玩转nginx各种优化及模块配置
调整worker进程数
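vim /apps/nginx/conf/nginx.conf
# "auto" sizes the worker pool to the number of available CPU cores;
# a fixed number can be given instead.
worker_processes auto;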
调整最大打开文件数
vim /etc/security/limits.conf
# Raise the soft and hard open-file limits to 65535 for every account matched by "*".
# NOTE(review): per limits.conf(5) the "*" wildcard is not applied to root, and these
# PAM limits only affect PAM login sessions - a service started by systemd takes its
# limit from the unit's LimitNOFILE setting instead. Confirm how nginx is started here.
* soft nofile 65535
* hard nofile 65535
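vim /apps/nginx/conf/nginx.conf
# Main-context directive: sets the open-file limit (RLIMIT_NOFILE) for worker processes.
worker_rlimit_nofile 65535;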
采用Gzip压缩
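vim /apps/nginx/conf/nginx.conf
# Place these directives in the http block.
gzip on;
# Responses smaller than 1k are sent uncompressed.
gzip_min_length 1k;
# MIME types to compress in addition to text/html, which nginx always compresses.
# Already-compressed image formats (JPEG/GIF/PNG) are left out: recompressing them
# costs CPU for little or no size gain. application/x-httpd-php is left out as well;
# PHP output normally reaches the client under its own Content-Type (usually text/html).
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript;
# NOTE(review): compressing HTTPS responses that carry both a secret (session or CSRF
# token) and request-controlled data exposes them to compression side channels (BREACH);
# consider "gzip off;" in the locations that serve such responses.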
nginx状态统计
#通过域名访问,查看nginx状态
#监控网站状态用到了--with-http_stub_status_module模块,需要在configure时配置
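server {
    listen 80;
    server_name www.bestit.com;

    location / {
        root html;
        index index.html index.htm index.php;
    }

    # Status page; needs nginx built with --with-http_stub_status_module.
    location /nginx_status {
        stub_status;
        access_log off;
        # Allow-list: only this address may read the status page.
        allow 10.0.0.11;
        # Refuse every other client. Denying only 10.0.0.0/24 would leave the page
        # readable from any address outside that subnet, because a request that
        # matches no allow/deny rule is permitted.
        deny all;
    }
}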
#allow与deny为控制访问
nginx目录保护
#设置虚拟用户和密码,对目录或文件启用访问认证(HTTP Basic 认证,只做身份校验,并不对内容加密)
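server {
    listen 80;
    server_name www.bestit.com;

    location / {
        root html;
        index index.html index.htm index.php;
    }

    # The password file sits inside the document root (html/ under the /apps/nginx
    # prefix), so without this block "location /" would serve it to any client as
    # /htpasswd.nginx. Keeping the file outside the web root is the more robust fix.
    location = /htpasswd.nginx {
        deny all;
    }

    location /nginx_status {
        stub_status;
        access_log off;
        # Basic auth sends the credentials base64-encoded, not encrypted; on this
        # plain-HTTP listener they cross the network in clear text. Prefer serving
        # this location over TLS.
        auth_basic "Welcome to nginx_status!";
        auth_basic_user_file /apps/nginx/html/htpasswd.nginx;
    }
}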
# Create the password file and its users; htpasswd prompts for each password.
# -c creates the file and overwrites an existing one, so use it for the first user only.
htpasswd -c /apps/nginx/html/htpasswd.nginx user1
# -m stores the password as an MD5 (apr1) hash.
# NOTE(review): this path is inside the nginx document root; unless the server blocks
# /htpasswd.nginx the hashes can be downloaded. A location outside the web root,
# readable only by the nginx user, is safer.
htpasswd -m /apps/nginx/html/htpasswd.nginx user2
基于域名访问
# Name-based virtual host: requests whose Host header is www.bestit.com land here.
server {
    listen      80;
    server_name www.bestit.com;

    location / {
        # Relative path, resolved against the nginx prefix directory.
        root  html;
        index index.html index.htm index.php;
    }
}
#需添加本地DNS解析
实现HTTPS
#只需在虚拟主机配置文件中添加
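server {
    listen 80;
    listen 443 ssl;
    server_name it.houpu.com;
    index index.html index.htm index.php;
    root html/it;

    # TLS is switched on by the "ssl" parameter of the listen directive above. The
    # standalone "ssl on;" directive is obsolete (removed in nginx 1.25.1) and must
    # not be re-enabled.
    ssl_certificate /apps/nginx/conf/ssl/hopu.crt;
    ssl_certificate_key /apps/nginx/conf/ssl/hopu.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it if unavailable.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # ECDHE key exchange only, so every TLS 1.2 session has forward secrecy. The 3DES
    # suites (64-bit block cipher), the static-RSA key-exchange suites and the obsolete
    # CHACHA20 draft alias are no longer offered.
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5";
}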
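# Generate the RSA private key. 1024-bit RSA is too weak and is rejected by current
# TLS stacks at their default security level; 2048 bits is the minimum to use.
openssl genrsa -out hopu.key 2048
# Only the account that starts nginx needs to read the private key.
chmod 600 hopu.key
# Certificate signing request for the key.
openssl req -new -key hopu.key -out hopu.csr
# Self-signed certificate, valid for 365 days. Clients do not trust it by default, so
# it suits testing only; a production site needs a certificate issued by a trusted CA.
openssl x509 -req -days 365 -sha256 -in hopu.csr -signkey hopu.key -out hopu.crt
cp hopu.* /apps/nginx/conf/ssl/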
设置HTTP自动跳转HTTPS
#在server段中添加if判断
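server {
    listen 80;
    listen 443 ssl;
    server_name it.houpu.com;
    index index.html index.htm index.php;
    root html/it;

    # Send plain-HTTP requests to the same URI over HTTPS. The previous
    # "rewrite / https://it.houpu.com/$1" had no capture group, so $1 was empty and
    # every request was redirected to the home page; $request_uri keeps the path and
    # the query string.
    if ($scheme = http) {
        return 301 https://it.houpu.com$request_uri;
    }

    # TLS is switched on by the "ssl" parameter of the listen directive above. The
    # standalone "ssl on;" directive is obsolete (removed in nginx 1.25.1) and must
    # not be re-enabled.
    ssl_certificate /apps/nginx/conf/ssl/hopu.crt;
    ssl_certificate_key /apps/nginx/conf/ssl/hopu.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it if unavailable.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # ECDHE key exchange only (forward secrecy); 3DES, static-RSA key exchange and the
    # obsolete CHACHA20 draft alias are no longer offered.
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5";
}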
rewrite地址重写
#实现地址跳转
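server {
    listen 80;
    server_name www.bestit.com;

    # Permanent (301) redirect of every request to www.myhopu.com. The leading slash is
    # kept outside the capture group: with "^(.*)$" the captured URI already starts with
    # "/", which produced "http://www.myhopu.com//path". The original query string is
    # appended by rewrite automatically.
    rewrite ^/(.*)$ http://www.myhopu.com/$1 permanent;

    # Not reached while the server-level rewrite above matches every URI.
    location / {
        root html;
        index index.html index.htm index.php;
    }
}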
#将www.bestit.com跳转到www.myhopu.com上
#permanent为301 永久重定向
平滑升级
# Unpack the new release's source into the build directory.
# NOTE(review): check the tarball's PGP signature against the nginx signing keys before
# unpacking, for example (signature file name shown as an example):
#   gpg --verify nginx-1.25.2.tar.gz.asc nginx-1.25.2.tar.gz
tar -zxf nginx-1.25.2.tar.gz -C /usr/local/src/
# "nginx -V" prints the configure arguments of the running build; the new version must
# be configured with the same arguments.
nginx -V
# NOTE(review): two third-party modules are compiled into the server binary. The
# directory name ngx-fancyindex-master suggests an unpinned master-branch snapshot;
# record the exact commit or use a tagged release so the build is reproducible and
# the module source can be audited.
./configure --prefix=/apps/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --user=nginx --group=nginx --add-module=/usr/local/src/nginx-1.25.2/third_module/echo-nginx-module-0.61 --add-module=/usr/local/src/nginx-1.25.2/third_module/ngx-fancyindex-master
# Compile and install with 8 parallel jobs.
make -j 8 &&make -j 8 install
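# After "make install" the previous binary in the nginx sbin directory is kept as
# nginx.old and the newly built binary takes its place.
# OLD_MASTER_PID is a placeholder for the PID of the old nginx master process.

# USR2: the old master starts a new master from the new binary; both generations
# run side by side.
kill -USR2 "$OLD_MASTER_PID"
# WINCH: the old master gracefully shuts down its worker processes. The old master
# itself stays alive, so a rollback is still possible at this point.
kill -WINCH "$OLD_MASTER_PID"
# QUIT: the old master exits gracefully, which completes the upgrade.
kill -QUIT "$OLD_MASTER_PID"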
案例:系统维护,只有个别人可以访问
# Maintenance mode: every client except 10.0.0.10 is shown the maintenance page.
server {
    listen      80;
    server_name www.bestit.com;

    # Default to rewriting; the exempted address switches the flag off.
    # NOTE(review): $remote_addr is the address of the directly connected peer. Behind a
    # reverse proxy or load balancer it is presumably the proxy's address - confirm.
    set $rewrite true;
    if ($remote_addr = "10.0.0.10") {
        set $rewrite false;
    }
    if ($rewrite = true) {
        rewrite (.+) /weihu.html;
    }

    location / {
        root  html;
        index index.html index.htm;
    }

    # The maintenance page itself.
    location = /weihu.html {
        root /apps/nginx/html;
    }
}
return
# Refuse requests for URIs ending in the listed extensions with 403 Forbidden.
# "~" makes the match case-sensitive.
location ~ .*\.(sh|flv|mp3)$ {
    return 403;
}