[root@foundation13 Downloads]# cd /var/lib/libvirt/images
[root@foundation13 images]# ls
base.qcow2 vm1 vm1-1.qcow2 vm1.qcow2 vm2 vm3 vm3.qcow2 vm4
[root@foundation13 images]# rm -f vm1
[root@foundation13 images]# qemu-img create -f qcow2 -b base.qcow2 vm1
Formatting 'vm1', fmt=qcow2 size=21474836480 backing_file=base.qcow2 cluster_size=65536 lazy_refcounts=off refcount_bits=16
[root@foundation13 images]# qemu-img info vm1
image: vm1
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 196K
cluster_size: 65536
backing file: base.qcow2
Format specific information:
compat: 1.1
lazy refcounts: false
refcount bits: 16
corrupt: false
[root@foundation13 images]# virsh start vm1
Domain vm1 started
[root@server1 ~]# ls
nginx-1.18.0.tar.gz
[root@server1 ~]# tar zxf nginx-1.18.0.tar.gz
[root@server1 nginx-1.18.0]# yum install gcc pcre-devel openssl-devel
[root@server1 nginx-1.18.0]# ./configure --prefix=/usr/local/lnmp/nginx --with-http_ssl_module --with-http_stub_status_module --with-threads --with-file-aio
[root@server1 nginx-1.18.0]# make && make install
[root@server1 nginx-1.18.0]# ln -s /usr/local/lnmp/nginx/sbin/nginx /usr/local/bin
[root@server1 nginx-1.18.0]# which nginx
/usr/local/bin/nginx
[root@server1 nginx-1.18.0]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[root@server1 nginx-1.18.0]# vi auto/cc/gcc
[root@server1 nginx-1.18.0]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[root@server1 nginx-1.18.0]# useradd -M -d /usr/local/lnnmp/nginx/ -s /sbin/nologin nginx
[root@server1 nginx-1.18.0]# id nginx
uid=1000(nginx) gid=1000(nginx) groups=1000(nginx)
[root@server1 nginx-1.18.0]# nginx
/etc/security/limits.conf
给server1配置四个cpu,4096MB内存
访问server1000000次
只有一个cpu工作
worker_processes 2; //最多开启8个worker
worker_cpu_affinity 0001 0010; //每个掩码对应一个worker,位数等于CPU核数,1表示该worker绑定到对应核心,0表示不绑定
修改用户进程可打开文件数限制
/etc/security/limits.conf
nginx - nofile 65535
Linux系统级的最大打开文件数限制
fs.file-max = 188414 //和内存容量相关
修改网络内核对TCP连接的有关限制
net.ipv4.ip_local_port_range = 1024 65535
限制接收新 TCP 连接侦听队列的大小
net.core.somaxconn = 2048
启用tcp连接timewait快速回收和重用(注意:tcp_tw_recycle 会使 NAT 后的客户端连接异常,且已在 Linux 4.12 中移除;通常只启用 tcp_tw_reuse)
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
[root@server1 nginx-1.18.0]# vim /etc/sysctl.d/nginx.conf
[root@server1 nginx-1.18.0]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/nginx.conf ...
net.ipv4.ip_local_port_range = 1024 65535
net.core.somaxconn = 2048
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
* Applying /etc/sysctl.conf ...
worker_rlimit_nofile //worker进程的最大打开文件数限制。如果没设置的话,这个值为操作系统的限制。
nginxlog.sh
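#!/bin/bash
# nginxlog.sh - rotate nginx's access log once a day.
# Meant to run from cron just after midnight: access.log is renamed after the
# day that just ended (hence "-1day") and nginx is told to reopen its logs.
# Paths follow the --prefix nginx was built with (/usr/local/lnmp/nginx);
# set NGINX_HOME to override.
set -euo pipefail

nginx_home=${NGINX_HOME:-/usr/local/lnmp/nginx}
log_dir="$nginx_home/logs"
nginx_bin="$nginx_home/sbin/nginx"

# Stop here if there is nothing to rotate, instead of signalling nginx anyway.
cd -- "$log_dir" || exit 1
[ -f access.log ] || exit 1
mv -- access.log "access_$(date +%F -d -1day).log"

# "reopen" (SIGUSR1) only makes nginx reopen its log files; a full "reload"
# would also re-read nginx.conf, which a log rotation has no reason to do.
"$nginx_bin" -s reopen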
再加入crontab定时任务
00 00 * * * /opt/nginxlog.sh >/dev/null 2>&1
(crontab 默认用 /bin/sh 执行命令,`&>` 不是 POSIX 语法,应写成 `>/dev/null 2>&1`;脚本路径与下文的 /opt/nginxlog.sh 保持一致)
为了安全,日志目录不需要给nginx用户访问权限(master 进程以 root 打开日志文件后再把描述符传给 worker,worker 本身不需要该目录的权限)
chmod -R 700 /usr/local/lnmp/nginx/logs
[root@server1 nginx-1.18.0]# vim /opt/nginxlog.sh
[root@server1 nginx-1.18.0]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@server1 nginx-1.18.0]# cd /opt
[root@server1 opt]# chmod +x nginxlog.sh
[root@server1 opt]# /opt/nginxlog.sh
[root@server1 opt]# cd /usr/local/lnmp/nginx/logs
[root@server1 logs]# ll
total 32528
-rw-r--r-- 1 root root 33299968 Aug 13 12:04 access_2020-08-12.log
-rw-r--r-- 1 root root 0 Aug 13 12:25 access.log
-rw-r--r-- 1 root root 338 Aug 13 12:25 error.log
-rw-r--r-- 1 root root 5 Aug 13 11:20 nginx.pid
[root@foundation13 images]# ab -c1 -n100 http://172.25.13.1/index.html
[root@server1 logs]# ll #新产生的日志依然加入access.log中
total 32540
-rw-r--r-- 1 root root 33299968 Aug 13 12:04 access_2020-08-12.log
-rw-r--r-- 1 root root 10400 Aug 13 12:27 access.log
-rw-r--r-- 1 root root 338 Aug 13 12:25 error.log
-rw-r--r-- 1 root root 5 Aug 13 11:20 nginx.pid
multi_accept on; //告诉nginx收到一个新连接通知后接受尽可能多的连接
use epoll; //使用epoll模型
开启文件高效传输模式,同时设置tcp_nopush 和tcp_nodelay 为on,可以防止网络和磁盘IO阻塞。
sendfile on;
tcp_nopush on;
tcp_nodelay on;
[root@server1 ~]# ls
nginx-1.18.0 nginx-1.18.0.tar.gz nginx-1.19.1.tar.gz
[root@server1 ~]# tar zxf nginx-1.19.1.tar.gz
[root@server1 ~]# ls
nginx-1.18.0 nginx-1.18.0.tar.gz nginx-1.19.1 nginx-1.19.1.tar.gz
[root@server1 ~]# cd nginx-1.19.1
[root@server1 nginx-1.19.1]# ./configure --prefix=/usr/local/lnmp/nginx --with-http_stub_status_module --with-threads --with-http_ssl_module --with-http_stub_status_module --with-file-aio
[root@server1 nginx-1.19.1]# make
#####不要进行make install
[root@server1 nginx-1.19.1]# ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE Makefile man objs README src
[root@server1 nginx-1.19.1]# cd objs/
[root@server1 objs]# ls
autoconf.err Makefile nginx nginx.8 ngx_auto_config.h ngx_auto_headers.h ngx_modules.c ngx_modules.o src
[root@server1 objs]# cd /usr/local/lnmp/nginx/sbin
[root@server1 sbin]# ls
nginx
[root@server1 sbin]# cp nginx nginx.old
[root@server1 sbin]# ls
nginx nginx.old
[root@server1 nginx]# cd ~/nginx-1.19.1/objs/
[root@server1 objs]# ls
autoconf.err Makefile nginx nginx.8 ngx_auto_config.h ngx_auto_headers.h ngx_modules.c ngx_modules.o src
[root@server1 objs]# cp -f nginx /usr/local/lnmp/nginx/sbin/
cp: overwrite ‘/usr/local/lnmp/nginx/sbin/nginx’? y
[root@server1 objs]# ps ax | grep nginx
19070 ? Ss 0:00 nginx: master process nginx
19168 ? S 0:00 nginx: worker process
19169 ? S 0:00 nginx: worker process
21910 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 objs]# cat /usr/local/lnmp//nginx/logs/nginx.pid
19070
[root@server1 objs]# kill -USR2 19070
[root@server1 objs]# ps ax | grep nginx
19070 ? Ss 0:00 nginx: master process nginx
19168 ? S 0:00 nginx: worker process
19169 ? S 0:00 nginx: worker process
21915 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 sbin]# nginx -s stop
[root@server1 sbin]# ps ax | grep nginx
21928 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 sbin]# ./nginx.old -v
nginx version: nginx/1.18.0
[root@server1 sbin]# ./nginx -v
nginx version: nginx/1.19.1
[root@server1 sbin]# rm -fr nginx
[root@server1 sbin]# cp nginx.old nginx
[root@server1 sbin]# ./nginx -v
nginx version: nginx/1.18.0
[root@server1 sbin]# ps ax | grep nginx
21935 pts/0 R+ 0:00 grep --color=auto nginx
[root@server1 sbin]# nginx
[root@server1 sbin]# ps ax | grep nginx
21937 ? Ss 0:00 nginx: master process nginx
21938 ? S 0:00 nginx: worker process
21939 ? S 0:00 nginx: worker process
21941 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 sbin]# cp nginx nginx.old
cp: overwrite ‘nginx.old’? y
[root@server1 sbin]# rm -fr nginx
[root@server1 sbin]# cp ~/nginx-1.19.1/nginx /usr/local/lnmp/nginx/sbin/
cp: cannot stat ‘/root/nginx-1.19.1/nginx’: No such file or directory
[root@server1 sbin]# cp ~/nginx-1.19.1/objs/nginx /usr/local/lnmp/nginx/sbin/
[root@server1 sbin]# ls
nginx nginx.old
[root@server1 sbin]# ps ax | grep nginx
23867 ? Ss 0:00 nginx: master process nginx
23868 ? S 0:00 nginx: worker process
23869 ? S 0:00 nginx: worker process
23873 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 sbin]# kill -USR2 23867
[root@server1 sbin]# ps ax | grep nginx
23867 ? Ss 0:00 nginx: master process nginx
23868 ? S 0:00 nginx: worker process
23869 ? S 0:00 nginx: worker process
23897 ? S 0:00 nginx: master process nginx
23898 ? S 0:00 nginx: worker process
23899 ? S 0:00 nginx: worker process
23903 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 sbin]# kill -WINCH 23867
[root@server1 sbin]# ps ax | grep nginx
23867 ? Ss 0:00 nginx: master process nginx
23897 ? S 0:00 nginx: master process nginx
23898 ? S 0:02 nginx: worker process
23899 ? S 0:11 nginx: worker process
24058 pts/0 S+ 0:00 grep --color=auto nginx
[root@server1 sbin]# cp -f nginx.old nginx
cp: overwrite ‘nginx’? yes
[root@server1 sbin]# kill -HUP 23867
[root@server1 sbin]# kill -WINCH 23897
[root@server1 sbin]# ps ax | grep nginx
23867 ? Ss 0:00 nginx: master process nginx
23897 ? S 0:00 nginx: master process nginx
24094 ? S 0:00 nginx: worker process
24095 ? S 0:00 nginx: worker process
24160 pts/0 R+ 0:00 grep --color=auto nginx
[root@server1 sbin]# kill -QUIT 23867
[root@server1 sbin]# ps ax | grep nginx
23897 ? S 0:00 nginx: master process nginx
24094 ? S 0:00 nginx: worker process
24095 ? S 0:00 nginx: worker process
24198 pts/0 S+ 0:00 grep --color=auto nginx
[root@foundation13 images]# ab -c1 -n100000 http://172.25.13.1/index.html
新老版本的worker同时工作
旧版本的worker停止工作
[root@server1 nginx]# vim conf/nginx.conf
[root@server1 nginx]# nginx -s reload
[root@server1 nginx]# vim conf/nginx.conf
[root@server1 nginx]# nginx -t
nginx: [emerg] cannot load certificate "/usr/local/lnmp/nginx/conf/cert.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/lnmp/nginx/conf/cert.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test failed
[root@server1 nginx]# cd /etc/pki/tls/certs
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
................................................+++
...........+++
writing new private key to '/tmp/openssl.DmxkUS'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@localhost
[root@server1 certs]# ll cert.pem
-rw------- 1 root root 3096 Aug 13 15:09 cert.pem
[root@server1 certs]# mv cert.pem /usr/local/lnmp/nginx/conf/
[root@server1 certs]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[root@server1 certs]# nginx -s reload
控制单IP并发连接数:
http {
limit_conn_zone $binary_remote_addr zone=addr:10m;
//$binary_remote_addr 表示通过remote_addr这个标识来做限制
//zone=addr:10m 表示生成一个大小为10M,名字为addr的共享内存区域
...
server {
location /download/ {
limit_conn addr 1; #限制并发数 1次下载一个
limit_rate 50k; #限制带宽 1s下载速率为50k
}
}
[root@server1 conf]# vim nginx.conf
[root@server1 conf]# cd ..
[root@server1 nginx]# cd html
[root@server1 nginx]# cd html
[root@server1 html]# mkdir download
[root@server1 html]# cd download
[root@server1 download]# ls
redhat.jpg
[root@server1 download]# cd ..
[root@server1 html]# cd ..
[root@server1 nginx]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[root@server1 nginx]# nginx -s reload
[root@server1 nginx]# ll html/download
total 56
-rw-r--r-- 1 root root 54157 Aug 13 15:26 redhat.jpg
限制单位时间内的请求数目,以及速度限制:
http {
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
//rate=1r/s表示允许相同标识的客户端的访问频次,这里限制的是每秒1次
...
server {
location / {
limit_req zone=one; #一次处理一个请求
# limit_req zone=one burst=5; #一次处理一个,但后面可以有五个请求等候,延迟,请求处理时间长
# limit_req zone=one burst=5 nodelay; #一次处理一个,后面五个等候,不延迟
}
}
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
limit_req zone=one;
limit_req zone=one burst=5;
limit_req zone=one burst=5 nodelay;
自动索引:下载方便
location / {
autoindex on;
}
[root@server1 nginx]# vim conf/nginx.conf
[root@server1 nginx]# ls html/download/
20.8.8 daolian.jpg dcb2a08d513f6616854cd96ead4746ba.gif redhat.jpg
[root@server1 nginx]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[root@server1 nginx]# nginx -s reload
Nginx expire缓存配置: 缓存可以降低网站带宽,加速用户访问
location ~ .*\.(gif|jpg|png)$ {
expires 365d;
access_log off;
}
[root@foundation13 Documents]# date
Thu Aug 13 16:14:14 CST 2020
[root@foundation13 Documents]# ab -c1 -n10 http://172.25.13.1/download/redhat.jpg
[root@server1 logs]# tail -f access.log ###该 location 配置了 access_log off,因此访问图片的请求不再写入日志
172.25.13.250 - - [13/Aug/2020:15:48:11 +0800] "GET /index.html HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.25.13.250 - - [13/Aug/2020:15:48:11 +0800] "GET /index.html HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.25.13.250 - - [13/Aug/2020:15:48:11 +0800] "GET /index.html HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
172.25.13.250 - - [13/Aug/2020:15:48:11 +0800] "GET /index.html HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
172.25.13.250 - - [13/Aug/2020:15:48:11 +0800] "GET /index.html HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
172.25.13.250 - - [13/Aug/2020:15:48:11 +0800] "GET /index.html HTTP/1.0" 503 494 "-" "ApacheBench/2.3"
172.25.13.250 - - [13/Aug/2020:15:55:05 +0800] "GET /download/redaht.jpg HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
172.25.13.250 - - [13/Aug/2020:15:55:17 +0800] "GET /download/redhat.jpg HTTP/1.1" 200 54157 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
172.25.13.250 - - [13/Aug/2020:15:55:24 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
172.25.13.250 - - [13/Aug/2020:15:59:36 +0800] "GET /download/ HTTP/1.1" 200 648 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
禁止所有访问
站点目录和文件的限制
location ~ ^/download/.*\.(sh|php)$ {
deny all;
}
限制IP
location / {
allow 172.25.13.2;
deny all;
}
if ($remote_addr = 172.25.13.250) {
return 403;
}
防止域名恶意解析到服务器IP:
server {
listen 80;
server_name _;
return 500;
}
也可以重定向:
server {
listen 80;
server_name _;
rewrite ^(.*) http://www.westos.org permanent;
}
80重定向443:
server {
listen 80;
server_name www.westos.org;
rewrite ^/(.*)$ https://www.westos.org/$1 permanent;
}
www.westos.org/bbs 重定向bbs.westos.org:
rewrite ^/bbs$ http://bbs.westos.org permanent;
rewrite ^/bbs/(.*)$ http://bbs.westos.org/$1 permanent;
rewrite ^/bbs/(.*)$ http://bbs.westos.org/$1 permanent;
bbs.westos.org 重定向www.westos.org/bbs:
if ($host = "bbs.westos.org"){
rewrite ^/(.*)$ http://www.westos.org/bbs/$1 permanent;
}
[root@server1 nginx]# yum install rsync -y
[root@server3 nginx]# yum install rsync -y
[root@server1 lnmp]# rsync -a nginx server3:/usr/local
[root@server3 nginx]# cp nginx.conf.default nginx.conf
[root@server3 nginx]# cd /usr/local
[root@server3 local]# mkdir lnmp
[root@server3 local]# mv nginx/ lnmp/
[root@server3 local]# cd /usr/local/bin
[root@server3 bin]# ln -s /usr/local/lnmp/nginx/sbin/nginx .
[root@server3 bin]# rm -f nginx
[root@server3 bin]# ln -s /usr/local/lnmp/nginx/sbin/nginx .
[root@server3 html]# vim test.html
[root@server3 html]# ls
50x.html download index.html test.html
[root@server1 nginx]# ll bbs/
total 12
-rw-r--r-- 1 root root 11122 Aug 13 19:27 daolian.jpg