Nginx自建CDN 第二篇

正文索引 [隐藏]

Nginx自建CDN 第二篇

Nginx反代Cloudflare网站

反代Cloudflare的好处在哪里
可以解决国内用户访问慢的问题(反代机器的线路质量决定)
可以解决源站和反代机器之间延迟过高,延迟不稳定的问题,缓解源站压力,被Cloudflare缓存的页面可以直接从Cloudflare读取。

如果只是简单的反代http页面,在反代服务器简单的配置以下即可,例如使用宝塔面板的,默认设置即可成功实现反代cloudflare http站点
(反代服务器如果跟cloudflare给予的Anycast节点IP延迟过高,或者因为反代服务器IP是广播问题而造成的cloudflare分配到错误的节点问题,可以通过修改反代服务器的hosts文件进行修改)

如果接下来只是单纯的Nginx文件配置设置,把反代的地址从http改为https的话,你会发现报错(有些Nginx环境配置好后可以打开页面,但是动态链接无法使用,例如无法评论,无法注册登录,也是相同报错)只要在反代设置规则里面加入

proxy_ssl_name $host;
proxy_ssl_server_name on;

即可成功反代Cloudflare的https站点

方法来自好东东大佬

Nginx缓存到内存

这个只需将缓存目录设置在/dev/shm/下即可

配置文件:

proxy_cache_path /dev/shm/moec.top levels=1:2 keys_zone=laoxong:1m inactive=30m max_size=50m;
server {
 listen 80;
 listen 443 ssl http2;
 ssl_certificate /usr/local/nginx/conf/ssl/moec.crt;
 ssl_certificate_key /usr/local/nginx/conf/ssl/moec.key;
 ssl_session_timeout 1d;
 ssl_session_cache builtin:1000 shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_ciphers "TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5";

 ssl_prefer_server_ciphers on;

 ssl_stapling on;
 ssl_stapling_verify on;

 server_name 你的域名;
 access_log /usr/local/nginx/caches/moec.top_nginx.log combined;

 charset utf-8,gbk;
 location / {
 proxy_set_header Accept-Encoding "";
 proxy_pass https://你的网站;
 proxy_redirect off;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_cache laoxong;
 proxy_cache_key $uri$is_args$args;
 proxy_cache_valid 200 304 30m;
 proxy_cache_valid 301 24h;
 proxy_cache_valid 500 502 503 504 0s;
 proxy_cache_valid any 1s;
 proxy_cache_min_uses 1;
 expires 12h;
 }
 location ~ /purge(/.*) {
                allow              all;
                allow              127.0.0.1;
            #   deny               all;
                proxy_cache_purge laoxong $1$is_args$args;
 }
}

注意max_size不要超了内存大小哦

/dev/shm的容量默认最大为内存的一半大小,使用df -h命令可以看到。但它并不会真正的占用这块内存,如果/dev/shm/下没有任何文件,它占用的内存实际上就是0字节。

如果需要使用到这个目录,并且默认的大小不够使用,而其他程序占用的内存又比较少的时候,可以修改器最大占用内存的大小,来达到自己的目的。
其实修改它的原理很简单,对其进行重新挂载即可,挂载的时候指定挂载参数。

mount -o size=5128M  -o remount /dev/shm

上面对/dev/shm进行了重新挂载,并修改其大小为5G

Nginx 配置 WAF(Web Application Firewall)

1.安装 VeryNginx

VeryNginx 依赖以下三个 Nginx 模块:

  • lua-nginx-module
  • http_stub_status_module
  • http_ssl_module

VeryNginx 安装

git clone https://github.com/alexazhou/VeryNginx.git
cd VeryNginx
python install.py install verynginx

