nginx


Overview

nginx is a lightweight web server, reverse proxy server, and mail (IMAP/POP3) proxy server. It is a high-performance web and reverse proxy server made up of a core and a set of modules.

Features and advantages of nginx

Features:
- Uses epoll and kqueue as its event model
- Under high connection concurrency nginx is a good replacement for the Apache server and can respond to up to 50,000 concurrent connections
- As a load-balancing server, nginx can directly front PHP applications on the inside to serve them externally, or act as an HTTP proxy server facing the outside
- Written in C

Advantages:
- Modular design: modules can be compiled in dynamically
- High stability: widely used as a reverse proxy
- Saves bandwidth: supports gzip compression and can add headers that let browsers cache content locally
- Simple configuration file
- High concurrency: official tests show support for 50,000 concurrent connections; real production deployments run 20,000-30,000
- Low cost: free to use, whereas hardware load-balancing switches such as F5 BIG-IP or NetScaler cost from over a hundred thousand to several hundred thousand RMB
- Built-in health checks: if one backend web server behind an nginx proxy goes down, front-end access is not affected
- Good ecosystem: complete documentation, and many third-party modules and extensions
- Hot deployment: the configuration file can be reloaded without stopping the service
- Performance optimizations such as event-driven I/O, AIO (asynchronous I/O), and mmap (memory mapping)

Structurally, nginx modules fall into core modules, base modules, and third-party modules:
- Core modules: HTTP module, event module, mail module
- Base modules: http access module, http fastcgi module, http proxy module, http rewrite module
- Third-party modules: http upstream module, request hash module, notice module, http access key module (any module you develop yourself is a third-party module)

Functionally, nginx modules fall into three kinds: handlers, filters, and proxies:
- Handlers: process a request directly, produce the output content, and modify headers
- Filters: mainly modify the content produced by other handler modules; nginx then sends the result
- Proxies: modules such as nginx's HTTP upstream, which talk to backend services such as FastCGI to implement service proxying and load balancing

Installing nginx

Create the system user nginx:
[root@localhost ~]# useradd -r -M -s /sbin/nologin nginx
[root@localhost ~]# id nginx
uid=998(nginx) gid=996(nginx) groups=996(nginx)
Install the build dependencies:
[root@localhost ~]# yum -y install pcre-devel openssl openssl-devel gd-devel
[root@localhost ~]# yum -y groupinstall 'Development Tools'
Create the log directory:
[root@localhost ~]# mkdir -p /var/log/nginx
[root@localhost ~]# chown -R nginx.nginx /var/log/nginx/
Download nginx:
[root@localhost ~]# cd /usr/src/
[root@localhost src]# wget http://nginx.org/download/nginx-1.12.0.tar.gz
Compile and install:
[root@localhost src]# ls
debug  kernels  nginx-1.12.0.tar.gz
[root@localhost src]# tar xf nginx-1.12.0.tar.gz
[root@localhost src]# cd nginx-1.12.0
[root@localhost nginx-1.12.0]# ./configure \
    --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-debug \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_image_filter_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log
[root@localhost nginx-1.12.0]# make -j 2 && make install
Set the environment variable:
[root@localhost ~]# echo 'export PATH=/usr/local/nginx/sbin:$PATH' > /etc/profile.d/nginx.sh
[root@localhost ~]# source /etc/profile.d/nginx.sh
Start nginx:
[root@localhost ~]# nginx
[root@localhost ~]# ss -antl
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN      0      128     *:80                  *:*
LISTEN      0      128     *:22                  *:*
LISTEN      0      100    127.0.0.1:25                  *:*
LISTEN      0      128    :::22                 :::*
LISTEN      0      100       ::1:25                 :::*

Finally, open the server's IP in a browser; if the nginx welcome page appears, the installation is correct.

Service control is done with the nginx command itself:

-t   check the configuration file syntax
-v   print the nginx version
-c   specify the path of the configuration file
-s   send a control signal to the running server; valid values are stop, quit, reopen, reload

The basic configuration file is /usr/local/nginx/conf/nginx.conf, and its contents fall into the following sections:
main section: global settings; the main section may contain the event section
event{}: defines how the event model works
http{}: defines HTTP protocol related settings; every directive ends with a semicolon
The modified /usr/local/nginx/conf/nginx.conf looks like this:

[root@localhost conf]# vim nginx.conf
user  nginx;      # main section: user and group that run the worker processes
worker_processes  3;      # start n worker processes; to avoid context switching, n is usually set to the total number of CPU cores
worker_cpu_affinity  00000001  00000010  00000100;    # pin each worker to a CPU to avoid frequent cache flushes (performance tuning)
error_log  logs/error.log;    # error log: path [level]; relative path, levels such as notice, info
lock_file   logs/nginx.lock;
pid        logs/nginx.pid;    # pid file of the nginx daemon
worker_rlimit_nofile 35000;

daemon on;   # this line was added; daemon {on|off}: whether to run nginx as a daemon, set to off when debugging

events {
    worker_connections  35000;     # maximum number of connections each worker process can accept
    accept_mutex  on;       # load-balancing lock the master uses to dispatch client requests to the worker processes
}

http {      # protocol level
    include       mime.types;
    default_type  application/octet-stream;

    # fields: client address, client user, local time, request line, status,
    # body bytes sent, referer, user agent, X-Forwarded-For
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    server {        # server level: each server is like a <VirtualHost> in httpd and defines one virtual host
        listen       80;
        server_name  localhost;

        access_log  logs/host.access.log  main;

        location / {       # request level, like <Location> in httpd: maps a URL onto the local file system
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;     # reverse proxy to the FastCGI backend
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

Network-connection-related parameters

keepalive_timeout number;        # timeout of a keep-alive connection, 75s by default
keepalive_requests number;      # maximum number of requests that may be served over one keep-alive connection
keepalive_disable [msie6|safari|none];  # disable keep-alive for the given User-Agent types
tcp_nodelay on|off;     # whether to use the TCP_NODELAY option on keep-alive connections; usually on, to improve user experience
client_header_timeout number;     # timeout for reading the HTTP request headers
client_body_timeout number;        # timeout for reading the HTTP request body
send_timeout number;           # timeout for sending the response

Access control, used in a location block
allow: sets which host or hosts may access; separate multiple arguments with spaces
deny: sets which host or hosts are forbidden to access; separate multiple arguments with spaces

[root@localhost conf]# vim nginx.conf
....
        location / {
            root   html;
            index  index.html index.htm;
            allow 192.168.228.1;
            deny all;
        }
....
[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# nginx -s reload

Denying access from the local machine

[root@localhost conf]# vim nginx.conf

        access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
            deny 192.168.228.1;
            allow all;
        }
[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# nginx -s reload

User-based authentication

[root@localhost ~]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir auth
[root@localhost nginx]# cd auth
[root@localhost auth]# pwd
/usr/local/nginx/auth
[root@localhost auth]# yum provides '*bin/htpasswd'
[root@localhost auth]# yum -y install httpd-tools
[root@localhost auth]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file tom   # the file stores the hashed password; htpasswd is the recommended way to create it
New password:             # the password set here is "yaoxiaorong!"; choose your own
Re-type new password:
Adding password for user tom
[root@localhost auth]# cat /usr/local/nginx/auth/.user_auth_file
tom:$apr1$VBVYAKxN$5wQz/LPtuebYWeWRwqnjq/
[root@localhost auth]# vim /usr/local/nginx/conf/nginx.conf
.....
        location / {
            root   html;
            index  index.html index.htm;
            auth_basic "welcome to there";
            auth_basic_user_file /usr/local/nginx/auth/.user_auth_file;     # use an absolute path, or a path relative to /usr/local/nginx
        }
.....
[root@localhost auth]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost auth]# nginx -s reload
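Added example, not code from the original post: a POSIX shell checker for an htpasswd-style file of the kind created above. An Apache MD5 entry has the layout `$apr1$<8-char salt>$<22-char hash>`, so the check recomputes the hash with `openssl passwd -apr1` using the stored salt and compares. The file path and the user bob are constructed; the tom entry is regenerated from the salt and password recorded above.

```shell
#!/bin/sh
# Added example, not from the original post: verify a password against an
# htpasswd-style file like the one "htpasswd -c -m" creates above.
# Usage: verify_htpasswd /usr/local/nginx/auth/.user_auth_file tom 'yaoxiaorong!'
set -e

# Prints the stored hash field for USER in FILE (empty if the user is absent).
stored_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Returns 0 when PASSWORD matches USER's $apr1$ entry in FILE, 1 otherwise.
verify_htpasswd() {
    file="$1"; user="$2"; password="$3"
    entry="$(stored_hash "$file" "$user")"
    case "$entry" in
        '$apr1$'*) ;;          # only Apache MD5 entries are handled here
        *) return 1 ;;         # missing user, or a format this checker does not know
    esac
    salt="$(printf '%s' "$entry" | cut -d'$' -f3)"
    # The password goes in on stdin so it never shows up in the process list
    recomputed="$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)"
    [ "$recomputed" = "$entry" ]
}

# Constructed sample file in the same layout as /usr/local/nginx/auth/.user_auth_file:
# tom uses the salt and password recorded in the post, bob is made up.
make_sample_file() {
    {
        printf 'tom:%s\n' "$(printf 'yaoxiaorong!\n' | openssl passwd -apr1 -salt VBVYAKxN -stdin)"
        printf 'bob:%s\n' "$(printf 'correct horse\n' | openssl passwd -apr1 -salt d3m0sa1t -stdin)"
    } > "$1"
}
```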

HTTPS configuration

Building a private CA with openssl:
CA configuration file: /etc/pki/tls/openssl.cnf
The CA generates a key pair
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# ls
certs  crl  newcerts  private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)     # generate the private key; the parentheses are required so the umask applies only to this command
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout    # extract the public key

The CA generates its self-signed certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365    # generate the self-signed certificate
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organizational Unit Name (eg, section) []:www.wangqing.com
Common Name (eg, your name or your server's hostname) []:www.wangqing.com
Email Address []:[email protected]
[root@localhost CA]# openssl x509 -text -in cacert.pem   # print the contents of the cacert.pem certificate
[root@localhost CA]# mkdir -p certs newcerts crl

[root@localhost CA]# touch index.txt && echo 01 > serial
The client generates its key
[root@localhost CA]# cd /usr/local/nginx/
[root@localhost nginx]# ls
auth              conf          html  proxy_temp  scgi_temp
client_body_temp  fastcgi_temp  logs  sbin        uwsgi_temp
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...................+++
e is 65537 (0x10001)
The client generates a certificate signing request
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
The client sends the signing request file to the CA
[root@localhost ssl]# scp httpd.csr root@<CA IP>:/root
The CA signs the request submitted by the client
[root@localhost CA]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
The CA sends the signed certificate httpd.crt back to the client
[root@localhost CA]# scp httpd.crt root@<client IP>:/usr/local/nginx/ssl/
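Added example, not code from the original post: the CA workflow above as one offline script. It builds a throwaway private CA, issues a certificate for the server key (httpd.key, httpd.csr and httpd.crt, the file names used above) and checks that the result chains to the CA. Signing uses `openssl x509 -req` instead of `openssl ca`, so no index.txt/serial database is needed; the `-subj` values are constructed, the host name is the one used in the post, and it also adds the subjectAltName that browsers match the host against.

```shell
#!/bin/sh
# Added example, not from the original post: private CA, server CSR, signing
# and verification in one offline script (openssl x509 -req stands in for
# openssl ca). Directory layout mirrors the post: private/cakey.pem,
# cacert.pem, ssl/httpd.key, ssl/httpd.csr, ssl/httpd.crt.
set -e

build_demo_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir/private" "$dir/ssl"
    # CA key pair (umask 077 as in the post) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 365 -subj "/C=CN/ST=hb/L=wh/O=demo CA/CN=demo root CA"
    # Server side: private key and certificate signing request
    (umask 077; openssl genrsa -out "$dir/ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/ssl/httpd.key" -out "$dir/ssl/httpd.csr" \
        -subj "/C=CN/ST=hb/L=wh/O=demo/CN=$host"
    # Extensions for the issued certificate: browsers match the host name
    # against subjectAltName, not CN, and a server certificate must not be a CA
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/ssl/ext.cnf"
    # The CA signs the request; -CAcreateserial keeps the serial in cacert.srl
    openssl x509 -req -in "$dir/ssl/httpd.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/ssl/ext.cnf" -out "$dir/ssl/httpd.crt" 2>/dev/null
}

# Returns 0 when httpd.crt verifies against the CA and names HOST in its SAN
check_demo_pki() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/ssl/httpd.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/ssl/httpd.crt" -noout -text | grep -q "DNS:$host"
}
```

With these files in place, the HTTPS server block left commented out in nginx.conf above would point ssl_certificate at ssl/httpd.crt and ssl_certificate_key at ssl/httpd.key.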
