Quick Guide to Setting Up an Nginx File Server

Published: 2023-12-24 16:29:51  Author: 梭梭666


Installing on the local system

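The Nginx package is usually included in the system image, so it can be installed directly from a mounted local repository.
# Default Nginx root directory
/usr/share/nginx/html
# Default main configuration file
/etc/nginx/nginx.conf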

A working example of the configuration file follows:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
# number of nginx worker processes
worker_processes 16;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 16;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   600;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

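    # Show directory listings
    autoindex on;
    # Show file sizes: off disables exact sizes (in bytes) and shows approximate sizes (kB, MB, GB)
    autoindex_exact_size off;
    # Show file times (in the local time zone)
    autoindex_localtime on;
    # Avoid garbled Chinese characters
    charset utf-8;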

    server {
        listen 80;
        server_name localhost;
        # local file path
        root  /var/www/html;
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

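Note

A 403 Forbidden response may mean that the nginx worker process is not running as the nginx user, or that the file permissions are insufficient; they need to be at least 655.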
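
The permission side of the 403 case above usually comes down to a single path component the worker cannot pass. The script below is an added example, not part of the original post: it walks the path to a served file and prints the first component whose "other" permission bits block access. It assumes GNU stat and that the nginx worker is neither owner nor group member of the files; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat and that the
# nginx worker is neither owner nor group member, so only "other" bits count.

# other_bits PATH -> last octal digit of PATH's mode (symlinks followed)
other_bits() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# first_blocked TARGET [BASE]
# Walks from BASE (default /) down to TARGET. Prints the first component the
# worker cannot pass and returns 1; prints nothing and returns 0 if all pass.
first_blocked() {
    target=${1%/}
    base=${2%/}
    path=$base
    old_ifs=$IFS
    IFS=/
    set -f                        # no globbing while splitting on "/"
    set -- ${target#"$base"}
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        bits=$(other_bits "$path") || { echo "$path (missing)"; return 1; }
        if [ ! -d "$path" ]; then
            need=4                # files must be readable
        elif [ "$path" = "$target" ]; then
            need=5                # listed directory: read + search
        else
            need=1                # parent directories: search only
        fi
        if [ $((bits & need)) -ne "$need" ]; then
            echo "$path"
            return 1
        fi
    done
    return 0
}

# Usage: first_blocked /var/www/html/some/file.txt
```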

Configuring nginx local authentication

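# Add the following two lines to the configuration
auth_basic "admin";
auth_basic_user_file /etc/nginx/.passwd.db;
# They can apply globally: place them outside the server block
# or to one specific area: place them inside a location block

# Create the password file
htpasswd -c <password-file>  <username>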
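
A check worth running after enabling basic authentication, as an added example that is not part of the original post: it reads the auth_basic_user_file and root directives from a configuration file and reports whether the password file is missing, world-accessible, or sitting inside the served directory (where autoindex would list it). It assumes GNU stat and readlink and absolute paths; only the first occurrence of each directive is read, include files are not followed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat/readlink and
# absolute paths; include files are not followed.

# conf_value DIRECTIVE FILE -> first uncommented value of DIRECTIVE
conf_value() {
    awk -v d="$1" '
        { sub(/#.*/, "") }        # drop comments
        $1 == d { v = $2; sub(/;$/, "", v); print v; exit }
    ' "$2"
}

# audit_basic_auth CONF -> prints one verdict; returns 0 only for "ok"
audit_basic_auth() {
    pw=$(conf_value auth_basic_user_file "$1")
    root=$(conf_value root "$1")
    [ -n "$pw" ] || { echo no-auth; return 1; }
    [ -f "$pw" ] || { echo missing-file; return 1; }
    real=$(readlink -f "$pw")
    realroot=
    if [ -n "$root" ]; then
        realroot=$(readlink -f "$root" 2>/dev/null) || realroot=
    fi
    if [ -n "$realroot" ]; then
        case $real in
            "$realroot"/*) echo inside-webroot; return 1 ;;
        esac
    fi
    mode=$(stat -c '%a' "$real")
    # last octal digit = permissions for "other"; it must be 0
    [ "${mode#"${mode%?}"}" = 0 ] || { echo world-accessible; return 1; }
    echo ok
}

# Usage: audit_basic_auth /etc/nginx/nginx.conf
```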

Troubleshooting

With SELinux enabled, requests return 403 Forbidden

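# Cause
	The SELinux context on the directory does not grant access to its files.
# Fix
	# Method 001: set the type directly
	chcon -R -t  httpd_sys_content_t  /data/html
	# Method 002: copy the context from a reference directory
	chcon -R --reference=/var/www/html  /data/html
	# Method 003: persistent, by updating the file-context configuration
	semanage fcontext -a  -t httpd_sys_content_t  "/data(/.*)?"  # add
	semanage fcontext -d  -t httpd_sys_content_t  "/data(/.*)?"  # delete
		# Note: this method takes effect only after a reboot or after running the following command
		restorecon -FRv /data/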
--------------
Security-Enhanced Linux (SELinux) Notes:
Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
useradd and groupadd family of binaries. Run the following command as the
root user to turn this Boolean on:
setsebool -P samba_domain_controller on
Turn the samba_enable_home_dirs Boolean on if you want to share home
directories via Samba. Run the following command as the root user to turn this
Boolean on:
setsebool -P samba_enable_home_dirs on
If you create a new directory, such as a new top-level directory, label it
with samba_share_t so that SELinux allows Samba to read and write to it. Do
not label system directories, such as /etc/ and /home/, with samba_share_t, as
such directories should already have an SELinux label.
Run the "ls -ldZ /path/to/directory" command to view the current SELinux
label for a given directory.

Set SELinux labels only on files and directories you have created. Use the
chcon command to temporarily change a label:
chcon -t samba_share_t /path/to/directory
Changes made via chcon are lost when the file system is relabeled or commands
such as restorecon are run.
Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
directories. To share such directories and only allow read-only permissions:
setsebool -P samba_export_all_ro on
To share such directories and allow read and write permissions:
setsebool -P samba_export_all_rw on
To run scripts (preexec/root prexec/print command/...), copy them to the
/var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
Note that if you move the scripts to /var/lib/samba/scripts/, they retain
their existing SELinux labels, which may be labels that SELinux does not allow
smbd to run. Copying the scripts will result in the correct SELinux labels.
Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
apply the correct SELinux labels to these files.

Setting up an Nginx file server in a Docker container

# 1. Pull the official nginx image (Debian 12)
docker pull nginx
# 2. Create the container with the following script:
#!/bin/bash

echo "创建nginx容器"

docker run \
-p 80:80 \
--name nginx_debian_12 \
-v /shiwei/dock-home/nginx.conf:/etc/nginx/nginx.conf \
-v /shiwei/dock-home/log:/var/log/nginx \
-v /shiwei/dock-home/html:/usr/share/nginx/html \
-v /shiwei/dock-home/sources.list:/etc/apt/sources.list \
-d nginx
 
#-v /shiwei/dock-home/conf/nginx.conf:/etc/nginx/nginx.conf \
#-v /shiwei/dock-home/conf/conf.d:/etc/nginx/conf.d \

The apt repository configuration for Debian 12 is as follows:

deb https://mirrors.aliyun.com/debian/ bookworm main non-free non-free-firmware contrib
deb-src https://mirrors.aliyun.com/debian/ bookworm main non-free non-free-firmware contrib
deb https://mirrors.aliyun.com/debian-security/ bookworm-security main
deb-src https://mirrors.aliyun.com/debian-security/ bookworm-security main
deb https://mirrors.aliyun.com/debian/ bookworm-updates main non-free non-free-firmware contrib
deb-src https://mirrors.aliyun.com/debian/ bookworm-updates main non-free non-free-firmware contrib
deb https://mirrors.aliyun.com/debian/ bookworm-backports main non-free non-free-firmware contrib
deb-src https://mirrors.aliyun.com/debian/ bookworm-backports main non-free non-free-firmware contrib

Run the following commands inside the container:

apt install iputils-ping  # optional
apt install iproute2      # optional
apt install iptables      # optional
apt install ufw           # optional
systemctl start nginx
/etc/init.d/nginx status

Miscellaneous

# Get the Docker container's IP address from the host
docker inspect nginx_debian_12 | jq '.[0].NetworkSettings.IPAddress' | xargs

# Copy nginx.conf and the conf.d folder from the container into the newly created directory
# Create the container
docker run --name nginx -p 9001:80 -d nginx
# Copy the container's nginx.conf to the host
docker cp nginx:/etc/nginx/nginx.conf /home/nginx/conf/nginx.conf
# Copy the contents of the container's conf.d folder to the host
docker cp nginx:/etc/nginx/conf.d /home/nginx/conf/conf.d
# Copy the container's html folder to the host
docker cp nginx:/usr/share/nginx/html /home/nginx/