苏耀东的博客

Nginx入门到实践

2020/03/08 Nginx

本文是对Nginx常用配置的整理及记录。 ## 配置文件 - 目录 /etc/nginx/nginx.conf - 默认配置语法 ``` user nginx; worker_processes 1;

error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid;

events { worker_connections 1024; }

http { include /etc/nginx/mime.types; default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf; } ```

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

默认模块

  • http_stub_status_module:nginx客户端状态
    • 配置语法:stub_status;需写在location或server下 location /status { stub_status; }
  • http_sub_module:http内容替换
    • 配置语法
    • sub_filter string replacement
    • sub_filter_last_modified on off
    • sub_filter_once on off:是否只替换第一个

    location / { root /usr/share/nginx/html; index index.html index.htm; sub_filter '要替换的内容' '被替换后的内容'; sub_filter_once off; }

请求限制

  • 连接频率限制:limit_conn_module
  • 语法
    • limit_conn_zone key zone=name:size;
    • limit_conn zone number;
  • 请求频率限制:limit_reg_module
  • 语法
    • limit_req_zone key zone=name:size rate=rate;
    • limit_req zone=name [burst=numer][nodelay];
      • burst保留遗留number数的请求到下一秒执行
limit_conn_zone $binanry_remote_addr zone=conn_zone:1m;
# 同个ip过来请求,每秒只允许一个请求
limit_req_zone $binanry_remote_addr zone=req_zone:1m rate=1r/s;
http {
    server {

    location / {
        root   /usr/share/nginx/html;
        limit_conn conn_zone 1;
        limit_conn req_zone;
        limit_conn req_zone burst=3 nodealy;
        index  index.html index.htm;
        }
    }
}
  • 压测工具:ab(apache bench)
    • ab -n 100 -c 10 http://test.com/ :-n表示请求数,-c表示并发数

访问限制

  • 基于IP的的访问控制:http_access_module
  • 语法
    • allow address CIDR UNIX: all;
    • deny address CIDR UNIX: all; 
location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    allow all;
    deny  222.122.191.3;
    # deny  222.122.191.0/24;
    index  index.html index.htm;
    }
}
  • 基于用户的信任登录:http_auth_basic_module
  • 语法
    • auth_basic string off;
    • auth_basic_user_file file;
  • 工具htpasswd location ~ ^/admin.html { root /usr/share/nginx/html; auth_basic "Auth access error!input your password!"; auth_basic_user_file /etc/nginx/auth_conf; index index.html index.htm; } }

静态资源web服务

  • 静态资源服务场景-CDN
    • sendfile on off:文件读取
    • tcp_nopush on off:sendfile开启下才能使用。提高网络包的传输效率
    • tcp_nodelay on off:keeplive连接下有效,提高网络包的传输实时性
    • gzip on off:压缩传输
    • gzip_comp_level level;
    • gzip_http_version 1.0 1.1;
    • 压缩模块拓展,预读gzip功能:http_gzip_static_modules,语法gzip_status on off
  • 浏览器缓存
    • expires [modified] time;
    • expires epoch|max|off; location ~ ^/admin.html { root /usr/share/nginx/html; expires 24h; index index.html index.htm; } }
  • 跨域访问-Access-Control-Allow-Origin
    • add_header name value [always]; location ~ ^/admin.html { root /usr/share/nginx/html; add_header Access-Control-Allow-Origin http://www.baidu.com; add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS; } }
  • 防盗链http_refer
  • valid_referers none|blocked|server_names|string; location ~ .*\.(jpg|png) { valid_referers blocked 116.66.111.222 ~/google\./; if($invalid_referer) { return 403; } root /usr/share/nginx/html; } }

代理服务

  • proxy_pass URL; ``` # 反向代理 location ~ /test_proxy.html$ { proxy_pass http://127.0.0.1:8080; }

location / { if($http_x_forwarded_for !~* “^116.62.103.228”) { return 403; } root /usr/share/nginx/html; index index.html; }

正向代理

location / { proxy_pass http://$http_host$request_uri; } ``` - 缓冲区:proxy_buffering on|off; - 跳转重定向:proxy_redirect default; - 头信息:proxy_set_header field value; - 超时:proxy_connect_timeout time;

location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect default;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30;
    proxy_send_timeout 60;
    proxy_read_timeout 60;

    proxy_buffering on;
    proxy_buffer_size 32k;
    proxy_buffers 4 128k;
    proxy_busy_buffers_size 256k;
    proxy_max_temp_file_size 256k;
}

# 可以把上面的配置参数写到proxy_params文件中再引用
location / {
    proxy_pass http://127.0.0.1:8080;
    include proxy_params;
}

负载均衡

  • upstream name {…}; 结合proxy_pass;
http {
upstream oden {
    server 116.62.103.222:8001 down;
    server 116.62.103.222:8002 backup;
    server 116.62.103.222:8003 max_fail=1 fail_timeout=10s;
    server 116.62.103.222:8004 weight = 5;
}
    server {
        listen 80;
        server_name localhost;
        location / {
        proxy_pass http://oden;
        include proxy_params;
        }
    }
}
  • 调度算法
  • 轮询
  • 加权轮询,weight越大分配到的几率更高
  • ip_hash:每个请求按访问IP的hash结果分配,这样来自同一个IP固定访问一个后端服务器
  • least_conn:最少链接数,哪个机器连接数少就分发
  • url_hash:按照访问的URL的hash结果分配请求,是每个URL定向到同一个后端服务器
  • hash关键数值:hash自定义的key
    • hash key[consistent]
upstream oden {
    ip_hash;
    server 116.62.103.222:8001;
}

upstream oden {
    hash $request_uri;
    server 116.62.103.222:8001;
}

缓存服务

  • proxy_cache
  • proxy_cache_path path
  • proxy_cache zone off
  • proxy_cache_valid[code…] time
  • 缓存维度:proxy_cache_key string
    • $scheme $proxy_host $request_uri ``` http { proxy_cache_path /opt/app/cache levels=1:2 keys_zone=oden_cache:10m max_size=10g inactive=60m use_tep_path=off;

upstream oden { server 116.62.103.222:8001; server 116.62.103.222:8002; } server { listen 80; server_name localhost; location / { proxy_cache oden_cache; proxy_pass http://oden; # 在这些情况下缓存的时间 proxy_cache_valid 200 304 12h; proxy_cache_valid any 10m; proxy_cache_key $host$uri$is_args$args; add_header Nginx-Cache “$upstrem_cache_status”;

    # 发生错误时跳到下一台服务器
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

    include proxy_params;
    }
} } ``` - 清理指定缓存
- rm -rf缓存目录内容
- 第三方拓展模块ngx_cache_purge - 让部分页面不缓存
- proxy_no_cache string;
- proxy_no_cache - 分片请求
- slice size;

命令

  • 重启:systemctl restart nginx.service
  • 配置文件语法正确性检查:nginx -t -c /etc/nginx/nginx.conf

Search

    Table of Contents