环境如下:
[root@xxxxx ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@xxxxx ~]# ls
nginx-1.19.6 nginx-module-vts-master nginx-vts-exporter-0.10.7
nginx-1.19.6.tar.gz nginx-module-vts-master.zip nginx-vts-exporter-0.10.7.zip
安装
# 添加用户
useradd nginx && usermod -s /sbin/nologin nginx
# 安装依赖
yum install gcc gcc-c++ pcre-devel openssl-devel zlib zlib-devel pcre -y
# 编译安装 nginx-module-vts-master 是监控用的,后面会细说
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=/root/nginx-module-vts-master/ && make && make install
配置
nginx.conf
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
error_log logs/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;
events {
use epoll;
worker_connections 65535;
}
http {
fastcgi_intercept_errors on;
proxy_intercept_errors on;
include mime.types;
default_type application/octet-stream;
charset UTF-8;
large_client_header_buffers 4 16k;
client_body_buffer_size 64k;
proxy_connect_timeout 300;
proxy_read_timeout 300;
proxy_send_timeout 300;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
client_header_buffer_size 64k;
client_max_body_size 50m;
proxy_buffer_size 64k;
proxy_buffers 8 32k;
log_format access ' $remote_addr; -; $remote_user; [$time_local]; "$request"; $status; $body_bytes_sent; "$http_referer"; "$http_user_agent"; $http_x_forwarded_for; $server_addr; $upstream_addr; $upstream_response_time; $request_time;';
access_log logs/access.log access buffer=32k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120s 120s;
keepalive_requests 300;
gzip on;
gzip_min_length 1k;
gzip_buffers 32 4k;
gzip_http_version 1.1;
gzip_comp_level 4;
gzip_types text/plain application/x-javascript application/javascript application/css text/css application/xml text/javascript;
gzip_vary on;
include /usr/local/nginx/conf/vhost/*.conf;
}
https.conf (性能提升的关键)
server {
listen 443 ssl reuseport http2;
server_name xx.cn;
ssl_certificate /usr/local/nginx/cert/xx.cer;
ssl_certificate_key /usr/local/nginx/cert/xx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";ssl_prefer_server_ciphers on;
error_page 400 401 402 403 404 408 410 412 413 414 415 500 501 502 503 506 = /error.html;
}
监控
由于要监控 Nginx 的 qps,需要用到 https://github.com/hnlq715/nginx-vts-exporter,而 Nginx-vts-exporter 又依赖于 nginx-module-vts,nginx-module-vts 前面编译的时候已经添加了该模块了。下面配置一下:
http {
vhost_traffic_status_zone;
...
server {
...
location /status {
allow 192.168.201.0/24;
deny all;
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
}
}
}
打开浏览器访问 http://192.168.201.179/status/format/json 即可看到相应指标。这不是重点,看下一个Nginx-vts-exporter,这个自己编译老是有问题,找同事要了现成的包
nohup ./nginx-vts-exporter --nginx.scrape_uri=http://127.0.0.1/status/format/json &
同步
使用 lsyncd + rsyncd 做实时同步。将179的/usr/local/nginx/conf/、/usr/local/nginx/html目录实时同步到180机器上。
179操作:
yum install lsyncd -y
配置
[root@yyyyy web-service]# cat /etc/lsyncd.conf
settings {
logfile = "/tmp/lsyncd.log",
statusFile = "/tmp/lsyncd.status",
pidfile = "/var/run/lsyncd.pid",
statusInterval = 1,
nodaemon = false,
inotifyMode = "CloseWrite",
maxProcesses = 1,
maxDelays = 1,
}
sync {
default.rsync,
source = "/usr/local/nginx/conf/",
target = "xx@192.168.201.180::conf",
default.rsync,
source = "/usr/local/nginx/html/",
target = "xx@192.168.201.180::html",
exclude = "/image",
rsync = {
binary = "/usr/bin/rsync",
archive = true,
compress = false,
owner = true,
perms = true,
whole_file = false,
password_file = "/etc/passwd.txt"
}
}
sync {
default.rsync,
source = "/usr/local/nginx/html/",
target = "xx@192.168.201.180::html",
exclude = "/image",
rsync = {
binary = "/usr/bin/rsync",
archive = true,
compress = false,
owner = true,
perms = true,
whole_file = false,
password_file = "/etc/passwd.txt"
}
}
密码文件
[root@yyyyy]# cat /etc/passwd.txt
RFSiGjEgP$$062Lm
[root@yyyyy]# chmod 400 /etc/passwd.txt
180操作:
安装
yum install rsync -y
配置
[root@xxxxx web-service]# cat /etc/rsyncd.conf
log file = /var/log/rsyncd.log
pidfile = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
secrets file = /etc/rsync.pass
max connections = 0
uid = root
gid = root
port = 873
use chroot = no
read only = no
list = no
timeout = 600
auth users = xx
hosts allow = 192.168.201.179
hosts deny = 0.0.0.0/32
[html]
path = /usr/local/nginx/html/
comment = html
[conf]
path = /usr/local/nginx/conf/
comment = conf
验证文件
/etc/rsync.pass
[root@xxxxx]# chmod 400 /rsync.pass
[root@xxxxx]# cat /etc/rsync.pass
xx:RFSiGjEgP$$062Lm
在179新建一个文件,看看是否会实时同步到180