介绍 (Introduction)

Node.js is an open source Javascript runtime environment for easily building server-side and networking applications. The platform runs on Linux, OS X, FreeBSD, and Windows, and its applications are written in JavaScript. Node.js applications can be run at the command line but we will teach you how to run them as a service, so they will automatically restart on reboot or failure, so you can use them in a production environment.

Node.js是一个开源Javascript运行时环境，可轻松构建服务器端和网络应用程序。 该平台可在Linux，OS X，FreeBSD和Windows上运行，其应用程序是用JavaScript编写的。 Node.js应用程序可以在命令行运行，但是我们将教您如何将它们作为服务运行，因此它们将在重新启动或发生故障时自动重新启动，因此您可以在生产环境中使用它们。

In this tutorial, we will cover setting up a production-ready Node.js environment that is composed of two CentOS 7 servers; one server will run Node.js applications managed by PM2, while the other will provide users with access to the application through an Nginx reverse proxy to the application server.

在本教程中，我们将介绍如何设置一个由两台CentOS 7服务器组成的可生产的Node.js环境。 一台服务器将运行由PM2管理的Node.js应用程序，而另一台服务器将通过Nginx反向代理向用户提供对应用程序的访问权限。

The Ubuntu version of this tutorial can be found here.

可以在这里找到本教程的Ubuntu版本。

先决条件 (Prerequisites)

This guide uses two CentOS 7 servers with private networking (in the same datacenter). Private networking can be configured on new servers when they are being created (in the Select additional options section). We will refer to them by the following names:

本指南使用两个具有专用网络的 CentOS 7服务器(在同一数据中心中)。 创建新服务器时，可以在新服务器上配置专用网络(在“ Select additional options部分中)。 我们将使用以下名称来引用它们：

• app: The server where we will install Node.js runtime, your Node.js application, and PM2.

  app ：我们将在其中安装Node.js运行时的服务器，您的Node.js应用程序和PM2。

• web: The server where we will install the Nginx web server, which will act as a reverse proxy to your application. Users will access this server’s public IP address to get to your Node.js application.

  web ：我们将在其中安装Nginx Web服务器的服务器，它将充当您的应用程序的反向代理。 用户将访问该服务器的公共IP地址以访问您的Node.js应用程序。

Note: Refer to the DigitalOcean Documentation - How to Enable Private Networking on Droplets if you intend on using an existing server that doesn’t currently have private networking configured.

注意：如果打算使用当前未配置专用网络的现有服务器，请参阅DigitalOcean文档-如何在Droplet上启用专用网络 。

Before you begin this guide, you should have a regular, non-root user with sudo privileges configured on both of your servers—this is the user that you should log in to your servers as. You can learn how to configure a regular user account by following our initial server setup guide for CentOS 7.

在开始本指南之前，您应该在两个服务器上都配置有具有sudo特权的常规非root用户-这是您应以其身份登录到该服务器的用户。 您可以按照我们的CentOS 7初始服务器设置指南来学习如何配置常规用户帐户。

Commands executed on the app server:

在应用服务器上执行的命令：

Commands executed on the web server:

在Web服务器上执行的命令：

It is possible to use a single server for this tutorial, but you will have to make a few changes along the way. Simply use the localhost IP address, i.e. 127.0.0.1, wherever the app server’s private IP address is used.

可以在本教程中使用单个服务器，但是在此过程中您必须进行一些更改。 只需在使用应用程序服务器的专用IP地址的地方使用localhost IP地址，即127.0.0.1 。

Here is a diagram of what your setup will be after following this tutorial:

这是完成本教程后您的设置的示意图：

If you want to be able to access your web server via a domain name, instead of its public IP address, purchase a domain name then follow these tutorials:

如果您希望能够通过域名而不是其公共IP地址来访问Web服务器，请购买域名，然后按照以下教程进行操作：

• How To Set Up a Host Name with DigitalOcean

  如何使用DigitalOcean设置主机名

• How to Point to DigitalOcean Nameservers From Common Domain Registrars

  如何从通用域注册商指向DigitalOcean域名服务器

Let’s get started by installing the Node.js runtime on the app server.

