  • nginx一键安装脚本

    nginx一键安装脚本

    [root@cc nginx]# cat nginx_install.sh
    #!/bin/bash
    #	> File Name: nginx_install.sh
    # 	> Author: cc
    # 	> mail: 547253687@qq.com
    # 	> Created Time: Fri 16 Nov 2018 11:02:58 AM CST
    
    # Install prefix, location of the bundled sources, and the Tengine prefix.
    INSTALL_DIR='/usr/local'
    SRC_DIR='/root'
    NGINX_DIR='/usr/local/tengine'

    # Name of the bundled archive and of directories that live inside it.
    NGINX_LUA='nginx-tengine+lua'
    GEOIP='GeoIP-1.4.8'
    SOCK='sock'
    CONF="${SRC_DIR}/${NGINX_LUA}/conf"

    # Major release number taken from /etc/redhat-release: the span from the
    # first to the last digit on the line is cut out and truncated to an integer.
    system_version=$(grep -o "[0-9].*[0-9]" /etc/redhat-release | awk '{print int($0)}')
    
    
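    # Refuse to continue unless running as root. This is checked before any
    # directory is created so an unprivileged run leaves nothing behind.
    if [ "$(id -u)" != "0" ]; then
        echo "Error: you must be root to run this script!"
        exit 1
    fi

    # Create the working directories. The socket directory is now tested at the
    # same path that gets created; the original tested ${SRC_DIR}$SOCK but
    # created ${INSTALL_DIR}/$SOCK.
    [ -d "${INSTALL_DIR}" ] || mkdir -p "${INSTALL_DIR}"
    [ -d "${SRC_DIR}" ] || mkdir -p "${SRC_DIR}"
    [ -d "${INSTALL_DIR}/${SOCK}" ] || mkdir -p "${INSTALL_DIR}/${SOCK}"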
    
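    ## Coloured output helpers
    # Print all arguments as one message in bold red between two rows of stars.
    # Arguments: the message words (joined with spaces)
    # Outputs:   three lines on stdout
    red_echo(){
        local what=$*
        # The escape sequences need the leading ESC byte (\033); without it the
        # terminal shows the literal text "e[1;31m" instead of switching colour.
        # The message goes through %s so backslashes in it are printed as-is.
        printf '\033[1;31m ********************* \033[0m\n'
        printf '\033[1;31m %s \033[0m\n' "${what}"
        printf '\033[1;31m ********************* \033[0m\n'
    }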
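    # Print all arguments as one message between two rows of dashes.
    # Despite the name, the colour code used is 1;32 (bold green).
    # Arguments: the message words (joined with spaces)
    # Outputs:   three lines on stdout
    blue_echo()
    {
        local what=$*
        # \033 is the ESC byte that starts an ANSI colour sequence; without it
        # the sequence is printed as plain text. %s keeps the message literal.
        printf '\033[1;32m --------------------- \033[0m\n'
        printf '\033[1;32m %s \033[0m\n' "${what}"
        printf '\033[1;32m --------------------- \033[0m\n'
    }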
    
    ## Install the build and runtime packages with yum
    # Each package is installed in its own yum call, so one unknown name does
    # not stop the others from being installed.
    Install_Package()
    {
        # NOTE(review): "c++" is probably not a package name (gcc-c++ follows it)
        # and "patch" is listed twice; both are kept as in the original list.
        local -a wanted=(
            lrzsz openssl-devel zlib zlib-devel pcre pcre-devel geoip-devel
            patch iptables iptables-services c++ gcc-c++ telnet curl curl-devel
            vim make wget lua lua-devel tcl ipset patch ntpdate
        )
        local pkg
        for pkg in "${wanted[@]}"; do
            yum -y install "$pkg"
        done
    }
    
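    # Report whether the command that ran immediately before this call
    # succeeded, then pause for five seconds so the message can be read.
    # Arguments: $1 - step name (e.g. "Make"), $2 - component name (e.g. "NGINX")
    # Outputs:   a three-line green (success) or red (failure) banner on stdout
    If_Success()
    {
        # Must stay the first statement: $? still holds the caller's last status.
        local rc=$?
        # \033 is the ESC byte; the original strings had lost it, so the colour
        # codes were printed as literal text such as "33[32m".
        if [ "$rc" -eq 0 ]
        then
            echo -e "\033[32m ------------------- \033[0m"
            echo -e "\033[32m $1 $2 Success!!! \033[0m"
            echo -e "\033[32m ------------------- \033[0m"
        else
            echo -e "\033[31m ******************* \033[0m"
            echo -e "\033[31m $1 $2 Failure!!! \033[0m"
            echo -e "\033[31m ******************* \033[0m"
        fi
        sleep 5
    }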
    
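    ## Build the bundled GeoIP library by hand (for releases below CentOS 7);
    ## Install_Nginx calls this function when it is needed.
    # Returns: 1 if the GeoIP source directory cannot be entered
    If_GeoIp()
    {
        # Stop when the source tree is missing: otherwise configure, make and
        # make install would run as root in whatever directory is current.
        cd "${SRC_DIR}/${NGINX_LUA}/${GEOIP}" || return 1
        ./configure
        If_Success "Configure" "GeoIp"
        make
        If_Success "Make" "GeoIp"
        make install
        If_Success "Install" "GeoIp"
    }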
    
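    # Unpack the bundled source archive, create the nginx account, build GeoIP
    # when the release is not 7, then configure, build and install Tengine.
    # Globals: reads SRC_DIR, NGINX_LUA, INSTALL_DIR, system_version;
    #          sets NGINX, PCRE, ZLIB, OPENSSL, ACCESSKEY
    # Returns: 1 if a required directory or the archive is unusable
    Install_Nginx()
    {
        # NOTE(review): these versions were pinned when the script was written
        # (the header is dated Nov 2018). Check each one against current upstream
        # security advisories before building; the OpenSSL 1.0.2 series is no
        # longer supported upstream.
        NGINX="tengine-2.2.2"
        PCRE="pcre-8.40"
        ZLIB="zlib-1.2.11"
        OPENSSL="openssl-1.0.2p"
        ACCESSKEY="nginx-accesskey-2.0.3"

        ## Unpack the prepared bundle
        # NOTE(review): everything in this archive is compiled and installed as
        # root. Record its checksum where it is produced and compare it here
        # before unpacking.
        cd "${SRC_DIR}" || return 1
        echo "Extracting ${NGINX_LUA}"
        tar -xzf "${NGINX_LUA}.tar.gz" || return 1
        cd "${SRC_DIR}/${NGINX_LUA}" || return 1
        echo "Done..."

        ## Download section, disabled in the original (kept for reference).
        ## It fetched the individual tarballs and unpacked each with tar xzf:
        #   wget -c http://nginx.org/download/${NGINX}.tar.gz
        #   wget -c https://sourceforge.net/projects/pcre/files/pcre/8.35/${PCRE}.tar.gz
        #   wget -c http://zlib.net/${ZLIB}.tar.gz
        #   wget -c http://www.openssl.org/source/${OPENSSL}.tar.gz
        # NOTE(review): if this is ever re-enabled, fetch over https and verify
        # a pinned checksum or signature before unpacking. The PCRE URL names
        # directory 8.35 while PCRE is pcre-8.40, and NGINX is a tengine
        # version, so the URLs need checking as well.

        ## Create the service account
        # Only created when missing so a second run does not fail, and given a
        # non-login shell because the account exists only to run nginx workers.
        getent group nginx > /dev/null 2>&1 || groupadd nginx
        id -u nginx > /dev/null 2>&1 || useradd -g nginx -s /sbin/nologin nginx

        ## Build GeoIP by hand when the release is not 7
        if [ "${system_version:-7}" -ne 7 ]
        then
            If_GeoIp
        else
            echo "pass..."
        fi

        ## Compile
        echo '###################'
        echo 'Compile NGINX'
        echo '###################'
        cd "${SRC_DIR}/${NGINX_LUA}/${NGINX}" || return 1

        # The options are kept in an array so they all reach ./configure. In the
        # listing the line continuations were missing, which would run
        # ./configure with --prefix only and then try to execute every other
        # option as a command of its own.
        local -a configure_args=(
            --prefix="${INSTALL_DIR}/tengine"
            --user=nginx --group=nginx
            --lock-path=/var/run/nginx.lock
            --error-log-path=/var/log/nginx/error.log
            --http-log-path=/var/log/nginx/access.log
            --pid-path=/var/run/nginx.pid
            --with-http_secure_link_module
            --with-http_random_index_module
            --with-http_ssl_module
            --with-http_realip_module
            --with-http_gzip_static_module
            --with-http_stub_status_module
            --with-http_flv_module
            --with-http_mp4_module
            --with-http_gunzip_module
            --with-http_auth_request_module
            --with-http_v2_module
            --with-http_addition_module
            --with-http_sub_module
            --with-file-aio
            --with-http_geoip_module
            --with-pcre="../${PCRE}"
            --with-openssl="../${OPENSSL}"
            --with-zlib="../${ZLIB}"
            --add-module=../ngx_cache_purge-master
            --add-module=../echo-nginx-module
            --add-module=../file-md5-master
            --add-module="../${ACCESSKEY}"
            --add-module=../lua-nginx-module-master
            --add-module=../nginx_tcp_proxy_module-master
            --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
            --with-ld-opt=-Wl,-rpath,/usr/local/lib
        )
        ./configure "${configure_args[@]}"
        If_Success "Configure" "NGINX"

        make
        If_Success "Make" "NGINX"

        make install
        If_Success "Install" "NGINX"
    }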
    
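    ## Start the sockproc daemon on its unix socket
    # Globals: reads SRC_DIR, NGINX_LUA; sets SOCKPACK
    # Returns: 1 if the sockproc directory is missing or no socket was created
    Create_Sock()
    {
        SOCKPACK="sockproc-master"
        # Kept in locals instead of assigning SHELL="shell": SHELL is the
        # login-shell environment variable, and overwriting it changed the
        # environment of every program started afterwards.
        local sock_name="shell"
        local sock_path="/tmp/${sock_name}.sock"

        cd "${SRC_DIR}/${NGINX_LUA}/${SOCKPACK}" || return 1
        chmod u+x sockproc
        ./sockproc "${sock_path}"

        if [ ! -S "${sock_path}" ]; then
            red_echo "Error:sockproc did not create ${sock_path}..."
            return 1
        fi

        # sockproc is started here as root, and per the upstream sockproc project
        # it runs the shell commands it receives on this socket (NOTE(review):
        # confirm for the bundled copy). Mode 0666 on a socket in /tmp would let
        # any local account send it commands, so access is limited to root and
        # the nginx group that the workers are configured to run as.
        # NOTE(review): if nginx.conf sets a different worker user, use that
        # group here. A root-owned directory such as /var/run would be a safer
        # place than /tmp, but the Lua side that connects to the socket is not
        # shown, so the path is left unchanged.
        chown root:nginx "${sock_path}"
        chmod 0660 "${sock_path}"
    }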
    
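    ## Install Redis
    # Downloads (unless already present), builds and installs Redis, copies the
    # binaries and the bundled redis.conf to /etc/redis and starts the server.
    # Globals: reads SRC_DIR, NGINX_LUA, INSTALL_DIR, CONF and the optional
    #          REDIS_SHA256; sets REDIS, WORK_REDIS
    # Returns: 1 on a missing directory, failed download or checksum mismatch
    Install_Redis()
    {
        REDIS="redis-5.0.0"
        WORK_REDIS="/etc/redis"

        [ -d "${WORK_REDIS}" ] || mkdir -p "${WORK_REDIS}"

        cd "${SRC_DIR}/${NGINX_LUA}" || return 1
        echo 'Downloading Redis...'
        if [ ! -f "${REDIS}.tar.gz" ]
        then
            # Fetched over https: this tarball is compiled and run as root, and
            # plain http lets anyone on the network path replace it.
            wget -c "https://download.redis.io/releases/${REDIS}.tar.gz" || return 1
        else
            echo "Skipping: REDIS already downloaded..."
        fi

        # Integrity check. Set REDIS_SHA256 to the digest published for this
        # release; without it the archive is used unverified, as before.
        if [ -n "${REDIS_SHA256:-}" ]
        then
            if ! printf '%s  %s\n' "${REDIS_SHA256}" "${REDIS}.tar.gz" | sha256sum -c - > /dev/null
            then
                red_echo "Error:${REDIS}.tar.gz checksum mismatch..."
                return 1
            fi
        else
            red_echo "Warning:REDIS_SHA256 is not set, ${REDIS}.tar.gz is not verified..."
        fi

        echo "Extracting ${REDIS}..."
        tar xzf "${REDIS}.tar.gz" -C "${INSTALL_DIR}" || return 1
        echo "Done..."

        cd "${INSTALL_DIR}/${REDIS}" || return 1
        make
        If_Success "Make" "REDIS"
        make install
        If_Success "Install" "REDIS"

        cd "${INSTALL_DIR}/${REDIS}/src" || return 1
        cp -a redis-server redis-benchmark redis-cli "${WORK_REDIS}"
        cp -a "${CONF}/redis.conf" "${WORK_REDIS}"
        cd "${WORK_REDIS}" || return 1

        # NOTE(review): the server is started by root, so it runs as root unless
        # something else drops privileges. The bundled redis.conf is not shown;
        # confirm that it binds to loopback (or requires authentication) and
        # consider a dedicated unprivileged account.
        ./redis-server redis.conf > /dev/null 2>&1 &
        sleep 3
        if netstat -tunlp | grep redis > /dev/null 2>&1
        then
            blue_echo "Redis is started..."
        else
            red_echo "Error:Redis started failed..."
        fi
    }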
    
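    # Restart the iptables service with the tool that matches the release.
    # Returns: the exit status of the restart command
    _Iptables_Restart()
    {
        if [ "${system_version:-0}" -eq 7 ]
        then
            /usr/bin/systemctl restart iptables > /dev/null 2>&1
        else
            service iptables restart > /dev/null 2>&1
        fi
    }

    # Insert the INPUT rules. Every "-I INPUT" puts its rule at the top of the
    # chain, so the commands run in the reverse of the order in which packets
    # are matched. The resulting order, first match wins:
    #   1. ssh set, tcp/22  -> ACCEPT  (office addresses keep SSH access)
    #   2. bmd (whitelist)  -> ACCEPT
    #   3. black            -> DROP
    #   4. timeout          -> DROP
    #   5. tcp/80           -> ACCEPT
    #   6. tcp/443          -> ACCEPT
    # The original inserted the 80/443 rules last, which placed them above the
    # two DROP rules: blocked addresses could still reach the web ports.
    # NOTE(review): the bmd rule accepts whitelisted sources on every port, not
    # only 80/443.
    _Iptables_Insert_Rules()
    {
        iptables -I INPUT -p tcp --dport 443 -j ACCEPT
        iptables -I INPUT -p tcp --dport 80 -j ACCEPT
        iptables -I INPUT -m set --match-set timeout src -j DROP
        iptables -I INPUT -m set --match-set black src -j DROP
        iptables -I INPUT -m set --match-set bmd src -j ACCEPT
        iptables -I INPUT -m set --match-set ssh src -p tcp --destination-port 22 -j ACCEPT
    }

    ## Install ipset when missing, create the sets, load the firewall rules and
    ## schedule the periodic dumps of the sets.
    # Globals: reads SRC_DIR, NGINX_LUA, CONF, system_version and the optional
    #          SSH_ALLOW_IP; sets IPSET, IPTABLES_CONF, IPSET_CONF
    # Returns: 1 on a missing directory, failed download or bad RPM signature
    Install_Ipset()
    {
        IPSET="ipset-6.38"
        IPTABLES_CONF="/etc/sysconfig"
        IPSET_CONF="/usr/local/ipset"
        local kernel_rpm="kernel-devel-2.6.32-754.3.5.el6.x86_64.rpm"
        # Address allowed to reach SSH; override with SSH_ALLOW_IP. If the
        # copied iptables file drops by default and this is not the address you
        # administer the host from, you lose SSH access.
        local ssh_allow_ip="${SSH_ALLOW_IP:-192.168.2.200}"

        ## Install
        cd "${SRC_DIR}/${NGINX_LUA}" || return 1
        if ! ipset version > /dev/null 2>&1
        then
            # https instead of http: the sources are built and installed as root.
            wget "https://ipset.netfilter.org/${IPSET}.tar.bz2" || return 1
            echo "Extracting ${IPSET}..."
            tar xf "${SRC_DIR}/${NGINX_LUA}/${IPSET}.tar.bz2" || return 1
            echo "Done..."
            cd "${SRC_DIR}/${NGINX_LUA}/${IPSET}" || return 1
            if ! ./configure > /dev/null 2>&1
            then
                # Fallback from the original: install kernel-devel and retry.
                # The RPM arrives over plain http, so its signature is checked
                # before it is installed.
                # NOTE(review): the version is hard-coded and may not match the
                # running kernel.
                wget "http://www.rpmfind.net/linux/centos/6.10/updates/x86_64/Packages/${kernel_rpm}" || return 1
                rpm -K "${kernel_rpm}" || return 1
                rpm -ivh "${kernel_rpm}"
                ./configure
            fi
            # $? here is 0 when the first configure worked, otherwise the status
            # of the retry above.
            If_Success "Configure" "IPSET"
            make
            If_Success "Make" "IPSET"
            make install
            If_Success "Install" "IPSET"
        else
            echo "Skipping: IPSET already install..."
        fi

        ## Create the sets
        # "timeout" is the set name; it is stored as a hash of IP addresses.
        # ipset holds 65536 elements by default and maxelem raises that. Entries
        # expire after 300 seconds, which lifts the block again.
        ipset create timeout hash:ip maxelem 100000 timeout 300
        ipset create bmd hash:ip maxelem 100000      # whitelist, permanent
        ipset create black hash:ip maxelem 100000    # blacklist, permanent
        ipset create ssh hash:ip maxelem 100000      # office egress addresses

        ## Add the SSH whitelist entry
        ipset add ssh "${ssh_allow_ip}"

        ## Firewall rules
        # NOTE(review): firewalld is switched off before iptables is known to
        # work; if the restart below fails the host is left without a firewall.
        /usr/bin/systemctl stop firewalld.service > /dev/null 2>&1
        /usr/bin/systemctl disable firewalld.service > /dev/null 2>&1
        cp -a "${CONF}"/iptables* "${IPTABLES_CONF}"
        if _Iptables_Restart
        then
            _Iptables_Insert_Rules
            service iptables save
            if _Iptables_Restart
            then
                blue_echo "Iptables is started..."
            else
                red_echo "Error:Iptables started failed..."
            fi
        else
            red_echo "Error:Iptables started failed..."
        fi

        ## Persist the sets
        [ -d "${IPSET_CONF}" ] || mkdir -p "${IPSET_CONF}"

        # Appended to root's crontab: a clock sync every eight hours and a dump
        # of each set every minute. Running this function again appends the
        # lines a second time.
        printf '%s\n' \
            '0 */8 * * *  /usr/sbin/ntpdate ntp1.aliyun.com;/sbin/hwclock -w' \
            '*/1 * * * * /usr/sbin/ipset save black > /usr/local/ipset/black.txt' \
            '*/1 * * * * /usr/sbin/ipset save timeout > /usr/local/ipset/timeout.txt' \
            '*/1 * * * * /usr/sbin/ipset save bmd > /usr/local/ipset/bmd.txt' \
            '*/1 * * * * /usr/sbin/ipset save ssh > /usr/local/ipset/ssh.txt' \
            >> /var/spool/cron/root
    }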
    
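    ## System tuning
    # Raises the open-file limit in /etc/profile, appends kernel settings to
    # /etc/sysctl.conf and applies them, and raises nofile/nproc limits.
    # Every file that is modified is backed up once, on the first run only, so
    # a second run cannot overwrite the pristine copy.
    System_Optimization()
    {
        echo ulimit -n 65535 >> /etc/profile
        source /etc/profile

        [ -e /etc/sysctl.conf.bak ] || cp -a /etc/sysctl.conf /etc/sysctl.conf.bak
        # Changes from the original list:
        #  - fs.nr_open was written twice; it is written once.
        #  - net.ipv4.tcp_tw_recycle is written commented out. It is known to
        #    drop connections from clients behind NAT and newer kernels no
        #    longer have the setting.
        # NOTE(review): fs.file-max (51200) is below the per-process nofile
        # limit (65535) set further down; confirm the intended value.
        printf '%s\n' \
            'fs.nr_open = 1048576' \
            'fs.file-max = 51200' \
            'net.ipv4.tcp_congestion_control = hybla' \
            'net.ipv4.tcp_max_syn_backlog = 16384' \
            'net.ipv4.tcp_synack_retries = 3' \
            'net.ipv4.tcp_syn_retries = 3' \
            'net.ipv4.tcp_syncookies = 1' \
            'net.ipv4.tcp_tw_reuse = 1' \
            '#net.ipv4.tcp_tw_recycle = 1' \
            'net.ipv4.tcp_fin_timeout = 30' \
            'kernel.pid_max = 32768' \
            '#net.ipv4.ip_conntrack_max = 10240' \
            'net.ipv4.ip_local_port_range = 1024  65535' \
            'vm.overcommit_memory=1' \
            >> /etc/sysctl.conf
        sysctl -p

        [ -e /etc/security/limits.conf.bak ] ||
            cp -a /etc/security/limits.conf /etc/security/limits.conf.bak
        printf '%s\n' \
            '* soft nofile 65535' \
            '* hard nofile 65535' \
            '* soft nproc 65535' \
            '* hard nproc 65535' \
            >> /etc/security/limits.conf

        [ -e /etc/security/limits.d/20-nproc.conf.bak ] ||
            cp -a /etc/security/limits.d/20-nproc.conf /etc/security/limits.d/20-nproc.conf.bak
        # This file is replaced, not appended to.
        printf '%s\n' \
            '*          soft    nproc     65535' \
            'root       soft    nproc     unlimited' \
            > /etc/security/limits.d/20-nproc.conf
    }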
    
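    ## Copy the bundled configuration into place
    # Creates the log and cache directories, copies geoip/lua/lualib and
    # nginx.conf into the Tengine conf directory and hands the trees to nginx.
    # Globals: reads NGINX_DIR, CONF; sets NGINX_FILE
    # Returns: 1 if the bundle directory cannot be entered
    Copy_File()
    {
        NGINX_FILE="/root/nginx-tengine+lua"

        mkdir -p /home/nginx/logs
        mkdir -p /data/proxy_cache_path
        mkdir -p /data/proxy_temp_path
        # NOTE(review): this changes the owner of everything under /data, not
        # only the two directories created above.
        chown -R nginx:nginx /data

        # Without this guard the relative copy below would run from whatever
        # directory is current when the bundle is missing.
        cd "${NGINX_FILE}" || return 1
        cp -a geoip lua lualib "${NGINX_DIR}/conf"
        cp -a "${CONF}/nginx.conf" "${NGINX_DIR}/conf"
        # -p so that a second run does not fail on the existing directory.
        mkdir -p "${NGINX_DIR}/conf/vhosts"

        # NOTE(review): this makes the nginx binary and its configuration
        # writable by the worker account, while the master process is started
        # by root. Consider keeping sbin/ and conf/ owned by root and giving
        # nginx only the directories it has to write to.
        chown -R nginx:nginx "${NGINX_DIR}"
    }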
    
    ## Start nginx
    # Runs the installed nginx binary and reports the result with blue_echo on
    # success or red_echo on failure.
    NGINX_START()
    {
        if "${NGINX_DIR}/sbin/nginx"; then
            blue_echo "Nginx is started..."
            return
        fi
        red_echo "Error:Nginx started faild..."
    }
    
    # Run every stage in order. A stage that fails does not stop the stages
    # that come after it.
    for stage in Install_Package Install_Nginx Create_Sock Install_Redis \
                 Install_Ipset System_Optimization Copy_File NGINX_START
    do
        "$stage"
    done
    

    开机脚本

    [root@cc nginx]# cat inotify.sh 
    #!/bin/bash
    #	> File Name: inotify.sh
    # 	> Author: cc
    # 	> mail: 547253687@qq.com
    # 	> Created Time: Fri 16 Nov 2018 11:02:58 AM CST
    
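    # Major release number parsed from /etc/redhat-release.
    system_version=$(grep -o "[0-9].*[0-9]" /etc/redhat-release | awk '{print int($0)}')

    sock_path=/tmp/shell.sock
    sockproc_bin=/root/nginx-tengine+lua/sockproc-master/sockproc

    # Remove a stale socket before starting sockproc. The original removed only
    # /usr/local/ipset/shell.sock, which is not the path the daemon listens on;
    # both paths are cleared here.
    rm -f -- /usr/local/ipset/shell.sock "$sock_path"

    # sockproc is started as root, and per the upstream sockproc project it runs
    # the shell commands it receives on this socket (NOTE(review): confirm for
    # the bundled copy). Mode 0666 would let any local account use it, so access
    # is limited to root and the nginx group. If nginx.conf sets a different
    # worker user, use that group here.
    if "$sockproc_bin" "$sock_path"; then
        chown root:nginx "$sock_path" && chmod 0660 "$sock_path"
    fi

    # NOTE(review): started by root with the config copied at install time;
    # confirm that redis.conf binds to loopback or requires authentication.
    /etc/redis/redis-server /etc/redis/redis.conf >/dev/null 2>&1 &

    # Restore the sets before iptables is restarted, because the saved rules
    # refer to them by name. The dump files are rewritten every minute by cron,
    # so an empty or missing file is reported instead of being passed to ipset.
    # NOTE(review): when a set is missing, the rules that match on it cannot be
    # loaded; check the state of the firewall after any warning printed here.
    for set_name in black timeout bmd ssh; do
        dump_file=/usr/local/ipset/${set_name}.txt
        if [ -s "$dump_file" ]; then
            /usr/sbin/ipset restore <"$dump_file"
        else
            echo "Warning: ${dump_file} is missing or empty, set ${set_name} not restored" >&2
        fi
    done

    if [ "${system_version:-0}" -eq 7 ]
    then
        /usr/bin/systemctl restart iptables
    else
        /sbin/service iptables restart
    fi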
    
  • 原文地址:https://www.cnblogs.com/jcici/p/9990565.html