1、请列出 nginx 常用模块的各个优缺点以及区别
答:
2、请写出用户通过 nginx 访问的工作过程
答:
- nginx生成一个master进程
- master进程建立监听的socket,并且fork出指定个数的worker进程
- 当有用户请求到来时,worker进程会竞争accept_mutex,从而获得读事件的资格,即处理请求的资格
- worker进程处理请求,生成响应报文
3、请写出实现 nginx-https 访问的步骤过程
答:
- 建立私有CA
#创建一个目录,专门用于放相关证书及私钥
[root@centos8 nginx]#cd certs
[root@centos8 certs]#pwd
/etc/nginx/certs
#创建私有CA(-nodes 表示生成的 ca.key 不加密存放,应限制该文件的访问权限)
[root@centos8 certs]#openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 3650 -out ca.crt
......
[root@centos8 certs]#ls
ca.crt ca.key
[root@centos8 certs]#openssl x509 -in ca.crt -noout -subject
subject=C = CN, ST = Shanghai, L = Shanghai, O = Priv_CA, CN = root_ca
- 创建nginx服务器所需私钥、证书请求
[root@centos8 certs]#openssl req -newkey rsa:2048 -nodes -keyout nginx.key -out nginx.csr
......
[root@centos8 certs]#openssl req -in nginx.csr -noout -subject
subject=C = CN, ST = Shanghai, L = Shanghai, O = Priv_CA, CN = nginx
- 给nginx颁发证书(注意:下面的命令未指定 -days,openssl 默认只签发 30 天有效期的证书;也未通过扩展文件添加 subjectAltName)
[root@centos8 certs]#openssl x509 -req -in nginx.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out nginx.crt
Signature ok
subject=C = CN, ST = Shanghai, L = Shanghai, O = Priv_CA, CN = nginx
Getting CA Private Key
[root@centos8 certs]#ls
ca.crt ca.key ca.srl nginx.crt nginx.csr nginx.key
- 设置nginx配置文件,使nginx支持https
# HTTPS virtual host: serves static files over TLS on port 443 using the
# certificate and key produced in the preceding steps.
# NOTE(review): no ssl_protocols or ssl_ciphers directive is set, so nginx's
# built-in defaults apply; confirm they exclude legacy TLS versions on this build.
server {
# Accept TLS connections on port 443.
listen 443 ssl;
# Document root for files served by this host.
root /usr/share/nginx/html;
# Server certificate signed by the private CA created above.
ssl_certificate "/etc/nginx/certs/nginx.crt";
# Matching private key; it was generated with -nodes, so it is unencrypted
# on disk. Keep the file readable by root only.
ssl_certificate_key "/etc/nginx/certs/nginx.key";
# Shared TLS session cache named "SSL", 10 MB in size.
ssl_session_cache shared:SSL:10m;
# Cached session parameters may be reused for 10 minutes.
ssl_session_timeout 10m;
# Empty location: requests under / fall back to the server-level settings.
location / {
}
}
- 测试
4、请写出隐藏 Nginx 版本号的过程
答:
- 修改源码相关文件
[root@centos8 core]#vim /usr/local/src/nginx-1.18.0/src/core/nginx.h
#define NGINX_VERSION "666"
#define NGINX_VER "magedu" NGINX_VERSION
[root@centos8 core]#vim /usr/local/src/nginx-1.18.0/src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: magedu" CRLF;
- 重新编译安装
- 当server_tokens指令为on时,显示效果如下
[root@localhost ~]#curl -I 10.0.0.8
HTTP/1.1 200 OK
Server: magedu666
Date: Tue, 13 Oct 2020 08:13:46 GMT
- 当server_tokens指令为off时,显示效果如下
[root@localhost ~]#curl -I 10.0.0.8
HTTP/1.1 200 OK
Server: magedu
5、请写出 nginx 各种优化参数,以及每个参数的作用是什么
答:
worker_processes:指定worker进程个数,最好和cpu核心数量相同
worker_cpu_affinity:将worker进程绑定在固定的cpu核心上,避免了worker进程在不同的cpu核心上跳转
worker_rlimit_nofile 65536:所有worker进程能打开的文件数量上限
accept_mutex on:一个客户端请求进来时,只有持有accept_mutex的worker进程来处理,而不是唤醒所有进程
use epoll:使用epoll模型
worker_connections 65536:单个进程最大并发连接数
multi_accept on:每个worker进程可以同时接收多个新的网络连接