[Basic articles] nginx proxy, dynamic and static separation, path rewriting, high availability and https configuration

Table of contents

forward proxy

reverse proxy

load balancing

load balancing strategy

static and dynamic separation

alias and root 

UrlRewrite (resource path rewriting)

Anti-leech configuration  

High availability configuration

Https certificate configuration

Install BBS (the originator of the open source world)


forward proxy

The client knows the proxy exists and sits on the same side of the network as it: the browser is configured to send its requests to the proxy, and the destination server only ever sees the proxy. Example: workstations inside a company reach the Internet through a proxy server (nginx).

reverse proxy

The client does not know nginx exists; nginx sits on the server side, accepts the request in place of the backend and forwards it on.

Because every request and response passes through nginx, it is the bottleneck: the capacity of the nginx host limits the whole service, and its configuration is also the one place where a mistake exposes every backend behind it.

load balancing

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # backend pool; the name is what proxy_pass refers to below
    upstream httpd {
        server 192.168.23.101:80;
        server 192.168.23.102:80;
    }

    server {
        listen       80;
        server_name  localhost;

        location / {
            proxy_pass http://httpd;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

load balancing strategy

polling (round-robin)
The default: requests are handed to the servers in the pool one after another, in turn. Suitable for stateless requests.

weight
Sets the share of requests a server receives; the share is proportional to the weight. Used when the backend servers have uneven capacity.
upstream httpd {
    server 127.0.0.1:8050 weight=10 down;    # temporarily taken out of rotation
    server 127.0.0.1:8060 weight=1;
    server 127.0.0.1:8060 weight=1 backup;   # the page repeats the address; in practice the backup is a separate host
}
  • down: the server is temporarily excluded from load balancing.
  • weight: default 1; the larger the value, the larger the share of requests.
  • backup: receives requests only when every non-backup server is down or unavailable.

ip_hash
Requests from the same client IP always go to the same server, so a session stays on one backend. nginx keys on the first three octets of an IPv4 address, and when nginx itself sits behind another proxy or a NAT every client arrives from one source address, so the whole load lands on a single backend.

least_conn
Send each request to the server with the fewest active connections.

url_hash
Route by the requested URL so the same URL always reaches the same server. Stock nginx provides this as hash $request_uri; the url_hash name comes from an older third-party module.

fair
Route by backend response time. This is a third-party module (nginx-upstream-fair), not part of stock nginx.
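To make weight, down, backup and ip_hash concrete, here is an added example in Python that is not from the original post: it models the smooth weighted round-robin nginx uses for weighted polling, the fallback to backup servers, and a simplified ip_hash keyed on the first three octets. The addresses reuse the page's loopback examples; the weights, the extra backends and the client IPs are constructed for the demonstration.

```python
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class Upstream:
    addr: str
    weight: int = 1
    down: bool = False
    backup: bool = False
    current: int = 0  # running counter used by smooth weighted round-robin


def live_pool(servers):
    """Primary servers that are not down; if none is left, the backup servers."""
    primaries = [s for s in servers if not s.down and not s.backup]
    return primaries or [s for s in servers if not s.down and s.backup]


def pick_round_robin(servers):
    """Smooth weighted round-robin, the algorithm behind nginx's weighted
    polling: each call adds every live server's weight to its counter, picks
    the highest counter, then subtracts the pool's total weight from the
    winner. Over one cycle of total_weight requests each server is chosen
    exactly `weight` times, spread out instead of in one burst."""
    pool = live_pool(servers)
    if not pool:
        return None  # nothing left to send to; nginx would answer 502
    total = sum(s.weight for s in pool)
    for s in pool:
        s.current += s.weight
    best = max(pool, key=lambda s: s.current)
    best.current -= total
    return best.addr


def pick_ip_hash(servers, client_ip):
    """ip_hash keys on the first three octets of an IPv4 address, so a whole
    /24, and every client behind one NAT or upstream proxy, maps to a single
    backend. nginx uses its own hash function and honours weights; crc32 and
    equal weights are used here only to keep the bucketing deterministic.
    nginx does not allow backup servers together with ip_hash."""
    pool = [s for s in servers if not s.down and not s.backup]
    key = ".".join(client_ip.split(".")[:3]).encode()
    return pool[zlib.crc32(key) % len(pool)].addr


def distribution(servers, requests):
    """How many of `requests` consecutive picks each server receives."""
    return Counter(pick_round_robin(servers) for _ in range(requests))


if __name__ == "__main__":
    # constructed pool: the page's two addresses, both up, weights 10 and 1
    pool = [Upstream("127.0.0.1:8050", weight=10), Upstream("127.0.0.1:8060", weight=1)]
    print("weights 10:1 over 11 requests:", dict(distribution(pool, 11)))
    # every primary down: only the backup answers
    with_backup = [Upstream("127.0.0.1:8050", down=True), Upstream("backup-host:80", backup=True)]
    print("primaries down:", pick_round_robin(with_backup))
    hashed = [Upstream("a"), Upstream("b"), Upstream("c")]
    print("same /24 -> same backend:",
          pick_ip_hash(hashed, "10.0.1.5") == pick_ip_hash(hashed, "10.0.1.200"))
```

Run it and the 10:1 pool yields ten picks of 8050 and one of 8060 per eleven requests, with the single 8060 pick in the middle of the cycle rather than at the end.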

static and dynamic separation

Suppose a Tomcat instance is running and nginx reverse-proxies it. Static resources (CSS, images, scripts) are requested far more often than dynamic pages, so serving them straight from the nginx host instead of passing them on to Tomcat makes them much faster and takes load off the application server.

Add one location per static directory:
location /css {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
location /images {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
location /js {
    root /usr/local/nginx/static;
    index index.html index.htm;
}

A regular expression can cover all three directories with a single location.

location modifiers
  • (none) prefix match; / matches every request because every URI starts with it.
  • = exact match: the URI must be equal to the pattern.
  • ~ regular-expression match, case-sensitive.
  • ~* regular-expression match, case-insensitive.
  • ^~ prefix match that, when it is the longest matching prefix, is used without evaluating any regular expression.
location ~* ^/(css|images|js)/ {
    root /usr/local/nginx/static;
    index index.html index.htm;
}
The expression is anchored with ^ and uses images to match the directory above (the page wrote /(css|img|js) without an anchor). An unanchored expression matches those names anywhere in the URI, for example /api/v1/js/..., and would divert requests meant for the backend to the static directory.

location matching order
  • "=" locations are checked first; an exact hit ends the search.
  • Then every prefix location is checked and the longest match is remembered; if that one was declared with "^~", it is used and no regular expression is tried.
  • Otherwise the regular-expression locations are tried in the order they appear in the file, and the first match wins; later ones are not tested.
  • If no regular expression matches, the longest plain prefix remembered earlier is used.
  • Precedence, therefore: "=" > "^~" > regular expression (in file order) > longest plain prefix. A regular expression is only anchored if it starts with "^"; otherwise it matches the pattern anywhere in the URI.

alias and root

location /css {
    alias /usr/local/nginx/static/css;
    index index.html index.htm;
}
root sets the document root and nginx appends the whole request URI to it; alias replaces the part of the URI matched by the location with the alias path, so the location prefix itself is not added.
1 ) The directory given to alias is the exact one: files under the location's path are looked up directly inside the alias directory.
2 ) The directory given to root is the parent: the location's path must exist as a subdirectory of root (here /usr/local/nginx/static/css).
3 ) The author notes that rewrite ... break does not work inside a location that uses alias, without giving a reason. Because alias is a textual substitution, the location prefix and the alias path must agree on the trailing "/": either both end with one or neither does.
4 ) When the location prefix has no trailing "/" (as above), requests with or without a "/" after the prefix both work, and nginx adds the "/" itself when it serves the directory. When the location is written with a trailing "/", the request must carry it too; nginx does not add it, and a request without it does not match this location at all.
5 ) With root, a trailing "/" on the location makes no difference to access.

Mismatching the two is a classic nginx misconfiguration: with location /css (no slash) and alias /usr/local/nginx/static/css/ (with slash), a request for /css../secret.txt still matches the prefix and becomes /usr/local/nginx/static/css/../secret.txt, one directory above the intended one. nginx's own normalization of ".." segments in the request line does not catch it, because "css.." is an ordinary path segment; the ".." only appears after the alias substitution. Write both with or both without the slash (or use root) and such a request no longer matches.
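An added example, not part of the original page, that models the location selection order and the root/alias mapping described above in Python and runs it over the page's own static locations. The Tomcat-proxied / location is stood in for by a document root (the html root path is an assumption), the request URIs and the secret.txt file are constructed, and the three alias variants at the end show why the location prefix and the alias path must agree on the trailing slash.

```python
import posixpath
import re
from dataclasses import dataclass

STATIC = "/usr/local/nginx/static"   # the page's static directory
HTML = "/usr/local/nginx/html"       # assumed absolute path of nginx's html root


@dataclass
class Location:
    modifier: str       # "" (plain prefix), "=", "^~", "~", "~*"
    pattern: str
    root: str = ""      # root-style mapping: root + whole URI
    alias: str = ""     # alias-style mapping: alias + (URI minus the prefix)


def normalize_uri(uri):
    """nginx resolves '.' and '..' segments while parsing the request line,
    so '/css../../x' becomes '/x'. A segment such as 'css..' is an ordinary
    name and survives; the alias example below depends on that."""
    norm = posixpath.normpath(uri)
    return norm + "/" if uri.endswith("/") and norm != "/" else norm


def select_location(locations, uri):
    """The order nginx uses: an exact '=' match wins at once; otherwise the
    longest matching prefix is remembered, and used immediately if declared
    with '^~'; otherwise regex locations are tried in file order and the
    first hit wins; otherwise the remembered prefix is used."""
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best


def map_to_file(loc, uri):
    """root appends the whole URI to the directory; alias replaces the matched
    prefix with the alias text. alias is modelled for prefix locations only."""
    if loc.alias and loc.modifier in ("", "^~"):
        return posixpath.normpath(loc.alias + uri[len(loc.pattern):])
    return posixpath.normpath(loc.root + uri)


def resolve(locations, raw_uri):
    """(pattern of the chosen location, file path), or (None, None)."""
    uri = normalize_uri(raw_uri)
    loc = select_location(locations, uri)
    if loc is None:
        return None, None
    return loc.pattern, map_to_file(loc, uri)


def escapes(path, jail):
    """True when the mapped file lies outside the directory meant to be served."""
    jail = jail.rstrip("/")
    return not (path == jail or path.startswith(jail + "/"))


# 1. The page's static locations plus its unanchored regex, as written.
PAGE = [
    Location("", "/", root=HTML),   # proxied to Tomcat on the page; a root stands in here
    Location("", "/css", root=STATIC),
    Location("", "/images", root=STATIC),
    Location("", "/js", root=STATIC),
    Location("~*", "/(css|img|js)", root=STATIC),
    Location("=", "/50x.html", root=HTML),
]
# 2. The same configuration with the regex anchored to the start of the URI.
ANCHORED = [Location("~*", "^/(css|images|js)/", root=STATIC) if loc.modifier == "~*" else loc
            for loc in PAGE]
# 3. alias variants: location without "/" plus alias with "/" is the dangerous pair.
VULNERABLE = [Location("", "/css", alias=STATIC + "/css/")]
FIXED = [Location("", "/css/", alias=STATIC + "/css/")]
ROOT_STYLE = [Location("", "/css", root=STATIC)]

if __name__ == "__main__":
    for uri in ("/50x.html", "/css/site.css", "/api/v1/js/app.js"):
        print(uri, "->", resolve(PAGE, uri), "| anchored:", resolve(ANCHORED, uri))
    for name, conf in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("root", ROOT_STYLE)):
        print(name, "/css../secret.txt ->", resolve(conf, "/css../secret.txt"))
```

With the page's unanchored regex, /api/v1/js/app.js is captured by the static location instead of reaching the proxied /; with the anchored one it falls back to /. In the alias set, only the mismatched pair lets /css../secret.txt resolve to /usr/local/nginx/static/secret.txt.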

UrlRewrite (resource path rewriting)

rewrite is the directive that implements URL rewriting: if the request URI matches regex, the URI is replaced by replacement, and the flag decides what happens after the substitution.
rewrite <regex> <replacement> [flag];
  • keyword: rewrite, fixed
  • regex: a PCRE (Perl-compatible) regular expression matched against the request URI
  • replacement: the new URI; $1, $2, ... refer to the capture groups of regex
  • flag: optional, one of the values below
Contexts in which rewrite may appear:
server, location, if
Flag descriptions:
  • last: stop processing the current set of rewrite directives and start a new location search for the rewritten URI
  • break: stop processing rewrite directives and keep handling the request in the current location, with no new location search
  • redirect: return a 302 temporary redirect; the browser's address bar shows the new URL
  • permanent: return a 301 permanent redirect; the browser's address bar shows the new URL

example

rewrite ^/([0-9]+)\.html$ /index.jsp?pageNum=$1 break;

Access: http://192.168.23.100/3.html

The URI actually served is: http://192.168.23.100/index.jsp?pageNum=3
With break the rewrite is internal, so the browser keeps showing /3.html. The "." before html is escaped; unescaped it would also match 3xhtml.

Anti-leech (hotlink protection) configuration

valid_referers none | blocked | server_names | string ...;
  • none: the Referer header is absent from the request.
  • blocked: the Referer header is present but was stripped or rewritten by a firewall or proxy, so its value does not start with "http://" or "https://".
  • server_names: the Referer host is one of the names listed in this server's server_name directive.
  • string: an explicit host name, optionally with a leading or trailing "*" wildcard (for example *.example.com) and a URI prefix.
Configure it inside the location that needs protection:
valid_referers 192.168.44.101;
if ($invalid_referer) {
    return 403;
}
Only the site's own host is listed here, so a request with no Referer at all is rejected too; add none (and usually blocked) if opening an image directly should still work.

Test with curl
curl -I http://192.168.44.101/img/logo.png
with a Referer header (-e)
curl -e "http://baidu.com" -I http://192.168.44.101/img/logo.png
Both requests get 403 with the configuration above: the first carries no Referer, the second one that is not on the list, while -e "http://192.168.44.101/" is accepted. That same option shows the limit of the technique: the Referer is set by the client, so this deters casual hotlinking but is not access control.
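The decision behind $invalid_referer, as an added example in Python that is not from the page: it replays the two curl calls above against the page's valid_referers line and against a relaxed list that includes none and blocked. The wildcard hosts, URI-prefix token and server_name values are constructed; nginx's real matcher also accepts "~" regular expressions, which this model leaves out.

```python
import fnmatch
from urllib.parse import urlsplit


def referer_is_valid(referer, allowed, server_names=()):
    """allowed: the tokens written after valid_referers, e.g.
    ["none", "blocked", "server_names", "192.168.44.101", "*.example.com"].
    referer: the raw Referer header value, or None when the header is absent.
    server_names: the server_name directive's names, consulted only when the
    'server_names' token is present."""
    if referer is None:
        return "none" in allowed
    lowered = referer.strip().lower()
    if not lowered.startswith(("http://", "https://")):
        # header present but stripped or mangled by a proxy or firewall
        return "blocked" in allowed
    parts = urlsplit(lowered)
    host, path = parts.hostname or "", parts.path or "/"
    names = [n.lower() for n in server_names] if "server_names" in allowed else []
    names += [t.lower() for t in allowed if t not in ("none", "blocked", "server_names")]
    for name in names:
        # a token may carry a URI prefix after the host, e.g. example.com/img/
        name_host, _, name_path = name.partition("/")
        # nginx allows a leading or trailing '*' in the host; fnmatch covers that
        if fnmatch.fnmatchcase(host, name_host) and path.startswith("/" + name_path):
            return True
    return False


def status_for(referer, allowed, server_names=()):
    """What the page's `if ($invalid_referer) { return 403; }` would answer."""
    return 200 if referer_is_valid(referer, allowed, server_names) else 403


PAGE_RULE = ["192.168.44.101"]                    # exactly what the page configures
RELAXED = ["none", "blocked", "192.168.44.101"]   # also admits direct visits

if __name__ == "__main__":
    # the two curl invocations from the page
    print("no Referer:         ", status_for(None, PAGE_RULE))
    print("Referer baidu.com:  ", status_for("http://baidu.com", PAGE_RULE))
    print("no Referer, relaxed:", status_for(None, RELAXED))
    # the check trusts whatever the client sends; curl -e forges it in one flag
    print("forged own host:    ", status_for("http://192.168.44.101/", PAGE_RULE))
```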

High availability configuration

Using keepalived is a relatively simple way to keep an nginx pair highly available. After installing keepalived and configuring keepalived.conf, clients connect to a virtual IP (VIP); when the master's nginx host goes down, the backup takes over the VIP.

Installation method 1: compile and install
download link
https://www.keepalived.org/download.html#
Run ./configure, then make and make install.
If this error appears
configure: error:
!!! OpenSSL is not properly installed on your system. !!!
!!! Can not include OpenSSL headers files. !!!
install the dependency
yum install openssl-devel
Installation method 2: yum
yum install keepalived
configuration
After installing with yum, the configuration file is
/etc/keepalived/keepalived.conf
minimum configuration
first machine
! Configuration File for keepalived

global_defs {
   router_id lb100
}

vrrp_instance atguigu {
    state MASTER          # BACKUP on the backup server
    interface ens33       # name of the network interface
    virtual_router_id 51  # must be identical on master and backup
    priority 100          # master gets the higher value, backup the lower one
    advert_int 1          # seconds between heartbeats
    authentication {
        auth_type PASS
        auth_pass 1111    # sent in cleartext in every VRRP packet; restrict VRRP (IP protocol 112) to the two hosts with a firewall
    }
    virtual_ipaddress {
        192.168.44.200    # the VIP; must be the same on both machines
    }
}

second machine

! Configuration File for keepalived
global_defs {
    router_id lb110
}
vrrp_instance atguigu {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.44.200
    }
}
start service
systemctl start keepalived

Now ip addr on the first machine shows the virtual IP 192.168.44.200 on ens33, and the second machine does not. Shut the first machine down to simulate nginx going offline, and the virtual IP appears on the second machine.

[Screenshots: ip addr on hadoop100 (master) and hadoop101 (backup) before failover; then, after manually stopping the nginx and keepalived services on hadoop100, ip addr on hadoop100 and hadoop101 again, with the VIP now on hadoop101.]
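The failover test above stopped both nginx and keepalived on hadoop100. Had only nginx stopped, the VIP would have stayed put, because keepalived by default tracks the peer's VRRP heartbeats, not the web server. The added example below (not from the page) is a check script for keepalived's vrrp_script that closes that gap; the keepalived.conf additions in its docstring, the install path, the pid-file path (nginx's default for a source build) and the probe URL are assumptions.

```python
#!/usr/bin/env python3
"""check_nginx.py: nginx liveness probe for keepalived's vrrp_script.

Exit 0 while nginx is alive, 1 otherwise. Assumed keepalived.conf additions
(the page's priorities are 100 on the master and 50 on the backup):

    vrrp_script chk_nginx {
        script "/usr/local/bin/check_nginx.py"   # assumed path; root-owned, mode 755
        interval 2      # run every 2 s
        fall 2          # two failures mark the script down
        rise 2          # two successes mark it up again
        weight -60      # 100 - 60 = 40, below the backup's 50, so the VIP moves
    }
    vrrp_instance atguigu {
        ...
        track_script {
            chk_nginx
        }
    }
"""
import os
import sys
import urllib.error
import urllib.request

PIDFILE = "/usr/local/nginx/logs/nginx.pid"   # default pid file of a source-built nginx
PROBE_URL = "http://127.0.0.1/"               # assumed local listener to probe


def read_pid(pidfile):
    """PID from nginx's pid file, or None if the file is missing or garbled."""
    try:
        with open(pidfile) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def process_alive(pid):
    """Signal 0 tests for existence without touching the process."""
    if pid is None or pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True        # exists but owned by another user (the nginx master runs as root)
    return True


def nginx_alive(pidfile=PIDFILE):
    """The master process recorded in the pid file is running. A stale pid
    file whose number was reused by another process would fool this check,
    which is why the HTTP probe below is run as well."""
    return process_alive(read_pid(pidfile))


def http_alive(url=PROBE_URL, timeout=2):
    """Stronger check: nginx answers HTTP at all. Any status below 500 counts,
    since a 4xx still proves the listener is up; 5xx or no answer does not."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 500
    except urllib.error.HTTPError as err:
        return err.code < 500
    except (urllib.error.URLError, OSError):
        return False


if __name__ == "__main__":
    # pid file first (cheap, catches a crashed master), HTTP probe second
    sys.exit(0 if nginx_alive() and http_alive() else 1)
```

Install the script owned by root and not writable by group or others (recent keepalived versions refuse to run scripts that are), then test by stopping only nginx on the master while watching ip addr on both hosts: the VIP should move after fall × interval seconds, and move back once nginx is started and the script rises again.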

Https certificate configuration

insecure http protocol

HTTP carries requests and responses in plaintext. The author's analogy is a symmetric cipher such as the Caesar cipher: if client and server each held one fixed key for encryption and decryption, the scheme would be both inflexible (every client needs the key in advance) and insecure (anyone who learns the key reads everything). HTTPS instead authenticates the server with a certificate and negotiates a fresh key for every session.

openssl
openssl consists of the SSL/TLS protocol library, the command-line application and the cryptographic algorithm library.
Convert insecure http to secure https
Point the newly purchased domain name at the newly purchased host.

Visiting over the domain name now shows an insecure connection.

A request over https:// is refused at this point, because nginx is not yet listening on port 443.

First apply for an SSL certificate; here we choose Alibaba Cloud.

After it is issued, download the nginx version of the certificate.

Put the certificate and key in nginx's conf directory and add the configuration to nginx.conf; file names given without a path are resolved relative to that conf directory.

  server {
    listen 443 ssl;
    server_name localhost;                   # should be the domain the certificate was issued for

    ssl_certificate     <certificate>.pem;   # certificate chain downloaded from the CA
    ssl_certificate_key <certificate>.key;   # private key: mode 600, owned by root, never inside the web root
  }

Run nginx -t, restart nginx (systemctl restart nginx) and open the site over https://; the browser now shows it as secure. Also limit ssl_protocols to TLSv1.2 and TLSv1.3, and keep a server on port 80 that only returns a 301 to https://, so the plaintext site is not served alongside the secure one.

Install BBS (the originator of the open source world)

Put the installation package in the html directory

Unpack it in the html directory with unzip Discuz_X3.4_SC_UTF8_20220131.zip

Then open bbs/install through the domain name to run the installer. Once installation finishes, remove the install directory (or deny it in nginx) and delete the zip file from the web root, so neither can be reached by visitors.

Origin blog.csdn.net/m0_62946761/article/details/130444478