1. Nginx负载均衡配置
# Single worker process; each worker accepts up to worker_connections clients.
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
# The upstream name (httpds) must match the host used in proxy_pass below.
# With no balancing method given, requests are distributed round-robin
# across the two nginx servers listed here (plain HTTP on the LAN).
upstream httpds{
server 192.168.3.11:80;
server 192.168.3.12:80;
}
server {
listen 80;
server_name localhost;
location / {
# Everything under / is forwarded to the upstream group; root/index are not
# consulted for proxied requests and only matter for error pages.
proxy_pass http://httpds;
root html;
index index.html index.htm;
}
# Applies to errors nginx produces itself (e.g. 502/504 when no upstream
# answers); 5xx responses generated by an upstream pass through unchanged
# unless proxy_intercept_errors is enabled.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
2. 轮询权重配置
# Same skeleton as the first example; only the upstream group differs.
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
# The upstream name (httpds) must match the host used in proxy_pass below;
# requests are balanced round-robin across the nginx servers listed here.
# weight  - relative share of requests (default 1)
# down    - marks the server as permanently unavailable; it gets no traffic
# backup  - used only when every non-backup server is down or failing
# As written, both weighted servers carry "down", so all traffic lands on the
# backup; drop the down flags to see the 8:2 weighting take effect.
upstream httpds{
server 192.168.3.11:80 weight=8 down;
server 192.168.3.12:80 weight=2 down;
server 192.168.3.13:80 weight=1 backup;
}
server {
listen 80;
server_name localhost;
location / {
# Proxied location; root/index below are not consulted for proxied requests.
proxy_pass http://httpds;
root html;
index index.html index.htm;
}
# Covers errors nginx generates itself (e.g. 502 when no upstream answers).
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
3. nginx动静分离(把一些静态资源放在nginx,而不是在后台服务中)
在nginx.conf中配置多个location放在server块中,把静态资源放在html目录下
# css
# Prefix match: URIs beginning with /css are served from the html directory;
# root keeps the full URI, so /css/app.css maps to html/css/app.css.
location /css {
root html;
index index.html index.htm;
}
# js
location /js {
root html;
index index.html index.htm;
}
# images
location /img {
root html;
index index.html index.htm;
}
合并配置(正则匹配)
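# Combined, case-insensitive regex form of the three prefix locations above.
# Anchored with ^ so only URIs that *start* with /js, /img or /css match; the
# unanchored /(js|img|css) would also capture e.g. /api/js/... and serve it
# from the html directory.
location ~* ^/(js|img|css) {
    root html;
    index index.html index.htm;
}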
4. URLrewrite 伪静态配置(隐藏真实地址)
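location / {
    # /2.html is the URL the client requests; /index.jsp?pageNum=2 is the real
    # resource. "break" stops further rewrite processing, so the proxied URI is
    # the rewritten one. The dot is escaped and the pattern terminated with $
    # so only /2.html itself matches, not /2xhtml or /2.html.bak.
    rewrite ^/2\.html$ /index.jsp?pageNum=2 break;
    proxy_pass http://192.168.3.13;
}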
正则匹配
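location / {
    # Generic form of the rule above: /<digits>.html -> /index.jsp?pageNum=<digits>.
    # The capture must be referenced as $1; the original "&1" is a literal
    # string, so every page would have been requested as pageNum=&1.
    # [0-9]+ limits the capture to digits, so nothing else from the client URI
    # reaches the backend query string.
    rewrite ^/([0-9]+)\.html$ /index.jsp?pageNum=$1 break;
    proxy_pass http://192.168.3.13;
}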
5. 开启防火墙,只能由指定的服务器访问
开启对应的防火墙(不对外开放的)
# Starts firewalld for the current boot only; "systemctl enable --now firewalld" also starts it at boot
systemctl start firewalld
添加指定端口和ip访问(添加之后记得重新启动防火墙)
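# Allow TCP/80 only from 192.168.3.10 in the default zone. Single quotes on the
# outside keep the inner double quotes intact for firewall-cmd; with nested
# double quotes the shell strips them and the rule arrives unquoted, which
# firewall-cmd happens to tolerate. --permanent edits the saved config only and
# takes effect after --reload. Port 80 is restricted only if nothing else in the
# zone opens it (e.g. --add-service=http); confirm with --list-all.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.3.10" port protocol="tcp" port="80" accept'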
移除规则
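# Remove the rule again; the rule text must match the one that was added.
# Single quotes keep the inner double quotes for firewall-cmd; --reload applies it.
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.3.10" port protocol="tcp" port="80" accept'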
重启防火墙
# Loads the saved (--permanent) rules into the running firewall without dropping existing connections
firewall-cmd --reload
查看已配置规则
# Shows the runtime rules of the default zone (services, ports, rich rules); add --permanent to see the saved set
firewall-cmd --list-all
6. 防盗链
下面防止图片被盗
# ^~ is a prefix match that also stops nginx from trying regex locations.
location ^~/images/ {
# Because "none" is not listed, requests without any Referer header are also
# treated as invalid. The Referer is supplied by the client and trivially forged
# (see the curl -e example later on this page), so this deters casual
# hotlinking; it is not access control.
valid_referers 192.168.3.10; # which Referer values are allowed; 192.168.3.10 is matched as a host name (scheme stripped), not as an IP address
if ($invalid_referer) { # note the space between "if" and "("
return 403; # forbidden for a missing or unlisted referer
}
root /www/resources;
}
-
参数值
-
none:允许没有 referer 信息的请求访问,即直接通过url访问。
-
blocked:请求头Referer字段不为空(即存在Referer),但是值可以为空(值被代理或者防火墙删除了),并且允许referer不以“http://”或“https://”开头,通俗点说就是允许“http://”或“https://”以外的请求。
-
server_names:若 referer 中站点域名与 server_name 中本机域名某个匹配,则允许该请求访问
-
其他字符串类型:检测referer与字符串是否匹配,如果匹配则允许访问,可以采用通配符*
-
正则表达式:若 referer 的值匹配上了正则,就允许访问
7. 利用curl测试防盗链
下载curl
# Install curl on a yum-based system (-y answers the confirmation prompt)
yum install -y curl
测试curl 192.168.3.10
没有referer的情况下
# HEAD request with no Referer; since the valid_referers lines above omit "none", this is expected to be refused
curl -I http://192.168.3.10/img/2.jpg
有referer的情况下
# -e sets the Referer header; any client can do this, which is why referer checks only deter hotlinking
curl -e "http://baidu.com" -I http://192.168.3.10/img/2.jpg
8. 防盗链资源返回页面错误提示和图片提示
新建一个错误提示页面
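# Anchored so only URIs starting with /js, /img or /css are covered (the
# unanchored /(js|img|css) would also match /api/js/...).
location ~* ^/(js|img|css) {
    valid_referers 192.168.3.10;
    if ($invalid_referer) {
        # Status that error_page below maps to the custom page. 403, as in the
        # /images/ example, is the conventional code here since no
        # WWW-Authenticate challenge accompanies this 401.
        return 401;
    }
    root html;
    index index.html index.htm;
}
# Error page mapping (server level): a 401 is answered with html/401.html.
# The exact-match location wins over the regex above, so the error page itself
# is never subject to the referer check.
error_page 401 /401.html;
location = /401.html {
    root html;
}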
图片提示
# Fragment meant to sit inside a static-resource location (the enclosing block is not shown here).
valid_referers 192.168.3.10;
if ($invalid_referer) {
# Serve a placeholder image instead of an error. "break" ends rewrite
# processing, so /img/3.jpg is delivered from this same location without
# re-running the referer check.
rewrite ^/ /img/3.jpg break;
# return 401;
}
9. nginx高可用及Keepalived实战
- 安装命令
# Install keepalived (VRRP daemon that floats the virtual IP between the nginx hosts)
yum install -y keepalived
- 修改配置/etc/keepalived/keepalived.conf
! Configuration File for keepalived
! MASTER node. Both nodes must share virtual_router_id, the authentication
! block and the virtual address so they form one VRRP group.
global_defs {
router_id LB_10
}
vrrp_instance VI_102 {
state MASTER
! NIC that carries the VRRP advertisements and the VIP -- adjust to the host
interface ens33
virtual_router_id 51
! Higher priority wins the MASTER role; the BACKUP node below uses 50
priority 100
! Advertisement interval in seconds; BACKUP takes over once advertisements stop
advert_int 1
! auth_type PASS sends this password in cleartext in every advertisement, so it
! only prevents accidental pairing, not a host on the same segment claiming the
! VIP. keepalived's own manual page advises against relying on VRRP
! authentication (it was removed from the protocol by RFC 3768).
authentication {
auth_type PASS
auth_pass 1111
}
! NOTE(review): nothing here tracks nginx itself; if nginx exits while
! keepalived keeps running, the VIP does not move. A vrrp_script/track_script
! that checks nginx is the usual addition.
virtual_ipaddress {
192.168.3.200
}
}
! Configuration File for keepalived
! BACKUP node: identical to the MASTER except router_id, state and priority.
global_defs {
router_id LB_14
}
vrrp_instance VI_102 {
state BACKUP
! NIC that carries the VRRP advertisements and the VIP -- adjust to the host
interface ens33
! Must equal the MASTER's virtual_router_id to join the same VRRP group
virtual_router_id 51
! Lower than the MASTER's 100, so this node only takes over when the MASTER is gone
priority 50
advert_int 1
! Same cleartext PASS secret as the MASTER; it prevents accidental pairing only,
! not a host on the same segment claiming the VIP.
authentication {
auth_type PASS
auth_pass 1111
}
! Same floating address as the MASTER
virtual_ipaddress {
192.168.3.200
}
}
- 启动keepalived
# Start keepalived now; "systemctl enable keepalived" is also needed for it to come back after a reboot
systemctl start keepalived
-
可以ping通
-
把10关闭
-
还是可以ping通
-
通过页面访问
10. nginx线上实战
-
前面需要买域名和买服务器
-
申请证书
3. 申请完就可以下载对应的证书了
4. 上传到nginx
- nginx配置证书(在nginx.conf里面配置):
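server {
    listen 443 ssl;
    # This is the only 443 server in the file, so it receives every TLS
    # connection regardless of the Host header; "localhost" is not what the
    # certificate is issued for. Use the real domain here as in the port-80
    # server below.
    server_name localhost;
    # Paths are relative to the nginx conf directory
    ssl_certificate 9028382_upczt.com.pem;
    ssl_certificate_key 9028382_upczt.com.key;
    index index.html index.htm index.php;
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    # Status endpoint restricted to the local host
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    # Regex locations are tried in order and the first match wins, so this deny
    # rule must come BEFORE the static-file rules below: otherwise a request
    # like /.git/x.png would be picked up by the image rule and served.
    # (^|/) extends the check to these names in any subdirectory, not only the
    # document root; dots are escaped so .user.ini and README.md match literally.
    location ~ (^|/)(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
        deny all;
    }
    location ~ [^/]\.php(/|$) {
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        # NOTE(review): the (/|$) form hands trailing PATH_INFO to PHP-FPM; make
        # sure php-fpm's security.limit_extensions (or cgi.fix_pathinfo=0) keeps
        # non-.php files from being executed via /upload.jpg/x.php style URIs.
    }
    # Long client caching for images/media; access_log off also hides probes for
    # these paths from the log, so keep logging if you rely on it for detection.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
    # ACME challenge path must stay reachable for certificate renewal
    location /.well-known {
        allow all;
    }
}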
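server {
    listen 80;
    server_name upczt.com www.upczt.com; # replace with your own domain
    access_log /data/wwwlogs/access_nginx.log combined;
    # Permanent redirect of every plain-HTTP request to HTTPS (the rendered
    # source had the variables mangled; this matches the port-80 server in the
    # Spring Boot section). $server_name is the first name listed above, so
    # www.upczt.com also lands on the apex; use $host to keep the requested name.
    return 301 https://$server_name$request_uri;
    root html;
}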
6. 保存配置文件重启nginx
# Reload config without dropping connections; run "nginx -t" first so a syntax error is caught before the reload
systemctl reload nginx
7. 加上https:// 变为安全协议了
8. 安装discuz.net
9. 上传到服务器
10. 解压
11. 修改名字为bbs
12. Nginx配置springboot项目使用https协议
- springboot 项目配置文件
# Tell embedded Tomcat which proxy headers carry the original client address,
# scheme and port, so the app sees the HTTPS front end rather than the plain
# HTTP hop from nginx.
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
# NOTE(review): Tomcat honours these headers only from addresses matching its
# internal-proxies pattern (private ranges by default); check the address nginx
# connects from. If port 8080 is also reachable directly (the security-group
# step above opens it), a direct client can set these headers itself.
server.tomcat.port-header=X-Forwarded-Port
- 打包上传到服务器,简单写了个接口
3. 配置服务器的安全组端口8080
- nginx配置文件
server {
listen 80;
server_name upczt.com www.upczt.com;
access_log /data/wwwlogs/access_nginx.log combined;
# Permanent redirect of all plain-HTTP traffic to HTTPS. $server_name is the
# first name listed above, so www.upczt.com also lands on the apex; $host
# would keep the requested name instead.
return 301 https://$server_name$request_uri;
root html;
}
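server {
    # "ssl on" is deprecated since nginx 1.15.0 in favour of the ssl listen
    # parameter, which the 443 server earlier on this page already uses.
    listen 443 ssl;
    server_name www.upczt.com;
    # certificate paths, relative to the nginx conf directory
    ssl_certificate 9028382_upczt.com.pem;
    ssl_certificate_key 9028382_upczt.com.key;
    location / {
        # Forward to the Spring Boot app on 8080 over plain HTTP. The target is
        # the public host name, so the hop may leave via the public address; if
        # the app runs on the same host, 127.0.0.1:8080 keeps the unencrypted
        # leg local.
        proxy_pass http://www.upczt.com:8080;
        # Original client address, scheme and port for Tomcat's remote-ip handling
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}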
- 重启nginx