差异对比
Apache | Nginx |
---|---|
配置繁琐 | 配置相对简单 |
原生支持动态和静态页面 | 原生只处理静态内容,动态请求通过 FastCGI/反向代理交给后端(如 PHP-FPM、Tomcat)处理 |
模块相对安全 | 高性能模块出产迅速、社区活跃 |
BUG 相对较少,消耗资源较多 | BUG相对较多,节省资源 |
对加密支持较好 | 对反向代理支持较好 |
同步阻塞型应用 | 异步非阻塞型应用 |
Nginx 的安装
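# Build dependencies (CentOS/RHEL). lrzsz is only a file-transfer helper, not a build dependency.
yum -y install gcc gcc-c++ lrzsz zlib zlib-devel pcre pcre-devel
# --user/--group below name an account that nginx will switch to; it must exist
# before the first start, and it should have no login shell.
id nginx >/dev/null 2>&1 || useradd -r -s /sbin/nologin nginx
# Verify the archives before unpacking: nginx.org and openssl.org publish PGP
# signatures and SHA-256 sums for every release.
tar -zxvf nginx-xxx
tar -zxvf openssl-xxx
# NOTE(review): OpenSSL 1.0.2 is end-of-life and receives no security fixes;
# build against a supported release (1.1.1 or 3.x, also required for TLS 1.3)
# and point --with-openssl at that directory.
# --with-http_realip_module is needed for the set_real_ip_from / real_ip_header
# directives used in the "传递真实地址至后端服务器" section.
# The original repeated `make && make install` on a second line; once is enough.
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-openssl=/root/openssl-1.0.2h --with-stream && make && make install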
Nginx 实验
1、模块启用
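vi /usr/local/nginx/conf/nginx.conf
# stub_status publishes live connection and request counters. Without an access
# rule the /abc endpoint is readable by anyone who can reach the server, so
# restrict it here (section 2 shows the auth_basic and allow/deny variants).
location /abc {
    stub_status on;
    allow 127.0.0.1;
    deny all;
}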
2、Nginx 访问控制列表(ACL)
-
基于用户名密码的访问控制
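vi /usr/local/nginx/conf/nginx.conf
location /abc {
    stub_status on;
    # Basic auth sends credentials base64-encoded, i.e. in the clear, on plain
    # HTTP; only expose this location over HTTPS.
    auth_basic "Welcome to nginx!";
    # Keep the credential file OUTSIDE the document root. The original path
    # /usr/local/nginx/html/a.psd sits under the default root for this prefix,
    # so any client could download it as /a.psd.
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
# htpasswd comes from httpd-tools. Use bcrypt (-B) instead of -m (MD5-based
# apr1), then make the file readable only by root and the worker user.
htpasswd -cB /usr/local/nginx/conf/.htpasswd zhangsan
htpasswd -B /usr/local/nginx/conf/.htpasswd lisi
chown root:nginx /usr/local/nginx/conf/.htpasswd && chmod 640 /usr/local/nginx/conf/.htpasswd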
-
基于 IP 的访问控制
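vi /usr/local/nginx/conf/nginx.conf
location /abc {
    stub_status on;
    auth_basic "Welcome to nginx!";
    # Credential file kept outside the document root (the original used
    # html/a.psd, which is served to clients); create it there with htpasswd.
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
    # allow/deny rules are evaluated in order and the first match wins. The
    # original ended with `deny 192.168.66.0/24;`, which only blocked that
    # subnet and left every other address allowed; "allow .250, deny everyone
    # else" needs `deny all;`. Both the IP rule and auth_basic must pass
    # (the default is `satisfy all`).
    allow 192.168.66.250;
    deny all;
}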
3、虚拟主机
在主配置文件中复制 server{} 区域, 不同的 server 区域则是不同的虚拟主机, 同 apache 一样支持基于域名、端口(以及 IP)的虚拟主机。注意:请求的 Host 头与任何 server_name 都不匹配时,nginx 会把请求交给该端口上的默认 server(第一个或标有 default_server 的那个);建议显式配置一个只 `return 444;` 的 default_server,避免未知域名的请求落到业务站点上。
4、反向代理
# Minimal reverse proxy: nginx opens its own connection to 192.168.1.3 and
# relays the upstream's answer. With no proxy_set_header directives the backend
# sees nginx's own address as the client and a Host header derived from the
# proxy_pass address; the section "传递真实地址至后端服务器" below shows how to
# forward the real client IP and Host.
location / {
proxy_pass http://192.168.1.3:80;
}
5、七层负载调度 - 后端为 Apache 等 HTTP 服务(调度由 Nginx 的 upstream 完成)
Nginx 负载区域构建
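upstream atguigu.com {
    # Sticky routing keyed on the client IP (first three octets of an IPv4
    # address). Behind another proxy or NAT every client hashes the same way;
    # in that case pair it with the realip module or drop stickiness.
    ip_hash;
    # Weights are written `weight=N`; the original `weight 2` is not valid
    # server-parameter syntax and nginx rejects it at startup.
    server 192.168.1.240:80 weight=2;
    server 192.168.1.241:80 weight=1;
    # `backup` cannot be combined with ip_hash (nor hash/random), so the third
    # member is an ordinary peer; use max_fails/fail_timeout for failover.
    server 192.168.1.242:80 weight=1;
}
location / {
    proxy_pass http://atguigu.com;
    # Without proxy_set_header Host, the backends receive the upstream name
    # (atguigu.com) as Host; add `proxy_set_header Host $host;` if they need
    # the client's original value.
}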
6、HTTPS 加密访问
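# Key generation. 1024-bit RSA is below current minimums and rejected by
# modern clients; use 2048 or more. -des3 would encrypt the key with a
# passphrase that nginx prompts for on every start (the original copied
# server.key.org but never stripped it); generate it unencrypted and rely on
# file permissions instead. umask keeps the new files private from the start.
umask 077
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
# Self-signed certificate, one year, SHA-256. Browsers will warn about it;
# fine for a lab, use a CA-issued certificate in production.
openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out servernew.crt
cp servernew.crt /usr/local/nginx/conf/server.crt
cp server.key /usr/local/nginx/conf/server.key
# The private key must not be readable by anyone but root; nginx reads it
# before dropping privileges.
chmod 600 /usr/local/nginx/conf/server.key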
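# `ssl on;` is deprecated (and removed in nginx 1.25); enable TLS on the
# listen socket instead.
listen 443 ssl;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
# A shared session cache lets resumed handshakes skip the full key exchange.
ssl_session_cache shared:SSL:10m;
# TLS 1.0 alone is deprecated (RFC 8996) and disallowed by PCI DSS; offer
# 1.2 and 1.3 only (1.3 requires OpenSSL 1.1.1 or later).
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only. The original string was dated: it excluded
# the DHE family (!DH:!EDH) and relied on the HIGH alias, whose contents change
# between OpenSSL versions.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;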
7、地址跳转
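server {
    listen 80;
    server_name www.hongfu.com;
    # `return 301` is the idiomatic form of the regex rewrite and keeps the
    # query string via $request_uri. $host is taken from the client's request:
    # if this block is also the default server for port 80, any Host value a
    # client sends ends up in the redirect target, so use a literal hostname
    # there instead of $host.
    return 301 https://$host$request_uri;
}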
8、Nginx 配置 HSTS
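# HSTS. `always` also sends the header on error responses (add_header is
# otherwise limited to 2xx/3xx). Send it only from the HTTPS server block.
# includeSubdomains + preload are effectively permanent (leaving the browser
# preload lists takes a long time) — add them only once every subdomain serves
# HTTPS. Note that an add_header inside a nested location replaces, rather than
# extends, the parent's add_header set, so repeat security headers there.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;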
9、避免点击劫持:添加 X-Frame-Options 头部,确保页面不能被嵌入到其他站点的 frame 或 iframe 中。现代浏览器更推荐 Content-Security-Policy 的 frame-ancestors 指令(可列出允许嵌入的来源),两者可同时发送。注意 nginx 中子 location 内若出现任意 add_header,会覆盖(而非叠加)上层的 add_header 集合。
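# DENY forbids framing even by the same origin (use SAMEORIGIN if the site
# frames itself). `always` adds the header to error responses as well.
add_header X-Frame-Options "DENY" always;
# CSP frame-ancestors is the standards-track replacement and is what current
# browsers honour first. If the site already sends a Content-Security-Policy,
# merge this directive into it instead of adding a second header.
add_header Content-Security-Policy "frame-ancestors 'none'" always;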
10、HTTP 2.0 配置
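server {
    listen 443 ssl http2;
    server_name pan.rocblog.top;
    # The original kept the certificate AND private key under
    # /usr/local/nginx/html/, the default document root for this prefix, so
    # /https/pan.key could be downloaded by any client. Keep key material under
    # conf/ (or /etc/ssl/private) with mode 600.
    ssl_certificate /usr/local/nginx/conf/ssl/pan.pem;
    ssl_certificate_key /usr/local/nginx/conf/ssl/pan.key;
    # ssl_protocols / ssl_ciphers from the HTTPS section are needed here too;
    # without them nginx uses its compiled-in defaults.
}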
# http2.0 模板网站
https://http2.akamai.com/demo
# 检测网站是否开启 http2.0 协议
1:chrome浏览器:下载插件:HTTP/2 and SPDY indicator
2:firefox浏览器:下载插件HTTP/2 and SPDY indicator 2.3
3:不依赖插件,用命令行检测:`curl -sI --http2 https://域名`,响应首行为 `HTTP/2 200` 即表示已启用;`nginx -V` 的输出中应包含 --with-http_v2_module。
传递真实地址至后端服务器
1、前端 Nginx,后端 Tomcat
location / {
proxy_pass http://localhost:8080;
# Real client address. The backend must only trust this header when the
# request arrived from this proxy (Tomcat's RemoteIpValve with internalProxies
# does that); otherwise a client can set it directly.
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to whatever X-Forwarded-For the client already sent, so
# earlier entries in the header are client-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Pass the client's original Host header (including port) through to Tomcat.
proxy_set_header Host $http_host;
# Let nginx serve its own error_page for upstream responses >= 300
# (only applies to codes that have an error_page configured).
proxy_intercept_errors on;
}
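<!-- X-Forwarded-For is client-controlled: a request that reaches Tomcat
     directly, or one that carried a forged header before nginx appended the
     real address, would log a fake client IP. RemoteIpValve rewrites the
     request's remote address from the header only when the immediate peer is
     listed in internalProxies, so %a in the access log becomes trustworthy.
     nginx proxies from localhost here; widen internalProxies only to the
     actual proxy addresses. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1|::1"
       remoteIpHeader="X-Forwarded-For" />
<!-- The original pattern used bare double quotes inside a double-quoted
     attribute, which is invalid XML and breaks server.xml parsing; they are
     written as &quot; here. requestAttributesEnabled makes %a use the address
     resolved by RemoteIpValve (the valve restores the original address after
     the request, so the log would otherwise show the proxy IP). -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="access_log." suffix=".txt" requestAttributesEnabled="true"
       pattern="Remote User[ %a %l %u %t ] Request[ &quot;%r&quot; ] Status Code[ %s ] Bytes[ %b ] Referer[ &quot;%{Referer}i&quot; ] Agent[ &quot;%{User-agent}i&quot; ]" />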
2、前端 Nginx,后端 Nginx
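location / {
    proxy_pass http://localhost:8000;
    # Real client address for the backend.
    proxy_set_header X-Real-IP $remote_addr;
    # Scheme the client used. The original commented-out line hard-coded
    # "https" under the name X_FORWARDED_PROTO; header names with underscores
    # are dropped by nginx (and several other backends) by default, and
    # $scheme is correct for both the HTTP and HTTPS listeners.
    proxy_set_header X-Forwarded-Proto $scheme;
    # Exactly one X-Forwarded-For directive. The original declared it twice
    # (once with $remote_addr, once with $proxy_add_x_forwarded_for), which
    # leaves the backend with an ambiguous or duplicated header.
    # $proxy_add_x_forwarded_for appends $remote_addr to the value the client
    # sent, so entries before the last one are untrusted.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # Pass upstream Location/Refresh headers through unchanged.
    proxy_redirect off;
}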
# 后端的 Nginx 需要启用 ngx_http_realip_module(提供 set_real_ip_from / real_ip_header 指令),该模块默认不编译进来,configure 时需加上 --with-http_realip_module(注意是两个半角短横线)。
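location / {
    proxy_pass http://localhost:8000;
    # Forward the client address to the next hop.
    proxy_set_header X-Real-IP $remote_addr;
    # Original scheme, replacing the commented-out hard-coded X_FORWARDED_PROTO
    # (underscored header names are ignored by nginx by default).
    proxy_set_header X-Forwarded-Proto $scheme;
    # One X-Forwarded-For directive only (the original declared it twice);
    # $proxy_add_x_forwarded_for appends $remote_addr to the incoming value.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;
    # ngx_http_realip_module (--with-http_realip_module), for the BACKEND nginx:
    # replace $remote_addr with the value of X-Real-IP, but only on requests
    # that arrive from the listed addresses. List the front proxies alone —
    # NOTE(review): trusting all of 192.168.1.0/24 lets every host in that
    # subnet forge its source address; narrow it to the proxy's IP. These
    # directives are normally placed in the backend's http/server context
    # rather than next to a proxy_pass.
    set_real_ip_from 192.168.1.0/24;
    set_real_ip_from 192.168.2.1;
    # Must match the header the front nginx sets (X-Real-IP above). Use
    # X-Forwarded-For with real_ip_recursive on if there is a chain of proxies.
    real_ip_header X-Real-IP;
}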
3、前端 Nginx 后端 Apache
# On the front nginx, inside the location that proxies to Apache: append the
# client address to X-Forwarded-For. Apache must only honour this header from
# the proxy's own address (see RPAFproxy_ips below); from anyone else it is
# attacker-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# apache 2.2 需要安装第三方模块 mod_rpaf(官方网站: https://stderr.net/apache/rpaf/,该模块已多年未维护,下载后应核对校验和);apache 2.4 自带 mod_remoteip(RemoteIPHeader / RemoteIPInternalProxy),应优先使用自带模块。
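# mod_rpaf is an unmaintained third-party module with no signed release:
# verify the archive against a known-good checksum before building, or prefer
# the bundled mod_remoteip on Apache 2.4.
wget https://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
tar zxvf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6
# Port the 0.6 source to the Apache 2.4 API, where the connection fields
# remote_addr/remote_ip were renamed to client_addr/client_ip.
sed -i 's/remote_addr/client_addr/' mod_rpaf-2.0.c
sed -i 's/remote_ip/client_ip/' mod_rpaf-2.0.c
# Build and install into the Apache tree. The original called
# /usr/local/apache2/bin/apxs while the configuration steps edit
# /usr/local/apache/conf, i.e. two different install prefixes; use the same
# prefix as the config files so the module lands in that server's modules/.
/usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.slo mod_rpaf-2.0.c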
vi /usr/local/apache/conf/httpd.conf
# Pull the rpaf settings in from a separate file.
Include conf/extra/httpd-rpaf.conf
vi /usr/local/apache/conf/extra/httpd-rpaf.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
# NOTE(review): also rewrites the request's server name from a forwarded
# host header — confirm against the mod_rpaf 0.6 README before enabling.
RPAFsethostname On
# Only requests arriving FROM these addresses have their X-Forwarded-For
# honoured; list exactly the front nginx hosts. Any other peer's header is
# ignored, which is what stops clients from spoofing their address — never
# widen this list to a whole subnet.
RPAFproxy_ips 127.0.0.1 10.8.0.110
# Header the front nginx fills in with proxy_set_header.
RPAFheader X-Forwarded-For
Nginx 缓存设置
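server {
    location ~* \.(html)$ {
        # NOTE(review): disabling the access log for HTML removes the record
        # of page requests that incident response relies on; keep it on unless
        # volume forces otherwise.
        access_log off;
        # Revalidate on every request: a conditional GET returns 304 when
        # Last-Modified/ETag still match, so nothing is re-downloaded. The
        # original "max-age=no-cache" is not valid Cache-Control — max-age
        # takes a number of seconds and no-cache is a directive of its own.
        add_header Cache-Control "no-cache";
    }
    location ~* \.(css|js|png|jpg|jpeg|gif|gz|svg|mp4|ogg|ogv|webm|htc|xml|woff)$ {
        access_log off;
        # Static assets: cacheable for 360000 s (100 hours).
        add_header Cache-Control "max-age=360000";
    }
}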
反向代理时,后端返回的 Cache-Control / Set-Cookie 头会决定 nginx 是否缓存该响应(带 Set-Cookie 或 Cache-Control: private/no-cache 的响应默认不会被缓存),因此看起来"缓存失效"。可以按下面的方式忽略这些头强制缓存,但务必只对静态资源这样做:忽略 Set-Cookie 后,登录用户的个性化页面会被缓存并返回给其他用户。
# Nginx 主配置文件
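http {
    ...
    # nginx_proxy.conf turns proxy_cache on for EVERY location in this http
    # block and tells nginx to ignore upstream Set-Cookie/Cache-Control. A
    # cached copy of an authenticated page would then be served to other users
    # (cache leakage), so caching is switched off explicitly for the dynamic
    # location below.
    include nginx_proxy.conf;
    proxy_cache_path /data/nuget-cache levels=1:2 keys_zone=nuget-cache:20m max_size=50g inactive=168h;
    server {
        listen 80;
        server_name xxx.abc.com;
        location / {
            proxy_pass http://localhost:7878;
            # Dynamic, possibly per-user content: never cache it here.
            proxy_cache off;
            # "max-age=no-cache" is not valid Cache-Control; "no-cache" forces
            # revalidation, which is what the HTML section above intends.
            add_header Cache-Control "no-cache";
        }
        location ~* \.(css|js|png|jpg|jpeg|gif|gz|svg|mp4|ogg|ogv|webm|htc|xml|woff)$ {
            access_log off;
            # nginx does not evaluate arithmetic in directive arguments: the
            # original "30*24*3600" was sent to clients literally. 30 days is
            # 2592000 seconds.
            add_header Cache-Control "public, max-age=2592000";
            proxy_pass http://localhost:7878;
        }
    }
}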
# nginx_proxy.conf 配置文件
# Shared proxy-cache settings, pulled into the http block with `include`.
# Use the zone declared by proxy_cache_path.
proxy_cache nuget-cache;
# Cache 200/301/302 responses for a week regardless of upstream headers.
proxy_cache_valid 168h;
# Ignoring Set-Cookie and Cache-Control makes nginx cache responses the
# backend marked private or tied to a session. That is only safe for
# locations that return the same bytes to every user (static assets); a
# location that proxies per-user content must disable caching
# (proxy_cache off / proxy_no_cache) or it will leak one user's page to others.
proxy_ignore_headers Set-Cookie Cache-Control;
# Strip the upstream headers so clients only see the Cache-Control added by
# nginx and never receive a cached Set-Cookie belonging to someone else.
proxy_hide_header Cache-Control;
# NOTE(review): hiding Set-Cookie applies to every location that inherits
# this file, including login endpoints, where it breaks session cookies —
# define a separate proxy_hide_header set in such locations.
proxy_hide_header Set-Cookie;
Nginx 开启压缩
# Response compression.
gzip on;
# Bodies under 1 KB gain nothing from compression.
gzip_min_length 1k;
gzip_buffers 4 16k;
# Only compress replies to HTTP/1.1 (or newer) requests.
gzip_http_version 1.1;
# NOTE(review): level 9 costs several times the CPU of level 4-6 for a few
# percent smaller output; consider lowering it.
gzip_comp_level 9;
# MIME types to compress (text/html is always compressed). Security note:
# compressing a response that contains both a secret (CSRF token, session id)
# and attacker-reflected input over TLS enables the BREACH attack; keep gzip
# off for such dynamic responses or mask the tokens per response.
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
# Old IE versions mishandle gzip-encoded responses.
gzip_disable "MSIE [1-6]\.";
# Emit Vary: Accept-Encoding so caches keep compressed and plain copies apart.
gzip_vary on;