Preface:
Nginx ships many optional modules: gzip compression of text, image resizing, SSL/TLS and so on. This article picks a few that are commonly used in day-to-day production, explains them and walks through their configuration, and ends with hotlink protection (referer checking).
Environment
- server1: 172.25.75.1, the Nginx web server
- client: 172.25.75.250
I. Adding modules (realip, image_filter, ssl)
All three modules need nginx to be rebuilt, so install the dependencies for all of them first and pass every module to a single ./configure run; that avoids compiling several times.
[root@server1 ~]# yum install openssl-devel gd-devel-2.0.35-26.el7.x86_64.rpm -y
openssl-devel is needed by the ssl module, gd-devel by the image filter module.
Rebuild (only image_filter is built as a dynamic module; realip and ssl are linked statically):
[root@server1 ~]# cd nginx-1.15.8
[root@server1 nginx-1.15.8]# ./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
Install:
[root@server1 nginx-1.15.8]# make && make install
Check that the modules were built in. objs/ngx_modules.c lists the statically linked modules, so ngx_http_realip_module and ngx_http_ssl_module should appear there; image_filter was requested with =dynamic, so it is not in that list but is produced as objs/ngx_http_image_filter_module.so and installed under /usr/local/nginx/modules/. Running the installed binary with the -V option also prints the configure arguments it was built with.
[root@server1 objs]# vim /root/nginx-1.15.8/objs/ngx_modules.c
Modules added successfully!
1. Enabling gzip compression
1. Edit the Nginx configuration file
vim /usr/local/nginx/conf/nginx.conf
In the http block:
gzip on;                 # enable gzip compression
gzip_min_length 1;       # minimum response length (taken from Content-Length) to compress; "1" means one byte, the default is 20 bytes; to compress only responses above 1 KB write 1k
gzip_comp_level 2;       # compression level 1-9; higher compresses a little better at a much higher CPU cost
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php;   # MIME types to compress; text/html is always compressed
Do not add image/jpeg, image/gif or image/png to gzip_types: those formats are already compressed, so gzip only burns CPU and usually makes them slightly larger. One security caveat for later, once the same server terminates TLS: compressing a response that mixes a secret (session or CSRF token) with attacker-influenced input lets an attacker recover the secret byte by byte (the BREACH attack), so keep such dynamic pages out of gzip_types or turn gzip off for them.
2. Create a test file
[root@server1 sbin]# cp /etc/passwd ../html/
[root@server1 sbin]# cd ../html/
[root@server1 html]# ls
50x.html index.html passwd
[root@server1 html]# rm -rf index.html
[root@server1 html]# mv passwd index.html
[root@server1 html]# vim index.html
[root@server1 html]# du -sh index.html
28K index.html
[root@server1 html]# vim index.html
[root@server1 html]# vim index.html
[root@server1 html]# du -sh index.html
420K index.html
The default index page is now 420K, well above the compression threshold. (The file is a padded copy of /etc/passwd, fine for a throwaway lab VM; never publish a real system's /etc/passwd, since it lists every account, shell and home directory even without password hashes.)
3. Start Nginx, or reload the configuration if it is already running
[root@server1 sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 sbin]# ./nginx
[root@server1 sbin]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2151/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 981/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1949/master
tcp6 0 0 :::3306 :::* LISTEN 1236/mysqld
tcp6 0 0 :::22 :::* LISTEN 981/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1949/master
4. Test
Open 172.25.75.1 in the client's browser:
F12 -> Network -> reload
The page shows a resource size of 417.89 kB but only 7.67 kB transferred: the repeated passwd lines compress to under 2% of their size. Without a browser, send a GET with an Accept-Encoding: gzip header and look for Content-Encoding: gzip in the response headers (nginx does not compress HEAD responses).
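To make the decision rule and the size figures concrete, here is an added Python example (mine, not part of the original article). It reproduces nginx's rule for whether a response is compressed and measures the gzip ratio of two constructed bodies: a passwd-style text like this page's index.html, and a seeded random byte string standing in for a JPEG. The bodies, the MIME sets and the function names are this example's own assumptions.

```python
import gzip
import random

# Constructed stand-in for the tutorial's index.html: /etc/passwd-style lines
# repeated until the body is about 416 KB, like the 420K page in the write-up.
PASSWD_LINES = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    "adm:x:3:4:adm:/var/adm:/sbin/nologin\n"
)
TEXT_BODY = (PASSWD_LINES * 3000).encode()

# Constructed stand-in for a JPEG: 64 KiB of seeded pseudo-random bytes.
# JPEG data is already entropy-coded, so it behaves like this under gzip.
_rng = random.Random(1)
JPEG_LIKE_BODY = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))


def gzip_ratio(body: bytes, level: int = 2) -> float:
    """Compressed size divided by original size at gzip_comp_level `level` (1-9)."""
    return len(gzip.compress(body, compresslevel=level)) / len(body)


def should_gzip(content_type: str, content_length, gzip_types, min_length: int = 20) -> bool:
    """Mirror nginx's gzip decision for one response.

    - text/html is always eligible; '*' in gzip_types matches every type;
      any other type must be listed explicitly.
    - gzip_min_length is compared against Content-Length only; a response
      without a known length (content_length=None) is compressed regardless.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime != "text/html" and "*" not in gzip_types and mime not in gzip_types:
        return False
    if content_length is not None and content_length < min_length:
        return False
    return True


if __name__ == "__main__":
    print(f"passwd-style text: {len(TEXT_BODY)} bytes -> {gzip_ratio(TEXT_BODY):.1%} of original")
    print(f"random (JPEG-like): {len(JPEG_LIKE_BODY)} bytes -> {gzip_ratio(JPEG_LIKE_BODY):.1%} of original")
```

The text body comes out at a percent or two of its size, in line with 417.89 kB shrinking to 7.67 kB; the random body ends up slightly larger than it started, which is why image/* entries in gzip_types are wasted CPU.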
2. Writing a systemd unit for Nginx
The httpd package is installed only to borrow its unit file as a template; it also pulls in Apache, which wants port 80 too, so do not enable httpd.service (or simply write the unit below by hand).
[root@server1 sbin]# yum install httpd -y
[root@server1 sbin]# cd /usr/lib/systemd/system
[root@server1 system]# cp httpd.service /etc/systemd/system/nginx.service
[root@server1 system]# vim /etc/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# default pid file for --prefix=/usr/local/nginx; lets systemd track the master process
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# -s stop is an immediate shutdown; -s quit waits for workers to finish in-flight requests
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Unit files are plain text and must not be executable (systemd warns that the file "is marked executable"), so the chmod +x step is unnecessary; 0644 is the right mode. Stop the instance started by hand earlier (./nginx -s stop), otherwise port 80 is busy, then tell systemd about the new unit and start it:
[root@server1 system]# systemctl daemon-reload
[root@server1 system]# systemctl start nginx.service
[root@server1 system]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2305/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 981/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1949/master
tcp6 0 0 :::3306 :::* LISTEN 1236/mysqld
tcp6 0 0 :::22 :::* LISTEN 981/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1949/master
3. Image resizing (image_filter)
1. Build with the image filter module and install its dependency
Already done: the initial build passed --with-http_image_filter_module=dynamic and gd-devel-2.0.35-26.el7.x86_64.rpm is installed.
2. Edit the configuration and create the search directory
vim /usr/local/nginx/conf/nginx.conf
At the very top of nginx.conf, outside every block (the .so must come from the same source tree and configure arguments as the running binary, or it will refuse to load):
load_module modules/ngx_http_image_filter_module.so;
In the http block (the rate limit is explained in section 4):
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
In the server block:
location /search/ {
    limit_req zone=one burst=5;
    image_filter resize 100 150;   # scale the image down proportionally so it fits in 100x150 pixels
}
[root@server1 sbin]# cd ../html/search/
[root@server1 search]# ls
girl.jpg
[root@server1 search]# du -sh girl.jpg   # the original is 204K
204K girl.jpg
3. Start Nginx, or reload the configuration if it is already running
[root@server1 sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 sbin]# ./nginx -s reload
4. Test
On the client, open http://172.25.75.1/search/girl.jpg (the server is 172.25.75.1 and the filter is attached to the /search/ location, so the request has to go through that path). In F12 -> Network, a refresh shows the image arriving at about 2.21 kB instead of 204K: the filter decodes the JPEG, scales it down and re-encodes it at image_filter_jpeg_quality (default 75). Originals larger than image_filter_buffer (default 1m) are refused with 415 Unsupported Media Type, so raise that directive for big images.
4. Rate limiting
1. Edit the configuration
[root@server1 sbin]# pwd
/usr/local/nginx/sbin
[root@server1 sbin]# vim ../conf/nginx.conf
In the http block:
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;   # key: client address in binary form; zone "one" with 10 MB of shared memory (roughly 160,000 client states); allowed average rate one request per second
In the server block:
location /search/ {
    limit_req zone=one burst=5;   # up to 5 requests may queue above the rate; they are delayed so the average holds, and anything beyond that gets a 503
}
The key is the TCP peer address. Behind a reverse proxy every client would share the proxy's address and therefore one key, so configure the realip module (section 5) first in that case.
2. Reload the configuration
[root@server1 sbin]# ./nginx -s reload
3. Load test from the client
ab -c 1 -n 10 http://172.25.75.1/search/girl.jpg   # concurrency 1, 10 requests in total
It takes about ten seconds: the first request is served at once and each following one is held back about a second so the 1r/s average is respected.
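The timing is easier to predict once the bucket arithmetic is visible. The following Python model is an added example (not from the article) that follows the documented behaviour of ngx_http_limit_req_module: requests above the rate accumulate as "excess", the excess drains at the configured rate, and a request is delayed while the excess stays within burst and refused with 503 beyond it. The class and function names, and the single-client and simultaneous-burst scenarios, are this example's assumptions; nginx does the same arithmetic in milliseconds.

```python
class LimitReqZone:
    """Leaky-bucket state for one client key, following ngx_http_limit_req_module.

    `excess` is how far the client is ahead of the allowed rate. It drains at
    `rate` requests per second between arrivals and grows by 1 per accepted
    request. A request that would push it above `burst` is rejected with 503;
    otherwise it is delayed excess/rate seconds so the average rate holds
    (no delay at all with nodelay).
    """

    def __init__(self, rate: float, burst: int, nodelay: bool = False):
        self.rate, self.burst, self.nodelay = rate, burst, nodelay
        self.excess = 0.0
        self.last = None          # time of the last accepted request

    def request(self, now: float):
        """Return (outcome, delay_seconds); outcome is 'ok', 'delayed' or '503'."""
        if self.last is None:     # first request from this key: fresh bucket, no excess
            excess = 0.0
        else:
            excess = max(self.excess - self.rate * (now - self.last) + 1.0, 0.0)
        if excess > self.burst:
            return "503", 0.0     # rejected; the bucket state is left untouched
        self.excess, self.last = excess, now
        if self.nodelay or excess == 0.0:
            return "ok", 0.0
        return "delayed", excess / self.rate


def sequential_client(n: int, rate: float, burst: int, nodelay: bool = False):
    """Model `ab -c 1 -n n`: each request is sent once the previous one finished.
    Returns (total_seconds, outcomes)."""
    zone = LimitReqZone(rate, burst, nodelay)
    t, outcomes = 0.0, []
    for _ in range(n):
        outcome, delay = zone.request(t)
        outcomes.append(outcome)
        t += delay                # the client waits out the server-side delay
    return t, outcomes


def concurrent_burst(n: int, rate: float, burst: int, nodelay: bool = False):
    """Model n requests from one address arriving at the same instant."""
    zone = LimitReqZone(rate, burst, nodelay)
    return [zone.request(0.0) for _ in range(n)]


if __name__ == "__main__":
    total, outcomes = sequential_client(10, rate=1.0, burst=5)
    print(f"ab -c 1 -n 10 against rate=1r/s burst=5: ~{total:.0f}s, outcomes {outcomes}")
    for outcome, delay in concurrent_burst(8, rate=1.0, burst=5):
        print(f"simultaneous request: {outcome:8s} delay={delay:.0f}s")
```

With the page's settings a single sequential client gets one immediate answer and nine one-second delays, about nine to ten seconds for ab; eight simultaneous requests from one address get one served at once, five queued for one to five seconds, and two 503s. A client that spaces its requests one second apart never accumulates excess and is never delayed.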
4. Cap the download speed at 50 KB/s
[root@server1 sbin]# vim ../conf/nginx.conf
Change the location to:
location /search/ {
    limit_rate 50k;               # throttle each response to 50 KB per second (per connection)
    limit_req zone=one burst=5;
}
5. Reload the configuration and load-test from the client again
Reload:
[root@server1 sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 sbin]# ./nginx -s reload
Load test:
[root@foundation75 ~]# ab -c 1 -n 5 http://172.25.75.1/search/girl.jpg
The image is about 200K and limit_rate is 50 KB/s, so one download takes about 4 seconds; one client doing 5 requests in sequence (concurrency 1) therefore needs roughly 20 seconds. limit_rate applies per connection, so a client that opens several connections in parallel multiplies its bandwidth; limit_conn caps the number of connections per key if that matters.
6. The rate can also be set per request through the $limit_rate variable, here for the default site
[root@server1 sbin]# vim ../conf/nginx.conf
Change:
location / {
    root html;
    set $limit_rate 1k;           # same effect as limit_rate, but settable per request from variables or a map
    index index.html index.htm;
}
Reload the configuration, then test from the client:
The 420K index page now trickles in at 1 KB per second.
7. Logging client access with a custom format
[root@server1 sbin]# vim ../conf/nginx.conf
In the http block (this is the stock "main" format from nginx.conf.default, uncommented):
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
In the server block:
access_log logs/redhat.access.log main;
$http_referer, $http_user_agent and $http_x_forwarded_for are copied verbatim from headers the client controls; treat them as untrusted input when parsing the log (nginx escapes quotes and control bytes, but the content is whatever the client sent) and rely on $remote_addr, after the realip setup in section 5, for the client address.
[root@server1 sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 sbin]# ./nginx -s reload
Access from the client, then look at the log file
[root@foundation75 ~]# ab -c 1 -n 5 http://172.25.75.1/search/girl.jpg
Look at logs/redhat.access.log:
5. Getting the real client IP behind a reverse proxy (realip)
Environment: server2 (172.25.75.2) gets its own nginx build and is placed in front of server1 as a reverse proxy.
[root@server2 ~]# tar zxf nginx-1.16.0.tar.gz
[root@server2 ~]# ls
gd-devel-2.0.35-26.el7.x86_64.rpm nginx-1.16.0 nginx-1.16.0.tar.gz
[root@server2 ~]# yum install gd-devel-2.0.35-26.el7.x86_64.rpm -y
[root@server2 ~]# yum install gcc pcre-devel.x86_64 openssl-devel.x86_64 -y
[root@server2 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
[root@server2 nginx-1.16.0]# make && make install
[root@server2 ~]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@server2 ~]# useradd nginx
1. Configure the nginx that serves the content (server1)
server {
    listen 80;
    server_name localhost;
    set_real_ip_from 172.25.75.2;        # only this proxy may override the client address; never put 0.0.0.0/0 here
    real_ip_header X-Forwarded-For;      # take the client address from this header
    real_ip_recursive on;                # walk the header from the right, skip trusted proxies, use the first untrusted address
With set_real_ip_from limited to the proxy, a client that connects to server1 directly or adds its own X-Forwarded-For value cannot forge the logged address: direct connections are not trusted, so the header is ignored, and through the proxy the forged value ends up to the left of the real address the proxy appends, where recursive mode never reaches it.
Reload the configuration:
[root@server1 ~]# cd /usr/local/nginx/sbin/
[root@server1 sbin]# ./nginx -s reload
2. Configure the nginx that acts as the reverse proxy (server2)
vim /usr/local/nginx/conf/nginx.conf
Change:
user nginx nginx;                 # worker processes run as this unprivileged user; it must exist before nginx starts
worker_processes 2;
In the http block:
http {
    include mime.types;
    default_type application/octet-stream;
    upstream westos {
        server 172.25.75.1:80;
    }
Further down, an added virtual host:
    server {
        listen 80;
        server_name www.westos.org;

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # appends the peer address to any X-Forwarded-For the client sent
            proxy_pass http://westos;
        }
    }
The nginx user was already created with useradd above; it has to exist before the start, or nginx refuses to run with the user directive. Start nginx:
[root@server2 ~]# nginx
3. Test
Add the hosts entry on the client; curl www.westos.org then talks to the proxy, but the body comes from server1 (its passwd-based index.html):
[root@foundation75 ~]# curl www.westos.org
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
In server1's access log the request shows up with the client's address:
The web server logs the real client IP (172.25.75.250) rather than the reverse proxy's (172.25.75.2), although the TCP connection came from the proxy.
Now revert the realip directives on the web server:
Reload, access from the client again and look at the log:
The GET is now attributed to the reverse proxy's address.
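How the module chooses the address, and why set_real_ip_from must stay narrow, is shown by this added Python model (mine, not from the article) of the realip selection rule, run against the page's topology: client 172.25.75.250, proxy 172.25.75.2. The helper names and the forged address 1.2.3.4 are assumptions made for the example.

```python
import ipaddress


def _is_trusted(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def real_ip(remote_addr: str, x_forwarded_for, set_real_ip_from, recursive: bool = True) -> str:
    """Client address as nginx's realip module would report it in $remote_addr.

    remote_addr       TCP peer address (the proxy, or the client on a direct hit).
    x_forwarded_for   value of the X-Forwarded-For header, or None.
    set_real_ip_from  list of CIDRs; only peers inside them may override the address.
    recursive=False   take the last (rightmost) address in the header.
    recursive=True    walk the header from the right, skip trusted proxies and
                      take the first untrusted address (leftmost if all are trusted).
    An unparsable entry makes nginx keep the peer address; modelled the same way.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in set_real_ip_from]
    if not x_forwarded_for or not _is_trusted(remote_addr, nets):
        return remote_addr                    # untrusted peer: header ignored entirely
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if not hops:
        return remote_addr
    try:
        if not recursive:
            ipaddress.ip_address(hops[-1])    # validate before trusting it
            return hops[-1]
        for hop in reversed(hops):
            if not _is_trusted(hop, nets):
                return hop
    except ValueError:
        return remote_addr
    return hops[0]


if __name__ == "__main__":
    trusted = ["172.25.75.2"]                 # the page's set_real_ip_from
    honest = "172.25.75.250"                  # proxy appended the real client
    forged = "1.2.3.4, 172.25.75.250"         # client sent its own header first
    print("honest via proxy   :", real_ip("172.25.75.2", honest, trusted))
    print("forged via proxy   :", real_ip("172.25.75.2", forged, trusted))
    print("forged, direct hit :", real_ip("172.25.75.250", "1.2.3.4", trusted))
    print("trusting everything:", real_ip("172.25.75.2", forged, ["0.0.0.0/0"]))
```

The last line is the misconfiguration to watch for: with 0.0.0.0/0 trusted, recursive mode walks past every hop and reports the attacker-chosen 1.2.3.4, which then ends up in logs, in limit_req keys and in any allow/deny rules.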
6. SSL/TLS configuration
The build option and its dependency were already taken care of in section I:
[root@server1 ~]# yum install openssl-devel
The configure option needed is --with-http_ssl_module.
1. Edit the configuration
[root@server1 sbin]# vim ../conf/nginx.conf
server {
    listen 443 ssl;
    server_name www.westos.com;

    ssl_certificate cert.pem;            # path relative to the conf directory; this one file holds certificate and private key (step 3)
    ssl_certificate_key cert.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /web;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.westos.com;

    location / {
        root /web;
        index index.html;
    }
}
These are the stock settings from nginx.conf.default. For anything beyond a lab, also restrict ssl_protocols to TLSv1.2 and newer (this nginx version still enables TLSv1 and TLSv1.1 by default), and note that the port-80 server still serves the same content in clear; section 7 turns it into a redirect.
2. Create the content under /web
[root@server1 sbin]# mkdir /web
[root@server1 sbin]# vim /web/index.html
[root@server1 sbin]# cat /web/index.html
www.westos.com
3. Create the certificate
[root@server1 sbin]# cd /etc/pki/tls/certs/
[root@server1 certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.................................................................................+++
...........................................................+++
writing new private key to '/tmp/openssl.cvOhc1'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:zhao
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.com
[root@server1 certs]# ls
ca-bundle.crt cert.pem Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
The certificate is ready. Note what the Makefile target produced: a self-signed certificate valid for 365 days with serial number 0 (RFC 5280 requires a positive serial, so strict validators may reject it), and an unencrypted PKCS#8 private key (-nodes) written into the same cert.pem ahead of the certificate, with mode 0600 thanks to the umask 77. The Common Name is server1 and there is no subjectAltName, so even a client that imports this certificate will not match it to www.westos.com; browsers now ignore the CN and require a SAN.
Copy the certificate into place and reload the configuration:
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf/
[root@server1 certs]# cd /usr/local/nginx/conf/
[root@server1 conf]# ls
cert.pem fastcgi_params.default mime.types.default scgi_params.default
fastcgi.conf koi-utf nginx.conf uwsgi_params
fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default
fastcgi_params mime.types scgi_params win-utf
[root@server1 conf]# ../sbin/nginx -s reload
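Because the Makefile target writes key and certificate into one file, both ssl_certificate directives point at cert.pem. The added Python example below (mine, not the page's) pulls the two PEM objects apart so the certificate can be world-readable while the key stays 0600, and refuses bundles that do not contain exactly one key and at least one certificate. SAMPLE_BUNDLE is a constructed dummy with fake base64 bodies, not a real key; the file names and function names are assumptions.

```python
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n.*?-----END (?P=label)-----",
    re.S,
)

# Constructed, non-functional stand-in for what `make cert.pem` writes:
# the private key first, a blank line, then the certificate. The base64
# bodies are dummies, not a real key or certificate.
SAMPLE_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEdummykeybody\n"
    "-----END PRIVATE KEY-----\n"
    "\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDdummycertbody\n"
    "-----END CERTIFICATE-----\n"
)


def pem_blocks(text: str):
    """List the (label, block) pairs in a PEM file, in order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def split_cert_bundle(text: str):
    """Separate the private key from the certificate(s).

    Returns (key_pem, cert_chain_pem). Accepts 'PRIVATE KEY', 'RSA PRIVATE KEY'
    and 'EC PRIVATE KEY' labels; refuses bundles without exactly one key and at
    least one certificate, so a mix-up is caught before it reaches nginx.
    """
    blocks = pem_blocks(text)
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError(f"expected 1 private key and >=1 certificate, found {len(keys)} and {len(certs)}")
    return keys[0] + "\n", "\n".join(certs) + "\n"


def write_split(bundle_path: str, key_path: str, cert_path: str) -> int:
    """Write key and chain to separate files; the key is created 0600.
    Returns the key file's permission bits."""
    with open(bundle_path) as f:
        key_pem, cert_pem = split_cert_bundle(f.read())
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_pem)
    os.chmod(key_path, 0o600)               # in case the file already existed with looser bits
    with open(cert_path, "w") as f:         # the certificate is public; the default mode is fine
        f.write(cert_pem)
    return stat.S_IMODE(os.stat(key_path).st_mode)


def demo_split_in_tmpdir() -> int:
    """Round-trip the constructed bundle through a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "cert.pem")
        with open(bundle, "w") as f:
            f.write(SAMPLE_BUNDLE)
        return write_split(bundle, os.path.join(d, "westos.key"), os.path.join(d, "westos.crt"))


if __name__ == "__main__":
    print("labels:", [label for label, _ in pem_blocks(SAMPLE_BUNDLE)])
    print("key file mode: %o" % demo_split_in_tmpdir())
```

After splitting, point ssl_certificate at the .crt and ssl_certificate_key at the .key; the master process reads the key as root before dropping privileges, so 0600 root-owned is enough.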
4. Add local name resolution on the client
vim /etc/hosts
172.25.75.2 www.westos.org
172.25.75.1 www.westos.com
5. Test
On the client open https://www.westos.com
The browser warns because the certificate is self-signed (and its name does not match the host); after accepting the exception the page loads over TLS. Success here means the handshake works, not that the certificate would be trusted by anyone else.
7. Nginx redirects
On the web server configured above:
1. Temporary redirect
[root@server1 conf]# vim ../conf/nginx.conf
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate cert.pem;
    ssl_certificate_key cert.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /web;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.westos.com;

    rewrite ^/(.*) https://www.westos.com/$1;   # a replacement starting with https:// makes nginx answer 302 (the "redirect" flag); $1 carries the path, the query string is appended automatically
}
Reload the configuration:
[root@server1 conf]# ../sbin/nginx -s reload
[root@server1 conf]# pwd
/usr/local/nginx/conf
Test from the client (it must resolve www.westos.com locally):
[root@foundation75 ~]# curl -I www.westos.com
HTTP/1.1 302 Moved Temporarily   # 302 = temporary redirect
Server: nginx/1.15.8
Date: Tue, 07 May 2019 08:52:40 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://www.westos.com/
[root@foundation75 ~]# curl -I www.westos.com/index.html
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.15.8
Date: Tue, 07 May 2019 08:52:43 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://www.westos.com/index.html
www.westos.com is now redirected to https://www.westos.com. A 302 is convenient while testing because browsers do not cache it; once the setup is stable, switch to a permanent redirect and consider a Strict-Transport-Security header so clients stop trying plain HTTP at all.
We can also add a second virtual host so that one server with one IP address hosts two sites (name-based virtual hosting), which saves resources in production.
Edit the configuration:
[root@server1 conf]# vim nginx.conf
server {
    listen 80;
    server_name www.westos.com;

    rewrite ^/(.*) https://www.westos.com/$1;
}

server {
    listen 80;
    server_name bbs.westos.com;

    location / {
        root /bbs;
        index index.html;
    }
}
Create the content and reload the configuration:
[root@server1 conf]# mkdir /bbs
[root@server1 conf]# vim /bbs/index.html
[root@server1 conf]# cat /bbs/index.html
bbs.westos.com
[root@server1 conf]# ../sbin/nginx -s reload
Add the local name resolution on the client:
[root@foundation75 ~]# vim /etc/hosts
Test:
2. Permanent redirect
[root@server1 conf]# vim nginx.conf
server {
    listen 80;
    server_name www.westos.com;

    rewrite ^/(.*) https://www.westos.com/$1 permanent;   # the permanent flag turns the 302 into a 301
}

server {
    listen 80;
    server_name bbs.westos.com;

    location / {
        root /bbs;
        index index.html;
    }
}
[root@server1 conf]# ../sbin/nginx -s reload
Test from the client:
301 means a permanent redirect. Browsers cache it, so a wrong permanent rule keeps biting users until their cache expires; test with the temporary form first.
3. Redirecting between domains
[root@server1 conf]# vim nginx.conf
server {
    listen 80;
    server_name www.westos.com bbs.westos.com;

    #rewrite ^/(.*) https://www.westos.com/$1 permanent;
    rewrite ^/bbs$ http://bbs.westos.com permanent;          # /bbs        -> bbs.westos.com/
    rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;  # /bbs/<path> -> bbs.westos.com/<path>
}

server {
    listen 80;
    server_name bbs.westos.com;

    location / {
        root /bbs;
        index index.html;
    }
}
Note that bbs.westos.com now appears in both server blocks. nginx resolves the clash by using the first block defined and warns at startup ("conflicting server name ... ignored"), so requests to bbs.westos.com land in the first block, whose root is the default html directory, not /bbs. Keep each name in exactly one server block.
Reload the configuration:
[root@server1 conf]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 conf]# ../sbin/nginx -s reload
Test from the client:
[root@foundation75 ~]# curl -I www.westos.com/bbs/index.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.8
Date: Tue, 07 May 2019 09:35:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://bbs.westos.com/index.html
4. Serving the same resource under different domain names
[root@server1 conf]# vim nginx.conf
server {
    listen 80;
    server_name www.westos.com bbs.westos.com;

    #rewrite ^/(.*) https://www.westos.com/$1 permanent;
    rewrite ^/bbs$ http://bbs.westos.com permanent;
    rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;

    if ($host = "bbs.westos.com") {                          # requests arriving under the bbs name are sent back to the www name
        rewrite ^/(.*)$ http://www.westos.com/$1 permanent;
    }
    location / {
        root /web;
        index index.html;
    }
}
Reload, then test from the client: www.westos.com/bbs/index.html is answered with a 301 to bbs.westos.com/index.html, which in turn 301s to www.westos.com/index.html, where the file is served from /web. Two hops work, but a rule that also sent www back to bbs for every path would make the browser bounce between the two names until it gives up with "too many redirects"; trace the whole chain with curl -I whenever rewrites are stacked.
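Tracing such chains by hand is error-prone, so here is an added Python example (not from the article) that follows the rewrite rules of the block above the way a browser would and flags a loop. The rule table is my transcription of the directives (nginx's $1 becomes Python's \1), LOOPING_RULES adds a deliberately wrong rule to show the failure mode, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# The rewrite rules of the block above, in the order nginx evaluates them in
# the server that owns both names. A rule is (host filter or None, regex on
# the request path, replacement, status); nginx's $1 is Python's \1.
RULES = [
    (None, r"^/bbs$", r"http://bbs.westos.com", 301),
    (None, r"^/bbs/(.*)$", r"http://bbs.westos.com/\1", 301),
    ("bbs.westos.com", r"^/(.*)$", r"http://www.westos.com/\1", 301),   # the if ($host = ...) block
]

# A plausible mistake: also bouncing every www request over to bbs.
LOOPING_RULES = RULES + [("www.westos.com", r"^/(.*)$", r"http://bbs.westos.com/\1", 301)]


def apply_rules(url: str, rules):
    """First matching rule as (status, location), or None when the request
    falls through to the location block and gets served."""
    p = urlsplit(url)
    path = p.path or "/"
    for host, pattern, repl, status in rules:
        if host is not None and p.hostname != host:
            continue
        if re.search(pattern, path):
            # an absolute URL in the replacement makes nginx stop and redirect
            return status, re.sub(pattern, repl, path)
    return None


def follow(url: str, rules, max_hops: int = 20):
    """Follow the redirect chain like a browser.

    Returns (hops, verdict): 'served' when a hop is answered with content,
    'loop' when a URL repeats or max_hops is exceeded (browsers stop around
    20 hops with a "too many redirects" error).
    """
    hops, seen = [url], {url}
    while True:
        r = apply_rules(hops[-1], rules)
        if r is None:
            return hops, "served"
        nxt = r[1]
        hops.append(nxt)
        if nxt in seen or len(hops) > max_hops:
            return hops, "loop"
        seen.add(nxt)


if __name__ == "__main__":
    for start, rules in (("http://www.westos.com/bbs/index.html", RULES),
                         ("http://www.westos.com/index.html", LOOPING_RULES)):
        hops, verdict = follow(start, rules)
        print(verdict, " -> ".join(hops))
```

The first run prints the two-hop chain ending at www.westos.com/index.html; the second shows www and bbs handing the request back and forth until the loop is detected.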
II. Hotlink protection
- server1 172.25.75.1: the server whose images get hotlinked
- server2 172.25.75.2: the hotlinking site
1. Simulating hotlinking
1. On server2:
[root@server2 ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name daolian.westos.com;
    charset utf-8;
    location / {
        root /web;
        index index.html;
    }
}
Create the content, a page that embeds girl.jpg from www.westos.com:
[root@server2 ~]# mkdir /web
[root@server2 ~]# vim /web/index.html
2. On server1, create the resource that will be hotlinked:
[root@server1 html]# vim ../conf/nginx.conf
server {
listen 80;
server_name www.westos.com bbs.westos.com;
#rewrite ^/(.*) https://www.westos.com/$1 permanent;
rewrite ^/bbs$ http://bbs.westos.com permanent;
rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;
if ($host = "bbs.westos.com") {
rewrite ^/(.*)$ http://www.westos.com/$1 permanent;
}
location / {
root /web;
index index.html;
}
}
[root@server1 html]# ls
50x.html girl.jpg index.html search
[root@server1 html]# cp girl.jpg /web/
[root@server1 html]# cd /web
[root@server1 web]# ls
girl.jpg index.html
3. Reload nginx on server2, add the local name resolution on the client and test
[root@server2 ~]# nginx -s reload
On the client:
vim /etc/hosts
172.25.75.2 daolian.westos.com
172.25.75.1 www.westos.com bbs.westos.com
Test:
Hotlinking works: the page on daolian.westos.com displays the image served by www.westos.com, at server1's expense.
2. Preventing hotlinking
1. On server1, edit the configuration:
[root@server1 html]# vim ../conf/nginx.conf
server {
    listen 80;
    server_name www.westos.com;

    #rewrite ^/(.*) https://www.westos.com/$1 permanent;
    rewrite ^/bbs$ http://bbs.westos.com permanent;
    rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;

    if ($host = "bbs.westos.com") {
        rewrite ^/(.*)$ http://www.westos.com/$1 permanent;
    }
    location / {
        root /web;
        index index.html;
    }
    location ~* \.(gif|jpg|png|jpeg)$ {
        root /web;
        valid_referers none blocked www.westos.com;   # none: no Referer header; blocked: Referer without http:// or https:// (stripped by a proxy); then our own host name
        if ($invalid_referer) {                        # "1" when the Referer matched none of the entries above
            rewrite ^/ http://bbs.westos.com/daolian.jpg;   # 302 to a placeholder image on the other site (a 403 would save the bandwidth entirely)
        }
    }
}

server {
    listen 80;
    server_name bbs.westos.com;

    location / {
        root /bbs;
        index index.html;
    }
}
The placeholder deliberately lives in the bbs.westos.com server, where no referer check applies; a placeholder under the same image location would be refused as well, since the browser sends the same Referer with the redirected request, and the client would loop.
2. Create the placeholder image that hotlinkers are redirected to:
[root@server1 ~]# cd /bbs/
[root@server1 bbs]# ls
daolian.jpg index.html
3. Reload the configuration, then test from the client:
[root@server1 sbin]# ./nginx -s reload
Test:
The hotlinking site's image requests are now redirected to the placeholder on the other site. Keep the limits of this in mind: the Referer header is set by the client, so anyone can forge it (curl sets it with the -e option), and the none entry lets every direct or Referer-less request through. This stops casual embedding and saves bandwidth; it is not access control.
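To see exactly which Referer values the valid_referers line lets through, here is an added Python model (mine, not from the article) of how $invalid_referer is computed, including the blocked, wildcard and regex forms. The decide() helper maps the result onto what the image location above does; the sample Referer values are constructed for the example.

```python
import re
from urllib.parse import urlsplit


def invalid_referer(referer, valid) -> bool:
    """True when nginx would set $invalid_referer for this request.

    referer: the Referer header value, or None when the header is absent.
    valid:   the arguments of valid_referers. Supported forms: 'none',
             'blocked', host names with an optional leading or trailing '*'
             and an optional URI prefix (port is ignored), and '~regex'
             matched against the text after the scheme.
    """
    if referer is None:
        return "none" not in valid
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return "blocked" not in valid      # scheme stripped or mangled by a proxy/firewall
    after_scheme = low.split("://", 1)[1]
    parts = urlsplit(low)
    host = parts.hostname or ""
    path = parts.path or "/"
    for v in valid:
        if v in ("none", "blocked"):
            continue
        if v.startswith("~"):
            if re.search(v[1:], after_scheme):
                return False
            continue
        vhost, _, vpath = v.lower().partition("/")
        if vhost.startswith("*"):
            host_ok = host.endswith(vhost[1:])
        elif vhost.endswith("*"):
            host_ok = host.startswith(vhost[:-1])
        else:
            host_ok = host == vhost
        if host_ok and path.startswith("/" + vpath):
            return False
    return True


def decide(referer, valid) -> str:
    """What the image location above does with the request."""
    return "redirect" if invalid_referer(referer, valid) else "serve"


if __name__ == "__main__":
    valid = ["none", "blocked", "www.westos.com"]
    for ref in (None, "http://www.westos.com/", "http://daolian.westos.com/",
                "daolian.westos.com/page", "http://www.westos.com.evil.example/"):
        print(f"{str(ref):42s} -> {decide(ref, valid)}")
```

Two results deserve attention: a Referer of daolian.westos.com/page without a scheme is "blocked" and therefore allowed, and a forged http://www.westos.com/ from any client is indistinguishable from a genuine one.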