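Lesson 22, 2018-09-25

Nginx load balancing

Nginx load balancing relies on the upstream module, which defines a group of web servers and uses an algorithm to distribute incoming requests among them.

The dig command shows which IPs a domain resolves to. Install it with:

# yum install -y bind-utils

Look up the IPs that qq.com resolves to: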

# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57052
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.				IN	A

;; ANSWER SECTION:
qq.com.			600	IN	A	111.161.64.48
qq.com.			600	IN	A	111.161.64.40

;; Query time: 30 msec
;; SERVER: 100.100.2.136#53(100.100.2.136)
;; WHEN: Mon Sep 24 21:25:25 CST 2018
;; MSG SIZE  rcvd: 67

Create a file named qq.conf in the /usr/local/nginx/conf/vhost/ directory with the following content:


upstream qq_com   # qq_com is just the name of the server group; any name works, and proxy_pass refers to it
{
    ip_hash;      # keep each user on the same backend machine so that data does not get mixed up
    server 111.161.64.48:80;
    server 111.161.64.40:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;   # proxy_pass refers to upstream qq_com
        proxy_set_header Host   $host;   # the settings below are the same as for an Nginx proxy
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Test

# curl -x127.0.0.1:80 www.qq.com
didibibabo

This still returns the default page, because the configuration file has not been reloaded yet.

Check the configuration file and reload:

# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload

Test again

# curl -x127.0.0.1:80 www.qq.com
(normal response; output omitted because it is long)

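Key points:

  • Nginx does not support proxying HTTPS: the server port in the configuration file cannot be 443, so only http can be proxied;
  • Newer versions of Nginx can also proxy TCP, which means other ports are supported as well.

How SSL works

SSL here refers to the server's certificate, that is, the server's public key and private key used in the second step of the access flow.

Generating an SSL key pair

Check which package provides openssl; install it if it is missing.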

# rpm -qf `which openssl `
openssl-1.0.2k-12.el7.x86_64

Change to the /usr/local/nginx/conf directory:

# cd /usr/local/nginx/conf

Generate an RSA private key (the key file is the private key):

# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

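  • genrsa generates an RSA private key file

  • -des3 encrypts the key file with the 3DES algorithm

  • -out names the private key file to write; 2048 means a key length of 2048 bits

The command asks for a passphrase and its confirmation. For convenience, the key can be converted to remove the passphrase: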

# openssl rsa -in tmp.key -out yolkslinux.key
Enter pass phrase for tmp.key:
writing RSA key

Enter the passphrase set earlier to confirm, then delete the tmp.key file:

# rm -f tmp.key

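Generate the certificate request file (CSR). The CSR and the passphrase-free private key are then used together to produce the public key file: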

# openssl req -new -key yolkslinux.key -out yolkslinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [XX]:CN                        #country
State or Province Name (full name) []:SC                    #province
Locality Name (eg, city) [Default City]:CD                  #city
Organization Name (eg, company) [Default Company Ltd]:Test  #organization name
Organizational Unit Name (eg, section) []:Test              #organizational unit
Common Name (eg, your name or your server's hostname) []:test.com  #usually the server's domain name
Email Address []:[email protected]                          #email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      #leave blank
An optional company name []:  #leave blank
 

Generate the public key file:

# openssl x509 -req -days 365 -in yolkslinux.csr -signkey yolkslinux.key -out yolkslinux.crt
Signature ok
subject=/C=CN/ST=YC\x08\x08\x08/L=\x1B[A/O=tesr/OU=test/CN=test.com
Getting Private key

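The crt file is the public key (the certificate); the key file is the private key.

  • x509 produces an X.509 certificate

  • -req takes a certificate request as input and generates the certificate file from it

  • -days is the validity period of the certificate; 365 means one year

  • -in names the certificate request file

  • -signkey names the private key file

  • -out names the public key file to write

List the files just generated: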

# ls yolkslinux.*
yolkslinux.crt  yolkslinux.csr  yolkslinux.key
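
The same key, CSR and certificate steps can be run without prompts and then checked; because the passphrase was removed, the key file's permissions are what protect it. This is an added example, not part of the original post: the function names and the scratch directory are made up here, and the subject values are the ones typed at the prompts above.

```shell
#!/bin/sh
# Added example: the key -> CSR -> certificate steps above, run without
# prompts, followed by checks. Function names are illustrative.

# make_pair DIR NAME: write NAME.key, NAME.csr and NAME.crt into DIR.
# -subj replaces the interactive prompts, so stray control characters
# (the \x08 and \x1B[A in the subject line above) cannot slip in.
make_pair() {
    (
        umask 077    # the key has no passphrase, so create it owner-only
        cd "$1" || exit 1
        openssl genrsa -out "$2.key" 2048 2>/dev/null &&
        openssl req -new -key "$2.key" -out "$2.csr" \
            -subj "/C=CN/ST=SC/L=CD/O=Test/OU=Test/CN=test.com" &&
        openssl x509 -req -days 365 -in "$2.csr" -signkey "$2.key" \
            -out "$2.crt" 2>/dev/null
    )
}

# key_private_only FILE: true if group and others have no access to FILE.
key_private_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# pair_matches KEY CERT: true if CERT carries the public half of KEY.
pair_matches() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_valid_for CERT DAYS: true if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demo in a scratch directory (constructed data, nothing under /usr/local).
demo=$(mktemp -d)
make_pair "$demo" demo
key_private_only "$demo/demo.key" && echo "key: owner-only permissions"
pair_matches "$demo/demo.key" "$demo/demo.crt" && echo "key matches certificate"
cert_valid_for "$demo/demo.crt" 30 && echo "certificate valid for 30+ days"
rm -rf "$demo"
```
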

Configuring SSL in Nginx

Create a new configuration file for the virtual host, /usr/local/nginx/conf/vhost/ssl.conf:

# vim /usr/local/nginx/conf/vhost/ssl.conf

server
{
    listen 443;
    server_name hsy.com;
    index index.html index.php;
    root /data/wwwroot/hsy.com;
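    ssl on;    # turn on SSL, i.e. enable https
    ssl_certificate yolkslinux.crt; # the public key (certificate)
    ssl_certificate_key yolkslinux.key; # the private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocol versions (TLSv1 and TLSv1.1 are deprecated by RFC 8996)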
}

Create the /data/wwwroot/hsy.com directory:

# mkdir /data/wwwroot/hsy.com

Check that the configuration file is correct:

# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

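Cause: Nginx was built without the corresponding SSL support.
Fix: recompile nginx with the SSL-related option added.

Tip: the -V option shows the options Nginx was compiled with.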

# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
configure arguments: --prefix=/usr/local/nginx

Go to the Nginx source directory and recompile:

# cd /usr/local/src/nginx-1.8.0
# ./configure --prefix=/usr/local/nginx --with-http_ssl_module   # compile with the SSL module option added
# echo $?   # check that it succeeded
0

Install

# make 
# echo $?  
0
# make install
# echo $?
0

Restart Nginx and check that port 443, configured in ssl.conf, is listening:

# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]

#  netstat -lntp |grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      21887/nginx: master

Create a test file in /data/wwwroot/hsy.com:

# cd /data/wwwroot/hsy.com/
# vim index.html

this is the ssl test  page!

Edit the /etc/hosts file on the virtual machine; curl needs a hosts entry to reach the local https site:

# echo '127.0.0.1 hsy.com' >> /etc/hosts
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 hsy.com

Test with curl

# curl -x127.0.1:443 https://hsy.com
curl: (56) Received HTTP code 400 from proxy after CONNECT

Accessing the site directly reports that the certificate is not trusted.

# curl  https://hsy.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

With the -k option, which skips the certificate check, the page can be fetched:

[root@iz2zef1im6qv29viqhtk3qz hsy.com]# curl -k  https://hsy.com
This is the ssl test  page!

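Testing from Windows

First, in the hosts file on the Windows machine, point hsy.com at the IP of the nginx server.

Then open https://hsy.com in a browser.

Click through the warning and continue to the site.

php-fpm pools

php-fpm can also be configured with pools, similar to nginx virtual hosts.

Each pool can be kept in its own configuration file. php-fpm.conf can define several pools. When the resources of a pool shared by several sites are exhausted, the other sites on it can no longer be served and return 502 errors, so it is worth separating sites and giving each its own pool.

View the current pool: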

# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]                                  ; the [www] section is one pool
listen = /tmp/php-fcgi.sock
# listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

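Process management

pm = dynamic
    # use dynamic process management; it can also be changed to static
    # with pm = static only pm.max_children takes effect and the other pm settings are ignored

pm.max_children = 50
    # maximum number of processes in this pool

pm.start_servers = 20
    # number of processes started initially

pm.min_spare_servers = 5
    # minimum number of idle processes; if there are fewer, new ones are created automatically

pm.max_spare_servers = 35
    # maximum number of idle processes; if there are more, the extra ones are cleaned up automatically

pm.max_requests = 500
    # maximum number of requests each process handles

rlimit_files = 1024
    # number of file descriptors available
    # every file the system opens consumes one file descriptor
    # once the file descriptors run out, errors are reported

Configuration 1

Adding a pool means adding another block of configuration to /usr/local/php-fpm/etc/php-fpm.conf: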

[hsy.com]
listen = /tmp/hsy.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

Check that the configuration file is correct, then reload:

# /usr/local/php-fpm/sbin/php-fpm -t
[27-Sep-2018 22:24:59] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
# /etc/init.d/php-fpm reload
Reload service php-fpm  done

View the processes:

#  ps aux |grep php-fpm
root      5575  0.0  0.4 227252  4964 ?        Ss   22:25   0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm   5576  0.0  0.4 227192  4708 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5577  0.0  0.4 227192  4708 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5578  0.0  0.4 227192  4708 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5579  0.0  0.4 227192  4708 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5580  0.0  0.4 227192  4712 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5581  0.0  0.4 227192  4712 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5582  0.0  0.4 227192  4712 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5583  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5584  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5585  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5586  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5587  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5588  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5589  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5590  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5591  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5592  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5593  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5594  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5595  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool www
php-fpm   5596  0.0  0.4 227192  4712 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5597  0.0  0.4 227192  4712 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5598  0.0  0.4 227192  4712 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5599  0.0  0.4 227192  4716 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5600  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5601  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5602  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5603  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5604  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5605  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5606  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5607  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5608  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5609  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5610  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5611  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5612  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5613  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5614  0.0  0.4 227192  4720 ?        S    22:25   0:00 php-fpm: pool hsy.com
php-fpm   5615  0.0  0.4 227192  4724 ?        S    22:25   0:00 php-fpm: pool hsy.com
root      5620  0.0  0.0 112660   964 pts/0    R+   22:26   0:00 grep --color=auto php-fpm

The hsy.com pool now clearly shows up in the right-hand column.

In the virtual host configuration directory, add the following to the aaa.com.conf file.
Note that it goes inside server{}.

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/hsy.sock;   # change the socket file here
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/default$fastcgi_script_name; # change to the default site's path
    }

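Configuration 2: dynamic loading

Add a matching include to the main php-fpm configuration file so that pool files are loaded dynamically.
Note that it goes under [global].

include = etc/php-fpm.d/*.conf

Then delete the pools configured earlier.

After the additions and deletions, the configuration file looks like this: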

# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf

Create the directory that holds the pool configuration files:

# mkdir /usr/local/php-fpm/etc/php-fpm.d

In that directory, create the pool configuration file www.conf with the following content:

# cd /usr/local/php-fpm/etc/php-fpm.d
# vim www.conf
 
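[www]                             ; the pool name can be anything
listen = /tmp/php-fcgi.sock      ; the socket file or ip:port this pool listens on
#listen = 127.0.0.1:9000
listen.mode = 666                ; permissions of the socket file when listening on a socket
user = php-fpm                   ; user the processes run as
group = php-fpm                  ; group the processes run as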
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

Then copy www.conf to hsy.conf and edit the pool name and the listening socket file:

# cp www.conf hsy.conf
# vim hsy.conf

[hsy.com]
listen = /tmp/hsy.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

Check the php-fpm configuration for syntax errors, then reload it:

# /usr/local/php-fpm/sbin/php-fpm -t
[27-Sep-2018 22:50:27] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

# /etc/init.d/php-fpm reload
Reload service php-fpm  done

Check the php-fpm processes:

# ps -ef | grep php
root      5774     1  0 22:50 ?        00:00:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm   5775  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5776  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5777  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5778  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5779  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5780  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5781  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5782  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5783  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5784  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5785  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5786  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5787  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5788  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5789  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5790  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5791  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5792  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5793  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5794  5774  0 22:50 ?        00:00:00 php-fpm: pool hsy.com
php-fpm   5795  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5796  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5797  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5798  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5799  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5800  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5801  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5802  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5803  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5804  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5805  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5806  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5807  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5808  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5809  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5810  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5811  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5812  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5813  5774  0 22:50 ?        00:00:00 php-fpm: pool www
php-fpm   5814  5774  0 22:50 ?        00:00:00 php-fpm: pool www
root      5819  4915  0 22:51 pts/0    00:00:00 grep --color=auto php

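php-fpm slow log

A slow log helps with optimizing code and makes detailed analysis easier. When PHP pages are sometimes slow to load, enabling the slow log shows whether PHP code is taking too long to run, and exactly which line of which PHP file is responsible.

The [www] pool of the current virtual machine is used here to demonstrate the slow log.

Edit /usr/local/php-fpm/etc/php-fpm.d/www.conf and add the following settings:

# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf

; existing settings
request_slowlog_timeout = 1  ; when execution takes longer than this time (in seconds), write a slow log entry
slowlog = /usr/local/php-fpm/var/log/www-slow.log ; path of the slow log file

Create a test file named pool.php in the /data/wwwroot/test.com/ directory: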

# vim /data/wwwroot/test.com/pool.php

<?php
echo 'test slow log';
sleep(3);
echo 'done';
?>

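PHP's sleep() function pauses the program for the given number of seconds; it is used here to simulate slow PHP execution.

Turn on error output and reload php-fpm:

# vim /usr/local/php-fpm/etc/php.ini
display_errors = On ; turn on error output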
# /usr/local/php-fpm/sbin/php-fpm -t
[27-Sep-2018 23:45:17] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

# /etc/init.d/php-fpm reload
Reload service php-fpm  done

Test

# curl -x127.0.0.1:80 test.com/pool.php
test slow logdone

View the slow log:

# ls /usr/local/php-fpm/var/log/
php-fpm.log  www-slow.log
# cat /usr/local/php-fpm/var/log/www-slow.log 

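[27-Sep-2018 23:49:50]  [pool www] pid 6158  //time of the slow execution, pool name, pid
script_filename = /data/wwwroot/test.com/pool.php //path of the PHP file
[0x00007fdc9f47b248] sleep() /data/wwwroot/test.com/pool.php:3  //the exact line of code that caused the slow execution

open_basedir

Setting open_basedir restricts PHP to files under the specified directories. It can be set in the virtual host configuration or in a php-fpm pool.

Incorrect configuration

Edit the /usr/local/php-fpm/etc/php-fpm.d/www.conf configuration file.

Add the open_basedir setting: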

# cd /usr/local/php-fpm/etc/php-fpm.d/
# ls
hsy.conf  www.conf
# echo "php_admin_value[open_basedir]=/data/wwwroot/www.test1com:/tmp/" >> www.conf 

  • php_admin_value[open_basedir] is the setting that defines open_basedir

  • /data/wwwroot/www.test1com:/tmp/ is the wrong path for now: the [www] pool is currently used by test.com

Restart php-fpm:


# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

Test

# curl -x127.0.0.1:80 test.com/pool.php
No input file specified.
# curl -x127.0.0.1:80 test.com/pool.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Fri, 28 Sep 2018 14:09:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

Correct configuration

Edit the /usr/local/php-fpm/etc/php-fpm.d/www.conf configuration file:

# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf

; change the last line to
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

The path must be the correct one, because test.com uses the php-fcgi.sock of the [www] pool.

Restart php-fpm:


# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

Test

# curl -x127.0.0.1:80 test.com/pool.php
test slow logdone
# curl -x127.0.0.1:80 test.com/pool.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 28 Sep 2018 14:15:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

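Works as expected.

Viewing the error log

First change the following settings in /usr/local/php-fpm/etc/php.ini:

# vim /usr/local/php-fpm/etc/php.ini
display_errors = Off  ; normally off in production, so that others cannot read error messages through the browser
log_errors = On  ; write errors to a log file
error_log = /usr/local/php-fpm/var/log/php_errors.log  ; location of the error log
error_reporting = E_ALL ; log all levels; comment out the existing error_reporting line and add this one

Create the error log file and give it 777 permissions: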

# cd /usr/local/php-fpm/var/log
# ls
php-fpm.log  www-slow.log
# touch /usr/local/php-fpm/var/log/php_errors.log
# chmod 777 /usr/local/php-fpm/var/log/php_errors.log

Change /usr/local/php-fpm/etc/php-fpm.d/www.conf back to the incorrect configuration shown above.

Restart the php-fpm service.

Test

# curl -x127.0.0.1:80 test.com/pool.php
No input file specified.
# curl -x127.0.0.1:80 test.com/pool.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Fri, 28 Sep 2018 14:32:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

View the error log:

# cat /usr/local/php-fpm/var/log/php_errors.log
[28-Sep-2018 14:31:53 UTC] PHP Deprecated:  Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
[28-Sep-2018 14:31:53 UTC] PHP Deprecated:  Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
[28-Sep-2018 14:32:01 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/test.com/pool.php) is not within the allowed path(s): (/data/wwwroot/wwtest.com:/tmp/) in Unknown on line 0
[28-Sep-2018 14:32:01 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[28-Sep-2018 14:32:29 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/test.com/pool.php) is not within the allowed path(s): (/data/wwwroot/wwtest.com:/tmp/) in Unknown on line 0
[28-Sep-2018 14:32:29 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0

Finally, remember to change the configuration file back to the correct one.
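
The open_basedir warnings shown in php_errors.log above can be summarised mechanically, which helps tell a misconfigured pool from a script reaching outside its site. This is an added example, not from the original post; the function names, the kind labels and the last sample log line are constructed here.

```shell
#!/bin/sh
# Added example: summarise open_basedir denials in a PHP error log.
# The "kind" labels are this example's own convention, not PHP's.

# basedir_denials LOGFILE
# Prints one line per distinct denial: count, kind, denied file, allowed paths
# (tab-separated). kind is "entry-script" when PHP reports the function as
# "Unknown" (the requested script itself was refused, as in the log above),
# otherwise "in-script" (running code reached outside the allowed paths).
basedir_denials() {
    awk '
    BEGIN { mid = ") is not within the allowed path(s): (" }
    /open_basedir restriction in effect/ {
        s = $0
        i = index(s, "File(");  if (i == 0) next
        s = substr(s, i + 5)
        j = index(s, mid);      if (j == 0) next
        file = substr(s, 1, j - 1)
        s = substr(s, j + length(mid))
        k = index(s, ") in ");  if (k == 0) next
        allowed = substr(s, 1, k - 1)
        kind = index($0, " Unknown: open_basedir") ? "entry-script" : "in-script"
        hits[kind "\t" file "\t" allowed]++
    }
    END { for (h in hits) print hits[h] "\t" h }
    ' "$1" | sort
}

# Constructed sample: lines in the format shown above, plus one constructed
# line for a test.com script that tries to read a file of another site.
sample_log() {
    cat <<'EOF'
[28-Sep-2018 14:32:01 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/test.com/pool.php) is not within the allowed path(s): (/data/wwwroot/wwtest.com:/tmp/) in Unknown on line 0
[28-Sep-2018 14:32:01 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[28-Sep-2018 14:32:29 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/test.com/pool.php) is not within the allowed path(s): (/data/wwwroot/wwtest.com:/tmp/) in Unknown on line 0
[28-Sep-2018 14:40:12 UTC] PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/data/wwwroot/hsy.com/config.php) is not within the allowed path(s): (/data/wwwroot/test.com:/tmp/) in /data/wwwroot/test.com/view.php on line 7
EOF
}

log=$(mktemp)
sample_log > "$log"
basedir_denials "$log"
rm -f "$log"
```
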

php-fpm process management

Location

# cat /usr/local/php-fpm/etc/php-fpm.d/www.conf
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1 
slowlog = /usr/local/php-fpm/var/log/www-slow.log 
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

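Comments must use ; rather than # (the # form is what produces the "Comments starting with '#' are deprecated" notices in php_errors.log above).

Parameter reference

  • pm = dynamic: dynamic process management (static is also possible). Dynamic means some processes are started initially, then more are started on demand and idle ones are destroyed automatically
  • pm.max_children = 50: maximum number of child processes; ps aux shows them
  • pm.start_servers = 20: number of processes started when the service starts
  • pm.min_spare_servers = 5: the minimum number of child processes during idle periods; when this value is reached, the php-fpm service forks new child processes automatically.
  • pm.max_spare_servers = 35: the maximum number of child processes during idle periods; above this value, idle child processes start being cleaned up.
  • pm.max_requests = 500: the maximum number of requests one child process handles; once a php-fpm child process has handled this many requests, it exits automatically.

How to test

Change the relevant settings, then check the number of processes with ps aux.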
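
The pool files built up in the sections above share one user and use listen.mode = 666, so the pools separate resources but not access. The added script below (not from the original post) audits pool files for that; the finding names, the third sample pool and its shop/nginx account names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit php-fpm pool files for weak isolation settings.
# Finding names and the sample pools are this example's own (constructed).

# audit_pools FILE...  -> one tab-separated line per finding: pool, finding, detail
audit_pools() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments, blank lines
    /^[ \t]*\[/ {                                   # [pool] section header
        pool = $0; sub(/^[ \t]*\[/, "", pool); sub(/\].*$/, "", pool)
        if (pool != "global" && !(pool in seen)) { seen[pool] = 1; order[++n] = pool }
        next
    }
    pool == "" || pool == "global" { next }
    {
        eq = index($0, "="); if (eq == 0) next
        conf[pool, trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]; mode = conf[p, "listen.mode"]; sock = conf[p, "listen"]
            # a unix socket writable by "others" accepts FastCGI from any local user
            if (sock ~ /^\// && substr(mode, length(mode), 1) ~ /[2367]/)
                print p "\tsocket-open-to-all\t" sock " mode " mode
            if (!((p, "php_admin_value[open_basedir]") in conf))
                print p "\tno-open_basedir\t-"
            u = conf[p, "user"]
            if (u in owner) print p "\tshared-user\t" u " also runs pool " owner[u]
            else owner[u] = p
        }
    }' "$@"
}

# write_sample_pools DIR: the two pools from this page plus one constructed
# pool ("shop"; the shop and nginx account names are assumptions).
write_sample_pools() {
    cat > "$1/www.conf" <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/
EOF
    cat > "$1/hsy.conf" <<'EOF'
[hsy.com]
listen = /tmp/hsy.sock
listen.mode = 666
user = php-fpm
group = php-fpm
EOF
    cat > "$1/shop.conf" <<'EOF'
[shop]
listen = /usr/local/php-fpm/var/run/shop.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = shop
group = shop
php_admin_value[open_basedir]=/data/wwwroot/shop.example:/tmp/
EOF
}

d=$(mktemp -d)
write_sample_pools "$d"
audit_pools "$d/www.conf" "$d/hsy.conf" "$d/shop.conf"
rm -rf "$d"
```
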

Further reading

SSL
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ca.md
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ssl.md
Load balancing
https://coding.net/u/aminglinux/p/nginx/git/blob/master/proxy/lb.md
Analysis of nginx algorithms: https://blog.whsir.com/post-1482.html
root and alias
http://www.ttlsa.com/nginx/nginx-root_alias-file-path-configuration/


Reposted from blog.csdn.net/u013946328/article/details/82833366