Construction and optimization of Nginx

1, Introduction to Nginx

1.1 Overview

Nginx:

  • Nginx is a high-performance HTTP and reverse proxy server.

  • It is a lightweight high-performance web server / reverse proxy server / e-mail (IMAP/POP3) proxy server

  • A single physical server can support 30000 ~ 50000 concurrent requests.

Apache:

Apache has a process-based architecture. Processes consume more system resources than threads and are not suitable for multiprocessor environments. Therefore, when an Apache web site is scaled up, servers or cluster nodes are usually added rather than processors.

1.2 comparison of advantages and disadvantages between nginx and Apache

(1) Advantages of nginx over apache:

  • Lightweight: serving the same web workload, it occupies less memory and fewer resources than apache

  • High concurrency: nginx handles requests asynchronously and without blocking, while apache is blocking. Under high concurrency, nginx can maintain low resource consumption and high performance

  • Highly modular design, writing modules is relatively simple

(2) Advantages of apache over nginx:

  • Its rewrite is more powerful than nginx's rewrite (the main function of rewrite is to redirect a URL, the uniform resource locator)

  • There are many modules. You can find everything you think of

  • Fewer bugs, and nginx has more bugs

  • Superstable

Why both exist: generally speaking, web services that need performance use nginx. If you don't need performance and just want stability, choose apache.

1.3 Nginx as a web server compared with Apache

Compared with apache, nginx uses less resources and supports more concurrent connections, which reflects higher efficiency.

  • As a load balancing server, nginx can support both rails and php programs internally and http proxy servers externally.

  • Nginx is written in C, which gives it low system resource overhead and good CPU efficiency.

  • As a mail proxy server: one of the earliest purposes of developing this product is also as a mail proxy server.

1.4 nginx configuration is simple and apache is complex

1.5 The core difference between nginx and Apache

  • apache is a synchronous multi process model. One connection corresponds to one process. nginx is asynchronous. Multiple connections can correspond to one process.

  • Nginx handles static files well and consumes less memory. It is only suitable for static content and reverse proxying.

  • Apache has an advantage in dealing with dynamic content.

  • nginx has good concurrency and low CPU and memory consumption. If rewrites are frequent, apache is the best choice.

  • In general, apache is still the first choice for most companies.

2, I/O in Linux

I/O in a computer refers to Input/Output. IOPS (Input/Output Per Second) is the number of input/output (read/write) operations per second. It is one of the main indicators used to measure disk performance. IOPS refers to the number of I/O requests that the system can process in a unit of time, generally expressed as I/O requests processed per second. I/O requests are usually read or write data operation requests.

A complete I/O is the complete exchange of data between a process in user space and the kernel in kernel space. However, because kernel space and user space are strictly isolated, a process in user space cannot directly access data stored in kernel space. Instead, the data must be copied from kernel space memory into the process memory in user space, so I/O is, put simply, copying data from kernel space memory to the process memory in user space.

  • Disk I/O: the difference between buff and cache

 

  • Network I/O: everything is a file. Its essence is to read and write socket files

     

    Get the request data: the client establishes a connection with the server and sends a request, and the server accepts the request (1-3)
    Build the response: when the server receives the request, it processes the client's request in user space until the response is built (4)
    Return the data: the server sends the constructed response back to the client through network I/O in kernel space (5-7)

Synchronous / asynchronous: it focuses on the message communication mechanism, that is, whether the callee provides notification of completion status when the caller is waiting for the processing result of an event.

  • Synchronization: synchronous. The callee does not provide notification messages related to the processing results of the event. The caller needs to actively ask whether the processing is completed

  • Asynchronous: asynchronous. The callee actively notifies the caller of the running status of the callee through the status, notification or callback mechanism

 

Blocking / non blocking: focus on the state of the caller before waiting for the result to return

  • Blocking: the I/O operation must complete fully before control returns to user space. Until the result is returned, the caller is suspended and cannot do anything else.

  • Non blocking: the I/O operation returns to the caller immediately after it is invoked, without waiting for the I/O operation to complete. Until the final result is returned, the caller is not suspended and can do other things.

 

Asynchronous non blocking I/O model

 

3, Detailed explanation of compilation and installation steps of Nginx

3.1 close the firewall and install the dependency package

1. #Turn off firewall
[root@localhost opt]#systemctl stop firewalld
[root@localhost opt]#setenforce 0

2. #Install dependency package
[root@localhost opt]#yum -y install pcre-devel zlib-devel gcc gcc-c++ make

3.2 create new users and groups to facilitate management

3. #Create a new user. The nginx service program runs as nobody by default; it is recommended to create a dedicated user account for it so that access rights can be controlled more precisely
[root@localhost opt]#useradd -M -s /sbin/nologin nginx

3.3 transfer the compressed package to the /opt directory, compile and install

4.#Switch to the opt directory and transfer the downloaded compressed package
[root@localhost opt]#cd /opt
[root@localhost opt]#ls
nginx-1.12.0.tar.gz

5.#Unzip file
[root@localhost opt]#tar -zxf nginx-1.12.0.tar.gz 
[root@localhost opt]#ls
nginx-1.12.0  nginx-1.12.0.tar.gz

6.#Switch to the unzipped folder and compile
[root@localhost nginx-1.12.0]#
./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module

//explain
--prefix=/usr/local/nginx \
#Installation path
--user=nginx \
#Specify user name
--group=nginx \
#Specify user groups
--with-http_stub_status_module
#Enable this module to support status statistics
//

7.#install
[root@localhost nginx-1.12.0]#make && make install -j4

3.4 create a symbolic link and start nginx

8. #Create a symbolic link so that the system can find the nginx command
[root@localhost sbin]#ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

9. #Check whether the configuration file is configured correctly 
[root@localhost sbin]#nginx -t

10. #start nginx 
[root@localhost sbin]#nginx 

11. #Check whether the startup is successful
[root@localhost sbin]#ss -ntap|grep nginx
LISTEN     0      128          *:80                       *:*                   users:(("nginx",pid=9123,fd=6),("nginx",pid=9122,fd=6))

 

3.5 stop nginx

1. #First check the PID number of nginx
[root@localhost sbin]#cat /usr/local/nginx/logs/nginx.pid 
9122

2.#Direct kill
kill -3 <PID number> 
[root@localhost sbin]#kill -3 9122
#The process can no longer be found
[root@localhost logs]#ss -ntap|grep nginx

#You must kill the parent process. It is useless to kill the child process
 #Check process number
[root@localhost logs]#lsof -i :80
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   10298  root    6u  IPv4  68323      0t0  TCP *:http (LISTEN)
nginx   10299 nginx    6u  IPv4  68323      0t0  TCP *:http (LISTEN)
#View main process
[root@localhost logs]#cat /usr/local/nginx/logs/nginx.pid  
10298
#Kill child process
[root@localhost logs]#kill -3 10299 
#Process not killed
[root@localhost logs]#cat /usr/local/nginx/logs/nginx.pid  
10298
#Kill parent process
[root@localhost logs]#kill -3 10298
#The process has been killed, so the PID file is gone
[root@localhost logs]#cat /usr/local/nginx/logs/nginx.pid
cat: /usr/local/nginx/logs/nginx.pid: There is no such file or directory

3.6 adding nginx system services

3.6.1 method 1: Script Writing

#Write the script as follows
[root@localhost init.d]#vim /etc/init.d/nginx	

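#!/bin/bash
# chkconfig: - 99 20
# description: Nginx service control script
# (the two header lines above are required by "chkconfig --add";
#  the start/stop priorities 99 and 20 are example values)
cmd="/usr/local/nginx/sbin/nginx"
pid="/usr/local/nginx/logs/nginx.pid"

case "$1" in
start)
$cmd
;;

stop)
# SIGQUIT (3) asks the master process to shut down
kill -3 `cat $pid`
;;

restart)
$0 stop
$0 start
;;

reload)
# SIGHUP (1) makes the master process reload its configuration
kill -1 `cat $pid`
;;

*)
echo "please input start, stop, restart or reload"
exit 1
;;
esac
exit 0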


#Execute script
[root@localhost init.d]#chmod +x /etc/init.d/nginx 
[root@localhost init.d]#chkconfig --add nginx 
#start nginx 
[root@localhost init.d]#service nginx start 
#Close nginx
[root@localhost init.d]#service nginx stop

3.6.2 method 2: add nginx as a systemd service

[root@localhost system]#cd /lib/systemd/system

#It is recommended to copy the script directly
[root@localhost system]#vim nginx.service

[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/bin/kill -s HUP $MAINPID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

##When the nginx unit file on disk changes, run 'systemctl daemon-reload' to reload the units.
[root@localhost system]#systemctl daemon-reload 
##Start service
[root@localhost system]#systemctl start nginx

3.7 viewing nginx version information

[root@localhost system]#nginx -v
nginx version: nginx/1.12.0

4, Nginx configuration file

4.1 main configuration file of nginx service

[root@localhost system]#vim /usr/local/nginx/conf/nginx.conf

4.2 global configuration

#user  nobody;                     ##Run user
worker_processes 1;                ##The number of working processes can be configured as the number of server cores * 2. If the website traffic is small, it is generally set to 1

#error_log  logs/error.log;        ####Location of the error log file
#pid        logs/nginx.pid;        ####Location of PID file

4.3 I/O event configuration

events {
    use epoll;                 #Use the epoll model to improve performance. epoll is recommended on kernel version 2.6 and above
    worker_connections  4096;   #Each process handles 4096 connections
}

epoll is an improved poll provided by the Linux kernel to handle a large number of file descriptors (sockets). It is an enhanced version of the select/poll I/O multiplexing interfaces under Linux, and it can significantly improve system CPU utilization when only a few of a large number of concurrent connections are active.

If the number of working processes is 8 and each process handles 4096 connections, the number of connections with which Nginx can provide service normally already exceeds 30000 (4096 × 8 = 32768). Of course, this also depends on the performance of the server hardware, the network bandwidth and other physical conditions.

  1. To increase the number of connections per process, you also need to execute the command "ulimit -n 65535" to temporarily modify the maximum number of files that can be opened simultaneously by each local process.

  2. On the Linux platform, when processing highly concurrent TCP connections, the maximum number of concurrent connections is limited by the system to the number of files that can be opened by a single user process at the same time (this is because the system creates a socket handle for each TCP connection, and each socket handle is also a file handle).

  3. You can use the ulimit -a command to view the limit on the number of files that the system allows the current user process to open.

    #View the number of files that the system allows the current user process to open
    [root@localhost conf]#ulimit -a
    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 0
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 6911
    max locked memory       (kbytes, -l) 64
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 1024
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    real-time priority              (-r) 0
    stack size              (kbytes, -s) 8192
    cpu time               (seconds, -t) unlimited
    max user processes              (-u) 6911
    virtual memory          (kbytes, -v) unlimited
    file locks                      (-x) unlimited
    
    #Temporarily modify the maximum number of files that each local process can open at the same time
    [root@localhost conf]#ulimit -n 6000
    #View modified
    [root@localhost conf]#ulimit -a
    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 0
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 6911
    max locked memory       (kbytes, -l) 64
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 6000
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    real-time priority              (-r) 0
    stack size              (kbytes, -s) 8192
    cpu time               (seconds, -t) unlimited
    max user processes              (-u) 6911
    virtual memory          (kbytes, -v) unlimited
    file locks                      (-x) unlimited
    

4.3 HTTP configuration

Use "http {}" to define the tag, including access log, HTTP port, Web page directory, default character set, connection retention, virtual Web host, PHP parsing and a series of settings to be discussed later. Most of the configuration statements are contained in the sub definition tag "server {}"

http {
    include       mime.types;		##File extension and file type mapping table
    default_type  application/octet-stream;		##Default file type
	##Log format setting
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;		##Access log location and the log format it uses
	
    sendfile        on;				##Support file sending (downloading)
    ##This option allows or prohibits the use of the socket option TCP_CORK (cache data before sending packets). This option is only used when sendfile is used
    #tcp_nopush     on;
	##Connection hold timeout, in seconds
    #keepalive_timeout  0;
    keepalive_timeout  65;
	
    #gzip  on;			##Gzip module settings, setting whether to enable gzip compressed output
    
server {
        listen       80;					##Listening address and port
        server_name  www.yxp.com;			##The site domain name can have multiple, separated by spaces

        #charset utf-8;						#Default character set for web pages

        #access_log  logs/host.access.log  main;		

        location / {						##Root configuration
            root   html;					##Location of the site root directory: /usr/local/nginx/html
            index  index.html index.htm;	##Default home page file name
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;		##Feedback page for internal errors
        location = /50x.html {							##Error page configuration
            root   html;
        }
    }
}

Log format setting:

  • $remote_addr and $http_x_forwarded_for: record the IP address of the client
  • $remote_user: records the client user name
  • $time_local: records the access time and time zone
  • $request: records the URL and HTTP protocol of the request
  • $status: records the request status; success is 200
  • $body_bytes_sent: records the size of the body content of the file sent to the client
  • $http_referer: records which page link the visit came from
  • $http_user_agent: records information about the client browser

Usually the web server is placed behind a reverse proxy, so the client's IP address cannot be obtained through $remote_addr: the IP address obtained that way is the address of the reverse proxy server. The reverse proxy server can add X-Forwarded-For information to the HTTP header of the forwarded request, which records the IP address of the original client and the server address requested by the original client.

Common location configuration directives: root, alias, proxy_pass

  • root: a request for www.clj.com/test/1.jpg returns the file /usr/local/nginx/html/test/1.jpg
  • alias (alias configuration): a request for www.clj.com/test/1.jpg returns the file /usr/local/nginx/html/1.jpg
  • proxy_pass (reverse proxy configuration):
    proxy_pass http://127.0.0.1:8080/;   ------ forwards the request to http://127.0.0.1:8080/1.jpg
    proxy_pass http://127.0.0.1:8080;    ------ forwards the request to http://127.0.0.1:8080/test/1.jpg
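The mappings described above, as an added example that is not part of the original page: a POSIX shell function that resolves a request the way the text describes for root, alias and the two proxy_pass forms. The location prefix /test/ and the name resolve_location are assumptions made for the illustration.

```shell
#!/bin/sh
# resolve_location KIND PREFIX TARGET URI   (hypothetical helper)
#   KIND    root | alias | proxy_pass
#   PREFIX  prefix of the matching "location" block (assumed here: /test/)
#   TARGET  the directive's argument (a directory or an upstream URL)
#   URI     request path
# Prints the file path or upstream URL that the request is mapped to.
resolve_location() {
    kind=$1; prefix=$2; target=$3; uri=$4
    case $uri in
        "$prefix"*) rest=${uri#"$prefix"} ;;   # part of the URI after the prefix
        *) echo "location does not match" >&2; return 1 ;;
    esac
    case $kind in
        root)
            # root: the full URI is appended to the directory
            printf '%s%s\n' "${target%/}" "$uri" ;;
        alias)
            # alias: the matched prefix is replaced by the directory
            printf '%s%s\n' "$target" "$rest" ;;
        proxy_pass)
            # With a URI part after host:port (even just "/"), that part replaces
            # the matched prefix; without one, the request URI is passed unchanged.
            case ${target#*://} in
                */*) printf '%s%s\n' "$target" "$rest" ;;
                *)   printf '%s%s\n' "$target" "$uri" ;;
            esac ;;
        *) echo "unknown directive: $kind" >&2; return 1 ;;
    esac
}

# The four cases from the text, for a request to /test/1.jpg.
for spec in \
    "root /usr/local/nginx/html" \
    "alias /usr/local/nginx/html/" \
    "proxy_pass http://127.0.0.1:8080/" \
    "proxy_pass http://127.0.0.1:8080"
do
    set -- $spec
    printf '%-11s %-28s -> %s\n' "$1" "$2" \
        "$(resolve_location "$1" /test/ "$2" /test/1.jpg)"
done
```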

4.4 access status statistics configuration

  • nginx has a built-in HTTP_STUB_STATUS status statistics module, which is used to report the current Web access status. When configuring compilation parameters, you can add --with-http_stub_status_module to enable this module.

  • You can use the command /usr/local/nginx/sbin/nginx -V to see if the installed Nginx contains the HTTP_STUB_STATUS module.

  • Operation steps:

  1. Modify the nginx.conf configuration file, specify the access location and add the stub_status configuration (backup before modification)

#Copy a configuration file first
[root@localhost conf]#cp /usr/local/nginx/conf/nginx.conf nginx.conf.bak

#  Modify nginx.conf configuration file
[root@localhost conf]#vim /usr/local/nginx/conf/nginx.conf

events {
    use epoll;
    worker_connections  1024;
}

    server {
        listen       80;
        server_name  www.yxp.com;


        charset utf-8;
      location / {
            root   html;
            index  index.html index.htm;
        }

        location /status {  ##The access location is /status
            stub_status on;  ##Turn on the status statistics function
            access_log off;  ##Turn off logging at this location
        }
    }

 

 

2. Open 192.168.59.108/status in a web browser to test

Active connections: 2 
server accepts handled requests
 2 2 4 
Reading: 0 Writing: 1 Waiting: 1 

Active connections: 2               # current number of active connections
server accepts handled requests
 6 6 5                              # connection information that has been processed; the three numbers are, in order, the number of connections that have been processed, the number of successful TCP handshakes, and the number of requests that have been processed
Reading: 0 Writing: 1 Waiting: 1

3. Write a shell script that uses awk and raises an alarm if the number of connections is too high

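#!/bin/bash
#Fetch the status page (-s hides the curl progress output)
a=$(curl -s 192.168.59.108/status)
#$a is left unquoted on purpose: the output collapses to one line, so field 3 is the active connection count
b=$(echo $a|awk '{print $3}')
if [ "$b" -ge 1000 ]
then 
echo "Too many connections"|mail -s test 1943466298@qq.com
else
echo "Good operation"
fi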
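A more defensive variant of the check above, as an added example that is not from the original page: it parses every stub_status counter, reports connections that were accepted but not handled, and returns "unknown" instead of a false "good" when the response is not a status page (for example an error page from a proxy). The function names and the sample values are constructed for the illustration.

```shell
#!/bin/sh
# Constructed sample in the layout stub_status returns (values are made up).
SAMPLE_STATUS='Active connections: 291
server accepts handled requests
 16630948 16630940 31070465
Reading: 6 Writing: 179 Waiting: 106'

# status_field NAME TEXT -> prints one counter; fails if it is absent or not a number.
# NAME is one of: active accepts handled requests reading writing waiting
status_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Active connections:/         { v["active"] = $3 }
        /^ *[0-9]+ +[0-9]+ +[0-9]+ *$/ { v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        /^Reading:/                    { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END { if (v[want] !~ /^[0-9]+$/) exit 1; print v[want] }'
}

# check_status LIMIT TEXT -> prints a one-line verdict.
# Returns 0 when below the limit, 1 when the limit is reached, 2 when TEXT is not stub_status output.
check_status() {
    limit=$1; text=$2
    active=$(status_field active "$text")   || { echo "UNKNOWN: no stub_status counters in response"; return 2; }
    accepts=$(status_field accepts "$text") || { echo "UNKNOWN: no stub_status counters in response"; return 2; }
    handled=$(status_field handled "$text") || { echo "UNKNOWN: no stub_status counters in response"; return 2; }
    # accepts - handled > 0 means connections were dropped, e.g. because
    # worker_connections or the open-file limit was reached.
    dropped=$((accepts - handled))
    if [ "$active" -ge "$limit" ]; then
        echo "ALERT: $active active connections (limit $limit), $dropped dropped"
        return 1
    fi
    echo "OK: $active active connections, $dropped dropped"
}

# Live use with the address from the page:
#   check_status 1000 "$(curl -s --max-time 5 http://192.168.59.108/status)"
check_status 1000 "$SAMPLE_STATUS" || true
```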

4.5 access control based on authorization password

1. Generate user password authentication file

#Installation tools
[root@localhost conf]#yum install -y httpd-tools.x86_64 

#The first time, use -c to create the password file
[root@localhost conf]#htpasswd -c /usr/local/nginx/passwd.db zhangsan
#Do not add -c the second time (-c would overwrite the existing file)
[root@localhost conf]#htpasswd /usr/local/nginx/passwd.db lisi
[root@localhost conf]#chown nginx /usr/local/nginx/passwd.db
[root@localhost conf]#chmod 400 /usr/local/nginx/passwd.db

 

  2. Modify the directory corresponding to the main configuration file

            location /status { 
               #Add password authentication
               auth_basic "secret";
               auth_basic_user_file /usr/local/nginx/passwd.db;
               
               # stub_status on;
               # access_log off;
                root   html;
                index  index.html index.htm;
            }
    

     

  3. Restart service

[root@localhost conf]#nginx -t
[root@localhost conf]#systemctl restart nginx.service 

4. Test on the web

Visit http://192.168.59.108; you need to enter your account and password to log in

4.6 client based access control

1. Introduction to client based access control

Client based access control decides whether to allow page access according to the client IP address. Nginx client based access control is simpler than Apache's. The rules are as follows:

  1) deny IP/IP segment: denies access from the given client IP or IP segment.
  2) allow IP/IP segment: allows access from the given client IP or IP segment.
  3) Rules are evaluated from top to bottom; evaluation stops at the first rule that matches, and the rules below it are not checked.

  2. Modify the configuration file

    [root@localhost conf]#vim /usr/local/nginx/conf/nginx.conf
      location / {
                #auth_basic "secret";
                #auth_basic_user_file /usr/local/nginx/passwd.db;
                deny 192.168.59.130;                      ###Client IP
                allow all;
                root   html;
                index  index.html index.htm;
            }

     

  3. Restart the service and test access
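The first-match rule described above, as an added example that is not from the original page: a small POSIX shell evaluator for allow/deny lists, run on the page's rules, on the same rules in reverse order (where the deny line is never reached), and on a constructed IP-segment rule. The function names and the 192.168.59.0/24 rule are assumptions made for the illustration.

```shell
#!/bin/sh
# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# addr_matches CLIENT_IP SPEC -> succeeds if SPEC ("all", an address or a CIDR segment) covers CLIENT_IP
addr_matches() {
    addr=$1; spec=$2
    [ "$spec" = all ] && return 0
    case $spec in
        */*) net=${spec%/*}; bits=${spec#*/} ;;
        *)   net=$spec; bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_access CLIENT_IP RULES -> prints "allow" or "deny"
# RULES holds the location's allow/deny lines, one per line, in file order.
check_access() {
    client=$1
    verdict=allow                 # no matching rule: the request is allowed
    while read -r action arg; do
        arg=${arg%%;*}            # drop the trailing ";"
        case $action in allow|deny) ;; *) continue ;; esac
        if addr_matches "$client" "$arg"; then
            verdict=$action       # first match decides; later rules are ignored
            break
        fi
    done <<EOF
$2
EOF
    echo "$verdict"
}

# Rules from the page, the same rules reversed, and a constructed segment rule.
PAGE_RULES='deny 192.168.59.130;
allow all;'
REVERSED_RULES='allow all;
deny 192.168.59.130;'
SEGMENT_RULES='allow 192.168.59.0/24;
deny all;'

for c in 192.168.59.130 192.168.59.1 10.0.0.5; do
    echo "$c  page order: $(check_access "$c" "$PAGE_RULES")" \
         " reversed: $(check_access "$c" "$REVERSED_RULES")" \
         " segment only: $(check_access "$c" "$SEGMENT_RULES")"
done
```

In the reversed order the blocked client is allowed, because "allow all" matches first.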

     

     

4.7 domain name based nginx virtual host

Using the virtual host, there is no need to provide a separate Nginx server or run a group of Nginx processes for each website to run. The virtual host provides the function of running multiple websites on the same server and the same group of Nginx processes. Like Apache, Nginx can also configure many types of virtual hosts, namely IP based virtual host, domain name based virtual host and port based virtual host. When using Nginx to build a virtual host server, each virtual Web site has an independent "server {}" configuration section, and the IP address and port number of their listening can be specified separately. Of course, the website name is also different.

  1. Create the web documents for the virtual hosts

    [root@localhost html]#mkdir -p /var/www/html/{yxp,accp}
    [root@localhost html]#echo "<h1>www.yxp.com</h1>" > /var/www/html/yxp/index.html
    [root@localhost html]#echo "<h1>www.accp.com</h1>" > /var/www/html/accp/index.html
    
  2. Modify the configuration file

    vim /usr/local/nginx/conf/nginx.conf
    
        server {
            listen       80;
            server_name  www.accp.com;
    
            charset utf-8;
    
            access_log  logs/www.accp.access.log;
    
            location / {
                root   /var/www/html/accp;
                index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
    }
    
        server {
            listen       80;
            server_name  www.yxp.com;
    
            charset utf-8;
    
            access_log  logs/yxp.access.log;
    
            location / {
                root   /var/www/html/yxp;
                index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
    }
    

     

     

    3. Restart the service and test

    The domain names cannot be used at this time. You need to modify the /etc/hosts configuration file; on a Windows client the file is:

    C:\Windows\System32\drivers\etc\hosts

     

     

     

4.8 IP address based

1. Modify the configuration file

 

[root@localhost html]#vim /usr/local/nginx/conf/nginx.conf
server {
        listen   192.168.59.108:80;
        server_name  www.yxp.com;
        #The rest of the server block is unchanged
}

server {
        listen   192.168.59.111:80;
        server_name  www.accp.com;
        #The rest of the server block is unchanged
}

4.9 port based

[root@localhost html]#vim /usr/local/nginx/conf/nginx.conf
server {
        listen   192.168.59.108:80;
        server_name  www.yxp.com;
        #The rest of the server block is unchanged
}

server {
        listen   192.168.59.108:8080;
        server_name  www.accp.com;
        #The rest of the server block is unchanged
}


Posted on Mon, 08 Nov 2021 18:21:40 -0500 by missyevil