nginx从入门到实战(三)
-
location匹配优先级
# Location matching priority: an exact match "=" is tried first, a prefix
# match marked "^~" second, and a regex match "~" third.
server {
    listen 80;
    server_name testserver1 jeson.t.imoocc.io;

    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;
    root /opt/app;

    # Exact match: selected only when the request URI is exactly /code1/.
    location = /code1/ {
        rewrite ^(.*)$ /code1/index.html break;
    }

    # Regex match: consulted only when the longest matching prefix location
    # is not marked "^~". With the "^~ /code" block below, a URI that begins
    # with /code never reaches this block. The pattern is unanchored, so it
    # can still match a URI that merely contains "/code" elsewhere in the path.
    location ~ /code.* {
        rewrite ^(.*)$ /code3/index.html break;
    }

    # "^~" prefix match: when this is the longest matching prefix, nginx skips
    # the regex locations entirely. Being a plain prefix, it also covers
    # /code1/x, /codeXYZ and so on.
    location ^~ /code {
        rewrite ^(.*)$ /code2/index.html break;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    # error_page 500 502 503 504 404 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
-
try_files,顺序检查是否存在
server {
    listen 80;
    server_name testserver1;

    location / {
        root /opt/app/code;
        # Check the cache first, then look in the root directory, and finally
        # forward the request to Tomcat on port 9090.
        # try_files tests each path relative to root, in order; the last
        # argument is the fallback, here the named location @java_page.
        # NOTE(review): "/cache" is a literal path, so this tests
        # /opt/app/code/cache for every request rather than a per-URI cached
        # copy. If a per-request cache was intended it would look like
        # /cache$uri. Confirm the intent.
        try_files /cache $uri @java_page;
    }

    # Named location: reachable only through internal redirects such as the
    # try_files fallback above, never directly by a client URI.
    location @java_page{
        proxy_pass http://127.0.0.1:9090;
    }
}
-
常见错误
# error: nginx: 413 request entity too large —— 用户上传文件超过限制,由 client_max_body_size 控制
# error: 502 bad gateway —— 后端服务无响应
# error: 504 gateway time-out —— 后端服务执行超时
-
性能优化
# 安装 ab 测试工具
yum install httpd-tools
ab -n 2000 -c 2 http://127.0.0.1/jesonc.html

动静分离
网络
系统
服务
程序
数据库、底层服务

文件句柄:一切皆文件,文件句柄就是一个索引
# /etc/security/limits.conf
# nginx.conf
worker_rlimit_nofile 35535;
- CPU亲和
# Worker processes run as the unprivileged "nginx" account.
user nginx;
worker_processes 16;

# Explicit CPU affinity: one bitmask per worker, one bit per CPU.
# NOTE(review): the first two masks below are identical, so two workers would
# share one CPU and the lowest CPU would stay unused. The first mask was
# presumably meant to be 0000000000000001. Confirm before enabling.
#worker_cpu_affinity 0000000000000010 0000000000000010 0000000000000100 0000000000001000 0000000000010000 0000000000100000 0000000001000000 0000000010000000 0000000100000000 0000001000000000 0000010000000000 0000100000000000 0001000000000000 0010000000000000 0100000000000000 1000000000000000;
# Two-mask variant: alternating CPUs for a two-worker setup.
#worker_cpu_affinity 1010101010101010 0101010101010101;
# Let nginx bind the workers to the available CPUs automatically.
worker_cpu_affinity auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

# Per-worker limit on open file descriptors. Each proxied request uses one
# descriptor for the client and one for the upstream, so keep this well above
# worker_connections.
worker_rlimit_nofile 35535;

events {
    use epoll;
    worker_connections 10240;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    #######
    #Charset
    charset utf-8;

    # $http_x_forwarded_for, $http_referer and $http_user_agent are taken
    # verbatim from client-supplied request headers. Treat them as untrusted
    # when the log is parsed or used as evidence; $remote_addr is the address
    # of the directly connected peer.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_uri"';

    access_log /var/log/nginx/access.log main;

    # NOTE(review): server_tokens is not set here, so the default (on) applies
    # and the nginx version appears in error pages and the Server header.
    # Consider "server_tokens off;".

    #######
    #Core module
    sendfile on;
    #tcp_nopush on;
    # The directive name is tcp_nodelay; the original spelling would be
    # rejected as an unknown directive if it were uncommented.
    #tcp_nodelay on;
    keepalive_timeout 65;

    ########
    #Gzip module
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_http_version 1.1;

    ########
    #Virtual Server
    include /etc/nginx/conf.d/*.conf;
}
-
安全
防盗链
secure_link_module
access_module
# File-upload vulnerability
# http://www.abc.com/upload/1.jpg/1.php
# nginx ends up executing 1.jpg as PHP code.
# NOTE(review): this presumably depends on a PHP handler that resolves the
# script from path info (cgi.fix_pathinfo enabled), not on nginx's static file
# serving. Confirm against the PHP location block, which is not shown here.
# The block below protects only the /upload prefix. The fix at the source is
# in the PHP handler itself: "try_files $uri =404;" in the PHP location,
# cgi.fix_pathinfo=0 in php.ini, and security.limit_extensions in the PHP-FPM
# pool.
#
# "^~" makes nginx skip regex locations for URIs under /upload, so a
# server-level "location ~ \.php$" handler is not selected for these requests.
location ^~ /upload{
    root /opt/app/images;
    # Case-insensitive and unanchored: any resolved file path containing
    # ".php" is refused. Other extensions the PHP handler may be configured to
    # execute are not covered by this pattern.
    if ($request_filename ~* (.*)\.php){
        return 403;
    }
}
sql注入
# Reference: https://github.com/loveshell/ngx_lua_waf
# These directives require nginx built with the Lua module (ngx_http_lua_module).
# A pattern-matching WAF is defense in depth: SQL injection itself is fixed in
# the application with parameterized queries, and the WAF only reduces exposure.
http {
    # Search path for Lua modules loaded by the WAF scripts.
    # NOTE(review): without a trailing ";;" the default Lua search path is not
    # appended. Confirm the WAF needs nothing outside this directory.
    lua_package_path "/etc/nginx/waf/?.lua";
    # 10 MB shared-memory zone named "limit", visible to all workers.
    lua_shared_dict limit 10m;
    # Runs once when the configuration is loaded.
    init_by_lua_file /etc/nginx/waf/init.lua;
    # Runs in the access phase of every request handled under this http block.
    # These scripts execute inside nginx, so /etc/nginx/waf should be writable
    # by administrators only.
    access_by_lua_file /etc/nginx/waf/waf.lua;
}