Nginx
1. Installation
To satisfy nginx's build dependencies, first install the following two packages:
[root@server1 ~]# yum install openssl-devel -y
[root@server1 ~]# yum install pcre-devel -y
[root@server1 ~]# ls
nginx-1.12.0.tar.gz
[root@server1 ~]# tar zxf nginx-1.12.0.tar.gz ## extract
[root@server1 ~]# ls
nginx-1.12.0 nginx-1.12.0.tar.gz
[root@server1 ~]# cd nginx-1.12.0 ## enter the nginx source directory
[root@server1 nginx-1.12.0]# ls
auto CHANGES.ru configure html man src
CHANGES conf contrib LICENSE README
[root@server1 nginx-1.12.0]# less README
[root@server1 nginx-1.12.0]# pwd
/root/nginx-1.12.0
[root@server1 nginx-1.12.0]# useradd -M -d /usr/local/lnmp/nginx -s /sbin/nologin -u 800 nginx ## create the nginx user
[root@server1 nginx-1.12.0]# id nginx ## show the id of the nginx user
uid=800(nginx) gid=800(nginx) groups=800(nginx)
[root@server1 ~]# vim nginx-1.12.0/auto/cc/gcc
#CFLAGS="$CFLAGS -g" ## line 172: comment out this line to disable the debug build; the compiled binary is then only a few hundred KB
[root@server1 ~]# vim nginx-1.12.0/src/core/nginx.h ## for security, drop the trailing NGINX_VERSION after "nginx/" on line 14 so that the nginx version is not displayed
#define NGINX_VER "nginx/"
To make nginx easy to start, create a symbolic link:
[root@server1 nginx-1.12.0]# ln -s /usr/local/lnmp/nginx/sbin/nginx /usr/sbin/
[root@server1 nginx-1.12.0]# ./configure --prefix=/usr/local/lnmp/nginx --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_stub_status_module ## configure the source build
[root@server1 nginx-1.12.0]# make && make install ## compile and install
Test:
[root@server1 nginx-1.12.0]# curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Tue, 25 Jul 2017 14:45:22 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 25 Jul 2017 14:14:31 GMT
Connection: keep-alive
ETag: "59775247-264"
Accept-Ranges: bytes
Or from the physical host:
[root@localhost ~]# curl -I 172.25.80.1
HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Tue, 25 Jul 2017 14:44:18 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 25 Jul 2017 14:14:31 GMT
Connection: keep-alive
ETag: "59775247-264"
Accept-Ranges: bytes
Test in a browser: https://172.25.80.1
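The Server header in the responses above still carries the version string. The following check is an added example, not part of the original post: it parses curl -I output and reports banners that expose a version. The sample responses and function names are constructed; server_tokens off; is the nginx directive that suppresses the version at configuration level.

```shell
# banner_leaks: read raw `curl -I` output on stdin, print one line for every
# Server / X-Powered-By header that exposes a version number.
# Returns 0 when at least one banner leaks a version, 1 when none does.
banner_leaks() {
    awk '
        { sub(/\r$/, "") }                      # HTTP header lines end in CRLF
        tolower($0) ~ /^(server|x-powered-by):/ {
            name = $0;  sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (value ~ /[0-9]+\.[0-9]+/) {     # e.g. nginx/1.12.0
                printf "%s leaks version: %s\n", name, value
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed samples: the first mirrors the response shown above, the second
# is a response from a server whose version is suppressed.
sample_default='HTTP/1.1 200 OK
Server: nginx/1.12.0
Content-Type: text/html'
sample_hidden='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

check_samples() {
    printf '%s\n' "$sample_default" | banner_leaks
    printf '%s\n' "$sample_hidden"  | banner_leaks || echo "no version in banner"
}
check_samples
```

Against a live host the input would be the output of curl -sI for that host piped into banner_leaks.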
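2. Binding multiple CPUs
(1) First open the virtual machine console and add one more CPU to server1, making two:
On the physical host, run this command as the superuser: virt-manager
As shown in the figure below:
(2) Check with a command whether the CPU was added: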
[root@server1 ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 2 ## added successfully
(3) Edit the main nginx configuration file:
[root@server1 ~]# cd /usr/local/lnmp/nginx/
[root@server1 nginx]# cd conf/
[root@server1 conf]# vim nginx.conf
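Make the following changes:
worker_processes 2; ## number of worker processes to start

worker_cpu_affinity 01 10; ## 01 enables the first CPU core, 10 enables the second CPU core
With two worker processes, worker_cpu_affinity 01 10; binds the first process to the first CPU core and the second process to the second CPU core.
(4) Syntax check and reload:
[root@server1 conf]# nginx -t ## syntax check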
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful ## syntax is correct
[root@server1 conf]# nginx -s reload ## reload
[root@server1 conf]# ## reloaded successfully
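The mask pattern generalizes beyond two cores: each worker gets an N-bit mask with a single 1, and the rightmost bit stands for the first core. The following shell functions are an added example, not from the original post, that print the directive pair for any core count; the function names are illustrative.

```shell
# affinity_masks <cores>: one N-bit mask per worker, e.g. "01 10" for 2 cores.
# Bit k counted from the right selects core k, so worker 1 gets ...0001.
affinity_masks() {
    n=$1
    case "$n" in
        ''|*[!0-9]*) echo "core count must be a positive integer" >&2; return 1 ;;
    esac
    [ "$n" -ge 1 ] || { echo "core count must be a positive integer" >&2; return 1; }
    masks=""
    k=0
    while [ "$k" -lt "$n" ]; do
        mask=""
        bit=$((n - 1))
        while [ "$bit" -ge 0 ]; do
            if [ "$bit" -eq "$k" ]; then mask="${mask}1"; else mask="${mask}0"; fi
            bit=$((bit - 1))
        done
        masks="${masks:+$masks }$mask"
        k=$((k + 1))
    done
    printf '%s\n' "$masks"
}

# affinity_directives <cores>: the two nginx.conf lines for that core count.
affinity_directives() {
    m=$(affinity_masks "$1") || return 1
    printf 'worker_processes %s;\nworker_cpu_affinity %s;\n' "$1" "$m"
}

affinity_directives 2
```

nginx 1.9.10 and later also accept worker_cpu_affinity auto;, which binds the workers to the available cores without hand-written masks.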
Note: if the following appears when starting nginx:
[root@server1 conf]# nginx
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
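Cause: the address is already in use. The nginx service may have hung and left port 80 occupied, which produces this error.
This is how I solved it: use this command to see which service is occupying port 80:
[root@server1 conf]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME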
httpd 1274 root 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1288 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1289 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1290 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1291 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1292 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1293 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1294 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
httpd 1295 apache 4u IPv6 9554 0t0 TCP *:http (LISTEN)
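This showed that the apache service was occupying port 80, so I stopped apache with the following command:
(I had set the apache service to start automatically at boot, which is why the port was already in use when configuring nginx)
[root@server1 conf]# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
Start nginx: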
[root@server1 conf]# nginx
Check that the syntax of the nginx configuration file is correct:
[root@server1 conf]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful ## syntax is correct
Reload nginx:
[root@server1 conf]# nginx -s reload
[root@server1 conf]# ## success
3. Other configuration
(1) Set up the nginx user (give it a login shell so that su - nginx works):
[root@server1 conf]# usermod -s /bin/bash nginx
[root@server1 conf]# su - nginx
-bash-4.1$ ulimit -a
(2) Limit on the maximum number of open files:
Edit the main nginx configuration file:
[root@server1 conf]# vim nginx.conf
Make the following change:
events {
    worker_connections 65535; ## the maximum number of connections; 2 to the 16th power is 65536, which is the limit of system ports
}
Edit the security limits file:
[root@server1 conf]# vim /etc/security/limits.conf
Make the following change:
nginx - nofile 65535
(4) Log in as the nginx user:
[root@server1 conf]# su - nginx
open files (-n) 65535
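The limit that matters is the one a running worker process actually has, which can differ from what su - nginx shows, because /etc/security/limits.conf is applied to login sessions. The following added example (not from the original post; function names and sample files are constructed) compares worker_connections with the Max open files row of /proc/<pid>/limits and suggests the worker_rlimit_nofile directive when the limit is too low.

```shell
# conf_value <directive>: first value of a simple directive, config on stdin.
conf_value() {
    awk -v d="$1" '
        { sub(/#.*/, "") }                     # strip comments
        $1 == d { v = $2; sub(/;.*/, "", v); print v; exit }
    '
}

# soft_nofile: soft "Max open files" limit from /proc/<pid>/limits on stdin.
soft_nofile() {
    awk '/^Max open files/ { print $4; exit }'
}

# fd_budget <nginx.conf> <limits file>: return 0 when one worker may open at
# least worker_connections descriptors, otherwise print a fix and return 1.
fd_budget() {
    conns=$(conf_value worker_connections < "$1")
    soft=$(soft_nofile < "$2")
    [ -n "$conns" ] && [ -n "$soft" ] || { echo "cannot parse input"; return 2; }
    if [ "$soft" -ge "$conns" ]; then
        echo "ok: worker limit $soft covers worker_connections $conns"
    else
        echo "short: worker limit $soft < worker_connections $conns"
        echo "add to the main context: worker_rlimit_nofile $conns;"
        return 1
    fi
}

# Demo on constructed input; on a live host pass the real nginx.conf and
# /proc/<worker pid>/limits instead.
demo_fd_budget() {
    dir=$(mktemp -d)
    printf 'events {\n    worker_connections 65535; ## max connections\n}\n' > "$dir/nginx.conf"
    printf 'Limit            Soft Limit  Hard Limit  Units\nMax open files   1024        4096        files\n' > "$dir/limits"
    fd_budget "$dir/nginx.conf" "$dir/limits"
    status=$?
    rm -rf "$dir"
    return $status
}
demo_fd_budget || true
```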
[root@server1 conf]# vim nginx.conf
server {
    listen 80; ## listening port
    server_name www.westos.org; ## server name

    location / {
        root /web1; ## local directory
        index index.html; ## test page file

    }
}

}
Create the web1 directory:
[root@server1 conf]# mkdir /web1
[root@server1 conf]# cd /web1/
[root@server1 web1]# ls
Write the test web page file:
[root@server1 web1]# vim index.html
<h1>server1-www.westos.org</h1>
(5) Test: enter www.westos.org in the Firefox address bar; the following content is displayed:
4. Certificate encryption:
[root@server1 tls]# cd private/
[root@server1 private]# ls
[root@server1 private]# openssl genrsa 2048 > localhost.key
Generating RSA private key, 2048 bit long modulus
....................................................+++
...........................................+++
e is 65537 (0x10001)
5. URL rewriting:
[root@server1 private]# cd ..
[root@server1 tls]# cd certs/
[root@server1 certs]# make testcert
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:1550850435@qq.com
[root@server1 certs]# ls
ca-bundle.crt localhost.crt Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..............................................................+++
.................................+++
writing new private key to '/tmp/openssl.Yu2vj4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:1550850435@qq.com
[root@server1 certs]# mv cert.pem /usr/local/lnmp/nginx/conf/
[root@server1 conf]# pwd
/usr/local/lnmp/nginx/conf
[root@server1 conf]# vim nginx.conf
server {
    listen 443 ssl;
    server_name www.westos.org;

    ssl_certificate cert.pem;
    ssl_certificate_key cert.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root html;
        index index.html index.htm;
    }
}

server {
    listen 80;
    server_name www.westos.org;

    rewrite ^(.*)$ https://www.westos.org permanent; ## permanent
}

}
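The cert.pem built by make cert.pem contains the private key as well as the certificate, so its file mode matters after the move into the conf directory. The following check is an added example, not part of the original post; the function names and the sample file in the demo are constructed.

```shell
# check_key_file <pem>: return 1 when the file holds a private key and its
# mode grants any access to group or others, 0 when it is owner-only or holds
# no key, 2 when the file does not exist.
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "no private key in $f"
        return 0
    fi
    # In the ls mode string, characters 5-10 are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "ok: $f holds a private key and is owner-only"
    else
        echo "exposed: $f holds a private key, group/other bits are $perms"
        return 1
    fi
}

# Demo on a constructed file (placeholder body, not a real key). On the host
# from the post the argument would be /usr/local/lnmp/nginx/conf/cert.pem.
demo_key_check() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' > "$tmp"
    chmod 644 "$tmp"; check_key_file "$tmp"
    chmod 600 "$tmp"; check_key_file "$tmp"
    rm -f "$tmp"
}
demo_key_check
```

A file reported as exposed is fixed with chmod 600 and root ownership; the nginx master process reads the key as root before the workers switch to the nginx user.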
Test:
[root@server1 conf]# curl www.westos.org -I
HTTP/1.1 301 Moved Permanently ## permanent
Server: nginx/1.12.0
Date: Wed, 26 Jul 2017 02:36:43 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/
Visit in a browser: https://www.westos.org
Displayed result:
[root@server1 conf]# vim nginx.conf
rewrite ^(.*)$ https://www.westos.org$1 redirect; ## temporary
[root@server1 conf]# curl www.westos.org -I
HTTP/1.1 302 Moved Temporarily ## temporary
Server: nginx/1.12.0
Date: Wed, 26 Jul 2017 02:40:41 GMT
Content-Type: text/html
Content-Length: 161
Connection: keep-alive
Location: https://www.westos.org/
6. Access control:
[root@server1 conf]# vim nginx.conf
location /status {
    stub_status on;
    access_log off;
    allow 127.0.0.1; ## allow only the local loopback interface
    deny all; ## deny everything else

}
Test:
In a browser, visit: 172.25.80.1/status
vim index.html
<h1>admin page</h1>
Visit: https://www.westos.org/admin
7. Reverse proxy:
[root@server1 conf]# vim nginx.conf
http {

    upstream westos {
        server 172.25.80.2:80;
        server 172.25.80.3:8080;
        server 127.0.0.1:8000 backup;
    }

    include mime.types;
    default_type application/octet-stream;
    ...
    # rewrite ^(.*)$ https://www.westos.org$1 redirect;
    location / {
        proxy_pass http://westos; ## reverse proxy module; westos is the user-defined upstream name (this is also called reverse-proxy load balancing)
    }
Note: after every change to the main nginx configuration file, run a syntax check with -t and reload with -s.
Test:
Test on server1:
[root@server1 conf]# for i in {1..10}; do curl www.westos.org;done
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
8. Weights
http {
    upstream westos {
        server 172.25.90.2:80 weight=2; ## weight
        server 172.25.90.3:8080;
        server 127.0.0.1:8000 backup;
    }
    ...
nginx -t
nginx -s reload
Access:
[root@server1 conf]# for i in {1..10}; do curl www.westos.org;done
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server2-westos.org</h1>
<h1>server2-westos.org</h1>
9. Health check:
vim nginx.conf
http {
    upstream westos {
        ip_hash; ## pins a given client IP to the same backend server every time
        server 172.25.80.2:80 weight=2;
        server 172.25.80.3:8080;
        #server 127.0.0.1:8000 backup;
    }
    ...
nginx -t
nginx -s reload
Test:
[root@server1 conf]# for i in {1..10}; do curl www.westos.org;done
<h1>server3-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server3-westos.org</h1>
<h1>server3-westos.org</h1>