2. 部署指南

nginx安装ngx_lua_waf模块,以及添加Brotli算法压缩网站 安装部署 shell docker

https://hub.docker.com/_/nginx

http://nginx.org/en/download.html

https://github.com/ADD-SP/ngx_waf/releases


# Debian 10 Buster 国内常用镜像源

sed -i 's#http://deb.debian.org#http://mirrors.aliyun.com#g' /etc/apt/sources.list


cd  /data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module

apt-get update -y;
apt-get install -y wget vim net-tools curl iproute2 git cmake build-essential autoconf automake libtool zlib1g-dev zip openssl libssl-dev libpcre3 libpcre3-dev libfreetype6-dev libfontconfig1-dev libgpm-dev fontconfig gcc make autoconf libc6-dev pkg-config libmcrypt-dev libmemcached-dev zlib1g-dev bzip2 libbz2-dev libxml2-dev libfreetype6-dev libjpeg62-turbo-dev libpng-dev libpcre3-dev libbz2-dev libxml2-dev mcrypt libedit-dev  libxslt1-dev libxml2-dev libxml2-dev;
apt-get dist-upgrade -y; 
apt-get upgrade -y; 
apt autoremove;
apt clean;   
cat /etc/debian_version;
apt-get install aptitude -y
aptitude install locales -y
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
echo Asia/Shanghai > /etc/timezone;
export LANG=zh_CN.UTF-8
sed -i 's/^# *\(zh_CN.UTF-8\)/\1/' /etc/locale.gen
locale-gen


1.安装GeoIP库:  

https://abc.htmltoo.com/thread-46043.htm


2.下载ngx_devel_kit(NDK)模块:  https://github.com/simplresty/ngx_devel_kit/releases

wget  https://github.com/simplresty/ngx_devel_kit/archive/v0.3.3.tar.gz

tar -xzvf  v0.3.3.tar.gz


3.下载lua-nginx-module模块:  https://github.com/openresty/lua-nginx-module/tags

wget  https://github.com/openresty/lua-nginx-module/archive/refs/tags/v0.10.26.tar.gz

tar -xzvf  v0.10.26.tar.gz  && rm -rf  v0.10.26.tar.gz 


vim /data/site/docker/env/nginx/nginx/conf.d/waf/resty/core/base.lua

ngx.config.ngx_lua_version ~= 10026
ngx_http_lua_module 0.10.26 required


4. openssl

---下载openssl模块: 

https://github.com/openssl/openssl/releases

https://www.openssl.org/source/

wget  https://github.com/openssl/openssl/releases/download/openssl-3.3.1/openssl-3.3.1.tar.gz

tar -xzvf  openssl-3.3.1.tar.gz &&  rm -rf   openssl-3.3.1.tar.gz

cd  openssl-3.3.1

apt-get remove openssl -y

---centos

yum remove openssl -y

yum -y install perl-CPAN

cpan -i Text::Template

->sudo , yes

cpan -i IPC::Cmd 

---

---OpenSSL

./config --prefix=/usr/local/openssl

make -j 4 && make install

# 更新到系统层

mv  /usr/bin/openssl /usr/bin/openssl.old

mv  /usr/include/openssl  /usr/include/openssl.old

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/openssl/include/openssl /usr/include/openssl

cp  /usr/local/openssl/lib64/libcrypto.so.3 /lib/x86_64-linux-gnu/

cp  /usr/local/openssl/lib64/libssl.so.3 /lib/x86_64-linux-gnu/

# 检查更新后的openssl依赖库是否是3.3.0

strings /usr/local/openssl/lib64/libssl.so | grep OpenSSL

# 显示结果表明已升级到最新版本链接库

OpenSSL 3.3.1

# 配置openssl库文件的搜索路径

echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf

# 使修改后的搜索路径生效

ldconfig -v

# 查看openssl版本,结果显示升级成功

openssl version


5.下载pcre模块https://sourceforge.net/projects/pcre/files/pcre/

wget  https://nchc.dl.sourceforge.net/project/pcre/pcre/8.45/pcre-8.45.tar.gz

tar -xzvf  pcre-8.45.tar.gz


6.实现动态配置模块:   nginx-upsync, nginx-upsync-module, nginx-stream-upsync-module 

# https://github.com/CallMeFoxie/nginx-upsync

git clone https://github.com/CallMeFoxie/nginx-upsync.git
cd nginx-upsync
git clone https://github.com/xiaokai-wang/nginx-stream-upsync-module.git
git clone https://github.com/weibocom/nginx-upsync-module.git
cd  ../

