一般在实际生产环境中,nginx服务是不能随便重启或者reload,所以nginx的升级不能直接用reload来重新更新nginx的配置,而是需要发送信号来平滑升级
一 、nginx的平滑升级
需要两个版本的nginx
[root@base1 ~]# ls
nginx-1.14.2.tar.gz
nginx-1.15.8.tar.gz
[root@base1 ~]# tar zxf nginx-1.14.2.tar.gz
[root@base1 ~]# yum install -y gcc pcre-devel zlib-devel # 这是编译nginx的依赖包
[root@base1 ~]# cd nginx-1.14.2
[root@base1 nginx-1.14.2]# vim auto/cc/gcc # 关闭debug日志
171 # debug
172 # CFLAGS=“KaTeX parse error: Expected 'EOF', got '#' at position 37: …1 nginx-1.14.2]#̲ ./configure --…CFLAGS -g”
[root@base1 nginx-1.15.8]# ./configure --prefix=/usr/local/nginx/ # 必须和旧版本的nginx在相同的目录
[root@base1 nginx-1.15.8]# make # 第二次不能make install,会覆盖原来的nginx,即所有的nginx配置都不会生效
[root@base1 nginx-1.15.8]# ls
auto CHANGES.ru configure html Makefile objs src
CHANGES conf contrib LICENSE man README
[root@base1 nginx-1.15.8]# ll objs/
[root@base1 nginx-1.15.8]# cd /usr/local/nginx/sbin/
[root@base1 sbin]# ls
nginx
[root@base1 sbin]# cp nginx nginx.old # 备份旧版本的nginx,防止新版本的nginx出问题
[root@base1 sbin]# cd
[root@base1 ~]# cd nginx-1.15.8/objs/
[root@base1 objs]# cp nginx /usr/local/nginx/sbin/
[root@base1 objs]# ps -ef | grep nginx
[root@base1 objs]# kill -USR2 7175 # 发送信号告诉系统要升级,7175 是旧版本nginx的进程号
[root@base1 objs]# ps -ef | grep nginx # 查看,发现新版本的nginx已经启动
[root@base1 objs]# ps -ef | grep nginx
[root@base1 objs]# kill -WINCH 7175 # 停止旧的nginx,只会停止掉旧的nginx的worker
[root@base1 objs]# ps -ef | grep nginx
[root@base1 objs]# /usr/local/nginx/sbin/nginx -v
[root@base1 objs]# cd /usr/local/nginx/sbin/
[root@base1 sbin]# ll /usr/local/nginx/sbin/
当我们发现新版本的nginx有问题时,可以还原
[root@base1 sbin]# cp nginx.old nginx -f
[root@base1 sbin]# kill -HUP 7175 # 告诉系统要重新拉回旧的nginx,相当于reload
[root@base1 sbin]# ps -ef | grep nginx
[root@base1 sbin]# kill -USR2 7179
[root@base1 sbin]# kill -WINCH 7179 # 停止新的nginx,只会停止掉新的nginx的worker
[root@base1 sbin]# ps -ef | grep nginx
[root@base1 sbin]# /usr/local/nginx/sbin/nginx -v
编写nginx二进制脚本
[root@base1 sbin]# cd
[root@base1 ~]# yum install -y httpd
[root@base1 ~]# cd /usr/lib/systemd/system
[root@base1 system]# cp httpd.service /etc/systemd/system/nginx.service
[root@base1 system]# vim /etc/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDfile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root@base1 system]# ll /usr/local/nginx/logs/nginx.pid
-rw-r–r-- 1 root root 5 Feb 21 16:15 /usr/local/nginx/logs/nginx.pid
[root@base1 system]# ps -ef | grep nginx
[root@base1 system]# kill 7175 # 之前的nginx是通过二进制指令启动的,所以编写好启动脚本之后需要先kill掉之前的进程,重新开启即可
[root@base1 system]# systemctl start nginx
[root@base1 system]# systemctl status nginx
nginx配置文件
限制并发数
[root@base1 system]# cd
[root@base1 ~]# vim /usr/local/nginx/conf/nginx.conf
user nginx nginx; # 设置用户和用户组
事件模块
events {
worker_connections 65536; # 最大连接数
}
sendfile on; # 启动高效传输文件的模式,这个开启下面的tcp_nopush才生效
#tcp_nopush on; # 避免磁盘阻塞
#tcp_nodelay on # 避免网络阻塞
keepalive_timeout 65; # 保持连接
