碼上歡樂
相關內容    簡體    繁體

centos7安裝tengine強制使用HTTPS訪問

本文轉載自   查看原文   2017-02-05 20:59   2800    Nginx

操作系統:centos7.2 x64
tengine:Tengine/2.2.0
主機IP: 10.0.0.12

 

一、安裝tengine

    1.1 下載源碼安裝包

        1.1.1 源碼包pcre-8.40
            用於支持正則表達式

            [root@tengine ~]# cd /usr/local/src/
            [root@tengine src]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz

 
        1.1.2 源碼包zlib-1.2.11
            用於支持數據壓縮

            [root@tengine src]# wget http://zlib.net/zlib-1.2.11.tar.gz

 
        1.1.3 源碼包openssl-1.0.2
            用於數據加密及支持SSL協議

            [root@tengine src]# wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz

 
        1.1.4 源碼包jemalloc-4.4.0
            用於優化內存管理

            [root@tengine src]# wget https://github.com/jemalloc/jemalloc/archive/4.4.0.tar.gz

 
        1.1.5 源碼包tengine-2.2.0

            [root@tengine src]# wget http://tengine.taobao.org/download/tengine-2.2.0.tar.gz
            [root@tengine src]# ls
            jemalloc-4.4.0.tar.gz  openssl-1.0.2k.tar.gz  pcre-8.40.tar.gz  tengine-2.2.0.tar.gz  zlib-1.2.11.tar.gz

 

    1.2 編譯安裝依賴包

        1.2.1 更新工具包

            [root@tengine src]# yum install openssl-devel zlib-devel -y

 
        1.2.2 編譯pcre

            [root@tengine src]# tar xf pcre-8.40.tar.gz
            [root@tengine src]# cd pcre-8.40
            [root@tengine pcre-8.40]# ./configure --prefix=/usr/local/pcre
            [root@tengine pcre-8.40]# make && make install

 
        1.2.3 編譯openssl

            [root@tengine src]# tar xf openssl-1.0.2k.tar.gz
            [root@tengine src]# cd openssl-1.0.2k
            [root@tengine openssl-1.0.2k]# ./config --prefix=/usr/local/openssl
            [root@tengine openssl-1.0.2k]# make && make install


        1.2.4 編譯zlib

            [root@tengine src]# tar xf zlib-1.2.11.tar.gz
            [root@tengine src]# cd zlib-1.2.11
            [root@tengine zlib-1.2.11]# ./configure --prefix=/usr/local/zlib
            [root@tengine zlib-1.2.11]# make && make install

 
        1.2.5 編譯jemalloc

            [root@tengine src]# tar xf jemalloc-4.4.0.tar.gz
            [root@tengine src]# cd jemalloc-4.4.0
            [root@tengine jemalloc-4.4.0]# ./autogen.sh
            autoconf
            ./autogen.sh: line 5: autoconf: command not found
            Error 0 in autoconf

            # 安裝autoconf包
            [root@tengine jemalloc-4.4.0]# yum install autoconf -y
            [root@tengine jemalloc-4.4.0]# ./autogen.sh
            [root@tengine jemalloc-4.4.0]# make
            [root@tengine jemalloc-4.4.0]# make install
            /usr/bin/install: cannot stat ‘doc/jemalloc.html’: No such file or directory
            make: *** [install_doc_html] Error 1
            # 這里只是說明文檔和html頁面沒有,可以忽悠這個錯誤,可以直接touch
            [root@tengine jemalloc-4.4.0]# touch doc/jemalloc.html
            [root@tengine jemalloc-4.4.0]# make install
            [root@tengine jemalloc-4.4.0]# touch doc/jemalloc.3
            [root@tengine jemalloc-4.4.0]# make install

 
        1.2.8 加載庫文件

            [root@tengine tengine-2.2.0]# echo '/usr/local/pcre/lib/' > /etc/ld.so.conf.d/pcre.conf
            [root@tengine tengine-2.2.0]# echo '/usr/local/zlib/lib/' > /etc/ld.so.conf.d/zlib.conf
            [root@tengine tengine-2.2.0]# echo '/usr/local/openssl/lib/' > /etc/ld.so.conf.d/openssl.conf
            [root@tengine tengine-2.2.0]# echo '/usr/local/lib/' > /etc/ld.so.conf.d/local.conf
            [root@tengine tengine-2.2.0]# ldconfig -v | less
            /usr/local/lib:
                    libjemalloc.so.2 -> libjemalloc.so.2
            /usr/local/openssl/lib:
            /usr/local/pcre/lib:
                    libpcrecpp.so.0 -> libpcrecpp.so.0.0.1
                    libpcreposix.so.0 -> libpcreposix.so.0.0.4
                    libpcre.so.1 -> libpcre.so.1.2.8
            /usr/local/zlib/lib:
                    libz.so.1 -> libz.so.1.2.11
                    ......
                    ......