--add-module=addons/nginx-upsync --with-stream

7.pagespeed:   https://github.com/apache/incubator-pagespeed-ngx/releases

wget https://github.com/apache/incubator-pagespeed-ngx/archive/v1.13.35.2-stable.zip
unzip v1.13.35.2-stable.zip
cd incubator-pagespeed-ngx-1.13.35.2-stable/ 
curl -L https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz | tar -xz

--add-module=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module/incubator-pagespeed-ngx-1.13.35.2-stable

--with-cc-opt='-DLINUX=2 -D_REENTRANT -D_LARGEFILE64_SOURCE -march=i686 -pthread'

ngx_pagespeed将重写你的网页,让用户以更快的速度进行访问。重写的工作包括压缩图片、缩减CSS和JavaScript、扩展缓存时间,同样还包括其它一些最佳实践:

优化缓存——整合应用程序的数据和逻辑

最小化round-trip次数——削减连续的请求/响应周期数

最小化请求开销——削减上传大小

最小化负载大小——削减响应、下载及缓存页面大小

优化浏览器渲染——改善浏览器页面布局

移动方面的优化——优化站点移动网络和设备方面的相关特性


8.下载安装LuaJIT:  https://github.com/openresty/luajit2  http://luajit.org/download.html  

git clone https://github.com/openresty/luajit2
cd luajit2
make PREFIX=/usr/local/luajit
make install PREFIX=/usr/local/luajit
ln -sf luajit-2.1.0-beta3 /usr/local/luajit/bin/luajit
/sbin/ldconfig
cd ../
wget  http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz
tar -xzvf  LuaJIT-2.1.0-beta3.tar.gz
cd  LuaJIT-2.1.0-beta3
make PREFIX=/usr/local/luajit
make install PREFIX=/usr/local/luajit
ln -sf luajit-2.1.0-beta3 /usr/local/luajit/bin/luajit
/sbin/ldconfig
cd ../


9.第三方模块

9.1 安装Brotli算法压缩网站:   

https://github.com/google/ngx_brotli

https://github.com/google/brotli/releases

-libtool 重装/升级

https://abc.htmltoo.com/thread-46658.htm

# 安装libbrotli:
git clone https://github.com/bagder/libbrotli
cd libbrotli
git config --global --add safe.directory "*"
autoreconf
./autogen.sh
./configure
make && make install
cd ../

git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd ../../../..

# 安装ngx_brotli:
git clone https://github.com/google/ngx_brotli
cd ngx_brotli && git submodule update --init
cd ../

export CFLAGS="-m64 -march=native -mtune=native -Ofast -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"

export LDFLAGS="-m64 -Wl,-s -Wl,-Bsymbolic -Wl,--gc-sections"

--add-module=/path/to/ngx_brotli

9.2 WebDAV模块

https://github.com/arut/nginx-dav-ext-module

apt-get install -y libxml2
apt-get install -y python-lxml-doc python3-lxml python3-lxml-dbg libui-gxmlcpp-dev  libui-gxmlcpp5v5
git clone  https://github.com/arut/nginx-dav-ext-module
# static module
--with-http_dav_module --add-module=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module/nginx-dav-ext-module
# dynamic module
--with-http_dav_module --add-dynamic-module=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module/nginx-dav-ext-module

