Table of contents
UrlRewrite (resource path rewriting)
High availability configuration
Https certificate configuration
Install BBS (the originator of the open source world)
forward proxy
The user knows that the nginx server exists, and the proxy sits on the user's side of the network. For example, computers inside a company connect to the external network through a proxy server (nginx).
reverse proxy
Users do not know that nginx exists; nginx sits on the same side as the servers it fronts.
This creates a performance bottleneck: all data passes through nginx, so the performance of the nginx server is critical.
load balancing
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream httpsd {
        server 192.168.23.101:80;
        server 192.168.23.102:80;
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            proxy_pass http://httpsd;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
load balancing strategy
upstream httpd {
    server 127.0.0.1:8050 weight=10 down;
    server 127.0.0.1:8060 weight=1;
    server 127.0.0.1:8060 weight=1 backup;
}
- down: the server temporarily does not take part in load balancing.
- weight: the default is 1. The larger the weight, the larger the share of requests the server receives.
- backup: the backup machine receives requests only when all non-backup machines are down or busy.
static and dynamic separation
Suppose there is a Tomcat server with nginx acting as a reverse proxy in front of it. Static resources are usually requested more frequently, so placing them directly on the nginx server makes access much faster.
location /css {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
location /images {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
location /js {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
Here you can also match with a regular expression, so only one location block needs to be written. The location modifiers are:
- / : universal match; any request matches.
- = : exact match; the URI must equal the pattern, not merely start with it.
- ~ : regular-expression match, case sensitive.
- ~* : regular-expression match, case insensitive.
- ^~ : non-regular match; matches a URI beginning with the specified pattern.
location ~* /(css|img|js) {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
- Multiple regular-expression locations are tried in the order they are written; matching stops at the first success.
- Ordinary (non-regular) locations are all compared, and the one with the longest matching prefix is chosen (maximum prefix match).
- When an ordinary location and a regular-expression location both exist, a successful regular-expression match takes precedence and the ordinary match is not used.
- When all types of location exist, the priority is: "=" match > "^~" match > regular-expression match > ordinary (maximum prefix) match.
alias and root
location /css {
    alias /usr/local/nginx/static/css;
    index index.html index.htm;
}
UrlRewrite (resource path rewriting)
- last: after this rule matches, stop processing the current rewrite rules and search for a location matching the new URI.
- break: stop at this rule when it matches; no subsequent rewrite rules are applied.
- redirect: return a 302 temporary redirect; the browser address bar shows the redirected URL.
- permanent: return a 301 permanent redirect; the browser address bar shows the redirected URL.
example
rewrite ^/([0-9]+)\.html$ /index.jsp?pageNum=$1 break;
Request: http://192.168.23.100/3.html
The URI actually served is: http://192.168.23.100/index.jsp?pageNum=3
Anti-leech configuration
valid_referers none | blocked | server_names | strings ....;
- none: matches when the Referer header field is absent.
- blocked: matches when the value of the Referer header field has been deleted or disguised by a firewall or proxy server. In this case, the value of the header field does not start with "http://" or "https://".
- server_names: set one or more URLs and check whether the value of the Referer header field is one of them.
valid_referers 192.168.44.101;
if ($invalid_referer) {
    return 403;
}
curl -I http://192.168.44.101/img/logo.png
curl -e "http://baidu.com" -I http://192.168.44.101/img/logo.png
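How the valid_referers line above treats the two curl requests can be modelled as follows. This is an added example, not nginx's own code; it assumes only exact host names and leading "*." wildcards (no regular expressions or URI prefixes), and the 200/403 statuses assume the image exists.

```python
import re

def invalid_referer(referer, allow_none, allow_blocked, names):
    """Model of $invalid_referer: True means the request is rejected.

    referer: the Referer header value, or None when the header is absent.
    names:   host names listed in valid_referers ("*.example.com" allowed).
    """
    if referer is None:                       # header absent: the "none" case
        return not allow_none
    m = re.match(r"(?i)https?://([^/:]*)", referer)
    if m is None:                             # no http(s):// scheme: "blocked"
        return not allow_blocked
    host = m.group(1).lower()                 # host part, without port or path
    for name in names:
        if name.startswith("*."):
            if host.endswith(name[1:]):       # matches sub.example.com only
                return False
        elif host == name.lower():
            return False
    return True

# The page's directive, and the same directive with "none" added (constructed).
PAGE_CONFIG = dict(allow_none=False, allow_blocked=False, names=["192.168.44.101"])
WITH_NONE = dict(allow_none=True, allow_blocked=False, names=["192.168.44.101"])

def check(referer, cfg):
    """Status the 'if ($invalid_referer) { return 403; }' block would produce."""
    return 403 if invalid_referer(referer, **cfg) else 200

if __name__ == "__main__":
    print("no Referer, page config:", check(None, PAGE_CONFIG))
    print("no Referer, with none:  ", check(None, WITH_NONE))
    print("baidu.com, page config: ", check("http://baidu.com", PAGE_CONFIG))
```

With the directive exactly as written on the page, the first curl command (no Referer) is also rejected, because none is not listed. The Referer header is supplied by the client, so this check limits hotlinking from other sites' pages and is not an access control.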
High availability configuration
Using keepalived to maintain high availability of the nginx cluster is a relatively simple approach. After installing keepalived and configuring keepalived.conf, clients access a virtual IP. When the master nginx host goes down, the backup takes over.
https://www.keepalived.org/download.html#
configure: error:!!! OpenSSL is not properly installed on your system. !!!!!! Can not include OpenSSL headers files. !!!
yum install openssl-devel
yum install keepalived
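! Configuration File for keepalived
global_defs {
    router_id lb100
}
vrrp_instance atguigu {
    state MASTER            # on the backup server this is BACKUP
    interface ens33         # name of the network interface
    virtual_router_id 51    # must be the same on master and backup
    priority 100            # master and backup use different priorities; the master's value is higher, the backup's lower
    advert_int 1            # interval between heartbeats, in seconds
    authentication {
        auth_type PASS
        auth_pass 1111      # shared password; must match on both machines
    }
    virtual_ipaddress {
        192.168.44.200      # same virtual IP as on the backup machine
    }
}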
second machine
! Configuration File for keepalived
global_defs {
    router_id lb110
}
vrrp_instance atguigu {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.44.200
    }
}
systemctl start keepalived
At this point, running ip addr on the first machine shows the virtual IP 192.168.44.200 under ens33, while the second machine does not have it. After shutting down the first machine to simulate nginx going offline, the virtual IP appears on the second machine as well.
[Screenshots: hadoop100, hadoop101]
Manually stop the nginx service and the keepalived service on hadoop100.
[Screenshots at this time: hadoop100, hadoop101]
Https certificate configuration
insecure http protocol
With a symmetric encryption algorithm (for example, the Caesar cipher), the client and the server each hold a specific, unchanging key used for both encryption and decryption, which is inflexible and insecure.
When the site is accessed through a domain name, the browser shows an insecure connection.
At this point, a request to the https:// domain name is refused by the website.
First apply for an SSL certificate, here we choose Alibaba Cloud
Download the certificate of nginx after issuing it
Put the certificate in nginx's conf directory and add the following configuration to nginx.conf; the certificate files are looked up in the conf directory automatically.
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate pem file name;        # replace with the name of the .pem file
    ssl_certificate_key key file name;    # replace with the name of the .key file
}
Restart nginx.service and access the site through the https:// domain name. The browser now shows the site as secure.
Install BBS (the originator of the open source world)
Put the installation package in the html directory
Extract it in the html directory with unzip Discuz_X3.4_SC_UTF8_20220131.zip
Then visit bbs/install through the domain name to install