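- 2-1 What is Nginx
- 2-2 Common middleware services
- 2-3 Nginx features: implementation advantages 1
- 2-4 Nginx features: implementation advantages 2
- 2-5 Nginx features: implementation advantages 3
- 2-6 Nginx features: implementation advantages 4
- 2-7 Quick installation of Nginx
- 2-8 Nginx directories and configuration syntax: installation directories
- 2-9 Nginx directories and configuration syntax: compile-time configuration parameters
- 2-10 Nginx directories and configuration syntax: default syntax rules
- 2-11 Nginx directories and configuration syntax: default configuration and starting the default site
- 2-12 HTTP requests
- 2-13 Nginx logs: log_format 1
- 2-14 Nginx logs: log_format 2
- 2-15 Nginx modules
- 2-16 Nginx modules: stub_status
- 2-17 Nginx modules: random_index
- 2-18 Nginx modules: sub_module
- 2-19 Nginx modules: sub_module configuration demo
- 2-20 Nginx request limiting: configuration syntax and principles 1
- 2-21 Nginx request limiting: configuration syntax and principles 2
- 2-22 Nginx request limiting: configuration syntax and principles 3
- 2-23 Nginx access control: basic approaches to access control
- 2-24 Nginx access control: access_module configuration syntax
- 2-25 Nginx access control: access_module configuration
- 2-26 Nginx access control: limitations of access_module
- 2-27 Nginx access control: auth_basic_module configuration
- 2-28 Nginx access control: limitations of auth_basic_module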
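2-1 What is Nginx
1. Nginx is an open-source, high-performance and reliable HTTP middleware and proxy service (for example, Taobao's Tengine is a secondary development based on the Nginx source code).
2. Nginx's middleware architecture:
Middleware effectively keeps the application from calling the operating system directly, which gives the site a more layered structure.
Nginx official website: http://nginx.org/
Nginx download page: http://nginx.org/en/download.html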
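2-2 Common middleware services
1. Common HTTP services
- Apache HTTPD: Apache Foundation;
- IIS: Microsoft;
- GWS: Google Web Server (used by Google itself and said to perform very well; compare JDWS, JD.com's web server);
The authoritative site Netcraft: https://www.netcraft.com/
Netcraft was founded in the UK at the end of 1994 and has for many years provided consulting services on the Internet market and online security. Internationally it is best known for its objective and rigorous analysis of web servers, DNS/hosting providers and the SSL market.
The survey data published monthly on its website (the Web Server Survey) has become the main reference for the number of websites worldwide and for web server market share, and is frequently reported or cited by media such as the Wall Street Journal, the BBC and Slashdot.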
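2-3 Nginx features: implementation advantages 1
1. Why choose Nginx?
1) Reason one: I/O multiplexing with epoll.
Multi-threaded handling with an active notification mechanism; highly efficient!
I/O operations on multiple descriptors can all be completed within a single thread, concurrently and interleaved in sequence. This is called I/O multiplexing; "multiplexing" here means reusing the same thread.
I/O multiplexing can be implemented with select, poll or epoll.
2) I/O multiplexing models:
- select model:
  1) the number of file descriptors it can monitor is capped at 1024;
  2) linear scanning is inefficient.
- epoll model:
  1) it acts whenever an FD becomes ready, which is more efficient;
  2) there is no limit on the maximum number of connections;
  3) an analogy that helps: paying the bill after a meal in a restaurant:
  - customers call the owner over to pay, and a queue forms;
  - customers tell a waiter that they want to pay and the waiter takes them through, which is more efficient.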
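2-4 Nginx features: implementation advantages 2
1. Lightweight:
- modular functionality (designed for performance, with unnecessary features left out);
- modular code.
2. Example: Tengine, open-sourced by Alibaba, is a secondary development based on Nginx 1.6.
Tengine website: http://tengine.taobao.org/
Tengine download page: http://tengine.taobao.org/download.html
- Tengine is a web server project started by Taobao. On top of Nginx it adds many advanced functions and features for the needs of high-traffic websites. Its performance and stability have been well proven on large sites such as Taobao and Tmall. Its ultimate goal is to build an efficient, stable, secure and easy-to-use web platform.
- Tengine has been an open-source project since December 2011, and the Tengine team actively develops and maintains it. The core members of the team come from Internet companies such as Taobao and Sogou. Tengine is the result of community cooperation, and everyone is welcome to take part and contribute.
Features
- Inherits all features of Nginx-1.8.1 and is compatible with Nginx configuration;
- Dynamic module loading (DSO) support: adding a module no longer requires recompiling all of Tengine;
- HTTP/2 support; the HTTP/2 module replaces the SPDY module;
- Streaming upload to HTTP backend servers or FastCGI servers, which greatly reduces I/O pressure on the machine;
- Asynchronous OpenSSL support; hardware such as QAT can be used to accelerate and offload HTTPS;
- More powerful load balancing, including a consistent hashing module and a session persistence module, active health checks of backend servers with automatic bring-up and take-down according to server state, and dynamic resolution of domain names that appear in upstream;
- Input filter mechanism support, which makes writing a web application firewall easier;
- Supports setting the number of retries for proxy, memcached, fastcgi, scgi and uwsgi when the backend fails;
- Lua dynamic scripting support, which makes extending functionality efficient and simple;
- Supports collecting Tengine runtime status by specified key (domain name, URL and so on);
- Combines requests for multiple CSS and JavaScript files into a single request;
- Automatically removes whitespace and comments to reduce page size;
- Automatically sets the number of processes and binds CPU affinity according to the number of CPUs;
- Monitors system load and resource usage in order to protect the system;
- Shows error messages that are friendlier to operations staff, making it easier to locate the failing machine;
- A more powerful anti-attack (access rate limiting) module;
- More convenient command-line options, such as listing the compiled-in modules and the supported directives;
- Expiry times can be set according to the type of file being accessed;
- ……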
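2-5 Nginx features: implementation advantages 3
1. CPU affinity: what is CPU affinity?
- Multi-core servers, used in compute-intensive scenarios;
- Multiple Nginx worker processes are bound to CPU cores for computation, reducing performance loss;
It is a way of binding CPU cores to Nginx worker processes: each worker process is pinned to one CPU, which reduces the cache misses caused by switching CPUs and gives better performance.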
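2-6 Nginx features: implementation advantages 4
1. The nginx sendfile mechanism:
1) Nginx is very good at serving static files (the sendfile mechanism);
2) When a file is requested, the data passes through the operating system's "kernel space" and "user space" before it finally reaches the socket and is delivered to the user as the response. For the operating system, passing through both "kernel space" and "user space" means several switches. Static files need no complex processing logic, so they can be transferred directly within "kernel space";
3) sendfile takes advantage of exactly this: it is the "zero-copy" transfer mode that appeared after the Linux 2.2 kernel, in which the file is passed to the socket through "kernel space" only and then sent to the user, avoiding the frequent switches and giving very high efficiency. For example, in CDN services static files are handled very efficiently.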
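2-7 Quick installation of Nginx
1. Quick Nginx setup and basic parameter usage:
- Mainline version: the development version, for testing, research and learning; not recommended for production environments!
- Stable version: the stable version, suitable for production environments;
- Legacy version: historical versions, no longer recommended;
Nginx official website: http://nginx.org/
Nginx download page: http://nginx.org/en/download.html
Nginx change history: http://nginx.org/en/CHANGES
PGP signature used for integrity verification: http://nginx.org/download/nginx-1.13.12.tar.gz.asc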
2. Yum installation on CentOS (applies to CentOS 7 or RHEL 7):
About the stable packages: http://nginx.org/en/linux_packages.html#stable
```
Pre-Built Packages for Stable version
To set up the yum repository for RHEL/CentOS, create the file named /etc/yum.repos.d/nginx.repo with the following contents:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/
gpgcheck=0
enabled=1
# Note the hint below: depending on whether the distribution is RHEL or CentOS and on its major version, set OS to centos or rhel and OSRELEASE to 6 or 7
Replace “OS” with “rhel” or “centos”, depending on the distribution used, and “OSRELEASE” with “6” or “7”, for 6.x or 7.x versions, respectively.
```
- vim /etc/yum.repos.d/nginx.repo  # create a new nginx repo file and fill in the nginx yum source information;
Repo files explained in detail: https://www.cnblogs.com/nineep/p/6795692.html
```
[nginx]
name=nginx repo
# note the "centos" and the major version number 7 in the baseurl below
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
```
- yum list|grep nginx
- yum install -y nginx
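The repo stanza above sets gpgcheck=0 and fetches over plain HTTP, so yum installs whatever it downloads without verifying a signature. The following check is an added example, not part of the original notes: `audit_yum_repo` and the two sample writers are hypothetical names, both repo files are constructed, and the https baseurl and gpgkey values in the second sample should be confirmed against nginx.org before use.

```sh
#!/bin/sh
# audit_yum_repo FILE
# Prints "<section>: <finding>" for every enabled stanza that installs packages
# without signature verification or over plain HTTP. Returns 1 if anything is found.
audit_yum_repo() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function finish() {
            if (section == "" || enabled == "0") return    # nothing parsed yet, or repo disabled
            if (gpgcheck == "0") {
                print section ": gpgcheck=0, package signatures are not verified"; bad = 1
            } else if (gpgcheck == "1" && gpgkey == "") {
                print section ": gpgcheck=1 but no gpgkey is configured"; bad = 1
            }
            if (baseurl ~ /^http:\/\//) {
                print section ": baseurl uses plain http (" baseurl ")"; bad = 1
            }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }               # comments and blank lines
        /^[ \t]*\[/ {                                      # a new [section] starts
            finish()
            section = trim($0)
            sub(/^\[/, "", section); sub(/\]$/, "", section)
            gpgcheck = gpgkey = baseurl = enabled = ""
            next
        }
        index($0, "=") > 0 {                               # key=value line
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
            else if (key == "enabled") enabled = val
        }
        END { finish(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample 1: the stanza used in the notes above.
write_weak_repo() {
    cat > "$1" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
EOF
}

# Constructed sample 2: the same repository with signature checking switched on.
write_fixed_repo() {
    cat > "$1" <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
}

demo_dir=$(mktemp -d)
write_weak_repo "$demo_dir/weak.repo"
write_fixed_repo "$demo_dir/fixed.repo"
audit_yum_repo "$demo_dir/weak.repo" || echo "weak.repo: findings listed above"
audit_yum_repo "$demo_dir/fixed.repo" && echo "fixed.repo: no findings"
rm -rf "$demo_dir"
```

On a real host the function can be run over every file in /etc/yum.repos.d/ before `yum install`.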
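3. Signs that nginx was installed successfully
- nginx -v  # show the version number;
- nginx -V  # show the parameters Nginx was compiled and installed with;
Commands used for the quick installation of nginx: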
```
[BEGIN] 2018/5/26 星期六 11:30:59
[root@iZqmo9i3j77p7eZ opt]# cd /etc/yum.repos.d/
[root@iZqmo9i3j77p7eZ yum.repos.d]# ls
CentOS-Base.repo  epel.repo
[root@iZqmo9i3j77p7eZ yum.repos.d]# ll
total 8
-rw-r--r-- 1 root root 1047 May 26 11:18 CentOS-Base.repo
-rw-r--r-- 1 root root  331 May 26 11:18 epel.repo
[root@iZqmo9i3j77p7eZ yum.repos.d]# vim nginx.repo
[root@iZqmo9i3j77p7eZ yum.repos.d]# yum list|grep nginx
collectd-nginx.x86_64                     5.8.0-3.el7                    epel
munin-nginx.noarch                        2.0.33-1.el7                   epel
nextcloud-nginx.noarch                    10.0.4-2.el7                   epel
nginx.x86_64                              1:1.14.0-1.el7_4.ngx           nginx
nginx-all-modules.noarch                  1:1.12.2-2.el7                 epel
nginx-debug.x86_64                        1:1.8.0-1.el7.ngx              nginx
nginx-debuginfo.x86_64                    1:1.14.0-1.el7_4.ngx           nginx
nginx-filesystem.noarch                   1:1.12.2-2.el7                 epel
nginx-mod-http-geoip.x86_64               1:1.12.2-2.el7                 epel
nginx-mod-http-image-filter.x86_64        1:1.12.2-2.el7                 epel
nginx-mod-http-perl.x86_64                1:1.12.2-2.el7                 epel
nginx-mod-http-xslt-filter.x86_64         1:1.12.2-2.el7                 epel
nginx-mod-mail.x86_64                     1:1.12.2-2.el7                 epel
nginx-mod-stream.x86_64                   1:1.12.2-2.el7                 epel
nginx-module-geoip.x86_64                 1:1.14.0-1.el7_4.ngx           nginx
nginx-module-geoip-debuginfo.x86_64       1:1.14.0-1.el7_4.ngx           nginx
nginx-module-image-filter.x86_64          1:1.14.0-1.el7_4.ngx           nginx
nginx-module-image-filter-debuginfo.x86_64 1:1.14.0-1.el7_4.ngx          nginx
nginx-module-njs.x86_64                   1:1.14.0.0.2.0-1.el7_4.ngx     nginx
nginx-module-njs-debuginfo.x86_64         1:1.14.0.0.2.0-1.el7_4.ngx     nginx
nginx-module-perl.x86_64                  1:1.14.0-1.el7_4.ngx           nginx
nginx-module-perl-debuginfo.x86_64        1:1.14.0-1.el7_4.ngx           nginx
nginx-module-xslt.x86_64                  1:1.14.0-1.el7_4.ngx           nginx
nginx-module-xslt-debuginfo.x86_64        1:1.14.0-1.el7_4.ngx           nginx
nginx-nr-agent.noarch                     2.0.0-12.el7.ngx               nginx
owncloud-nginx.noarch                     9.1.5-1.el7                    epel
pcp-pmda-nginx.x86_64                     3.12.2-5.el7                   base
python2-certbot-nginx.noarch              0.24.0-1.el7                   epel
[root@iZqmo9i3j77p7eZ yum.repos.d]# yum install -y nginx
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * epel: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 1:1.14.0-1.el7_4.ngx will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch        Version                     Repository      Size
================================================================================
Installing:
 nginx        x86_64      1:1.14.0-1.el7_4.ngx        nginx          750 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 750 k
Installed size: 2.6 M
Downloading packages:
nginx-1.14.0-1.el7_4.ngx.x86_64.rpm                      | 750 kB  00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:nginx-1.14.0-1.el7_4.ngx.x86_64                            1/1
----------------------------------------------------------------------

Thanks for using nginx!

Please find the official documentation for nginx here:
* http://nginx.org/en/docs/

Please subscribe to nginx-announce mailing list to get
the most important news about nginx:
* http://nginx.org/en/support.html

Commercial subscriptions for nginx are available on:
* http://nginx.com/products/

----------------------------------------------------------------------
  Verifying  : 1:nginx-1.14.0-1.el7_4.ngx.x86_64                            1/1

Installed:
  nginx.x86_64 1:1.14.0-1.el7_4.ngx

Complete!
[root@iZqmo9i3j77p7eZ yum.repos.d]# nginx -v
nginx version: nginx/1.14.0
[root@iZqmo9i3j77p7eZ yum.repos.d]# nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
```
2-8 Nginx directories and configuration syntax: installation directories
- Installation directories: rpm -ql nginx
```
/etc/logrotate.d/nginx          # Nginx log rotation, used by the logrotate service to split logs (relies on the Linux logrotate facility)
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/nginx.conf           # the main Nginx configuration file; this is the file nginx primarily reads at startup
/etc/nginx/conf.d/default.conf  # the default Nginx site configuration; the main configuration file includes the contents of conf.d
/etc/nginx/fastcgi_params
/etc/nginx/scgi_params
/etc/nginx/uwsgi_params         # the 3 files above: CGI and FastCGI configuration
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/win-utf              # the 3 files above: mapping files for nginx character-set conversion; rarely used, just know they exist
/etc/nginx/mime.types           # maps HTTP Content-Type values to file extensions; when Nginx does not recognise a file type, add it here
/etc/sysconfig/nginx            # terminal commands for starting and managing the Nginx service, e.g. systemctl start nginx; stop nginx; reload nginx
/etc/sysconfig/nginx-debug      # used for debugging nginx startup
/usr/lib/systemd/system/nginx-debug.service
/usr/lib/systemd/system/nginx.service   # the 4 files above: configure how the CentOS 7.x daemon manager (systemd) manages the service
/etc/nginx/modules              # Nginx module directory
/usr/lib64/nginx                # Nginx module directory
/usr/lib64/nginx/modules        # Nginx module directory
/usr/libexec/initscripts/legacy-actions/nginx
/usr/libexec/initscripts/legacy-actions/nginx/check-reload
/usr/libexec/initscripts/legacy-actions/nginx/upgrade
/usr/sbin/nginx                 # terminal command for starting and managing the Nginx service
/usr/sbin/nginx-debug           # terminal command for starting and managing the Nginx service, debug mode
/usr/share/doc/nginx-1.12.2
/usr/share/doc/nginx-1.12.2/COPYRIGHT
/usr/share/man/man8/nginx.8.gz  # the 3 entries above: Nginx manual and help files
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/var/cache/nginx                # Nginx cache directory
/var/log/nginx                  # nginx log directory, e.g. access.log and error.log
```
Command output:
```
[BEGIN] 2018/5/26 星期六 12:44:38
[root@iZqmo9i3j77p7eZ yum.repos.d]# rpm -ql nginx
/etc/logrotate.d/nginx
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/conf.d/default.conf
/etc/nginx/fastcgi_params
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/modules
/etc/nginx/nginx.conf
/etc/nginx/scgi_params
/etc/nginx/uwsgi_params
/etc/nginx/win-utf
/etc/sysconfig/nginx
/etc/sysconfig/nginx-debug
/usr/lib/systemd/system/nginx-debug.service
/usr/lib/systemd/system/nginx.service
/usr/lib64/nginx
/usr/lib64/nginx/modules
/usr/libexec/initscripts/legacy-actions/nginx
/usr/libexec/initscripts/legacy-actions/nginx/check-reload
/usr/libexec/initscripts/legacy-actions/nginx/upgrade
/usr/sbin/nginx
/usr/sbin/nginx-debug
/usr/share/doc/nginx-1.14.0
/usr/share/doc/nginx-1.14.0/COPYRIGHT
/usr/share/man/man8/nginx.8.gz
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/var/cache/nginx
/var/log/nginx
```
2-9 Nginx directories and configuration syntax: compile-time configuration parameters
1. nginx -V  # the command that shows the compile-time parameters;
```
[root@iZqmo9i3j77p7eZ ~]# nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
```
2. A note on the --with compile parameters: they denote official (nginx.org) modules.
3. The installation compile parameters in detail:
```
--prefix=/etc/nginx                        # nginx main directory
--sbin-path=/usr/sbin/nginx                # location of the nginx executable
--modules-path=/usr/lib64/nginx/modules    # nginx module directory
--conf-path=/etc/nginx/nginx.conf          # nginx configuration file path
--error-log-path=/var/log/nginx/error.log  # nginx error log path
--http-log-path=/var/log/nginx/access.log  # nginx access log path
--pid-path=/var/run/nginx.pid              # path of the nginx pid file
--lock-path=/var/run/nginx.lock            # Nginx lock file path

# Temporary files Nginx keeps while the corresponding module runs (the paths with a "temp" suffix):
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp

# For server security, set the user and group the Nginx processes run as; running as root is not recommended:
--user=nginx
--group=nginx

--with-cc-opt=parameters                   # extra parameters that are added to the CFLAGS variable
--with-ld-opt=parameters                   # additional parameters for linking system libraries, such as the pcre library
```
2-10 Nginx directories and configuration syntax: default configuration syntax
1. The main configuration file nginx.conf explained:
```
[root@iZqmo9i3j77p7eZ nginx]# cat nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$http_user_agent' '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;  # note the include relationship here
}
[root@iZqmo9i3j77p7eZ nginx]#
```
2. The nginx default.conf explained:
```
[root@iZqmo9i3j77p7eZ conf.d]# cat default.conf
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
```
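1) user: sets the system user that the nginx service runs as, i.e. a user on the Linux system;
2) worker_processes: the number of worker processes, normally the same as the number of CPU cores; enable CPU affinity! This increases the capacity to handle concurrent connections;
3) error_log: defines the nginx error log, as an absolute path;
4) pid: the nginx.pid file written when the service starts, as an absolute path;
5) events block:
- worker_connections: the maximum number of connections allowed per process, adjustable up to 65535; in enterprise scenarios this must be tuned;
- use: the kernel event model used by the worker processes, such as select, poll or epoll;
6) http block:
- each server block defines an independent site;
- location controls the path accessed at each level; this is where the default access path is configured;
- error_page defines the error pages, giving a friendly message when an error occurs;
- root inside a location is not the operating system's root user; it is the "root path" under which files are stored;
- one http block can contain several server blocks;
- one server block can contain several location blocks;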
2-11 Nginx directories and configuration syntax: default configuration and starting the default site
1. The nginx.conf configuration file:
```
[root@iZqmo9i3j77p7eZ conf.d]# cat ../nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
```
Where:
- log_format: defines the log format;
- access_log: defines the access log;
- sendfile: on by default;
- keepalive_timeout: sets the timeout between client and server; the default value is 65s;
2. The conf.d/default.conf configuration file:
```
[root@iZqmo9i3j77p7eZ backup]# cat default.conf
server {
    listen       80;          # listening port
    server_name  localhost;   # domain name

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;   # an absolute path on the Linux server
        index  index.html index.htm;    # HTML files are static; editing them does not require restarting Nginx
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    # the 404 status code was added below to define its error page; after this change
    # the Nginx service must be restarted: systemctl restart nginx.service
    error_page   500 502 503 504 404  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
[root@iZqmo9i3j77p7eZ backup]#
```
3. /usr/share/nginx/html/index.html:
```
[root@iZqmo9i3j77p7eZ html]# cat index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! tqtl911@163.com</h1>    # the text tqtl911@163.com was added to the file
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@iZqmo9i3j77p7eZ html]#
```
4. /usr/share/nginx/html/50x.html, the error page that is returned:
```
[root@iZqmo9i3j77p7eZ html]# cat 50x.html
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>An error occurred. tqtl add this error!</h1>
<p>Sorry, the page you are looking for is currently unavailable.<br/>
Please try again later.</p>
<p>If you are the system administrator of this resource then you should check
the <a href="http://nginx.org/r/error_log">error log</a> for details.</p>
<p><em>Faithfully yours, nginx.</em></p>
</body>
</html>
```
```
[BEGIN] 2018/5/26 星期六 12:58:17
[root@iZqmo9i3j77p7eZ yum.repos.d]# nginx -v
nginx version: nginx/1.14.0
[root@iZqmo9i3j77p7eZ yum.repos.d]# nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
[root@iZqmo9i3j77p7eZ yum.repos.d]# cd /etc/nginx/
[root@iZqmo9i3j77p7eZ nginx]# ll
total 40
drwxr-xr-x 2 root root 4096 May 26 12:36 conf.d
-rw-r--r-- 1 root root 1007 Apr 17 23:48 fastcgi_params
-rw-r--r-- 1 root root 2837 Apr 17 23:48 koi-utf
-rw-r--r-- 1 root root 2223 Apr 17 23:48 koi-win
-rw-r--r-- 1 root root 5170 Apr 17 23:48 mime.types
lrwxrwxrwx 1 root root   29 May 26 12:36 modules -> ../../usr/lib64/nginx/modules
-rw-r--r-- 1 root root  643 Apr 17 23:46 nginx.conf
-rw-r--r-- 1 root root  636 Apr 17 23:48 scgi_params
-rw-r--r-- 1 root root  664 Apr 17 23:48 uwsgi_params
-rw-r--r-- 1 root root 3610 Apr 17 23:48 win-utf
[root@iZqmo9i3j77p7eZ nginx]# vim nginx.conf
[root@iZqmo9i3j77p7eZ nginx]# cat nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
[root@iZqmo9i3j77p7eZ nginx]# cd /usr/share/nginx/html/
[root@iZqmo9i3j77p7eZ html]# ls
50x.html  index.html
[root@iZqmo9i3j77p7eZ html]# vim index.html
[root@iZqmo9i3j77p7eZ html]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://nginx.org/en/docs/
[root@iZqmo9i3j77p7eZ html]# systemctl start nginx
[root@iZqmo9i3j77p7eZ html]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-05-26 14:11:31 CST; 1s ago
     Docs: http://nginx.org/en/docs/
  Process: 20491 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 20492 (nginx)
   CGroup: /system.slice/nginx.service
           ├─20492 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           └─20493 nginx: worker process

May 26 14:11:31 iZqmo9i3j77p7eZ systemd[1]: Starting nginx - high performance web server...
May 26 14:11:31 iZqmo9i3j77p7eZ systemd[1]: PID file /var/run/nginx.pid not readable (yet?) after start.
May 26 14:11:31 iZqmo9i3j77p7eZ systemd[1]: Started nginx - high performance web server.
[root@iZqmo9i3j77p7eZ html]# vim /etc/nginx/conf.d/default.conf
[root@iZqmo9i3j77p7eZ html]# cd /usr/share/nginx/
[root@iZqmo9i3j77p7eZ nginx]# ls
html
[root@iZqmo9i3j77p7eZ nginx]# cd html/
[root@iZqmo9i3j77p7eZ html]# ll
total 8
-rw-r--r-- 1 root root 537 Apr 17 23:48 50x.html
-rw-r--r-- 1 root root 628 May 26 14:11 index.html
[root@iZqmo9i3j77p7eZ html]# vim 50x.html
[root@iZqmo9i3j77p7eZ html]# cat index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! tqtl911@163.com</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@iZqmo9i3j77p7eZ html]# cat 50x.html
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>An error occurred. tqtl add this error!</h1>
<p>Sorry, the page you are looking for is currently unavailable.<br/>
Please try again later.</p>
<p>If you are the system administrator of this resource then you should check
the <a href="http://nginx.org/r/error_log">error log</a> for details.</p>
<p><em>Faithfully yours, nginx.</em></p>
</body>
</html>
[root@iZqmo9i3j77p7eZ html]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@iZqmo9i3j77p7eZ html]# systemctl reload nginx
[root@iZqmo9i3j77p7eZ html]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-05-26 14:11:31 CST; 6min ago
     Docs: http://nginx.org/en/docs/
  Process: 20509 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 20491 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 20492 (nginx)
   CGroup: /system.slice/nginx.service
           ├─20492 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           └─20510 nginx: worker process

May 26 14:11:31 iZqmo9i3j77p7eZ systemd[1]: Starting nginx - high performance web server...
May 26 14:11:31 iZqmo9i3j77p7eZ systemd[1]: PID file /var/run/nginx.pid not readable (yet?) after start.
May 26 14:11:31 iZqmo9i3j77p7eZ systemd[1]: Started nginx - high performance web server.
May 26 14:17:54 iZqmo9i3j77p7eZ systemd[1]: Reloaded nginx - high performance web server.
[root@iZqmo9i3j77p7eZ html]# pwd
/usr/share/nginx/html
```
2-12 HTTP requests
1. Client <---> server (request and response)
2. curl -v http://www.jd.com >/dev/null
```
[root@iZqmo9i3j77p7eZ ~]# curl -v http://www.jd.com >/dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to www.jd.com port 80 (#0)
*   Trying 106.39.178.1...
* Connected to www.jd.com (106.39.178.1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.jd.com
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: JDWS/2.0
< Date: Wed, 13 Jun 2018 11:20:10 GMT
< Content-Type: text/html
< Content-Length: 157
< Connection: keep-alive
< Location: https://www.jd.com/
< Strict-Transport-Security: max-age=360
<
{ [data not shown]
100   157  100   157    0     0  17367      0 --:--:-- --:--:-- --:--:-- 19625
* Connection #0 to host www.jd.com left intact
[root@iZqmo9i3j77p7eZ ~]#
```
3. On Windows or Mac, use the browser developer tools (F12) to inspect the request and response.
2-13 Nginx logs: log_format 1
1. Log-related settings in the main configuration file nginx.conf:
```
[root@iZqmo9i3j77p7eZ nginx]# cat nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;   # warn is the error log level
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$http_user_agent' '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;   # main is the name of the log_format; the Nginx variables in it define what each log line contains

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
[root@iZqmo9i3j77p7eZ nginx]#
```
2. /var/log/nginx/error.log  # the error log;
3. /var/log/nginx/access.log  # the access log;
4. Nginx variables:
```
[root@iZqmo9i3j77p7eZ nginx]# curl -v www.imooc.com/
* About to connect() to www.imooc.com port 80 (#0)
*   Trying 117.121.101.40...
* Connected to www.imooc.com (117.121.101.40) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.imooc.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Thu, 22 Mar 2018 03:01:41 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.imooc.com
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host www.imooc.com left intact
[root@iZqmo9i3j77p7eZ nginx]#
```
Nginx built-in variables: http://nginx.org/en/docs/syslog.html
5. Logging depends on the log_format module;
6. Nginx syntax check: nginx -t -c /etc/nginx/nginx.conf  # or nginx -tc
7. Restart the Nginx service: nginx -s reload -c /etc/nginx/nginx.conf  # or systemctl reload nginx
2-14 Nginx logs: log_format 2
1. log_format:
```
log_format  main  '$http_user_agent' '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '   # referer is the previous page
                  '"$http_user_agent" '                          # information about the client
                  '"$http_x_forwarded_for"';                     # records the information of each hop

access_log  /var/log/nginx/access.log  main;   # "main" here corresponds one-to-one to the log_format name
```
2. HTTP request variables: arg_PARAMETER, http_HEADER, sent_http_HEADER;
3. Built-in variables: variables built into Nginx;
4. Custom variables: variables defined by the user;
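The log_format shown in these notes places '$http_user_agent' directly in front of '$remote_addr' with no separator, so every log line begins with a client-supplied header fused onto the address. The parser below is an added example, not part of the original notes: `parse_main_log` and `sample_log_lines` are hypothetical names and all four log lines are constructed. It parses the stock `main` format and rejects lines whose first field is no longer a bare address.

```sh
#!/bin/sh
# parse_main_log: reads access-log lines on stdin in the stock "main" format
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
# Prints addr<TAB>status<TAB>request<TAB>user-agent for well-formed lines and
# MALFORMED<TAB>line otherwise. Returns 1 if any line was malformed.
parse_main_log() {
    # Splitting on the double quote is safe: nginx writes a literal " that
    # occurs inside a variable value as \x22, so only the format's own quotes remain.
    awk -F'"' '
        {
            ok = (NF == 9)                       # 4 quoted fields -> 9 pieces
            if (ok) {
                n = split($1, head, " ")         # addr - user [time zone]
                m = split($3, mid, " ")          # status bytes
                ok = (n == 5 && m == 2 && head[2] == "-" &&
                      (head[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                       head[1] ~ /^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$/) &&
                      mid[1] ~ /^[1-5][0-9][0-9]$/)
            }
            if (ok) {
                printf "%s\t%s\t%s\t%s\n", head[1], mid[1], $2, $6
            } else {
                printf "MALFORMED\t%s\n", $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample lines:
#   1-2  stock "main" format (line 2 carries an escaped quote in the User-Agent)
#   3-4  the format from these notes, with $http_user_agent prepended
sample_log_lines() {
    cat <<'EOF'
192.0.2.10 - - [26/May/2018:14:12:03 +0800] "GET / HTTP/1.1" 200 628 "-" "curl/7.29.0" "-"
198.51.100.7 - - [26/May/2018:14:12:05 +0800] "GET /a HTTP/1.1" 404 153 "-" "x\x22 200 0 \x22-" "-"
curl/7.29.0192.0.2.10 - - [26/May/2018:14:12:09 +0800] "GET /mystatus HTTP/1.1" 200 97 "-" "curl/7.29.0" "-"
Mozilla/5.0 (X11; Linux x86_64)192.0.2.10 - - [26/May/2018:14:12:11 +0800] "GET / HTTP/1.1" 200 628 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"
EOF
}

sample_log_lines | parse_main_log || echo "some lines did not match the main format"
```

Keeping client-controlled variables inside the quoted fields, as the stock format does, is what lets a downstream parser or SIEM rule trust the position of the address and status.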
2-15 Nginx模块讲解
1、查看Nginx官网模块;
[root@iZqmo9i3j77p7eZ nginx]# nginx -V nginx version: nginx/1.12.2 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix(前缀)=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat(兼容) --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param(参数)=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' [root@iZqmo9i3j77p7eZ nginx]#
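2. Third-party modules (modules developed by third parties, such as the nginx-related module in FastDFS).
2-16 Nginx modules explained: stub_status
1. --with-http_stub_status_module  # shows Nginx's client status
2. Configuration syntax:
Syntax: stub_status;  # the trailing semicolon is mandatory
Default: -
Context: server, location
3. Configuration: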
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location /mystatus {
        stub_status;
    }

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504 404  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
4. Verify by visiting: http://47.95.234.20/mystatus
Log output:
Active connections: 3
server accepts handled requests
135 135 278
Reading: 0 Writing: 1 Waiting: 2
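The status output above is easy to feed into a monitoring check. The following is an added example, not part of the original notes: it parses the sample output shown above and derives dropped connections and requests per connection. The function name parse_stub_status is an assumption of this example.

```python
import re

# Sample copied from the status output shown in the notes above.
SAMPLE = """Active connections: 3
server accepts handled requests
 135 135 278
Reading: 0 Writing: 1 Waiting: 2
"""

_PATTERN = re.compile(
    r"Active connections:\s*(\d+)\s+"
    r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)"
)
_FIELDS = ("active", "accepts", "handled", "requests",
           "reading", "writing", "waiting")


def parse_stub_status(text):
    """Parse stub_status output into integers plus two derived figures."""
    match = _PATTERN.search(text)
    if match is None:
        raise ValueError("not stub_status output")
    stats = dict(zip(_FIELDS, map(int, match.groups())))
    # accepts: connections accepted; handled: connections actually handled.
    # A gap between the two means connections were dropped, for example
    # because a resource limit such as worker_connections was reached.
    stats["dropped"] = stats["accepts"] - stats["handled"]
    # A ratio above 1 shows keepalive reuse: several HTTP requests
    # travelled over one TCP connection.
    stats["requests_per_connection"] = (
        stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    )
    return stats


if __name__ == "__main__":
    print(parse_stub_status(SAMPLE))
```

In production the status location is normally restricted with the allow/deny directives of the access module covered in 2-24, since these counters describe the server's load to anyone who can fetch them.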
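2-17 Nginx modules explained: random_index
1. --with-http_random_index_module  # picks a random home page from a directory;
2. Displays a randomly chosen home page;
3. Configuration syntax:
Syntax: random_index on | off;
Default: random_index off;
Context: location
4. Notes
- After changing the configuration, reload the nginx service;
- Hidden files are not picked up or displayed, e.g. .1.html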
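2-18 Nginx modules explained: sub_module
1. The --with-http_sub_module module  # HTTP content replacement
2. Use case: changing or replacing content across multiple virtual hosts;
3. Configuration syntax: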
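1. Replace a string:
Syntax: sub_filter string replacement;  # string: the content to replace; replacement: the content substituted in
Default: -
Context: http, server, location  # the blocks where the directive may appear

2.
Syntax: sub_filter_last_modified on | off;
Default: sub_filter_last_modified off;
Context: http, server, location

3.
Syntax: sub_filter_once on | off;  # whether to replace only the first matching string in the HTML or all of them
Default: sub_filter_once off;
Context: http, server, location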
2-19 Nginx modules explained: sub_module configuration demo
1. vim /etc/nginx/conf.d/default.conf
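location / {
    root /opt/app/code;  # document root
    index index.html index.htm;
    sub_filter '<a>imooc' '<a>IMOOC';
    sub_filter_once on;  # note: as in SQL, every Nginx directive ends with a semicolon
}
# the block above is the configuration that replaces the specified string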
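3. After the replacement is configured, clear the browser cache or open a new window and force-refresh the page;
4. Notes on the parameters for single replacement versus global replacement;
2-20 Nginx request limiting: configuration syntax and principles 1
1. Connection rate limiting: limit_conn_module
2. Request rate limiting: limit_req_module
3. HTTP connections and requests;
- HTTP is built on top of TCP;
- To complete one HTTP request, the TCP/IP three-way handshake must be completed first;
- The TCP three-way handshake is performed only once; the HTTP request and response are then exchanged, and the connection is kept open as a persistent (keepalive) connection;
- HTTP requests are carried on a TCP connection;
- One TCP connection produces at least one HTTP request;
4. Configuration syntax: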
Syntax: limit_conn_zone key zone=name:size;
Default: -
Context: http

Syntax: limit_conn zone number;
Default: -
Context: http, server, location
2-21 Nginx request limiting: configuration syntax and principles 2
1. Request limiting;
2. Syntax rules:
Syntax: limit_req_zone key zone=name:size rate=rate;  # note the rate parameter here
Default: -
Context: http

Syntax: limit_req zone=name [burst=number] [nodelay];
Default: -
Context: http, server, location
3. Request-limit testing with ab, the Apache load-testing tool:
- ab -n 50 -c 20 http://www.jd.com/
[root@iZqmo9i3j77p7eZ conf.d]# ab -n 50 -c 20 http://www.jd.com/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.jd.com (be patient).....done

Server Software:        JDWS/2.0
Server Hostname:        www.jd.com
Server Port:            80

Document Path:          /
Document Length:        157 bytes

Concurrency Level:      20
Time taken for tests:   0.019 seconds
Complete requests:      50
Failed requests:        0
Write errors:           0
Non-2xx responses:      50
Total transferred:      19100 bytes
HTML transferred:       7850 bytes
Requests per second:    2646.90 [#/sec] (mean)
Time per request:       7.556 [ms] (mean)
Time per request:       0.378 [ms] (mean, across all concurrent requests)
Transfer rate:          987.42 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        2    2   0.4      2       3
Processing:     2    3   0.4      2       4
Waiting:        2    2   0.4      2       4
Total:          4    5   0.8      5       7
ERROR: The median and mean for the processing time are more than twice the standard deviation apart. These results are NOT reliable.

Percentage of the requests served within a certain time (ms)
  50%      5
  66%      5
  75%      6
  80%      6
  90%      6
  95%      6
  98%      7
  99%      7
 100%      7 (longest request)
(Gloss: "Benchmarking" means marking out a reference point.)
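2-22 Nginx request limiting: configuration syntax and principles 3
1.
2. Use the access log and the error log to determine whether the configuration has taken effect;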
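To know what the logs should show when the limit is working, the following added example (not part of the original notes) models the accept/reject accounting of limit_req for a single key in Python. It is a simplified model: it assumes the default rejection status 503, ignores the delay applied to queued requests when nodelay is absent, and uses constructed arrival times shaped like the ab run above (50 requests in 19 ms).

```python
def simulate_limit_req(arrivals_ms, rate_per_sec, burst=0):
    """Return one HTTP status per request for a single key (one client).

    arrivals_ms: sorted arrival times in milliseconds.
    The bucket level ("excess") is tracked in thousandths of a request
    and drains at rate_per_sec requests per second.
    """
    rate = rate_per_sec * 1000
    limit = burst * 1000
    excess, last = 0, None
    statuses = []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0  # first request seen for this key
        else:
            drained = rate * (now - last) // 1000
            new_excess = max(excess - drained + 1000, 0)
        if new_excess > limit:
            statuses.append(503)  # rejected; bucket state is left unchanged
            continue
        excess, last = new_excess, now
        statuses.append(200)
    return statuses


def ab_like_burst(total=50, duration_ms=19):
    """Constructed arrival times: `total` requests spread over duration_ms."""
    return [i * duration_ms // (total - 1) for i in range(total)]


def summarize(statuses):
    """Count what the access log would show for the run."""
    return {"passed": statuses.count(200), "rejected": statuses.count(503)}


if __name__ == "__main__":
    burst_run = ab_like_burst()
    print("rate=1r/s         ", summarize(simulate_limit_req(burst_run, 1)))
    print("rate=1r/s burst=3 ", summarize(simulate_limit_req(burst_run, 1, 3)))
```

With rate=1r/s and no burst only the first request of the run passes; burst=3 lets three more through, so a working limit appears in the access log as a short run of 200s followed by 503s.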
2-23 Nginx access control: the basic approaches
1. IP-based access control: http_access_module;
2. User-based trusted login: http_auth_basic_module;
2-24 Nginx access control: access_module configuration syntax
1. Syntax rules:
Syntax: deny address | CIDR | unix: | all;
Default: -
Context: http, server, location, limit_except

Syntax: allow address | CIDR | unix: | all;  # CIDR: variable-length subnet mask, i.e. a network range
Default: -
Context: http, server, location, limit_except
2-25 Nginx access control: access_module configuration
1. Configuration example:
[root@iZqmo9i3j77p7eZ conf.d]# cat access_mode.conf
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /opt/app/code;
        index  index.html index.htm;
    }

    location ~ ^/ {
        root   /opt/app/code;
        deny   117.119.97.51;
        allow  all;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
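2-26 Nginx access control: limitations of access_module
1.
2.
3.
4.
5. x_forwarded_for can address the limitation of http_access_module, but it depends on protocol support
- Combine it with the geo module
- Pass the address through a custom HTTP variable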
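The limitation and the x_forwarded_for workaround listed above, as an added Python example that is not part of the original notes: it models first-match allow/deny evaluation with the rule set from access_mode.conf, then derives the client address from X-Forwarded-For while trusting only entries appended by known proxies. The proxy range 10.0.0.0/8 and the function names are assumptions of this example; unix: rules are not modelled.

```python
import ipaddress


def access_decision(rules, addr):
    """Evaluate allow/deny rules in config order; the first match wins."""
    ip = ipaddress.ip_address(addr)
    for action, spec in rules:
        if spec == "all" or ip in ipaddress.ip_network(spec, strict=False):
            return action
    return "allow"  # no rule matched: the access module does not block


def client_address(remote_addr, x_forwarded_for, trusted_proxies):
    """Pick the address to check, trusting only hops added by known proxies."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header is client-supplied
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entries were appended last
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the header
    return remote_addr


# Rules from the access_mode.conf example in the notes.
RULES = [("deny", "117.119.97.51"), ("allow", "all")]
# Constructed deployment: one reverse proxy at 10.0.0.5 in front of Nginx.
PROXIES = ["10.0.0.0/8"]

if __name__ == "__main__":
    # Through the proxy, Nginx sees 10.0.0.5, so the deny rule never matches.
    print(access_decision(RULES, "10.0.0.5"))
    # Checking the address recovered from the header restores the deny.
    seen = client_address("10.0.0.5", "117.119.97.51", PROXIES)
    print(access_decision(RULES, seen))
```

Entries to the left of the first untrusted hop are whatever the client sent, which is why the walk runs from the right and stops at the first address outside the trusted range.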
2-27 Nginx access control: auth_basic_module configuration
1.
2. htpasswd -c ./user_passwd cuixiaozhao  # the htpasswd tool is part of httpd-tools
3. Configuration example
[root@iZqmo9i3j77p7eZ conf.d]# cat auth_modele.conf
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /opt/app/code;
        index  index.html index.htm;
    }

    location ~ ^/ {
        root   /opt/app/code;
        auth_basic "cuixiaozhao";
        auth_basic_user_file /etc/nginx/user_passwd;
        allow  all;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
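4. Screenshot of the access restriction
2-28 Nginx access control: limitations of auth_basic_module (the basic authentication module)
1. User information depends on a file, which is inefficient;
2. Management is manual and mechanical, which is inefficient;
3. Solutions:
- Combine Nginx with Lua for efficient authentication;
- Integrate Nginx with LDAP using the nginx-auth-ldap module;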