I. Preparation

nginx version: nginx-1.10.1

Install path: /usr/local

1. Prepare the build environment:

yum install pcre-devel openssl-devel zlib-devel

Otherwise the build fails during configure with errors like the following:

./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option, or install the PCRE library into the system, or build the PCRE library
statically from the source with nginx by using --with-pcre=<path> option.

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

2. Upgrade to openssh-7.3p1 and openssl-1.0.2j (steps omitted)

II. Installation steps:

1. Download Nginx, place it under /usr/local/src and extract it:

cd /usr/local/src
tar xzvf nginx-1.12.1.tar.gz

2. Disguise the NGINX name (enter the directory after extraction)

cd nginx-1.12.1/src/core

Web servers are in wide use today and attacks against them keep increasing. Nginx has not been around for very long; although many domestic portal sites use it and users of small-memory VPSes love it, I would rather not have it turn up some shocking bug one day. The Nginx-related PHP-FPM vulnerability that 80sec published last time was a warning. If I disguise my Nginx server, an attacker cannot tell which web server I am running and has nowhere to start.

 

Edit src/core/nginx.h (Nginx's internal name). The code is as follows:

#define NGINX_VERSION      "1.8.0"
#define NGINX_VER          "NGINX/" NGINX_VERSION

NGINX_VERSION is the version number and NGINX_VER is the name.

Edit src/http/ngx_http_header_filter_module.c (the HTTP response header). The code is as follows:

static char ngx_http_server_string[] = "Server: nginx" CRLF;

 

Edit src/http/ngx_http_special_response.c (the footer at the bottom of the error pages). The code is as follows:

static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
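The three source edits above, as an added example that is not from the original post: a POSIX shell function that applies them with sed, so the change can be repeated on every fresh source tree before ./configure, plus a post-check that no default banner string is left behind. It assumes the nginx 1.10.x/1.12.x layout of the three files named in the post; the function names and the NEW_NAME/NEW_VERSION arguments are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: apply the three banner edits with
# sed so they can be re-applied on every fresh source tree before ./configure.
# Assumed: the nginx 1.10.x/1.12.x layout of the files named in the post;
# new_name and new_version are whatever you choose to present.

# Rewrite a file in place without GNU-only `sed -i` (works on BSD sed too).
sed_in_place() {
    # $1 = sed expression, $2 = file
    tmp="$2.tmp.$$"
    sed -e "$1" "$2" > "$tmp" && mv "$tmp" "$2"
}

# Change the product name/version in the three files the post lists.
mask_nginx_banner() {
    src_root="$1"; new_name="$2"; new_version="$3"
    hdr="$src_root/src/core/nginx.h"
    filt="$src_root/src/http/ngx_http_header_filter_module.c"
    resp="$src_root/src/http/ngx_http_special_response.c"
    for f in "$hdr" "$filt" "$resp"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # nginx.h: NGINX_VERSION (the number) and NGINX_VER (name/version, sent in
    # the Server: header while server_tokens is on, the default)
    sed_in_place "s|^#define NGINX_VERSION .*|#define NGINX_VERSION      \"$new_version\"|" "$hdr"
    sed_in_place "s|^#define NGINX_VER .*|#define NGINX_VER          \"$new_name/\" NGINX_VERSION|" "$hdr"
    # Server: header used when server_tokens is off
    sed_in_place "s|\"Server: nginx\" CRLF|\"Server: $new_name\" CRLF|" "$filt"
    # footer of the built-in error pages
    sed_in_place "s|<hr><center>nginx</center>|<hr><center>$new_name</center>|" "$resp"
}

# Post-check: 0 if no default banner string is left in the three files.
banner_is_masked() {
    src_root="$1"
    ! grep -q '"Server: nginx"' "$src_root/src/http/ngx_http_header_filter_module.c" \
    && ! grep -q '<center>nginx</center>' "$src_root/src/http/ngx_http_special_response.c" \
    && ! grep -q '"nginx/" NGINX_VERSION' "$src_root/src/core/nginx.h"
}
```

Run it as `mask_nginx_banner /usr/local/src/nginx-1.12.1 WebServer 1.8.0 && banner_is_masked /usr/local/src/nginx-1.12.1` before ./configure. Both header edits are needed: with `server_tokens off` in nginx.conf nginx still sends `Server: nginx` from ngx_http_server_string, and with the default `server_tokens on` it sends NGINX_VER. Treat the masked banner as defence in depth only; protocol behaviour still allows fingerprinting, so the version you actually run must still be kept patched.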

 

3. Build and install

./configure  --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.0.2k --add-module=../ngx_cache_purge-2.3  # This last option errors when building the newer NGINX 1.12: --with-openssl must be given the OpenSSL source directory, not the OpenSSL install path.

make && make install

The following builds in the upstream check and sticky modules:

./configure --prefix=/usr/local/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --add-module=/home/nginx/nginx_upstream_check_module-master --add-module=/home/nginx/nginx-sticky-module-ng-1.2.5 \
--add-module=../ngx_cache_purge-2.3

 

 

 

4. Check the installation

/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module

 

III. SSL configuration

[root@localhost nginx]# mkdir /usr/local/nginx/conf/ssl
[root@localhost nginx]# cd /usr/local/nginx/conf/ssl

Server-side configuration

Generating the certificate

Run the following at the server's command line.

1. Generate the server private key. You will be prompted for a passphrase of 4 to 8191 characters (2048 bits is used for the key, for security):

openssl genrsa -des3 -out server.key 2048

2. Strip the passphrase from the key file; enter the passphrase set in step 1:

openssl rsa -in server.key -out server.key

3. Generate the CSR. This step asks for a number of details; all of them can be skipped by pressing Enter:

openssl req -new -key server.key -out server.csr

4. Generate the crt file. The value after -days is the validity period and can be set fairly long:

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

5. Concatenate the crt and key into a pem, which is used next to produce the cer for client-side verification:

cat server.crt server.key > server.pem

6. Generate the cer from the pem; the cer file is kept on the client for verification:

openssl x509 -in server.pem -outform der -out server.cer
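The six-step procedure above as one non-interactive function, added here as an example that is not from the original post, together with the check a practitioner wants before pointing nginx at the files: that the certificate really belongs to the private key, and that the client-side .cer is DER. It assumes openssl 1.0.2 or newer on PATH; the function names and the out_dir/cn/days arguments are mine, and `-subj` replaces the post's "press Enter through the questions".

```shell
#!/bin/sh
# Added example, not from the original post: the six-step certificate
# procedure as one non-interactive function, plus the check that the
# certificate matches the key before nginx is pointed at it.
# Assumed: openssl 1.0.2 or newer on PATH; out_dir, cn and days are your values.

make_selfsigned() {
    out_dir="$1"; cn="$2"; days="${3:-3650}"
    mkdir -p "$out_dir" || return 1
    # Steps 1+2 in one go: an unencrypted 2048-bit key is the end state of
    # `genrsa -des3` followed by `openssl rsa -in server.key -out server.key`.
    openssl genrsa -out "$out_dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$out_dir/server.key"   # the key is the secret; keep it owner-only
    # Step 3: -subj answers the questionnaire instead of pressing Enter through it.
    openssl req -new -key "$out_dir/server.key" -subj "/CN=$cn" \
        -out "$out_dir/server.csr" 2>/dev/null || return 1
    # Step 4: self-sign for $days days.
    openssl x509 -req -days "$days" -in "$out_dir/server.csr" \
        -signkey "$out_dir/server.key" -out "$out_dir/server.crt" 2>/dev/null || return 1
    # Steps 5+6: the DER copy for the client is taken from server.crt alone, so
    # no crt+key bundle (server.pem) containing the private key is written.
    openssl x509 -in "$out_dir/server.crt" -outform der \
        -out "$out_dir/server.cer" 2>/dev/null
}

# 0 when the certificate's public key matches the private key in the same directory.
cert_matches_key() {
    dir="$1"
    crt_pub=$(openssl x509 -noout -pubkey -in "$dir/server.crt" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$dir/server.key" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 when the file parses as a DER certificate (the form the client-side .cer needs).
cer_is_der() {
    openssl x509 -inform der -noout -in "$1" >/dev/null 2>&1
}
```

Usage: `make_selfsigned /usr/local/nginx/conf/ssl 121.192.191.113 3650 && cert_matches_key /usr/local/nginx/conf/ssl`. If you keep the post's server.pem step, remember that the bundle contains the private key and must stay on the server with the same permissions as server.key; `openssl x509 -in server.pem` reads only the certificate block, which is why the .cer it produces is safe to hand to clients. Current browsers also reject certificates that carry the host only in the CN and have no subjectAltName, so for browser clients add a SAN extension or use a CA-issued certificate as in the Let's Encrypt section below.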

 

Configure the server block of nginx:

server {
    #listen       80;
    #server_name  localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;

    listen 443 ssl;
    ssl on;    # redundant with "listen 443 ssl" and deprecated since nginx 1.15.0; harmless on 1.10/1.12
    keepalive_timeout 70;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_certificate      /usr/local/nginx/conf/ssl/server.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/server.key;

    server_name  121.192.191.113;

    location / {
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_pass http://core.xchs.com;
    }
}

 

 

Everything else is configured the same way as an ordinary web service; https uses port 443 by default.

After the configuration is complete, reload the configuration file:

/usr/local/nginx/sbin/nginx -t
nginx -s reload

Test:

https://121.192.191.113/

If a file is placed here you can see the test page. Because a reverse proxy is configured here, you see the test page returned by the backend.

Renewing the NGINX https certificate

Let's Encrypt certificates must be renewed every three months.

Steps

1. Run:

./letsencrypt-auto certonly --renew-by-default  --email 12345678@qq.com -d xxx.com -d www.xxx.com

2. Enter 2 to choose webroot yourself

3. Enter the path (note: this is the real filesystem path, not the NGINX path)

/home/luog/site

4. Copy the two generated files to the location where the NGINX configuration is kept

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xchsedu.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xchsedu.com/privkey.pem
   Your cert will expire on 2018-03-08. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@TestHealthServer letsencrypt]# cd /etc/letsencrypt/live/xxx.com/
[root@TestHealthServer xchsedu.com]# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
[root@TestHealthServer xchsedu.com]# cp fullchain.pem privkey.pem /usr/local/nginx/conf/ssl/

 

Finally restart NGINX so the configuration takes effect.
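The "copy the two files and restart" step as a small deploy script, added here as an example that is not from the original post. It adds the three checks that turn a manual copy into something safe to run from cron: the certificate is actually close to expiry, fullchain.pem and privkey.pem belong together, and the new configuration passes `nginx -t` before the running server is reloaded. It assumes the paths used in the post (/etc/letsencrypt/live/<domain>/ and /usr/local/nginx/conf/ssl/) and openssl on PATH; the function and argument names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: deploy a renewed Let's Encrypt
# certificate into the nginx ssl directory with sanity checks, and reload
# nginx only after `nginx -t` passes.
# Assumed: the paths used in the post (/etc/letsencrypt/live/<domain>/ and
# /usr/local/nginx/conf/ssl/), openssl on PATH; argument names are mine.

# 0 if the certificate in $1 expires within $2 seconds (default 30 days =
# 2592000), i.e. a renewal is due; 1 otherwise. `openssl x509 -checkend` exits
# non-zero when the certificate will have expired by then, hence the negation.
cert_expires_within() {
    ! openssl x509 -checkend "${2:-2592000}" -noout -in "$1" >/dev/null 2>&1
}

# Copy fullchain.pem and privkey.pem into the nginx ssl directory, refusing to
# write anything when the pair does not match (works for RSA and ECDSA keys).
deploy_cert() {
    live_dir="$1"; ssl_dir="$2"
    [ -f "$live_dir/fullchain.pem" ] && [ -f "$live_dir/privkey.pem" ] || return 1
    # x509 reads only the first (leaf) certificate of fullchain.pem
    crt_pub=$(openssl x509 -noout -pubkey -in "$live_dir/fullchain.pem" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$live_dir/privkey.pem" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 1
    mkdir -p "$ssl_dir" || return 1
    cp "$live_dir/fullchain.pem" "$live_dir/privkey.pem" "$ssl_dir/" || return 1
    chmod 600 "$ssl_dir/privkey.pem"
}

# Reload only when the config test passes; a bad config would otherwise take
# the server down on restart instead of leaving the old workers serving.
reload_if_valid() {
    nginx_bin="${1:-/usr/local/nginx/sbin/nginx}"
    "$nginx_bin" -t && "$nginx_bin" -s reload
}

# Example run (does nothing unless the deployed certificate is within 30 days of expiry):
# if cert_expires_within /usr/local/nginx/conf/ssl/fullchain.pem; then
#     ./letsencrypt-auto renew \
#     && deploy_cert /etc/letsencrypt/live/xxx.com /usr/local/nginx/conf/ssl \
#     && reload_if_valid
# fi
```

Reloading (`-s reload`) rather than restarting keeps existing connections open while new workers pick up the certificate; because `deploy_cert` only copies when the pair matches, a half-written or mismatched renewal never reaches the directory nginx reads from.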

Last modified: 8 November 2018
