
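# A Practical Guide to Offline OpenResty Deployment on Enterprise Intranets

In industries with very strict network security requirements, such as finance and government, production environments are usually deployed on strictly isolated internal networks. There, the usual one-step `yum install` does not work at all, and because OpenResty is a high-performance web platform built on Nginx, its complex dependency chain makes offline installation a nightmare for many developers. This article shares a complete solution validated on a large banking project, from downloading the dependency packages to avoiding compilation pitfalls, so that you can get OpenResty deployed on an isolated intranet.

## 1. Preparing the Offline Environment

### 1.1 Building the offline package repository

On a jump host with internet access, run the following to create a complete repository of dependency packages:

```bash
# Create the download directories for the dependency packages
mkdir -p /opt/offline-packages/{openresty,openssl,dependencies}

# Download the official OpenResty package
wget https://openresty.org/download/openresty-1.21.4.1.tar.gz -P /opt/offline-packages/openresty

# Use yum's downloadonly plugin to fetch the dependencies
yum install yum-plugin-downloadonly
yum install --downloadonly --downloaddir=/opt/offline-packages/dependencies \
    gcc make perl pcre-devel openssl-devel zlib-devel
```

Key points:

- The `--downloaddir` parameter sets where the rpm packages are stored.
- Development toolchain that must be included: gcc, make, perl.
- Core dependency libraries: pcre-devel, openssl-devel, zlib-devel.

### 1.2 Handling nested dependencies

Use the `repotrack` tool to resolve complex dependency relationships:

```bash
# Install the repotrack tool
yum install yum-utils

# Download the complete dependency tree
repotrack -a x86_64 -p /opt/offline-packages/dependencies \
    openssl-devel pcre-devel zlib-devel
```

Package the entire `/opt/offline-packages` directory and transfer it to the intranet environment:

```bash
tar czvf openresty-offline.tar.gz -C /opt/offline-packages .
```

## 2. Deploying on the Intranet

### 2.1 Installing system dependencies offline

After extracting the bundle on the intranet server, use the following script to install the dependencies in bulk:

```bash
#!/bin/bash
OFFLINE_DIR=/opt/offline-packages

# Install the base dependencies
for rpm in "${OFFLINE_DIR}"/dependencies/*.rpm; do
    rpm -ivh --nodeps --force "$rpm" 2>&1 | grep -v "already installed"
done

# Verify the installation
for package in gcc make pcre-devel openssl-devel zlib-devel; do
    rpm -q "$package" || echo "[WARNING] $package not installed"
done
```

Common issues:

- An `already installed` message can be ignored.
- If a dependency is missing, use `rpm -qpR package.rpm` to see exactly what the package requires.

### 2.2 Compiling and installing OpenResty

Extract and compile the OpenResty source:

```bash
tar xzvf openresty-1.21.4.1.tar.gz
cd openresty-1.21.4.1

./configure --prefix=/usr/local/openresty \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_stub_status_module \
    --with-pcre-jit \
    --with-stream

make -j$(nproc)
make install
```

Key configuration parameters:

| Parameter | Purpose | Intranet-specific notes |
| --- | --- | --- |
| `--with-pcre-jit` | Enables JIT compilation of PCRE regular expressions | Make sure pcre-devel is installed |
| `--with-http_ssl_module` | Enables HTTPS support | Depends on openssl-devel |
| `-j$(nproc)` | Parallel compilation across cores | Greatly speeds up compilation in the intranet environment |

## 3. Avoiding Pitfalls When Compiling OpenSSL from Source

### 3.1 Compiling a specific OpenSSL version

On an intranet, the OpenSSL that ships with the system is often the wrong version and has to be compiled by hand:

```bash
# Extract the openssl source
tar xzvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g

# Static build
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl no-shared
make depend
make
make install

# Update the system library links
echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf
ldconfig -v
```

Verify the result:

```bash
/usr/local/openssl/bin/openssl version
```

### 3.2 Fixing common compilation errors

**Error 1: `SSL modules require the OpenSSL library`**

Solution: confirm the location of the OpenSSL header files:

```bash
find / -name opensslv.h
```

Then pass the correct path to `configure`:

```bash
# --with-openssl takes the OpenSSL source tree (the directory extracted in 3.1),
# not the install prefix; /path/to is a placeholder for where you unpacked it
./configure --with-openssl=/path/to/openssl-1.1.1g ...
```

**Error 2: `undefined reference to EVP_xxx`**

This is a typical library search path problem when linking. Fix:

```bash
export LD_LIBRARY_PATH=/usr/local/openssl/lib:$LD_LIBRARY_PATH
```

## 4. Production Configuration Tuning

### 4.1 File type detection

To fix problems with loading front-end static resources, correct the `mime.types` configuration:

```nginx
http {
    include       mime.types;
    default_type  application/octet-stream;

    # Additional supported file types
    types {
        text/css                css;
        application/javascript  js;
        image/svg+xml           svg;
        font/woff2              woff2;
    }

    server {
        location ~* \.(?:css|js|svg|woff2)$ {
            expires 365d;
            add_header Cache-Control "public";
        }
    }
}
```

### 4.2 Lua module usage rules

Handle Lua script execution correctly in each phase:

| Directive | Execution phase | Typical use | Notes |
| --- | --- | --- | --- |
| `access_by_lua` | Access control phase | IP allowlists, permission checks | Cannot produce response output |
| `content_by_lua` | Content generation phase | Dynamic content generation | Terminates the later processing phases |
| `header_filter_by_lua` | Response header phase | Modifying response headers | Cannot read the request body |

Example code:

```nginx
# The *_by_lua_block forms of the directives above are used here so that the
# quotes in the Lua code need no nginx string escaping.
location /api {
    access_by_lua_block {
        -- check_ip is a user-supplied function; it is not defined in this article
        local ip = ngx.var.remote_addr
        if not check_ip(ip) then
            return ngx.exit(403)
        end
    }

    content_by_lua_block {
        ngx.say('{"status":"OK"}')
    }
}
```

## 5. System Integration and Maintenance

### 5.1 Running as a managed service

Create the systemd unit file `/etc/systemd/system/openresty.service`:

```ini
[Unit]
Description=OpenResty HTTP Server
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t
ExecStart=/usr/local/openresty/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

Management commands:

```bash
# Reload the systemd configuration
systemctl daemon-reload

# Enable start on boot
systemctl enable openresty

# Start the service
systemctl start openresty
```

### 5.2 Environment variables

Add OpenResty to the system `PATH` permanently:

```bash
echo 'export PATH=/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:$PATH' > /etc/profile.d/openresty.sh
source /etc/profile.d/openresty.sh
```

Verify the installation:

```bash
nginx -v
resty -v
```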
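
The bundle built in 1.2 crosses from the jump host into the isolated network and is then installed in 2.1 with `rpm --nodeps --force` over every `*.rpm` in the directory, so it is worth confirming that what arrives is exactly what was downloaded. The following is an added example, not part of the original article: it writes a SHA-256 manifest on the jump host and, on the intranet server, rejects the bundle if any file was altered, is missing, or is not listed. The function names and the `SHA256SUMS` filename are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original article): integrity manifest for the
# offline bundle. The MANIFEST name and the function names are assumptions.
MANIFEST="SHA256SUMS"

# Print every regular file under $1 as a sorted relative path,
# leaving out the manifest itself.
list_files() {
    (cd "$1" && find . -type f ! -name "$MANIFEST" | LC_ALL=C sort)
}

# Jump host: record a SHA-256 hash for every file before running tar.
make_manifest() {
    (cd "$1" && find . -type f ! -name "$MANIFEST" -exec sha256sum {} + \
        | LC_ALL=C sort -k2 > "$MANIFEST")
}

# Intranet server: returns 0 only if the directory matches the manifest exactly.
verify_manifest() {
    vm_dir="$1"
    [ -f "$vm_dir/$MANIFEST" ] || { echo "[ERROR] $MANIFEST missing" >&2; return 2; }

    # 1) Every listed file must exist and hash to the recorded value.
    vm_out=$(cd "$vm_dir" && sha256sum -c "$MANIFEST" 2>&1) || {
        echo "$vm_out" | grep -v ': OK$' >&2
        return 1
    }

    # 2) No unlisted file may be present: the install loop in 2.1 runs
    #    rpm --nodeps --force on every *.rpm it finds, listed or not.
    vm_listed=$(sed 's/^[0-9a-f]\{64\} [ *]//' "$vm_dir/$MANIFEST" | LC_ALL=C sort)
    vm_actual=$(list_files "$vm_dir")
    if [ "$vm_listed" != "$vm_actual" ]; then
        echo "[ERROR] files on disk differ from $MANIFEST" >&2
        return 1
    fi
    return 0
}

# Usage:
#   make_manifest /opt/offline-packages               # jump host, before tar
#   verify_manifest /opt/offline-packages || exit 1   # intranet, before rpm -ivh
```

A manifest that travels inside the same archive only catches corruption in transit; to detect deliberate modification, carry the manifest or its hash into the intranet over a separate channel.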