我就是认真:nginx作为web服务器
nginx官网,是一个俄罗斯人在2002年开始开发的,第一版在2004年问世。
nginx不像传统的web服务器,一个线程响应一个请求,使用事件驱动(异步IO)架构,所以接受的连接数特别大。从而解决了c10k问题(支持三五万并发)。
nginx定义:
开源的,高性能、轻量级的web服务器
反向代理服务器:http协议、mail协议
作为web服务器,nginx的特点:
高性能
稳定性
丰富特性
简单的配置
低资源消耗
nginx是一个基于事件驱动(event driven),支持边缘触发,mmap,AIO的一种轻量级web服务器。同时nginx还支持Web反向代理,mail(smtp,pop3,imap)反向代理
web服务器
Nginx会按需同时运行多个进程:一个主进程(master)和几个工作进程(worker),配置了缓存时还会有缓存加载器进程(cache loader)和缓存管理器进程(cache manager)等。所有进程均是仅含有一个线程,并主要通过“共享内存”的机制实现进程间通信。主进程以root用户身份运行,而worker、cache loader和cache manager均应以非特权用户身份运行。
主进程主要完成如下工作:
读取并验正配置信息;
创建、绑定及关闭套接字;
启动、终止及维护worker进程的个数;
无须中止服务而重新配置工作特性;
控制非中断式程序升级,启用新的二进制程序并在需要时回滚至老版本;
重新打开日志文件,实现日志滚动;
编译嵌入式perl脚本;
worker进程主要完成的任务包括:
接收、传入并处理来自客户端的连接;
提供反向代理及过滤功能;
nginx任何能完成的其它任务;
cache loader进程主要完成的任务包括:
检查缓存存储中的缓存对象;
使用缓存元数据建立内存数据库;
cache manager进程的主要任务:
缓存的失效及过期检验;
nginx配置
Nginx的配置有着几个不同的上下文:main、http、server、upstream和location(还有实现邮件服务反向代理的mail)。配置语法的格式和定义方式遵循所谓的C风格,因此支持嵌套,还有着逻辑清晰并易于创建、阅读和维护等优势。
Nginx的代码是由一个核心和一系列的模块组成, 核心主要用于提供Web Server的基本功能,以及Web和Mail反向代理的功能;还用于启用网络协议,创建必要的运行时环境以及确保不同的模块之间平滑地进行交互。不过,大多跟协议相关的功能和某应用特有的功能都是由nginx的模块实现的。这些功能模块大致可以分为事件模块、阶段性处理器、输出过滤器、变量处理器、协议、upstream和负载均衡几个类别,这些共同组成了nginx的http功能。事件模块主要用于提供OS独立的(不同操作系统的事件机制有所不同)事件通知机制如kqueue或epoll等。协议模块则负责实现nginx通过http、tls/ssl、smtp、pop3以及imap与对应的客户端建立会话。
在nginx内部,进程间的通信是通过模块的pipeline或chain实现的;换句话说,每一个功能或操作都由一个模块来实现。例如,压缩、通过FastCGI或uwsgi协议与upstream服务器通信,以及与memcached建立会话等。
配置文件
配置文件路径:
[root@nginx_rs nginx]# pwd /etc/nginx [root@nginx_rs nginx]# ls fastcgi.conf fastcgi_params.default mime.types nginx.conf.default uwsgi_params fastcgi.conf.default koi-utf mime.types.default scgi_params uwsgi_params.default fastcgi_params koi-win nginx.conf scgi_params.default win-utf
以default后缀结束的是nginx默认提供的配置文件
其他的是根据编译选项生成的不同的配置文件:
nginx.conf:nginx的主配置文件
mime.types:提供各种非文本文件格式
fastcgi.conf、fastcgi_params:实现fastcgi功能
nginx.conf
nginx.conf是nginx服务的主配置文件
user nginx; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #} }
Nginx的配置文件有着几个不同的上下文:main、http、server、upstream和location(还有实现邮件服务反向代理的mail)。
main段:
user nginx; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid;
user:运行nginx服务的用户
worker_processes:如果负载以CPU密集型应用为主(计算多),如SSL或压缩应用,则worker数应与CPU数相同;如果负载以IO密集型为主(读取数据多),如响应大量内容给客户端,则worker数应该为CPU个数的1.5或2倍。
events:
events { worker_connections 1024; }
worker_connections:每个cpu的连接数,具体最优的取值应该在测试后得到。
修改worker_connections值的方法
http段:
http { include mime.types; //包含的文件 default_type application/octet-stream; //默认支持的类型 #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; //日志格式 #access_log logs/access.log main; //访问日志 sendfile on; //sendfile功能 #tcp_nopush on; //不做推送 #keepalive_timeout 0; //使用长连接,并指定超时时长 keepalive_timeout 65; #gzip on; //对于给用户响应的内容,是否先压缩再发送 //server段,每一个server段定义一个虚拟主机 server { listen 80; //监听的端口 server_name localhost; //基于名称的虚拟主机,主机名 #charset koi8-r; #access_log logs/host.access.log main; location / { //定义本地资源位置、格式。基于uri路径,根目录为nginx安装根目录 root html; //相对uri,网页位置路径 index index.html index.htm; //主页面 } #error_page 404 /404.html; //错误代码 # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #} }
