• nginx modules and their configuration


    nginx modules
    Official modules (supported by default)
    Third-party modules

    1. --with-http_stub_status_module: nginx client connection status

    Configuration
    Syntax: stub_status;
    Default: -
    Context: server, location

    location /mystatus{
    stub_status;
    }

    http://192.168.1.251/mystatus

    Active connections: 2
    server accepts handled requests
    134 134 291
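    Reading: 0 Writing: 1 Waiting: 1 (Waiting: idle connections with no read or write in progress)

    First number (accepts): total number of connection handshakes nginx has accepted
    Second number (handled): number of connections handled
    Third number (requests): total number of requests
    Normally accepts equals handled, which means no requests were lost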

    location /mystatus{
    stub_status;
    }
    location = /status{
    stub_status;
    }
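    /string is a prefix match: any URI beginning with it matches, e.g. /string122...
    = /string
    is an exact match: the URI must be exactly /string (/string?a still matches, of course)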

    2. --with-http_random_index_module: serve a randomly chosen file from a directory (directories and hidden files starting with . are excluded)
    random_index_module

    Syntax: random_index on|off;
    Default:random_index off;
    Context:location

    location /random {
    root /usr/share/nginx/html;
    random_index on;
    }

    [root@localhost110 random]# pwd
    /usr/share/nginx/html/random
    [root@localhost110 random]# ls -al
    总用量 32
    drwxr-xr-x. 3 root root 4096 2017-10-08 08:30:34 .
    drwxr-xr-x. 5 root root 4096 2017-10-08 08:10:36 ..
    -rw-r--r--. 1 root root 7 2017-10-08 08:11:14 1.html
    -rw-r--r--. 1 root root 7 2017-10-08 08:11:32 2.html
    -rw-r--r--. 1 root root 7 2017-10-08 08:11:51 3.html
    -rw-r--r--. 1 root root 8 2017-10-08 08:17:33 .4.html
    drwxr-xr-x. 2 root root 4096 2017-10-08 08:30:34 a (contains a.html)
    -rw-r--r--. 1 root root 20 2017-10-08 08:19:35 a.php

    The random file is chosen from among 1.html, 2.html, 3.html and a.php

    3. --with-http_sub_module: HTTP response content replacement
    http_sub_module

    Syntax: sub_filter string replacement;
    Default:-
    Context:http,server,location

    Syntax: sub_filter_last_modified on|off;
    Default:sub_filter_last_modified off;
    Context:http,server,location

    Syntax: sub_filter_once on|off;
    Default:sub_filter_once on;
    Context:http,server,location
    sub_filter_once off replaces every occurrence, similar to greedy matching in a regex

    location / {
    root /usr/share/nginx/html;
    index index.html index.htm;
    sub_filter 'php' 'PHP';
    sub_filter 'js' 'javascript';
    sub_filter_once off;
    }
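    submodule.html contains
    php js php Python
    java Php JS

    which is rewritten to
    PHP javascript PHP Python java PHP javascript
    Matching turns out to be case-insensitive.
    Regular expressions are not supported; the third-party module ngx_http_substitutions_filter_module can provide that.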

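    nginx request limiting
    Connection limiting: limit_conn_module
    Request-rate limiting: limit_req_module
    Connections and requests in HTTP

    One connection can carry multiple requests
    HTTP version and connection reuse

    HTTP version    Connection reuse
    1.0             TCP connection cannot be reused
    1.1             TCP connection reused, requests in sequence
    2.0             TCP connection reused, multiplexed

    An HTTP request is built on top of a TCP connection
    One TCP connection produces at least one HTTP request
    Connection limit syntax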

    Syntax:limit_conn_zone key zone=name:size;
    default:-
    Context:http

    Syntax:limit_conn zone number;
    Default:-
    Context:http ,server,location

    Request limit syntax
    Syntax:limit_req_zone key zone=name:size rate=rate;
    Default:-
    Context:http

    Syntax:limit_req zone=name [burst=number] [nodelay];
    Default:-
    Context:http,server,location

    Use ab (ApacheBench) for testing
    ab -n <total requests> -c <concurrency> -t <time limit> url
    ab -n 500 -c 200 http://192.168.1.251/1.html

    Concurrency Level:      200
    Time taken for tests:   0.466 seconds
    Complete requests:      500
    Failed requests:        0
    Write errors:           0
    Total transferred:      71981 bytes
    HTML transferred:       3905 bytes
    Requests per second:    1072.16 [#/sec] (mean)
    Time per request:       186.539 [ms] (mean)
    Time per request:       0.933 [ms] (mean, across all concurrent requests)
    Transfer rate:          150.73 [Kbytes/sec] received
    
    After configuring the request limit
    (limit_req_zone goes outside server, inside http)
    limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s;
    server {
        listen       80;
        server_name  localhost;
        access_log  /var/log/nginx/host.access.log  main;
        root   /usr/share/nginx/html;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            limit_req zone=req_zone;
        }
    }

    req_zone is the name of the allocated zone, 1m is its size, and rate=1r/s means 1 request per second

    Concurrency Level:      200
    Time taken for tests:   0.137 seconds
    Complete requests:      500
    Failed requests:        514
       (Connect: 0, Receive: 0, Length: 514, Exceptions: 0)
    Write errors:           0
    Non-2xx responses:      514
    Total transferred:      233078 bytes
    HTML transferred:       133133 bytes
    Requests per second:    3661.72 [#/sec] (mean)
    Time per request:       54.619 [ms] (mean)
    Time per request:       0.273 [ms] (mean, across all concurrent requests)
    Transfer rate:          1666.92 [Kbytes/sec] received
    
    
    ab -n 5 -c 2 http://192.168.1.251/1.html
    
    Concurrency Level:      2
    Time taken for tests:   0.002 seconds
    Complete requests:      5
    Failed requests:        4
       (Connect: 0, Receive: 0, Length: 4, Exceptions: 0)
    Write errors:           0
    Non-2xx responses:      4
    Total transferred:      2048 bytes
    HTML transferred:       1043 bytes
    Requests per second:    3180.66 [#/sec] (mean)
    Time per request:       0.629 [ms] (mean)
    Time per request:       0.314 [ms] (mean, across all concurrent requests)
    Transfer rate:          1272.26 [Kbytes/sec] received
    
    Only 1 request succeeded
    Access log
    192.168.1.251 - - [08/Oct/2017:12:20:23 +0800] "GET /1.html HTTP/1.0" 200 7 "-" "ApacheBench/2.3" "-"
    192.168.1.251 - - [08/Oct/2017:12:20:23 +0800] "GET /1.html HTTP/1.0" 503 259 "-" "ApacheBench/2.3" "-"
    192.168.1.251 - - [08/Oct/2017:12:20:23 +0800] "GET /1.html HTTP/1.0" 503 259 "-" "ApacheBench/2.3" "-"
    192.168.1.251 - - [08/Oct/2017:12:20:23 +0800] "GET /1.html HTTP/1.0" 503 259 "-" "ApacheBench/2.3" "-"
    192.168.1.251 - - [08/Oct/2017:12:20:23 +0800] "GET /1.html HTTP/1.0" 503 259 "-" "ApacheBench/2.3" "-"
    Error log
    2017/10/08 12:15:07 [error] 25599#25599: *2207 limiting requests, excess: 1.000 by zone "req_zone", client: 192.168.1.251, server: localhost, request: "GET /1.html HTTP/1.0", host: "192.168.1.251"
    2017/10/08 12:15:07 [error] 25599#25599: *2208 limiting requests, excess: 0.999 by zone "req_zone", client: 192.168.1.251, server: localhost, request: "GET /1.html HTTP/1.0", host: "192.168.1.251"
    2017/10/08 12:15:07 [error] 25599#25599: *2209 limiting requests, excess: 0.999 by zone "req_zone", client: 192.168.1.251, server: localhost, request: "GET /1.html HTTP/1.0", host: "192.168.1.251"
    2017/10/08 12:15:07 [error] 25599#25599: *2210 limiting requests, excess: 0.999 by zone "req_zone", client: 192.168.1.251, server: localhost, request: "GET /1.html HTTP/1.0", host: "192.168.1.251"
    
    If the configuration above is changed to
    limit_req zone=req_zone burst=2 nodelay;
    
    ab -n 5 -c 2 http://192.168.1.251/1.html
    
    Concurrency Level:      2
    Time taken for tests:   0.001 seconds
    Complete requests:      5
    Failed requests:        2
       (Connect: 0, Receive: 0, Length: 2, Exceptions: 0)
    Write errors:           0
    Non-2xx responses:      2
    Total transferred:      1614 bytes
    HTML transferred:       539 bytes
    Requests per second:    6720.43 [#/sec] (mean)
    Time per request:       0.298 [ms] (mean)
    Time per request:       0.149 [ms] (mean, across all concurrent requests)
    Transfer rate:          2118.51 [Kbytes/sec] received
    burst=2 means 2 requests are trusted: 2 trusted tokens are granted
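
The two ab runs above (1 success without burst, 3 successes with burst=2 nodelay) can be reproduced with a small model of the accept/reject decision. This is an added example, not nginx source code: it is a simplified leaky-bucket model, and the arrival times and the function name simulate_limit_req are assumptions constructed for illustration.

```python
def simulate_limit_req(arrivals_ms, rate_per_sec=1, burst=0):
    """Model limit_req's accept/reject decision for one client key.

    arrivals_ms: request arrival times in milliseconds, ascending.
    Returns a list of (status, excess); excess is in requests, with
    millisecond resolution, like "excess: 0.999" in the error log.
    Delaying of queued requests (no nodelay) is not modelled.
    """
    results = []
    excess = None          # thousandths of a request; None = key not seen yet
    last = None            # time of the last accepted request
    for now in arrivals_ms:
        if excess is None:
            new_excess = 0                           # first request always passes
        else:
            drained = rate_per_sec * (now - last)    # bucket leaks at the rate
            new_excess = max(excess - drained + 1000, 0)
        if new_excess > burst * 1000:
            # Rejected: 503 by default, and the stored state is left unchanged.
            results.append((503, new_excess / 1000))
            continue
        excess, last = new_excess, now
        results.append((200, new_excess / 1000))
    return results


# Constructed arrival times approximating "ab -n 5 -c 2": five requests
# inside about one millisecond.
AB_BURST = [0, 0, 1, 1, 1]

if __name__ == "__main__":
    for label, burst in (("limit_req zone=req_zone", 0),
                         ("limit_req zone=req_zone burst=2 nodelay", 2)):
        print(label)
        for status, excess in simulate_limit_req(AB_BURST, 1, burst):
            print(f"  {status}  excess={excess:.3f}")
```

The rejected requests in the first run carry excess 1.000 and 0.999, the same values that appear in the error log above.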
    Limiting connections
    
    limit_conn one 1; limits each client to 1 concurrent connection
    
    Inside http
    limit_conn_zone $binary_remote_addr zone=conn_zone:1m;
    
    server {
        listen       80;
        server_name  localhost;
        access_log  /var/log/nginx/host.access.log  main;
        root   /usr/share/nginx/html;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            limit_conn conn_zone 1;
        }
        ...
    }
    Check the current number of TCP connections (grouped by state)
    netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
    
    

    4.  http_access_module (IP-based access control)

     
    Syntax:allow address |CIDR|unix:|all;
    Default:-
    Context:http,server,location,limit_except
    
    CIDR: a network range
    unix: Unix-domain socket
    all: every address
    
    Syntax: deny address |CIDR|unix:|all;
    Default:-
    Context:http,server,location,limit_except
    
    

    allow and deny usually appear in pairs

    location /admin{
                    deny 10.88.1.83;
                    allow all;
                    index index.html;
     }
     Everyone except 10.88.1.83 can access
     location /admin1{
                    allow 10.88.1.0/24;
                    allow 10.88.2.0/24;
                    deny all;
                    index index.html;
      }
    Only the 10.88.1.0/24 and 10.88.2.0/24 networks are allowed; multiple allow lines can be configured

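     Limitations of http_access_module

    Common workarounds

    1. Use another HTTP header instead of remote_addr, such as HTTP_X_FORWARDED_FOR
    X-Forwarded-For is only a protocol convention: not every CDN or proxy vendor adds it, and the client can modify it

    http_x_forwarded_for=client ip,proxy(1),proxy(2) ip,....

    2. Combine with the geo module

    3. Pass the address in a custom HTTP variable

    When forwarding to the next hop, set an HTTP header from a custom variable so that the previous hop's remote_addr is carried to the next hop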
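
Because the client can modify X-Forwarded-For, the entry chosen from that header decides whether the allow/deny rules above still mean anything. The following added example (not code from the original page) evaluates the page's /admin and /admin1 rule lists in order and compares taking the first header entry with walking the header from the right past trusted proxies. The proxy address 192.168.1.251, the client address 203.0.113.7 and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Rule lists copied from the page's /admin and /admin1 locations.
ADMIN_RULES = [("deny", "10.88.1.83"), ("allow", "all")]
ADMIN1_RULES = [("allow", "10.88.1.0/24"), ("allow", "10.88.2.0/24"), ("deny", "all")]

def access_decision(rules, addr):
    """Check rules in order; the first matching allow/deny decides."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "deny"                      # unparsable address: fail closed
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target):
            return action
    return "allow"                         # no rule matched

def leftmost_xff(xff):
    """Naive choice: first X-Forwarded-For entry, which the client controls."""
    return xff.split(",")[0].strip()

def client_ip_from_xff(remote_addr, xff, trusted_proxies):
    """Walk X-Forwarded-For right to left and return the first hop that is
    not one of our own proxies; ignore the header on direct connections."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    if not trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not trusted(hop):
            return hop
    return remote_addr

# Constructed request: the client at 203.0.113.7 supplied the header value
# "10.88.1.5" itself; our proxy (assumed 192.168.1.251) appended the real peer.
PROXIES = ["192.168.1.251/32"]
XFF = "10.88.1.5, 203.0.113.7"

if __name__ == "__main__":
    naive = leftmost_xff(XFF)
    real = client_ip_from_xff("192.168.1.251", XFF, PROXIES)
    print(naive, access_decision(ADMIN1_RULES, naive))
    print(real, access_decision(ADMIN1_RULES, real))
```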

     

  • Original article: https://www.cnblogs.com/HKUI/p/7638626.html