Table of contents
- 1. Introduction to Nginx
- 2. Compile and install Nginx service
  - 1. Turn off the firewall, install the build dependencies and put the Nginx source package in /opt
  - 2. Compile and install Nginx
  - 3. Create a user and group for better management
  - 4. Create a soft link and start it
  - 5. Stop Nginx
  - 6. Add Nginx as a system service
  - 7. Nginx configuration file
  - 8. Open the browser and test
- 4. Access status statistics configuration
- 5. Authorization-based access control
- 6. Client-based access control
- 7. Nginx virtual host based on domain name
- 8. Nginx virtual host based on IP address
- 9. Nginx virtual host based on port
- SSH log inspection (/var/log/secure)
1. Introduction to Nginx
1. Introduction to Nginx
Nginx (characteristics: low memory usage, high concurrency)
Nginx is a high-performance HTTP and reverse proxy server.
Nginx is a lightweight web server, reverse proxy server and mail (IMAP/POP3/SMTP) proxy server.
A single physical server is commonly quoted as handling 30,000 to 50,000 concurrent connections; the real figure depends on the hardware, the kernel limits and the workload.
Tengine
Tengine is a web server project initiated by Taobao. Based on Nginx, it adds many advanced functions and features for the needs of high-traffic websites, and its performance and stability have been proven on large sites such as Taobao and Tmall. (It can be understood this way: Taobao took the Nginx source code, added functions and optimizations, and submitted them upstream; because the upstream Nginx project was slow to respond or did not respond at all, and communication across languages was difficult, Taobao packaged the work itself and carried out secondary development under an open-source license, which is how the current Tengine came about. Note that Nginx itself is released under a BSD-style license, not the GPL.)
Note: the concurrent-connection capacity of Nginx is bounded by two factors
1. The number of CPU cores (which sets how many worker processes are useful)
2. The maximum number of open files (file descriptors) the operating system allows the process, since every connection consumes one; raise it with ulimit -n and worker_rlimit_nofile if needed
Apache
Apache (with the classic prefork MPM) is process-based. A process costs more system overhead than a thread, so adding processors to one machine yields less than it does for an event-driven server; when an Apache site expands it is usually done by adding servers or cluster nodes rather than processors.
2. I/O model related concepts
- The Nginx service uses an asynchronous, non-blocking model: requests do not wait in a queue, and the result of a finished I/O task is delivered to the worker by the kernel.
- The Apache service (prefork) uses a synchronous, blocking model: each process waits for its own I/O, so further requests queue until a process is free.
- Synchronous/asynchronous describes the message-communication mechanism: once the caller has asked for something to be done, does the callee notify the caller when it completes?
- Synchronous: the caller has to ask for (or wait for) the result itself.
- Asynchronous: the caller does not poll for the result; the callee delivers it when it is ready.
- Blocking/non-blocking describes the state of the caller while it waits.
- Blocking: the calling thread is suspended until the I/O completes, so other requests on that thread have to queue.
- Non-blocking: the call returns at once whether or not the data is ready, so one thread can keep serving other requests in the meantime.
3. Nginx event-driven model
1. select : the application hands the kernel a fixed-size bitmap of file descriptors and asks which are ready; the set is limited to FD_SETSIZE, normally 1024 descriptors.
It only learns that some I/O event has occurred, not on which descriptors (there may be one, several, or all of them), so the application must scan every descriptor in the set to find the ones ready to read or write. select therefore costs an O(n) scan on every call, and the more descriptors are watched at the same time, the longer each scan takes.
2. poll : an enhanced select that removes the 1024 limit.
poll is essentially the same as select: it copies the descriptor list passed in by the user into kernel space and then checks the state of each fd, but because the list is a variable-length array of pollfd structures rather than a fixed-size bitmap, there is no hard limit on the number of descriptors.
3. epoll : an enhanced poll.
epoll stands for event poll. Unlike busy polling and indiscriminate scanning, epoll tells the application exactly which descriptor became ready and for which I/O event, so the cost is proportional to the number of ready descriptors rather than the number being watched. That is why epoll is called event-driven (each event is associated with an fd), and why operating on those descriptors is worthwhile. Nginx picks epoll automatically on Linux; the events block can also select it explicitly with use epoll.
4. The difference between Nginx and Apache
1. Nginx is an event-driven web server; Apache (prefork) is a process-based server
2. One Nginx worker handles many connections in a single thread with an event loop; an Apache process or thread handles a single request at a time
3. Nginx avoids spawning a child process per connection; Apache is built around child processes
4. Nginx is better in terms of memory consumption and connection handling; Apache is average
5. The performance and scalability of Nginx depend less on hardware; Apache's throughput is tied more directly to CPU and memory
6. Nginx supports hot deployment (configuration reload and in-place binary upgrade without dropping connections); Apache offers a graceful restart but no comparable in-place binary upgrade
7. Nginx is more efficient at serving static files; Apache is average
8. Nginx has obvious advantages in reverse proxy scenarios; Apache is average
Generally speaking, web services that need performance use Nginx; if performance matters less than stability and a mature module ecosystem, choose Apache.
2. Compile and install Nginx service
1. Turn off the firewall, install the build dependencies and put the Nginx source package in /opt
systemctl stop firewalld
systemctl disable firewalld #turn off the firewall (lab only; on a production host keep firewalld running and open just TCP 80/443)
yum -y install pcre-devel zlib-devel gcc gcc-c++ make #install the build dependencies
#copy the nginx-1.22.0.tar.gz source package into /opt
2. Compile and install Nginx
cd /opt/
tar zxvf nginx-1.22.0.tar.gz
cd nginx-1.22.0/
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module
#--prefix: Nginx installation path
#--user / --group: the account and group the worker processes run as (written into the generated nginx.conf)
#--with-http_stub_status_module: build the http_stub_status_module, which provides the status statistics page used later
#(the comments are kept on their own lines: a comment after a trailing backslash ends the line continuation and breaks the ./configure command)
make -j2 && make install
3. Create a user and group for better management
(The Nginx service program runs as nobody by default. It is recommended to create a dedicated account for it so that its access rights can be controlled precisely; the --user/--group options above only write the name into nginx.conf, the account itself still has to exist before Nginx starts.)
useradd -M -s /sbin/nologin nginx #no home directory, no login shell
4. Create a soft link and start it
#create a soft link so the nginx command is found on the PATH
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
#check that the configuration file is valid
nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
#start nginx
nginx
#check that nginx is listening
netstat -antulp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5964/nginx: master
#if port 80 is already taken by a running nginx, find the master PID first
cat /usr/local/nginx/logs/nginx.pid
netstat -antulp | grep nginx
#then stop it with kill -3 (signal 3 is SIGQUIT, which makes the master shut down gracefully after finishing in-flight requests; it does not pause the process)
kill -3 5964
5. Stop Nginx
#First check the PID number of the nginx master process
cat /usr/local/nginx/logs/nginx.pid
netstat -antulp | grep nginx
#Stop nginx gracefully (kill -3 sends SIGQUIT; kill -15, SIGTERM, would stop it immediately instead)
kill -3 5964
netstat -antulp|grep nginx
#At this point the process no longer appears in the listing
6. Add Nginx as a system service
vim /lib/systemd/system/nginx.service
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
#set the file mode and start the service (the manually started nginx from step 4 must be stopped first, or port 80 will be in use)
chmod 754 /lib/systemd/system/nginx.service #644 is the usual mode for unit files; the execute bit is not needed
systemctl start nginx.service #run systemctl daemon-reload after editing the unit file, and systemctl enable nginx.service to start it at boot
#check port 80 again
lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 6032 root 6u IPv4 35351 0t0 TCP *:http (LISTEN)
nginx 6033 nginx 6u IPv4 35351 0t0 TCP *:http (LISTEN)
#the master process runs as root (it binds port 80); the worker runs as the nginx user created above
nginx -v #show the nginx version
nginx version: nginx/1.22.0
7. Nginx configuration file
Nginx main configuration file
Global block : directives that affect nginx as a whole. Typically the user and group the worker processes run as, the path of the pid file, the error log path, configuration file includes, and the number of worker processes.
events block : settings that affect the connection between the nginx server and its clients: the maximum number of connections per worker process, which event-driven model (epoll, select, ...) handles connection requests, whether a worker may accept several new connections at once (multi_accept), and whether accept serialization (accept_mutex) is enabled.
http block : may contain multiple server blocks; holds most functional configuration such as proxying, caching, log format definitions and third-party module settings. Examples: file includes, mime-type definitions, log customization, whether to use sendfile, connection timeouts, the number of requests allowed per keep-alive connection, and so on.
server block : configures the parameters of one virtual host; one http block can contain multiple server blocks.
location block : configures how requests are routed and how the different URIs are handled.
vim /usr/local/nginx/conf/nginx.conf #nginx.conf is the main configuration file
Detailed explanation of nginx.conf
worker_processes 1;
#global setting: how many worker processes to run (one master process is always started on top); set it to the number of CPU cores, or to auto to size it from the core count automatically
events {
#the events module: connection handling
worker_connections 1024;
#maximum simultaneous connections per worker process; each connection needs an open file descriptor, so the system file limit must allow it
}
http {
#the http module: everything related to serving web content goes here
include mime.types;
#mime.types maps file extensions to content types so the browser knows which files to render; a type not listed falls back to default_type
default_type application/octet-stream;
#default content type, which makes the browser download the file instead of displaying it
sendfile on;
#use the sendfile() system call for file transfers
keepalive_timeout 65;
#keep-alive connection timeout, in seconds
server {
#a server block inside http: listening port, virtual host name, and so on
listen 80;
#listen on port 80 of all addresses
server_name localhost;
#host name served by this block; can be a (virtual) domain name
location / {
#a location block inside server
root html;
#document root for this location, relative to the --prefix directory
index index.html index.htm;
#default files to look for: index.html first, then index.htm if it does not exist
}
error_page 500 502 503 504 /50x.html;
#for 500, 502, 503 and 504 errors, serve the /50x.html page
location = /50x.html {
#exact-match location: only the URI /50x.html uses this block
root html;
}
}
}
[root@localhost conf]# mkdir -p /var/www/{abc,123}
[root@localhost conf]# cd /var/www/
[root@localhost www]# ls
123 abc
[root@localhost www]# echo 'this is 123 test web!' > 123/index.html
[root@localhost www]# echo 'this is abc test web!' > abc/index.html
vim /usr/local/nginx/conf/nginx.conf
#add two location blocks inside the server block; with root /var/www the request URI is appended to the root, so /abc is served from /var/www/abc and /123 from /var/www/123
location /abc {
root /var/www;
index index.html;
}
location /123 {
root /var/www;
index index.html;
}
systemctl reload nginx #re-read the nginx.conf main configuration after the change
8. Open the browser and test
4. Access status statistics configuration
Modify the nginx.conf configuration file, specify the access location and add the stub_status configuration
#first run /usr/local/nginx/sbin/nginx -V to check whether the installed Nginx includes the http_stub_status_module
[root@localhost ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
cat /opt/nginx-1.22.0/auto/options | grep YES #lists the modules enabled by default in the source tree; the configure arguments printed by nginx -V show what was actually built
vim /usr/local/nginx/conf/nginx.conf
#add a location for the stub_status module inside the server block
location /state { #the status page is served at /state
stub_status on; #turn on status statistics
access_log off; #disable logging for this location
}
The status page discloses connection counts to anyone who can reach it, so it should be restricted with allow/deny rules (as done in the client-based access control section) rather than left open.
Write a script to monitor the number of concurrent connections
#!/bin/bash
# Poll the stub_status page every two seconds and warn when active connections reach a threshold
threshold=1000 #the original used 1, which fires on every poll because the curl request itself counts as an active connection
while true
do
    count=$(curl -Ls http://192.168.154.10/state | awk '/Active connections/ {print $3}')
    if [ -n "$count" ] && [ "$count" -ge "$threshold" ]; then
        echo "Warning: concurrent load is high, active connections: $count" #double quotes so $count is expanded
    fi
    sleep 2 #check every two seconds
done
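As an added example (not from the original post) of what the monitoring script is reading, the following parses the page that stub_status produces and checks two things a bare counter does not: whether active connections exceed a limit, and whether the accepts and handled counters have drifted apart, which the nginx documentation describes as a sign that a resource limit such as worker_connections was hit. SAMPLE_STATUS is a constructed copy of the page format, not output captured from the author's server; the server address and the /state path are taken from this page, and the limit of 200 is chosen for the demo.

```bash
#!/bin/bash
# Added example (not from the original post): parse the stub_status page and
# report overload. SAMPLE_STATUS is a constructed copy of the page's format.
SAMPLE_STATUS='Active connections: 291
server accepts handled requests
 16630948 16630940 31070465
Reading: 6 Writing: 179 Waiting: 106'

# status_field PAGE NAME -> the numeric value of one counter.
# NAME is one of: active accepts handled requests reading writing waiting
status_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Active connections:/             { v["active"] = $3 }
        /^server accepts handled requests/ { getline
                                             v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        /^Reading:/                        { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END { print v[want] + 0 }'
}

# status_problems PAGE MAX_ACTIVE -> one line per problem found (empty if healthy)
status_problems() {
    page=$1; max_active=$2
    active=$(status_field "$page" active)
    accepts=$(status_field "$page" accepts)
    handled=$(status_field "$page" handled)
    waiting=$(status_field "$page" waiting)
    if [ "$active" -gt "$max_active" ]; then
        echo "active connections $active exceed limit $max_active"
    fi
    # accepts > handled means a worker could not take every connection:
    # typically worker_connections or the open-file limit was reached
    if [ "$accepts" -ne "$handled" ]; then
        echo "dropped connections: accepted $accepts but handled only $handled ($((accepts - handled)) lost)"
    fi
    # most connections idle in keep-alive is not an error, just worth knowing
    if [ "$active" -gt 0 ] && [ $((waiting * 100 / active)) -ge 80 ]; then
        echo "note: $waiting of $active connections are idle keep-alive connections"
    fi
    return 0
}

# fetch_status URL -> the live page (not called in the demo so it runs offline)
fetch_status() {
    curl -s --max-time 5 "$1"
}

# Demo on the constructed sample; for a live check replace the sample with
#   status_problems "$(fetch_status http://192.168.154.10/state)" 200
status_problems "$SAMPLE_STATUS" 200
```

Run from cron or a loop, the problem lines can be sent to the same alert channel as the warning above; the accepts/handled comparison is the one to watch, since a growing gap means clients are being turned away even if the active count looks modest.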
5. Authorization-based access control
[root@localhost ~]# yum install -y httpd-tools
#generate the user/password authentication file (-c creates the file; omit -c when adding further users, or the file is overwritten)
[root@localhost ~]# htpasswd -c /usr/local/nginx/passwd.db zhangsan
New password: #password 123456
Re-type new password: #confirm the password 123456
Adding password for user zhangsan
[root@localhost ~]# cd /usr/local/nginx/
[root@localhost nginx]# cat passwd.db
[root@localhost nginx]# htpasswd ./passwd.db lisi
[root@localhost nginx]# cat passwd.db
[root@localhost nginx]# pwd
#restrict the permissions: the file is read by the worker processes, which run as the nginx user, so that user needs read access and nobody else does
[root@localhost nginx]# chown nginx passwd.db
[root@localhost nginx]# chmod 400 passwd.db
vim /usr/local/nginx/conf/nginx.conf #edit the configuration file
location /abc {
root /var/www;
index index.html;
auth_basic "Hello sir";
auth_basic_user_file /usr/local/nginx/passwd.db;
}
[root@localhost nginx]# nginx -t #check the syntax
[root@localhost nginx]# systemctl restart nginx
Two caveats: htpasswd hashes with apr1 (MD5-based) by default, so prefer htpasswd -B (bcrypt) where the system crypt library supports it and use a stronger password than 123456; and HTTP basic authentication only base64-encodes the credentials, so it protects nothing unless the site is served over HTTPS.
6. Client-based access control
The access control rules are as follows:
deny IP/IP segment: deny access from a given IP address or network.
allow IP/IP segment: allow access from a given IP address or network.
The rules are evaluated from top to bottom; the first rule that matches the client address wins and the remaining rules are not checked, so the catch-all deny all must come last.
vim /usr/local/nginx/conf/nginx.conf
location /state {
stub_status on;
access_log off;
allow 127.0.0.1; #allow the local host
allow 192.168.154.11; #allow the host 192.168.154.11
deny all; #deny every other host
}
systemctl restart nginx
Testing from a virtual machine with IP address 192.168.154.11 succeeded.
Testing from a virtual machine with IP address 192.168.154.12 failed with 403 Forbidden, since it falls under deny all. Note that nginx matches on the source address of the TCP connection, so behind a proxy or load balancer every client would appear as the proxy's address.
7. Nginx virtual host based on domain name
Prepare the web documents for the virtual hosts (the /var/www/abc and /var/www/123 directories created above can be reused)
Modify the configuration file of Nginx
vim /usr/local/nginx/conf/nginx.conf
server {
listen 80;
server_name www.accp.com;
charset utf-8;
access_log logs/accp.com-access.log;
location / {
root /var/www/abc;
index index.html index.htm;
}
}
In vim, :35,55 co 80 copies the server block (lines 35 to 55 in the author's file) to after line 80; change server_name, access_log and root in the copy for the second site, and make sure each copied block ends with its own closing brace. Name-based virtual hosts are selected by the Host header, so the test machines need DNS or a hosts-file entry mapping each domain to the server's IP, and a request whose Host matches no server_name is served by the first server block listed for that port (or the one marked default_server).
Tested on Windows
Tested under Linux system
8. Nginx virtual host based on IP address
vim /usr/local/nginx/conf/nginx.conf #edit the configuration file: give the host a second address, then set listen to a specific address in each server block (for example listen 192.168.154.10:80; in one and the host's second address in the other) so the virtual host is chosen by the destination address rather than the Host header
9. Nginx virtual host based on port
vim /usr/local/nginx/conf/nginx.conf #edit the configuration file: keep the same address but use a different port in each server block's listen directive (for example listen 80; and listen 8080;); remember to open the extra port in the firewall if it is running
SSH log inspection (/var/log/secure)
cd /var/log/
vim secure #sshd writes its authentication messages here (Accepted / Failed password for <user> from <ip>)
If an unfamiliar IP address shows up repeatedly trying and failing to log in, the machine is probably being brute-forced.
Solution: write a script that counts failed logins per source IP and, once an unfamiliar IP exceeds a threshold, adds it to a blacklist (a firewall rule or an nginx deny list) so that it can no longer reach the machine.
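The following is an added example, not part of the original post, of the script the text describes: it counts "Failed password" lines per source IP in /var/log/secure-style output and emits blacklist entries for the offenders. Because one of its outputs is a set of nginx deny directives, it also serves the client-based access control section above, where the same deny rules were written by hand. The log lines in SAMPLE_SECURE are constructed for the demo, the threshold of 3 is an arbitrary choice, and the firewall commands are only printed, never executed.

```bash
#!/bin/bash
# Added example (not from the original post): find SSH brute-force sources in
# /var/log/secure and turn them into blacklist entries.
# The log lines below are constructed for the demo, not real data.
SAMPLE_SECURE='Mar  3 10:01:12 localhost sshd[2201]: Failed password for root from 192.168.154.12 port 51234 ssh2
Mar  3 10:01:15 localhost sshd[2201]: Failed password for root from 192.168.154.12 port 51235 ssh2
Mar  3 10:01:18 localhost sshd[2203]: Failed password for invalid user admin from 192.168.154.12 port 51236 ssh2
Mar  3 10:01:20 localhost sshd[2205]: Failed password for root from 192.168.154.12 port 51237 ssh2
Mar  3 10:02:01 localhost sshd[2210]: Accepted password for root from 192.168.154.11 port 50000 ssh2
Mar  3 10:02:30 localhost sshd[2212]: Failed password for root from 192.168.154.11 port 50001 ssh2'

# failed_by_ip LOGFILE -> "count ip" per source address, most failures first.
# Only sshd "Failed password" lines count; "Accepted" lines are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' "$1" | sort -rn
}

# attackers LOGFILE THRESHOLD -> addresses with at least THRESHOLD failures
attackers() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# nginx_deny_rules LOGFILE THRESHOLD -> "deny IP;" lines, ready to be written
# to a file that an nginx server or location block pulls in with include
nginx_deny_rules() {
    attackers "$1" "$2" | awk '{ print "deny " $1 ";" }'
}

# firewall_cmds LOGFILE THRESHOLD -> iptables commands that drop each attacker.
# They are printed, not run: review the list before applying it, so a
# legitimate host that mistyped its password a few times is not locked out.
firewall_cmds() {
    attackers "$1" "$2" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Demo run against the constructed sample; use /var/log/secure on a real host.
log=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE" > "$log"
echo "Failed logins per source IP:"
failed_by_ip "$log"
echo "Blacklist (3 or more failures):"
nginx_deny_rules "$log" 3
firewall_cmds "$log" 3
rm -f "$log"
```

On the sample, 192.168.154.12 has four failures and is listed, while 192.168.154.11 has one failure next to a successful login and is not. Run it from cron against /var/log/secure (auth.log on Debian-family systems) and feed the deny lines into a file included by nginx, or pipe the iptables lines to sh once they have been reviewed; a host that legitimately administers the box should be on an allow list before any automatic blocking is enabled.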