Upgrading the version and adding new features
Steps for upgrading software from source or adding feature modules:
1. Prepare the upgrade package or the feature package
2. Obtain the compile parameters of the version currently installed
3. Extract the new version and run configure with the pre-upgrade compile parameters, adding the new feature module
4. Compile (do NOT run make install)
5. Stop the old program and start the new version with the new binary and the old configuration file
6. If step 5 succeeds and the service can be accessed normally, back up the old binary, copy the new binary over the old one, and restart
7. Verify
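As an added example that is not part of the original post: a small POSIX shell helper for steps 2, 3 and 7. It pulls the configure arguments out of `nginx -V` output, composes the `./configure` line for the new source tree with the extra module appended, and checks before the binary swap that the new build kept every flag of the old one. The `-V` texts below are constructed samples modelled on the output shown later on this page; in real use feed in `nginx -V 2>&1` and `./objs/nginx -V 2>&1`, because nginx writes `-V` to stderr.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed `nginx -V` samples:
# OLD_V is the running build, NEW_V a correct rebuild, BAD_V a rebuild in
# which one flag of the old build was forgotten.
OLD_V='nginx version: nginx/1.20.2
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module'

NEW_V='nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --add-module=../echo-nginx-module'

BAD_V='nginx version: nginx/1.22.0
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --add-module=../echo-nginx-module'

# Step 2: print only the "configure arguments:" line of a -V text, minus its label.
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# Step 3: compose the ./configure call for the new tree: old flags plus the new module.
# $1 = -V text of the old build, $2 = path of the module directory.
configure_cmd() {
    printf './configure %s --add-module=%s\n' "$(configure_args "$1")" "$2"
}

# Step 7 (before the swap): return 0 if every flag of the old build ($1) is
# present in the new build ($2); otherwise print the missing flags and return 1.
check_flags_kept() {
    old_args=$(configure_args "$1")
    new_args=$(configure_args "$2")
    missing=''
    for flag in $old_args; do
        case " $new_args " in
            *" $flag "*) ;;                      # flag present in the new build
            *) missing="$missing $flag" ;;       # flag lost
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "${missing# }"
        return 1
    fi
    return 0
}
```

On a real host the check is `check_flags_kept "$(nginx -V 2>&1)" "$(./objs/nginx -V 2>&1)"`; a non-zero exit with the lost flags printed is the cue to stop before touching `/usr/local/nginx/sbin/nginx`.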
// Download the package to upgrade to
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.20.2 nginx-1.22.0.tar.gz
Prepare the feature module to be used in the upgrade; find it on github.com
// Install git to pull the repository
[root@localhost ~]# yum -y install git
[root@localhost ~]# git clone https://github.com/openresty/echo-nginx-module.git
Cloning into 'echo-nginx-module'...
remote: Enumerating objects: 3047, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 3047 (delta 11), reused 19 (delta 9), pack-reused 3018
Receiving objects: 100% (3047/3047), 1.17 MiB | 771.00 KiB/s, done.
Resolving deltas: 100% (1635/1635), done.
[root@localhost ~]# ls
anaconda-ks.cfg echo-nginx-module nginx-1.20.2 nginx-1.22.0.tar.gz
// Copy the old version's configure parameters
[root@localhost ~]# nginx -V
nginx version: nginx/1.20.2
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
[root@localhost ~]# ls
anaconda-ks.cfg echo-nginx-module nginx-1.20.2 nginx-1.22.0.tar.gz
[root@localhost ~]# tar -xf nginx-1.22.0.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.20.2 nginx-1.22.0.tar.gz
echo-nginx-module nginx-1.22.0
[root@localhost ~]# cd nginx-1.22.0/
[root@localhost nginx-1.22.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --add-module=../echo-nginx-module // reuse the parameters copied above, plus the module downloaded earlier
// configure output omitted
// Compile (do NOT run make install)
[root@localhost nginx-1.22.0]# make
// build output omitted
[root@localhost nginx-1.22.0]# ls objs/ // this directory receives the new version's main binary, nginx
Makefile nginx ngx_auto_headers.h src
addon nginx.8 ngx_modules.c
autoconf.err ngx_auto_config.h ngx_modules.o
// Test whether the new version has any problems
[root@localhost nginx-1.22.0]# ./objs/nginx -V // inspect the build
nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --add-module=../echo-nginx-module
// Stop the old nginx and immediately start the new one for testing; keeping the gap short ensures the service is not interrupted
[root@localhost nginx-1.22.0]# nginx -s stop;./objs/nginx -c /usr/local/nginx/conf/nginx.conf
[root@localhost nginx-1.22.0]# ss -antl // port 80 is listening
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
// The web page is reachable normally
// Back up the old binary, copy the new binary over the old one, and restart
[root@localhost nginx-1.22.0]# mv /usr/local/nginx/sbin/nginx{,.bak};\cp objs/nginx /usr/local/nginx/sbin/;nginx -s stop;nginx // \cp bypasses the cp alias, so it does not prompt
Testing
[root@localhost ~]# nginx -v // check the version
nginx version: nginx/1.22.0
[root@localhost ~]# nginx -V
nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --add-module=../echo-nginx-module
[root@localhost conf]# vim nginx.conf // add one line that is a syntax error for the old version
location / {
echo "hehe"; // added line
root html;
index index.html index.htm;
}
[root@localhost conf]# nginx.bak -t // syntax check: the old version fails
nginx: [emerg] unknown directive "echo" in /usr/local/nginx/conf/nginx.conf:44
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@localhost conf]# nginx -t // syntax check: the new version is ok
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Using location
A location block matches the URI requested by the client against a specified pattern
// Test location with curl
[root@localhost conf]# vim nginx.conf
location /qzl {
echo 'tt';
}
[root@localhost conf]# curl 192.168.70.131/qzl
tt
// If the deeper path components have no location of their own, the first (prefix) match governs
[root@localhost conf]# curl 192.168.70.131/qzl/sdf/sdf
tt
// Without a modifier, the URI must begin with the specified pattern
[root@localhost conf]# curl 192.168.70.131/qzl/sdf/sdf
tt
[root@localhost conf]# curl 192.168.70.131/qzlasdfjsoidif
tt
// Function: the URI requested by the user is matched against the defined locations; when one matches, the request is handled by the configuration in that location block, e.g. for access control
// Syntax: location [ modifier ] pattern {......}
Description of common modifiers:
Without modifiers, locations are tried in order; with modifiers, by the priority of the modifier
// Partial (prefix) match
Example:
[root@localhost conf]# vim nginx.conf
location ~ /qzl {
echo 'tt';
}
[root@localhost conf]# nginx -s reload
[root@localhost conf]# curl 192.168.70.131/qzlsdf
tt
// If the priority is the same, the first location that matches keeps being used
[root@localhost conf]# vim nginx.conf
location ~ /qzl {
echo 'tt';
}
location ~ /qzli {
echo 'tts';
}
[root@localhost conf]# curl 192.168.70.131/qzlsdf
tt
[root@localhost conf]# curl 192.168.70.131/qzlsdf
tt
=: the URI must match the specified pattern exactly
[root@localhost conf]# vim nginx.conf
location = /qzl {
echo 'tt';
}
[root@localhost conf]# curl 192.168.70.131/qzl
tt
~: the specified regular expression is matched case-sensitively, e.g.:
location ~ ^/qzl$ {
echo 'tt';
}
[root@localhost conf]# curl 192.168.70.131/qzlasdfj
tt
[root@localhost conf]# curl 192.168.70.131/kqzlasdfj
<html>
<head><title>404 Not Found</title></head>
~*: the specified regular expression is matched case-insensitively
location ~* ^/qzl$ {
echo 'tt';
}
^~: behaves like the no-modifier form, i.e. the URI must begin with the specified pattern; the difference is that when this pattern matches, the search for other patterns stops
Lookup order and priority, from highest to lowest:
- exact match with = first
- regular expressions in the order they are defined in the configuration file
- those with the ^~ modifier, prefix match
- those with the ~ or ~* modifier, if the regular expression matches the URI
- exact match without a modifier
The priority order is as follows:
( location = path ) --> ( location ^~ path ) --> ( location ~ regex ) --> ( location ~* regex ) --> ( location path )
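As an added example that is not part of the original post: a POSIX shell simulator of how nginx picks one location block for a request URI. It goes slightly beyond the lists above by following the evaluation order nginx actually uses: an exact (=) match wins outright; otherwise the longest matching prefix is remembered and, if it carries ^~, the search ends there; otherwise regular expressions (~ case-sensitive, ~* case-insensitive) are tried in file order and the first match wins; only if none matches is the longest plain prefix used. The location table, its labels and the URIs are constructed for the demonstration; no nginx process is involved.

```shell
#!/bin/sh
# Added example (not from the original post): nginx location selection.
# Constructed location table, one block per line: modifier|pattern|label.
# The modifier '-' stands for "no modifier". Regexes are POSIX ERE here
# (nginx uses PCRE; for these patterns the result is the same).
LOCATIONS='=|/qzl|exact
^~|/static/|prefix-stop
~|^/qzl/[0-9]+$|regex-cs
~*|\.png$|regex-ci
-|/qzl|prefix-plain
-|/|root'

# Usage: nginx_select_location URI  -> prints the label of the chosen block
nginx_select_location() {
    uri=$1
    exact='' best_pat='' best_label='' best_mod='' regex_label=''
    old_ifs=$IFS
    set -f                       # patterns contain glob characters: no expansion
    IFS='
'
    # Pass 1: exact matches, and the longest matching prefix (plain or ^~).
    for line in $LOCATIONS; do
        mod=${line%%|*}; rest=${line#*|}
        pat=${rest%%|*};  label=${rest#*|}
        case $mod in
            '=')
                [ "$uri" = "$pat" ] && exact=$label ;;
            '-'|'^~')
                case $uri in
                    "$pat"*)
                        if [ ${#pat} -gt ${#best_pat} ]; then
                            best_pat=$pat; best_label=$label; best_mod=$mod
                        fi ;;
                esac ;;
        esac
    done
    # Pass 2: regular expressions in file order, unless = or ^~ already decided.
    if [ -z "$exact" ] && [ "$best_mod" != '^~' ]; then
        for line in $LOCATIONS; do
            mod=${line%%|*}; rest=${line#*|}
            pat=${rest%%|*};  label=${rest#*|}
            case $mod in
                '~')  printf '%s' "$uri" | grep -Eq  -- "$pat" && { regex_label=$label; break; } ;;
                '~*') printf '%s' "$uri" | grep -Eiq -- "$pat" && { regex_label=$label; break; } ;;
            esac
        done
    fi
    IFS=$old_ifs
    set +f
    if   [ -n "$exact" ];          then printf '%s\n' "$exact"
    elif [ "$best_mod" = '^~' ];   then printf '%s\n' "$best_label"
    elif [ -n "$regex_label" ];    then printf '%s\n' "$regex_label"
    elif [ -n "$best_label" ];     then printf '%s\n' "$best_label"
    else printf 'none\n'; return 1
    fi
}
```

With this table, `/qzlsdf` lands on the plain prefix `/qzl` (the behaviour the curl tests above show), `/qzl/a.png` goes to the `~*` regex even though `/qzl` is a longer prefix, and `/static/a.png` stays with the `^~` prefix although the `.png` regex would also match. Running the same table through a real nginx with the echo module is the quickest way to confirm an ordering you are unsure of.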
Access control
Used in a location block
allow: specifies which host or hosts are allowed access; separate multiple arguments with spaces
deny: specifies which host or hosts are denied access; separate multiple arguments with spaces
Example:
// allow permits all hosts by default
// Set a whitelist
[root@localhost conf]# vim nginx.conf
location / {
allow 192.168.70.131;
deny all;
root html;
index index.html index.htm;
}
[root@localhost conf]# nginx -s reload
// Set a blacklist
location / {
deny 192.168.70.131;
allow all;
root html;
index index.html index.htm;
}
// Both a blacklist and a whitelist set; rarely used
location / {
deny 192.168.70.131;
allow 192.169.93.23;
root html;
index index.html index.htm;
}
User authentication
location /hehe {
auth_basic "tt"; // the realm text is arbitrary
auth_basic_user_file "/usr/local/nginx/conf/.pass";
root html;
index index.html index.htm;
}
[root@localhost conf]# dnf -y install httpd-tools
// The passwords in this file are hashed password strings; it is recommended to create the file with htpasswd:
[root@localhost nginx]# htpasswd -c -m /usr/local/nginx/conf/.pass tom // tom is the web user
New password:
Re-type new password:
Adding password for user tom
HTTPS configuration
Setting up a private CA
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# mkdir CA
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
.......................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# ls
private
[root@localhost CA]# file private/cakey.pem
private/cakey.pem: PEM RSA private key
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:www.example.com
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:
[root@localhost CA]# ls
cacert.pem private
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]#
[root@localhost nginx]# cd conf/
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:www.example.com
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr nginx.key
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 4 19:19:25 2022 GMT
Not After : Sep 4 19:19:25 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = www.example.com
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:D6:B8:2F:A7:CB:81:B0:9B:D7:92:4A:B1:F4:38:4F:7D:2F:51:A4
X509v3 Authority Key Identifier:
keyid:59:BC:4B:38:9C:F3:D1:DC:53:CA:10:F8:A8:41:0E:09:85:E8:F8:CD
Certificate is to be certified until Sep 4 19:19:25 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ls
nginx.crt nginx.csr nginx.key
[root@localhost ssl]# rm -rf nginx.csr
[root@localhost ssl]# ls
nginx.crt nginx.key
[root@localhost ssl]# vim /usr/local/nginx/conf/nginx.conf
[root@localhost ssl]# cat /usr/local/nginx/conf/nginx.conf
// In real enterprise use only the lines below need changing: uncomment them and set them like this
# HTTPS server
#
server {
listen 443 ssl;
server_name www.example.com; // the domain configured just now
ssl_certificate /usr/local/nginx/conf/ssl/nginx.crt; // certificate location (public key)
ssl_certificate_key /usr/local/nginx/conf/ssl/nginx.key; // key location (private key)
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
}
[root@localhost ssl]# nginx -s reload
[root@localhost ssl]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* // TLS port
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
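As an added example that is not part of the original post: the private-CA and server-certificate steps above written as a non-interactive POSIX shell script, with checks that the result is what the nginx configuration expects. It deliberately differs from the page in four places, all labelled in the code: the subjects are passed with `-subj` instead of being typed in; the leaf certificate is signed with `openssl x509 -req -CA ...` rather than `openssl ca`, so no index.txt/serial database is needed; the CA gets a CN different from the server's CN (the page gives both `www.example.com`); and the leaf carries a subjectAltName, which browsers require today. The work directory layout (`CA/`, `ssl/`) is constructed to mirror the page; only the `openssl` binary is assumed.

```shell
#!/bin/sh
# Added example (not the original post's commands): scripted private CA plus
# server certificate, and the checks a practitioner runs afterwards.
# $1 is a work directory; files land in $1/CA and $1/ssl, mirroring the page.
make_private_ca_and_cert() {
    work=$1
    mkdir -p "$work/CA/private" "$work/ssl" || return 1

    # CA key (mode 0600 thanks to the umask) and self-signed CA certificate.
    # Assumption: the CA's CN is distinct from the server's, unlike on the page.
    (umask 077; openssl genrsa -out "$work/CA/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -key "$work/CA/private/cakey.pem" -out "$work/CA/cacert.pem" \
        -days 365 -subj "/C=CN/ST=HB/L=WH/O=runtime/CN=runtime private CA" || return 1

    # Server key and certificate request for www.example.com.
    (umask 077; openssl genrsa -out "$work/ssl/nginx.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$work/ssl/nginx.key" -out "$work/ssl/nginx.csr" \
        -subj "/C=CN/ST=HB/L=WH/O=runtime/OU=www.example.com/CN=www.example.com" || return 1

    # Leaf extensions: explicitly not a CA, plus a SAN matching server_name.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$work/ssl/v3.ext"
    # Sign with the CA (swapped-in technique: x509 -req instead of `openssl ca`).
    openssl x509 -req -in "$work/ssl/nginx.csr" -CA "$work/CA/cacert.pem" \
        -CAkey "$work/CA/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$work/ssl/v3.ext" -out "$work/ssl/nginx.crt" 2>/dev/null || return 1

    # The CSR and the extension file are no longer needed once signed.
    rm -f "$work/ssl/nginx.csr" "$work/ssl/v3.ext"
}

# Does the issued certificate chain to our CA certificate?
verify_server_cert() {
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/ssl/nginx.crt" >/dev/null 2>&1
}

# Is a key file readable by its owner only (mode 0600), as the umask intended?
key_is_owner_only() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Print the CN of a certificate's subject (RFC 2253 order: CN comes first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Print the DNS names of the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*DNS:\([^,]*\).*/\1/p'
}
```

A typical run is `make_private_ca_and_cert /tmp/pki && verify_server_cert /tmp/pki && cert_sans /tmp/pki/ssl/nginx.crt`; `ssl_certificate` then points at `ssl/nginx.crt` and `ssl_certificate_key` at `ssl/nginx.key`, exactly as in the server block above, and the browser needs `CA/cacert.pem` imported as a trusted root since this CA is private.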