http段里面也是模块化的形式。
location
location在实现URI匹配时支持五种方式:
location URI {} :表示大括号中所定义的属性的对URI所有文件都生效(包括子路径资源)
location = URI {} :只对当前文件生效,精确匹配路径,不包括子路径
location ~ URI {} :实现模式匹配,可使用正则表达式,但区分大小写
location ~* URI {} :实现模式匹配,不区分大小写
location ^~ URI {} :实现禁用正则表达式匹配,做逐字符匹配
这五种方式有优先级:由高到底:2、5、3、4、1
location / { //相对root定义的路径,类似于URI root /web;//相对文件系统的路径,类似于URL index index.html index.htm; //当访问主页时,如IP:index.html,会找到服务器的/web/index.html } location /bbs/ { root /web/; index index.html index.htm; //访问ip:/bbs/时,会找到服务器的/web/bbs/index.html } error_page 404 /404.html; //设置404错误页面 location = /404.html { root /web/error/; //当访问到一个不存在的页面时,会被定义到/web/error/404.html } error_page 500 502 503 504 /error.html; location = /error.html { root /web/error/; }
location下的一些定义法则:
ip禁止和允许
deny IP 指定拒绝访问的IP地址,类似黑名单
allow IP 指定允许访问的IP地址,类似白名单
如:
location /bbs/ { root /web/; allow 172.25.254.11; deny 172.25.254.18; index index.html index.htm; }
记得重启nginx服务器
IP为172.25.254.11的主机访问:
[root@bogon ~]# curl 172.25.254.18:/bbs/index.html nginx for BBS
IP为172.25.254.18的主机访问:
[root@nginx_rs error]# curl 172.25.254.18:/bbs/index.html
</span><span>403 Forbidden</span><span class="md-tag" style="font-family:Lato, Helvetica, sans-serif;"> 403 Forbidden nginx/fsx-1.0
auth_basic模块
auth_basic "restricted";
auth_basic_user_file htpasswd;
创建认证文件,存储用户和用户名
[root@nginx_rs error]# htpasswd -c -m /etc/nginx/.user fsx New password: Re-type new password: Adding password for user fsx //第一次添加使用-c,之后就不需要使用-c,-m使用md5加密 [root@nginx_rs nginx]# cat .user fsx:$apr1$of9jUy26$KvEEld92It/4rE2ULxYEu0
编译nginx.conf文件:
location /bbs/ { root /web/; #allow 172.25.254.11; #deny 172.25.254.18; auth_basic "Restricted Area"; auth_basic_user_file /etc/nginx/.user; index index.html index.htm; }
在浏览器上访问时,会让使用用户名和密码登陆。记得重启服务器。
autoindex自动索引模块
autoindex on|off
autoindex_exact_size :显示精确值
autoindex_localtime :当前操作系统得时间
如果没有index文件,将所有资源罗列出来。
stub_status显示状态信息模块
使用到得模块:--with-http_stub_status_module
定义一个location:
location /status { stub_status on; access_log off; allow 172.25.254.11; deny all; } //只允许172.25.254.11IP地址访问状态信息 //reload服务器
IP为172.25.254.11的主机可以访问状态信息
[root@bogon ~]# curl 172.25.254.18:/status Active connections: 1 //当前处于活动状态的连接个数 server accepts handled requests //服务器段已经处理的请求个数。 //accept接受的连接数、handled处理的连接数、requests处理的请求数 2 2 2 Reading: 0 Writing: 1 Waiting: 0 //reading:正在读请求首部的个数、writing:读的请求主体,进程请求,或正在响应客户端、waiting:处于长连接状态,处于活动状态
