Nginx服务配置综合实例
################################1.安装nginx,yum安装,编译安装
Nginx是一个免费,开源,高性能的HTTP服务器,同时也可以作为反向代理服务器,支持IMAP/POP3邮件代理服务器,支持模块化定制功能。
Nginx支持三种运行模式,默认为worker模式:
prefork:进程模型,两级结构,主进程master负责生成和管理子进程,每个子进程负责响应一个请求;
worker:线程模型,三级结构,主进程负责生成子进程,每个子进程负责生成多个线程,每个线程响应一个请求;
event:两级结构,主进程负责生成子进程,每个子进程响应多个请求;
更改nginx运行模式,通过ps/pstree来查看进程状态变化。
nginx的安装配置:
系统版本:centos-7.3
软件版本:nginx-1.12.1
安装方式:yum-epel源
官方的预制包:
http://nginx.org/packages/centos/7/x86_64/RPMS/
vi /etc/yum.repos.d/epel.repo
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/x86_64/
#baseurl=http://nginx.org/packages/centos/7/x86_64/
gpgcheck=0
enabled=1
# yum info nginx
# yum list nginx*
# yum install nginx
# rpm -ql nginx//查看生成的相关文件
# nginx -V//查看yum-epel源安装nginx的默认参数及模块
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
编译安装:
# yum groupinstall "Development Tools"
# yum install pcre-devel openssl-devel zlib-devel
# useradd -r nginx
# ./configure --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_dav_module --with-http_stub_status_module --with-threads --with-file-aio
# make && make install
配置文件:
主配置文件:/etc/nginx/nginx.conf
独立配置文件 conf.d/*.conf
fastcgi,uwsgi,scgi等协议相关的配置文件
mime.types:支持的mime类型
主程序文件:/usr/sbin/nginx
模块文件:/usr/lib64/nginx/modules
服务文件:/usr/lib/systemd/system/nginx.service
查看命令帮助:nginx -h
测试配置:nginx -t
停止或重载:nginx -s stop|reload|reopen
指定配置文件:nginx -c /etc/nginx/nginx.conf
显示编译时的参数选项:nginx -V
################################
2.搭建简单web站点,定义多个虚拟主机,实现负载均衡
nginx1:192.168.10.71
nginx2:192.168.10.72
nginx_proxy:192.168.10.73
================
定义一个虚拟主机:
mkdir -pv /app/vhost1//确保网站目录和文件的other权限有r读权限,否则nginx用户则无法访问,会导致4xx错误
echo "Nginx vhost1 1111." > /app/vhost1/index.html
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name 192.168.10.71;
listen 8080;
root "/app/vhost1";
}
重启服务
systemctl start nginx
nginx -t
nginx -s reload
ss -tnlp
访问测试:
curl 192.168.10.71
================
定义多个虚拟主机-通过不同的端口:
mkdir -pv /app/vhost2//确保网站目录和文件的other权限有r读权限,否则nginx用户则无法访问,会导致4xx错误
echo "Nginx vhost2 2222." > /app/vhost2/index.html
vi /etc/nginx/conf.d/vhost1.conf//增加如下server配置
server {
server_name 192.168.10.71;
listen 8081;
root "/app/vhost2";
}
nginx -t
nginx -s reload
ss -tnl
访问测试:
curl 192.168.10.71:8080
curl 192.168.10.71:8081
或者通过域名来定义虚拟主机:
vi /etc/nginx/conf.d/vhost2.conf
server {
server_name www.a.com;
listen 80;
root "/app/vhost1";
}
server {
server_name www.b.com;
listen 80;
root "/app/vhost2";
}
vi /etc/hosts
192.168.10.71 www.a.com www.b.com
访问测试:
nginx -s reload
curl www.a.com
curl www.b.com
================
负载均衡:
这里使用两个虚拟主机来模拟两台web服务器
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name 192.168.10.71;
listen 8080;
root "/app/vhost1";
}
server {
server_name 192.168.10.71;
listen 8081;
root "/app/vhost2";
}
upstream websrvs {//设置群组名称,以下对应上面的两个虚拟主机
server 192.168.10.71:8080;
server 192.168.10.71:8081;
}
server {
listen 8080;//设置访问端口
server_name www.c.com;//设置访问地址
location / {
proxy_pass http://websrvs;//对应上面定义的群组名称
