From 83e2e6f72cdb542af520f84450b35445fa37a65e Mon Sep 17 00:00:00 2001
From: Chaohao Li <10942323+chaohao-li@user.noreply.gitee.com>
Date: Thu, 1 Jun 2023 09:34:51 +0000
Subject: [PATCH] add 01 NGINX Plus 安装部署/Readme.md.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Chaohao Li <10942323+chaohao-li@user.noreply.gitee.com>
---
 .../Readme.md" | 471 ++++++++++++++++++
 1 file changed, 471 insertions(+)
 create mode 100644 "01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md"

diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md"
new file mode 100644
index 0000000..6917cae
--- /dev/null
+++ "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md"
@@ -0,0 +1,471 @@ +# LAB 环境准备 + +本次实验需要各位学员自备linux环境,建议使用CentOS 7.4+ 系统或 Ubuntu 18.04及以上系统: +本次实验需要申请 NGINX Plus 试用版 license; + +## 申请 NGIXN Plus 试用license + +登录 MyF5 网站,https://my.f5.com/manage/s/ ,如果您还没有 MyF5 账号的话,需要先注册一个用户账号。 +登录后,点击 TRAILS 进入试用申请界面 +![申请试用](images/Trail-1.png) + +您可以选择产品进行试用,在这里,我们选择API Connectivity Stack申请试用,包含了本次培训所需的license +![申请试用](images/Trail-2.png) + +稍等片刻,您将在页面下方获得本次申请的试用license,点击进入详情界面 +![获得试用](images/Trail-3.png) + +在这里,您可以下载所需的一切文件,我们需要下载ssl证书(nginx-mgmt-suite-acm-trail.crt)和私钥(nginx-mgmt-suite-acm-trail.key),这两个文件将允许您从 NGINX 官方仓库下载安装包 +![下载证书](images/Trail-4.png) + +## 实验环境准备 + +准备干净的linux系统 + +## 继续进入后续实验环节 + + +# 实验1 root安装非root用户运行 + +本次实验主要演示root用户安装NGINX Plus,非root用户使用的场景 + +## 安装 NGINX Plus (Root用户) + +### CentOS/RHEL 系统 + +1. 将下载好的 nginx-mgmt-suite-acm-trail.crt 和 nginx-mgmt-suite-acm-trail.key 文件导入到 /etc/ssl/nginx 文件夹中,并重命名为 nginx-repo.crt 和 nginx-repo.key + + ```bash + mkdir -p /etc/ssl/nginx + cd /etc/ssl/nginx + cp nginx-mgmt-suite-acm-trail.crt /etc/ssl/nginx/nginx-repo.crt + cp nginx-mgmt-suite-acm-trail.key /etc/ssl/nginx/nginx-repo.key + ``` + +2. 安装 ca-certificates wget 依赖包 + + ```bash + yum install ca-certificates wget + ``` + +3. 添加 NGINX plus 仓库 + + ```bash + wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo + ``` + +4. 安装 NGINX Plus + + ```bash + yum install nginx-plus + ``` + +5. 启用 NGINX Plus 服务,查看 NGINX 版本 + + ```bash + systemctl enable nginx.service + nginx -v + ``` + + 确认安装版本 + ```bash + nginx version: nginx/1.23.4 (nginx-plus-r29) + ``` + +### Ubuntu 系统 + +1. 将下载好的 nginx-mgmt-suite-acm-trail.crt 和 nginx-mgmt-suite-acm-trail.key 文件导入到 /etc/ssl/nginx 文件夹中,并重命名为 nginx-repo.crt 和 nginx-repo.key + + ```bash + mkdir -p /etc/ssl/nginx + cd /etc/ssl/nginx + cp nginx-mgmt-suite-acm-trail.crt /etc/ssl/nginx/nginx-repo.crt + cp nginx-mgmt-suite-acm-trail.key /etc/ssl/nginx/nginx-repo.key + ``` + +2. 
安装依赖包 + + ```bash + apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring + ``` + +3. 下载 NGIXN signing key + + ```bash + wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + ``` + + +4. 添加 NGINX plus 仓库 + + ```bash + printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list + ``` + +5. 获取 NGINX Plus apt 配置,导入至 /etc/apt/apt.conf.d + + ```bash + wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx + ``` + +6. 安装 NGINX Plus + + ```bash + apt-get update + apt-get install -y nginx-plus + ``` + +7. 查看 NGINX 版本 + + ```bash + nginx -v + ``` + + 确认安装版本 + ```bash + nginx version: nginx/1.23.4 (nginx-plus-r29) + ``` +至此,NGINX Plus 已安装完成,以下进行非root用户启动设置 + +## 设置非root用户运行环境 + +1. 新建用户组与用户,用于运维管理NGINX Plus + + ```bash + groupadd test + useradd -d /home/lee -r -m -s /bin/bash -g test lee + ``` + +2. 查看 NGIXN Plus 相关路径,并更改以下目录属性,将其归为用户所有 + + CentOS/RHEL系统 + ```bash + [root@centos nginx]# find / -name nginx + /etc/logrotate.d/nginx + /etc/ssl/nginx + /etc/nginx + /var/lib/nginx + /var/log/nginx + /var/cache/nginx + /usr/sbin/nginx + /usr/lib64/nginx + /usr/share/nginx + /usr/libexec/initscripts/legacy-actions/nginx + ``` + + Ubuntu系统 + ```bash + root@ubuntu:/etc/nginx# find / -name nginx + /var/lib/nginx + /var/cache/nginx + /var/log/nginx + /etc/ssl/nginx + /etc/nginx + /etc/logrotate.d/nginx + /etc/init.d/nginx + /usr/lib/nginx + /usr/share/nginx + /usr/sbin/nginx + ``` + +3. 
将上述文件夹所有权归为使用者 + + CentOS/RHEL系统 + ```bash + [root@centos nginx]# find / -name nginx + chown -R lee:test /etc/logrotate.d/nginx + chown -R lee:test /etc/ssl/nginx + chown -R lee:test /etc/nginx + chown -R lee:test /var/lib/nginx + chown -R lee:test /var/log/nginx + chown -R lee:test /var/cache/nginx + chown -R lee:test /usr/sbin/nginx + chown -R lee:test /usr/lib64/nginx + chown -R lee:test /usr/share/nginx + chown -R lee:test /usr/libexec/initscripts/legacy-actions/nginx + ``` + + Ubuntu系统 + ```bash + chown -R lee:test /var/lib/nginx + chown -R lee:test /var/cache/nginx + chown -R lee:test /var/log/nginx + chown -R lee:test /etc/ssl/nginx + chown -R lee:test /etc/nginx + chown -R lee:test /etc/logrotate.d/nginx + chown -R lee:test /etc/init.d/nginx + chown -R lee:test /usr/lib/nginx + chown -R lee:test /usr/share/nginx + chown -R lee:test /usr/sbin/nginx + ``` + +4. 切换至NGINX使用者用户(非root),在家目录下创建 NGINX Plus 工作目录,其中log文件夹存放 access.log 及 error.log,run 文件夹存放 pid 文件 + + ```bash + su lee + cd ~ + mkdir -p /home/lee/log /home/lee/run + ``` + 确认工作目录属性 + ```bash + [lee@centos ~]$ pwd + /home/lee + [lee@centos ~]$ ll + total 0 + drwxr-xr-x. 2 lee test 6 Jun 1 06:55 log + drwxr-xr-x. 2 lee test 6 Jun 1 06:55 run + ``` + +5. 修改 /etc/nginx/nginx.conf 文件,删除第一行的 `user nginx;` ,更新 log 及 pid 目录 + + ```bash + + worker_processes auto; + + error_log /home/lee/log/error.log notice; + pid /home/lee/run/nginx.pid; + + access_log /home/lee/log/access.log main; + ``` + +6. 此时,可以尝试使用 `nginx` 指令启动nginx,但会报错,因为非root用户无法默认无法绑定1024以下端口 + + ```bash + lee@ubuntu:/usr/share/nginx$ nginx + nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied) + ``` + +7. 切换回 root 用户,为 nginx 服务赋予绑定1024以下端口的能力 + + ```bash + su + setcap cap_net_bind_service=+eip /usr/sbin/nginx + ``` + +## 非root用户运行 NGINX Plus + +1. 再切换回 lee 用户,启动 NGINX Plus + + ```bash + root@ubuntu:/usr/share/nginx# su lee + lee@ubuntu:/usr/share/nginx$ nginx + ``` + +2. 
确认 nginx 由非root用户启动,并监听了80端口 + + ```bash + lee@ubuntu:/usr/share/nginx$ ps aux | grep nginx + lee 8077 0.0 0.0 25428 884 ? Ss 07:24 0:00 nginx: master process nginx + lee 8078 0.0 0.1 25812 2048 ? S 07:24 0:00 nginx: worker process + lee 8082 0.0 0.0 14860 1040 pts/1 S+ 07:25 0:00 grep --color=auto nginx + ``` + + ```bash + root@ubuntu:/usr/share/nginx# netstat -ntplu | grep nginx + tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8077/nginx: master + ``` + +3. 浏览器访问 http:// + + ![下载证书](images/nginx.png) + +## 进行以下实验前,先退出当前运行的NGIXN Plus + + ```bash + nginx -s quit + ``` + +# 实验2 非root用户安装 + +本实验介绍在非root环境下的 NGINX Plus 安装,除创建用户时使用root权限,其余全程在非root环境下进行 + +## 准备工作 + +新建用户组与用户,用于安装运维管理 NGINX Plus + + ```bash + groupadd demo + useradd -d /home/mebius -r -m -s /bin/bash -g demo mebius + ``` + +创建完用户,请切换至非root用户,以下步骤均在非root环境进行 + +## 安装与使用 + +1. 将下载好的 nginx-mgmt-suite-acm-trail.crt 和 nginx-mgmt-suite-acm-trail.key 文件导入到 /home/mebius/ssl 文件夹中,并重命名为 nginx-repo.crt 和 nginx-repo.key + + ```bash + mkdir -p /home/mebius/ssl + cd /home/mebius/ssl + cp nginx-mgmt-suite-acm-trail.crt /home/mebius/ssl/nginx-repo.crt + cp nginx-mgmt-suite-acm-trail.key /home/mebius/ssl/nginx-repo.key + ``` + +2. 下载安装脚本,放于 /home/mebius/packages 文件夹中,并赋予执行权限 + + ```bash + mkdir -p /home/mebius/packages + cd /home/mebius/packages + wget https://raw.githubusercontent.com/nginxinc/nginx-plus-install-tools/main/ngxunprivinst.sh + chmod +x ngxunprivinst.sh + ``` + +3. 查看可安装 NGINX Plus 版本 + + ```bash + mebius@ubuntu:~/packages$ ./ngxunprivinst.sh list -c ~/ssl/nginx-repo.crt -k ~/ssl/nginx-repo.key + Versions available for ubuntu bionic amd64: + 15-2 + 15-3 + 16-1 + 16-2 + 17-1 + 18-1 + 18-2 + 19-1 + 20-1 + 21-1 + 22-1 + 23-1 + 23-2 + 24-1 + 24-2 + 24-3 + 25-1 + 25-2 + 26-1 + 26-2 + 27-1 + 27-2 + 28-1 + 29-1 + ``` + +4. 
下载安装包,默认会下载最新版,也可指定版本进行下载。在这里我们指定下载R28-1版本 + + ```bash + mebius@ubuntu:~/packages$ ./ngxunprivinst.sh fetch -c ~/ssl/nginx-repo.crt -k ~/ssl/nginx-repo.key -v 28-1 + Downloading nginx-plus_28-1~bionic_amd64.deb... + Downloading nginx-plus-module-auth-spnego_28%2B1.1.0-2~bionic_amd64.deb... + ``` + 默认会将相关的安装包及动态模块都下载下来,也可以在下载完主安装包后中断 + + ```bash + mebius@ubuntu:~/packages$ ls + nginx-plus-module-auth-spnego_28%2B1.1.0-2~bionic_amd64.deb + nginx-plus-module-brotli_28%2B1.0.0-1~bionic_amd64.deb + nginx-plus-module-encrypted-session_28%2B0.09-1~bionic_amd64.deb + nginx-plus-module-fips-check_28%2B0.1-2~bionic_amd64.deb + nginx-plus-module-geoip2_28%2B3.4-1~bionic_amd64.deb + nginx-plus-module-geoip_28-1~bionic_amd64.deb + nginx-plus-module-headers-more_28%2B0.34-2~bionic_amd64.deb + nginx-plus-module-image-filter_28-1~bionic_amd64.deb + nginx-plus-module-lua_28%2B0.10.22-2~bionic_amd64.deb + nginx-plus-module-lua_28%2B0.10.22-3~bionic_amd64.deb + nginx-plus-module-ndk_28%2B0.3.2-1~bionic_amd64.deb + nginx-plus-module-njs_28%2B0.7.10-1~bionic_amd64.deb + nginx-plus-module-njs_28%2B0.7.11-1~bionic_amd64.deb + nginx-plus-module-njs_28%2B0.7.9-1~bionic_amd64.deb + nginx-plus-module-opentracing_28%2B0.27.0-1~bionic_amd64.deb + nginx-plus-module-passenger_28%2B6.0.15-1~bionic_amd64.deb + nginx-plus-module-perl_28-1~bionic_amd64.deb + nginx-plus-module-prometheus_28%2B1.3.4-1~bionic_amd64.deb + nginx-plus-module-rtmp_28%2B1.2.2-1~bionic_amd64.deb + nginx-plus-module-set-misc_28%2B0.33-1~bionic_amd64.deb + nginx-plus-module-subs-filter_28%2B0.6.4-1~bionic_amd64.deb + nginx-plus-module-xslt_28-1~bionic_amd64.deb + nginx-plus_28-1~bionic_amd64.deb + ngxunprivinst.sh + ``` + +5. 创建 NGIXN Plus 安装目录,并指定安装路径(不同操作系统请根据实际情况指定安装包文件) + + ```bash + mkdir -p /home/mebius/nginxplus + ./ngxunprivinst.sh install -y -p /home/mebius/nginxplus nginx-plus_28-1~bionic_amd64.deb + ``` + 安装成功后,出现如下提示 + ```bash + Installation finished. 
You may run nginx with this command: + /home/mebius/nginxplus/usr/sbin/nginx -p /home/mebius/nginxplus/etc/nginx -c nginx.conf -e /home/mebius/nginxplus/var/log/nginx/error.log + ``` + +6. 根据提示启动NGIXN Plus,查看进程,确认为非root用户启动 + + ```bash + mebius@ubuntu:~/packages$ /home/mebius/nginxplus/usr/sbin/nginx -p /home/mebius/nginxplus/etc/nginx -c nginx.conf -e /home/mebius/nginxplus/var/log/nginx/error.log + + mebius@ubuntu:~/packages$ ps aux | grep nginx + mebius 8599 0.0 0.0 25400 896 ? Ss 08:37 0:00 nginx: master process /home/mebius/nginxplus/usr/sbin/nginx -p /home/mebius/nginxplus/etc/nginx -c nginx.conf -e /home/mebius/nginxplus/var/log/nginx/error.log + mebius 8600 0.0 0.1 25804 2132 ? S 08:37 0:00 nginx: worker process + mebius 8602 0.0 0.0 14860 1044 pts/1 S+ 08:37 0:00 grep --color=auto nginx + ``` + +7. 查看安装目录,可以发现以自定义目录为根目录进行了安装,nginx主目录为 ~/nginxplus/etc/nginx + + ```bash + mebius@ubuntu:~/nginxplus$ cd ~/nginxplus + mebius@ubuntu:~/nginxplus$ ll + total 24 + drwxr-xr-x 4 mebius demo 4096 Jun 1 08:31 etc/ + drwxr-xr-x 3 mebius demo 4096 Jun 7 2022 lib/ + drwxr-xr-x 5 mebius demo 4096 Jun 7 2022 usr/ + drwxr-xr-x 6 mebius demo 4096 Jun 1 08:31 var/ + ``` + +8. 
查看相关配置文件,目录自动更新,默认监听端口自动改为8080 + + ```bash + mebius@ubuntu:~$ cat ~/nginxplus/etc/nginx/nginx.conf + + worker_processes auto; + + error_log /home/mebius/nginxplus/var/log/nginx/error.log notice; + pid /home/mebius/nginxplus/var/run/nginx.pid; + + + http { + scgi_temp_path /home/mebius/nginxplus/var/cache/nginx/scgi_temp; + uwsgi_temp_path /home/mebius/nginxplus/var/cache/nginx/uwsgi_temp; + fastcgi_temp_path /home/mebius/nginxplus/var/cache/nginx/fastcgi_temp; + proxy_temp_path /home/mebius/nginxplus/var/cache/nginx/proxy_temp_path; + client_body_temp_path /home/mebius/nginxplus/var/cache/nginx/client_temp; + include /home/mebius/nginxplus/etc/nginx/mime.types; + + access_log /home/mebius/nginxplus/var/log/nginx/access.log main; + include /home/mebius/nginxplus/etc/nginx/conf.d/*.conf; + } + ``` + + ```bash + mebius@ubuntu:~$ cat ~/nginxplus/etc/nginx/conf.d/default.conf + + server { + listen 8080 default_server; + server_name localhost; + + #access_log /home/mebius/nginxplus/var/log/nginx/host.access.log main; + + location / { + root /home/mebius/nginxplus/usr/share/nginx/html; + index index.html index.htm; + } + ``` + +9. 查看版本信息,确认为NGINX Plus R28 + + ```bash + mebius@ubuntu:~$ /home/mebius/nginxplus/usr/sbin/nginx -v + nginx version: nginx/1.23.2 (nginx-plus-r28) + ``` + +10. 浏览器访问 http://:8080 + + ![下载证书](images/nginx-2.png) + +# 实验结束 + +## 思考 + +刚才的环境中能否启动多个NGINX Plus实例,是否会冲突? + -- Gitee
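Review bot: In step 3 of "设置非root用户运行环境" (the `chown -R lee:test ...` block for both CentOS/RHEL and Ubuntu), handing the service account ownership of files that root or the init system executes undermines the point of the non-root exercise: `/etc/logrotate.d/nginx` is read by logrotate running as root and can carry postrotate commands, `/etc/init.d/nginx` and `/usr/libexec/initscripts/legacy-actions/nginx` are run by the service manager as root, and `/usr/sbin/nginx` is the binary that step 7 then grants `cap_net_bind_service=+eip`, so any content the `lee` account writes into these files later runs with root privileges or with that capability. Suggest restricting the chown to what nginx actually needs to write at runtime (the `/home/lee/log` and `/home/lee/run` directories created in step 4, plus `/var/cache/nginx` and `/var/lib/nginx` if the temp paths stay there), leaving `/usr/sbin/nginx`, `/etc/logrotate.d/nginx`, `/etc/init.d/nginx` and `/usr/libexec/...` root-owned, and leaving `/etc/ssl/nginx` root-owned as well, since the repository certificate and key stored there are only needed by the package manager, not by the running server. Separately, the CentOS/RHEL chown block in step 3 still begins with the copied prompt line `[root@centos nginx]# find / -name nginx`, a leftover from step 2 that should be removed so the block can be pasted as-is.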