Nginx筆記（二）Nginx基礎

時間 2019-11-08

標籤 nginx 筆記基礎欄目 Nginx 简体版

原文原文鏈接

Nginx配置文件

nginx.conf是主配置文件，在文件尾經過include /etc/nginx/conf.d/*.conf引入了default.conf配置，組成完整的Nginx配置：php

# 查看nginx.conf配置
cat /etc/nginx/nginx.conf

# nginx服務的系統使用用戶
user  nginx;
# 工做進程數，設置爲CPU核心數就能夠了
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# 查看default.conf配置
cat /etc/nginx/conf.d/default.conf

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

能夠觀察到，整個配置上下文分http、server和location三個層級，分別對應着http請求的全局性配置、server級配置和請求路徑級配置。nginx.conf負責http請求的全局配置，default.conf負責具體server及其下具體location的配置。html

驗證和重載配置
當修改了配置文件，無需重啓Nginx。可經過如下命令驗證配置文件正確性，並重載配置node

# 校驗配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

Nginx變量

咱們在Nginx相關應用場景的配置中，能夠充分利用這些變量。

HTTP請求變量python

arg_參數名
例如，咱們用$arg_userid，就能夠引用到請求參數userid的值
http_請求HEADER名
例如，咱們用$http_user_agent，就能夠引用到請求頭信息User-Agent的值
sent_http_返回HEADER名
在響應客戶端可添加header頭信息

內置變量
能夠參考Nginx文檔的Logging to syslog頁，好比你要查看access log，能夠看到各類內置變量nginx

自定義變量chrome

Nginx日誌

Nginx默認訪問日誌存放路徑：/var/log/nginx/access.log
Nginx默認錯誤日誌存放路徑：/var/log/nginx/error.logapache

日誌格式由nginx.conf配置中的log_format指定：centos

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

咱們查看下Nginx的訪問日誌：服務器

cat /var/log/nginx/access.log

115.198.157.60 - - [03/Feb/2018:10:04:04 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "-"
115.198.157.60 - - [03/Feb/2018:10:04:05 +0800] "GET /favicon.ico HTTP/1.1" 404 571 "http://39.104.93.171/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "-"

日誌格式定製架構

# 配置nginx.conf
vi /etc/nginx/nginx.conf

# 修改log_format，在日誌最前面增長輸出host頭信息
log_format  main  '$http_host '
                      '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

# 校驗配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
nginx -s reload -c /etc/nginx/nginx.conf

# 客戶端再次訪問
http://39.104.93.171/

# 再次查看訪問日誌
tail -n 200 /var/log/nginx/access.log

# 能夠看到日誌最前面已經輸出host了
39.104.93.171 115.198.157.60 - - [03/Feb/2018:11:24:23 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "-"

Nginx虛擬主機配置

Nginx做爲接入層，主要以虛擬主機的方式對外提供多套業務服務

3種配置方式

基於多個IP的配置

server {
    listen       192.168.1.100:80;
    server_name  localhost;
    ...
}
server {
    listen       192.168.1.101:80;
    server_name  localhost;
    ...
}

基於多個端口的配置

server {
    listen       80;
    server_name  localhost;
    ...
}
server {
    listen       81;
    server_name  localhost;
    ...
}

基於域名的配置

server {
    listen       80;
    server_name  1.zhutx.com;
    ...
}
server {
    listen       80;
    server_name  2.zhutx.com;
    ...
}

Nginx模塊

Nginx採用模塊化的架構，Nginx中大部分功能都是經過模塊方式提供的，比方Http模塊、Mail模塊等。經過開發模塊擴展Nginx，可以將Nginx打形成一個全能的應用server。

# 查看nginx編譯參數，--with開頭的就是nginx依賴的模塊
nginx -V

# 能夠看到上一節咱們用官方yum源安裝的nginx，已經把一些經常使用模塊都編譯進來了
nginx version: nginx/1.12.2
......
--with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

下面先介紹幾個模塊的使用配置，後面介紹Nginx場景應用時，將會繼續接觸到其餘的模塊。

咱們每次將從/backup目錄恢復一個default.conf默認配置，並改成具名。

Nginx運行狀態監控

使用模塊
http_stub_status_module

配置上下文
server | location

配置實踐

# 編輯stub_status.conf
cd /etc/nginx/conf.d
mv default.conf stub_status.conf
vi stub_status.conf

# 配置以下
server {
    ...
    # 增長一個location配置
    location /nginx-status {
        stub_status on; # 這裏寫這個
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    ...
}

# 校驗配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

驗證結果

Nginx隨機首頁

使用模塊
http_random_index_module

配置上下文
location

配置實踐

咱們先在/opt/app/code目錄下準備3個頁面index_1.html、index_2.html和index_3.html

cd /opt/app/code

vi index_1.html

<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_1</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello world</body>
</html>

vi index_2.html

<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_2</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello world</body>
</html>

vi index_3.html

<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_3</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello world</body>
</html>

