nginx1.10.3一键安装/系统内核优化/配置文件优化/https/日志切割-阿里云开发者社区

下面的是一键安装nginx 1.10.3 最新稳定版本，编译参数是官方推荐的。
 

yum groupinstall "Development Tools"   -y

yum  install wget   zlib-devel openssl-devel pcre-devel -y

cd /usr/local/src

wget http://nginx.org/download/nginx-1.10.3.tar.gz

tar zxvf nginx-1.10.3.tar.gz

cd nginx-1.10.3
groupadd -g 58 nginx

useradd -u 58 -g 58 -M nginx -s /sbin/nologin

mkdir -p /var/tmp/nginx/{client,proxy,fastcgi,uwsgi,scgi}

mkdir -p /var/cache/nginx/client_temp

./configure \
--user=nginx --group=nginx \

--prefix=/etc/nginx   \

--sbin-path=/usr/sbin/nginx \

--conf-path=/etc/nginx/nginx.conf \

--error-log-path=/var/log/nginx/error.log \

--http-log-path=/var/log/nginx/access.log \

--pid-path=/var/run/nginx.pid \

--lock-path=/var/run/nginx.lock \

--http-client-body-temp-path=/var/cache/nginx/client_temp \

--http-proxy-temp-path=/var/cache/nginx/proxy_temp \

--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \

--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \

--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-threads \
--with-stream \
--with-stream_ssl_module \
--with-http_slice_module \
--with-mail \
--with-mail_ssl_module \

--with-file-aio \
--with-http_v2_module \
--with-ipv6

make && make install
nginx -V

  

  
Centos7 启动方式
 

cat  >> /lib/systemd/system/nginx.service  <<EOF
[Unit]
Description=nginx - high performance web server

Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

   
[Service]
Type=forking

PIDFile=/run/nginx.pid

ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf

ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf

ExecReload=/bin/kill -s HUP $MAINPID

ExecStop=/bin/kill -s QUIT $MAINPID

PrivateTmp=true

   
[Install]
WantedBy=multi-user.target
EOF
 
 
 

systemctl enable nginx.service
systemctl start  nginx.service

netstat -lntup  | grep 80

内核优化  
 

cat   >>  /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024    6500
EOF

sysctl -p

cd /etc/nginx/

mv nginx.conf nginx.conf.bak

配置文件优化，启用HTTPS
 
vim nginx.conf
user  nginx nginx;
worker_processes  auto;
worker_rlimit_nofile 65535;
 
error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;
 
events {

    use epoll;

    worker_connections 10240;

    multi_accept on;
}
 
http

    {

    include       mime.types;

    default_type  application/octet-stream;
 
    charset  utf-8;
 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';
 
    access_log  /var/log/nginx/access.log  main;
 
    server_names_hash_bucket_size 128;

    client_header_buffer_size 16k;

    large_client_header_buffers 4 16k;

    client_max_body_size 50m;
 
    server_tokens off;

    autoindex off;
 
    sendfile on;

    tcp_nopush     on;
 
    keepalive_timeout 60;

    tcp_nodelay  on;

    client_header_timeout 15;

    reset_timedout_connection on;

    client_body_timeout 15;

    send_timeout 15;
 
    fastcgi_intercept_errors on;
 
    fastcgi_connect_timeout 300;

    fastcgi_send_timeout 300;

    fastcgi_read_timeout 300;

    fastcgi_buffer_size 16k;

    fastcgi_buffers 16 16k;

    fastcgi_busy_buffers_size 16k;

    fastcgi_temp_file_write_size 16k;
 
    fastcgi_cache_path /etc/nginx/fastcgi_cache levels=1:2

                    keys_zone=TEST:10m

                    inactive=5m;
 
    fastcgi_cache TEST;

    fastcgi_cache_valid 200 302 1h;

    fastcgi_cache_valid 301 1d;

    fastcgi_cache_valid any 1m;

    fastcgi_cache_min_uses 1;

    fastcgi_cache_use_stale error timeout invalid_header http_500;

    fastcgi_cache_key "$request_method://$host$request_uri";
 
    open_file_cache max=204800 inactive=20s;

    open_file_cache_min_uses 1;

    open_file_cache_valid 30s;
 
    gzip on;

    gzip_min_length  1k;

    gzip_buffers     4 16k;

    gzip_http_version 1.1;

    gzip_comp_level 5;

    gzip_types       text/css application/javascript  text/xml;

    gzip_vary on;

    gzip_disable "MSIE [1-6].(?!.*SV1)";
 
    server

        {

        listen       80;

        server_name  hequan.lol;

        index index.php index.html  index.htm;

        root html;
 
        return         301 https://$server_name$request_uri;
 
    }
 
    server {

        listen 443  ssl;

        server_name hequan.lol;

        index index.html index.htm index.php default.html default.htm default.php;
 
        root  html;
 
        ssl on;

        ssl_certificate      /etc/nginx/key/1_www.hequan.lol_bundle.crt;

        ssl_certificate_key  /etc/nginx/key/2_www.hequan.lol.key;
 
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:10m;
 
        location /status

            {

            stub_status on;

            access_log off;

            #allow 127.0.0.1;

            #deny all;

        }
 
        error_page  400 401 402 403 404  /40x.html;

        location = /40x.html {

                root  html;

                index  index.html index.htm;

        }
 
        error_page  500 501 502 503 504  /50x.html;

        location = /50x.html {

            root  html;

            index  index.html index.htm;

        }
 
        location ~ \.php$ {

            root           html;

            fastcgi_pass   127.0.0.1:9000;

            fastcgi_index  index.php;

            fastcgi_param  SCRIPT_FILENAME  /etc/nginx/html$fastcgi_script_name;

            include        fastcgi_params;

        }
 
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

            {

            expires 30d;

        }
 
        location ~ .*\.(js|css)?$

            {

            expires 12h;

        }

    }
}
 
日志切割
 
cat >> log.sh <<EOF
#!/bin/bash

path=/var/log/nginx/backup

if [ ! -d  "#path"  ]; then

    mkdir -p $path
fi

cd  /var/log/nginx

mv access.log   backup/$(date +%F -d -1day).log
systemctl reload  nginx.service
EOF
 
crontab -e

00 00 * * * /var/log/nginx/log.sh  > /dev/null 2&1

关于证书可以去

https://console.qcloud.com/ssl/apply (有效期一年) 申请，非常简单。腾讯认证的。跟着流程走，几分钟就好。

ssl_certificate      /etc/nginx/key/1_www.hequan.lol_bundle.crt;   

ssl_certificate_key  /etc/nginx/key/2_www.hequan.lol.key;

上面一个是证书，一个是密钥。自定义目录。

以上设置仅供参考。欢迎提出有疑问的地方。

本文转自 295631788 51CTO博客，原文链接：http://blog.51cto.com/hequan/1895932，如需转载请自行联系原作者