}
}
增加host解析
vi /etc/hosts
192.168.10.71 www.c.com
访问测试:
nginx -t
nginx -s reload
curl www.c.com:8080//默认显示为轮询
for i in {1..10};do curl www.c.com:8080;done
################################
3.配置访问限制和用户认证,压缩,日志,代理,防盗链,rewrite,https,nginx状态信息查看
================
优化nginx配置:
vi /etc/nginx/nginx.conf
worker_processesauto;
worker_cpu_affinity auto;
worker_priority -3;
查看进程和优先级
ps axo pid,comm,psr,ni | grep nginx
ngx_http_access_module模块:
实现基于ip的访问控制功能
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name 192.168.10.71;
listen 8080;
root "/app/vhost1";
location / {
deny 192.168.10.72;
allow 192.168.10.73;
deny all;
}
}
================
ngx_http_auth_basic_module模块:
实现基于用户的访问控制,使用basic机制进行用户认证
vi /etc/nginx/conf.d/vhost1.conf替换location配置如下
location / {
auth_basic "admin auth";
auth_basic_user_file "/etc/nginx/.ngxpasswd";
}
yum install httpd-tools
htpasswd -c -m /etc/nginx/.ngxpasswd user1//提示输入密码,首个用户需要加-c参数
htpasswd -m /etc/nginx/.ngxpasswd user2
more /etc/nginx/.ngxpasswd
测试访问:
yum install elinks
elinks 192.168.10.71:8080//提示输入用户名和密码才能访问
================
ngx_http_stub_status_module模块:
用于输出nginx的基本状态信息
vi /etc/nginx/conf.d/vhost1.conf替换location配置如下
location/basic_status {
stub_status;
}
测试访问:
curl192.168.10.71:8080/status
Active connections: 1
server accepts handled requests
67 67 102
Reading: 0 Writing: 1 Waiting: 0
================
ngx_http_gzip_module模块:
用于压缩页面文件,减少带宽的浪费
location / {
gzipon;
gzip_comp_level 6;
gzip_min_length 64;
gzip_proxied any;
gzip_types text/xml text/css text/txt application/javascript;
}
cp /var/log/messages /app/vhost1/messages.txt
chmod 644 /app/vhost1/messages.txt
测试访问:
通过chrome或者Firefox访问
http://192.168.10.71:8080/messages.txt
按F12显示开发者工具栏,强制刷新会显示Size大小明显变小,并显示如下调试信息
Accept-Encoding:gzip, deflate
================
ngx_http_ssl_module模块:
配置加密的https
配置CA证书服务器,IP-10.72:
cd /etc/pki/CA
touch index.txt
echo 01 > serial
(umask 077; openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 –key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
提示输入国家,省,市,公司名称,部门名称,CA主机名(颁发者名称)
C=CN, ST=HA, L=ZZ, O=c73, OU=IT, CN=ca.a.com
查看生成的证书
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
生成并发送web服务器(10.71)的证书请求文件到CA服务器(10.72):
在web服务器上生成证书请求文件,此处的key文件对应nginx中的ssl-key配置路径
(umask 077; openssl genrsa -out /app/service.key 2048)
openssl req -new -key /app/service.key -out /app/service.csr
同样提示输入国家,省,市等信息。注意:国家,省,公司名称三项必须和CA一致。主机名称必须和网站域名相同,如www.a.com。或者使用泛域名,即*.a.com,匹配所有。
scp /app/service.csr 192.168.10.72:/etc/pki/CA/certs/
CA服务器签署证书,并将证书颁发给web服务器,注意证书文件后缀为*.crt
openssl ca -in /etc/pki/CA/certs/service.csr –out /etc/pki/CA/certs/service.crt -days 365
scp /etc/pki/CA/certs/service.crt 192.168.10.71:/app/
配置nginx支持https访问:
vi /etc/nginx/vhost1.conf
server {
listen 443 ssl;
server_name www.a.com;
root /app/vhost1;
ssl on;
ssl_certificate /app/service.crt;//证书文件路径
ssl_certificate_key /app/service.key;//key文件路径
ssl_session_cache shared:sslcache:20m;
}
通过浏览器访问:
https://192.168.10.71
