Nginx进阶
Nginx配置文件详解
#user nobody; **运行时用户,默认nobody** worker_processes 1; **运行时线程数,一般设置为和CPU核数相同** #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; **全局错误日志** #pidlogs/nginx.pid; **Nginx的PID文件** events { worker_connections 1024; **最大并发连接数** } http { include mime.types; **设定mime类型,类型由mime.type文件决定** default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' **Nginx访问日志,默认不开启** # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main;
**sendfile 指令指定 nginx 是否调用 sendfile 函数(zero copy 方式)来输出文件,对于普通应用,** **必须设为 on,如果用来进行下载等应用磁盘IO重负载应用,可设置为 off,以平衡磁盘与网络I/O处理速度,降低系统的uptime.** sendfile on; #tcp_nopush on; **连接超时时间** #keepalive_timeout 0; keepalive_timeout 65; #gzip on; **定义虚拟主机** server { listen 443; server_name localhost; ssl on; ssl_certificate /usr/local/nginx/conf/ssl/server.crt; **配置https** ssl_certificate_key /usr/local/nginx/conf/ssl/server.key; #charset koi8-r; #access_log logs/host.access.log main; location / { auth_basic "Need_auth"; auth_basic_user_file /usr/local/nginx/conf/htpasswd; **配置访问控制,访问需要授权** rewrite ^/(.*)$ http://testxa.360scm.com/$1 permanent; **配置域名跳转 permanent表示永久跳转 redirect表示临时跳转** root html; index index.html index.htm; } #error_page 404 /404.html; location /test { root html; index index.html index.htm; rewrite ^/(.*)$ http://www.baidu.com/$1 permanent; } # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #}}
nginx使用Https
-
编译安装nginx,指定必要模块
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-stream_ssl_module --with-stream - 创建自签证书
cd /usr/local/nginx/conf/ssl openssl genrsa -des3 -out server.key 1024 openssl req -new -key server.key -out server.csr cp server.key server.key.org **加载ssl时使用上述密钥除去必要口令** openssl rsa -in server.key.org -out server.key openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt **标记证书使用上述密钥** -
修改默认nginx配置文件 启用ssl
server { listen 443; server_name localhost; ssl on; ssl_certificate /usr/local/nginx/conf/ssl/server.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/server.key; ...... ...... ...... }
Nginx 使用账户密码
-
创建账户密码(账户localhost,密码test)
printf "localhost:$(openssl passwd -crypt test)\n" > /usr/local/nginx/conf/htpasswd -
修改nginx配置文件
location / { auth_basic "Need_auth"; auth_basic_user_file /usr/local/nginx/conf/htpasswd; root html; index index.html index.htm; }
Nginx 域名跳转
- 域名跳转
- 301跳转: 永久(搜索引擎不会再抓取原域名地址的内容)
- 302跳转: 临时 (搜索引擎还是会抓取原域名地址的内容)
-
永久301跳转和302跳转
rewrite ^/(.*)$ http://www.baidu.com/$1 permanent ##永久跳转rewrite ^/(.*)$ http://www.baidu.com/$1 redirect ##临时跳转 -
当整个域名需要跳转时,只能有个location /,不能再有其他的
location /test { root html; index index.html index.htm ##这一段不会跳转 }
Nginx location 优先级
-
两个普通的location进行测试,当访问/test的时候,两个都会匹配到,但是以匹配多的那个为主,返回401
location /{ return 400; } location /test{ return 401; } -
加入正则的location测试,当访问/test的时候,优先匹配正则,返回402
location /{ return 400; } location /test{ return 401; } location ~^/test { return 402; } -
两个正则对比,当访问/test/aaa的时候,只匹配了第一个,返回402,说明正则的匹配后就会退出,不再匹配后面的正则
location ~^/test { return 402; } location ~^/test/aaa { return 403; } -
正则匹配和精准匹配的测试,访问/test/aaa,会匹配到精准匹配的,也就是精准匹配的优先级最高,无论它放在那个位置
location ~^/test { return 402; } location ~^/test/aaa { return 403; } location = /test/aaa{ return 404; }
Nginx使用反向代理
-
编译时必须加入
--with-http_ssl_module --with-stream_ssl_module --with-stream参数 -
代理到后端服务器
server { listen 9090; location /{ proxy_pass http://127.0.0.1:90; } }
Nginx使用负载均衡
-
平均轮询
//定义后端服务器 upstream backends{ server 127.0.0.1:9000; server 127.0.0.1:9001; server 127.0.0.1:9002; } //配置代理到后端服务器组 location /{ root html; index index.html index.htm; proxy_pass http://backends; } -
加权轮询
//定义后端服务器 upstream backends{ server 127.0.0.1:9000 weight=4; server 127.0.0.1:9001 weight=5; server 127.0.0.1:9002 weight=6; } //配置代理到后端服务器组 location /{ root html; index index.html index.htm; proxy_pass http://backends; } -
ip_hash(主要是为了解决session保留问题)
//定义后端服务器 upstream backends{ ip_hash; server 127.0.0.1:9000 max_fails=3 fail_timeout=30; server 127.0.0.1:9001 max_fails=3 fail_timeout=30; server 127.0.0.1:9002 max_fails=3 fail_timeout=30; } //配置代理到后端服务器组 location /{ root html; index index.html index.htm; proxy_pass http://backends; } -
其他常用配置
//定义后端服务器 upstream backends{ ip_hash; server 127.0.0.1:9000 max_fails=3 fail_timeout=30; *max_fails 达到指定次数后判定服务器挂掉*** server 127.0.0.1:9001 max_fails=3 fail_timeout=30; **fail_timeout 挂掉多久后再次测试是否已经挂掉** server 127.0.0.1:9002 max_fails=3 fail_timeout=30; server 127.0.0.1:9002 max_fails=3 fail_timeout=30 backup; ** backup指定服务器正在备份,不参与转发** server 127.0.0.1:9002 max_fails=3 fail_timeout=30 down; **down 临时停机维护,不参与转发,是关闭状态** } //配置代理到后端服务器组 location /{ root html; index index.html index.htm; proxy_pass http://backends; }