Nginx 配置备忘

前两个月把公司生产服务器迁移云服务商的时候，对新服务器模版做了不少优化，还编译了 nginx 加入了 http2 等诸多酷炫的特性，然而当时没做笔记过几天就忘记了具体做了什么。

前些天发现自己的几台服务器年久失修，在修理的时候手滑把数据都删了……那就从头来过吧，辣鸡服务商最高只提供14.04的系统，那 DD 做个18.04，再重新加上各种优化，记笔记水几篇文章？

Nginx 源码编译安装

由于 apt 即使引入了第三方源安装 Nginx 的版本也很低，为了实践最新的特性，只好从源码编译安装 Nginx。

Nginx 依赖 openssl（SSL加密），pcre（prel正则库）和zlib（压缩库）。其中 openssl 更新比较快，也采用源码方式引入。

安装依赖：

sudo apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev unzip git

第三方组件

openssl

从官网下载最新版 openssl

wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
tar zxf openssl-1.1.1a

ngx_brotli

Brotli 是 Google 开源的高效的压缩算法。性能比 gzip 好很多

git clone https://github.com/google/ngx_brotli
cd ngx_brotli
git submodule update --init

下载 Nginx 源码

从官网下载最新版 nginx

wget https://nginx.org/download/nginx-1.15.8.tar.gz
tar zxf nginx-1.15.8.tar.gz

编译Nginx

为了保持习惯（apt 安装的 nginx）一致，我指定了 nginx 的配置，日志，pid 文件路径。加入了之前下载的ngx_brotli和openssl。启用了http_v2和http_ssl这两个HTTP/2相关模块，http_gzip_static支持预编译压缩文件（抄Jerry Qu的，自己并没有用上），stream支持 TCP/UDP转发

./configure \
--prefix=/etc/nginx \
--conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/local/bin/nginx \
--pid-path=/run/nginx.pid \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \ 
--add-module=../ngx_brotli \ 
--with-openssl=../openssl-1.1.1a --with-openssl-opt='enable-tls1_3' \ 
--with-http_v2_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-stream

make
sudo make install

Nginx 服务管理脚本与自启动

都用18.04了，那就用systemd来管理吧，配置文件都是 Nginx 官网抄的

vim /etc/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/bin/nginx -t
ExecStart=/usr/local/bin/nginx
ExecReload=/usr/local/bin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl start nginx
sudo systemctl status nginx  # 启动后查看下服务是否正常
sudo systemctl enable nginx  # 开机自启

Nginx 配置文件

nginx.conf

# user nobody;
worker_processes auto;
pid /run/nginx.pid;

events {
	use epoll;
	worker_connections 809044;
	accept_mutex off;
	multi_accept off;
}

http {

	##
	# Basic Settings
	##

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	charset	UTF-8;

	sendfile	on;
	tcp_nopush	on;
	tcp_nodelay	on;

	keepalive_timeout 65;

	types_hash_max_size 2048;
	server_names_hash_max_size 4096;
	# server_tokens off;

	server_names_hash_bucket_size 128;
	client_max_body_size 2m;
	# server_name_in_redirect off;

	server_tokens off;

	##
	# SSL Settings
	##

	ssl_ciphers	ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DES-CBC3-SHA;

	ssl_prefer_server_ciphers  on;

	ssl_protocols	TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

	##
	# Logging Settings
	##

	log_format	kd_access_log	'$remote_addr - $remote_user [$time_local] "$request" '
					'$status $body_bytes_sent "$http_referer" '
					'"$http_user_agent" "$http_x_forwarded_for" '
					'$upstream_addr $upstream_response_time $request_time';

	access_log /var/log/nginx/access.log kd_access_log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip	on;
	gzip_vary	on;

	gzip_comp_level	6;
	gzip_buffers	16 8k;

	gzip_min_length	1000;
	gzip_proxied	any;
	gzip_disable	"msie6";

	gzip_http_version	1.0;

	gzip_types	text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

	# 如果编译时添加了 ngx_brotli 模块，需要增加 brotli 相关配置
	brotli	on;
	brotli_comp_level	6;
	brotli_types	text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

sites-available/blog

server  {
	listen 443 ssl http2 fastopen=3 reuseport;
    # 这里有个问额：第二个网站配置时只能写 listen 443; 否则会报错，但是 http2 特性也是能用的，还没找到原因

	server_name blog.kdwycz.com;
	access_log /var/log/nginx/blog.access.log kd_access_log;
	error_log /var/log/nginx/blog.error.log;

	location / {
		alias /home/kdwycz/blog/;
	}

	ssl_session_cache        shared:SSL:10m;
	ssl_session_timeout      60m;

	ssl_session_tickets      on;

	# ssl_stapling	on;
	# ssl_stapling_verify	on;
	# ssl_trusted_certificate;

	ssl_certificate /home/kdwycz/certs/cert.pem;
	ssl_certificate_key /home/kdwycz/privkey.pem;

}

server  {
	listen 80;
	server_name blog.kdwycz.com;
	if ($request_method = GET) {
	    return 301 https://$server_name$request_uri;
	}
	return 308 https://$server_name$request_uri;
}

没填的坑？

在各处参考（抄袭）之下完成了看似很不错的 Nginx 配置，但是很多原理层面的东西还是模糊的。近期在看更深入的 Nginx 教程。慢慢补全文中的坑吧

参考资料

• Jerry Qu - 本博客 Nginx 配置之完整篇（以及其他文章）