Nginx configuration and architecture

Characteristics

  1. Modular design, good extensibility, dynamic module loading.
  2. High availability.
  3. Hot deployment: the configuration can be reloaded, the binary upgraded and the log files rotated without stopping the service.
  4. Low memory consumption: 10k inactive keep-alive connections take roughly 2.5 MB.
  5. Event-driven model, with AIO, mmap and sendfile.

Traditional network transmission (read + write)

Disk >> kernel buffer >> user buffer >> kernel socket buffer >> protocol stack

  1. The read() system call causes a context switch from user mode to kernel mode; DMA then copies the file data from disk into a kernel buffer.
  2. The data is copied from the kernel buffer into the user buffer, read() returns, and a second context switch takes place, from kernel mode back to user mode.
  3. The write() system call causes a third context switch, user mode to kernel mode; the data read in step 2 is copied from the user buffer into a kernel buffer again (the second copy into kernel space), but this time a different one, the buffer associated with the socket.
  4. write() returns with a fourth context switch, kernel mode to user mode; DMA then copies the data from the socket buffer into the protocol stack.

After enabling sendfile

Disk >> kernel buffer (copied in-kernel to the socket buffer) >> protocol stack

  1. The sendfile() system call has DMA copy the file data from disk into a kernel buffer, then copies it directly into the other kernel buffer, the one associated with the socket. There is no switch between user mode and kernel mode; the kernel copies from one of its own buffers to another.
  2. DMA then copies the data from the socket buffer into the protocol stack. Nothing is copied between user mode and kernel mode, because the data never leaves the kernel.
  3. sendfile() is a higher-performance interface than read() plus write(). It sends the contents of in_fd to out_fd, but in_fd must be a descriptor that supports mmap-like operations, i.e. a regular file; it cannot be a socket.
  4. When Nginx serves static files, turning on the sendfile directive improves its performance considerably.
  5. When Nginx is used as a reverse proxy, sendfile does nothing for the proxied responses: the data source is the upstream socket, not a file, which does not satisfy the parameter requirements of sendfile().

In summary: sendfile only accepts a file handle as its input, not a socket. Turn it on for a static file server, where it gives a large performance gain; for a reverse proxy the data comes from a socket, so there is no need to enable it.
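To see the difference in practice, here is an added example (not code from the original post) that pushes a file into one end of a socketpair both ways on Linux and counts how many bytes cross user space: the read()/write() loop copies every byte through a user buffer, whereas os.sendfile() copies none and the kernel moves the data from the page cache to the socket buffer itself. The 32 KiB payload is a constructed value for the demo.

```python
import os
import socket
import tempfile
import threading

# Constructed payload (not from the page): 32 KiB, enough to need several read() calls.
PAYLOAD = bytes(range(256)) * 128


def _drain(sock, want, out):
    """Receiver side: read until `want` bytes or EOF, store the result in `out`."""
    chunks, got = [], 0
    while got < want:
        chunk = sock.recv(65536)
        if not chunk:
            break
        chunks.append(chunk)
        got += len(chunk)
    out["data"] = b"".join(chunks)


def send_file_to_socket(data, use_sendfile):
    """Push `data` from a temporary file into one end of a socketpair.

    Returns (bytes the peer received, bytes that passed through a user-space buffer).
    read()+write(): every byte is copied kernel->user->kernel, so the second value == len(data).
    sendfile():     the kernel copies page cache -> socket buffer directly, so it stays 0."""
    src = tempfile.TemporaryFile()          # a regular file, as sendfile() requires for in_fd
    src.write(data)
    src.flush()
    src.seek(0)
    tx, rx = socket.socketpair()
    result = {}
    receiver = threading.Thread(target=_drain, args=(rx, len(data), result))
    receiver.start()
    user_copied = 0
    if use_sendfile:
        sent = 0
        while sent < len(data):
            # os.sendfile(out_fd, in_fd, offset, count): no user buffer is involved (Linux).
            n = os.sendfile(tx.fileno(), src.fileno(), sent, len(data) - sent)
            if n == 0:
                break
            sent += n
    else:
        while True:
            buf = src.read(4096)            # copy 1: kernel page cache -> user buffer
            if not buf:
                break
            tx.sendall(buf)                 # copy 2: user buffer -> kernel socket buffer
            user_copied += len(buf)
    tx.close()                              # EOF for the receiver
    receiver.join()
    rx.close()
    src.close()
    return result["data"], user_copied


if __name__ == "__main__":
    for flag in (False, True):
        got, copied = send_file_to_socket(PAYLOAD, flag)
        print("sendfile" if flag else "read/write",
              "ok" if got == PAYLOAD else "MISMATCH",
              "user-space bytes copied:", copied)
```

Both paths deliver identical bytes; the only observable difference is the second number, which is exactly the cost the sendfile directive removes for static files.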

Nginx basic functions

  1. Static web server. PHP is not supported as an in-process module; it is run through php-fpm (TCP port 9000, FastCGI). Apache, by contrast, has an in-process PHP module.
  2. Reverse proxy: schedules requests across multiple backend web servers at layer 7. Richer in features than LVS but lower in raw performance; the theoretical concurrency figures cited are around 4,000,000 for LVS and 3,000,000 for Nginx.
  3. LNMP architecture: for dynamic resources, php-fpm is the FastCGI server and Nginx the FastCGI client. The chain is client -> Nginx -> php-fpm -> DB.
  4. uWSGI for Django: the same as LNMP with Python in place of PHP. The chain is client -> Nginx -> Django over uWSGI (Python) -> DB.
  5. Dynamic loading and unloading of modules.

Web server functions

  1. Virtual hosting: vhosts, each in its own file pulled in with include from conf.d.
  2. Keep-alive and pipelined connections.
  3. Access logs, with buffered logging to improve performance.
  4. URL rewrite: the request is redirected to a new address.
  5. Path alias: the alias directive maps a URI prefix onto a directory.
  6. Access control by IP and by user; rate limiting and limits on the number of concurrent connections.
  7. Hot reconfiguration and online binary upgrade.
  8. A GET interface to Memcached.

Nginx architecture

  1. The master process starts and manages a small number of workers (one per core, or simply worker_processes auto). A worker does not spawn many threads; it is a single process that serves many connections through I/O multiplexing.
  2. Each worker contains the various modules that implement, for example, the http, fastcgi and memcache functions.
  3. proxy_cache keeps a local copy of responses so that later client requests are served faster.
    Nginx program structure
  4. Worker processes, no threads: with I/O multiplexing one worker handles many requests.
  5. Module categories: core, standard, third-party.
  6. Core modules (Core Module); standard modules: HTTP module (serving and proxying HTTP), Mail module, Stream module (TCP/UDP proxying, e.g. load balancing database connections); third-party modules.
  7. There are too many modules to cover; learn the frequently used ones.

Nginx's functions

  1. Static web server: html, jpg, css, js, txt and other static resources.
  2. Proxying of dynamic requests to backends over the FastCGI, uWSGI and SCGI protocols.
  3. TCP/UDP forwarding.
  4. Reverse proxy: the backend server sees Nginx's IP as the client address, whereas behind LVS the backend sees the real client's address, so LVS is transparent to it.

Nginx source installation shell script

There are plenty of these online already; I was too lazy to write one.

Nginx installation

  1. The epel-release repository carries nginx. After installation, nginx -V shows that the Red Hat build has "TLS SNI support enabled": one server can serve HTTPS for multiple virtual hosts.
    (An Apache build without SNI support can serve only one HTTPS virtual host per IP:port; Apache has supported SNI since 2.2.12.)
  2. /etc/nginx/conf.d/*.conf holds the virtual hosts: each .conf file defines one server, and the main configuration file /etc/nginx/nginx.conf includes them.
  3. The global context is everything before http {...}; http {...} contains many server {...} blocks, each of which defines a virtual host.

Nginx global configuration

The configuration file is as follows:

user nginx;                    # created when the nginx package was installed
worker_processes auto;         # one worker per CPU; auto does this for you
worker_rlimit_nofile 65535;    # always set this: the per-worker limit on open files, which bounds how many clients a worker can serve concurrently

# worker_cpu_affinity auto;    # or bind explicitly according to the CPU count; pinning workers to CPUs (affinity) improves cache hit rates
# 4 cores: worker_cpu_affinity 0001 0010 0100 1000;
# 8 cores: worker_cpu_affinity 00000001 00000010 ...;
# ps axo pid,cmd,psr | grep nginx    # shows which CPU each worker is currently running on

# worker_priority <num>;       # nice value in [-20, 19]; the lower the value, the higher the priority

error_log /var/log/nginx/error.log;     # error log location; it can also be sent to a remote log server
                                        # a level can be appended: debug|info|notice|warn|error|crit|alert|emerg
pid /run/nginx.pid;                     # path of the pid file

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;    # with include, module configuration can live in separate files
# load_module <file>;                       # load one specific module
# daemon on|off;                            # whether nginx detaches as a background daemon; the default is on.
                                            # with off, nginx stays in the foreground after start, which suits debugging and test environments
# master_process on|off;                    # the default is on; with off there is a single nginx process after restart, no master/worker pair

# Nothing special about this part: the per-user limits on open files and processes
# vim /etc/security/limits.conf
#   hard limit: a strict ceiling that can never be exceeded;
#   soft limit: the value actually enforced; a process may raise it itself, but only up to the hard limit.
# *   soft nproc   65535
# *   hard nproc   65535
# *   soft nofile  65535
# *   hard nofile  65535

events {
    worker_connections 1024;  # max connections per worker; total = worker_processes * worker_connections
    use epoll;                # epoll is selected automatically on Linux, so this line is optional
    # accept_mutex on|off;    # on: workers take turns accepting new connections; off: every worker wakes up (thundering herd),
                              # which can cost performance. Note that the default changed to off in 1.11.3
}

Nginx HTTP configuration:

The most important part: ngx_http_core_module

First, socket configuration:

   server {                           # may be defined in its own file under conf.d
       listen [ADDRESS:]PORT;         # listening address and port, default *:80; IP:PORT binds one address, PORT alone binds all addresses
       server_name SERVER_NAME;       # usually a domain name such as www.xx.com
       location / {
           root /PATH/TO/HTML/LOCATION;   # an absolute path; a relative path is resolved against the default prefix.
                                          # The yum package's default root is /usr/share/nginx/html/
       }
   }                                  # the root must contain index.html, otherwise 403 Forbidden (no index file and autoindex off)

listen []

  1. Accepted forms: PORT, IP:PORT and unix:<socket path>.
  2. default_server: a keyword placed after the listen address; the server marked with it handles requests that match no server_name, such as those addressed to the bare IP and port.
  3. ssl: only TLS connections are served on this port.
  4. backlog=: the kernel's pending-connection queue (the backlog argument of listen(2)). Connections that workers have not yet accepted wait in this queue, up to the given length; beyond it new connection attempts are dropped. For example backlog=6000 lets 6000 not-yet-accepted connections wait. The default is 511 on Linux, and the kernel caps the value at net.core.somaxconn.
  5. rcvbuf=: receive buffer size (SO_RCVBUF); data from the client lands in this buffer first.
    sndbuf=: send buffer size (SO_SNDBUF); data sent back to the client is also queued in a buffer first.

server_name []

  1. Wildcards and regular expressions are supported, e.g. server_name *.a.com; or server_name ~^.*\.a\.com$;. With a wildcard DNS record every x.a.com resolves to this host, and the server block can then redirect them all to www.a.com.
  2. Regex matching is not recommended: it costs CPU on every request; exact names are best.

LOCATION [] can be placed inside server {...} and nested inside location {...}

  1. You must understand the difference between a root defined inside a location and one defined outside it.

  2. root: nothing much to say, it is the site path. Once the document root is settled, root can be placed outside the location (at server level) and is inherited by every location that does not set its own.

  3. LOCATION /...
    # LOCATION corresponds to a part of the URL. Be sure to understand this: location /shit means the path http://<URL>/shit/.

  4. Understand the relationship between root and location:

    location /shit {        # URL: http://www.xx.com/shit/  the URI is appended to root
       root /data/damn;     # real path /data/damn/shit/<resource>, something that really exists on disk
    }
       # A request for http://<site>/shit/<resource>
       # is served from /data/damn/shit/<resource>; the root defined outside the location does not apply here

  5. location = /index.html {...}  # an exact match for one URI: only http://<URL>/index.html hits it; anything with more after it is not an exact match, so http://<URL>/index.html/xx does not.

  6. Location priority. When a location matches, the root inside it takes precedence over the one defined outside. From high to low: = (exact), then ^~ (prefix that stops the regex search), then ~ and ~* (regexes, first match in file order), then plain prefixes (longest match); a plain prefix without any modifier has the lowest priority.

    In production it is rarely made this complicated; complex matching burns CPU.
    Let's illustrate the above with the example from the nginx documentation:

    location = / {            # exact match, highest priority
        [ configuration A ]
    }

    location / {              # used only if nothing else matches, lowest priority
        [ configuration B ]
    }

    location /documents/ {    # more specific than /
        [ configuration C ]
    }

    location ^~ /images/ {    # a ^~ prefix beats the regular expressions
        [ configuration D ]
    }

    location ~* \.(gif|jpg|jpeg)$ {     # a regex beats a plain prefix, i.e. it wins over B and C
        [ configuration E ]
    }

    # The "/" request will match configuration A,
    # the "/index.html" request will match configuration B,
    # the "/documents/document.html" request will match configuration C,
    # the "/images/1.gif" request will match configuration D,
    # the "/documents/1.jpg" request will match configuration E.
    
  7. The difference between alias /xx and root /xx
    alias can only be used inside a location, and a location takes either root or alias, not both.

    location /shit {
        root /xx;        # serves resources under /xx/shit/: the whole URI is appended to root
    }
    location /shit {
        alias /xx;       # serves resources under /xx: the matched prefix is replaced by the alias path
    }

    Note that alias substitutes exactly the matched prefix string, so the block above also maps /shitfoo to /xxfoo. If the alias ends in a slash but the location does not (location /shit { alias /xx/; }), a request for /shit../ lands outside the aliased directory. Either give both the location and the alias a trailing slash or give neither.
    
  8. Error pages. Defined as below, so you can provide your own 404 page:

    error_page 404 /404.html;
    location /404.html {
        root /data/a/error/;
    }

    To stop 360 Browser from hijacking the 404 page, the following form can be used to prevent page hijacking:

    error_page 404 =200 /404.html;         # the error is still handled as a 404 internally, but the status sent to the browser is 200, so 360 treats it as a normal page and does not hijack it
    location /404.html {
        root /data/a/error/;
    }

    Bear in mind that this turns the response into a "soft 404": every other client and crawler will also treat the missing page as a real one.

  9. try_files file1 file2 ... uri: checks each argument in order; if none of the first n-1 exist, the last one is used as an internal redirect (it can also be =code to return a status).

Second, other http {...} configuration items

  1. tcp_nodelay on | off:
    enables the TCP_NODELAY option once a connection is in keep-alive mode; can be used in http, server and location.
    off: small writes are delayed so that several can be merged into one segment  # less load on the server, but the batching hurts the client's latency
    on: nothing is delayed, each write goes out as soon as it is ready  # a little more server cost, but a better client experience; generally on.

  2. sendfile on | off:
    off by default. It has no effect for a reverse proxy; for serving static resources it is strongly recommended, since it skips the copy from the kernel into user space and back into the socket buffer.

  3. server_tokens on | off | build | string:
    whether the Server response header (and error pages) show the Nginx version; can be used in http, server and location.
    Exposing the nginx version is bad for security: it makes it easy for an attacker to look up vulnerabilities for that exact version. Set it to off (the header then reads just "Server: nginx").
    Replacing it with an arbitrary string requires the commercial version; JD's site, for instance, reports the server name JDWS rather than Nginx.

  4. keepalive_timeout: commonly set to 30 seconds; tune it to the traffic pattern (the default is 75s).

  5. keepalive_requests: the maximum number of requests that can be served over one keep-alive connection.

  6. keepalive_disable none | browser: disables keep-alive for the given browsers.

  7. send_timeout <time>: timeout for sending a response to the client. It applies between two successive writes, not to the transmission of the whole response.

  8. client_body_buffer_size 128k:
    buffer for the body of a client request; the default is two memory pages (8K on x86-64, 16K on some other 64-bit platforms), and a body larger than the buffer is written to a temporary file on disk.
    client_max_body_size 10M:
    the largest request body accepted, here 10M; a larger one is answered with 413.
    client_body_temp_path <path> 1 2 2:
    the directory for those temporary files, with up to three subdirectory levels. nginx names each temporary file with a 10-digit sequence number, and the levels are taken from the end of that name: with 1 2 2 the last digit forms the first level, the two digits before it the second and the two before those the third, giving a path of the form <path>/3/12/00/0000000123.
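The level layout is simple enough to reproduce. The following added example (not the original post's code) builds the subdirectory path from a file name the way nginx does, both for the 10-digit temporary file numbers of client_body_temp_path and for proxy_cache_path, where the file name is the MD5 of the cache key; the base directories, the file number and the cache key are constructed inputs.

```python
import hashlib


def leveled_path(base, name, levels):
    """Place `name` under `base` using nginx-style directory levels.

    Each level takes that many characters from the END of the name, working backwards:
    levels (1, 2, 2) and name "0000000123" give base/3/12/00/0000000123."""
    if not 1 <= len(levels) <= 3 or any(width not in (1, 2) for width in levels):
        raise ValueError("nginx allows one to three levels of 1 or 2 characters each")
    if len(name) < sum(levels):
        raise ValueError("name is shorter than the combined level width")
    parts, end = [], len(name)
    for width in levels:
        parts.append(name[end - width:end])
        end -= width
    return "/".join([base.rstrip("/")] + parts + [name])


def client_body_temp_file(base, seq, levels=(1, 2, 2)):
    """Temporary request-body file under client_body_temp_path: nginx names it with a
    zero-padded 10-digit sequence number (the number here is a constructed value)."""
    return leveled_path(base, "%010d" % seq, levels)


def proxy_cache_file(base, cache_key, levels=(1, 2)):
    """Cache file under proxy_cache_path ... levels=1:2: the file name is the MD5 of the
    cache key (by default $scheme$proxy_host$request_uri)."""
    return leveled_path(base, hashlib.md5(cache_key.encode()).hexdigest(), levels)


if __name__ == "__main__":
    print(client_body_temp_file("/var/lib/nginx/tmp/client_body", 123))
    print(proxy_cache_file("/var/cache/nginx", "httpexample.com/index.html"))
```

Knowing the layout is useful when you need to find or purge one cached object by hand: hash the key, take the trailing characters according to the configured levels, and the path follows.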

Origin blog.csdn.net/weixin_41047549/article/details/90321744