1. 基本安装
官方站点 http://nginx.net/
wiki: http://wiki.codemongers.com/Main
模块用法 http://wiki.codemongers.com/NginxModules
mp4支持模块 http://wiki.codemongers.com/NginxMP4StreamingLite
地址加密模块 http://wiki.codemongers.com/NginxHttpAccessKeyModule
#Unpack, edit the “config” file, replace “$HTTP_ACCESSKEY_MODULE” to “ngx_http_accesskey_module”
依赖软件包 zlib-devel pcre-devel openssl-devel
编译参数: ./configure �Cprefix=/blog.zhangjianfeng.com/app/nginx-0.7.27 �Cuser=www �Cgroup=www �Cwith-http_stub_status_module �Cwith-http_flv_module �Cadd-module=./nginx_mp4_streaming_public �Cadd-module=/tmp/nginx-0.7.27/nginx-accesskey-2.0.3 �Cwith-http_ssl_module �Cwith-cc-opt=’-O3′
# flv/mp4模块是支持拖动播放的,是否需要flv/mp4/accesskey根据需要决定
# accesskey需要
2. 配置
++ Nginx Redirect
#如果正规中有大括号{},需要用”"引号包起来
#支持last break redirect permanent
# http://wiki.codemongers.com/NginxHttpRewriteModule#rewrite
server
{
listen 80;
server_name linuxtone.org abc.linuxtone.org;
index index.html index.php;
root /data/www/wwwroot;
if ($http_host !~ “^www\.linxtone\.org$”) {
rewrite ^(.*) http://www.linuxtone.org$1 redirect;
}
……………………
}
++ 目录自动加斜线,解决IE浏览器不识别
if (-d $request_filename){
rewrite ^/(.*)([^/])$ http://$host/$1$2/ permanent;
}
++ Nginx 防盗链
#Preventing hot linking of images and other file types
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
valid_referers none blocked server_names *.linuxtone.org http://localhost baidu.com;
if ($invalid_referer) {
rewrite ^/ http://www.linuxtone.org/images/default/logo.gif;
# return 403;
}
}
++ Nginx expires
第一种方法:根据文件类型expires
# Add expires header for static content
location ~* \.(js|css|jpg|jpeg|gif|png|swf)$ {
if (-f $request_filename) {
root /data/www/wwwroot/bbs;
expires 1d;
break;
}
第二种方法:根据判断某个目录
# serve static files
location ~ ^/(images|javascript|js|css|flash|media|static)/ {
root /data/www/wwwroot/down;
expires 30d;
}
++ Nginx 访问控制
#/usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd/tongji linuxtone 创建用户
location ~ ^/(tongji)/ {
root /data/www/wwwroot/count;
auth_basic “LT-COUNT-TongJi”;
auth_basic_user_file /usr/local/nginx/conf/htpasswd/tongji;
}
++ Nginx 禁止访问某类型的文件.
方法一:
location ~* \.(txt|doc)$ {
if (-f $request_filename) {
root /data/www/wwwroot/linuxtone/test;
break;
}
}
方法二
location ~* \.(txt|doc)${
root /data/www/wwwroot/linuxtone/test;
deny all;
}
}
++ 禁止访问某个目录
location ~ ^/(WEB-INF)/ {
deny all;
}
++使用ngx_http_access_module限制ip访问
location / {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
deny all;
}
详细参见wiki: http://wiki.codemongers.com/NginxHttpAccessModule#allow
++ Nginx 下载限制并发和速率
limit_zone one $binary_remote_addr 10m;
server
{
listen 80;
server_name down.linuxotne.org;
index index.html index.htm index.php;
root /data/www/wwwroot/down;
#Zone limit
location / {
limit_conn one 1;
limit_rate 20k;
}
……….