让我们开始在应用服务器上安装Node.js运行时。

第1步-安装Node.js (Step 1 — Installing Node.js)

We will install the latest LTS release of Node.js, on the app server.

我们将在应用服务器上安装最新的LTS版本的Node.js。

SSH to your app server using the regular, non-root user with sudo privileges.

使用具有sudo特权的常规非root用户SSH到您的应用服务器。

On the app server, let’s use curl to download the NodeSource RPM Repository configuration file:

在应用服务器上，让我们使用curl下载NodeSource RPM存储库配置文件：

CURL will use the HTTPS protocol to download the setup script to your server, with the output including information relevant to the download:

CURL将使用HTTPS协议将设置脚本下载到您的服务器，其输出包括与下载有关的信息：

   

    Output
   
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11109  100 11109    0     0  70128      0 --:--:-- --:--:-- --:--:-- 70757

Next, you should inspect the script’s contents. The following command will open the NodeSource setup script in your servers console, which you can then cross-reference with the NodeSource setup script (from the NodeSource Distributions Github repository) to confirm the script that downloaded properly:

接下来，您应该检查脚本的内容。 以下命令将在服务器控制台中打开NodeSource设置脚本，然后您可以将其与NodeSource设置脚本 (来自NodeSource Distributions Github存储库)进行交叉引用，以确认已正确下载的脚本：

Once satisfied with the file, exit vi by typing :q to quit and return to the command line.

对文件满意后，通过输入:q退出vi quit并返回命令行。

Now let’s run the setup script to install the NodeSource RPM Repository. This will enable us to access NodeSource’s repository from within the yum package manager:

现在，让我们运行安装脚本以安装NodeSource RPM存储库。 这将使我们能够从yum软件包管理器中访问NodeSource的存储库：

The script outputs information on the setup for our reference:

该脚本输出有关设置的信息供我们参考：

   

    Output
   
## Installing the NodeSource Node.js 10.x repo...

## Inspecting system...

+ rpm -q --whatprovides redhat-release || rpm -q --whatprovides centos-release || rpm -q --whatprovides cloudlinux-release || rpm -q --whatprovides sl-release
+ uname -m

## Confirming "el7-x86_64" is supported...

+ curl -sLf -o /dev/null 'https://rpm.nodesource.com/pub_10.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm'

## Downloading release setup RPM...

+ mktemp
+ curl -sL -o '/tmp/tmp.2aCcULVx8n' 'https://rpm.nodesource.com/pub_10.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm'

## Installing release setup RPM...

+ rpm -i --nosignature --force '/tmp/tmp.2aCcULVx8n'

## Cleaning up...

+ rm -f '/tmp/tmp.2aCcULVx8n'

## Checking for existing installations...

+ rpm -qa 'node|npm' | grep -v nodesource

## Run `sudo yum install -y nodejs` to install Node.js 10.x and npm.
## You may also need development tools to build native addons:
     sudo yum install gcc-c++ make
## To install the Yarn package manager, run:
     curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
     sudo yum install yarn

Before installing Node.js it is important to clean all the cached information from yum. Clearing the cache will ensure that yum uses the network connection to get Node.js from our new NodeSource Repository (which will prevent any potential conflicts caused by outdated packages):

在安装Node.js之前，从yum清除所有缓存的信息很重要。 清除缓存将确保yum使用网络连接从新的NodeSource存储库中获取Node.js(这将防止由过时的包引起的任何潜在冲突)：

Next we will download and make usable all the metadata for the currently enabled yum repos. This will ensure that our yum queries are completed as quickly as possible:

接下来，我们将下载并启用当前启用的yum库的所有元数据。 这将确保我们的yum查询尽快完成：

To compile and install native add-ons from npm we also need to install build tools:

要从npm编译并安装本机加载项，我们还需要安装构建工具：

Now we can install the latest release of the Node.js package:

现在，我们可以安装最新版本的Node.js软件包：

Verify that Node is installed by checking its version with this command:

通过使用以下命令检查其版本来验证节点是否已安装：

Your output will show the version number you’re running:

您的输出将显示您正在运行的版本号：

   

    Output
   
v10.16.3

The Node.js runtime is now installed, and ready to run an application. Let’s write a Node.js application.

