nginx
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了nginx相关的知识,希望对你有一定的参考价值。
nginx
nginx是一款轻量级的web服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器
nginx是个高性能web和反向代理服务器
nginx由内核和模块组成
nginx的特性与优点
‘特性:
使用epoll and kqueue作为开发模型
在高连接并发的情况下,nginx是apache服务器不错的替代品,能够支持高达50000个并发连接数的响应
nginx作为负载均衡服务器,既可在内部直接支持和php程序对外进行服务,也可作为HTTP代理服务器对外进行服务
采用c语言进行编写‘
‘优点:
~~~模块化设计:模块可以动态编译
~~~稳定性高:用于反向代理
~~~节省带宽:支持GZIP压缩,可以添加浏览器本地缓存的Header头
~~~配置文件简单
~~~高并发连接:官方测试能支持5万并发连接,实际生产环境中跑2-3万并发连接数
~~~成本低廉:免费使用,购买F5 BIG-IP NetScaler 等硬件负载均衡交换机则需要十多万至几十万人名币
~~~内置的健康检查功能:Nginx Proxy后端如果某台web服务端宕机,不会影响前端访问
~~~外围支持好:文档全,二次开发和模块较多
~~~支持热部署:可以不停机重载配置文件
~~~支持事件驱动,AIO (Asycncl ,异步IO)、mmap(Memory Map,内存映射)等性能优化 ‘
nginx的模块从结构上分为核心模块、基础模块和第三方模块
核心模块:HTTP模块、event模块、mail模块
基础模块:http access模块、http fastcgl模块、http proxy模块、http rewrite模块
第三方模块:http upstream模块、request hash模块、notice模块、http access key模块(自己需要开发的模块都属于第三方模块)
nginx模块从功能fen‘w分为三类:Handlers(处理器模块)、Filters(过滤器模块)、proxies(代理器模块)
‘Handlers(处理器模块):直接处理请求,进行输出内容和修改headers信息等操作
Filters(过滤器模块):主要是对其他处理器模块输出的内容进行修改操作,最后由nginx输出
Proxies(代理器模块):nginx的HTTP upstream之类的模块,这些模块主要与后端一些服务比如fastcgi等操作交互,实现服务代理和负载均衡等功能。‘
nginx的安装
‘创建系统用户nginx‘
[[email protected] ~]# useradd -r -M -s /sbin/nologin nginx
[[email protected] ~]# id nginx
uid=998(nginx) gid=996(nginx) groups=996(nginx)
‘安装依赖环境‘
[[email protected] ~]# yum -y install pcre-devel openssl openssl-devel gd-devel
[[email protected] ~]# yum -y groups mark install ‘Development Tools‘
‘创建日志存放目录‘
[[email protected] ~]# mkdir -p /var/log/nginx
[[email protected] ~]# chown -R nginx.nginx /var/log/nginx/
‘下载nginx‘
[[email protected] ~]# cd /usr/src/
[[email protected] src]# wget http://nginx.org/download/nginx-1.12.0.tar.gz
‘编译安装‘
[[email protected] src]# ls
debug kernels nginx-1.12.0.tar.gz
[[email protected] src]# tar xf nginx-1.12.0.tar.gz
[[email protected] src]# cd nginx-1.12.0
[[email protected] nginx-1.12.0]# ./configure > --prefix=/usr/local/nginx > --user=nginx > --group=nginx > --with-debug > --with-http_ssl_module > --with-http_realip_module > --with-http_image_filter_module > --with-http_gunzip_module > --with-http_gzip_static_module > --with-http_stub_status_module > --http-log-path=/var/log/nginx/access.log > --error-log-path=/var/log/nginx/error.log
[[email protected] nginx-1.12.0]# make -j 2 && make install
‘配置环境变量‘
[[email protected] ~]# echo ‘export PATH=/usr/local/nginx/sbin:$PATH‘ > /etc/profile.d/nginx.sh
[[email protected] ~]# source /etc/profile.d/nginx.sh
‘启动nginx‘
[[email protected] ~]# nginx
[[email protected] ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
最后在浏览器通过IP访问,出现如下界面就是正确
服务控制方式,使用nginx命令
-t 检查配置文件语法
-v 输出nginx的版本
-c 指定配置文件的路径
-s 发送服务控制信号,可选值有stop、quit、 reopen、reload
nginx的配置文件,nginx的基本配置文件在/usr/local/nginx/conf/nginx.conf,nginx.conf的内容分为以下几段:
main配置段:全局配置段,其中main配置段中可能包含event配置段
event{}:定义event模型工作特性
http{}:定义http协议相关的配置,要以分号结尾
/usr/local/nginx/conf/nginx.conf修改后的配置文件如下:
[[email protected] conf]# vim nginx.conf
user nginx; #‘event配置段,指定运行worker进程的用户和组‘
worker_processes 3; #‘启动n个worker进程,这里的n为了避免上下文切换,通常设置为cpu总核心数,设置几个人工作‘
worker_cpu_affinity 00000001 00000010 00000100; #‘将进程绑定到某cpu中,避免频繁刷新缓存,优化性能的配置参数‘
error_log logs/error.log; #‘位置 级别;配置错误日志,相对路径,级别:notice、info‘
lock_file logs/nginx.lock;
pid logs/nginx.pid; ‘指定nginx守护进程的pid文件‘
worker_rlimit_nofile 35000;
daemon on; ‘#这行是添加的,daemon {on|off}; //是非法以守护进程方式运行nginx,调试时应设置为off‘
events {
worker_connections 35000; #‘每个进程能够接受的最大连接数‘
accept_mutex on; #‘master调度用户请求至各worker进程使用的负载均衡锁‘
}
http { ‘//协议级别‘
include mime.types;
default_type application/octet-stream;
log_format main ‘$remote_addr - $remote_user [$time_local] "$request" ‘ #‘远程主机的地址、远程主机的用户、本地时间、请求‘
‘$status $body_bytes_sent "$http_referer" ‘
‘"$http_user_agent" "$http_x_forwarded_for"‘;
