Nginx高級(jí)配置

1 nginx狀態(tài)頁

在編譯的時(shí)候需要添加--with-http_stub_status_module參數(shù)
配置案例：
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  server_name www.hechunping.tech;
  location /nginx_status {
    stub_status;
    allow 192.168.7.0/24;
    allow 127.0.0.1;
    deny all;
  }
}
[root@CentOS7-01 ~]#systemctl reload nginx

訪問測(cè)試
[root@CentOS7-01 ~]#curl www.hechunping.tech/nginx_status
Active connections: 1 
server accepts handled requests
 32 32 36  #這三個(gè)數(shù)字分別對(duì)應(yīng)accepts,handled,requests三個(gè)值
Reading: 0 Writing: 1 Waiting: 0 

相關(guān)解釋：
Active connections： 當(dāng)前處于活動(dòng)狀態(tài)的客戶端連接數(shù)，包括連接等待空閑連接數(shù)。
accepts： 統(tǒng)計(jì)總值，Nginx?啟動(dòng)后已經(jīng)接受的客戶端請(qǐng)求的總數(shù)。
handled： 統(tǒng)計(jì)總值，Nginx?啟動(dòng)后已經(jīng)處理完成的客戶端請(qǐng)求的總數(shù)，通常等于accepts，除?有因worker_connections限制等被拒絕的連接。
requests：統(tǒng)計(jì)總值，Nginx?啟動(dòng)后客戶端發(fā)來的總的請(qǐng)求數(shù)。
Reading： 當(dāng)前狀態(tài)，正在讀取客戶端請(qǐng)求報(bào)??部的連接的連接數(shù)。
Writing： 當(dāng)前狀態(tài)，正在向客戶端發(fā)送響應(yīng)報(bào)?過程中的連接數(shù)。
Waiting： 當(dāng)前狀態(tài)，正在等待客戶端發(fā)出請(qǐng)求的空閑連接數(shù)，開啟 keep-alive的情況下,這個(gè)值等于 active – (reading+writing)。

2 nginx編譯的時(shí)候添加第三方模塊

第三模塊是對(duì)nginx的功能擴(kuò)展，第三?模塊需要在編譯安裝Nginx的時(shí)候使?參數(shù)--add-module=PATH指定路徑添加，有的模塊是由公司的開發(fā)?員針對(duì)業(yè)務(wù)需求定制開發(fā)的，有的模塊是開源愛好者開發(fā)好之后上傳到github進(jìn)?開源的模塊，nginx?持第三?模塊需要從源碼重新編譯?持，?如開源的echo模塊 https://github.com/openresty/echo-nginx-module

配置案例
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  server_name www.hechunping.tech;
  location /pc {
    echo_sleep 1;
    echo "this is pc directory";
  }
}
[root@CentOS7-01 ~]#nginx -t
nginx: [emerg] unknown directive "echo_sleep" in /apps/nginx/conf/vhosts/pc.conf:5
nginx: configuration file /apps/nginx/conf/nginx.conf test failed
[root@CentOS7-01 ~]#yum install git -y
[root@CentOS7-01 ~]#git clone https://github.com/openresty/echo-nginx-module.git
[root@CentOS7-01 ~]#systemctl stop nginx
[root@CentOS7-01 ~]#cd nginx-1.16.1/
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module  \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_gunzip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j lscpu |awk 'NR==4{print $2}' && make install

# 再次檢測(cè)語法，正常
[root@CentOS7-01 nginx-1.16.1]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#systemctl start nginx

# 訪問測(cè)試，echo模塊已經(jīng)可用
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
this is pc directory

3 nginx變量使用

nginx的變量可以在配置?件中引?，作為功能判斷或者?志等場(chǎng)景使?，變量可以分為內(nèi)置變量和?定義變量，
內(nèi)置變量是由nginx模塊?帶，通過變量可以獲取到眾多的與客?端訪問相關(guān)的值。

3.1 內(nèi)置變量

可以通過上面的echo模塊輸出，下面的變量都是參照如下配置文件
[root@CentOS7-01 nginx-1.16.1]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  server_name www.hechunping.tech;
  location /pc {
    echo $remote_addr;
  }
}

$remote_addr; #存放了客戶端的地址，注意是客戶端的公?IP，也就是?家?訪問?個(gè)?站，則會(huì)顯?為路由器的公?IP。
[root@CentOS7-01 nginx-1.16.1]#curl www.hechunping.tech/pc
127.0.0.1

