Nginx入门到实践

本文是对Nginx常用配置的整理及记录。

配置文件

• 目录 /etc/nginx/nginx.conf
• 默认配置语法

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

默认模块

• http_stub_status_module:nginx客户端状态

  • 配置语法：stub_status;需写在location或server下

  location /status {
          stub_status;
      }
  

• http_sub_module:http内容替换

  • 配置语法
  • sub_filter string replacement
  • sub_filter_last_modified on|off
  • sub_filter_once on|off：是否只替换第一个

  location / {
      root   /usr/share/nginx/html;
      index  index.html index.htm;
      sub_filter '要替换的内容' '被替换后的内容';
      sub_filter_once off;
  }
  

请求限制

• 连接频率限制：limit_conn_module

• 语法

  • limit_conn_zone key zone=name:size;
  • limit_conn zone number;

• 请求频率限制：limit_reg_module

• 语法

  • limit_req_zone key zone=name:size rate=rate;
  • limit_req zone=name [burst=numer][nodelay];
    • burst保留遗留number数的请求到下一秒执行

limit_conn_zone $binanry_remote_addr zone=conn_zone:1m;
# 同个ip过来请求，每秒只允许一个请求
limit_req_zone $binanry_remote_addr zone=req_zone:1m rate=1r/s;
http {
    server {
   
    location / {
        root   /usr/share/nginx/html;
        limit_conn conn_zone 1;
        limit_conn req_zone;
        limit_conn req_zone burst=3 nodealy;
        index  index.html index.htm;
        }
    }
}

• 压测工具：ab（apache bench）
  • ab -n 100 -c 10 http://test.com/ :－n表示请求数，－c表示并发数

访问限制

• 基于IP的的访问控制：http_access_module
• 语法
  • allow address|CIDR|UNIX:|all;
  • deny address|CIDR|UNIX:|all;

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    allow all;
    deny  222.122.191.3;
    # deny  222.122.191.0/24;
    index  index.html index.htm;
    }
}

• 基于用户的信任登录：http_auth_basic_module
• 语法
  • auth_basic string |off;
  • auth_basic_user_file file;
• 工具htpasswd

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    auth_basic "Auth access error！input your password！";
    auth_basic_user_file /etc/nginx/auth_conf;
    index  index.html index.htm;
    }
}

静态资源web服务

• 静态资源服务场景-CDN
  • sendfile on|off：文件读取
  • tcp_nopush on|off：sendfile开启下才能使用。提高网络包的传输效率
  • tcp_nodelay on|off:keeplive连接下有效，提高网络包的传输实时性
  • gzip on|off:压缩传输
  • gzip_comp_level level;
  • gzip_http_version 1.0|1.1;
  • 压缩模块拓展，预读gzip功能：http_gzip_static_modules，语法gzip_status on|off
• 浏览器缓存
  • expires [modified] time;
  • expires epoch|max|off;

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    expires 24h;
    index  index.html index.htm;
    }
}

• 跨域访问-Access-Control-Allow-Origin
  • add_header name value [always];

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    add_header Access-Control-Allow-Origin http://www.baidu.com;
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
    }
}

• 防盗链http_refer
• valid_referers none|blocked|server_names|string;

location ~ .*\.(jpg|png) {
    valid_referers blocked 116.66.111.222 ~/google\./;
    if($invalid_referer) {
        return 403;
    }
    root   /usr/share/nginx/html;
    }
}

代理服务

• proxy_pass URL;

# 反向代理
location ~ /test_proxy.html$ {
    proxy_pass http://127.0.0.1:8080;
}

location / {
    if($http_x_forwarded_for !~* "^116\.62\.103\.228") {
        return 403;
    }
    root   /usr/share/nginx/html;
    index index.html;
}

# 正向代理
location / {
    proxy_pass http://$http_host$request_uri;
}

• 缓冲区：proxy_buffering on|off;
• 跳转重定向：proxy_redirect default;
• 头信息：proxy_set_header field value;
• 超时：proxy_connect_timeout time;

location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect default;
    
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    
    proxy_connect_timeout 30;
    proxy_send_timeout 60;
    proxy_read_timeout 60;
    
    proxy_buffering on;
    proxy_buffer_size 32k;
    proxy_buffers 4 128k;
    proxy_busy_buffers_size 256k;
    proxy_max_temp_file_size 256k;
}

# 可以把上面的配置参数写到proxy_params文件中再引用
location / {
    proxy_pass http://127.0.0.1:8080;
    include proxy_params;
}

负载均衡

• upstream name {…}; 结合proxy_pass;

http {
upstream oden {
    server 116.62.103.222:8001 down; 
    server 116.62.103.222:8002 backup;
    server 116.62.103.222:8003 max_fail=1 fail_timeout=10s;
    server 116.62.103.222:8004 weight = 5;
}
    server {
        listen 80;
        server_name localhost;
        location / {
        proxy_pass http://oden;
        include proxy_params;
        }
    }
}

• 调度算法
• 轮询
• 加权轮询，weight越大分配到的几率更高
• ip_hash:每个请求按访问IP的hash结果分配，这样来自同一个IP固定访问一个后端服务器
• least_conn:最少链接数，哪个机器连接数少就分发
• url_hash：按照访问的URL的hash结果分配请求，是每个URL定向到同一个后端服务器
• hash关键数值：hash自定义的key
  • hash key[consistent]

upstream oden {
    ip_hash;
    server 116.62.103.222:8001; 
}

upstream oden {
    hash $request_uri;
    server 116.62.103.222:8001; 
}

缓存服务

• proxy_cache
• proxy_cache_path path
• proxy_cache zone | off
• proxy_cache_valid[code…] time
• 缓存维度：proxy_cache_key string
  • $scheme $proxy_host $request_uri

http {
proxy_cache_path /opt/app/cache levels=1:2 keys_zone=oden_cache:10m max_size=10g inactive=60m use_tep_path=off;

upstream oden {
    server 116.62.103.222:8001; 
    server 116.62.103.222:8002;
}
    server {
        listen 80;
        server_name localhost;
    location / {
        proxy_cache oden_cache;
        proxy_pass http://oden;
        # 在这些情况下缓存的时间
        proxy_cache_valid 200 304 12h;
        proxy_cache_valid any 10m;
        proxy_cache_key $host$uri$is_args$args;
        add_header Nginx-Cache "$upstrem_cache_status";
        
        # 发生错误时跳到下一台服务器
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        
        include proxy_params;
        }
    }
}

• 清理指定缓存
  • rm -rf缓存目录内容
  • 第三方拓展模块ngx_cache_purge
• 让部分页面不缓存
  • proxy_no_cache string;
  • proxy_no_cache
• 分片请求
  • slice size;

命令

• 重启：systemctl restart nginx.service
• 配置文件语法正确性检查：nginx -t -c /etc/nginx/nginx.conf