
nginx编译安装

nginx源码编译安装及负载均衡配置

nginx安装部署及OA配置http和https反向代理设置

 

一、下载nginx及相关依赖文件包并检查gcc与gcc-c++是否安装

  1. Nginx,参考下载链接(建议下载 stable version):http://nginx.org/en/download.html

  2. nginx-sticky-module,参考下载链接:https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/downloads/

  3. pcre,参考下载链接:https://ftp.pcre.org/pub/pcre/

  4. openssl,参考下载链接:https://www.openssl.org/source/

  5. zlib,参考下载链接:https://zlib.net/

  6. 检查gcc与gcc-c++是否已安装:yum list installed | grep gcc;如未安装,执行:yum install -y perl perl-devel gcc gcc-c++

二、解压nginx安装包及相关依赖二进制文件

  1. 将所有下载的二进制包和zip包上传至服务器二进制存放路径里进行解压,路径自建,本文档中所有建立的二进制文件存放路径为/seeyon/Nginx,安装路径为/seeyon/nginx。注:存放路径和安装路径不可放在同一目录!

  2. 解压二进制文件

    # Before extracting, check each archive against the checksum or signature
    # published by its upstream project.
    tar -zxvf nginx-1.xx.x.tar.gz # x stands for the version digits; use the versions you actually downloaded
    tar -zxvf pcre-x.xx.tar.gz
    tar -zxvf zlib-x.xx.xx.tar.gz
    tar -zxvf openssl-x.x.x.tar.gz
    unzip nginx-goodies-nginx-sticky-module-ng-08a395c66e42.zip
    # Rename the extracted directories to short names used by the later build steps
    mv nginx-1.xx.x nginx
    mv pcre-x.xx pcre
    mv zlib-x.xx.xx zlib
    mv openssl-x.x.x openssl
    mv nginx-goodies-nginx-sticky-module-ng-08a395c66e42 nginx-sticky-module

  3. 设置文件夹权限

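    # The source trees only have to be usable by the account that runs
    # ./configure and make. Mode 777 would let any local user alter the sources
    # or build scripts before they are compiled and installed, so give the owner
    # read/write/traverse rights and remove write access for group and others.
    chmod -R u+rwX,go-w nginx
    chmod -R u+rwX,go-w pcre
    chmod -R u+rwX,go-w zlib
    chmod -R u+rwX,go-w openssl
    chmod -R u+rwX,go-w nginx-sticky-module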

  4. 安装nginx

    # Configure the nginx build together with its dependencies
    cd /seeyon/Nginx/nginx # enter the extracted nginx source directory
    # --prefix is the install directory; --with-pcre, --with-openssl and --with-zlib point at the
    # extracted source trees, and --add-module at the sticky module source.
    # NOTE(review): libraries built from these source trees end up inside this nginx binary, so a later
    # OpenSSL/PCRE/zlib security fix presumably requires rebuilding nginx — confirm for your build.
    ./configure --prefix=/seeyon/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_auth_request_module --with-http_random_index_module --with-http_gzip_static_module --with-pcre=/seeyon/Nginx/pcre --add-module=/seeyon/Nginx/nginx-sticky-module --with-openssl=/seeyon/Nginx/openssl --with-zlib=/seeyon/Nginx/zlib 

  5. 配置(configure)完成后进行编译安装

    # Compile nginx with the options passed to ./configure
    make
    # Copy the build result into the --prefix directory (/seeyon/nginx)
    make install
    # Note: if the build runs into problems, look the error up (e.g. on Baidu) and resolve it yourself

三、配置nginx代理OAhttp服务

  1. 以nginx安装在/seeyon/nginx下为例,nginx配置文件位于/seeyon/nginx/conf/nginx.conf。配置文件内容如下:

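    # Reverse proxy for the OA application over plain HTTP.
    worker_processes auto;
    worker_rlimit_nofile 20960;
    # Only messages of level "crit" and above are written; ordinary proxy/upstream
    # errors are not logged at this level.
    error_log logs/error.log crit;
    events {
        worker_connections 4096;
        multi_accept on;
        accept_mutex on;
        accept_mutex_delay 500ms;
    }
    http {
        # Do not disclose the nginx version in response headers and error pages.
        server_tokens off;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        # Changed from "access_log off": keep a request log so that access to the
        # proxied OA system can be audited and investigated afterwards. Rotate the
        # file so it does not fill the disk.
        access_log logs/access.log;
        include mime.types;
        default_type application/octet-stream;
        keepalive_timeout 300;
        # Request bodies up to 10240M are accepted; lower this if OA uploads never
        # need that much.
        client_max_body_size 10240M;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 3;
        gzip_types text/xml text/plain text/css text/javascript application/x-javascript
                   application/javascript application/xml;
        gzip_disable "MSIE [1-6]\.";

        # Backend pool; "sticky" comes from nginx-sticky-module (added with --add-module).
        upstream seeyon_v5_cluster {
            sticky;
            server 192.168.31.110:8080 max_fails=300 fail_timeout=30s; # 192.168.31.110 is the OA server address, 8080 the port OA uses
            #server 192.168.0.2:80 max_fails=300 fail_timeout=30s;
        }

        server {
            listen 80;
            server_name localhost;
            charset utf-8;

            location / {
                proxy_pass http://seeyon_v5_cluster;
                proxy_set_header Host $host:$server_port;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header REMOTE-HOST $remote_addr;
                # $proxy_add_x_forwarded_for keeps whatever X-Forwarded-For the client sent and
                # appends the client address; the backend should trust only the last entry
                # (or X-Real-IP), never the client-supplied part.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # proxy_set_header X-Forwarded-Proto $scheme;
                proxy_redirect off;
                proxy_connect_timeout 300;
                proxy_read_timeout 300;
                proxy_send_timeout 300;
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }
    }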
    # 修改配置文件后在nginx的启动目录下检查nginx.conf是否合理   seeyon/nginx/sbin  
    ./nginx -t

  2. 配置开启https访问
    注意开启https需要购买证书,腾讯、阿里云等云服务器可以申请免费证书,如虚拟机等安装体验可使用openssl生成自签名证书,自签名证书可参考:nginx生成ssl证书 - me小怪兽 - 博客园 (cnblogs.com)

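    # HTTPS listener that terminates TLS and proxies to the OA backend pool.
    server {
        listen 443 ssl;
        ssl_certificate ssl/server.crt;
        # Keep the private key readable only by the account that starts nginx.
        ssl_certificate_key ssl/server.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
        # TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later; on an older
        # build use "ssl_protocols TLSv1.2;".
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://seeyon_v5_cluster;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            # The client-supplied X-Forwarded-For is kept and the client address appended;
            # the backend should trust only the last entry (or X-Real-IP).
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # proxy_set_header X-Forwarded-Proto $scheme;
            # Tell the backend that the original request arrived over HTTPS.
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout 300;
            proxy_read_timeout 300;
            proxy_send_timeout 300;
        }
    }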
    # 修改配置文件后在nginx的启动目录下检查nginx.conf是否合理   seeyon/nginx/sbin  
    ./nginx -t

  3. OA配置https重定向

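    # HTTPS listener that terminates TLS and proxies to the OA backend pool.
    server {
        listen 443 ssl;
        server_name localhost; # domain name or IP
        ssl_certificate ssl/server.crt;
        # Keep the private key readable only by the account that starts nginx.
        ssl_certificate_key ssl/server.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
        # TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later; on an older
        # build use "ssl_protocols TLSv1.2;".
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://seeyon_v5_cluster;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            # The client-supplied X-Forwarded-For is kept and the client address appended;
            # the backend should trust only the last entry (or X-Real-IP).
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            # NOTE(review): only the Upgrade header is forwarded; proxying WebSocket also needs
            # a Connection header set explicitly — confirm whether OA relies on WebSocket.
            proxy_set_header Upgrade $http_upgrade;
            proxy_redirect off;
            proxy_connect_timeout 300;
            proxy_read_timeout 300;
            proxy_send_timeout 300;
        }
    }

    # Plain-HTTP listener: every request is answered with a permanent redirect to HTTPS.
    server {
        listen 80;
        server_name localhost; # domain name or IP
        charset utf-8;

        location / {
            # NOTE(review): $host can be taken from the request's Host header, so the redirect
            # target follows whatever host name the client sent; set server_name to the real
            # domain (or redirect to a fixed name) if that matters for your deployment.
            rewrite ^(.*)$ https://$host$1 permanent;
        }
    }

    } # closing brace kept from the original; presumably ends the enclosing http block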

修改配置文件后在nginx的启动目录下检查nginx.conf是否合理 seeyon/nginx/sbin

./nginx -t


4. OA配置文件修改ApacheJetspeed/conf下的server.xml,修改以下内容
```xml
<Connector port="8080" executor="tomcatThreadPool" maxHttpHeaderSize="8192" maxPostSize="-1" maxSwallowSize="-1" acceptCount="1024" maxThreads="4096" minSpareThreads="100" enableLookups="false" redirectPort="443" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/css,text/javascript,text/plain,application/vnd.ms-fontobject,application/javascript,application/json" connectionTimeout="20000" disableUploadTimeout="true" protocol="HTTP/1.1" server="SY8045" /> #修改该代码文件
在port后面加上  proxyPort="443" scheme="https" #具体修改如下

<Connector port="8080" proxyPort="443" scheme="https" executor="tomcatThreadPool" maxHttpHeaderSize="8192" maxPostSize="-1" maxSwallowSize="-1" acceptCount="1024" maxThreads="4096" minSpareThreads="100" enableLookups="false" redirectPort="443" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/css,text/javascript,text/plain,application/vnd.ms-fontobject,application/javascript,application/json" connectionTimeout="20000" disableUploadTimeout="true" protocol="HTTP/1.1" server="SY8045" /> #修改该代码文件
```

  5. 重启OA服务

    Seeyon/A8/ApacheJetspeed/bin
    ./startup.sh

四、nginx常用命令

  1. 常用运维命令

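    ./nginx -t # check that the nginx configuration file is valid
    ./nginx # start nginx
    ./nginx -s reload # reload the configuration without stopping the service
    ./nginx -c /seeyon/nginx/conf/nginx.conf # start nginx with an explicitly named configuration file
    fuser 80/tcp # show the PIDs of the processes using port 80
    # fuser -k 80/tcp # -k does not just query: it KILLS every process using port 80; run it only when that is intended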

五、注册系统服务使用systemctl进行启动管理

  1. 创建服务脚本

    vi /usr/lib/systemd/system/nginx.service
    # 服务脚本内容
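    [Unit]
    Description=nginx - web server
    After=network.target remote-fs.target nss-lookup.target
    
    [Service]
    # nginx puts itself into the background, so systemd follows the master
    # process through the PID file below.
    Type=forking
    PIDFile=/seeyon/nginx/logs/nginx.pid
    # Validate the configuration first; if the check fails the service is not started.
    ExecStartPre=/seeyon/nginx/sbin/nginx -t -c /seeyon/nginx/conf/nginx.conf
    ExecStart=/seeyon/nginx/sbin/nginx -c /seeyon/nginx/conf/nginx.conf
    ExecReload=/seeyon/nginx/sbin/nginx -s reload
    ExecStop=/seeyon/nginx/sbin/nginx -s stop
    # The original "ExecQuit=" line was dropped: systemd has no such directive and
    # ignores it with a warning. For a graceful shutdown, ExecStop can call
    # "nginx -s quit" instead of "nginx -s stop".
    # Give the service its own private /tmp and /var/tmp.
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target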

  2. 重新加载系统服务

    systemctl daemon-reload

  3. 设置nginx开机自启动

    systemctl enable nginx

六、如果按上述重定向配置无法下载或登录,则尝试下方配置

  • 配置项

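    # Alternative configuration: one server block handles both port 80 (redirect)
    # and port 443 (TLS termination + proxy to the OA backend).
    worker_processes auto;
    worker_rlimit_nofile 20960;
    # Only messages of level "crit" and above are written; ordinary proxy/upstream
    # errors are not logged at this level.
    error_log logs/error.log crit;
    events {
        worker_connections 4096;
        multi_accept on;
        accept_mutex on;
        accept_mutex_delay 500ms;
    }
    http {
        # Do not disclose the nginx version in response headers and error pages.
        server_tokens off;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        # Changed from "access_log off": keep a request log so that access to the
        # proxied OA system can be audited and investigated afterwards. Rotate the
        # file so it does not fill the disk.
        access_log logs/access.log;
        include mime.types;
        default_type application/octet-stream;
        keepalive_timeout 300;
        client_max_body_size 10240M;

        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 3;
        gzip_types text/xml text/plain text/css text/javascript application/x-javascript application/javascript application/xml application/json;
        gzip_disable "MSIE [1-6]\.";

        # $connection_upgrade is not a built-in variable. Without this map,
        # "nginx -t" rejects the configuration because the variable is unknown.
        map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      close;
        }

        ## For cluster round-robin, add an upstream block here (copy the upstream block from the earlier configuration)
        server {
            listen 80;
            listen 443 ssl http2;
            listen [::]:80;
            server_name 192.168.2.35;
            index index.php index.html index.htm default.php default.htm default.html;
            charset utf-8;

            # Requests that did not arrive on port 443 are redirected to HTTPS.
            if ($server_port !~ 443) {
                rewrite ^(/.*)$ https://$host$1 permanent;
            }
            ssl_certificate security/oa.crt;
            # Keep the private key readable only by the account that starts nginx.
            ssl_certificate_key security/oa.key;
            # TLS 1.1 is deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
            ssl_protocols TLSv1.2 TLSv1.3;
            # The 3DES suites of the original list were removed (64-bit block cipher).
            # NOTE(review): the RSA+AES entries provide no forward secrecy; drop them
            # too unless legacy clients need them.
            ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
            ssl_prefer_server_ciphers on;
            ssl_session_tickets on;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
            # HSTS: browsers that have seen this header use HTTPS for this host for one year.
            add_header Strict-Transport-Security "max-age=31536000";
            # 497 = plain HTTP request sent to the HTTPS port; answer with a redirect to HTTPS.
            error_page 497 https://$host$request_uri;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            location / {
                proxy_pass http://192.168.2.35:18080; # once a cluster is configured, replace this with the upstream name
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Real-Port $remote_port;
                # The client-supplied X-Forwarded-For is kept and the client address appended;
                # the backend should trust only the last entry (or X-Real-IP).
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header REMOTE-HOST $remote_addr;

                proxy_connect_timeout 60s;
                proxy_send_timeout 600s;
                proxy_read_timeout 600s;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_redirect off;

                # NOTE(review): proxy_busy_buffers_size has to stay below the total size of
                # proxy_buffers minus one buffer, and no proxy_buffers directive is set here —
                # confirm with "nginx -t" and size proxy_buffers accordingly.
                proxy_busy_buffers_size 2048k;
                proxy_max_temp_file_size 1024m;
            }
        }
    }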
    ···