$args; #變量中存放了URL中的指令，例如http://www.hechunping.tech/pc/index.do?id=20200105
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
id=20200105

$document_root; #保存了針對(duì)當(dāng)前資源的請(qǐng)求的系統(tǒng)根?錄
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
/apps/nginx/html

$document_uri; #保存了當(dāng)前請(qǐng)求中不包含指令的URI，注意是不包含請(qǐng)求的指令，比如
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do

$host; #存放了請(qǐng)求的host名稱。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech

$http_user_agent; #客?端瀏覽器的詳細(xì)信息
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
curl/7.29.0

$http_cookie; #客?端的cookie信息。

$limit_rate; #如果nginx服務(wù)器使?limit_rate配置了顯??絡(luò)速率，則會(huì)顯?，如果沒有設(shè)置，則顯?0。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
0

$remote_port; #客?端請(qǐng)求Nginx服務(wù)器時(shí)隨機(jī)打開的端?，這是每個(gè)客?端??的端?。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37848
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
37850

$remote_user; #已經(jīng)經(jīng)過Auth Basic Module驗(yàn)證的??名。

$request_body_file; #做反向代理時(shí)發(fā)給后端服務(wù)器的本地資源的名稱。

$request_method; #請(qǐng)求資源的?式，GET/PUT/DELETE等
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
GET

$request_filename; #當(dāng)前請(qǐng)求的資源?件的路徑名稱，由root或alias指令與URI請(qǐng)求?成的?件絕對(duì)路徑，如
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.html
/apps/nginx/html/pc/index.html

$request_uri; #包含請(qǐng)求參數(shù)的原始URI，不包含主機(jī)名，如
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc/index.do?id=20200105
/pc/index.do?id=20200105

$scheme; #請(qǐng)求的協(xié)議，如ftp，https，http等。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
http

$server_protocol; #保存了客?端請(qǐng)求資源使?的協(xié)議的版本，如HTTP/1.0，HTTP/1.1，HTTP/2.0等。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
HTTP/1.1

$server_addr; #保存了服務(wù)器的IP地址。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
127.0.0.1

$server_name; #請(qǐng)求的服務(wù)器的主機(jī)名。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech

$server_port; #請(qǐng)求的服務(wù)器的端?號(hào)。
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
80

3.2 自定義變量

假如需要?定義變量名稱和值，使?指令"set $variable value;"，語法如下
Syntax: set $variable value;
Default:    —
Context:    server, location, if

配置
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  server_name www.hechunping.tech;
  location /pc {
    set $name $server_name;
    echo $name;
    set $my_port $server_port;
    echo $my_port;
  }
}
[root@CentOS7-01 ~]#!s
systemctl restart nginx

訪問測(cè)試
[root@CentOS7-01 ~]#curl http://www.hechunping.tech/pc
www.hechunping.tech
80

4 nginx自定義訪問日志

訪問?志是記錄客戶端即?戶的具體請(qǐng)求內(nèi)容信息，全局配置模塊中的error_log是記錄nginx服務(wù)器運(yùn)?時(shí)的?志
保存路徑和記錄?志的level，因此有著本質(zhì)的區(qū)別，?且Nginx的錯(cuò)誤?志?般只有?個(gè)，但是訪問?志可以在不
同server中定義多個(gè)，定義?個(gè)?志需要使?access_log指定?志的保存路徑，使?log_format指定?志的格式，
格式中定義要保存的具體?志內(nèi)容。

4.1 自定義默認(rèn)格式日志

如果是要保留?志的原格式，只是添加相應(yīng)的?志內(nèi)容，則配置如下：
    log_format  www.hechunping.tech  '$remote_addr - $remote_user [$time_local] "$request" '
                                     '$status $body_bytes_sent "$http_referer" '
                                     '"$http_user_agent" "$http_x_forwarded_for"'
                                     '$server_name:$server_port';

    access_log /data/nginx/logs/www.hechunping.tech/access.log www.hechunping.tech;

[root@CentOS7-01 ~]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7-01 ~]#systemctl reload nginx
[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log 
192.168.7.1 - - [05/Jan/2020:14:58:47 +0800] "GET /pc/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" "-"www.hechunping.tech:80