 
        1.2.7 編譯tengine

            [root@tengine src]# tar xf tengine-2.2.0.tar.gz
            [root@tengine src]# cd tengine-2.2.0
            # 創建tengine運行用戶
            [root@tengine tengine-2.2.0]# groupadd -g 80 www
            [root@tengine tengine-2.2.0]# useradd -u 80 -g 80 -s /sbin/nologin -M www
            # 注意,在編譯tengine時候,pcre, openssl, zlib必須指向源碼目錄,而jemalloc不能指向源碼目錄。切記!
            [root@tengine tengine-2.2.0]# ./configure --prefix=/usr/local/tengine --user=www --group=www \
            --with-http_stub_status_module \
            --with-http_ssl_module \
            --with-http_gzip_static_module \
            --with-openssl=/usr/local/src/openssl-1.0.2k \
            --with-pcre=/usr/local/src/pcre-8.40 \
            --with-zlib=/usr/local/src/zlib-1.2.11 \
            --with-jemalloc

            [root@tengine tengine-2.2.0]# make
            [root@tengine tengine-2.2.0]# make install

            [root@tengine tengine-2.2.0]# cd /usr/local/tengine/
            [root@tengine tengine]# ls
            conf  html  include  logs  modules  sbin
            [root@tengine tengine]# echo 'PATH=$PATH:/usr/local/tengine/sbin/' > /etc/profile.d/tengine.sh
            [root@tengine tengine]# cat !$
            cat /etc/profile.d/tengine.sh
            PATH=$PATH:/usr/local/tengine/sbin/
            [root@tengine tengine]# source /etc/profile.d/tengine.sh
            [root@tengine tengine]# nginx
            [root@tengine tengine]# netstat -ntplu | grep nginx
            tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      53295/nginx: master

            # tengine編譯成功!

            # 驗證jemalloc是否生效
            [root@tengine tengine]# yum install lsof -y
            [root@tengine tengine]# lsof -n | grep jemalloc
            nginx     23371         root  mem       REG              253,0   2584161   34723136 /usr/local/lib/libjemalloc.so.2
            nginx     23372          www  mem       REG              253,0   2584161   34723136 /usr/local/lib/libjemalloc.so.2
            # jemalloc 已生效!

 
    1.3 編寫服務,實現開機啟動

        [root@tengine tengine-2.2.0]# vim /usr/lib/systemd/system/tengine.service

        [Unit]
        Description=The nginx HTTP and reverse proxy server
        After=syslog.target network.target remote-fs.target nss-lookup.target

        [Service]
        Type=forking
        PIDFile=/usr/local/tengine/logs/nginx.pid
        ExecStartPre=/usr/local/tengine/sbin/nginx -t
        ExecStart=/usr/local/tengine/sbin/nginx
        ExecReload=/bin/kill -s HUP $MAINPID
        ExecStop=/bin/kill -s QUIT $MAINPID
        PrivateTmp=true

        [Install]
        WantedBy=multi-user.target    

        [root@tengine tengine-2.2.0]# nginx -s stop
        [root@tengine tengine-2.2.0]# systemctl status tengine
        ● tengine.service - The nginx HTTP and reverse proxy server
           Loaded: loaded (/usr/lib/systemd/system/tengine.service; disabled; vendor preset: disabled)
           Active: inactive (dead)

        # 啟動服務
        [root@tengine tengine-2.2.0]# systemctl start tengine
        [root@tengine tengine-2.2.0]# netstat -ntplu | grep nginx
        tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      23429/nginx: master

        # 設置開機啟動
        [root@tengine tengine-2.2.0]# systemctl enable tengine
        Created symlink from /etc/systemd/system/multi-user.target.wants/tengine.service to /usr/lib/systemd/system/tengine.service.

