根據此文檔進行編譯安裝 Nginx，可以將Nginx默認的功能全部安裝上，讀者也可以自己的根據實際情況刪減需要編譯的模塊。

支持的特色功能如下：

• 支持 TLSv1.3 - openssl 從 1.1.1 版本起支持最終版的TLSv1.3標準協議，詳情參見：TLS1.3
• 支持 HTTP2 - Nginx 從 1.9.5 版本起支持http2，詳情參見：Module ngx_http_v2_module
• 支持 Lua語法 - 詳情參見：lua-nginx-module

安裝

Nginx 官方資料：Building nginx from Sources

安裝依賴

yum install -y vim gcc gcc-c++ make cmake cmake3 automake autoconf perl-ExtUtils-Embed openssl-devel libxml2-devel libxslt-devel GeoIP-devel luajit-devel gperftools-devel systemd-devel perl-devel libatomic_ops-devel pcre-devel gd-devel
 

準備源碼包

# Create Directory
mkdir -p /opt/down/nginx
cd /opt/down/nginx

# Get nginx source
wget https://nginx.org/download/nginx-1.14.0.tar.gz

# Get zlib/openssl/pcre dependency
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz

# Get Lua module and depend if you need
wget -c ‘https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz‘ -O lua-nginx-module-0.10.13.tar.gz
wget -c ‘https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz‘ -O ngx_devel_kit-0.3.1rc1.tar.gz

# Extract source file
tar xzf nginx-1.14.0.tar.gz

tar xzf zlib-1.2.11.tar.gz
tar xzf openssl-1.1.1.tar.gz
tar xzf pcre-8.42.tar.gz

tar xzf lua-nginx-module-0.10.13.tar.gz
tar xzf ngx_devel_kit-0.3.1rc1.tar.gz
 

編譯與安裝

• 讀者可根據實際情況自定義修改編譯選項中指定的路徑。
• 用戶與組需要執行useradd work提前創建，或讀者自定義用戶與組名。
• 這裏將nginx-1.14.0所有可編譯的模塊都加上了，讀者可自定義刪減。

# Configure option
cd nginx-1.14.0
./configure --prefix=/opt/soft/nginx --error-log-path=/opt/log/nginx/error.log --pid-path=/opt/run/nginx/nginx.pid --lock-path=/opt/run/nginx/nginx.lock --user=work --group=work --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --http-log-path=/opt/log/nginx/access.log --http-client-body-temp-path=/opt/soft/nginx/temp/client_body --http-proxy-temp-path=/opt/soft/nginx/temp/proxy --http-fastcgi-temp-path=/opt/soft/nginx/temp/fastcgi --http-uwsgi-temp-path=/opt/soft/nginx/temp/uwsgi --http-scgi-temp-path=/opt/soft/nginx/temp/scgi --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-google_perftools_module --with-cpp_test_module --with-compat --with-pcre=../pcre-8.42 --with-pcre-jit --with-libatomic --with-zlib=../zlib-1.2.11 --with-openssl=../openssl-1.1.1 --with-debug --with-ld-opt=-Wl,-rpath,/usr/lib64 --add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../lua-nginx-module-0.10.13

# Compile & Install
make -j2
make install
 

配置與啟動

創建一些必要的目錄，可根據實際情況自定義。

mkdir -p /opt/log/nginx
mkdir -p /opt/run/nginx
mkdir -p /opt/soft/nginx/temp
mkdir -p /opt/soft/nginx/conf/{acl,ssl,vhosts}

主配置文件

路徑：/opt/soft/nginx/conf/nginx.conf
基本參數已經滿足大部分的應用場景，如需要額外的調整參數請參閱官方文檔的 Modules reference

# nginx main config
user    work work;

worker_processes     auto;
worker_cpu_affinity  auto;
worker_rlimit_nofile 655350;

# Loads a dynamic module.
# load_module modules/ngx_stream_module.so;

# Provides the configuration file context in which the directives that affect connection processing are specified.
events {
    # nginx will by default use the most efficient method.
    # use epoll;
    worker_connections  102400;
}