4.2 自定義json格式日志

Nginx 的默認(rèn)訪問?志記錄內(nèi)容相對(duì)?較單?，默認(rèn)的格式也不?便后期做?志統(tǒng)計(jì)分析，?產(chǎn)環(huán)境中通常將nginx?志轉(zhuǎn)換為json?志，然后配合使?ELK做?志收集-統(tǒng)計(jì)-分析。

log_format access_json '{"@timestamp":"$time_iso8601",'
                       '"host":"$server_addr",'
                       '"clientip":"$remote_addr",'
                       '"size":$body_bytes_sent,'
                       '"responsetime":$request_time,'
                       '"upstreamtime":"$upstream_response_time",'
                       '"upstreamhost":"$upstream_addr",'
                       '"http_host":"$host",'
                       '"uri":"$uri",'
                       '"domain":"$host",'
                       '"xff":"$http_x_forwarded_for",'
                       '"referer":"$http_referer",'
                       '"tcp_xff":"$proxy_protocol_addr",'
                       '"http_user_agent":"$http_user_agent",'
                       '"status":"$status"}';

access_log /data/nginx/logs/www.hechunping.tech/access.log access_json;

[root@CentOS7-01 ~]#tail -f /data/nginx/logs/www.hechunping.tech/access.log
{"@timestamp":"2020-01-05T15:04:16+08:00","host":"192.168.7.71","clientip":"192.168.7.1","size":7,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.hechunping.tech","uri":"/pc/index.html","domain":"www.hechunping.tech","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","status":"200"}

4.3 用Python統(tǒng)計(jì)json格式的訪問日志

[root@CentOS7-01 ~]#cat nginx_json.py
#!/usr/bin/env python
#coding:utf-8
status_200 = []
status_404 = []
with open("access_json.log") as f:
    for line in f.readlines():
        line = eval(line)
        if line.get("status") == "200":
            status_200.append(line.get)                                                                                                                                    
        elif line.get("status") == "404":
            status_404.append(line.get)
        else:
            print("狀態(tài)碼 ERROR")
f.close()
print "狀態(tài)碼為200的有-->:",len(status_200)
print "狀態(tài)碼為404的有-->:",len(status_404)

[root@CentOS7-01 ~]#python nginx_json.py
...
狀態(tài)碼 ERROR
狀態(tài)碼為200的有-->: 403428
狀態(tài)碼為404的有-->: 125712

5 nginx壓縮功能

Nginx?持對(duì)指定類型的?件進(jìn)?壓縮然后再傳輸給客?端，?且壓縮還可以設(shè)置壓縮?例，壓縮后的?件??將?源?件顯著變?，這樣有助于降低出?帶寬的利?率，降低企業(yè)的IT?出，不過會(huì)占?相應(yīng)的CPU資源。
Nginx對(duì)?件的壓縮功能是依賴于模塊ngx_http_gzip_module，官??檔： https://nginx.org/en/docs/http/ngx_http_gzip_module.html， 配置指令如下：

gzip on | off; #啟?或禁?gzip壓縮，默認(rèn)關(guān)閉
gzip_comp_level level; #壓縮?由低到?從1到9，默認(rèn)為1
gzip_disable "MSIE [1-6]\."; #禁?IE6 gzip功能
gzip_min_length 1k; #gzip壓縮的最??件，?于設(shè)置值的?件將不會(huì)壓縮
gzip_http_version 1.0 | 1.1; #啟?壓縮功能時(shí)，協(xié)議的最?版本，默認(rèn)HTTP/1.1
gzip_buffers number size; #指定Nginx服務(wù)需要向服務(wù)器申請(qǐng)的緩存空間的個(gè)數(shù)*??，默認(rèn)32 4k|16 8k;
gzip_types mime-type ...; #指明僅對(duì)哪些類型的資源執(zhí)?壓縮操作；默認(rèn)為gzip_types text/html，不?顯?指定，否則出錯(cuò)
gzip_vary on | off; #如果啟?壓縮，是否在響應(yīng)報(bào)??部插?"Vary: Accept-Encoding"

配置案例
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1k;    gzip_types text/plain application/javascript application/x-javascript text/cssapplication/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;  
    gzip_vary on;

[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  server_name www.hechunping.tech;
  location /pc {
    root html;
  }
}
[root@CentOS7-01 ~]#ll /apps/nginx/html/pc/test.html -h
-rw-r--r-- 1 nginx nginx 1.7M Jan  5 16:01 /apps/nginx/html/pc/test.html #使用該文件進(jìn)行壓縮測(cè)試

