一、关闭selinux
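# Section 1: put SELinux into the requested mode (default "disabled", as in the
# original notes). Security note: docker-ce runs fine with SELinux enforcing
# (labels for bind mounts via `-v ...:z`), so prefer SELINUX_MODE=permissive,
# which keeps AVC audit logging, over disabling it outright. Requires root.
SELINUX_MODE="${SELINUX_MODE:-disabled}"
case "$SELINUX_MODE" in
  enforcing|permissive|disabled) ;;
  *) printf 'bad SELINUX_MODE: %s\n' "$SELINUX_MODE" >&2; exit 1 ;;
esac
# Edit the existing file in place (with a backup) instead of clobbering it with a
# two-line heredoc that drops every comment; on CentOS 7 /etc/sysconfig/selinux
# is a symlink to /etc/selinux/config, so either path ends up in the same file.
sed -i.bak -E "s/^SELINUX=.*/SELINUX=${SELINUX_MODE}/" /etc/selinux/config
grep -E '^SELINUX(TYPE)?=' /etc/selinux/config
# Stop enforcing immediately; "disabled" itself cannot be applied to a running
# kernel, so the file change only takes full effect after the reboot below.
setenforce 0 2>/dev/null || true
sestatus
reboot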
二、yum安装docker和docker-compose
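# Section 2a: make sure wget exists, then point yum at the Aliyun mirrors
# (CentOS 7 base, EPEL, docker-ce), clean and rebuild the cache.
yum install -y wget
# Fetch the .repo files over HTTPS only. A repo definition pulled over plain
# HTTP (as the original did) can be swapped on the wire, and it controls where
# every later `yum install` gets its packages and GPG keys from. After the
# download, check that docker-ce.repo still has gpgcheck=1.
repo_dir=/etc/yum.repos.d
wget -O "${repo_dir}/CentOS-Base.repo" https://mirrors.aliyun.com/repo/Centos-7.repo \
  && wget -O "${repo_dir}/epel.repo" https://mirrors.aliyun.com/repo/epel-7.repo \
  && wget -O "${repo_dir}/docker-ce.repo" https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
  && yum clean all \
  && yum makecache fast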
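# Section 2b: install docker-ce (community edition; "ee" is the paid one).
# 1. Remove the legacy distro packages so they do not conflict with docker-ce.
yum remove -y docker docker-client docker-client-latest docker-common \
  docker-latest docker-latest-logrotate docker-logrotate docker-engine
# 2. yum-config-manager ships in yum-utils.
yum install -y yum-utils
# 3. Repository. The upstream URL is kept for reference; the Aliyun mirror is
#    faster from inside China. This is the same file already fetched in
#    section 2a, so this step is harmless but redundant if that ran.
#    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
# 4. Install the engine, CLI and containerd. Keep gpgcheck=1 in the repo file
#    so packages are verified against Docker's signing key.
yum install -y docker-ce docker-ce-cli containerd.io
# 5. Verify the install, then enable at boot and start now.
docker version
systemctl enable docker
systemctl start docker
# 6. Smoke test (pulls an image from the registry; --rm cleans up afterwards):
# docker run --rm hello-world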
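# Section 2c: install docker-compose v1 as a single static binary.
# Note: compose v1 (1.29.2) is end-of-life. On a current host prefer the
# docker-compose-plugin package (compose v2, `docker compose ...`) from the
# docker-ce repo configured above.
COMPOSE_VERSION="${COMPOSE_VERSION:-1.29.2}"
# Upstream releases: https://github.com/docker/compose/releases
# get.daocloud.io is an unofficial CN mirror of those assets.
COMPOSE_URL="https://get.daocloud.io/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)"
# Download to a temp file first. `sudo curl ... > /usr/local/bin/x` does not work
# as intended: the redirect is opened by the unprivileged shell, not by sudo,
# and without -f a failed download would leave an HTML error page on PATH.
tmp=$(mktemp) || exit 1
curl -fsSL "${COMPOSE_URL}" -o "${tmp}" || { rm -f -- "${tmp}"; exit 1; }
# TODO(review): compare the file against the sha256 published on the GitHub
# release page before installing it; the mirror is not authenticated.
sudo install -m 0755 -- "${tmp}" /usr/local/bin/docker-compose
rm -f -- "${tmp}"
# /usr/local/bin is already on PATH, so the bare name works.
docker-compose --version   # was `-version`, which compose does not accept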
三、docker安装nginx
1、sh版本
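# Section 3.1: write an install script for nginx-in-docker to $HOME.
# The heredoc delimiter is single-quoted ('EOF') so nothing inside is expanded
# by the outer shell. The original used curly quotes (‘EOF‘), which made the
# terminator literally ‘EOF‘ (never matched, so the heredoc swallowed the rest
# of the input) and left it unquoted, so $(docker ps ...) and $a were expanded
# while writing the file; the same curly quotes also broke awk and the string
# comparisons inside the script.
tee ~/docker_install_nginx.sh <<'EOF'
#!/usr/bin/env bash
# Extract the default config/html/log trees from the official nginx image into
# $BASE, then run the real container with those directories bind-mounted.
# Environment:
#   IMAGE  image to run (default nginx:1.19.10 -- a 2021 build; pin a current,
#          patched tag, ideally by digest, before using this in anger)
#   BASE   host directory for conf/html/log (default /home/nginx)
# Exits non-zero on any failure (the original `exit`ed with status 0, so the
# caller's `&& docker ps` ran even after "docker cp 失败").
set -euo pipefail

IMAGE="${IMAGE:-nginx:1.19.10}"
BASE="${BASE:-/home/nginx}"

echo "==>开始安装nginx..."
# Remove any previous container with the same name (ignore "no such container").
docker rm -f nginx > /dev/null 2>&1 || true

# A *created* (never started) container is enough for `docker cp`; this avoids
# briefly publishing host port 80 just to copy a few files out.
docker create --name nginx "$IMAGE" > /dev/null
if [[ "$(docker inspect -f '{{.Config.Image}}' nginx)" != "$IMAGE" ]]; then
  echo "==>nginx容器安装失败,请检查!" >&2
  exit 1
fi
echo "==>临时nginx容器安装成功"

for d in conf html log; do
  mkdir -p "${BASE}/${d}"
  rm -rf "${BASE:?}/${d:?}"/*   # :? aborts instead of expanding to /* if unset
done
docker cp nginx:/etc/nginx/            "${BASE}/conf/"
docker cp nginx:/usr/share/nginx/html/ "${BASE}/html/"
docker cp nginx:/var/log/nginx/        "${BASE}/log/"
echo "==>nginx配置文件复制完成"

# The copy only counts as successful if every target tree is non-empty.
# (The original compared `ls -l | wc -l` with 0, which is always true once the
# directory exists because of the "total" line, and tested the conf counter
# three times instead of conf/html/log.)
for d in conf/nginx html/html log/nginx; do
  if [[ -z "$(ls -A "${BASE}/${d}" 2>/dev/null)" ]]; then
    echo "==>docker cp 失败!" >&2
    exit 1
  fi
done
docker rm -f nginx > /dev/null 2>&1
echo "==>nginx临时容器已删除"

# --privileged removed: nginx needs no extra capabilities, and a privileged
# container on --net=host has the host's devices, network namespace and no
# seccomp/AppArmor confinement, i.e. it is root on the host. --net=host is kept
# because the stream proxy later in these notes relies on it; if you only need
# 80/443, use `-p 80:80 -p 443:443` instead.
docker run -d --name nginx --net=host --restart=always \
  -v "${BASE}/conf/nginx:/etc/nginx/" \
  -v "${BASE}/html/html:/usr/share/nginx/html/" \
  -v "${BASE}/log/nginx:/var/log/nginx/" \
  "$IMAGE" > /dev/null
if [[ "$(docker inspect -f '{{.State.Running}}' nginx 2>/dev/null)" == "true" ]]; then
  echo "==>nginx容器安装成功"
else
  echo "==>nginx容器安装失败,请检查!" >&2
  exit 1
fi
EOF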
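echo "=================================="
# The script was written to ~/ by the tee above; the original ran
# ./docker_install_nginx.sh, which only works when the cwd happens to be $HOME.
# `docker ps` runs only if the script exited 0.
chmod 755 ~/docker_install_nginx.sh && ~/docker_install_nginx.sh && docker ps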
2、简单版本
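# Section 3.2: the same steps as the script, typed by hand.
docker rm -f nginx
# A created (not started) container is enough for `docker cp`, so there is no
# need to publish port 80 for the temporary container.
docker create --name nginx nginx:1.19.10
# was `mkdir -p /home/ningx/log` (typo) -- the log copy below then failed
# because its destination directory did not exist.
mkdir -p /home/nginx/conf /home/nginx/html /home/nginx/log
rm -rf /home/nginx/conf/* /home/nginx/html/* /home/nginx/log/*
docker cp nginx:/etc/nginx/            /home/nginx/conf/
docker cp nginx:/usr/share/nginx/html/ /home/nginx/html/
docker cp nginx:/var/log/nginx/        /home/nginx/log/
docker rm -f nginx
# No --privileged: nginx does not need it, and privileged + --net=host is
# equivalent to root on the host. Keep --net=host only if the stream proxy in
# section 4.3 is actually used; otherwise publish ports with -p.
docker run -d --name nginx --net=host --restart=always \
  -v /home/nginx/conf/nginx:/etc/nginx/ \
  -v /home/nginx/html/html:/usr/share/nginx/html/ \
  -v /home/nginx/log/nginx:/var/log/nginx/ \
  nginx:1.19.10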
四、配置文件
1、反向代理+ssl
[root@node16 conf.d]# cat zentao.conf
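# zentao.conf: TLS termination in front of an internal HTTP backend.
upstream zentao {
    server 10.10.1.17:80;   # plain HTTP on the internal network; TLS ends here
}

# Port 80: send everything to HTTPS.
server {
    listen 80;
    server_name xxx;        # replace with the real host name
    # $host/$request_uri keep the requested host and full URI; the original
    # rewrite to ${server_name} would have sent clients to "https://xxx".
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name xxx;
    # Use the live/ symlinks rather than archive/*1.pem: certbot writes each
    # renewal as a new numbered file under archive/ and only the live/ links
    # follow it, so the archive paths keep serving the expired certificate.
    ssl_certificate     /etc/letsencrypt/live/leliven.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/leliven.com/privkey.pem;
    ssl_session_timeout 5m;
    # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs OpenSSL 1.1.1+,
    # which the nginx:1.19.10 image has; drop it if the build lacks it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Keep browsers on HTTPS after the first visit (no includeSubDomains/preload
    # until every subdomain serves TLS).
    add_header Strict-Transport-Security "max-age=31536000" always;

    # SNI (Server Name Indication) lets one IP serve several certificates: the
    # client sends the host name in the TLS handshake and the server picks the
    # matching cert. nginx handles that for *incoming* connections by itself.
    # proxy_ssl_server_name only forwards SNI to an https:// upstream; with the
    # http:// upstream above it has no effect, so it is not set here.
    location / {
        proxy_pass http://zentao;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Crude ab/wget deterrent. User-Agent is chosen by the client, so this
        # only stops the default strings; the limit_req/limit_conn zones in
        # nginx.conf are the real protection. The original had `retrun 403`
        # and `=1` without a space, both of which nginx rejects at load time.
        if ($http_user_agent ~ "Wget|ApacheBench") {
            return 403;
        }

        error_page 404 500 502 503 504 /error.html;
    }

    location = /error.html {
        root /usr/share/nginx/html;
    }
}
# (The original file was missing this closing brace for the 443 server.)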
2、ssl错误页面
[root@node16 conf.d]# cat error.conf
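# error.conf: catch-all for HTTPS requests that match no server_name.
# conf.d/*.conf is included alphabetically, so this file's server is the
# default for port 443 whether or not it says so; making that explicit avoids
# surprises when another file is added. NOTE(review): a default server on an
# ssl-enabled port must carry a certificate -- nginx refuses to start with
# "no ssl_certificate is defined in server listening on SSL port" otherwise,
# which is what the original `listen 443;` without ssl_* would hit.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/leliven.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/leliven.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    error_page 502 /502.html;
    location = /502.html {
        root /usr/share/nginx/html;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }
}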
3、tcp代理
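# Section 4.3: replace the container's nginx.conf. stream {} must live in the
# main file: conf.d/*.conf is included inside http {}, where it is not allowed.
# The delimiter is quoted so $remote_addr etc. are written literally. The
# original's curly quotes (‘EOF‘, ‘$remote_addr ... ‘) broke both the heredoc
# terminator and the log_format directive, which nginx would not parse.
CONF_DIR="${CONF_DIR:-/home/nginx/conf/nginx}"
cat > "${CONF_DIR}/nginx.conf" <<'EOF'
user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;   # do not advertise the exact nginx version

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;

    # ---- rate limiting: set here, so it applies to every server in conf.d/ ----
    # limit_req_zone / limit_req: requests per unit time per client (leaky bucket).
    # limit_conn_zone / limit_conn: concurrent connections per client and per server_name.
    # $binary_remote_addr is the peer IP as nginx sees it; behind another proxy or
    # load balancer every client shares that proxy's bucket.
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    limit_req zone=one burst=10 nodelay;
    # Per-User-Agent limiting has to be configured inside a server block; here it errors.
    #limit_req_zone $anti_spider zone=one2:10m rate=10r/s;
    #limit_req zone=one2 burst=10 nodelay;
    #if ($http_user_agent ~* "googlebot|bingbot|Feedfetcher-Google") {
    #    set $anti_spider $http_user_agent;
    #}
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;
    limit_conn perip 10;
    limit_conn perserver 100;
    # --------------------------------------------------------------------------

    include /etc/nginx/conf.d/*.conf;
}

# Layer-4 (TCP) proxy.
# NOTE(review): this listens on 80, and conf.d/zentao.conf also has an http
# server on 80. nginx cannot bind the same port in both contexts and fails to
# start ("Address already in use"); give one of them a different port.
stream {
    upstream xxx {
        hash $remote_addr consistent;   # sticky by client IP
        server 127.0.0.1:8080 weight=5 max_fails=3 fail_timeout=30s;
    }
    server {
        listen 80;
        proxy_connect_timeout 10s;
        proxy_timeout 300s;   # idle timeout between client and upstream (5 min)
        proxy_pass xxx;       # an upstream name only -- "http://xxx" is an error in stream
        # proxy_set_header is an http-only directive and cannot be used here.
        # A TCP backend that needs the client IP has to accept the PROXY
        # protocol (proxy_protocol on;) instead of X-Forwarded-For.
    }
}
EOF
# Validate the new file in the running container (its /etc/nginx is this bind
# mount) before restarting, so a typo does not take the site down.
docker exec nginx nginx -t && docker restart nginx
docker logs -f nginx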
4、防火墙
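# Section 4.4: firewalld cheat sheet. Each pair below is the opposite of the
# other; run one side, not both.
systemctl stop firewalld && systemctl disable firewalld     # switch off
systemctl start firewalld && systemctl enable firewalld     # switch on
firewall-cmd --permanent --zone=public --add-port=80/tcp     # open 80/tcp
firewall-cmd --permanent --zone=public --remove-port=80/tcp  # close 80/tcp
firewall-cmd --reload                                        # apply --permanent changes
firewall-cmd --list-all-zones                                # was --list-all-zone (no such option)
# `firewall-cmd --reload` flushes the iptables chains the docker daemon set up.
# Restart the docker *daemon* (systemctl restart docker) to recreate them; the
# container itself is not the problem. Two consequences for this setup:
#  - with --net=host nothing is NATed: whatever nginx binds is reachable
#    exactly as far as firewalld's zone rules allow;
#  - with `-p` publishing, docker inserts its own iptables rules ahead of
#    firewalld's, so a published port is reachable regardless of the zone.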
安装docker+docker版NG+NG配置