Contents
1. Nginx load balancing
2. How SSL works
3. Generating an SSL key pair
4. Configuring SSL in Nginx
5. php-fpm pools
6. php-fpm slow-execution log
7. open_basedir
8. php-fpm process management
1. Nginx load balancing
Placed in front of the application servers, it splits incoming traffic so that the resources of the servers behind it are used fully and evenly.
1.1 Test
- Baidu cannot be reached through the local machine
[root@LNMP vhost]# curl -x 127.0.0.1:80 www.baidu.com
This is the default virtual site.
1.2 Configuration
1.2.1 Create a load-balancing configuration file under Nginx's conf directory
[root@LNMP ~]# vim /usr/local/nginx/conf/vhost/load_balance.conf
upstream baidu
{
ip_hash;
server 14.215.177.38:80;
server 14.215.177.39:80;
}
server
{
listen 80;
server_name www.baidu.com;
location /
{
proxy_pass http://baidu;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
1.2.2 Syntax check and reload the configuration
[root@LNMP ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@LNMP ~]# nginx -s reload
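How the ip_hash directive in the upstream block above picks a backend, as an added example (not code from the page or from nginx): it models nginx's hash over the first three IPv4 octets, as implemented in ngx_http_upstream_ip_hash_module, using the two backend addresses from the page and constructed client addresses.

```python
# Model of nginx's ip_hash backend selection for the upstream block above.
# Added example: it mirrors the hash in ngx_http_upstream_ip_hash_module
# (hash over the first three IPv4 octets) but is not nginx's own code.
from typing import Dict, List, Optional

# The two backends from the page's upstream block; no weight is set, so both are 1.
BACKENDS = ["14.215.177.38:80", "14.215.177.39:80"]


def ip_hash_pick(client_ip: str, backends: List[str] = BACKENDS,
                 weights: Optional[List[int]] = None) -> str:
    """Return the backend ip_hash would choose for client_ip on a first attempt.

    Only octets 1-3 feed the hash, so every host in one /24 maps to the same
    backend. Retries after a failed backend are not modelled here.
    """
    weights = weights or [1] * len(backends)
    octets = [int(o) for o in client_ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address: %r" % client_ip)
    h = 89                                   # nginx's initial hash value
    for octet in octets[:3]:
        h = (h * 113 + octet) % 6271         # nginx's per-octet step
    w = h % sum(weights)
    for backend, weight in zip(backends, weights):
        if w < weight:
            return backend
        w -= weight
    raise AssertionError("weights exhausted; should not happen")


def distribution(client_ips: List[str], backends: List[str] = BACKENDS) -> Dict[str, int]:
    """Count how many of the given clients each backend would receive."""
    counts = {b: 0 for b in backends}
    for ip in client_ips:
        counts[ip_hash_pick(ip, backends)] += 1
    return counts


if __name__ == "__main__":
    # Constructed client addresses: two hosts in one /24, then a spread of /24s.
    print({ip: ip_hash_pick(ip) for ip in ["192.168.10.5", "192.168.10.200"]})
    print(distribution(["10.%d.%d.1" % (a, b) for a in range(4) for b in range(8)]))
```

Because only the first three octets are hashed, every client behind one NAT gateway lands on the same backend, and if this nginx itself sits behind another proxy it hashes the proxy's address and sends everything to one server.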
1.3 Verification
- Baidu can now be reached locally
[root@LNMP ~]# curl -x 127.0.0.1:80 www.baidu.com
<!DOCTYPE html>
2. How SSL works
3. Generating an SSL key pair
3.1 Create a passphrase-protected temporary private key
[root@LNMP conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
3.2 Strip the passphrase from the temporary key to produce the working private key
[root@LNMP conf]# openssl rsa -in tmp.key -out chocolee.key
Enter pass phrase for tmp.key:
writing RSA key
3.3 Delete the temporary private key
[root@LNMP conf]# ls *.key
chocolee.key tmp.key
[root@LNMP conf]# rm tmp.key
rm: remove regular file ‘tmp.key’? y
3.4 Generate the certificate signing request
[root@LNMP conf]# openssl req -new -key chocolee.key -out chocolee.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:DP
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:Choco Lee
Email Address []:chocolee911@123.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123123
An optional company name []:DP
[root@LNMP conf]#
3.5 Generate the certificate (public key)
[root@LNMP conf]# openssl x509 -req -days 365 -in chocolee.csr -signkey chocolee.key -out chocolee.crt
Signature ok
subject=/C=86/ST=Zhejiang/L=Hangzhou/O=DP/OU=IT/CN=Choco Lee/emailAddress=chocolee911@123.com
Getting Private key
[root@LNMP conf]# ls chocolee*
chocolee.crt chocolee.csr chocolee.key
4. Configuring SSL in Nginx
4.1 Configuration
4.1.1 Add ssl.conf under the vhost configuration directory
[root@LNMP ~]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name chocolee.com;
index index.html;
root /data/wwwroot/chocolee.com;
ssl on;
ssl_certificate chocolee.crt;
ssl_certificate_key chocolee.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
4.1.2 Create the site directory and index page named in the configuration
[root@LNMP ~]# mkdir /data/wwwroot/chocolee.com
[root@LNMP ~]# vim /data/wwwroot/chocolee.com/index.html
This is chocolee's site.
4.1.3 Syntax check (fails, because nginx was compiled without the HTTPS module)
[root@LNMP ~]# nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:8
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
4.1.4 Recompile nginx with SSL support
[root@LNMP ~]# cd /usr/local/src/nginx-1.12.2
[root@LNMP nginx-1.12.2]# ./configure --prefix=/usr/local/nginx/ --with-http_ssl_module
[root@LNMP nginx-1.12.2]# make
[root@LNMP nginx-1.12.2]# make install
4.1.5 Run the syntax check again and reload the configuration
[root@LNMP ~]# nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:8
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
4.2 Verification
4.2.1 Verify with curl (edit hosts so that chocolee.com maps to 127.0.0.1)
[root@LNMP ~]# curl https://chocolee.com/index.html
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@LNMP ~]# curl https://chocolee.com/index.html -k
This is chocolee's site.
4.2.2 Verify in a browser (edit hosts so that chocolee.com maps to the VM's address)
5. php-fpm pools
Pools separate the PHP resources used by different sites so that one site cannot affect another.
5.1 List the current php-fpm pools
[root@LNMP ~]# ps aux | grep php-fpm
root 1178 0.0 0.2 227292 4948 ? Ss 09:33 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1180 0.0 0.2 227292 4712 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1181 0.0 0.2 227292 4712 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1184 0.0 0.2 227292 4712 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1185 0.0 0.2 227292 4712 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1186 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1187 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1188 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1193 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1194 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1195 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1196 0.0 0.2 227292 4716 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1197 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1200 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1202 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1203 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1204 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1205 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1207 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1208 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
php-fpm 1209 0.0 0.2 227292 4720 ? S 09:33 0:00 php-fpm: pool www
5.2 Edit php-fpm.conf so that it reads the separate conf files under a directory
[root@LNMP ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf # add this line
5.3 Create the directory
[root@LNMP ~]# mkdir /usr/local/php-fpm/etc/php-fpm.d/
5.4 Move the [www] pool from the original php-fpm.conf into its own conf file, and delete the [www] section from php-fpm.conf
[root@LNMP ~]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf
[www]
listen = /tmp/www.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
5.5 Create a separate conf file for your own site
[root@LNMP ~]# vim /usr/local/php-fpm/etc/php-fpm.d/chocolee.conf
[chocolee]
listen = /tmp/chocolee.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
5.6 Check the syntax
[root@LNMP ~]# /usr/local/php-fpm/sbin/php-fpm -t
[09-Jul-2018 11:09:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
5.7 Restart php-fpm
[root@LNMP ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
5.8 Edit the configuration file of the test.com vhost in Nginx
[root@LNMP ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com;
index index.html;
root /data/wwwroot/test.com;
access_log /tmp/nginx_access.log combined_realip;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/www.sock; # only this line needs changing
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
}
5.9 Syntax check and reload the configuration
[root@LNMP ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@LNMP ~]# nginx -s reload
5.10 List the current pools
[root@LNMP ~]# ps aux | grep php-fpm
root 4380 0.1 0.2 227380 4980 ? Ss 11:23 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 4381 0.0 0.2 227320 4724 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4382 0.0 0.2 227320 4724 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4383 0.0 0.2 227320 4724 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4384 0.0 0.2 227320 4724 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4385 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4386 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4387 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4388 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4389 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4390 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4391 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4392 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4393 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4394 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4395 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4396 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4397 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4398 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4399 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4400 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool chocolee
php-fpm 4401 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4402 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4403 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4404 0.0 0.2 227320 4728 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4405 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4406 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4407 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4408 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4409 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4410 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4411 0.0 0.2 227320 4732 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4412 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4413 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4414 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4415 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4416 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4417 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4418 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4419 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
php-fpm 4420 0.0 0.2 227320 4736 ? S 11:23 0:00 php-fpm: pool www
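The isolation the pools in 5.4 and 5.5 are meant to give can be checked mechanically; this is an added example, not code from the page or from php-fpm. It parses pool files in the page's INI layout and flags the two weaknesses both pools above still carry: a world-writable socket (listen.mode 666) and a single Unix user shared by every pool. The pool texts are copied from the page; listen.owner and listen.group in the suggested fix are real php-fpm directives.

```python
# Audit of the two php-fpm pool files above for isolation weaknesses.
# Added example, not from the page: the pools were split so sites "cannot
# affect each other", yet both still run as one user with mode-666 sockets.
import configparser
from typing import Dict, List

# Pool definitions as on the page (only the keys the audit looks at).
WWW_CONF = """[www]
listen = /tmp/www.sock
listen.mode = 666
user = php-fpm
group = php-fpm
"""
CHOCOLEE_CONF = """[chocolee]
listen = /tmp/chocolee.sock
listen.mode=666
user = php-fpm
group = php-fpm
"""

def parse_pools(*texts: str) -> Dict[str, Dict[str, str]]:
    """Parse php-fpm pool files (INI layout) into {pool_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep keys such as pm.max_children exactly as written
    for text in texts:
        cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections() if name != "global"}

def audit_pools(pools: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per weakness: world-writable socket, or pools sharing a user."""
    findings, by_user = [], {}
    for name, cfg in pools.items():
        mode = cfg.get("listen.mode", "0660")  # php-fpm's own default
        if int(mode, 8) & 0o002:
            findings.append(f"[{name}] listen.mode={mode}: any local user can send "
                            f"FastCGI requests to {cfg.get('listen')}; use 0660 and "
                            "listen.owner/listen.group = the nginx user")
        by_user.setdefault((cfg.get("user"), cfg.get("group")), []).append(name)
    for (user, group), names in by_user.items():
        if len(names) > 1:
            findings.append(f"pools {', '.join(names)} all run as {user}:{group}, so PHP in "
                            "one site can read the other's files; give each pool its own user")
    return findings

if __name__ == "__main__":
    for finding in audit_pools(parse_pools(WWW_CONF, CHOCOLEE_CONF)):
        print(finding)
```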
6. php-fpm slow-execution log
When a site is slow, the cause may be slow PHP execution; enabling the php-fpm slow log makes it quick to pin down where the time goes.
6.1 Configuration
6.1.1 Edit the configuration file of the [www] pool
[root@LNMP ~]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf
[www]
listen = /tmp/www.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
## add the following two lines
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
6.1.2 Create a test file under the test.com site
[root@LNMP ~]# vim /data/wwwroot/test.com/sleep.php
<?php

echo "test slow log\n";
sleep(2);
echo "done\n";

?>
6.2 Verification
6.2.1 Request sleep.php
[root@LNMP ~]# curl -x 127.0.0.1:80 test.com/sleep.php
test slow log
done
6.2.2 Check the slow-execution log
[root@LNMP ~]# cat /usr/local/php-fpm/var/log/www-slow.log
[09-Jul-2018 11:48:13] [pool www] pid 4459
script_filename = /data/wwwroot/test.com/sleep.php
[0x00007f01af50d280] sleep() /data/wwwroot/test.com/sleep.php:4
# The entry shows that the slowness is caused by line 4 of sleep.php
6.2.3 Line 4 of /data/wwwroot/test.com/sleep.php is simply the sleep statement
[root@LNMP ~]# vim /data/wwwroot/test.com/sleep.php
1 <?php
2
3 echo "test slow log\n";
4 sleep(2);
5 echo "done\n";
6
7 ?>
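A parser for slow-log entries in the format shown in 6.2.2, with a summary of which scripts and which innermost frames stall most often; this is an added example, not code from the page or from php-fpm. The first entry of the sample is the page's own log entry; the other two entries, with their pids, paths and function names, are constructed.

```python
# Parser for php-fpm slow-log entries like the one above, plus a summary of
# which scripts and functions stall most. Added example, not code from the
# page; the first log entry is the page's own, the other two are constructed.
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """[09-Jul-2018 11:48:13] [pool www] pid 4459
script_filename = /data/wwwroot/test.com/sleep.php
[0x00007f01af50d280] sleep() /data/wwwroot/test.com/sleep.php:4

[09-Jul-2018 11:50:02] [pool www] pid 4460
script_filename = /data/wwwroot/test.com/sleep.php
[0x00007f01af50d280] sleep() /data/wwwroot/test.com/sleep.php:4

[09-Jul-2018 11:52:41] [pool chocolee] pid 4390
script_filename = /data/wwwroot/chocolee.com/index.php
[0x00007f01af50d300] mysqli_query() /data/wwwroot/chocolee.com/lib/db.php:88
[0x00007f01af50d280] load_posts() /data/wwwroot/chocolee.com/index.php:12
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] \[pool (?P<pool>\S+)\] pid (?P<pid>\d+)$")
SCRIPT = re.compile(r"^script_filename = (?P<script>.+)$")
FRAME = re.compile(r"^\[0x[0-9a-fA-F]+\] (?P<func>\S+) (?P<file>.+):(?P<line>\d+)$")

def parse_slowlog(text: str) -> List[Dict]:
    """Split a slow log into records: ts, pool, pid, script, frames (innermost first)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "pool": m["pool"], "pid": int(m["pid"]),
                            "script": None, "frames": []})
        elif not records:
            continue  # stray line before the first header
        elif SCRIPT.match(line):
            records[-1]["script"] = SCRIPT.match(line)["script"]
        elif FRAME.match(line):
            f = FRAME.match(line)
            records[-1]["frames"].append((f["func"], f["file"], int(f["line"])))
    return records

def hotspots(records: List[Dict]) -> Dict[str, Counter]:
    """Count slow requests per script and per innermost (stalled) frame."""
    return {"scripts": Counter(r["script"] for r in records),
            "frames": Counter("%s %s:%d" % r["frames"][0] for r in records if r["frames"])}

if __name__ == "__main__":
    print(hotspots(parse_slowlog(SAMPLE_LOG)))
```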