 


二、tengine配置SSL並強制使用HTTPS訪問

    2.1 使用openssl 生成 SSL key 和 CSR

        [root@tengine ~]# mkdir /etc/ssl/private
        [root@tengine ~]# cd /etc/ssl/private/    
        [root@tengine private]# openssl req -new -newkey rsa:2048 -sha256 -nodes -out super_com.csr -keyout super_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=super.com"

        # 這里為了實驗,我們自行簽發不受瀏覽器信任的SSL證書

        [root@tengine private]# openssl x509 -req -days 365 -in super_com.csr -signkey super_com.key -out super_com.crt
        Signature ok
        subject=/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=super.com
        Getting Private key

 
    2.2 為tengine配置SSL協議認證
        這里配置建議使用以下兩種方式:            
            (1)通過tengine write配置正則跳轉的方式,該方式會占用服務器資源;
            (2)通過html meta 跳轉的方式,百度采用這種方式;
        2.2.1 tengine write方式實現:

            [root@tengine ~]# cd /usr/local/tengine/conf/
            [root@tengine conf]# vim nginx.conf
            ...
            ...
            http {
                server {
                    listen       80;
                    server_name  www.super.com;
                    rewrite ^(.*)$ https://$host$1 permanent;                    # 訪問的所有url都跳轉為https協議
                    ...
                    ...
                    }
                include vhost/.conf;
            }
            ...
            ...            
            [root@tengine conf]# mkdir /usr/local/tengine/conf/vhost
            [root@tengine conf]# cd /usr/local/tengine/conf/vhost
       [root@tengine conf]# cp -a /etc/ssl/super_com.crt /etc/ssl/private/
         [root@tengine conf]# cp -a /etc/ssl/super_com.key /etc/ssl/private/

            [root@tengine vhost]# vim ssl.conf

            server {
              listen       443 ssl;
              ssl on;
              ssl_certificate /etc/ssl/private/super_com.crt;
              ssl_certificate_key /etc/ssl/private/super_com.key;
              location / {
                root /usr/local/tengine/html/ssl;
                index index.html;
              }
            }
            # 創建網站根目錄和測試頁面
            [root@tengine vhost]# mkdir /usr/local/tengine/html/ssl
            [root@tengine vhost]# cd !$
            cd /usr/local/tengine/html/ssl
            [root@tengine ssl]# echo 'hello 10.0.0.12' > index.html


            [root@tengine conf]# echo '10.0.0.12    www.super.com' >> /etc/hosts
            [root@tengine conf]# ping www.super.com
            PING www.super.com (10.0.0.12) 56(84) bytes of data.
            64 bytes from www.super.com (10.0.0.12): icmp_seq=1 ttl=64 time=0.057 ms
            # 重新加載tengine
            [root@tengine conf]# nginx -t
            nginx: the configuration file /usr/local/tengine/conf/nginx.conf syntax is ok
            nginx: configuration file /usr/local/tengine/conf/nginx.conf test is successful
            [root@tengine conf]# nginx -s stop     # 這里reload不生效可以嘗試關閉,在開啟
            [root@tengine conf]# nginx
            [root@tengine conf]# netstat -ntplu | grep nginx
            tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      23513/nginx: master
            tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23513/nginx: master
            [root@tengine conf]# setenforce 0; systemctl stop firewalld     # 關閉selinux和防火牆

 


            # 編輯本地主機hosts文件。C:\Windows\System32\drivers\etc\hosts
            10.0.0.12             www.super.com

            瀏覽器訪問:http://www.super.com/
           

        2.2.2 通過html meta 跳轉的方式實現:

            [root@tengine conf]# vim nginx.conf
            # 將rewrite注釋
            #rewrite ^(.*)$  https://$host$1 permanent;
            [root@tengine conf]# cd /usr/local/tengine/html/
            [root@tengine html]# vim index.html

            <html>
            <meta http-equiv="refresh" content="0;url=https://www.super.com/">
            </html>

 


           


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 nginx強制使用https訪問(http跳轉到https) LNMP強制https訪問 nginx強制使用https訪問(多站點多域名配置) CentOS 7 配置nginx並默認強制使用https對http進行跳轉 CentOS7下Nginx強制http 301跳轉到https的設置方法 CentOS7上安裝VMWare並遠程訪問 Tengine筆記1:安裝Tengine和Tengine說明 CentOS7安裝使用MySQL centos7上vagrant的安裝及使用 centos7之vsftp安裝和使用
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM