nginx1.10.3一鍵安裝/系統核心優化/配置檔案優化/https/日誌切割

餘二五發表於2017-11-16
Nginx優化HTTP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
下面的是一鍵安裝nginx 1.10.3 最新穩定版本,編譯引數是官方推薦的。
 
yum groupinstall "Development Tools"   -y
yum  install wget   zlib-devel openssl-devel pcre-devel -y
cd /usr/local/src
wget http://nginx.org/download/nginx-1.10.3.tar.gz
tar zxvf nginx-1.10.3.tar.gz
cd nginx-1.10.3
groupadd -g 58 nginx
useradd -u 58 -g 58 -M nginx -s /sbin/nologin
mkdir -p /var/tmp/nginx/{client,proxy,fastcgi,uwsgi,scgi}
mkdir -p /var/cache/nginx/client_temp
./configure 
--user=nginx --group=nginx 
--prefix=/etc/nginx   
--sbin-path=/usr/sbin/nginx 
--conf-path=/etc/nginx/nginx.conf 
--error-log-path=/var/log/nginx/error.log 
--http-log-path=/var/log/nginx/access.log 
--pid-path=/var/run/nginx.pid 
--lock-path=/var/run/nginx.lock 
--http-client-body-temp-path=/var/cache/nginx/client_temp 
--http-proxy-temp-path=/var/cache/nginx/proxy_temp 
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp 
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp 
--http-scgi-temp-path=/var/cache/nginx/scgi_temp 
--user=nginx 
--group=nginx 
--with-http_ssl_module 
--with-http_realip_module 
--with-http_addition_module 
--with-http_sub_module 
--with-http_dav_module 
--with-http_flv_module 
--with-http_mp4_module 
--with-http_gunzip_module 
--with-http_gzip_static_module 
--with-http_random_index_module 
--with-http_secure_link_module 
--with-http_stub_status_module 
--with-http_auth_request_module 
--with-threads 
--with-stream 
--with-stream_ssl_module 
--with-http_slice_module 
--with-mail 
--with-mail_ssl_module 
--with-file-aio 
--with-http_v2_module 
--with-ipv6
make && make install
nginx -V
  
  
Centos7 啟動方式
 
cat  >> /lib/systemd/system/nginx.service  <<EOF
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
   
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
   
[Install]
WantedBy=multi-user.target
EOF
 
 
 
systemctl enable nginx.service
systemctl start  nginx.service
netstat -lntup  | grep 80
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
核心優化  
 
cat   >>  /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024    6500
EOF
1
2
3
sysctl -p
cd /etc/nginx/
mv nginx.conf nginx.conf.bak
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
配置檔案優化,啟用HTTPS
 
vim nginx.conf
user  nginx nginx;
worker_processes  auto;
worker_rlimit_nofile 65535;
 
error_log  /var/log/nginx/error.log  info;
pid        /var/run/nginx.pid;
 
events {
    use epoll;
    worker_connections 10240;
    multi_accept on;
}
 
http
    {
    include       mime.types;
    default_type  application/octet-stream;
 
    charset  utf-8;
 
    log_format  main  `$remote_addr - $remote_user [$time_local] "$request" `
                      `$status $body_bytes_sent "$http_referer" `
                      `"$http_user_agent" "$http_x_forwarded_for"`;
 
    access_log  /var/log/nginx/access.log  main;
 
    server_names_hash_bucket_size 128;
    client_header_buffer_size 16k;
    large_client_header_buffers 4 16k;
    client_max_body_size 50m;
 
    server_tokens off;
    autoindex off;
 
    sendfile on;
    tcp_nopush     on;
 
    keepalive_timeout 60;
    tcp_nodelay  on;
    client_header_timeout 15;
    reset_timedout_connection on;
    client_body_timeout 15;
    send_timeout 15;
 
   
     
    fastcgi_intercept_errors on;
 
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 16 16k;
    fastcgi_busy_buffers_size 16k;
    fastcgi_temp_file_write_size 16k;
 
    fastcgi_cache_path /etc/nginx/fastcgi_cache levels=1:2
                    keys_zone=TEST:10m
                    inactive=5m;
 
    fastcgi_cache TEST;
    fastcgi_cache_valid 200 302 1h;
    fastcgi_cache_valid 301 1d;
    fastcgi_cache_valid any 1m;
    fastcgi_cache_min_uses 1;
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_cache_key "$request_method://$host$request_uri";
 
    open_file_cache max=204800 inactive=20s;
    open_file_cache_min_uses 1;
    open_file_cache_valid 30s;
 
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_types       text/css application/javascript  text/xml;
    gzip_vary on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
 
 
    server
        {
        listen       80;
        server_name  hequan.lol;
        index index.php index.html  index.htm;
        root html;
 
        return         301 https://$server_name$request_uri;
 
    }
 
    server {
        listen 443  ssl;
        server_name hequan.lol;
        index index.html index.htm index.php default.html default.htm default.php;
 
        root  html;
 
        ssl on;
        ssl_certificate      /etc/nginx/key/1_www.hequan.lol_bundle.crt;
        ssl_certificate_key  /etc/nginx/key/2_www.hequan.lol.key;
 
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
 
        location /status
            {
            stub_status on;
            access_log off;
            #allow 127.0.0.1;
            #deny all;
        }
 
        error_page  400 401 402 403 404  /40x.html;
        location = /40x.html {
                root  html;
                index  index.html index.htm;
        }
 
        error_page  500 501 502 503 504  /50x.html;
        location = /50x.html {
            root  html;
            index  index.html index.htm;
        }
 
         
        location ~ .php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  /etc/nginx/html$fastcgi_script_name;
            include        fastcgi_params;
        }
 
        location ~ .*.(gif|jpg|jpeg|png|bmp|swf)$
            {
            expires 30d;
        }
 
        location ~ .*.(js|css)?$
            {
            expires 12h;
        }
    }
}
 
 
 
日誌切割
 
cat >> log.sh <<EOF
#!/bin/bash
path=/var/log/nginx/backup
if [ ! -d  "#path"  ]; then
    mkdir -p $path
fi
cd  /var/log/nginx
mv access.log   backup/$(date +%F -d -1day).log
systemctl reload  nginx.service
EOF
 
 
crontab -e
00 00 * * * /var/log/nginx/log.sh  > /dev/null 2&1

關於證照  可以去

https://console.qcloud.com/ssl/apply  (有效期一年) 申請,非常簡單。騰訊認證的。跟著流程走,幾分鐘就好。

1
2
ssl_certificate      /etc/nginx/key/1_www.hequan.lol_bundle.crt;   
ssl_certificate_key  /etc/nginx/key/2_www.hequan.lol.key;

上面一個是證照,一個是金鑰。自定義目錄。


以上設定僅供參考。歡迎提出有疑問的地方。

本文轉自 295631788 51CTO部落格,原文連結:http://blog.51cto.com/hequan/1895932,如需轉載請自行聯絡原作者


相關文章