diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md" new file mode 100644 index 0000000000000000000000000000000000000000..9fcdb1a3760144995a137444a95b762a60b1d600 --- /dev/null +++ "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/Readme.md" 
@@ -0,0 +1,471 @@ +# LAB 环境准备 + +本次实验需要各位学员自备linux环境,建议使用CentOS 7.4+ 系统或 Ubuntu 18.04及以上系统: +本次实验需要申请 NGINX Plus 试用版 license; + +## 申请 NGIXN Plus 试用license + +登录 MyF5 网站,https://my.f5.com/manage/s/ ,如果您还没有 MyF5 账号的话,需要先注册一个用户账号。 +登录后,点击 TRAILS 进入试用申请界面 +![申请试用](images/Trail-1.png) + +您可以选择产品进行试用,在这里,我们选择API Connectivity Stack申请试用,包含了本次培训所需的license +![申请试用](images/Trail-2.png) + +稍等片刻,您将在页面下方获得本次申请的试用license,点击进入详情界面 +![获得试用](images/Trail-3.png) + +在这里,您可以下载所需的一切文件,我们需要下载ssl证书(nginx-mgmt-suite-acm-trail.crt)和私钥(nginx-mgmt-suite-acm-trail.key),这两个文件将允许您从 NGINX 官方仓库下载安装包 +![下载证书](images/Trail-4.png) + +## 实验环境准备 + +准备干净的linux系统 + +## 继续进入后续实验环节 + + +# 实验1 root安装非root用户运行 + +本次实验主要演示root用户安装NGINX Plus,非root用户使用的场景 + +## 安装 NGINX Plus (Root用户) + +### CentOS/RHEL 系统 + +1. 将下载好的 nginx-mgmt-suite-acm-trail.crt 和 nginx-mgmt-suite-acm-trail.key 文件导入到 /etc/ssl/nginx 文件夹中,并重命名为 nginx-repo.crt 和 nginx-repo.key + + ```bash + mkdir -p /etc/ssl/nginx + cd /etc/ssl/nginx + cp nginx-mgmt-suite-acm-trail.crt /etc/ssl/nginx/nginx-repo.crt + cp nginx-mgmt-suite-acm-trail.key /etc/ssl/nginx/nginx-repo.key + ``` + +2. 安装 ca-certificates wget 依赖包 + + ```bash + yum install ca-certificates wget + ``` + +3. 添加 NGINX plus 仓库 + + ```bash + wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo + ``` + +4. 安装 NGINX Plus + + ```bash + yum install nginx-plus + ``` + +5. 启用 NGINX Plus 服务,查看 NGINX 版本 + + ```bash + systemctl enable nginx.service + nginx -v + ``` + + 确认安装版本 + ```bash + nginx version: nginx/1.23.4 (nginx-plus-r29) + ``` + +### Ubuntu 系统 + +1. 将下载好的 nginx-mgmt-suite-acm-trail.crt 和 nginx-mgmt-suite-acm-trail.key 文件导入到 /etc/ssl/nginx 文件夹中,并重命名为 nginx-repo.crt 和 nginx-repo.key + + ```bash + mkdir -p /etc/ssl/nginx + cd /etc/ssl/nginx + cp nginx-mgmt-suite-acm-trail.crt /etc/ssl/nginx/nginx-repo.crt + cp nginx-mgmt-suite-acm-trail.key /etc/ssl/nginx/nginx-repo.key + ``` + +2. 
安装依赖包 + + ```bash + apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring + ``` + +3. 下载 NGIXN signing key + + ```bash + wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + ``` + + +4. 添加 NGINX plus 仓库 + + ```bash + printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list + ``` + +5. 获取 NGINX Plus apt 配置,导入至 /etc/apt/apt.conf.d + + ```bash + wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx + ``` + +6. 安装 NGINX Plus + + ```bash + apt-get update + apt-get install -y nginx-plus + ``` + +7. 查看 NGINX 版本 + + ```bash + nginx -v + ``` + + 确认安装版本 + ```bash + nginx version: nginx/1.23.4 (nginx-plus-r29) + ``` +至此,NGINX Plus 已安装完成,以下进行非root用户启动设置 + +## 设置非root用户运行环境 + +1. 新建用户组与用户,用于运维管理NGINX Plus + + ```bash + groupadd test + useradd -d /home/lee -r -m -s /bin/bash -g test lee + ``` + +2. 查看 NGIXN Plus 相关路径,并更改以下目录属性,将其归为用户所有 + + CentOS/RHEL系统 + ```bash + [root@centos nginx]# find / -name nginx + /etc/logrotate.d/nginx + /etc/ssl/nginx + /etc/nginx + /var/lib/nginx + /var/log/nginx + /var/cache/nginx + /usr/sbin/nginx + /usr/lib64/nginx + /usr/share/nginx + /usr/libexec/initscripts/legacy-actions/nginx + ``` + + Ubuntu系统 + ```bash + root@ubuntu:/etc/nginx# find / -name nginx + /var/lib/nginx + /var/cache/nginx + /var/log/nginx + /etc/ssl/nginx + /etc/nginx + /etc/logrotate.d/nginx + /etc/init.d/nginx + /usr/lib/nginx + /usr/share/nginx + /usr/sbin/nginx + ``` + +3. 
将上述文件夹所有权归为使用者 + + CentOS/RHEL系统 + ```bash + [root@centos nginx]# find / -name nginx + chown -R lee:test /etc/logrotate.d/nginx + chown -R lee:test /etc/ssl/nginx + chown -R lee:test /etc/nginx + chown -R lee:test /var/lib/nginx + chown -R lee:test /var/log/nginx + chown -R lee:test /var/cache/nginx + chown -R lee:test /usr/sbin/nginx + chown -R lee:test /usr/lib64/nginx + chown -R lee:test /usr/share/nginx + chown -R lee:test /usr/libexec/initscripts/legacy-actions/nginx + ``` + + Ubuntu系统 + ```bash + chown -R lee:test /var/lib/nginx + chown -R lee:test /var/cache/nginx + chown -R lee:test /var/log/nginx + chown -R lee:test /etc/ssl/nginx + chown -R lee:test /etc/nginx + chown -R lee:test /etc/logrotate.d/nginx + chown -R lee:test /etc/init.d/nginx + chown -R lee:test /usr/lib/nginx + chown -R lee:test /usr/share/nginx + chown -R lee:test /usr/sbin/nginx + ``` + +4. 切换至NGINX使用者用户(非root),在家目录下创建 NGINX Plus 工作目录,其中log文件夹存放 access.log 及 error.log,run 文件夹存放 pid 文件 + + ```bash + su lee + cd ~ + mkdir -p /home/lee/log /home/lee/run + ``` + 确认工作目录属性 + ```bash + [lee@centos ~]$ pwd + /home/lee + [lee@centos ~]$ ll + total 0 + drwxr-xr-x. 2 lee test 6 Jun 1 06:55 log + drwxr-xr-x. 2 lee test 6 Jun 1 06:55 run + ``` + +5. 修改 /etc/nginx/nginx.conf 文件,删除第一行的 `user nginx;` ,更新 log 及 pid 目录 + + ```bash + + worker_processes auto; + + error_log /home/lee/log/error.log notice; + pid /home/lee/run/nginx.pid; + + access_log /home/lee/log/access.log main; + ``` + +6. 此时,可以尝试使用 `nginx` 指令启动nginx,但会报错,因为非root用户无法默认无法绑定1024以下端口 + + ```bash + lee@ubuntu:/usr/share/nginx$ nginx + nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied) + ``` + +7. 切换回 root 用户,为 nginx 服务赋予绑定1024以下端口的能力 + + ```bash + su + setcap cap_net_bind_service=+eip /usr/sbin/nginx + ``` + +## 非root用户运行 NGINX Plus + +1. 再切换回 lee 用户,启动 NGINX Plus + + ```bash + root@ubuntu:/usr/share/nginx# su lee + lee@ubuntu:/usr/share/nginx$ nginx + ``` + +2. 
确认 nginx 由非root用户启动,并监听了80端口 + + ```bash + lee@ubuntu:/usr/share/nginx$ ps aux | grep nginx + lee 8077 0.0 0.0 25428 884 ? Ss 07:24 0:00 nginx: master process nginx + lee 8078 0.0 0.1 25812 2048 ? S 07:24 0:00 nginx: worker process + lee 8082 0.0 0.0 14860 1040 pts/1 S+ 07:25 0:00 grep --color=auto nginx + ``` + + ```bash + root@ubuntu:/usr/share/nginx# netstat -ntplu | grep nginx + tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8077/nginx: master + ``` + +3. 浏览器访问 http:// + + ![下载证书](images/nginx.png) + +## 进行以下实验前,先退出当前运行的NGIXN Plus + + ```bash + nginx -s quit + ``` + +# 实验2 非root用户安装 + +本实验介绍在非root环境下的 NGINX Plus 安装,除创建用户时使用root权限,其余全程在非root环境下进行 + +## 准备工作 + +新建用户组与用户,用于安装运维管理 NGINX Plus + + ```bash + groupadd demo + useradd -d /home/mebius -r -m -s /bin/bash -g demo mebius + ``` + +创建完用户,请切换至非root用户,以下步骤均在非root环境进行 + +## 安装与使用 + +1. 将下载好的 nginx-mgmt-suite-acm-trail.crt 和 nginx-mgmt-suite-acm-trail.key 文件导入到 /home/mebius/ssl 文件夹中,并重命名为 nginx-repo.crt 和 nginx-repo.key + + ```bash + mkdir -p /home/mebius/ssl + cd /home/mebius/ssl + cp nginx-mgmt-suite-acm-trail.crt /home/mebius/ssl/nginx-repo.crt + cp nginx-mgmt-suite-acm-trail.key /home/mebius/ssl/nginx-repo.key + ``` + +2. 下载安装脚本,放于 /home/mebius/packages 文件夹中,并赋予执行权限 + + ```bash + mkdir -p /home/mebius/packages + cd /home/mebius/packages + wget https://raw.githubusercontent.com/nginxinc/nginx-plus-install-tools/main/ngxunprivinst.sh + chmod +x ngxunprivinst.sh + ``` + +3. 查看可安装 NGINX Plus 版本 + + ```bash + mebius@ubuntu:~/packages$ ./ngxunprivinst.sh list -c ~/ssl/nginx-repo.crt -k ~/ssl/nginx-repo.key + Versions available for ubuntu bionic amd64: + 15-2 + 15-3 + 16-1 + 16-2 + 17-1 + 18-1 + 18-2 + 19-1 + 20-1 + 21-1 + 22-1 + 23-1 + 23-2 + 24-1 + 24-2 + 24-3 + 25-1 + 25-2 + 26-1 + 26-2 + 27-1 + 27-2 + 28-1 + 29-1 + ``` + +4. 
下载安装包,默认会下载最新版,也可指定版本进行下载。在这里我们指定下载R28-1版本 + + ```bash + mebius@ubuntu:~/packages$ ./ngxunprivinst.sh fetch -c ~/ssl/nginx-repo.crt -k ~/ssl/nginx-repo.key -v 28-1 + Downloading nginx-plus_28-1~bionic_amd64.deb... + Downloading nginx-plus-module-auth-spnego_28%2B1.1.0-2~bionic_amd64.deb... + ``` + 默认会将相关的安装包及动态模块都下载下来,也可以在下载完主安装包后中断 + + ```bash + mebius@ubuntu:~/packages$ ls + nginx-plus-module-auth-spnego_28%2B1.1.0-2~bionic_amd64.deb + nginx-plus-module-brotli_28%2B1.0.0-1~bionic_amd64.deb + nginx-plus-module-encrypted-session_28%2B0.09-1~bionic_amd64.deb + nginx-plus-module-fips-check_28%2B0.1-2~bionic_amd64.deb + nginx-plus-module-geoip2_28%2B3.4-1~bionic_amd64.deb + nginx-plus-module-geoip_28-1~bionic_amd64.deb + nginx-plus-module-headers-more_28%2B0.34-2~bionic_amd64.deb + nginx-plus-module-image-filter_28-1~bionic_amd64.deb + nginx-plus-module-lua_28%2B0.10.22-2~bionic_amd64.deb + nginx-plus-module-lua_28%2B0.10.22-3~bionic_amd64.deb + nginx-plus-module-ndk_28%2B0.3.2-1~bionic_amd64.deb + nginx-plus-module-njs_28%2B0.7.10-1~bionic_amd64.deb + nginx-plus-module-njs_28%2B0.7.11-1~bionic_amd64.deb + nginx-plus-module-njs_28%2B0.7.9-1~bionic_amd64.deb + nginx-plus-module-opentracing_28%2B0.27.0-1~bionic_amd64.deb + nginx-plus-module-passenger_28%2B6.0.15-1~bionic_amd64.deb + nginx-plus-module-perl_28-1~bionic_amd64.deb + nginx-plus-module-prometheus_28%2B1.3.4-1~bionic_amd64.deb + nginx-plus-module-rtmp_28%2B1.2.2-1~bionic_amd64.deb + nginx-plus-module-set-misc_28%2B0.33-1~bionic_amd64.deb + nginx-plus-module-subs-filter_28%2B0.6.4-1~bionic_amd64.deb + nginx-plus-module-xslt_28-1~bionic_amd64.deb + nginx-plus_28-1~bionic_amd64.deb + ngxunprivinst.sh + ``` + +5. 创建 NGIXN Plus 安装目录,并指定安装路径(不同操作系统请根据实际情况指定安装包文件) + + ```bash + mkdir -p /home/mebius/nginxplus + ./ngxunprivinst.sh install -y -p /home/mebius/nginxplus nginx-plus_28-1~bionic_amd64.deb + ``` + 安装成功后,出现如下提示 + ```bash + Installation finished. 
You may run nginx with this command: + /home/mebius/nginxplus/usr/sbin/nginx -p /home/mebius/nginxplus/etc/nginx -c nginx.conf -e /home/mebius/nginxplus/var/log/nginx/error.log + ``` + +6. 根据提示启动NGIXN Plus,查看进程,确认为非root用户启动 + + ```bash + mebius@ubuntu:~/packages$ /home/mebius/nginxplus/usr/sbin/nginx -p /home/mebius/nginxplus/etc/nginx -c nginx.conf -e /home/mebius/nginxplus/var/log/nginx/error.log + + mebius@ubuntu:~/packages$ ps aux | grep nginx + mebius 8599 0.0 0.0 25400 896 ? Ss 08:37 0:00 nginx: master process /home/mebius/nginxplus/usr/sbin/nginx -p /home/mebius/nginxplus/etc/nginx -c nginx.conf -e /home/mebius/nginxplus/var/log/nginx/error.log + mebius 8600 0.0 0.1 25804 2132 ? S 08:37 0:00 nginx: worker process + mebius 8602 0.0 0.0 14860 1044 pts/1 S+ 08:37 0:00 grep --color=auto nginx + ``` + +7. 查看安装目录,可以发现以自定义目录为根目录进行了安装,nginx主目录为 ~/nginxplus/etc/nginx + + ```bash + mebius@ubuntu:~/nginxplus$ cd ~/nginxplus + mebius@ubuntu:~/nginxplus$ ll + total 24 + drwxr-xr-x 4 mebius demo 4096 Jun 1 08:31 etc/ + drwxr-xr-x 3 mebius demo 4096 Jun 7 2022 lib/ + drwxr-xr-x 5 mebius demo 4096 Jun 7 2022 usr/ + drwxr-xr-x 6 mebius demo 4096 Jun 1 08:31 var/ + ``` + +8. 
查看相关配置文件,目录自动更新,默认监听端口自动改为8080 + + ```bash + mebius@ubuntu:~$ cat ~/nginxplus/etc/nginx/nginx.conf + + worker_processes auto; + + error_log /home/mebius/nginxplus/var/log/nginx/error.log notice; + pid /home/mebius/nginxplus/var/run/nginx.pid; + + + http { + scgi_temp_path /home/mebius/nginxplus/var/cache/nginx/scgi_temp; + uwsgi_temp_path /home/mebius/nginxplus/var/cache/nginx/uwsgi_temp; + fastcgi_temp_path /home/mebius/nginxplus/var/cache/nginx/fastcgi_temp; + proxy_temp_path /home/mebius/nginxplus/var/cache/nginx/proxy_temp_path; + client_body_temp_path /home/mebius/nginxplus/var/cache/nginx/client_temp; + include /home/mebius/nginxplus/etc/nginx/mime.types; + + access_log /home/mebius/nginxplus/var/log/nginx/access.log main; + include /home/mebius/nginxplus/etc/nginx/conf.d/*.conf; + } + ``` + + ```bash + mebius@ubuntu:~$ cat ~/nginxplus/etc/nginx/conf.d/default.conf + + server { + listen 8080 default_server; + server_name localhost; + + #access_log /home/mebius/nginxplus/var/log/nginx/host.access.log main; + + location / { + root /home/mebius/nginxplus/usr/share/nginx/html; + index index.html index.htm; + } + ``` + +9. 查看版本信息,确认为NGINX Plus R28 + + ```bash + mebius@ubuntu:~$ /home/mebius/nginxplus/usr/sbin/nginx -v + nginx version: nginx/1.23.2 (nginx-plus-r28) + ``` + +10. 浏览器访问 http://:8080 + + ![下载证书](images/nginx-2.png) + +# 实验结束 + +## 思考 + +刚才的环境中能否启动多个NGINX Plus实例,是否会冲突? + diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/.keep" similarity index 100% rename from "01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262" rename to "01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/.keep" 
diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-1.png" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-1.png" new file mode 100644 index 0000000000000000000000000000000000000000..a497f1c74aa6bf0a4a448231790fa62cea24d105 Binary files /dev/null and "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-1.png" differ diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-2.png" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-2.png" new file mode 100644 index 0000000000000000000000000000000000000000..ca3e81ac0e4b98ef03b70bff166879e3126c4098 Binary files /dev/null and "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-2.png" differ diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-3.png" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-3.png" new file mode 100644 index 0000000000000000000000000000000000000000..67b8fed16d1c3e4e45b7dbe3f6e80b888b248488 Binary files /dev/null and "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-3.png" differ diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-4.png" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-4.png" new file mode 100644 index 0000000000000000000000000000000000000000..9fd633235b595d09f0e08cefeb8b82e617f593f3 Binary files /dev/null and "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/Trail-4.png" differ 
diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/nginx-2.png" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/nginx-2.png" new file mode 100644 index 0000000000000000000000000000000000000000..e28aad277a62c4624bfc0f7bf25ae9ef6237ae5b Binary files /dev/null and "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/nginx-2.png" differ diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/nginx.png" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/nginx.png" new file mode 100644 index 0000000000000000000000000000000000000000..d6c5500cd5aa9f9e1c49d5b38a794aa49c4886d3 Binary files /dev/null and "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/images/nginx.png" differ diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/scripts/.keep" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/scripts/.keep" new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git "a/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/scripts/ngxunprivinst.sh" "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/scripts/ngxunprivinst.sh" new file mode 100644 index 0000000000000000000000000000000000000000..716a6a031d98a1c61841ab70fe7fae1f73d85a45 --- /dev/null +++ "b/01 NGINX Plus \345\256\211\350\243\205\351\203\250\347\275\262/scripts/ngxunprivinst.sh" 
@@ -0,0 +1,416 @@ +#!/bin/sh +set -e +## +# This script downloads and extracts nginx-plus and modules packages to +# user writable directory, then modify nginx configuration to run from unprivileged user. +# It also can upgrade existing unprivileged installation, including graceful reload. +# +# Make sure that you have downloaded Nginx Plus subscription certificate and key. +# For RPM-based distros, make sure that you have rpm2cpio installed. +## +# Usage: ./ngxunprivinst.sh fetch -c -k [-v ] +# ./ngxunprivinst.sh (install|upgrade) [-y] -p ... +# ./ngxunprivinst.sh list -c -k +# +# fetch - download Nginx Plus and modules packages +# for current operating system +# install - extracts downloaded packages to specific +# upgrade - upgrade existing installation in +# list - list available versions from repository to install +# +# cert_file - path to your subscription certificate file +# key_file - path to your subscription private key file +# path - nginx prefix path +# version - nginx package version (default: latest available) +# -y - answers "yes" to all questions +## + +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin: + +NGXUSER=`id -nu` +NGXCERT= +NGXKEY= +NGXPATH= +CURDIR=`pwd` +WGET="wget -q" +REPOURL= +HTTPPORT=8080 +FORCE="NO" + +about() { + sed -ne '3,/^##$/p' < $0 | sed 's/#//g' +} +usage() { + sed -ne '/^# Usage/,/^##$/p' < $0 | sed 's/#//g' +} +if [ $# -eq 0 ]; then + about + usage + exit +fi +if ! 
( [ x$1 = x'fetch' ] || [ x$1 = x'install' ] || [ x$1 = x'upgrade' ] || [ x$1 = x'list' ]) ; then + usage + exit +else + ACTION=$1 + shift +fi + +args=`getopt c:k:p:v:y $*` + +for opt +do + case "$opt" in + -c) NGXCERT=$2; shift; shift;; + -k) NGXKEY=$2; shift; shift;; + -p) NGXPATH=$2; shift; shift;; + -v) VERSION=$2; shift; shift;; + -y) FORCE="YES"; shift;; + esac +done + +if ( [ "$NGXKEY" = '' ] || [ "$NGXCERT" = '' ] ) && ( [ "$ACTION" = 'fetch' ] || [ "$ACTION" = 'list' ] ) ; then + echo "-c and -k options are mandatory to fetch/list" + exit 1 +fi + +if [ "$NGXPATH" = '' ] && ( [ "$ACTION" = 'install' ] || [ "$ACTION" = 'upgrade' ] ) ; then + echo "-p option is mandatory for install/upgrade" + exit + if ! ( [ -x /usr/bin/dpkg ] || [ -x /usr/bin/rpm2cpio ] ); then + echo "Please make sure that you have dpkg or rpm2cpio packages installed" + exit 1 + fi +fi + +FILES=$* + +if [ -z "$FILES" ]; then + if [ "$ACTION" = 'install' ] || [ "$ACTION" = 'upgrade' ]; then + echo "Please specify packages to install or upgrade." 
+ exit 1 + fi +fi + +ARCH=x86_64 +[ `uname -m` = "aarch64" ] && ARCH=aarch64 + +if [ -f /etc/redhat-release ]; then + RELEASE=`grep -Eo 'release [0-9]{1}' /etc/redhat-release | cut -d' ' -f2` + REPOURL=https://pkgs.nginx.com/plus/centos/$RELEASE/$ARCH/RPMS/ + DISTRO="RHEL/CentOS" + SUFFIX="el" +elif [ -f /etc/os-release ] && fgrep SLES /etc/os-release; then + RELEASE=`grep -Eo 'VERSION="[0-9]{2}' /etc/os-release | cut -d'"' -f2` + REPOURL=https://pkgs.nginx.com/plus/sles/$RELEASE/$ARCH/RPMS/ + DISTRO="SLES" + SUFFIX="sles" +elif [ -f /etc/os-release ] && fgrep -q -i amazon /etc/os-release; then + RELEASE=`grep -Eo 'VERSION=".+"' /etc/os-release | cut -d'"' -f2` + if [ "$RELEASE" = "2" ]; then + REPOURL=https://pkgs.nginx.com/plus/amzn2/2/$ARCH/RPMS/ + SUFFIX="amzn2" + elif [ "$RELEASE" = "2023" ]; then + REPOURL=https://pkgs.nginx.com/plus/amzn/2023/$ARCH/RPMS/ + SUFFIX="amzn2023" + else + REPOURL=https://pkgs.nginx.com/plus/amzn/latest/$ARCH/RPMS/ + SUFFIX="amzn1" + RELEASE="1" + fi + DISTRO="amzn" +elif [ -f /usr/bin/dpkg ]; then + ARCH=amd64 + [ `uname -m` = "aarch64" ] && ARCH=arm64 + DISTRO=`grep -E "^ID=" /etc/os-release | cut -d '=' -f2 | tr '[:upper:]' '[:lower:]'` + RELEASE=`grep VERSION_CODENAME /etc/os-release | cut -d '=' -f2` + REPOURL=https://pkgs.nginx.com/plus/$DISTRO/pool/nginx-plus/n/ +elif [ -x /sbin/apk ]; then + RELEASE=`grep -Eo 'VERSION_ID=[0-9]\.[0-9]{1,2}' /etc/os-release | cut -d'=' -f2` + REPOURL=https://pkgs.nginx.com/plus/alpine/v$RELEASE/main/$ARCH/ + DISTRO="alpine" +else + echo "Cannot determine your operating system." + exit 1 +fi +if [ "$ACTION" = 'fetch' ] || [ "$ACTION" = 'list' ]; then + if [ ! -f $NGXCERT ] || [ ! -f $NGXKEY ]; then + echo "Check that certificate and key files exist." + exit 1 + else + # check that wget is not a part of busybox package + [ `find $(which wget) -type f | wc -l` -eq 0 ] && echo "Please install wget package." 
&& exit 1 + # lower security level for certificate check + ldd $(which wget) | grep -q libgnutls || \ + echo "" | openssl s_client -servername pkgs.nginx.com -cert $NGXCERT -key $NGXKEY -connect pkgs.nginx.com:443 >/dev/null 2>&1 || \ + WGET='wget -q --ciphers DEFAULT@SECLEVEL=1' + if ! $WGET -O /dev/null --certificate=$NGXCERT --private-key=$NGXKEY https://pkgs.nginx.com/plus/ ; then + echo "Cannot connect to pkgs.nginx.com, please check certificate and key." + exit 1 + fi + fi +fi +cleanup() { + [ -d $TMPDIR ] && rm -rf $TMPDIR +} + +ask() { + echo "$1 {y/N}" + if [ "$FORCE" != 'YES' ]; then + read -r a + if ! ( [ x$a = 'xy' ] || [ x$a = 'xY' ] ); then + echo "Exiting..." + cleanup + exit + fi + else + echo y + fi +} + +fetch() { + a=$(list | wc -l) + [ $a -eq 1 ] && echo "OS ($DISTRO $RELEASE $ARCH) is not supported." && exit 1 + if [ "$DISTRO" = 'ubuntu' ] || [ "$DISTRO" = 'debian' ]; then + if [ -z $VERSION ]; then + NGXDEB=`$WGET -O- --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/nginx-plus | cut -d '"' -f2 | egrep 'nginx-plus_[0-9][0-9]' | fgrep $RELEASE | fgrep $ARCH | sort | uniq | tail -1` + else + NGXDEB="nginx-plus_${VERSION}~${RELEASE}_${ARCH}.deb" + fi + echo "Downloading $NGXDEB..." + $WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/nginx-plus/$NGXDEB -O $NGXDEB ||: + if [ ! -s $NGXDEB ]; then + echo "Wrong Nginx Plus version!" + list + rm $NGXDEB + cleanup + exit 1 + fi + PLUS_RELEASE=$(echo $NGXDEB | grep -Eo '[0-9][0-9]' | head -1) + MODULES_PATHS=$($WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL -O- | fgrep 'nginx-plus-module' | cut -d '"' -f2) + for MODPATH in $MODULES_PATHS; do + MODDEBS=$($WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/$MODPATH/ -O- | fgrep 'nginx-plus-module' | fgrep deb | fgrep -v dbg | cut -d '"' -f2 | fgrep $RELEASE | fgrep $ARCH | fgrep "_$PLUS_RELEASE") ||: + for MODDEB in $MODDEBS; do + echo "Downloading $MODDEB..." 
+ $WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/$MODPATH/$MODDEB -O $MODDEB + done + done + elif [ "$DISTRO" = 'alpine' ]; then + if [ -z $VERSION ]; then + NGXAPK=`$WGET -O- --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL | cut -d '"' -f2 | egrep 'nginx-plus-[0-9][0-9]' | sort | uniq | tail -1` + else + NGXAPK=nginx-plus-$VERSION.apk + fi + echo "Downloading $NGXAPK..." + $WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/$NGXAPK -O $NGXAPK ||: + if [ ! -s $NGXAPK ]; then + echo "Wrong Nginx Plus version!" + list + rm $NGXAPK + cleanup + exit 1 + fi + PLUS_RELEASE=$(echo $NGXAPK | grep -Eo '[0-9][0-9]' | head -1) + MODULES_APKS=$($WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/ -O- | fgrep nginx-plus-module | fgrep -v debug | fgrep "$PLUS_RELEASE." | cut -d '"' -f2) ||: + for MODAPK in $MODULES_APKS; do + echo "Downloading $MODAPK..." + $WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/$MODAPK -O $MODAPK + done + else + if [ -z $VERSION ]; then + NGXRPM=`$WGET -O- --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL | cut -d '"' -f2 | egrep 'nginx-plus-[0-9][0-9]' | sort | uniq | tail -1` + else + echo $VERSION | egrep -q '1[567]\-' && [ "$RELEASE" = "7" ] && RELEASE="7_4" + NGXRPM=nginx-plus-$VERSION.$SUFFIX$RELEASE.ngx.$ARCH.rpm + fi + echo "Downloading $NGXRPM..." + $WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/$NGXRPM -O $NGXRPM ||: + if [ ! -s $NGXRPM ]; then + echo "Wrong Nginx Plus version!" + list + rm $NGXRPM + cleanup + exit 1 + fi + PLUS_RELEASE=$(echo $NGXRPM | grep -Eo '[0-9][0-9]' | head -1) + MODULES_RPMS=$($WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/ -O- | fgrep nginx-plus-module | fgrep -v debug | fgrep "$PLUS_RELEASE+" | cut -d '"' -f2) ||: + for MODRPM in $MODULES_RPMS; do + echo "Downloading $MODRPM..." 
+ $WGET --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL/$MODRPM -O $MODRPM + done + fi +} + +prepare() { + mkdir -p $ABSPATH + TMPDIR=`mktemp -dq /tmp/nginx-prefix.XXXXXXXX` + if [ "$DISTRO" = "debian" ] || [ "$DISTRO" = "ubuntu" ]; then + for PKG in $FILES; do + dpkg -x $PKG $TMPDIR + done + elif [ "$DISTRO" = "alpine" ]; then + for PKG in $FILES; do + tar -C $TMPDIR -xf $PKG + done + else + cp $FILES $TMPDIR/ + for PKG in $FILES; do + NGXCPIO=${PKG%%.rpm}.cpio + cd $TMPDIR + rpm2cpio $PKG > $NGXCPIO + cpio -id < $NGXCPIO 2>/dev/null + [ -f $PKG ] && rm -f $PKG + [ -f $NGXCPIO ] && rm -f $NGXCPIO + done + fi +} + +check_modules_deps() { + DEPS_NEEDED="NO" + for MODULE in `find $ABSPATH/usr/lib*/nginx/modules/ -type f`; do + echo "Module installed: modules/`basename $MODULE`" + UNMET=$(ldd $MODULE 2>&1 | grep 'Error loading shared library\|=> not found' | sed -E 's/Error loading shared library (.+):.*/\1/g' | sed -E 's/ => not found//g' | sort | uniq | tr -d ': \t' | tr '\n' ' ') + if [ ! -z $UNMET ]; then + echo " >>> Module $MODULE have unmet dependencies: $UNMET" && DEPS_NEEDED="YES" + UNMET= + fi + done + [ $DEPS_NEEDED = 'YES' ] && echo " >>> You should install necessary packages or export correct LD_LIBRARY_PATH contains these libraries." ||: + +} + +extract() { + ABSPATH=$(readlink -f $NGXPATH) + if [ -d $ABSPATH ]; then + ask "$ABSPATH already exists. Continue?" + fi + prepare + if [ -x $TMPDIR/usr/sbin/nginx ]; then + # extract and configure nginx-plus package + if [ -f $ABSPATH/etc/nginx/nginx.conf ]; then + OLDVERSION=`$ABSPATH/usr/sbin/nginx -V 2>&1 | head -1 | cut -d' ' -f4` + ask "Previous installation $OLDVERSION detected in $ABSPATH. Overwrite?" + echo "Backing up configuration directory..." 
+ mv $ABSPATH/etc $ABSPATH/etc.`date +'%Y%d%m%H%M%S'` + fi + cp -a $TMPDIR/* $ABSPATH/ + sed -i "s|\([ ^t]*access_log[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/nginx.conf + sed -i "s|\([ ^t]*error_log[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/nginx.conf + sed -i "s|\([ ^t]*pid[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/nginx.conf + sed -i "s|\([ ^t]*include[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/nginx.conf + sed -i "s|\([ ^t]*root[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/nginx.conf + sed -i "s|\([ ^t]*user[ ^t]*\)nginx;||" $ABSPATH/etc/nginx/nginx.conf + + sed -i "s|http {|http {\n client_body_temp_path $ABSPATH/var/cache/nginx/client_temp;|" \ + $ABSPATH/etc/nginx/nginx.conf + sed -i "s|http {|http {\n proxy_temp_path $ABSPATH/var/cache/nginx/proxy_temp_path;|" \ + $ABSPATH/etc/nginx/nginx.conf + sed -i "s|http {|http {\n fastcgi_temp_path $ABSPATH/var/cache/nginx/fastcgi_temp;|" \ + $ABSPATH/etc/nginx/nginx.conf + sed -i "s|http {|http {\n uwsgi_temp_path $ABSPATH/var/cache/nginx/uwsgi_temp;|" \ + $ABSPATH/etc/nginx/nginx.conf + sed -i "s|http {|http {\n scgi_temp_path $ABSPATH/var/cache/nginx/scgi_temp;|" \ + $ABSPATH/etc/nginx/nginx.conf + + sed -i "s|\([ ^t]*access_log[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/conf.d/default.conf + sed -i "s|\([ ^t]*root[ ^t]*\)/|\1$ABSPATH/|" $ABSPATH/etc/nginx/conf.d/default.conf + sed -i "s|\([ ^t]*listen[ ^t]*\)80|\1$HTTPPORT|" $ABSPATH/etc/nginx/conf.d/default.conf + + mkdir -p $ABSPATH/var/run + mkdir -p $ABSPATH/var/log/nginx + mkdir -p $ABSPATH/var/cache/nginx + [ -d $ABSPATH/etc/logrotate.d ] && rm -rf $ABSPATH/etc/logrotate.d + cd $ABSPATH/etc/nginx + ln -sfn ../../usr/lib*/nginx/modules modules + # check that nginx binary does not have unmet dependencies + if ! ldd $ABSPATH/usr/sbin/nginx > /dev/null 2>&1; then + echo "Please install all necessary dependencies to nginx binary" && \ + echo "Use command \"ldd $ABSPATH/usr/sbin/nginx\" to check unmet dependencies." && \ + exit 1 + fi + echo "Installation finished. 
You may run nginx with this command:" + if [ `$ABSPATH/usr/sbin/nginx -v 2>&1 | cut -d ' ' -f3 | cut -d/ -f2 | tr -d '.'` -ge 1195 ]; then + echo "$ABSPATH/usr/sbin/nginx -p $ABSPATH/etc/nginx -c nginx.conf -e $ABSPATH/var/log/nginx/error.log" + else + echo "$ABSPATH/usr/sbin/nginx -p $ABSPATH/etc/nginx -c nginx.conf" + echo "You may safely ignore message about /var/log/nginx/error.log or create this file writable by your user." + fi + else + # extract module only in existing directory + if [ ! -x $ABSPATH/usr/sbin/nginx ]; then + echo "Please use existing installation directory or specify nginx-plus package in arguments too." + exit 1 + else + cp -a $TMPDIR/* $ABSPATH/ + fi + fi + check_modules_deps +} + +upgrade() { + ABSPATH=$(readlink -f $NGXPATH) + prepare + if [ -x $TMPDIR/usr/sbin/nginx ]; then + if [ -f $ABSPATH/etc/nginx/nginx.conf ]; then + OLDVERSION=`$ABSPATH/usr/sbin/nginx -V 2>&1 | head -1 | cut -d' ' -f4` + ask "Previous installation $OLDVERSION detected in $ABSPATH. Upgrade?" + fi + echo "Upgrading $ABSPATH/usr/sbin/nginx binary..." + install $TMPDIR/usr/sbin/nginx $ABSPATH/usr/sbin/nginx + install $TMPDIR/usr/sbin/nginx-debug $ABSPATH/usr/sbin/nginx-debug + cp -a $TMPDIR/usr/share/* $ABSPATH/usr/share/ + [ -d $TMPDIR/usr/lib/ ] && cp -a $TMPDIR/usr/lib/* $ABSPATH/usr/lib/ + [ -d $TMPDIR/usr/lib64/ ] && cp -a $TMPDIR/usr/lib64/* $ABSPATH/usr/lib64/ + check_modules_deps + echo "Performing binary seamless upgrade..." + ps x | grep -q '[n]ginx: master process' \ + && kill -s USR2 `cat $ABSPATH/var/run/nginx.pid` \ + && sleep 5 \ + && kill -s WINCH `cat $ABSPATH/var/run/nginx.pid.oldbin` \ + && kill -s QUIT `cat $ABSPATH/var/run/nginx.pid.oldbin` + else + echo "No nginx binary found in packages, upgrading modules only..." + [ -d $TMPDIR/usr/lib/ ] && cp -a $TMPDIR/usr/lib/* $ABSPATH/usr/lib/ + [ -d $TMPDIR/usr/lib64/ ] && cp -a $TMPDIR/usr/lib64/* $ABSPATH/usr/lib64/ + check_modules_deps + echo "Reloading nginx..." 
+ ps x | grep -q '[n]ginx: master process' && kill -s HUP `cat $ABSPATH/var/run/nginx.pid` + fi +} + +list() { + if [ "$DISTRO" = 'ubuntu' ] || [ "$DISTRO" = 'debian' ]; then + REPOURL=https://pkgs.nginx.com/plus/$DISTRO/pool/nginx-plus/n/nginx-plus + fi + echo "Versions available for $DISTRO $RELEASE $ARCH:" + if [ "$DISTRO" = 'alpine' ] ; then + $WGET -O- --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL | grep -Eo "nginx-plus-[0-9][0-9]-r[1-9]" | sed 's/nginx-plus-//g' | sort | uniq + else + $WGET -O- --certificate=$NGXCERT --private-key=$NGXKEY $REPOURL | grep -E "nginx-plus[_-][0-9][0-9]-[1-9]" | fgrep $ARCH | fgrep $RELEASE | grep -Eo '[0-9][0-9]-[1-9]' | sort | uniq + fi +} + +case $ACTION in + fetch) + fetch + ;; + install) + if [ `ps x | grep -c '[n]ginx: master process'` -eq 0 ]; then + extract + else + echo "Stop running nginx processes or use 'upgrade' script option." + cleanup + exit 1 + fi + ;; + upgrade) + upgrade + ;; + list) + list + ;; + *) + break + ;; +esac +cleanup
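Review bot: In Readme.md, step 3 of "设置非root用户运行环境", the `chown -R lee:test` lists give the unprivileged account ownership of files that root reads or executes: `/etc/init.d/nginx`, `/etc/logrotate.d/nginx`, `/usr/libexec/initscripts/legacy-actions/nginx`, and `/usr/sbin/nginx`, which step 7 then marks with `cap_net_bind_service=+eip`. Whoever controls lee can then rewrite an init script or logrotate config that root processes, so the lab ends up with a weaker privilege boundary than the one it sets out to demonstrate. Suggest restricting the ownership change to the paths nginx writes at run time (`/var/log/nginx`, `/var/cache/nginx`, `/var/lib/nginx`, and `/etc/nginx` if lee has to edit configuration) and leaving the binary, modules, init and logrotate files owned by root. Two smaller items in the same file: the CentOS chown block starts with a pasted prompt line `[root@centos nginx]# find / -name nginx` that is not part of the commands, and step 2 of 实验2 downloads `ngxunprivinst.sh` from the `main` branch on raw.githubusercontent.com although this patch adds `scripts/ngxunprivinst.sh`; point the step at the copy in the repository or at a pinned commit so the script learners run is the one that was reviewed.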
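Review bot: In scripts/ngxunprivinst.sh, `cleanup()` runs `[ -d $TMPDIR ] && rm -rf $TMPDIR` and is called unconditionally on the last line, but `TMPDIR` is only assigned inside `prepare()` and is missing from the variable initialisation block at the top, so for `fetch` and `list` the script deletes whatever directory the caller's environment exported as `TMPDIR`. Suggest using a private name (for example `NGXTMPDIR=`) initialised empty next to `NGXPATH=`, quoting it, and guarding with `[ -n "$NGXTMPDIR" ]` before the `rm -rf`. Second, in the `-p option is mandatory for install/upgrade` branch the bare `exit` comes before the `dpkg`/`rpm2cpio` test, so that dependency check is unreachable and the error path returns status 0; move the check out of that `if` and use `exit 1`. Third, the fallback `WGET='wget -q --ciphers DEFAULT@SECLEVEL=1'` lowers the TLS security level for every later download without telling the user, and the fetched packages are extracted with no signature or checksum verification; at minimum print a warning when the fallback is taken.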