以上3個頁面，只是title不一樣。body內容都是hello world。

接下來開始配置

# 先把以前的配置示例保留下來
cd /etc/nginx/conf.d
mv stub_status.conf stub_status.conf.bak
# 從備份目錄恢復一個配置並更名
cp /opt/backup/default.conf random_index.conf
# 編輯配置
vi random_index.conf

# 配置以下
server {
    ...
    location / {
        #root   /usr/share/nginx/html;
        #index  index.html index.htm;
        root /opt/app/code; # 根路徑指定到咱們的這個目錄
        random_index on; # 打開隨機開關
    }
    ...
}

# 驗證配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

驗證結果

# 咱們直接在nginx服務上用curl命令屢次發起http請求：
[root@centos7 conf.d]# curl http://127.0.0.1
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_2</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello world</body>
</html>
[root@centos7 conf.d]# curl http://127.0.0.1
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_3</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello world</body>
</html>
[root@centos7 conf.d]# curl http://127.0.0.1
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_1</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello world</body>
</html>

能夠看到，3次請求分別輸出了<title>index_2</title>、<title>index_3</title>、<title>index_1</title>

Nginx請求返回字符替換

使用模塊
http_sub_module

配置上下文
http | server | location

配置實踐

# 先把以前的配置示例保留下來
cd /etc/nginx/conf.d
mv random_index.conf random_index.conf.bak
# 從備份目錄恢復一個配置並更名
cp /opt/backup/default.conf sub.conf
# 編輯配置
vi sub.conf

# 配置以下
server {
    ...
    location / {
        #root   /usr/share/nginx/html;
        #index  index.html index.htm;
        root /opt/app/code;
        random_index on;
        sub_filter 'world' 'python'; # 將response信息中的world替換爲python
        sub_filter_once off; # 若匹配到多個，都進行替換
    }
    ...
}

# 配置校驗
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

驗證結果

# 發起屢次http請求，輸出結果字符串都已經被替換成python了：
[root@centos7 conf.d]# curl http://127.0.0.1
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_1</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello python</body>
</html>
[root@centos7 conf.d]# curl http://127.0.0.1
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_2</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello python</body>
</html>
[root@centos7 conf.d]# curl http://127.0.0.1
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>index_3</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>hello python</body>
</html>

Nginx的請求限制

使用模塊
limit_conn_module、limit_req_module
前者控制鏈接頻率，後者控制請求頻率。

配置上下文
limit_conn_zone和limit_req_zone可配置於http內
limit_conn和limit_req可配置於http、server或location內

配置實踐

# 先把以前的配置示例保留下來
cd /etc/nginx/conf.d
mv sub.conf sub.conf.bak
# 從備份目錄恢復一個默認配置並更名
cp /opt/backup/default.conf conn_req.conf
# 編輯配置
vi conn_req.conf

# 配置以下
# 開闢一個1m的鏈接空間，命名爲conn_zone。
limit_conn_zone $binary_remote_addr zone=conn_zone:1m;
# 開闢一個1m的請求空間，命名爲req_zone。接受每一個IP每秒1個的請求頻率
limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s;
server {
    ...
    location / {
        #root   /usr/share/nginx/html;
        #index  index.html index.htm;
        root /opt/app/code;
        # 最多容許創建100個鏈接
        limit_conn conn_zone 100;
        # 按req_zone指定限制請求，即同一IP 1秒只容許1個請求
        limit_req zone=req_zone;
        # 再寬限3個請求，延時處理，按配置速率1秒處理1個
        #limit_req zone=req_zone burst=3;
        # 再寬限3個請求，當即處理，不延時
        #limit_req zone=req_zone burst=3 nodelay;
    }
    ...
}

# 校驗配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

驗證結果

# 爲方便驗證，先按如下命令安裝下apache的壓測工具ab
yum install apr-util
yum install yum-utils
mkdir /opt/ab
cd /opt/ab
yum install yum-utils.noarch
yumdownloader httpd-tools*
rpm2cpio httpd-*.rpm | cpio -idmv
cp /opt/ab/usr/bin/ab /usr/bin/

# 額外開2個終端窗口分別觀察錯誤日誌和訪問日誌
# 開啓錯誤日誌滾動查看
tail -f /var/log/nginx/error.log
# 開啓訪問日誌滾動查看
tail -f /var/log/nginx/access.log

# 用ab命令發出總共10個請求，最大容許同時併發10個
ab -n 10 -c 10 http://127.0.0.1/index_1.html

# 觀察error.log日誌，能夠看到9個被限制的請求：
2018/02/03 17:41:08 [error] 19812#19812: *77 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *78 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *79 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *80 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *81 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *82 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *83 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *84 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"
2018/02/03 17:41:08 [error] 19812#19812: *85 limiting requests, excess: 0.999 by zone "req_zone", client: 127.0.0.1, server: localhost, request: "GET /index_1.html HTTP/1.0", host: "127.0.0.1"

