I. Installing nginx
1. Install with yum
yum install nginx
2. Build from source
useradd nginx -r -s /sbin/nologin
wget http://nginx.org/download/nginx-1.12.2.tar.gz
tar xf nginx-1.12.2.tar.gz
cd nginx-1.12.2
./configure --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
    --user=nginx --group=nginx \
    --with-http_ssl_module --with-http_v2_module --with-http_dav_module \
    --with-http_stub_status_module --with-threads --with-file-aio
make && make install
II. Three ways to implement nginx virtual hosts
Virtual hosts can be implemented in three ways:
based on multiple IP addresses
based on multiple ports
based on multiple virtual host names

1. Install nginx
[root@localhost ~]# yum install nginx

Scheme 1: based on multiple IP addresses
# Show IP information
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b3:02:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.46.151/24 brd 192.168.46.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::df7e:1d50:d858:d479/64 scope link
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b3:02:ec brd ff:ff:ff:ff:ff:ff
    inet 172.18.46.151/16 brd 172.18.255.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::f0f5:59a9:d186:e6a7/64 scope link
       valid_lft forever preferred_lft forever
# Create the index pages
[root@localhost nginx]# pwd
/usr/share/nginx
[root@localhost nginx]# mkdir multi_ip_1
[root@localhost nginx]# mkdir multi_ip_2
[root@localhost nginx]# echo multi_ip_1 >> multi_ip_1/index.html
[root@localhost nginx]# echo multi_ip_2 >> multi_ip_2/index.html
# Edit the configuration file
[root@localhost ~]# cd /etc/nginx/conf.d/
[root@localhost conf.d]# ls
[root@localhost conf.d]# vim multi_ip.conf
[root@localhost conf.d]# cat multi_ip.conf
server {
    listen 172.18.46.151:80;
    root /usr/share/nginx/multi_ip_1;
}
server {
    listen 192.168.46.151:80;
    root /usr/share/nginx/multi_ip_2;
}
# Test it
[root@localhost conf.d]# systemctl restart nginx
[root@localhost conf.d]# curl 172.18.46.151
multi_ip_1
[root@localhost conf.d]# curl 192.168.46.151
multi_ip_2

Scheme 2: based on multiple ports
# Edit the configuration file
[root@localhost conf.d]# cp multi_ip.conf multi_port.conf
[root@localhost conf.d]# vim multi_port.conf
[root@localhost conf.d]# cat multi_port.conf
server {
    listen 172.18.46.151:81;
    root /usr/share/nginx/multi_port_1;
}
server {
    listen 172.18.46.151:82;
    root /usr/share/nginx/multi_port_2;
}
# Create the index pages
[root@localhost conf.d]# cd /usr/share/nginx/
[root@localhost nginx]# ls
html modules multi_ip_1 multi_ip_2
[root@localhost nginx]# mkdir multi_port_1
[root@localhost nginx]# mkdir multi_port_2
[root@localhost nginx]# echo "multi_port_1" > multi_port_1/index.html
[root@localhost nginx]# echo "multi_port_2" > multi_port_2/index.html
# Test it
[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# curl 172.18.46.151:81
multi_port_1
[root@localhost nginx]# curl 172.18.46.151:82
multi_port_2

Scheme 3: based on multiple virtual host names
This approach is widely used.
# Back up the other configuration files that would interfere
[root@localhost conf.d]# mv multi_port.conf{,.bak}
[root@localhost conf.d]# mv multi_ip.conf{,.bak}
# Edit the configuration file
[root@localhost conf.d]# cp multi_ip.conf.bak multi_host.conf
[root@localhost conf.d]# vim multi_host.conf
[root@localhost conf.d]# cat multi_host.conf
server {
    listen 80;
    server_name www.linuxpanda.tech;
    root /usr/share/nginx/multi_host_1;
}
server {
    listen 80;
    server_name blog.linuxpanda.tech;
    root /usr/share/nginx/multi_host_2;
}
# Create the index pages
[root@localhost conf.d]# cd /usr/share/nginx/
[root@localhost nginx]# ls
html modules multi_ip_1 multi_ip_2 multi_port_1 multi_port_2
[root@localhost nginx]# mkdir multi_host_1
[root@localhost nginx]# mkdir multi_host_2
[root@localhost nginx]# echo "multi_host_1" > multi_host_1/index.html
[root@localhost nginx]# echo "multi_host_2" > multi_host_2/index.html
# Test
Name-based virtual hosts need DNS resolution to work; to keep things simple I just use the hosts file here.
[root@localhost conf.d]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.46.151 www.linuxpanda.tech blog.linuxpanda.tech
[root@localhost conf.d]# systemctl restart nginx
[root@localhost conf.d]# curl www.linuxpanda.tech
multi_host_1
[root@localhost conf.d]# curl blog.linuxpanda.tech
multi_host_2
III. HTTPS support in nginx
1. Install nginx
[root@localhost ~]# yum install nginx

2. Configure
[root@localhost conf.d]# cd /etc/pki/tls/certs/
[root@localhost certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@localhost certs]# make www.crt
umask 77 ; /usr/bin/openssl genrsa -aes128 2048 > www.key
Generating RSA private key, 2048 bit long modulus
...................................+++
..........................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; /usr/bin/openssl req -utf8 -new -key www.key -x509 -days 365 -out www.crt
Enter pass phrase for www.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhenzhou
Organization Name (eg, company) [Default Company Ltd]:linuxpanda.tech
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.linuxpanda.tech
Email Address []:
[root@localhost certs]# ll
total 20
lrwxrwxrwx. 1 root root   49 Jan 11 01:00 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Jan 11 01:00 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 Aug  4  2017 make-dummy-cert
-rw-r--r--. 1 root root 2516 Aug  4  2017 Makefile
-rwxr-xr-x. 1 root root  829 Aug  4  2017 renew-dummy-cert
-rw-------  1 root root 1359 Mar 15 18:00 www.crt
-rw-------  1 root root 1766 Mar 15 17:59 www.key
[root@localhost certs]# openssl rsa -in www.key -out www2.key
Enter pass phrase for www.key:
writing RSA key
[root@localhost certs]# ll
total 24
lrwxrwxrwx. 1 root root   49 Jan 11 01:00 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Jan 11 01:00 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 Aug  4  2017 make-dummy-cert
-rw-r--r--. 1 root root 2516 Aug  4  2017 Makefile
-rwxr-xr-x. 1 root root  829 Aug  4  2017 renew-dummy-cert
-rw-r--r--  1 root root 1675 Mar 15 18:00 www2.key
-rw-------  1 root root 1359 Mar 15 18:00 www.crt
-rw-------  1 root root 1766 Mar 15 17:59 www.key
[root@localhost certs]# mkdir /etc/nginx/conf.d/ssl
[root@localhost certs]# cp www2.key /etc/nginx/conf.d/ssl/www.key
[root@localhost certs]# cp www.crt /etc/nginx/conf.d/ssl/
[root@localhost certs]# cd /etc/nginx/conf.d/
[root@localhost conf.d]# ls
bak ssl vhosts.conf
[root@localhost conf.d]# vim vhosts.conf
[root@localhost conf.d]# cat vhosts.conf
server {
    listen 443 ssl;
    server_name www.linuxpanda.tech;
    root /usr/share/nginx/multi_host_1;
    ssl on;
    ssl_certificate /etc/nginx/conf.d/ssl/www.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/www.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
}

3. Test
[root@localhost conf.d]# curl https://www.linuxpanda.tech -k
multi_host_1
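
Added example (not part of the original post): the second listing above shows the decrypted www2.key as -rw-r--r-- before it is copied into /etc/nginx/conf.d/ssl/. The script below checks that a key file is closed to group and other, that it belongs to the certificate, and that the certificate is not about to expire. The function names and the 30-day threshold are assumptions of this example; it needs GNU stat and the openssl command line tool.

```shell
#!/bin/sh
# Added example: checks for an nginx TLS certificate/key pair before a reload.
# Function names and the 30-day threshold are assumptions of this example.

# key_perm_ok FILE: succeed only if FILE grants nothing to group or other.
key_perm_ok() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, octal mode such as 644
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# cert_matches_key CERT KEY: succeed if both files hold the same public key.
# An encrypted key fails here instead of prompting (empty -passin).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass:) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_tls_pair CERT KEY: print findings; non-zero status if any check fails.
check_tls_pair() {
    rc=0
    if ! key_perm_ok "$2"; then
        echo "FAIL: $2 is accessible to group/other; chmod 600 it"
        rc=1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 and $2 do not share a public key"
        rc=1
    fi
    # 2592000 seconds = 30 days
    if ! openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $1 expires within 30 days"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2"
    return "$rc"
}

# Run directly as: sh check_tls.sh CERT KEY
if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; fi
```

Run against the files from this section, it would be called with /etc/nginx/conf.d/ssl/www.crt and /etc/nginx/conf.d/ssl/www.key.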
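IV. Common nginx use cases
1. Reverse proxying HTTP and load balancing
A proxy is an intermediary. Where there is a reverse proxy there is also a forward proxy, so what is the difference between the two?
A forward proxy hides the real client: the server does not know which client actually made the request. The proxy and the client are on the same LAN, and the proxy is transparent to the server.
A reverse proxy hides the real server: the client does not know which server actually provides the service. The proxy and the server are on the same LAN, and the proxy is transparent to the client.
Basic configuration directives
(1) proxy_pass
Reverse-proxies the current request to the server given by the URL argument.
(2) proxy_method
Sets the HTTP method name used when the request is forwarded.
proxy_method POST;    A GET request from the client is forwarded with its method changed to POST.
(3) proxy_redirect
When the upstream server's response is a redirect or a refresh (HTTP status 301 or 302), the Location or Refresh header of the response can be rewritten.
proxy_redirect http://location:8000/two/ http://location:8000/noe/;
(4) proxy_next_upstream
When a request to an upstream server fails, the request is passed on to another server.
error: an error occurred while establishing a connection with the server, passing the request to it, or reading the response header;
timeout: a timeout occurred while establishing a connection with the server, passing the request to it, or reading the response header;
invalid_header: the server returned an empty or invalid response;
http_500: the server returned a response with code 500;
http_502: the server returned a response with code 502;
http_503: the server returned a response with code 503;
http_504: the server returned a response with code 504;
http_403: the server returned a response with code 403;
http_404: the server returned a response with code 404;
off: disables passing the request to the next server.
Example:
# When one server returns an error code such as 404 or 500, the request can be handed to the next server to continue processing, which raises the site's success rate. This is mostly used for load-balanced front-end applications. Set proxy_next_upstream:
proxy_next_upstream http_500 http_502 http_503 http_504 http_404;
# proxy_next_upstream off;    disables passing the request on to the next server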
[root@localhost conf.d]# vim vhosts.conf
upstream backend {
    server 172.18.46.152 weight=5;
    server 172.18.46.153;
}
server {
    listen 172.18.46.151:80;
    location / {
        proxy_pass http://backend;
    }
}
[root@localhost conf.d]# for i in {1..10} ; do curl 172.18.46.151; done;
153
152
152
152
152
152
153
152
152
152

2. Reverse proxying MySQL
# The stream block belongs in the main context of nginx.conf, not inside http
stream {
    upstream mysqlsrvs {
        server 192.168.22.2:3306;
        server 192.168.22.3:3306;
        least_conn;
    }
    server {
        listen 10.1.0.6:3306;
        proxy_pass mysqlsrvs;
    }
}

3. Separating dynamic and static content
server {
    listen 80;
    server_name www.linuxpanda.tech.com;
    root /data/web1/;
    location / {
        proxy_pass http://172.18.46.152;
    }
    # Escape the dot so that only URIs ending in ".php" match
    location ~* \.php$ {
        proxy_pass http://172.18.46.153;
    }
}

4. Hotlink protection
server {
    server_name www.b.com;
    root /data/web2;
    valid_referers none blocked server_names *.b.com b.* ~\.baidu\.;
    if ($invalid_referer) {
        return 403 http://www.magedu.com/;
    }
}

5. Caching on the proxy server
# The "proxycache" zone must be defined by a proxy_cache_path directive
# (keys_zone=proxycache:...) in the http context.
server {
    listen 80;
    server_name www.linuxpanda.tech;
    root /data/web1/;
    proxy_cache proxycache;
    proxy_cache_key $request_uri;
    proxy_cache_valid 200 302 301 1h;
    proxy_cache_valid any 1m;
    add_header X-Via $server_addr;
    add_header X-Cache $upstream_cache_status;
    add_header X-Accel $server_name;
    location / {
        proxy_pass http://192.168.27.17;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~* \.php$ {
        proxy_pass http://192.168.27.6;
    }
}