nginx & tengine 编译安装

摘要

  • 编译安装nginx-1.13.3(因最近新披露了漏洞,所以升级到新版本)
  • 编译安装tengine-2.1.2
  • nginx版本更新到1.13.10

nginx从1.19版本开始支持tcp以及udp的转发(注:此版本号疑为1.9之误,本文编译的1.13.10已可通过--with-stream启用该功能);而tengine目前的最新版本2.2.0仍基于1.6.2版本的nginx,不支持tcp以及udp的转发,所以还是建议使用nginx。

编译安装nginx

安装依赖

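# Build dependencies. Run only the command that matches the distribution.
# centos
# The PCRE packages are named explicitly. An unquoted pcre* is first expanded by
# the shell if a matching file exists in the current directory, and as a yum
# glob it installs every package whose name starts with "pcre".
yum -y install wget curl gcc gcc-c++ autoconf automake zlib zlib-devel openssl openssl-devel pcre pcre-devel
# ubuntu
# -y keeps the command non-interactive, matching the yum line above.
apt-get install -y wget curl libpcre3 libpcre3-dev zlib1g-dev libssl-dev build-essential apache2-utils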

下载nginx源码包

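# Download the sources into /usr/local/src and unpack nginx.
# The result is compiled and installed as root, so the tarball's origin and
# integrity matter: a modified archive means a modified web server binary.
cd /usr/local/src
INSTALL_DIR="/usr/local/product"
NGINX_VERSION="1.13.10"
TENGINE_VERSION="2.1.2"
# Fetched before entering the nginx source tree so the tarball stays in /usr/local/src.
# NOTE(review): this URL is plain HTTP and no signature is checked here; compare
# the file against a checksum obtained over a trusted channel before building it.
wget http://tengine.taobao.org/download/tengine-${TENGINE_VERSION}.tar.gz
# nginx.org serves the same files over HTTPS and publishes a detached PGP
# signature (.asc) next to every release tarball.
wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc
# gpg --verify needs the nginx signing key (published on nginx.org) in the local
# keyring; import it first. The archive is unpacked only if the signature checks out.
gpg --verify nginx-${NGINX_VERSION}.tar.gz.asc nginx-${NGINX_VERSION}.tar.gz \
  && tar xvf nginx-${NGINX_VERSION}.tar.gz \
  && cd nginx-${NGINX_VERSION}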

创建用户、用户组

# Dedicated account for the nginx worker processes: fixed gid/uid 1101 and
# /sbin/nologin as the shell, so the account cannot be used for interactive logins.
groupadd --gid 1101 www
useradd --uid 1101 --gid www --shell /sbin/nologin www

编译安装

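# Configure, build and install nginx into a versioned prefix, then point
# /usr/local/nginx at that prefix.
#
# Review notes on the option list:
#  - Every compiled-in module is code reachable from configuration. The dav,
#    mail and stream modules are optional; drop the ones the host does not need.
#  - --user/--group set the default unprivileged account for worker processes.
#  - The compiler options enable _FORTIFY_SOURCE=2 and -fstack-protector.
#    On a compiler that supports it, -fstack-protector-strong protects more functions.
#
# The steps are chained with && so a failed configure or make cannot be followed
# by an install from a stale build tree.
./configure \
--prefix=${INSTALL_DIR}/nginx-${NGINX_VERSION} \
--user=www \
--group=www \
--with-pcre \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-stream \
--with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
&& make \
&& make install \
&& ln -sfn ${INSTALL_DIR}/nginx-${NGINX_VERSION} /usr/local/nginx
# -sfn replaces an existing /usr/local/nginx symlink on upgrade. A plain "ln -s"
# would follow the old link and create the new link inside the previous install directory.
#
# Compared with the earlier build of this guide: --with-ipv6 was removed and
# --with-stream (TCP proxy support) was added.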

创建nginx启动文件

init

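# Install the SysV init script.
# This file is executed as root at boot and is fetched over plain HTTP, so read
# the downloaded script before using it.
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the script; chmod runs only when the download succeeded.
curl -f http://c.isme.pub/2017/08/30/service-install/nginx.init -o /etc/init.d/nginx \
  && chmod +x /etc/init.d/nginx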

systemd

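# Install the systemd unit.
# The unit defines what systemd runs as root and is fetched over plain HTTP, so
# read the downloaded file before enabling it.
# Alternative target directory, kept from the original:
# curl -f http://c.isme.pub/2017/08/30/service-install/nginx.service -o /usr/lib/systemd/system/nginx.service
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the unit; the unit is enabled only when the download succeeded.
curl -f http://c.isme.pub/2017/08/30/service-install/nginx.service -o /lib/systemd/system/nginx.service \
  && systemctl enable nginx.service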

创建nginx配置文件

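# Replace the default nginx.conf with the downloaded one.
# The file is fetched over plain HTTP, so compare it with the listing in this
# guide before starting nginx.
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the configuration. Check the result with: /usr/local/nginx/sbin/nginx -t
curl -f http://c.isme.pub/2017/08/30/service-install/nginx.conf -o /usr/local/nginx/conf/nginx.conf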
# Main context: process identity, global log and pid/lock locations, worker limits.
# Worker processes run as user www, group www (the account this guide creates with uid/gid 1101).
user www www;
# Global error log; only messages of level "error" and above are written.
# nginx does not create this directory, so /data/logs/nginx must exist before start.
error_log /data/logs/nginx/error.log error;
pid /var/run/nginx.pid;
lock_file /var/lock/nginx;
# Upper bound on open file descriptors per worker process.
worker_rlimit_nofile 102400;
worker_processes 2;
events {
# Maximum simultaneous connections per worker process.
worker_connections 10240;
# epoll is the Linux event method.
use epoll;
# A worker accepts all pending new connections at once instead of one per event.
multi_accept on;
}
# HTTP defaults shared by every virtual host pulled in by the include at the end of this block.
http {
#core
include mime.types;
default_type application/octet-stream;
connection_pool_size 1024;
# Request size and timeout limits: they bound how much data and how much time
# a slow or oversized client request can consume.
client_body_buffer_size 16k;
client_body_temp_path /usr/local/nginx/var/tmp/client_body 1 2;
client_body_timeout 30;
client_header_buffer_size 4k;
large_client_header_buffers 4 4k;
client_header_timeout 30;
# Requests with a larger body are rejected with 413.
client_max_body_size 32m;
#keepalive_disable msie6 safari;
keepalive_timeout 3;
tcp_nodelay on;
send_timeout 30;
sendfile on;
tcp_nopush off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 128;
# Do not disclose the nginx version in the Server header and on error pages.
server_tokens off;
open_file_cache off;
#index
index index.php index.html index.htm;
#fastcgi
fastcgi_connect_timeout 60;
fastcgi_read_timeout 60;
fastcgi_send_timeout 60;
fastcgi_temp_path /usr/local/nginx/var/tmp/fastcgi 1 2;
fastcgi_buffer_size 4k;
fastcgi_buffers 16 4k;
fastcgi_busy_buffers_size 8k;
fastcgi_temp_file_write_size 8k;
fastcgi_max_temp_file_size 256k;
# Error responses from the FastCGI backend (status 300 and above) are handed to nginx's error_page handling.
fastcgi_intercept_errors on;
fastcgi_index index.php;
#proxy
proxy_temp_path /usr/local/nginx/var/tmp/proxy;
proxy_buffer_size 4k;
proxy_buffering on;
proxy_buffers 256 4k;
proxy_busy_buffers_size 8k;
#gzip
gzip on;
gzip_buffers 16 4k;
gzip_comp_level 1;
gzip_http_version 1.1;
gzip_min_length 1024;
gzip_types text/css text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml application/xhtml+xml;
#realip module
# Only connections coming from 127.0.0.1 may replace the client address with the
# value of X-Real-IP. List further sources only if they are proxies you control:
# any listed source can make $remote_addr (logs, allow/deny rules) an arbitrary value.
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
#real_ip_header X-Forwarded-For;
#log module
# $http_x_forwarded_for, $http_referer and $http_user_agent are client-supplied
# request headers; treat these log fields as untrusted input when parsing or displaying logs.
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format moss '$remote_addr | $http_x_forwarded_for | $remote_user | [$time_local] |'
' "$request" | $status | $body_bytes_sent |'
' "$http_referer" | "$http_user_agent" | $request_time | $upstream_response_time';
#ClickJacking
# Disabled as shipped. Uncommented, it sends X-Frame-Options: SAMEORIGIN so pages
# cannot be framed by other origins. A server or location that sets its own
# add_header does not inherit this one and must repeat it.
# add_header X-Frame-Options SAMEORIGIN;
#virtualhost
# Every *.conf file in the vhosts directory (relative to the configuration directory) is loaded.
include vhosts/*.conf;
}
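# tcp / udp proxy
# nginx.conf may contain only one stream block (a second one fails the config
# check as a duplicate directive), so the TCP and UDP examples are merged here
# and share one upstream. Keep only the server block you need.
# NOTE: the TCP listener on port 80 collides with http servers that also listen
# on port 80; choose a free port when both are enabled.
# A stream server relays raw traffic to the backend without any HTTP-level
# checks. If the backend must not be reachable by everyone, restrict the
# listener with allow/deny (ngx_stream_access_module).
stream {
    upstream backend {
        # The same client address is always mapped to the same backend server.
        hash $remote_addr consistent;
        server 127.0.0.1:8000 weight=10;
    }

    # tcp proxy
    server {
        listen 80;
        proxy_connect_timeout 20s;
        proxy_timeout 5m;
        proxy_pass backend;
    }

    # udp proxy
    server {
        listen 80 udp;
        proxy_connect_timeout 20s;
        proxy_timeout 5m;
        proxy_pass backend;
    }
}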

虚拟主机配置文件

# Reverse-proxy virtual host: every request for xxx.com is forwarded to the local backend on port 8000.
upstream web{
server 127.0.0.1:8000;
}
server {
listen 80;
server_name xxx.com;
#access_log off;
#error_log off;
location / {
# Forward the host name the client asked for.
proxy_set_header Host $host;
# X-Real-IP is set from the connection's address and replaces any value the
# client sent. The backend can rely on it only if it is reachable solely through this proxy.
proxy_set_header X-Real-IP $remote_addr;
# NOTE(review): "remote_addr" is not a standard header name; presumably the
# backend application reads it. Confirm it is needed.
proxy_set_header remote_addr $remote_addr;
proxy_pass http://web;
}
}
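# PHP virtual host: static files are served from the document root and *.php
# requests are passed to PHP-FPM on 127.0.0.1:9000.
# NOTE: this example uses the same listen/server_name as the proxy example
# above. Use one of the two per host name.
server {
    listen 80;
    server_name xxx.com;
    access_log /data/logs/nginx_log/xxx_access.log;
    error_log /data/logs/nginx_log/xxx_error.log error;

    location / {
        root /data/web_data/web/app/xxx/www/;
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        root /data/web_data/web/app/xxx/www/;
        # Pass a request to PHP-FPM only if the requested .php file exists under
        # the document root. Without this check a URI such as
        # /some-file.jpg/x.php can reach PHP, which may run the non-PHP file
        # depending on its path-info settings.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        # Matches the http-level default; the original value here was index.html.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;
    }

    location /php-fpm_status {
        # The PHP-FPM status page exposes pool and request details, so it is
        # limited to local monitoring. Add the addresses of your monitoring
        # hosts with further allow lines.
        allow 127.0.0.1;
        deny all;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;
    }
}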

创建缓存、日志目录

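# Directories nginx expects but does not create itself.
mkdir -p /usr/local/nginx/conf/{vhosts,ssl}
# conf/ssl is meant for certificates and private keys; keep it readable by root only.
chmod 700 /usr/local/nginx/conf/ssl
mkdir -p /usr/local/nginx/var/tmp/client_body
# -p so the command also works when /data/logs does not exist yet.
# /data/logs/nginx_log is the directory used by the access_log/error_log lines
# of the virtual host example.
mkdir -p /data/logs/nginx /data/logs/nginx_log
# Keep the log directories owned by root and not writable by the www account:
# log files are opened by the nginx master process, so a directory the worker
# account can write to would let a compromised worker redirect those writes.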

参数解析

--help print this message
--prefix=PATH set installation prefix
--sbin-path=PATH set nginx binary pathname
--conf-path=PATH set nginx.conf pathname
--error-log-path=PATH set error log pathname
--pid-path=PATH set nginx.pid pathname
--lock-path=PATH set nginx.lock pathname
--user=USER set non-privileged user for
worker processes
--group=GROUP set non-privileged group for
worker processes
--build=NAME set build name
--builddir=DIR set build directory
--with-select_module enable select module
--without-select_module disable select module
--with-poll_module enable poll module
--without-poll_module disable poll module
--with-threads enable thread pool support
--with-file-aio enable file AIO support
--with-ipv6 enable IPv6 support
--with-http_ssl_module enable ngx_http_ssl_module
--with-http_spdy_module enable ngx_http_spdy_module
--with-http_realip_module enable ngx_http_realip_module
--with-http_addition_module enable ngx_http_addition_module
--with-http_xslt_module enable ngx_http_xslt_module
--with-http_image_filter_module enable ngx_http_image_filter_module
--with-http_geoip_module enable ngx_http_geoip_module
--with-http_sub_module enable ngx_http_sub_module
--with-http_dav_module enable ngx_http_dav_module
--with-http_flv_module enable ngx_http_flv_module
--with-http_mp4_module enable ngx_http_mp4_module
--with-http_gunzip_module enable ngx_http_gunzip_module
--with-http_gzip_static_module enable ngx_http_gzip_static_module
--with-http_auth_request_module enable ngx_http_auth_request_module
--with-http_random_index_module enable ngx_http_random_index_module
--with-http_secure_link_module enable ngx_http_secure_link_module
--with-http_degradation_module enable ngx_http_degradation_module
--with-http_stub_status_module enable ngx_http_stub_status_module
--without-http_charset_module disable ngx_http_charset_module
--without-http_gzip_module disable ngx_http_gzip_module
--without-http_ssi_module disable ngx_http_ssi_module
--without-http_userid_module disable ngx_http_userid_module
--without-http_access_module disable ngx_http_access_module
--without-http_auth_basic_module disable ngx_http_auth_basic_module
--without-http_autoindex_module disable ngx_http_autoindex_module
--without-http_geo_module disable ngx_http_geo_module
--without-http_map_module disable ngx_http_map_module
--without-http_split_clients_module disable ngx_http_split_clients_module
--without-http_referer_module disable ngx_http_referer_module
--without-http_rewrite_module disable ngx_http_rewrite_module
--without-http_proxy_module disable ngx_http_proxy_module
--without-http_fastcgi_module disable ngx_http_fastcgi_module
--without-http_uwsgi_module disable ngx_http_uwsgi_module
--without-http_scgi_module disable ngx_http_scgi_module
--without-http_memcached_module disable ngx_http_memcached_module
--without-http_limit_conn_module disable ngx_http_limit_conn_module
--without-http_limit_req_module disable ngx_http_limit_req_module
--without-http_empty_gif_module disable ngx_http_empty_gif_module
--without-http_browser_module disable ngx_http_browser_module
--without-http_upstream_hash_module
disable ngx_http_upstream_hash_module
--without-http_upstream_ip_hash_module
disable ngx_http_upstream_ip_hash_module
--without-http_upstream_least_conn_module
disable ngx_http_upstream_least_conn_module
--without-http_upstream_keepalive_module
disable ngx_http_upstream_keepalive_module
--without-http_upstream_zone_module
disable ngx_http_upstream_zone_module
--with-http_perl_module enable ngx_http_perl_module
--with-perl_modules_path=PATH set Perl modules path
--with-perl=PATH set perl binary pathname
--http-log-path=PATH set http access log pathname
--http-client-body-temp-path=PATH set path to store
http client request body temporary files
--http-proxy-temp-path=PATH set path to store
http proxy temporary files
--http-fastcgi-temp-path=PATH set path to store
http fastcgi temporary files
--http-uwsgi-temp-path=PATH set path to store
http uwsgi temporary files
--http-scgi-temp-path=PATH set path to store
http scgi temporary files
--without-http disable HTTP server
--without-http-cache disable HTTP cache
--with-mail enable POP3/IMAP4/SMTP proxy module
--with-mail_ssl_module enable ngx_mail_ssl_module
--without-mail_pop3_module disable ngx_mail_pop3_module
--without-mail_imap_module disable ngx_mail_imap_module
--without-mail_smtp_module disable ngx_mail_smtp_module
--with-stream enable TCP proxy module
--with-stream_ssl_module enable ngx_stream_ssl_module
--without-stream_access_module disable ngx_stream_access_module
--without-stream_upstream_hash_module
disable ngx_stream_upstream_hash_module
--without-stream_upstream_least_conn_module
disable ngx_stream_upstream_least_conn_module
--without-stream_upstream_zone_module
disable ngx_stream_upstream_zone_module
--with-google_perftools_module enable ngx_google_perftools_module
--with-cpp_test_module enable ngx_cpp_test_module
--add-module=PATH enable an external module
--with-cc=PATH set C compiler pathname
--with-cpp=PATH set C preprocessor pathname
--with-cc-opt=OPTIONS set additional C compiler options
--with-ld-opt=OPTIONS set additional linker options
--with-cpu-opt=CPU build for the specified CPU, valid values:
pentium, pentiumpro, pentium3, pentium4,
athlon, opteron, sparc32, sparc64, ppc64
--without-pcre disable PCRE library usage
--with-pcre force PCRE library usage
--with-pcre=DIR set path to PCRE library sources
--with-pcre-opt=OPTIONS set additional build options for PCRE
--with-pcre-jit build PCRE with JIT compilation support
--with-md5=DIR set path to md5 library sources
--with-md5-opt=OPTIONS set additional build options for md5
--with-md5-asm use md5 assembler sources
--with-sha1=DIR set path to sha1 library sources
--with-sha1-opt=OPTIONS set additional build options for sha1
--with-sha1-asm use sha1 assembler sources
--with-zlib=DIR set path to zlib library sources
--with-zlib-opt=OPTIONS set additional build options for zlib
--with-zlib-asm=CPU use zlib assembler sources optimized
for the specified CPU, valid values:
pentium, pentiumpro
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
--with-debug enable debug logging