This article is based on the following CSDN post, adapted and reorganised:
https://blog.csdn.net/qq_32262243/article/details/133951973
The system is again Tencent Cloud Ubuntu 24. I did not download the pcre or similar sources by hand; the packages that ship with Ubuntu are sufficient, and there is no need to build openssl and the like manually either.
1. Software preparation
1.1 nginx source
The latest stable release, 1.26.1, is used here; download it from:
https://nginx.org/download/nginx-1.26.1.tar.gz
1.2 geoip2 module source
Releases · leev/ngx_http_geoip2_module · GitHub
This module is added to the nginx source tree at build time (static compilation) to provide IP-address filtering support.
1.3 libmaxminddb library
https://github.com/maxmind/libmaxminddb/releases
1.4 IP geolocation database
https://www.maxmind.com/en/home
Register, log in, and download the Country and City databases for later use.
2. Environment preparation
On Ubuntu 24, install the build dependencies:
sudo apt-get install build-essential zlib1g-dev libssl-dev libpcre2-dev libmaxminddb-dev libmaxminddb0 mmdb-bin vim
3. Build and install
Extract the four archives downloaded in step 1 with tar -zxvf <archive name>. My data disk is mounted at /data, so after extraction I moved the four extracted directories into /data for later use; the geoip2 module path is /data/software/nginx/ngx_http_geoip2_module-3.4/. First build and install libmaxminddb:
cd /data/libmaxminddb-1.10.0
./configure
make
make install
ldconfig
Then build nginx:
cd /data/nginx-1.26.1
./configure --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-stream --add-module=/data/software/nginx/ngx_http_geoip2_module-3.4/
make
make install
That completes the build and installation. Next, prepare the directories nginx will use and configure it:
mkdir -p /data/nginx/logs
mkdir -p /usr/local/nginx/conf/v_host/
mkdir -p /usr/local/nginx/cache
4. Configure nginx
Edit /usr/local/nginx/conf/nginx.conf and add IP-address filtering support:
#user nobody;
worker_processes auto;
error_log /data/nginx/logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /data/nginx/logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;

    # Country database
    geoip2 /data/GeoLite2-Country/GeoLite2-Country.mmdb {
        auto_reload 20m;
        $geoip2_metadata_country_build metadata build_epoch;
        #$geoip2_data_country_code country iso_code;
        $geoip2_country_name country names en;
        # default=US: addresses missing from the database are treated as US and therefore denied by the rules below
        $geoip2_data_country_code default=US country iso_code;
    }

    # City database
    geoip2 /data/GeoLite2-City/GeoLite2-City.mmdb {
        auto_reload 20m;
        $geoip2_data_city_name city names en;
        $geoip2_data_province_name subdivisions 0 names en;
        $geoip2_data_province_isocode subdivisions 0 iso_code;
        $geoip2_continent_code continent code;
    }

    # Access rule: deny every country by default, allow China only
    map $geoip2_data_country_code $allowed_country {
        default no;
        CN yes;
    }

    # Pull in the per-site conf files from v_host
    include /usr/local/nginx/conf/v_host/*.conf;
}
Under /usr/local/nginx/conf/v_host, add a .conf file for your own site, e.g. xxx.com.conf, with the following content:
server {
    listen 443 ssl;
    server_name xxxx.com;
    ssl_certificate /data/nginx/xxxxxxx.crt;
    ssl_certificate_key /data/nginx/xxxxxxxxx.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 TLSv1.3 is the usual choice today
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    client_max_body_size 50M;
    # Expose the client's country code as a response header
    add_header client-country $geoip2_data_country_code;
    # If the country is not China, return 451 to the client
    if ($geoip2_data_country_code != CN) {
        return 451;
    }
    # If the default-deny map rule matched, return 452 to the client
    # (only CN reaches this point after the check above, so in practice it never fires)
    if ($allowed_country = no) {
        return 452;
    }
    location / {
        if ($allowed_country = no) {
            return 403;
        }
        # your normal configuration goes here
    }
}
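To see what the geoip2 variable lines in nginx.conf and the country filter in the server block actually evaluate to, here is an added Python model that is not part of the original post or of ngx_http_geoip2_module: it walks GeoLite2-style records with the same path syntax used in the geoip2 blocks (including default=), applies the map, and returns the status the server block would produce. The records are constructed sample data, and the optional lookup_mmdb helper assumes the maxminddb package is installed.

```python
"""Offline model of the geoip2 variable lookups and the country filter above.
Added example, not code from the post or from ngx_http_geoip2_module.
Assumes: records are dicts in GeoLite2 layout (what a real .mmdb returns)."""
from typing import Any, Optional

# Constructed sample records in GeoLite2 Country/City layout for two addresses;
# 203.0.113.9 (TEST-NET-3) is deliberately absent to model a database miss.
SAMPLE_DB = {
    "198.51.100.7": {"country": {"iso_code": "CN", "names": {"en": "China"}},
                     "city": {"names": {"en": "Beijing"}},
                     "subdivisions": [{"iso_code": "BJ", "names": {"en": "Beijing"}}],
                     "continent": {"code": "AS"}},
    "192.0.2.33": {"country": {"iso_code": "DE", "names": {"en": "Germany"}},
                   "continent": {"code": "EU"}},
}

def geoip2_value(record: Optional[dict], path: str, default: str = "") -> str:
    """Walk a record the way a variable line in a geoip2 block does, e.g.
    'subdivisions 0 iso_code'; numeric tokens index lists. A miss at any
    step yields the default (the module's 'default=' option), else ''."""
    node: Any = record
    for token in path.split():
        if isinstance(node, list) and token.isdigit() and int(token) < len(node):
            node = node[int(token)]
        elif isinstance(node, dict) and token in node:
            node = node[token]
        else:
            return default
    return str(node) if not isinstance(node, (dict, list)) else default

def country_code(db: dict, ip: str) -> str:
    # Mirrors: $geoip2_data_country_code default=US country iso_code;
    return geoip2_value(db.get(ip), "country iso_code", default="US")

def decide(code: str) -> int:
    """Status the server block returns, evaluated in nginx's order:
    the server-level 'if' first, then the map-driven check inside location /."""
    if code != "CN":                            # if ($geoip2_data_country_code != CN) { return 451; }
        return 451
    allowed = {"CN": "yes"}.get(code, "no")     # map $geoip2_data_country_code $allowed_country
    if allowed == "no":                         # if ($allowed_country = no) { return 403; }
        return 403
    return 200                                  # falls through to the normal configuration

def lookup_mmdb(path: str, ip: str) -> Optional[dict]:
    # Fetch the raw record from a real database (assumes the maxminddb package).
    import maxminddb
    with maxminddb.open_database(path) as reader:
        return reader.get(ip)
```

Running decide(country_code(db, ip)) over a few addresses is a quick way to confirm that a missing lookup (default=US) is denied with 451 rather than silently allowed.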
Finally, write a systemd unit for nginx so that it runs as a systemd service:
vim /etc/systemd/system/nginx.service
[Unit]
Description=NGINX HTTP and reverse proxy server
After=syslog.target network.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/bin/kill -s HUP $MAINPID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
# Hardening
#InaccessiblePaths=/etc/gnupg /etc/shadow /etc/ssh
#ProtectSystem=full
#ProtectKernelTunables=yes
#ProtectControlGroups=yes
#SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
#MemoryDenyWriteExecute=yes
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
#RestrictRealtime=yes
[Install]
WantedBy=multi-user.target
Then run systemctl enable nginx and you are done.