nginx 编译安装
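# Build toolchain, development headers and admin utilities (CentOS/RHEL, run as root).
yum install -y vim lrzsz tree screen psmisc lsof tcpdump wget \
ntpdate gcc gcc-c++ glibc glibc-devel pcre pcre-devel openssl openssl-devel \
systemd-devel net-tools iotop bc zip unzip zlib-devel bash-completion nfs-utils automake libxml2 libxml2-devel libxslt libxslt-devel perl perl-ExtUtils-Embed
cd /usr/local/src/
# Fetch the release tarball together with its detached PGP signature.
wget https://nginx.org/download/nginx-1.16.1.tar.gz
wget https://nginx.org/download/nginx-1.16.1.tar.gz.asc
# Verify before unpacking: this code is compiled and installed as root, so a
# tampered or truncated download must not reach ./configure. The nginx signing
# keys have to be imported into the keyring first
# (https://nginx.org/en/pgp_keys.html); tar only runs if the check succeeds.
gpg --verify nginx-1.16.1.tar.gz.asc nginx-1.16.1.tar.gz \
  && tar -xf nginx-1.16.1.tar.gz
cd nginx-1.16.1
# NOTE(review): 1.16.1 is the version this page pins; it is an old release
# line, so check the security advisories on nginx.org and prefer a currently
# maintained release for anything internet-facing.
# Install under /apps/nginx, default worker account nginx:nginx, with TLS,
# HTTP/2, realip, stub_status, gzip_static, PCRE, the stream (TCP) proxy
# modules and file AIO compiled in.
./configure --prefix=/apps/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-file-aio
make && make install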
[root@localhost ~]# cat /usr/lib/systemd/system/nginx.service
# systemd unit for the source-built nginx installed under /apps/nginx.
# NOTE(review): no User= is set, so the master process starts as root; the
# privileges of the worker processes depend on the `user` directive in
# nginx.conf — confirm it is set.
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
# nginx daemonizes itself; systemd follows the master process through the pid file.
Type=forking
PIDFile=/apps/nginx/logs/nginx.pid
# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
# SELinux context. This might happen when running `nginx -t` from the cmdline.
# https://bugzilla.redhat.com/show_bug.cgi?id=1268621
# (In this unit the pid file is /apps/nginx/logs/nginx.pid, removed on the next line.)
ExecStartPre=/usr/bin/rm -f /apps/nginx/logs/nginx.pid
# Validate the configuration first so a broken nginx.conf aborts the start.
ExecStartPre=/apps/nginx/sbin/nginx -t
ExecStart=/apps/nginx/sbin/nginx
# Reload sends HUP to the main PID.
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
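# Account for the nginx worker processes (matches --user/--group passed to
# ./configure). /sbin/nologin refuses interactive logins; the original
# /sbin/login is not a shell for a service account and was presumably a typo.
useradd nginx -s /sbin/nologin
# Point the pid directive at the path the systemd unit expects. Any run of
# blanks between "#pid" and the path is accepted, because the one-space form
# only matches if the stock nginx.conf is spaced exactly that way.
sed -i 's@#pid[[:space:]]\+logs/nginx.pid;@pid /apps/nginx/logs/nginx.pid;@' /apps/nginx/conf/nginx.conf
# Pick up the new unit file, start nginx now and enable it at boot.
systemctl daemon-reload
systemctl start nginx
systemctl enable nginx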
###################################################################################################################
匹配优先级:=, ^~, ~/~*,/
location优先级:(location =) > (location 完整路径) > (location ^~ 路径) >
(location ~,~* 正则顺序) > (location 部分起始路径) > (/)
拒绝访问配置(403)
# Reject every request for this path with 403.
# NOTE(review): this is a plain prefix location, so it also matches longer URIs
# that start with /mysql.conf, and a regex location elsewhere in the same
# server block that matches the URI would be chosen instead of it. For deny
# rules prefer "location = /mysql.conf" or "location ^~ /mysql.conf" — confirm
# against the full configuration.
location /mysql.conf {
deny all;
}
精确匹配 =
location = /ABc.jpg {
root /data/static;
}
匹配大小写 ~
location ~ /A.?\.jpg {
index index.html;
root /opt/nginx/html/image;
}
访问测试:http://www.magedu.net/aA.jpg
不匹配大小写 ~*
location ~* /A.?\.jpg {
index index.html;
root /opt/nginx/html/image;
}
访问测试:http://www.magedu.net/aA.jpg
匹配案例-URI开始
location ^~ /images {
root /data/nginx;
index index.html;
}
location /images1 {
alias /data/nginx/html/pc;
index index.html;
}
匹配案例-文件名后缀
location ~* \.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|wmf|js)$ {
root /data/nginx/images1;
index index.html;
}
Nginx 四层访问控制
# Address-based access control for /about. Rules are checked top to bottom and
# the first match decides, so the single-host deny has to come before the
# allow for its /24.
# NOTE(review): the address compared is the connecting peer's; if this server
# sits behind another proxy or load balancer, every client may appear as that
# proxy — verify before relying on these rules.
location /about {
alias /data/nginx/html/pc;
index index.html;
deny 192.168.1.1;
allow 192.168.1.0/24;
# NOTE(review): 10.1.1.0/16 has host bits set; the /16 network is 10.1.0.0/16 — confirm which range is intended.
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all; # allow the small set first, then reject everyone else
}
Nginx账户认证功能
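yum install httpd-tools -y
# -c creates the file (first user only); -m stores an apr1-MD5 hash.
# The -b flag is dropped on purpose: htpasswd then prompts for the password,
# so it does not end up in shell history or in the process list. Choose a
# strong password at the prompt rather than a trivial sample value.
htpasswd -cm /apps/nginx/conf/.htpasswd user1
htpasswd -m /apps/nginx/conf/.htpasswd user2
# Only root and the nginx worker group need to read the password hashes.
chown root:nginx /apps/nginx/conf/.htpasswd
chmod 640 /apps/nginx/conf/.htpasswd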
[root@s2 ~]# vim /apps/nginx/conf/conf.d/pc.conf
# HTTP Basic authentication for /login/, checked against the htpasswd file
# /apps/nginx/conf/.htpasswd.
# NOTE(review): "=" matches only the exact URI /login/; a direct request such
# as /login/index.html is handled by a different location and is not covered
# by this auth_basic. Use a prefix location if the whole directory must be
# protected — confirm intent.
# Basic credentials are only base64-encoded on the wire, so serve this
# location over HTTPS.
location = /login/ {
root /data/nginx/html/pc;
index index.html;
auth_basic "login password";
auth_basic_user_file /apps/nginx/conf/.htpasswd;
}
检测文件是否存在
location /about {
root /data/nginx/html/pc;
#alias /data/nginx/html/pc;
index index.html;
#try_files $uri /about/default.html;
#try_files $uri $uri/index.html $uri.html /about/default.html;
try_files $uri $uri/index.html $uri.html =489;
}
作为下载服务器配置:
[root@s2 about]# mkdir /data/nginx/html/pc/download
#download不需要index.html
[root@s2 about]# vim /apps/nginx/conf/conf.d/pc.conf
# Directory listing for downloads.
# NOTE(review): autoindex shows every file under /data/nginx/html/pc/download
# to any client that can reach this location (no allow/deny or auth_basic is
# set here). Keep sensitive files out of it: the example on this page copies
# /root/anaconda-ks.cfg, a kickstart file that typically records installation
# settings such as the root password hash.
location /download {
autoindex on; # generate a directory index automatically
autoindex_exact_size on; # show exact file sizes in bytes; off shows rounded sizes (kB, MB, GB)
autoindex_localtime on; # show the server's local time instead of GMT
root /data/nginx/html/pc;
}
[root@s2 pc]# cp /root/anaconda-ks.cfg /data/nginx/html/pc/download/
作为上传服务器
client_max_body_size 500m; #设置允许客户端上传单个⽂件的最⼤值,默认值为1m
client_body_buffer_size 1024k; #⽤于接收每个客户端请求报⽂的body部分的缓冲区⼤⼩;默认16k;超出此⼤⼩时,其将被暂存到磁盘上的由下⾯client_body_temp_path指令所定义的位置
client_body_temp_path path [level1 [level2 [level3]]];
#设定存储客户端请求报⽂的body部分的临时存储路径及⼦⽬录结构和数量,⽬录名为16进制的数字,使⽤hash之后的值从后往前截取1位、2位、2位作为⽂件名:
client_max_body_size 500m;
client_body_buffer_size 2048k;
client_body_temp_path /apps/nginx/temp 1 2 2;
#gzip on;
aio on;
directio 2048;
output_buffers 10 128k;
Nginx 状态页面
# Basic status counters (needs the module enabled by --with-http_stub_status_module).
# Only 192.168.0.0/16 and the local host are allowed; every other client is denied.
location /nginx_status {
stub_status;
allow 192.168.0.0/16;
allow 127.0.0.1;
deny all;
}
Active connections: 当前处于活动状态的客户端连接数,包括处于等待状态的空闲连接数。
accepts:统计总值,Nginx自启动后已经接受的客户端请求的总数。
handled:统计总值,Nginx自启动后已经处理完成的客户端请求的总数,通常等于accepts,除非有因worker_connections限制等被拒绝的连接。
requests:统计总值,Nginx自启动后客户端发来的总的请求数。
Reading:当前状态,正在读取客户端请求报文首部的连接的连接数。
Writing:当前状态,正在向客户端发送响应报文过程中的连接数。
Waiting:当前状态,正在等待客户端发出请求的空闲连接数,开启 keep-alive的情况下,这个值等于 active – (reading+writing)。
#################################################
Nginx 反向代理功能
location /web {
index index.html;
proxy_pass http://192.168.7.103:80;
#不带斜线将访问的/web,等于访问后端服务器
http://192.168.7.103:80/web/index.html,即后端服务器配置的站点根⽬录要有web⽬录才可以
被访问,这是⼀个追加/web到后端服务器 http://servername:port/WEB/INDEX.HTML的操作
proxy_pass http://192.168.7.103:80/;
#带斜线,等于访问后端服务器的http://192.168.7.103:80/index.html 内容返回给客户端
}
总结:
server {
listen 80;
server_name test.jenkins.rpdns.com;
root /usr/local/nginx/html;
location /jenkins/ {
index index.html;
proxy_pass http://10.1.1.249:8080;
}
访问:(location /jenkins 加/ 和不加结果一样)http://test.jenkins.rpdns.com/jenkins = http://10.1.1.249:8080/jenkins
location /jenkins {
index index.html;
proxy_pass http://10.1.1.249:8080/;
}
访问:http://test.jenkins.rpdns.com/jenkins = http://10.1.1.249:8080 (返回的是tomcat首页)
带斜线,等于访问后端服务器内容给客户端如:http://test.jenkins.rpdns.com/jenkins = http://10.1.1.249:8080
不带斜线,等于在后端服务器地址的基础上追加location的路径,如:http://test.jenkins.rpdns.com/jenkins = http://10.1.1.249:8080/jenkins
proxy_hide_header ETag;
nginx作为反向代理的时候,在返回给客户端http响应的时候,隐藏后端服务版本等响应头部的信息
proxy_pass_request_body on | off;
#是否向后端服务器发送HTTP包体部分,可以设置在http/server或location块,默认即为开启
proxy_pass_request_headers on | off;
#是否将客户端的请求头部转发给后端服务器,可以设置在http/server或location块,默认即为开启
proxy_set_header X-Forwarded-For $remote_addr;
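#将客户端地址($remote_addr)写入X-Forwarded-For请求头并转发给后端,如果客户端位于NAT之后,那么其值为客户端共用的公网IP地址,常用于在后端记录客户端的真实IP地址。注意:这种写法会覆盖客户端自带的X-Forwarded-For;若改用$proxy_add_x_forwarded_for,则会保留客户端提交的值(可被伪造),后端不应直接信任其中由客户端提供的部分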
proxy_connect_timeout 60s;
#60s为⾃定义nginx与后端服务器建立连接的超时时间,配置nginx服务器与后端服务器尝试建立连接的超时时间,默认为60秒
proxy_read_timeout 60s;
#配置nginx服务器向后端服务器或服务器组发起read请求后,等待的超时时间,默认60s
proxy_send_timeout 60s;
#配置nginx向后端服务器或服务器组发起write请求后,等待的超时时间,默认60s
proxy_http_version 1.0;
#⽤于设置nginx提供代理服务的HTTP协议的版本,默认http 1.0
proxy_ignore_client_abort off;
#当客户端网络中断请求时,nginx服务器中断其对后端服务器的请求。即如果此项设置为on开启,则服务器会忽略客户端中断并一直等着代理服务执行返回,如果设置为off,则客户端中断后Nginx也会中断客户端请求并立即记录499日志,默认为off。
缓存配置
# Cache zone "proxycache": 20m of shared memory for keys, at most 1g on disk,
# entries not accessed for 120s are removed.
proxy_cache_path /apps/nginx/proxycache levels=1:1:1 keys_zone=proxycache:20m inactive=120s max_size=1g;
location /web {
proxy_pass http://10.1.1.103/;
# Replaces any X-Forwarded-For sent by the client with the peer address.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_hide_header ETag;
proxy_set_header clientip $remote_addr;
proxy_cache proxycache;
# NOTE(review): the key is only the request URI — no scheme, host or
# credentials. Server blocks sharing this zone would serve each other's
# entries for the same URI, and a response generated for one logged-in user
# could be replayed to others unless the backend marks it uncacheable.
# Confirm the content under /web is identical for all clients.
proxy_cache_key $request_uri;
proxy_cache_valid 200 302 301 1h;
# Every other status, error responses included, is cached for one minute.
proxy_cache_valid any 1m;
# Debug headers returned to the client: local server address, cache status, server name.
# NOTE(review): X-Via exposes the address the request arrived on — consider
# dropping it on public sites.
add_header X-Via $server_addr;
add_header X-Cache $upstream_cache_status;
add_header X-Accel $server_name;
}
######################################################################
nginx TCP代理
#server⽀持的parameters如下:
weight=number #设置权重,默认为1。
max_conns=number #给当前server设置最大活动链接数,默认为0表示没有限制。
max_fails=number #对后端服务器连续监测失败多少次就标记为不可用。
fail_timeout=time #对后端服务器的单次监测超时时间,默认为10秒。
backup #设置为备份服务器,当所有服务器不可用时将重新启用此服务器。
down #标记为down状态。
resolve #当server定义的是主机名的时候,当A记录发生变化会自动应用新IP而不用重启Nginx。
# Backend pool used by the /web proxy location below.
upstream webserver {
#hash $request_uri consistent; (preferred)
#ip_hash;
#least_conn;
server 192.168.7.103:80 weight=1 fail_timeout=15s max_fails=3; # backend failure tracking
server 192.168.7.104:80 weight=1 fail_timeout=15s max_fails=3;
# Backup member: only used when the two servers above are unavailable.
server 192.168.7.101:80 weight=1 fail_timeout=15s max_fails=3 backup;
# Requests for the same URI are sent to the same backend (consistent hashing).
hash $request_uri consistent;
}
server {
listen 80;
server_name www.magedu.net;
location / { # stop 192.168.7.103 and 192.168.7.104 to test that the backup server takes over
index index.html index.php;
root /data/nginx/html/pc;
}
location /web {
index index.html;
proxy_pass http://webserver/;
# Appends the peer address to whatever X-Forwarded-For the client sent.
# NOTE(review): the client-supplied part is untrusted; the backend should
# rely only on the entry added by this proxy.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@s4 ~]# while true;do curl http://www.magedu.net/web;sleep 1;done
例子代理mysql redis
[root@s2 ~]# cat /apps/nginx/conf/tcp/tcp.conf
# TCP (layer-4) proxy: nginx listens on 192.168.7.102 and relays raw MySQL and
# Redis connections to 192.168.7.104.
# NOTE(review): neither server block has allow/deny rules, so any host that can
# reach 192.168.7.102:3306 or :6379 is relayed to the backend, and the backend
# sees the proxy's address as the client, so host-based ACLs on MySQL or Redis
# no longer tell clients apart. Restrict the listeners (allow/deny from the
# stream access module, or a firewall) and make sure Redis requires
# authentication.
stream {
upstream redis_server {
server 192.168.7.104:6379 max_fails=3 fail_timeout=30s;
}
upstream mysql_server {
least_conn;
server 192.168.7.104:3306 max_fails=3 fail_timeout=30s;
}
# MySQL listener: 6s to connect to the backend, 15s proxy timeout.
server {
listen 192.168.7.102:3306;
proxy_connect_timeout 6s;
proxy_timeout 15s;
proxy_pass mysql_server;
}
# Redis listener: 3s to connect to the backend, 3s proxy timeout.
server {
listen 192.168.7.102:6379;
proxy_connect_timeout 3s;
proxy_timeout 3s;
proxy_pass redis_server;
}
}
##############################################################
https 配置
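# HTTPS virtual host for www.upetmart.com; /web is proxied to the "webserver" upstream.
server {
    listen 443 ssl;
    server_name www.upetmart.com;
    #ssl on;
    root /wwwroothtml/wwwroot/www.upetmart.com;
    index index.html index.htm index.php;
    # Relative paths resolve against the nginx configuration directory. The
    # private key file should be readable by root only.
    ssl_certificate cert/3281594_www.upetmart.com.pem;
    ssl_certificate_key cert/3281594_www.upetmart.com.key;
    ssl_session_timeout 5m;
    # NOTE(review): the broad aliases ECDH, AES and HIGH still admit suites
    # without forward secrecy (static-RSA key exchange) and CBC-mode suites.
    # Consider an explicit ECDHE + AEAD list and check what the string expands
    # to with `openssl ciphers -v`.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated and were removed from this list. Add
    # TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    location /web {
        index index.html;
        proxy_pass http://webserver/;
        # Appends the peer address to the client-supplied X-Forwarded-For; the
        # backend should not trust the part the client provided.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}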
#########################################################
nginx 配置实例
# Worker processes run as the nginx account.
user nginx;
worker_processes auto;
# One CPU mask per worker (CPU0 to CPU3).
# NOTE(review): four masks assume four workers, while "auto" follows the CPU
# count — confirm the host has 4 cores.
worker_cpu_affinity 00000001 00000010 00000100 00001000;
# NOTE(review): every error_log line is commented out, so the compiled-in
# default applies — confirm errors are collected somewhere that is monitored.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /apps/nginx/logs/nginx.pid;
# Per-worker open-file limit.
worker_rlimit_nofile 65536;
events {
worker_connections 65535;
accept_mutex on;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
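# JSON access log for machine parsing. escape=json makes nginx escape quotes,
# backslashes and control characters in variable values; without it a client
# can break the JSON or forge fields through the request URI, the Referer or
# the X-Forwarded-For header, which corrupts whatever ingests this log.
log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"url":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"status":"$status"}';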
access_log /apps/nginx/logs/access.log access_json;
sendfile on;
tcp_nopush on;
tcp_nodelay off;
#keepalive_timeout 0;
# First value: idle keep-alive timeout on the server side; second value: the
# timeout advertised to clients in the Keep-Alive response header.
keepalive_timeout 65 65;
# A keep-alive connection is closed after 5 requests.
keepalive_requests 5;
# NOTE(review): set at http level, so every server and location accepts
# request bodies up to 500m. Bodies larger than the 2048k buffer are spooled
# under /apps/nginx/temp, which makes disk exhaustion by unauthenticated
# uploads possible. Consider scoping the large limit to the upload location
# only.
client_max_body_size 500m;
client_body_buffer_size 2048k;
client_body_temp_path /apps/nginx/temp 1 2 2;
proxy_cache_path /apps/nginx/proxycache levels=1:1:1 keys_zone=proxycache:20m inactive=120s max_size=1g;
#gzip on;
aio on;
directio 2048;
output_buffers 10 128k;
# Omit the nginx version from the Server header and from error pages.
server_tokens off;
server {
listen 80;
server_name localhost;
charset utf-8;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
# Cached reverse proxy for /web, backed by the "proxycache" zone.
location /web {
proxy_pass http://10.1.1.103/;
# Replaces any X-Forwarded-For sent by the client with the peer address.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_hide_header ETag;
proxy_set_header clientip $remote_addr;
proxy_cache proxycache;
# NOTE(review): the key is only the request URI — no scheme, host or
# credentials. Confirm the backend content under /web is identical for all
# clients and that no other server block shares this zone with the same URIs.
proxy_cache_key $request_uri;
proxy_cache_valid 200 302 301 1h;
# Every other status, error responses included, is cached for one minute.
proxy_cache_valid any 1m;
# Debug headers returned to the client: local server address, cache status, server name.
add_header X-Via $server_addr;
add_header X-Cache $upstream_cache_status;
add_header X-Accel $server_name;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 404 /z4y06on3mm.png;
location = /z4y06on3mm.png {
root html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}