access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
server { ‘服务器级别,每个server类似于httpd中的一个<VirtualHost>,定义一个虚拟主机‘
listen 80;
server_name localhost;
access_log logs/host.access.log main;
location / ‘请求级别,类似于httpd中的<Location>,用于定义URL与本地文件系统的映射关系‘
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ .php$ {
root html;
fastcgi_pass 127.0.0.1:9000; //定义反向代理
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
网络连接相关的配置参数
keepalive_timeout number; ‘//长连接的超时时长,默认为75s‘
keepalive_requests number; ‘//在一个长连接上所能够允许请求的最大资源数‘
keepalive_disable [msie6|safari|none]; ‘//为指定类型的UserAgeng禁用长连接‘
tcp_nodelay on|off; ‘是否对长连接使用TCP_nodelay选项,为了提升用户体验,通常设为on‘
client_header_timeout number; ‘//读取http请求报文首部的超时时长‘
client_body_timeout number; ‘//读取http请求报文body部分的超时时长‘
send_timeout number; ‘发送响应报文的超时时长‘
访问控制,用于location段
allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开
deny:设置禁止哪台或哪些主机访问,多个参数间用空格隔开
[[email protected] conf]# vim nginx.conf
....
location / {
root html;
index index.html index.htm;
allow 192.168.228.1;
deny all;
}
....
[[email protected] conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload
如图:
**设置拒绝本机访问***
[[email protected] conf]# vim nginx.conf
access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
deny 192.168.228.1;
allow all;
}
[[email protected] conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload
如图:
基于用户认证
[[email protected] ~]# cd /usr/local/nginx/
[[email protected] nginx]# mkdir auth
[[email protected] nginx]# cd auth
[[email protected] auth]# pwd
/usr/local/nginx/auth
[[email protected] auth]# yum provides *bin/htpasswd
[[email protected] auth]# yum -y install httpd-tools
[[email protected] auth]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file tom ‘这里的密码为加密后的密码串,建议用htpasswd来创建此文件‘
New password: ‘此处设的密码是"yaoxiaorong!",可设为自己想设的密码‘
Re-type new password:
Adding password for user tom
[[email protected] auth]# cat /usr/local/nginx/auth/.user_auth_file
tom:$apr1$VBVYAKxN$5wQz/LPtuebYWeWRwqnjq/
[[email protected] auth]# vim /usr/local/nginx/conf/nginx.conf
.....
location / {
root html;
index index.html index.htm;
auth_basic "welcome to there";
auth_basic_user_file ../auth/.user_auth_file; ‘路径要带上绝对路径,或者在/usr/local/nginx的相对路径‘
}
.....
[[email protected] auth]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] auth]# nginx -s reload
如图:
https配置
‘openssl实现私有CA:‘
CA的配置文件:/etc/pkil/tls/openssl.cnf
CA生成一对密钥
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# ls
certs crl newcerts private
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) ‘#生成密钥,括号必须要‘
[[email protected] CA]# openssl rsa -in private/cakey.pem -pubout ‘提取公钥‘
CA生成自签署证书
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 ‘生成签署证书‘
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organizational Unit Name (eg, section) []:www.wangqing.com
Common Name (eg, your name or your server‘s hostname) []:www.wangqing.com
Email Address []:[email protected]
[[email protected] CA]# openssl x509 -text -in cacert.pem ‘读出cacert.pem证书的内容‘
[[email protected] CA]# mkdir certs newcerts crl
[[email protected] CA]# touch index.txt && echo 01 > serial
‘客户端生成密钥‘
[email protected] CA]# cd /usr/local/nginx/
[[email protected] nginx]# ls
auth conf html proxy_temp scgi_temp
client_body_temp fastcgi_temp logs sbin uwsgi_temp
[[email protected] nginx]# mkdir ssl
[[email protected] nginx]# cd ssl/
[[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...................+++
e is 65537 (0x10001)
客户端生成证书签署请求
[[email protected] ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
客户端把证书签署请求文件发送给CA
scp httpd.csr [email protected]端IP:/root
CA签署客户端提交上来的证书
[[email protected] ssl]# openssl ca -in /root/nginx.csr -out nginx.crt -days 365
CA把签署好的证书httpd.ctr发给客户端
scp httpd.crt [email protected]客户端IP:/etc/httpd/ssl/
以上是关于nginx的主要内容,如果未能解决你的问题,请参考以下文章