Installing NGINX


References

Installing from source (self-compiled)

  • Put the source tree under /usr/local/src/.
  • By default the build installs under /usr/local/nginx/, and the binary that runs is /usr/local/nginx/sbin/nginx.
  • The development packages it depends on must be installed first:
    zlib1g-dev libpcre3-dev libssl-dev libkqueue-dev (the kqueue package appears to be superfluous with the default build)
  • Next, generate the build configuration with ./configure.
  • In fact, with the default options, ./configure printed an error saying openssl could not be found, so I went through the fixes offered by the references above (entries 2-6).
  • What is actually going on (entry 7) is, apparently, that the built-in defaults already use HTTPS-related parameters, but the user still has to request HTTPS explicitly for it to be compiled in; the mismatch between the two produces that error message. The fix is to request HTTPS explicitly (which we should be using anyway), i.e. add the --with-http_ssl_module option, and the message goes away.
  • The version I used is nginx version: nginx/1.20.1
  • So the installation comes down to three steps (configure and make do not need root and should be run as a normal user; only make install writes outside the source tree):
    ./configure --with-http_ssl_module --with-http_v2_module
    make
    sudo make install
  • Basic command-line usage (from /usr/local/nginx/sbin/):
    help
    sudo ./nginx -h
    show the version
    sudo ./nginx -v
    version plus build details (compiler, configure arguments)
    sudo ./nginx -V
    start nginx
    sudo ./nginx
    stop nginx gracefully (workers finish their in-flight requests)
    sudo ./nginx -s quit
    reload the configuration without interrupting service
    sudo ./nginx -s reload
    stop nginx immediately
    sudo ./nginx -s stop
    point at a specific configuration file
    sudo ./nginx -c path_to_conf_file
    check that the configuration is valid
    sudo ./nginx -t

Service (systemd unit file)

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Configuration

  • I do not yet understand what the entries in the configuration refer to, nor how they are organized or what their effects and impact are, so for now I can only digest them gradually.
  • Following the WordPress nginx configuration example, I created a few subdirectories under the conf directory to hold sub-configurations, which nginx.conf pulls in via include (generic means shared configuration; global here also means shared, not global scope):
  • ./generic/global.conf
  • ./generic/restrictions.conf
  • ./sites/sites.conf
  • ./sites/my_site.conf
  • ./sites/my_localhost.conf
  • in nginx.conf:
    include /usr/local/nginx/conf/generic/global.conf;
  • in sites.conf (this is the file to modify when adding or removing sites):
    include /usr/local/nginx/conf/sites/my_site.conf;
    include /usr/local/nginx/conf/sites/my_localhost.conf;
    include /usr/local/nginx/conf/sites/my_site_1.conf;
    include /usr/local/nginx/conf/sites/my_site_2.conf;

global.conf

user www-data www-data;


#usually equal to number of CPUs you have. run command "grep processor /proc/cpuinfo | wc -l" to find it
worker_processes    auto;
worker_cpu_affinity auto;


error_log           /usr/local/nginx/logs/error.log;
pid                 /usr/local/nginx/logs/nginx.pid;


# Keeps the logs free of messages about not being able to bind().
#daemon     off;


events {
    worker_connections      1024;
}


http {
#   rewrite_log     on;
    include                 /usr/local/nginx/conf/mime.types;
    default_type            application/octet-stream;
    access_log              /usr/local/nginx/logs/access.log;
    sendfile                on;
#   tcp_nopush      on;
    keepalive_timeout       3;
#   tcp_nodelay     on;
    gzip                    on;
    index                   index.php index.html index.htm;


# php max upload limit cannot be larger than this
#   client_max_body_size 13m;


# Upstream to abstract backend connection(s) for PHP.
    upstream php {
        # this should match value of "listen" directive in php-fpm pool
        server unix:/run/php/php-fpm.sock;
    }

    include /usr/local/nginx/conf/sites/sites.conf;
}

restrictions.conf

# Global restrictions configuration file.
# Designed to be included in any server {} block.


location = /favicon.ico {
    log_not_found off;
    access_log off;
}


location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}


# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}


# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

my_site.conf

# WordPress single site rules.
# Designed to be included in any server {} block.


server {
    server_name  _;
    return 302 $scheme://example.com$request_uri;
}


server {

    ## Your website name goes here.
    server_name example.com;

    ## Your only path reference.
    root /var/web/wordpress;

    index index.php;

    include /usr/local/nginx/conf/generic/restrictions.conf;


    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # Belt and braces: only hand an existing file to PHP-FPM, so a request such as
        # /path/image.jpg/x.php is rejected here even if php.ini is misconfigured.
        try_files $uri =404;
        include /usr/local/nginx/conf/fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }


    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}
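As an added illustration (my own example, not part of the original configuration above), here is a small Python model of how the regex locations in restrictions.conf and my_site.conf route a request, and why the cgi.fix_pathinfo note on the PHP location matters. The file list and the URIs are constructed; nothing here touches a real server. It shows that a request such as /wp-content/themes/demo/logo.jpg/x.php slips past the uploads rule and, with cgi.fix_pathinfo=1, PHP-FPM would execute logo.jpg as PHP, whereas adding try_files $uri =404; to the PHP location makes nginx reject it regardless of the php.ini setting.

```python
import re

# Regexes taken from restrictions.conf and my_site.conf above. nginx compiles them
# with PCRE; for these simple patterns Python's re behaves the same way.
HIDDEN_FILES = re.compile(r"/\.")                               # location ~ /\.
UPLOADS_PHP = re.compile(r"/(?:uploads|files)/.*\.php$", re.I)  # location ~* /(?:uploads|files)/.*\.php$
PHP_HANDLER = re.compile(r"\.php$")                             # location ~ \.php$

# Constructed stand-in for the document root /var/web/wordpress: the set of
# files that exist, as URI paths. Hypothetical tree, not a real site.
FILES = {
    "/index.php",
    "/wp-login.php",
    "/wp-content/uploads/2021/avatar.jpg",
    "/wp-content/themes/demo/style.css",
    "/wp-content/themes/demo/logo.jpg",
    "/.git/config",
}


def fix_pathinfo_resolve(uri):
    """Emulate PHP's cgi.fix_pathinfo=1 on SCRIPT_FILENAME = $document_root$uri:
    when the full path does not exist, PHP strips trailing components until it
    finds an existing file and executes *that* file, treating the remainder as
    PATH_INFO. Returns the file that would be executed, or None."""
    parts = uri.split("/")
    for end in range(len(parts), 1, -1):
        candidate = "/".join(parts[:end])
        if candidate in FILES:
            return candidate
    return None


def route(uri, hardened):
    """Walk the location rules in the order they appear in the server block and
    return (outcome, file). 'hardened' adds 'try_files $uri =404;' to the PHP
    location, so only a URI naming an existing file reaches PHP-FPM."""
    # restrictions.conf is included before the other locations, so its deny
    # rules win among the regex locations.
    if HIDDEN_FILES.search(uri) or UPLOADS_PHP.search(uri):
        return ("403 deny", None)
    if PHP_HANDLER.search(uri):
        if hardened and uri not in FILES:
            return ("404", None)          # try_files $uri =404 stops it inside nginx
        executed = fix_pathinfo_resolve(uri)
        if executed is None:
            return ("404", None)          # nothing to fall back to: PHP reports no input file
        return ("php", executed)
    # location / { try_files $uri $uri/ /index.php?$args; }
    return ("static", uri) if uri in FILES else ("php", "/index.php")


if __name__ == "__main__":
    for uri in ("/wp-login.php",
                "/wp-content/uploads/2021/avatar.jpg/x.php",
                "/wp-content/themes/demo/logo.jpg/x.php",
                "/.git/config"):
        print(f"{uri:48} default={route(uri, False)}  hardened={route(uri, True)}")
```

The uploads rule in restrictions.conf only covers the uploads and files directories; any other writable path under the document root has the same exposure, which is why the nginx-side try_files check is worth having in addition to cgi.fix_pathinfo=0.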

my_localhost.conf

server {

    ## Your website name goes here.
    server_name localhost;

    listen 8080;

    if ($host != localhost) {
        return 404;
    }

    ## Your only path reference.
    root /var/web/phpmyadmin;

    index index.php index.html index.htm;

    include /usr/local/nginx/conf/generic/restrictions.conf;

    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # Only hand an existing file to PHP-FPM (see the same rule in my_site.conf).
        try_files $uri =404;
        include /usr/local/nginx/conf/fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

}

SSL with Let's Encrypt Certbot

  • Install certbot with snap:
    sudo snap install --classic certbot
  • https://certbot.eff.org/docs/install.html
  • Then follow this page step by step:
    https://certbot.eff.org/instructions
  • Note that certbot's nginx plugin uses its own built-in default for the nginx configuration path and name, /etc/nginx/nginx.conf, and expects the nginx binary to be on the executable search path so that it can run it itself: it edits the configuration, then runs nginx and tests whether the certificate can be obtained. (Both defaults can be overridden with --nginx-server-root and --nginx-ctl.)
  • So the way to cope is: stop the service, make the configuration file and the binary findable at those paths, after which it should succeed, and then carry the modified configuration over to the real configuration file.
  • Finally, note that certbot renews certificates periodically, so the extra setup above presumably has to be kept. It is also possible that, while the nginx service is running, certbot renewing and validating the certificate will conflict with it. My follow-up workaround tests, within my limited ability, were that adding a link under /etc/nginx/ still failed at renewal. So either there is a script that goes with certbot, or the conf file (note: the already-modified conf) can only live there. The problem is unsolved for now; I'll handle it by hand when the certificate expires.
    By the way, running sudo certbot certonly --nginx just works. The scheduled job would then have to use this command, but I couldn't find that setting, so it stays like this for now.
  • Below is what was added to the configuration after it succeeded:
# block 1:
# note that these are within the server block.
# need to change example.com to yours.

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# block 2:
# need to change example.com to yours.

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
}
  • How to check a certificate's validity period:
  • openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem
  • Renewal: sudo certbot renew. The snap package installs a systemd timer (snap.certbot.renew.timer) that runs it automatically; sudo certbot renew --dry-run rehearses the renewal without issuing anything.
  • Removing a certificate you applied for:
  • sudo certbot delete
  • then choose the name to delete. Note that certbot delete only removes the local certificate files and renewal configuration; it does not revoke the certificate at the CA (that is sudo certbot revoke --cert-name NAME).
  • Finally, a few points to watch from the above:
  • After deleting, remember to update the nginx config files; the same when adding. We usually do this because a subdomain name changed, so the config files would point at certificate paths that no longer exist and nginx would report an error.
  • The common commands once more:
    sudo certbot --nginx
    sudo certbot certonly --nginx
    sudo certbot renew --dry-run
    sudo certbot delete
  • If several sites (domains, subdomains) are managed by the same nginx, you can run certbot for them separately (by leaving only the one to enable under sites-enabled and disabling all the others; whether that also keeps it from being merged with the others, I'm not certain). Each then gets its own certificate files with a unique name. A certificate issued for a.com alone does not cover www.a.com, and a redirect does not change which name the browser validates, though a plain-HTTP redirect on port 80 works for any name since no certificate is involved there. If several or all sites are enabled at once, certbot picks one of them for the certificate name and attaches the others as additional names, so all of them get TLS. The drawback of the latter is that anyone can read the full list of associated sites from the certificate. Bear in mind that separate certificates do not hide much either: every certificate Let's Encrypt issues is published in Certificate Transparency logs, so all the hostnames are discoverable (for example via crt.sh) either way.

Supplement 2021-09-17: installing with the default apt package

  • When installing PHP earlier I added a PPA, and it mentioned that an nginx package is also available there, so we add that PPA too, since the official Ubuntu packages are updated rather conservatively.
  • sudo add-apt-repository ppa:ondrej/nginx-mainline
  • We put the conf files for all sites under /etc/nginx/sites-available/.
  • In ./sites-enabled/ we create links to the sites we want enabled; nginx automatically picks up every file in that directory.
  • After that, compared with the build-from-source setup above, certbot installs, enables and renews without trouble: it finds and modifies the config files reached through the ln links.
  • One problem to watch for: the configuration shown earlier has to be adapted to this layout. In particular, if fastcgi_pass php; fails, that is because the upstream php { ... } block is defined in the global.conf shown above, not in the distribution's nginx.conf; either add that upstream block to the http context or use the socket path directly: fastcgi_pass unix:/run/php/php-fpm.sock;
  • See https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/
  • Beyond that there seem to be no other issues.
  • Coming back to this: if you build from source, you can set the install paths to match the apt layout, and none of the later trouble arises.
  • data files
    /etc/nginx
    /etc/nginx/nginx.conf
    /etc/nginx/mime.types
    /etc/nginx/fastcgi_params
    /etc/nginx/sites-available/
    /etc/nginx/sites-enabled/
    /etc/nginx/sites-disabled/
  • binary
    /usr/sbin/nginx
  • nginx.conf is shown below; remember to keep the paths in it consistent with the layout.
    Dynamically loaded modules, for instance, are enabled by config files under modules-enabled of this form:
    load_module modules/ngx_ssl_ct_module.so;
    load_module modules/ngx_http_ssl_ct_module.so;
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

Supplement 2021-09-25

  • Bringing the above together: we build from source but use the apt package's default paths, following the installation notes and the references above.
./configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --pid-path=/run/nginx.pid \
    --error-log-path=/var/log/nginx/nginx_error.log \
    --http-log-path=/var/log/nginx/nginx_access.log \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-stream \
    --with-stream_ssl_module
  • After configure, the output ends like this:
...
...
creating objs/Makefile

Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + using system zlib library

  nginx path prefix: "/etc/nginx"
  nginx binary file: "/usr/sbin/nginx"
  nginx modules path: "/etc/nginx/modules"
  nginx configuration prefix: "/etc/nginx"
  nginx configuration file: "/etc/nginx/nginx.conf"
  nginx pid file: "/run/nginx.pid"
  nginx error log file: "/var/log/nginx/nginx_error.log"
  nginx http access log file: "/var/log/nginx/nginx_access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"
  • Once the installation has finished,
  • run sudo make clean,
  • then rewrite nginx.conf to the default below (it still needs further changes afterwards)
# default file
# begin of nginx.conf

user                    www-data;
worker_processes        auto;
pid                     /run/nginx.pid;

# dynamic modules
include                 /etc/nginx/modules-enabled/*.conf;
error_log               /var/log/nginx/nginx_error.log;

events {
    worker_connections  768;
    # multi_accept        on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    # tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # keepalive_timeout   65;

    # server_names_hash_bucket_size       64;
    # server_name_in_redirect             off;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers           on;

    ##
    # Logging Settings
    ##
    # log_format          main '$remote_addr - $remote_user [$time_local] "$request" '
    #                     '$status $body_bytes_sent "$http_referer" '
    #                     '"$http_user_agent" "$http_x_forwarded_for"';

    access_log          /var/log/nginx/nginx_access.log;
    error_log           /var/log/nginx/nginx_error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    server {
        listen          80;
        server_name     localhost;

        # charset         koi8-r;

        # "main" can only be used once the log_format above is uncommented;
        # otherwise nginx -t fails with "unknown log format".
        access_log      /var/log/nginx/nginx_host_access.log;

        location / {
            root        html;
            index       index.html index.htm;
        }

        # error_page      404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page      500 502 503 504 /50x.html;
        location = /50x.html {
            root        html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        # location ~ \.php$ {
        #     proxy_pass  http://127.0.0.1;
        # }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        # location ~ \.php$ {
        #     root            html;
        #     fastcgi_pass    127.0.0.1:9000;
        #     fastcgi_index   index.php;
        #     fastcgi_param   SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #     include         fastcgi_params;
        # }

        # deny access to .htaccess files, if Apache's document root. concurs with nginx's one.
        # location ~ /\.ht {
        #     deny            all;
        # }
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    # server {
    #     listen          8000;
    #     listen          somename:8080;
    #     server_name     somename alias another.alias;

    #     location / {
    #         root        html;
    #         index       index.html index.htm;
    #     }
    # }


    # HTTPS server
    # server {
    #     listen              443 ssl;
    #     server_name         localhost;

    #     ssl_certificate     cert.pem;
    #     ssl_certificate_key cert.key;

    #     ssl_session_cache   shared:SSL:1m;
    #     ssl_session_timeout 5m;

    #     ssl_ciphers         HIGH:!aNULL:!MD5;
    #     ssl_prefer_server_ciphers on;

    #     location / {
    #         root            html;
    #         index           index.html index.htm;
    #     }
    # }
}


#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#   server {
#       listen     localhost:110;
#       protocol   pop3;
#       proxy      on;
#   }
#
#   server {
#       listen     localhost:143;
#       protocol   imap;
#       proxy      on;
#   }
#}

# end of nginx.conf
  • First we create the necessary set of directories under /etc/nginx.
sudo mkdir /etc/nginx/modules
sudo mkdir /etc/nginx/modules-available
sudo mkdir /etc/nginx/modules-enabled
sudo mkdir /etc/nginx/modules-disabled
sudo mkdir /etc/nginx/conf.d
sudo mkdir /etc/nginx/sites-available
sudo mkdir /etc/nginx/sites-enabled
sudo mkdir /etc/nginx/sites-disabled
  • The modified nginx.conf, with the paths adjusted to match:
# begin of nginx.conf


user                    www-data;

# usually equal to number of CPUs you have. run command "grep processor /proc/cpuinfo | wc -l" to find it
worker_processes        auto;
worker_cpu_affinity     auto;

# threading
# thread_pool             default_thread threads=64 max_queue=65536;

pid                     /run/nginx.pid;

# dynamic modules
include                 /etc/nginx/modules-enabled/*.conf;

error_log               /var/log/nginx/nginx_error.log;

# Keeps the logs free of messages about not being able to bind().
# daemon                  off;


events {
    worker_connections  768;
    # multi_accept        on;
    # accept_mutex        off;
}


http {

    ##
    # threading
    ##
    # aio                 threads=default_thread;

    ##
    # Basic Settings
    ##

    sendfile on;
    sendfile_max_chunk 512k;
    # tcp_nopush on;
    # tcp_nodelay on;
    # rewrite_log on;
    types_hash_max_size 2048;
    # server_tokens off;

    keepalive_timeout   65;

    # server_names_hash_bucket_size       64;
    # server_name_in_redirect             off;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols       TLSv1.2 TLSv1.3; # SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) dropped; certbot's options-ssl-nginx.conf sets ssl_protocols again inside its server blocks
    ssl_prefer_server_ciphers           on;

    ##
    # Logging Settings
    ##
    # log_format          main '$remote_addr - $remote_user [$time_local] "$request" '
    #                     '$status $body_bytes_sent "$http_referer" '
    #                     '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log          off;
    access_log          /var/log/nginx/nginx_access.log;
    error_log           /var/log/nginx/nginx_error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    # php max upload limit cannot be larger than this
    client_max_body_size 4096m; # 4G

    # Upstream to abstract backend connection(s) for PHP.
    upstream php {
        # this should match value of "listen" directive in php-fpm pool
        server unix:/run/php/php-fpm.sock;
    }


    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


# end of nginx.conf
  • Finally, put the restrictions.conf shown earlier under /etc/nginx/ and include it from every server conf.
  • All server configuration files go under sites-available, with links to them created in sites-enabled,
  • and to take one out of service temporarily, just move its link into sites-disabled.
  • Also, since certbot earlier could not find the configuration files, I create the links with absolute paths; I have tried the whole procedure above this way and there were no problems.
  • Lastly, take special note: if you reinstall nginx, or reinstall the operating system, be sure to delete the certificates first; otherwise the freshly installed nginx must already have those certificate settings configured by hand in its .conf files so that certbot can renew them. The former is preferable, since starting over leaves no room for mistakes. Otherwise (my own judgement), clients connecting from elsewhere will pick up the original certificate, which does not match the newly created one, and the site becomes inaccessible.
  • NGINX has some further fine-grained settings; if a page behaves unexpectedly, the nginx settings may be the first thing to investigate. For example, see this part of nginx.conf:
# php max upload limit cannot be larger than this
client_max_body_size 4096m; # 4G
  • This line sets the largest request body, and so the largest file, that can be uploaded to the site. If it is not set, nginx's default client_max_body_size is 1m, so anything over about a megabyte is rejected with 413 Request Entity Too Large. Note that a value this large applies to every request on the server; it is tighter to set it only in the location that actually accepts uploads (and PHP's upload_max_filesize/post_max_size still have to allow it).
  • To lengthen the timeouts, in the http block or in server/location blocks (these three apply to proxy_pass backends; for PHP-FPM reached through fastcgi_pass the equivalents are fastcgi_connect_timeout, fastcgi_send_timeout and fastcgi_read_timeout):
http {
    ...
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    ...
}
  • Reference for adding --with-threads to configure:
    https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    I tried it in a basic way, though, and saw no great improvement.

    About the two lines in nginx.conf,
    worker_processes auto;
    worker_cpu_affinity auto;
    nginx then arranges the processes for best performance on our behalf. With systemctl status nginx we can see the processes it spawned; as a rule there are as many worker processes as cores, so auto is basically enough.
    If we want to pin every core by hand, it is written like this for 8 cores:
    worker_processes 8;
    worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;

    In principle, if the host only acts as a web server, multi-threading may have limited effect, because using it adds context-switch-like overhead; it may be no better than looping over all requests in a single thread. And if nginx's multi-threading corresponds to multi-site (I don't know), it might be worth trying when two or more sites run on the same host.

Supplement 2021-10-03: page speed and security testing

    # add_header directives are inherited by a location block only if that location
    # sets no add_header of its own, so keep these at the server level and repeat
    # them in any location that adds a header of its own.

    # Add HTTP Strict Transport Security (HSTS). Only meaningful in the HTTPS server block.
    add_header Strict-Transport-Security max-age=31536000;

    # Add X-Frame-Options security header
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Add X-XSS-Protection security header (legacy: current browsers ignore it; CSP is the replacement)
    add_header X-Xss-Protection "1; mode=block" always;

    # Add X-Content-Type-Options security header
    add_header X-Content-Type-Options "nosniff" always;

    # Add Content Security Policy security header.
    # The strict policy below breaks any theme or plugin that relies on inline scripts or styles:
    # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
    # The relaxed policy actually used allows inline scripts, eval() and any https: origin, so it
    # blocks almost nothing an XSS payload needs; treat it as a placeholder to tighten per site.
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
  • One more thing. Testing showed the pages apparently not being compressed, even though gzip is on in the config file (gzip on; note that gzip on by itself compresses only text/html, and other types need the gzip_types line among the commented options). My view is: only if WordPress's WP Super Cache is installed, turn on the gzip options that follow gzip on as well, so that WP Super Cache can pre-compress. Without a cache, on-the-fly compression is actually somewhat harmful to a tiny site with no server capacity to spare.
  • Since WP Super Cache came up, here is a very brief note on installing it. Before that: remember siege? See the earlier article. Once WP Super Cache is fully configured, remember to use siege to walk every link first; then the tests will be at their fastest, i.e. measuring the all-cached upper bound.
  • WP Super Cache:
  • Before installing, add two lines to wp-config.php; note they go above require_once( ABSPATH . 'wp-settings.php' );
    define( 'WPCACHEHOME', '/var/web/wordpress/wp-content/plugins/wp-super-cache/' );
    define( 'WP_CACHE', true );
  • Under "Settings -> WP Super Cache -> Advanced -> Rejected URL Strings", add two lines:
    sitemap-.*.xml
    sitemap.xml
  • And remember: if WP Super Cache clears its cache whenever a page is edited or updated, run siege again.

Supplement 2021-10-24: my final version, for reference

# Some values need replacing with your own; these are not marked separately
# Places that must be changed are marked ****************
# begin of nginx.conf


user                    www-data;

# usually equal to number of CPUs you have. run command "grep processor /proc/cpuinfo | wc -l" to find it
worker_processes        auto;
worker_cpu_affinity     auto;

# threading
# thread_pool             default_thread threads=64 max_queue=65536;

pid                     /run/nginx.pid;

# dynamic modules
include                 /etc/nginx/modules-enabled/*.conf;

error_log               /var/log/nginx/nginx_error.log;

# Keeps the logs free of messages about not being able to bind().
# daemon                  off;


events {
    worker_connections  768;
    # multi_accept        on;
    # accept_mutex        off;
}


http {

    ##
    # threading
    ##
    # aio                 threads=default_thread;

    ##
    # Basic Settings
    ##

    sendfile on;
    sendfile_max_chunk 512k;
    # tcp_nopush on;
    # tcp_nodelay on;
    # rewrite_log on;
    types_hash_max_size 2048;
    # server_tokens off;

    keepalive_timeout   65;

    # server_names_hash_bucket_size       64;
    # server_name_in_redirect             off;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols       TLSv1.2 TLSv1.3; # SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) dropped; certbot's options-ssl-nginx.conf sets ssl_protocols again inside its server blocks
    ssl_prefer_server_ciphers           on;

    ##
    # Logging Settings
    ##
    # log_format          main '$remote_addr - $remote_user [$time_local] "$request" '
    #                     '$status $body_bytes_sent "$http_referer" '
    #                     '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log          off;
    access_log          /var/log/nginx/nginx_access.log;
    error_log           /var/log/nginx/nginx_error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 256k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    # php max upload limit cannot be larger than this
    client_max_body_size 4096m; # 4G

    # Upstream to abstract backend connection(s) for PHP.
    upstream php {
        # this should match value of "listen" directive in php-fpm pool
        server unix:/run/php/php-fpm.sock;
    }


    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;


    server {
        # Catch-all for requests whose Host header matches no other server_name.
        # With no listen directive this only listens on *:80; on 443 nginx falls
        # back to the first server block that listens there unless one is marked
        # "listen 443 ssl default_server" (which also needs a certificate).
        server_name  _;
        root /var/web/****************;
        #return 302 $scheme://example.com$request_uri;
        return 302 ****************error.html;
    }


}


# end of nginx.conf
# Some values need replacing with your own; these are not marked separately
# Places that must be changed are marked ****************
# begin of server_1.conf


# WordPress single site rules.
# Designed to be included in any server {} block.


server {

    ## Your website name goes here.
    server_name ****************.tw www.****************.tw;

    ## Your only path reference.
    root /var/web/****************;
    #root /var/web/****************;

    index index.php;

    include /etc/nginx/restrictions.conf;

    access_log /var/log/nginx/nginx_host_access.log;


    # Add HTTP Strict Transport Security(HSTS)
    add_header Strict-Transport-Security max-age=31536000;

    # Add X-Frame-Options security header
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Add X-XSS-Protection security header (legacy: current browsers ignore it)
    add_header X-Xss-Protection "1; mode=block" always;

    # Add X-Content-Type-Options security header
    add_header X-Content-Type-Options "nosniff" always;

    # Add Content Security Policy security header
    # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
    # Relaxed policy ('unsafe-inline', 'unsafe-eval', any https: origin): little XSS mitigation; tighten per site.
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;


    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # Belt and braces: only hand an existing file to PHP-FPM, so a request such as
        # /path/image.jpg/x.php is rejected here even if php.ini is misconfigured.
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }


    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/****************/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/****************/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}


server {

    server_name ****************.tw www.****************.tw;
    listen 80;
    return 301 https://$host$request_uri;

}


# end of server_1.conf
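To tie the TLS settings and the security headers together, here is an added Python checker (my own example, not code from the original post) that parses a condensed excerpt of the nginx.conf and server_1.conf above and reports the settings discussed on this page: legacy TLS versions in ssl_protocols, server_tokens left on, HSTS without always, the deprecated X-XSS-Protection header, a CSP that allows 'unsafe-inline'/'unsafe-eval', and a PHP location without try_files. The two embedded configs are constructed excerpts, and the parser is deliberately minimal.

```python
import re

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse_nginx(text):
    """Minimal nginx config parser returning nested (directive, args, children)
    tuples; children is None for simple directives. Comments are stripped per
    line and quoted arguments kept whole. Enough for this audit, not a full
    grammar (a '#' inside a quoted value would be mis-read, for instance)."""
    cleaned = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = TOKEN.findall(cleaned)
    pos = 0

    def block():
        nonlocal pos
        items, stmt = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if stmt:
                    items.append((stmt[0], stmt[1:], None))
                stmt = []
            elif tok == "{":
                items.append((stmt[0], stmt[1:], block()))
                stmt = []
            elif tok == "}":
                return items
            else:
                stmt.append(tok)
        return items

    return block()


def walk(tree):
    """Yield every directive in the tree, depth first."""
    for name, args, children in tree:
        yield name, args, children
        if children:
            yield from walk(children)


def audit_config(text):
    """Return a list of findings for the settings discussed on this page."""
    findings, seen = [], set()
    for name, args, children in walk(parse_nginx(text)):
        seen.add(name)
        if name == "ssl_protocols":
            bad = sorted(LEGACY_TLS & set(args))
            if bad:
                findings.append("ssl_protocols allows legacy protocols: " + " ".join(bad))
        elif name == "server_tokens" and args != ["off"]:
            findings.append("server_tokens is not off: nginx version shown in Server header and error pages")
        elif name == "add_header" and len(args) >= 2:
            header, value = args[0].lower(), args[1].strip("\"'")
            if header == "strict-transport-security" and "always" not in args:
                findings.append("Strict-Transport-Security lacks 'always': not sent on 4xx/5xx responses")
            elif header == "x-xss-protection":
                findings.append("X-XSS-Protection is deprecated: current browsers ignore it, use CSP")
            elif header == "content-security-policy" and ("'unsafe-inline'" in value or "'unsafe-eval'" in value):
                findings.append("Content-Security-Policy allows 'unsafe-inline'/'unsafe-eval': little XSS mitigation")
        elif name == "location" and children is not None and any(a.endswith(r"\.php$") for a in args):
            if not any(child[0] == "try_files" for child in children):
                findings.append("location " + " ".join(args) + " passes to PHP without 'try_files $uri =404'")
    if "server_tokens" not in seen:
        findings.append("server_tokens not set (defaults to on): nginx version shown in Server header and error pages")
    return findings


# Constructed excerpt condensed from the nginx.conf and server_1.conf on this page.
SAMPLE = r"""
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    server {
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
        location ~ \.php$ {
            fastcgi_pass php;
        }
    }
}
"""

# The same excerpt with the weak settings corrected.
HARDENED = r"""
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;
    server {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:" always;
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass php;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE), ("hardened", HARDENED)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against a real config by reading the file into audit_config; the checks only look at the directives named above, so a clean result means those particular settings are in order, not that the whole configuration is.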

Categories: Website setup
