Summary of Common Nginx Configuration
Earlier I summarised several nginx configuration documents, but left out some commonly used settings such as access control, directory indexing and redirection, so I am recording them here to get more familiar with nginx. What is summarised here is fairly shallow; after all, I have only just started learning nginx, and what we run in production is Apache. There is still a long road ahead and a lot to learn, so keep at it...
1: Host-based access control
[root@yunwei ~]# grep -A 3 -B 3 '192.168.50.40' /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
allow 192.168.50.40; # a whole subnet is also supported, with syntax such as 192.168.50.0/24
deny all;
}
[root@yunwei ~]# /usr/local/nginx/sbin/nginx -t
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yunwei ~]# tail -f /usr/local/nginx/logs/access.log
192.168.50.40 - - [21/Jun/2010:15:42:58 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; 360SE)"
[root@yunwei ~]# tail -f /usr/local/nginx/logs/error.log
2010/06/21 15:43:53 [error] 21164#0: *15 access forbidden by rule, client: 192.168.50.27, server: localhost, request: "GET / HTTP/1.1", host: "192.168.50.3"
2: User-based access control
[root@yunwei ~]# grep -A 5 -B 5 'auth' /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
allow 192.168.50.0/24;
deny all;
auth_basic "test";
auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
error_page 404 /404.html;
[root@yunwei ~]# /usr/local/apache2.2.15/bin/htpasswd -cd /usr/local/nginx/conf/.htpasswd yang
New password:
Re-type new password:
Adding password for user yang
3: Enabling automatic directory indexing
[root@yunwei ~]# grep -A 3 -B 3 'autoindex' /usr/local/nginx/conf/nginx.conf
location / {
root html;
autoindex on;
index index.html index.htm;
allow 192.168.50.0/24;
deny all;
4: Integrating ZendOptimizer
[root@yunwei ~]# cd /usr/local/src/tarbag/
[root@yunwei tarbag]# wget http://downloads.zend.com/optimizer/3.3.9/ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz
[root@yunwei tarbag]# tar -zxvf ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz -C ../software/
[root@yunwei tarbag]# mv ../software/ZendOptimizer-3.3.9-linux-glibc23-x86_64/ /usr/local/Zend3
[root@yunwei tarbag]# grep -i 'zend3' /usr/local/php5.2.13/etc/php.ini |grep -v ';'
zend_extension=/usr/local/Zend3/data/5_2_x_comp/ZendOptimizer.so
[root@yunwei tarbag]# service php-fpm restart
Shutting down php_fpm . done
Starting php_fpm done
[root@yunwei tarbag]# service nginx restart
nginx is restarted...
[root@yunwei tarbag]# /usr/local/php5.2.13/bin/php -m |grep -i zend
[Zend Modules]
Zend Optimizer
5: Integrating memcached
[root@yunwei ~]# cd /usr/local/src/tarbag/
[root@yunwei tarbag]# wget http://pecl.php.net/get/memcache-2.2.5.tgz
[root@yunwei tarbag]# tar -zxvf memcache-2.2.5.tgz -C ../software/
[root@yunwei tarbag]# cd ../software/memcache-2.2.5/
[root@yunwei memcache-2.2.5]# /usr/local/php5.2.13/bin/phpize
Configuring for:
PHP Api Version: 20041225
Zend Module Api No: 20060613
Zend Extension Api No: 220060519
[root@yunwei memcache-2.2.5]# ./configure
--enable-memcache --with-php-config=/usr/local/php5.2.13/bin/php-config
--with-zlib-dir
[root@yunwei memcache-2.2.5]# make && make install
.......................... output omitted ..........................
Installing shared extensions: /usr/local/php5.2.13/lib/php/extensions/no-debug-non-zts-20060613/
[root@yunwei memcache-2.2.5]# grep -A 2 'extension_dir' /usr/local/php5.2.13/etc/php.ini |grep -v ';'
extension_dir = "/usr/local/php5.2.13/lib/php/extensions/no-debug-non-zts-20060613/"
extension=memcache.so
[root@yunwei memcache-2.2.5]# service php-fpm restart
Shutting down php_fpm . done
Starting php_fpm done
[root@yunwei memcache-2.2.5]# service nginx restart
nginx is restarted...
[root@yunwei memcache-2.2.5]# /usr/local/php5.2.13/bin/php -m |grep mem
memcache
6: Redirection
[root@yunwei ~]# grep -A 3 -B 8 'permanent' /usr/local/nginx/conf/nginx.conf
location / {
root html;
autoindex on;
index index.html index.htm;
allow 192.168.50.0/24;
deny all;
auth_basic "test";
auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
rewrite /download http://apt.sw.be permanent;
}
error_page 404 /404.html;
[root@yunwei ~]# tail -f /usr/local/nginx/logs/access.log
192.168.50.40 - - [21/Jun/2010:09:57:13 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; 360SE)"
7: Defining a log format:
[root@yunwei ~]# grep -A 3 'log_format' /usr/local/nginx/conf/nginx.conf
log_format access '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
[root@yunwei ~]# grep 'access_log' /usr/local/nginx/conf/nginx.conf
access_log /usr/local/nginx/logs/localhost.log access;
[root@yunwei ~]# tail -f /usr/local/nginx/logs/localhost.log
192.168.50.40 - - [30/Aug/2010:17:04:29 +0800] "GET /themes/original/img/ HTTP/1.1" 200 2144 "http://192.168.50.3/themes/original/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2) Gecko/20100115 Firefox/3.6" "-"
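As an added example (my code, not from the original post), here is a parser for the "access" log_format defined above that tallies HTTP status codes per client, which is handy for spotting clients that keep hitting the deny rules (403). It assumes 192.168.50.3 is a front proxy we operate, so $http_x_forwarded_for is believed only when the request came from it, because any client can set that header itself; the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Regex matching the log_format named "access" defined in the section above:
#   '$remote_addr - $remote_user [$time_local] "$request" '
#   '$status $body_bytes_sent "$http_referer" '
#   '"$http_user_agent" "$http_x_forwarded_for"'
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$')

# Hypothetical address of a front proxy we operate; only its X-Forwarded-For is believed.
TRUSTED_PROXIES = {"192.168.50.3"}

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["body_bytes_sent"] = int(entry["body_bytes_sent"])
    return entry

def client_ip(entry):
    """The real client: X-Forwarded-For is client-supplied, so use it only behind a trusted proxy."""
    xff = entry["http_x_forwarded_for"]
    if entry["remote_addr"] in TRUSTED_PROXIES and xff not in ("", "-"):
        return xff.split(",")[0].strip()  # leftmost hop is the originating client
    return entry["remote_addr"]

def status_summary(lines):
    """Map client IP -> Counter of status codes; lines that do not parse are counted under '<unparsed>'."""
    summary = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line.rstrip("\n"))
        if entry is None:
            summary["<unparsed>"]["-"] += 1
            continue
        summary[client_ip(entry)][entry["status"]] += 1
    return summary

# Constructed sample lines in the "access" format (not real traffic).
SAMPLE_LOG = [
    '192.168.50.40 - - [30/Aug/2010:17:04:29 +0800] "GET /themes/original/img/ HTTP/1.1" 200 2144 "http://192.168.50.3/themes/original/" "Mozilla/5.0" "-"',
    '192.168.50.27 - - [30/Aug/2010:17:05:01 +0800] "GET / HTTP/1.1" 403 168 "-" "curl/7.19" "-"',
    '192.168.50.27 - - [30/Aug/2010:17:05:02 +0800] "GET /admin HTTP/1.1" 403 168 "-" "curl/7.19" "10.0.0.9"',
    '192.168.50.3 - yang [30/Aug/2010:17:06:10 +0800] "GET /download HTTP/1.1" 301 178 "-" "Mozilla/5.0" "203.0.113.7, 192.168.50.3"',
]
```

Run it over the rotated localhost.log with `status_summary(open(path))`; the third sample line shows a forged X-Forwarded-For from an untrusted peer being ignored.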
8: Rotating logs by time:
[root@yunwei ~]# cat cut_nginx_log.sh
#!/bin/sh
# function: rotate nginx's log at 00:00 with crontab
log_path=/usr/local/nginx/logs
# yesterday's archive directory, e.g. /usr/local/nginx/logs/2010/08
archive_dir="$log_path/$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")"
mkdir -p "$archive_dir"
mv "$log_path/localhost.log" "$archive_dir/localhost_$(date -d "yesterday" +"%Y%m%d").log"
# USR1 tells nginx to reopen its log files, so new requests go to a fresh localhost.log
kill -USR1 "$(cat "$log_path/nginx.pid")"
9: Tuning Linux kernel parameters. Write the following parameters into /etc/sysctl.conf and apply them with the sysctl -p command
# Length of the SYN queue. The default is 1024; raising it to 65535 accommodates more network connections waiting to be established
net.ipv4.tcp_max_syn_backlog = 65535
# Maximum number of packets allowed onto the queue when a network interface receives packets faster than the kernel can process them
net.core.netdev_max_backlog = 32768
# The default is 128. This value cannot raise the system's maximum number of connections, but it raises the number of TCP connections the system can initiate concurrently
net.core.somaxconn = 32768
# Default TCP send buffer size
net.core.wmem_default = 8388608
# Default TCP receive buffer size
net.core.rmem_default = 8388608
# Default TCP send buffer size
net.core.wmem_max = 16777216
# Default TCP receive buffer size
net.core.rmem_max = 16777216
# Timestamps avoid sequence-number wraparound. A 1 Gbps link is bound to encounter sequence numbers that were used before; timestamps let the kernel accept such "anomalous" packets
net.ipv4.tcp_timestamps = 0
# Determines how many SYN+ACK packets the kernel sends before abandoning the connection
net.ipv4.tcp_synack_retries = 2
# Number of SYN packets sent before the kernel gives up establishing the connection
net.ipv4.tcp_syn_retries = 2
# Recycles TIME-WAIT sockets faster. The default is 1. It should not be changed unless advised and requested by a technical expert
net.ipv4.tcp_tw_recycle = 1
# The default is 0. Controls whether sockets in the TIME-WAIT state may be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
# Port range used for outbound connections. The default is actually quite small: 1024 to 4999
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 327680
/proc/sys/net/ipv4/tcp_max_orphans
The maximum number of TCP sockets in the system that are not attached to any user file handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists only to prevent simple DoS attacks; you must not rely on it heavily or artificially lower the value, and should rather increase it (once more memory has been added).
tcp_mem (3 INTEGER values): low, pressure, high
low: while TCP is using fewer memory pages than this value, TCP does not consider freeing memory. (Ideally this value should match the second value given to tcp_wmem, which is the maximum page size times the maximum number of concurrent requests divided by the page size (131072 * 300 / 4096).)
pressure: when TCP uses more memory pages than this value, TCP tries to stabilise its memory use and enters pressure mode, leaving it again once memory consumption drops below the low value. (Ideally this value should be the maximum total buffer size TCP may use (204800 * 300 / 4096).)
high: the number of pages all TCP sockets may use for queueing buffered datagrams. (If this value is exceeded, TCP connections are refused, which is why it must not be too conservative (512000 * 300 / 4096). With the large value given here it can handle many connections, 2.5 times what is expected, or let existing connections transfer 2.5 times as much data.)
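After sysctl -p it is worth confirming that the kernel really holds the intended values rather than trusting the file. The check below is an added example (my code, not from the original post): it parses sysctl.conf syntax, reads each key back from /proc/sys via read_running, and reports drift; SAMPLE_CONF, FAKE_RUNNING and fake_reader are constructed stand-ins so it also runs offline.

```python
import os

def parse_sysctl_conf(text):
    """sysctl.conf text -> {key: value}; '#'/';' lines are comments, whitespace in values is normalised."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError("malformed sysctl line: %r" % raw)
        key, value = line.split("=", 1)
        settings[key.strip()] = " ".join(value.split())
    return settings

def read_running(key):
    """Live value of e.g. net.core.somaxconn from /proc/sys/net/core/somaxconn, tabs normalised to spaces."""
    with open(os.path.join("/proc/sys", *key.split("."))) as fh:
        return " ".join(fh.read().split())

def check_applied(conf_text, reader=read_running):
    """{key: (expected, actual)} for every setting whose running value differs; actual is None if the key is absent."""
    drift = {}
    for key, expected in parse_sysctl_conf(conf_text).items():
        try:
            actual = reader(key)
        except OSError:
            actual = None
        if actual != expected:
            drift[key] = (expected, actual)
    return drift

# Constructed excerpt of the settings listed above, and a stand-in for /proc/sys
# as a host might look before sysctl -p has been run (both are sample data).
SAMPLE_CONF = """
# SYN queue length
net.ipv4.tcp_max_syn_backlog = 65535
net.core.somaxconn = 32768
net.ipv4.ip_local_port_range = 1024     65535
"""
FAKE_RUNNING = {
    "net.ipv4.tcp_max_syn_backlog": "1024\n",
    "net.core.somaxconn": "32768\n",
    "net.ipv4.ip_local_port_range": "1024\t65535\n",
}

def fake_reader(key):
    """reader() for offline use: like read_running but backed by FAKE_RUNNING."""
    if key not in FAKE_RUNNING:
        raise OSError(key)
    return " ".join(FAKE_RUNNING[key].split())
```

On a real host call `check_applied(open("/etc/sysctl.conf").read())`; an empty dict means every setting is in effect.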
10: Integrating nginx with Tomcat. Installing Java and Tomcat is not repeated here; see
http://hi.baidu.com/naruto6006/blog/item/228bee425ee80b1b73f05da8.html
The Tomcat service status is as follows; it is listening on port 80
[root@jsb-ylw-5024 ~]# netstat -ntpl |grep java
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN 923/java
tcp 0 0 :::8009 :::* LISTEN 3923/java
tcp 0 0 :::80 :::* LISTEN 3923/java
Modify the relevant parts of the main nginx configuration file as follows:
upstream tomcat_server {
server 192.168.50.24:80;
}
# proxy only .jsp, .jspx and .do requests to Tomcat
location ~ \.(jsp|jspx|do)$ {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://tomcat_server;
}
Check the configuration file syntax and restart the nginx service:
[root@yunwei ~]# /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yunwei ~]# service nginx restart
nginx is restarted..
[root@jsb-ylw-5024 ~]# cat /www/tmp/index.jsp
<%@ page contentType="text/html; charset=gb2312" language="java" import="java.sql.*" errorPage="" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>301??¨?</title>
</head>
<body>
this is a jsp test page.....
<%
String requestPage = request.getRequestURI();
String queryString = (request.getQueryString() == null ? "" : "?" + request.getQueryString());
if(request.getRequestURL().indexOf("http://192.168.50.3") >=0) {
%>
this is jsp!!
<%
}
%>
</body>
</html>