Nginx basic architecture:

master/worker

One master process, which can spawn one or more worker processes;

    master: loads the configuration file, manages the worker processes, performs graceful upgrades, ...

    worker: for HTTP requests, provides the HTTP service, HTTP proxying and FastCGI proxying

Event-driven: epoll (Linux), kqueue (FreeBSD), /dev/poll (Solaris)

Message notification: select, poll, rt signals

Supports sendfile, sendfile64

Supports AIO, mmap

master: only one; its role is to load the configuration file, manage the worker processes, perform graceful upgrades, ...

worker: HTTP service, HTTP proxying, FastCGI proxying, ...

cache loader: loads the cache

cache manager: manages the cache

Module categories:

Core modules: core module

Standard modules:

Standard HTTP modules

Optional HTTP modules

Mail modules

3rd party modules

What nginx is used for:

Web server for static resources

HTTP reverse proxy


Installing and configuring nginx

Prepare the build environment:

yum group install -y "development tools" "server platform development"

yum -y install openssl-devel pcre-devel zlib-devel

Install:

[root@promote nginx-1.8.1]# ./configure --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --user=nginx --group=nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --with-http_ssl_module --with-http_gzip_static_module --with-debug --with-http_stub_status_module

[root@promote nginx-1.8.1]# make -j4 && make install

Command help:

[root@promote nginx]# /usr/local/nginx/sbin/nginx -h

nginx version: nginx/1.8.1

Usage: nginx [-?hvVtq] [-s signal] [-c filename] [-p prefix] [-g directives]


Options:

  -?,-h         : this help

  -v            : show version and exit

  -V            : show version and configure options then exit

  -t            : test configuration and exit

  -q            : suppress non-error messages during configuration testing

  -s signal     : send signal to a master process: stop, quit, reopen, reload

  -p prefix     : set prefix path (default: /usr/local/nginx/)

  -c filename   : set configuration file (default: /etc/nginx/nginx.conf)

  -g directives : set global directives out of configuration file

Start the service:

[root@promote nginx]# /usr/local/nginx/sbin/nginx

Check the service:

[root@promote nginx]# ps aux |grep nginx

root      38371  0.0  0.1  45788  1112 ?        Ss   15:12   0:00 nginx: master process /usr/local/nginx/sbin/nginx

nginx     38372  0.0  0.2  48320  2212 ?        S    15:12   0:00 nginx: worker process

root      38984  0.0  0.0 112680   972 pts/1    D+   15:17   0:00 grep --color=auto nginx

Components of the configuration file:

Main configuration file: nginx.conf

include conf.d/*.conf

Configuration related to fastcgi, scgi and uwsgi

mime.types

Configuration directives (must end with a semicolon)

directive value [value1] [value2]...

Variables are supported:

Built-in variables: provided by modules and can be referenced directly

User-defined variables: set variable_name value;

Referencing a variable: $variable_name

Configuration file structure

main block: global configuration

events {          # event-driven related configuration
    ...
}

mail {            # mail service related configuration
    ...
}

HTTP related configuration:

http {
    ...
    server {
        ...
        server_name       # domain name of this server
        root              # specifies the document root path
        alias
        location /uri/ {  # configuration that applies when this URI is requested
            ...
        }
        ...
    }
    server {
        ...
    }
}

#user  nobody;                 # the user was already specified at install time, so it is commented out

worker_processes  1;           # number of worker processes started

#error_log  logs/error.log;    # already specified at install time, so commented out; the same applies to the next two
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;  # maximum number of concurrent connections
}

main block (the main configuration section):

Categories of configuration directives:

1. Directives required for normal operation

2. Performance tuning directives

3. Directives for debugging and troubleshooting

Directives required for normal operation:

1. user USERNAME [GROUPNAME]; specifies the user and group used to run the worker processes; the group may be omitted.

e.g.: user nginx nginx;

2. pid /PATH/TO/PID_FILE; specifies the path of the nginx pid file

e.g.: pid /var/run/nginx.pid;

3. worker_rlimit_nofile number; specifies the maximum number of file descriptors a worker process may open


Performance tuning directives

1. worker_processes number|auto;


The optimal value depends on many factors including (but not limited to) the number of CPU cores, the number of hard disk drives that store data, and load pattern. When one is in doubt, setting it to the number of available CPU cores would be a good start (the value “auto” will try to autodetect it).

Number of worker processes; usually it should be the number of CPU cores minus 1; it can be "auto" for automatic setting (the value is set to the number of CPU cores)

2. Syntax: worker_cpu_affinity cpumask ...;

worker_cpu_affinity auto [cpumask];

Default: —

Context: main

Binds worker processes to the sets of CPUs. Each CPU set is represented by a bitmask of allowed CPUs. There should be a separate set defined for each of the worker processes. By default, worker processes are not bound to any specific CPUs.

worker_processes    4;

worker_cpu_affinity 0001 0010 0100 1000;   # CPU 0, CPU 1, CPU 2 and CPU 3 respectively

Example:

worker_processes  2;

worker_cpu_affinity 0010 0100;

3. Syntax: worker_priority number; specifies the process priority

Default:  worker_priority 0;

Context:  main

number range: [-20, 19], corresponding to priority values 100-139

Defines the scheduling priority for worker processes like it is done by the nice command: a negative number means higher priority. Allowed range normally varies from -20 to 20.

Debugging and troubleshooting:

1. daemon on | off;

Default: daemon on;

Context: main

Whether to start the nginx process as a daemon

2. master_process on | off;

Default: master_process on;

Whether to start nginx with the master/worker process model;

3. error_log file [level];

Default: error_log logs/error.log error;

Context: main, http, mail, stream, server, location

Error log file and its level; for debugging it can be set to debug, but note the --with-debug requirement below. Forms the file argument can take:

file /PATH/TO/SOME_LOG_FILE

stderr: send to standard error

syslog:server=address[,parameter=value]: send to a syslog server

memory:size

Log levels: debug, info, notice, warn, error, crit, alert, or emerg.

debug is only effective if the "--with-debug" option was used at compile time;


nginx.conf:

main block

events {
    ....
}

1. Syntax: worker_connections number; the maximum number of connections each worker process can have open concurrently, i.e. the maximum number of concurrent responses

Default: worker_connections 512;   number must not be larger than worker_rlimit_nofile

Context: events   (can only be used inside events)

Sets the maximum number of simultaneous connections that can be opened by a worker process.


It should be kept in mind that this number includes all connections (e.g. connections with proxied servers, among others), not only connections with clients. Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed by worker_rlimit_nofile.


Maximum number of concurrent connections the system can serve: worker_processes * worker_connections

2. Syntax: use method; the method used for processing concurrent connections

Default: —

Context: events

Specifies the connection processing method to use. There is normally no need to specify it explicitly, because nginx will by default use the most efficient method.

On Linux there is only one: use epoll;

Enabled by default

3. Syntax: accept_mutex on | off;

Default: accept_mutex off;

Context: events

If accept_mutex is enabled, worker processes will accept new connections by turn. Otherwise, all worker processes will be notified about new connections, and if volume of new connections is low, some of the worker processes may just waste system resources.

There is no need to enable accept_mutex on systems that support the EPOLLEXCLUSIVE flag (1.11.3) or when using reuseport.

Prior to version 1.11.3, the default value was on.

A load-balancing lock for the workers accepting user requests; when enabled, the workers respond to new requests in turn, one at a time.

A mechanism for load balancing among the workers

Enabled by default

# 4. Syntax: lock_file file;
# Default: lock_file logs/nginx.lock;
# Context: main
# nginx uses the locking mechanism to implement accept_mutex and serialize access to shared memory. On most systems the locks are implemented using atomic operations, and this directive is ignored. On other systems the "lock file" mechanism is used. This directive specifies a prefix for the names of lock files.


http {

...

}


Socket-related settings

1. Syntax: server { ... }   configures a virtual host

Default: —

Context: http

Configuration method:

server {
    listen PORT;
    server_name HOSTNAME;
    root /PATH/TO/DOCUMENTROOT;
    ....
}

Notes:

1) For port-based virtual hosts, the listen directive must use different ports

2) For hostname-based virtual hosts, the server_name directive points to different hostnames

3) For IP-based virtual hosts: listen IP:PORT;


2. Syntax: listen address[:port] [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

listen unix:path [default_server] [ssl] [http2 | spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

Default: listen *:80 | *:8000;

Context: server

Sets the address and port for IP, or the path for a UNIX-domain socket on which the server will accept requests. Both address and port, or only address or only port can be specified. An address may also be a hostname.

UNIX-domain sockets (0.8.21) are specified with the “unix:” prefix:

listen unix:/var/run/nginx.sock;


listen address[:port] [default_server] [ssl] [http2 | spdy] [backlog=number] [rcvbuf=size] (receive buffer size) [sndbuf=size] (send buffer size)

listen port [default_server] [ssl] [http2 | spdy]   (the given port on all available addresses)

listen unix:path  [default_server] [ssl] [http2 | spdy]

UNIX socket mechanism: when the client and the server are on the same machine, the client's data is not wrapped in an application-layer header, then a transport (port) header, then an IP header and sent to the server. Instead a region of memory is used directly: the client writes its data into memory and the server reads it from there; for the response, the server writes into memory and the client reads it directly. This saves resources.

default_server: sets the default host

ssl: restricts the service to SSL connections only

backlog: length of the backlog queue

rcvbuf: receive buffer size

sndbuf: send buffer size

3. Syntax: server_name name ...; specifies the hostname of the current server

Default: server_name "";

Context: server

Specifies the hostname of the current server; followed by one hostname, or several separated by whitespace;

Supports * to match any characters of any length

Supports regular expression patterns starting with ~

Matching strategy:

1. Exact match first: www.magedu.com

2. Leading * wildcard match: *.magedu.com

3. Trailing * wildcard match: www.magedu.*

4. Regular expression match: ~^.*\.magedu\.com$
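As an added example (not code from the page or from nginx), the Python model below applies the four-step server_name selection order just listed to a Host header. The server blocks and their names are constructed for the example; it also implements nginx's documented rule that among several matching wildcard names the longest one wins, which goes a little beyond the page's summary.

```python
import re

# Constructed server blocks in configuration order; each entry is one block's
# server_name list. The magedu.com names come from the page, the rest are assumptions.
SERVERS = [
    ["www.magedu.com"],                         # 0: exact name
    ["*.magedu.com"],                           # 1: leading-wildcard name
    ["www.magedu.*"],                           # 2: trailing-wildcard name
    [r"~^.*\.magedu\.com$"],                    # 3: regular expression, as on the page
    [r"~^app\d+\.magedu\.net$"],                # 4: another regular expression (assumed)
    ["mail.magedu.com", "*.mail.magedu.com"],   # 5: exact name plus a longer wildcard
]

def wildcard_match(name, host):
    """nginx wildcard rules: '*.' only at the start, '.*' only at the end,
    and the '*' must stand for at least one character."""
    if name.startswith("*."):
        suffix = name[1:]                       # ".magedu.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    if name.endswith(".*"):
        prefix = name[:-1]                      # "www.magedu."
        return host.startswith(prefix) and len(host) > len(prefix)
    return False

def select_server(servers, host):
    """Return the index of the block nginx would pick for this Host header, or None
    when nothing matches (nginx then falls back to the default_server)."""
    host = host.lower().rstrip(".")
    literal = [(i, n.lower()) for i, names in enumerate(servers)
               for n in names if not n.startswith("~")]
    # 1. exact name
    for i, n in literal:
        if n == host:
            return i
    # 2. longest leading-wildcard name, then 3. longest trailing-wildcard name
    for is_kind in (lambda n: n.startswith("*."), lambda n: n.endswith(".*")):
        candidates = [(len(n), i) for i, n in literal if is_kind(n) and wildcard_match(n, host)]
        if candidates:
            return max(candidates)[1]
    # 4. first regular expression, in configuration order, that matches
    for i, names in enumerate(servers):
        for n in names:
            if n.startswith("~") and re.search(n[1:], host):
                return i
    return None
```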

4. Syntax: tcp_nodelay on | off;

Default: tcp_nodelay on;

Context: http, server, location

Enables or disables the use of the TCP_NODELAY option. The option is enabled only when a connection is transitioned into the keep-alive state.

Whether to enable the TCP_NODELAY option for connections in keepalive mode

delay: several small chunks of data are merged into one larger chunk before being sent

Enabling it improves the real-time delivery of data but wastes bandwidth; disabling it saves bandwidth but hurts real-time delivery.

5、 Syntax: tcp_nopush on | off;

Default: tcp_nopush off;

Context: http, server, location

Enables or disables the use of the TCP_NOPUSH socket option on FreeBSD or the TCP_CORK socket option on Linux. The options are enabled only when sendfile is used. Enabling the option allows


sending the response header and the beginning of a file in one packet, on Linux and FreeBSD 4.*;

sending a file in full packets.

6. Syntax: sendfile on | off;

Default: sendfile off;

Context: http, server, location, if in location

Enables or disables the use of sendfile().

Builds the response directly in the kernel to answer the user's request. Off by default.

Path-related settings

7. root: Sets the root directory for requests. Sets the mapping of web resource paths; it specifies the directory that holds the documents corresponding to the requested URL

Syntax: root path;

Default: root html;

Context: http, server, location, if in location

Example:

location /i/ {
    root /data/w3;
}

8. location: matches the defined locations against the URI the user requested; when a match is found, the request is handled by the configuration inside that location block. It carries an implicit "if".

Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }

location @name { ... }

Default: —

Context: server, location

Example:

server {
    ...
    location / {
        ...
    }
    location /uri/ {
        ....
    }
}

=: exact URI match

~: regular expression match, case-sensitive

~*: regular expression match, case-insensitive

^~: prefix match on the left part of the URI, case-insensitive

Matching priority: exact match =, then ^~, then ~ or ~*, and finally a plain prefix URI with none of the above modifiers

9. alias: defines a path alias, another mechanism for document mapping. Only used in the location context

Syntax: alias path;

Default: —

Context: location

location /images/ {
    root /data/imgs/;
}

location /images/ {
    alias /data/imgs/;
}

Note:

root directive: the given path corresponds to the / on the left side of /url/ in the location;

/images/test.jpg --> /data/imgs/images/test.jpg

alias directive: the given path corresponds to the / on the right side of /url/ in the location;

/images/test.jpg --> /data/imgs/test.jpg
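The location priority and the root-versus-alias mapping above, worked through in Python as an added example (not code from the page or from nginx). The /images/ and /download entries reproduce the page's configuration; the /static/, /healthz and video-regex entries are assumptions. Beyond the page's summary it also applies nginx's documented rule that the longest matching prefix is kept and that ^~ only cuts off the regex search when it is that longest prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Location:
    """One location block; modifier is '=', '^~', '~', '~*' or '' (plain prefix).
    Exactly one of root/alias is set, as in the page's /images/ examples."""
    modifier: str
    uri: str
    root: Optional[str] = None
    alias: Optional[str] = None

def select_location(locations: List[Location], request_uri: str) -> Optional[Location]:
    """Priority: '=' first; then the longest prefix, which wins outright if it is '^~';
    otherwise the regexes in configuration order; finally the longest plain prefix."""
    longest = None
    for loc in locations:
        if loc.modifier == "=" and request_uri == loc.uri:
            return loc
        if loc.modifier in ("", "^~") and request_uri.startswith(loc.uri):
            if longest is None or len(loc.uri) > len(longest.uri):
                longest = loc
    if longest is not None and longest.modifier == "^~":
        return longest
    for loc in locations:
        if loc.modifier == "~" and re.search(loc.uri, request_uri):
            return loc
        if loc.modifier == "~*" and re.search(loc.uri, request_uri, re.IGNORECASE):
            return loc
    return longest

def map_to_path(loc: Location, request_uri: str) -> str:
    """root: the whole URI is appended under the directory (left-hand '/' of the
    location). alias: the matched prefix is replaced by the directory (right-hand '/')."""
    if loc.alias is not None:
        return loc.alias.rstrip("/") + "/" + request_uri[len(loc.uri):]
    return loc.root.rstrip("/") + request_uri

def resolve(locations: List[Location], request_uri: str) -> Optional[str]:
    loc = select_location(locations, request_uri)
    return None if loc is None else map_to_path(loc, request_uri)

# Constructed configuration: the page's /download root and /images/ root-vs-alias
# cases; /pics/, /static/, /healthz and the video regex are assumptions.
LOCATIONS = [
    Location("", "/", root="/web/host1"),
    Location("", "/images/", alias="/data/imgs/"),
    Location("", "/pics/", root="/data/imgs/"),
    Location("^~", "/static/", root="/data/static"),
    Location("~*", r"\.(mp4|webm)$", root="/data/media"),
    Location("=", "/healthz", root="/web/health"),
]
```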

10. index: sets the default home page

Syntax: index file ...;

Default: index index.html;

Context: http, server, location

Used in http, it applies to all servers; in server, only to the current server; in location, only to the current location

11. error_page: custom error pages; redirects to an error page based on the HTTP status code of the response for the requested resource

Syntax: error_page code ... [=[response]] uri;

Default: —

Context: http, server, location, if in location

Redirects to an error page according to the HTTP status code;

error_page  404  /404.html;

error_page  404  =200  /404.html;   (respond with the specified status code instead)

12. try_files

Syntax: try_files file ... uri;

try_files file ... =code;

Default: —

Context: server, location

Client request related settings

13. keepalive_timeout: sets the timeout for keepalive connections; 0 disables persistent connections; default 75s;

Syntax: keepalive_timeout timeout [header_timeout];

Default: keepalive_timeout 75s;

Context: http, server, location

14. keepalive_requests: the maximum number of resources that may be requested over one keepalive connection; default 100

Syntax: keepalive_requests number;

Default: keepalive_requests 100;

Context: http, server, location

This directive appeared in version 0.8.0.

15. keepalive_disable: specifies which browsers are not allowed to use keepalive

Syntax: keepalive_disable none | browser ...;

Default: keepalive_disable msie6;

Context: http, server, location

16. send_timeout: timeout for sending the response to the client (the interval between two successive write operations); default 60s

Syntax: send_timeout time;

Default: send_timeout 60s;

Context: http, server, location

17. client_body_buffer_size

Buffer size for receiving the body of a client request; default 16k; when the body exceeds it, it is temporarily stored on disk

Syntax: client_body_buffer_size size;

Default: client_body_buffer_size 8k|16k;

Context: http, server, location

18. client_body_temp_path: sets the temporary storage path for client request bodies, and the structure and number of its subdirectory levels

Syntax: client_body_temp_path path [level1 [level2 [level3]]];

Default: client_body_temp_path client_body_temp;

Context: http, server, location


Defines a directory for storing temporary files holding client request bodies. Up to three-level subdirectory hierarchy can be used under the specified directory. For example, in the following configuration


client_body_temp_path /spool/nginx/client_temp 1 2;

a path to a temporary file might look like this:


/spool/nginx/client_temp/7/45/00000123457

19. limit_rate: limits the number of bytes per second that may be transferred to a client; default 0 means no limit

Syntax: limit_rate rate;

Default: limit_rate 0;

Context: http, server, location, if in location

Example:

Add the following to the server section of the configuration file:

        location /download {
            limit_rate 20480;
            root /web/host1;
        }

Create a test file:

[root@promote nginx]# dd if=/dev/zero of=/web/host1/download/test.img bs=1M count=50

记录了50+0 的读入

记录了50+0 的写出

52428800字节(52 MB)已复制,0.454343 秒,115 MB/秒

Create the test directory:

[root@promote nginx]# tree /web

/web

├── host1

│   ├── 404.html

│   ├── download

│   │   ├── download.html

│   │   └── test.img

Download the test file from another host to test the limit:

[root@localhost nginx]# wget www.lxk.com/download/test.img

--2017-09-24 08:01:56--  http://www.lxk.com/download/test.img

Resolving www.lxk.com (www.lxk.com)... 192.168.2.234

Connecting to www.lxk.com (www.lxk.com)|192.168.2.234|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 52428800 (50M) [application/octet-stream]

Saving to: ‘test.img.5’


 0% [                                             ] 122,880     20.1KB/s  eta 42m 23s


Settings that restrict client requests


20. limit_except: restricts which clients may use request methods other than the ones specified

Syntax: limit_except method ... { ... }

Default: —

Context: location

Example:

limit_except GET {
    allow 192.168.1.0/32;
    deny  all;
}

Instance: methods other than GET and POST may only be used from 192.168.2.154

        location /download {
            limit_except GET {
                allow 192.168.2.154;
                deny all;
            }
            root /web/host1;
        }


File operation tuning settings

21. aio: asynchronous I/O

Syntax: aio on | off | threads[=pool];

Default: aio off;

Context: http, server, location

This directive appeared in version 0.8.11.

Example:

Enables or disables the use of asynchronous file I/O (AIO) on FreeBSD and Linux:

location /video/ {
    aio            on;
    output_buffers 1 64k;   # buffer pool size
}

22. directio: sets the size for direct I/O, or disables direct I/O.

On I/O write requests the data is not cached in memory but flushed straight to disk.

Data reliability is higher, at some cost in performance.

Syntax: directio size | off;

Default: directio off;

Context: http, server, location

This directive appeared in version 0.7.7.

23. open_file_cache

Syntax: open_file_cache off;

open_file_cache max=N [inactive=time];

Default: open_file_cache off;

Context: http, server, location

max=N: upper limit on the number of cache entries; once reached, entries are removed according to the LRU (least recently used) algorithm.

inactive=time: timeout of cache entries. An entry that has not been accessed within this period is considered inactive and is removed directly

nginx can cache the following three kinds of information to improve performance:

1) file descriptors, file sizes and last modification times

2) the structure of opened directories

3) information about files that were not found or could not be accessed due to permissions

24. open_file_cache_errors: Enables or disables caching of file lookup errors by open_file_cache.

Whether to cache information about files for which the lookup produced an error

Syntax: open_file_cache_errors on | off;

Default: open_file_cache_errors off;

Context: http, server, location

25. open_file_cache_min_uses: within the period given by the inactive parameter of open_file_cache, an entry must be accessed at least this many times, otherwise it is classified as inactive.

Sets the minimum number of file accesses during the period configured by the inactive parameter of the open_file_cache directive, required for a file descriptor to remain open in the cache.

Syntax: open_file_cache_min_uses number;

Default: open_file_cache_min_uses 1;

Context: http, server, location

26. open_file_cache_valid: Sets a time after which open_file_cache elements should be validated.

How often to check whether the entries in open_file_cache are still valid

Syntax: open_file_cache_valid time;

Default: open_file_cache_valid 60s;

Context: http, server, location


ngx_http_access_module: implements IP-based access control

27. Syntax: allow address | CIDR | unix: | all;

Default: —

Context: http, server, location, limit_except

Allows access for the specified network or address. If the special value unix: is specified (1.5.1), allows access for all UNIX-domain sockets.


28. Syntax: deny address | CIDR | unix: | all;

Default: —

Context: http, server, location, limit_except

Denies access for the specified network or address. If the special value unix: is specified (1.5.1), denies access for all UNIX-domain sockets.
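The allow/deny evaluation described here and the limit_except example earlier on this page use the same first-match rule. The Python model below is an added example (not nginx code) showing how the two combine, using the page's /download block and constructed rule lists; the unix: form is not modelled, and the rule that allowing GET also allows HEAD is nginx's documented behaviour.

```python
import ipaddress

def parse_rule(line):
    """Parse one 'allow ...;' or 'deny ...;' directive into (action, network);
    'all' becomes the network None, meaning every address."""
    action, target = line.strip().rstrip(";").split()
    if action not in ("allow", "deny"):
        raise ValueError("not an access rule: " + line)
    return action, None if target == "all" else ipaddress.ip_network(target, strict=False)

def access_decision(rules, client_ip):
    """ngx_http_access_module semantics: rules are checked in order and the first
    one whose network contains the client decides. With no matching rule the
    client is allowed, which is why the page's examples finish with 'deny all;'."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True

def is_method_allowed(limit_except_methods, rules, method, client_ip):
    """limit_except: the listed methods are never restricted; every other method
    goes through the allow/deny list. Allowing GET also allows HEAD (nginx rule)."""
    methods = {m.upper() for m in limit_except_methods}
    if "GET" in methods:
        methods.add("HEAD")
    if method.upper() in methods:
        return True
    return access_decision(rules, client_ip)

# The page's /download block: only 192.168.2.154 may use anything other than GET.
DOWNLOAD_METHODS = ["GET"]
DOWNLOAD_RULES = [parse_rule("allow 192.168.2.154;"), parse_rule("deny all;")]
```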

ngx_http_auth_basic_module

29. auth_basic: user authentication using the basic mechanism

Syntax: auth_basic string | off;

Default: auth_basic off;

Context: http, server, location, limit_except

30. auth_basic_user_file: location of the credentials file used for basic authentication

Syntax: auth_basic_user_file file;

Default: —

Context: http, server, location, limit_except

File format:

name1:password1

name2:password2:comment

Password format:

generated with the htpasswd command

Example:

[root@promote nginx]# htpasswd -c -m /etc/nginx/.nginxpasswd tom

New password:

Re-type new password:

Adding password for user tom

[root@promote nginx]# htpasswd -m /etc/nginx/.nginxpasswd lxk

New password:

Re-type new password:

Adding password for user lxk

[root@promote nginx]# vim /web/host1/admin/index.html

Add the following to the main configuration file:

location /admin/ {

    auth_basic "Admin Area";

    auth_basic_user_file /etc/nginx/.nginxpasswd;

    root  /web/host1;

}

ngx_http_stub_status_module: outputs basic nginx status information (important)

The ngx_http_stub_status_module module provides access to basic status information.

31. Syntax: stub_status;

Default: —

Context: server, location

Example:

location /basic_status {

    stub_status;

}

The status page shows the following:

Active connections: 2

server accepts handled requests

 81 81 102 

Reading: 0 Writing: 1 Waiting: 1

Active connections: number of client connections currently active

accepts: total number of accepted client connections

handled: total number of handled client connections

requests: total number of client requests

Reading: number of connections on which nginx is reading the request header

Writing: number of connections on which nginx is writing the response header back to the client

Waiting: number of idle connections waiting for a request from the client
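As an added example (not from the page), the Python snippet below parses the stub_status output shown above and derives the figures an operator actually watches from it; the sample text is constructed to match the page's output.

```python
import re

# Constructed sample with the same layout as the stub_status output on the page.
SAMPLE = """Active connections: 2
server accepts handled requests
 81 81 102
Reading: 0 Writing: 1 Waiting: 1
"""

def parse_stub_status(text):
    """Parse a stub_status page into a dict of integer counters."""
    m_active = re.search(r"Active connections:\s*(\d+)", text)
    m_counts = re.search(r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)", text)
    m_rww = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if not (m_active and m_counts and m_rww):
        raise ValueError("unrecognised stub_status output")
    status = {"active": int(m_active.group(1))}
    status["accepts"], status["handled"], status["requests"] = map(int, m_counts.groups())
    status["reading"], status["writing"], status["waiting"] = map(int, m_rww.groups())
    return status

def health_checks(status):
    """Derived figures an operator watches:
    dropped: accepts minus handled; anything above zero means a worker could not take
        a connection, typically because worker_connections or worker_rlimit_nofile
        (both described on this page) were reached;
    requests_per_conn: how much keepalive reuse is happening (capped by keepalive_requests);
    consistent: active must equal reading + writing + waiting, otherwise the sample is bad."""
    dropped = status["accepts"] - status["handled"]
    per_conn = status["requests"] / status["handled"] if status["handled"] else 0.0
    consistent = status["active"] == status["reading"] + status["writing"] + status["waiting"]
    return {"dropped": dropped, "requests_per_conn": round(per_conn, 2), "consistent": consistent}
```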

ngx_http_referer_module

32. valid_referers

The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the “Referer” header field.

Syntax: valid_referers none | blocked | server_names | string ...;

Default: —

Context: server, location

none: the request has no Referer header

the “Referer” field is missing in the request header;

blocked: the request's Referer header has no value

the “Referer” field is present in the request header, but its value has been deleted by a firewall or proxy server; such values are strings that do not start with “http://” or “https://”;

server_names: the value is one of the server's hostnames

the “Referer” request header field contains one of the server names;

arbitrary string: a literal string; * can be used as a wildcard

defines a server name and an optional URI prefix. A server name can have an “*” at the beginning or end. During the checking, the server’s port in the “Referer” field is ignored;

regular expression: strings matched by the given regular expression pattern; it must start with ~

the first symbol should be a “~”. It should be noted that an expression will be matched against the text starting after the “http://” or “https://”.

Example:


valid_referers none blocked server_names

               *.example.com example.* www.example.org/galleries/

               ~\.google\.;


if ($invalid_referer) {
    return 403;
}
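Added example (not from the page or from nginx): a Python model of the valid_referers checks listed above, run against the page's example directive. The server_names list reuses the page's www.lxk.com host as an assumption, and the Referer values in the checks are constructed.

```python
import re

# The page's example directive as a list, plus a constructed server_names value.
VALID_REFERERS = ["none", "blocked", "server_names", "*.example.com", "example.*",
                  "www.example.org/galleries/", r"~\.google\."]
SERVER_NAMES = ["www.lxk.com"]

def invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """Return True when nginx would set $invalid_referer (and the page's
    'if ($invalid_referer) { return 403; }' would fire). referer=None means the
    request carried no Referer header at all."""
    if referer is None:
        return "none" not in valid
    if not (referer.startswith("http://") or referer.startswith("https://")):
        return "blocked" not in valid          # present but mangled by a proxy or firewall
    rest = referer.split("://", 1)[1]          # regexes are matched against this text
    netloc, _, path = rest.partition("/")
    host = netloc.split(":", 1)[0].lower()     # the port in the Referer is ignored
    path = "/" + path
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if host in [n.lower() for n in server_names]:
                return False
        elif entry.startswith("~"):
            if re.search(entry[1:], rest):
                return False
        else:
            pat_host, _, pat_path = entry.partition("/")
            if pat_path and not path.startswith("/" + pat_path):
                continue                       # optional URI prefix did not match
            if pat_host == host:
                return False
            if pat_host.startswith("*.") and host.endswith(pat_host[1:]) and len(host) > len(pat_host) - 1:
                return False
            if pat_host.endswith(".*") and host.startswith(pat_host[:-1]) and len(host) > len(pat_host) - 1:
                return False
    return True
```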