Environment preparation: use Vagrant to start a server running CentOS 7
References:
Installing VirtualBox and Vagrant on Windows 10
Server network configuration overview
View the network interface configuration file
vi /etc/sysconfig/network-scripts/ifcfg-ens33
# the file name may differ, e.g. vi /etc/sysconfig/network-scripts/ifcfg-eth0 or ifcfg-eth01
# dhcp assigns the address automatically, so the IP may change on every boot; change it to static
BOOTPROTO=dhcp
ONBOOT=yes
# change to a static IP
BOOTPROTO=static
IPADDR=192.168.56.101
NETMASK=255.255.255.0
GATEWAY=192.168.56.2
DNS1=8.8.8.8
DNS2=8.8.4.4
DNS3=223.5.5.5
DNS4=119.29.29.29
# restart the network service
systemctl restart network
Troubleshooting when there is no internet access
# check whether the external network is reachable (8.8.8.8 is a public DNS server)
ping 8.8.8.8
# check the GATEWAY value
vi /etc/sysconfig/network-scripts/ifcfg-ens33
Compiling and installing nginx
sudo yum install -y gcc
sudo yum install -y pcre pcre-devel
sudo yum install -y zlib zlib-devel
# download nginx-1.21.6.tar.gz from the official site
tar -zxvf nginx-1.21.6.tar.gz
cd nginx-1.21.6
./configure --prefix=/usr/local/nginx
make
sudo make install
Starting Nginx
cd /usr/local/nginx/sbin
sudo ./nginx # start
sudo ./nginx -s stop # fast shutdown
sudo ./nginx -s quit # graceful shutdown: already accepted connections are finished before exiting
sudo ./nginx -s reload # reload the configuration
Handling errors when stopping nginx
sudo ./nginx -s quit # if this command reports the error below
nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
# kill the running nginx process, then start it again with the configuration file path given explicitly
sudo ./nginx -c /usr/local/nginx/conf/nginx.conf
sudo ./nginx -s quit
Disabling the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
Opening a port
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
Installing nginx as a system service
sudo vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - web server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
# "ExecQuit" is not a systemd directive and is ignored with a warning; run "nginx -s quit" by hand for a graceful shutdown
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Starting and stopping nginx by service name
sudo systemctl daemon-reload
sudo systemctl start nginx.service
sudo systemctl status nginx.service
sudo systemctl enable nginx.service
The nginx process model
The master process reads and validates the configuration file, then spawns several child processes (workers) that accept and respond to requests
The master process does not handle requests itself; it coordinates the worker child processes
On reload, the old workers stop accepting new requests and are killed once their in-flight requests are finished; the new workers read the new configuration file and handle requests from then on
Nginx configuration
# include other configuration files
include vhost/*.conf;
include mime.types; # load the http mime types; the content type returned is chosen by file extension
default_type application/octet-stream; # if no mime type matches, fall back to sending the file as a binary stream
sendfile on; # zero-copy data transfer
Virtual host configuration
server {
    listen 80; # listening port
    server_name localhost; # host name
    location / { # path to match
        root html; # document root
        index index.html index.htm; # default page names
    }
    error_page 500 502 503 504 /50x.html; # page served for these error codes
    location = /50x.html {
        root html;
    }
}
Note: the combination of server_name and listen port must be unique
# wildcard matching
server_name _; # catch-all name that matches any server domain
server_name *.intmall.com;
server_name vod.*;
server_name ~^[0-9]+\.intmall\.com$;
A cluster of 3 Tomcat nodes can normally provide QPS >= 300
Reverse proxy
proxy_pass http://baidu.com;
# within a location block, only one of proxy_pass and root should be configured
location / {
    proxy_pass http://www.intmall.com/;
    #root html; # document root
}
proxy_pass http://baidu.com; # when reverse-proxying a sub-domain the address shown in the browser does not change; when reverse-proxying a top-level domain the upstream answers with a 302 redirect to another domain
Reverse proxying does not support https (certificate restriction)
Intranet reverse proxy
location / {
    proxy_pass http://192.168.56.101;
}
Load balancing based on reverse proxy
upstream backend {
    server 192.168.56.102:8080;
    server 192.168.56.103:8080;
}
location / {
    proxy_pass http://backend;
}
Weighted load balancing: the larger the weight, the larger the share of requests the server receives
upstream backend {
    server 192.168.56.102:8080 weight=8;
    server 192.168.56.103:8080 weight=2;
}
down marks the server as temporarily not participating in load balancing
upstream backend {
    server 192.168.56.102:8080 weight=8;
    server 192.168.56.103:8080 weight=2 down;
}
backup marks a standby server: requests go to it only when all non-backup servers are down or busy
upstream backend {
    server 192.168.56.102:8080 weight=8;
    server 192.168.56.103:8080 weight=2;
    server 192.168.56.104:8080 weight=1 backup;
}
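As an added example (not code from the original notes), the Python below emulates the smooth weighted round-robin that nginx's default upstream uses, together with the down and backup parameters shown above, so the 8:2 split and the failover to the backup server can be checked offline. Class and function names are my own, "busy" (max_fails) is not modelled, only down.

```python
# Added example: emulates nginx's default upstream selection (smooth weighted round-robin)
# for the weight / down / backup server parameters used above. Names are assumed, not nginx API.
class UpstreamServer:
    def __init__(self, addr, weight=1, down=False, backup=False):
        self.addr, self.weight = addr, weight
        self.down, self.backup = down, backup
        self.current = 0          # running score used by the smooth round-robin

class Upstream:
    def __init__(self, servers):
        self.servers = servers

    def pick(self):
        """Return the address nginx would route the next request to, or None if nothing is usable."""
        # backup servers are considered only when every non-backup server is unusable
        candidates = [s for s in self.servers if not s.backup and not s.down]
        if not candidates:
            candidates = [s for s in self.servers if s.backup and not s.down]
        if not candidates:
            return None
        total, best = 0, None
        for s in candidates:
            s.current += s.weight             # every candidate gains its weight ...
            total += s.weight
            if best is None or s.current > best.current:
                best = s
        best.current -= total                 # ... and the chosen one pays back the total
        return best.addr

def route(upstream, n):
    """Simulate n requests and return the list of chosen backend addresses."""
    return [upstream.pick() for _ in range(n)]

def weighted_backend(down_103=False):
    """The weight=8 / weight=2 upstream from the notes; down_103 reproduces the 'down' variant."""
    return Upstream([UpstreamServer("192.168.56.102:8080", weight=8),
                     UpstreamServer("192.168.56.103:8080", weight=2, down=down_103)])

def backend_with_backup(primaries_down=False):
    """The backup variant; primaries_down takes both non-backup servers out of rotation."""
    return Upstream([UpstreamServer("192.168.56.102:8080", weight=8, down=primaries_down),
                     UpstreamServer("192.168.56.103:8080", weight=2, down=primaries_down),
                     UpstreamServer("192.168.56.104:8080", weight=1, backup=True)])

if __name__ == "__main__":
    print(route(weighted_backend(), 10))   # 8 hits on .102 and 2 on .103, interleaved
```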
Separating static and dynamic content
# the root / prefix match is the generic fallback and has low priority
location / {
    proxy_pass http://127.0.0.1:8080;
}
# ~ enables regular expression matching, * makes it case-insensitive
location ~* /(css|img|js) {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
Using rewrite to hide the real backend request address
# http://127.0.0.1/2.html is forwarded to http://127.0.0.1:8080/index.jsp?pageNum=2
location / {
    # the regular expression captures the digits; $1 is the first captured group
    rewrite ^/([0-9]+)\.html$ /index.jsp?pageNum=$1 break;
    #rewrite ^/2\.html$ /index.jsp?pageNum=2 break;
    proxy_pass http://127.0.0.1:8080;
}
Redirecting http requests to https
server {
    listen 80;
    server_name m.intmall.com;
    rewrite ^/(.*) https://m.intmall.com/$1 permanent;
}
Enabling the firewall
systemctl start firewalld
systemctl restart firewalld
# reload the rules
firewall-cmd --reload
# list the configured rules
firewall-cmd --list-all
# allow a specific source IP to reach a specific port
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.56.101" port port="8080" protocol="tcp" accept'
# remove the rule (the rule text must be identical to the one that was added)
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.56.101" port port="8080" protocol="tcp" accept'
Anti-hotlinking configuration
valid_referers none | blocked | server_names | strings ...;
none: matches requests in which the Referer header is absent
blocked: allows Referer values that do not start with http:// (no scheme, e.g. stripped by a proxy or firewall) to access the resource
Require the Referer request header to contain the given value; the original file can no longer be fetched directly
location ~* /(css|img|js) {
    #valid_referers www.baidu.com;
    valid_referers 192.168.56.101;
    if ($invalid_referer) {
        return 403;
    }
    root /usr/local/nginx/static;
    index index.html index.htm;
}
Configure anti-hotlinking to return a special image instead (http://192.168.56.101/img/x.png)
location ~* /(css|img|js) {
    #valid_referers www.baidu.com;
    valid_referers 192.168.56.101;
    if ($invalid_referer) {
        rewrite ^/ /img/x.png break;
    }
    root /usr/local/nginx/static;
    index index.html index.htm;
}
If the request carries a Referer it is checked; if it carries none, the original file is served directly
location ~* /(css|img|js) {
    valid_referers none 192.168.56.101;
    if ($invalid_referer) {
        return 403;
    }
    root /usr/local/nginx/static;
    index index.html index.htm;
}
Test:
# without a Referer header
curl -I http://119.28.190.215/1.jpg
# with an illegal Referer
curl -e "http://www.baidu.com" -I http://119.28.190.215/1.jpg
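As an added example (not from the original notes), this Python function emulates how nginx evaluates a valid_referers list to set $invalid_referer. It goes beyond the three configurations above by also handling server_names, host strings with a leading or trailing * and an optional URI prefix, and ~regex entries; the function names are my own, and regex server_name entries are not emulated.

```python
import re

# Added example: emulates nginx's valid_referers evaluation (ngx_http_referer_module).
# referer_allowed(...) returns True where nginx would leave $invalid_referer empty.
def _split_referer(referer):
    """Split 'scheme://host[:port]/uri' into (host, uri, text_after_scheme)."""
    rest = re.sub(r"^https?://", "", referer, count=1, flags=re.I)
    host_port, _, path = rest.partition("/")
    return host_port.split(":")[0].lower(), "/" + path, rest

def _host_matches(rule_host, host):
    """Plain host entry; a single '*' is allowed at the start or at the end."""
    if rule_host.startswith("*"):
        return host.endswith(rule_host[1:])
    if rule_host.endswith("*"):
        return host.startswith(rule_host[:-1])
    return host == rule_host

def referer_allowed(referer, rules, server_names=()):
    """referer: Referer header value or None; rules: the valid_referers arguments in order."""
    if referer is None:                          # header absent: only 'none' accepts it
        return "none" in rules
    if not re.match(r"^https?://", referer, re.I):
        return "blocked" in rules                # header present but without a scheme
    host, uri, rest = _split_referer(referer)    # the port is ignored, as nginx does
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if any(_host_matches(n.lower(), host) for n in server_names):
                return True
        elif rule.startswith("~"):               # regex is applied to the text after the scheme
            if re.search(rule[1:], rest):
                return True
        else:
            rule_host, _, rule_uri = rule.lower().partition("/")
            if _host_matches(rule_host, host) and uri.startswith("/" + rule_uri):
                return True
    return False

def decide(referer, rules, server_names=()):
    """Outcome of 'if ($invalid_referer) { return 403; }' as a status code."""
    return 200 if referer_allowed(referer, rules, server_names) else 403
```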
Custom error page
error_page 403 /403.html;
location = /403.html {
    root html;
}
Nginx high-availability configuration
Prepare two machines, one as the master and one as the backup
Keepalived creates a virtual IP that floats dynamically between the two machines
# install Keepalived on both machines
sudo yum install -y keepalived
Master configuration. Note: interface is the name of the real physical network interface, virtual_ipaddress is the virtual IP
vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id lb_intmall_1
}
vrrp_instance intmall {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        # shared secret between the two nodes; replace the sample value with your own
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.56.200
    }
}
systemctl start keepalived
systemctl status keepalived
# check that the master now holds the virtual IP 192.168.56.200
ip addr
Backup configuration
vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id lb_intmall_2
}
vrrp_instance intmall {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.56.200
    }
}
systemctl start keepalived
systemctl status keepalived
# while the master is healthy, the backup does not hold the virtual IP 192.168.56.200
ip addr
Test:
ping 192.168.56.200 -t
# shut down the master server and check whether the ping still succeeds (a short timeout, then it recovers automatically)
# with the master shut down, the virtual IP 192.168.56.200 appears on the backup
ip addr
Map the external domain name to the virtual IP
Keepalived elects the master by priority: the node with the higher priority becomes master
How https works
Asymmetric encryption: when the client connects to the server for the first time, it downloads the public key
Client sends: encrypted with the public key, decrypted with the private key
Server responds: encrypted (signed) with the private key, decrypted with the public key
Data encrypted with the public key cannot be decrypted with the public key
CA (certificate authority): certifies the public key
The HTTPS flow consists mainly of the following steps:
- First the client sends a connection request to port 443 of the server; once the TCP connection is established, the server returns its certificate (that is, its public key) to the client. The TLS version, the candidate cipher-suite list and the candidate compression-algorithm list are transmitted in plaintext.
- The server returns the matching plaintext certificate based on what the client sent; the client uses the CA public key from its own CA store to decrypt (verify) the certificate, and if that succeeds the certificate is trusted.
- The client generates a random number, encrypts it with the public key from the certificate and sends it to the server.
- The server decrypts the client's random number with its private key and so obtains the symmetric key.
From then on, server and client communicate using the shared symmetric key and the agreed encryption algorithm.
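As an added example (not from the original notes), the Python below walks through the steps just described with textbook RSA over tiny constructed primes: the CA signs the server's public key, the client verifies it with the CA public key from its local store, then encrypts a random number that the server decrypts, and both sides derive the same symmetric key. Function names and key sizes are my own choices for illustration; real TLS uses 2048-bit keys with padding, and TLS 1.3 no longer uses RSA key exchange.

```python
import hashlib
import secrets

# Added example: RSA key exchange as in the steps above, with textbook RSA over toy primes.
def rsa_keypair(p, q, e=65537):
    """Textbook RSA: returns public (e, n) and private (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_apply(key, m):
    """Public key: encrypt / verify.  Private key: decrypt / sign.  Same modular power."""
    exp, n = key
    return pow(m, exp, n)

def digest_mod_n(data, n):
    """SHA-256 of the data reduced into the modulus (toy stand-in for real signature padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_issue_cert(ca_priv, server_pub):
    """The CA certifies the server public key by signing its digest with the CA private key."""
    h = digest_mod_n(repr(server_pub).encode(), ca_priv[1])
    return {"pub": server_pub, "sig": rsa_apply(ca_priv, h)}

def client_verify_cert(cert, ca_pub):
    """Step 2: the client checks the signature with the CA public key from its local CA store."""
    return rsa_apply(ca_pub, cert["sig"]) == digest_mod_n(repr(cert["pub"]).encode(), ca_pub[1])

def session_key(premaster):
    """Both sides turn the shared random number into a symmetric key the same way."""
    return hashlib.sha256(premaster.to_bytes(4, "big")).digest()

def key_exchange(cert, server_priv, ca_pub):
    """Steps 3-4: client encrypts a random number with the certified public key, the server
    decrypts it with its private key; returns (client_key, server_key), which must be equal."""
    if not client_verify_cert(cert, ca_pub):
        raise ValueError("certificate was not issued by a trusted CA")
    n = cert["pub"][1]
    premaster = secrets.randbelow(n - 2) + 2           # client's random number, 2 <= m < n
    ciphertext = rsa_apply(cert["pub"], premaster)     # only the private key can undo this
    recovered = rsa_apply(server_priv, ciphertext)     # server side
    return session_key(premaster), session_key(recovered)

# Constructed toy keys: CA primes 61/53, server primes 101/113 (never use such sizes for real).
CA_PUB, CA_PRIV = rsa_keypair(61, 53)
SERVER_PUB, SERVER_PRIV = rsa_keypair(101, 113)
SERVER_CERT = ca_issue_cert(CA_PRIV, SERVER_PUB)
```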
https://oneinstack.com/
nginx integrated environment (mysql+apache+php)
Select nginx, php7.4 (no php extensions needed) and mysql5.7, and nothing else; the --dbrootpwd root value in the command below is the tutorial's placeholder, so set a strong MySQL root password of your own
wget -c http://mirrors.linuxeye.com/oneinstack-full.tar.gz && tar xzf oneinstack-full.tar.gz && ./oneinstack/install.sh --nginx_option 1 --php_option 9 --phpcache_option 1 --db_option 2 --dbinstallmethod 1 --dbrootpwd root --reboot
Configuring the certificate
upstream intmall-2 {
    server 10.168.0.101:9099 weight=1 max_fails=3 fail_timeout=100;
    server 10.168.0.102:9099 weight=1 max_fails=3 fail_timeout=100;
}
server {
    listen 443 ssl;
    server_name intmall.com;
    index index.html;
    ssl_certificate "/etc/nginx/vhost/ssl/1_intmall.com_bundle.crt";
    ssl_certificate_key "/etc/nginx/vhost/ssl/2_intmall.com.key";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on current builds prefer "TLSv1.2 TLSv1.3"
    location / {
        root /data/wwwroot/intmall.com/;
        try_files $uri $uri/ /index.html;
        add_header Last-Modified $date_gmt;
    }
    location /intmall-backend {
        proxy_pass http://intmall-2/intmall-backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Redirect http requests straight to https
server {
    listen 80;
    server_name intmall.com;
    return 301 https://$server_name$request_uri;
}