9.3 nginx-module-vts监控nginx流量

http://github.com/vozlt/nginx-module-vts.git

git clone http://github.com/vozlt/nginx-module-vts.git

--add-module=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module/nginx-module-vts

http {
    ...
    default_type  application/octet-stream;
    vhost_traffic_status_zone;               #流量状态监控
    vhost_traffic_status_filter_by_host on;  # 根据host分别进行流量统计
    # 开启此功能,在Nginx配置有多个server_name的情况下,会根据不同的server_name进行流量的统计,
    # 否则默认会把流量全部计算到第一个server_name上。	
    # 假如nginx没有规范配置server_name或者无需进行监控的server上,那么建议在此vhost上禁用统计监控功能。
    # 否则会出现“127.0.0.1”,hostname等的域名监控信息
    ...
    server {
        ...
        listen 9912;
        location /status {
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
        }
    }
    include /etc/nginx/conf.d/*.conf;
}

-显示监控数据

http://g.htmltoo.com:9912/status


9.4 ngx_waf模块

https://abc.htmltoo.com/thread-46595.htm


9.5 配置QUIC和HTTP/3

https://abc.htmltoo.com/thread-46783.htm


10.下载Nginx源文件:   http://nginx.org/en/download.html

wget  http://nginx.org/download/nginx-1.22.1.tar.gz

wget  http://nginx.org/download/nginx-1.25.4.tar.gz

tar -xzvf  nginx-1.22.1.tar.gz  &&  rm  -rf  nginx-1.22.1.tar.gz

tar -xzvf  nginx-1.25.4.tar.gz  &&  rm  -rf  nginx-1.25.4.tar.gz


11.编译Nginx:

cd  nginx-1.22.1
cd  nginx-1.25.4
export LUAJIT_LIB=/usr/local/luajit/lib       # 设置环境变量
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1

# ======永久生效的可以执行如下脚本======
cat >> /etc/profile <<END
export LUAJIT_LIB=/usr/local/luajit/lib
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1
END
# 使/etc/profile 立刻生效
source /etc/profile


12.nginx修改并隐藏版本号

vim  src/core/nginx.h

#define NGINX_VERSION      "1.8.1"  #修改想要显示的版本如:2.2.23

#define NGINX_VER          "nginx"        #将nginx修改成想要显示的软件名称

#define NGINX_VAR          "NGINX" #将nginx修改成想要显示的软件名称(Evan Web Server)

vim  src/http/ngx_http_header_filter_module.c

ngx_http_server_string[] = "Server: nginx" CRLF;   #将nginx修改为想要的版本

vim  src/http/ngx_http_special_response.c

"<hr><center>nginx</center>" CRLF  #将nginx修改为想要的版本信息


# nginx configure

https://abc.htmltoo.com/thread-46489.htm


===yum nginx

yum install -y   libxslt-devel  libxml2 libxml2-devel  gd gd-devel  perl-ExtUtils-Embed libgd2-xpm-dev

===


13.编译:

sed -i 's/^\(CFLAGS.*\)/\1 -fstack-protector-strong -Wno-sign-compare/' objs/Makefile

make && make install


14.resty.core

https://github.com/openresty/lua-resty-core/tags

https://github.com/openresty/lua-resty-lrucache/tags

wget  https://github.com/openresty/lua-resty-core/archive/refs/tags/v0.1.28.tar.gz

wget  https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v0.13.tar.gz

tar -xzvf  v0.1.28.tar.gz  &&  rm  -rf  v0.1.28.tar.gz

tar -xzvf  v0.13.tar.gz  &&  rm  -rf  v0.13.tar.gz

cd  lua-resty-core-0.1.28

make install prefix=/usr/local/LuaLIB

cd  ../lua-resty-lrucache-0.13

make install prefix=/usr/local/LuaLIB


---缺少:libluajit-5.1.so.2

$find / -name libluajit-5.1.so.2

/usr/local/luajit/lib/libluajit-5.1.so.2


cp /usr/local/luajit/lib/libluajit-5.1.so.2  /usr/local/lib/

echo "/usr/local/lib"  >>/etc/ld.so.conf

/sbin/ldconfig


cd /usr/local/lib

ls

libluajit-5.1.a  libluajit-5.1.so  libluajit-5.1.so.2  libluajit-5.1.so.2.1.0  lua  pkgconfig  resty