}
#针对flv的下载请求,对指定IP作特殊处理
set $limit_rate 300k;
if ($remote_addr ~ 192.168.0.13$) {
set $limit_rate 200k;
}
++ Nginx 实现Apache一样目录列表
location / {
autoindex on;
}
++nginx 如何不记录部分日志
location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF)$
{
access_log off;
}
++虚拟主机配置
http {
server {
listen 80;
server_name www.domain1.com;
access_log logs/domain1.access.log main;
location / {
index index.html;
root /var/www/domain1.com/htdocs;
}
}
server {
listen 80;
server_name www.domain2.com;
access_log logs/domain2.access.log main;
location / {
index index.html;
root /var/www/domain2.com/htdocs;
}
}
}
++flv/mp4配置
location ~ \.flv$ {
flv;
}
location ~ \.mp4$ {
mp4;
}
++accesskey_module地址加密
location /download {
accesskey on;
accesskey_hashmethod md5;
accesskey_arg “key”;
accesskey_signature “blog.zhangjianfeng.com$remote_addr”;
}
# 写一个php程序产生加密key
\<\?php echo md5(’blog.zhangjianfeng.com’.$_SERVER["REMOTE_ADDR"]);\?\>
#手工测试用 \<\?php echo md5(’blog.zhangjianfeng.com’.'192.169.0.21′);\?\>
# 下载URL http://blog.zhangjianfeng.com/download/file10m.zip?key=1e49fa4ed26486938742e24d2040cc84
# 下载flv并带start参数 http://blog.zhangjianfeng.com/download/file10m.flv?key=1e49fa4ed26486938742e24d2040cc84&start=xxx
++NginxStatus配置
location ~ ^/NginxStatus/ {
stub_status on;
access_log off;
allow 218.5xx.xx.xx;
deny all;
}
#输出状态中
#Active connections=Reading+Writing+Waiting
#Reading 从客户端读取数据的链接数目, Writing向客户端返回数据的链接数目,Waiting通常与KeepAlive设置有关
#active connections ― 对后端发起的活动连接数
#reading ― nginx 读取到客户端的Header信息数
#writing ― nginx 返回给客户端的Header信息数
#waiting ― 开启 keep-alive 的情况下,这个值等于 active �C (reading + writing),意思就是Nginx已经处理完成,正在等候下一次请求指令的驻留连接。
++页面访问控制
location / {
auth_basic “Restricted”;
auth_basic_user_file conf/htpasswd;
}
#conf/htpasswd可以用Apache 的 htpasswd创建
++ssi支持
location / {
ssi on;
}
++其它
user www users;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
}
++在日志中记录虚拟主机名信息
log_format vhost ‘$remote_addr �C $remote_user [$time_local] “$request” ‘
‘”$status” $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for” $host $server_name’;
3.Nginx 日志处理
#contab -e
59 23 * * * /blog.zhangjianfeng.com/sh/logcron-nginx.sh >> /blog.zhangjianfeng.com/logs/crontab/logcron-nginx_log 2>&1
附件: logcron-nginx.sh
++Nginx 如何不记录部分日志
location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF)$
{
access_log off;
}
4.Nginx Cache服务配置
如果需要将文件缓存到本地,则需要增加如下几个子参数
proxy_store on;
proxy_store_access user:rw group:rw all:rw;
proxy_temp_path 缓存目录;其中,
proxy_store on用来启用缓存到本地的功能,
proxy_temp_path用来指定缓存在哪个目录下,如:proxy_temp_path html;
#在经过上一步配置之后,虽然文件被缓存到了本地磁盘上,但每次请求仍会向远端拉取文件,为了避免去远端拉取文件,必须修改proxy_pass:代码:
if ( !-e $request_filename) {
proxy_pass http://mysvr;
}
#即改成有条件地去执行proxy_pass,这个条件就是当请求的文件在本地的proxy_temp_path指定的目录下不存在时,再向后端拉取。