现在已安装Node.js运行时，并准备运行应用程序。 让我们编写一个Node.js应用程序。

第2步-创建Node.js应用程序 (Step 2 — Creating the Node.js Application)

Now we will create a Hello World application that simply returns "Hello World" to any HTTP requests. This is a sample application that will help you get Node.js set up, which you can replace with your own application—just make sure that you modify your application to listen on the appropriate IP addresses and ports.

现在，我们将创建一个Hello World应用程序，该应用程序仅向任何HTTP请求返回"Hello World" 。 这是一个示例应用程序，可以帮助您设置Node.js，可以将其替换为自己的应用程序-只需确保修改应用程序以侦听适当的IP地址和端口即可。

Because we want our Node.js application to serve requests that come from our reverse proxy server (web) we will use our app server’s private network interface for inter-server communication. Look up your app server’s private network address.

因为我们希望Node.js应用程序能够处理来自反向代理服务器( web )的请求，所以我们将使用应用程序服务器的专用网络接口进行服务器之间的通信。 查找您的应用服务器的专用网络地址。

If you are using a DigitalOcean Droplet as your server, you may look up the server’s private IP address through the Metadata service. On the app server, use the curl command to retrieve the IP address now:

如果您使用DigitalOcean Droplet作为服务器，则可以通过元数据服务查找服务器的私有IP地址。 在应用服务器上，使用curl命令立即检索IP地址：

You will want to copy the output (the private IP address), as it will be used to configure the Node.js application.

您将要复制输出(私有IP地址)，因为它将用于配置Node.js应用程序。

Next, create and open your Node.js application for editing. For this tutorial, we will use vi to edit a sample application called hello.js:

接下来，创建并打开您的Node.js应用程序进行编辑。 在本教程中，我们将使用vi编辑一个名为hello.js的示例应用程序：

Insert the following code into the file, and be sure to substitute the app server’s private IP address for both of the highlighted APP_PRIVATE_IP_ADDRESS items. If you want to, you may also replace the highlighted port, 8080, in both locations (be sure to use a non-admin port, i.e. 1024 or greater):

将以下代码插入文件中，并确保用突出显示的APP_PRIVATE_IP_ADDRESS项替换应用服务器的专用IP地址。 如果需要，您也可以在两个位置都替换突出显示的端口8080 (确保使用非管理员端口，即1024或更大)：

var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World\n');
}).listen(8080, 'APP_PRIVATE_IP_ADDRESS');
console.log('Server running at http://APP_PRIVATE_IP_ADDRESS:8080/');

Now save and exit by pressing ESC to exit --INSERT-- mode, followed by :wq to write and quit in a single command.

现在保存并退出，方法是按ESC退出--INSERT--模式，然后按:wq在单个命令中write并quit 。

This Node.js application simply listens on the specified IP address and port, and returns "Hello World" with a 200 HTTP success code. This means that the application is only reachable from servers on the same private network, such as our web server.

此Node.js应用程序仅侦听指定的IP地址和端口，并返回带有200 HTTP成功代码的"Hello World" 。 这意味着只能从同一专用网络上的服务器(例如我们的Web服务器)访问该应用程序。

If you want to test if your application works, run this node command on the app server:

如果要测试应用程序是否正常运行，请在应用服务器上运行以下node命令：

Note: Running a Node.js application in this manner will block additional commands until the application is killed by pressing CTRL+C.

注意：以这种方式运行Node.js应用程序将阻止其他命令，直到按CTRL+C将其杀死。

It will save a lot of Nginx debugging if we first test that our web server is able to communicate with the Node.js application on app.

