(1) Modify the configuration file on the nginx host (a virtual host is used for testing):

    [root@server1 conf]# vim nginx.conf
    [root@server1 conf]# ../sbin/nginx -t    # nginx still has to be recompiled with the module added
    nginx: [emerg] unknown directive "set_real_ip_from" in /usr/local/nginx/conf/nginx.conf:128
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

(2) Recompile with the http_realip_module module added, then restart:

    [root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module
    [root@server1 nginx-1.17.1]# make
    [root@server1 nginx-1.17.1]# cd objs    # the build with the module is generated here
    [root@server1 objs]# cp -f nginx /usr/local/nginx/sbin/nginx
    [root@server1 objs]# systemctl restart nginx

(3) Test: the real physical IP can be obtained

    [root@server1 conf]# vim /etc/hosts
    [root@server1 conf]# cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    172.25.33.250 foundation72.ilt.example.com
    172.25.33.1 server1 server1.example.com
    172.25.33.2 server2
    172.25.33.3 server3
    172.25.33.4 server4
    172.25.33.5 server5
    172.25.33.6 server6
    172.25.33.7 server7
    172.25.33.8 server8
    [root@server1 conf]# curl -H "X_Forwarded-For: 2.2.2.2,172.25.33.1" server1.example.com
    Client real ip: 172.25.33.1

(1) Required environment: two virtual machines.
    Reverse-proxy nginx host: 172.25.33.2
    Real Nginx host: 172.25.33.1

(2) Operations on the reverse-proxy host:

    [root@server1 conf]# scp -r /usr/local/nginx server2:/usr/local    # copy the installation directory to the server2 host
    [root@server2 ~]# cd /usr/local/nginx
    [root@server2 nginx]# ls
    client_body_temp  fastcgi_temp  logs  sbin  uwsgi_temp  conf  html  proxy_temp  scgi_temp
    [root@server2 nginx]# cd conf
    [root@server2 conf]# vim nginx.conf
    [root@server2 conf]# /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    [root@server2 conf]# cd ..
    [root@server2 nginx]# cd html
    [root@server2 html]# vim index.html
    [root@server2 html]# cat index.html
    server2

(3) Operations on the real Nginx host:
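
The page does not show the nginx.conf edits for the two hosts. As an added example (not the original author's configuration), one realip setup that fits this layout is the following; the server names, the `proxy_set_header` lines and the `return` test response are assumptions, and only the two host addresses come from the page.

```nginx
# --- server2 (172.25.33.2): reverse proxy (assumed server block) ---
server {
    listen 80;
    server_name www.westos.org;

    location / {
        proxy_pass http://172.25.33.1;
        proxy_set_header Host $host;
        # Appends the address of the connecting client to whatever
        # X-Forwarded-For the client sent, so the LAST entry is always
        # the peer address that this proxy itself observed.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- server1 (172.25.33.1): real server (assumed server block) ---
server {
    listen 80;
    server_name www.westos.org;

    # Trust the header only when the TCP peer is the proxy.
    set_real_ip_from 172.25.33.2;
    # Weak alternative, shown for contrast: with a catch-all range, any
    # host that can connect to server1 directly decides which address
    # ends up in $remote_addr and in access.log.
    # set_real_ip_from 0.0.0.0/0;

    real_ip_header X-Forwarded-For;
    # on:  skip trusted addresses from the right and use the last
    #      non-trusted entry of the header.
    # off: use the last entry of the header as it is.
    real_ip_recursive on;

    location / {
        # $remote_addr is the value rewritten by the realip module;
        # the default access log format records the same variable.
        return 200 "Client real ip: $remote_addr\n";
    }
}
```

Because the address is taken from the right-hand end of the header, entries a client puts in front of it do not change what server1 logs, as long as `set_real_ip_from` lists only the proxy.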
(4) Test (run on the physical host):
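
    vim /etc/hosts    ## first add the name resolution entry
    172.25.33.2 www.westos.org
    curl -I www.westos.org    ## access the domain, then check server1's access log
    tail -f /usr/local/nginx/logs/access.log    ## server1's log shows that the physical host's IP address was obtained

(1) On server1, first get the module required for image compression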

    [root@server1 ~]# cd nginx-1.17.1/
    [root@server1 nginx-1.17.1]# ls
    auto  CHANGES.ru  configure  html  Makefile  objs  src  CHANGES  conf  contrib  LICENSE  man  README
    [root@server1 nginx-1.17.1]# ./configure --help | grep image
      --with-http_image_filter_module    enable ngx_http_image_filter_module
      --with-http_image_filter_module=dynamic    enable dynamic ngx_http_image_filter_module
    [root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-stream_realip_module --with-http_image_filter_module=dynamic
    # configure fails and reports that the gd library is required; install it, then configure again
    [root@server1 ~]# yum install gd-devel-2.0.35-26.el7.x86_64.rpm
    [root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-stream_realip_module --with-http_image_filter_module=dynamic
    [root@server1 nginx-1.17.1]# make

(2) Modify the configuration file on server1

    [root@server1 nginx-1.17.1]# cd objs
    [root@server1 objs]# cp -f nginx /usr/local/nginx/sbin/nginx
    cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
    [root@server1 objs]# mkdir /usr/local/nginx/modules
    [root@server1 objs]# cp ngx_http_image_filter_module.so /usr/local/nginx/modules
    [root@server1 objs]# vim /usr/local/nginx/conf/nginx.conf

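To improve the security of web applications, support for HTTPS access is now required almost everywhere. HTTPS access is configured as follows:

Recompile and install nginx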

    [root@server1 ~]# cd /nginx-1.17.1
    [root@server1 nginx-1.17.1]# ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
    [root@server1 nginx-1.17.1]# make

Update the main binary and restart

    [root@server1 objs]# cp -f nginx /usr/local/nginx/sbin/nginx
    cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
    [root@server1 objs]# cp ngx_http_image_filter_module.so /usr/local/nginx/modules
    cp: overwrite ‘/usr/local/nginx/modules/ngx_http_image_filter_module.so’? y
    [root@server1 objs]# systemctl restart nginx
    [root@server1 objs]#

Modify the configuration file
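
The edited configuration is not shown on the page. As an added example (not the original author's file), an HTTPS server block matching the later steps could look like this; the certificate file name, the /web directory and the host name come from the page, while the protocol, cipher and session settings are assumptions.

```nginx
# Added example: HTTPS virtual host on server1 (172.25.33.1).
server {
    listen 443 ssl;
    server_name www.westos.org;

    # "make cert.pem" writes the private key and the certificate into the
    # same file, so both directives point at it. Relative paths are
    # resolved against the conf/ directory, where the page copies cert.pem.
    # The file holds the private key: keep it readable by root only.
    ssl_certificate     cert.pem;
    ssl_certificate_key cert.pem;

    # Assumed hardening values, not taken from the page.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    location / {
        root  /web;          # content directory created on the page
        index index.html;
    }
}
```

The certificate generated on the page is self-signed with Common Name server1, so a client requesting www.westos.org reports both an untrusted issuer and a name mismatch until a certificate issued for that name is installed.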
Generate the certificate and key

    [root@server1 conf]# cd /etc/pki/tls/certs
    [root@server1 certs]# make cert.pem
    umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
    cat $PEM1 > cert.pem ; \
    echo "" >> cert.pem ; \
    cat $PEM2 >> cert.pem ; \
    rm -f $PEM1 $PEM2
    Generating a 2048 bit RSA private key
    ...............................+++
    .....................................................+++
    writing new private key to '/tmp/openssl.sHxhnC'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:shaanxi
    Locality Name (eg, city) [Default City]:xi'an
    Organization Name (eg, company) [Default Company Ltd]:westos
    Organizational Unit Name (eg, section) []:linux
    Common Name (eg, your name or your server's hostname) []:server1
    Email Address []:root@westos.org

Write the content to be published under the /web resource directory

    [root@server1 certs]# cp cert.pem /usr/local/nginx/conf
    [root@server1 certs]# cd /usr/local/nginx/conf
    [root@server1 conf]# vim nginx.conf^C
    [root@server1 conf]# mkdir /web
    [root@server1 conf]# vim /web/index.html
    [root@server1 conf]# systemctl reload nginx

Test: add the name resolution entry on the physical host:

    172.25.33.1 www.westos.org

Access https://www.westos.org in a browser; the access succeeds.
