals or in log formats. They fall into built-in variables and custom variables. Built-in variables come with the Nginx modules and expose many values related to the client's request.

3.1 Built-in variables

These can be printed with the echo module added above. Each variable below was tested with the following configuration file, changing the echo directive to the variable in question:

[root@CentOS7-01 nginx-1.16.1]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        echo $remote_addr;
    }
}

$remote_addr; #the client's address. Note that this is the client's public IP: when a household shares one router, every visitor from it shows the router's public IP.
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
127.0.0.1

$args; #the parameters in the URL, for example http://www.hechunping.tech/pc/index.do?id=20200105
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
id=20200105

$document_root; #the document root directory for the current request
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
/apps/nginx/html

$document_uri; #the URI of the current request without the query parameters, for example
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do

$host; #the host name of the request.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech

$http_user_agent; #details of the client's browser
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
curl/7.29.0

$http_cookie; #the client's cookies.

$limit_rate; #the rate limit if limit_rate is configured on the server; 0 if it is not set.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
0

$remote_port; #the port the client opened at random to reach the Nginx server; each client connection has its own.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37848
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37850

$remote_user; #the user name authenticated by the Auth Basic module.

$request_body_file; #when reverse proxying, the name of the local file whose contents are sent to the backend server.

$request_method; #the request method, such as GET, PUT or DELETE
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
GET

$request_filename; #the path of the file for the current request, the absolute path produced from the root or alias directive and the request URI, for example
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.html
/apps/nginx/html/pc/index.html

$request_uri; #the original URI including the query parameters, without the host name, for example
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do?id=20200105

$scheme; #the request scheme, such as ftp, https or http.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
http

$server_protocol; #the protocol version the client used for the request, such as HTTP/1.0, HTTP/1.1 or HTTP/2.0.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
HTTP/1.1

$server_addr; #the server's IP address.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
127.0.0.1

$server_name; #the host name of the server that received the request.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech

$server_port; #the port of the server that received the request.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
80

3.2 Custom variables

To define your own variable name and value, use the directive "set $variable value;". Its syntax:

Syntax: set $variable value;
Default: —
Context: server, location, if

Configuration:

[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        set $name $server_name;
        echo $name;
        set $my_port $server_port;
        echo $my_port;
    }
}
[root@CentOS7-01 ~]#systemctl restart nginx

Access test:

[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech
80

4 Custom access logs in Nginx

The access log records the concrete requests made by clients, that is, by users. The error_log in the global configuration block records the Nginx server's own runtime log, with its save path and log level, so the two are fundamentally different. Nginx usually has only one error log, whereas access logs can be defined separately in several server blocks. Defining a log means using access_log to set the path the log is saved to and log_format to set the log's format, which lists the specific fields to record.

4.1 Custom log in the default format

To keep the original log format and only append fields, configure it like this:

log_format www.hechunping.tech '$remote_addr - $remote_user [$time_local] "$request" '
                               '$status $body_bytes_sent "$http_referer" '
                               '"$http_user_agent" "$http_x_forwarded_for"'
                               '$server_name:$server_port';
access_log /data/nginx/logs/www.hechunping.tech/access.log www.hechunping.tech;

[root@CentOS7-01 ~]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 ~]#systemctl reload nginx
[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
192.168.7.1 - - [05/Jan/2020:14:58:47 +0800] "GET /pc/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" "-"www.hechunping.tech:80

4.2 Custom JSON-format log

What Nginx's default access log records is fairly limited, and the default format is inconvenient for later log statistics and analysis, so in production the Nginx log is usually written as JSON and then collected, aggregated and analysed with ELK.

log_format access_json '{"@timestamp":"$time_iso8601",'
                       '"host":"$server_addr",'
                       '"clientip":"$remote_addr",'
                       '"size":$body_bytes_sent,'
                       '"responsetime":$request_time,'
                       '"upstreamtime":"$upstream_response_time",'
                       '"upstreamhost":"$upstream_addr",'
                       '"http_host":"$host",'
                       '"uri":"$uri",'
                       '"domain":"$host",'
                       '"xff":"$http_x_forwarded_for",'
                       '"referer":"$http_referer",'
                       '"tcp_xff":"$proxy_protocol_addr",'
                       '"http_user_agent":"$http_user_agent",'
                       '"status":"$status"}';
access_log /data/nginx/logs/www.hechunping.tech/access.log access_json;

[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
{"@timestamp":"2020-01-05T15:04:16+08:00","host":"192.168.7.71","clientip":"192.168.7.1","size":7,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.hechunping.tech","uri":"/pc/index.html","domain":"www.hechunping.tech","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","status":"200"}

4.3 Analysing the JSON access log with Python

[root@CentOS7-01 ~]#cat nginx_json.py
#!/usr/bin/env python
#coding:utf-8
from __future__ import print_function
import json

status_200 = []
status_404 = []
with open("access_json.log") as f:
    for line in f:
        # json.loads rather than eval: a log line carries client-controlled
        # fields (User-Agent, Referer), and eval would execute them as Python
        entry = json.loads(line)
        if entry.get("status") == "200":
            status_200.append(entry)
        elif entry.get("status") == "404":
            status_404.append(entry)
        else:
            print("状态码 ERROR")
print("状态码为200的有-->:", len(status_200))
print("状态码为404的有-->:", len(status_404))
[root@CentOS7-01 ~]#python nginx_json.py
...
状态码 ERROR
状态码为200的有-->: 403428
状态码为404的有-->: 125712
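An added example, not the post's script, that reads lines in the access_json format above with json.loads (never eval: User-Agent and Referer are client-controlled), counts responses by status and 404s per client, and keeps aside any line that is not valid JSON. The lines are constructed; the last one is the broken record Nginx writes when a header value contains a double quote and log_format has no escape=json parameter (available since nginx 1.11.8).

```python
import json
from collections import Counter

# Constructed sample in the post's access_json layout, trimmed to the fields
# used here. The last line is deliberately broken: the client sent a
# User-Agent containing a double quote and log_format lacked escape=json.
LOG = r'''
{"@timestamp":"2020-01-05T15:04:16+08:00","clientip":"192.168.7.1","uri":"/pc/index.html","http_user_agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2020-01-05T15:04:17+08:00","clientip":"192.168.7.1","uri":"/pc/test.html","http_user_agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2020-01-05T15:05:01+08:00","clientip":"192.168.7.99","uri":"/admin/","http_user_agent":"curl/7.29.0","status":"404"}
{"@timestamp":"2020-01-05T15:05:02+08:00","clientip":"192.168.7.99","uri":"/backup/","http_user_agent":"curl/7.29.0","status":"404"}
{"@timestamp":"2020-01-05T15:05:03+08:00","clientip":"192.168.7.99","uri":"/old/","http_user_agent":"curl/7.29.0","status":"404"}
{"@timestamp":"2020-01-05T15:06:00+08:00","clientip":"192.168.7.42","uri":"/pc/","http_user_agent":"Mozilla/5.0 "probe"","status":"200"}
'''


def parse_log(text):
    """Split the log into parsed records and the raw lines that are not valid JSON."""
    records, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            bad.append(line)
    return records, bad


def count_by_status(records):
    """Responses per status code, the question the post's script answers."""
    return dict(Counter(r.get("status") for r in records))


def not_found_by_client(records):
    """404 responses per client address."""
    return dict(Counter(r.get("clientip") for r in records if r.get("status") == "404"))


def noisy_clients(records, threshold=3):
    """Clients with at least `threshold` 404s: a cheap indicator of path
    probing that deserves a closer look in the full log."""
    return sorted(ip for ip, n in not_found_by_client(records).items() if n >= threshold)


if __name__ == "__main__":
    recs, bad = parse_log(LOG)
    print(count_by_status(recs), noisy_clients(recs), "unparsable lines:", len(bad))
```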

5 Nginx compression

Nginx can compress files of specified types before sending them to the client, and the compression ratio is configurable. The compressed file is markedly smaller than the original, which helps reduce outbound bandwidth usage and the company's IT spend, at the cost of the corresponding CPU time. Nginx's compression relies on the ngx_http_gzip_module; official documentation: https://nginx.org/en/docs/http/ngx_http_gzip_module.html. The directives are as follows:

gzip on | off; #enable or disable gzip compression, off by default
gzip_comp_level level; #compression level from 1 (lowest) to 9 (highest), default 1
gzip_disable "MSIE [1-6]\."; #disable gzip for IE6
gzip_min_length 1k; #minimum file size to compress; files smaller than this are not compressed
gzip_http_version 1.0 | 1.1; #minimum protocol version for which compression is enabled, default HTTP/1.1
gzip_buffers number size; #number and size of the buffers Nginx requests for compression, default 32 4k|16 8k;
gzip_types mime-type ...; #MIME types to compress; text/html is compressed by default and must not be listed explicitly, or the configuration fails
gzip_vary on | off; #when compression is enabled, whether to insert "Vary: Accept-Encoding" into the response header

Configuration example:

gzip on;
gzip_comp_level 5;
gzip_min_length 1k;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary on;

[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        root html;
    }
}
[root@CentOS7-01 ~]#ll /apps/nginx/html/pc/test.html -h
-rw-r--r-- 1 nginx nginx 1.7M Jan 5 16:01 /apps/nginx/html/pc/test.html  #this file is used for the compression test

Access test, showing the compressed size:


6 HTTPS

6.1 SSL configuration parameters

Nginx's HTTPS support is implemented by the ngx_http_ssl_module, so an Nginx built from source needs the --with-http_ssl_module parameter to enable SSL; as a core feature it is enabled by default in the yum-installed Nginx. Official documentation: https://nginx.org/en/docs/http/ngx_http_ssl_module.html. The configuration parameters are as follows:

ssl on | off; #enable SSL for the given virtual host; deprecated in 1.15.0, use listen [ssl] instead.
ssl_certificate /path/to/file; #the public key (certificate) file for the current virtual host, usually a crt file
ssl_certificate_key /path/to/file; #the private key file for the current virtual host, usually a key file
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; #supported protocol versions; originally SSL, now TLS; the default is the last three
ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; #SSL session cache
    off: disable the cache
    none: tell clients that the SSL session cache is supported but do not actually use it
    builtin[:size]: use OpenSSL's built-in cache, private to each worker process
    [shared:name:size]: one cache shared between all workers; requires a cache name and size; 1 MB holds about 4000 sessions; several virtual hosts can use the same cache name.
ssl_session_timeout time; #how long a client may reuse a session stored in the cache, default 5m

6.2 Self-signed certificates

# Self-signed CA certificate
[root@CentOS7-01 ~]#cd /apps/nginx/
[root@CentOS7-01 nginx]#mkdir certs
[root@CentOS7-01 nginx]#cd certs
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
......++
...................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                  #country code, see: https://country-code.cl
State or Province Name (full name) []:BeiJing                        #province
Locality Name (eg, city) [Default City]:BeiJing                      #city
Organization Name (eg, company) [Default Company Ltd]:abc            #company name
Organizational Unit Name (eg, section) []:IT                         #department
Common Name (eg, your name or your server's hostname) []:hechunping  #common name
Email Address []:742384103@qq.com                                    #e-mail address
[root@CentOS7-01 certs]#ls
ca.crt  ca.key

# Create the server key and CSR
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hechunping.tech.key -out www.hechunping.tech.csr
Generating a 4096 bit RSA private key
...............................................++
........................................................................................++
writing new private key to 'www.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        #leave empty
An optional company name []:    #same as above
[root@CentOS7-01 certs]#ll
total 16
-rw-r--r-- 1 root root 2090 Jan 5 21:05 ca.crt
-rw-r--r-- 1 root root 3272 Jan 5 21:05 ca.key
-rw-r--r-- 1 root root 1736 Jan 5 21:11 www.hechunping.tech.csr
-rw-r--r-- 1 root root 3272 Jan 5 21:11 www.hechunping.tech.key

# Issue the certificate
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in www.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key

# Verify the certificate contents
[root@CentOS7-01 certs]#openssl x509 -in www.hechunping.tech.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: c6:bd:85:07:5d:3c:bc:54
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:13:08 2020 GMT
            Not After : Jan  2 13:13:08 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
......

6.3 Configuring the certificate in Nginx

[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
    ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name www.hechunping.tech;
    location /pc {
        root html;
    }
}
[root@CentOS7-01 certs]#systemctl reload nginx

Access test:


6.4 HTTPS for multiple domains

Nginx can serve multiple domains on a single IP, and on top of that it can serve HTTPS for multiple domains on a single IP. This relies on Nginx's SNI (Server Name Indication) support. SNI exists to let one Nginx server bind several domains and certificates to one IP: before the SSL connection is established, the client sends the domain name (Hostname) of the site it wants, and the server uses that name to return the matching certificate to the client.

# Create the key and CSR
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout news.hechunping.tech.key -out news.hechunping.tech.csr
Generating a 4096 bit RSA private key
.............................................................................++
.....................................................................................................................................................................................................................................................................................................++
writing new private key to 'news.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:xyz
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Sign the certificate
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in news.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out news.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=xyz/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key

# Verify the certificate contents
[root@CentOS7-01 certs]#openssl x509 -in news.hechunping.tech.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: c6:bd:85:07:5d:3c:bc:55
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:52:00 2020 GMT
            Not After : Jan  2 13:52:00 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=xyz, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
......

# Configure the certificate in Nginx
[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/news.conf
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /apps/nginx/certs/news.hechunping.tech.crt;
    ssl_certificate_key /apps/nginx/certs/news.hechunping.tech.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name news.hechunping.tech;
    location /pc {
        root html;
    }
}
[root@CentOS7-01 certs]#systemctl reload nginx

# Access test

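An added example, not from the post, that checks the `openssl x509 -text` dump of a certificate against the host name a client will connect to. The first sample is the post's www.hechunping.tech certificate from 6.2 (the news.hechunping.tech certificate in 6.4 is issued the same way): it is X.509 version 1 with CN=hechunping and no subjectAltName, so even once ca.crt is trusted, clients that match the host name against subjectAltName will reject it; the second sample is a constructed v3 certificate that passes.

```python
import re

# Constructed from the post's `openssl x509 -noout -text` output: the www
# certificate as issued in 6.2 (version 1, CN=hechunping, no extensions).
CERT_V1 = """Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: c6:bd:85:07:5d:3c:bc:54
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:13:08 2020 GMT
            Not After : Jan  2 13:13:08 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
"""
# Constructed: what the same command shows for a v3 certificate that names the hosts.
CERT_V3 = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=CN, ST=BeiJing, O=abc, CN=www.hechunping.tech
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.hechunping.tech, DNS:news.hechunping.tech
"""


def parse_cert_text(text):
    """Pull the version, subject CN and SAN DNS names out of openssl's text dump."""
    version = int(re.search(r"Version:\s*(\d+)", text).group(1))
    cn = re.search(r"^\s*Subject:.*?CN=([^,/\n]+)", text, re.M)
    san = re.search(r"Subject Alternative Name:\s*(.+)", text)
    names = []
    if san:
        names = [n.strip()[4:] for n in san.group(1).split(",") if n.strip().startswith("DNS:")]
    return {"version": version, "cn": cn.group(1).strip() if cn else None, "san": names}


def name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.hechunping.tech."""
    if pattern.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1].lower() == pattern[2:].lower()
    return pattern.lower() == host.lower()


def hostname_issues(cert, host):
    """Reasons a client would reject this certificate for host; empty means it fits."""
    issues = []
    san_ok = any(name_matches(n, host) for n in cert["san"])
    if cert["version"] != 3:
        issues.append("X.509 v%d certificate: no extensions, so no subjectAltName" % cert["version"])
    if not cert["san"]:
        issues.append("no subjectAltName; modern browsers do not fall back to CN")
    elif not san_ok:
        issues.append("subjectAltName does not cover %s" % host)
    if cert["cn"] != host and not san_ok:
        issues.append("CN %r is not the host name either" % cert["cn"])
    return issues


if __name__ == "__main__":
    for text in (CERT_V1, CERT_V3):
        print(hostname_issues(parse_cert_text(text), "www.hechunping.tech"))
```

To obtain the v3 form with the commands the post uses, pass `openssl x509 -req` an `-extfile` whose contents include `subjectAltName=DNS:www.hechunping.tech`.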

7 About favicon.ico

favicon.ico is the icon a browser shows when a site is bookmarked. When a client visits a page, the browser automatically sends a request for the page's favicon.ico, and if that file does not exist the server logs a 404 and the browser also shows a 404 error.

Solution: save the icon into a dedicated directory.

[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location = /favicon.ico {
        root html/image;
    }
    location /pc {
        root html;
    }
}
[root@CentOS7-01 ~]#systemctl reload nginx


8 Security options

8.1 Hiding the Nginx version

Change the server string in the Nginx source, replacing the Nginx server version with HCPWS/1.1, and recompile Nginx:

[root@CentOS7-01 nginx-1.16.1]#sed -i 's#Server: nginx#Server: HCPWS/1.1#' /root/nginx-1.16.1/src/http/ngx_http_header_filter_module.c
# show the existing configure arguments so the rebuild can reuse them
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx

Access test:


8.2 Upgrading the OpenSSL version

Heartbleed is a security vulnerability in the OpenSSL cryptographic library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and first disclosed to the public in April 2014. Anything using a flawed OpenSSL instance, whether server or client, could be attacked through it. The cause was a missing input validation (a missing bounds check) in the implementation of the TLS heartbeat extension, which is where the name "heartbleed" comes from. The bug is a buffer over-read: more data can be read than should be allowed.

Upgrade steps

1) Check the current OpenSSL version


2) Download and unpack the OpenSSL source package

[root@CentOS7-01 nginx-1.16.1]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-1.1.1d.tar.gz
[root@CentOS7-01 nginx-1.16.1]#tar xf /usr/local/src/openssl-1.1.1d.tar.gz

3) Compile and install Nginx, pointing it at the new OpenSSL source

[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=./openssl-1.1.1d
[root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx

Verify:

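An added example, not from the post, covering the verification steps of sections 2, 8.1 and 8.2: it parses `nginx -V` output (the sample is the post's pre-upgrade output) to confirm which modules are compiled in and which OpenSSL the binary was built against, and checks whether a Server header value still reveals the real Nginx version.

```python
import re

# Constructed from the post's `nginx -V` output before the rebuild in 8.2.
NGINX_V = """nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
"""


def parse_nginx_v(text):
    """Nginx version, the OpenSSL the binary was built with, and its configure flags."""
    ver = re.search(r"nginx version: nginx/(\S+)", text)
    ssl = re.search(r"built with OpenSSL (\d+\.\d+\.\d+[a-z]*)", text)
    args = re.search(r"configure arguments:\s*(.*)", text)
    return {
        "nginx": ver.group(1) if ver else None,
        "openssl": ssl.group(1) if ssl else None,
        "args": args.group(1).split() if args else [],
    }


def has_module(info, flag):
    """True if a --with-... flag or an --add-module=... entry is in the configure arguments."""
    return any(a == flag or a.startswith(flag + "=") for a in info["args"])


def openssl_key(version):
    """'1.0.1f' -> (1, 0, 1, 'f'); a letter suffix sorts after no suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def openssl_at_least(version, minimum):
    """Does the built-in OpenSSL meet the version the rebuild in 8.2 targets?"""
    return openssl_key(version) >= openssl_key(minimum)


def heartbleed_affected(version):
    """Heartbleed affected the OpenSSL 1.0.1 through 1.0.1f releases; 1.0.1g fixed it."""
    return openssl_key("1.0.1") <= openssl_key(version) <= openssl_key("1.0.1f")


def server_header_shows_version(value):
    """True when a Server header value such as 'nginx/1.16.1' exposes the real version.
    Note: with the default `server_tokens on`, Nginx sends NGINX_VER from
    src/core/nginx.h; the string patched in 8.1 is only used when server_tokens is off."""
    return re.search(r"nginx/\d", value) is not None


if __name__ == "__main__":
    info = parse_nginx_v(NGINX_V)
    print(info["nginx"], info["openssl"], has_module(info, "--with-http_stub_status_module"),
          openssl_at_least(info["openssl"], "1.1.1d"))
```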