如果我们首先测试我们的Web服务器能够与app上的Node.js应用程序通信，它将节省大量Nginx调试。

In order to test the application, open another terminal session and connect to your web server. Because the web server is on the same private network, it should be able to reach the private IP address of the app server using curl. Be sure to substitute in the app server’s private IP address for APP_PRIVATE_IP_ADDRESS, and the port if you changed it:

为了测试该应用程序，请打开另一个终端会话并连接到Web服务器。 由于Web服务器位于同一专用网络上，因此它应该能够使用curl到达应用程序服务器的专用IP地址。 确保将应用服务器的专用IP地址APP_PRIVATE_IP_ADDRESS为APP_PRIVATE_IP_ADDRESS和端口(如果已更改)：

If you see the following output, the application is working properly and listening on the proper IP address and port:

如果看到以下输出，则表明应用程序运行正常，并且正在侦听正确的IP地址和端口：

   

    Node Application Output
   
Hello World

If you do not see the proper output, make sure that your Node.js application is running, and configured to listen on the proper IP address and port.

如果看不到正确的输出，请确保您的Node.js应用程序正在运行，并配置为侦听正确的IP地址和端口。

On the app server, be sure to kill the application by pressing CTRL+C.

在应用程序服务器上，请确保通过按CTRL+C应用程序。

步骤3 —安装和使用PM2 (Step 3 — Installing and Using PM2)

Now we will install PM2, which is a process manager for Node.js applications. PM2 provides an easy way to manage and daemonize applications (run them as a service).

现在，我们将安装PM2，它是Node.js应用程序的流程管理器。 PM2提供了一种简单的方法来管理和守护应用程序(将它们作为服务运行)。

We will use Node Packaged Modules (NPM), which is basically a package manager for Node modules that installs with Node.js, to install PM2 on our app server. Use this command to install PM2:

我们将使用Node Packaged Modules(NPM)(它基本上是与Node.js一起安装的Node模块的软件包管理器)在我们的应用服务器上安装PM2。 使用以下命令安装PM2：

We will cover a few basic uses of PM2.

我们将介绍PM2的一些基本用法。

The first thing you will want to do is use the pm2 start command to run your application, hello.js, in the background:

您要做的第一件事是使用hello.js pm2 start命令在后台运行您的应用程序hello.js ：

This also adds your application to PM2’s process list, which is outputted every time you start an application:

这还将您的应用程序添加到PM2的进程列表中，该列表在每次启动应用程序时输出：

   

    Output
   
┌──────────┬────┬──────┬───────┬────────┬─────────┬────────┬─────────────┬──────────┐
│ App name │ id │ mode │ pid   │ status │ restart │ uptime │ memory      │ watching │
├──────────┼────┼──────┼───────┼────────┼─────────┼────────┼─────────────┼──────────┤
│ hello    │ 0  │ fork │ 30099 │ online │ 0       │ 0s     │ 14.227 MB   │ disabled │
└──────────┴────┴──────┴───────┴────────┴─────────┴────────┴─────────────┴──────────┘

As you can see, PM2 automatically assigns an App name (based on the filename, without the .js extension) and a PM2 id. PM2 also maintains other information, such as the PID of the process, its current status, and memory usage.

如您所见，PM2自动分配一个应用程序名称 (基于文件名，不带.js扩展名)和一个PM2 id 。 PM2还维护其他信息，例如进程的PID ，其当前状态和内存使用情况。

Applications that are running under PM2 will be restarted automatically if the application crashes or is killed, but an additional step needs to be taken to get the application to launch on system startup (boot or reboot). Luckily, PM2 provides an easy way to do this, the startup subcommand.

