LNMP
nginx 功能
- http服务,反向代理,负载均衡,邮件代理,缓存加速,ssl,flv/mp4流媒体
- 和LAMP不同的是,提供web服务的是Nginx
- php是作为一个独立服务存在的,这个服务叫做php-fpm
- Nginx直接处理静态请求,动态请求会转发给php-fpm,尤其是处理静态请求功能卓越。
- nginx用户并发几千条,apache做不到!
PHP-FPM安装
和LAMP安装PHP方法有差别,需要开启php-fpm服务 //service php-fpm start..
配置步骤如下:
cd /usr/local/src/
wget http://cn2.php.net/distributions/php-5.6.30.tar.gz
tar zxf php-5.6.30.tar.gz
useradd -s /sbin/nologin php-fpm
cd php-5.6.30
./configure --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-pdo-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring --enable-exif --with-pear --with-curl --with-openssl
make && make install
cp php.ini-production /usr/local/php-fpm/etc/php.ini //配置文件
vi /usr/local/php/etc/php-fpm.conf //写入如下内容
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm //启动文件
chmod 755 /etc/init.d/php-fpm
chkconfig --add php-fpm
chkconfig php-fpm on
service php-fpm start
ps aux |grep php-fpm
checking for cURL in default path... not found
yum -y install curl-devel
nginx介绍安装
Nginx官网 nginx.org,最新版1.13,最新稳定版1.12。Nginx应用场景:web服务、反向代理、负载均衡。Nginx著名分支:淘宝基于Nginx开发的Tengine,使用上和Nginx一致,服务名、配置文件名都一样,和Nginx的最大区别在于Tengine增加了一些定制化模块,在安全限速方面表现突出,另外它支持对js,css合并。Nginx核心+lua相关的组件和模块组成了一个支持lua的高性能web容器openresty。
安装步骤如下:
cd /usr/local/src
wget http://nginx.org/download/nginx-1.12.1.tar.gz
tar zxf nginx-1.12.1.tar.gz
./configure --prefix=/usr/local/nginx
make && make install
vim /etc/init.d/nginx //复制如下内容
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
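# Load the Red Hat init helpers (daemon, killproc) that the action functions below rely on.
. /etc/init.d/functions
# Nginx Settings — fixed install paths. Marked readonly so that a later typo or a
# sourced file cannot silently redirect daemon()/killproc() at another binary or pid file.
readonly NGINX_SBIN="/usr/local/nginx/sbin/nginx"
readonly NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
readonly NGINX_PID="/usr/local/nginx/logs/nginx.pid"
RETVAL=0        # status of the action that ran; handed to the final 'exit'
prog="Nginx"    # display name used in the "Starting/Stopping ..." messages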
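#######################################
# Start nginx through daemon() from /etc/init.d/functions.
# Globals:   prog, NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
# Outputs:   "Starting Nginx: " followed by daemon()'s status marker on stdout
# Returns:   the status reported by daemon()
#######################################
start()
{
  echo -n $"Starting $prog: "
  # Scratch directory under /dev/shm; the nginx.conf in these notes does not
  # reference it, it only exists to pair with the rm -rf in stop().
  mkdir -p /dev/shm/nginx_temp
  # Quoted so daemon() always receives exactly "<binary> -c <conf>", even if a
  # path ever contains whitespace.
  daemon "$NGINX_SBIN" -c "$NGINX_CONF"
  RETVAL=$?
  echo
  return "$RETVAL"
}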
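#######################################
# Stop nginx by sending SIGTERM to the pid recorded in NGINX_PID via killproc().
# Globals:   prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
# Outputs:   "Stopping Nginx: " followed by killproc()'s status marker on stdout
# Returns:   the status reported by killproc()
#######################################
stop()
{
  echo -n $"Stopping $prog: "
  killproc -p "$NGINX_PID" "$NGINX_SBIN" -TERM
  # Capture killproc's status immediately: the original read $? only after
  # 'rm -rf', so a failed stop was reported as rm's (always 0) status.
  RETVAL=$?
  rm -rf /dev/shm/nginx_temp
  echo
  return "$RETVAL"
}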
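#######################################
# Ask the running nginx master to reload its configuration (SIGHUP).
# Globals:   prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
# Outputs:   "Reloading Nginx: " followed by killproc()'s status marker on stdout
# Returns:   the status reported by killproc()
#######################################
reload()
{
  echo -n $"Reloading $prog: "
  # Quoted so the pid file and binary are passed as single arguments.
  killproc -p "$NGINX_PID" "$NGINX_SBIN" -HUP
  RETVAL=$?
  echo
  return "$RETVAL"
}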
#######################################
# Full stop/start cycle. stop()'s status is deliberately not checked, so a
# start is still attempted when nothing was running.
# Returns:   the status of start()
#######################################
restart()
{
  stop; start
}
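#######################################
# Run 'nginx -t' against NGINX_CONF.
# Globals:   NGINX_SBIN, NGINX_CONF (read)
# Outputs:   nginx's own syntax-check messages (stderr)
# Returns:   the status of 'nginx -t'; the original's unconditional 'return 0'
#            hid a broken configuration from any script calling this action.
#######################################
configtest()
{
  "$NGINX_SBIN" -c "$NGINX_CONF" -t
}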
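# Dispatch on the requested action; RETVAL carries the action's status to 'exit'.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  reload)
    reload
    ;;
  restart)
    restart
    ;;
  configtest)
    configtest
    # Record the check's status so a failed 'nginx -t' shows in the exit code
    # (RETVAL is otherwise only written by start/stop/reload).
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|reload|restart|configtest}"
    RETVAL=1
    ;;
esac
exit "$RETVAL"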
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
vim nginx.conf //写入如下内容(下面各行 // 之后的文字是笔记说明,nginx 配置文件中的注释要用 #,复制时不要把 // 说明一起写进去)
user nobody nobody; //定义运行服务的用户
worker_processes 2; //进程数,几核cpu开几个
error_log /usr/local/nginx/logs/nginx_error.log crit; //定义记录日志等级
pid /usr/local/nginx/logs/nginx.pid; //定义pid
worker_rlimit_nofile 51200;
events
{
use epoll; //事件驱动器模型 windows使用select
worker_connections 6000;
}
http
{
include mime.types; //定义nginx能识别的网络资源媒体类型(如文本,html,js,css,流媒体等)
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on; //数据包累计到一定量再一起发送
keepalive_timeout 30; //服务器和客户端结束后仍旧保持连接的最大时间
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m; //服务器给client发数据,client一直没响应,超过该时间将关闭这个连接
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 8 4k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
client_max_body_size 10m;
client_body_buffer_size 256k;
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/proxy_temp;
fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
fastcgi_intercept_errors on;
tcp_nodelay on;
gzip on; //是否开启压缩功能,下面都是具体压缩参数
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm //会压缩哪些文件
application/xml;
server
{
listen 80;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
}
/usr/local/nginx/sbin/nginx -t
/etc/init.d/nginx start
netstat -lntp |grep 80
Nginx默认虚拟主机
配置案例如下:
vim /usr/local/nginx/conf/nginx.conf //删掉原有的 增加虚拟主机
include vhost/*.conf;
mkdir /usr/local/nginx/conf/vhost
cd !$; vim default.conf //加入如下内容
server
{
listen 80 default_server; // 有这个标记的就是默认虚拟主机
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
mkdir -p /data/wwwroot/default/
echo "This is a default site.">/data/wwwroot/default/index.html
/usr/local/nginx/sbin/nginx -t //检测格式是否正确
/usr/local/nginx/sbin/nginx -s reload
curl localhost
curl -x127.0.0.1:80 123.com
按照案例自己配置一个
[root@localhost vhost]# vi /usr/local/nginx/conf/nginx.conf
[root@localhost etc]# cd /usr/local/nginx/conf
[root@localhost conf]# mkdir xxoo
[root@localhost conf]# vi ./xxoo/test.xxoo
server
{
listen 8999 ;
server_name xxoo.com;
index index.html index.htm index.php;
root /data/xxoo;
}
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# mkdir /data/xxoo
[root@localhost conf]# vi /data/xxoo/test.html
xxoo test file !
~
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost conf]# curl -x127.0.0.1:8999 xxoo.com/test.html
xxoo test file !
Nginx用户认证
配置案例如下:
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location / || /admin || ~ admin.php //全局,目录,特定页面认证
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@localhost vhost]# curl -x127.0.0.1:80 -uhello:helllo tea.com/222.html
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost vhost]# curl -x127.0.0.1:80 -uhello:hello tea.com/222.html
22222222
location个人理解就是match的意思,匹配到该元素,然后下面执行动作!
语法规则: location [=|~|~*|^~] /uri/ { … }
- = 开头表示精确匹配
- ^~ 开头表示uri以某个常规字符串开头,理解为匹配 url路径即可。nginx不对url做编码,因此请求为/static/20%/aa,可以被规则^~ /static/ /aa匹配到(注意是空格)。
- ~ 开头表示区分大小写的正则匹配
- ~* 开头表示不区分大小写的正则匹配
- !~和!~*分别为区分大小写不匹配及不区分大小写不匹配 的正则
- / 通用匹配,任何请求都会匹配到。
多个location配置的情况下匹配顺序为(参考资料而来,还未实际验证,试试就知道了,不必拘泥,仅供参考): 首先匹配 =,其次匹配^~, 其次是按文件中顺序的正则匹配,最后是交给 / 通用匹配。当有匹配成功时候,停止匹配,按当前匹配规则处理请求
Nginx域名重定向
配置案例如下:
更改test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
}
server_name后面支持写多个域名(用空格分隔,不是逗号),这里要和httpd的做一个对比
permanent为永久重定向,状态码为301,如果写redirect则为302
按照案例自己配置
[root@localhost vhost]# vi coffee.com.conf
server
{
listen 8080 ;
server_name coffee.com,redir.com;
index index.html index.htm index.php;
root /data/coffee;
if ($host != 'coffee.com' ) {
rewrite ^/(.*)$ http://coffee.com/$1 permanent;
}
}
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost vhost]# curl -x127.0.0.1:8080 redir.com/111.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Sun, 30 Dec 2018 02:30:37 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://coffee.com/111.html
[root@localhost vhost]# curl -x127.0.0.1:8080 redir.com/1sdfsdf11.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Sun, 30 Dec 2018 02:30:43 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://coffee.com/1sdfsdf11.html
Nginx访问日志
[root@localhost vhost]# vi /usr/local/nginx/conf/nginx.conf
自定义host 日志格式
除了在主配置文件nginx.conf里定义日志格式外,还需要在虚拟主机配置文件中进行调用!
[root@localhost vhost]# vi /usr/local/nginx/conf/vhost/tea.com.conf
server
{
listen 80 default_server;
server_name tea.com;
index index.html index.htm index.php;
root /data/tea;
location ~* 222.html
{
auth_basic "Auth";
auth_basic_user_file /data/pass;
}
access_log /data/log/tea.com Pudge; //新增该配置,调用Pudge
}
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: [emerg] open() "/data/log/tea.com" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@localhost vhost]# mkdir -p /data/log //创建日志存放目录,日志文件会自动创建并写入
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost vhost]# curl -x127.0.0.1:80 tea.com/111.php
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost vhost]# curl -x127.0.0.1:80 tea.com/111.html
this is a test site
[root@localhost vhost]# curl -x127.0.0.1:80 tea.com/222.html
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost vhost]# curl -x127.0.0.1:80 -uhello:hello tea.com/222.html
22222222
[root@localhost vhost]# cat /data/log/tea.com
127.0.0.1 - [30/Dec/2018:11:02:38 +0800] tea.com "/111.php" 404 "-" "curl/7.29.0"
127.0.0.1 - [30/Dec/2018:11:02:44 +0800] tea.com "/111.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [30/Dec/2018:11:02:48 +0800] tea.com "/222.html" 401 "-" "curl/7.29.0"
127.0.0.1 - [30/Dec/2018:11:02:57 +0800] tea.com "/222.html" 200 "-" "curl/7.29.0"
Nginx日志切割
配置案例如下:
自定义shell 脚本
vim /usr/local/sbin/nginx_log_rotate.sh//写入如下内容
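#! /bin/bash
# Rotate nginx access logs (assumes they are kept under /data/logs/): every *.log
# in $logdir is renamed to <name>-<yesterday's date>, then the nginx master is
# sent HUP so it reopens (re-creates) the original log files.
# Meant to run once a day from cron just after midnight.
d=$(date -d "-1 day" +%Y%m%d)
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# Stop if the directory is missing: the loop below renames whatever matches
# *.log in the current directory, which would be cron's cwd otherwise.
cd "$logdir" || exit 1
# Let the shell glob instead of parsing ls; the -e test skips the literal
# "*.log" that an empty directory yields.
for log in *.log
do
  [ -e "$log" ] || continue
  mv -- "$log" "$log-$d"
done
# Only signal when the pid file is readable; an empty argument would make
# kill print its usage instead of reopening the logs.
if [ -r "$nginx_pid" ]; then
  /bin/kill -HUP "$(cat "$nginx_pid")"
else
  printf '%s\n' "$nginx_pid not readable; logs renamed but nginx was not signalled" >&2
  exit 1
fi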
任务计划
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
[root@localhost vhost]# vi /usr/local/sbin/nginx_log_rotate.sh
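#! /bin/bash
# Rotate the nginx access logs under /data/log: every *.log is renamed to
# <name>-<yesterday's date>, then the nginx master is sent HUP so it reopens
# (re-creates) the original log files. Run daily from cron after midnight.
d=$(date -d "-1 day" +%Y%m%d)          # yesterday's date, the suffix for rotated files
logdir="/data/log"                     # directory holding the logs to rotate
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# Stop if the directory is missing: the loop below renames whatever matches
# *.log in the current directory, which would be cron's cwd otherwise.
cd "$logdir" || exit 1
# Glob instead of parsing ls; the -e test skips the literal "*.log" that an
# empty directory yields.
for log in *.log
do
  [ -e "$log" ] || continue
  mv -- "$log" "$log-$d"
done
# Only signal when the pid file is readable; an empty argument would make
# kill print its usage instead of reopening the logs.
if [ -r "$nginx_pid" ]; then
  /bin/kill -HUP "$(cat "$nginx_pid")"
else
  printf '%s\n' "$nginx_pid not readable; logs renamed but nginx was not signalled" >&2
  exit 1
fi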
[root@localhost sbin]# sh /usr/local/sbin/nginx_log_rotate.sh
[root@localhost sbin]# mv /data/log/tea.com /data/log/tea.log
[root@localhost sbin]# ls /data/log/tea.
tea.com tea.log-20181229
静态文件不记录日志和过期时间
配置案例如下:
配置如下
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
[root@localhost sbin]# vi /usr/local/nginx/conf/vhost/coffee.com.conf
server
{
listen 8080 ;
server_name coffee.com,redir.com;
index index.html index.htm index.php;
root /data/coffee;
if ($host != 'coffee.com' ) {
rewrite ^/(.*)$ http://coffee.com/$1 permanent;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{ expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{ expires 12h;
access_log off;
}
access_log /data/log/coffee.com Pudge; //不要忘记定义日志存放目录
}
[root@localhost sbin]# vi /data/coffee/picture.jpg
jdlfsjdflksjdfl
[root@localhost sbin]# curl -x127.0.0.1:8080 coffee.com/picture.jpg
jdlfsjdflksjdfl
[root@localhost log]# curl -x127.0.0.1:8080 coffee.com/222.html
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost log]# cat coffee.com
127.0.0.1 - [30/Dec/2018:11:58:00 +0800] coffee.com "/222.html" 404 "-" "curl/7.29.0"
Nginx防盗链
配置如下,可以和上面的配置结合起来
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
[root@localhost init.d]# vi /usr/local/nginx/conf/vhost/water.conf
server //新建一个虚拟主机
{
listen 9999;
server_name water.com;
index index.html index.htm index.php;
root /data/water;
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.water.com ;
if ($invalid_referer) {
return 403;
}
# access_log off;
}
access_log /data/log/water.com Pudge;
}
[root@localhost init.d]# mkdir /data/water
[root@localhost init.d]# vi /data/water/1.rar
[root@localhost init.d]# curl -x127.0.0.1:9999 -e "http://water.com " water.com/1.rar
sdjfsdkfjseifjsljdflnn
sd
f
sdf
sd
g
g
sd
s
df
[root@localhost init.d]# curl -x127.0.0.1:9999 -e "http://www.1111r.com " water.com/1.rar
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
Nginx访问控制
需求:访问/admin/目录的请求,只允许某几个IP访问,配置如下:
location /admin/ //针对目录
{
allow 192.168.133.1; //规则和apache不一样:按顺序从上到下匹配,命中第一条规则后就不再往下匹配了!
allow 127.0.0.1;
deny all;
}
mkdir /data/wwwroot/test.com/admin/
echo "test,test">/data/wwwroot/test.com/admin/1.html
-t && -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.133.130:80 test.com/admin/1.html -I
可以匹配正则
location ~ .*(abc|image)/.*\.php$ //禁止解析php
{
deny all;
}
根据user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') //隐藏网站 不被蜘蛛爬到!
{
return 403;
}
deny all和return 403效果一样
[root@localhost init.d]# curl -x127.0.0.1:9999 water.com/water.html
this is a test file of water.vhost~
[root@localhost init.d]# curl -x192.168.182.222:9999 water.com/water.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost init.d]# !cat
cat /data/log/water.com
127.0.0.1 - [30/Dec/2018:22:22:01 +0800] water.com "/water.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [30/Dec/2018:22:24:30 +0800] water.com "/water.html" 200 "-" "curl/7.29.0"
192.168.182.129 - [30/Dec/2018:22:26:10 +0800] water.com "/water.html" 403 "-" "curl/7.29.0"
[root@localhost init.d]# curl -x127.0.0.1:80 tea.com/www.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost init.d]# mv /data/tea/www.php /data/tea/www.ph
[root@localhost init.d]# curl -x127.0.0.1:80 tea.com/www.ph
disable lookup php script
[root@localhost init.d]# curl -A "Tomato" -x127.0.0.1:80 tea.com/111.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost init.d]# curl -A "tomato" -x127.0.0.1:80 tea.com/111.html
this is a test site
[root@localhost init.d]#
Nginx解析php的配置
配置如下:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
fastcgi_pass 用来指定php-fpm监听的地址或者socket
2个路径必须一致
[root@localhost init.d]# !vi
vi /data/coffee/123.php
<?php
echo "hello world !";
[root@localhost init.d]# curl -x127.0.0.1:8080 coffee.com/123.php
hello world ![root@localhost init.d]#
curl
- -e refer
- -u user
- -x 源ip
- -A user_agent
Nginx代理
cd /usr/local/nginx/conf/vhost
vim proxy.conf //加入如下内容
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://47.104.7.242/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Nginx负载均衡
vim /usr/local/nginx/conf/vhost/load.conf // 写入如下内容
upstream qq_com
{
ip_hash; //保持同一个用户始终在同一个机器上
server 61.135.157.156:80; //不能代理https
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
upstream来指定多个web server
SSL工作流程
浏览器发送一个https的请求给服务器;
服务器要有一套数字证书,可以自己制作(后面的操作就是阿铭自己制作的证书),也可以向组织申请,区别就是自己颁发的证书需要客户端验证通过,才可以继续访问,而使用受信任的公司申请的证书则不会弹出提示页面,这套证书其实就是一对公钥和私钥;
服务器会把公钥传输给客户端;
客户端(浏览器)收到公钥后,会验证其是否合法有效,无效会有警告提醒,有效则会生成一串随机数,并用收到的公钥加密;
客户端把加密后的随机字符串传输给服务器;
服务器收到加密随机字符串后,先用私钥解密(公钥加密,私钥解密),获取到这一串随机数后,再用这串随机字符串加密传输的数据(该加密为对称加密,所谓对称加密,就是将数据和私钥也就是这个随机字符串通过某种算法混合在一起,这样除非知道私钥,否则无法获取数据内容);
服务器把加密后的数据传输给客户端;
客户端收到数据后,再用自己的私钥也就是那个随机字符串解密;
cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048//key文件为私钥
openssl rsa -in tmp.key -out aminglinux.key //转换key,取消密码
rm -f tmp.key
openssl req -new -key aminglinux.key -out aminglinux.csr//生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件
openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
这里的aminglinux.crt为公钥
[root@localhost init.d]# cd /usr/local/nginx/conf
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
...........................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
[root@localhost conf]# openssl rsa -in tmp.key -out grape.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# openssl rsa -in tmp.key -out grape.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# openssl req -new -key grape.key -out grape.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:zj
Locality Name (eg, city) [Default City]:wz
...
最后用grape.csr 和grape.key 生成 crt
[root@localhost conf]# openssl x509 -req -days 365 -in grape.csr -signkey grape.key -out grape.crt
Signature ok
subject=/C=cn/ST=zj/L=wz/O=grape/OU=ope/CN=ape/emailAddress=ape@mail.com
Getting Private key
Nginx配置SSL
vim /usr/local/nginx/conf/vhost/ssl.conf//加入如下内容
server
{
listen 443;
server_name aming.com;
index index.html index.php;
root /data/wwwroot/aming.com;
ssl on;
ssl_certificate aminglinux.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
-t && -s reload //若报错unknown directive “ssl” ,需要重新编译nginx,加上--with-http_ssl_module
mkdir /data/wwwroot/aming.com
echo "ssl test page.">/data/wwwroot/aming.com/index.html
编辑hosts,增加127.0.0.1 aming.com
curl https://aming.com/
[root@localhost ~]# /usr/local/nginx/sbin/nginx -V //查看编译参数
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
configure arguments: --prefix=/usr/local/nginx
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@localhost nginx-1.12.1]# cd /usr/local/src/nginx-1.12.1
[root@localhost nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost conf]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
php-fpm的pool
vim /usr/local/php/etc/php-fpm.conf//在[global]部分增加
include = etc/php-fpm.d/*.conf
mkdir /usr/local/php/etc/php-fpm.d/
cd /usr/local/php/etc/php-fpm.d/
vim www.conf //内容如下
[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
php-fpm解析php会消耗资源,当一个网站由于各种原因占用全部pool之后,其他的网站就无法正常工作了。所以最好要隔离各个pool。一个vhost使用一个pool(通过socket参数来区分)。
[root@localhost conf]# vi /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost etc]# vi /usr/local/php-fpm/etc/php-fpm.conf //想定义vhost一样 各自定义各自的配置文件然后都存放到etc/php-fpm.d/*.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf
定义完include路径之后,就要在$include里创建相应的pool了。最后在nginx的vhost里修改php解析的参数了。一切done之后,所有服务reload一下!==socket文件会自动生成==
php-fpm慢执行日志
vim /usr/local/php-fpm/etc/php-fpm.d/www.conf//加入如下内容
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
配置nginx的虚拟主机test.com.conf,把unix:/tmp/php-fcgi.sock改为unix:/tmp/www.sock
重新加载nginx服务
vim /data/wwwroot/test.com/sleep.php//写入如下内容
<?php echo "test slow log";sleep(2);echo "done";?>
curl -x127.0.0.1:80 test.com/sleep.php
cat /usr/local/php-fpm/var/log/www-slow.log
针对php网站运行过程中出现的卡顿情况,可以使用php-fpm的慢执行日志。找出卡顿的原因!
[root@localhost vhost]# vi /usr/local/php-fpm/etc/php-fpm.d/coffee.conf
[root@localhost nginx]# /etc/init.d/php-fpm reload
[root@localhost nginx]# vi /data/coffee/slow.php
<?php
echo "test slow log";
sleep(2);
echo "done";
?>
[root@localhost nginx]# curl -x127.0.0.1:8080 coffee.com/slow.php
test slow logdone[root@localhost nginx]#
[root@localhost nginx]# cat /usr/local/php-fpm/var/log/coffee-slow.log //查看日志文件
[31-Dec-2018 12:14:11] [pool coffee] pid 6005
script_filename = /data/coffee/slow.php
[0x00007f83ea9e8240] sleep() /data/coffee/slow.php:3 //找出造成卡顿的原因在第三行代码
/usr/local/php-fpm/etc/php.ini 下的display_errors临时开启,不然php语法错误都不知道!
php-fpm定义open_basedir
vim /usr/local/php-fpm/etc/php-fpm.d/aming.conf //加入如下内容(定义socket的文件)
php_admin_value[open_basedir]=/data/wwwroot/aming.com:/tmp/
[root@localhost nginx]# vi /usr/local/php-fpm/etc/php.ini
display_errors 最好关掉,不然错误信息会显示到浏览器上的。error_log和error_reporting也定义好!
php-fpm进程管理
pm = dynamic //动态进程管理,也可以是static
pm.max_children = 50 //最大子进程数,ps aux可以查看
pm.start_servers = 20 //启动服务时会启动的进程数
pm.min_spare_servers = 5 //定义在空闲时段,子进程数的最少数量,如果达到这个数值时,php-fpm服务会自动派生新的子进程。
pm.max_spare_servers = 35 //定义在空闲时段,子进程数的最大值,如果高于这个数值就开始清理空闲的子进程。
pm.max_requests = 500 //定义一个子进程最多处理的请求数,也就是说在一个php-fpm的子进程最多可以处理这么多请求,当达到这个数值时,它会自动退出。
查看启动进程 ps aux | grep php