1.安装
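cd /usr/local || exit 1
# Fetch over TLS and check the detached PGP signature that nginx.org publishes
# next to each tarball; a plain-http download with no check lets a modified
# archive through unnoticed. The nginx signing key has to be imported first
# (see the PGP keys page on nginx.org), otherwise gpg --verify fails closed.
wget https://nginx.org/download/nginx-1.23.1.tar.gz || exit 1
wget https://nginx.org/download/nginx-1.23.1.tar.gz.asc || exit 1
gpg --verify nginx-1.23.1.tar.gz.asc nginx-1.23.1.tar.gz || exit 1
tar zxvf nginx-1.23.1.tar.gz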
- 直接安装会报错,所以解压后还需要安装依赖项pcre,zlib,gcc
configure: error: You need a C++ compiler for C++ support.
error: the HTTP gzip module requires the zlib library
- 安装zlib,gcc
# C/C++ toolchain for ./configure plus the zlib headers the gzip module links
# against; same packages as before, installed in a single yum transaction.
yum install -y gcc gcc-c++ zlib-devel
- 安装pcre
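# PCRE backs nginx's regex locations ("location ~* ..." below).
# NOTE(review): 8.37 is an old release of the legacy PCRE1 line; the
# distribution's pcre-devel package stays patched through yum and avoids the
# source build, so prefer it unless this exact version is required.
wget https://downloads.sourceforge.net/project/pcre/pcre/8.37/pcre-8.37.tar.gz || exit 1
tar -xzpvf pcre-8.37.tar.gz || exit 1
cd pcre-8.37 || exit 1
./configure || exit 1
make && make install
# prints the installed version; confirms the install is visible on PATH
pcre-config --version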
- 安装nginx
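# Build nginx from the tree unpacked in step 1 (/usr/local/nginx-1.23.1).
cd nginx-1.23.1 || exit 1
# Step 3 (https) fails with 'the "ssl" parameter requires ngx_http_ssl_module'
# when nginx was configured without the SSL module, so enable it here; the
# module needs the OpenSSL headers at configure time.
yum install -y openssl-devel || exit 1
./configure --with-http_ssl_module || exit 1
make && make install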
2.启动nginx
- 上面流程走完后会在nginx-1.23.1同级生成nginx目录
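# The build installs into /usr/local/nginx, a sibling of the source tree.
cd nginx/sbin || exit 1
# Validate the configuration first so a broken nginx.conf is reported here
# instead of as a failed daemon start.
./nginx -t || exit 1
./nginx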
- 浏览器访问host:80,如下说明启动成功
3.自签https证书
- the "ssl" parameter requires ngx_http_ssl_module in ...:说明 nginx 编译时没有带 --with-http_ssl_module,需要回到 nginx 源码目录重新 ./configure --with-http_ssl_module(依赖 openssl-devel),再 make && make install(参考第 1 步的安装流程)
- host not found in upstream xxxx.com:upstream 里的域名解析不到,需要在 /etc/hosts 中绑定该 host
- 如下图所示,浏览器显示【不安全】(自签证书不被浏览器信任)即说明 https 已经启用成功
- 证书信息测试
双击 crt 证书(如果是 pem 格式,先把后缀改为 crt),检查:颁发者(Issuer)、DNS Name
4.配置文件
upstream负载均衡,location指令块处理url。
nginx配置规范
- 指令名和指令值用空格隔开,多个值用空格、回车隔开
server_name www.qq.com www.jd.com
;
- 指令必须以英文分号(;)结尾,如果没有以分号结尾,nginx 会把它和下一行一起识别成同一条指令
主配置文件: nginx.conf
nginx嵌入子配置文件规范
# Relative include paths resolve against the conf prefix /usr/local/nginx/conf/,
# at every nesting level; "..." stands for the other http-level directives.
http {
...
include vhost/*.conf; # picks up the *.conf files under /usr/local/nginx/conf/vhost
include vhost/*/*.conf; # picks up the *.conf files under /usr/local/nginx/conf/vhost/xxx/
}
- 注意文件结尾有 `}`,别误删了
- include 可以写多条
- 被嵌套的配置文件中也可以写 include,比如在 vhost/a.conf 中也可以写 `include vhost/a/b/c.conf;`
- include 的相对地址永远相对于 /usr/local/nginx/conf/,即使在被嵌套的文件里使用 include 也是相对于这个目录
- 增删配置后,需检查配置是否被正确 include:嵌套的配置文件都应出现在 config_files 中,不能有缺失
server配置
非https配置
# Illustrative plain-http server; the "..." lines stand for omitted directives.
server {
listen 80;
server_name www.qq.com www.baidu.com;
index index.html;
location / {
# a location-level index replaces the server-level one for this location
index index.php index.html;
...
proxy_pass http://127.0.0.1/abc/;
}
# NOTE(review): a location with no modifier is a literal prefix match, so
# "*.(jpg|png|gif)" is not interpreted as a pattern here; regex matching
# needs "location ~*", as the demo further down uses.
location /abc/*.(jpg|png|gif) {
...
proxy_pass http://s3-backend;
}
}
- listen 支持多条(这种情况不多,但是也需要测试),一条监听一个端口。
- `listen 80;` 仅有端口,等同于 *:80
- `listen 0.0.0.0:80;` 同时有监听 ip 和端口
- `listen 127.0.0.1;` 仅有 ip,表示使用默认端口:如果启动 nginx 的用户有 root 权限,为 80,否则为 8000。(我们一般情况下都用 root 起的 nginx)
https配置
# Illustrative https server; "..." and "if xxx" are placeholders, not valid syntax.
server {
listen 443 ssl;
server_name www.qq.com www.baidu.com;
index index.html;
# NOTE(review): "ssl on" is obsolete since nginx 1.15.0 (the ssl parameter
# on listen above already enables TLS); 1.23.1 still accepts it with a warning.
ssl on;
# The private key should be readable only by the nginx master process (runs as
# root here); its path and the certificate path must be given as a pair.
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
location / {
index index.php index.html;
...
proxy_pass http://s3-backend/def/;
}
# NOTE(review): no modifier means a literal prefix match, so the pattern
# characters are taken verbatim; use "location ~*" for a regex.
location /abc/*.(jpg|png|gif) {
...
# NOTE(review): proxying to an https upstream does not verify the upstream's
# certificate unless proxy_ssl_verify / proxy_ssl_trusted_certificate are set.
proxy_pass https://s3-end;
if xxx { # additional proxy_pass directives have to sit inside an if block
proxy_pass http://127.0.0.1:10000/abc/;
}
}
}
- `listen 443 ssl http2;` 表示同时开启 https 和 http2
- ssl_certificate 和 ssl_certificate_key 必须配对出现
- 一般情况下只有 1 组证书,但是 nginx 可以支持多组证书
- `ssl on;` 和 listen 中的 ssl 参数都表示使用 https
- proxy_pass 位于 location 中,一个 location 主块只能有 1 条,但是可以用 if 嵌套更多的 proxy_pass
upstream配置
# Backend group referenced by "proxy_pass http://s3-backend"; weight raises the
# share of requests 1.1.1.1 receives relative to the default weight of 1.
upstream s3-backend {
server 1.1.1.1 weight=100; # no port given: nginx uses port 80 for an upstream server
server 2.2.2.2:8080;
}
- upstream 可以出现在任意配置文件中,和 server 是平级关系
- 名称不允许重复
- upstream 不一定会被 proxy_pass 使用
demo
# Backend group used by the two demo servers below.
upstream go-backend {
# NOTE(review): "*" looks like a redacted host; nginx needs a resolvable name
# or IP here, otherwise startup fails with "host not found in upstream".
server *:8080;
}
# Plain-http demo server (parser test fixture): caching reverse proxy in front of
# go-backend, with Tengine/OpenResty Lua hooks.
server
{
# NOTE(review): "listen 80" and "listen 0.0.0.0:80" name the same socket;
# nginx is likely to reject the pair as a duplicate listen — confirm with nginx -t.
listen 80;
listen 0.0.0.0:80;
listen 127.0.0.1;
server_name aaa.bbb.ccc.com;
server_name *.aaa.bbb.ccc.com;
index index.html index.htm index.php;
# NOTE(review): proxy_set_header is inherited only when the lower level defines
# none; both locations below define their own, so X-Real-IP and the
# $proxy_add_x_forwarded_for chain from these three lines never reach the backend.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
req_status server; # Tengine ngx_http_reqstat directive, not stock nginx
# NOTE(review): disabling the Lua code cache reloads the scripts per request;
# the ngx_lua docs describe it as a development setting — not for production.
lua_code_cache off;
location / {
# $nocache stays 0 unless cache_access.lua changes it — presumably that is the intent; verify
set $nocache 0;
# limit_rate 3m;
#limit_req zone=session_limit burst=5;
# slice module: the upstream response is fetched in 10m byte-range subrequests,
# so $slice_range must be forwarded as Range and be part of the cache key (done below).
slice 10m;
add_header X-Cache $upstream_cache_status;
proxy_cache_bypass $nocache;
proxy_no_cache $nocache;
# NOTE(review): with HEAD-to-GET conversion off, nginx docs say the cache key
# should include $request_method; the key below does not, so a HEAD and a GET
# for the same URI share one cache entry.
proxy_cache_convert_head off;
access_by_lua_file "/webser/tengine/lua_code/fs/cache_access.lua";
proxy_cache cache_one; # keys_zone "cache_one" must be declared by proxy_cache_path in the http block (not shown)
proxy_cache_valid 200 206 304 15m;
# NOTE(review): the key omits $args, so different query strings for one URI
# share a cached response — fine only if the backend ignores the query string.
proxy_cache_key $host$uri?$slice_range;
proxy_set_header Host $host;
# replaces any incoming X-Forwarded-For chain with the direct client address
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Range $slice_range;
#add_header X-Cache $upstream_cache_status;
proxy_pass http://go-backend;
body_filter_by_lua_file "/webser/tengine/lua_code/body_filter.lua";
log_by_lua_file "/webser/tengine/lua_code/log_by_fs.lua";
}
# NOTE(review): the regex has no "$" anchor, so it also matches URIs such as
# /a.png/b or /a.png.php; the "(.*)" capture is never used.
location ~* /(.*)\.(png|gif|jpg) {
slice 10m;
set $nocache 0;
# e.g. "GET/100200": method plus the width and height args concatenated
set $if "${request_method}/${arg_width}${arg_height}";
proxy_cache_bypass $nocache;
proxy_no_cache $nocache;
proxy_cache_convert_head off;
access_by_lua_file "/webser/tengine/lua_code/fs/cache_access.lua";
proxy_cache cache_one;
proxy_cache_valid 200 206 304 15m;
# NOTE(review): $width and $height are never set in this server (only the https
# server below sets them), so nginx warns "using uninitialized variable" and
# treats them as empty in the key.
proxy_cache_key $host$uri?$width-$height-$slice_range;
add_header X-Cache $upstream_cache_status;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Range $slice_range;
body_filter_by_lua_file "/webser/tengine/lua_code/body_filter.lua";
log_by_lua_file "/webser/tengine/lua_code/log_by_fs.lua";
# GET requests whose size args are all digits go to the local resizer; the
# nginx docs caution against "if" inside location — a map-selected variable
# in proxy_pass is the usual alternative.
if ($if ~* "^GET/[0-9]+$") {
proxy_pass http://127.0.0.1:10000;
}
proxy_pass http://go-backend;
}
}
# https demo server (parser test fixture); paths and cipher lists shown as "*"
# appear to be redacted.
server
{
listen 443 ssl http2;
server_name aaa.bbb.ccc.com;
server_name *.aaa.bbb.ccc.com;
index index.html index.htm index.php;
# NOTE(review): both locations below define their own proxy_set_header set, so
# these server-level headers (including X-Real-IP) are not inherited by them.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): key at the filesystem root looks like a placeholder; wherever it
# lives, the key file should be readable only by the nginx master process.
ssl_certificate /server.pem;
ssl_certificate_key /server.key;
ssl_session_timeout 5m;
# NOTE(review): SSLv3, TLSv1 and TLSv1.1 are deprecated and have known
# weaknesses; restrict this to "TLSv1.2 TLSv1.3" unless a specific legacy
# client must be supported.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# cipher list redacted; with OpenSSL this directive governs TLS 1.2 and
# earlier only — TLS 1.3 suites are selected separately.
ssl_ciphers '***************';
#ssl_ciphers **************;
ssl_prefer_server_ciphers on;
req_status server; # Tengine ngx_http_reqstat directive
location / {
slice 10m;
set $nocache 0;
#limit_rate 3m;
proxy_cache_bypass $nocache;
proxy_no_cache $nocache;
# NOTE(review): with HEAD conversion off, nginx docs expect $request_method in
# the cache key; it is absent below, so HEAD and GET share a cache entry.
proxy_cache_convert_head off;
access_by_lua_file "/*.lua";
# retries on 502/504 and connection problems; non-idempotent methods (POST etc.)
# are not retried unless "non_idempotent" is added (1.9.13+)
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_cache cache_one; # keys_zone declared by proxy_cache_path in the http block (not shown)
# 3600s here versus 15m in the http server — presumably deliberate; verify
proxy_cache_valid 200 206 304 3600s;
# key omits $args: all query strings for one URI share a cached response
proxy_cache_key $host$uri?$slice_range;
add_header X-Cache $upstream_cache_status;
proxy_set_header Host $host;
# replaces any incoming X-Forwarded-For chain with the direct client address
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Range $slice_range;
proxy_pass http://go-backend;
body_filter_by_lua_file "*.lua";
log_by_lua_file "*.lua";
}
# NOTE(review): unanchored regex (no "$"), so /a.png/b and /a.png.php match too.
location ~* /(.*)\.(png|gif|jpg) {
slice 10m;
# $img_flag is built up as a string: "0", then "1" appended for GET, then "2"
# appended when width is all digits — "012" therefore means a GET with a numeric width.
set $img_flag 0;
set $nocache 0;
set $width $arg_width;
set $height $arg_height;
if ($request_method = GET) {
set $img_flag "${img_flag}1";
}
if ($width ~* "^([0-9]+)$") {
set $img_flag "${img_flag}2";
}
proxy_cache_bypass $nocache;
proxy_no_cache $nocache;
proxy_cache_convert_head off;
access_by_lua_file "/*.lua";
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_cache cache_one;
proxy_cache_valid 200 206 304 3600s;
# $height is taken from the query string unchecked; it only shapes the cache key here
proxy_cache_key $host$uri?$width-$height-$slice_range;
add_header X-Cache $upstream_cache_status;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Range $slice_range;
body_filter_by_lua_file "*.lua";
log_by_lua_file "/webser/tengine/lua_code/log_by_fs.lua";
# string comparison against "012" (see $img_flag above); the nginx docs caution
# against "if" inside location — a map-selected variable in proxy_pass is the usual alternative
if ($img_flag = 012 ) {
proxy_pass http://127.0.0.1:10000;
}
proxy_pass http://go-backend;
# image_filter resize $width $height;
}
# NOTE(review): absolute glob at "/" looks redacted; an absolute include is not
# subject to the conf-prefix rule that applies to relative ones.
include /*.include;
}
5.nginx测试
需求期望:将主配置文件、vhost/*.conf、vhost/*/*.conf中的信息提取出来,包含证书列表、配置目录、配置文件列表、所有server、upstream列表
目标文件数据结构
{
"certs": [], <---- 证书列表
"config_base_dir": "", <---- 配置目录
"config_files": [], <---- 所有配置文件列表
"servers": [], <---- 所有server
"upstreams": [], <---- upstream列表
}
"servers": [
{
"https": true, <---- 两个:listen中的ssl,或者ssl on
"http2": false, <---- listen中是否有http2
"listen": [
{
"host": "*",
"port": 80 <---- 对应 listen的第一个参数
}
],
"domains": [ <---- 对应server_name
"www.qq.com",
"www.baidu.com"
],
"index": [ <---- 对应index,没有为null
"index.php",
"index.html"
],
"certs": [ <---- 开启https,需要有证书
{
"cert": "/server.pem", <-- 对应ssl_certificate
"key": "m/server.key" <-- 对应ssl_certificate_key
}
]
"locations": [ <---- 对应location
{
"uri": "/abc/*.(jpg|png|gif)",
"index": [ <---- 对应location中的index,没有为null
]
"pass": [ <---- 对应proxy_pass, fastcgi_pass,没有为null
{
"address": "http://s3-backend/def/" <--- proxy_pass 之后的参数
"host": "s3-backend" <--- address中的域名部分
"port": 0 <--- address中的端口部分
"upstream": { <--- 如果host能找到upstream的数据,此处则有数据,查看下文upstream
"name": "s3-backend", <---- 对应 upstream后的名字
"servers": [ <---- 对应 server
{
"host": "1.1.1.1", <---- 对应server的ip
"port": 0, <---- 对应server后的端口,没有为0
"parameters": { <---- 参数 key=value,可以多个
"weight": "100"
}
},
{
"host": "2.2.2.2",
"port": 8080,
"parameters": []
}
]
}
},
{
"address": "http://127.0.0.1:10000/abc/" <--- proxy_pass 之后的参数
"host": "127.0.0.1" <--- address中的域名部分
"port": 10000 <--- address中的端口部分
"upstream": null <--- 如果host能找到upstream的数据,此处则有数据,查看下文upstream
}
]
}
]
}
]
{
"upstreams": [
{
"name": "s3-backend", <---- 对应 upstream后的名字
"servers": [ <---- 对应 server
{
"host": "1.1.1.1", <---- 对应server的ip
"port": 0, <---- 对应server后的端口,没有为0
"parameters": { <---- 参数 key=value,可以多个
"weight": "100"
}
},
{
"host": "2.2.2.2",
"port": 8080,
"parameters": []
}
]
}
]
}