nginx service introduction

preface

  nginx was designed and developed by Igor Sysoev for rambler.ru, the second most visited site in Russia. Since its release in 2004, backed by the open source community, it has grown close to maturity and perfection. Nginx is rich in functions and can be used as an HTTP server, reverse proxy server and mail server. It supports FastCGI, SSL, virtual hosts, URL rewriting, gzip and other functions, and supports many third-party module extensions.

1. Nginx overview

1.1 nginx features

nginx is a high-performance and lightweight web service software with the following characteristics:

  • High stability
  • Low system resource consumption
  • High processing capacity for HTTP concurrent connections (a single physical server can support 30000 ~ 50000 concurrent requests)

1.2 differences between nginx and apache

  • nginx is an event-based web application, while apache is process-based
  • In nginx all requests are processed by one thread, while in apache a single thread processes a single request
  • nginx avoids the concept of child processes, while apache is built on child processes
  • nginx does better in memory consumption and connection handling, while apache is only average
  • The performance and scalability of nginx do not depend on hardware, while apache depends on hardware such as CPU and memory
  • nginx supports hot deployment, while apache does not
  • nginx is more efficient than apache at serving static files
  • nginx has clear advantages in the reverse proxy scenario, while apache is only average



2. Nginx compilation, installation and service control

2.1 compilation and installation process

Preparation before installation

systemctl stop firewalld && systemctl disable firewalld
setenforce 0
iptables -F
yum -y install epel-release && yum clean all && yum makecache

Install package

yum -y install pcre-devel zlib-devel gcc gcc-c++ make wget

Create and run users, groups

# The nginx service program runs as nobody by default. It is recommended to create a special user account for it to more accurately control its access rights
useradd -M -s /sbin/nologin nginx

Download installation package

#Version optional
wget http://nginx.org/download/nginx-1.12.2.tar.gz -P /opt

Compile and install nginx

tar xf /opt/nginx-1.12.2.tar.gz -C /opt/

cd /opt/nginx-1.12.2		#configure uses relative paths, so it must be run from inside the source directory
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module
#--prefix: installation path of nginx
#--user / --group: user and group the worker processes run as
#--with-http_stub_status_module: enable the http_stub_status_module to support status statistics
#(the options cannot carry trailing comments: text after the backslash would end the multi-line command)

make -j 4 && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/	#Put nginx on the system path so its commands can be run directly

Start nginx

nginx	#The symbolic link created above put nginx on the system path, so running nginx starts it directly

2.2 nginx service control

Check, start, restart and stop nginx service

###Check whether the configuration file is correct
nginx -t

###Start
nginx

###Stop
cat /usr/local/nginx/logs/nginx.pid		#File storing the nginx master process number

kill -3 <Process number>
kill -s QUIT <Process number>
killall -3 nginx
killall -s QUIT nginx

###Reload the configuration
kill -1 <Process number>
kill -s HUP <Process number>
killall -1 nginx
killall -s HUP nginx

###Log rotation: reopen the log files
kill -USR1 <Process number>

###Smooth (binary) upgrade
kill -USR2 <Process number>

2.3 nginx registration system service

Method 1: applicable to CentOS 6

#The heredoc delimiter is quoted so that $1, $COM, $PID and $(cat $PID) are written into the script literally instead of being expanded now
cat > /etc/init.d/nginx <<'EOF'
#!/bin/bash
#chkconfig: - 99 20
#description:Nginx Service Control Script
COM="/usr/local/nginx/sbin/nginx"
PID="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start)
  $COM
;;

stop)
  kill -s QUIT $(cat $PID)
;;

restart)
  $0 stop
  $0 start
;;

reload)
  kill -s HUP $(cat $PID)
;;

*)
  echo "Usage:$0 {start|stop|restart|reload}"
  exit 1
;;
esac
exit 0
EOF

chmod +x /etc/init.d/nginx
chkconfig --add nginx         #Add as system service
service nginx stop            #CentOS 6 has no systemctl; services are controlled with the service command
service nginx start

Method 2: applicable to CentOS 7

#Note: if nginx was started directly with the nginx command, kill that process first, otherwise systemd's start will conflict with it
#The heredoc delimiter is quoted so that $MAINPID reaches the unit file literally instead of being expanded by the shell
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF

chmod 754 /usr/lib/systemd/system/nginx.service		#Setting 754 permissions is a security optimization
systemctl daemon-reload
systemctl start nginx.service && systemctl enable nginx.service

2.4 one click compilation and installation script

#!/bin/bash
iptables -F
yum -y install epel-release && yum clean all && yum makecache
yum -y install pcre-devel zlib-devel gcc gcc-c++ make wget
useradd -M -s /sbin/nologin nginx
wget http://nginx.org/download/nginx-1.12.2.tar.gz -P /opt
tar zxvf /opt/nginx-1.12.2.tar.gz -C /opt
cd /opt/nginx-1.12.2

./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module

make -j 4 && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

#Quoted delimiter: $MAINPID must be written to the unit file literally
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF

chmod 754 /usr/lib/systemd/system/nginx.service
systemctl daemon-reload && systemctl start nginx.service && systemctl enable nginx.service

echo " "
if pgrep "nginx" &> /dev/null; then
        echo -e "\033[32mnginx The service is running normally and can be checked with curl\033[0m"
else
        echo -e "\033[31mnginx The service is running abnormally. Please check\033[0m"
fi

3. Nginx configuration file

3.1 nginx.conf overview

Structure diagram I

Structure diagram II

Main profile content

[root@c7-1 ~]#cat /usr/local/nginx/conf/nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

3.2 detailed explanation of nginx.conf module

(1) Global module

  Configures directives that affect nginx globally. Typically these are the user and group that run the nginx server, the storage path of the nginx process pid file, the log storage path, inclusion of configuration files, the number of worker processes allowed to be spawned, and so on.

user nobody;				#Running user. If none was specified at compile time, it defaults to nobody
worker_processes 1;			#Number of worker processes; can be set to the number of server cores * 2. For low-traffic sites it is generally set to 1
#error_log logs/error.log;	#Location of the error log file
#pid logs/nginx.pid;		#Location of the PID file

(2) events module

  Configures settings that affect the nginx server's network connections with users: the maximum number of connections per worker process, which event-driven model is used to process connection requests, whether several network connections may be accepted at the same time, and whether serialization of multiple network connections is enabled.

events {
    use epoll;	#Use the epoll model; on kernels 2.6 and above epoll is recommended to improve performance
    worker_connections 4096;	#Each worker process handles up to 4096 connections
}
  • To raise the number of connections per process you also need to run "ulimit -n 65535", which temporarily raises the maximum number of files a local process may open simultaneously
  • When handling highly concurrent TCP connections on Linux, the maximum number of concurrent connections is limited above all by the system's limit on the number of files a single user process can open simultaneously (the system creates a socket handle for every TCP connection, and each socket handle is also a file handle)
  • Use the ulimit -a command to view the limit on the number of files the current user process is allowed to open

(3) HTTP module

  Several servers can be nested in it, and it configures most functions such as proxying, caching, log definition and the settings of third-party modules: file inclusion, MIME type definitions, custom logs, whether to use sendfile to transfer files, connection timeouts, the number of requests per connection, and so on.

http {
    ##File extension and file type mapping table
    include     mime.types;
    ##Default file type
    default_type  application/octet-stream;
    ##Log format setting
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    ##Access log location
    #access_log  logs/access.log  main;
    ##Send (download) files with the sendfile() system call
    sendfile    on;
    ##Enables or disables the TCP_CORK socket option (buffer data before sending packets); only used together with sendfile
    #tcp_nopush        on;
    ##Keep-alive connection timeout, in seconds
    #keepalive_timeout  0;
    keepalive_timeout  65;
    ##Gzip module settings: whether to enable gzip compressed output
    #gzip   on;

    ##Listening configuration for the web service
    server {
        ##Listening address and port
        listen 80;
        ##Site domain name; there can be several, separated by spaces
        server_name www.xcf.com;
        ##Default character set for web pages
        charset utf-8;
        ##Root location configuration
        location / {
            ##Site root directory, relative to the install prefix: /usr/local/nginx/html
            root html;
            ##Default home page file names
            index index.html index.php;
        }
        ##Feedback page for internal server errors
        error_page 500 502 503 504 /50x.html;
        ##Error page configuration
        location = /50x.html {
            root html;
        }
    }
}

① Log format setting

Log format variables:
$remote_addr and $http_x_forwarded_for: record the client's IP address;
$remote_user: records the client user name;
$time_local: records the access time and time zone;
$request: records the request URL and HTTP protocol;
$status: records the request status code; success is 200;
$body_bytes_sent: records the size of the response body sent to the client;
$http_referer: records which page link the request came from;
$http_user_agent: records information about the client browser;
  • Usually the web server sits behind a reverse proxy, so the client's real IP address cannot be obtained from $remote_addr: the address it holds is that of the reverse proxy server
  • The reverse proxy server can add an X-Forwarded-For header to the forwarded request, which records the IP address of the original client and the server address requested by the original client
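The two bullets above worked through in shell, as an added example that is not code from the original article: an awk parser for lines in the main log_format that attributes each request to the client behind the proxy rather than to the proxy itself. The log lines are constructed sample data and the function names are my own.

```shell
# Constructed access-log lines in the default "main" log_format shown above
# (sample data, not from a real server). Behind a reverse proxy, $remote_addr
# is the proxy (10.0.0.5 here) and the original client appears only in the
# last "$http_x_forwarded_for" field, which may hold a comma-separated hop list.
SAMPLE_LOG='10.0.0.5 - - [05/Oct/2021:14:59:50 -0400] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "203.0.113.7"
10.0.0.5 - zhangsan [05/Oct/2021:15:00:01 -0400] "GET /status HTTP/1.1" 200 97 "-" "curl/7.29.0" "198.51.100.9, 203.0.113.7"
192.168.10.30 - - [05/Oct/2021:15:00:12 -0400] "POST /login HTTP/1.1" 403 162 "http://www.test.com/" "Mozilla/5.0" "-"'

# client_ip <one log line>
# Prints the client address to attribute the request to: the LAST entry of
# X-Forwarded-For when present (the hop our own proxy appended, and so the only
# one it vouches for; earlier entries arrive from the client and can say
# anything), otherwise $remote_addr for a direct connection.
client_ip() {
    printf '%s\n' "$1" | awk -F'"' '{
        # Splitting on double quotes gives: $1 = "remote_addr - remote_user [time] ",
        # $2 = request, $3 = " status bytes ", $4 = referer, $6 = user agent,
        # $8 = x_forwarded_for. This stays correct even when the user agent
        # or referer contains spaces, unlike a plain whitespace split.
        split($1, head, " ")
        if ($8 == "-" || $8 == "") { print head[1]; exit }
        n = split($8, hops, /, */)
        print hops[n]
    }'
}

# status_code <one log line>  -> the $status field
status_code() {
    printf '%s\n' "$1" | awk -F'"' '{ split($3, s, " "); print s[1] }'
}

# count_by_client <log text>
# Requests per resolved client, most active first: the view a defender wants,
# since counting $remote_addr alone would just count the proxy.
count_by_client() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -n "$line" ]; then client_ip "$line"; fi
    done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}
```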

② location configuration

Common configuration directives: root, alias, proxy_pass

root (root path configuration)
#The full request URI is appended to the root path. With root /usr/local/nginx/html in a location matching /test/, a request for www.test.com/test/1.jpg returns the file /usr/local/nginx/html/test/1.jpg

alias (alias configuration)
#The part of the URI matched by the location is replaced by the alias path. With alias /usr/local/nginx/html/ in the same location, a request for www.test.com/test/1.jpg returns the file /usr/local/nginx/html/1.jpg

proxy_pass (reverse proxy configuration)
#proxy_pass http://127.0.0.1:8080/;	#Like alias, the matched location prefix is replaced: the request for /test/1.jpg is forwarded to http://127.0.0.1:8080/1.jpg

(4) server block

Configures the parameters of a virtual host. One http block can contain several servers.

server {
    keepalive_requests 120; 	#Maximum number of requests per keep-alive connection
    listen       4545;   		#Listening port
    server_name  127.0.0.1;   	#Virtual host name, matched against the request's Host header
    location ~* ^.+$ {       	#Regular-expression filter on the request URL: ~ is case sensitive, ~* is case insensitive
       #root path;  			#Root directory
       #index vv.txt;  			#Default page
       proxy_pass  http://mysvr; 	#The request is passed to the server list defined by the upstream named mysvr (not shown here)
       deny 127.0.0.1;			#Denied IP
       allow 172.18.5.54;		#Allowed IP (every other client is allowed too, since no closing deny rule follows)
    }
}

(5) location block

Configures request routing and the handling of individual pages.

location / {
    root   html;
    index  index.html index.htm;
}

location /status {	#Connection statistics page (see 4.1); in production restrict it with allow/deny (see 4.3)
    stub_status on;
    access_log off;
}

location ~* ^.+$ {
    #root path;
    #index vv.txt;
    proxy_pass  http://mysvr;
    deny 127.0.0.1;
    allow 172.18.5.54;
}


4. Nginx access control

4.1 access status statistics

Check whether the installed nginx was built with the --with-http_stub_status_module module

/usr/local/nginx/sbin/nginx -V    #or simply: nginx -V

Modify the nginx.conf configuration file and add a stub_status location (see the location /status example in 3.2)

Restart the service and test access

systemctl restart nginx
echo "192.168.10.20 www.test.com" >> /etc/hosts


Field meaning

Active connections: 1              #Current number of active connections
server accepts handled requests    #Connection statistics
 1 1 1                             #Connections accepted, connections handled (successful TCP handshakes), requests processed
Reading: 0 Writing: 1 Waiting: 0   #Connections currently reading a request, writing a response, and waiting (idle keep-alive)

Use scripts to monitor the number of connections

[root@c7-1 /data]#cat connect.sh
#!/bin/bash
#Fetch the stub_status page and keep only the value after "Active connections:"
curl -s www.test.com/status > active.txt
connect=$(awk '/Active/ {print $3}' active.txt)

#If curl failed, $connect is empty and an unquoted numeric test would error out; treat it as 0
if [ "${connect:-0}" -gt 1 ];then
        echo -e "\033[31m The current number of connections is too high, please note!\033[0m"
else
        echo -e "\033[32m The number of connections is normal\033[0m"
fi

[root@c7-1 /data]#bash connect.sh 
The number of connections is normal
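An added example extending connect.sh (my code, not the article's): it parses every field listed under "Field meaning" rather than only the Active count, and flags the conditions those counters reveal. The stub_status text is constructed sample data and the thresholds are illustrative.

```shell
# Constructed stub_status response (sample data in the layout shown under
# "Field meaning"; in production it comes from curl -s www.test.com/status).
SAMPLE_STATUS='Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106'

# status_field <stub_status text> <name>
# Extracts one counter: active, accepts, handled, requests, reading, writing
# or waiting. Prints nothing if the text is not a stub_status page.
status_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Active connections:/ { v["active"] = $3 }
        /^server accepts/      { getline; v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        /^Reading:/            { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END { if (want in v) print v[want] }'
}

# check_status <stub_status text> <active-connection threshold>
# Prints one finding per line; returns 0 when all is well, 1 when something
# needs attention, 2 when the input is unusable (curl failed, module missing).
# Besides the Active count that connect.sh tests, it flags two conditions the
# raw numbers hide: accepts greater than handled means nginx accepted
# connections it could not serve (usually the worker_connections or open-file
# limit from 3.2 was reached), and a large Waiting share means idle keep-alive
# connections hold most slots (consider a shorter keepalive_timeout).
check_status() {
    active=$(status_field "$1" active)
    if [ -z "$active" ]; then
        echo "ERROR: not a stub_status page"
        return 2
    fi
    accepts=$(status_field "$1" accepts)
    handled=$(status_field "$1" handled)
    waiting=$(status_field "$1" waiting)
    rc=0
    if [ "$active" -gt "$2" ]; then
        echo "WARN: $active active connections exceed threshold $2"; rc=1
    fi
    if [ "$accepts" -gt "$handled" ]; then
        echo "WARN: $((accepts - handled)) connections accepted but not handled (resource limit hit)"; rc=1
    fi
    if [ "$active" -gt 0 ] && [ $((waiting * 100 / active)) -gt 80 ]; then
        echo "INFO: $waiting of $active connections are idle keep-alives"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $active active connections"; fi
    return "$rc"
}
```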

4.2 authorization based access control

Generate user password authentication file

yum -y install httpd-tools
htpasswd -c /usr/local/nginx/passwd.db zhangsan		#-c creates the file and prompts for the password; omit -c when adding further users, or the file is overwritten
chown nginx /usr/local/nginx/passwd.db
chmod 400 /usr/local/nginx/passwd.db

Modify the main configuration file and add authentication configuration items

[root@c7-1 ~]#vim /usr/local/nginx/conf/nginx.conf
......
        location / {
            root   html;
            index  index.html index.htm;
            ##Add authentication configuration
            auth_basic "secret";      ##Set password prompt box text message
            auth_basic_user_file /usr/local/nginx/passwd.db;
        }
......

Restart the service and access the test

nginx -t
systemctl restart nginx
#Visit www.test.com using the Firefox browser that comes with the virtual machine


4.3 client based access control: blacklist and whitelist

The access control rules are as follows:

  • deny IP/IP segment: denies access to clients from that IP or IP range
  • allow IP/IP segment: allows access to clients from that IP or IP range
  • Rules are evaluated from top to bottom; the first rule that matches is applied and the remaining rules are not checked

systemctl restart nginx
#Test access from the 192.168.10.30 machine
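The top-to-bottom, first-match rule replayed in shell, as an added example that is not the article's configuration: the function decides for a client address against a constructed rule set, including a re-ordered copy that silently defeats the intended block. IPv4 only; the rule strings and function names are mine.

```shell
# Constructed rule sets (sample data, not from the article). Each string is
# the body of a location/server block in the order nginx would read it.
# Intended policy: block one host, allow the rest of its subnet and
# localhost, deny everyone else.
RULES='deny  192.168.10.30;
allow 192.168.10.0/24;
allow 127.0.0.1;
deny  all;'

# Same rules with the first two swapped: the /24 now matches first, so the
# host-specific deny is never reached and 192.168.10.30 gets in.
RULES_WRONG_ORDER='allow 192.168.10.0/24;
deny  192.168.10.30;
allow 127.0.0.1;
deny  all;'

# access_decision <rules> <client IPv4>
# Replays nginx's allow/deny evaluation: rules are read top to bottom and the
# first one whose address or CIDR range contains the client wins; later rules
# are not consulted. Prints "<allow|deny> <rule number>", or "allow 0" when
# nothing matched (nginx permits the request in that case, which is why a
# whitelist needs a closing "deny all"). The address nginx tests is
# $remote_addr, so behind a reverse proxy it is the proxy's address (see 3.2).
access_decision() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function toint(a,  o) {                 # dotted quad -> 32-bit number
            split(a, o, ".")
            return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
        }
        function contains(rule, addr,  p, bits, net, scale) {
            if (rule == "all") return 1
            p = index(rule, "/")
            bits = p ? substr(rule, p + 1) + 0 : 32
            net  = p ? substr(rule, 1, p - 1) : rule
            scale = 2 ^ (32 - bits)             # compare only the first <bits> bits
            return int(toint(net) / scale) == int(toint(addr) / scale)
        }
        $1 == "allow" || $1 == "deny" {
            sub(/;$/, "", $2)
            if (contains($2, ip)) { print $1, NR; found = 1; exit }
        }
        END { if (!found) print "allow", 0 }'
}
```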

5. Nginx virtual host

5.1 domain name based nginx virtual host

Provide domain name resolution for virtual host

echo "192.168.10.20 www.test.com www.abc.com" >> /etc/hosts

Preparing web documents for virtual hosts

mkdir -p /var/www/html/test
mkdir -p /var/www/html/abc
echo "<h1>www.test.com</h1>" > /var/www/html/test/index.html
echo "<h1>www.abc.com</h1>" > /var/www/html/abc/index.html

Modify the nginx.conf configuration file and add the following configuration

......
    server {
        listen       80;
        server_name  www.test.com;

        charset utf-8;

        access_log  logs/test.access.log;

        location / {
            root   /var/www/html/test;
            index  index.html index.htm;
        }
    }

    server {
        listen       80;
        server_name  www.abc.com;

        charset utf-8;

        access_log  logs/abc.access.log;

        location / {
            root   /var/www/html/abc;
            index  index.html index.htm;
        }
    }
......

Restart the service and access the test

nginx -t
systemctl restart nginx


5.2 IP based nginx virtual host

Add a virtual network interface (IP alias)

ifconfig ens33:0 192.168.10.21 netmask 255.255.255.0
#Delete: ifconfig ens33:0 del 192.168.10.21

Modify nginx.conf configuration file

......
    server {
        listen 192.168.10.20:80;
        server_name  www.test.com;

        charset utf-8;

        access_log  logs/test.access.log;

        location / {
            root   /var/www/html/test;
            index  index.html index.htm;
        }
    }

    server {
        listen 192.168.10.21:80;
        server_name  www.abc.com;

        charset utf-8;

        access_log  logs/abc.access.log;

        location / {
            root   /var/www/html/abc;
            index  index.html index.htm;
        }
    }
......

Restart the service and access the test

nginx -t
systemctl restart nginx


5.3 port based nginx virtual host

Modify nginx.conf configuration file

......
    server {
        listen 192.168.10.20:80;
        server_name  www.test.com;

        charset utf-8;

        access_log  logs/test.access.log;

        location / {
            root   /var/www/html/test;
            index  index.html index.htm;
        }
    }

    server {
        listen 192.168.10.20:8888;
        server_name  www.abc.com;

        charset utf-8;

        access_log  logs/abc.access.log;

        location / {
            root   /var/www/html/abc;
            index  index.html index.htm;
        }
    }
......

Restart the service and access the test

nginx -t
systemctl restart nginx




Posted on Tue, 05 Oct 2021 14:59:50 -0400 by mausie