目录
1. Centos7设置IP地址
# Set a static IPv4 address on the first server (192.168.235.130, the nginx host used for the rest of this page).
vim /etc/sysconfig/network-scripts/ifcfg-ens33
# --- contents of ifcfg-ens33 ---
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
# "static" turns DHCP off; IPADDR/NETMASK/GATEWAY below must then be filled in by hand.
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
# Keep the UUID/DEVICE/NAME values that are already in your own file; they identify the interface.
UUID="701bb76a-cb2d-446d-a835-6f24911dfc14"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.235.130
NETMASK=255.255.255.0
GATEWAY=192.168.235.2
# Public resolvers; replace them with internal ones if DNS traffic must stay inside your network.
DNS1=8.8.8.8
DNS2=180.76.76.76
# Apply the change (network.service on CentOS 7); confirm with "ip addr show ens33".
systemctl restart network
2. 下载并源码编译安装Nginx
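# Download, verify and build nginx from source into /usr/local/nginx.
# NOTE(review): 1.21.6 is a 2022 mainline release; pick the current stable
# release from https://nginx.org/en/download.html and keep the same steps.
cd /opt/ || exit 1
nginx_ver=1.21.6
wget -c "https://nginx.org/download/nginx-${nginx_ver}.tar.gz"
# Supply-chain check: nginx publishes a detached PGP signature next to every
# tarball. Import the release signing key from https://nginx.org/keys/ first
# (compare its fingerprint with the one printed on that page) and refuse to
# build if the signature does not verify.
wget -c "https://nginx.org/download/nginx-${nginx_ver}.tar.gz.asc"
gpg --verify "nginx-${nginx_ver}.tar.gz.asc" "nginx-${nginx_ver}.tar.gz" || exit 1
tar -zxvf "nginx-${nginx_ver}.tar.gz"
cd "nginx-${nginx_ver}/" || exit 1
# Default build. It does NOT include --with-http_ssl_module, so this binary
# can neither "listen 443 ssl" (section 16) nor proxy_pass to https://
# upstreams; add that flag here if TLS is needed. Workers run as "nobody"
# unless --user/--group (or the "user" directive) names a dedicated account.
./configure --prefix=/usr/local/nginx
### If configure stops with one of these messages, install the package and re-run it
# checking for OS
# + Linux 3.10.0-693.el7.x86_64 x86_64
# checking for C compiler ... not found
# ./configure: error: C compiler cc is not found
yum install -y gcc
# ./configure: error: the HTTP rewrite module requires the PCRE library.
# You can either disable the module by using --without-http_rewrite_module
# option, or install the PCRE library into the system, or build the PCRE library
# statically from the source with nginx by using --with-pcre=<path> option.
yum install -y pcre pcre-devel
# ./configure: error: the HTTP gzip module requires the zlib library.
# You can either disable the module by using --without-http_gzip_module
# option, or install the zlib library into the system, or build the zlib library
# statically from the source with nginx by using --with-zlib=<path> option.
yum install -y zlib zlib-devel
make && make install
# Resulting layout under the prefix.
cd /usr/local/nginx/ || exit 1
ll
# total 0
# drwxr-xr-x 2 root root 333 May 6 15:56 conf
# drwxr-xr-x 2 root root 40 May 6 15:56 html
# drwxr-xr-x 2 root root 6 May 6 15:56 logs
# drwxr-xr-x 2 root root 19 May 6 15:56 sbin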
3. 启停服务
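# Start / stop the daemon by hand (section 4 wraps the same commands in a systemd unit).
cd /usr/local/nginx/sbin || exit 1
./nginx -c /usr/local/nginx/conf/nginx.conf # start
./nginx -s stop   # fast shutdown
./nginx -s quit   # graceful shutdown: finish already-accepted requests, then exit
./nginx -s reload # re-read the configuration (check it first with ./nginx -t)
# "[n]ginx" keeps the grep process itself out of the listing.
ps -ef | grep '[n]ginx'
# root   11441     1  0 16:08 ?  00:00:00 nginx: master process ./nginx
# nobody 11442 11441  0 16:08 ?  00:00:00 nginx: worker process
# The master runs as root (it binds port 80); the workers are switched to the
# account named by the "user" directive, "nobody" when it is absent. Prefer a
# dedicated nologin account created for nginx.
# Firewall
firewall-cmd --state
# running
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Warning: ALREADY_ENABLED: 80:tcp
# success
# --reload applies the permanent rules; restarting firewalld as well is redundant.
firewall-cmd --reload
# success
firewall-cmd --list-ports
# 3306/tcp 3690/tcp 80/tcp 6379/tcp
# NOTE(review): this listing shows MySQL (3306), Subversion (3690) and Redis
# (6379) open in the public zone. Only 80 is needed for this page; database
# and cache ports should be closed here (firewall-cmd --permanent
# --remove-port=3306/tcp ...) and, if remote access is needed at all,
# re-allowed with a rich rule limited to the trusted source addresses.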
打开浏览器,输入IP地址,如果正确,会显示如下图效果
4. 配置成系统服务
vim /usr/lib/systemd/system/nginx.service
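[Unit]
Description=nginx - web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# Refuse to (re)start on a broken configuration.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# "quit" lets in-flight requests finish before exiting; the original used
# "-s stop" (immediate) here and put the graceful variant under "ExecQuit=",
# which is not a systemd directive - systemd logs "Unknown lvalue" and
# ignores it - so the graceful path was never used.
ExecStop=/usr/local/nginx/sbin/nginx -s quit
# The service starts as root so the master can bind port 80; nginx itself
# switches the workers to the account named by its "user" directive
# ("nobody" by default).
PrivateTmp=true
# Do not add ProtectSystem=full to this unit: it makes /usr read-only and
# nginx writes its logs and pid file under /usr/local/nginx.

[Install]
WantedBy=multi-user.target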
# 重新加载系统服务
# Make systemd re-read unit files after editing nginx.service
systemctl daemon-reload
# Start nginx through systemd (ExecStartPre runs "nginx -t" first)
systemctl start nginx
# Start at boot. (CentOS 7 ships systemd 219, which has no "enable --now";
# keep start and enable as two commands.)
systemctl enable nginx.service
#Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
5. Nginx基本运行原理
Nginx的进程是使用经典的「Master-Worker」模型,Nginx在启动后,会有一个master进程和多个
worker进程。master进程主要用来管理worker进程,包含:接收来自外界的信号,向各worker进程发送信号,监控worker进程的运行状态,当worker进程退出后(异常情况下),会自动重新启动新的worker进程。worker进程主要处理基本的网络事件,多个worker进程之间是对等的,他们同等竞争来自客户端的请求,各进程互相之间是独立的。一个请求,只可能在一个worker进程中处理,一个worker进程,不可能处理其它进程的请求。worker进程的个数是可以设置的,一般会设置与机器cpu核数一致,这里面的原因与nginx的进程模型以及事件处理模型是分不开的。
6. Nginx配置文件的最低配置
6.1 配置内容
vim /usr/local/nginx/conf/nginx.conf
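# Number of worker processes; set it to the CPU core count or "auto".
# (On Windows several workers can be started but only one does any work.)
worker_processes 1;
# Workers run as the account named by the "user" directive - "nobody" when it
# is absent, as the ps output in section 3 shows. Once a dedicated nologin
# account exists, name it here, e.g. "user nginx;".
events {
    # Connections per worker (total = worker_connections * worker_processes).
    # Size it to the hardware; raise it as long as the CPU is not saturated.
    worker_connections 1024;
}
http {
    # Maps file extensions to MIME types (a file in the conf directory).
    include mime.types;
    # Fallback when mime.types has no entry: deliver as a binary stream.
    default_type application/octet-stream;
    # Added: do not advertise the nginx version in the Server header and on
    # error pages (the default is "on").
    server_tokens off;
    # sendfile() lets the kernel copy files straight to the socket (zero copy).
    # Keep it on for ordinary sites; for download-heavy, disk-bound workloads
    # it can be turned off to balance disk and network I/O.
    sendfile on;
    # Keep-alive timeout, in seconds.
    keepalive_timeout 65;
    # Virtual host.
    server {
        # Listening port.
        listen 80;
        # One or more names, separated by spaces.
        server_name localhost;
        # Document root (relative to the nginx prefix) and index files.
        location / {
            root html;
            index index.html index.htm;
        }
        # Error page mapping.
        error_page 500 502 503 504 /50x.html;
        # Where /50x.html is found.
        location = /50x.html {
            root html;
        }
    }
}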
6.2 sendfile关闭和启用对比
6.3 server
7. 虚拟主机与域名解析
7.1 本地host文件模拟域名解析
打开C:\Windows\System32\drivers\etc 下的hosts文件
192.168.235.130 xxoo.com
ping xxoo.com
浏览器访问 http://xxoo.com
7.2 配置不同端口号或域名
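# Create one document root per virtual host and a marker index page in each.
# Written with printf instead of an interactive vim session so the step can
# be copied and re-run; the page contents are the ones the original cat shows.
mkdir -p /www/www /www/vod
printf '%s\n' 'this is vod web site.' > /www/vod/index.html
printf '%s\n' 'this is www web site.' > /www/www/index.html
cat /www/vod/index.html
#this is vod web site.
cat /www/www/index.html
#this is www web site.
# Both trees are created by root with the default umask (drwxr-xr-x), which
# is all the unprivileged nginx worker needs: read access. Nothing under
# /www should be writable by the worker account.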
### Two server blocks in nginx.conf (the original copied twice), one per port
### The listen port + server_name combination of each server must be unique
server {
    listen 80;
    server_name localhost;
    location / {
        # Absolute document root of the "www" site created in 7.2.
        root /www/www;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    # A second port; it also needs a firewall rule (added right after this).
    listen 88;
    server_name localhost;
    location / {
        # Absolute document root of the "vod" site created in 7.2.
        root /www/vod;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
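# Apply the new server blocks (ExecReload in the unit runs "nginx -s reload").
systemctl reload nginx.service
systemctl status nginx.service
#● nginx.service - nginx - web server
# Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
# Active: active (running) since Fri 2022-05-13 05:22:10 PDT; 1h 15min ago
# Process: 2688 ExecReload=/usr/local/nginx/sbin/nginx -s reload (code=exited, status=0/SUCCESS)
# Process: 1154 ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf (code=exited, status=0/SUCCESS)
# Open the second port. (The original showed "ALREADY_ENABLED: 80:tcp" here,
# which is the output of the earlier port-80 command pasted by mistake; a
# fresh 88/tcp rule just prints "success".)
firewall-cmd --zone=public --add-port=88/tcp --permanent
# success
# --reload applies the permanent rules; restarting firewalld as well is redundant.
firewall-cmd --reload
#success
firewall-cmd --list-ports
#3306/tcp 3690/tcp 80/tcp 6379/tcp 88/tcp
# (3306/3690/6379 are still publicly open here - see the note in section 3.)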
###配置hosts 模拟解析域名
192.168.235.130 www.xxoozmj.com
192.168.235.130 vod.xxoozmj.com
192.168.235.130 vod2.xxoozmj.com
192.168.235.130 678.xxoozmj.com
7.3 域名的各种匹配
# Three ways to match the host name (alternatives; use one per server block):
# exact names, separated by spaces
server_name vod.xxoozmj.com vod2.xxoozmj.com;
# wildcard: any single-level subdomain of xxoozmj.com
server_name *.xxoozmj.com;
# regular expression ("~" prefix): purely numeric subdomains such as 678.xxoozmj.com
server_name ~^[0-9]+\.xxoozmj\.com$;
8. 反向代理
正向代理替客户端发出请求,对外隐藏的是客户端的真实地址;反向代理替服务端接收请求,对外只暴露代理的地址,后端服务器不直接暴露在公网上。注意这只是隐藏了后端的拓扑,并不能替代后端自身的访问控制和安全加固。
server {
    listen 80;
    server_name localhost;
    location / {
        # Reverse proxy: every request to this host is forwarded to Baidu.
        # An https:// upstream needs nginx built with --with-http_ssl_module,
        # which the default ./configure in section 2 does not include.
        proxy_pass http://www.baidu.com;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
然后会发现浏览器地址栏变成了百度自己的地址:上游返回的是一个 302 重定向,其 Location 头指向百度的(https)地址;nginx 默认的 proxy_redirect 只改写与 proxy_pass 地址完全对应的 Location,这里不匹配,于是原样透传给浏览器,浏览器随即直接去访问百度。
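# Point the proxy at the second server (.131) instead of Baidu.
proxy_pass http://192.168.235.131;
# Added: without these the backend only ever sees this proxy's address, so
# its access logs and any per-client limits are blind. Pass the original
# Host and client address along; the backend should trust X-Forwarded-For
# only when the request comes from this proxy.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;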
9. 负载均衡
# The upstream name must match the host part of proxy_pass (http://<name>).
upstream myservers {
    # weight: a higher value gets proportionally more requests; here .131
    # takes about 80% of them and .132 about 20%.
    server 192.168.235.131:80 weight=8;
    server 192.168.235.132:80 weight=2;
}
server {
    listen 80;
    server_name localhost;
    location / {
        # Backends see this proxy's address as the client unless
        # X-Forwarded-For / X-Real-IP are set (not done here).
        proxy_pass http://myservers;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
10. 动静分离
为了提高网站的响应速度,减轻程序服务器(Tomcat,Jboss等)的负载,对于静态资源,如图片、js、css等文件,可以在反向代理服务器中进行缓存,这样浏览器在请求一个静态资源时,代理服务器就可以直接处理,而不用将请求转发给后端服务器。对于用户请求的动态文件,如servlet、jsp,则转发给Tomcat,Jboss服务器处理,这就是动静分离。即动态文件与静态文件的分离。
10.1 配置JDK并搭建Tomcat服务器
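### Done on the 192.168.235.133 host
mkdir -p /usr/local/java
cd /usr/local/java || exit 1
# The JDK archive must already be here (Oracle's download requires a login;
# copy it over with scp and compare its checksum with the one on the download page).
tar -zxvf jdk-8u333-linux-x64.tar.gz
# Environment: a drop-in under /etc/profile.d is sourced by every login shell
# on CentOS 7, so /etc/profile itself does not need to be edited.
cat > /etc/profile.d/java.sh <<'EOF'
export JAVA_HOME=/usr/local/java/jdk1.8.0_333
# Bug fixed: the original wrote %JAVA_HOME (Windows syntax), which the shell
# leaves as literal text, so CLASSPATH pointed at non-existent paths.
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
# JAVA_HOME goes in FRONT of PATH. The original appended it, so a system
# OpenJDK earlier in PATH kept winning - which is exactly what the recorded
# "java -version" output below shows (1.8.0_222) although JAVA_HOME names 8u333.
export PATH=$JAVA_HOME/bin:$PATH
EOF
# Load it into the current shell
source /etc/profile.d/java.sh
java -version
# Should now report the 8u333 JDK under /usr/local/java. Output recorded with
# the original (appended) PATH, i.e. the distribution's OpenJDK:
#openjdk version "1.8.0_222-ea"
#OpenJDK Runtime Environment (build 1.8.0_222-ea-b03)
#OpenJDK 64-Bit Server VM (build 25.222-b03, mixed mode)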
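mkdir -p /usr/local/tomcat
cd /usr/local/tomcat || exit 1
tomcat_ver=8.5.78
# Fetch the archive AND its checksum from the Apache archive over TLS (the
# original pulled from a third-party mirror over plain http with no integrity
# check) and refuse to unpack on a mismatch. 8.5.78 is a 2022 release; take the
# newest 8.5.x/9.0.x from tomcat.apache.org and keep the same check.
base="https://archive.apache.org/dist/tomcat/tomcat-8/v${tomcat_ver}/bin"
wget "${base}/apache-tomcat-${tomcat_ver}.tar.gz"
wget "${base}/apache-tomcat-${tomcat_ver}.tar.gz.sha512"
sha512sum -c "apache-tomcat-${tomcat_ver}.tar.gz.sha512" || exit 1
tar -zxvf "apache-tomcat-${tomcat_ver}.tar.gz"
cd "apache-tomcat-${tomcat_ver}/bin" || exit 1
# Starts Tomcat as the calling user - root here, as the ps line below shows.
# Outside a lab, create a system account (useradd -r -s /sbin/nologin tomcat),
# chown the tree to it and start with: runuser -u tomcat -- ./startup.sh
./startup.sh
#Using CATALINA_BASE: /usr/local/tomcat/apache-tomcat-8.5.78
#Using CATALINA_HOME: /usr/local/tomcat/apache-tomcat-8.5.78
#Using CATALINA_TMPDIR: /usr/local/tomcat/apache-tomcat-8.5.78/temp
#Using JRE_HOME: /usr/local/java/jdk1.8.0_333
#Using CLASSPATH: /usr/local/tomcat/apache-tomcat-8.5.78/bin/bootstrap.jar:/usr/local/tomcat/apache-tomcat-8.5.78/bin/tomcat-juli.jar
#Using CATALINA_OPTS:
#Tomcat started.
# "[t]omcat" keeps the grep process itself out of the listing.
ps -ef | grep '[t]omcat'
#root 2023 1 9 04:52 pts/0 00:00:05 /usr/local/java/jdk1.8.0_333/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/apache-tomcat-8.5.78/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 ... (rest of the command line truncated)
# Firewall: 8080 must only be reachable from the two nginx front-ends
# (.130 and .131). The --list-ports output at the end shows 8080/tcp in the
# public zone, i.e. open to everyone, which makes the source-restricted
# rules below pointless - remove the plain port rule first.
firewall-cmd --permanent --remove-port=8080/tcp
# Single quotes on the outside: the original nested double quotes, which the
# shell strips, so the inner family="ipv4" etc. did not reach firewalld intact.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.235.130" port protocol="tcp" port="8080" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.235.131" port protocol="tcp" port="8080" accept'
# --reload applies the permanent rules; restarting the daemon is not needed.
firewall-cmd --reload
firewall-cmd --list-ports
# before the change this printed: 3306/tcp 3690/tcp 80/tcp 6379/tcp 88/tcp 8080/tcp
# Source-restricted rules do not show up in --list-ports; check them here:
firewall-cmd --list-rich-rules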
10.2 开启Redis
10.3 设置代理地址
# On the 130 server, forward to 133 (Tomcat). A URI part in proxy_pass replaces
# the matched location prefix: a request for "/" + "x" is sent upstream as "/charts-project/x".
proxy_pass http://192.168.235.133:8080/charts-project/;
将133服务器的charts-project工程的静态资源移动到130服务器的html目录下
# 130 server: static assets are served locally from the html directory
# (html/js, html/css, html/images); everything else goes to Tomcat.
location / {
    #proxy_pass http://myservers;
    proxy_pass http://192.168.235.133:8080/charts-project/;
}
# Prefix locations: /js/... is read from html/js/... and never proxied.
# "index" only matters for a request to the directory itself.
location /js {
    root html;
    index index.html index.htm;
}
location /css {
    root html;
    index index.html index.htm;
}
location /images {
    root html;
    index index.html index.htm;
}
11. URL Rewrite
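upstream myservers {
    server 192.168.235.133:8080;
}
server {
    listen 80;
    server_name localhost;
    location / {
        # Map the public /test.html to the application's index page. Anchored at
        # both ends with the dot escaped: the original "^/test.html" also matched
        # /test.htmlx or /testXhtml. "break" stops rewriting, and because the URI
        # changed, the rewritten URI is what is sent upstream (the /charts-project/
        # part of proxy_pass is ignored for that request).
        rewrite ^/test\.html$ /charts-project/index.html break;
        proxy_pass http://myservers/charts-project/;
    }
    # Bug fixed: the original "~*/(js|images|css)" was not anchored, so any URI
    # containing /js, /images or /css anywhere (e.g. /jsp/..., /api/json) was
    # served from the local html root instead of being proxied. Anchor it to
    # the first path segment.
    location ~* ^/(js|images|css)(/|$) {
        root html;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}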
12. 防盗链
盗链是指服务提供商自己不提供服务的内容,通过技术手段绕过其它有利益的最终用户界面(如广告),直接在自己的网站上向最终用户提供其它服务提供商的服务内容,骗取最终用户的浏览和点击率。受益者不提供资源或提供很少的资源,而真正的服务提供商却得不到任何的收益。
这里设置130为网关服务器,132访问130进行盗链
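### Settings on the 130 server (the gateway in front of Tomcat on .133)
server {
    listen 80;
    server_name localhost;
    location / {
        proxy_pass http://192.168.235.133:8080/charts-project/;
    }
    # Bug fixed: the original "~*/(js|images|css)" was not anchored, so any URI
    # containing /js, /images or /css anywhere (e.g. /jsp/..., /api/json) was
    # served from the local html root instead of being proxied. Anchor it to
    # the first path segment.
    location ~* ^/(js|images|css)(/|$) {
        root html;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}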
## Settings on the 132 server (plays the "hotlinking" site): it simply proxies to 130
proxy_pass http://192.168.235.130;
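### 130 server, second version: hotlink protection on the static locations
server {
    listen 80;
    server_name localhost;
    location / {
        proxy_pass http://192.168.235.133:8080/charts-project/;
    }
    # Bug fixed: the original "~*/(js|images|css)" was not anchored, so any URI
    # containing /js, /images or /css anywhere (e.g. /jsp/..., /api/json) was
    # caught here instead of being proxied. Anchor it to the first path segment.
    location ~* ^/(js|images|css)(/|$) {
        # Hotlink check: the Referer host must be one of the listed names;
        # a request with no Referer or with another one gets 403. List every
        # host name the legitimate pages are served under (e.g. server_names)
        # or the site's own images are blocked as well.
        # NOTE(review): Referer is supplied by the client, so this deters
        # casual embedding only - it is not access control.
        valid_referers 192.168.235.131;
        if ($invalid_referer) {
            return 403;
        }
        root html;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}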
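# From the hotlinking host (.132 proxies to .130): the page itself is proxied and loads ...
curl -I http://192.168.235.132
#HTTP/1.1 200
#Last-Modified: Mon, 23 May 2022 08:42:47 GMT
# ... but the image is refused: the request reaches .130 with no Referer it accepts.
curl -I http://192.168.235.132/images/bg.jpg
#HTTP/1.1 403 Forbidden
# Referer is chosen by the client, so the check is a deterrent, not access
# control: sending one of the accepted values (-e) gets the file (expect 200).
curl -I -e http://192.168.235.131/ http://192.168.235.130/images/bg.jpg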
13. 高可用配置Keepalived
设置130服务器为主机,131服务器为备用机
# Install keepalived on both servers (add -y for unattended runs)
yum install openssl-devel
yum install keepalived
# Same file on both nodes, different contents (see below)
vim /etc/keepalived/keepalived.conf
# Configuration on the master, 130
! Configuration File for keepalived
global_defs {
    # Unique per node; appears in syslog
    router_id k130
}
vrrp_instance VI_1 {
    state MASTER # initial role of this node
    interface ens33 # interface that carries the VIP; find it with "ip addr"
    # Same value on both nodes of this group; must differ from any other VRRP group on the LAN
    virtual_router_id 51
    priority 100 # the highest priority wins the MASTER role
    advert_int 1
    # NOTE(review): auth_type PASS sends the password in clear text in every
    # VRRP advertisement and keepalived uses at most 8 characters of it, so
    # "1111" labels the group rather than protects it. Real protection is
    # limiting VRRP (IP protocol 112) on the firewall to the peer's address
    # (and/or using unicast_peer). Also check that firewalld allows VRRP
    # between the two nodes: if each node cannot see the other's
    # advertisements, both become MASTER and both claim the VIP.
    authentication { # must be identical on both nodes
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress { # floating IP that clients connect to
        192.168.235.200
    }
}
# Configuration on the backup, 131
! Configuration File for keepalived
global_defs {
    # Unique per node; appears in syslog
    router_id k131
}
vrrp_instance VI_1 {
    state BACKUP # initial role of this node
    interface ens33 # interface that carries the VIP; find it with "ip addr"
    # Must match the master's virtual_router_id
    virtual_router_id 51
    # Lower than the master's 100, so 131 takes over only when 130 stops advertising
    priority 50
    advert_int 1
    # Same caveat as on the master: clear-text, max 8 characters - not a secret.
    # Restrict VRRP (IP protocol 112) on the firewall to the peer instead.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.235.200
    }
}
systemctl start keepalived.service
对 192.168.235.200 执行 ping:关掉130主机(或是杀死其 keepalived 进程)前后,虚拟IP都应当可以 ping 通,因为131会接管。注意如果两台机器的 firewalld 没有放行 VRRP(IP 协议号 112),两台都会认为自己是 MASTER,表现为"都能 ping 通",但这并不是真正的故障切换,应在两台机器上用 ip addr 确认同一时刻只有一台持有虚拟IP。
14. 搭建LNMP
登录 OneinStack - 一键PHP/JAVA安装工具
修改防火墙设置 安全组 配置规则
入方向 手动添加
15. 解析域名
16. Https证书配置
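server {
    listen 443 ssl;
    # This is the only 443 server, so it is the default for every host name
    # even though the redirect below names lnmp.dream987.top.
    server_name localhost;
    # Relative paths are resolved under the nginx conf directory. The .key
    # file is the private key: owner root, mode 0600 (nginx reads it as root
    # before the workers are forked).
    ssl_certificate 7854453_lnmp.dream987.top.pem;
    ssl_certificate_key 7854453_lnmp.dream987.top.key;
    # Added: depending on the nginx build, the default still accepts the
    # deprecated TLS 1.0/1.1. TLSv1.3 is used only if the OpenSSL nginx was
    # built against supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    index index.html index.htm index.php;
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    # Moved to the front: regex locations are tried in order, so this deny
    # must come before the static-file patterns below, otherwise a path such
    # as /.git/x.css would be served by the js|css location.
    location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) {
        deny all;
    }
    # Status page for local monitoring only.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    # PHP through php-fpm over a unix socket. The pattern also accepts
    # "/x.php/anything" (PATH_INFO). With user uploads (the Discuz install in
    # section 17) make sure only real .php files are executed - php-fpm's
    # security.limit_extensions and/or a try_files check - and confirm what
    # the included fastcgi.conf already does about that.
    location ~ [^/]\.php(/|$) {
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # Static media: long cache lifetime, no access log.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
    # Keep /.well-known reachable (typically ACME http-01 challenges).
    location /.well-known {
        allow all;
    }
}
# Plain-HTTP listener: redirect everything to HTTPS.
server {
    listen 80;
    server_name lnmp.dream987.top;
    access_log /data/wwwlogs/access_nginx.log combined;
    return 301 https://$server_name$request_uri;
    root html;
}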
17. 搭建Discuz
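# Install Discuz! X into the web root as the "bbs" subdirectory.
cd /usr/local/nginx/html/ || exit 1
# Download over TLS (the original used plain http://, which lets anyone on the
# path replace the archive) and compare the file with the checksum published
# on the official release page before unpacking. If the host offers no TLS,
# the checksum comparison is the minimum.
wget https://discuz.net/files/DiscuzX/3.4/Discuz_X3.4_SC_UTF8_20220518.zip
unzip Discuz_X3.4_SC_UTF8_20220518.zip
mv upload bbs
# Ownership instead of "chmod -R 777": the tree is owned by root, readable by
# everyone (nginx serves the static files), and group-writable only where the
# Discuz installer asks for write access. The group is the account php-fpm
# runs as - confirm it against the pool's "user" setting or
# "ps -o user= -C php-fpm | grep -v root | sort -u".
web_user=www   # TODO confirm against the php-fpm pool configuration
chown -R root:"$web_user" bbs/
chmod -R u=rwX,g=rX,o=rX bbs/
# Directories the installer's environment check lists as needing write access
# (config, data and the UCenter data directories); everything else stays read-only.
chmod -R g+w bbs/config bbs/data bbs/uc_client/data bbs/uc_server/data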