
Setting up an nginx + vsftpd server on CentOS 7

Installing nginx

I. nginx build prerequisites

1. gcc

         nginx is installed by compiling the source tarball downloaded from the official site, and the build depends on gcc. If gcc is not present, install it:

   yum install gcc-c++

2. PCRE

         PCRE (Perl Compatible Regular Expressions) is a C library that implements Perl-compatible regular expressions. nginx's http module uses pcre to parse regular expressions, so the pcre library must be installed on the Linux host.

   yum install -y pcre pcre-devel

Note: pcre-devel is the development package (headers) for building software against pcre; nginx needs it as well.

3. zlib

         zlib provides several compression and decompression methods. nginx uses zlib to gzip HTTP response bodies, so the zlib library must be installed on the Linux host.

   yum install -y zlib zlib-devel

4. OpenSSL

         OpenSSL is a full-featured SSL/TLS and cryptography library: it covers the major cryptographic algorithms, common key and certificate management functions and the SSL protocol, and ships a rich set of tools for testing and other purposes.

         nginx supports not only HTTP but also HTTPS (HTTP carried over SSL), so the openssl library must be installed on the Linux host.

   yum install -y openssl openssl-devel

Compiling and installing

1. Copy nginx-1.8.0.tar.gz to the Linux server.

2. Unpack it:

  tar -zxvf nginx-1.8.0.tar.gz

  cd nginx-1.8.0

3. Configure

./configure --help lists all options in detail (see the appendix of this tutorial: nginx build options).

The options used here:

./configure \
--prefix=/usr/local/nginx \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/temp/nginx/client \
--http-proxy-temp-path=/var/temp/nginx/proxy \
--http-fastcgi-temp-path=/var/temp/nginx/fastcgi \
--http-uwsgi-temp-path=/var/temp/nginx/uwsgi \
--http-scgi-temp-path=/var/temp/nginx/scgi

Note: the temporary file directory is set to /var/temp/nginx above, so the temp and nginx directories must be created under /var before starting nginx.

Building, starting and testing

1. Compile and install

./configure    (with the options listed above)

make

make install

After a successful install, locate the installation: whereis nginx

2. Start nginx

cd /usr/local/nginx/sbin/

./nginx

Note: when starting nginx with ./nginx, -c can be used to specify the configuration file to load, for example:

./nginx -c /usr/local/nginx/conf/nginx.conf

Without -c, nginx loads conf/nginx.conf by default. That path can also be set at build time through the ./configure option --conf-path= (pointing at nginx.conf).

3. Stop nginx

Method 1, fast shutdown:

cd /usr/local/nginx/sbin

./nginx -s stop

This is equivalent to looking up the nginx process id and killing the process with kill.

Method 2, graceful shutdown (recommended):

cd /usr/local/nginx/sbin

./nginx -s quit

This waits for the nginx worker processes to finish their current requests before stopping.

4. Restart nginx

Method 1, stop and then start (recommended):

Restarting nginx means stopping it and then starting it again, i.e. run the stop command followed by the start command:

./nginx -s quit

./nginx

Method 2, reload the configuration:

After nginx.conf has been modified, the configuration takes effect only after nginx restarts. With -s reload the new configuration is applied without stopping and starting nginx:

./nginx -s reload

5. Test

Once nginx is installed and started, the nginx on the virtual machine can be reached by entering the server address in a browser.

Installing the FTP components

1. Install vsftpd

After installation, /etc/vsftpd/vsftpd.conf is the vsftpd configuration file.

yum -y install vsftpd

2. Add an FTP user

This is the account used to log in to the FTP server.

useradd ftpuser

Once the user is created you can log in with it; log in as this regular user, not anonymously. After login the default directory is /home/ftpuser.

3. Set a password for the FTP user.

passwd ftpuser

Enter the password twice to set it.

4. Open port 21 in the firewall

firewall-cmd --permanent --zone=public --add-port=21/tcp

firewall-cmd --permanent --zone=public --add-port=21/udp

Then reload firewalld so the rules take effect:

firewall-cmd --reload

5. Adjust SELinux

External clients can now connect, but directory listings do not come back (in FTP active mode; passive mode still cannot connect at all) and uploads fail, because SELinux is blocking them.

Adjusting SELinux:

Check the current state with:

getsebool -a | grep ftp

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

In the output, the two relevant lines (allow_ftpd_full_access and ftp_home_dir) are both off, meaning access from outside is not permitted. Turn them on:

setsebool -P allow_ftpd_full_access on

setsebool -P ftp_home_dir on

Note that allow_ftpd_full_access lets vsftpd read and write files of any SELinux label anywhere on the system; when only users' home directories are served, ftp_home_dir alone is the narrower setting.

nginx configuration file

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        charset utf-8;

        #access_log  logs/host.access.log  main;

        location ~ .*\.(gif|jpg|jpeg|png)$ {
            expires 24h;
            root /home/ftpuser/picture/;                  # directory where the images are stored
            access_log /home/ftpuser/picture/images.log;  # log file location
            proxy_store on;
            proxy_store_access user:rw group:rw all:rw;
            proxy_temp_path     /home/ftpuser/picture/;   # image access path
            proxy_redirect      off;
            proxy_set_header    Host 127.0.0.1;
            client_max_body_size  10m;
            client_body_buffer_size 1280k;
            proxy_connect_timeout  900;
            proxy_send_timeout     900;
            proxy_read_timeout     900;
            proxy_buffer_size      40k;
            proxy_buffers          40 320k;
            proxy_busy_buffers_size 640k;
            proxy_temp_file_write_size 640k;
            if ( !-e $request_filename) {
                proxy_pass http://127.0.0.1;              # default port 80
            }
        }

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

vsftpd configuration

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=no
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

#local_root=/home/image/
#chroot_local_user=YES
#anon_root=/home/image/
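The configuration above leaves a few settings worth checking before the server goes live (anonymous write options that are inert only while anonymous_enable stays NO, local users that are not chrooted, no TLS). The following audit script is an added example, not part of the original post or of vsftpd; it reads any vsftpd.conf and reports those points, and the sample config it runs on is constructed inline from the effective lines of the file above.

```shell
# Added example (not from the original post): audit a vsftpd.conf for the
# settings the walkthrough above relies on. Sample config constructed inline.

# Value of the LAST uncommented "key=value" line, upper-cased; empty if unset.
# vsftpd itself lets a later assignment override an earlier one.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# Print one finding per line ("SEVERITY: message"); return the number of HIGH findings.
vsftpd_audit() {
    f=$1; high=0
    anon=$(vsftpd_get "$f" anonymous_enable)
    chroot=$(vsftpd_get "$f" chroot_local_user)
    if [ "$anon" = YES ]; then
        echo "HIGH: anonymous_enable=YES, anonymous logins are accepted"; high=$((high + 1))
        if [ "$(vsftpd_get "$f" anon_upload_enable)" = YES ]; then
            echo "HIGH: anon_upload_enable=YES, anonymous clients can upload"; high=$((high + 1))
        fi
    elif [ "$(vsftpd_get "$f" anon_upload_enable)" = YES ]; then
        echo "INFO: anon_* write options are set while anonymous_enable=NO; remove them so a later edit cannot enable uploads by accident"
    fi
    if [ "$(vsftpd_get "$f" local_enable)" = YES ] && [ "$chroot" != YES ]; then
        echo "MEDIUM: local users are not chrooted (chroot_local_user is unset), so they can browse the whole filesystem"
    fi
    if [ "$chroot" = YES ] && [ "$(vsftpd_get "$f" write_enable)" = YES ] && \
       [ "$(vsftpd_get "$f" allow_writeable_chroot)" != YES ]; then
        echo "INFO: vsftpd 3.x refuses logins into a writable chroot; keep the home read-only and upload into a subdirectory"
    fi
    [ "$(vsftpd_get "$f" xferlog_enable)" = YES ] || echo "MEDIUM: xferlog_enable is off, transfers are not logged"
    [ "$(vsftpd_get "$f" ssl_enable)" = YES ] || echo "MEDIUM: ssl_enable is off, passwords and files cross the network in cleartext"
    return "$high"
}

# Constructed sample: the effective (uncommented) settings of the vsftpd.conf above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
xferlog_enable=YES
#chroot_local_user=YES
listen=no
EOF
vsftpd_audit "$SAMPLE_CONF"
```

Run it against /etc/vsftpd/vsftpd.conf instead of the sample to check the live file; a non-zero exit status means at least one HIGH finding.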

Finally, set the permissions on ftpuser's image directory (the mode is changed with chmod; chown takes an owner, not a mode):

chmod -R 755 /home/ftpuser/picture/

Then start nginx and vsftpd.