How to add the Nginx cookie-flag module on Oracle Linux 9.x?

Reverse Proxy

1 Basics

The "nginx_cookie_flag_module" sets the following flags on cookies carried in the Set-Cookie headers of upstream responses:
– HttpOnly
– SameSite
– secure
Note: what these flags do is not the focus of this chapter; it is covered in other chapters.

2 Best practice

2.1 Environment configuration

2.1.1 System environment

IP Address = 10.168.0.154
Host Name = any.cmdschool.org
OS = CentOS 7.3 x86_64

2.1.2 yum repository configuration

sudo dnf install -y gcc gcc-c++ make expat-devel
sudo dnf install -y rpm-build
sudo dnf install -y vim wget

2.1.3 Create the build user

useradd -u 1001 builder

2.1.4 Disable SELinux

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

2.2 Building the rpm package

2.2.1 Download the packages

su - builder
cd ~
wget https://nginx.org/packages/rhel/9/SRPMS/nginx-1.28.2-1.el9.ngx.src.rpm
wget -O nginx_cookie_flag_module-1.1.0.tar.gz https://github.com/AirisX/nginx_cookie_flag_module/archive/refs/tags/v1.1.0.tar.gz

Other versions can be downloaded from the following links:
http://nginx.org/packages/
https://github.com/AirisX/nginx_cookie_flag_module/releases

2.2.2 Extract and test the build environment

rpm -ivh nginx-1.28.2-1.el9.ngx.src.rpm
rpmbuild -bb rpmbuild/SPECS/nginx.spec

If you see a message like the following,

setting SOURCE_DATE_EPOCH=1770163200
error: Failed build dependencies:
        openssl-devel is needed by nginx-2:1.28.2-1.el9.ngx.x86_64
        pcre2-devel is needed by nginx-2:1.28.2-1.el9.ngx.x86_64
        zlib-devel is needed by nginx-2:1.28.2-1.el9.ngx.x86_64

resolve the package dependencies first and then retry:

sudo dnf install -y openssl-devel zlib-devel pcre2-devel

2.2.3 Set up the nginx_cookie_flag_module module

tar -xf nginx_cookie_flag_module-1.1.0.tar.gz
cp -a nginx_cookie_flag_module-1.1.0/ rpmbuild/BUILD/nginx_cookie_flag_module

2.2.4 Modify the build file

cd rpmbuild/SPECS
cp nginx.spec nginx.spec.orig

Edit the build file parameters,

vim nginx.spec

and change the %build section as follows,

%build
./configure %{BASE_CONFIGURE_ARGS} \
    --with-cc-opt="%{WITH_CC_OPT}" \
    --with-ld-opt="%{WITH_LD_OPT}" \
    --with-debug \
    --add-module=../nginx_cookie_flag_module
make %{?_smp_mflags}
%{__mv} %{bdir}/objs/nginx \
    %{bdir}/objs/nginx-debug
./configure %{BASE_CONFIGURE_ARGS} \
    --with-cc-opt="%{WITH_CC_OPT}" \
    --with-ld-opt="%{WITH_LD_OPT}" \
    --add-module=../nginx_cookie_flag_module
make %{?_smp_mflags}

2.2.5 Rebuild the rpm package

diff -uN nginx.spec.orig nginx.spec > nginx_cookie_flag_module.patch
patch -p0 < nginx_cookie_flag_module.patch

If the following prompt appears, answer it as shown below,

patching file nginx.spec
Reversed (or previously applied) patch detected!  Assume -R? [n] y

then continue and finish the rebuild:

rpmbuild -bb nginx.spec
exit

2.3 Configure the Nginx service

2.3.1 Install the nginx package

cd /home/builder/rpmbuild/RPMS/x86_64/
dnf -y install nginx-1.28.2-1.el9.ngx.x86_64.rpm

2.3.2 Confirm the module is enabled

nginx -V

The output is as follows:

nginx version: nginx/1.28.2
built by gcc 11.5.0 20240719 (Red Hat 11.5.0-5.0.1) (GCC) 
built with OpenSSL 3.2.2 4 Jun 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=../nginx_cookie_flag_module

The loaded module can be seen at the end of the configure arguments:

--add-module=../nginx_cookie_flag_module

2.3.3 Start the service and enable it at boot

systemctl start nginx.service
systemctl enable nginx.service

2.3.4 Configure the firewall

firewall-cmd --permanent --add-service http --add-service https
firewall-cmd --reload
firewall-cmd --list-all

2.3.5 Add the set_cookie_flag configuration

vim /etc/nginx/conf.d/default.conf

Add the following lines:

server {
    [..]
    location / {
        [..]
        set_cookie_flag Secret HttpOnly secure SameSite;
        set_cookie_flag * HttpOnly;
        set_cookie_flag SessionID SameSite=Lax secure;
        set_cookie_flag SiteToken SameSite=Strict;
    }
    [..]
}

2.3.6 Validate the configuration file

nginx -t

If you see the following output, the configuration is as expected,

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

2.3.7 Reload the service to apply the configuration

systemctl reload nginx.service
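After the reload, the quickest way to confirm the module is actually rewriting cookies is to capture the proxy's Set-Cookie headers (for example with `curl -sI https://any.cmdschool.org/`) and compare them with the four set_cookie_flag rules from section 2.3.5. The checker below is an added example, not part of the original post or of the module; it assumes that a cookie with an explicit rule is checked against that rule and every other cookie against the `*` rule, and the response text it parses is constructed here.

```python
"""Check Set-Cookie headers against the set_cookie_flag rules of section 2.3.5."""

# Cookie name -> flags the proxy must add, mirroring the nginx.conf on this page.
# "*" is assumed to be the fallback for cookies without an explicit rule.
POLICY = {
    "Secret": ["HttpOnly", "secure", "SameSite"],
    "*": ["HttpOnly"],
    "SessionID": ["SameSite=Lax", "secure"],
    "SiteToken": ["SameSite=Strict"],
}

# Constructed sample of raw response headers, as `curl -sI` would print them.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.28.2
Set-Cookie: Secret=abc123; Path=/; HttpOnly; secure; SameSite
Set-Cookie: SessionID=s1; Path=/; secure; SameSite=Lax
Set-Cookie: SiteToken=t1; Path=/
Set-Cookie: theme=dark; Path=/
Content-Type: text/html
"""


def set_cookie_values(raw_headers):
    """Extract the values of every Set-Cookie header line (case-insensitive)."""
    lines = [ln.strip() for ln in raw_headers.splitlines()]
    return [ln.split(":", 1)[1].strip() for ln in lines
            if ln.lower().startswith("set-cookie:")]


def parse_set_cookie(value):
    """Return (cookie name, {attribute_lower: value-or-None}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else None
    return name, attrs


def missing_flags(value, policy=POLICY):
    """List the required flags absent (or with the wrong value) on one Set-Cookie value."""
    name, attrs = parse_set_cookie(value)
    missing = []
    for flag in policy.get(name, policy.get("*", [])):
        fname, _, fval = flag.partition("=")
        present = fname.lower() in attrs
        if not present or (fval and (attrs[fname.lower()] or "").lower() != fval.lower()):
            missing.append(flag)
    return sorted(missing)


def check_response(raw_headers, policy=POLICY):
    """Map each non-compliant cookie name to its missing flags; empty dict means all good."""
    report = {}
    for value in set_cookie_values(raw_headers):
        name, _ = parse_set_cookie(value)
        if missing_flags(value, policy):
            report[name] = missing_flags(value, policy)
    return report
```

In the constructed sample only SiteToken and theme fail, which is what you would see if the location block were missing the last two rules or the fallback rule.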

References
======================
https://github.com/AirisX/nginx_cookie_flag_module
https://docs.nginx.com/nginx/admin-guide/dynamic-modules/cookie-flag/
