2020年05月06日阅读 22

Nginx入门到实践

本文是对Nginx常用配置的整理及记录。

配置文件

目录 /etc/nginx/nginx.conf
默认配置语法

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
复制代码

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
复制代码

默认模块

http_stub_status_module:nginx客户端状态
- 配置语法：stub_status;需写在location或server下
```
location /status {
        stub_status;
    }
复制代码
```

http_sub_module:http内容替换

配置语法
sub_filter string replacement
sub_filter_last_modified on|off
sub_filter_once on|off：是否只替换第一个

location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    sub_filter '要替换的内容' '被替换后的内容';
    sub_filter_once off;
}
复制代码

请求限制

连接频率限制：limit_conn_module
语法
- limit_conn_zone key zone=name:size;
- limit_conn zone number;
请求频率限制：limit_reg_module
语法
- limit_req_zone key zone=name:size rate=rate;
- limit_req zone=name [burst=numer][nodelay];
  - burst保留遗留number数的请求到下一秒执行

limit_conn_zone $binanry_remote_addr zone=conn_zone:1m;
# 同个ip过来请求，每秒只允许一个请求
limit_req_zone $binanry_remote_addr zone=req_zone:1m rate=1r/s;
http {
    server {
   
    location / {
        root   /usr/share/nginx/html;
        limit_conn conn_zone 1;
        limit_conn req_zone;
        limit_conn req_zone burst=3 nodealy;
        index  index.html index.htm;
        }
    }
}
复制代码

压测工具：ab（apache bench）
- ab -n 100 -c 10 test.com/ :－n表示请求数，－c表示并发数

访问限制

基于IP的的访问控制：http_access_module
语法
- allow address|CIDR|UNIX:|all;
- deny address|CIDR|UNIX:|all;

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    allow all;
    deny  222.122.191.3;
    # deny  222.122.191.0/24;
    index  index.html index.htm;
    }
}
复制代码

基于用户的信任登录：http_auth_basic_module
语法
- auth_basic string |off;
- auth_basic_user_file file;
工具htpasswd

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    auth_basic "Auth access error！input your password！";
    auth_basic_user_file /etc/nginx/auth_conf;
    index  index.html index.htm;
    }
}
复制代码

静态资源web服务

静态资源服务场景-CDN
- sendfile on|off：文件读取
- tcp_nopush on|off：sendfile开启下才能使用。提高网络包的传输效率
- tcp_nodelay on|off:keeplive连接下有效，提高网络包的传输实时性
- gzip on|off:压缩传输
- gzip_comp_level level;
- gzip_http_version 1.0|1.1;
- 压缩模块拓展，预读gzip功能：http_gzip_static_modules，语法gzip_status on|off
浏览器缓存
- expires [modified] time;
- expires epoch|max|off;

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    expires 24h;
    index  index.html index.htm;
    }
}
复制代码

跨域访问-Access-Control-Allow-Origin
- add_header name value [always];

location ~ ^/admin.html {
    root   /usr/share/nginx/html;
    add_header Access-Control-Allow-Origin http://www.baidu.com;
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
    }
}
复制代码

防盗链http_refer
valid_referers none|blocked|server_names|string;

location ~ .*\.(jpg|png) {
    valid_referers blocked 116.66.111.222 ~/google\./;
    if($invalid_referer) {
        return 403;
    }
    root   /usr/share/nginx/html;
    }
}
复制代码

代理服务

proxy_pass URL;

# 反向代理
location ~ /test_proxy.html$ {
    proxy_pass http://127.0.0.1:8080;
}

复制代码

location / {
    if($http_x_forwarded_for !~* "^116\.62\.103\.228") {
        return 403;
    }
    root   /usr/share/nginx/html;
    index index.html;
}

# 正向代理
location / {
    proxy_pass http://$http_host$request_uri;
}
复制代码

缓冲区：proxy_buffering on|off;
跳转重定向：proxy_redirect default;
头信息：proxy_set_header field value;
超时：proxy_connect_timeout time;

location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect default;
    
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    
    proxy_connect_timeout 30;
    proxy_send_timeout 60;
    proxy_read_timeout 60;
    
    proxy_buffering on;
    proxy_buffer_size 32k;
    proxy_buffers 4 128k;
    proxy_busy_buffers_size 256k;
    proxy_max_temp_file_size 256k;
}

# 可以把上面的配置参数写到proxy_params文件中再引用
location / {
    proxy_pass http://127.0.0.1:8080;
    include proxy_params;
}
复制代码

负载均衡

upstream name {...}; 结合proxy_pass;

http {
upstream oden {
    server 116.62.103.222:8001 down; 
    server 116.62.103.222:8002 backup;
    server 116.62.103.222:8003 max_fail=1 fail_timeout=10s;
    server 116.62.103.222:8004 weight = 5;
}
    server {
        listen 80;
        server_name localhost;
        location / {
        proxy_pass http://oden;
        include proxy_params;
        }
    }
}
复制代码

调度算法
轮询
加权轮询，weight越大分配到的几率更高
ip_hash:每个请求按访问IP的hash结果分配，这样来自同一个IP固定访问一个后端服务器
least_conn:最少链接数，哪个机器连接数少就分发
url_hash：按照访问的URL的hash结果分配请求，是每个URL定向到同一个后端服务器
hash关键数值：hash自定义的key
- hash key[consistent]

upstream oden {
    ip_hash;
    server 116.62.103.222:8001; 
}

upstream oden {
    hash $request_uri;
    server 116.62.103.222:8001; 
}
复制代码

缓存服务

proxy_cache
proxy_cache_path path
proxy_cache zone | off
proxy_cache_valid[code...] time
缓存维度：proxy_cache_key string
- $scheme$ proxy_host $request_uri

http {
proxy_cache_path /opt/app/cache levels=1:2 keys_zone=oden_cache:10m max_size=10g inactive=60m use_tep_path=off;

upstream oden {
    server 116.62.103.222:8001; 
    server 116.62.103.222:8002;
}
    server {
        listen 80;
        server_name localhost;
    location / {
        proxy_cache oden_cache;
        proxy_pass http://oden;
        # 在这些情况下缓存的时间
        proxy_cache_valid 200 304 12h;
        proxy_cache_valid any 10m;
        proxy_cache_key $host$uri$is_args$args;
        add_header Nginx-Cache "$upstrem_cache_status";
        
        # 发生错误时跳到下一台服务器
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        
        include proxy_params;
        }
    }
}
复制代码

清理指定缓存
- rm -rf缓存目录内容
- 第三方拓展模块ngx_cache_purge
让部分页面不缓存
- proxy_no_cache string;
- proxy_no_cache
分片请求
- slice size;

命令

重启：systemctl restart nginx.service
配置文件语法正确性检查：nginx -t -c /etc/nginx/nginx.conf