# Log level: debug, info, notice, warn, error, crit, alert, or emerg.
error_log   /opt/log/nginx/error.log error;

# PCRE JIT can speed up processing of regular expressions significantly.
pcre_jit on;

pid /opt/run/nginx/nginx.pid;

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Default log format - main
    #log_format  main  ‘$remote_addr - $remote_user [$time_local] "$request" ‘
    #                  ‘$status $body_bytes_sent "$http_referer" ‘
    #                  ‘"$http_user_agent" "$http_x_forwarded_for"‘;

    # Custom log format - main
    log_format main   ‘[$time_local] $remote_addr $http_x_connecting_ip "$http_x_forwarded_for" ‘
                      ‘$scheme $http_host "$request" $body_bytes_sent $request_time $status "$http_referer" ‘
                      ‘"$http_user_agent" $upstream_addr $upstream_response_time $upstream_status ‘;

    access_log  /opt/log/nginx/access.log main;

    # client_body_buffer_size 8k|16k;
    # client_body_timeout 120s;
    # client_header_buffer_size 1k;
    # client_header_timeout 120s;
    # client_max_body_size 10m;

    keepalive_timeout 75s;

    send_timeout    60s;
    sendfile        on;
    server_tokens   off;
    tcp_nodelay     on;
    tcp_nopush      on;

    # Enables or disables the use of underscores in client request header fields.
    # underscores_in_headers off;
    gzip  on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Module ngx_http_fastcgi_module setting.
    # fastcgi_buffer_size 8k;
    # fastcgi_buffering on;
    # fastcgi_buffers 8 256k;
    # fastcgi_connect_timeout 120s;
    # fastcgi_read_timeout 120s;
    # fastcgi_send_timeout 120s;

    include vhosts/*.conf;
}

默認的虛擬主機

配置默認虛擬主機，禁止直接IP請求及針對未綁定域名的請求跳轉。
路徑：/opt/soft/nginx/conf/vhosts/default.conf

# vhosts - default
server {
    listen  80  default_server;
    server_name _;

    # underscores_in_headers on;

    if ($host ~ "\d+\.\d+\.\d+\.\d+") {
        return 404;
    }

    if ($host ~ "fandenggui.com") {
        return https://www.fandenggui.com;
    }

    location / {
        return https://www.fandenggui.com;
    }
}

正式虛擬主機配置

很多細節，需要讀者了解配置的作用自行修改，這裏不做過多的解釋。

server {
    listen 80;
    listen 443 ssl http2;
    server_name www.fandenggui.com;

    # Access control
    # include acl/your_acl_rule.conf;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate     ssl/fandenggui.com.pem;
    ssl_certificate_key ssl/fandenggui.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ‘ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS‘;

    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9

    # OCSP Stapling --- Requires nginx >= 1.3.7
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # DHPARAM: openssl dhparam -out /opt/soft/nginx/conf/dhparam.pem 4096
    # ssl_dhparam /opt/soft/nginx/conf/dhparam.pem; 

    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    # resolver_timeout 5s; 

    # add_header X-Frame-Options DENY;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security max-age=15768000;
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # Forced to use HTTPS
    # if ( $scheme = "http") {
    #     return 301 https://$host$request_uri;
    # }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log /opt/log/nginx/www.fandenggui.com_access.log main;
    error_log /opt/log/nginx/www.fandenggui.com_error.log error;

    location / {
        # 根據實際情況配置反向代理
        # ……
    }
}

創建 nginx.service

路徑：/usr/lib/systemd/system/nginx.service

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/opt/run/nginx/nginx.pid
ExecStartPre=/usr/bin/rm -f /opt/run/nginx/nginx.pid
ExecStartPre=/opt/soft/nginx/sbin/nginx -t
ExecStart=/opt/soft/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target

啟動服務 & 設置開機啟動

# Check Nginx config.
/opt/soft/nginx/sbin/nginx -t

systemctl start nginx
systemctl enable nginx

參考與工具

• Mozilla SSL Configuration Generator
• Strong Ciphers for nginx
• SSL Server Test

Centos7.x 編譯安裝全功能的Nginx