5.Nginx 负载均衡
1. Nginx 基础知识
nginx的upstream目前支持4种方式的分配
1)、轮询(默认)
每个请求按时间顺序逐一分配到不同的后端服务器,如果后端服务器down掉,能自动剔除。
2)、weight
指定轮询几率,weight和访问比率成正比,用于后端服务器性能不均的情况。
2)、ip_hash
每个请求按访问ip的hash结果分配,这样每个访客固定访问一个后端服务器,可以解决session的问题。
3)、fair(第三方)
按后端服务器的响应时间来分配请求,响应时间短的优先分配。
4)、url_hash(第三方)
Nginx 负载均衡
实例1代码:
upstream bbs.linuxtone.org {#定义负载均衡设备的Ip及设备状态
server 127.0.0.1:9090 down;
server 127.0.0.1:8080 weight=2;
server 127.0.0.1:6060;
server 127.0.0.1:7070 backup;
}
在需要使用负载均衡的server中增加代码:
proxy_pass http://bbs.linuxtone.org/;
每个设备的状态设置为:代码:
1.down 表示单前的server暂时不参与负载
2.weight 默认为1.weight越大,负载的权重就越大。
3.max_fails :允许请求失败的次数默认为1.当超过最大次数时,返回proxy_next_upstream 模块定义的错误
4.fail_timeout:max_fails次失败后,暂停的时间。
5.backup: 其它所有的非backup机器down或者忙的时候,请求backup机器。所以这台机器压力会最轻。nginx支持同时设置多组的负载均衡,用来给不用的server来使用。
client_body_in_file_only 设置为On 可以讲client post过来的数据记录到文件中用来做debug
client_body_temp_path 设置记录文件的目录 可以设置最多3层目录
location 对URL进行匹配.可以进行重定向或者进行新的代理 负载均衡
++Nginx 负载均衡实例 2
按访问url的hash结果来分配请求,使每个url定向到同一个后端服务器,后端服务器为缓存时比较有效,也可以用作提高Squid缓存命中率.
简单的负载均等实例:
#loadblance cacheblog.zhangjianfeng.com
upstream flvsrv {
ip_hash;
server 58.2xx.xxx.xx:80 weight=2;
server 218.xx.xx.xx:80;
}
server
{
listen 80;
server_name cacheblog.zhangjianfeng.com;
index index.html index.php;
root /blog.zhangjianfeng.com/data/cache/cached1/;
if (-f $request_filename) {
break;
}
location / {
if ( !-e $request_filename) {
proxy_pass http://flvsrv;
break;
}
## include conf/proxy.conf
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 50m;
client_body_buffer_size 256k;
proxy_connect_timeout 30;
proxy_send_timeout 30;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
proxy_max_temp_file_size 8m;
proxy_store on;
proxy_store_access user:rw group:rw all:r;
#nginx cache
client_body_temp_path /blog.zhangjianfeng.com/data/cache/nginx_cache/client_body 1 2;
proxy_temp_path /blog.zhangjianfeng.com/data/cache/nginx_cache/proxy_temp 1 2;
6.Nginx 优化
1).编译优化
编译时加参数�Cwith-cc-opt=’-O3′
2).修改Nginx的header伪装服务器
代码:
# vi src/core/nginx.h
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_
#define NGINX_VERSION “1.3″
#define NGINX_VER “LTWS/” NGINX_VERSION
#define NGINX_VAR “NGINX”
#define NGX_OLDPID_EXT “.oldbin”
#endif /* _NGINX_H_INCLUDED_ */
# curl -I my.linuxtone.org
HTTP/1.1 200 OK
Server: LTWS/1.3
Date: Mon, 24 Nov 2008 02:42:51 GMT
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
3)几个配置
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
7.nginx服务简单控制脚本
见附件. jeffrey-nginxd
其它说明
++nginx几个参数
-c 为 Nginx 指定一个配置文件,来代替缺省的。
-t 不运行,而仅仅测试配置文件。nginx 将检查配置文件的语法的正确性,并尝试打开配置文件中所引用到的文件。
-v 显示 nginx 的版本。
-V 显示 nginx 的版本,编译器版本和配置参数。
++处理信号
重载配置文件 kill -HUP `cat $PATH/nginx.pid`
其它的信号
相关的处理信号
A)主进程可以处理的信号
TERM ,INT 快速关闭
QUIT 从容关闭
HUP 重载配置,用新的配置开始新的进程,从容关闭旧的工作进程
