Shulou(Shulou.com)06/02 Report--

This article mainly explains the "detailed installation steps of Nginx", the content of the article is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in depth, together to study and learn the "detailed installation steps of Nginx" bar!

1. Nginx

Nginx (engine x) is a high-performance HTTP and reverse proxy web server, as well as providing IMAP/POP3/SMTP services. Nginx was developed by Igor Sesoyev for the second most visited Rambler.ru site in Russia. The first public version 0.1.0 was released on October 4, 2004.

It distributes the source code as a BSD-like license and is known for its stability, rich feature set, sample configuration files, and low consumption of system resources. Nginx 1.0.4 was released on June 1, 2011.

Nginx is a lightweight Web server / reverse proxy server and email (IMAP/POP3) proxy server, distributed under the BSD-like protocol. It is characterized by low memory and strong concurrency ability. in fact, the concurrency ability of nginx does perform well in the same type of web server. Chinese mainland uses nginx website users: Baidu, JD.com, Sina, NetEase, Tencent, Taobao and so on.

Second, build a simple Nginx environment

Build the environment: Linux CentOS7

Nginx does not support yum installation, so you need to use the package (I use the mainline version to install it here):

API http://nginx.org/download/nginx-1.17.4.tar.gz

Dependency package: yum-y install gcc pcre-devel openssl-devel

0. What needs to be done.

Install and deploy the Nginx service on the host with the IP address 192.168.109.190, and you can configure the Nginx server with the following features enabled at compile time:

Support for SSL encryption

Set Nginx account and group name to nginx

Upgrade the Nginx server to a later version.

Access and verify the Nginx Web server:

1. Install the Nginx package

[root@centos7~] # yum-y install gcc pcre-devel openssl-devel (I am minimizing the installation of the system that needs to install the complete yum-y install gcc pcre pcre-devel openssl openssl-devel make automake autoconf of the dependency package) / / install the dependency package

[root@centos7~] # useradd-s / sbin/nologin nginx / / add a dedicated user and add the parameter-s followed by the addition

[root@centos7~] # tar-xzvf nginx-1.17.4.tar.gz

[root@centos7~] # cd nginx-1.17.4

[root@centos7 nginx-1.17.4] #. / configure\

>-- prefix=/usr/local/nginx\ / / specify the installation path

>-- user=nginx\ / / specify a user

>-- group=nginx\ / / specify a group

>-- with-http_ssl_module / / enable SSL encryption

[root@centos7 nginx-1.17.4] # make & & make install / / compile and install

[root@centos7 nginx-1.17.4] # ls / usr/local/nginx/sbin/nginx / / check whether this directory exists. If so, the installation is successful.

Supplement (on why dedicated users are added):

According to the principle of least privilege, Nginx needs to be assigned an appropriate permission to complete the Web service.

The principle of least privilege is one of the most basic principles in system security. it limits the minimum permissions that users need to access the system and data, and ensures that users can complete the tasks they operate. at the same time, it also ensures that the losses caused by illegal users or abnormal operations are minimized. You must make sure that Nginx uses a dedicated user and user group and does not use the system's predefined accounts.

Because only root users can run Nginx,DocumentRoot should be able to be accessed by users who manage the content of the Web site and Nginx users and Nginx groups that use the Nginx server. So, if you want a "nginx" user to post content on a Web site and can run the Nginx server as httpd, you can usually add that user to the Nginx group.

In short, we enable Nginx as a root user and use Nginx as a Nginx user or group, because if we do not separate root from the Nginx user, if the user has root privileges, we can find the root up through the system path of the Nginx software, which is very dangerous.

two。 Start Nginx

[root@centos7~] # / usr/local/nginx/sbin/nginx / / start the service

[root@centos7~] # / usr/local/nginx/sbin/nginx-s stop / / disable the service

[root@centos7~] # / usr/local/nginx/sbin/nginx-s reload / / reload the configuration file

[root@centos7~] # / usr/local/nginx/sbin/nginx-V / / View software information

[root@centos7~] # ln-s / usr/local/nginx/sbin/nginx / sbin/ / create soft links for later use. Enter nginx directly to start the service.

3. Verify that Nginx is running

The netstat command can view the port information started on the system, and the common options for this command are as follows:

-a displays information for all ports

-n displays the port number in numeric format

-t displays the port of the TCP connection

-u shows the port to which UDP is connected

-l displays the port information that the service is listening to. For example, port 80 will be monitored all the time after httpd is started.

-p shows what the service name of the listening port is (that is, the program name)

By default, the nginx service listens for client requests through TCP port 80 to see if it is being occupied by nginx through TCP 80. If your server has other services using port 80, such as httpd, you should close httpd and shut down the process kill all-9 httpd.

[root@centos7 ~] # netstat-anptu | grep nginx

Tcp 0 0 0.0.0 0 master 80 0.0.0 0. 0. 0 master

3. Configure Nginx virtual host

Virtual host (English: virtual hosting) or shared host (shared web hosting), also known as virtual server, is a method to implement multi-domain services on a single host or host group, which can run multiple websites or services. Virtual hosts are completely independent and can be managed by users. Virtual does not exist, but means that the space is extended from the server of the entity, and its hardware system can be based on the server farm, or a single server.

The technology is the technology adopted by the Internet server to save the hardware cost of the server. The virtual host technology is mainly applied to many services such as HTTP,FTP,EMAIL. One or all of the service contents of a server are logically divided into multiple service units, which are externally represented as multiple servers, thus making full use of server hardware resources. If the partition is system-level, it is called a virtual server.