訪問測(cè)試，壓縮后的大小

6 https功能

6.1 ssl配置參數(shù)

nginx的https功能基于模塊ngx_http_ssl_module實(shí)現(xiàn)，因此如果是編譯安裝的nginx要使?參數(shù)--with-http_ssl_module開啟ssl功能，但是作為nginx的核?功能，yum安裝的nginx默認(rèn)就是開啟的。
官??檔： https://nginx.org/en/docs/http/ngx_http_ssl_module.html

配置參數(shù)如下：
ssl on | off; #為指定的虛擬主機(jī)配置是否啟?ssl功能，此功能在1.15.0廢棄，使?listen [ssl]替代。

ssl_certificate /path/to/file; #當(dāng)前虛擬主機(jī)使?使?的公鑰?件，?般是crt?件

ssl_certificate_key /path/to/file; #當(dāng)前虛擬主機(jī)使?的私鑰?件，?般是key?件

ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; #?持ssl協(xié)議版本，早期為ssl,現(xiàn)在是TSL，默認(rèn)為后三個(gè)

ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; #配置ssl緩存
off: 關(guān)閉緩存
none: 通知客?端?持ssl session cache，但實(shí)際不?持
builtin[:size]: 使?OpenSSL內(nèi)建緩存，為每worker進(jìn)程私有
[shared:name:size]: 在各worker之間使??個(gè)共享的緩存，需要定義?個(gè)緩存名稱和緩存空間??，?兆可以存儲(chǔ)4000個(gè)會(huì)話信息，多個(gè)虛擬主機(jī)可以使?相同的緩存名稱。

ssl_session_timeout time; #客?端連接可以復(fù)?ssl session cache中緩存的有效時(shí)?，默認(rèn)5m

6.2 自簽名證書

# 自簽名CA證書
[root@CentOS7-01 ~]#cd /apps/nginx/
[root@CentOS7-01 nginx]#mkdir certs
[root@CentOS7-01 nginx]#cd certs
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
......++
...................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #國家代碼,參看：https://country-code.cl
State or Province Name (full name) []:BeiJing  #省份
Locality Name (eg, city) [Default City]:BeiJing #城市名稱
Organization Name (eg, company) [Default Company Ltd]:abc #公司名稱
Organizational Unit Name (eg, section) []:IT #部門名稱
Common Name (eg, your name or your server's hostname) []:hechunping #通用名稱
Email Address []:742384103@qq.com #郵箱
[root@CentOS7-01 certs]#ls
ca.crt  ca.key

# 自制key和csr文件
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hechunping.tech.key -out www.hechunping.tech.csr
Generating a 4096 bit RSA private key
...............................................++
........................................................................................++
writing new private key to 'www.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing 
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  #此處為空即可
An optional company name []: #同上
[root@CentOS7-01 certs]#ll
total 16
-rw-r--r-- 1 root root 2090 Jan  5 21:05 ca.crt
-rw-r--r-- 1 root root 3272 Jan  5 21:05 ca.key
-rw-r--r-- 1 root root 1736 Jan  5 21:11 www.hechunping.tech.csr
-rw-r--r-- 1 root root 3272 Jan  5 21:11 www.hechunping.tech.key

# 簽發(fā)證書
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in www.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key

# 驗(yàn)證證書內(nèi)容
[root@CentOS7-01 certs]#openssl x509 -in www.hechunping.tech.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c6:bd:85:07:5d:3c:bc:54
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:13:08 2020 GMT
            Not After : Jan  2 13:13:08 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
......

6.3 nginx證書配置

[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  listen 443 ssl;
  ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
  ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  server_name www.hechunping.tech;
  location /pc {
    root html;
  }
}
[root@CentOS7-01 certs]#systemctl reload nginx
訪問測(cè)試

6.4 實(shí)現(xiàn)多域名HTTPS

Nginx?持基于單個(gè)IP實(shí)現(xiàn)多域名的功能，并且還?持單IP多域名的基礎(chǔ)之上實(shí)現(xiàn)HTTPS，其實(shí)是基于Nginx的SNI（Server Name Indication）功能實(shí)現(xiàn)，SNI是為了解決?個(gè)Nginx服務(wù)器內(nèi)使??個(gè)IP綁定多個(gè)域名和證書的功能，其具體功能是客?端在連接到服務(wù)器建?SSL鏈接之前先發(fā)送要訪問站點(diǎn)的域名（Hostname），這樣服務(wù)器再根據(jù)這個(gè)域名返回給客?端?個(gè)合適的證書。

