1. nginx service
nginx is a high-performance, lightweight web server.
nginx has high stability, low system resource consumption, and high processing power for HTTP concurrent connections. A single physical server can support 30,000 to 50,000 concurrent requests.
2. Compile and install nginx service
1. Preparing the installation environment
Stop the firewall and upload the nginx installation package to the /opt directory (setenforce 0 switches SELinux to permissive mode until the next reboot)
[root@localhost ~]# cd /opt
[root@localhost opt]# ls
nginx-1.12.2.tar.gz  rh
[root@localhost opt]# systemctl stop firewalld.service
[root@localhost opt]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost opt]# setenforce 0
[root@localhost opt]# vim /etc/resolv.conf
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (36.152.44.95) 56(84) bytes of data.
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=1 ttl=128 time=4.15 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=2 ttl=128 time=4.36 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=3 ttl=128 time=5.38 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=4 ttl=128 time=3.85 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=5 ttl=128 time=5.46 ms
^C
--- www.a.shifen.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 3.856/4.644/5.466/0.658 ms
2. Install software dependency packages
[root@localhost opt]# yum -y install gcc gcc-c++ pcre-devel zlib-devel make
3. Compile and install nginx
(1) Unpack the archive into the /opt directory
[root@localhost ~]# cd /opt
[root@localhost opt]# ls
nginx-1.12.2.tar.gz  rh
[root@localhost opt]# tar zxvf nginx-1.12.2.tar.gz -C /opt
[root@localhost opt]# ls
nginx-1.12.2  nginx-1.12.2.tar.gz  rh
(2) Configure the build options
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
cd /opt/nginx-1.12.2/
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module
Option description
--user=nginx: managing user
--group=nginx: managing group
--with-http_stub_status_module: HTTP status statistics module
(3) Compile with make and install with make install
make && make install
(4) Create soft links
Create soft links to perform path optimization on nginx commands
[root@localhost nginx-1.12.2]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin
(5) Create the nginx program user
Create the user without a home directory
[root@localhost nginx-1.12.2]# useradd -M -s /sbin/nologin nginx
3. nginx Run Control
1. Check the service and start the service
nginx -t: check that the configuration file is correct
nginx: start the service
[root@localhost nginx-1.12.2]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.12.2]# nginx
[root@localhost nginx-1.12.2]# netstat -antp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      33752/nginx: master
[root@localhost nginx-1.12.2]#
View services occupying ports
[root@localhost nginx-1.12.2]# lsof -i:80
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   33752  root    6u  IPv4 297426      0t0  TCP *:http (LISTEN)
nginx   33753 nginx    6u  IPv4 297426      0t0  TCP *:http (LISTEN)
[root@localhost nginx-1.12.2]#
2. Stop the service and reload the service
(1) Stop the service
The process can be stopped with kill
First look up the PID of nginx
cat /usr/local/nginx/logs/nginx.pid
Violent kill
kill -3 <PID number>
Friendly kill
kill -s QUIT <PID number>
killall -3 nginx
killall -s QUIT nginx
(2) Reload the service
kill -1 <PID number>
kill -s HUP <PID number>
killall -1 nginx
killall -s HUP nginx
Option description
-s: specify the signal type
HUP: reload the configuration (signal number 1)
QUIT: exit the process (signal number 3)
3. Add System Management
Two ways to add nginx system services
(1) service management
[root@localhost opt]# cd /etc/init.d/
[root@localhost init.d]# ls
functions  netconsole  network  README
[root@localhost init.d]# vim /etc/init.d/nginx
[root@localhost init.d]# ls
functions  netconsole  network  nginx  README
[root@localhost init.d]# chmod +x /etc/init.d/nginx # Give execute permission
[root@localhost init.d]# chkconfig --add nginx # Add as a system service
[root@localhost init.d]# systemctl stop nginx
[root@localhost init.d]# systemctl start nginx
[root@localhost init.d]# systemctl status nginx
● nginx.service - SYSV: Nginx Service Control Script
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: active (running) since 2021-06-22 22:53:34 CST; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 36101 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=0/SUCCESS)
    Tasks: 2
   CGroup: /system.slice/nginx.service
           ├─36103 nginx: master process /usr/local/nginx/sbin/nginx
           └─36104 nginx: worker process
6月 22 22:53:34 localhost.localdomain systemd[1]: Starting SYSV: Nginx Servi...
6月 22 22:53:34 localhost.localdomain systemd[1]: Started SYSV: Nginx Servic...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost init.d]#
The nginx service script can be viewed in the /etc/rc.d/init.d directory
(2) systemctl management
vim /usr/lib/systemd/system/nginx.service
[root@localhost init.d]# chmod 754 /lib/systemd/system/nginx.service # Setting 754 permissions is a security optimization
[root@localhost init.d]# systemctl start nginx.service
[root@localhost init.d]# systemctl enable nginx.service
[root@localhost init.d]# systemctl status nginx.service
● nginx.service - SYSV: Nginx Service Control Script
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: active (running) since 2021-06-22 23:11:46 CST; 41min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 36493 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=0/SUCCESS)
    Tasks: 2
   CGroup: /system.slice/nginx.service
           ├─36495 nginx: master process /usr/local/nginx/sbin/nginx
           └─36496 nginx: worker process
6月 22 23:11:46 localhost.localdomain systemd[1]: Starting SYSV: Nginx Servi...
6月 22 23:11:46 localhost.localdomain systemd[1]: Started SYSV: Nginx Servic...
Hint: Some lines were ellipsized, use -l to show in full.
4. nginx configuration file
1. Location of the configuration file: /usr/local/nginx/conf/nginx.conf
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# ls
fastcgi.conf            koi-win             scgi_params
fastcgi.conf.default    mime.types          scgi_params.default
fastcgi_params          mime.types.default  uwsgi_params
fastcgi_params.default  nginx.conf          uwsgi_params.default
koi-utf                 nginx.conf.default  win-utf
[root@localhost conf]# cp nginx.conf nginx.conf.bak # Back up the configuration file
[root@localhost conf]# ls
fastcgi.conf            mime.types          scgi_params.default
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.bak      win-utf
koi-utf                 nginx.conf.default
koi-win                 scgi_params
2. Profile Details
[root@localhost conf]# cat nginx.conf
#user  nobody;  # Default run/manage user
worker_processes  1;  # Number of worker processes; can be set to server cores*2, generally set to 1 if site visits are small
#error_log  logs/error.log;  # Error log file path/level
#error_log  logs/error.log  notice;  # This is a relative path
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;  # pid file location
events {  # Events
    worker_connections  1024;  # Maximum number of connections processed per process
}
http {  # Configuration of the HTTP protocol
    include       mime.types;  # File extension and file type mapping table
    default_type  application/octet-stream;  # Default file type
    # Log format (the format that the main log supports)
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;  # Access log location, commented out by default
    sendfile        on;  # Supports file sending (downloading)
    #tcp_nopush     on;  # Allows or prohibits the TCP_CORK socket option (caching data before sending packets); only used when sendfile is in use
    #keepalive_timeout  0;
    keepalive_timeout  65;  # Connection retention timeout in seconds
    #gzip  on;  # Compression module; on means enabled
    server {  # Configuration related to the web service
        listen       80;  # Default listening port
        server_name  localhost;  # Site domain name; domain name access can be supported without a local DNS service
        #charset koi8-r;  # Character set support (change to UTF-8 for Chinese)
        #access_log  logs/host.access.log  main;  # Access log of this web service; it only records access to this service
        location / {  # "/" root location configuration (in a browser, the / after www.baidu.com)
            root   html;  # Directory of the web page files; the site root is /usr/local/nginx/html (relative path)
            index  index.html index.htm;  # Supported home page files
        }
        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;  # Display a predefined error page when an error occurs
        location = /50x.html {  # Error page configuration
            root   html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        # (the following configuration supports PHP and redirection)
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
    # Other virtual host using mix of IP-, name-, and port-based configuration
    # (configuration related to virtual hosts)
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
    # HTTPS server
    # (nginx encryption module: commented-out template for the https configuration)
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}
3. Maximum number of open files
On Linux platforms, when processing high concurrent TCP connections, the maximum number of concurrent connections is limited by the number of files that can be opened simultaneously by a single user process. You can use the ulimit -a command to see how many files the system allows the current user process to open.
The maximum number of open files is 65535
[root@localhost ~]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7144
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7144
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
[root@localhost ~]# ulimit -n 65535 # This command only temporarily modifies the maximum number of open files
[root@localhost ~]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7144
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65535
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7144
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
The maximum number of open files can also be set in the configuration file
vim /usr/local/nginx/conf/nginx.conf
4. Edit the configuration file and the local hosts mapping to access nginx web pages by domain name
vim /usr/local/nginx/conf/nginx.conf
vim /etc/hosts
Browser Access
5. Access Status Statistics
1. View the HTTP_STUB_STATUS module
Check whether nginx was built with the HTTP_STUB_STATUS module
[root@localhost ~]# nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
2. Modify the configuration file to enable the HTTP_STUB_STATUS module
vim /usr/local/nginx/conf/nginx.conf
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# systemctl restart nginx.service
[root@localhost ~]# netstat -natp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      39298/nginx: master
[root@localhost ~]# netstat -natp | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      39298/nginx: master
3. Verify the status statistics in a browser
Active connections: indicates the current number of active connections;
server accepts handled requests: represents the connection information that has been processed. The three numbers in turn represent the number of connections processed, the number of successful TCP handshakes, and the number of requests processed.
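
Reading these counters from a script, as an added example that is not part of the original page: the function parses the status text and reports connections that were accepted but not handled, which is where a limit such as worker_connections or the open-file limit shows up. The function name stub_status_summary and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise stub_status output.
# Assumes the plain-text stub_status format arrives on stdin.

stub_status_summary() {
    awk '
        /^Active connections:/             { active = $3 }
        /^server accepts handled requests/ { counters = 1; next }
        counters == 1 {
            # The line after the header carries the three cumulative counters.
            accepts = $1; handled = $2; requests = $3; counters = 0
        }
        END {
            if (active == "" || accepts == "") {
                print "error=unparseable"
                exit 1
            }
            # accepts > handled means connections were dropped after accept.
            dropped = accepts - handled
            per_conn = (handled > 0) ? requests / handled : 0
            printf "active=%d accepts=%d handled=%d requests=%d dropped=%d req_per_conn=%.2f\n",
                   active, accepts, handled, requests, dropped, per_conn
        }'
}

# Constructed sample of the text the status page returns.
sample_status() {
    cat <<'EOF'
Active connections: 3
server accepts handled requests
 120 118 450
Reading: 0 Writing: 1 Waiting: 2
EOF
}

sample_status | stub_status_summary
```

A non-zero dropped value that keeps growing between two polls is the signal to look at the limits discussed in the "Maximum number of open files" section.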
6. Access control
1. Authorization-based access control
(1) Generate user password authentication files
htpasswd: htpasswd is a tool for directory access authentication.
-c: Create a password file, and if the file exists, the contents are emptied and rewritten
[root@localhost ~]# yum -y install httpd-tools
[root@localhost ~]# htpasswd -c /usr/local/nginx/passwd.db lisi # Create the password data file; the user name is user-defined
New password:
Re-type new password:
Adding password for user lisi
[root@localhost ~]# cd /usr/local/nginx/
[root@localhost nginx]# ls
client_body_temp  fastcgi_temp  logs       proxy_temp  scgi_temp
conf              html          passwd.db  sbin        uwsgi_temp
[root@localhost nginx]# cat passwd.db
lisi:$apr1$uZdiPpZm$2K8TwwB9MSHhV0l9AVWmK0
[root@localhost nginx]# chown nginx /usr/local/nginx//passwd.db # Make the nginx user the owner
[root@localhost nginx]# chmod 400 /usr/local//nginx//passwd.db # Give read-only permission
[root@localhost nginx]# ll
Total usage 8
drwx------. 2 nginx root    6 6月  22 18:47 client_body_temp
drwxr-xr-x. 2 root  root 4096 6月  23 01:34 conf
drwx------. 2 nginx root    6 6月  22 18:47 fastcgi_temp
drwxr-xr-x. 2 root  root   40 6月  22 18:43 html
drwxr-xr-x. 2 root  root   58 6月  23 01:34 logs
-r--------. 1 nginx root   43 6月  23 01:51 passwd.db
drwx------. 2 nginx root    6 6月  22 18:47 proxy_temp
drwxr-xr-x. 2 root  root   19 6月  22 18:43 sbin
drwx------. 2 nginx root    6 6月  22 18:47 scgi_temp
drwx------. 2 nginx root    6 6月  22 18:47 uwsgi_temp
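
A repeatable check for the state the commands above leave behind, as an added example that is not part of the original page: it verifies mode 400 and the expected owner, and names the password scheme of every entry. The function name audit_htpasswd and the demo entries are constructed; the hash strings in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): audit an htpasswd-style file.
# Uses GNU stat (stat -c), as found on the CentOS host in this tutorial.

audit_htpasswd() {
    file=$1
    want_owner=$2
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    findings=0

    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    if [ "$mode" != "400" ]; then
        echo "mode: $mode (expected 400)"; findings=$((findings + 1))
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "owner: $owner (expected $want_owner)"; findings=$((findings + 1))
    fi

    # Classify each entry by the prefix of its password field.
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case $hash in
            '$apr1$'*)  scheme="apr1 (Apache MD5 variant)" ;;
            '{SSHA}'*)  scheme="SSHA (salted SHA-1)" ;;
            '{SHA}'*)   scheme="SHA (unsalted SHA-1)"; findings=$((findings + 1)) ;;
            '{PLAIN}'*) scheme="PLAIN (cleartext)"; findings=$((findings + 1)) ;;
            '')         scheme="empty password field"; findings=$((findings + 1)) ;;
            *)          scheme="crypt() format" ;;
        esac
        echo "user $user: $scheme"
    done < "$file"

    [ "$findings" -eq 0 ]
}

# Constructed demo file: world-readable and with one unsalted SHA entry.
demo=$(mktemp)
printf '%s\n' 'lisi:$apr1$CONSTRUCTED$placeholder' 'old:{SHA}placeholder=' > "$demo"
chmod 644 "$demo"
# The demo passes the file's current owner, so only mode and scheme fire.
audit_htpasswd "$demo" "$(stat -c '%U' "$demo")" || echo "findings reported"
rm -f "$demo"
```

On the tutorial host the call would be audit_htpasswd /usr/local/nginx/passwd.db nginx, and it returns 0 only when nothing is flagged.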
(2) Modify the corresponding directory of the configuration file and add authentication configuration
vim /usr/local/nginx/conf/nginx.conf
[root@localhost nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# systemctl restart nginx.service
[root@localhost nginx]# systemctl status nginx
● nginx.service - SYSV: Nginx Service Control Script
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: active (running) since 三 2021-06-23 02:17:46 CST; 47s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 39871 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
  Process: 39874 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=0/SUCCESS)
    Tasks: 2
   CGroup: /system.slice/nginx.service
           ├─39876 nginx: master process /usr/local/nginx/sbin/nginx
           └─39877 nginx: worker process
6月 23 02:17:46 localhost.localdomain systemd[1]: Starting SYSV: Nginx Service Control Script...
6月 23 02:17:46 localhost.localdomain systemd[1]: Started SYSV: Nginx Service Control Script.
(3) Browser Access Test
Access prompts for an account and password
Entering the account and password gives normal access
(4) Generally set in the location /status module
We can restrict functionality in different locations; for example, we can allow users to access the home page directly
However, users are not allowed to access the status statistics module directly. How can this be configured?
As shown in the figure below, the configuration of the root directory is unchanged; just add two lines to the status module
2. Client-based access control
(1) Access control rules
deny IP/IP segment: Deny client access to an IP or IP segment
allow IP/IP segment: Allow client access to an IP or IP segment
Rules are evaluated from top to bottom; evaluation stops at the first match and later rules are not checked
(2) Deny access from 192.168.206.1 and allow access from other addresses
1. Modify configuration files and set access rules
vim /usr/local/nginx/conf/nginx.conf
Restart the service: systemctl restart nginx
(3) Test verification
Host 192.168.206.100 accesses 192.168.206.186: access works
Host 192.168.206.1 accesses 192.168.206.186: access is denied
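
The two access-control passages above (password protection on the status location, and deny/allow rules) combined into one check, as an added example that is not part of the original page: it lists every location that enables stub_status without auth_basic or an allow/deny rule, and runs on a weak and a guarded sample. The function name find_open_status and both configurations are constructed; the guarded one reuses the password file and the 192.168.206.1 rule from this page.

```shell
#!/bin/sh
# Added example (not from the original page): flag stub_status locations
# that carry no auth_basic and no allow/deny rule.
# Assumes one directive per line and no nested location blocks.

find_open_status() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*location[ \t]/ {
            in_loc = 1; has_status = 0; guarded = 0
            path = ($2 == "=" || $2 ~ /^[~^]/) ? $3 : $2
            next
        }
        in_loc && /^[ \t]*stub_status/                     { has_status = 1 }
        in_loc && /^[ \t]*(allow|deny)[ \t]/                { guarded = 1 }
        in_loc && /^[ \t]*auth_basic[ \t]/ && $2 != "off;"  { guarded = 1 }
        in_loc && /\}/ {
            if (has_status && !guarded) print path
            in_loc = 0
        }'
}

# Constructed sample: status page reachable by anyone who can reach port 80.
weak_conf() {
    cat <<'EOF'
server {
    listen 80;
    location / {
        root html;
    }
    location /status {
        stub_status on;
        access_log off;
    }
}
EOF
}

# Constructed sample: same server, status location guarded both ways.
guarded_conf() {
    cat <<'EOF'
server {
    listen 80;
    location / {
        root html;
    }
    location /status {
        stub_status on;
        access_log off;
        auth_basic "secret";
        auth_basic_user_file /usr/local/nginx/passwd.db;
        deny 192.168.206.1;    # first match wins, so this comes before allow
        allow all;
    }
}
EOF
}

echo "weak:    $(weak_conf | find_open_status)"
echo "guarded: $(guarded_conf | find_open_status)"
```

With both rule types in one location, nginx's default satisfy all requires a client to pass the address rules and the password check.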
7. nginx virtual host
1. Domain Name Based nginx Virtual Host
(1) Modify local mapping records
vim /etc/hosts
(2) Create the document directories for the virtual sites
[root@www ~]# mkdir -p /var/www/html/jojo
[root@www ~]# mkdir -p /var/www/html/momo
[root@www ~]# cd /var/www/html
[root@www html]# ls
jojo  momo
[root@www html]# cd jojo/
[root@www jojo]# vim index.html
[root@www jojo]# cat index.html
<h1> www.jojo.com </h1>
[root@www jojo]# cd ..
[root@www html]# ls
jojo  momo
[root@www html]# cd momo/
[root@www momo]# vim index.html
[root@www momo]# cat index.html
<h1> www.momo.com </h1>
[root@www momo]#
(3) Modify the configuration file
vim /usr/local/nginx/conf/nginx.conf
[root@www momo]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www ~]# cd /usr/local/nginx/logs
[root@www logs]# ls
access.log  error.log  nginx.pid
[root@www logs]# systemctl restart nginx
[root@www logs]# ls
access.log  error.log  jojo.access.log  momo.access.log  nginx.pid
(4) Browser verification
Access different domain names
You can check the access log
[root@www logs]# cat jojo.access.log
192.168.206.186 - - [23/Jun/2021:11:10:38 +0800] "GET / HTTP/1.1" 200 25 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.206.186 - - [23/Jun/2021:11:10:38 +0800] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
[root@www logs]# cat momo.access.log
192.168.206.186 - - [23/Jun/2021:11:13:40 +0800] "GET / HTTP/1.1" 200 25 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.206.186 - - [23/Jun/2021:11:13:40 +0800] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
[root@www logs]#
2. Port-based nginx virtual host
(1) Create the web page file for the port 8080 site
[root@www ~]# mkdir -p /var/www/html/jojo8080
[root@www ~]# cd /var/www/html
[root@www html]# ls
jojo  jojo8080  momo
[root@www html]# cd jojo8080/
[root@www jojo8080]# ls
[root@www jojo8080]# vim index.html
[root@www jojo8080]# cat index.html
<h1> www.jojo8080.com </h1>
[root@www jojo8080]#
(2) Modify the configuration file
vim /usr/local/nginx/conf/nginx.conf
[root@www jojo8080]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www jojo8080]# systemctl restart nginx
[root@www jojo8080]# netstat -antp | grep nginx
tcp        0      0 192.168.206.186:8080    0.0.0.0:*               LISTEN      47552/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      47552/nginx: master
(3) Verify in a browser
Access through the different ports
3. IP-based nginx virtual hosts
(1) Add local mappings
vim /etc/hosts
(2) Add a virtual network card
[root@www ~]# ifconfig ens33:0 192.168.206.100 netmask 255.255.255.0
(3) Create the site root directory and new page site files
[root@www ~]# mkdir /var/www/html/momo100
[root@www ~]# cd /var/www/html
[root@www html]# ls
jojo  jojo8080  momo  momo100
[root@www html]# cd momo100/
[root@www momo100]# ls
[root@www momo100]# vim index.html
[root@www momo100]# cat index.html
<h1> www.momo.com </h1>
[root@www momo100]#
(4) Modify the configuration file
vim /usr/local/nginx/conf/nginx.conf
[root@www momo100]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www momo100]# systemctl stop nginx
[root@www momo100]# systemctl start nginx
[root@www momo100]# netstat -antp | grep nginx
tcp        0      0 192.168.206.100:80      0.0.0.0:*               LISTEN      47888/nginx: master
tcp        0      0 192.168.206.186:80      0.0.0.0:*               LISTEN      47888/nginx: master
[root@www momo100]#
(5) Browser verification
Access by different IP
View the following log
[root@www nginx]# cd logs
[root@www logs]# ls
access.log  jojo8080.access.log  momo100.access.log  nginx.pid
error.log   jojo.access.log      momo.access.log
[root@www logs]# cat momo100.access.log
192.168.206.186 - - [23/Jun/2021:12:04:11 +0800] "GET / HTTP/1.1" 200 25 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.206.186 - - [23/Jun/2021:12:04:11 +0800] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.206.186 - - [23/Jun/2021:12:05:17 +0800] "GET / HTTP/1.1" 200 25 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
[root@www logs]#