限制并发数
limit_conn_zone $binary_remote_addr zone=addr:10m;
#gzip on; # 网页压缩
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
location download/ {
limit_conn addr 1; # 只允许并发数为1
}
[root@base1 ~]# vim /etc/security/limits.conf # 网络连接数满足当前的最大软件限制
nginx - nofile 65536
[root@base1 ~]# ln -s /usr/local/nginx/sbin/nginx /sbin
[root@base1 ~]# nginx -s reload
测试
[root@foundation78 Desktop]# ab -c 10 -n 10 http://172.25.78.11/download/1.jpg # 10个并发,共进行10次
[root@foundation78 Desktop]# ab -c 1 -n 10 http://172.25.78.11/download/1.jpg
限速
[root@base1 html]# vim /usr/local/nginx/conf/nginx.conf
限速
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
location /download/ {
#limit_conn addr 1; # 只允许并发为1
limit_rate 50k; # 带宽为50k
}
[root@base1 html]# nginx -s reload
测试
[root@foundation78 Desktop]# ab -c 1 -n 10 http://172.25.78.11/download/1.jpg
限制请求(连接速率)
[root@base1 html]# vim /usr/local/nginx/conf/nginx.conf
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
location /download/ {
#limit_conn addr 1; # 只允许并发为1
#limit_rate 50k;
limit_req zone=one burst=5 delay=3;
}
[root@base1 html]# nginx -s reload
[root@foundation78 Desktop]# ab -c 1 -n 10 http://172.25.78.11/download/1.jpg
动态模块编译
[root@base1 ~]# cd
[root@base1 ~]# ls
nginx-1.14.2
gd-devel-2.0.35-26.el7.x86_64.rpm
[root@base1 ~]# yum install -y gd-devel-2.0.35-26.el7.x86_64.rpm # 这是编译动态模块的依赖包
[root@base1 ~]# cd nginx-1.14.2
[root@base1 nginx-1.14.2]# make clean
[root@base1 nginx-1.14.2]# ./configure --prefix=/usr/local/nginx/ --with-http_image_filter_module=dynamic --with-http_realip_module
[root@base1 nginx-1.14.2]# make
[root@base1 nginx-1.14.2]# cd objs/
[root@base1 objs]# nginx -s stop
[root@base1 objs]# cp nginx /usr/local/nginx/sbin/nginx
[root@base1 objs]# cd /usr/local/nginx/conf/
[root@base1 conf]# vim nginx.conf
第1行 load_module modules/ngx_http_image_filter_module.so;
49 location /download/ {
50 #limit_conn addr 1;
51 #limit_rate 50k;
52 limit_req zone=one burst=5;
53 image_filter resize 100 200;
54 }
[root@base1 conf]# nginx
[root@base1 conf]# nginx -s reload
测试
[root@base1 nginx]# pwd
/usr/local/nginx
[root@base1 nginx]# vim /usr/local/nginx/conf/nginx.conf
54 autoindex on; # nginx默认是不允许列出整个目录的,on表示允许
[root@base1 nginx]# nginx -s reload
expires 缓存提升网站负载
静态数据设置为缓存,降低网站带宽,缓存提升网站负载
[root@base1 nginx]# vim /usr/local/nginx/conf/nginx.conf
71 location ~ .*.(jpg|png|css|js)?$ {
72 expires 30d; # 控制图片等过期时间为30天
73 }
[root@base1 nginx]# nginx -s reload
测试
[root@foundation78 Desktop]# curl -I 172.25.78.11/download/1.jpg
重定向
[root@base1 certs]# cd /usr/local/nginx/conf/
[root@base1 conf]# vim nginx.conf
当访问域名 www.westos.org时,实际上访问的是 /web/index.html文件
128 server {
129 listen 80; # 监听80端口
130 server_name www.westos.org; # 定义域名
131
132 location / {
133 root /web;
134 index index.html;
135 }
136 }
[root@base1 conf]# mkdir /web
[root@base1 conf]# vim /web/index.html