如果PM2下运行的应用程序崩溃或被杀死，它将自动重新启动，但是还需要采取其他步骤来使应用程序在系统启动(启动或重新启动)时启动。 幸运的是， startup子命令PM2提供了一种简单的方法。

The startup subcommand generates and configures a startup script to launch PM2 and its managed processes on server boots. You must also specify the init system you are running on, which is systemd, in our case:

startup子命令生成并配置启动脚本，以在服务器启动时启动PM2及其托管进程。 在本例中，还必须指定正在运行的初始化系统systemd ：

You will see output like the following, which indicates that the PM2 service has been installed:

您将看到类似以下的输出，表明已安装PM2服务：

   

    Output
   
[PM2] Generating system init script in /etc/systemd/system/pm2.service
[PM2] Making script booting at startup...
[PM2] -systemd- Using the command:
      su root -c "pm2 dump && pm2 kill" && su root -c "systemctl daemon-reload && systemctl enable pm2 && systemctl start pm2"
[PM2] Dumping processes
[PM2] Stopping PM2...
[PM2] All processes have been stopped and deleted
[PM2] PM2 stopped
[PM2] Done.

To ensure PM2 knows which applications to start on boot, we need to save the current process list. To save the list:

为了确保PM2知道要在启动时启动的应用程序，我们需要保存当前进程列表。 要保存列表：

You will see output like the following, which indicates that the PM2 process list has been saved:

您将看到类似以下的输出，表明PM2进程列表已保存：

   

    Output
   
[PM2] Saving current process list...
[PM2] Successfully saved in /home/deployer/.pm2/dump.pm2

Now your PM2-managed applications should start automatically on boot.

现在，由PM2管理的应用程序应在启动时自动启动。

PM2 provides many subcommands that allow you to manage or look up information about your applications. Note that running pm2 without any arguments will display a help page, including example usage, that covers PM2 usage in more detail than this section of the tutorial.

PM2提供了许多子命令，这些子命令使您可以管理或查找有关应用程序的信息。 请注意，不带任何参数运行pm2将显示帮助页面，包括示例用法，该页面比本教程的这一部分更详细地介绍了PM2的用法。

Stop an application with this command (specify the PM2 App name or id):

使用以下命令停止应用程序(指定PM2 App name或id )：

Restart an application with this command (specify the PM2 App name or id):

使用以下命令重新启动应用程序(指定PM2 App name或id )：

The list of applications currently managed by PM2 can also be looked up with the list subcommand:

PM2当前管理的应用程序列表也可以使用list子命令来查找：

More information about a specific application can be found by using the info subcommand (specify the PM2 App name or id):

可以使用info子命令(指定PM2 App名称或id )找到有关特定应用程序的更多信息：

The PM2 process monitor can be pulled up with the monit subcommand. This displays the application status, CPU, and memory usage:

可以使用monit子命令拉起PM2过程监视器。 这将显示应用程序状态，CPU和内存使用情况：

Note: Running PM2’s monit command will block additional commands until the application is killed by pressing CTRL+C.

注意：运行PM2的monit命令将阻止其他命令，直到通过按CTRL+C monit应用程序。

Now that your Node.js application is running, and managed by PM2, let’s set up the reverse proxy.

现在您的Node.js应用程序正在运行，并由PM2管理，让我们设置反向代理。

步骤4 —设置Nginx反向代理服务器 (Step 4 — Setting Up an Nginx Reverse Proxy Server)

Now that your application is running, and listening on a private IP address, you need to set up a way for your users to access it. We will set up an Nginx web server as a reverse proxy for this purpose. This tutorial will set up an Nginx server from scratch. If you already have an Nginx server setup, you can just copy the location block into the server block of your choice (make sure the location does not conflict with any of your web server’s existing content).

现在您的应用程序正在运行，并且正在侦听专用IP地址，您需要设置一种让用户访问它的方式。 为此，我们将Nginx Web服务器设置为反向代理。 本教程将从头开始设置Nginx服务器。 如果您已经具有Nginx服务器设置，则只需将location块复制到您选择的服务器块中(确保位置不与您的Web服务器的任何现有内容冲突)。

On the web server, let’s install the epel-release package using yum:

在Web服务器上，让我们使用yum安装epel-release软件包：

Then install Nginx:

然后安装Nginx：

Now open the Nginx configuration file for editing:

现在打开Nginx配置文件进行编辑：

First, find the line where server_name is defined, within the default server block. It should look something like this:

首先，在默认服务器块中找到定义了server_name的行。 它看起来应该像这样：

server_name _;

Update the server name to substitute the underscore (_) with your own domain name for the server_name directive (or IP address if you don’t have a domain set up).