USR1 重新打开日志文件
USR2 平滑升级可执行程序
WINCH 从容关闭工作进程
B)工作进程可以处理的信号
TERM ,INT 快速关闭
QUIT 从容关闭
USR1 重新打开日志文件
++ Nginx Location
基本语法
location [=|~|~*|^~] /uri/ { … }
= 严格匹配。如果这个查询匹配,那么将停止搜索并立即处理此请求。
~ 为区分大小写匹配
~* 为不区分大小写匹配
!~和!~*分别为区分大小写不匹配及不区分大小写不匹配
^~ 如果把这个前缀用于一个常规字符串,那么告诉nginx 如果路径匹配那么不测试正则表达式。
例:
location = / { # 只匹配 / 查询。
location / { # 匹配任何查询,因为所有请求都已 / 开头。但正则表达式规则和长的块规则将被优先和查询匹配。
location ^~ /images/ { # 匹配任何已 /images/ 开头的任何查询并且停止搜索。任何正则表达式将不会被测试。
location ~* \.(gif|jpg|jpeg)$ { # 匹配任何已 gif、jpg 或 jpeg 结尾的请求。
++ 文件及目录匹配
* -f和!-f用来判断是否存在文件
* -d和!-d用来判断是否存在目录
* -e和!-e用来判断是否存在文件或目录
* -x和!-x用来判断文件是否可执行
++ 一些可用的全局变量
$args
$content_length
$content_type
$document_root
$document_uri
$host
$http_user_agent
$http_cookie
$limit_rate
$request_body_file
$request_method
$remote_addr
$remote_port
$remote_user
$request_filename
$request_uri
$query_string
$scheme
$server_protocol
$server_addr
$server_name
$server_port
$uri
++errorlog定义级别
error_log logs/error.log [ debug | info | notice | warn | error | crit ]
++ Invalid cross-device link错误
proxy_temp_path /data/temp;
alias /data/www;
解决办法: /data/www和/data/temp目录必须在同一个device
++实现类似apache的alias
location /installcd/ {
alias /media/installcd/;
allow 192.168.25.0/24;
deny all;
}
++防止多线程下载range206
if ($http_range) {
return 405;
}
++nginx.conf及vhost.conf示例
## nginx.conf
user nobody nobody;
worker_processes 8;
error_log logs/error.log;
pid logs/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main ‘$remote_addr �C $remote_user [$time_local] “$request” ‘
‘”$status” $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for”‘;
##for squid+nginx
log_format access ‘$remote_addr �C $remote_user [$time_local] “$request” ‘
‘”$status” $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for” “$host”‘;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 20m;
sendfile on;
tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
include vhost.conf;
}
## vhost.conf
server {
listen 80;
server_name blog.zhangjianfeng.com;
root /zhangjianfeng/data/www/blog;
access_log logs/blog.zhangjianfeng.com.log main;
location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF)$
{
access_log off;
}
location / {
index index.html index.htm index.php;
}
include rewrite-blog.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
}
location ~ .*\.(js|css)?$
{
expires 1d;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
error_page 404 500 502 503 504 =200 http://blog.zhangjianfeng.com/error.html;
# 加=200可以返回http200的状态码,可以正常被客户端cache住
location = /50x.html {
root html;
}
}
server {
listen 80;
server_name bbs.zhangjianfeng.com;
access_log logs/bbs.zhangjianfeng.com.log main;
root /zhangjianfeng/data/www/bbs;
location / {
index index.html index.htm index.php;
}