www.westos.org
测试
[root@base1 conf]# vim /etc/hosts
172.25.78.11 base1 www.westos.org
[root@base1 conf]# curl www.westos.org # 测试成功
www.westos.org
添加443端口,实现http到https的加密
编译ssl模块
[root@base1 nginx]# nginx -s stop
[root@base1 nginx]# cd
[root@base1 ~]# cd nginx-1.14.2
[root@base1 nginx-1.14.2]# make clean
[root@base1 nginx-1.14.2]# yum install -y openssl-devel # 编译ssl模块需要的依赖包
[root@base1 nginx-1.14.2]# ./configure --prefix=/usr/local/nginx/ --with-http_image_filter_module=dynamic --with-http_realip_module --with-http_ssl_module
[root@base1 nginx-1.14.2]# make
[root@base1 nginx-1.14.2]# cd objs/
[root@base1 objs]# cp nginx /usr/local/nginx/sbin/
[root@base1 objs]# cp ngx_http_image_filter_module.so /usr/local/nginx/modules/
[root@base1 objs]# cd /etc/pki/tls/certs/
[root@base1 certs]# make cert.pem # 制作证书
[root@base1 certs]# cp cert.pem /usr/local/nginx/conf/ # 证书在 /usr/local/nginx/conf/才会生效
[root@base1 certs]# cd /usr/local/nginx/conf/
[root@base1 conf]# vim nginx.conf
server {
listen 443 ssl; # 监听端口为443
server_name www.westos.org;
ssl_certificate cert.pem; # 证书位置
ssl_certificate_key cert.pem; # 私钥位置
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5; # 密码加密方式
ssl_prefer_server_ciphers on;
location / {
root /web; # 根目录位置
index index.html index.htm;
}
}
server {
listen 80;
server_name www.westos.org;
location / {
root /web;
index index.html;
}
}
[root@base1 conf]# nginx -t # 检测语法
[root@base1 conf]# nginx -s reload
[root@base1 conf]# netstat -antlp # 查看443端口已开启
[root@foundation78 Desktop]# vim /etc/hosts # 在客户端写解析
172.25.78.11 server1 www.westos.org
测试,生成证书
重定向,无论访问什么,都会重定向到https://www.westos.org
[root@base1 conf]# pwd
/usr/local/nginx/conf
[root@base1 conf]# vim nginx.conf
128 server {
129 listen 80;
130 server_name www.westos.org;
131 rewrite ^/(.)$ https://www.westos.org/KaTeX parse error: Expected 'EOF', got '}' at position 10: 1; 132 }̲ # 重定向域名后的第一串… https://www.westos.org/
1
;
132
r
e
w
r
i
t
e
/
b
b
s
(
.
∗
)
1; 132 rewrite ^/bbs (.*)
1;132rewrite/bbs(.∗) http://bbs.westos.org/KaTeX parse error: Expected 'EOF', got '}' at position 146: …0 141 }̲ 142 143 s… https://www.westos.org/KaTeX parse error: Expected 'EOF', got '#' at position 16: 1; 132 #̲rewrite ^/bbs/(… http://bbs.westos.org/
1
p
e
r
m
a
n
e
n
t
;
133
i
f
(
1 permanent; 133 if (
1permanent;133if(host = “bbs.westos.org”){
134 rewrite ^/(.)$ http://www.westos.org/bbs/$1 permanent;
135 }
136 location / {
137 root /web;
138 index index.html;
139 }
140 }
[root@base1 web]# nginx -s reload
测试
[root@foundation78 Desktop]# curl -I bbs.westos.org
如果没有找到想要匹配的域名解析时,就会访问到默认用户,容易造成恶意解析
[root@base1 conf]# vim /usr/local/nginx/html/test.html
test.westos.org
测试
[root@foundation78 Desktop]# vim /etc/hosts # 先写解析
172.25.78.11 base1 www.westos.org bbs.westos.org test.westos.org
[root@foundation78 Desktop]# curl -I test.westos.org # 解析成功
[root@base1 conf]# vim nginx.conf