或者通过命令行访问
curlhttps://192.168.10.71 //直接访问会提示证书不可用
curl -k https://192.168.10.71//加上-k参数就可以忽略证书访问
================
ngx_http_rewrite_module模块:
配置URL重定向,将/bbs跳转到vhost2虚拟主机上
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name 192.168.10.71;
listen 8080;
root "/app/vhost1";
location / {
rewrite ^/bbs/(.*)$ http://192.168.10.71:8081;
}
}
server {
server_name 192.168.10.71;
listen 8081;
root "/app/vhost2";
}
注意:需要创建/app/vhost1/bbs目录
mkdir /app/vhost1/bbs
通过浏览器访问自动跳转到vhost2定义的页面
http://192.168.10.71/bbs
通过命令行访问:
curl -I 192.168.10.71:8080/bbs
代码提示301,并显示
Location: http://192.168.10.71:8080/bbs/
------------------------
配置永久跳转http-->https
vi /etc/nginx/conf.d/default.conf//在server配置段增加如下一行内容
rewrite ^(.*)$https://$host$1 permanent;
通过浏览器访问http自动跳转到https
http://192.168.10.71
通过命令行访问
elinks http://192.168.10.71
curl -I 192.168.10.71//代码提示301跳转,并显示location位置为https://
================
ngx_http_referer_module模块:
nginx防盗链,配置只允许通过*.a.com和*.b.com来链接访问,其他均拒绝:
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name www.a.com;
listen 8080;
root "/app/vhost1";
valid_referers none block server_names *.a.com *.b.com;
if ($invalid_referer) {
return 403;
}
}
通过命令行测试:
# curl -e "http://www.b.com:8080" "http://www.a.com:8080"
Nginx vhost1 1111.//访问正常
# curl -e "http://www.c.com:8080" "http://www.a.com:8080"
显示403 Forbidden//无法访问,链接失败
================
ngx_http_proxy_module模块:
http代理,配置/bbs/跳转到vhost2虚拟主机
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name 192.168.10.71;
listen 8080;
root "/app/vhost1";
location /bbs/ {
proxy_pass http://192.168.10.71:8081/;
}
}
server {
server_name 192.168.10.71;
listen 8081;
root "/app/vhost2";
}
注意以下情况proxy_pass最后均不能添加URI:
当location中定义了正则表达式;当location包含在named localtion或者if语句或者limit_except三者中时,不能添加URI。
通过命令行访问:
curl 192.168.10.71:8080
curl 192.168.10.71:8080/bbs/跳转到vhost2的虚拟主机页面
================
ngx_http_log_module模块
日志
log_format compression '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
access_log /spool/logs/nginx-access.log compression buffer=32k;
显示的日志格式如下:
more /var/log/nginx/access.log
192.168.10.71 - - "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
================
ngx_http_fastcgi_module模块:
配置php-fpm服务
yum install -y php-fpm//注意fpm和php有冲突
vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx
systemctl start php-fpm
ss -tnl//是否监听9000端口
vi /app/vhost2/index.php
<?php
phpinfo();
?>
配置fastcgi代理,配置通过/status和/ping来获取fpm server状态信息;
vi /etc/nginx/conf.d/vhost1.conf
server {
server_name 192.168.10.71;
listen 8080;
root "/app/vhost2";
index index.php;
location ~* \.php$ {
fastcgi_pass127.0.0.1:9000;
fastcgi_indexindex.php;
fastcgi_paramSCRIPT_FILENAME/app/vhost2$fastcgi_script_name;
include fastcgi_params;
}
location ~* ^/(status|ping)$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_paramSCRIPT_FILENAME$fastcgi_script_name;
include fastcgi_params;
}
}
浏览器测试:
http://192.168.10.71:8080
显示信息:Server API FPM/FastCGI
状态信息:
