1 基础依赖
Centos7安装Lua和OpenResty
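# Build prerequisites for Lua / OpenResty on CentOS 7.
yum -y install readline-devel pcre-devel openssl-devel gcc perl
# Quote the package pattern: an unquoted lua* is a shell glob and, if the
# current directory holds anything starting with "lua" (e.g. the
# lua-5.4.3.tar.gz used below), yum would be handed those file names
# instead of the pattern.
yum -y install 'lua*'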
如果你想升级lua
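# Optional: build Lua 5.4.3 from source and make it the `lua` found on PATH.
# NOTE(review): the Lua modules loaded by this nginx run on the LuaJIT that
# OpenResty bundles (the module search paths in the resty.core error further
# down are .../luajit/lib/lua/5.1), not on this interpreter, so only do this
# if something else on the host needs Lua 5.4.
tar zxf lua-5.4.3.tar.gz
cd lua-5.4.3 || exit 1
make all test
# Check which lua is found first on PATH and whether it is the new build.
lua -v
# If it is not: point /usr/bin/lua at the fresh binary. `ln -sf` replaces the
# existing file or link in place, so the `rm -rf /usr/bin/lua` of the original
# is not needed (it deleted the package-managed binary, which a later update
# of the lua package may put back over the link). The link target is the
# directory just built in rather than a hard-coded /application/lua-5.4.3, so
# it is correct wherever the tarball was unpacked.
ln -sf "${PWD}/src/lua" /usr/bin/lua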
配置waf之后,nginx启动报错,如下所示:
nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:no field package.preload['resty.core']no file '/appdata/nginx/nginx/nginx/conf/waf/resty/core.lua'no file '/appdata/nginx/nginx-1.21.4/site/lualib/resty/core.so'no file '/appdata/nginx/nginx-1.21.4/lualib/resty/core.so'no file './resty/core.so'no file '/usr/local/lib/lua/5.1/resty/core.so'no file '/appdata/nginx/nginx-1.21.4/luajit/lib/lua/5.1/resty/core.so'no file '/usr/local/lib/lua/5.1/loadall.so'no file '/appdata/nginx/nginx-1.21.4/site/lualib/resty.so'no file '/appdata/nginx/nginx-1.21.4/lualib/resty.so'no file './resty.so'no file '/usr/local/lib/lua/5.1/resty.so'no file '/appdata/nginx/nginx-1.21.4/luajit/lib/lua/5.1/resty.so'no file '/usr/local/lib/lua/5.1/loadall.so') in /appdata/nginx/nginx-1.21.4/nginx/conf/nginx.conf:205
解决方案只需要建立如下软链接即可,注意要改成你自己的目录
# Make OpenResty's bundled lualib/resty (lua-resty-core) visible under the WAF
# directory that lua_package_path points at. Adjust both paths to your install.
# NOTE(review): an alternative to the link is to keep OpenResty's default search
# path by ending lua_package_path with ";;" — confirm which one the WAF needs.
waf_conf_dir=/appdata/nginx/nginx/nginx/conf/waf
ln -s -- /appdata/nginx/nginx-1.21.4/lualib/resty "${waf_conf_dir}/resty"
2 openresty
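# OpenResty 1.21.4.1: unpack, edit the bundled nginx sources, then build.
# (The listing had several commands fused onto single lines; they are one per
# line here.) The absolute cd below assumes the tarball was unpacked under /app.
tar -xvzf openresty-1.21.4.1.tar.gz
cd /app/openresty-1.21.4.1/bundle/nginx-1.21.4 || exit 1
# - 1. Hide the real version: edit src/core/nginx.h so the three macros read
#        #define NGINX_VERSION "6666"
#        #define NGINX_VER "FW/" NGINX_VERSION ".6"
#        #define NGINX_VAR "FW"
#   NOTE(review): this is cosmetic; `server_tokens off` (base.conf below) already
#   removes the version from the Server header and built-in error pages, and a
#   renamed banner does not change what the binary is or how it behaves.
vim src/core/nginx.h
# - 2. Default Server header: src/http/ngx_http_header_filter_module.c, around
#      line 49:
#        static u_char ngx_http_server_string[] = "Server: FW" CRLF;
vim src/http/ngx_http_header_filter_module.c
# - 3. Footer of the built-in error pages: src/http/ngx_http_special_response.c,
#      around lines 22, 29 and 36:
#        "<hr><center>FW</center>" CRLF
vim src/http/ngx_http_special_response.c
# Unprivileged service account: no login shell, no home directory.
groupadd www
useradd -s /sbin/nologin -g www -M www
# OpenResty's configure — the one that understands --with-luajit — lives in the
# top-level source directory, not in bundle/nginx-1.21.4 (nginx's own configure
# rejects that option), so go back up before running it. The ../ module path
# is then relative to /app, i.e. /app/ngx_log_if-master must exist (it is not
# fetched anywhere on this page).
cd /app/openresty-1.21.4.1 || exit 1
./configure --prefix=/app/nginx-1.21.4 \
  --with-luajit --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --add-module=../ngx_log_if-master \
  --with-pcre --with-pcre-jit
gmake
gmake install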
参考史上最全nginx 安装升级安全配置
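# Second build: add dyups, upstream health checks and vts.
# NOTE(review): these clones take whatever the default branch holds on the day
# the script runs; pin a tag or commit (git clone -b TAG ... or git checkout
# COMMIT — values are project-specific, not on this page) so the build is
# reproducible and a changed or compromised upstream cannot silently alter what
# gets compiled into nginx.
yum install git -y
cd /appdata/nginx || exit 1
git clone https://github.com/yzprofile/ngx_http_dyups_module.git
git clone https://github.com/yaoweibin/nginx_upstream_check_module.git
git clone https://github.com/vozlt/nginx-module-vts.git
yum install patch -y
yum install gd gd-devel -y   # libgd, required by --with-http_image_filter_module
# nginx_upstream_check_module patch against the bundled nginx sources
cd /appdata/nginx/openresty-1.21.4.1/bundle/nginx-1.21.4 || exit 1
patch -p1 < /appdata/nginx/nginx_upstream_check_module/check_1.20.1+.patch
# Run OpenResty's configure from the top-level source directory (nginx's own
# configure in bundle/nginx-1.21.4 does not accept --with-luajit). The ../
# module paths below then resolve to the clones in /appdata/nginx;
# ngx_log_if-master is not fetched on this page and must already be there.
cd /appdata/nginx/openresty-1.21.4.1 || exit 1
./configure --prefix=/appdata/nginx/nginx-1.21.4 \
  --with-luajit \
  --with-pcre \
  --with-pcre-jit \
  --with-http_realip_module \
  --with-http_v2_module \
  --with-http_image_filter_module \
  --with-http_iconv_module \
  --with-stream_realip_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-http_slice_module \
  --with-http_sub_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --add-module=../nginx-module-vts \
  --add-module=../ngx_log_if-master \
  --add-module=../ngx_http_dyups_module \
  --add-module=../nginx_upstream_check_module \
  --without-http_autoindex_module
# The original listing stopped at configure; without the build and install
# step the symlink below points at nothing.
gmake
gmake install
ln -s /appdata/nginx/nginx-1.21.4 /appdata/nginx/nginx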
3 nginx
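# Install nginx as a systemd service (paths assume the /app prefix build).
ln -s /app/nginx-1.21.4 /app/nginx
# Write the unit in one go. The original did
#   cat FILE > FILE; cat >> FILE <<EOF
# which only "works" because the shell truncates FILE before cat reads it; a
# single redirection expresses the same thing without the trick. The delimiter
# is quoted so nothing in the unit is subject to shell expansion.
# NOTE(review): /lib/systemd/system is where packages install their units;
# locally written units conventionally go in /etc/systemd/system so a package
# update cannot overwrite them.
cat > /lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/app/nginx/nginx/sbin/nginx
ExecReload=/app/nginx/nginx/sbin/nginx -s reload
ExecStop=/app/nginx/nginx/sbin/nginx -s stop

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start nginx
systemctl status nginx
# Start on boot
systemctl enable nginx
systemctl stop nginx
systemctl restart nginx
systemctl status nginx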
4 nginx的配置
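# nginx.conf (main file). In the pasted listing several directives had been
# fused onto the end of comment lines — worker_processes, the http-level
# proxy_set_header, log_format logstash_json, limit_conn_zone perip and
# include extra/base.conf — which commented them out even though later blocks
# rely on them (access_log ... logstash_json, limit_conn perip). Each is on its
# own line again here.
user www www;
#user root;
#user nginx nginx;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
error_log logs/error.log error;

# pid file defaults to /application/nginx/logs
#pid logs/nginx.pid;
#pid /var/run/nginx.pid;

worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
worker_rlimit_nofile 65535 ;

events {
    use epoll;
    worker_connections 2048;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Catch-all for names not served by any vhost below
    server {
        listen 80 default;
        rewrite ^(.*) http://www.xxx.com/ permanent;
    }

    sub_filter '鄂ICP备xxx号' '鄂ICP备xxx号-1';
    sub_filter_once on;

    # Client address as seen through a proxy chain.
    # NOTE(review): X-Forwarded-For is whatever the peer that connects to this
    # nginx sends, so everything keyed on $clientRealIp — the limit_conn_zone
    # and limit_req_zone entries below and the "ip" field of the JSON log —
    # trusts a value the client can choose unless a proxy in front of nginx
    # overwrites it. If there is such a proxy, use the realip module this build
    # includes (--with-http_realip_module): set_real_ip_from PROXY_CIDR
    # (placeholder), real_ip_header X-Forwarded-For, real_ip_recursive on, and
    # key the zones on $binary_remote_addr. If nginx is the first hop, key them
    # on $binary_remote_addr directly and leave this map for logging only.
    map $http_x_forwarded_for $clientRealIp {
        "" $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
    }

    #log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$remote_addr" ';
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent $request_body "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for" ';
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for" '
    #                '$connection $upstream_addr '
    #                '$upstream_response_time $request_time';
    log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$remote_addr" '
                    '$connection $upstream_addr '
                    '$upstream_response_time $request_time';

    #################################################
    # logstash_json log format
    #################################################
    proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header X_FORWARDED_PROTO https;
    #proxy_set_header Host $host;
    #proxy_set_header X-Real-IP $remote_addr;      # first proxy hop: pass the real client address
    #proxy_set_header X-Real-IP $http_x_real_ip;   # later hops: forward what was received
    # escape=json makes nginx JSON-escape every variable value, so a quote or
    # backslash in a client-supplied field (User-Agent, Referer, the request
    # URI, $args) can neither break the record nor forge an extra one.
    log_format logstash_json escape=json
        '{"@timestamp":"$time_iso8601",'
        '"@source":"$server_addr",'
        '"hostname":"$hostname",'
        '"ip":"$clientRealIp",'
        '"client":"$remote_addr",'
        '"request_method":"$request_method",'
        '"scheme":"$scheme",'
        '"domain":"$server_name",'
        '"referer":"$http_referer",'
        '"request":"$request_uri",'
        '"args":"$args",'
        '"size":$body_bytes_sent,'
        '"status": $status,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamaddr":"$upstream_addr",'
        '"http_user_agent":"$http_user_agent",'
        '"https":"$https",'
        '"@version":"1",'
        '"http_host":"$host",'
        '"url":"$uri"'
        '}';

    #################################################
    # WAF
    #################################################
    # NOTE(review): lua_package_path replaces OpenResty's default search path;
    # end the value with ";;" to keep the bundled lualib (resty.core) reachable,
    # which is what the "module 'resty.core' not found" error above is about.
    #lua_shared_dict limit 200m;
    #lua_package_path "/application/nginx/nginx/conf/waf/?.lua";
    #init_by_lua_file "/application/nginx/nginx/conf/waf/init.lua";
    #access_by_lua_file "/application/nginx/nginx/conf/waf/access.lua";

    #################################################
    # Per-client limits: limit_conn_zone for concurrent connections and bandwidth
    #################################################
    limit_conn_zone $clientRealIp zone=perip:130m;
    limit_conn_zone $server_name zone=perserver:130m;
    # perip: keyed on the client address (roughly 16000 states per 1 MB of zone,
    # per the original note); perserver: concurrency per server_name.

    ### Limit the request rate per second
    # 599 is accepted by nginx (400-599) but is not a registered HTTP status;
    # 429 (Too Many Requests) is what clients and monitoring generally expect.
    limit_req_status 599;
    # NOTE(review): the directive says 200m / 1000r/s; the original explanatory
    # text (70m, 100M, 20r/s) described an earlier setting and no longer matches.
    limit_req_zone $clientRealIp zone=allips:200m rate=1000r/s;
    # zone=allips:SIZE holds the per-key request counters: shrink it if few
    # clients are limited, grow it if many. rate=N r/s caps each key at N
    # requests per second — tune against measured traffic.
    # Then, in each vhost's server {} block above the location blocks, add:
    #limit_req zone=allips burst=20 nodelay;
    #limit_conn perip 500 ;
    #limit_conn perserver 3000 ;
    #limit_rate 100k;
    # burst=20: up to 20 excess requests per key are admitted (20r/s + 20 = 40
    #   in the original's terms); nodelay serves them immediately instead of pacing.
    # perip 500: at most 500 concurrent connections per key.
    # perserver 3000: at most 3000 concurrent connections for the whole server;
    #   connections over that are rejected.
    # limit_rate 100k: 100 KB/s per connection.
    #################################################

    include extra/base.conf;
    include extra/gzip.conf;
    include extra/fastcgi.conf;
    include extra/proxy.conf;

    ##-----------------------------------------------------###
    ##---------------------- vhosts -----------------------###
    ##-----------------------------------------------------###
    include upstream/xxxx.com_.conf;
}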
base.conf
# Hash table tuning
# Upper bound for the server-name hash table; see the nginx tuning notes.
server_names_hash_max_size 512 ;
######################################
# Efficient file transfer
sendfile on;
# Send the response headers in one packet instead of one at a time
tcp_nopush on;
tcp_nodelay on;
####################################### Hide version information
# Drops the nginx version from the Server header and the built-in error pages.
server_tokens off;
######################################
# Connection timeouts
# NOTE(review): 600 s for keep-alive, header and body reads keeps a worker
# connection open for ten minutes per slow or idle client (nginx defaults are
# 75 s / 60 s / 60 s). That makes exhausting worker_connections with slow
# clients cheap; lower these unless a client genuinely needs that long, and
# rely on the limit_conn zones in nginx.conf to bound the damage per source.
# Idle keep-alive time after which the server closes the client connection
keepalive_timeout 600;
# Time allowed for the client to send the complete request header; on expiry
# nginx answers 408 (Request Time-out)
client_header_timeout 600;
# Time allowed between two successive reads of the request body; on expiry
# nginx answers 408
client_body_timeout 600;
# Response timeout toward the client, measured between two successive writes
# rather than for the whole transfer; if the client reads nothing within it,
# nginx closes the connection
send_timeout 600;
############################################### Uploads #####################################
client_max_body_size 105m;
## Buffer size for reading the client request body
## NOTE(review): 32M per request is large; many concurrent uploads could each
## claim that much memory — confirm it is needed.
client_body_buffer_size 32M;
##############################################
gzip.conf
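####################################### Compression
# In the pasted listing the active gzip_types line had been fused onto the end
# of the commented-out one, which commented it out too; it is restored here.
gzip on;
# Only compress responses of at least this size (here: larger than 1k)
gzip_min_length 1k;
# 4 buffers of 16k for the compressed stream
gzip_buffers 4 16k;
# Protocol version gate; the default is fine for current clients
#gzip_http_version 1.0;
# Compression level 1-9; 9 is the slowest with the best ratio
gzip_comp_level 3;
# MIME types to compress (text, JavaScript, ...)
#gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_types text/css text/xml application/javascript application/atom+xml application/rss+xml text/plain ;
# NOTE(review): nginx compresses text/html regardless of gzip_types, so dynamic
# pages that carry secrets (session or CSRF tokens) next to request-controlled
# text are exposed to compression-oracle (BREACH-style) leakage over TLS.
# Mitigate in the application (per-request token masking) or turn gzip off
# for those responses; keeping gzip_types to asset types, as here, is good.
# Emit Vary: Accept-Encoding so caches in front keep the compressed and
# uncompressed copies apart
gzip_vary on;
# Disable gzip for IE6 and older
gzip_disable "MSIE [1-6]\.";
# Whether to compress proxied responses; any = always
gzip_proxied any;
# Verify with a browser tool (the original suggests Firefox + Firebug/YSlow)
# that responses really arrive compressed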
fastcgi.conf
# ceshi_config (test configuration)
server_names_hash_bucket_size 128;
# NOTE(review): 500k is the initial per-connection header buffer (nginx default
# 1k) and is larger than the 32k overflow buffers on the next line, which is an
# unusual combination — confirm the intent.
client_header_buffer_size 500k;
large_client_header_buffers 8 32k;
# Timeout for establishing the connection to the backend
fastcgi_connect_timeout 600;
# Timeout for sending the request to FastCGI, i.e. between two successive
# writes after the handshake
fastcgi_send_timeout 600;
# Timeout for reading the FastCGI response
fastcgi_read_timeout 600;
# Buffer for the first part of the FastCGI response
fastcgi_buffer_size 128k;
# Number and size of buffers for the rest of a single response
fastcgi_buffers 8 128k;
# Buffers that may be busy sending to the client while the response is still
# being read
fastcgi_busy_buffers_size 256k;
# Chunk size written to a temp file when the response exceeds the buffers
fastcgi_temp_file_write_size 256k;
proxy.conf
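# proxy.conf — shared proxy settings (included at http level). In the pasted
# listing proxy_temp_path and proxy_cache_path had been fused onto the lines
# before them; they are on their own lines again here.
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
# Append the connecting address to any X-Forwarded-For already present
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $http_x_forwarded_for;

# Timeouts toward the backend (seconds): handshake, send, read.
# NOTE(review): 1500 s is 25 minutes; a stalled backend holds the client
# connection and the proxy buffers for that long. Keep these close to the
# slowest legitimate backend response instead.
# Connect: waiting for the handshake to complete
proxy_connect_timeout 1500;
# Send: waiting for the backend after the connection is up (request queued there)
proxy_send_timeout 1500;
# Read: the backend must finish sending its data within this time
proxy_read_timeout 1500;

# Buffer for the first part of the backend response; it only needs to hold
# the headers nginx inspects
proxy_buffer_size 128k;
# Number and size of buffers for the rest of a single response
proxy_buffers 4 128k;
# Buffers that may be busy sending to the client while the response is still
# being read; under load the docs suggest up to twice a single buffer
proxy_busy_buffers_size 128k;
# Chunk size written to a temp file when the response exceeds the buffers
proxy_temp_file_write_size 128k;
# Directory for those temp files (spill-over for large proxied responses)
proxy_temp_path /app/nginx/nginx/temp;
# Cache area cache_one: 5000 M of shared memory for keys, entries not accessed
# for 1d are evicted, at most 20g on disk. The original text said 15 days; the
# directive says inactive=1d. Nothing on this page references cache_one with a
# proxy_cache directive, so the zone is reserved but unused until a location does.
proxy_cache_path /app/nginx/nginx/cache levels=1:2 keys_zone=cache_one:5000m inactive=1d max_size=20g;
#proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
# Largest temp file per request; responses beyond it are passed through synchronously
#proxy_max_temp_file_size 128m;

# NOTE(review): proxy_store saves proxied response bodies to ROOT/URI on local
# disk and serves that copy on later requests for the same path. At http level
# it applies to every location, including POST endpoints: the mkdir()/rename()
# "Permission denied" entries in the error.log excerpt at the end of this page
# appear to be nginx trying to store responses under .../nginx/html/xd/ and
# .../html/bsmgr/. Giving the worker user write access to the document root
# would silence them, but it also lets any backend response land as a file
# under the web root. Unless static assets are deliberately being mirrored,
# remove these two directives (or scope them to one static location) and use
# proxy_cache with the zone above instead.
proxy_store on;
proxy_store_access user:rw group:rw all:r;

upstream xxx.com_pssl {
    ip_hash;
    server 10.101.10.123:9000 max_fails=3 fail_timeout=5s;
    server 10.101.10.124:9000 max_fails=3 fail_timeout=5s;
    server 10.101.10.125:9000 max_fails=3 fail_timeout=5s;
    server 10.101.10.126:9000 max_fails=3 fail_timeout=5s;
}
include xxx/xxx.com_.conf;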
带证书的配置
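# Plain-HTTP listener: redirect everything to HTTPS
server {
    listen 80;
    server_name mi.xxx.com;
    return 301 https://$server_name$request_uri;
}

server {
    #listen 80;
    listen 443 ssl http2;
    client_max_body_size 100M;
    charset utf-8;
    #ssl on;
    #ssl off;
    # Zones allips / perip / perserver are declared in nginx.conf
    limit_req zone=allips burst=50 nodelay;
    limit_conn perip 2000 ;
    limit_conn perserver 3000 ;
    limit_rate 300k;
    server_name mi.xxx.com;
    ssl_certificate /app/nginx/nginx/conf/xxx.com/crt/8813129_mi.xxx.com.pem;
    ssl_certificate_key /app/nginx/nginx/conf/xxx.com/crt/8813129_mi.xxx.com.key;
    ssl_session_cache shared:SSL:10m;
    #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
    # The original cipher list
    #   ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # is the old nginx example and explicitly re-admits LOW, EXPORT and RC4
    # suites. nginx's own default is the sane minimum for TLS 1.2; use it (or a
    # curated modern list) instead.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Once the site is only ever served over HTTPS, consider
    #   add_header Strict-Transport-Security "max-age=31536000" always;
    index index.jsp default.jsp index.do default.do index.html index.htm index.php forum.php;
    # JSON access log (format declared in nginx.conf)
    access_log jsonlogs/mi.xxx.com.log logstash_json;

    # Deny application internals. The original `location /(WEB-INF)/` is a
    # prefix match on the literal string "/(WEB-INF)/", so /WEB-INF/web.xml was
    # never denied; ^~ is a prefix match that also stops the regex locations
    # below from claiming the request.
    location ^~ /WEB-INF/ {
        deny all;
    }

    location / {
        proxy_pass http://mi.xxx.com_pssl;
    }
    # Static assets by extension. The original patterns ended in (.*)$, which
    # lets the extension sit anywhere in the URI: "\.(js|css|...)(.*)$" also
    # matched every *.jsp page and sent dynamic pages out with a 5-day Expires.
    # Anchoring on the real extension fixes that; the query string is not part
    # of $uri, so no trailing wildcard is needed.
    location ~ \.(gif|jpg|jpeg|png|bmp|swf|ico|svg|flv|xml|webp)$ {
        expires 15d;
        proxy_pass http://mi.xxx.com_pssl;
    }
    location ~ \.(js|css|gzcss|gzjs)$ {
        expires 5d;
        proxy_pass http://mi.xxx.com_pssl;
    }
    # Local static files, if present. Regex locations are tried in order, so
    # this one only sees URIs the two above did not take — with the optional
    # group that appears to be URIs ending in a bare "." — confirm it is still wanted.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico|svg|flv|js|css|gzcss|gzjs|webp)?$ {
        if (-f $request_filename) {
            expires 5d;
            break;
        }
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}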
5 时区
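# Timezone and NTP (CentOS 7). Every step writes under /etc, so run the whole
# block as root rather than prefixing some lines with sudo and others not.
[[ "$(id -u)" -eq 0 ]] || { printf 'run this block as root\n' >&2; exit 1; }
# Point /etc/localtime at the zone. `ln -sf` replaces the existing link in
# place, so the original's separate `rm -fr /etc/localtime` is unnecessary.
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Record the zone in /etc/sysconfig/clock
cat > /etc/sysconfig/clock <<'EOF'
Zone=Asia/Shanghai
EOF
# Write the system time to the hardware clock (RTC)
hwclock -w

# NTP: two ways to sync on Linux — ntpdate steps the clock once, ntpd slews it
# gradually. ntpdate is fine on a fresh server; on one already carrying
# workloads prefer ntpd so the clock never jumps.
yum install -y ntp ntpdate
ntpdate -u ntp2.aliyun.com
# ntpd configuration (content unchanged from the original). The restrict lines
# refuse remote modification, traps, peering and status queries, and
# `disable monitor` switches off the monlist responder — together these keep
# the daemon from being usable as a UDP amplification reflector.
cat > /etc/ntp.conf <<'EOF'
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
server ntp4.aliyun.com iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
ntpdate cn.pool.ntp.org
# Reminder: sort out the firewall / security group before enabling the service.
# Port 123/UDP only needs to be open inbound if this host serves time to
# others; as a pure client, outbound UDP 123 (and the replies) is enough.
# Start now and on boot
systemctl start ntpd
systemctl enable ntpd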
6 nginx错误日志
6.1 mkdir() rename()
nginx中error.log存在大量的相同的错误信息,这是什么原因造成的呢?
2022/12/30 15:51:23 [crit] 26809#0: *6116 mkdir() "/appdata/nginx/nginx-1.21.4/nginx/html/xd/code2Session" failed (13: Permission denied) while reading upstream, client: 222.182.0.45, server: bsel.bsspirit.cn, request: "POST /xd/code2Session HTTP/1.1", upstream: "http://192.168.0.8:8352/xd/code2Session", host: "bsel.bsspirit.cn", referrer: "https://servicewechat.com/wx6e1b2f6e41df803b/30/page-frame.html"2022/12/30 15:58:45 [crit] 26810#0: *45765 rename() "/appdata/nginx/nginx/nginx/temp/0000022147" to "/appdata/nginx/nginx-1.21.4/nginx/html/bsmgr/bskj" failed (13: Permission denied) while reading upstream, client: 121.60.87.242, server: bs.bsspirit.cn, request: "POST /bsmgr/bskj HTTP/1.1", upstream: "http://192.168.0.103:8080/bsmgr/bskj", host: "bs.bsspirit.cn"
2022/12/30 15:58:45 [crit] 26808#0: *45569 rename() "/appdata/nginx/nginx/nginx/temp/0000022148" to "/appdata/nginx/nginx-1.21.4/nginx/html/bsmgr/bskj" failed (13: Permission denied) while reading upstream, client: 183.93.17.160, server: bs.bsspirit.cn, request: "POST /bsmgr/bskj HTTP/1.1", upstream: "http://192.168.0.103:8080/bsmgr/bskj", host: "bs.bsspirit.cn"
^C