nginx installation and configuration (rapid deployment in 1 hour)


1 Installation and startup

1.1 RPM installation (without yum)

(1) Download: http://nginx.org/packages/centos/7/x86_64/RPMS/

wget http://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.20.1-1.el7.ngx.x86_64.rpm

(2) Install:

rpm -ivh nginx-1.20.1-1.el7.ngx.x86_64.rpm

(3) Start:

systemctl enable nginx --now

(4) Verify:

# elinks --dump http://10.5.30.7
Welcome to nginx!

If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to [1]nginx.org.
Commercial support is available at [2]nginx.com.

Thank you for using nginx.

References

Visible links
1. http://nginx.org/
2. http://nginx.com/

1.2 Installing from source

(1) Download the nginx source: go to the nginx website and download the stable release; I downloaded 1.20.0

wget http://nginx.org/download/nginx-1.20.1.tar.gz

Extract:

tar xf nginx-1.20.1.tar.gz

(2) Check and install dependencies

Run the following command to install the libraries nginx depends on:

yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel

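(3) Configure the nginx build options

Here I only configure installation under the /opt directory; the other options can be listed by running ./configure --help. cd into the unpacked nginx source directory and run the following command: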

./configure --prefix=/usr/local/nginx --sbin-path=/usr/bin/nginx --with-http_ssl_module

(4) Compile and install

make && make install

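1.3 yum installation (not yet written)

2 Commands

# 1. Start nginx
shell> nginx
# Use ps -ef | grep nginx to check whether nginx started successfully

# 2. Stop nginx
shell> nginx -s stop

# 3. Restart (reload the configuration)
shell> nginx -s reload

nginx -t -c /etc/nginx/nginx.conf          # check the configuration
nginx -s reload -c /etc/nginx/nginx.conf   # reload the configuration file

For rpm or yum installs:

# Enable start on boot and start the service now
systemctl enable nginx --now

# Start the service
systemctl start nginx

# Stop the service
systemctl stop nginx

# Restart the service
systemctl restart nginx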

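3 Configuration

To enable reverse proxying, SELinux must be disabled; the same applies to haproxy.

3.1 Standard web configuration

Add the following configuration inside http{}: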

server {
    listen 443;
    ssl on;
    server_name localhost;

    ssl_certificate /etc/ssl/tls.crt;
    ssl_certificate_key /etc/ssl/tls.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

For port 80, change listen to 80 and remove ssl on.
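A tightened variant of the 3.1 server block, as an added example that is not from the original page: it replaces the deprecated `ssl on;` with `listen 443 ssl;`, drops TLSv1 and TLSv1.1, and makes port 80 redirect to HTTPS. The certificate paths and server_name are the ones from 3.1; the cipher list and the session-ticket and server_tokens settings are assumptions to adapt.

```nginx
# Added example: goes inside http{}, like the block in 3.1.

# Port 80 only redirects, so no content is served in clear text.
server {
    listen 80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/ssl/tls.crt;
    ssl_certificate_key /etc/ssl/tls.key;   # keep readable by root only

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and left out.
    # TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1+;
    # on older builds the parameter has no effect and TLSv1.2 is used.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only (assumed list; applies to TLSv1.2).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;

    # "always" also sends the HSTS header on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    server_tokens off;   # do not advertise the nginx version

    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```

Run `nginx -t` after the change; a handshake forced to TLS 1.0 or 1.1 (for example `openssl s_client -tls1_1 -connect host:443`) should now fail.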

3.2 Reverse proxy

Add the following configuration inside http{}:

server {
    listen 80;
    server_name nexus-devops.utopacloud.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.186.102.104:8801;
    }
}

3.3 Reverse proxy + load balancing

Add the following configuration inside http{}:

upstream jenkins-devops {
    server 10.186.102.104:8801;
    # server 10.186.102.108:8801;
}

server {
    listen 80;
    server_name jenkins-devops.utopacloud.com;

    location / {
        proxy_pass http://jenkins-devops;
    }
}

Other:

location /dcp-kernel-dataexchange {
    rewrite ^/dcp-kernel-dataexchange(.*) $1 break;
    proxy_pass http://serv-dcp-kernel-dataexchange;
}

3.4 Classic configuration:

Front-end reverse proxy:

server {
    listen 443 ssl;
    listen 80;
    server_name scm.myutopa.com;

    ssl_certificate /usr/local/nginx/conf/scm/ssl/_.myutopa.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/scm/ssl/_.myutopa.com.key;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.186.135.137:80;
    }

    location /scm {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.186.135.111:8088;
    }
}

Back-end web home page:

server {
    listen 443 ssl http2;
    server_name mpapi.utopaliving.com;

    ssl_certificate conf.d/ssl/mp_api/mpapi.utopaliving.com_chain.crt;
    ssl_certificate_key conf.d/ssl/mp_api/mpapi.utopaliving.com_key.key;
    #ssl_trusted_certificate conf.d/ssl/mp_api/mpapi.utopaliving.com_chain.crt;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";

    resolver 223.5.5.5 223.6.6.6 valid=300s;
    resolver_timeout 10s;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ^~ /images/ {
        root /usr/share/nginx/html/upload/user;
        expires 1d;
    }

    location ~ \.jsp$ {
        proxy_pass http://10.186.102.110:8080;
    }

    location ~ \.(js|css)?$ {
        root /usr/share/nginx/html;
        expires 12h;
    }

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    location /admin {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    location /h5 {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Back-end API
    location /api {
        proxy_pass http://10.186.102.110:8080;
    }
}

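With the configuration above, whichever host the browser requests, it only ever receives the certificate of the default host, www.example.com. This is caused by the behaviour of the SSL protocol itself: the SSL connection is established first and the HTTP request is sent afterwards, so when nginx establishes the SSL connection

3.5 Layer-4 proxy example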

upstream k8s-apiserver {
    server 192.168.31.71:6443; # Master1 APISERVER IP:PORT
    server 192.168.31.72:6443; # Master2 APISERVER IP:PORT
}

server {
    listen 16443; # nginx shares the host with a master node, so this listen port cannot be 6443 or it will conflict
    proxy_pass k8s-apiserver;
}
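Where the upstream and server blocks above have to live, as an added example that is not from the original page: a server block with a bare `proxy_pass` address and no `location` is stream-module syntax, so it belongs in a top-level `stream{}` block rather than in `http{}`. The log format name, log path, timeout and failure-threshold values are assumptions.

```nginx
# /etc/nginx/nginx.conf: top level, next to http{}, not inside it.
# The nginx.org RPM from 1.1 is built with the stream module. The source
# build in 1.2 needs --with-stream added to ./configure; without it
# "stream" is an unknown directive and nginx -t fails.

stream {
    # Per-connection log: who connected, how long, and which master served it.
    log_format l4 '$remote_addr [$time_local] $protocol $status '
                  '$bytes_sent $bytes_received $session_time "$upstream_addr"';
    access_log /var/log/nginx/k8s-apiserver.log l4;

    upstream k8s-apiserver {
        # Take a master out of rotation for 30s after 3 failed connects.
        server 192.168.31.71:6443 max_fails=3 fail_timeout=30s;
        server 192.168.31.72:6443 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 16443;
        proxy_connect_timeout 5s;   # fail over quickly when a master is down
        proxy_timeout 10m;          # idle limit for long-lived watch connections
        # TCP is relayed as-is: nginx does not terminate TLS here, so clients
        # still validate the API server's own certificate end to end.
        proxy_pass k8s-apiserver;
    }
}
```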
