1. Log management
The access log is stored in /usr/local/nginx/logs
[root@server1 logs]# cat access.log
172.25.60.250 - - [25/Feb/2020:16:57:51 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.25.60.250 - - [25/Feb/2020:16:57:51 +0800] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.25.60.250 - - [26/Feb/2020:21:44:17 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
172.25.60.250 - - [26/Feb/2020:21:45:13 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
172.25.60.250 - - [26/Feb/2020:21:46:44 +0800] "GET / HTTP/1.1" 200 8 "-" "curl/7.29.0"
172.25.60.250 - - [26/Feb/2020:21:46:47 +0800] "GET / HTTP/1.1" 200 8 "-" "curl/7.29.0"
Send requests with the ab command
[root@foundation60 kiosk]# yum install httpd-tools-2.4.6-45.el7.x86_64
[root@foundation60 kiosk]# ab -c 1 -n 10000 http://www.westos.org/index.org
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.westos.org (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.17.8
Server Hostname: www.westos.org
Server Port: 80
Document Path: /index.org
Document Length: 153 bytes
Concurrency Level: 1
Time taken for tests: 6.451 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Non-2xx responses: 10000
Total transferred: 3030000 bytes
HTML transferred: 1530000 bytes
Requests per second: 1550.20 [#/sec] (mean)
Time per request: 0.645 [ms] (mean)
Time per request: 0.645 [ms] (mean, across all concurrent requests)
Transfer rate: 458.70 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.1 0 7
Processing: 0 0 0.2 0 8
Waiting: 0 0 0.1 0 7
Total: 0 0 0.2 0 8
Percentage of the requests served within a certain time (ms)
50% 0
66% 0
75% 0
80% 0
90% 0
95% 0
98% 1
99% 1
100% 8 (longest request)
Check the log file on the nginx server
[root@server1 logs]# du -sh access.log # check the file size
1.0M access.log
Backing up the log
[root@server1 logs]# ls
2020-02-25_access.log error.log nginx.pid
[root@server1 logs]# nginx -s reopen # regenerate the log file; used for log rotation
[root@server1 logs]# ls
2020-02-25_access.log access.log error.log nginx.pid
2. nginx graceful rollback and version upgrade
[root@server3 sbin]# /usr/local/nginx/sbin/nginx -v # nginx 1.14.2 is installed on server3
nginx version: nginx/1.14.2
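Notes on starting nginx:
cd /usr/local/nginx/sbin/
./nginx
Back up the nginx executable
cp nginx nginx.old
Build the newer nginx version with make
./configure --prefix=/usr/local/nginx
make
Overwrite the nginx executable with the one from the new version
cp -f /root/nginx-1.17.8/objs/nginx /usr/local/nginx/sbin/
Version upgrade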
[root@server3 objs]# ps -ef|grep nginx|grep -v grep
root 4888 1 0 22:23 ? 00:00:00 nginx: master process ./nginx
nobody 4889 4888 0 22:23 ? 00:00:00 nginx: worker process
[root@server3 objs]# kill -USR2 4888
[root@server3 objs]# ps -ef|grep nginx|grep -v grep
root 4888 1 0 22:23 ? 00:00:00 nginx: master process ./nginx
nobody 4889 4888 0 22:23 ? 00:00:00 nginx: worker process
root 7446 4888 0 22:43 ? 00:00:00 nginx: master process ./nginx
nobody 7447 7446 0 22:43 ? 00:00:00 nginx: worker process
[root@server3 objs]# kill -WINCH 4888
[root@server3 objs]# ps -ef|grep nginx|grep -v grep
root 4888 1 0 22:23 ? 00:00:00 nginx: master process ./nginx
root 7446 4888 0 22:43 ? 00:00:00 nginx: master process ./nginx
nobody 7447 7446 0 22:43 ? 00:00:00 nginx: worker process
[root@server3 objs]# /usr/local/nginx/sbin/nginx -v # updated to the new version
nginx version: nginx/1.17.8
Roll back the nginx version
[root@server3 sbin]# ls
nginx nginx.old
[root@server3 sbin]# cp -f nginx.old nginx
cp: overwrite ‘nginx’? y
[root@server3 sbin]# ps -ef|grep nginx|grep -v grep
root 4888 1 0 22:23 ? 00:00:00 nginx: master process ./nginx
root 7446 4888 0 22:43 ? 00:00:00 nginx: master process ./nginx
nobody 7447 7446 0 22:43 ? 00:00:00 nginx: worker process
[root@server3 sbin]# kill -HUP 4888
[root@server3 sbin]# kill -USR2 7446
[root@server3 sbin]# kill -WINCH 7446
[root@server3 sbin]# ps -ef|grep nginx|grep -v grep
root 4888 1 0 22:23 ? 00:00:00 nginx: master process ./nginx
root 7446 4888 0 22:43 ? 00:00:00 nginx: master process ./nginx
nobody 7463 4888 0 22:49 ? 00:00:00 nginx: worker process
[root@server3 sbin]# /usr/local/nginx/sbin/nginx -v # rolled back to the previous nginx version
nginx version: nginx/1.14.2
3. Restricting client access with nginx
Allow only one concurrent connection per client address
[root@server1 nginx]# cat conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
location / {
root html;
index index.html index.htm;
}
location /download{
limit_conn addr 1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
[root@server1 nginx]# mkdir /usr/local/nginx/html/download
[root@server1 nginx]# mv 47b2782dc51aa2eeae8b007ed17d9b7d.jpg vim.jpg
Test:
[root@foundation60 images]# ab -c 5 -n 1000 http://www.westos.org/download/vim.jpg
[root@server1 nginx]# cat logs/access.log
172.25.60.250 - - [27/Feb/2020:09:44:42 +0800] "GET /download/vim.jpg HTTP/1.0" 200 469511 "-" "ApacheBench/2.3"
172.25.60.250 - - [27/Feb/2020:09:44:42 +0800] "GET /download/vim.jpg HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
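To check from the access log that limit_conn is actually rejecting the excess connections (nginx answers them with 503 by default), the following added example, which is not part of the original post, parses the combined log format and counts statuses per client under /download. Only the first two sample lines come from the log above; the others are constructed.

```python
import re
from collections import Counter

# nginx default "combined" format, as in the access.log lines above.
LINE_RE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First two lines are from the page; the rest are constructed for this example.
SAMPLE_LOG = '''\
172.25.60.250 - - [27/Feb/2020:09:44:42 +0800] "GET /download/vim.jpg HTTP/1.0" 200 469511 "-" "ApacheBench/2.3"
172.25.60.250 - - [27/Feb/2020:09:44:42 +0800] "GET /download/vim.jpg HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
172.25.60.250 - - [27/Feb/2020:09:44:42 +0800] "GET /download/vim.jpg HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
172.25.60.250 - - [27/Feb/2020:09:44:43 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
172.25.60.3 - - [27/Feb/2020:09:44:43 +0800] "GET /download/vim.jpg HTTP/1.1" 200 469511 "-" "curl/7.29.0"
172.25.60.3 - - [27/Feb/2020:09:44:44 +0800] "-" 400 0 "-" "-"
'''

def summarize(log_text, prefix="/download"):
    """Count response statuses per client for requests under `prefix`.

    Returns (per_client, skipped): per_client maps address -> Counter of
    status codes; skipped counts lines that are not a well-formed request.
    """
    per_client, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1          # e.g. a 400 logged with request "-"
            continue
        if m["path"].startswith(prefix):
            per_client.setdefault(m["addr"], Counter())[int(m["status"])] += 1
    return per_client, skipped

def rejected_share(statuses, reject_status=503):
    """Fraction of a client's requests refused with the limit_conn status."""
    total = sum(statuses.values())
    return statuses[reject_status] / total if total else 0.0

if __name__ == "__main__":
    clients, skipped = summarize(SAMPLE_LOG)
    for addr, statuses in sorted(clients.items()):
        print(addr, dict(statuses), f"rejected={rejected_share(statuses):.0%}")
    print("unparsed lines:", skipped)
```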
Limit bandwidth
[root@server1 nginx]# cat conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
location / {
root html;
index index.html index.htm;
}
location /download{
# limit_conn addr 1;
limit_rate 50k;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
4. Getting the real client IP in nginx
server1 is the nginx web server
server2 is the proxy
server3 is the client
Install nginx on server2
[root@server2 nginx]# vim conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
upstream westos{
server 172.25.60.253:80; # reverse proxy for 172.25.60.253
}
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name www.westos.org;
location / {
proxy_pass http://westos;
}
}
}
[root@server2 nginx]# nginx -t
[root@server2 nginx]# nginx -s reload
Test:
[root@server3 sbin]# cat /etc/hosts
172.25.60.253 server1
172.25.60.02 server2 www.westos.org
172.25.60.03 server3
172.25.60.04 server4
[root@server3 sbin]# curl www.westos.org
server1
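The access log on server1 (the nginx web server) shows the requests as coming from 172.25.60.2 (the proxy server), which means the nginx server does not know who the client is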
[root@server1 nginx]# cat logs/access.log
172.25.60.2 - - [27/Feb/2020:11:04:50 +0800] "GET / HTTP/1.0" 200 8 "-" "curl/7.29.0"
172.25.60.2 - - [27/Feb/2020:11:04:51 +0800] "GET / HTTP/1.0" 200 8 "-" "curl/7.29.0"
Configure the nginx server to see the client's IP instead of the proxy's IP
Note: nginx must have been built with the --with-http_realip_module option passed to ./configure
[root@server1 nginx]# vim conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
set_real_ip_from 172.25.60.2;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
location / {
root html;
index index.html index.htm;
}
location /download{
# limit_conn addr 1;
limit_rate 50k;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
[root@server2 nginx]# vim conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
upstream westos{
server 172.25.60.253:80;
}
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name www.westos.org;
location / {
proxy_pass http://westos;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
[root@server2 nginx]# nginx -t
[root@server2 nginx]# nginx -s reload
Test:
[root@server3 sbin]# curl www.westos.org
server1
[root@server1 nginx]# cat logs/access.log
172.25.60.3 - - [27/Feb/2020:11:17:12 +0800] "GET / HTTP/1.0" 200 8 "-" "curl/7.29.0"
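Why set_real_ip_from should name only the proxy: the added example below (not part of the original post) is a simplified Python model of how the realip directives pick the logged address from X-Forwarded-For, walking the header right to left while the current address is trusted. The 203.0.113.7 value and the /24 variant are constructed for illustration; ports and other header forms are not modelled.

```python
import ipaddress

def resolve_real_ip(remote_addr, xff, trusted, recursive=True):
    """Model of set_real_ip_from / real_ip_header / real_ip_recursive.

    remote_addr: address of the TCP peer; xff: X-Forwarded-For value or None;
    trusted: addresses or CIDR ranges listed in set_real_ip_from.
    """
    nets = [ipaddress.ip_network(t) for t in trusted]
    addr = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk the header right to left, but only while the current address is trusted.
    while hops and any(addr in n for n in nets):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break                 # unparsable entry: keep the address we have
        if not recursive:
            break                 # non-recursive: take the last entry only
    return str(addr)

PROXY = "172.25.60.2"             # server2, from the page
CLIENT = "172.25.60.3"            # server3, from the page
FORGED = "203.0.113.7"            # constructed: a value the client put in its own header

# $proxy_add_x_forwarded_for appends the peer address to whatever the client sent.
HEADER_SEEN_BY_SERVER1 = f"{FORGED}, {CLIENT}"

def demo():
    """Address server1 would log in each configuration."""
    return {
        # The page's setting: only the proxy is trusted.
        "page_config": resolve_real_ip(PROXY, HEADER_SEEN_BY_SERVER1, [PROXY]),
        # Hypothetical over-broad setting: the client itself counts as trusted.
        "trust_whole_subnet": resolve_real_ip(
            PROXY, HEADER_SEEN_BY_SERVER1, ["172.25.60.0/24"]),
        # A peer that is not in set_real_ip_from: its header is ignored.
        "direct_untrusted_peer": resolve_real_ip(CLIENT, FORGED, [PROXY]),
        "no_header": resolve_real_ip(PROXY, None, [PROXY]),
    }

if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:22} -> {logged}")
```

With only the proxy trusted, the client-supplied entry never becomes the logged address; with the whole subnet trusted, it does.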
5. Image filtering and compression with nginx
[root@server1 nginx]# vim conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so; # load the module
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
#set_real_ip_from 172.25.60.2;
#real_ip_header X-Forwarded-For;
#real_ip_recursive on;
location / {
root html;
index index.html index.htm;
}
location /download{
# limit_conn addr 1;
#limit_rate 50k;
image_filter resize 150 100; # resize the image
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
Test:
Size of the compressed image:
F12 -> Network -> F5
Actual size of the image:
[root@server1 nginx]# du -sh html/download/vim.jpg
460K html/download/vim.jpg
6. Implementing HTTPS
./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
[root@server1 nginx]# vim conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
#set_real_ip_from 172.25.60.2;
#real_ip_header X-Forwarded-For;
#real_ip_recursive on;
location / {
root html;
index index.html index.htm;
}
location /download{
# limit_conn addr 1;
#limit_rate 50k;
image_filter resize 150 100;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 443 ssl;
server_name www.westos.org;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root web;
index index.html index.htm;
}
}
}
[root@server1 nginx]# mkdir web
[root@server1 nginx]# cd web/
[root@server1 web]# vim index.html
https://server1.westos.org
Generate a self-signed certificate
[root@server1 nginx]# cd /etc/pki/tls/certs
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..............................+++
...+++
writing new private key to '/tmp/openssl.h2da7k'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:changzhi
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.org
[root@server1 certs]# ls
ca-bundle.crt cert.pem Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf/
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
Test:
The host has a name resolution entry: 172.25.60.253 www.westos.org
7. nginx rewrite rules
Redirect requests for www.westos.org to https://www.westos.org
[root@server1 nginx]# cat conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# server {
# listen 80;
# server_name www.westos.org;
# #set_real_ip_from 172.25.60.2;
# #real_ip_header X-Forwarded-For;
# #real_ip_recursive on;
# location / {
# root html;
# index index.html index.htm;
# }
# location /download{
# # limit_conn addr 1;
# #limit_rate 50k;
# image_filter resize 150 100;
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root html;
# }
# }
server {
listen 443 ssl;
server_name www.westos.org;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root web;
index index.html index.htm;
}
}
server{
listen 80;
server_name www.westos.org;
rewrite ^/(.*)$ https://www.westos.org/$1; # $1 keeps the path the user requested; only the part in front of $1 is rewritten
# rewrite ^/(.*)$ https://www.westos.org/$1 permanent; # permanent redirect (may be cached; a temporary redirect may not)
}
}
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
Test:
[root@server1 nginx]# cat conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# server {
# listen 80;
# server_name www.westos.org;
# #set_real_ip_from 172.25.60.2;
# #real_ip_header X-Forwarded-For;
# #real_ip_recursive on;
# location / {
# root html;
# index index.html index.htm;
# }
# location /download{
# # limit_conn addr 1;
# #limit_rate 50k;
# image_filter resize 150 100;
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root html;
# }
# }
server {
listen 443 ssl;
server_name www.westos.org bbs.westos.org;
ssl_certificate cert.pem;
ssl_certificate_key cert.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# location / {
# root web;
# index index.html index.htm;
# }
location / {
root bbs;
index index.html index.htm;
}
}
server{
listen 80;
server_name www.westos.org;
# rewrite ^/(.*)$ https://www.westos.org/$1;
# rewrite ^/(.*)$ https://www.westos.org/$1 permanent;
rewrite ^/bbs$ https://bbs.westos.org/index.html permanent; # requests to www.westos.org whose URI is /bbs are redirected to https://bbs.westos.org
}
}
[root@server1 nginx]# mkdir bbs
[root@server1 nginx]# vim bbs/index.html
https://bbs.westos.org
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
Test:
Enter:
The browser is redirected to https://bbs.westos.org
8. Hotlink protection
Hotlinking:
[root@server1 nginx]# cat conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
location / {
root web;
index index.html;
}
}
}
[root@server1 nginx]# ll web/
total 464
-rw-r--r-- 1 root root 469511 Feb 27 15:46 a.jpg
-rw-r--r-- 1 root root 27 Feb 27 12:05 index.html
[root@server2 nginx]# cat conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name daolian.westos.org;
charset utf-8; # so that the Chinese text on the page displays correctly
location / {
root web;
index index.html;
}
}
}
[root@server2 nginx]# cat web/index.html
<html>
<body>
<br>盗链图片</br>
<img src="http://www.westos.org/a.jpg">
</body>
</html>
[root@server2 nginx]# cat /etc/hosts
172.25.60.253 server1 www.westos.org
172.25.60.02 server2
172.25.60.03 server3
172.25.60.04 server4
172.25.60.05 server5
172.25.60.06 server6
172.25.60.250 foundation60.example.com
[root@server2 nginx]# nginx -t
[root@server2 nginx]# nginx -s reload
Test:
[root@foundation60 ~]# cat /etc/hosts
172.25.60.2 daolian.westos.org
Hotlink protection:
[root@server1 nginx]# cat conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
location / {
root web;
index index.html;
}
location ~* \.(gif|jpg|png|jpeg)$ {
root web;
valid_referers none blocked www.westos.org;
if ($invalid_referer) {
return 403;
}
}
}
}
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
Test:
Redirect blocked hotlink requests to a specified link
[root@server1 nginx]# cat conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name www.westos.org;
location / {
root web;
index index.html;
}
location ~* \.(gif|jpg|png|jpeg)$ {
root web;
valid_referers none blocked www.westos.org;
if ($invalid_referer) {
rewrite ^/(.*)$ http://bbs.westos.org/daolian.jpg;
}
}
}
server {
listen 80;
server_name bbs.westos.org;
location / {
root bbs;
index index.html;
}
}
}
[root@server1 nginx]# ll bbs/
total 24
-rw-r--r-- 1 root root 18744 Feb 27 16:13 daolian.jpg
-rw-r--r-- 1 root root 23 Feb 27 15:02 index.html
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
Test:
[root@foundation60 ~]# cat /etc/hosts
172.25.60.2 daolian.westos.org
172.25.60.253 www.westos.org bbs.westos.org
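Which requests the valid_referers rule in the two hotlink-protection configurations above accepts: the added example below (not part of the original post) is a simplified Python model of the none / blocked / server-name matching, covering only exact names and *.suffix wildcards. The sample Referer values are constructed.

```python
import re

def referer_allowed(referer, rules):
    """Model of valid_referers: True means $invalid_referer stays empty.

    referer: the Referer header value, or None when the header is absent.
    rules: the valid_referers arguments (none, blocked, exact or *.suffix names).
    """
    names = [r.lower() for r in rules if r not in ("none", "blocked")]
    if referer is None:
        return "none" in rules            # header missing entirely
    m = re.match(r"https?://([^/:]*)", referer.lower())
    if m is None:
        return "blocked" in rules         # present, but no http(s):// prefix
    host = m.group(1)                     # host only; port and path are ignored
    for name in names:
        if name.startswith("*."):
            if host.endswith(name[1:]):
                return True
        elif host == name:
            return True
    return False

PAGE_RULES = ["none", "blocked", "www.westos.org"]   # from the page's config

# Constructed requests for /a.jpg: (description, Referer header or None)
REQUESTS = [
    ("own page", "http://www.westos.org/index.html"),
    ("hotlinking page", "http://daolian.westos.org/"),
    ("look-alike host", "http://www.westos.org.example.net/x.html"),
    ("header stripped by a proxy", "XXXXXXXX"),
    ("no Referer header", None),
]

def evaluate(rules):
    """Status the image location would return for each sample request."""
    return {desc: (200 if referer_allowed(ref, rules) else 403)
            for desc, ref in REQUESTS}

if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("names only", ["www.westos.org"])):
        print(label)
        for desc, status in evaluate(rules).items():
            print(f"  {desc:28} {status}")
```

Because the decision rests on a request header, the rule suits bandwidth protection rather than access control; dropping none and blocked is stricter but also rejects clients whose browser or proxy omits the header.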