Preface
nginx was designed and developed by Igor Sysoev for rambler.ru, the second most visited site in Russia. Since its release in 2004, driven by open source development, it has come close to maturity and perfection. Nginx is rich in features and can be used as an HTTP server, a reverse proxy server and a mail proxy server. It supports FastCGI, SSL, virtual hosts, URL rewriting, gzip and other features, as well as many third-party module extensions.
1. Nginx overview
1.1 nginx features
nginx is a high-performance and lightweight web service software with the following characteristics:
- High stability
- Low system resource consumption
- High processing capacity for HTTP concurrent connections (a single physical server can support 30000 ~ 50000 concurrent requests)
1.2 differences between nginx and apache
- nginx is an event-based web server, while apache is a process-based one
- nginx handles all requests within a single thread, while apache uses one thread per request
- nginx avoids the concept of sub-processes, while apache is built on sub-processes
- nginx is better in memory consumption and connection handling, while apache is only average in both
- The performance and scalability of nginx do not depend on hardware, while apache depends on hardware such as CPU and memory
- nginx supports hot deployment, while apache does not
- nginx is more efficient than apache at serving static files
- nginx has an obvious advantage in the reverse proxy scenario, while apache is relatively ordinary there
2. Nginx compilation, installation and service control
2.1 compilation and installation process
Preparation before installation
systemctl stop firewalld && systemctl disable firewalld
setenforce 0
iptables -F
yum -y install epel-release && yum clean all && yum makecache
Install package
yum -y install pcre-devel zlib-devel gcc gcc-c++ make wget
Create and run users, groups
# The nginx service program runs as nobody by default. It is recommended to create a dedicated user account for it so that its access rights can be controlled more precisely
useradd -M -s /sbin/nologin nginx
Download installation package
# The version is optional
wget http://nginx.org/download/nginx-1.12.2.tar.gz -P /opt
Compile and install nginx
tar xf /opt/nginx-1.12.2.tar.gz -C /opt/
cd /opt/nginx-1.12.2
# --prefix: installation path of nginx
# --user / --group: user and group the worker processes run as
# --with-http_stub_status_module: enable the http_stub_status_module module to support status statistics
# (comments are kept above the command: text after a trailing backslash would cut the command short)
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module
make -j 4 && make install
# Link the binary into the system path so that the nginx commands are recognised
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
Start nginx
# The binary was linked into the system path, so running nginx starts the service directly
nginx
2.2 nginx service control
Check, start, restart and stop nginx service
### Check whether the configuration file is correct
nginx -t
### Start
nginx
### Stop
cat /usr/local/nginx/logs/nginx.pid   # file that stores the nginx master process number
kill -3 <process number>
kill -s QUIT <process number>
killall -3 nginx
killall -s QUIT nginx
### Reload the configuration
kill -1 <process number>
kill -s HUP <process number>
killall -1 nginx
killall -s HUP nginx
### Log rotation: reopen the log files
kill -USR1 <process number>
### Smooth (zero-downtime) binary upgrade
kill -USR2 <process number>
2.3 nginx registration system service
Method 1: applicable to CentOS 6
# The heredoc delimiter is quoted so that $1, $COM and $(cat $PID) are written into the script literally instead of being expanded by the current shell
cat > /etc/init.d/nginx <<'EOF'
#!/bin/bash
#chkconfig: - 99 20
#description: Nginx Service Control Script
COM="/usr/local/nginx/sbin/nginx"
PID="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start)
    $COM
    ;;
stop)
    kill -s QUIT $(cat $PID)
    ;;
restart)
    $0 stop
    $0 start
    ;;
reload)
    kill -s HUP $(cat $PID)
    ;;
*)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
esac
exit 0
EOF
chmod +x /etc/init.d/nginx
chkconfig --add nginx   # register it as a system service
# CentOS 6 has no systemctl; the SysV script is driven with the service command
service nginx stop
service nginx start
Method 2: applicable to CentOS 7
# Note: if nginx was started earlier with the nginx command, kill that process first, otherwise it conflicts with the systemd-managed one
# The heredoc delimiter is quoted so that $MAINPID ends up in the unit file literally instead of being expanded (to an empty string) by the shell
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
chmod 754 /usr/lib/systemd/system/nginx.service   # setting 754 permissions is a security hardening step
systemctl daemon-reload
systemctl start nginx.service && systemctl enable nginx.service
2.4 one click compilation and installation script
#!/bin/bash
iptables -F
yum -y install epel-release && yum clean all && yum makecache
yum -y install pcre-devel zlib-devel gcc gcc-c++ make wget
useradd -M -s /sbin/nologin nginx
wget http://nginx.org/download/nginx-1.12.2.tar.gz -P /opt
tar zxvf /opt/nginx-1.12.2.tar.gz -C /opt
cd /opt/nginx-1.12.2
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module
make -j 4 && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
# Quoted delimiter: $MAINPID must reach the unit file unexpanded
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
chmod 754 /usr/lib/systemd/system/nginx.service
systemctl daemon-reload && systemctl start nginx.service && systemctl enable nginx.service
echo " "
# Report whether an nginx process is running after installation
if pgrep "nginx" &> /dev/null; then
    echo -e "\033[32mThe nginx service is running normally; you can check it with curl\033[0m"
else
    echo -e "\033[31mThe nginx service is not running normally, please check\033[0m"
fi
3. Nginx configuration file
3.1 nginx.conf overview
Structure diagram I
Structure diagram II
Main profile content
[root@c7-1 ~]#cat /usr/local/nginx/conf/nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    #
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
    #
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
    #
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}
3.2 detailed explanation of nginx.conf module
(1) Global module
Configures directives that affect nginx globally: the user and group the nginx server runs as, the storage path of the nginx process pid file, the log storage path, inclusion of other configuration files, the number of worker processes that may be spawned, and so on.
user nobody;           # user the workers run as; if not specified at compile time it defaults to nobody
worker_processes 1;    # number of worker processes; can be set to the number of server cores * 2, usually 1 for a low-traffic site
#error_log logs/error.log;   # location of the error log file
#pid logs/nginx.pid;         # location of the PID file
(2) events module
Configures settings that affect the network connections between the nginx server and its users: the maximum number of connections per process, which event-driven model is used to handle connection requests, whether multiple network connections may be accepted at the same time, and whether the acceptance of multiple network connections is serialized.
events {
    use epoll;                 # use the epoll model; recommended on kernel 2.6 and above to improve performance
    worker_connections 4096;   # each worker process handles up to 4096 connections
}
- To increase the number of connections per process, run the command "ulimit -n 65535" to temporarily raise the maximum number of files that a single local process may open at the same time
- When handling highly concurrent TCP connections on Linux, the maximum number of concurrent connections is limited above all by the system's limit on the number of files a single user process may open at the same time (the system creates a socket handle for every TCP connection, and each socket handle is also a file handle)
- Use the ulimit -a command to view the limit on the number of files the system allows the current user process to open
(3) HTTP module
Multiple server blocks can be nested inside it, and it configures most functions such as proxying, caching, log definitions and the settings of third-party modules: file inclusion, MIME type definitions, log customisation, whether to use sendfile to transfer files, connection timeouts, the number of requests per connection, and so on.
http {
    ## mapping table of file extensions to file types
    include mime.types;
    ## default file type
    default_type application/octet-stream;
    ## log format setting
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    ## access log location
    #access_log logs/access.log main;
    ## support sending (downloading) files with sendfile
    sendfile on;
    ## enable or disable the TCP_CORK socket option (buffer data before sending packets); only used together with sendfile
    #tcp_nopush on;
    ## keep-alive timeout, in seconds
    #keepalive_timeout 0;
    keepalive_timeout 65;
    ## gzip module setting: whether to enable gzip-compressed output
    #gzip on;
    ## listening configuration for the web service
    server {
        ## listening address and port
        listen 80;
        ## site domain names; there can be several, separated by spaces
        server_name www.xcf.com;
        ## default character set for web pages
        charset utf-8;
        ## root location configuration
        location / {
            ## site root directory, /usr/local/nginx/html
            root html;
            ## default home page file names
            index index.html index.php;
        }
        ## feedback page for internal errors
        error_page 500 502 503 504 /50x.html;
        ## error page configuration
        location = /50x.html {
            root html;
        }
    }
}
① Log format setting
Log format setting:
- $remote_addr and $http_x_forwarded_for: record the client's IP address;
- $remote_user: records the client user name;
- $time_local: records the access time and time zone;
- $request: records the requested URL and HTTP protocol;
- $status: records the request status code; success is 200;
- $body_bytes_sent: records the size of the response body sent to the client;
- $http_referer: records which page the link was accessed from;
- $http_user_agent: records information about the client browser;
- The web server is usually placed behind a reverse proxy, so the real client IP address cannot be obtained from $remote_addr; the address it records is that of the reverse proxy server
- The reverse proxy server can add an X-Forwarded-For field to the HTTP headers of the forwarded request, which records the IP address of the original client and the server address the original client requested
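The following Python script is an added example and not part of the original article: it parses lines in the "main" log format above and decides which address to attribute a request to, honouring X-Forwarded-For only when $remote_addr is one of the trusted reverse proxies, since any client can send that header itself. The trusted range 192.168.10.0/24 and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
# Regex for nginx's default "main" log_format (see the log_format line above).
LOG_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)
# Assumption: the only reverse proxy in front of this nginx lives in 192.168.10.0/24.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.10.0/24")]
# Constructed sample lines in the "main" format (not real traffic).
SAMPLE_LOG = [
    '192.168.10.1 - - [10/Oct/2023:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "curl/7.29.0" "203.0.113.7"',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0800] "GET /admin HTTP/1.1" 403 153 '
    '"-" "Mozilla/5.0" "10.0.0.1"',
    '192.168.10.1 - - [10/Oct/2023:13:56:02 +0800] "GET /50x.html HTTP/1.1" 502 494 '
    '"-" "-" "203.0.113.7, 192.168.10.1"',
    '192.168.10.1 - - [10/Oct/2023:13:56:10 +0800] "GET / HTTP/1.1" 200 612 "-" "-" "-"',
]

def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(entry):
    """$remote_addr is the TCP peer and cannot be forged; X-Forwarded-For is a
    header any client can send, so it is only honoured behind a trusted proxy,
    walking the chain from the right past our own hops to the first foreign one."""
    peer = ipaddress.ip_address(entry["remote_addr"])
    xff = entry["http_x_forwarded_for"]
    if not _is_trusted(peer) or xff in ("", "-"):
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:          # malformed header: trust none of it
        return str(peer)
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return str(hop)
    return str(peer)            # every hop was one of our own proxies

def requests_per_client(lines):
    """Count requests per attributed client IP, skipping unparseable lines."""
    return dict(Counter(client_ip(e) for e in map(parse_line, lines) if e))
```

The second sample line shows the point of the check: a direct client claiming to come from 10.0.0.1 is still counted under its real peer address.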
② location configuration
Common configuration directives: root, alias, proxy_pass
root (root path configuration)
# If you request www.test.com/test/1.jpg, the file /usr/local/nginx/html/test/1.jpg is returned
alias (alias configuration)
# If you request www.test.com/test/1.jpg, the file /usr/local/nginx/html/1.jpg is returned
proxy_pass (reverse proxy configuration)
# proxy_pass http://127.0.0.1:8080/;   forwards the request to http://127.0.0.1:8080/1.jpg
(4) server block
Configures the parameters of a virtual host. One http block can contain multiple server blocks.
server {
    keepalive_requests 120;   # maximum number of requests per connection
    listen 4545;              # listening port
    server_name 127.0.0.1;    # listening address
    location ~*^.+$ {         # URL filtering of requests by regular expression; ~ is case sensitive, ~* is case insensitive
        #root path;           # root directory
        #index vv.txt;        # default page
        proxy_pass http://mysvr;   # the request goes to the list of servers defined by the mysvr upstream
        deny 127.0.0.1;       # rejected IP
        allow 172.18.5.54;    # allowed IP
    }
}
(5) location block
Configure the routing of requests and the processing of various pages.
location / {
    root html;
    index index.html index.htm;
}
location /status {
    stub_status on;
    access_log off;
}
location ~*^.+$ {
    #root path;
    #index vv.txt;
    proxy_pass http://mysvr;
    deny 127.0.0.1;
    allow 172.18.5.54;
}
4. Nginx access control
4.1 access status statistics
Check whether the installed nginx build includes the --with-http_stub_status_module module
/usr/local/nginx/sbin/nginx -V or nginx -V
Modify the nginx.conf configuration file and add a stub_status configuration (a location /status block with stub_status on and access_log off, as in the location block shown in section 3.2)
Restart the service and access the test
systemctl restart nginx
echo "192.168.10.20 www.test.com" >> /etc/hosts
Field meaning
Active connections: 1                 # current number of active connections
server accepts handled requests       # processed connection information
 1 1 1                                # number of connections accepted, number of successful TCP handshakes, number of requests processed
Reading: 0 Writing: 1 Waiting: 0      # number of connections that are currently reading, writing and waiting
Use scripts to monitor the number of connections
[root@c7-1 /data]#cat connect.sh
#!/bin/bash
# Fetch the stub_status page and extract the active connection count
curl -s www.test.com/status > active.txt
connect=$(awk '/Active/ {print $3}' active.txt)
if [ "$connect" -gt 1 ];then
    echo -e "\033[31mThe current number of connections is too high, please take note!\033[0m"
else
    echo -e "\033[32mThe number of connections is normal\033[0m"
fi
[root@c7-1 /data]#bash connect.sh
The number of connections is normal
4.2 authorization based access control
Generate user password authentication file
yum -y install httpd-tools
htpasswd -c /usr/local/nginx/passwd.db zhangsan
chown nginx /usr/local/nginx/passwd.db
chmod 400 /usr/local/nginx/passwd.db
Modify the main configuration file and add authentication configuration items
[root@c7-1 ~]#vim /usr/local/nginx/conf/nginx.conf
......
    location / {
        root html;
        index index.html index.htm;
        ## add the authentication configuration
        auth_basic "secret";                              # text shown in the password prompt box
        auth_basic_user_file /usr/local/nginx/passwd.db;
    }
......
Restart the service and access the test
nginx -t
systemctl restart nginx
# Visit www.test.com using the Firefox browser that comes with the virtual machine
4.3 client based access control – blacklist and whitelist
The access control rules are as follows:
- deny IP/IP segment: denies access from the given client IP or IP segment
- allow IP/IP segment: allows access from the given client IP or IP segment
- Rules are evaluated from top to bottom; the first matching rule takes effect and the remaining rules are not checked
systemctl restart nginx
# Test access from the 192.168.10.30 machine
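An added example (not from the original article) that models the first-match evaluation of allow/deny rules described above in Python, so the effect of rule ordering can be checked before the live configuration is changed. The rule sets are constructed for the illustration; SECTION_3_RULES repeats the two directives from the server block in section 3.2, and the unreachable_rules helper is a lint of my own, not an nginx feature.

```python
import ipaddress

# Constructed rule sets, written as (directive, argument) pairs in the order they
# would appear inside a location block; "all" is the catch-all nginx accepts.
BLACKLIST = [("deny", "192.168.10.30"), ("allow", "all")]
WHITELIST = [("allow", "192.168.10.0/24"), ("deny", "all")]
# Same directives as the whitelist but in the wrong order: "deny all" is hit
# first by every client, so the allow rule below it can never match.
BROKEN_WHITELIST = [("deny", "all"), ("allow", "192.168.10.0/24")]
# The two directives used in the server block shown in section 3.2 (4).
SECTION_3_RULES = [("deny", "127.0.0.1"), ("allow", "172.18.5.54")]

def parse_rules(rules):
    """Turn (directive, argument) pairs into (directive, network-or-None) pairs."""
    parsed = []
    for directive, target in rules:
        if directive not in ("allow", "deny"):
            raise ValueError(f"unknown directive {directive!r}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        parsed.append((directive, net))
    return parsed

def is_allowed(client, rules):
    """Evaluate rules top to bottom; the first match decides and later rules are
    not consulted. A client that matches no rule at all is allowed."""
    ip = ipaddress.ip_address(client)
    for directive, net in parse_rules(rules):
        if net is None or ip in net:
            return directive == "allow"
    return True

def unreachable_rules(rules):
    """Indices of rules shadowed by an earlier catch-all ("allow all" / "deny all")."""
    for i, (_, net) in enumerate(parse_rules(rules)):
        if net is None:
            return list(range(i + 1, len(rules)))
    return []
```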
5. Nginx virtual host
5.1 domain name based nginx virtual host
Provide domain name resolution for virtual host
echo "192.168.10.20 www.test.com www.abc.com" >> /etc/hosts
Preparing web documents for virtual hosts
mkdir -p /var/www/html/test
mkdir -p /var/www/html/abc
echo "<h1>www.test.com</h1>" > /var/www/html/test/index.html
echo "<h1>www.abc.com</h1>" > /var/www/html/abc/index.html
Modify the nginx.conf configuration file and add the following configuration
......
server {
    listen 80;
    server_name www.test.com;
    charset utf-8;
    access_log logs/test.access.log;
    location / {
        root /var/www/html/test;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.abc.com;
    charset utf-8;
    access_log logs/abc.access.log;
    location / {
        root /var/www/html/abc;
        index index.html index.htm;
    }
}
......
Restart the service and access the test
nginx -t
systemctl restart nginx
5.2 IP based nginx virtual host
Add a virtual network interface
ifconfig ens33:0 192.168.10.21 netmask 255.255.255.0
# Remove it again: ifconfig ens33:0 down
Modify nginx.conf configuration file
......
server {
    listen 192.168.10.20:80;
    server_name www.test.com;
    charset utf-8;
    access_log logs/test.access.log;
    location / {
        root /var/www/html/test;
        index index.html index.htm;
    }
}
server {
    listen 192.168.10.21:80;
    server_name www.abc.com;
    charset utf-8;
    access_log logs/abc.access.log;
    location / {
        root /var/www/html/abc;
        index index.html index.htm;
    }
}
......
Restart the service and access the test
nginx -t
systemctl restart nginx
5.3 port based nginx virtual host
Modify nginx.conf configuration file
......
server {
    listen 192.168.10.20:80;
    server_name www.test.com;
    charset utf-8;
    access_log logs/test.access.log;
    location / {
        root /var/www/html/test;
        index index.html index.htm;
    }
}
server {
    listen 192.168.10.20:8888;
    server_name www.abc.com;
    charset utf-8;
    access_log logs/abc.access.log;
    location / {
        root /var/www/html/abc;
        index index.html index.htm;
    }
}
......
Restart the service and access the test
nginx -t
systemctl restart nginx