# 制作key和csr文件
[root@CentOS7-01 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout news.hechunping.tech.key -out news.hechunping.tech.csr
Generating a 4096 bit RSA private key
.............................................................................++
.....................................................................................................................................................................................................................................................................................................++
writing new private key to 'news.hechunping.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:xyz
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:742384103@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# 簽名證書
[root@CentOS7-01 certs]#openssl x509 -req -days 3650 -in news.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out news.hechunping.tech.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=xyz/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
Getting CA Private Key

# 驗(yàn)證證書內(nèi)容
[root@CentOS7-01 certs]#openssl x509 -in news.hechunping.tech.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c6:bd:85:07:5d:3c:bc:55
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Validity
            Not Before: Jan  5 13:52:00 2020 GMT
            Not After : Jan  2 13:52:00 2030 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=xyz, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
......

# nginx配置證書
[root@CentOS7-01 certs]#cat /apps/nginx/conf/vhosts/news.conf 
server {
  listen 80;
  listen 443 ssl;
  ssl_certificate /apps/nginx/certs/news.hechunping.tech.crt;
  ssl_certificate_key /apps/nginx/certs/news.hechunping.tech.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  server_name news.hechunping.tech;
  location /pc {
    root html;
  }
}
[root@CentOS7-01 certs]#systemctl reload nginx

# 訪問測(cè)試

7 關(guān)于favicon.ico

favicon.ico ?件是瀏覽器收藏?址時(shí)顯?的圖標(biāo)，當(dāng)客?端使?瀏覽器問??時(shí)，瀏覽器會(huì)??主動(dòng)發(fā)起請(qǐng)求獲取??的favicon.ico?件，但是當(dāng)瀏覽器請(qǐng)求的favicon.ico?件不存在時(shí)，服務(wù)器會(huì)記錄404?志，?且瀏覽器也會(huì)顯?404報(bào)錯(cuò)。

解決方法
將圖標(biāo)保存到指定的目錄
[root@CentOS7-01 ~]#cat /apps/nginx/conf/vhosts/pc.conf 
server {
  listen 80;
  server_name www.hechunping.tech;
  location = /favicon.ico {
    root html/image;
  }
  location /pc {
    root html;
  }
}
[root@CentOS7-01 ~]#systemctl reload nginx

8 安全選項(xiàng)

8.1 隱藏nginx版本號(hào)

更改nginx源碼信息，將nginx服務(wù)版本號(hào)更改為HCPWS/1.1并重新編譯nginx
[root@CentOS7-01 nginx-1.16.1]#sed -ir 's#Server: nginx#Server: HCPWS/1.1#' /root/nginx-1.16.1/src/http/ngx_http_header_filter_module.c
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#make -j lscpu | awk 'NR==4{print $2}' && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx
訪問測(cè)試

8.2 升級(jí)Openssl版本

?臟出?（英語：Heartbleed），也簡(jiǎn)稱為??漏洞，是?個(gè)出現(xiàn)在加密程序庫OpenSSL的安全漏洞，該程序庫?泛?于實(shí)現(xiàn)互聯(lián)?的傳輸層安全（TLS）協(xié)議。它于2012年被引?了軟件中，2014年4??次向公眾披露。只要使?的是存在缺陷的OpenSSL實(shí)例，?論是服務(wù)器還是客?端，都可能因此?受到***。此問題的原因是在實(shí)現(xiàn)TLS的?跳擴(kuò)展時(shí)沒有對(duì)輸?進(jìn)?適當(dāng)驗(yàn)證（缺少邊界檢查），因此漏洞的名稱來源于“?跳”（heartbeat）。該程序錯(cuò)誤屬于緩沖區(qū)過讀，即可以讀取的數(shù)據(jù)?應(yīng)該允許讀取的還多。

升級(jí)步驟
1）查看當(dāng)前的Openssl版本

2）下載OpenSSL源碼包并解壓
[root@CentOS7-01 nginx-1.16.1]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-1.1.1d.tar.gz
[root@CentOS7-01 nginx-1.16.1]#tar xf /usr/local/src/openssl-1.1.1d.tar.gz 
3）編譯安裝nginx并指定新版本OpenSSL路徑
[root@CentOS7-01 nginx-1.16.1]#nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@CentOS7-01 nginx-1.16.1]#./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=./openssl-1.1.1d
[root@CentOS7-01 nginx-1.16.1]#make -j lscpu |awk 'NR==4{print $2}' && make install
[root@CentOS7-01 nginx-1.16.1]#systemctl restart nginx
驗(yàn)證