更新服务器名称，用您自己的域名替换下划线( _ )作为server_name指令的域名(如果未设置域，则为IP地址)。

server_name your-domain;

Then, find the line where location / is defined (usually a few lines below the server_name), within the same default server block. It should look something like this:

然后，在同一默认服务器块中找到定义location /的行(通常在server_name下面几行)。 它看起来应该像这样：

location / {
        }

Replace it with the following code block and be sure to substitute the app server private IP address for the APP_PRIVATE_IP_ADDRESS. Additionally, change the port (8080) if your application is set to listen on a different port:

将其替换为以下代码块，并确保将APP_PRIVATE_IP_ADDRESS替换为应用服务器专用IP地址。 此外，如果您的应用程序设置为侦听其他端口，则更改端口( 8080 )：

location / {
        proxy_pass http://APP_PRIVATE_IP_ADDRESS:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

This configures the web server to respond to requests at its root. Assuming our server is available at your-domain, accessing http://your-domain/ via a web browser would send the request to the application server’s private IP address on port 8080, which would be received and replied to by the Node.js application.

这会将Web服务器配置为响应其根目录的请求。 假设我们的服务器在your-domain可用，那么通过Web浏览器访问http://your-domain/会将请求发送到端口8080上的应用程序服务器的私有IP地址，Node.js会接收并回复该请求。应用。

You can add additional location blocks to the same server block to provide access to other applications on the same web server. For example, if you were also running another Node.js application on the app server on port 8081, you could add this location block to allow access to it via http://your-domain/app2:

您可以将其他location块添加到同一服务器块，以提供对同一Web服务器上其他应用程序的访问。 例如，如果您还在端口8081的应用程序服务器上运行另一个Node.js应用程序，则可以添加此位置块以允许通过http://your-domain/app2对其进行访问：

location /app2 {
        proxy_pass http://APP_PRIVATE_IP_ADDRESS:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

Once you are done editing the location block(s) for your application(s), save and exit by pressing ESC to exit --INSERT-- mode, followed by :wq to write and quit in a single command.

编辑完应用程序的位置块后，请按ESC退出--INSERT--模式，然后按:wq在单个命令中write并quit ，以保存并退出。

On the web server, restart Nginx:

在Web服务器上，重新启动Nginx：

Next we want to ensure that Nginx runs whenever the server restarts:

接下来，我们要确保服务器重新启动时Nginx可以运行：

The enable command should provide the following Output

enable命令应提供以下输出

   

    Output
   
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

You can also confirm that Nginx is running and is enabled, by requesting its status from systemctl:

您还可以通过从systemctl请求其状态来确认Nginx正在运行并已启用：

The status command will output configuration information for the Nginx service:

status命令将输出Nginx服务的配置信息：

   

    Output
   
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-10-14 09:37:23 UTC; 3min 29s ago
 Main PID: 12818 (nginx)
   CGroup: /system.slice/nginx.service
           ├─12818 nginx: master process /usr/sbin/nginx
           └─12819 nginx: worker process

Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 nginx[12814]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 nginx[12814]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 systemd[1]: Failed to read PID from file /run/nginx.pid: Invalid argument
Oct 14 09:37:23 centos-s-1vcpu-1gb-sgp1-01 systemd[1]: Started The nginx HTTP and reverse proxy server.

Finally, provide Nginx with the ability to relay traffic through Security-Enhanced Linux (SELinux). SELinux provides a security layer that implements Mandatory Access Control (MAC) in the Linux Kernel. Each operating system object (process, file descriptor, file, etc.) is labeled with an SELinux context that defines the permissions and operations the object can perform.