http://192.168.10.71:8080/status?full
http://192.168.10.71:8080/status?json
http://192.168.10.71:8080/status?xml
http://192.168.10.71:8080/ping//正常显示为pong,显示信息可以在php-fpm配置文件中更改ping.response参数
################################
4.搭建WordPress站点,两台主机实现lanmp-(nginx+httpd+php+mariadb)
nginx实现php解析的2中方式:
nginx+fastcgi_module+php-fpm--单台主机
nginx+httpd_lamp--两台主机(推荐)
server1: 192.168.10.71
server2: 192.168.10.72
server1配置nginx实现静态页面处理;server2配置lamp实现动态页面处理;server1配置代理,实现动静分离,即将*.php动态页面转发给server2,由server2处理后返回结果页面给server1。
配置lamp服务
yum install -y httpd php-mysql mariadb-server php
systemctl start httpd
systemctl start mariadb
测试httpd服务
echo "httpd test" >/var/www/html/index.html
vi /var/www/html/index.php
<?php
phpinfo();
?>
curl 127.0.0.1
curl 127.0.0.1/index.php
配置mariadb
mysql
mysql_secure_installation
mysql -uroot -p
创建数据库
MariaDB [(none)]> create database wpdb;
MariaDB [(none)]> grant all on wpdb.* to wpuser@'192.168.10.%' identified by"redhat";
配置WordPress站点
cp wordpress-4.7.4-zh_CN.tar.gz /var/www/html/
cp phpMyAdmin-4.0.10.20-all-languages.zip /var/www/html/
cd /var/www/html/
tar -xf wordpress-4.7.4-zh_CN.tar.gz
unzip phpMyAdmin-4.0.10.20-all-languages.zip //注意版本选择4.0版
ln -s wordpress wp
ln -s phpMyAdmin-4.0.10.20-all-languages pma
cp wp-config-sample.php wp-config.php
vi wp-config.php//更改wp的配置文件
define('DB_NAME', 'wpdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'redhat');
define('DB_HOST', '192.168.10.71');
vi /etc/httpd/conf/httpd.conf//增加首页文件index.php
DirectoryIndex index.php index.html
yum install php-mbstring//使用pma需要安装此模块
systemctl restart httpd
访问测试:
http://192.168.10.72/wp
http://192.168.10.72/pma
账号和密码为本地数据库的账号和密码,pma默认登录本地数据库
配置nginx服务,实现动静分离
vi /etc/nginx/conf.d/default.conf
server {
listen 80;
server_name192.168.10.71;
location / {
root/usr/share/nginx/html;
indexindex.php index.html;
}
location ~* \.php$ {
proxy_passhttp://192.168.10.72;
index index.php index.html;
}
}
新建两个测试页
nginx-server1:
echo "nginx-web-server-10.71" > /usr/share/nginx/html/test.html
httpd-server2:
echo "httpd-php-web-server-10.72" /var/www/html/test.php
通过浏览器测试:
http://192.168.10.71/test.html
http://192.168.10.71/test.php
可以看到nginx实现*.php转发给后端的lamp处理,但是首页文件index.php测试无效果,即不能通过http://192.168.10.71/index.php直接访问到后端的WordPress站点。
可以通过URL跳转的方式来访问后端站点,增加如下的代理配置
location /wp/ {
proxy_pass http://192.168.10.72/;
index index.php;
}
测试,首次打开网站比较慢:
http://192.168.10.71/wp/
################################
5.配置stream模块,实现ssh代理和负载均衡
stream配置和http配置相冲突,所以需要注释或删除http配置段
vi /etc/nginx/nginx.conf
usernginx;
worker_processesauto;
worker_cpu_affinity auto;
worker_priority -3;
error_log/var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections1024;
#accept_mutex on;
}
stream {
upstream sshsrvs {
server 192.168.10.72:22;
server 192.168.10.73:22;
# ip_hash;
hash $remote_addr consistent;
}
server {
listen 192.168.10.71:22222;
proxy_pass sshsrvs;
proxy_timeout 60s;
proxy_connect_timeout 10s;
}
}
登录测试:
ssh 192.168.10.71 -p 22222
页:
[1]