include rewrite-bbs.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
}
location ~ .*\.(js|css)?$
{
expires 1d;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /zhangjianfeng/data/www/bbs/$fastcgi_script_name;
}
location ~ ^/NginxStatus/ {
stub_status on;
access_log off;
auth_basic “Restricted”;
auth_basic_user_file /blog.zhangjianfeng.com/app/nginx-0.7.27/htpasswd/.htpasswd.status.users;
# allow 218.5xx.xx.xx;
# deny all;
}
error_page 404 500 502 503 504 http://bbs.zhangjianfeng.com/error.html;
location = /50x.html {
root html;
}
}
++php上传
1.nginx.conf的http{}中增加
client_max_body_size 300m;
2.php.ini需要修改
post_max_size = 300M
upload_max_filesize = 300M
## 如果出现413 Request Entity Too Large,看看是不是超过上面的限值了
附:logcron-nginx.sh
#!/bin/bash
YEAR=`date +%Y -d 'yesterday'`
MON=`date +%m -d 'yesterday'`
DAY=`date +%d -d 'yesterday'`
start()
{
PID=/blog.zhangjianfeng.com/app/nginx/logs/nginx.pid
SRCLOG=$SRCPATH\access.log
DSTLOG=$DSTPATH$DAY.log
[ ! -d $DSTPATH ] && mkdir -p $DSTPATH
echo "Starting at (`date +%Y%m%d-%H%M%S`)..."
cd $SRCPATH
/bin/mv $SRCLOG $DSTLOG
#kill -USR1 `cat $PID` && gzip $DSTLOG
/etc/init.d/jeffrey-nginxd && gzip $DSTLOG
echo "End! (`date +%Y%m%d-%H%M%S`)"
}
case "$1" in
blog)
SRCPATH=/blog.zhangjianfeng.com/logs/nginx/blog/
DSTPATH=/blog.zhangjianfeng.com/backup/logs/nginx/blog/$YEAR/$MON/
start
;;
bbs)
SRCPATH=/blog.zhangjianfeng.com/logs/nginx/bbs/
DSTPATH=/blog.zhangjianfeng.com/backup/logs/nginx/bbs/$YEAR/$MON/
start
;;
all)
$0 v
$0 bbs
;;
*)
echo "Usage: $0 { blog| bbs| all| help}"
;;
esac
jeffrey-nginxd.txt
#! /bin/sh
# Description: Startup script for nginx webserver
# blog.zhangjianfeng.com
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="nginx daemon"
NAME=nginx
DAEMON=/blog.zhangjianfeng.com/app/nginx/sbin/$NAME
CONFIGFILE=/blog.zhangjianfeng.com/app/nginx/conf/nginx.conf
PIDFILE=/blog.zhangjianfeng.com/app/nginx/logs/$NAME.pid
SCRIPTNAME=/etc/init.d/jeffrey-$NAME
# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0
d_start() {
$DAEMON -c $CONFIGFILE || echo -n " already running"
}
d_stop() {
# kill -QUIT `cat $PIDFILE` || echo -n " not running"
killall nginx
}
d_reload() {
kill -HUP `cat $PIDFILE` || echo -n " can't reload"
}
case "$1" in
start)
echo -n "Starting $DESC: $NAME"
d_start
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME"
d_stop
echo "."
;;
reload)
echo -n "Reloading $DESC configuration..."
d_reload
echo "reloaded."
;;
status)
pgrep -x $NAME > /dev/null && echo $NAME \(pid `pgrep $NAME`\) is running... || echo "$NAME is stoped."
;;
test|-t)
$DAEMON -t
;;
restart)
echo -n "Restarting $DESC: $NAME"
d_stop
sleep 2
d_start
echo "...done!"
;;
*)
echo "Usage: $SERVICENAME {start|stop|restart|reload|status|check}"
exit 3
;;
esac
exit 0