Tengine

官网地址:http://tengine.taobao.org/

版本记录:http://tengine.taobao.org/changelog_cn.html

下载链接:http://tengine.taobao.org/download_cn.html

一、基本环境说明

硬件配置

4核8G

系统版本

Centos6.8

Tengine版本

2.2.2

Keepalived版本

1.4.5

二、Tengine目录结构

根目录

二级目录

二级目录说明

三级目录

三级目录说明

/usr/local/nginx/

certs

存放证书文件

 

 

 

conf

存放主配置文件

 

 

 

conf.d

虚拟主机配置

demo

示例配置文件

 

 

 

backconfig

配置文件备份

 

logs

存放日志文件

bak

日志文件备份

三、安装部署

安装依赖包:yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc gcc-c++ autoconf automake jemalloc jemalloc-devel

配置:./configure --prefix=/usr/local/nginx --with-http_stub_status_module \
--with-http_ssl_module --with-http_gzip_static_module \
--with-http_concat_module --with-jemalloc \
--with-http_v2_module --with-http_secure_link_module \
--add-module=nginx_tcp_proxy_module-master

编译:make 
安装:make install

编译参数说明:
--prefix=/usr/local/nginx                   #指定安装路径
--with-http_stub_status_module      #获取nginx自上次启动以来的工作状态
--with-http_ssl_module                    #支持https请求,需已安装openssl
--with-http_gzip_static_module        #静态预压缩文件
--with-http_concat_module              #用于合并多个文件在一个响应报文中
--with-jemalloc                                 #Tengine链接jemalloc库,使用jemalloc来分配和释放内存
--with-http_v2_module                    #提供对HTTP/2的支持
--with-http_secure_link_module      #保护服务器文件不被任意下载盗用

--add-module=nginx_tcp_proxy_module-master #(待确认是否需要默认编译)

四、配置文件

1.主配置文件nginx.conf

nginx.conf

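# Main Tengine configuration (/usr/local/nginx/conf/nginx.conf).
# Virtual hosts live in conf.d/*.conf, included at the end of the http block,
# so every directive here is the default for all of them.
user nginx nginx;

worker_processes  auto;
worker_cpu_affinity auto;
# Per-worker open-file limit; keep it above events.worker_connections.
worker_rlimit_nofile 102400;

pid        logs/nginx.pid;

events {
    use epoll;
    worker_connections  65535;
}

http {
    # Tengine request-status zone keyed by listening address:port;
    # displayed through req_status_show (see admin.conf).
    req_status_zone server "$server_addr:$server_port" 10M;

    include           mime.types;
    default_type      application/octet-stream;

    # Fixed: sendfile and tcp_nopush lacked their terminating ';', which
    # makes the whole configuration fail to parse (nginx -t).
    sendfile          on;
    tcp_nopush        on;
    tcp_nodelay       on;

    # Do not advertise the server version in headers; server_info is the
    # Tengine directive that hides server details on error pages.
    server_tokens     off;
    server_info       off;

    keepalive_timeout 20s;
    keepalive_requests 1000;

    # Shared memory for Tengine's upstream health-check module.
    check_shm_size 40M;

    gzip              on;
    gzip_min_length   1024;
    gzip_buffers      16 8k;
    gzip_comp_level   6;
    gzip_proxied      any;
    gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_vary  on;

    # The following settings are for the PHP (FastCGI) environment.
    fastcgi_intercept_errors    on;
    fastcgi_connect_timeout     75s;
    fastcgi_send_timeout        300s;
    fastcgi_read_timeout        300s;
    fastcgi_buffer_size         16k;
    fastcgi_buffers             4 16k;
    fastcgi_busy_buffers_size   32k;

    client_body_timeout         90s;
    client_max_body_size        20m;
    client_body_buffer_size     1m;
    client_header_buffer_size   128k;
    # NOTE(review): up to 256 x 16k of header buffers may be held for a
    # single connection; that is generous for slow or abusive clients -
    # confirm the workload really needs it.
    large_client_header_buffers 256 16k;

    proxy_buffer_size 16k;
    proxy_buffers 8 32k;
    proxy_busy_buffers_size 64k;
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # $short_address is always '' when the regex matches; evaluating it
    # appears to leave $1 holding everything after the first two octets of
    # $upstream_addr (the tail of the address plus the port), which X-from
    # then sends to the client. Confirm that exposing this part of the
    # backend topology to clients is intended.
    map $upstream_addr $short_address {
        ~^\d+\.\d+\.(.*) '';
    }
    add_header X-from $short_address$1;

    proxy_set_header Host $host;
    # X-User-IP carries $clientRealIp (map below); backends read the
    # client address from this header.
    proxy_set_header X-User-IP  $clientRealIp;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_pass_header controls response headers returned to the client;
    # request headers such as User-Agent are forwarded by default, so this
    # line has no effect. Kept so the block matches the documented config.
    proxy_pass_header User-Agent;
    proxy_set_header  X-Forwarded-Proto $scheme;

    # Client IP resolution: first X-Forwarded-For entry when the header is
    # present, otherwise the TCP peer. X-Forwarded-For is written by
    # whoever connects to us, so the value is only trustworthy when every
    # hop in front of Tengine (CDN, load balancer) overwrites the header;
    # a direct client can place any address in it. Where that is not
    # guaranteed, prefer ngx_http_realip_module (set_real_ip_from with the
    # trusted proxy ranges, real_ip_header X-Forwarded-For) and use
    # $remote_addr. The same map is repeated in defend.conf.
    map $http_x_forwarded_for  $clientRealIp {
        ""      $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$  $firstAddr;
    }

    # JSON-shaped access log. Variables are interpolated unescaped, so a
    # request line or User-Agent containing a double quote yields a record
    # that is not valid JSON; downstream parsers must tolerate that.
    log_format main  '{ "@timestamp": "$time_iso8601", '
                         '"remote_addr": "$remote_addr", '
                         '"upstream_addr": "$upstream_addr", '
                         '"server_addr": "$server_addr", '
                         '"http_host": "$http_host",'
                         '"request_time": $request_time, '
                         '"request_uri": "$request_uri", '
                         '"status": "$status", '
                         '"request": "$request", '
                         '"request_method": "$request_method", '
                         '"http_referer": "$http_referer", '
                         '"body_bytes_sent": $body_bytes_sent, '
                         '"http_x_forwarded_for": "$http_x_forwarded_for", '
                         '"request_length": $request_length, '
                         '"http_user_agent": "$http_user_agent", '
                         '"scheme": "$scheme",'
                         '"uri": "$uri",'
                         '"clientRealIp": "$clientRealIp"}';

    # Virtual hosts and the defend/admin files.
    include /usr/local/nginx/conf.d/*.conf;
}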


2.监控配置文件admin.conf

admin.conf

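# Monitoring endpoints: PHP-FPM status/ping, stub_status and Tengine req_status.
server {
        listen 8000;

        # These pages expose process, connection and per-zone request state.
        # The original served them to anyone able to reach port 8000;
        # restrict them to loopback and add one `allow <monitoring-host>;`
        # line per collector ahead of `deny all`.
        allow 127.0.0.1;
        deny all;

        # PHP-FPM status and ping pages, answered by the local FastCGI backend.
        location ~ ^/(phpfpm_status|ping)$ {
                fastcgi_pass   127.0.0.1:9000;
                include fastcgi.conf;
        }

        # Basic connection counters (ngx_http_stub_status_module).
        location = /nginx_status {
                stub_status on;
                access_log off;
        }

        # Per-zone request statistics from req_status_zone in nginx.conf.
        location = /nginx_status_detail {
                req_status_show;
        }
}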


3.安全防护配置文件defend.conf

defend.conf

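# Security baseline, included into the http block by nginx.conf.

# Reject requests that reach the server by bare IP or an unknown Host
# (required): these catch-all servers answer 403, so only the named
# virtual hosts in conf.d serve content.
server {
        listen 80 default;
        server_name _;
        return 403;
}

server {
        # `ssl` added: without it this default server speaks plain HTTP on
        # 443 whenever no other vhost enables TLS on the port, and the
        # certificate below is never used. It is harmless where another
        # vhost already has `listen 443 ssl`.
        listen 443 default ssl;
        server_name _;

        # A default TLS server must complete the handshake before it can
        # answer 403; the certificate has to match the names clients use.
        ssl_certificate      /usr/local/nginx/certs/cardniu.crt;
        ssl_certificate_key  /usr/local/nginx/certs/cardniu.key;
        return 403;
}

# DDoS / CC (request-flood) mitigation - tune to the actual traffic.

# Same definition as in nginx.conf. nginx allows a map variable to be
# redefined (the later one wins), but keep the two identical, or drop one,
# so they cannot drift apart.
map $http_x_forwarded_for $clientRealIp {
        "" $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
}

# Exemption list: 1 = rate limited, 0 = exempt. The key is $clientRealIp,
# which is taken from X-Forwarded-For above. Unless every hop in front of
# this server overwrites that header, a client can set X-Forwarded-For to
# one of the exempt addresses and bypass limit_conn/limit_req entirely, or
# rotate it to obtain a fresh bucket. To close this, enable
# ngx_http_realip_module with the trusted proxy ranges (set_real_ip_from,
# real_ip_header X-Forwarded-For) and key on $remote_addr instead.
geo $clientRealIp $whiteiplist {
        default 1;
        172.22.23.241 1;
        172.22.23.251 0;
        192.168.31.236 0;
        172.22.25.0/24 0;
}

# An empty key means the request is not counted by limit_conn/limit_req.
# Map entries need a source and a value; a lone `"";` (as in the original)
# is rejected with "invalid number of the map parameters", so the exempt
# case is spelled out explicitly.
map $whiteiplist $limit {
        1 $clientRealIp;
        0 "";
}

# Concurrent connections per client key.
limit_conn_zone $limit zone=TotalConnLimitZone:20m ;
limit_conn TotalConnLimitZone 50;
limit_conn_log_level notice;

# Request rate per client key: 20 r/s sustained, bursts of 10 served at once.
limit_req_zone $limit zone=ConnLimitZone:20m rate=20r/s;
limit_req zone=ConnLimitZone burst=10 nodelay;
limit_req_log_level notice;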

 

4.其他说明

  (1)配置文件命名

         文件目录:/usr/local/nginx/conf.d/
         命名规则:<域名>.conf

  (2)upstream命名

          命名规则:二级域名+映射,二级域名+资源类型
          示例:test_order,test_product(二级域名+映射)
                     test_static(静态资源)
                     test_server(后端服务)

五、脚本

1.日志切割脚本

脚本路径:/home/ops/nginx_daily_log.sh
定时任务:59 23 * * * /bin/sh /home/ops/nginx_daily_log.sh > /dev/null 2>&1

nginx_daily_log.sh

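#!/bin/bash
# Daily Tengine log rotation: move every *.log in logs/ to logs/bak/ with a
# date suffix, ask the master process to reopen its logs (USR1) and purge
# archived logs older than 7 days. Run from cron at 23:59 (see the crontab
# line in the document).
# Fixed: the original first line was `# /bin/bash`, a comment rather than a
# shebang.

logs_path="/usr/local/nginx/logs/"
pid_path="/usr/local/nginx/logs/nginx.pid"
cut_path="/usr/local/nginx/logs/bak/"

[ -e "$cut_path" ] || mkdir -p "$cut_path"

# Abort rather than rotate in the wrong directory if logs_path is missing.
cd "$logs_path" || exit 1

# A glob replaces `ls *.log`: it copes with odd file names and, with the
# existence check, an empty directory (where the pattern stays literal).
for log_name in *.log; do
        [ -e "$log_name" ] || continue
        mv "${logs_path}${log_name}" "${cut_path}${log_name}_$(date +"%Y-%m-%d").log"
done

# USR1 makes the master reopen log files so new writes go to fresh files.
if [[ -s "$pid_path" ]]; then
        kill -USR1 "$(cat "${pid_path}")"
fi

# Remove archives older than 7 days. -delete avoids the xargs pipeline,
# which ran `rm -f` with no arguments when nothing matched.
find "${cut_path}" -type f -name "*.log" -mtime +7 -delete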

 

2.服务化脚本

脚本路径:/etc/init.d/nginx

nginx

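#!/bin/bash
#
# nginx - this script starts and stops the Tengine (nginx) daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /usr/local/nginx/logs/nginx.pid

# Source function library (provides daemon, killproc, status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
# Fixed: the original test had no '=' and therefore always failed with
# "unary operator expected" instead of honouring NETWORKING=no.
[ "$NETWORKING" = "no" ] && exit 0

TENGINE_HOME="/usr/local/nginx"
nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

# Optional overrides. Fixed: the original executed the file instead of
# sourcing it, so variables set there never reached this script.
[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

# Subsys lock recording that the service is up.
lockfile=/var/lock/subsys/nginx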

 

start() {
    # LSB exit codes: 5 = program not installed, 6 = program not configured.
    [ -x "$nginx" ] || exit 5
    [ -f "$NGINX_CONF_FILE" ] || exit 6
    echo -n $"Starting $prog: "
    daemon "$nginx" -c "$NGINX_CONF_FILE"
    retval=$?
    echo
    if [ "$retval" -eq 0 ]; then
        # The subsys lock tells the init system the service is running.
        touch "$lockfile"
    fi
    return "$retval"
}

 

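stop() {
    echo -n $"Stopping $prog: "
    # Graceful shutdown: QUIT lets workers finish in-flight requests.
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    # Removed: a `killall -9 nginx` that followed this return was
    # unreachable, and had it run it would have killed every nginx
    # process on the host, not just this instance.
    return $retval
}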

 

restart() {
    # Validate the configuration first so a broken config does not take
    # the running service down.
    configtest
    rc=$?
    [ "$rc" -eq 0 ] || return "$rc"
    stop
    # Give the old master a moment to release its sockets.
    sleep 1
    start
}

 

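reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    # HUP makes the master re-read the configuration and spawn new workers.
    killproc $nginx -HUP
    RETVAL=$?
    echo
    # Fixed: the killproc status was captured but never returned, so the
    # function always reported success (the exit status of echo).
    return $RETVAL
}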

 

force_reload() {
    # force-reload is implemented as a full restart (config test, stop, start).
    restart
}

 

configtest() {
    # Parse the configuration without starting; the exit status is nginx's own.
    "$nginx" -t -c "$NGINX_CONF_FILE"
}

 

rh_status() {
    # Report the running state through the init functions library.
    status "$prog"
}

 

rh_status_q() {
    # Silent variant of rh_status, for use in conditionals.
    rh_status 1>/dev/null 2>&1
}

 

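# Dispatch on the requested action. `$1` serves both as the case label and
# as the function to call, so action names must match the functions above.
case "$1" in
start)
    # Already running: nothing to do.
    rh_status_q && exit 0
    $1
;;
stop)
    # Not running: nothing to do.
    rh_status_q || exit 0
    $1
;;
restart|configtest)
    $1
;;
reload)
    # LSB: 7 = program is not running.
    rh_status_q || exit 7
    $1
;;
force-reload)
    force_reload
;;
status)
    rh_status
;;
condrestart|try-restart)
    # Fixed: the original checked the status and then fell through without
    # restarting, so condrestart/try-restart were silent no-ops.
    rh_status_q || exit 0
    restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
exit 2
esac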

 

六、高可用Keepalived

详见:https://blog.csdn.net/weixin_43046724/article/details/91127026

七、常用命令

1.Keepalived常用命令

service keepalived stop
service keepalived status
service keepalived start

2.Tengine常用命令

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
service nginx stop
service nginx status
service nginx start

八、版本升级

升级脚本

update_tenginx2.2.2.sh

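#!/bin/bash
# In-place upgrade of Tengine from OLD_VERSION to NEW_VERSION.
# Expects /usr/local/src/tengine_update to hold tengine-${NEW_VERSION}.tar.gz
# and the nginx_tcp_proxy_module-master directory (staged by update.sls).
# Exit status: 0 when already on NEW_VERSION or when the upgrade completed;
# non-zero on any failed step so the calling Salt cmd.run state fails too.

OLD_VERSION=2.2.0
NEW_VERSION=2.2.2
SRC_DIR=/usr/local/src/tengine_update
NGINX_BIN=/usr/local/nginx/sbin/nginx

# Idempotence: skip when the installed binary already reports NEW_VERSION.
check=$("$NGINX_BIN" -v 2>&1 | grep -F -- "${NEW_VERSION}")
if [ -n "$check" ]; then
    echo "nginx Already is ${NEW_VERSION}."
    exit 0
fi

# Fixed: yum, cd, configure and make either exited 0 on failure or were
# not checked at all, so a broken build looked like success to the caller
# and a half-built tree could be installed over the running binary.
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc gcc-c++ autoconf automake jemalloc jemalloc-devel patch || exit 1

cd "$SRC_DIR" || exit 1

# NOTE(review): the tarball is used from the staging directory as-is.
# Verify its checksum or signature against the value published for this
# release (<expected-checksum>) before extracting; nothing below can
# detect a tampered archive.
tar -zxf "tengine-${NEW_VERSION}.tar.gz" || exit 1
cp -r nginx_tcp_proxy_module-master "tengine-${NEW_VERSION}" || exit 1
cd "tengine-${NEW_VERSION}" || exit 1

/usr/bin/patch -p1 < nginx_tcp_proxy_module-master/tcp.patch || exit 1

# Same module set as the documented build; output is discarded as before,
# so on failure re-run configure by hand to see the reason.
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_concat_module --with-jemalloc --with-http_v2_module --with-http_secure_link_module --add-module=nginx_tcp_proxy_module-master &> /dev/null || exit 1

make &> /dev/null || exit 1

# Keep the previous binaries beside the new ones so the rollback below works.
cp -af "$NGINX_BIN" "${NGINX_BIN}.${OLD_VERSION}" || exit 1
cp -af /usr/local/nginx/sbin/dso_tool "/usr/local/nginx/sbin/dso_tool.${OLD_VERSION}" || exit 1

# The leading backslash skips any cp alias (e.g. cp -i) so the overwrite
# cannot turn interactive.
\cp -af objs/nginx /usr/local/nginx/sbin || exit 1
chmod 755 objs/dso_tool
\cp -af objs/dso_tool /usr/local/nginx/sbin || exit 1

# Hot binary upgrade: starts a new master on the new binary, then asks the
# old master to quit.
make upgrade || exit 1
"$NGINX_BIN" -v

#rollback nginx
#rm -f /usr/local/nginx/sbin/nginx && mv /usr/local/nginx/sbin/nginx.${OLD_VERSION} /usr/local/nginx/sbin/nginx
#/usr/local/nginx/sbin/nginx -s restart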

salt脚本

update.sls

nginx_updated:
  # Stage the upgrade bundle (tarball, tcp proxy module, update script) from
  # the salt fileserver into the minion's build directory.
  file.recurse:
    - name: /usr/local/src/tengine_update
    - source: salt://nginx/files/tengine_update
    - file_mode: 644
    - dir_mode: 755
    - user: root
    - group: root
    - mkdir: True
#    - unless: test -d /usr/local/src/tengine_update

  # Run the upgrade script, then move the build directory aside with a
  # timestamp. The `mv` only runs when the script exits 0.
  # NOTE(review): no `require` on the file state - ordering relies on
  # declaration order; confirm that is intended.
  # NOTE(review): the timestamp uses %H-%S (hours, seconds) and skips
  # minutes - looks like %M was meant; confirm.
  cmd.run:
    - name: cd /usr/local/src/tengine_update && /bin/bash update_tenginx2.2.2.sh && mv /usr/local/src/tengine_update /usr/local/src/tengine_update_$(date  +"%Y-%m-%d-%H-%S")

目录文件

 

九、获取用户源IP

一、Tengine处理逻辑:

1.如果X-Forwarded-For头为空,则将remote_addr传给变量clientRealIp;

2.如果X-Forwarded-For头不为空,则取其第一个地址传给变量clientRealIp;

3.将变量clientRealIp添加到HTTP头,程序读取HTTP头获取用户IP;(目前定义的字段名为X-User-IP)

具体在Tengine主配置文件nginx.conf 进行添加(红色字体):

    # Headers forwarded to the backend. X-User-IP carries the resolved
    # client address from the map below and is the field backends read.
    proxy_set_header Host $host;
    proxy_set_header X-User-IP  $clientRealIp;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header User-Agent;
    proxy_set_header  X-Forwarded-Proto $scheme;
     
     # Empty X-Forwarded-For -> TCP peer address; otherwise its first entry.
     # That first entry is supplied by the connecting party unless the
     # CDN/LB in front rewrites the header, so it is only as trustworthy
     # as that edge configuration.
     map $http_x_forwarded_for  $clientRealIp {
       ""      $remote_addr;
       ~^(?P<firstAddr>[0-9\.]+),?.*$  $firstAddr;
     }

二、通过CDN的访问:用户通过CDN访问的要想获取源IP信息必须先将CDN配置字段修改为:“X-Forwarded-For”.

 以网宿CDN为例,默认字段为“Cdn-Src-Ip” ,须登录CDN后台将默认字段修改为X-Forwarded-For,如下图:

 
