
AlmaLinux 编译安装nginx-quic


AlmaLinux 编译安装nginx-quic

网络上的教程众说纷纭,大部分停留在使用quiche补丁的方式,这里给出一份使用nginx官方quic版本的方式,编译过程要简单很多

安装编译工具

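# Build toolchain for everything below. gcc/gcc-c++ compile nginx, jemalloc, zlib
# and OpenSSL; make drives each build; autoconf is needed by jemalloc's autogen.sh;
# perl is needed by OpenSSL's Configure; tar unpacks the downloaded archives.
dnf install gcc gcc-c++ make autoconf perl git wget tar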
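# Build toolchain for everything below. gcc/gcc-c++ compile nginx, jemalloc, zlib
# and OpenSSL; make drives each build; autoconf is needed by jemalloc's autogen.sh;
# perl is needed by OpenSSL's Configure; tar unpacks the downloaded archives.
dnf install gcc gcc-c++ make autoconf perl git wget tar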

下载编译程序

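# Fetch the build inputs into the current directory. The tarballs are pinned by
# URL/tag; the two git clones are not pinned to a commit, so record
# `git rev-parse HEAD` in each checkout if the build has to be reproducible.
wget https://hg.nginx.org/nginx-quic/archive/release-1.23.4.tar.gz -O nginx-quic-release-1.23.4.tar.gz
wget https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz -O jemalloc-5.3.0.tar.gz
wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
wget https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1t-quic1.tar.gz
# TODO(review): compare the tarballs against the upstream-published sha256 digests
# (or verify the upstream signatures) before unpacking; this page gives no
# digests, so none are hard-coded here.

# Subshells leave the working directory untouched even when a step fails; the
# original `cd X && ... && cd ../` chain skipped the final cd on any error.
git clone https://github.com/google/ngx_brotli.git && ( cd ngx_brotli && git submodule update --init )
git clone https://github.com/cloudflare/zlib && ( cd zlib && make -f Makefile.in distclean )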
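# Fetch the build inputs into the current directory. The tarballs are pinned by
# URL/tag; the two git clones are not pinned to a commit, so record
# `git rev-parse HEAD` in each checkout if the build has to be reproducible.
wget https://hg.nginx.org/nginx-quic/archive/release-1.23.4.tar.gz -O nginx-quic-release-1.23.4.tar.gz
wget https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz -O jemalloc-5.3.0.tar.gz
wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
wget https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1t-quic1.tar.gz
# TODO(review): compare the tarballs against the upstream-published sha256 digests
# (or verify the upstream signatures) before unpacking; this page gives no
# digests, so none are hard-coded here.

# Subshells leave the working directory untouched even when a step fails; the
# original `cd X && ... && cd ../` chain skipped the final cd on any error.
git clone https://github.com/google/ngx_brotli.git && ( cd ngx_brotli && git submodule update --init )
git clone https://github.com/cloudflare/zlib && ( cd zlib && make -f Makefile.in distclean )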

安装jemalloc

jemalloc是比glibc中的malloc高效很多的内存管理方案,这里使用jemalloc对nginx进行优化

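# Build and install jemalloc 5.3.0 under /usr/local (its default prefix), then
# expose libjemalloc.so.2 on the default loader path so the `-ljemalloc` link in
# the nginx build resolves at runtime.
tar zxf jemalloc-5.3.0.tar.gz
# Subshell: the working directory is unchanged afterwards, and a failed
# autogen/make stops the chain instead of running `make install` on nothing.
# The source tree is only removed when the build succeeded, so a failure can be
# inspected.
( cd jemalloc-5.3.0 && ./autogen.sh && make -j"$(nproc)" && make install ) && rm -rf -- jemalloc-5.3.0
# -f makes the link idempotent when the snippet is re-run (plain ln -s fails if
# the target already exists).
ln -sf /usr/local/lib/libjemalloc.so.2 /usr/lib64/libjemalloc.so.2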
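# Build and install jemalloc 5.3.0 under /usr/local (its default prefix), then
# expose libjemalloc.so.2 on the default loader path so the `-ljemalloc` link in
# the nginx build resolves at runtime.
tar zxf jemalloc-5.3.0.tar.gz
# Subshell: the working directory is unchanged afterwards, and a failed
# autogen/make stops the chain instead of running `make install` on nothing.
# The source tree is only removed when the build succeeded, so a failure can be
# inspected.
( cd jemalloc-5.3.0 && ./autogen.sh && make -j"$(nproc)" && make install ) && rm -rf -- jemalloc-5.3.0
# -f makes the link idempotent when the snippet is re-run (plain ln -s fails if
# the target already exists).
ln -sf /usr/local/lib/libjemalloc.so.2 /usr/lib64/libjemalloc.so.2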

安装nginx

开始编译nginx

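# Service account for the worker processes: no home directory and no login
# shell, since nothing ever logs in as it. The existence checks make the snippet
# safe to re-run (groupadd fails when the group exists, and the original
# `groupadd && useradd` chain then silently skipped useradd).
getent group www >/dev/null || /usr/sbin/groupadd www
getent passwd www >/dev/null || /usr/sbin/useradd -g www -M -s /sbin/nologin www

tar zxf OpenSSL_1_1_1t-quic1.tar.gz
tar zxf pcre-8.45.tar.gz
tar zxf nginx-quic-release-1.23.4.tar.gz

# Build in a subshell so the working directory is unchanged afterwards and a
# failed configure stops the chain instead of running make on nothing.
# --with-cc-opt/--with-ld-opt add the usual toolchain hardening (stack
# protector, fortified libc calls, full RELRO) on top of the jemalloc link.
( cd nginx-quic-release-1.23.4 &&
  ./auto/configure --prefix=/usr/local/nginx \
    --user=www --group=www \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-http_v3_module \
    --with-http_ssl_module \
    --with-stream \
    --with-stream_ssl_preread_module \
    --with-stream_ssl_module \
    --with-stream_quic_module \
    --with-http_realip_module \
    --with-zlib=../zlib \
    --with-http_gzip_static_module \
    --with-pcre=../pcre-8.45 \
    --with-pcre-jit \
    --with-openssl=../openssl-OpenSSL_1_1_1t-quic1 \
    --with-cc-opt='-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-z,relro -Wl,-z,now -ljemalloc' \
    --add-module=../ngx_brotli &&
  make -j"$(nproc)" &&
  make install &&
  make clean )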
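# Service account for the worker processes: no home directory and no login
# shell, since nothing ever logs in as it. The existence checks make the snippet
# safe to re-run (groupadd fails when the group exists, and the original
# `groupadd && useradd` chain then silently skipped useradd).
getent group www >/dev/null || /usr/sbin/groupadd www
getent passwd www >/dev/null || /usr/sbin/useradd -g www -M -s /sbin/nologin www

tar zxf OpenSSL_1_1_1t-quic1.tar.gz
tar zxf pcre-8.45.tar.gz
tar zxf nginx-quic-release-1.23.4.tar.gz

# Build in a subshell so the working directory is unchanged afterwards and a
# failed configure stops the chain instead of running make on nothing.
# --with-cc-opt/--with-ld-opt add the usual toolchain hardening (stack
# protector, fortified libc calls, full RELRO) on top of the jemalloc link.
( cd nginx-quic-release-1.23.4 &&
  ./auto/configure --prefix=/usr/local/nginx \
    --user=www --group=www \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-http_v3_module \
    --with-http_ssl_module \
    --with-stream \
    --with-stream_ssl_preread_module \
    --with-stream_ssl_module \
    --with-stream_quic_module \
    --with-http_realip_module \
    --with-zlib=../zlib \
    --with-http_gzip_static_module \
    --with-pcre=../pcre-8.45 \
    --with-pcre-jit \
    --with-openssl=../openssl-OpenSSL_1_1_1t-quic1 \
    --with-cc-opt='-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-z,relro -Wl,-z,now -ljemalloc' \
    --add-module=../ngx_brotli &&
  make -j"$(nproc)" &&
  make install &&
  make clean )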

编译完成后创建站点与日志目录

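# Site tree. conf/ and ssl/ stay root-owned: the nginx master (root) is what
# reads the config and the private keys, and the www workers must not be able
# to read keys or rewrite config. Only the document root and the log directory
# are handed to www. (If content is deployed by root, wwwroot can stay
# root-owned with 755 as well -- the workers only need read access.)
mkdir -p /data/htdocs/conf/ /data/htdocs/ssl/ /data/htdocs/wwwroot/
# Parent must be traversable by the workers regardless of the current umask.
chmod 755 /data/htdocs/
# Private keys live here; nobody but root needs to enter the directory.
chmod 700 /data/htdocs/ssl/
chown -R www:www /data/htdocs/wwwroot/

mkdir -p /data/wwwlogs/
chown -R www:www /data/wwwlogs/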
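# Site tree. conf/ and ssl/ stay root-owned: the nginx master (root) is what
# reads the config and the private keys, and the www workers must not be able
# to read keys or rewrite config. Only the document root and the log directory
# are handed to www. (If content is deployed by root, wwwroot can stay
# root-owned with 755 as well -- the workers only need read access.)
mkdir -p /data/htdocs/conf/ /data/htdocs/ssl/ /data/htdocs/wwwroot/
# Parent must be traversable by the workers regardless of the current umask.
chmod 755 /data/htdocs/
# Private keys live here; nobody but root needs to enter the directory.
chmod 700 /data/htdocs/ssl/
chown -R www:www /data/htdocs/wwwroot/

mkdir -p /data/wwwlogs/
chown -R www:www /data/wwwlogs/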

使系统自动切割日志

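# Daily rotation of the nginx logs; the master process is asked to reopen its
# log files afterwards. Written with a quoted heredoc instead of an interactive
# vi session so the step is reproducible.
cat > /etc/logrotate.d/nginx <<'EOF'
/data/wwwlogs/*nginx.log {
  daily
  rotate 7
  missingok
  dateext
  compress
  # Compress on the following rotation, not immediately: nginx keeps writing to
  # the renamed file until the USR1 below is handled, and compressing it right
  # away loses those lines.
  delaycompress
  notifempty
  sharedscripts
  postrotate
    if [ -f /var/run/nginx.pid ]; then
      kill -USR1 "$(cat /var/run/nginx.pid)"
    fi
  endscript
}
EOF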
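# Daily rotation of the nginx logs; the master process is asked to reopen its
# log files afterwards. Written with a quoted heredoc instead of an interactive
# vi session so the step is reproducible.
cat > /etc/logrotate.d/nginx <<'EOF'
/data/wwwlogs/*nginx.log {
  daily
  rotate 7
  missingok
  dateext
  compress
  # Compress on the following rotation, not immediately: nginx keeps writing to
  # the renamed file until the USR1 below is handled, and compressing it right
  # away loses those lines.
  delaycompress
  notifempty
  sharedscripts
  postrotate
    if [ -f /var/run/nginx.pid ]; then
      kill -USR1 "$(cat /var/run/nginx.pid)"
    fi
  endscript
}
EOF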

配置nginx

创建默认证书

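# Self-signed placeholder certificate so the default_server in nginx.conf has
# something to load; clients are never meant to trust it (that server only
# returns 444).
# umask 077 inside a subshell: the key file is created unreadable by anyone
# but root without changing the interactive shell's umask.
( umask 077 && openssl genrsa -out /data/htdocs/ssl/default.key 2048 )
# -subj skips the interactive prompts; the name is irrelevant for a catch-all cert.
openssl req -new -x509 -key /data/htdocs/ssl/default.key -out /data/htdocs/ssl/default.pem -days 3650 -subj '/CN=default'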

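# Self-signed placeholder certificate so the default_server in nginx.conf has
# something to load; clients are never meant to trust it (that server only
# returns 444).
# umask 077 inside a subshell: the key file is created unreadable by anyone
# but root without changing the interactive shell's umask.
( umask 077 && openssl genrsa -out /data/htdocs/ssl/default.key 2048 )
# -subj skips the interactive prompts; the name is irrelevant for a catch-all cert.
openssl req -new -x509 -key /data/htdocs/ssl/default.key -out /data/htdocs/ssl/default.pem -days 3650 -subj '/CN=default'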

生成 session_ticket.key

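# TLS session-ticket key (48 bytes is one of the two sizes nginx accepts).
# Rotate it regularly: whoever holds this key can decrypt resumed sessions it
# issued tickets for, so its lifetime bounds forward secrecy for resumptions.
# The directory created earlier is /data/htdocs/ssl (the original wrote to a
# non-existent /data0 path), and the file must not be world-readable, hence
# the umask inside a subshell.
( umask 077 && openssl rand 48 > /data/htdocs/ssl/session_ticket.key )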
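# TLS session-ticket key (48 bytes is one of the two sizes nginx accepts).
# Rotate it regularly: whoever holds this key can decrypt resumed sessions it
# issued tickets for, so its lifetime bounds forward secrecy for resumptions.
# The directory created earlier is /data/htdocs/ssl (the original wrote to a
# non-existent /data0 path), and the file must not be world-readable, hence
# the umask inside a subshell.
( umask 077 && openssl rand 48 > /data/htdocs/ssl/session_ticket.key )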

创建配置文件

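# nginx was configured with --prefix=/usr/local/nginx (the systemd unit below
# uses the same path), so the stock config is /usr/local/nginx/conf/nginx.conf;
# the /usr/local/webserver/... path does not exist on this install.
mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.old
vi /usr/local/nginx/conf/nginx.conf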
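# nginx was configured with --prefix=/usr/local/nginx (the systemd unit below
# uses the same path), so the stock config is /usr/local/nginx/conf/nginx.conf;
# the /usr/local/webserver/... path does not exist on this install.
mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.old
vi /usr/local/nginx/conf/nginx.conf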

输入以下内容后保存

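# nginx was configured with --prefix=/usr/local/nginx (the systemd unit below
# uses the same path), so the stock config is /usr/local/nginx/conf/nginx.conf;
# the /usr/local/webserver/... path does not exist on this install.
mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.old
vi /usr/local/nginx/conf/nginx.conf

# Paste the following and save.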

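user www www;
worker_processes auto;

# 'crit' (the original) drops [error] and [warn] entries -- permission
# problems, failed handshakes, upstream errors -- which are exactly what is
# needed when troubleshooting or investigating abuse. 'error' is nginx's default.
error_log /data/wwwlogs/error_nginx.log error;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Global ceiling on request bodies; site configs may lower it (the sample
    # site sets 0, which removes the check there).
    client_max_body_size 1024m;
    client_body_buffer_size 10m;
    # Do not advertise the nginx version in Server headers and error pages.
    server_tokens off;
    tcp_nodelay on;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;

    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
      text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
      text/javascript application/javascript application/x-javascript
      text/x-json application/json application/x-web-app-manifest+json
      text/css text/plain text/x-component
      font/opentype application/x-font-ttf application/vnd.ms-fontobject
      image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Provided by the ngx_brotli module added at build time.
    brotli            on;
    brotli_comp_level 6;
    brotli_static     on;
    brotli_min_length 1k;
    brotli_types
      text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
      text/javascript application/javascript application/x-javascript
      text/x-json application/json application/x-web-app-manifest+json
      text/css text/plain text/x-component
      font/opentype application/x-font-ttf application/vnd.ms-fontobject
      image/x-icon;

    log_format  http  '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

    # Same as "http" plus the negotiated protocol/cipher and whether 0-RTT
    # early data was used; handy when auditing TLS usage per site.
    log_format  https '$remote_addr - $remote_user [$time_local] '
                      '$ssl_protocol/$ssl_cipher $ssl_early_data '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

    # 10 MB of shared state keyed by client address, 1 request/s steady rate.
    # Referenced by name ("qps") from limit_req below and from site configs.
    limit_req_zone $binary_remote_addr zone=qps:10m rate=1r/s;

    # Catch-all for requests whose Host matches no configured site (including
    # access by bare IP): the connection is closed without a response (444).
    server {
        listen 80  default_server reuseport;
        listen 443 ssl http2 default_server reuseport;
        listen 443 quic default_server reuseport;
        server_name localhost;
        access_log /data/wwwlogs/access_nginx.log combined;

        # Self-signed placeholder generated earlier; only needed so the TLS
        # handshake can complete before the request is dropped.
        ssl_certificate /data/htdocs/ssl/default.pem;
        ssl_certificate_key /data/htdocs/ssl/default.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        # 0-RTT data is replayable; keep it off here.
        ssl_early_data off;
        #proxy_set_header Early-Data $ssl_early_data;
        add_header Alt-Svc 'h3=":443"; ma=86400';

        # Must name the zone declared by limit_req_zone above ("qps"). The
        # original referenced "ConnLimitZone", which is never defined, so
        # nginx -t rejected the configuration (undefined shared-memory zone).
        limit_req zone=qps burst=2 nodelay;

        return 444;
    }

    # Per-site configs live outside the nginx prefix (see "创建站点与日志目录").
    include /data/htdocs/conf/*.conf;
}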
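# nginx was configured with --prefix=/usr/local/nginx (the systemd unit below
# uses the same path), so the stock config is /usr/local/nginx/conf/nginx.conf;
# the /usr/local/webserver/... path does not exist on this install.
mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.old
vi /usr/local/nginx/conf/nginx.conf

# Paste the following and save.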

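user www www;
worker_processes auto;

# 'crit' (the original) drops [error] and [warn] entries -- permission
# problems, failed handshakes, upstream errors -- which are exactly what is
# needed when troubleshooting or investigating abuse. 'error' is nginx's default.
error_log /data/wwwlogs/error_nginx.log error;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Global ceiling on request bodies; site configs may lower it (the sample
    # site sets 0, which removes the check there).
    client_max_body_size 1024m;
    client_body_buffer_size 10m;
    # Do not advertise the nginx version in Server headers and error pages.
    server_tokens off;
    tcp_nodelay on;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;

    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
      text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
      text/javascript application/javascript application/x-javascript
      text/x-json application/json application/x-web-app-manifest+json
      text/css text/plain text/x-component
      font/opentype application/x-font-ttf application/vnd.ms-fontobject
      image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Provided by the ngx_brotli module added at build time.
    brotli            on;
    brotli_comp_level 6;
    brotli_static     on;
    brotli_min_length 1k;
    brotli_types
      text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
      text/javascript application/javascript application/x-javascript
      text/x-json application/json application/x-web-app-manifest+json
      text/css text/plain text/x-component
      font/opentype application/x-font-ttf application/vnd.ms-fontobject
      image/x-icon;

    log_format  http  '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

    # Same as "http" plus the negotiated protocol/cipher and whether 0-RTT
    # early data was used; handy when auditing TLS usage per site.
    log_format  https '$remote_addr - $remote_user [$time_local] '
                      '$ssl_protocol/$ssl_cipher $ssl_early_data '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

    # 10 MB of shared state keyed by client address, 1 request/s steady rate.
    # Referenced by name ("qps") from limit_req below and from site configs.
    limit_req_zone $binary_remote_addr zone=qps:10m rate=1r/s;

    # Catch-all for requests whose Host matches no configured site (including
    # access by bare IP): the connection is closed without a response (444).
    server {
        listen 80  default_server reuseport;
        listen 443 ssl http2 default_server reuseport;
        listen 443 quic default_server reuseport;
        server_name localhost;
        access_log /data/wwwlogs/access_nginx.log combined;

        # Self-signed placeholder generated earlier; only needed so the TLS
        # handshake can complete before the request is dropped.
        ssl_certificate /data/htdocs/ssl/default.pem;
        ssl_certificate_key /data/htdocs/ssl/default.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        # 0-RTT data is replayable; keep it off here.
        ssl_early_data off;
        #proxy_set_header Early-Data $ssl_early_data;
        add_header Alt-Svc 'h3=":443"; ma=86400';

        # Must name the zone declared by limit_req_zone above ("qps"). The
        # original referenced "ConnLimitZone", which is never defined, so
        # nginx -t rejected the configuration (undefined shared-memory zone).
        limit_req zone=qps burst=2 nodelay;

        return 444;
    }

    # Per-site configs live outside the nginx prefix (see "创建站点与日志目录").
    include /data/htdocs/conf/*.conf;
}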

创建系统服务

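# Install the systemd unit. A quoted heredoc replaces the interactive vi session
# so the step is reproducible; local tweaks later belong in a drop-in under
# /etc/systemd/system/nginx.service.d/ rather than in this vendor copy.
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
Documentation=http://nginx.org/en/docs/
After=network.target

[Service]
Type=forking
# /run is the canonical location; /var/run is a compatibility symlink and
# systemd warns about PIDFile= paths under it. Same file as the
# `pid /var/run/nginx.pid;` line in nginx.conf.
PIDFile=/run/nginx.pid
# Type=forking can report "started" before the pid file is fully written; the
# short sleep papers over that race.
ExecStartPost=/bin/sleep 0.1
# Refuse to (re)start with a broken config instead of leaving the service down.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
TimeoutStartSec=120
LimitNOFILE=65535
LimitNPROC=65535
# A core dump of the master can contain private-key material; keep cores off
# unless a crash is actively being debugged (the original 65535-byte limit
# was too small to be useful anyway).
LimitCORE=0
# Give the service its own /tmp, away from other local users.
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
# Harmless if the unit was never loaded, required if it is being re-edited.
systemctl daemon-reload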
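# Install the systemd unit. A quoted heredoc replaces the interactive vi session
# so the step is reproducible; local tweaks later belong in a drop-in under
# /etc/systemd/system/nginx.service.d/ rather than in this vendor copy.
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
Documentation=http://nginx.org/en/docs/
After=network.target

[Service]
Type=forking
# /run is the canonical location; /var/run is a compatibility symlink and
# systemd warns about PIDFile= paths under it. Same file as the
# `pid /var/run/nginx.pid;` line in nginx.conf.
PIDFile=/run/nginx.pid
# Type=forking can report "started" before the pid file is fully written; the
# short sleep papers over that race.
ExecStartPost=/bin/sleep 0.1
# Refuse to (re)start with a broken config instead of leaving the service down.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
TimeoutStartSec=120
LimitNOFILE=65535
LimitNPROC=65535
# A core dump of the master can contain private-key material; keep cores off
# unless a crash is actively being debugged (the original 65535-byte limit
# was too small to be useful anyway).
LimitCORE=0
# Give the service its own /tmp, away from other local users.
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
# Harmless if the unit was never loaded, required if it is being re-edited.
systemctl daemon-reload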

启动系统服务

# Start nginx now and on every boot (--now = enable followed by start).
systemctl enable --now nginx
# Start nginx now and on every boot (--now = enable followed by start).
systemctl enable --now nginx

添加web站点

在 /data/htdocs/conf 目录中添加站点配置文件

在 /data/htdocs/ssl 目录中添加站点绑定域名的证书

完成以上步骤后,执行

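# Validate the configuration first and only reload the running instance when
# the test passes, so a typo in a site file never takes the live server down.
/usr/local/nginx/sbin/nginx -t && systemctl reload nginx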
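# Validate the configuration first and only reload the running instance when
# the test passes, so a typo in a site file never takes the live server down.
/usr/local/nginx/sbin/nginx -t && systemctl reload nginx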

这里以wwwroot为站点目录示例,给出一个同时支持http3与http2的配置:

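server {
        listen                      80;
        listen                      443 ssl http2;
        listen                      443 quic;
        server_name                 sitename.com;
        root                        /data/htdocs/wwwroot;
        index                       index.html index.htm;

        # "https" format (defined in nginx.conf) records protocol/cipher and
        # whether 0-RTT was used, which helps when auditing TLS usage.
        access_log                  /data/wwwlogs/sitename.com_nginx.log https;
        # Needed so nginx can reach the OCSP responder for stapling.
        resolver                    223.5.5.5 8.8.8.8 valid=300s;
        resolver_timeout            5s;
        ssl_stapling                on;
        ssl_stapling_verify         on;
        # Stapling verification needs the issuing CA chain; this only works if
        # sitename.pem holds the full chain rather than just the leaf.
        ssl_trusted_certificate     /data/htdocs/ssl/sitename.pem;
        ssl_certificate             /data/htdocs/ssl/sitename.pem;
        ssl_certificate_key         /data/htdocs/ssl/sitename.key;
        ssl_session_tickets         on;
        # Same directory the key was generated into (/data/htdocs/ssl; the
        # original pointed at a non-existent /data0 path). Rotate the file
        # regularly -- it protects every resumed session.
        ssl_session_ticket_key      /data/htdocs/ssl/session_ticket.key;
        ssl_session_timeout         1440m;
        ssl_session_cache           shared:SSL:32m;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers   on;
        # ssl_ciphers takes exactly one argument; the original repeated the
        # directive name, which nginx rejects as an invalid argument count.
        ssl_ciphers                 TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        # 0-RTT data is replayable; keep it off unless early requests are
        # known to be idempotent.
        ssl_early_data off;
        #proxy_set_header Early-Data $ssl_early_data;

        add_header Alt-Svc 'h3=":443"; ma=86400';
        # Browsers honour HSTS only on HTTPS responses, and the preload list
        # additionally requires includeSubDomains. Note that port 80 above still
        # serves content instead of redirecting to HTTPS.
        add_header Strict-Transport-Security "max-age=63072000; preload";
        # Stops browsers from MIME-sniffing responses into scripts/styles;
        # safe for a static site.
        add_header X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options "SAMEORIGIN";
        #add_header X-XSS-Protection "1; mode=block";

        # 0 disables the body-size check entirely (overriding the 1024m ceiling
        # in nginx.conf); a static site usually wants a small explicit limit.
        client_max_body_size 0;

        location ~* \.(jpg|jpeg|gif|png|bmp|swf|ico|rar|zip|7z|tgz|tar.gz|txt|flv|mid|doc|docx|pptx|ppt|xlsx|xls|pdf|mp3|wma)$ {
            # Hotlink protection: media is only served to the listed referers
            # (or to requests carrying no Referer at all).
            valid_referers none blocked sitename.com *.sitename.com *.baidu.com *.baiducontent.com;
            if ($invalid_referer) {
                 return 412;
            }
            expires     30d;
            access_log  off;
            break;
        }
        # The original pattern \.(js|css)?$ made the group optional and so also
        # matched any URI that merely ends in "."; this one matches only .js/.css.
        location ~* \.(js|css)$ {
            expires     7d;
            access_log  off;
            # concat/concat_max_files belong to the nginx-http-concat module,
            # which this build does not include (--add-module only listed
            # ngx_brotli); enabling them makes nginx fail with an unknown
            # directive error.
            #concat      on;
            #concat_max_files 20;
        }
        location ~* \.(eot|ttf|woff|woff2|svg)$ {
            expires     max;
            access_log  off;
            # add_header is not inherited once a location defines its own, so
            # uncommenting any of these drops Alt-Svc/HSTS/nosniff for fonts
            # unless those headers are repeated here.
            #add_header Access-Control-Allow-Origin *;
            #add_header Access-Control-Allow-Headers X-Requested-With;
            #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }
        location = /favicon.ico {
            log_not_found off;
        }
        location = /robots.txt {
            #deny all;
            log_not_found off;
        }
        # Deny dotfiles (.git, .env, .htpasswd, ...) except ACME's /.well-known/.
        location ~ /\.(?!well-known).* {
            deny all;
        }
        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
}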
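server {
        listen                      80;
        listen                      443 ssl http2;
        listen                      443 quic;
        server_name                 sitename.com;
        root                        /data/htdocs/wwwroot;
        index                       index.html index.htm;

        # "https" format (defined in nginx.conf) records protocol/cipher and
        # whether 0-RTT was used, which helps when auditing TLS usage.
        access_log                  /data/wwwlogs/sitename.com_nginx.log https;
        # Needed so nginx can reach the OCSP responder for stapling.
        resolver                    223.5.5.5 8.8.8.8 valid=300s;
        resolver_timeout            5s;
        ssl_stapling                on;
        ssl_stapling_verify         on;
        # Stapling verification needs the issuing CA chain; this only works if
        # sitename.pem holds the full chain rather than just the leaf.
        ssl_trusted_certificate     /data/htdocs/ssl/sitename.pem;
        ssl_certificate             /data/htdocs/ssl/sitename.pem;
        ssl_certificate_key         /data/htdocs/ssl/sitename.key;
        ssl_session_tickets         on;
        # Same directory the key was generated into (/data/htdocs/ssl; the
        # original pointed at a non-existent /data0 path). Rotate the file
        # regularly -- it protects every resumed session.
        ssl_session_ticket_key      /data/htdocs/ssl/session_ticket.key;
        ssl_session_timeout         1440m;
        ssl_session_cache           shared:SSL:32m;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers   on;
        # ssl_ciphers takes exactly one argument; the original repeated the
        # directive name, which nginx rejects as an invalid argument count.
        ssl_ciphers                 TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        # 0-RTT data is replayable; keep it off unless early requests are
        # known to be idempotent.
        ssl_early_data off;
        #proxy_set_header Early-Data $ssl_early_data;

        add_header Alt-Svc 'h3=":443"; ma=86400';
        # Browsers honour HSTS only on HTTPS responses, and the preload list
        # additionally requires includeSubDomains. Note that port 80 above still
        # serves content instead of redirecting to HTTPS.
        add_header Strict-Transport-Security "max-age=63072000; preload";
        # Stops browsers from MIME-sniffing responses into scripts/styles;
        # safe for a static site.
        add_header X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options "SAMEORIGIN";
        #add_header X-XSS-Protection "1; mode=block";

        # 0 disables the body-size check entirely (overriding the 1024m ceiling
        # in nginx.conf); a static site usually wants a small explicit limit.
        client_max_body_size 0;

        location ~* \.(jpg|jpeg|gif|png|bmp|swf|ico|rar|zip|7z|tgz|tar.gz|txt|flv|mid|doc|docx|pptx|ppt|xlsx|xls|pdf|mp3|wma)$ {
            # Hotlink protection: media is only served to the listed referers
            # (or to requests carrying no Referer at all).
            valid_referers none blocked sitename.com *.sitename.com *.baidu.com *.baiducontent.com;
            if ($invalid_referer) {
                 return 412;
            }
            expires     30d;
            access_log  off;
            break;
        }
        # The original pattern \.(js|css)?$ made the group optional and so also
        # matched any URI that merely ends in "."; this one matches only .js/.css.
        location ~* \.(js|css)$ {
            expires     7d;
            access_log  off;
            # concat/concat_max_files belong to the nginx-http-concat module,
            # which this build does not include (--add-module only listed
            # ngx_brotli); enabling them makes nginx fail with an unknown
            # directive error.
            #concat      on;
            #concat_max_files 20;
        }
        location ~* \.(eot|ttf|woff|woff2|svg)$ {
            expires     max;
            access_log  off;
            # add_header is not inherited once a location defines its own, so
            # uncommenting any of these drops Alt-Svc/HSTS/nosniff for fonts
            # unless those headers are repeated here.
            #add_header Access-Control-Allow-Origin *;
            #add_header Access-Control-Allow-Headers X-Requested-With;
            #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }
        location = /favicon.ico {
            log_not_found off;
        }
        location = /robots.txt {
            #deny all;
            log_not_found off;
        }
        # Deny dotfiles (.git, .env, .htpasswd, ...) except ACME's /.well-known/.
        location ~ /\.(?!well-known).* {
            deny all;
        }
        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
}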
