centos7 搭建ngnix+vsftp伺服器
安裝 nginx
一nginx安裝環境
1. gcc
安裝nginx需要先將官網下載的原始碼進行編譯,編譯依賴gcc環境,如果沒有gcc環境,需要安裝gcc:
yum install gcc-c++
2.PCRE
PCRE(Perl Compatible Regular Expressions)是一個Perl庫,包括 perl 相容的正則表示式庫。nginx的http模組使用pcre來解析正則表示式,所以需要在linux上安裝pcre庫。
yum install -y pcre pcre-devel
注:pcre-devel是使用pcre開發的一個二次開發庫。nginx也需要此庫。
3. zlib
zlib庫提供了很多種壓縮和解壓縮的方式,nginx使用zlib對http包的內容進行gzip,所以需要在linux上安裝zlib庫。
yum install -y zlib zlib-devel
4.openssl
OpenSSL 是一個強大的安全套接字層密碼庫,囊括主要的密碼演算法、常用的金鑰和證書封裝管理功能及SSL協議,並提供豐富的應用程式供測試或其它目的使用。
nginx不僅支援http協議,還支援https(即在ssl協議上傳輸http),所以需要在linux安裝openssl庫。
yum install -y openssl openssl-devel
二 編譯安裝
1.將nginx-1.8.0.tar.gz拷貝至linux伺服器。
2.解壓:
tar -zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
3.配置 configure
./configure --help查詢詳細引數(參考本教程附錄部分:nginx編譯引數)
引數設定如下:
./configure \
--prefix=/usr/local/nginx \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/temp/nginx/client \
--http-proxy-temp-path=/var/temp/nginx/proxy \
--http-fastcgi-temp-path=/var/temp/nginx/fastcgi \
--http-uwsgi-temp-path=/var/temp/nginx/uwsgi \
--http-scgi-temp-path=/var/temp/nginx/scgi
注意:上邊將臨時檔案目錄指定為/var/temp/nginx,需要在/var下建立temp及nginx目錄
三 啟動執行測試
1編譯安裝
./configure
make
make install
安裝成功檢視安裝目錄 :whereis nginx
2 啟動nginx
cd /usr/local/nginx/sbin/
./nginx
注意:執行./nginx啟動nginx,這裡可以-c指定載入的nginx配置檔案,如下:
./nginx -c /usr/local/nginx/conf/nginx.conf
如果不指定-c,nginx在啟動時預設載入conf/nginx.conf檔案,此檔案的地址也可以在編譯安裝nginx時指定./configure的引數(--conf-path= 指向配置檔案(nginx.conf))
3 停止nginx
方式1,快速停止:
cd /usr/local/nginx/sbin
./nginx -s stop
此方式相當於先查出nginx程序id再使用kill命令強制殺掉程序。
方式2,完整停止(建議使用):
cd /usr/local/nginx/sbin
./nginx -s quit
此方式停止步驟是待nginx程序處理任務完畢進行停止。
4 重啟nginx
方式1,先停止再啟動(建議使用):
對nginx進行重啟相當於先停止nginx再啟動nginx,即先執行停止命令再執行啟動命令。
如下:
./nginx -s quit
./nginx
方式2,重新載入配置檔案:
當nginx的配置檔案nginx.conf修改後,要想讓配置生效需要重啟nginx,使用-s reload不用先停止nginx再啟動nginx即可將配置資訊在nginx中生效,如下:
./nginx -s reload
5 測試
nginx安裝成功,啟動nginx,即可訪問虛擬機器上的nginx:瀏覽器輸入伺服器地址即可
安裝ftp元件
1.安裝vsftpd元件
安裝完後,有/etc/vsftpd/vsftpd.conf 檔案,是vsftp的配置檔案。
yum -y install vsftpd
2.新增一個ftp使用者
此使用者就是用來登入ftp伺服器用的。
useradd ftpuser
這樣一個使用者建完,可以用這個登入,記得用普通登入不要用匿名了。登入後預設的路徑為 /home/ftpuser.
3.給ftp使用者新增密碼。
passwd ftpuser
輸入兩次密碼後修改密碼。
4 .防火牆開啟21埠
firewall-cmd --permanent --zone=public --add-port=21/tcp
firewall-cmd --permanent --zone=public --add-port=21/udp
還要執行下,重啟iptables
firewall-cmd --reload
5.修改selinux
外網是可以訪問上去了,可是發現沒法返回目錄(使用ftp的主動模式,被動模式還是無法訪問),也上傳不了,因為selinux作怪了。
修改selinux:
執行以下命令檢視狀態:
getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
執行上面命令,再返回的結果看到兩行都是off,代表,沒有開啟外網的訪問
setsebool -P allow_ftpd_full_access on
setsebool -P ftp_home_dir on
nginx配置檔案
#user nobody; worker_processes 1;
#error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info;
#pid logs/nginx.pid;
events { worker_connections 1024; }
http { include mime.types; default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on; #tcp_nopush on;
#keepalive_timeout 0; keepalive_timeout 65;
#gzip on;
server { listen 80; server_name localhost;
charset utf-8;
#access_log logs/host.access.log main;
location ~ .*\.(gif|jpg|jpeg|png)$ { expires 24h; root /home/ftpuser/picture/;#Ö¸¶¨Í¼Æ¬´æ·Å·¾¶ access_log /home/ftpuser/picture/images.log;#ÈÕÖ¾´æ·Å·¾¶ proxy_store on; proxy_store_access user:rw group:rw all:rw; proxy_temp_path /home/ftpuser/picture/;#ͼƬ·ÃÎÊ·¾¶ proxy_redirect off; proxy_set_header Host 127.0.0.1; client_max_body_size 10m; client_body_buffer_size 1280k; proxy_connect_timeout 900; proxy_send_timeout 900; proxy_read_timeout 900; proxy_buffer_size 40k; proxy_buffers 40 320k; proxy_busy_buffers_size 640k; proxy_temp_file_write_size 640k; if ( !-e $request_filename) { proxy_pass http://127.0.0.1;#ĬÈÏ80¶Ë¿Ú } }
location / { root html; index index.html index.htm; } #error_page 404 /404.html;
# redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #}
# deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} }
# another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias;
# location / { # root html; # index index.html index.htm; # } #}
# HTTPS server # #server { # listen 443 ssl; # server_name localhost;
# ssl_certificate cert.pem; # ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on;
# location / { # root html; # index index.html index.htm; # } #}
}
vsftpd配置
# Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=NO # # Uncomment this to allow local users to log in. # When SELinux is enforcing check for SE bool ftp_home_dir local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. xferlog_file=/var/log/xferlog # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) #chroot_local_user=YES chroot_list_enable=NO # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=no # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. # Make sure, that one of the listen options is commented !! listen_ipv6=YES
pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES
#local_root=/home/image/ #chroot_local_user=YES #anon_root=/home/image/
最後一步修改ftpuser的檔案許可權
chown -R 755 /home/ftpuser/picture/
然後啟動ngnix與vsftp