# OpenResty Installation and Configuration Tutorial: Replacing Nginx, Using Lua and Redis to Control Requests Dynamically

Edited: 2021/06/24

![](/api/file/getImage?fileId=60d4039a16199b501c026b88)

## Preface

In the past I always went for stability and convenience: install the prepackaged `nginx` with `yum` on `centos` and set up a reverse proxy with a conventional configuration. Since I am moving to a new server anyway, this time I am taking on something harder: a reverse proxy built on `openresty nginx`, with `TLS 1.3` and `Brotli` compression enabled along the way.

References:

https://www.mf8.biz/nginx-install-tls1-3/
http://openresty.org/cn/installation.html

## Installation

Download and unpack `openresty`. Check the official site for the latest version number and substitute it in the commands below.

```shell
wget https://openresty.org/download/openresty-1.19.3.2.tar.gz
tar -xzvf openresty-1.19.3.2.tar.gz
cd openresty-1.19.3.2/
```

Use the help output to see which options are supported. Many of them overlap with nginx's own options, so the nginx documentation is a useful reference.

```shell
./configure --help
  --help  this message
  --prefix=PATH  set the installation prefix (default to /usr/local/openresty)
  --with-debug  enable debug logging
  --with-no-pool-patch  enable the no-pool patch for debugging memory issues
  -jN  pass -jN option to make while building LuaJIT 2.1
  --without-http_echo_module  disable ngx_http_echo_module
  --without-http_xss_module  disable ngx_http_xss_module
  --without-http_coolkit_module  disable ngx_http_coolkit_module
  --without-http_set_misc_module  disable ngx_http_set_misc_module
  --without-http_form_input_module  disable ngx_http_form_input_module
  --without-http_encrypted_session_module  disable ngx_http_encrypted_session_module
  --without-http_srcache_module  disable ngx_http_srcache_module
  --without-http_lua_module  disable ngx_http_lua_module
  --without-http_lua_upstream_module  disable ngx_http_lua_upstream_module
  --without-http_headers_more_module  disable ngx_http_headers_more_module
  --without-http_array_var_module  disable ngx_http_array_var_module
  --without-http_memc_module  disable ngx_http_memc_module
  --without-http_redis2_module  disable ngx_http_redis2_module
  --without-http_redis_module  disable ngx_http_redis_module
  --without-http_rds_json_module  disable ngx_http_rds_json_module
  --without-http_rds_csv_module  disable ngx_http_rds_csv_module
  --without-stream_lua_module  disable ngx_stream_lua_module
  --without-ngx_devel_kit_module
      disable ngx_devel_kit_module
  --without-stream  disable TCP/UDP proxy module
  --without-http_ssl_module  disable ngx_http_ssl_module
  --without-stream_ssl_module  disable ngx_stream_ssl_module
  --with-http_iconv_module  enable ngx_http_iconv_module
  --with-http_drizzle_module  enable ngx_http_drizzle_module
  --with-http_postgres_module  enable ngx_http_postgres_module
  --without-lua_cjson  disable the lua-cjson library
  --without-lua_tablepool  disable the lua-tablepool library (and by consequence, the lua-resty-shell library)
  --without-lua_redis_parser  disable the lua-redis-parser library
  --without-lua_rds_parser  disable the lua-rds-parser library
  --without-lua_resty_dns  disable the lua-resty-dns library
  --without-lua_resty_memcached  disable the lua-resty-memcached library
  --without-lua_resty_redis  disable the lua-resty-redis library
  --without-lua_resty_mysql  disable the lua-resty-mysql library
  --without-lua_resty_upload  disable the lua-resty-upload library
  --without-lua_resty_upstream_healthcheck  disable the lua-resty-upstream-healthcheck library
  --without-lua_resty_string  disable the lua-resty-string library
  --without-lua_resty_websocket  disable the lua-resty-websocket library
  --without-lua_resty_limit_traffic  disable the lua-resty-limit-traffic library
  --without-lua_resty_lock  disable the lua-resty-lock library
  --without-lua_resty_lrucache  disable the lua-resty-lrucache library
  --without-lua_resty_signal  disable the lua-resty-signal library (and by consequence, the lua-resty-shell library)
  --without-lua_resty_shell  disable the lua-resty-shell library
  --without-lua_resty_core  disable the lua-resty-core library
  --with-luajit=DIR  use the external LuaJIT 2.1 installation specified by DIR
  --with-luajit-xcflags=FLAGS  Specify extra C compiler flags for LuaJIT 2.1
  --with-luajit-ldflags=FLAGS  Specify extra C linker flags for LuaJIT 2.1
  --without-luajit-lua52  Turns off the LuaJIT extensions from Lua 5.2 that may break backward compatibility
  --without-luajit-gc64  Turns off the LuaJIT
      GC64 mode (which is enabled by default on x86_64)
  --with-libdrizzle=DIR  specify the libdrizzle 1.0 (or drizzle) installation prefix
  --with-libpq=DIR  specify the libpq (or postgresql) installation prefix
  --with-pg_config=PATH  specify the path of the pg_config utility

Options directly inherited from nginx

  --sbin-path=PATH  set nginx binary pathname
  --modules-path=PATH  set modules path
  --conf-path=PATH  set nginx.conf pathname
  --error-log-path=PATH  set error log pathname
  --pid-path=PATH  set nginx.pid pathname
  --lock-path=PATH  set nginx.lock pathname
  --user=USER  set non-privileged user for worker processes
  --group=GROUP  set non-privileged group for worker processes
  --build=NAME  set build name
  --builddir=DIR  set build directory
  --with-select_module  enable select module
  --without-select_module  disable select module
  --with-poll_module  enable poll module
  --without-poll_module  disable poll module
  --with-threads  enable thread pool support
  --with-file-aio  enable file AIO support
  --with-http_ssl_module  enable ngx_http_ssl_module (default on)
  --with-http_v2_module  enable ngx_http_v2_module
  --with-http_realip_module  enable ngx_http_realip_module
  --with-http_addition_module  enable ngx_http_addition_module
  --with-http_xslt_module  enable ngx_http_xslt_module
  --with-http_xslt_module=dynamic  enable dynamic ngx_http_xslt_module
  --with-http_image_filter_module  enable ngx_http_image_filter_module
  --with-http_image_filter_module=dynamic  enable dynamic ngx_http_image_filter_module
  --with-http_geoip_module  enable ngx_http_geoip_module
  --with-http_geoip_module=dynamic  enable dynamic ngx_http_geoip_module
  --with-http_sub_module  enable ngx_http_sub_module
  --with-http_dav_module  enable ngx_http_dav_module
  --with-http_flv_module  enable ngx_http_flv_module
  --with-http_mp4_module  enable ngx_http_mp4_module
  --with-http_gunzip_module  enable ngx_http_gunzip_module
  --with-http_gzip_static_module  enable ngx_http_gzip_static_module
  --with-http_auth_request_module  enable ngx_http_auth_request_module
  --with-http_random_index_module  enable ngx_http_random_index_module
  --with-http_secure_link_module  enable ngx_http_secure_link_module
  --with-http_degradation_module  enable ngx_http_degradation_module
  --with-http_slice_module  enable ngx_http_slice_module
  --with-http_stub_status_module  enable ngx_http_stub_status_module
  --without-http_charset_module  disable ngx_http_charset_module
  --without-http_gzip_module  disable ngx_http_gzip_module
  --without-http_ssi_module  disable ngx_http_ssi_module
  --without-http_userid_module  disable ngx_http_userid_module
  --without-http_access_module  disable ngx_http_access_module
  --without-http_auth_basic_module  disable ngx_http_auth_basic_module
  --without-http_mirror_module  disable ngx_http_mirror_module
  --without-http_autoindex_module  disable ngx_http_autoindex_module
  --without-http_geo_module  disable ngx_http_geo_module
  --without-http_map_module  disable ngx_http_map_module
  --without-http_split_clients_module  disable ngx_http_split_clients_module
  --without-http_referer_module  disable ngx_http_referer_module
  --without-http_rewrite_module  disable ngx_http_rewrite_module
  --without-http_proxy_module  disable ngx_http_proxy_module
  --without-http_fastcgi_module  disable ngx_http_fastcgi_module
  --without-http_uwsgi_module  disable ngx_http_uwsgi_module
  --without-http_scgi_module  disable ngx_http_scgi_module
  --without-http_grpc_module  disable ngx_http_grpc_module
  --without-http_memcached_module  disable ngx_http_memcached_module
  --without-http_limit_conn_module  disable ngx_http_limit_conn_module
  --without-http_limit_req_module  disable ngx_http_limit_req_module
  --without-http_empty_gif_module  disable ngx_http_empty_gif_module
  --without-http_browser_module  disable ngx_http_browser_module
  --without-http_upstream_hash_module  disable ngx_http_upstream_hash_module
  --without-http_upstream_ip_hash_module  disable ngx_http_upstream_ip_hash_module
  --without-http_upstream_least_conn_module  disable ngx_http_upstream_least_conn_module
  --without-http_upstream_random_module  disable ngx_http_upstream_random_module
  --without-http_upstream_keepalive_module  disable ngx_http_upstream_keepalive_module
  --without-http_upstream_zone_module  disable ngx_http_upstream_zone_module
  --with-http_perl_module  enable ngx_http_perl_module
  --with-http_perl_module=dynamic  enable dynamic ngx_http_perl_module
  --with-perl_modules_path=PATH  set Perl modules path
  --with-perl=PATH  set perl binary pathname
  --http-log-path=PATH  set http access log pathname
  --http-client-body-temp-path=PATH  set path to store http client request body temporary files
  --http-proxy-temp-path=PATH  set path to store http proxy temporary files
  --http-fastcgi-temp-path=PATH  set path to store http fastcgi temporary files
  --http-uwsgi-temp-path=PATH  set path to store http uwsgi temporary files
  --http-scgi-temp-path=PATH  set path to store http scgi temporary files
  --without-http  disable HTTP server
  --without-http-cache  disable HTTP cache
  --with-mail  enable POP3/IMAP4/SMTP proxy module
  --with-mail=dynamic  enable dynamic POP3/IMAP4/SMTP proxy module
  --with-mail_ssl_module  enable ngx_mail_ssl_module
  --without-mail_pop3_module  disable ngx_mail_pop3_module
  --without-mail_imap_module  disable ngx_mail_imap_module
  --without-mail_smtp_module  disable ngx_mail_smtp_module
  --with-stream  enable TCP/UDP proxy module (default on)
  --with-stream=dynamic  enable dynamic TCP/UDP proxy module
  --with-stream_ssl_module  enable ngx_stream_ssl_module (default on)
  --with-stream_realip_module  enable ngx_stream_realip_module
  --with-stream_geoip_module  enable ngx_stream_geoip_module
  --with-stream_geoip_module=dynamic  enable dynamic ngx_stream_geoip_module
  --with-stream_ssl_preread_module  enable ngx_stream_ssl_preread_module
  --without-stream_limit_conn_module  disable ngx_stream_limit_conn_module
  --without-stream_access_module  disable ngx_stream_access_module
  --without-stream_geo_module  disable ngx_stream_geo_module
  --without-stream_map_module  disable ngx_stream_map_module
  --without-stream_split_clients_module  disable ngx_stream_split_clients_module
  --without-stream_return_module  disable ngx_stream_return_module
  --without-stream_upstream_hash_module  disable ngx_stream_upstream_hash_module
  --without-stream_upstream_least_conn_module  disable ngx_stream_upstream_least_conn_module
  --without-stream_upstream_random_module  disable ngx_stream_upstream_random_module
  --without-stream_upstream_zone_module  disable ngx_stream_upstream_zone_module
  --with-google_perftools_module  enable ngx_google_perftools_module
  --with-cpp_test_module  enable ngx_cpp_test_module
  --add-module=PATH  enable external module
  --add-dynamic-module=PATH  enable dynamic external module
  --with-compat  dynamic modules compatibility
  --with-cc=PATH  set C compiler pathname
  --with-cpp=PATH  set C preprocessor pathname
  --with-cc-opt=OPTIONS  set additional C compiler options
  --with-ld-opt=OPTIONS  set additional linker options
  --with-cpu-opt=CPU  build for the specified CPU, valid values:
      pentium, pentiumpro, pentium3, pentium4,
      athlon, opteron, sparc32, sparc64, ppc64
  --without-pcre  disable PCRE library usage
  --with-pcre  force PCRE library usage
  --with-pcre=DIR  set path to PCRE library sources
  --with-pcre-opt=OPTIONS  set additional build options for PCRE
  --with-pcre-jit  build PCRE with JIT compilation support
  --with-zlib=DIR  set path to zlib library sources
  --with-zlib-opt=OPTIONS  set additional build options for zlib
  --with-zlib-asm=CPU  use zlib assembler sources optimized
      for the specified CPU, valid values:
      pentium, pentiumpro
  --with-libatomic  force libatomic_ops library usage
  --with-libatomic=DIR  set path to libatomic_ops library sources
  --with-openssl=DIR  set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS  set additional build options for OpenSSL
  --dry-run  dry running the configure, for testing only
  --platform=PLATFORM  forcibly specify a platform name, for testing only
```

As you can see, the options are almost identical to stock nginx, so you can build directly with the usual nginx parameters.

To support TLS 1.3 and Brotli, a few things need to be prepared in advance.
When you do your own installation, I recommend checking each project's site for the latest version and replacing the version numbers in my commands.

https://www.openssl.org/source/
https://github.com/eustas/ngx_brotli/releases

```shell
cd /opt
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
tar xzf openssl-1.1.1k.tar.gz

cd /opt
git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule update --init --recursive

# The following error may appear along the way:
#   error: RPC failed; result=35, HTTP code = 0
#   fatal: The remote end hung up unexpectedly
#   fatal: The remote end hung up unexpectedly
# Fix:
git config --global http.postBuffer 50M

# If git is not installed, install it beforehand
yum install git

# If you like things tidy, delete the files you no longer need once you are done
rm /opt/openssl-1.1.1k.tar.gz
```

The final build and install:

```shell
# Run from the unpacked openresty source directory.
#   --prefix                          installation directory after the build
#   --with-openssl                    location of the OpenSSL source tree to compile in
#   --with-openssl-opt=enable-tls1_3  enable TLS 1.3 support
#   --with-http_v2_module             enable HTTP/2
#   --with-http_ssl_module            enable HTTPS support
#   --with-http_gzip_static_module    enable gzip_static (serving precompressed .gz files)
#   --add-module                      compile in the ngx_brotli extension
./configure \
    --prefix=/usr/local/openresty \
    --with-openssl=/opt/openssl-1.1.1k \
    --with-openssl-opt=enable-tls1_3 \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --add-module=/opt/ngx_brotli

make && make install
```

Installation is complete. The install directory is `/usr/local/openresty`, and `/usr/local/openresty/nginx/` is the path where nginx lives.

## Configuration

For the configuration file, you can use the following `nginx.conf` as a reference.

```nginx
# Worker processes run as root here; a dedicated unprivileged account
# limits what a compromised worker can reach.
user root;
worker_processes 8;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 8192;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 32M;

    # GZip and Brotli
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_types text/plain text/css text/xml text/javascript text/x-component
               application/json application/javascript application/x-javascript
               application/xml application/xhtml+xml application/rss+xml application/atom+xml
               application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

    brotli on;
    brotli_comp_level 6;
    brotli_min_length 1k;
    brotli_types text/plain text/css text/xml text/javascript text/x-component
                 application/json application/javascript application/x-javascript
                 application/xml application/xhtml+xml application/rss+xml application/atom+xml
                 application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 403;
    }

    server {
        listen 80;
        server_name zzzmh.cn www.zzzmh.cn bz.zzzmh.cn chrome.zzzmh.cn api.zzzmh.cn
                    leanote.zzzmh.cn tongji.zzzmh.cn tool.zzzmh.cn beta.bz.zzzmh.cn res.zzzmh.cn;
        # include agent_deny.conf;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2 default_server;
        server_name res.zzzmh.cn;
        access_log logs/host.access.log main;

        # Certificates
        ssl_certificate /root/ssl/res.zzzmh.cn/Nginx/1_res.zzzmh.cn_bundle.crt;
        ssl_certificate_key /root/ssl/res.zzzmh.cn/Nginx/2_res.zzzmh.cn.key;

        # TLS handshake tuning
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        keepalive_timeout 75s;
        keepalive_requests 100;

        # TLS versions and ciphers
        # (TLSv1 and TLSv1.1 are deprecated by RFC 8996; the list below still offers 3DES)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

        # Enable TLS 1.3 0-RTT
        # (requests sent as early data can be replayed; $ssl_early_data identifies them)
        ssl_early_data on;

        location / {
            root html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
```

Basic nginx usage:

```shell
# Change to the nginx directory
cd /usr/local/openresty/nginx/
# Test the nginx configuration file
./sbin/nginx -t
# Start nginx
./sbin/nginx
# Stop nginx
./sbin/nginx -s stop
# Reload the configuration file
./sbin/nginx -s reload
```

## Advanced

If you want to register nginx as a system service, so that it can be operated directly with nginx service commands and started at boot, the following configuration is needed.

```shell
# Create the service unit file
vim /lib/systemd/system/nginx.service
```

Paste in the following configuration, changing the paths to your actual paths:

```ini
[Unit]
Description=nginx service
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/openresty/nginx/sbin/nginx
ExecReload=/usr/local/openresty/nginx/sbin/nginx -s reload
ExecStop=/usr/local/openresty/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

You can then use the following commands:

```shell
# Enable at boot
systemctl enable nginx
# Start
systemctl start nginx
# Stop
systemctl stop nginx
# Restart
systemctl restart nginx
# Status
systemctl status nginx
```
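
The TLS section of the `nginx.conf` in the Configuration section accepts TLS 1.0/1.1, offers 3DES and static-RSA suites, and turns on 0-RTT without any replay handling. A tighter version of that HTTPS server block, as an added example that is not the author's configuration; `example.com`, the certificate paths, the `$reject_early_data` variable name and the `127.0.0.1:8080` backend are placeholders:

```nginx
# Added example, not the author's configuration. Place inside http { }.
# example.com, the certificate paths and 127.0.0.1:8080 are placeholders.

# $ssl_early_data is "1" only while a request is served from TLS 1.3 early
# data (0-RTT), before the handshake completes. A captured early-data request
# can be replayed, so only GET and HEAD are accepted in that state.
map "$ssl_early_data:$request_method" $reject_early_data {
    default     0;   # no early data: the handshake is complete
    "1:GET"     0;
    "1:HEAD"    0;
    "~^1:"      1;   # any other method sent as early data
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.crt;
    ssl_certificate_key /etc/ssl/example.com/private.key;

    # Page's config: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites only: ECDHE key exchange with AEAD ciphers, no 3DES and
    # no static-RSA. With OpenSSL 1.1.1 this directive does not select the
    # TLS 1.3 suites, which keep OpenSSL's defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_early_data on;

    # 425 Too Early: the client retries once the full handshake is done.
    if ($reject_early_data) {
        return 425;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Tell the backend the request arrived as early data.
        proxy_set_header Early-Data $ssl_early_data;
    }
}
```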