rm -rf ./resty

ln -s /usr/local/openresty/lualib/resty /usr/local/lib


nginx.conf 中的 http{}模块中加入下面这行代码:

lua_load_resty_core off;


echo "/usr/local/luajit/lib" > /etc/ld.so.conf.d/usr_local_lib.conf

echo “/usr/local/luajit/lib” >> /etc/ld.so.conf


service nginx restart    #  nginx -V  验证


15. 安装ngx_lua_waf模块:  https://github.com/loveshell/ngx_lua_waf

cd  ngx_lua_waf-0.7.2

扔到/etc/nginx/conf.d下面(如果是直接编译的,放到对应的conf文件夹下),解压文件,重命名为"waf"

cd ../  && cp ngx_lua_waf-0.7.2  /etc/nginx/conf.d/  &&  mv ngx_lua_waf-0.7.2 waf


在nginx.conf的http段添加:

#ngx_lua_waf
lua_package_path "/etc/nginx/conf.d/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /etc/nginx/conf.d/waf/init.lua;
access_by_lua_file /etc/nginx/conf.d/waf/waf.lua;


vi  /data/docker/nginx-test/conf.d/waf/wafconf/whiteurl

/sysadmin.php
/index.php?s=member


vi  /data/site/docker/env/nginx/nginx/conf.d/waf/config.lua

RulePath = "/etc/nginx/conf.d/waf/wafconf/"   #  配置config.lua里的waf规则存放目录(一般在waf/conf/目录下)
attacklog = "on"                              #  是否开启攻击信息记录,需要配置logdir
logdir = "/data/file/logs/nginxhack/"         #  log存储目录,该目录需要用户自己新建,切需要nginx用户的可写权限
UrlDeny="on"     # 是否拦截url访问
Redirect="on"    # 是否拦截后重定向
CookieMatch="on" # 是否拦截cookie攻击
postMatch="on"   # 是否拦截post攻击
whiteModule="on" # 是否开启URL白名单
black_fileExt={"php","jsp","js","sh","exe"}   #  填写不允许上传文件后缀类型  
ipWhitelist={"127.0.0.1"}   # ip白名单,多个ip用逗号分隔
ipBlocklist={"1.0.0.1"}     # ip黑名单,多个ip用逗号分隔
CCDeny="on"                 # 是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
CCrate="300/60"             # 设置cc攻击频率,单位为秒. 默认1分钟同一个IP只能请求同一个地址100次
html=[[Please go away~~]]   # 警告内容,可在中括号内自定义,备注:不要乱动双引号,区分大小写

vim  /data/site/docker/env/nginx/nginx/conf.d/waf/resty/core/base.lua

       or ngx.config.ngx_lua_version ~= 10025
    then
        error("ngx_http_lua_module 0.10.25 required")


service nginx restart


# 测试.

http://xxxx/?id=../etc/passwd   # 返回"Please go away~~"字样,说明规则生效。

/p.php?id=../../etc/passwd  # 测试任意文件读取

ab  -n200 -c1  http://www.cndo.org/  进行CC***测试


# nginx-日志

access_log /data/wwwlogs/access_nginx.log  main;  # 开启日志

error_log  /dev/null;    # 关闭日志

/usr/local/nginx/sbin/nginx -t  # 测试配置

/usr/local/nginx/sbin/nginx -s reload  /  stop

/usr/local/nginx/sbin/nginx     # 开启


# 删除下载的源代码:

apt-get update -y
apt-get dist-upgrade -y
apt-get upgrade -y
apt autoremove
apt clean
rm -rf /var/www/html/*


