1. Describe the commonly used nginx modules and give usage examples for each
access_module
- allow
- deny
auth_basic_module
- auth_basic "auth_info"
- auth_basic_user_file /etc/nginx/.ngxpasswd
stub_status_module
- stub_status
- Active connections: number of client connections currently open
- accepts: total client connections accepted
- handled: total client connections handled
- requests: total client requests
- Reading: connections whose request header is being read
- Writing: connections whose response is being written back
- Waiting: idle keep-alive connections
log_module
- log_format
- access_log off; disables the access log
- open_log_file_cache caches log file descriptors and metadata
gzip_module
- gzip on; enable gzip
- gzip_comp_level 6; compression level
- gzip_disable regex; disable gzip for browsers whose User-Agent matches the regex (those that cannot handle it)
- gzip_proxied off; responses to proxied requests are not compressed by default
- gzip_types text/html text/css text/xml application/javascript
[root@web1 nginx]# mkdir /var/spool/nginx/client_temp/ -p
[root@web1 nginx]# chown nginx.nginx /var/spool/nginx/client_temp/
[root@web1 ~]# htpasswd -c -m /etc/nginx/.ngxpasswd jason
New password:
Re-type new password:
Adding password for user jason
[root@web1 ~]# grep -Ev "^[[:space:]]*#|^[[:space:]]*$" /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_priority -5;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 20480;
    use epoll;
    accept_mutex off;
    multi_accept on;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    keepalive_timeout 30;
    client_header_buffer_size 4k;
    client_header_timeout 15;
    client_body_buffer_size 64k;
    client_body_temp_path /var/spool/nginx/client_temp 1 2;
    client_body_timeout 15;
    client_max_body_size 100m;
    send_timeout 15;
    reset_timedout_connection on;
    aio on;
    open_file_cache max=65535 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_buffers 4 32k;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset utf-8;
    include /etc/nginx/conf.d/*.conf;
}
[root@web1 ~]# cat /etc/nginx/conf.d/www.xlc.com.conf
server {
    listen 80;
    server_name www.xlc.com;
    error_log /var/log/nginx/error_www.xlc.com.log;
    access_log /var/log/nginx/access_www.xlc.com.log main;
    root /home/www;
    error_page 404 /error.html;
    location = /status {
        stub_status;
        allow 192.168.1.3;
        deny all;
        auth_basic "status";
        auth_basic_user_file /etc/nginx/.ngxpasswd;
    }
}
Output of the /status page:
Active connections: 2
server accepts handled requests
18 18 221
Reading: 0 Writing: 1 Waiting: 1
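To show how a monitoring probe consumes the stub_status counters above, here is an added Python example (not code from the page or from nginx). The status text it parses is constructed, and the accepts/handled comparison is the check worth automating: when handled falls behind accepts, nginx accepted connections it could not serve, which usually means worker_connections or worker_rlimit_nofile was exhausted.

```python
import re

# Constructed stub_status page (same four-line layout as the /status output above)
SAMPLE_STATUS = """\
Active connections: 2
server accepts handled requests
 18 18 221
Reading: 0 Writing: 1 Waiting: 1
"""

def parse_stub_status(text):
    """Parse the four-line stub_status page into a dict of integer counters."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 4 or not lines[0].startswith("Active connections:"):
        raise ValueError("not a stub_status page")
    accepts, handled, requests = (int(x) for x in lines[2].split())
    m = re.fullmatch(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", lines[3])
    if m is None:
        raise ValueError("malformed Reading/Writing/Waiting line")
    reading, writing, waiting = (int(g) for g in m.groups())
    return {
        "active": int(lines[0].split(":", 1)[1]),
        "accepts": accepts, "handled": handled, "requests": requests,
        "reading": reading, "writing": writing, "waiting": waiting,
    }

def check_stub_status(stats):
    """Return the warnings a probe should raise for these counters (empty = healthy)."""
    warnings = []
    dropped = stats["accepts"] - stats["handled"]
    if dropped > 0:
        # nginx accepted these connections but could not serve them: a worker
        # hit worker_connections or the open-file limit (worker_rlimit_nofile).
        warnings.append(f"{dropped} accepted connections were dropped (resource limit reached)")
    busy = stats["reading"] + stats["writing"] + stats["waiting"]
    if busy != stats["active"]:
        # Active is the sum of the three states; a mismatch means a torn read of the page.
        warnings.append(f"active={stats['active']} but reading+writing+waiting={busy}")
    return warnings

if __name__ == "__main__":
    stats = parse_stub_status(SAMPLE_STATUS)
    print(stats)
    print(check_stub_status(stats) or "healthy")
```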
ssl module
- ssl on;
- ssl_certificate file; path to the certificate
- ssl_certificate_key file; path to the private key
- ssl_protocols: allowed protocol versions, TLS by default
- ssl_session_cache shared:SSL:10m; shared session cache, 1 MB holds about 4000 sessions
- ssl_session_timeout time; session timeout, default 5m, set to 10m here
- listen 443 ssl;
rewrite module
- purpose: redirect port 80 to 443, and change the requested URI
- rewrite /(.*)\.png /$1.jpg last;
- rewrite /(.*)$ https://www.ilinux.io/$1 permanent;
- flags:
- 1. last: stop processing the current set of rewrite rules and search for a matching location again
- 2. break: stop rewrite processing altogether
- 3. redirect: temporary redirect, 302
- 4. permanent: permanent redirect, 301
- an if condition can return 403 or a URL
referer_module
- valid_referers none blocked server_names *.magedu.com
- if ($invalid_referer) {return 403;}
- hotlink protection
[root@web1 conf.d]# cat www.xlc.com.conf
server {
    listen 80;
    server_name www.xlc.com;
    error_log /var/log/nginx/error_www.xlc.com.log;
    access_log /var/log/nginx/access_www.xlc.com.log main;
    root /home/www;
    rewrite /(.*) https://www.xlc.com/$1 permanent;
}
[root@web1 conf.d]# cat www.xlc.com_ssl.conf
server {
    listen 443 ssl;
    server_name www.xlc.com;
    error_log /var/log/nginx/error_www.xlc.com_ssl.log;
    access_log /var/log/nginx/access_www.xlc.com_ssl.log main;
    root /home/www;
    error_page 404 /error.html;
    ssl on;
    ssl_certificate /etc/nginx/ssl/httpd_crt.pem;
    ssl_certificate_key /etc/nginx/ssl/httpd_key.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location ~* \.(gif|jpg|png|swf|flv)$ {
        valid_referers *.xlc.com;
        if ($invalid_referer) {
            rewrite ^/ http://www.xlc.com/error.html;
        }
        expires 30d;
    }
    location = /status {
        stub_status;
        allow 192.168.1.3;
        deny all;
        auth_basic "status";
        auth_basic_user_file /etc/nginx/.ngxpasswd;
    }
}
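An added Python model (not nginx's own code) of how the referer module decides $invalid_referer, run against the `valid_referers *.xlc.com;` rule in the config above and against the fuller `none blocked server_names` form from the notes. The request referers are constructed; the URI-prefix and `~regex` forms of valid_referers are not modelled.

```python
from urllib.parse import urlsplit

# Constructed inputs: the server_name and patterns follow the www.xlc.com config above
SERVER_NAMES = ["www.xlc.com"]

def host_matches(pattern, host):
    """valid_referers hostname pattern: a leading or trailing '*' is a wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # *.xlc.com matches img.xlc.com
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def invalid_referer(referer, valid, server_names=SERVER_NAMES):
    """Return True when nginx would set $invalid_referer to "1" for this request.
    Models the none/blocked/server_names keywords and hostname patterns only;
    the URI-prefix and ~regex forms of valid_referers are left out."""
    if not referer:                                    # no Referer header at all
        return "none" not in valid
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid                  # header present but mangled by a proxy/firewall
    host = (urlsplit(referer).hostname or "").lower()
    patterns = [p.lower() for p in valid if p not in ("none", "blocked", "server_names")]
    if "server_names" in valid:
        patterns += [s.lower() for s in server_names]
    return not any(host_matches(p, host) for p in patterns)

# The config above uses "valid_referers *.xlc.com;" with neither none nor blocked ...
PAGE_RULE = ["*.xlc.com"]
# ... so direct visits are rejected too; this variant from the notes lets them through
RELAXED_RULE = ["none", "blocked", "server_names", "*.xlc.com"]

# Constructed request referers (None = header absent)
CASES = {
    "direct": None,
    "stripped": "xlc.com",
    "own-site": "https://www.xlc.com/index.html",
    "subdomain": "http://img.xlc.com/a.png",
    "hotlinker": "http://other.example.net/page.html",
}

def decisions(rule):
    """Map each case to whether $invalid_referer would be set under the rule."""
    return {name: invalid_referer(ref, rule) for name, ref in CASES.items()}

if __name__ == "__main__":
    print("page rule   :", decisions(PAGE_RULE))
    print("relaxed rule:", decisions(RELAXED_RULE))
```

The page's rule blocks users who type the image URL directly (no Referer) as well as hotlinkers; adding `none blocked server_names` keeps the hotlink protection while letting those visitors through.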
2. Describe Linux cluster types, system scaling approaches and scheduling methods
Clusters
- single host: nginx with epoll+aio handles about 20,000 concurrent connections; httpd prefork about 2,000
- scale up: vertical scaling, poor price/performance
- scale out: horizontal scaling, good price/performance; this is a cluster
Cluster types
- LB: load balancing cluster
- HA: high availability cluster
- HP: high performance (supercomputing) cluster
- distributed clusters: distributed storage, distributed computing
Three problems of LB
- 1. session consistency:
- user binding: DNS records, IP binding, cookie binding; creates a single point of failure
- session replication: wastes resources
- shared in-memory store: a session server, the recommended approach
- 2. image (static file) consistency
- shared image storage: nfs, cifs
- 3. data consistency
- structured data: all nodes use the same mysql
- semi-structured data: all nodes use the same nosql
HA problems
- solves the SPOF (single point of failure) problem
- heartbeat detection
- failover and failback policies
- availability: 99.99% means roughly 1 hour of downtime per year
LB types
- hardware: F5, A10
- transport layer (layer 4): lvs, nginx, haproxy, ats
- application layer (layer 7): nginx, haproxy, fastcgi, ProxySQL
3. Describe the advantages and use cases of the four LVS cluster modes
lvs
- Linux Virtual Server
- written by Wensong Zhang (章文嵩)
- works at OSI layer 4 inside the kernel (netfilter); up to about 4 million concurrent connections
- nginx works at layer 7 and handles about 20,000 concurrent connections, limited by sockets
- a typical target: 200,000 concurrent connections, 500 million page views
- multi-level scheduling plus page splitting: one lvs in front, several nginx behind it
How lvs works
- the kernel framework lvs runs on is ipvs
- ipvs hooks into the INPUT chain, where the filter table sits, so other iptables filter rules should be disabled on the Director
- prerouting → input (ipvs) → postrouting
- ipvs rules are managed with the ipvsadm command
Terminology
- VS / Director: virtual server, the scheduler
- RS: real server, the backend host
- CIP: client IP
- VIP: virtual IP
- DIP: Director IP
- RIP: real server IP
- packet path: CIP → VIP → DIP → RIP
The four lvs modes
- lvs-nat: rewrites the destination IP (DNAT)
- lvs-dr: rewrites the destination MAC
- lvs-tun: prepends a new IP header
- lvs-fullnat: rewrites both source and destination IP
How lvs-nat works
- the CIP sends requests to the Director's VIP
- the RIP's default gateway is the DIP
- the Director rewrites the destination IP of the request to the RIP
- the Director rewrites the source IP of the RS's response to the VIP and sends it to the CIP
- the VIP is a public address
- DIP and RIP are in the same subnet, which must be a private network
- the Director is the bottleneck: both requests and responses pass through it
How lvs-dr works
- the CIP sends requests to the Director's VIP
- the VIP is a public IP
- RIP and DIP are in the same subnet, private or public; their gateway is the router
- each RS also has the VIP configured on lo:0, with kernel parameters suppressing ARP announcements (arp_announce) and replies (arp_ignore) for it
- the Director rewrites the destination MAC of the request to the RS's MAC
- the RS sends the response directly to the CIP with the VIP as source address
- no port mapping support
How lvs-tun works
- the CIP sends requests to the Director's VIP
- the VIP is public, and DIP and RIP are public IPs as well
- DIP and RIP can be in different data centres and subnets
- the Director prepends an outer IP header (source DIP, destination RIP) to the request addressed to the VIP and tunnels it to the RS
- the RS also has the VIP configured and responds directly to the CIP
- packets larger than the 1500-byte MTU get fragmented, which hurts throughput
- no port mapping support
How lvs-fullnat works
- the CIP sends requests to the Director's VIP
- the VIP is public; DIP and RIP are internal addresses and may be in different subnets
- the Director rewrites the request to DIP → RIP
- both requests and responses pass through the Director, which is a bottleneck
- internal hosts are hidden
Best choice
- lvs-dr has the highest concurrency capacity
Scheduling methods
Static methods
- RR: round robin
- WRR: weighted round robin
- SH: source-address hash; gives session affinity but unbalances load, and sessions are lost when an RS fails
- DH: destination-address hash; cache affinity for forward proxies
Dynamic methods
- LC: least connections; overhead = active*256 + inactive
- WLC: weighted least connections, the best general-purpose choice; the LC overhead divided by the weight
- SED: shortest expected delay; ignores inactive connections
- NQ: never queue
- LBLC: dynamic DH
- LBLCR: dynamic DH with replication
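An added Python example (not ipvs code) that applies the overhead formulas of the dynamic schedulers above, plus the ipvs-style weighted round robin, to a constructed real-server table, so the difference between LC, WLC, SED and NQ is visible on the same input. The SED overhead (active+1)*256/weight is ipvs's formula; the server names and counters are made up.

```python
from math import gcd
from functools import reduce
# Constructed real-server table (not from the page): weight and current connection counts
SERVERS = [
    {"name": "web1", "weight": 4, "active": 4, "inactive": 20},
    {"name": "web2", "weight": 1, "active": 1, "inactive": 10},
    {"name": "web3", "weight": 1, "active": 0, "inactive": 300},
]

def overhead_lc(rs):   # LC: active*256 + inactive, weight ignored
    return rs["active"] * 256 + rs["inactive"]
def overhead_wlc(rs):  # WLC: the LC overhead divided by the weight
    return overhead_lc(rs) / rs["weight"]
def overhead_sed(rs):  # SED: (active+1)*256 / weight, inactive connections ignored
    return (rs["active"] + 1) * 256 / rs["weight"]

def pick(servers, method):
    """Return the RS a dynamic scheduler chooses; on a tie the first listed wins."""
    candidates = [rs for rs in servers if rs["weight"] > 0]   # weight 0 = drained
    if method == "nq":  # NQ: an idle server wins at once, otherwise behave like SED
        for rs in candidates:
            if rs["active"] == 0:
                return rs["name"]
        method = "sed"
    cost = {"lc": overhead_lc, "wlc": overhead_wlc, "sed": overhead_sed}[method]
    return min(candidates, key=cost)["name"]

def wrr_sequence(servers, n):
    """Static WRR as ipvs does it: the current weight cw steps from the max weight
    down by the gcd; in each pass over the list a server is chosen when
    weight >= cw. Weights 2:1 give web1, web1, web2, ... (see the wrr test in section 4)."""
    weights = [rs["weight"] for rs in servers]
    max_w, step = max(weights), reduce(gcd, weights)
    if max_w == 0:
        return []
    out, i, cw = [], -1, 0
    while len(out) < n:
        i = (i + 1) % len(servers)
        if i == 0:
            cw -= step
            if cw <= 0:
                cw = max_w
        if servers[i]["weight"] >= cw:
            out.append(servers[i]["name"])
    return out

if __name__ == "__main__":
    for m in ("lc", "wlc", "sed", "nq"):
        print(m, "->", pick(SERVERS, m))
    print("wrr ->", wrr_sequence([{"name": "web1", "weight": 2}, {"name": "web2", "weight": 1}], 6))
```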
ipvsadm
yum -y install ipvsadm
4. Describe how LVS-NAT and LVS-DR work and configure them
ipvsadm
- ipvsadm.service: loads the saved ipvs rules at boot
- ipvsadm-save (ipvsadm -S -n > /etc/sysconfig/ipvsadm): save the rules
- ipvsadm-restore (ipvsadm -R < /etc/sysconfig/ipvsadm): restore the rules
- ipvsadm -C: clear all rules
- ipvsadm -Z: zero the counters
- -A: add a virtual service
- -t: TCP service address and port
- -s: scheduling algorithm
- -E: edit a virtual service
- -m | -g: forwarding mode, nat (masquerading) or dr (gatewaying)
- -w: weight
- -a: add an RS
- -r: RS address and port
- -e: edit an RS
- -L -n: list the rules numerically
- -L -n --rate: show rates
- -L -n --stats: show statistics
- ipvsadm -D: delete a virtual service
- ipvsadm -d: delete an RS
lvs-nat setup
- the Director has two NICs
- the RSs (two hosts) have only an internal NIC
- the RSs' default gateway points at the Director
- kernel IP forwarding (net.ipv4.ip_forward) is enabled on the Director
[root@lvs1 ~]# ipvsadm -A -t 192.168.1.12:80 -s rr
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.12:80 rr
[root@lvs1 ~]# ipvsadm -a -t 192.168.1.12:80 -r 192.168.10.11 -m
[root@lvs1 ~]# ipvsadm -a -t 192.168.1.12:80 -r 192.168.10.13 -m
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.12:80 rr
-> 192.168.10.11:80 Masq 1 0 0
-> 192.168.10.13:80 Masq 1 0 0
[root@center ~]# for i in {1..10};do curl www.xlc.com;done
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
[root@lvs1 ~]# ipvsadm -L -n --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
TCP 192.168.1.12:80 44 339 229 42375 34261
-> 192.168.10.11:80 22 139 93 11712 10462
-> 192.168.10.13:80 22 200 136 30663 23799
[root@lvs1 ~]# ipvsadm -E -t 192.168.1.12:80 -s wrr
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.12:80 wrr
-> 192.168.10.11:80 Masq 1 0 5
-> 192.168.10.13:80 Masq 1 0 5
[root@lvs1 ~]# ipvsadm -e -t 192.168.1.12:80 -r 192.168.10.13 -m -w 1
[root@lvs1 ~]# ipvsadm -e -t 192.168.1.12:80 -r 192.168.10.11 -m -w 2
[root@center ~]# for i in {1..10};do curl www.xlc.com;done
www.xlc.com web2
www.xlc.com web1
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web1
www.xlc.com web2
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.12:80 wrr
-> 192.168.10.11:80 Masq 2 0 11
-> 192.168.10.13:80 Masq 1 0 9
[root@lvs1 ~]# ipvsadm -E -t 192.168.1.12:80 -s sh
[root@lvs1 ~]# ipvsadm -e -t 192.168.1.12:80 -r 192.168.10.11 -m
[root@lvs1 ~]# ipvsadm -e -t 192.168.1.12:80 -r 192.168.10.13 -m
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.12:80 sh
-> 192.168.10.11:80 Masq 1 0 6
-> 192.168.10.13:80 Masq 1 0 4
[root@center ~]# for i in {1..10};do curl www.xlc.com;done
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
www.xlc.com web1
lvs-dr setup
- VIP and DIP are both configured on the Director's external NIC
- VIP, DIP and RIP are all in the same external network
- the VIP is configured on the Director's eth0:0 alias
- the VIP is configured on each RS's lo:0 alias
- arp_announce=2 on the RS: when sending ARP requests, always use the interface's own address for that subnet as the source, so the VIP is never announced
- arp_ignore=1 on the RS: only answer ARP requests whose target IP is configured on the receiving interface, so the VIP on lo is not advertised
- add a host route on the RS so that traffic to the VIP goes via lo:0
RS script
[root@web1 scripts]# cat real-server.sh
#!/bin/bash
# description: real-server start
# author: xuluchuan
# date: 20180818
VIP=192.168.1.14
MASK=255.255.255.255

start() {
    # keep the RS from answering or announcing ARP for the VIP held on lo:0
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
    if ! ifconfig lo:0 | grep "$VIP" &> /dev/null; then
        ifconfig lo:0 "$VIP" netmask "$MASK" broadcast "$VIP" up
        route add -host "$VIP" dev lo:0
    fi
}

stop() {
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
    if ifconfig lo:0 | grep "$VIP" &> /dev/null; then
        ifconfig lo:0 down
    fi
}

status() {
    if ifconfig lo:0 | grep "$VIP" &> /dev/null; then
        echo "real server is running!"
    else
        echo "real server is not running!"
    fi
}

usage() {
    echo "USAGE: start|stop|restart|status"
    exit 2
}

case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        usage
        ;;
esac
dr mode configuration
[root@web1 scripts]# sh real-server.sh start
[root@web2 scripts]# sh real-server.sh start
[root@lvs1 ~]# ifconfig enp0s3:0 192.168.1.14 netmask 255.255.255.255 broadcast 192.168.1.14 up
[root@lvs1 ~]# ipvsadm -A -t 192.168.1.14:80 -s rr
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.14:80 rr
[root@lvs1 ~]# ipvsadm -a -t 192.168.1.14:80 -r 192.168.1.11 -g
[root@lvs1 ~]# ipvsadm -a -t 192.168.1.14:80 -r 192.168.1.13 -g
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.14:80 rr
-> 192.168.1.11:80 Route 1 0 0
-> 192.168.1.13:80 Route 1 0 0
[root@center ~]# for i in {1..10};do curl www.xlc.com;done
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
www.xlc.com web2
www.xlc.com web1
[root@lvs1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.14:80 rr
-> 192.168.1.11:80 Route 1 0 5
-> 192.168.1.13:80 Route 1 0 5