
Nginx Advanced Configuration

Published: 2024-11-29   Author: 千家信息网 editor
Last updated: 2024-11-29

1 nginx status page

The status page requires the --with-http_stub_status_module parameter at compile time. Configuration example:

    [root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      server_name www.hechunping.tech;
      location /nginx_status {
        stub_status;
        allow 192.168.7.0/24;
        allow 127.0.0.1;
        deny all;
      }
    }
    [root@CentOS7-01 ~]#systemctl reload nginx

Access test:

    [root@CentOS7-01 ~]#curl www.hechunping.tech/nginx_status
    Active connections: 1
    server accepts handled requests
     32 32 36  #these three numbers are the accepts, handled and requests counters respectively
    Reading: 0 Writing: 1 Waiting: 0

Explanation of the fields:
Active connections: the number of client connections currently active, including idle connections waiting for a request.
accepts: cumulative total of client connections accepted since nginx started.
handled: cumulative total of client connections handled since nginx started; normally equal to accepts, unless connections were refused because of limits such as worker_connections.
requests: cumulative total of client requests received since nginx started.
Reading: current number of connections on which nginx is reading the request header.
Writing: current number of connections on which nginx is sending a response to the client.
Waiting: current number of idle connections waiting for a client request; with keep-alive enabled this equals active - (reading + writing).
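The following Python script is an added example (not from the original post) that parses the stub_status text above and computes the figures an operator actually watches: accepts minus handled (connections nginx refused), the keep-alive identity behind the Waiting value, and per-second rates between two snapshots. Both snapshots are constructed; the second is assumed to have been taken 60 seconds after the first. Keep in mind that the allow/deny block above is the only thing keeping this page private: the counters reveal load and keep-alive behaviour to anyone who can reach it.

```python
"""Parse nginx stub_status output and derive the figures worth alerting on.
Added example, not part of the original post; SAMPLE_NOW and SAMPLE_LATER are
constructed to look like the curl output shown above."""
import re

SAMPLE_NOW = """Active connections: 1
server accepts handled requests
 32 32 36
Reading: 0 Writing: 1 Waiting: 0
"""

# Constructed second snapshot, assumed 60 seconds later: 8 more connections were
# accepted and one of them was refused (accepts - handled grew by 1).
SAMPLE_LATER = """Active connections: 3
server accepts handled requests
 40 39 58
Reading: 1 Writing: 1 Waiting: 1
"""

_ACTIVE = re.compile(r"Active connections:\s*(\d+)")
_TOTALS = re.compile(r"server accepts handled requests\s*\n\s*(\d+)\s+(\d+)\s+(\d+)")
_STATE = re.compile(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)")


def parse_stub_status(text):
    """Return the seven stub_status counters as a dict; raise on unexpected input."""
    active, totals, state = _ACTIVE.search(text), _TOTALS.search(text), _STATE.search(text)
    if not (active and totals and state):
        raise ValueError("not stub_status output")
    return {
        "active": int(active.group(1)),
        "accepts": int(totals.group(1)),
        "handled": int(totals.group(2)),
        "requests": int(totals.group(3)),
        "reading": int(state.group(1)),
        "writing": int(state.group(2)),
        "waiting": int(state.group(3)),
    }


def derive(stats):
    """Derived figures:
    - dropped: accepts - handled, i.e. connections nginx refused (worker_connections etc.)
    - requests_per_conn: how much keep-alive is actually reusing connections
    - waiting_consistent: the keep-alive identity waiting == active - (reading + writing)
    """
    dropped = stats["accepts"] - stats["handled"]
    rpc = stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    consistent = stats["waiting"] == stats["active"] - (stats["reading"] + stats["writing"])
    return {"dropped": dropped, "requests_per_conn": rpc, "waiting_consistent": consistent}


def rates(earlier, later, seconds):
    """Per-second rates between two snapshots. The cumulative counters only grow
    since nginx started, so a negative delta means nginx was restarted in between."""
    out = {}
    for key in ("accepts", "handled", "requests"):
        delta = later[key] - earlier[key]
        if delta < 0:
            raise ValueError("%s went backwards: nginx restarted between snapshots?" % key)
        out[key] = delta / seconds
    out["dropped_per_sec"] = out["accepts"] - out["handled"]
    return out


if __name__ == "__main__":
    now, later = parse_stub_status(SAMPLE_NOW), parse_stub_status(SAMPLE_LATER)
    print(derive(now))
    print(rates(now, later, 60))
```

A rising dropped_per_sec is the signal to look at worker_connections and ulimit before anything else; a requests_per_conn close to 1 means keep-alive is not being used by the clients or is disabled on the server.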

2 Adding third-party modules when compiling nginx

Third-party modules extend nginx's functionality. They have to be added when nginx is compiled from source, using the --add-module=PATH parameter to point at the module's directory. Some modules are developed in-house by a company's developers for its own business needs; others are written by open-source contributors and published on GitHub. Either way, supporting a third-party module means recompiling nginx from source. An example is the open-source echo module: https://github.com/openresty/echo-nginx-module

Configuration example:

    [root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      server_name www.hechunping.tech;
      location /pc {
        echo_sleep 1;
        echo "this is pc directory";
      }
    }
    [root@CentOS7-01 ~]#nginx -t
    nginx: [emerg] unknown directive "echo_sleep" in /apps/nginx/conf/vhosts/pc.conf:5
    nginx: configuration file /apps/nginx/conf/nginx.conf test failed
    [root@CentOS7-01 ~]#yum install git -y
    [root@CentOS7-01 ~]#git clone https://github.com/openresty/echo-nginx-module.git
    [root@CentOS7-01 ~]#systemctl stop nginx
    [root@CentOS7-01 ~]#cd nginx-1.16.1/
    [root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_addition_module  \
    --with-http_image_filter_module \
    --with-http_geoip_module \
    --with-http_gunzip_module \
    --with-http_stub_status_module \
    --with-http_gzip_static_module \
    --with-pcre \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu |awk 'NR==4{print $2}') && make install
    # check the syntax again: it passes now
    [root@CentOS7-01 nginx-1.16.1]#nginx -t
    nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
    [root@CentOS7-01 nginx-1.16.1]#nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]#systemctl start nginx
    # access test: the echo module is now usable
    [root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
    this is pc directory

3 Using nginx variables

nginx variables can be referenced in the configuration file, for example in conditional logic or in log formats. They fall into built-in variables and custom variables. Built-in variables are provided by nginx modules and expose many values related to the client's request.

3.1 Built-in variables

They can be printed with the echo module described above. All the variables below refer to the following configuration file:

    [root@CentOS7-01 nginx-1.16.1]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      server_name www.hechunping.tech;
      location /pc {
        echo $remote_addr;
      }
    }

$remote_addr; #the client address. Note that this is the client's public IP: when a whole household visits a site through one router, they all show up as the router's public IP.
    [root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
    127.0.0.1
$args; #the query string of the URL, e.g. for http://www.hechunping.tech/pc/index.do?id=20200105
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
    id=20200105
$document_root; #the document root directory that applies to the current request
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    /apps/nginx/html
$document_uri; #the URI of the current request without the query string (note: the query parameters are not included), e.g.
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
    /pc/index.do
$host; #the requested host name
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    www.hechunping.tech
$http_user_agent; #details of the client browser
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    curl/7.29.0
$http_cookie; #the client's cookie
$limit_rate; #if the nginx server has a rate limit configured with limit_rate it is shown here, otherwise 0
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    0
$remote_port; #the random port the client opened when it connected to nginx; each client has its own
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    37848
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    37850
$remote_user; #the user name authenticated by the Auth Basic module
$request_body_file; #when reverse proxying, the name of the local file holding the request body sent to the backend server
$request_method; #the request method, e.g. GET/PUT/DELETE
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    GET
$request_filename; #the path of the file for the current request, i.e. the absolute path built from the root or alias directive and the request URI, e.g.
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.html
    /apps/nginx/html/pc/index.html
$request_uri; #the original URI including the query string, without the host name, e.g.
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
    /pc/index.do?id=20200105
$scheme; #the request scheme, e.g. ftp, https, http
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    http
$server_protocol; #the protocol version the client used for the request, e.g. HTTP/1.0, HTTP/1.1, HTTP/2.0
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    HTTP/1.1
$server_addr; #the server's IP address
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    127.0.0.1
$server_name; #the host name of the server that handled the request
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    www.hechunping.tech
$server_port; #the port of the server that handled the request
    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    80

3.2 Custom variables

To define your own variable name and value, use the directive "set $variable value;". Its syntax:

    Syntax:  set $variable value;
    Default: -
    Context: server, location, if

Configuration:

    [root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      server_name www.hechunping.tech;
      location /pc {
        set $name $server_name;
        echo $name;
        set $my_port $server_port;
        echo $my_port;
      }
    }
    [root@CentOS7-01 ~]#!s
    systemctl restart nginx

Access test:

    [root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
    www.hechunping.tech
    80

4 Custom access logs in nginx

The access log records the specific content of requests made by clients, i.e. users. The error_log directive in the global configuration block records where nginx's own runtime log is stored and at which level, so the two are fundamentally different. nginx generally has only one error log, whereas access logs can be defined separately in different server blocks. Defining a log takes access_log to specify where it is stored and log_format to specify its format; the format defines which fields are written.

4.1 Extending the default-format log

To keep the original log format and only add fields, configure it as follows:

    log_format  www.hechunping.tech  '$remote_addr - $remote_user [$time_local] "$request" '
                                     '$status $body_bytes_sent "$http_referer" '
                                     '"$http_user_agent" "$http_x_forwarded_for"'
                                     '$server_name:$server_port';
    access_log /data/nginx/logs/www.hechunping.tech/access.log www.hechunping.tech;
    [root@CentOS7-01 ~]#nginx -t
    nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
    [root@CentOS7-01 ~]#systemctl reload nginx
    [root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
    192.168.7.1 - - [05/Jan/2020:14:58:47 +0800] "GET /pc/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" "-"www.hechunping.tech:80

4.2 Custom JSON-format log

nginx's default access log records relatively few fields, and the default format is inconvenient for later log statistics and analysis. In production, nginx logs are therefore usually written as JSON and collected, aggregated and analysed with ELK.

    log_format access_json '{"@timestamp":"$time_iso8601",'
                           '"host":"$server_addr",'
                           '"clientip":"$remote_addr",'
                           '"size":$body_bytes_sent,'
                           '"responsetime":$request_time,'
                           '"upstreamtime":"$upstream_response_time",'
                           '"upstreamhost":"$upstream_addr",'
                           '"http_host":"$host",'
                           '"uri":"$uri",'
                           '"domain":"$host",'
                           '"xff":"$http_x_forwarded_for",'
                           '"referer":"$http_referer",'
                           '"tcp_xff":"$proxy_protocol_addr",'
                           '"http_user_agent":"$http_user_agent",'
                           '"status":"$status"}';
    access_log /data/nginx/logs/www.hechunping.tech/access.log access_json;
    [root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
    {"@timestamp":"2020-01-05T15:04:16+08:00","host":"192.168.7.71","clientip":"192.168.7.1","size":7,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.hechunping.tech","uri":"/pc/index.html","domain":"www.hechunping.tech","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","status":"200"}

4.3 Counting the JSON access log with Python

    [root@CentOS7-01 ~]#cat nginx_json.py
    #!/usr/bin/env python
    #coding:utf-8
    from __future__ import print_function
    import json

    status_200 = []
    status_404 = []
    with open("access_json.log") as f:
        for line in f:
            try:
                record = json.loads(line)   # each line is a JSON object; parse it, never eval() log data
            except ValueError:
                print("状态码 ERROR")        # the line is not valid JSON
                continue
            if record.get("status") == "200":
                status_200.append(record)
            elif record.get("status") == "404":
                status_404.append(record)
            else:
                print("状态码 ERROR")
    print("状态码为200的有-->:", len(status_200))
    print("状态码为404的有-->:", len(status_404))
    [root@CentOS7-01 ~]#python nginx_json.py
    ...
    状态码 ERROR
    状态码为200的有-->: 403428
    状态码为404的有-->: 125712
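The Python script below is an added example (not from the original post) that takes the counting idea of section 4.3 further over the access_json format of section 4.2: it aggregates status codes, clients, bytes and the slowest request, and it treats lines that are not valid JSON as data to count rather than as code to execute. That last point matters with this log_format: nginx writes $http_user_agent and similar client-controlled values verbatim unless the log_format is declared with the escape=json parameter, so a client can put a quote into the log and break the line. The sample lines are constructed; the third one carries such a quote.

```python
"""Aggregate an access_json log. Added example, not part of the original post.
SAMPLE_LOG is constructed in the log_format shown above; the third line carries an
unescaped quote in the user agent, which nginx writes unless the log_format sets
escape=json, so it is not valid JSON and must be counted rather than crash the run."""
import json
from collections import Counter

SAMPLE_LOG = (
    '{"@timestamp":"2020-01-05T15:04:16+08:00","host":"192.168.7.71","clientip":"192.168.7.1",'
    '"size":7,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-",'
    '"http_host":"www.hechunping.tech","uri":"/pc/index.html","domain":"www.hechunping.tech",'
    '"xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0","status":"200"}\n'
    '{"@timestamp":"2020-01-05T15:04:17+08:00","host":"192.168.7.71","clientip":"192.168.7.2",'
    '"size":153,"responsetime":0.012,"upstreamtime":"-","upstreamhost":"-",'
    '"http_host":"www.hechunping.tech","uri":"/pc/missing.html","domain":"www.hechunping.tech",'
    '"xff":"-","referer":"-","tcp_xff":"","http_user_agent":"curl/7.29.0","status":"404"}\n'
    '{"@timestamp":"2020-01-05T15:04:18+08:00","host":"192.168.7.71","clientip":"192.168.7.1",'
    '"size":7,"responsetime":0.001,"upstreamtime":"-","upstreamhost":"-",'
    '"http_host":"www.hechunping.tech","uri":"/pc/","domain":"www.hechunping.tech",'
    '"xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Bad "Agent"","status":"200"}\n'
)


def summarize(lines):
    """Count statuses and clients, sum bytes, find the slowest request, and count lines
    that are not valid JSON instead of aborting (or, worse, eval()-ing them)."""
    status = Counter()
    clients = Counter()
    total_bytes = 0
    slowest = (None, 0.0)
    bad_lines = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except ValueError:          # json.JSONDecodeError is a ValueError subclass
            bad_lines += 1
            continue
        status[rec.get("status", "?")] += 1
        clients[rec.get("clientip", "?")] += 1
        total_bytes += int(rec.get("size", 0))
        rt = float(rec.get("responsetime", 0))
        if rt > slowest[1]:
            slowest = (rec.get("uri"), rt)
    return {
        "status": dict(status),
        "clients": dict(clients),
        "bytes": total_bytes,
        "slowest": slowest,
        "bad_lines": bad_lines,
    }


def summarize_file(path):
    """Same as summarize(), streaming a file instead of reading it into memory."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return summarize(f)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A non-zero bad_lines count on a real log is the cue to add escape=json to the log_format; until then the parse failures are exactly the lines an attacker controls, so they deserve a look rather than a silent skip.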

5 nginx compression

nginx can compress files of specified types before sending them to the client, and the compression ratio is configurable. A compressed file is significantly smaller than the original, which lowers outbound bandwidth usage and the company's IT spend, at the cost of CPU time. nginx's compression relies on the module ngx_http_gzip_module; official documentation: https://nginx.org/en/docs/http/ngx_http_gzip_module.html. The directives are:

    gzip on | off; #enable or disable gzip compression, default off
    gzip_comp_level level; #compression level from 1 (lowest) to 9 (highest), default 1
    gzip_disable "MSIE [1-6]\."; #disable gzip for IE6 and earlier
    gzip_min_length 1k; #minimum file size for gzip; files smaller than this are not compressed
    gzip_http_version 1.0 | 1.1; #minimum protocol version for which compression is enabled, default HTTP/1.1
    gzip_buffers number size; #number and size of the buffers nginx requests from the system for compression, default 32 4k|16 8k
    gzip_types mime-type ...; #which resource types are compressed; the default is gzip_types text/html, which must not be listed explicitly or an error results
    gzip_vary on | off; #when compression is enabled, whether to insert "Vary: Accept-Encoding" into the response header

Configuration example:

    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1k;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary on;
    [root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      server_name www.hechunping.tech;
      location /pc {
        root html;
      }
    }
    [root@CentOS7-01 ~]#ll /apps/nginx/html/pc/test.html -h
    -rw-r--r-- 1 nginx nginx 1.7M Jan  5 16:01 /apps/nginx/html/pc/test.html #this file is used for the compression test

Access test, size after compression:
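The following Python script is an added example (not from the original post). It models the decision nginx makes with the configuration above, check by check (client Accept-Encoding, gzip_http_version, gzip_disable, gzip_types, gzip_min_length), and measures how the compressed size of a constructed HTML body changes with gzip_comp_level, which is the CPU-versus-bandwidth trade-off the text describes. GZIP_CONF mirrors the directives in the configuration example; the bodies and the User-Agent strings are constructed.

```python
"""Model nginx's gzip decision and the gzip_comp_level size trade-off.
Added example, not part of the original post. GZIP_CONF mirrors the directives of the
configuration case above; the response bodies are constructed."""
import gzip
import re

GZIP_CONF = {
    "gzip": True,
    "gzip_comp_level": 5,
    "gzip_min_length": 1024,                  # 1k
    "gzip_http_version": (1, 1),              # nginx default
    "gzip_disable": re.compile(r"MSIE [1-6]\."),
    "gzip_types": {
        "text/html",                          # always compressed by nginx, never listed
        "text/plain", "application/javascript", "application/x-javascript",
        "text/css", "application/xml", "text/javascript",
        "application/x-httpd-php", "image/jpeg", "image/gif", "image/png",
    },
}


def should_gzip(content_type, body_len, accept_encoding, http_version, user_agent, conf=GZIP_CONF):
    """Return (decision, reason) for one response, applying the configured checks."""
    if not conf["gzip"]:
        return False, "gzip off"
    encodings = [e.strip().split(";")[0] for e in accept_encoding.split(",")]
    if "gzip" not in encodings:
        return False, "client does not accept gzip"
    if http_version < conf["gzip_http_version"]:
        return False, "request protocol below gzip_http_version"
    if conf["gzip_disable"].search(user_agent or ""):
        return False, "user agent matched gzip_disable"
    mime = content_type.split(";")[0].strip()
    if mime not in conf["gzip_types"]:
        return False, "type not in gzip_types"
    if body_len < conf["gzip_min_length"]:
        return False, "body shorter than gzip_min_length"
    return True, "compress at level %d" % conf["gzip_comp_level"]


def sizes_by_level(body):
    """Compressed size for each gzip_comp_level 1..9. nginx uses zlib's gzip framing,
    as gzip.compress does; higher levels cost CPU for diminishing size gains."""
    return {lvl: len(gzip.compress(body, compresslevel=lvl)) for lvl in range(1, 10)}


def grows_when_compressed(body):
    """Why gzip_min_length exists: the gzip container adds header and trailer bytes, so a
    tiny body comes out larger than it went in."""
    return len(gzip.compress(body)) > len(body)


def make_page(items=2000):
    """Constructed, highly repetitive HTML, a stand-in for the 1.7M test.html above."""
    rows = "".join("<li class=\"row\">item %d</li>\n" % i for i in range(items))
    return ("<html><body><ul>\n" + rows + "</ul></body></html>\n").encode()


if __name__ == "__main__":
    page = make_page()
    print(should_gzip("text/html", len(page), "gzip, deflate", (1, 1), "curl/7.29.0"))
    print(should_gzip("text/html", 2, "gzip", (1, 1), "curl/7.29.0"))
    print(len(page), sizes_by_level(page))
```

Running it shows the size curve flattening after the middle levels, which is why the example configuration stops at gzip_comp_level 5 rather than 9.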


6 HTTPS

6.1 ssl configuration parameters

nginx's HTTPS support is implemented by the module ngx_http_ssl_module, so an nginx compiled from source must be configured with --with-http_ssl_module to enable SSL; as a core feature it is enabled by default in the yum-installed nginx. Official documentation: https://nginx.org/en/docs/http/ngx_http_ssl_module.html

The configuration parameters are:

    ssl on | off; #enable SSL for the given virtual host; deprecated in 1.15.0, use listen [ssl] instead
    ssl_certificate /path/to/file; #the public key (certificate) file for this virtual host, usually a .crt file
    ssl_certificate_key /path/to/file; #the private key file for this virtual host, usually a .key file
    ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; #supported protocol versions; originally SSL, now TLS; the default is the last three
    ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; #configure the SSL session cache
    off: disable the cache
    none: tell the client that the SSL session cache is supported, but do not actually cache
    builtin[:size]: use OpenSSL's built-in cache, private to each worker process
    [shared:name:size]: one cache shared between all workers; it needs a cache name and a size, one megabyte holds about 4000 sessions, and several virtual hosts may use the same cache name
    ssl_session_timeout time; #how long a client may reuse a session stored in the SSL session cache, default 5m

6.2 Self-signed certificates

    # Self-signed CA certificate
    [root@CentOS7-01 ~]#cd /apps/nginx/
    [root@CentOS7-01 nginx]#mkdir certs
    [root@CentOS7-01 nginx]#cd certs
    [root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
    Generating a 4096 bit RSA private key
    ......++...................++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN #country code, see: https://country-code.cl
    State or Province Name (full name) []:BeiJing  #province
    Locality Name (eg, city) [Default City]:BeiJing #city
    Organization Name (eg, company) [Default Company Ltd]:abc #company name
    Organizational Unit Name (eg, section) []:IT #department
    Common Name (eg, your name or your server's hostname) []:hechunping #common name
    Email Address []:742384103@qq.com #e-mail address
    [root@CentOS7-01 certs]#ls
    ca.crt  ca.key
    # Create the server key and CSR
    [root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hechunping.tech.key -out www.hechunping.tech.csr
    Generating a 4096 bit RSA private key
    ...............................................++........................................++
    writing new private key to 'www.hechunping.tech.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:BeiJing
    Organization Name (eg, company) [Default Company Ltd]:abc
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:hechunping
    Email Address []:742384103@qq.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:  #leave empty
    An optional company name []: #same
    [root@CentOS7-01 certs]#ll
    total 16
    -rw-r--r-- 1 root root 2090 Jan  5 21:05 ca.crt
    -rw-r--r-- 1 root root 3272 Jan  5 21:05 ca.key
    -rw-r--r-- 1 root root 1736 Jan  5 21:11 www.hechunping.tech.csr
    -rw-r--r-- 1 root root 3272 Jan  5 21:11 www.hechunping.tech.key
    # Issue the certificate
    [root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in www.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hechunping.tech.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
    Getting CA Private Key
    # Inspect the certificate
    [root@CentOS7-01 certs]#openssl x509 -in www.hechunping.tech.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                c6:bd:85:07:5d:3c:bc:54
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Validity
                Not Before: Jan  5 13:13:08 2020 GMT
                Not After : Jan  2 13:13:08 2030 GMT
            Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
    ......
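Two things in the output above decide whether a client will accept this certificate for www.hechunping.tech: the subject's CN is "hechunping", not the host name, and the certificate is X.509 version 1 ("Version: 1 (0x0)"), so it carries no Subject Alternative Name extension (openssl x509 -req adds none unless an extension file is supplied). Clients match the host against SAN dNSName entries and, at most as a legacy fallback, the CN, so neither name covers www.hechunping.tech. The Python below is an added example (not from the original post) that applies that matching to the subject line printed above; the SAN lists it is called with are constructed. Two further details visible in the listing: the ll output shows the private keys as mode 644 (world-readable), and -nodes leaves them unencrypted, so they should be restricted to the owner.

```python
"""Check whether a certificate's names cover the host a client will connect to.
Added example, not part of the original post. PAGE_SUBJECT is the subject line printed
by openssl above; the SAN lists passed in are constructed."""

PAGE_SUBJECT = "subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com"


def cn_from_subject(subject_line):
    """Extract CN from an OpenSSL 'subject=/C=CN/.../CN=hechunping/...' line."""
    for part in subject_line.split("subject=", 1)[-1].strip().split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None


def match_hostname(hostname, cert_names):
    """True if hostname matches one of the certificate's names. Comparison is
    case-insensitive and ignores a trailing dot. A wildcard is accepted only as the
    whole leftmost label, only with at least two more labels, and only for a host with
    the same number of labels: '*.hechunping.tech' covers www.hechunping.tech but not
    hechunping.tech or a.b.hechunping.tech."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels[0] == "*":
            if len(labels) >= 3 and len(labels) == len(host) and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def verify_names(hostname, san_dns_names, subject_line):
    """What a client does: use SAN dNSName entries when present; fall back to the CN
    only when the certificate has no SAN at all (as the v1 certificate above)."""
    if san_dns_names:
        return match_hostname(hostname, san_dns_names), "SAN"
    cn = cn_from_subject(subject_line)
    return match_hostname(hostname, [cn] if cn else []), "CN (legacy fallback)"


if __name__ == "__main__":
    print(verify_names("www.hechunping.tech", [], PAGE_SUBJECT))
    print(verify_names("www.hechunping.tech", ["*.hechunping.tech"], PAGE_SUBJECT))
```

The fix on the issuing side is to put the FQDN (and every other name the server answers to) into the SAN when signing, which makes the CN irrelevant.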

6.3 nginx certificate configuration

    [root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      listen 443 ssl;
      ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
      ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
      ssl_session_cache shared:sslcache:20m;
      ssl_session_timeout 10m;
      server_name www.hechunping.tech;
      location /pc {
        root html;
      }
    }
    [root@CentOS7-01 certs]#systemctl reload nginx

Access test:

6.4 HTTPS for multiple domains

nginx supports multiple domains on a single IP, and on top of that HTTPS for multiple domains on one IP. This is built on nginx's SNI (Server Name Indication) support. SNI exists so that one nginx server can bind several domains, each with its own certificate, to a single IP: before the SSL connection is established, the client first sends the host name of the site it wants to reach, and the server then returns the certificate that matches that domain.

    # Create the key and CSR
    [root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout news.hechunping.tech.key -out news.hechunping.tech.csr
    Generating a 4096 bit RSA private key
    .........................++..............................++
    writing new private key to 'news.hechunping.tech.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:BeiJing
    Organization Name (eg, company) [Default Company Ltd]:xyz
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:hechunping
    Email Address []:742384103@qq.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # Sign the certificate
    [root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in news.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out news.hechunping.tech.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=xyz/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
    Getting CA Private Key
    # Inspect the certificate
    [root@CentOS7-01 certs]#openssl x509 -in news.hechunping.tech.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                c6:bd:85:07:5d:3c:bc:55
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Validity
                Not Before: Jan  5 13:52:00 2020 GMT
                Not After : Jan  2 13:52:00 2030 GMT
            Subject: C=CN, ST=BeiJing, L=BeiJing, O=xyz, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
    ......
    # nginx certificate configuration
    [root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/news.conf
    server {
      listen 80;
      listen 443 ssl;
      ssl_certificate /apps/nginx/certs/news.hechunping.tech.crt;
      ssl_certificate_key /apps/nginx/certs/news.hechunping.tech.key;
      ssl_session_cache shared:sslcache:20m;
      ssl_session_timeout 10m;
      server_name news.hechunping.tech;
      location /pc {
        root html;
      }
    }
    [root@CentOS7-01 certs]#systemctl reload nginx
    # Access test
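The Python script below is an added example (not from the original post) of the exchange the paragraph above describes: it builds a minimal TLS ClientHello carrying the server_name extension, reads the host name back out of the bytes, and selects a certificate the way nginx does, falling back to the default server's certificate when the client sends no SNI. The ClientHello is constructed purely as test input; VHOSTS mirrors the two server blocks on this page. Because the parser works on plaintext, it also shows the privacy caveat of SNI: the requested host name is visible to anyone on the path before any encryption starts.

```python
"""Show what SNI carries on the wire and how a server picks a certificate from it.
Added example, not part of the original post. build_client_hello() constructs a
minimal TLS 1.2 ClientHello purely as test input; VHOSTS mirrors the two server
blocks on this page; everything else is assumed for illustration."""
import struct

VHOSTS = {
    "www.hechunping.tech": "/apps/nginx/certs/www.hechunping.tech.crt",
    "news.hechunping.tech": "/apps/nginx/certs/news.hechunping.tech.crt",
}


def build_client_hello(server_name):
    """Minimal ClientHello record; pass None to omit the SNI extension (old clients)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def sni_from_client_hello(record):
    """Return the host_name from the SNI extension, or None if the hello carries none.
    Everything here is read from plaintext: SNI is sent before any key exchange."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                     # handshake header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None                                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            p = pos + 2
            list_end = p + struct.unpack("!H", hs[pos:pos + 2])[0]
            while p + 3 <= list_end:
                name_type, name_len = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return hs[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None


def select_certificate(record, vhosts=VHOSTS, default="www.hechunping.tech"):
    """Mirror nginx's choice: the server block whose server_name equals the SNI name,
    otherwise the default server's certificate (what a client without SNI receives)."""
    name = sni_from_client_hello(record)
    return vhosts.get(name, vhosts[default])


if __name__ == "__main__":
    hello = build_client_hello("news.hechunping.tech")
    print(sni_from_client_hello(hello), "->", select_certificate(hello))
    no_sni = build_client_hello(None)
    print(sni_from_client_hello(no_sni), "->", select_certificate(no_sni))
```

The fallback branch is the one to check on a real deployment: a client without SNI, or with a name that matches no server block, is handed the default server's certificate, so the first ssl server block for a listen socket decides what strangers see.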

7 About favicon.ico

The favicon.ico file is the icon a browser shows when a site is bookmarked. When a client opens a page in a browser, the browser automatically requests the page's favicon.ico; if that file does not exist, the server writes a 404 entry to its log and the browser reports a 404 error as well. The fix is to store the icon in a designated directory:

    [root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf
    server {
      listen 80;
      server_name www.hechunping.tech;
      location = /favicon.ico {
        root html/image;
      }
      location /pc {
        root html;
      }
    }
    [root@CentOS7-01 ~]#systemctl reload nginx


8 Security options

8.1 Hiding the nginx version number

Change the nginx source so that the server version it reports becomes HCPWS/1.1, then recompile nginx:

    [root@CentOS7-01 nginx-1.16.1]#sed -ir 's#Server: nginx#Server: HCPWS/1.1#' /root/nginx-1.16.1/src/http/ngx_http_header_filter_module.c
    [root@CentOS7-01 nginx-1.16.1]#nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu | awk 'NR==4{print $2}') && make install
    [root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx

Access test:
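The Python below is an added example (not from the original post) of the check that belongs at the "access test" step: it parses a raw HTTP response and reports what the Server header discloses, before and after the rebuild. The two responses are constructed to match the states above. Two points worth knowing alongside the source edit: nginx's own server_tokens off; directive removes the version from the Server header and from the built-in error pages without recompiling, and the sed above touches only the header filter, so the banner inside those error pages still comes from the version string in the binary unless server_tokens is turned off as well.

```python
"""Report what the Server header of a raw HTTP response discloses.
Added example, not part of the original post; BEFORE and AFTER are constructed to
match the before/after states of the rebuild above."""
import re

BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: nginx/1.16.1\r\n"
          b"Date: Sun, 05 Jan 2020 08:00:00 GMT\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 7\r\n"
          b"\r\n"
          b"hello\r\n")
AFTER = BEFORE.replace(b"Server: nginx/1.16.1", b"Server: HCPWS/1.1")
NO_SERVER = BEFORE.replace(b"Server: nginx/1.16.1\r\n", b"")


def parse_headers(raw):
    """Split a raw HTTP/1.x response into (status line, {lower-case name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_banner(raw):
    """Return (product, version) from the Server header; (None, None) if absent,
    version None when the banner carries no '/version' part."""
    _, headers = parse_headers(raw)
    banner = headers.get("server")
    if banner is None:
        return None, None
    m = re.match(r"([^/\s]+)(?:/(\S+))?", banner)
    return (m.group(1), m.group(2)) if m else (banner, None)


def discloses_nginx_version(raw):
    """True when the response names nginx together with a version number."""
    product, version = server_banner(raw)
    return product is not None and product.lower() == "nginx" and version is not None


if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, server_banner(resp), "discloses nginx version:", discloses_nginx_version(resp))
```

Run against a live server the same function applies to the body of an error page, where the version string appears a second time.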

8.2 Upgrading the OpenSSL version

Heartbleed (心脏出血, literally "heart bleeding") is a security vulnerability in the cryptographic library OpenSSL, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and first disclosed publicly in April 2014. Any server or client using a flawed OpenSSL build can be attacked through it. The cause is that the implementation of the TLS heartbeat extension did not validate its input properly (a missing bounds check), hence the name, derived from "heartbeat". The bug is a buffer over-read: more data can be read than should be allowed.

Upgrade steps:
1) Check the current OpenSSL version

2) Download and unpack the OpenSSL source package

    [root@CentOS7-01 nginx-1.16.1]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-1.1.1d.tar.gz
    [root@CentOS7-01 nginx-1.16.1]#tar xf /usr/local/src/openssl-1.1.1d.tar.gz

3) Compile nginx, pointing it at the new OpenSSL source path

    [root@CentOS7-01 nginx-1.16.1]#nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=./openssl-1.1.1d
    [root@CentOS7-01 nginx-1.16.1]#make -j $(lscpu |awk 'NR==4{print $2}') && make install
    [root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx

Verification:
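The Python script below is an added example (not from the original post) for the "check the current version" and "verification" steps: it reads the "built with OpenSSL" line out of nginx -V output, decides whether that build falls in the Heartbleed-affected range (OpenSSL 1.0.1 up to and including 1.0.1f; 1.0.1g fixed it, and the 0.9.8, 1.0.0 and 1.0.2 branches were never affected), and compares it against a minimum version you set. The two -V excerpts are constructed from the before and after states shown above. Because --with-openssl links OpenSSL statically into the nginx binary, the version nginx -V prints is also the one running, which is why every later OpenSSL update means rebuilding nginx this way again.

```python
"""Read the OpenSSL version out of 'nginx -V' output and judge it.
Added example, not part of the original post; BEFORE_V and AFTER_V are constructed
from the before/after states shown above."""
import re

BEFORE_V = ("nginx version: nginx/1.16.1\n"
            "built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)\n"
            "built with OpenSSL 1.0.2k-fips  26 Jan 2017\n"
            "TLS SNI support enabled\n")
AFTER_V = ("nginx version: nginx/1.16.1\n"
           "built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)\n"
           "built with OpenSSL 1.1.1d  10 Sep 2019\n"
           "TLS SNI support enabled\n")

_VER = re.compile(r"built with OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_version(nginx_v_output):
    """Return (major, minor, fix, patch_letter) or None when no OpenSSL line is present
    (an nginx built without --with-http_ssl_module prints none)."""
    m = _VER.search(nginx_v_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def heartbleed_affected(ver):
    """Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and every other branch
    (0.9.8, 1.0.0, 1.0.2 and later) are not affected."""
    major, minor, fix, letter = ver
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


def audit(nginx_v_output, minimum=(1, 1, 1, "")):
    """Summarise one nginx -V output. Tuple comparison orders 1.0.2k below 1.1.1 and
    1.1.1d at or above 1.1.1, matching OpenSSL's own ordering of patch letters."""
    ver = openssl_version(nginx_v_output)
    if ver is None:
        return {"version": None, "heartbleed": None, "below_minimum": None}
    return {
        "version": "%d.%d.%d%s" % ver,
        "heartbleed": heartbleed_affected(ver),
        "below_minimum": ver < minimum,
    }


if __name__ == "__main__":
    print("before:", audit(BEFORE_V))
    print("after: ", audit(AFTER_V))
```

On a host where nginx links OpenSSL dynamically instead, nginx -V adds a "running with OpenSSL ..." note when the library on disk differs from the build-time one; that second string is the one that matters there.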