# 觀察access.log日誌，能夠看到只有第1個請求返回200，後面9個都返回503：
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 200 208 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"
127.0.0.1 127.0.0.1 - - [03/Feb/2018:17:41:08 +0800] "GET /index_1.html HTTP/1.0" 503 537 "-" "ApacheBench/2.3" "-"

# 從ab命令執行後的輸出結果，咱們也能夠看到共10次請求，9次失敗：
Concurrency Level:      10
Time taken for tests:   0.002 seconds
Complete requests:      10
Failed requests:        9
   (Connect: 0, Receive: 0, Length: 9, Exceptions: 0)

上面配置裏註釋掉的burst=3和burst=3 nodelay的狀況，可自行嘗試。

Nginx的訪問控制

基於規則

使用模塊
http_access_module

配置上下文

http | server | location | limit_except

配置實踐

# 先把以前的配置示例保留下來
cd /etc/nginx/conf.d
mv conn_req.conf conn_req.conf.bak
# 從備份目錄恢復一個默認配置並更名
cp /opt/backup/default.conf access.conf
# 編輯配置
vi access.conf

# 配置以下
...
server {
    ...
    location ~ ^/index_1.html {
        root   /opt/app/code;
        deny 115.198.157.60; # 拒絕這個IP訪問
        allow all; # 容許其餘全部IP訪問
    }

    location ~ ^/index_2.html {
        root   /opt/app/code;
        allow 115.198.157.60; # 容許這個IP訪問
        deny all; # 拒絕其餘全部IP訪問
    }
    ...
}

# 校驗配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

驗證結果

# 監控錯誤日誌
tail -f /var/log/nginx/error.log

咱們用IP爲115.198.157.60的客戶端去請求。

訪問index_1.html：

# 輸出錯誤日誌：
2018/02/03 18:34:02 [error] 20000#20000: *10 access forbidden by rule, client: 115.198.157.60, server: localhost, request: "GET /index_1.html HTTP/1.1", host: "39.104.93.171"

訪問index_2.html，正常：

當切換另外一個IP客戶端去訪問時，狀況是正好相反。

基於認證

使用模塊
http_auth_basic_module

配置上下文
http | server | location | limit_except

配置實踐

# 咱們先建立一個管理頁admin.html，咱們只容許認證用戶訪問這個頁面
cd /opt/app/code
# 編輯頁面內容
vi admin.html

# 輸入頁面內容以下
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
    <title>admin</title>
    <meta charset="UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1"/>
</head>
<body>welcome!!!</body>
</html>

# 安裝httpd-tools工具
yum -y install httpd-tools

# 建立帳號密碼文件, 這裏我指定帳號爲admin
cd /etc/nginx
htpasswd -c ./auth_conf admin

按照提示重複輸入兩次密碼後，auth_conf這個密碼文件就建立成功了。

# 查看下密碼文件
cat auth_conf

# 長這個樣子，就是成對的帳號密碼，密碼加密過
admin:$apr1$NCYCrCl7$3ylJcPn3LEa7FgmwOi1Hy.

接下來咱們進行Nginx配置：

# 先把以前的配置示例保留下來
cd /etc/nginx/conf.d
mv access.conf access.conf.bak
# 從備份目錄恢復一個默認配置並更名
cp /opt/backup/default.conf auth_basic.conf
# 編輯配置
vi auth_basic.conf

# 配置以下
...
server {
    ...
    location ~ ^/admin.html {
        root    /opt/add/code;
        auth_basic "Auth access!input your password!";
        auth_basic_user_file /etc/nginx/auth_conf;
    }
    ...
}

# 校驗配置
nginx -tc /etc/nginx/nginx.conf
# 重載配置
systemctl reload nginx.service

驗證結果

客戶端網頁訪問nginx服務器的admin.html頁面時顯示：

當輸錯用戶名或密碼時，會顯示：

同時error.log輸出：

2018/02/03 19:00:52 [error] 20045#20045: *12 user "hello" was not found in "/etc/nginx/auth_conf", client: 115.198.157.60, server: localhost, request: "GET /admin.html HTTP/1.1", host: "39.104.93.171"
2018/02/03 19:01:11 [error] 20045#20045: *12 user "admin": password mismatch, client: 115.198.157.60, server: localhost, request: "GET /admin.html HTTP/1.1", host: "39.104.93.171"

再次訪問，輸入正確的帳號密碼，顯示：

相關標籤/搜索

openresty+nginx+lua+nginx

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。