server {
listen 80;
server_name _; # 这是一个无效的域名
rewrite ^(.*) http://www.westos.org; # 其余未知域名解析到这个地址
location / {
root html;
index index.html index.htm;
}
[root@base1 conf]# nginx -s reload
测试
[root@foundation78 Desktop]# curl -I test.westos.org
但是在实际生产环境中,我们一般会注释掉默认页面,而不会做重定向
盗链
base1 172.25.78.11 被盗链服务器
base2 172.25.78.12 盗链服务器
模拟盗链
在base1上
[root@base2 ~]# yum install -y gd-devel-2.0.35-26.el7.x86_64.rpm cc gcc pcre-devel zlib-devel
[root@base2 ~]# tar zxf nginx-1.14.2.tar.gz
[root@base2 ~]# cd nginx-1.14.2
[root@base2 nginx-1.14.2]# vim auto/cc/gcc
171 # debug
172 #CFLAGS="$CFLAGS -g"
[root@base2 nginx-1.14.2]# ./configure --prefix=/usr/local/nginx/ --with-http_image_filter_module=dynamic --with-http_realip_module
[root@base2 nginx-1.14.2]# make && make install
[root@base2 nginx-1.14.2]# cd /usr/local/nginx/conf/
[root@base2 conf]# vim nginx.conf
35 server {
36 listen 80;
37 server_name daolian.westos.org;
38
39 charset utf-8;
40
41 #access_log logs/host.access.log main;
42
43 location / {
44 root /web;
45 index index.html index.htm;
46 }
[root@base2 conf]# ln -s /usr/local/nginx/sbin/nginx /sbin
[root@base2 conf]# nginx
[root@base2 conf]# mkdir /web
[root@base2 conf]# vim /web/index.html
daolian.westos.org
[root@base2 conf]# vim /etc/hosts # 写解析
172.25.78.12 base2 daolian.westos.org
[root@base2 conf]# curl daolian.westos.org # 测试
daolian.westos.org
[root@base2 conf]# vim /web/index.html
盗链图片
 在base1上 [root@base1 conf]# cp /usr/local/nginx/html/download/1.jpg /web/ [root@base1 conf]# ls /web/ 1.jpg 测试 [root@foundation78 Desktop]# vim /etc/hosts 172.25.78.12 base2 daolian.westos.org  [root@base1 conf]# cat /usr/local/nginx/logs/access.log # 在被盗链服务器上查看日志  现在防止盗链 [root@base1 conf]# cd /bbs [root@base1 bbs]# ls daolian.png index.html [root@base1 bbs]# cd /usr/local/nginx/conf/ [root@base1 conf]# vim nginx.conf 143 location ~* \.(gif|jpg|png|jpeg)$ { 144 root /web; 145 valid_referers none blocked www.westos.org;# 原是站点访问的是www.westos.otg时,不做禁止 146 if ($invalid_referer){ 147 rewrite ^/ http://bbs.westos.org/daolian.png; 148 } 149 } 150 151 } 152 153 server { 154 listen 80; 155 server_name bbs.westos.org; 156 157 location / { 158 root /bbs; 159 index index.html; 160 }  [root@base1 conf]# nginx -s reload 测试  nginx的日志 编写脚本,使得每天00:00备份前一天的数据在日志里 [root@base1 ~]# cd /opt/ [root@base1 opt]# vim nginx_log.sh #!/bin/bash cd /usr/local/nginx/logs && mv access.log access.log_$(date +%F -d -1day) /usr/local/nginx/sbin/nginx -s reload  [root@base1 opt]# crontab -e # 这是定时任务 00 00 * * * /opt/nginx_log.sh [root@base1 opt]# chmod +x /opt/nginx_log.sh # 脚本已经编写完成 [root@base1 opt]# cd /usr/local/nginx/logs/ 为了测试脚本是否生效,我们先手动执行一下脚本,看是否会自动生日志 [root@base1 logs]# /opt/nginx_log.sh [root@base1 logs]# ls # 日志备份成功,说明脚本编写的没有问题 access.log access.log_2019-03-07 error.log nginx.pid 
1097
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
