nginx: dynamic and static separation, anti-leech, location (4)

static and dynamic separation

To speed up a website, dynamic pages and static pages can be served by different servers, which speeds up responses and reduces the load on what was a single server. The effect is especially noticeable when static content is split off from Tomcat, because Tomcat serves static files very slowly. The principle is simple: use regular expressions to match and filter requests, then hand them to different servers.

Servers that handle static content: nginx, Apache

Servers that handle dynamic content: web containers / web middleware, such as php (php), tomcat (java), uwsgi (python)

Let's do a simple experiment

lab environment:

192.168.242.138 (proxy + load balancing + dynamic and static separation)

192.168.242.134 static server

192.168.242.140 dynamic server

The purpose of the experiment: access the proxy server's IP in a browser on the computer; dynamic requests are forwarded to the dynamic server and static requests to the static server.

Experiment idea: deploy the static server first, put a picture in its website publishing directory, and configure the corresponding publishing page. On the dynamic server install php, php-mysql, mysql, nginx and related services and bring up the open-source qqfarm. Once the static server and the dynamic server can both be accessed normally, deploy the dynamic/static separation on the proxy server.

Note: when doing experiments like this, make sure firewalld and selinux are turned off. If the experiment fails because of those two sources of all evil, it is very annoying to track down.

experiment procedure:

Deploy a static server:

Install nginx (steps omitted)
[root@localhost ~]# systemctl start nginx
[root@localhost ~]# vim /etc/nginx/conf.d/abc.conf 
server {
        listen 80;
        server_name localhost;
        location / {
                root  /abc;
                index index.html;
        }
 
}
[root@localhost ~]# mkdir /abc     create the website publishing directory; it must match the root in the nginx sub-configuration file
[root@localhost ~]# vim /abc/index.html    edit the website publishing page
<html>                                     # this HTML is borrowed from elsewhere; there is no need to write it yourself
        <head>
        <meta charset="utf-8">
        <title>qf.com</title>
</head>
<body>
    <center><img src="../1.png" alt="xingdian"  /></center>   # 1.png refers to the picture in the publishing directory
</body>
</html>
Upload a picture to the website publishing directory
[root@localhost ~]# cd /abc/
[root@localhost abc]# ls
1.png  index.html           # the picture's name must match the name referenced in index.html, otherwise it will fail to load
[root@localhost abc]# nginx -t
[root@localhost abc]# nginx -s reload

Browser access to static server ip verification. (success)

Deploy the dynamic server

Install nginx, php, php-fpm, php-mysql, php-gd and gd (process omitted)
Install mysql5.37; after installing, run grep password /var/log/mysqld.log to find the initial password, log in to mysql, create the database 'farm' that the project needs, and create a user named after the project, 'farm'.
Then configure the nginx website publishing directory on the dynamic server
[root@localhost ~]# vim /etc/nginx/conf.d/php.conf   edit the sub-configuration file
server {
        listen 80;
        server_name localhost;
        location / {
        root /php;
        index index.php ;
        }
        location ~ \.php$ {        # make nginx hand .php requests to php-fpm
        root /php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
 
        }
}
[root@localhost ~]# mkdir /php   # create the website publishing directory
 
Edit the php configuration file
[root@localhost ~]# vim /etc/php.ini 
.....
short_open_tag = On      # enable this setting
....
 
Upload the project files to the website publishing directory
[root@localhost ~]# cp -r upload/* /php 
[root@localhost ~]# chmod 777 /php -R    # recursively set the publishing directory's permissions to 777 (far broader than php-fpm needs: read access, plus write access only on the directories the app writes to, is enough)
 
Import the qqfarm project's data into the farm database in mysql
[root@localhost ~]# mysql -uroot -p1 farm </php/qqfarm.sql 
[root@localhost ~]# systemctl restart nginx php-fpm.service  # restart nginx and php-fpm

Access the dynamic server's IP in the browser to verify (success). (Note: this page is not what you see on the first visit. On the first visit there is a page that checks whether the server is configured correctly; if the configuration is successful it enters the guide page, where the database user logs in. If there is a problem with the configuration, the page shows what went wrong.)

Next, deploy our proxy server

Install nginx (process omitted)
[root@localhost ~]# systemctl start nginx
[root@localhost ~]# vim /etc/nginx/nginx.conf   edit the main configuration file
as shown in the figure below (the figure is missing from this copy; it is where the upstream groups php and abc that the proxy_pass lines in the sub-configuration file point at are defined):

Then add and edit a sub-configuration file to do the dynamic/static separation
[root@localhost ~]# vim /etc/nginx/conf.d/proxy.conf
server {
        listen 80;
        server_name localhost;
        location / {
        proxy_pass http://php;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location ~ \.(html|gif|jpg|png|bmp|swf|css|js)$ {
        proxy_pass http://abc;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
        }
}
[root@localhost ~]# nginx -t 
[root@localhost ~]# nginx -s reload

In the browser, access the proxy server's IP, remembering to add the path after the IP: add /index.html to reach the static server, and add nothing to reach the dynamic server, because the dynamic-server location we set in the sub-configuration file uses the catch-all prefix '/'.

The request is forwarded to the static server

The request is forwarded to the dynamic server


Anti-leech

Suppose there are two websites, A and B, and website A embeds pictures hosted on website B; this behaviour is called hotlinking. Anti-leeching means preventing A from referencing B's pictures.

The nginx module that prevents website resources from being hotlinked: ngx_http_referer_module

HTTP Referer is a request header. When a browser sends a request to a web server it usually includes the Referer, telling the server which page the request was linked from; the server can use this information, for example to stop unauthorized sites from hotlinking pictures, files and so on. However, the HTTP Referer header can be forged or generated by a program, so anti-leeching based on the Referer is not 100% reliable, but it does stop most hotlinking.

lab environment:

192.168.242.134 is used for the anti-leech deployment (server A)

192.168.242.137 does the hotlinking (tests whether the anti-leech works) (server B)

Make sure firewalld and selinux are turned off before the experiment

Experiment idea: first upload the picture to server A's website publishing directory and access A's IP in the browser to see the picture; then hotlink the picture from server B, and access B's IP in the browser to see A's picture (this shows the hotlinking succeeds). Then deploy anti-leech on server A and access B's IP again: if the picture can no longer be seen, the anti-leech deployment succeeded; otherwise it failed.

experiment procedure:

Upload a picture on server A
[root@localhost abc]# vim /etc/nginx/conf.d/abc.conf   edit the sub-configuration file
server {
        listen 80;
        server_name localhost;
        location / {
                root  /abc;
                index index.html;
        }
 
}
[root@localhost abc]# mkdir /abc   create the website publishing directory
Upload the picture into the directory and write an index.html
[root@localhost abc]# ls
1.png  index.html
[root@localhost abc]# vim index.html 
<html>
        <head>
        <meta charset="utf-8">
        <title>qf.com</title>
</head>
<body>
    <center><img src="../1.png" alt="xingdian"  /></center>
</body>
</html>
 

B machine

B has a website publishing directory with an index.html test page (no picture is needed; the picture is hotlinked directly from A)
[root@localhost ~]# vim /etc/nginx/conf.d/daotu.conf  create and edit the sub-configuration file
server {
        listen 80;
        server_name localhost;
        location / {
        root /daotu;
        index index.html;
        }
}
[root@localhost ~]# mkdir /daotu
[root@localhost ~]# vim /daotu/index.html
<html>
<head>
    <meta charset="utf-8">
    <title>qf.com</title>
</head>
<body style="background-color:red;">
    <img src="http://192.168.242.134/1.png" />    hotlink the picture from server A
</body>
</html>
[root@localhost conf.d]# nginx -t
[root@localhost conf.d]# nginx -s reload

The browser accesses the IP of server B (successful hotlinking)

Then deploy anti-leech on server A

[root@localhost ~]# vim /etc/nginx/nginx.conf 
# add "$http_referer" to the log format; if it is already there, do not add it again
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
 
[root@localhost ~]# vim /etc/nginx/conf.d/abc.conf   edit the sub-configuration file and add the anti-leech configuration
server {
        listen 80;
        server_name localhost;
        location ~ {
        root /abc;
 
        valid_referers none blocked 192.168.31.54;
                if ($invalid_referer) {
                return 403;
                }
        }
        location / {
                root  /abc;
                index index.html;
        }
 
}
• none : allow requests that carry no http_referer to access the resource;
• blocked : allow requests whose Referer does not start with http:// (no protocol, i.e. stripped by a firewall) to access the resource;
• server_names : only allow requests coming from the specified ips/domain names to access the resource (white list);
[root@localhost ~]# nginx -s reload

The browser accesses the IP of server B to verify whether hotlinking is still possible (the hotlinking fails, indicating that the anti-hotlinking deployment of server A is successful)

Then we add server B's IP to server A's configuration file, allowing requests from the specified ip/domain name to access the resource (white list), and verify again on the server.

Access the ip of the B server on the browser, and you can see the picture information.
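As an added illustration that is not nginx's own code and not part of the original post, the Python below models the valid_referers check configured above and runs the same check over a few constructed access-log lines in the main log_format, counting image requests whose Referer would be rejected. The allow-listed host 192.168.31.54 is the one from the config; the log lines and the parsing regex are assumptions.

```python
import re
from urllib.parse import urlsplit

# Simplified model of nginx's valid_referers / $invalid_referer (not nginx code).
# Allow-list taken from the config above: valid_referers none blocked 192.168.31.54;
ALLOWED = {"192.168.31.54"}

def invalid_referer(referer, allowed=ALLOWED, none=True, blocked=True):
    """True when nginx would set $invalid_referer for this Referer value.
    none    -> a request with no Referer header at all is allowed
    blocked -> a Referer without an http:// or https:// scheme (stripped by a
               firewall or proxy) is allowed
    names   -> otherwise the Referer's host must be on the allow-list"""
    if not referer or referer == "-":          # "-" is how the log shows a missing header
        return not none
    if not re.match(r"https?://", referer, re.IGNORECASE):
        return not blocked
    return (urlsplit(referer).hostname or "") not in allowed

def status_for(referer):
    """The 'if ($invalid_referer) { return 403; }' branch of the config."""
    return 403 if invalid_referer(referer) else 200

# Parser for the page's 'main' log_format; captures client, method, URI, status, referer.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"')

# Constructed sample log lines (not real traffic): a direct visit, a hotlink from
# server B, a visit from the allow-listed host, and a plain page request.
SAMPLE_LOG = """\
192.168.242.1 - - [10/Oct/2023:10:00:01 +0800] "GET /1.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
192.168.242.1 - - [10/Oct/2023:10:00:02 +0800] "GET /1.png HTTP/1.1" 200 5120 "http://192.168.242.137/" "Mozilla/5.0" "-"
192.168.242.1 - - [10/Oct/2023:10:00:03 +0800] "GET /1.png HTTP/1.1" 200 5120 "http://192.168.31.54/index.html" "Mozilla/5.0" "-"
192.168.242.1 - - [10/Oct/2023:10:00:04 +0800] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0" "-"
"""

def hotlink_referers(log_text, allowed=ALLOWED):
    """Apply the same check to logged image requests; returns {referer host: count}
    for the Referers the config would reject, which is exactly what adding
    "$http_referer" to log_format lets you see."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri, referer = m.group(3), m.group(5)
        if re.search(r"\.(gif|jpg|png|bmp)$", uri, re.IGNORECASE) and invalid_referer(referer, allowed):
            host = urlsplit(referer).hostname or referer
            counts[host] = counts.get(host, 0) + 1
    return counts
```

status_for() returns 200 for any client that sends an allow-listed Referer, which is the limitation the text above points out.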

 

location block

The HTTP configuration of nginx consists mainly of three nested blocks, structured as follows:

http {                          # this is the protocol level
  include mime.types;
  default_type application/octet-stream;
  keepalive_timeout 65;
  gzip on;
  server {                      # this is the server level
    listen 80;
    server_name localhost;
    location / {                # this is the request level
      root html;
      index index.html index.htm;
    }
    location ~ \.(html|jpg)$ {
      root /abc;
    }
  }
}

1. Location section
• location is configured inside the server block; different configurations are applied according to the URI to handle different requests.
• Locations are ordered, and the request is processed by the first matching location.
The basic syntax is as follows:
location [=|~|~*|^~|@] pattern { …… }

2. The meaning of the location prefix
= exact match; this also has the highest priority
^~ the uri starts with the given string; can be understood as matching the url path
~ case-sensitive regular match
~* case-insensitive regular match
!~ case-sensitive non-matching regular
!~* case-insensitive non-matching regular
/ universal match; any request will be matched

3. Examples of location configuration

1) No modifier: the URI must start with the specified pattern
 
    location  / {
        root    /abc/location;   (under /abc/location there is a directory abc and an index.html)
        index   2.html;
    }
 
2) = : the URI must match the specified pattern exactly (create a website publishing directory containing a.html and b.html)
    location = / {
        root /usr/share/nginx/html;
        index b.html index.htm;
    }
    
    location / {
        root /usr/share/nginx/html;
        index a.html index.htm;
    }    # the first location block is matched first; only if it does not match is the second location tried
 
3) ~ : the specified regular expression is case-sensitive
    location ~ \.(jpg|css)$ {
        root location;    // there must be a file ending in .jpg under the location directory
    }
 
4) ~* : the specified regular expression is case-insensitive
    location ~*  \.(JPG|css)$ {
        root location;   // there must be a file ending in .jpg under the location directory
    }
 

Search order and priority
1: Exact match with "=" is preferred
2: Exact match without a modifier
3: Regular expressions, in the order they are defined in the configuration file
4: With the "^~" modifier, matching the beginning of the URI
5: With the "~" or "~*" modifier, if the regular expression matches the URI
6: Without a modifier, if the specified string matches the beginning of the URI

Priority only comes into play when there is a location that can match the request.

If the submitted url can only match one location, that location's parameters process the request.

= is higher than ^~, which is higher than ~|~*|!~|!~*, which is higher than /. With multiple location configurations the matching order is: first =, then ^~, then the regular patterns, and finally the / general match. Once a match succeeds, matching stops and the request is processed according to the matched rule.

(1) = : complete match;
(2) ^~ : matches the prefix of the URI, and regular expressions are no longer checked; if a URI satisfies two rules at the same time, the longest rule matches;
(3) ~ : regular expression match, case-sensitive;
(4) ~* : regular expression match, case-insensitive;
priority: (1) > (2) > (3)

location block matching example

location = / {
  # only matches the query / exactly.
  [ configuration A ]
}
location / {
  # matches any query starting with /, but regular expressions and longer prefix strings are matched first.
  [ configuration B ]
}
location ^~ /images/ {
  # matches any query starting with /images/ and stops searching; regular expressions are not checked.
  [ configuration C ]
}
location ~* \.(gif|jpg|jpeg)$ {
  # matches any file ending in gif, jpg or jpeg, but all requests under /images/ are handled by configuration C.
  [ configuration D ]
}
Each request is handled as follows:
	/ → configuration A
	/documents/document.html → configuration B
	/images/1.gif → configuration C   although it ends in .gif, the search stops once /images/ matches, so it is not handed to D
	/documents/1.jpg → configuration D

The difference between the root and alias directives

location /img/ {
    alias /var/www/image/;
}
# with the configuration above, when a file under /img/ is requested, nginx looks for it in /var/www/image/
location /img/ {
    root /var/www/image;
}
# with this configuration, when a file under /img/ is requested, nginx looks for it in /var/www/image/img/
 
• alias defines an alias for a directory;
• root defines the top-level directory.
• another important difference is that alias must end with a "/", otherwise the file will not be found, while for root the trailing "/" is optional

example

location /img/ {
    alias /abc/location/;
}
 
location /img/ {
    root /abc/location;
}
 
Website contents
[root@localhost ~]# tree /abc/location
/abc/location
├── img
│   └── index.html
└── index.html
curl 192.168.242.134/img/index.html
is handled by the alias location block and reaches /abc/location/img/index.html
 
If it is changed to root /abc/location/img, then /abc/location/img/index.html is reached
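An added illustration, not nginx's own code and not from the original post, that models the location selection of the configuration A-D example above, the same selection the proxy.conf earlier on the page uses to split static from dynamic requests, and the root/alias mapping of this section. The two location tables are transcribed from those configurations; everything else is an assumption of the model.

```python
import re

# Simplified model (not nginx code) of how nginx chooses a location for a URI and
# how root / alias then turn the URI into a file path. Locations are
# (modifier, pattern, label); tables taken from the page's own configurations.
EXAMPLE = [                      # the configuration A-D example
    ("=",  "/",                  "A"),
    (None, "/",                  "B"),
    ("^~", "/images/",           "C"),
    ("~*", r"\.(gif|jpg|jpeg)$", "D"),
]
PROXY = [                        # the dynamic/static separation proxy.conf
    (None, "/",                                      "php"),   # dynamic upstream
    ("~",  r"\.(html|gif|jpg|png|bmp|swf|css|js)$", "abc"),   # static upstream
]

def select_location(uri, locations):
    """Label of the location nginx uses for uri: an '=' equal to the URI wins;
    else the longest matching prefix is remembered and wins at once if it is '^~';
    else the first '~' / '~*' regex matching in file order wins; else the prefix."""
    best = None
    for mod, pattern, label in locations:
        if mod == "=" and uri == pattern:
            return label
        if mod in (None, "^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (mod, pattern, label)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pattern, label in locations:
        if mod in ("~", "~*") and re.search(pattern, uri, re.IGNORECASE if mod == "~*" else 0):
            return label
    return best[2] if best is not None else None

def map_to_file(prefix, directive, value, uri):
    """File nginx opens for uri inside 'location <prefix> { <directive> <value>; }':
    root appends the whole URI to its value; alias replaces the matched prefix
    with its value (so the alias should end in '/' when the prefix does)."""
    if not uri.startswith(prefix):
        raise ValueError("uri is not handled by this location")
    if directive == "root":
        return value.rstrip("/") + uri
    if directive == "alias":
        return value + uri[len(prefix):]
    raise ValueError("directive must be root or alias")
```

With the tree shown above, the model maps /img/index.html to /abc/location/index.html under the alias form and to /abc/location/img/index.html under the root form; note also that the proxy's case-sensitive `~` sends /Logo.PNG to the dynamic upstream.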


Origin blog.csdn.net/qq_50660509/article/details/129715333