# 使用ngx_pagespeed

mkdir /var/ngx_pagespeed_cache

chown www.www /var/ngx_pagespeed_cache

vim  nginx.conf

server {
pagespeed on; 
pagespeed FileCachePath /var/ngx_pagespeed_cache;
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; }
location ~ "^/ngx_pagespeed_static/" { }
location ~ "^/ngx_pagespeed_beacon$" { }
location /ngx_pagespeed_statistics { allow 127.0.0.1; deny all; }
location /ngx_pagespeed_message { allow 127.0.0.1; deny all; }
}
    pagespeed on; 
    # memcached优化,如果没有memcached优化请删去
    pagespeed MemcachedThreads 1;
    pagespeed MemcachedServers "127.0.0.1:11211";
    pagespeed FileCachePath /data/file/pagespeed;
    pagespeed XHeaderValue "Powered By htmltoo.com";
    pagespeed FetchHttps enable,allow_self_signed,allow_unknown_certificate_authority,allow_certificate_not_yet_valid;
    # 配置服务器缓存位置和自动清除触发条件(空间大小、时限)
    pagespeed FileCacheSizeKb 2048000;
    pagespeed FileCacheCleanIntervalMs 43200000;
    pagespeed FileCacheInodeLimit 500000;
    # 过滤规则
    pagespeed RewriteLevel PassThrough;
    # 过滤管理目录(可选配置,可参考使用)
    pagespeed Disallow "*/sysadmin/*";
    pagespeed Disallow "*/sysadmin.php*";
    # 移除 html 空白
    pagespeed EnableFilters collapse_whitespace;
    # 移除 html 注释
    pagespeed EnableFilters remove_comments;
    # DNS 预加载
    pagespeed EnableFilters insert_dns_prefetch;
    # 压缩CSS
    pagespeed EnableFilters rewrite_css;
    # 合并CSS
    pagespeed EnableFilters combine_css;
    # 重写CSS,优化加载渲染页面的CSS规则
    pagespeed EnableFilters prioritize_critical_css;
    # google字体直接写入html 目的是减少浏览器请求和DNS查询
    pagespeed EnableFilters inline_google_font_css;
    # 压缩js
    pagespeed EnableFilters rewrite_javascript;
    # 合并js
    pagespeed EnableFilters combine_javascript;
    # 优化内嵌样式属性
    pagespeed EnableFilters rewrite_style_attributes;
    # 压缩图片
    pagespeed EnableFilters rewrite_images;
    #支持webp
    pagespeed EnableFilters convert_gif_to_png,convert_png_to_jpeg,convert_jpeg_to_webp;
    # 不加载显示区域以外的图片
    pagespeed LazyloadImagesAfterOnload off;
    # 图片预加载
    pagespeed EnableFilters inline_preview_images;
    # 移动端图片自适应重置
    pagespeed EnableFilters resize_mobile_images;
    # 图片延迟加载
    pagespeed EnableFilters lazyload_images;
    # 雪碧图片,图标很多的时候很有用
    pagespeed EnableFilters sprite_images;
    # 扩展缓存 改善页面资源的可缓存性
    pagespeed EnableFilters extend_cache;
    # And no extraneous headers get set.
    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" "";}
    location ~ "^/pagespeed_static/" {}
    location ~ "^/ngx_pagespeed_beacon$" {}
    location /ngx_pagespeed_statistics { allow 127.0.0.1; deny all; }
    location /ngx_pagespeed_global_statistics { allow 127.0.0.1; deny all; }
    location /ngx_pagespeed_message { allow 127.0.0.1; deny all; }
    location /pagespeed_console { allow 127.0.0.1; deny all; }
    location ~ ^/pagespeed_admin { allow 127.0.0.1; deny all; }
    location ~ ^/pagespeed_global_admin { allow 127.0.0.1; deny all; }
    # Add no rewrite if you site set rewrite 
    if ($request_uri ~ "(pagespeed_([^.]+)/(.*)?)") { break; }
    if ($request_uri ~ "(ngx_pagespeed_([^.]+)/(.*)?)") { break; }


https://github.com/markhilton/docker-nginx-pagespeed


签名:这个人很懒,什么也没有留下!
收藏的用户(0 X
正在加载信息~
猜你喜欢:
最新回复 (0)
返回
发新帖
作者最近主题:
热门主题: