nginx [engine x]是Igor Sysoev编写的一个HTTP和反向代理服务器,另外它也可以作为邮件代理服务器。 它从2004开始已经在众多流量很大的俄罗斯网站上使用,之前apache的时候已经看过他的市场占有率正在逐步的向上提升。
基本的HTTP服务器特性
处理静态文件,索引文件以及自动索引;打开文件描述符缓存;
使用缓存加速反向代理;简单负载均衡以及容错;
远程FastCGI服务的缓存加速支持;简单的负载均衡以及容错;
模块化的架构。过滤器包括gzip压缩、ranges支持、chunked响应、XSLT,SSI以及图像缩放。在SSI 过滤器中,一个包含多个SSI的页面,如果经由FastCGI或反向代理处理,可被并行处理;
支持SSL,TLS SNI。
其他的HTTP服务器特性
基于名字和IP的虚拟主机;
Keep-alive和pipelined连接支持;
灵活的配置;
重新加载配置以及在线升级时,不需要中断正在处理的请求;
自定义访问日志格式,带缓存的日志写操作以及快速日志轮转;
3xx-5xx错误代码重定向;
重写(rewrite)模块;
基于客户端IP地址和HTTP基本认证机制的访问控制;
支持PUT、DELETE、MKCOL、COPY以及MOVE方法;
支持FLV流和MP4流;
速度限制;
来自同一地址的同时连接数或请求数限制;
嵌入Perl语言。
nginx的安装:
www.nginx.org下载软件包:
- # yum -y install pcre-devel
- # groupadd -r nginx
- # useradd -r -g nginx -s /sbin/nologin -M nginx
- # tar xf nginx-1.2.2.tar.gz
# cd nginx-1.2.2 - # ./configure \
- --prefix=/usr \
- --sbin-path=/usr/sbin/nginx \
- --conf-path=/etc/nginx/nginx.conf \
- --error-log-path=/var/log/nginx/error.log \
- --http-log-path=/var/log/nginx/access.log \
- --pid-path=/var/run/nginx/nginx.pid \
- --lock-path=/var/lock/nginx.lock \
- --user=nginx \
- --group=nginx \
- --with-http_ssl_module \
- --with-http_flv_module \
- --with-http_stub_status_module \
- --with-http_gzip_static_module \
- --http-client-body-temp-path=/var/tmp/nginx/client/ \
- --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
- --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
- --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
- --http-scgi-temp-path=/var/tmp/nginx/scgi \
- --with-pcre
- # make && make install
为nginx提供启动脚本:
/etc/rc.d/init.d/nginx,内容如下:
- #!/bin/sh
- #
- # nginx - this script starts and stops the nginx daemon
- #
- # chkconfig: - 85 15
- # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
- # proxy and IMAP/POP3 proxy server
- # processname: nginx
- # config: /etc/nginx/nginx.conf
- # config: /etc/sysconfig/nginx
- # pidfile: /var/run/nginx.pid
- # Source function library.
- . /etc/rc.d/init.d/functions
- # Source networking configuration.
- . /etc/sysconfig/network
- # Check that networking is up.
- [ "$NETWORKING" = "no" ] && exit 0
- nginx="/usr/sbin/nginx"
- prog=$(basename $nginx)
- NGINX_CONF_FILE="/etc/nginx/nginx.conf"
- [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
- lockfile=/var/lock/subsys/nginx
- make_dirs() {
- # make required directories
- user=`nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
- options=`$nginx -V 2>&1 | grep 'configure arguments:'`
- for opt in $options; do
- if [ `echo $opt | grep '.*-temp-path'` ]; then
- value=`echo $opt | cut -d "=" -f 2`
- if [ ! -d "$value" ]; then
- # echo "creating" $value
- mkdir -p $value && chown -R $user $value
- fi
- fi
- done
- }
- start() {
- [ -x $nginx ] || exit 5
- [ -f $NGINX_CONF_FILE ] || exit 6
- make_dirs
- echo -n $"Starting $prog: "
- daemon $nginx -c $NGINX_CONF_FILE
- retval=$?
- echo
- [ $retval -eq 0 ] && touch $lockfile
- return $retval
- }
- stop() {
- echo -n $"Stopping $prog: "
- killproc $prog -QUIT
- retval=$?
- echo
- [ $retval -eq 0 ] && rm -f $lockfile
- return $retval
- }
- restart() {
- configtest || return $?
- stop
- sleep 1
- start
- }
- reload() {
- configtest || return $?
- echo -n $"Reloading $prog: "
- killproc $nginx -HUP
- RETVAL=$?
- echo
- }
- force_reload() {
- restart
- }
- configtest() {
- $nginx -t -c $NGINX_CONF_FILE
- }
- rh_status() {
- status $prog
- }
- rh_status_q() {
- rh_status >/dev/null 2>&1
- }
- case "$1" in
- start)
- rh_status_q && exit 0
- $1
- ;;
- stop)
- rh_status_q || exit 0
- $1
- ;;
- restart|configtest)
- $1
- ;;
- reload)
- rh_status_q || exit 7
- $1
- ;;
- force-reload)
- force_reload
- ;;
- status)
- rh_status
- ;;
- condrestart|try-restart)
- rh_status_q || exit 0
- ;;
- *)
- echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
- exit 2
- esac
# chmod +x /etc/rc.d/init.d/nginx
# service nginx start
配置文件,注意Nginx的配置文件都是以;结尾的:
- # egrep -v "^[[:space:]]*#|^$" /etc/nginx/nginx.conf
- worker_processes 1;
- events {
- worker_connections 1024;
- }
- http {
- include mime.types;
- default_type application/octet-stream;
- sendfile on;
- keepalive_timeout 65;
- server {
- listen 80;
- server_name localhost;
- location / {
- root html;
- index index.html index.htm;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root html;
- }
- }
- }
其中worker_processes和events是全局配置:
worker_processes 是指Nginx开启的进程数,建议进程数和CPU的个数一样即可
http中是对服务器的配置
server类似apache的虚拟主机,可以指定多可,这里是默认主机
location / 这里是没加=号,代表匹配这个/目录下的所有文件,这里的/是相对编译安装指定--prefix=/usr的路径的
location = /50x.html 仅匹配当个文件,明确指匹配文件本身,或目录本身。
这里还有“~”和“~*”:“~”代表匹配时区别大小写,而“~*”代表不区别大小写
“^~” 表示不作正则表达式匹配
当然配置文件中还有一些注释的也需要了解下
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
这里是整合PHP时候需要了解的。其中:
proxy_pass http://127.0.0.1; 表示反向代理的。
以下表示使用fastcgi模式的
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
基于ip的虚拟主机:
修改/etc/nginx/nginx.conf的如下内容
- ……
- server {
- listen 192.168.80.140:80;
- server_name localhost;
- location / {
- root html;
- index index.html index.htm;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root html;
- }
- }
- server {
- listen 192.168.80.141:80;
- server_name www.peace.com;
- location / {
- root html/peace.com;
- index index.html;
- }
- }
- }
# mkdir /usr/html/peace.com
# echo "peace.com" > /usr/html/peace.com/index.html
# echo "hello" > /usr/html/index.html
# service nginx restart
基于域名的虚拟主机只需将 server_name 改成不同即可
基于端口的话就将更改listen 后面的监听端口即可
这里的root定义路径的,也可以写成alias 定义别名
也可以指定访问控制,可以控制网段,ip 如下:
location / {
deny 192.168.0.1/24
deny 192.168.0.100
allow all
}
启动StubStatus 模块配置,这个模块式做工作状态统计功能的,如下我在配置文件中开启,一个server中可以有多个location,这里的access_log 也可以指定路径的:
- ……
- server {
- listen 192.168.80.141:80;
- server_name www.peace.com;
- location / {
- alias /web/www/;
- index index.html;
- }
- location /stubstatus {
- stub_status on;
- access_log off;
- }
- }
- ……
访问http://www.peace.com/stubstatus即可:
Active connections: 2 表示当前活跃的连接数
第三行的数字分别表示位:总共处理连接数,成功握手数,总共处理请求数
Reading: 表示Nginx读取客户端Header信息数,
Writing: 表示Nginx返回给客户端的Header信息数
Waiting: 表示Nginx已经处理完,正等下次请求是的驻留连接数,
基于用户认证:
- server {
- listen 192.168.80.141:80;
- server_name www.peace.com;
- location / {
- alias /web/www/;
- index index.html;
- auth_basic "Restricted";
- auth_basic_user_file /etc/nginx/.htpasswd;
- }
- location /stubstatus {
- stub_status on;
- access_log off;
- }
- }
这里值得注意的是nginx没有htpasswd命令来生成文件,所以得用apache的命令,yum安装httpd使用命令即可
# htpasswd -cm /etc/nginx/.htpasswd redhat //第一次加-c创建,之后就不再需要了
我们访问www.peace.com是已经要求要密码了,输入即可访问了:
这里是基于明文的,下面设置https的访问
首先先建立CA:
- # vim /etc/pki/tls/openssl.cnf
- # cd /etc/pki/CA/
- # (umask 077; openssl genrsa 1024 > private/cakey.pem)
- # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
- Country Name (2 letter code) [GB]:CN
- State or Province Name (full name) [Berkshire]:BJ
- Locality Name (eg, city) [Newbury]:beijing
- Organization Name (eg, company) [My Company Ltd]:peace
- Organizational Unit Name (eg, section) []:Tech
- Common Name (eg, your name or your server's hostname) []:ca.peace.com
- Email Address []:admin@peace.com
- # mkdir certs newcerts crl
- # touch index.txt
- # echo 01 > serial
- # mkdir -p /etc/nginx/ssl
- # cd /etc/nginx/ssl
- # (umask 077 ; openssl genrsa 1024 > nginx.key)
- # openssl req -new -key nginx.key -out nginx.csr
- Country Name (2 letter code) [GB]:CN
- State or Province Name (full name) [Berkshire]:BJ
- Locality Name (eg, city) [Newbury]:beijing
- Organization Name (eg, company) [My Company Ltd]:peace
- Organizational Unit Name (eg, section) []:Tech
- Common Name (eg, your name or your server's hostname) []:www.peace.com
- Email Address []:admin@peace.com
- # openssl ca -in nginx.csr -out nginx.crt
- Certificate is to be certified until Jul 13 08:22:55 2013 GMT (365 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
编辑nginx配置文件修改如下信息
- server {
- listen 192.168.80.141:443;
- server_name www.peace.com;
- ssl on;
- ssl_certificate /etc/nginx/ssl/nginx.crt;
- ssl_certificate_key /etc/nginx/ssl/nginx.key;
- ssl_session_timeout 5m;
- ssl_protocols SSLv2 SSLv3 TLSv1;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
- location / {
- alias /web/www/;
- index index.html;
- }
- location /stubstatus {
- stub_status on;
- access_log off;
- }
- }
这时候访问https://www.peace.com/和https://www.peace.com/stubstatus都是加密的,不过证书不是信任的这里导入即可,之前有介绍这里不讲解了
转载于:https://blog.51cto.com/peaceweb/930267
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
