CentOS7 使用 yum 安装配置 Nginx 以及反向代理配置

[TOC]

参考资料

Installing nginx on Linux - 官网
centos 7 安装nginx以及nginx的目录详解 - CSDN
CentOS 7 安装Nginx 并配置自动启动 - CSDN
Centos7.3安装nginx
centos 7.0 查看selinux状态|关闭|开启 - csdn
Centos7 nginx提示错误 Access denied - 查看 SeLinux 限制日志
Using NGINX and NGINX Plus with SELinux - 官方指导，就是靠谱
技巧集：nginx作代理时，查看请求被转发到哪台服务器 -

使用 yum 安装 nginx

配置 yum 仓库

添加配置文件 vi /etc/yum.repos.d/nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

yum 安装 Nginx

yum -y install nginx

设置 nginx 为服务，开机启动

systemctl enable nginx.service
systemctl start nginx.service
systemctl status nginx.service # 确认服务是否启动
nginx -v # 查看版本

配置防火墙

firewall-cmd --permanent --add-port=80/tcp // ngnix 默认使用 80 端口，需要开放防火墙 80 端口
firewall-cmd --reload

配置 Nginx

查看 Nginx 配置文件路径 nginx -V 注意，V 大写

[root@localhost conf.d]# nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

两个关键配置如下：

--prefix=/etc/nginx ，nginx 工程路径：/etc/nginx
--conf-path=/etc/nginx/nginx.conf , 配置文件路径：/etc/nginx/nginx.conf

cat /etc/nginx/nginx.conf 可以在最后看到如下

user  root;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # 注意这里，配置文件放在 conf.d/ 中，且必须以 .conf 结尾
    include /etc/nginx/conf.d/*.conf; 
}

这里我们可以得知配置文件放在 conf.d/ 中，且必须以 .conf 结尾。从而我们可以在 conf.d/ 中，定义多个需要反向代理的配置，参考如下

[root@localhost conf.d]# ll
总用量 12
-rw-r--r--. 1 root root 1093 12月  4 23:01 default.conf
-rw-r--r--. 1 root root  341 1月  10 15:20 mirror.reading.zt.conf
-rw-r--r--. 1 root root  339 1月  10 14:25 test.reading.zt.conf

反向代理 192.168.0.232 -> test.reading.zt 配置为： vi /etc/nginx/conf.d/test.reading.zt.conf

server {
  listen       80;
  server_name  test.reading.zt;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-Ip $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://192.168.0.232:8080;
    add_header backendIP $upstream_addr;
    add_header backendCode $upstream_status;
  }
}

反向代理 192.168.0.233 -> mirror.reading.zt 配置为： vi /etc/nginx/conf.d/mirror.reading.zt.conf

server {
  listen       80;
  server_name  mirror.reading.zt;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-Ip $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://192.168.0.233:8080;
    add_header backendIP $upstream_addr;
    add_header backendCode $upstream_status;
  }
}

完成配置后，检查配置，并重启 nginx

nginx -t
nginx -s reload

配置反向代理时 SeLinx 限制

image.png

从 Nginx 异常日志 /var/log/nginx/error.log 中可以看到以下异常

2019/01/10 13:19:33 [crit] 1829#1829: *162 connect() to 192.168.0.232:8080 failed (13: Permission denied) while connecting to upstream, client: 192.168.0.196, server: test.reading.zt, request: "GET /library/index/login.html HTTP/1.1", upstream: "http://192.168.0.232:8080/library/index/login.html", host: "test.reading.zt"

处理方法 setsebool -P httpd_can_network_relay 1

配置查看请求被转发到哪台服务器

server {
  listen       80;
  server_name  mirror.reading.zt;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-Ip $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://192.168.0.233:8080;
    
    ## nginx 作代理时，查看请求被转发到哪台服务器，添加下面 2 行
    add_header backendIP $upstream_addr;
    add_header backendCode $upstream_status;
  }
}

以 chrome 为例，F12 后操作如下图