Virtual hosts are generally available: domain name-based, IP-based and port-based virtual hosts. Here we configure a domain name-based virtual host.

# case 1

Implement two virtual hosts based on domain name access, the domain names are www.aa.com and www.bb.com

Modify the configuration file

Here we only configure the most basic functions, configure two websites, the website aa uses the default page, and the website bb creates a new index.html to put into the directory www

Mkdir / usr/local/nginx/www / / create directory www

Echo "this is www.bb.com hell world!" > / usr/local/nginx/www/index.html / / create an index.html file and write it to this is www.bb.com hell world!

Vim / usr/local/nginx/conf/nginx.conf

The modifications are as follows:

User nginx nginx

Worker_processes 1

Pid logs/nginx.pid

Events {

Worker_connections 1024

}

Http {

Include mime.types

Default_type application/octet-stream

Sendfile on

Keepalive_timeout 65

Server {

Listen 80; / / the port accessed

Domain name accessed by server_name www.aa.com; / /

Location / {

Root html; / / specify the site root path

Index index.html index.htm

}

Error_page 500 502 503 504 / 50x.html

Location = / 50x.html {

Root html

}

}

Server {

Listen 80; / / Port

Server_name www.bb.com; / / domain name

Location / {

Root www; / / specify the root path, which is the default path used before, which points to the directory we created, www.

Index index.html index.htm

}

Error_page 500 502 503 504 / 50x.html

Location = / 50x.html {

Root html

}

}

}

After the configuration modification is completed, let's restart nginx

[root@centos7] # nginx-s reload

test

Bind the local hosts file for testing:

Visit www.aa.com to display the default nginx page

Visit www.bb.com to display the html page we configured:

There are many ways to configure nginx as a reverse proxy, such as domain name, IP and domain name plus different ports, IP plus different ports, and so on.

You only need to modify the parameters listen and server_name in the configuration file.

4. Configure access to SSL virtual hosts.

SSL (Secure Socket Layer), developed by Netscape, is used to ensure the security of data transmission on Internet. Data encryption (Encryption) technology can be used to ensure that data will not be intercepted and eavesdropped during transmission on the network. The general safety standard is 40 bit, while the United States has introduced a higher safety standard of 128 bit, but the exit is restricted. As long as version 3.0 or above of I.E. Or Netscape browser can support SSL.

SSL protocol is located between TCP/IP protocol and various application layer protocols, which provides security support for data communication. SSL protocol can be divided into two layers: SSL recording Protocol (SSL Record Protocol): it is based on reliable transport protocols (such as TCP) and provides support for high-level protocols such as data encapsulation, compression, encryption and other basic functions. SSL handshake Protocol (SSL Handshake Protocol): it is based on the SSL recording protocol and is used for identity authentication, negotiation of encryption algorithms, exchange of encryption keys, etc., before the actual data transmission begins.

Generally speaking, it is not safe to use the SSL protocol, if you simply transfer the file, everything is displayed in clear text when the visitor enters the account password to the server. If someone grabs the package at this time, you can see the contents of the file and use the SSL protocol to encrypt the data. Even if you are caught, you can not see the specific contents of the file, which greatly improves the security, especially the website involving money transactions.

# case 2

Implement a SSL virtual host accessed based on https protocol, and encrypt all the data of the site through private key and certificate

# encryption algorithm:

# encryption algorithms are generally divided into symmetric algorithms, asymmetric algorithms and information summaries.

# symmetric algorithms are: AES, DES, mainly used in stand-alone data encryption.

# asymmetric algorithms include RSA and DSA, which are mainly used in network data encryption.

# Information summary: MD5, sha256, mainly used in data integrity verification.

The asymmetric algorithm RSA is generally adopted:

[root@centos7 conf] # openssl genrsa > cert.key / / generate the private key. Record the file name and use it when configuring the nginx configuration file later.

[root@centos7 conf] # openssl req-new-x509-key cert.key > cert.pem / / generate a certificate. Record the file name and use it when configuring the nginx configuration file later.

Modify the nginx configuration file:

[root@centos7 conf] # vim nginx.conf

User nginx nginx

Worker_processes 1

Pid logs/nginx.pid

Events {

Worker_connections 1024

}

Http {

Include mime.types

Default_type application/octet-stream

Sendfile on

Keepalive_timeout 65

Server {

Listen 80

Server_name www.cc.com

Return 301https://$server_name$request_uri; / / configure the access method that forces http to jump to https when accessing www.cc.com

Location / {

Root html

Index index.html index.htm

}

Error_page 500 502 503 504 / 50x.html

Location = / 50x.html {

Root html

}

}

# HTTPS server

Server {

Listen 443 ssl

Server_name www.cc.com

Ssl_certificate cert.pem; / / here is the certificate file

Ssl_certificate_key cert.key; / / here is the private key file

Ssl_session_cache shared:SSL:1m

Ssl_session_timeout 5m

Ssl_ciphers HIGH:!aNULL:!MD5

Ssl_prefer_server_ciphers on

Location / {

Root html

Index index.html index.htm

}

}

}

Save the configuration changes and restart nginx.

[root@centos7 conf] # nginx-s reload

Modify the local hosts file for verification:

Use a google browser to access a network connection that has prompted https to be insecure because the SSL file we configured is locally generated

It is not officially certified by a third party, so the google browser will pop up a prompt that we just need to be advanced and continue to visit.

Thank you for your reading, the above is the content of "detailed installation steps of Nginx", after the study of this article, I believe you have a deeper understanding of the detailed installation steps of Nginx, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.