ssl模块
创建ssl证书:(实验环境服务器既是ca认证端,也是ca申请端)
服务端:
生成私钥
[root@nginx_rs CA]# (umask 077;openssl genrsa 2048 > private/cakey.pem) Generating RSA private key, 2048 bit long modulus ............+++ ............+++ e is 65537 (0x10001)
生成自签证书
[root@nginx_rs CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SX Locality Name (eg, city) [Default City]:XA Organization Name (eg, company) [Default Company Ltd]:westos Organizational Unit Name (eg, section) []:xupt Common Name (eg, your name or your server's hostname) []:ca.fsx.com Email Address []:[email protected]
创建几个文件
[root@nginx_rs CA]# touch serial [root@nginx_rs CA]# touch "01" > serial [root@nginx_rs CA]# touch index.txt
客户端:
创建目录存放证书
[root@nginx_rs nginx]# mkdir /etc/nginx/ssl [root@nginx_rs nginx]# cd /etc/nginx/ssl/
创建私钥
[root@nginx_rs ssl]# (umask 077;openssl genrsa 1024) > nginx.key Generating RSA private key, 1024 bit long modulus ....++++++ .................................................++++++ e is 65537 (0x10001)
创建自签证书
[root@nginx_rs ssl]# openssl req -new -key nginx.key -out nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SX Locality Name (eg, city) [Default City]:XA Organization Name (eg, company) [Default Company Ltd]:westos Organizational Unit Name (eg, section) []:xupt Common Name (eg, your name or your server's hostname) []:www.fsx.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
创建ca认证证书
[root@nginx_rs ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jun 15 07:19:18 2018 GMT Not After : Jun 12 07:19:18 2028 GMT Subject: countryName = CN stateOrProvinceName = SX organizationName = westos organizationalUnitName = xupt commonName = www.fsx.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 0C:A0:E2:41:95:2E:90:AE:EB:70:5E:F5:08:E2:BE:71:19:8E:AD:DE X509v3 Authority Key Identifier: keyid:E1:6A:FB:97:7C:7A:77:32:B8:B1:9C:EE:F6:A7:6A:5D:A2:A0:34:09 Certificate is to be certified until Jun 12 07:19:18 2028 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
修改nginx配置文件:
server { listen 443 ssl; server_name nginx_rs; ssl_certificate nginx.crt; ssl_certificate_key nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root /web/https/; index index.html index.htm; } }
reload服务
查看nginx启动443端口:
[root@nginx_rs nginx]# netstat -antple |grep 443 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 44385 4594/nginx: master
使用浏览器访问:https:172.25.254.18即可成功访问https
基于主机名的nginx虚拟主机
在server模块外,重新定义一个server模块,即可实现虚拟主机。
添加新的server模块:
server { listen 80; server_name fsx.a.com; location / { root /web/virtul2/; //改目录需要创建 index index.html; //改文件需要新建 }
reload服务
添加域名解析:(这里仅仅实验,在客户端/etc/hosts内添加域名解析)
访问:
[root@bogon ~]# curl fsx.a.comnginx for virtul service
[root@bogon ~]# curl 172.25.254.18welcome to nginx