centos7.6环境下编译安装tengine-2.2.2的编译安装
.获取tengine2..2的源码包
http://tengine.taobao.org/download/tengine-2.2.2.tar.gz
.获取tengine的编译参数
/usr/loca/nginx/sbin/nginx -V
# tengine2..2的编译安装
tar -zxf tengine-2.2..tar.gz
cd tengine-2.2.
./configure --prefix=/usr/local/tengine-2.2. --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2. --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2
make && make install
# 因为openssl经常曝出一些大的漏洞,使用最新版本的openssl1..0i
--with-openssl=/usr/local/lab/openssl-1.1.0i
# 找到geoip相关的库
ngx_http_geoip2_module-3.2
....
报错的处理:
问题1:./configure预编译报错
configuring additional modules
adding module in /usr/local/lab/ngx_cache_purge-2.3
+ ngx_http_cache_purge_module was configured
adding module in /usr/local/ngx_http_geoip2_module-3.2
checking for MaxmindDB library ... found
+ ngx_geoip2_module was configured
adding module in modules/ngx_http_lua_module
checking for LuaJIT library in /usr/local/lib/ and /usr/local/include/luajit-2.0/ (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... found
checking for export symbols by default (-E) ... found
checking for export symbols by default (--export-all-symbols) ... not found
checking for SO_PASSCRED ... found
+ ngx_http_lua_module was configured
checking for libxslt ... found
checking for libexslt ... found
checking for GeoIP library ... not found
checking for GeoIP library in /usr/local/ ... not found
checking for GeoIP library in /usr/pkg/ ... not found
checking for GeoIP library in /opt/local/ ... not found
./configure: error: the GeoIP module requires the GeoIP library.
You can either do not enable the module or install the library.
解决办法编译安装GeoIP:
cd source
wget https://github.com/maxmind/geoip-api-c/releases/download/v1.6.9/GeoIP-1.6.9.tar.gz
tar -zxvf GeoIP-1.6..tar.gz -C /usr/local
cd GeoIP-1.6.
# 注意不要添加--prefix 默认即可否则无法正常编译安装
./configure
make
sudo make install
问题2:
make编译报错:
POSIX mem threshold ............. :
Internal link size .............. :
Nested parentheses limit ........ :
Match limit ..................... :
Match limit recursion ........... : MATCH_LIMIT
Build shared libs ............... : no
Build static libs ............... : yes
Use JIT in pcregrep ............. : no
Buffer size for pcregrep ........ :
Link pcregrep with libz ......... : no
Link pcregrep with libbz2 ....... : no
Link pcretest with libedit ...... : no
Link pcretest with libreadline .. : no
Valgrind support ................ : no
Code coverage ................... : no
cd /usr/local/lab/openssl-1.1.0i \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/lab/openssl-1.1.0i/.openssl no-shared \
&& make \
&& make install LIBDIR=lib
/bin/sh: line : ./config: No such file or directory
make[]: *** [/usr/local/lab/openssl-1.1.0i/.openssl/include/openssl/ssl.h] Error
make[]: Leaving directory `/usr/local/src/tengine-2.2.'
