day12-nginx
nginx
Front-end server with high concurrency
Installing nginx
useradd -s /sbin/nologin nginx
tar xf nginx-xxx.tar.gz
yum install -y gcc pcre-devel openssl-devel
./configure --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
nginx path prefix: "/etc/nginx"
nginx binary file: "/etc/nginx/sbin/nginx"
nginx modules path: "/etc/nginx/modules"
nginx configuration prefix: "/etc/nginx/conf"
nginx configuration file: "/etc/nginx/conf/nginx.conf"
nginx pid file: "/etc/nginx/logs/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
make && make install
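Note: by default this software does not provide a startup script
nginx configuration files and directories
/etc/nginx installation directory
/etc/nginx/conf/nginx.conf main configuration file
/etc/nginx/html web page directory
/etc/nginx/logs log files
sbin/nginx startup executable
Starting the nginx service
-v show the nginx version
-V show the compile-time options
-t test the default configuration file
-c specify a configuration file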
[root@localhost sbin]# ./nginx -v
nginx version: nginx/1.10.1
[root@localhost sbin]# ./nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
built with OpenSSL 1.0.0-fips 29 Mar 2010
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
[root@localhost sbin]# ./nginx -t
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful
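Stopping nginx
Format: pkill/kill signal process-name/PID
Common signals
TERM, INT fast shutdown
QUIT graceful shutdown; stops the master process and its worker processes along with it
HUP reload with the new configuration; equivalent to a service reload: the service keeps running and re-reads the configuration file
kill -HUP `cat /var/run/nginx.pid`
USR1 reopen the log files
USR2 smoothly upgrade the executable: the service keeps running while the program is upgraded
WINCH gracefully shut down the worker processes; child processes are not closed immediately
Use kill -l to list the signals
kill PID sends 15) SIGTERM by default
kill -9 sends 9) SIGKILL
ctrl+c sends 2) SIGINT
/etc/nginx/sbin/nginx # start the service
/etc/nginx/sbin/nginx -s stop # stop the service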
Upgrading nginx
[root@localhost sbin]# /etc/nginx/sbin/nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
built with OpenSSL 1.0.0-fips 29 Mar 2010
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
tar xf nginx-xxx1.tar.gz
./configure --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
make
cd /etc/nginx/sbin
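mv nginx nginxold # back up the previous version of the nginx binary
cd nginx/objs # enter objs under the new version's nginx directory
[root@localhost nginx-1.11.4]# cp objs/nginx /etc/nginx/sbin/nginx # copy in the new version of the nginx binary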
cd ..
make upgrade
[root@localhost ~]# /etc/nginx/sbin/nginx -v
nginx version: nginx/1.11.4
Main configuration options:
user nginx; # owner of the processes
worker_processes 1; # number of processes to start (recommended: equal to the number of CPU cores)
error_log /var/log/nginx/error.log; # log file
pid /var/run/nginx.pid; # PID file
events {
    use epoll;
    worker_connections 1024; # maximum concurrent connections per process
}
http { # the directives below belong inside the http block
    keepalive_timeout 65; # keep connections alive; timeout value
    tcp_nodelay on; # disable Nagle: no delay, no waiting (set this when high concurrency is required)
    gzip on; # enable gzip compression to improve speed
    gzip_min_length 1000; # minimum size of a file to compress
    gzip_disable "MSIE [1-6]\.(?!.*SV1)"; # disable gzip for IE
    server { # define a virtual host
        listen 80;
        server_name web1.myweb.com;
        location / { # published directory, equivalent to the root of http://192.168.100.100/
            root html;
            index index.html index.htm index.php;
            allow 192.168.100.101; # only 192.168.100.101 is allowed access
            deny all;
            auth_basic "auth-domain"; # enable account authentication
            auth_basic_user_file /etc/nginx/conf/user.list; # path of the file that stores the accounts and passwords
        }
    }
}
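Creating the password file:
yum install -y
yum whatprovides /usr/bin/htpasswd # find out which package provides this command
htpasswd -c /etc/nginx/conf/user.list username # add -c the first time to create the file (it overwrites an existing file); omit -c when adding later users
htpasswd /etc/nginx/conf/user.list username
The password can be encrypted:
htpasswd -cm /etc/nginx/conf/user.list username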
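Added example (not part of the original notes): a POSIX shell check that reads a user.list in htpasswd format and reports the hash scheme of each entry, so entries stored as DES crypt(), unsalted {SHA} or {PLAIN} stand out from the $apr1$ entries that -m writes. The function names are hypothetical and the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: report the hash scheme of every entry in an nginx
# auth_basic_user_file (htpasswd format: user:hash[:comment]).

# Constructed sample file; the hash strings are placeholders, not real hashes.
sample_user_list() {
    cat <<'EOF'
# comment lines are ignored
alice:$apr1$CONSTRUC$CONSTRUCTEDPLACEHOLDER0
bob:CONSTRUCTED00
carol:{SHA}Q09OU1RSVUNURUQtUExBQ0VIT0w=
dave:{PLAIN}example-only
EOF
}

# Read htpasswd-format lines on stdin, print "user scheme verdict" per entry.
classify_htpasswd() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2
            if      (substr(h, 1, 6) == "$apr1$")  { s = "apr1-md5";      v = "ok" }    # written by htpasswd -m
            else if (substr(h, 1, 7) == "{PLAIN}") { s = "plaintext";     v = "weak" }
            else if (substr(h, 1, 5) == "{SHA}")   { s = "sha1-unsalted"; v = "weak" }
            else if (length(h) == 13)              { s = "des-crypt";     v = "weak" }  # only 8 password chars count
            else                                   { s = "other";         v = "review" }
            print $1, s, v
        }'
}

# Print the users with a weak scheme; exit status 1 if there are any.
weak_entries() {
    classify_htpasswd | awk '$3 == "weak" { print $1; bad = 1 } END { exit bad + 0 }'
}

# Usage against the file from these notes:
#   weak_entries < /etc/nginx/conf/user.list
```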
Startup script (a simple implementation; to be improved later)
#!/bin/bash
# chkconfig: - 85 15
case "$1" in
start)
    /etc/nginx/sbin/nginx
    echo "$0:nginx ok..."
    ;;
stop)
    /etc/nginx/sbin/nginx -s stop
    #kill -INT `cat /var/run/nginx.pid`
    echo "$0:nginx stop..."
    ;;
reload)
    /etc/nginx/sbin/nginx -s reload
    #kill -HUP `cat /var/run/nginx.pid`
    echo "$0:nginx reload..."
    ;;
*)
    # usage lists only the actions implemented above
    echo "$0:start|stop|reload"
    ;;
esac
Virtual hosts
server {
    listen 80;
    server_name www.web1.com;
    location / {
        root web1;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.web2.com;
    location / {
        root web2;
        index index.html;
    }
}
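SSL-based website
Encryption algorithms: symmetric encryption and asymmetric encryption
SSL-based websites rely on asymmetric encryption
What needs to be generated: a private key and a certificate
Generating the private key and certificate
# openssl genrsa -out cert.key 2048
Generates the key: what follows "gen" is the RSA algorithm, and cert.key is the file name
# openssl req -new -x509 -key cert.key -out cert.pem # generate the certificate from the private key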
[root@localhost nginx]# ls cert.*
cert.key cert.pem
# cp cert.* /etc/nginx/conf # kept in the nginx/conf directory by default
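Added example (not part of the original notes): a shell check to run before pointing ssl_certificate and ssl_certificate_key at the files, confirming that the certificate was issued for that key and that the key is readable by its owner only. The function names are hypothetical; make_demo_pair uses the same openssl commands as above with -subj and -days added as assumptions so that nothing is prompted.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before referencing it in nginx.conf.

# Create a throwaway key and self-signed certificate in directory $1
# (constructed test material; CN taken from the server_name used in these notes).
make_demo_pair() {
    (
        umask 077      # files are created readable by their owner only
        openssl genrsa -out "$1/cert.key" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$1/cert.key" -out "$1/cert.pem" \
            -days 365 -subj "/CN=www.web3.com" 2>/dev/null
    )
}

# check_tls_pair CERT KEY
#   0 and "OK"  certificate and key match, key is owner-only
#   1           certificate does not contain this key's public key
#   2           a file is missing or could not be parsed
#   3           key is accessible to group or others
check_tls_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $1 does not belong to $2"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$2" | cut -c5-10)" != "------" ]; then
        echo "LOOSE PERMISSIONS: $2"
        return 3
    fi
    echo "OK"
}

# Usage against the files from these notes:
#   check_tls_pair /etc/nginx/conf/cert.pem /etc/nginx/conf/cert.key
```

The nginx master process reads the key as root before the workers switch to the nginx user, so the key file does not need to be readable by that user.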
Configuration file
#user nobody;
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
events {
    use epoll;
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    gzip on;
    gzip_min_length 1000;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    server {
        listen 80;
        server_name www.web1.com;
        location / {
            root web1;
            index index.html index.htm;
            # auth_basic "auth-domain";
            # auth_basic_user_file /etc/nginx/conf/user.list;
        }
    }
    server {
        listen 80;
        server_name www.web2.com;
        location / {
            root web2;
            index index.html;
        }
    }
    # "ssl on;" is the form accepted by the 1.10/1.11 builds used here; newer releases use "listen 443 ssl;" instead
    server {
        listen 443;
        server_name www.web3.com;
        ssl on;
        ssl_certificate cert.pem;
        ssl_certificate_key cert.key;
        location / {
            root web3;
            index index.html;
        }
    }
    server {
        listen 443;
        server_name www.web4.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/test.pem;
        ssl_certificate_key /etc/nginx/ssl/test.key;
        location / {
            root web4;
            index index.html;
        }
    }
}
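nginx reverse proxy
Advantages: fast scheduling, rich debugging mechanisms
Disadvantages: simple ACL access control (fewer features than Squid), caching mechanism
Main server configuration file
upstream test {
    server 192.168.100.101;
    server 192.168.100.102;
}
server {
    listen 80;
    server_name www.test.com;
    location / {
        proxy_pass http://test;
    }
}
On the other two machines, 192.168.100.101 and 102, just start a web service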
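Client verification
This is round-robin access
nginx currently supports 4 distribution methods
Round-robin (default): requests are dispatched to the servers one by one in turn
weight: sets the round-robin probability; the weight is proportional to the share of requests
ip_hash: each request is assigned to a fixed back-end server according to the client IP
fair: back-end servers with shorter response times are given priority
State types
down: the server temporarily does not take part in load balancing
max_fails: the number of failed requests allowed (default 1)
fail_timeout: how long the server is suspended after max_fails failures
backup: backup server
When changed to server 192.168.100.101 weight=2;
Verification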
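upstream test {
    #ip_hash; # gives the same user a fixed server; nginx rejects "backup" in an ip_hash upstream, so enable only one of the two
    server 192.168.100.101 weight=2; # weight of 2
    server 192.168.100.102 max_fails=2 fail_timeout=30; # after 2 failed connections the server is taken out of service for 30 seconds
    server 192.168.100.103 down; # server marked as down
    server 192.168.100.104 backup; # backup server (used only when all the servers above are down)
}
server {
    listen 80;
    server_name www.test.com;
    location / {
        proxy_pass http://test;
    }
}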
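Added example (not part of the original notes, and not nginx's own code): a shell model of smooth weighted round-robin, the selection scheme nginx's default balancer uses, to show what the verification step should look like once 192.168.100.101 has weight=2. It assumes ip_hash is off and every listed peer is healthy, so the down and backup servers are left out; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: model of smooth weighted round-robin peer selection.

# pick_sequence N name=weight ...
# Prints the peer chosen for each of N consecutive requests, one per line.
pick_sequence() {
    n=$1; shift
    printf '%s\n' "$@" | awk -F= -v n="$n" '
        { name[NR] = $1; weight[NR] = $2; current[NR] = 0; total += $2 }
        END {
            for (r = 1; r <= n; r++) {
                best = 0
                for (i = 1; i <= NR; i++) {
                    current[i] += weight[i]      # every peer gains its weight
                    # strictly greater: on a tie the earlier peer wins
                    if (best == 0 || current[i] > current[best]) best = i
                }
                current[best] -= total           # the chosen peer pays the total
                print name[best]
            }
        }'
}

# share N name=weight ...
# Prints "count name" for each peer over N requests.
share() {
    pick_sequence "$@" | sort | uniq -c | awk '{ print $1, $2 }'
}

# Expected pattern for the upstream above (weights 2 and 1):
#   pick_sequence 6 192.168.100.101=2 192.168.100.102=1
```

Requests from a test client should alternate in the same 101, 102, 101 pattern rather than in two consecutive hits followed by one.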