在配置之前需要改一下配置文件
// 用 vim 编辑 /usr/local/nginx/conf/nginx.conf 配置文件,在 http 段的最后添加一行
[root@lnmp nginx-1.17.8]# vim /usr/local/nginx/conf/nginx.conf
// 把server那一段删了,加入这一句 include vhost/*.conf;
# Main nginx configuration (/usr/local/nginx/conf/nginx.conf).
# Per-site server blocks live in vhost/*.conf, included at the end of http{}.
# Worker processes run as the unprivileged "nobody" account; the master,
# started from the root shell on this page, keeps the privileges needed to
# bind port 80/443 and open the log files.
user nobody nobody;
worker_processes 2;
# Only "crit" and more severe messages are written. Warnings and ordinary
# errors that help during troubleshooting or incident analysis will not
# appear here; "error" or "warn" is the more useful level.
error_log /usr/local/nginx/logs/nginx_error.log crit;
# pid file read by the log-rotation script later on this page.
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 6000;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
# Access-log format used by the vhosts. $http_x_forwarded_for is copied
# straight from the request header, so it is client-controlled and only
# trustworthy when a trusted proxy sits in front; $remote_addr is the
# address nginx actually accepted the connection from.
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
# Slow-client timeouts; three minutes each lets an idle or deliberately slow
# client hold a worker connection for a long time.
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 8 4k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
# Upper bound on request bodies (e.g. uploads).
client_max_body_size 10m;
client_body_buffer_size 256k;
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/proxy_temp;
fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
fastcgi_intercept_errors on;
tcp_nodelay on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm
application/xml;
# Every file matching vhost/*.conf becomes part of the running configuration,
# so write access to that directory is equivalent to editing nginx.conf.
include vhost/*.conf;
}
//创建
[root@lnmp nginx-1.17.8]# mkdir /usr/local/nginx/conf/vhost
//移动
[root@lnmp nginx-1.17.8]# cd /usr/local/nginx/conf/vhost/
//检查
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
一.默认虚拟主机
//查看当前所在位置
[root@lnmp vhost]# pwd
/usr/local/nginx/conf/vhost
//配置
[root@lnmp vhost]# vim default.conf
# Default virtual host. "default_server" makes this block answer any request
# whose Host header matches no other server_name (the bbb.com test below
# lands here), so it should only ever serve harmless placeholder content.
server
{
listen 80 default_server;
server_name aaa.com;
# NOTE(review): "index.htmindex.php" looks like a missing space; the other
# vhosts on this page write "index.htm index.php".
index index.html index.htmindex.php;
root /data/nginx/default;
}
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
2.测试
[root@lnmp vhost]# mkdir -p /data/nginx/default
[root@lnmp vhost]# echo " default server! " > /data/nginx/default/index.html
# 定义的为aaa.com;bbb.com 未匹配任何 server_name,同样由默认虚拟主机响应
[root@lnmp vhost]# curl -x127.0.0.1:80 bbb.com
default server!
[root@lnmp vhost]# curl -x127.0.0.1:80 aaa.com
default server!
二.用户认证
1,配置
//移动
[root@lnmp ~]# cd /usr/local/nginx/conf/vhost/
//查看
[root@lnmp vhost]# ls
default.conf
//配置文件
[root@lnmp vhost]# vim test.com.conf
# test.com with HTTP basic authentication on the whole site.
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
location /
{
# Basic auth transmits the password base64-encoded, not encrypted. On this
# plain port-80 listener anyone on the network path can read it, so the
# scheme is only as strong as the transport; pair it with TLS.
auth_basic "Auth";
# Credential file written by htpasswd. It lives under conf/, outside the
# document root, so it cannot be fetched as static content.
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
//安装 httpd,目的是获得 htpasswd 命令
[root@lnmp vhost]# yum install -y httpd
[root@lnmp vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd bsq
New password:
Re-type new password:
Adding password for user bsq
//重启
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
//创建
[root@lnmp vhost]# mkdir /data/nginx/test.com
//写入
[root@lnmp vhost]# echo "test.com" > /data/nginx/test.com/index.html
测试
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
//测试
[root@lnmp vhost]# curl -x127.0.0.1:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
[root@lnmp vhost]# curl -usxs -x127.0.0.1:80 test.com
Enter host password for user 'sxs':
test.comadsadfa
2,针对目录认证
一般用来保护后台admin目录
配置
[root@lnmp vhost]# vim test.com.conf
# Authentication limited to one directory: only URIs under /admin/ prompt
# for credentials, everything else on the site stays open.
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@lnmp vhost]# mkdir /data/nginx/test.com/admin
[root@lnmp vhost]# echo "asdfadmin" > /data/nginx/test.com/admin/index.html
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
测试
3.URL认证
针对URL做认证,即链接中带了某个关键字
配置
[root@lnmp vhost]# vim test.com.conf
# Authentication keyed on the URL: any request whose URI matches the regex
# below must authenticate.
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
# The pattern is unanchored and the dot is unescaped, so it matches any URI
# containing "admin" + one character + "php" (e.g. /x/admin.php.bak,
# /adminXphp). A tighter form is `location ~ /admin\.php$`.
location ~ admin.php
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
测试
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@lnmp vhost]# curl -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
三.域名重定向
配置
//编辑配置文件
[root@lnmp vhost]# vim test.com.conf
# Domain redirect: requests for test2.com / test3.com get a 301 to test.com.
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
if ($host != 'test.com' ){
# ^(.*)$ captures the leading "/", which is why the test below shows
# "Location: http://test.com//". The later sections use ^/(.*)$ instead.
rewrite ^(.*)$ http://test.com/$1 permanent;
}
}
测试
//重启
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
# 状态码 301(永久重定向)说明域名重定向已生效
[root@lnmp vhost]# curl -x127.0.0.1:80 test2.com
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
[root@lnmp vhost]# curl -x127.0.0.1:80 test2.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.8
Date: Wed, 11 Aug 2021 10:09:23 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com//
测试在Windows上,需要将两个域名都写入hosts文件,并使用没有缓存的浏览器<br /> ![image.png](https://cdn.nlark.com/yuque/0/2021/png/25425154/1638839727741-da504a7b-4878-4476-a1cb-4904f03c204f.png#clientId=ua52a4247-2ab2-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=284&id=u74dab092&margin=%5Bobject%20Object%5D&name=image.png&originHeight=446&originWidth=944&originalType=binary&ratio=1&rotation=0&showTitle=false&size=83114&status=done&style=none&taskId=u7b1723ac-1723-4752-814c-401c017f8ce&title=&width=601.6666870117188)<br />四.Nginx访问日志<br /> 1. 配置
# nginx 默认格式
[root@lnmp vhost]# grep -A2 log_format /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
# combined_realip为日志格式名字。
#$remote_addr为网站的用户的出口IP。
# $http_x_forwarded_for 为请求头 X-Forwarded-For 的值,经过代理时由代理添加,记录代理之前的客户端IP
# $time_local为当前时间;$host为主机名;
#$request_uri为访问的URL地址
# $status为状态码,$http_referer为referer地址,$http_user_agent为user_agent
[root@lnmp vhost]# vim test.com.conf
# Per-site access log using the combined_realip format from nginx.conf.
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
# /tmp is shared and world-writable; it is used here only for the demo.
# A log that other local users can pre-create or tamper with is a poor
# audit source — the normal location is /usr/local/nginx/logs/.
access_log /tmp/1.log combined_realip;
}
测试
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@lnmp vhost]# curl -x127.0.0.1:80 test.com
test.comadsadfa
[root@lnmp vhost]# cat /tmp/1.log
127.0.0.1 - [11/Aug/2021:20:59:49 +0800] test.com "/" 200 "-" "curl/7.29.0"
五.日志切割
// 需要自己写一个脚本,
[root@lnmp ~]# vim /usr/local/sbin/nginx_log_rotate.sh
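#!/bin/bash
# nginx_log_rotate.sh — daily access-log rotation.
# Renames every *.log in $logdir to <name>-<YYYYMMDD of yesterday>, then sends
# SIGHUP to the nginx master (pid read from $nginx_pid) so it reopens its log
# files and starts fresh ones. Run once a day from cron (see below).
# $logdir is /tmp/ to match the access_log examples on this page. /tmp is
# shared and world-writable, so any user's *.log there would be renamed too;
# in production point this at the real nginx log directory.
set -eu

d=$(date -d "-1 day" +%Y%m%d)
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"

cd -- "$logdir" || exit 1
for log in *.log; do
  # An unmatched glob stays literal ("*.log"); skip it instead of mv'ing it.
  [ -e "$log" ] || continue
  mv -- "$log" "$log-$d"
done

# Refuse to signal unless the pid file holds a plain number: an empty or
# stale file would otherwise turn into "kill -HUP" with a bad argument.
pid=$(cat "$nginx_pid")
case "$pid" in
  ''|*[!0-9]*) printf 'bad pid in %s\n' "$nginx_pid" >&2; exit 1 ;;
esac
/bin/kill -HUP "$pid"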
// 权限
[root@lnmp ~]# chmod 755 /usr/local/sbin/nginx_log_rotate.sh
//设定执行时间
[root@lnmp ~]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
[root@lnmp ~]# ls /tmp/
1.log 1.log-20210811
[root@lnmp ~]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20210816
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls 1.log
+ for log in '`ls *.log`'
+ mv 1.log 1.log-20210816
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 1606
[root@lnmp ~]# ls /tmp/
1.log 1.log-20210816
1.log-20210811
六.配置静态文件不记录访问日志并添加过期时间
//修改配置文件
[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# Static-file handling: browser caching via Expires, and no access log for
# images.
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# Images: cache for 7 days. access_log off means requests for these paths
# leave no trace in 1.log (the 2.jpg request below is indeed missing there);
# keep that in mind when a log is needed as evidence.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
# Scripts and stylesheets: cache for 12 hours, still logged.
location ~ .*\.(js|css)$
{
expires 12h;
}
access_log /tmp/1.log combined_realip;
}
//写入文件重定向
[root@lnmp ~]# echo '111' > /data/nginx/test.com/1.js
[root@lnmp ~]# echo '222' > /data/nginx/test.com/2.jpg
[root@lnmp ~]# touch /data/nginx/test.com/1.jss
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
[root@lnmp ~]# echo > /tmp/1.log
[root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/1.js
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 10:37:13 GMT
Content-Type: application/javascript
Content-Length: 4
Last-Modified: Tue, 17 Aug 2021 09:46:43 GMT
Connection: keep-alive
ETag: "611b8583-4"
Expires: Tue, 17 Aug 2021 22:37:13 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
[root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/2.jpg
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 10:37:23 GMT
Content-Type: image/jpeg
Content-Length: 4
Last-Modified: Tue, 17 Aug 2021 09:47:12 GMT
Connection: keep-alive
ETag: "611b85a0-4"
Expires: Tue, 24 Aug 2021 10:37:23 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/1.jss
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 10:37:32 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Tue, 17 Aug 2021 10:02:04 GMT
Connection: keep-alive
ETag: "611b891c-0"
Accept-Ranges: bytes
[root@lnmp ~]# cat /tmp/1.log
127.0.0.1 - [17/Aug/2021:18:37:13 +0800] test.com "/1.js" 200 "-" "curl/7.29.0"
127.0.0.1 - [17/Aug/2021:18:37:32 +0800] test.com "/1.jss" 200 "-" "curl/7.29.0"
七、Nginx防盗链
//修改配置文件
[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# Anti-hotlinking: deny media/download requests whose Referer points at a
# foreign site.
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
# "none" accepts requests with no Referer and "blocked" those whose Referer
# was stripped by a proxy, so this only blocks other sites embedding the
# files; a direct download or a client that omits/forges the header passes.
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
}
//重启
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
//测试
[root@lnmp ~]# curl -x127.0.0.1:80 -e "http://aaa.com/1.txt" test.com/2.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 14:08:41 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@lnmp ~]# curl -x127.0.0.1:80 -e "http://test.com/1.txt" test.com/2.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 14:09:01 GMT
Content-Type: image/jpeg
Content-Length: 4
Last-Modified: Tue, 17 Aug 2021 09:47:12 GMT
Connection: keep-alive
ETag: "611b85a0-4"
Expires: Tue, 24 Aug 2021 14:09:01 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
八、访问控制
针对目录进行控制访问
配置
//修改配置文件
[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# IP-based access control for the /admin/ directory.
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
access_log /tmp/1.log combined_realip;
location /admin/ {
# allow/deny compare $remote_addr, the TCP peer address; X-Forwarded-For is
# not consulted. If this nginx itself sits behind a proxy, every request
# carries the proxy's address and the list no longer distinguishes clients.
# Rules are evaluated in order; the trailing "deny all" is the default.
allow 192.168.200.32;
allow 127.0.0.1;
deny all;
}
}
//重启
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
测试
//echo写入
[root@lnmp ~]# echo "1234" > /data/nginx/test.com/admin/1.html
// 测试 可以把配置文件改为192.168.200.1允许访问,使用浏览器测试
[root@tomcat ~]# curl test.com/admin/1.html
1234
[root@tomcat ~]# curl test.com/admin/1.html
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
九、Nginx解析PHP
配置
//修改配置
[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# Hand .php requests to php-fpm over FastCGI.
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test.com;
access_log /tmp/1.log combined_realip;
# Every URI ending in .php is executed by php-fpm. Any writable or upload
# directory under the document root would therefore let uploaded .php files
# run, so such directories should not live under /data/nginx/test.com.
location ~ \.php$ {
include fastcgi_params;
# Unix socket must match "listen" in php-fpm.conf (shown below); a wrong
# path yields 502.
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
# NOTE(review): hard-codes the root a second time; $document_root$fastcgi_script_name
# would stay in sync with the root directive above.
fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}
}
[root@lnmp ~]# vim /data/nginx/test.com/3.php
<?php
// phpinfo() prints the full PHP and server configuration (paths, loaded
// modules, environment). Handy to confirm FastCGI works; delete the file
// afterwards so that information is not left reachable on the site.
phpinfo();
?>
// fastcgi_pass 用来指定 php-fpm 的地址;路径如果错误,则报 502 错误
// 路径在这个配置文件中
[root@lnmp ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
; php-fpm configuration (/usr/local/php-fpm/etc/php-fpm.conf).
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
; Unix socket nginx connects to; must match fastcgi_pass in the vhost.
listen = /tmp/php-fcgi.sock
# listen = 127.0.0.1:9000 # a TCP listener works too, but fastcgi_pass in nginx must then match; note a TCP socket has no file permissions at all.
; 666 makes the socket world-writable: any local account can connect and
; have php-fpm execute PHP as the php-fpm user. Prefer 660 together with
; listen.owner/listen.group set to nginx's worker user ("nobody" above).
listen.mode = 666
; Workers run as a dedicated unprivileged account.
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
// 注意一下这三行的配置文件与nginx配置文件的关系
listen = /tmp/php-fcgi.sock
# listen = 127.0.0.1:9000 # 也可以这样配置,但是 nginx 中的 fastcgi_pass 要与之对应。
listen.mode = 666
测试
[root@lnmp ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
?>
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
![image.png](https://cdn.nlark.com/yuque/0/2021/png/25425154/1638866827476-c8bb482f-b029-40e9-856a-2cb4ffbdc4e5.png#clientId=u9624a520-8b89-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=569&id=u44cafebd&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1137&originWidth=1099&originalType=binary&ratio=1&rotation=0&showTitle=false&size=150884&status=done&style=none&taskId=u90117fe8-3758-421a-9483-f425126e0a1&title=&width=549.5)<br />十、Nginx代理<br />一个没有公网IP的服务器提供web服务,可以通过代理来实现。<br />配置
//修改配置文件
[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
# Reverse proxy: requests for ask.apelearn.com are forwarded to a fixed
# upstream address.
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://47.104.7.242/;
# Forward the original Host so the upstream can pick the right vhost.
proxy_set_header Host $host;
# X-Real-IP is the peer address nginx itself saw — the value to trust.
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever
# X-Forwarded-For the client already sent, so the upstream sees any
# client-supplied entries first.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
测试
//检验
[root@lnmp ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
[root@lnmp ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@lnmp ~]#
十一、负载均衡
一个IP叫做代理,两个IP以上叫负载均衡
配置
// 下载安装dig命令
[root@lnmp ~]# yum install -y bind-utils
// 通过dig命令获取相应域名的地址,这里是拿百度的做测试
[root@lnmp ~]# dig www.baidu.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23817
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 33 IN CNAME www.a.shifen.com.
www.a.shifen.com. 129 IN A 220.181.38.149
www.a.shifen.com. 129 IN A 220.181.38.150
;; Query time: 31 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Wed Aug 18 19:12:15 CST 2021
;; MSG SIZE rcvd: 101
[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/load.conf
# Load balancing across the two addresses obtained with dig above.
upstream baidu
{
# ip_hash pins each client address to one backend (session stickiness);
# many clients behind one NAT or proxy therefore share a backend.
ip_hash;
server 220.181.38.149:80;
server 220.181.38.150:80;
}
server
{
listen 80;
server_name www.baidu.com;
location /
{
# Name must match the upstream block above.
proxy_pass http://baidu;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
#upstream来指定多个web server
# upstream后面的名字要和proxy_pass后面的名字相同
测试
//测试
[root@lnmp ~]# curl -x127.0.0.1:80 www.baidu.com
default server!
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
[root@lnmp ~]# curl -x127.0.0.1:80 www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;
charset=utf-8><meta http-equiv=X-UA-Compatible
content=IE=Edge><meta content=always name=referrer><link rel=stylesheet
type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>
百度一下,你就知道
十二、SSL
大家在访问网站的时候前面一般都是 HTTP 和 HTTPS,其中 HTTPS 就是和 SSL 证书有关
生成SSL密钥对
[root@lnmp ~]# rpm -qa openssl
openssl-1.0.2k-21.el7_9.x86_64
//切换目录
[root@lnmp ~]# cd /usr/local/nginx/conf/
[root@lnmp conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................+++
..............................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@lnmp conf]# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
writing RSA key
[root@lnmp conf]# ls
aminglinux.key koi-win tmp.key
fastcgi.conf mime.types uwsgi_params
fastcgi.conf.default mime.types.default uwsgi_params.default
fastcgi_params nginx.conf vhost
fastcgi_params.default nginx.conf.default win-utf
htpasswd scgi_params
koi-utf scgi_params.default
[root@lnmp conf]# rm -rf tmp.key
[root@lnmp conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:66
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:^C
[root@lnmp conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:66
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, your name or your server's hostname) []:cn
Email Address []:wsw@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234
[root@lnmp conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=66/ST=bj/L=bj/O=cn/OU=cn/CN=cn/emailAddress=wsw@163.com
Getting Private key
配置SSL
//修改配置文件
[root@lnmp conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
# HTTPS vhost using the self-signed certificate generated above.
# The nginx -t run right after this fails with 'unknown directive "ssl"'
# because the binary was built without --with-http_ssl_module; the rebuild
# that follows fixes that.
server
{
listen 443;
server_name 1234.com;
index index.html index.php;
# NOTE(review): the test content is later created under /data/nginx/1234.com,
# which is not this path.
root /data/wwwroot/1234.com;
# "ssl on;" is the obsolete form; current nginx expects "listen 443 ssl;".
ssl on;
# Self-signed (openssl x509 -signkey above), so browsers will warn.
ssl_certificate aminglinux.crt;
# The passphrase was removed from this key (openssl rsa step above), so the
# file itself is the only protection — keep it readable by root only.
ssl_certificate_key aminglinux.key;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); serve TLSv1.2 (and 1.3) only.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@lnmp conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
// 之前编译时没有加 --with-http_ssl_module,需要重新编译安装 nginx
[root@lnmp conf]# cd /usr/local/src/
[root@lnmp src]# ls
mysql-5.6.47-linux-glibc2.12-x86_64.tar.gz php-5.6.30
nginx-1.17.8 php-5.6.30.tar.gz
nginx-1.17.8.tar.gz
[root@lnmp src]# cd nginx-1.17.8
[root@lnmp nginx-1.17.8]# ls
auto CHANGES.ru configure html Makefile objs src
CHANGES conf contrib LICENSE man README
[root@lnmp nginx-1.17.8]# ./configure --help |grep ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@lnmp nginx-1.17.8]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
//编译安装
[root@lnmp nginx-1.17.8]# make && make install
[root@lnmp nginx-1.17.8]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ OK ]
[root@lnmp nginx-1.17.8]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5609/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1102/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2439/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5609/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 2437/mysqld
tcp6 0 0 :::22 :::* LISTEN 1102/sshd
tcp6 0 0 ::1:25 :::* LISTEN 2439/master
//创建
[root@lnmp nginx-1.17.8]# mkdir -p /data/nginx/1234.com
[root@lnmp nginx-1.17.8]# echo "ssl test" > /data/nginx/1234.com/index.html