最后，为Nginx提供通过安全增强型Linux (SELinux)中继流量的功能。 SELinux提供了一个安全层，可在Linux内核中实现强制访问控制(MAC)。 每个操作系统对象(进程，文件描述符，文件等)都标记有SELinux上下文，该上下文定义了对象可以执行的权限和操作。

Nginx is labelled with the httpd_t context and as a result, has a number of configurations blocked by SELinux unless explicitly allowed. To demonstrate this, run the following command to confirm the Nginx service is labelled httpd_t:

Nginx带有httpd_t上下文标记，因此，除非明确允许，否则它会有许多配置被SELinux阻止。 为了证明这一点，请运行以下命令以确认Nginx服务被标记为httpd_t ：

This command provides process status information, search for the Nginx specific process information to see the label. You will see the httpd_t, in a similar manner to the following:

该命令提供了进程状态信息，搜索Nginx特定的进程信息以查看标签。 您将以类似于以下内容的方式看到httpd_t ：

   

    Output
   
...
system_u:system_r:httpd_t:s0    10208 ?        00:00:00 nginx
system_u:system_r:httpd_t:s0    10209 ?        00:00:00 nginx
...

Now let’s check the status of the default booleans related to the httpd_t SELinux label. We can show this information by running the following command:

现在，让我们检查与httpd_t SELinux标签有关的默认布尔值的状态。 我们可以通过运行以下命令来显示此信息：

We are only interested in the httpd related booleans for this tutorial:

我们只对本教程中与httpd相关的布尔值感兴趣：

   

    Output
   
...
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
...

The two booleans of particular note, are httpd_can_network_connect and httpd_can_network_relay. The Redhat Documentation provides detail on each of the httpd booleans and their associated function (should you wish to find out more about each boolean), although following are the explanations of the two booleans that relate to this tutorial:

需要特别注意的两个布尔值是httpd_can_network_connect和httpd_can_network_relay 。 Redhat文档提供了有关每个httpd布尔值及其关联函数的详细信息(您希望了解有关每个布尔值的更多信息)，尽管以下是与本教程相关的两个布尔值的说明：

...
httpd_can_network_connect: When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to a network or remote port. Enable this Boolean to allow this access.
httpd_can_network_relay: Enable this Boolean when httpd is being used as a forward or reverse proxy.
...

Since our configuration is only relaying traffic, we just need to tell SELinux that the httpd server, in our case Nginx, can use the network to relay traffic in the reverse proxy configuration that we have set up. We will use the -P flag, to ensure that the changes are permanent (omitting this flag will result in httpd_can_network_relay reverting to its default state, off, upon restart of the server):

由于我们的配置仅中继流量，因此我们只需要告诉SELinux， httpd服务器(在我们的示例中为Nginx)可以使用网络以已设置的反向代理配置中继流量。 我们将使用-P标志，以确保更改是永久的(省略该标志将导致httpd_can_network_relay在服务器重新启动时恢复为其默认状态，即关闭)：

Assuming that your Node.js application is running, and your application and Nginx configurations are correct, you should be able to access your application via the reverse proxy of the web server. Try it out by accessing your web server’s URL (its public IP address or domain name).

假设您的Node.js应用程序正在运行，并且您的应用程序和Nginx配置正确，那么您应该能够通过Web服务器的反向代理访问您的应用程序。 通过访问Web服务器的URL(其公共IP地址或域名)进行尝试。

Note: If you were also planning on using your web server to host other sites (as conventional virtual hosts), then you will also need to set the httpd_can_network_connect to on.

注意：如果您还打算使用Web服务器托管其他站点(作为常规虚拟主机)，则还需要将httpd_can_network_connect设置为on。

结论 (Conclusion)

You now have your Node.js application running behind an Nginx reverse proxy. This reverse proxy setup is flexible enough to provide your users access to other applications or static web content that you want to share.

现在，您的Node.js应用程序在Nginx反向代理后面运行。 这种反向代理设置足够灵活，可以为您的用户提供对您要共享的其他应用程序或静态Web内容的访问权限。

Also, if you are looking to encrypt transmissions between your web server and your users, here is a tutorial that will help you get HTTPS (TLS/SSL) support set up.

此外，如果您希望对Web服务器和用户之间的传输进行加密，那么这里的教程将帮助您设置HTTPS(TLS / SSL)支持 。

翻译自: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-centos-7