2.编译Nginx

是的,又要编译Nginx

所需插件:LuaJIT ngx_devel_kit ngx_lua

Oneinstack用户

如果你是Oneinstack用户且看过上一篇可以使用一下方法编译

cd ~/oneinstack/src/
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT*.tar.gz
cd LuaJIT-2.0.5/
make
make install 
ln -sf luajit-2.0.5 /usr/local/LuaJIT/bin/luajit
echo "/usr/local/luajit/lib" > /etc/ld.so.conf.d/usr_local_luajit_lib.conf
ldconfig
cd ../
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0/
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.zip
unzip v0.3.0.zip
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.14.tar.gz
tar xvf v0.10.14.tar.gz
tar zxvf pcre-8.43.tar.gz
tar zxvf openssl-1.1.1d.tar.gz 
wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
tar zxvf ngx_cache_purge-2.3.tar.gz
tar zxf nginx-*.tar.gz
cd nginx-1.16.1
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.1.1d --with-pcre=../pcre-8.43 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../lua-nginx-module-0.10.14
make -j2
mv /usr/local/nginx/sbin/nginx{,$(date +%m%d)}
cp objs/nginx /usr/local/nginx/sbin 
nginx -t
service nginx restart

其他用户

下载以下插件

LuaJIT

wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
make
make install
cd ../

设置环境变量:

export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0/

ngx_devel_kit

wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.zip
unzip v0.3.0.zip

ngx_lua

wget https://github.com/openresty/lua-nginx-module/archive/v0.10.7.zip
unzip v0.10.7.zip
编译安装(自行修改代码)
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.1.1d --with-pcre=../pcre-8.43 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../lua-nginx-module-0.10.7

如出现

nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory

编辑/etc/ld.so.conf.d/usr_local_lib.conf ,加入

# libc default configuration
/usr/local/lib
/usr/local/LuaJIT/lib

cat /etc/ld.so.conf
echo "/usr/local/lib" >> /etc/ld.so.conf

3.配置Nginx

/opt/verynginx/verynginx/nginx_conf/in_external.conf;
/opt/verynginx/verynginx/nginx_conf/in_http_block.conf;
/opt/verynginx/verynginx/nginx_conf/in_server_block.conf;

分别放在Nginx的主配置文件(/usr/local/nginx/conf/)的http配置块外部,http配置块内部,服务器配置块内部,在修改时请保留这三条。

user www www;
worker_processes auto;

error_log /data/wwwlogs/error_nginx.log crit;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}
#CC
include /opt/verynginx/verynginx/nginx_conf/in_external.conf;
http {
#CC
  include /opt/verynginx/verynginx/nginx_conf/in_http_block.conf;
  include mime.types;
  default_type application/octet-stream;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 1024m;
  client_body_buffer_size 10m;
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;
  server_tokens off;
  tcp_nodelay on;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  fastcgi_intercept_errors on;

  #Gzip Compression
  gzip on;
  gzip_buffers 16 8k;
  gzip_comp_level 6;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_proxied any;
  gzip_vary on;
  gzip_types
    text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    text/javascript application/javascript application/x-javascript
    text/x-json application/json application/x-web-app-manifest+json
    text/css text/plain text/x-component
    font/opentype application/x-font-ttf application/vnd.ms-fontobject
    image/x-icon;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";

  ##Brotli Compression
  #brotli on;
  #brotli_comp_level 6;
  #brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

  ##If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
  #open_file_cache max=1000 inactive=20s;
  #open_file_cache_valid 30s;
  #open_file_cache_min_uses 2;
  #open_file_cache_errors on;

######################## default ############################
  server {
#CC 
    include /opt/verynginx/verynginx/nginx_conf/in_server_block.conf;
    listen 80;
    server_name _;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.php;
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    location /nginx_status {
      stub_status on;
      access_log off;
      allow 127.0.0.1;
      deny all;
    }
    location ~ [^/]\.php(/|$) {
      #fastcgi_pass remote_php_ip:9000;
      fastcgi_pass unix:/dev/shm/php-cgi.sock;
      fastcgi_index index.php;
      include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
      expires 30d;
      access_log off;
    }
    location ~ .*\.(js|css)?$ {
      expires 7d;
      access_log off;
    }
    location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) {
      deny all;
    }
  }
########################## vhost #############################
  include vhost/*.conf;
}

#CC下的为添加的语句

之后测试配置看有没有报错:

nginx -t

没有的话,重启一下Nginx就OK了:

systemctl restart nginx

访问服务器的公网IP+/verynginx/index.html (默认的管理员账号密码:verynginx)即可看到配置页面