  • centos7安装tengine强制使用HTTPS访问

    操作系统:centos7.2 x64
    tengine:Tengine/2.2.0
    主机IP: 10.0.0.12

    一、安装tengine

        1.1 下载源码安装包
            (注意:下面部分下载地址使用 ftp/http 明文传输,下载后应与官方发布的校验值或签名比对,确认源码包未被篡改后再编译安装。)

            1.1.1 源码包pcre-8.40
                用于支持正则表达式

                [root@tengine ~]# cd /usr/local/src/
                [root@tengine src]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz

     
            1.1.2 源码包zlib-1.2.11
                用于支持数据压缩

                [root@tengine src]# wget http://zlib.net/zlib-1.2.11.tar.gz

     
            1.1.3 源码包openssl-1.0.2
                用于数据加密及支持SSL协议(注意:openssl 1.0.2 系列官方已停止公开维护,本文仅作实验;生产环境请选用仍受官方支持的版本)

                [root@tengine src]# wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz

     
            1.1.4 源码包jemalloc-4.4.0
                用于优化内存管理

                [root@tengine src]# wget https://github.com/jemalloc/jemalloc/archive/4.4.0.tar.gz

     
            1.1.5 源码包tengine-2.2.0

                [root@tengine src]# wget http://tengine.taobao.org/download/tengine-2.2.0.tar.gz
                [root@tengine src]# ls
                jemalloc-4.4.0.tar.gz  openssl-1.0.2k.tar.gz  pcre-8.40.tar.gz  tengine-2.2.0.tar.gz  zlib-1.2.11.tar.gz

        1.2 编译安装依赖包

            1.2.1 更新工具包

                [root@tengine src]# yum install openssl-devel zlib-devel -y

     
            1.2.2 编译pcre

                [root@tengine src]# tar xf pcre-8.40.tar.gz
                [root@tengine src]# cd pcre-8.40
                [root@tengine pcre-8.40]# ./configure --prefix=/usr/local/pcre
                [root@tengine pcre-8.40]# make && make install

     
            1.2.3 编译openssl

                [root@tengine src]# tar xf openssl-1.0.2k.tar.gz
                [root@tengine src]# cd openssl-1.0.2k
                [root@tengine openssl-1.0.2k]# ./config --prefix=/usr/local/openssl
                [root@tengine openssl-1.0.2k]# make && make install


            1.2.4 编译zlib

                [root@tengine src]# tar xf zlib-1.2.11.tar.gz
                [root@tengine src]# cd zlib-1.2.11
                [root@tengine zlib-1.2.11]# ./configure --prefix=/usr/local/zlib
                [root@tengine zlib-1.2.11]# make && make install

     
            1.2.5 编译jemalloc

                [root@tengine src]# tar xf jemalloc-4.4.0.tar.gz
                [root@tengine src]# cd jemalloc-4.4.0
                [root@tengine jemalloc-4.4.0]# ./autogen.sh
                autoconf
                ./autogen.sh: line 5: autoconf: command not found
                Error 0 in autoconf
    
                # 安装autoconf包
                [root@tengine jemalloc-4.4.0]# yum install autoconf -y
                [root@tengine jemalloc-4.4.0]# ./autogen.sh
                [root@tengine jemalloc-4.4.0]# make
                [root@tengine jemalloc-4.4.0]# make install
                /usr/bin/install: cannot stat ‘doc/jemalloc.html’: No such file or directory
                make: *** [install_doc_html] Error 1
                # 这里只是说明文档和html页面没有,可以忽略这个错误,可以直接touch
                [root@tengine jemalloc-4.4.0]# touch doc/jemalloc.html
                [root@tengine jemalloc-4.4.0]# make install
                [root@tengine jemalloc-4.4.0]# touch doc/jemalloc.3
                [root@tengine jemalloc-4.4.0]# make install 

     
            1.2.8 加载库文件

                [root@tengine tengine-2.2.0]# echo '/usr/local/pcre/lib/' > /etc/ld.so.conf.d/pcre.conf
                [root@tengine tengine-2.2.0]# echo '/usr/local/zlib/lib/' > /etc/ld.so.conf.d/zlib.conf
                [root@tengine tengine-2.2.0]# echo '/usr/local/openssl/lib/' > /etc/ld.so.conf.d/openssl.conf
                [root@tengine tengine-2.2.0]# echo '/usr/local/lib/' > /etc/ld.so.conf.d/local.conf
                [root@tengine tengine-2.2.0]# ldconfig -v | less
                /usr/local/lib:
                        libjemalloc.so.2 -> libjemalloc.so.2
                /usr/local/openssl/lib:
                /usr/local/pcre/lib:
                        libpcrecpp.so.0 -> libpcrecpp.so.0.0.1
                        libpcreposix.so.0 -> libpcreposix.so.0.0.4
                        libpcre.so.1 -> libpcre.so.1.2.8
                /usr/local/zlib/lib:
                        libz.so.1 -> libz.so.1.2.11
                        ......
                        ......

     
            1.2.7 编译tengine

                [root@tengine src]# tar xf tengine-2.2.0.tar.gz
                [root@tengine src]# cd tengine-2.2.0
                # 创建tengine运行用户
                [root@tengine tengine-2.2.0]# groupadd -g 80 www
                [root@tengine tengine-2.2.0]# useradd -u 80 -g 80 -s /sbin/nologin -M www
                # 注意,在编译tengine时候,pcre, openssl, zlib必须指向源码目录,而jemalloc不能指向源码目录。切记!
                [root@tengine tengine-2.2.0]# ./configure --prefix=/usr/local/tengine --user=www --group=www \
                --with-http_stub_status_module \
                --with-http_ssl_module \
                --with-http_gzip_static_module \
                --with-openssl=/usr/local/src/openssl-1.0.2k \
                --with-pcre=/usr/local/src/pcre-8.40 \
                --with-zlib=/usr/local/src/zlib-1.2.11 \
                --with-jemalloc
    
                [root@tengine tengine-2.2.0]# make
                [root@tengine tengine-2.2.0]# make install
    
                [root@tengine tengine-2.2.0]# cd /usr/local/tengine/
                [root@tengine tengine]# ls
                conf  html  include  logs  modules  sbin
                [root@tengine tengine]# echo 'PATH=$PATH:/usr/local/tengine/sbin/' > /etc/profile.d/tengine.sh
                [root@tengine tengine]# cat !$
                cat /etc/profile.d/tengine.sh
                PATH=$PATH:/usr/local/tengine/sbin/
                [root@tengine tengine]# source /etc/profile.d/tengine.sh
                [root@tengine tengine]# nginx
                [root@tengine tengine]# netstat -ntplu | grep nginx
                tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      53295/nginx: master
    
                # tengine编译成功!
    
                # 验证jemalloc是否生效
                [root@tengine tengine]# yum install lsof -y
                [root@tengine tengine]# lsof -n | grep jemalloc
                nginx     23371         root  mem       REG              253,0   2584161   34723136 /usr/local/lib/libjemalloc.so.2
                nginx     23372          www  mem       REG              253,0   2584161   34723136 /usr/local/lib/libjemalloc.so.2
                # jemalloc 已生效!

     
        1.3 编写服务,实现开机启动

            [root@tengine tengine-2.2.0]# vim /usr/lib/systemd/system/tengine.service
    
            [Unit]
            Description=The nginx HTTP and reverse proxy server
            After=syslog.target network.target remote-fs.target nss-lookup.target
    
            [Service]
            Type=forking
            PIDFile=/usr/local/tengine/logs/nginx.pid
            ExecStartPre=/usr/local/tengine/sbin/nginx -t
            ExecStart=/usr/local/tengine/sbin/nginx
            ExecReload=/bin/kill -s HUP $MAINPID
            ExecStop=/bin/kill -s QUIT $MAINPID
            PrivateTmp=true
    
            [Install]
            WantedBy=multi-user.target    
    
            [root@tengine tengine-2.2.0]# nginx -s stop
            [root@tengine tengine-2.2.0]# systemctl status tengine
            ● tengine.service - The nginx HTTP and reverse proxy server
               Loaded: loaded (/usr/lib/systemd/system/tengine.service; disabled; vendor preset: disabled)
               Active: inactive (dead)
    
            # 启动服务
            [root@tengine tengine-2.2.0]# systemctl start tengine
            [root@tengine tengine-2.2.0]# netstat -ntplu | grep nginx
            tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      23429/nginx: master
    
            # 设置开机启动
            [root@tengine tengine-2.2.0]# systemctl enable tengine
            Created symlink from /etc/systemd/system/multi-user.target.wants/tengine.service to /usr/lib/systemd/system/tengine.service.


    二、tengine配置SSL并强制使用HTTPS访问

        2.1 使用openssl 生成 SSL key 和 CSR

            [root@tengine ~]# mkdir /etc/ssl/private
            [root@tengine ~]# cd /etc/ssl/private/    
            [root@tengine private]# openssl req -new -newkey rsa:2048 -sha256 -nodes -out super_com.csr -keyout super_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=super.com"
            # 注意:-nodes 生成的私钥不加密保存,建议执行 chmod 700 /etc/ssl/private 和 chmod 600 super_com.key,仅允许 root 读取
    
            # 这里为了实验,我们自行签发不受浏览器信任的SSL证书
    
            [root@tengine private]# openssl x509 -req -days 365 -in super_com.csr -signkey super_com.key -out super_com.crt
            Signature ok
            subject=/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=super.com
            Getting Private key

     
        2.2 为tengine配置SSL协议认证
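            这里配置建议使用以下两种方式:
                (1)通过tengine rewrite配置正则跳转的方式,该方式会占用服务器资源;
                (2)通过html meta 跳转的方式,百度采用这种方式;
                注意:两种方式都只是跳转,首次请求仍以明文HTTP发出;要让浏览器之后直接使用HTTPS,还需在HTTPS站点上返回 Strict-Transport-Security 响应头(HSTS)。
            2.2.1 tengine rewrite方式实现: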

                [root@tengine ~]# cd /usr/local/tengine/conf/
                [root@tengine conf]# vim nginx.conf
                ...
                ...
                http {
                    server {
                        listen       80;
                        server_name  www.super.com;
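                        rewrite ^(.*)$ https://$host$1 permanent;                    # 访问的所有url都跳转为https协议
                        # 注意:$host 可能取自客户端发送的 Host 头;若该 server 同时是默认虚拟主机,建议跳转到固定域名,例如 return 301 https://$server_name$request_uri;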
                        ...
                        ...
                        }
                    include vhost/*.conf;
                }
                ...
                ...            
                [root@tengine conf]# mkdir /usr/local/tengine/conf/vhost
                [root@tengine conf]# cd /usr/local/tengine/conf/vhost
                # 注:2.1 中证书和私钥已直接生成在 /etc/ssl/private/ 下;若文件已在该目录,下面两条 cp 可省略
                [root@tengine conf]# cp -a /etc/ssl/super_com.crt /etc/ssl/private/
                [root@tengine conf]# cp -a /etc/ssl/super_com.key /etc/ssl/private/
                [root@tengine vhost]# vim ssl.conf

                server {
                    listen 443 ssl;
                    ssl on;
                    ssl_certificate /etc/ssl/private/super_com.crt;
                    ssl_certificate_key /etc/ssl/private/super_com.key;
                    # 建议:显式限定协议版本(例如 ssl_protocols TLSv1.2;),不要启用 SSLv3/TLSv1.0 等过时协议
                    location / {
                        root /usr/local/tengine/html/ssl;
                        index index.html;
                    }
                }

                # 创建网站根目录和测试页面
                [root@tengine vhost]# mkdir /usr/local/tengine/html/ssl
                [root@tengine vhost]# cd !$
                cd /usr/local/tengine/html/ssl
                [root@tengine ssl]# echo 'hello 10.0.0.12' > index.html
                [root@tengine conf]# echo '10.0.0.12 www.super.com' >> /etc/hosts
                [root@tengine conf]# ping www.super.com
                PING www.super.com (10.0.0.12) 56(84) bytes of data.
                64 bytes from www.super.com (10.0.0.12): icmp_seq=1 ttl=64 time=0.057 ms

                # 重新加载tengine
                [root@tengine conf]# nginx -t
                nginx: the configuration file /usr/local/tengine/conf/nginx.conf syntax is ok
                nginx: configuration file /usr/local/tengine/conf/nginx.conf test is successful
                [root@tengine conf]# nginx -s stop    # 这里reload不生效可以尝试关闭,再开启
                [root@tengine conf]# nginx
                [root@tengine conf]# netstat -ntplu | grep nginx
                tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 23513/nginx: master
                tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 23513/nginx: master
                [root@tengine conf]# setenforce 0; systemctl stop firewalld    # 关闭selinux和防火墙
                # 注意:关闭 SELinux 和防火墙仅限实验环境。生产环境应保持二者开启,只放行所需端口,例如:
                #       firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload


                # 编辑本地主机hosts文件。C:\Windows\System32\drivers\etc\hosts
                10.0.0.12             www.super.com

                浏览器访问:http://www.super.com/
               

            2.2.2 通过html meta 跳转的方式实现:

                [root@tengine conf]# vim nginx.conf
                # 将rewrite注释
                #rewrite ^(.*)$  https://$host$1 permanent;
                [root@tengine conf]# cd /usr/local/tengine/html/
                [root@tengine html]# vim index.html
    
                <html>
                <meta http-equiv="refresh" content="0;url=https://www.super.com/">
                </html>


               

  • 原文地址:https://www.cnblogs.com/hukey/p/6368543.html