Nginx Configuration and Usage
Published: 2025-01-24  Author: 千家信息网 editor
千家信息网 last updated: 2025-01-24
Overview
Nginx (engine x) is a high-performance HTTP and reverse proxy web server that also provides IMAP/POP3/SMTP proxy services. Nginx was developed by Igor Sysoev for Rambler.ru (Russian: Рамблер), the second most visited site in Russia; the first public version, 0.1.0, was released on 4 October 2004.
Its source code is released under a BSD-like license, and it is known for its stability, rich feature set, sample configuration files and low system resource consumption. Nginx 1.0.4 was released on 1 June 2011.
Nginx is a lightweight web server / reverse proxy server and e-mail (IMAP/POP3) proxy server, distributed under a BSD-like license. Its distinguishing features are low memory use and strong concurrency; in practice Nginx's concurrency compares well with other web servers of its type.
Advantages of Nginx
Nginx compiles and runs on most Unix/Linux operating systems, and a Windows port exists. The stable 1.4.0 release was published on 24 April 2013; in general, new sites should use the latest stable release in production, while existing sites have little urgency to upgrade.
The Nginx source code uses a 2-clause BSD-like license.
Nginx is a powerful, high-performance web and reverse proxy server with many outstanding characteristics:
Under high connection concurrency, Nginx is a good alternative to Apache: in the United States it is one of the platforms frequently chosen by virtual-hosting businesses. It can handle up to 50,000 concurrent connections, thanks to its use of epoll and kqueue as event models.
Nginx status page
Nginx must be compiled with the --with-http_stub_status_module parameter.

Configuration example:
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /nginx_status {
        stub_status;
        allow 192.168.7.0/24;
        allow 127.0.0.1;
        deny all;
    }
}
[root@CentOS7-01 ~]#systemctl reload nginx

Access test:
[root@CentOS7-01 ~]#curl www.hechunping.tech/nginx_status
Active connections: 1
server accepts handled requests
 32 32 36          #these three numbers are accepts, handled and requests respectively
Reading: 0 Writing: 1 Waiting: 0

Explanation:
Active connections: number of client connections currently active, including idle connections waiting for a request.
accepts: cumulative total of client connection requests accepted since Nginx started.
handled: cumulative total of client connection requests handled since Nginx started; normally equal to accepts, unless connections were rejected because of limits such as worker_connections.
requests: cumulative total of client requests received since Nginx started.
Reading: current number of connections on which Nginx is reading the request header.
Writing: current number of connections on which Nginx is sending the response.
Waiting: current number of idle connections waiting for a client request; with keep-alive enabled this equals active - (reading + writing).
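As an added example (not code from the article), here is a small Python parser for the stub_status output shown above, together with the derived checks a monitoring job would compute from it: dropped connections (accepts minus handled, which the text notes is non-zero when connections are rejected by limits such as worker_connections), requests per connection, and the keep-alive identity waiting = active - (reading + writing). The sample status text is constructed; a response that is not a status page (for example the 403 body returned to a client that is denied) raises ValueError instead of silently producing zeros.

```python
"""Parse nginx stub_status output and derive health figures.

Added illustration for this page, not part of the article. SAMPLE_STATUS is a
constructed sample in the exact layout that 'curl .../nginx_status' prints.
"""
import re

SAMPLE_STATUS = """Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

# One regex over the whole page keeps the field order fixed, so a swapped or
# missing counter is detected instead of being assigned to the wrong key.
_STATUS_RE = re.compile(
    r"Active connections:\s*(\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(\d+)\s+(\d+)\s+(\d+)\s*\n"
    r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)"
)
_KEYS = ("active", "accepts", "handled", "requests", "reading", "writing", "waiting")


def parse_stub_status(text):
    """Return the seven counters as a dict of ints.

    Raises ValueError when the text is not a stub_status page, e.g. an HTML
    error page, so a scraper does not record zeros for a denied request.
    """
    m = _STATUS_RE.search(text)
    if not m:
        raise ValueError("not a stub_status page")
    return dict(zip(_KEYS, map(int, m.groups())))


def health(stats):
    """Derived figures from one parsed sample.

    dropped: accepts - handled; anything above zero means connections were
             refused (worker_connections exhausted), the case the article
             mentions for 'handled'.
    requests_per_connection: requests / handled; keep-alive reuse, ~1.0 means
             every connection carried a single request.
    waiting_consistent: whether waiting == active - (reading + writing), the
             relation the article states for keep-alive.
    """
    dropped = stats["accepts"] - stats["handled"]
    rpc = stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    consistent = stats["waiting"] == stats["active"] - (stats["reading"] + stats["writing"])
    return {
        "dropped": dropped,
        "requests_per_connection": round(rpc, 2),
        "waiting_consistent": consistent,
    }


if __name__ == "__main__":
    parsed = parse_stub_status(SAMPLE_STATUS)
    print(parsed)
    print(health(parsed))
```

In a monitoring script the text would come from an HTTP GET of the /nginx_status location, issued from one of the addresses the allow directives permit; the two functions stay the same.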
Adding third-party modules when compiling Nginx
Third-party modules extend Nginx's functionality. They must be added when Nginx is compiled and installed, using the --add-module=PATH parameter to point at the module source. Some modules are developed in-house for specific business needs; others are written by open-source contributors and published on GitHub. Because Nginx only supports third-party modules through recompilation from source, adding one such as the open-source echo module (https://github.com/openresty/echo-nginx-module) requires rebuilding Nginx.

Configuration example:
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        echo_sleep 1;
        echo "this is pc directory";
    }
}
[root@CentOS7-01 ~]#nginx -t
nginx: [emerg] unknown directive "echo_sleep" in /apps/nginx/conf/vhosts/pc.conf:5
nginx: configuration file /apps/nginx/conf/nginx.conf test failed
[root@CentOS7-01 ~]#yum install git -y
[root@CentOS7-01 ~]#git clone https://github.com/openresty/echo-nginx-module.git
[root@CentOS7-01 ~]#systemctl stop nginx
[root@CentOS7-01 ~]#cd nginx-1.16.1/
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_gunzip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
# check the syntax again; it now passes
[root@CentOS7-01 nginx-1.16.1]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#systemctl start nginx
# access test: the echo module is now available
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
this is pc directory
Using Nginx variables
Nginx variables can be referenced in the configuration file for conditional logic, logging and similar purposes. They fall into built-in variables and custom variables; built-in variables are provided by the Nginx modules and give access to many values related to the client's request.
1 Built-in variables
The variables below can be printed with the echo module described above; all of the examples refer to this configuration file:
[root@CentOS7-01 nginx-1.16.1]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        echo $remote_addr;
    }
}

$remote_addr;  #the client's address, i.e. the client's public IP: when a whole household visits a site, the router's public IP is shown.
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
127.0.0.1

$args;  #the query arguments in the URL, e.g. for http://www.hechunping.tech/pc/index.do?id=20200105
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
id=20200105

$document_root;  #the root directory on the system for the currently requested resource
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
/apps/nginx/html

$document_uri;  #the URI of the current request without the query arguments, e.g.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do

$host;  #the requested host name.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech

$http_user_agent;  #details of the client browser
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
curl/7.29.0

$http_cookie;  #the client's cookie information.

$limit_rate;  #the rate limit if limit_rate is configured on the server; 0 if it is not set.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
0

$remote_port;  #the random port the client opened to reach Nginx; each client has its own.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37848
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37850

$remote_user;  #the user name authenticated by the Auth Basic module.

$request_body_file;  #when reverse proxying, the name of the local file sent to the backend server.

$request_method;  #the request method: GET/PUT/DELETE etc.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
GET

$request_filename;  #the absolute path of the requested file, built from the root or alias directive and the request URI, e.g.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.html
/apps/nginx/html/pc/index.html

$request_uri;  #the original URI including the query arguments, without the host name, e.g.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do?id=20200105

$scheme;  #the request scheme, e.g. ftp, https, http.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
http

$server_protocol;  #the protocol version used by the client request, e.g. HTTP/1.0, HTTP/1.1, HTTP/2.0.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
HTTP/1.1

$server_addr;  #the server's IP address.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
127.0.0.1

$server_name;  #the host name of the requested server.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech

$server_port;  #the port of the requested server.
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
80
2 Custom variables
To define your own variable name and value, use the directive "set $variable value;". Its syntax:
Syntax:  set $variable value;
Default: -
Context: server, location, if

Configuration:
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        set $name $server_name;
        echo $name;
        set $my_port $server_port;
        echo $my_port;
    }
}
[root@CentOS7-01 ~]#!s
systemctl restart nginx

Access test:
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech
80
Custom access logs
The access log records the specific requests made by clients (users). The error_log in the global configuration sets the path and level of the log that records the Nginx server's own runtime events, so the two are fundamentally different. Nginx normally has a single error log, while access logs can be defined separately in several server blocks. Defining a log requires access_log to set the log path and log_format to define the format, i.e. which fields are recorded.
1 Custom log in the default format
To keep the original log format and only add fields, configure it as follows:
    log_format www.hechunping.tech '$remote_addr - $remote_user [$time_local] "$request" '
                                   '$status $body_bytes_sent "$http_referer" '
                                   '"$http_user_agent" "$http_x_forwarded_for"'
                                   '$server_name:$server_port';
    access_log /data/nginx/logs/www.hechunping.tech/access.log www.hechunping.tech;
[root@CentOS7-01 ~]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 ~]#systemctl reload nginx
[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
192.168.7.1 - - [05/Jan/2020:14:58:47 +0800] "GET /pc/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" "-"www.hechunping.tech:80
2 Custom JSON-format log
Nginx's default access log records relatively little, and the default format is inconvenient for later statistics and analysis, so in production the Nginx log is usually written as JSON and then collected, aggregated and analysed with ELK.
log_format access_json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"uri":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"tcp_xff":"$proxy_protocol_addr",'
    '"http_user_agent":"$http_user_agent",'
    '"status":"$status"}';
access_log /data/nginx/logs/www.hechunping.tech/access.log access_json;
[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
{"@timestamp":"2020-01-05T15:04:16+08:00","host":"192.168.7.71","clientip":"192.168.7.1","size":7,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.hechunping.tech","uri":"/pc/index.html","domain":"www.hechunping.tech","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","status":"200"}
3 Counting status codes in the JSON log with Python
[root@CentOS7-01 ~]#cat nginx_json.py
#!/usr/bin/env python
#coding:utf-8
from __future__ import print_function
import json

status_200 = []
status_404 = []
with open("access_json.log") as f:
    for line in f:
        line = line.strip()
        if not line:
            continue
        # every line is one JSON object; json.loads parses it safely,
        # whereas eval() would execute whatever text ends up in the log
        line = json.loads(line)
        if line.get("status") == "200":
            status_200.append(line)
        elif line.get("status") == "404":
            status_404.append(line)
        else:
            print("状态码 ERROR")
print("状态码为200的有-->:", len(status_200))
print("状态码为404的有-->:", len(status_404))
[root@CentOS7-01 ~]#python nginx_json.py
...
状态码 ERROR
状态码为200的有-->: 403428
状态码为404的有-->: 125712
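The following is an added example, not the article's script: it reads the same access_json format with json.loads (rather than eval, which would execute whatever text ends up in a log line), counts and skips lines that are not valid JSON instead of aborting on them, and computes, besides the status-code totals, per-client 404 counts and slow requests, the kind of figures the text says ELK is used for. The log lines are constructed samples carrying a subset of the format's fields; the 404 threshold is an assumption chosen for the sample.

```python
"""Summarise an nginx access_json log.

Added illustration for this page, not the article's code. SAMPLE_LOG is a
constructed sample in the article's access_json layout (fields trimmed); the
non-JSON line stands in for a truncated or partially rotated file.
"""
import json
from collections import Counter

SAMPLE_LOG = """\
{"@timestamp":"2020-01-05T15:04:16+08:00","clientip":"192.168.7.1","uri":"/pc/index.html","status":"200","size":7,"responsetime":0.000}
{"@timestamp":"2020-01-05T15:04:17+08:00","clientip":"192.168.7.1","uri":"/favicon.ico","status":"404","size":153,"responsetime":0.000}
{"@timestamp":"2020-01-05T15:04:18+08:00","clientip":"10.0.0.9","uri":"/old/page1.html","status":"404","size":153,"responsetime":0.000}
{"@timestamp":"2020-01-05T15:04:18+08:00","clientip":"10.0.0.9","uri":"/old/page2.html","status":"404","size":153,"responsetime":0.000}
{"@timestamp":"2020-01-05T15:04:19+08:00","clientip":"10.0.0.9","uri":"/old/page3.html","status":"404","size":153,"responsetime":0.000}
this line is not JSON and must not abort the run
{"@timestamp":"2020-01-05T15:04:20+08:00","clientip":"192.168.7.2","uri":"/pc/","status":"500","size":0,"responsetime":1.250}
"""


def parse_json_log(text):
    """Return (records, bad_line_count).

    Each non-empty line is parsed with json.loads; lines that fail to parse
    are counted rather than raised, so one damaged line does not lose the
    whole file's statistics.
    """
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def summarize(records, slow_seconds=1.0):
    """Status-code totals (what the article's script prints), plus per-client
    404 counts and the URIs whose $request_time reached slow_seconds."""
    status = Counter(r.get("status", "-") for r in records)
    not_found = Counter(r["clientip"] for r in records if r.get("status") == "404")
    slow = [r["uri"] for r in records if float(r.get("responsetime", 0)) >= slow_seconds]
    return {
        "status": dict(status),
        "not_found_by_client": dict(not_found),
        "slow_uris": slow,
    }


def noisy_clients(records, threshold=3):
    """Client IPs with at least `threshold` 404 responses.

    A cheap signal for scanners or broken links worth a closer look; the
    threshold is an assumption for the constructed sample, not a rule.
    """
    counts = summarize(records)["not_found_by_client"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs, bad = parse_json_log(SAMPLE_LOG)
    print("unparseable lines:", bad)
    print(summarize(recs))
    print("clients with many 404s:", noisy_clients(recs))
```

To run it over a real file, replace SAMPLE_LOG with the contents of the access.log path configured above; because "status" is quoted in the log_format, the comparison stays a string comparison, exactly as in the article's script.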
Nginx compression
Nginx can compress files of specified types before sending them to the client, with a configurable compression level. Compressed files are markedly smaller than the originals, which lowers egress bandwidth use and IT spending, at the cost of CPU time. Compression is provided by the ngx_http_gzip_module module; official documentation: https://nginx.org/en/docs/http/ngx_http_gzip_module.html. The directives are:
gzip on | off;  #enable or disable gzip compression; off by default
gzip_comp_level level;  #compression level from 1 (lowest) to 9 (highest); default 1
gzip_disable "MSIE [1-6]\.";  #disable gzip for IE6
gzip_min_length 1k;  #minimum file size for gzip compression; files smaller than this are not compressed
gzip_http_version 1.0 | 1.1;  #minimum protocol version for which compression is enabled; default HTTP/1.1
gzip_buffers number size;  #number and size of the buffers Nginx requests from the system; default 32 4k|16 8k
gzip_types mime-type ...;  #compress only resources of these types; the default is gzip_types text/html, which must not be listed explicitly or an error results
gzip_vary on | off;  #when compression is enabled, whether to insert "Vary: Accept-Encoding" in the response header

Configuration example:
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1k;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary on;
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location /pc {
        root html;
    }
}
[root@CentOS7-01 ~]#ll /apps/nginx/html/pc/test.html -h
-rw-r--r-- 1 nginx nginx 1.7M Jan 5 16:01 /apps/nginx/html/pc/test.html    #this file is used for the compression test

Access test, size after compression:
HTTPS
1 SSL configuration parameters
Nginx's HTTPS support is implemented by the ngx_http_ssl_module module, so a Nginx compiled from source must be configured with --with-http_ssl_module to enable SSL; as a core feature it is enabled by default in the yum-installed Nginx. Official documentation: https://nginx.org/en/docs/http/ngx_http_ssl_module.html

Configuration parameters:
ssl on | off;  #whether SSL is enabled for the given virtual host; deprecated in 1.15.0, use listen [ssl] instead.
ssl_certificate /path/to/file;  #the public key (certificate) file used by this virtual host, usually a .crt file
ssl_certificate_key /path/to/file;  #the private key file used by this virtual host, usually a .key file
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];  #supported protocol versions; formerly SSL, now TLS; the default is the last three
ssl_session_cache off | none | [builtin[:size]] [shared:name:size];  #SSL session cache configuration
    off: disable the cache
    none: tell the client that SSL session caching is supported, but do not actually cache
    builtin[:size]: use the OpenSSL built-in cache, private to each worker process
    [shared:name:size]: one cache shared by all workers; a cache name and size must be given; one megabyte stores about 4000 sessions, and several virtual hosts may use the same cache name.
ssl_session_timeout time;  #how long a client may reuse a session stored in the cache; default 5m
2 Self-signed certificates
# Self-signed CA certificate
[root@CentOS7-01 ~]#cd /apps/nginx/
[root@CentOS7-01 nginx]#mkdir certs
[root@CentOS7-01 nginx]#cd certs
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
......++
...................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                          #country code, see: https://country-code.cl
State or Province Name (full name) []:BeiJing                 #province
Locality Name (eg, city) [Default City]:BeiJing               #city
Organization Name (eg, company) [Default Company Ltd]:abc     #company
Organizational Unit Name (eg, section) []:IT                  #department
Common Name (eg, your name or your server's hostname) []:hechunping    #common name
Email Address []:742384103@qq.com                             #e-mail
[root@CentOS7-01 certs]#ls
ca.crt  ca.key

# Create the key and CSR
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hechunping.tech.key -out www.hechunping.tech.csr
Generating a 4096 bit RSA private key
...............................................++
........................................................................................++
writing new private key to 'www.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          #leave empty
An optional company name []:      #same
[root@CentOS7-01 certs]#ll
total 16
-rw-r--r-- 1 root root 2090 Jan  5 21:05 ca.crt
-rw-r--r-- 1 root root 3272 Jan  5 21:05 ca.key
-rw-r--r-- 1 root root 1736 Jan  5 21:11 www.hechunping.tech.csr
-rw-r--r-- 1 root root 3272 Jan  5 21:11 www.hechunping.tech.key

# Issue the certificate
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in www.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key

# Verify the certificate contents
[root@CentOS7-01 certs]#openssl x509 -in www.hechunping.tech.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c6:bd:85:07:5d:3c:bc:54
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:13:08 2020 GMT
            Not After : Jan  2 13:13:08 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
......
3 Nginx certificate configuration
[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
    ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name www.hechunping.tech;
    location /pc {
        root html;
    }
}
[root@CentOS7-01 certs]#systemctl reload nginx

Access test
4 HTTPS for multiple domains
Nginx supports multiple domains on a single IP, and HTTPS on top of that, using its SNI (Server Name Indication) support. SNI solves the problem of binding several domains and certificates to one IP on one Nginx server: before the SSL connection is established, the client sends the hostname of the site it wants to reach, and the server then returns the matching certificate to the client.

# Create the key and CSR
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout news.hechunping.tech.key -out news.hechunping.tech.csr
Generating a 4096 bit RSA private key
.............................................................................++
.....................................................................................................................................................................................................................................................................................................++
writing new private key to 'news.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:xyz
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Sign the certificate
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in news.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out news.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=xyz/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key

# Verify the certificate contents
[root@CentOS7-01 certs]#openssl x509 -in news.hechunping.tech.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c6:bd:85:07:5d:3c:bc:55
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:52:00 2020 GMT
            Not After : Jan  2 13:52:00 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=xyz, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
......

# Configure the certificate in Nginx
[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/news.conf
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /apps/nginx/certs/news.hechunping.tech.crt;
    ssl_certificate_key /apps/nginx/certs/news.hechunping.tech.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name news.hechunping.tech;
    location /pc {
        root html;
    }
}
[root@CentOS7-01 certs]#systemctl reload nginx
# Access test
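The block below is an added example that is not code from the article; it serves both section 2 (self-signed certificates) and section 4 (SNI). It reproduces the article's three openssl steps (CA, CSR, signing with the CA) non-interactively with -subj, and adds a subjectAltName to each leaf certificate: verifying TLS clients match the requested hostname against the SAN, and the article's certificates carry only CN=hechunping, which a browser would not accept for www.hechunping.tech. It then uses Python's ssl module in place of nginx to show the SNI mechanism described in section 4: the client names the host before the handshake, and a callback on the server picks the matching certificate, after which the client verifies the chain against ca.crt. The hostnames www.example.test and news.example.test, the CA name and the 2048-bit key size (the article uses 4096) are constructed for the example; it assumes the openssl CLI is on PATH.

```python
"""CA + two SAN certificates via the openssl CLI, then an SNI-selecting TLS server.

Added illustration for this page, not the article's code and not nginx itself.
Assumes 'openssl' is on PATH; hostnames, CA name and key size are constructed.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

CA_NAME = "Example Test CA"                          # constructed issuer name
HOSTS = ["www.example.test", "news.example.test"]   # constructed hostnames


def openssl(*args, cwd):
    """Run one openssl command in cwd; raise if it fails."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_ca(d):
    """The article's 'openssl req -x509' step, with -subj instead of prompts."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-days", "365", "-subj", f"/CN={CA_NAME}",
            "-keyout", "ca.key", "-out", "ca.crt", cwd=d)


def issue_cert(d, host):
    """CSR + CA signature for one host, plus a subjectAltName extension.

    The article's certificates set only CN; clients check the hostname
    against the SAN, so without it verification of the name would fail.
    """
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", f"/CN={host}", "-keyout", f"{host}.key",
            "-out", f"{host}.csr", cwd=d)
    ext = os.path.join(d, f"{host}.ext")
    with open(ext, "w") as f:
        f.write(f"subjectAltName=DNS:{host}\n")
    openssl("x509", "-req", "-days", "365", "-sha256", "-in", f"{host}.csr",
            "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
            "-extfile", ext, "-out", f"{host}.crt", cwd=d)


def server_context(d):
    """One SSLContext per certificate; the SNI callback switches between them,
    which is the job nginx does for several server_name blocks on one IP."""
    contexts = {}
    for host in HOSTS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(os.path.join(d, f"{host}.crt"), os.path.join(d, f"{host}.key"))
        contexts[host] = ctx
    default = contexts[HOSTS[0]]      # used when no SNI name matches

    def pick_cert(sock, server_name, _ctx):
        if server_name in contexts:
            sock.context = contexts[server_name]

    default.sni_callback = pick_cert
    return default


def serve(ctx, listener, n):
    """Accept n connections, complete the TLS handshake on each, close."""
    for _ in range(n):
        conn, _ = listener.accept()
        try:
            ctx.wrap_socket(conn, server_side=True).close()
        except OSError:
            conn.close()


def certificate_seen_by(d, port, server_name):
    """Connect as a verifying client (CA = ca.crt, hostname check on) and
    return the DNS names in the certificate the server presented."""
    cctx = ssl.create_default_context(cafile=os.path.join(d, "ca.crt"))
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with cctx.wrap_socket(raw, server_hostname=server_name) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in san if kind == "DNS"]


def run_sni_demo():
    """Build the PKI, serve both names on one port, query each by SNI.
    Returns {requested_name: [SAN DNS names of the certificate served]}."""
    with tempfile.TemporaryDirectory() as d:
        make_ca(d)
        for host in HOSTS:
            issue_cert(d, host)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen()
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve, args=(server_context(d), listener, len(HOSTS)))
        t.start()
        result = {h: certificate_seen_by(d, port, h) for h in HOSTS}
        t.join()
        listener.close()
        return result


if __name__ == "__main__":
    for name, dns in run_sni_demo().items():
        print(f"SNI {name} -> certificate for {dns}")
```

The same CA file can be given to curl with --cacert to test the nginx configuration above; if a certificate were issued without the SAN, the client side of this script would raise a certificate verification error for the hostname even though the signature chain is valid.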
About favicon.ico
The favicon.ico file is the icon a browser shows when a site is bookmarked. When a client visits a page with a browser, the browser automatically requests the page's favicon.ico; if that file does not exist, the server logs a 404 and the browser also shows a 404 error. Solution: store the icon in a dedicated directory.
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
server {
    listen 80;
    server_name www.hechunping.tech;
    location = /favicon.ico {
        root html/image;
    }
    location /pc {
        root html;
    }
}
[root@CentOS7-01 ~]#systemctl reload nginx
Security options
1 Hiding the Nginx version
Change the Nginx source so that the server identifies itself as HCPWS/1.1 instead of the Nginx version string, then recompile Nginx.
[root@CentOS7-01 nginx-1.16.1]#sed -ri 's#Server: nginx#Server: HCPWS/1.1#' /root/nginx-1.16.1/src/http/ngx_http_header_filter_module.c
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx

Access test
2 Upgrading the OpenSSL version
Heartbleed, also called the Heartbleed bug, is a security vulnerability in the OpenSSL cryptography library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and first disclosed publicly in April 2014. Any flawed OpenSSL instance, whether on a server or a client, is exposed to attack. The cause is missing input validation (a missing bounds check) in the implementation of the TLS heartbeat extension, which is where the name comes from. The bug is a buffer over-read: more data can be read than should be allowed.

Upgrade steps
1) Check the current OpenSSL version
2) Download and unpack the OpenSSL source package
[root@CentOS7-01 nginx-1.16.1]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-1.1.1d.tar.gz
[root@CentOS7-01 nginx-1.16.1]#tar xf /usr/local/src/openssl-1.1.1d.tar.gz
3) Compile and install Nginx, pointing it at the new OpenSSL source
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=./openssl-1.1.1d
[root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx

Verify