make: *** [build] Error
解决方案:
打开nginx源文件下的/usr/local/src/tengine-2.2./auto/lib/openssl/conf文件:
找到这么一段代码:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
修改成以下代码:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
然后再进行Nginx的编译安装即可
问题3:
make报错:
make[]: *** No rule to make target `distclean'. Stop
make[]: *** [/usr/local/lab/zlib-1.2./libz.a] Error
问题分析:
/usr/local/lab/zlib-1.2./下没有libz.a文件,当时编译的时候是--prefix的,源码没有拷贝过来
解决办法:
将之前的编译目录拷贝过去即可:
cp -ar /usr/loca/src/zlib-1.2./* /usr/local/lab/zlib-1.2.11/
#####################################
tengine升级为2.2.3
# tengine2.2.3的编译安装
tar -zxf tengine-2.2.3.tar.gz
cd tengine-2.2.3
./configure --prefix=/usr/local/tengine-2.2.3 --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2.11 --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2
# 报错
Use JIT in pcregrep ............. : no
Buffer size for pcregrep ........ : 20480
Link pcregrep with libz ......... : no
Link pcregrep with libbz2 ....... : no
Link pcretest with libedit ...... : no
Link pcretest with libreadline .. : no
Valgrind support ................ : no
Code coverage ................... : no
cd /usr/local/lab/openssl-1.1.0i \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/lab/openssl-1.1.0i/.openssl no-shared \
&& make \
&& make install LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/lab/openssl-1.1.0i/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/usr/local/src/tengine-2.2.3'
make: *** [build] Error 2
解决方案:
打开nginx源文件下的/usr/local/src/tengine-2.2.2/auto/lib/openssl/conf文件:
找到这么一段代码:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
修改成以下代码:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
然后再进行Nginx的编译安装即可
无法解析SSI报错如下:Nginx: unsafe URI detected while sending response
现象:# 类似 <!--#include virtual="../library/header.html"--><div id="blog"> html语法无法解析,导致网站头部尾部不能正常展示
<!--#include virtual="library/header.html"--> 可以解析没有问题
# 代码片段
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel="shortcut icon" href="http://blog.chinasoft.com/static/favicon.ico" />
<title>Influencer Marketing Tips</title>
<meta name="description" content="Learn more about the helpful influencer marketing tips for your brand, products or business on chinasoft blog center." />
</head>
<body>
<!--#include virtual="../library/header.html"--><div id="blog">
<div>
<div class="container py-lg-5" style="max-width:1200px">
<div class="bg-light rounded py-4 px-5 mx-auto">
网站头部不能加载影响美观
[root@eus_mp_web01:/data/www/vhosts/blog.chinasoft.com/httpdocs/influencer-marketing-tips]# tail -f /data/www/logs/nginx_log/error/blog.com_error.log
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * open() "/data/www/vhosts/blog.chinasoft.com/httpdocs/static/favicon.ico" failed (: No such file or directory), client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /static/favicon.ico HTTP/1.1", host: "blog.chinasoft.com", referrer: "https://blog.chinasoft.com/influencer-marketing-tips/"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
关于Nginx的SSI(包含路径)
如果shtml里面的网页代码包含语句写成如下:
<!--#include virtual="/test.html"-->
这样是没有问题,可以包含的,但是如果写成这样:
<!--#include virtual="../test.html"-->
由于需要包含当前代码文件所在目录路径的上级目录文件,nginx会为此请求产生的子请求uri为/../test.html,默认nginx会认为这个uri并不是安全的,日志(error_log)会输入如下错误:
// :: [error] #: * unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
不能正确包含文件,页面会输出[an error occurred while processing the directive],解决方法是找到nginx源代码目录的unsafe uri检查函数并强制使其返回一个NGX_OK
# 解决办法:
# 修改源文件tengine-2.2./src/http/ngx_http_parse.c
# 找到ngx_http_parse_unsafe_uri 函数,直接返回 NGX_OK
ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
ngx_str_t *args, ngx_uint_t *flags)
{
return NGX_OK; # 新增return NGX_OK;
u_char ch, *p, *src, *dst;
size_t len;
ngx_uint_t quoted;
len = uri->len;
p = uri->data;
quoted = ;
if (len == || p[] == '?') {
goto unsafe;
}
if (p[] == '.' && len > && p[] == '.'
&& (len == || ngx_path_separator(p[])))
{
goto unsafe;
}
for ( /* void */ ; len; len--) {
ch = *p++;
if (ch == '%') {
quoted = ;
continue;
}
if (usual[ch >> ] & ( << (ch & 0x1f))) {
continue;
}
if (ch == '?') {
args->len = len - ;
args->data = p;
uri->len -= len;
break;
}
# 重新编译即可
./configure --prefix=/usr/local/tengine-2.2.3_ssi --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2. --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2
# make && make install
重新编译以后nginx可以包含上级目录的文件,当然,带来的后果是安全性的下降