Lesson 22 preview tasks

1. Nginx load balancing

1.1 What Nginx load balancing is

1.2 The 4 distribution methods supported by nginx's upstream

1.3 Configuration file

1.4 Testing load balancing

2. How SSL works

2.1 What SSL is

2.2 The SSL handshake

3. Generating an SSL key pair

3.1 Generating an RSA private key

3.2 Converting the key and removing the passphrase

3.3 Generating a certificate signing request

4. Configuring SSL in Nginx

4.1 Creating the configuration file

4.2 Recompiling nginx

4.3 Restarting nginx

4.4 Testing the SSL certificate

5. php-fpm pools

5.1 Why pools

5.2 Configuration file

5.3 Creating pools

5.4 Testing php-fpm pools

6. php-fpm slow execution log

6.1 What the slow log is for

6.2 Configuration file

6.3 Creating a PHP file to trigger slow execution

6.4 Checking that the slow log works

7. open_basedir

7.1 Configuration file

7.2 Configuring the error log

8. php-fpm process management


1. Nginx load balancing

1.1 What Nginx load balancing is

As a site's traffic grows, the way it is served has to grow with it. Moving the database onto its own server, or serving images from a separate host, are simple forms of load balancing that spread the data load over several machines. The load on the web front end itself can be just as painful. How do you spread requests for a single domain name across two or more machines? That is another kind of load balancing, and nginx can do it by itself with a short piece of configuration.

Nginx is not only a capable web server, it is also a reverse proxy. It can route dynamic and static content to different backends according to rules, balance load across backend servers by round robin, IP hash, URL hash, weight and other methods, and it checks backend health. In open-source nginx the health check is passive: a backend that fails max_fails times within fail_timeout (defaults 1 and 10s) is taken out of rotation for that period; active probing is an NGINX Plus feature.

Some basics of Nginx load balancing:

1.2 The 4 distribution methods supported by nginx's upstream

nginx's upstream block currently supports 4 ways of distributing requests:

1) Round robin (default)

  Each request is handed to the next backend in turn, and a backend that is down is skipped automatically. weight is a parameter of this method rather than a method of its own: it sets how often a backend is picked, in proportion to its weight, for backends of unequal capacity (server 10.0.0.2:80 weight=3;). Recent versions also offer least_conn, which picks the backend with the fewest active connections.

2) ip_hash

  Each request is assigned by a hash of the client address, so a given visitor always lands on the same backend, which sidesteps shared-session problems. Two caveats: the key is $remote_addr, so if a CDN or another proxy sits in front of nginx every request carries the proxy's address and ends up on one backend (nginx does not hash X-Forwarded-For); and for IPv4 only the first three octets are hashed, so a whole /24 shares one backend.

3) fair (third-party module)

  Requests go to the backend with the shortest response time.

4) url_hash (third-party module)

  Requests are assigned by a hash of the requested URL, so each URL is always served by the same backend; this is mainly useful when the backends are caches. Current nginx versions do this natively with hash $request_uri consistent; inside the upstream block.

1.3 Configuration file

// Create a new load.conf and put the following configuration in it
[root@knightlai ~]# vim  /usr/local/nginx/conf/vhost/load.conf
upstream  qq               
{
    ip_hash;
    # the two backends are the public front ends www.qq.com resolved to when the author set this up
    server   61.135.157.156:80;
    server   125.39.240.113:80;
}
 
server
{
    listen  80;
    server_name  www.qq.com;
 
    location / {
        proxy_pass        http://qq;
        proxy_set_header   Host             $host;
        # pass the real client address to the backend; $proxy_add_x_forwarded_for
        # appends $remote_addr to whatever X-Forwarded-For the client sent, so the
        # backend must trust these headers only when they come from this proxy
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}
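The upstream block above uses ip_hash, and the practical question when reading such a configuration is which client ends up on which backend, and what happens when a proxy hides the real client. The script below is an added example, not code from the original page: it models nginx's ip_hash selection in POSIX sh. The constants (seed 89, multiplier 113, modulus 6271) and the rule that only the first three octets of an IPv4 address are hashed are taken from nginx's ngx_http_upstream_ip_hash_module.c; the retry loop that skips peers marked down is left out. The backend addresses are the page's; client addresses, weights and the CDN egress address 203.0.113.7 are lab assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a model of nginx's ip_hash
# backend selection. Constants and the three-octet rule follow
# ngx_http_upstream_ip_hash_module.c; down/failed peers are not modelled.

# Peer lists in "address=weight" form: the page's upstream (equal weights)
# and a weighted variant to show how weight changes the share of buckets
PEERS_PAGE="61.135.157.156:80=1 125.39.240.113:80=1"
PEERS_WEIGHTED="61.135.157.156:80=3 125.39.240.113:80=1"

# total_weight PEERS -> sum of the weights
total_weight() {
    sum=0
    for p in $1; do
        sum=$((sum + ${p#*=}))
    done
    echo "$sum"
}

# ip_hash_bucket IP TOTAL -> hash of the first three octets reduced modulo
# TOTAL; 10.0.0.1 and 10.0.0.200 therefore land in the same bucket
ip_hash_bucket() {
    hash=89
    n=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        n=$((n + 1))
        if [ "$n" -gt 3 ]; then
            break
        fi
        hash=$(( (hash * 113 + octet) % 6271 ))
    done
    echo $((hash % $2))
}

# pick_peer IP PEERS -> the backend that owns the bucket: walk the list,
# subtracting each peer's weight until the bucket falls inside a peer's share
pick_peer() {
    bucket=$(ip_hash_bucket "$1" "$(total_weight "$2")")
    for p in $2; do
        name=${p%=*}
        weight=${p#*=}
        if [ "$bucket" -lt "$weight" ]; then
            echo "$name"
            return 0
        fi
        bucket=$((bucket - weight))
    done
}

# Demonstration: four clients connecting directly, then the same clients
# behind a CDN whose egress address is what nginx sees in $remote_addr
for ip in 10.0.0.1 10.0.0.200 192.168.1.7 8.8.8.8; do
    echo "direct client $ip -> $(pick_peer "$ip" "$PEERS_PAGE")"
done
for ip in 10.0.0.1 10.0.0.200 192.168.1.7 8.8.8.8; do
    echo "client $ip via CDN 203.0.113.7 -> $(pick_peer 203.0.113.7 "$PEERS_PAGE")"
done
echo "8.8.8.8 with weights 3:1 -> $(pick_peer 8.8.8.8 "$PEERS_WEIGHTED")"
```

Run it with sh. The second loop prints the same backend four times: behind a CDN, ip_hash degenerates to "everything on one server". Real nginx additionally skips peers that are down or over max_fails and falls back to round robin after 20 attempts, which this model omits.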

1.4 Testing load balancing

// -x sends the request through the local nginx as an HTTP proxy, so the Host header is www.qq.com without touching DNS or /etc/hosts. Before the configuration is in place the default page comes back
[root@knightlai ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.

// With load balancing configured, curl returns the backend's page source
[root@knightlai ~]# curl -x127.0.0.1:80 www.qq.com
<div class="txtArea">
		<h3><a href="http://new.qq.com/omn/20180920/20180920A1ZV4G.html" target="_blank">[headline; the page is GBK-encoded and the terminal garbled the Chinese text]</a></h3>
	</div>
	<ul>
	  <li>
    <a href="http://new.qq.com/omn/20180921/20180921A0J6D8.html" target="_blank">[garbled headline]</a>
  </li>
	  <li>
    <a href="http://new.qq.com/omn/20180921/20180921A0KUHD.html" target="_blank">[garbled headline]</a>
  </li>
......................................................
	var _mtac = {};
	(function() {
	    var mta = document.createElement("script");
	    mta.src = "//pingjs.qq.com/h5/stats.js?v2.0.2";
	    mta.setAttribute("name", "MTAH5");
	    mta.setAttribute("sid", "500460529");
	    var s = document.getElementsByTagName("script")[0];
	    s.parentNode.insertBefore(mta, s);
	})();
	</script>
</body>
</html><!--[if !IE]>|xGv00|f6adb1516cb9c807847e8347fd4c6dde<![endif]-->

2. How SSL works

2.1 What SSL is

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that give network communication confidentiality and data integrity. For example, when we type www.baidu.com into the address bar and press Enter, we end up on an https:// address: HTTPS is HTTP carried over TLS, so the traffic is encrypted and the connection is safer. The upgrade is the server's doing (an HTTP redirect); a browser only switches to HTTPS on its own when the site has previously sent it an HSTS header.

2.2 The SSL handshake

The steps below describe the classic RSA key exchange used from SSL 3.0 through TLS 1.2. Current deployments negotiate an ephemeral (EC)DHE key instead, and TLS 1.3 has removed RSA key transport entirely, but the trust decision in step 3 is the same in every version.

1. The browser opens a connection and sends the host name it wants (SNI) to the server.

2. The server sends its digital certificate, which contains the server's public key.

3. The browser validates the certificate against its pre-installed list of trusted CAs and checks that the name in the certificate matches the host it asked for. If either check fails it warns the user immediately.

4. If the certificate checks out, the browser generates a random pre-master secret, encrypts it with the server's public key and sends it.

5. The server decrypts it with its private key; both sides now derive the same symmetric session keys from it.

6. Both sides confirm the handshake with Finished messages, and the server sends the requested content over the now encrypted channel.

3. Generating an SSL key pair

3.1 Generating an RSA private key

// The passphrase is set to 123456 (a lab value)
[root@knightlai conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

3.2 Converting the key and removing the passphrase

// Write the key out again without the passphrase, so that nginx can start without someone typing it in
[root@knightlai conf]# openssl rsa -in tmp.key -out knightlai.key
Enter pass phrase for tmp.key:
writing RSA key
// Delete the passphrase-protected original
[root@knightlai conf]# rm -f tmp.key

From this point the private key is protected by file permissions alone, so it should be readable by root only (chmod 600 knightlai.key). The listing at the end of 3.3 shows it was left at 644, readable by every local user.

3.3 Generating a certificate signing request

// The CSR carries the public key and the subject name and is signed with the private key; whoever signs the CSR (a CA, or in this lab our own key) produces the certificate
[root@knightlai conf]# openssl req -new -key knightlai.key -out knightlai.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:knightlai
Locality Name (eg, city) [Default City]:jiangxiang^H^H^H^[[D^[[D
Organization Name (eg, company) [Default Company Ltd]:px
Organizational Unit Name (eg, section) []:px
Common Name (eg, your name or your server's hostname) []:px
Email Address []:359175536@qq.o^H^H

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:px

Two things went wrong in this interactive session: "11" is not a two-letter country code (openssl only checks the length), and the backspace and arrow keys typed at the Locality and Email prompts were stored literally, as the subject printed below shows (\x08 and \x1B[D). Passing the subject on the command line avoids both, for example -subj "/C=CN/O=px/CN=test.com". The Common Name should be the host name clients will connect to; here it is "px", which is why the test in 4.4 would still fail the name check even if the certificate were trusted.

// Create the certificate; -signkey signs the CSR with our own key, which makes it self-signed
[root@knightlai conf]# openssl x509 -req -days 365 -in knightlai.csr -signkey knightlai.key -out knightlai.crt
Signature ok
subject=/C=11/ST=knightlai/L=jiangxiang\x08\x08\x08\x1B[D\x1B[D/O=px/OU=px/CN=px/emailAddress=359175536@qq.o\x08\x08
Getting Private key
// .crt is the certificate (it contains the public key); .key is the private key
[root@knightlai conf]# ll
-rw-r--r-- 1 root root 1289 Sep 12 01:16 knightlai.crt
-rw-r--r-- 1 root root 1106 Sep 12 01:14 knightlai.csr
-rw-r--r-- 1 root root 1679 Sep 12 01:10 knightlai.key

4. Configuring SSL in Nginx

4.1 Creating the configuration file

[root@knightlai conf]# vim ssl.conf
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/yolks.com;
    ssl on; # enable SSL, i.e. serve https (deprecated since nginx 1.15.0 and removed in current versions; write "listen 443 ssl;" there)
    ssl_certificate yolkslinux.crt; # the certificate (public half)
    ssl_certificate_key yolkslinux.key; # the private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # allowed protocol versions
}

The names in this file were copied from the course (aming.com, yolks.com, yolkslinux.*) and do not match the key pair generated in section 3 (knightlai.key and knightlai.crt) or the host tested in 4.4 (test.com); server_name, the certificate paths and the certificate's Common Name have to agree, otherwise clients get a name-mismatch error. TLS 1.0 and 1.1 are deprecated (RFC 8996); on a current nginx and OpenSSL use ssl_protocols TLSv1.2 TLSv1.3;.

4.2 Recompiling nginx

[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

// "unknown directive ssl" means this nginx was built without http_ssl_module, so it has to be recompiled with it.
// Check the existing build options first (nginx -V) and pass all of them to ./configure again; running it with only --with-http_ssl_module silently drops every other module that was compiled in earlier.
[root@knightlai nginx]# cd /usr/local/src/nginx-1.8.0
[root@knightlai nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
checking for OS
 + Linux 3.10.0-862.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
checking for gcc -pipe switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
[root@knightlai nginx-1.8.0]# make &&make install
make -f objs/Makefile
make[1]: Entering directory `/usr/local/src/nginx-1.8.0'
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g  -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
	-o objs/src/core/nginx.o \
	src/core/nginx.c
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g  -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
	-o objs/src/core/ngx_log.o \
	src/core/ngx_log.c
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g  -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
	-o objs/src/core/ngx_palloc.o \
	src/core/ngx_palloc.c
.......................................

4.3 Restarting nginx

[root@knightlai nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@knightlai nginx-1.8.0]# /usr/local/nginx/sbin/nginx -s reload

-t succeeds now because it runs the freshly installed binary. -s reload, however, only asks the running master process to re-read the configuration, and that master is still the old binary without the SSL module, so the reload cannot bring up ssl.conf. A full restart (or an in-place binary upgrade with SIGUSR2) is needed, which is what the next command does.

[root@knightlai nginx-1.8.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
// Port 443 is now listening
[root@knightlai nginx-1.8.0]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      53910/nginx: master 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      810/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      898/master          
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      53910/nginx: master

4.4 Testing the SSL certificate

// curl refuses the connection because the certificate is self-signed: its issuer is not in the system CA bundle
[root@knightlai nginx-1.8.0]# curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

-k switches verification off altogether and is only acceptable for checking that the listener answers. The right fix for a lab certificate is --cacert knightlai.crt (a self-signed certificate is its own trust anchor) or importing it into the system trust store. Even then a request to https://test.com would fail curl's second check, the host name: this certificate's CN is px and it carries no subjectAltName, and modern browsers ignore the CN entirely and require a SAN.
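The following is an added example, not code from the original page. It redoes the key, CSR and self-signed certificate steps of section 3 non-interactively, with a subjectAltName so the name check can pass, and then reproduces the two checks curl made above (chain trust, then host name) with openssl itself, so the difference between the default trust store, --cacert and -k is visible without a running nginx. The host name test.com, the subject fields and the temporary work directory are lab assumptions; the file names follow the page's pattern.

```shell
#!/bin/sh
# Added example (not from the original page): section 3's key/CSR/cert flow
# done non-interactively, plus the verification steps curl performs in 4.4.
# test.com, the subject and the work directory are lab assumptions.
set -e
HOST=test.com
WORK=$(mktemp -d)

# A minimal req config so "openssl req" works even where no system
# openssl.cnf is installed; the subject itself comes from -subj
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF
printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$HOST" "$HOST" > "$WORK/san.ext"

# make_cert: the key is written without a passphrase (so there is no tmp.key
# to strip later) but under umask 077; then a CSR with a fixed subject, then
# a self-signed certificate that carries the SAN extension
make_cert() {
    ( umask 077 && openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null )
    openssl req -new -key "$WORK/$HOST.key" -config "$WORK/req.cnf" \
        -subj "/C=CN/O=px/CN=$HOST" -out "$WORK/$HOST.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$HOST.csr" -signkey "$WORK/$HOST.key" \
        -extfile "$WORK/san.ext" -out "$WORK/$HOST.crt" 2>/dev/null
}

# key_mode -> permission bits of the private key (the page's key was 644)
key_mode() {
    stat -c '%a' "$WORK/$HOST.key" 2>/dev/null || stat -f '%Lp' "$WORK/$HOST.key"
}

# verify_with_store [CAFILE] -> "trusted" or "untrusted". Without CAFILE this
# is curl's default (system bundle only); with the certificate itself as
# CAFILE it is the --cacert case. -k would skip this check entirely.
verify_with_store() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" "$WORK/$HOST.crt" 2>&1) || true
    else
        out=$(openssl verify "$WORK/$HOST.crt" 2>&1) || true
    fi
    case $out in
        *error*) echo untrusted ;;
        *OK*)    echo trusted ;;
        *)       echo untrusted ;;
    esac
}

# hostname_matches NAME -> exit 0 if the certificate is valid for NAME; this
# is the check the page's CN=px certificate fails for test.com
hostname_matches() {
    openssl x509 -in "$WORK/$HOST.crt" -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

make_cert
echo "private key mode:       $(key_mode)"
echo "system bundle:          $(verify_with_store)"
echo "--cacert $HOST.crt: $(verify_with_store "$WORK/$HOST.crt")"
for name in "$HOST" "www.$HOST" px; do
    if hostname_matches "$name"; then echo "name $name: match"; else echo "name $name: no match"; fi
done
# the work directory is left in place for inspection; rm -rf "$WORK" when done
```

The output mirrors curl: "untrusted" against the system bundle, "trusted" once the certificate is named as the trust anchor, and a name check that passes only for the names listed in the SAN. The files produced under $WORK can be dropped straight into ssl_certificate and ssl_certificate_key.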

5. php-fpm pools

5.1 nginx can host several virtual hosts, and all of them need PHP. To keep the sites from affecting each other's performance, php-fpm can run several pools, one per site. A pool is also the isolation boundary: each pool can run as its own user and group and carry its own php_admin_value settings (such as open_basedir in section 7), so that a compromised script on one site cannot read another site's files. The two pools below both run as the php-fpm user, which gives them separate process limits but not that isolation.

5.2 Configuration file

// Add include = etc/php-fpm.d/*.conf (the path is relative to the php-fpm prefix, /usr/local/php-fpm)
[root@knightlai nginx-1.8.0]# vim  /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf

[root@knightlai nginx-1.8.0]# mkdir /usr/local/php-fpm/etc/php-fpm.d/

5.3 Creating pools

// Create a pool named www
[root@knightlai php-fpm.d]# vim www.conf
[www]
listen = /tmp/www.sock
; 666 lets any local user send FastCGI requests to this pool; prefer
; listen.owner/listen.group set to the nginx user with listen.mode = 0660
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
// Create a pool named test
[root@knightlai php-fpm.d]# vim test.conf
[test]
listen = /tmp/test.sock
; same caveat as above: world-writable socket
listen.mode=666
; a separate user per pool is what actually isolates the two sites
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

5.4 Testing php-fpm pools

// Restart php-fpm
[root@knightlai php-fpm.d]# service php-fpm stop
Gracefully shutting down php-fpm . done
[root@knightlai php-fpm.d]# service php-fpm start
Starting php-fpm  done
// The process list shows workers for both pools, test and www
[root@knightlai php-fpm.d]# ps aux |grep php-fpm
root      53973  0.1  0.4 123740  4940 ?        Ss   01:58   0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm   53974  0.0  0.4 123680  4712 ?        S    01:58   0:00 php-fpm: pool test
..............................................
php-fpm   53993  0.0  0.4 123680  4720 ?        S    01:58   0:00 php-fpm: pool test
php-fpm   53994  0.0  0.4 123680  4716 ?        S    01:58   0:00 php-fpm: pool www
................................................................................
php-fpm   54013  0.0  0.4 123680  4724 ?        S    01:58   0:00 php-fpm: pool www

6. php-fpm slow execution log

6.1 php-fpm has a very useful feature, the slow execution log. It is an effective way to find where a system's problem lies, especially when the site has become slow: whenever a request runs longer than the configured threshold, php-fpm writes the script name and a PHP-level backtrace of where the script was at that moment.

6.2 Configuration file

[root@knightlai php-fpm.d]# vim www.conf
; log requests that run for more than one second (the author's production
; value is 2 seconds; 0 disables the log); the setting is per pool
request_slowlog_timeout = 1
; where the log goes
slowlog = /usr/local/php-fpm/var/log/www-slow.log

// The test.com virtual host must hand PHP requests to this pool's socket (/tmp/www.sock) for the log above to apply; the author edits it here but does not show its contents
[root@knightlai php-fpm.d]# vim /usr/local/nginx/conf/vhost/test.com.conf 

6.3 Creating a PHP file to trigger slow execution

[root@knightlai php-fpm.d]# vim /data/wwwroot/test.com/test.php
<?php echo "test slow log";
sleep(2);
echo "done";
?>

6.4 Checking that the slow log works

[root@knightlai etc]# curl -x127.0.0.1:80 test.com/test.php
test slow logdone
// The threshold is 1 second and the script sleeps for 2, so an entry is written
[root@knightlai etc]# curl -x127.0.0.1:80 test.com/test.php
test slow logdone
[root@knightlai etc]# cat /usr/local/php-fpm/var/log/www-slow.log

[12-Sep-2018 02:38:12]  [pool www] pid 54137
script_filename = /data/wwwroot/test.com/test.php
[0x00007f0441ee91e8] sleep() /data/wwwroot/test.com/test.php:2

Each entry gives the time, the pool and worker pid, the script, and a backtrace whose first frame is where the script was when the timeout fired: here sleep() on line 2 of test.php, exactly where the time went.
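Once a slow log has more than a handful of entries, reading it by eye stops working, and the questions become which scripts keep showing up and whether anything is executing from somewhere it should not. The script below is an added example, not code from the original page: a small awk parser for the entry format shown above, run over a constructed sample. The first sample entry is the page's own; the other two are invented to show a deeper backtrace and a script running from /tmp. The document root /data/wwwroot/test.com/ is the page's; everything else in the sample is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): parse php-fpm slow-log entries
# into one line each and summarise them. The sample below is constructed;
# only the first entry comes from the page.
SLOWLOG_SAMPLE=$(cat <<'EOF'
[12-Sep-2018 02:38:12]  [pool www] pid 54137
script_filename = /data/wwwroot/test.com/test.php
[0x00007f0441ee91e8] sleep() /data/wwwroot/test.com/test.php:2

[12-Sep-2018 02:40:03]  [pool www] pid 54201
script_filename = /data/wwwroot/test.com/index.php
[0x00007f0441ee9300] mysqli_query() /data/wwwroot/test.com/lib/db.php:88
[0x00007f0441ee9200] Db->query() /data/wwwroot/test.com/lib/db.php:40
[0x00007f0441ee9100] [INCLUDE_OR_EVAL]() /data/wwwroot/test.com/index.php:12

[12-Sep-2018 02:41:40]  [pool test] pid 54311
script_filename = /tmp/upload.php
[0x00007f0441ee9400] shell_exec() /tmp/upload.php:3
EOF
)

# slow_entries -> one line per entry: time|pool|pid|script|innermost frame.
# Entries are blank-line separated, so awk's paragraph mode (RS="") reads
# each as one record with one field per line. The first frame is where the
# script was when the timeout fired; later frames are its callers.
slow_entries() {
    printf '%s\n' "$SLOWLOG_SAMPLE" | awk '
        BEGIN { RS = ""; FS = "\n"; OFS = "|" }
        {
            # header: [DATE TIME]  [pool NAME] pid N
            split($1, a, "]")
            when = substr(a[1], 2)
            pool = a[2]; sub(/^.*\[pool /, "", pool)
            pid = a[3]; sub(/^ pid /, "", pid)
            script = $2; sub(/^script_filename = /, "", script)
            frame = $3; sub(/^\[0x[0-9a-f]*\] /, "", frame)
            print when, pool, pid, script, frame
        }'
}

# slow_count -> number of entries
slow_count() { slow_entries | wc -l | tr -d ' '; }

# slow_frame PID -> the innermost frame of the entry for that worker
slow_frame() { slow_entries | awk -F'|' -v pid="$1" '$3 == pid { print $5 }'; }

# slow_by_script -> how often each script appears, busiest first
slow_by_script() { slow_entries | cut -d'|' -f4 | sort | uniq -c | sort -rn; }

# slow_outside ROOT -> entries whose script is not under ROOT. The page's
# open_basedir value permits /tmp/, so a script executing from there is
# something an operator would want to look at rather than just tune.
slow_outside() { slow_entries | awk -F'|' -v root="$1" 'index($4, root) != 1'; }

slow_entries
echo "--- by script"
slow_by_script
echo "--- outside the document root"
slow_outside /data/wwwroot/test.com/
```

To run it against a real log, replace the printf in slow_entries with cat of the slowlog path from the pool configuration; the field layout is the same.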

7. open_basedir

7.1 Configuration file

[root@knightlai php-fpm.d]# vim test.conf
// Add this line
php_admin_value[open_basedir]=/data/nginx/test.com:/tmp/

// Restart the service
[root@knightlai php-fpm.d]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

open_basedir limits the files PHP scripts in this pool may open to the listed directories (colon-separated). php_admin_value, unlike php_value, cannot be overridden from a script with ini_set(), which is the point of setting it here. Three things to get right: the PHP manual treats each entry as a prefix, so /data/nginx/test.com also matches /data/nginx/test.com-old; end every entry with a slash to restrict it to the directory itself. PHP resolves symlinks before the comparison, so a link planted inside the document root does not open the way out. And the directory must be the site's real document root: the value written here, /data/nginx/test.com, is not the root used elsewhere on this page (/data/wwwroot/test.com), and the line went into test.conf although the test.com site runs in the www pool (see the slow-log entry in 6.4); section 8 shows the line in www.conf with the corrected path.

7.2 Configuring the error log

[root@shuai-01 php-fpm.d]# vi /usr/local/php-fpm/etc/php.ini 
 
error_log=/usr/local/php-fpm/var/log/php_errors.log
error_reporting=E_ALL
display_errors = Off
log_errors = On

display_errors = Off keeps file paths and stack details out of HTTP responses; log_errors = On sends them to the file instead. With open_basedir in effect, an attempt to read outside the allowed directories shows up here as "open_basedir restriction in effect", which is how you confirm the restriction is working.

// Create the error log file
[root@knightlai php-fpm.d]# touch /usr/local/php-fpm/var/log/php_errors.log
[root@knightlai php-fpm.d]# chmod 777 /usr/local/php-fpm/var/log/php_errors.log

777 is more than this needs: the file only has to be writable by the pool user, so chown php-fpm followed by chmod 640 does the job without letting every local user append to or read the log.

8. php-fpm process management

The pm settings decide how many worker processes a pool runs. pm = dynamic keeps the number of idle workers between pm.min_spare_servers and pm.max_spare_servers and never exceeds pm.max_children; pm = static starts exactly pm.max_children workers and keeps them; pm = ondemand forks workers only when requests arrive. When sizing, multiply pm.max_children by the memory one worker uses: the total has to fit in RAM or the machine swaps under load. Comments in this file start with ";" (the "//" annotations the page used inline would be read as part of the value and rejected), so they are on their own lines here.

[root@knightlai etc]# cat www.conf 
[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
; dynamic: the worker count follows the load (static is the commented-out alternative)
pm = dynamic
;pm = static
; at most 50 child processes
pm.max_children = 50
; 20 children at startup
pm.start_servers = 20
; at least 5 idle children
pm.min_spare_servers = 5
; at most 35 idle children
pm.max_spare_servers = 35
; a child is recycled after 500 requests, which bounds memory leaks in extensions
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1  
slowlog = /usr/local/php-fpm/var/log/www-slow.log  
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/