1, Nginx
1. Introduction
1. Nginx is a high-performance, lightweight web service software
2. High stability
3. Low system resource consumption
4. High capacity for concurrent HTTP connections: a single physical server can support 30000-50000 concurrent requests.
2. Differences between Nginx and Apache
Nginx | Apache |
---|---|
Event based | Process based |
All requests are processed by one thread | A single thread handles a single request |
Avoids child processes | Based on child processes |
Better in memory consumption and connection handling | Average |
Performance and scalability do not depend on hardware | Depends on hardware such as CPU and memory |
Supports hot deployment | Hot deployment is not supported |
More efficient for static file processing | Average |
More advantageous in the reverse proxy scenario | Average |
2, Compiling and installing Nginx services
Transfer the software package required to install nginx to the /opt directory
1. Turn off firewall
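```bash
systemctl stop firewalld       # stop the firewall now
systemctl disable firewalld    # do not start it at boot
setenforce 0                   # switch SELinux to permissive mode until the next reboot
```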
2. Upload package
3. Install dependent packages
```bash
# Configuring and running Nginx requires packages such as pcre and zlib, so install
# their development packages to provide the corresponding libraries and header files
yum install -y pcre-devel zlib-devel gcc gcc-c++ make
```
4. Create the run-as user and group
```bash
# The Nginx service program runs as nobody by default. It is recommended to create a
# dedicated user account for it so that its access rights can be controlled more precisely
useradd -M -s /sbin/nologin nginx
```
5. Compile and install nginx
```bash
cd /opt
tar zxvf nginx-1.12.0.tar.gz
cd nginx-1.12.0/

# --prefix                          installation path of nginx
# --user                            user name
# --group                           group name
# --with-http_stub_status_module    enable the http_stub_status_module module to support status statistics
./configure \
  --prefix=/usr/local/nginx \
  --user=nginx \
  --group=nginx \
  --with-http_stub_status_module

make && make install

# Let the system find the nginx command
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
```
6. Check, start, restart and stop nginx service
```bash
# 1. Check whether the configuration file is correct
nginx -t

# 2. Start
nginx

# 3. Stop
cat /usr/local/nginx/logs/nginx.pid    # first check the PID number of nginx
kill -3 <PID number>                   # send signal 3 (SIGQUIT) by number
kill -s QUIT <PID number>              # the same signal by name; nginx shuts down gracefully
killall -3 nginx
killall -s QUIT nginx

# 4. Reload
kill -1 <PID number>
kill -s HUP <PID number>
killall -1 nginx
killall -s HUP nginx

# 5. Log split, reopen the log file
kill -USR1 <PID number>

# 6. Smooth upgrade
kill -USR2 <PID number>

# 7. New version upgrade
tar -zxvf nginx-1.xx.xx.tar.gz
cd nginx-1.xx.xx
./configure \
  --prefix=/usr/local/nginx \
  --user=nginx \
  --group=nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_old
cp objs/nginx /usr/local/nginx/sbin/nginx
make upgrade    # or kill nginx first, and then run /usr/local/nginx/sbin/nginx
```
7. Add nginx system service
Method 1:
vim /etc/init.d/nginx

```bash
#!/bin/bash
#chkconfig: - 99 20
#description:Nginx Server Control Script
COM="/usr/local/nginx/sbin/nginx"
PID="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start)
  $COM
  ;;
stop)
  kill -s QUIT "$(cat "$PID")"
  ;;
restart)
  $0 stop
  $0 start
  ;;
reload)
  kill -s HUP "$(cat "$PID")"
  ;;
*)
  echo "Usage:$0 {start|stop|restart|reload}"
  exit 1
esac
exit 0
```

```bash
chmod +x /etc/init.d/nginx
chkconfig --add nginx
systemctl daemon-reload    # when the nginx service file on disk changes, run systemctl daemon-reload to reload the unit
systemctl start nginx
systemctl stop nginx
```
Method 2:
vim /lib/systemd/system/nginx.service

```ini
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

```bash
chmod 754 /lib/systemd/system/nginx.service
systemctl start nginx.service
systemctl enable nginx.service
```
Note:
1. [Unit]: description of the service
   - Description: describes the service
   - After: dependency; the customized service is started after the service it depends on has started
2. [Service]: settings for how the service runs
   1) Type=forking means the service runs in the background. With this startup type, PIDFile= should be specified as well, so that systemd can track the main process of the service
   2) ExecStart is the command that runs the service, ExecReload is the restart command, ExecStop is the stop command
   3) PrivateTmp=true means a separate temporary space is allocated to the service

   Note: absolute paths are required for the start, restart and stop commands
3. [Install]: settings related to service installation; can be set to multi-user
8. Browser Test
3, Main configuration file of nginx service
3.1. Global configuration
```nginx
#user  nobody;                # Run-as user. If it is not specified during compilation, it defaults to nobody
worker_processes  1;          # Number of worker processes; can be set to the number of server cores * 2. If the website traffic is small, it is generally set to 1
#error_log  logs/error.log;   # Location of the error log file
#pid  logs/nginx.pid;         # Location of the PID file
```
3.2 I/O event configuration
```nginx
events {
    use epoll;                  # Use the epoll model; recommended on kernel 2.6 and above to improve performance
    worker_connections 4096;    # Each process handles 4096 connections
}
```

To increase the number of connections per process, run "ulimit -n 65535" to temporarily raise the maximum number of files that each process can open at the same time. On the Linux platform, when handling highly concurrent TCP connections, the maximum number of concurrent connections is limited by the number of files the system allows a single process to have open at once (the system creates a socket handle for each TCP connection, and each socket handle is also a file handle). Use the ulimit -a command to view the limit on the number of files the system allows the current user's processes to open.
3.3 HTTP configuration
```nginx
http {
    include       mime.types;                  # File extension to file type mapping table
    default_type  application/octet-stream;    # Default file type

    # Log format setting
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;        # Access log location and format

    sendfile        on;                        # Support file sending (downloading)
    #tcp_nopush     on;                        # Enables or disables the TCP_CORK socket option (buffer data before sending packets); only used when sendfile is on

    #keepalive_timeout  0;
    keepalive_timeout  65;                     # Connection keep-alive timeout, in seconds

    #gzip  on;                                 # Gzip module setting: whether to enable gzip-compressed output

    server {
        listen       80;                       # Listening address and port
        server_name  www.gxd.com;              # Site domain name; there can be several, separated by spaces
        #charset utf-8;                        # Default character set for web pages
        #access_log  logs/host.access.log  main;

        location / {                           # Root configuration
            root   html;                       # Location of the site root directory: /usr/local/nginx/html
            index  index.html index.htm;       # Default home page file names
        }

        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #error_page   500 502 503 504  /50x.html;    # Feedback page for internal errors
        location = /50x.html {                 # Error page configuration
            root   html;
        }
    }
}
```
Log format setting:
1. Variables used in the log format:
   - $remote_addr and $http_x_forwarded_for: record the client's IP address
   - $remote_user: records the client user name
   - $time_local: records the access time and time zone
   - $request: records the request URL and HTTP protocol
   - $status: records the request status; success is 200
   - $body_bytes_sent: records the size of the body content sent to the client
   - $http_referer: records which page the link was followed from
   - $http_user_agent: records information about the client browser

2. Usually the web server is placed behind a reverse proxy, so the client's IP address cannot be obtained directly: the IP address obtained through $remote_addr is the IP address of the reverse proxy server. When forwarding the request, the reverse proxy server can add x_forwarded_for information to the HTTP header to record the IP address of the original client and the server address requested by the original client.

3. Common location configuration directives: root, alias, proxy_pass
   1) root (root path configuration): a request for www.gxd.com/test/1.jpg returns the file /usr/local/nginx/html/test/1.jpg
   2) alias (alias configuration): a request for www.gxd.com/test/1.jpg returns the file /usr/local/nginx/html/1.jpg
   3) proxy_pass (reverse proxy configuration):
      - proxy_pass http://127.0.0.1:8080/; forwards the request to http://127.0.0.1:8080/1.jpg
      - proxy_pass http://127.0.0.1:8080; forwards the request to http://127.0.0.1:8080/test/1.jpg
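As an added example (not code from the original page), the Python sketch below parses lines written in the main log_format shown above and picks the address each request should be attributed to, using X-Forwarded-For only when the TCP peer is a known reverse proxy. It assumes the proxy appends the peer address to the header (in nginx, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`); the proxy address 10.0.0.5 and the sample log lines are constructed.

```python
import ipaddress
import re

# The page's "main" log_format, one named group per variable.
MAIN_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$')

# Assumption: 10.0.0.5 is the only reverse proxy in front of this server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP address, so never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(line):
    """Address to attribute a logged request to, or None if the line is unparsable."""
    m = MAIN_RE.match(line.strip())
    if m is None:
        return None
    peer, xff = m["remote_addr"], m["http_x_forwarded_for"]
    # A peer that is not our proxy can put anything in the header: ignore it.
    if xff in ("", "-") or not is_trusted(peer):
        return peer
    # Each proxy appends the address it saw, so read right to left and stop at
    # the first hop that is not ours; entries left of it are client-supplied.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer  # malformed entry: fall back to the TCP peer
    return peer


# Constructed sample lines (documentation addresses, not real traffic).
TAIL = '[12/Mar/2022:10:00:01 +0800] "GET /test/1.jpg HTTP/1.1" 200 612 "-" "curl/7.29.0"'
SAMPLES = {
    "proxied": f'10.0.0.5 - - {TAIL} "203.0.113.9"',
    "proxied_forged": f'10.0.0.5 - - {TAIL} "127.0.0.1, 198.51.100.7"',
    "direct_forged": f'198.51.100.7 - zhangsan {TAIL} "192.168.80.77"',
}
```

In the second sample the leftmost entry was supplied by the client and is skipped; in the third the header is ignored entirely because the connection did not come from the proxy.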
3.4 Access status statistics configuration
① Check that the stub_status module is installed
② Modify the nginx.conf configuration file, specify the access location and add the stub_status configuration
3.5 Browser Test
4, Authorization based access control
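1. Generate the user password authentication file
```bash
yum install -y httpd-tools
htpasswd -c /usr/local/nginx/passwd.db zhangsan    # -c creates the file; the password is prompted for
chown nginx /usr/local/nginx/passwd.db
chmod 400 /usr/local/nginx/passwd.db               # readable only by the nginx user
```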
2. Modify the directory corresponding to the main configuration file and add authentication configuration items
vim /usr/local/nginx/conf/nginx.conf

```nginx
.....
server {
    location / {
        .....
        ##Add authentication configuration##
        auth_basic "secret";    # Text shown in the password prompt box
        auth_basic_user_file /usr/local/nginx/passwd.db;
    }
}
```
3. Restart the service and test access
[root@cm conf]# systemctl restart nginx
Correct: login required
5, Client based access control
1. Steps for client-based access control

The access control rules are as follows:
• deny IP/IP segment: reject access from a client IP or IP segment
• allow IP/IP segment: allow access from a client IP or IP segment
• Rules are evaluated from top to bottom. Evaluation stops at the first rule that matches, and the rules below it are not checked

vim /usr/local/nginx/conf/nginx.conf

```nginx
location / {
    root html;
    index index.html index.htm;
    auth_basic "secret";
    auth_basic_user_file /usr/local/nginx/passwd.db;
    # Add control rules
    deny 192.168.80.77;    # Client IP that is denied access
    allow all;             # Allow all other clients to access
}
```

```bash
systemctl restart nginx
```
Use the 192.168.100.101 client to access (denied)
cannot access
Using other clients to access
Normal:
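The top-to-bottom, first-match evaluation described above can be checked offline before reloading nginx. The following Python model is an added example, not part of the original page or of nginx; it handles only IP and CIDR rules, and the SWAPPED and ALLOWLIST rule sets are constructed for comparison.

```python
import ipaddress
import re


def parse_rules(conf):
    """Collect allow/deny directives from an nginx snippet, in file order."""
    rules = []
    # Drop comments, then split into statements on ';' and block braces.
    text = " ".join(line.split("#", 1)[0] for line in conf.splitlines())
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue  # other directives (root, index, auth_basic ...) are skipped
        net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0], net))
    return rules


def decide(conf, client):
    """First matching rule wins; if no rule matches, access is allowed."""
    ip = ipaddress.ip_address(client)
    for action, net in parse_rules(conf):
        if net is None or ip in net:
            return action
    return "allow"


# The rule set from the page.
PAGE_RULES = """
    deny 192.168.80.77;   # Access denied client IP
    allow all;            # Allow all other clients to access
"""
# Same two rules swapped: "allow all" matches first, so the deny is never reached.
SWAPPED = """
    allow all;
    deny 192.168.80.77;
"""
# Allowlist form (constructed): one subnet may connect, everyone else is refused.
ALLOWLIST = """
    allow 192.168.80.0/24;
    deny all;
"""
```

The rules are matched against $remote_addr, so when nginx sits behind a reverse proxy every request is evaluated with the proxy's address rather than the original client's.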