Summary of common technical points for Nginx operation and maintenance

1. Introduction:

1. Introduction to Nginx

Nginx is a free and open source web server project, commonly used as a web server, reverse proxy server, and load balancing server. The features are as follows:

  • Free and open source: free to use, with the source code available.
  • Lightweight and modular: uses little memory, ships with only the core modules, needs no full installation and supports third-party modules.
  • High performance: Nginx handles high concurrency.
  • Hot deployment: upgrade or add modules without restarting the web server.

2. Four commonly used distributions

Nginx open source version official website:

Nginx plus commercial version official website:

Openresty official website:

Tengine official website:

Openresty: a high-performance web platform based on Nginx and Lua that bundles a large number of high-quality Lua libraries, third-party modules and most of their dependencies.

Tengine: a web server project started by Taobao; based on Nginx, it adds many advanced features for the needs of high-traffic websites.

2. Nginx compilation and installation

1. Nginx compilation and installation

1. Install the build dependencies

yum -y install pcre-devel pcre gcc gcc-c++ zlib zlib-devel openssl openssl-devel

# gcc: C compiler; nginx is written in C, so a C toolchain is needed
# pcre: regular expression support
# openssl: HTTPS (TLS) support
# zlib: gzip compression support

2. Compile and install

wget http://nginx.org/download/nginx-1.18.0.tar.gz

tar xf nginx-1.18.0.tar.gz -C /usr/src/
cd /usr/src/nginx-1.18.0/

./configure --prefix=/usr/local/nginx --with-http_ssl_module 
make && make install

3. Start

cd /usr/local/nginx/sbin/
./nginx

netstat -anput | grep 80

4. Firewall settings

firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-service=http --add-service=https --permanent 
firewall-cmd --reload 

5. Verification

Open the server's IP address in a browser.

2. Nginx directory structure

/usr/local/nginx                 # installation directory
/usr/local/nginx/sbin            # main program directory
/usr/local/nginx/sbin/nginx      # the server binary
/usr/local/nginx/conf            # main configuration directory
/usr/local/nginx/logs/           # log directory
/usr/local/nginx/logs/nginx.pid  # pid file
/usr/local/nginx/logs/error.log  # error log
/usr/local/nginx/logs/access.log # access log

3. Nginx related commands

/usr/local/nginx/sbin/nginx             # start nginx
/usr/local/nginx/sbin/nginx -v          # lowercase v: show the nginx version
/usr/local/nginx/sbin/nginx -V          # uppercase V: show the version plus the configure arguments
/usr/local/nginx/sbin/nginx -t          # check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload   # reload the configuration
/usr/local/nginx/sbin/nginx -s quit     # stop nginx gracefully
/usr/local/nginx/sbin/nginx -s stop     # stop nginx immediately

The difference between quit and stop:

  • quit: stops a running nginx gracefully. The quit signal does not stop the service at once: nginx first stops accepting new requests, then exits after the connections already accepted have been processed. This is called a "graceful stop".
  • stop: stops a running nginx quickly. The stop signal terminates the service immediately. This is called a "forced stop".

3. Nginx configuration file analysis

1. Minimum configuration

Strip comment lines and blank lines from the Nginx configuration file (-r enables extended regular expressions, -i.bak edits in place and keeps a .bak backup). The pattern only matches lines that are empty or begin with #, so directives with a trailing comment survive:

sed -r -i.bak '/^\s*(#|$)/d' nginx.conf

The minimal configuration that remains, with explanations:

worker_processes  1;           # number of worker processes

events {
    worker_connections  1024;  # connections each worker process may open
}

http {
    include       mime.types;   # MIME type definitions
    default_type  application/octet-stream;  # default MIME type

    sendfile        on;         # kernel sendfile, avoids extra copies
    keepalive_timeout  65;      # keep-alive connection timeout

    server {                    # virtual host (vhost)
        listen       80;        # listening port
        server_name  localhost; # host name / domain name

        location / {            # match the URL against this rule
            root   html;        # document root: the html directory under the nginx prefix
            index  index.html index.htm;  # default pages
        }

        error_page   500 502 503 504  /50x.html;   # custom error page
        location = /50x.html {
            root   html;
        }
    }
}

2. Virtual host

Originally one server could only host one site; virtual hosting lets a single server serve several sites.

Each server block is one virtual host:

server {
    .. ..
}

Experiment: several virtual hosts on one server, distinguished by port

Create a different index.html for each site:

mkdir /www
cd /www/
mkdir www video

echo "This is the www site." > /www/www/index.html
echo "This is the video site." > /www/video/index.html
http {
    .. ..

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   /www/www;          # document root for port 80
            index  index.html index.htm;
        }
    }

    server {
        listen       88;
        server_name  localhost;

        location / {
            root   /www/video;         # document root for port 88
            index  index.html index.htm;
        }
    }
}
/usr/local/nginx/sbin/nginx -s reload

Test:

curl 127.0.0.1
This is the www site.

curl 127.0.0.1:88
This is the video site.

3. location matching modifiers

=           # exact match of the URI
~           # case-sensitive regular expression match
~*          # case-insensitive regular expression match
!~ and !~*  # negated forms: case-sensitive and case-insensitive non-match
^           # regular expression anchor: begins with
$           # regular expression anchor: ends with
^~          # prefix match on a plain string; if it matches, the regular expression locations are not checked
*           # regular expression wildcard
/           # generic prefix match, every request matches it

Examples:

Generic match: every request matches

location / {
}

Case-sensitive match of URIs ending in .php

location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;   # fastcgi_pass takes host:port, not an http:// URL
}

Case-sensitive match of URIs ending in .jsp

location ~ \.jsp$ {
    proxy_pass http://127.0.0.1:8080;
}

Case-insensitive match: deny access to backup files and the .git directory

location ~* "\.(sql|bak|tgz|tar\.gz)$|/\.git" {
    default_type text/html;
    return 403 "启用访问控制";
}

4. Nginx reverse proxy

1. Theory

The directive to remember for the reverse proxy is proxy_pass.

A reverse proxy works as follows: the proxy server accepts the client's connection request, forwards it according to its rules to the business server that actually does the work, and returns that server's result to the client that initiated the request.

2. Practice: Nginx as a reverse proxy for Tomcat


1. Deploy and install Tomcat (perform on both hosts)

Install the JDK environment and verify

yum install -y java-1.8.0-openjdk-devel.x86_64
java -version

Download Tomcat, unpack it and start it:

wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz --no-check-certificate

tar xf apache-tomcat-9.0.62.tar.gz -C /usr/local/
cd /usr/local/apache-tomcat-9.0.62/bin/

./startup.sh  
ps -aux |grep java

Firewall configuration:

# open port 8080
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --reload

# open port 8081
firewall-cmd --add-port=8081/tcp --permanent
firewall-cmd --reload

2. Change the port of one of the two instances to 8081

cd /usr/local/apache-tomcat-9.0.62/conf/
vim server.xml 
	.. ..
<Connector port="8081" protocol="HTTP/1.1"

Restart Tomcat

./shutdown.sh
./startup.sh

netstat -anput |grep 8081

3. Put a different page on each instance

# on host 10.10.14.101
mv /usr/local/apache-tomcat-9.0.62/webapps/ROOT/index.jsp{,.bak}

cd /usr/local/apache-tomcat-9.0.62/webapps/ROOT
echo "This is 101" > index.jsp

# on host 10.10.14.105
mv /usr/local/apache-tomcat-9.0.62/webapps/ROOT/index.jsp{,.bak}

cd /usr/local/apache-tomcat-9.0.62/webapps/ROOT
echo "This is 105" > index.jsp

Test:

curl 10.10.14.101:8081
This is 101

curl 10.10.14.105:8080
This is 105

4. Nginx reverse proxy configuration

http {
    .. ..

    server {
        listen 8888;
        server_name 10.10.14.100;

        location = /8080/ {
            proxy_pass http://10.10.14.105:8080/;
        }

        location = /8081/ {
            proxy_pass http://10.10.14.101:8081/;
        }
    }
}

Verify (note that with the exact-match modifier = only the URIs /8080/ and /8081/ themselves are proxied; a prefix location such as location /8080/ { ... } forwards everything under that path):

curl 10.10.14.100:8888/8080/
This is 105

curl 10.10.14.100:8888/8081/
This is 101

5. Nginx load balancing

Load balancing builds on the reverse proxy and is used together with proxy_pass: a load-balancing policy decides to which server of the backend cluster each request is forwarded.

A cluster here means several servers providing the same service while appearing to the client as a single server.

1. Practice: Nginx load balancing Tomcat


1. Configure Tomcat as in section 4 (Nginx reverse proxy). The result should be:

curl 10.10.14.101:8080
This is 101

curl 10.10.14.105:8080
This is 105

2. Nginx configuration

The upstream block for load balancing must be defined inside the http block:

http {
    .. ..

    upstream tomcat {
        server 10.10.14.101:8080 weight=8;
        server 10.10.14.105:8080 weight=2;
        # server 10.10.14.101:8080 weight=8 down;
        # server 10.10.14.105:8080 weight=2 backup;
    }

    .. ..
}

weight: relative weight of the server; the higher the value, the larger the share of requests it receives.

down: marks the server as permanently unavailable; it is not used.

backup: marks a backup server that only receives requests when all the non-backup servers are unavailable.

Virtual host configuration:

http {
    .. ..

    server {
        listen       8888;
        server_name  localhost;

        location / {
            proxy_pass http://tomcat;
            # when proxy_pass is used, comment out the lines below
            # root   /www/www;
            # index  index.html index.htm;
        }
    }
}

3. Firewall configuration

The back-end Tomcat servers should not be reachable from outside; they should only be reachable through Nginx, as shown below:


Configure the firewall on each Tomcat server so that only the Nginx host 10.10.14.100 may reach port 8080. The rich rule only has that effect if 8080/tcp is not also opened for everyone, so remove the earlier --add-port=8080/tcp rule first:

systemctl start firewalld.service

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.14.100" port protocol="tcp" port="8080" accept'
firewall-cmd --reload

Remove the rule:

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.10.14.100" port protocol="tcp" port="8080" accept'
firewall-cmd --reload

4. Restart Nginx and verify

curl 10.10.14.100:8888
This is 101

curl 10.10.14.100:8888
This is 105

2. Load balancing strategies

There are 3 built-in strategies: round-robin, weighted and ip_hash; round-robin is used by default.

1. Round-robin strategy

The default: requests are forwarded to the servers one by one in turn, which suits stateless requests.

2. Weighted strategy (weight)

The higher a server's weight, the larger the share of requests it receives.

3. ip_hash strategy

Requests from the same client IP address are forwarded to the same server, so a session stays on one backend.

4. least_conn

The request is sent to the server with the fewest active connections.

5. url_hash

Requests are distributed according to the URL the client accesses.

6. Nginx + Keepalived high availability

1. Environment description


Environment:

IP address      Role                Notes
10.10.14.100    Nginx_Master node   Master and Backup use the same nginx configuration
10.10.14.102    Nginx_Backup node   Master and Backup use the same nginx configuration
10.10.14.105    Tomcat node 1
10.10.14.101    Tomcat node 2

2. Practice

1. The Nginx_Master and Nginx_Backup nodes use the same nginx configuration file:

http {
    .. ..
    upstream tomcat {
        server 10.10.14.101:8080;
        server 10.10.14.105:8080;
    }

    server {
        listen       80;
        server_name  localhost;

        location / {
            proxy_pass http://tomcat;
        }
    }
    .. ..
}

2. Keepalived installation and configuration (perform on both Nginx nodes)

yum -y install openssl-devel libnl libnl-devel libnfnetlink-devel
wget https://www.keepalived.org/software/keepalived-2.0.20.tar.gz --no-check-certificate

tar zxf keepalived-2.0.20.tar.gz
cd keepalived-2.0.20/
./configure --sysconf=/etc
make && make install

# --sysconf sets the directory of the configuration file (/etc/keepalived/keepalived.conf)

3. Master keepalived configuration:

[root@nginx1 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id 111
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 50
    priority 100
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass 1111
    }

    virtual_ipaddress {
        10.10.14.200
    }
}

4. Backup keepalived configuration:

cat /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
   router_id 102
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 50
    priority 50
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass 1111
    }

    virtual_ipaddress {
        10.10.14.200
    }
}

5. Start and verify

systemctl restart keepalived.service
ip a
# If configured correctly, the VIP 10.10.14.200 shows up on the Master but not on the Backup
# Stop keepalived on the Master and check whether the VIP moves to the Backup host

6. Firewall rule against split-brain

VRRP advertisements are sent to multicast 224.0.0.18 (IP protocol 112). If the firewall drops them, each node believes the other is gone and both claim the VIP (split-brain), so allow them on both nodes:

firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0  --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --reload

7. Monitoring script

Check whether the local Nginx is running; if not, stop keepalived so that the VIP moves to the Backup node.

cat keep_nginx.sh
#!/bin/bash
# killall comes from the psmisc package; install it if it is missing
if ! command -v killall >/dev/null 2>&1; then
    yum install -y psmisc >/dev/null 2>&1
fi

# killall -0 nginx: sends no signal, only checks that a nginx process exists (exit status 0 if it does)
if ! killall -0 nginx >/dev/null 2>&1; then
    systemctl stop keepalived
fi

Add a vrrp_script tracking block to the keepalived configuration file:

cat /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
   router_id 111
}

vrrp_script keep_nginx.sh {
    script "/root/keep_nginx.sh"
    interval 2
    weight 5
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 50
    priority 100
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass 1111
    }

    virtual_ipaddress {
        10.10.14.200
    }

    track_script {
        keep_nginx.sh
    }
}
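A stricter variant of the monitoring script above, added here as an example and not part of the original post: besides the process check it probes the local listener over HTTP, and its comments explain why, with the positive weight 5 configured above, the script still has to stop keepalived to trigger failover. It assumes the local vhost answers on PROBE_URL (127.0.0.1:80 by default) and that the script is registered as "/root/keep_nginx.sh check".

```shell
#!/bin/sh
# Added example, not part of the original post: a stricter check for the
# vrrp_script above. Besides "does a nginx process exist" (killall -0) it
# probes the local listener and treats 5xx or no answer as failure. The
# decision is a pure function so it can be tested without nginx installed.
# Assumption (not on the page): the local vhost answers on PROBE_URL.

PROBE_URL="${PROBE_URL:-http://127.0.0.1:80/}"

# decide_health PROCESS_UP HTTP_CODE
#   PROCESS_UP: 1 if a nginx process exists, 0 otherwise
#   HTTP_CODE:  status from the local probe; curl reports 000 when it
#               cannot connect or times out
# Returns 0 (healthy) or 1 (unhealthy): keepalived only sees this exit code.
decide_health() {
    [ "$1" = "1" ] || return 1
    case "$2" in
        [1-4][0-9][0-9]) return 0 ;;   # listener answered, not a server error
        *)               return 1 ;;   # 000 (no answer) or 5xx
    esac
}

nginx_process_up() {
    if killall -0 nginx 2>/dev/null; then echo 1; else echo 0; fi
}

nginx_http_code() {
    code=$(curl -s -o /dev/null -m 3 -w '%{http_code}' "$PROBE_URL" 2>/dev/null)
    echo "${code:-000}"
}

# Keepalived entry point (configure as: script "/root/keep_nginx.sh check").
# Why the script still stops keepalived: "weight 5" is positive, so keepalived
# ADDS 5 to the priority while the check passes and leaves it unchanged when
# it fails. With MASTER 100 / BACKUP 50 a failed check alone therefore never
# hands the VIP over; stopping keepalived does. A negative weight such as
# "weight -60" would instead demote the MASTER to 40 on failure and restore
# it automatically once nginx is back.
check() {
    if decide_health "$(nginx_process_up)" "$(nginx_http_code)"; then
        exit 0
    fi
    logger -t keep_nginx "nginx check failed, stopping keepalived"
    systemctl stop keepalived
    exit 1
}

case "${1:-}" in
    check) check ;;
esac
```

After stopping keepalived this way the Master does not rejoin on its own; start keepalived again once nginx has been repaired.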


7. Nginx certificate authentication

1. SSL certificate configuration

# CA: certificate authority
# RA: registration authority

Certificate configuration:

mkdir /usr/local/nginx/ssl_key
cd /usr/local/nginx/ssl_key

Create a private key (-idea encrypts it with a passphrase, which openssl prompts for twice):

[root@loaclhost ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for server.key:    # passphrase
Verifying - Enter pass phrase for server.key: # passphrase

Generate a self-signed certificate together with a new private key that has no passphrase (-nodes); this overwrites server.key, so Nginx can start without prompting for it:

openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

ls /usr/local/nginx/ssl_key
server.crt  server.key

Nginx configuration:

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /usr/local/nginx/ssl_key/server.crt;   # certificate location
    ssl_certificate_key  /usr/local/nginx/ssl_key/server.key;   # private key location
    ssl_session_timeout  5m;
}

Firewall configuration:

firewall-cmd --add-service=https --permanent 
firewall-cmd --add-service=http  --permanent 
firewall-cmd --reload 

Start and test:

echo "Test Service SSL" > html/index.html
nginx -t
nginx 

Browser access: https://NginxIP

If a local domain name is involved, add it to the hosts file (on Windows: C:\Windows\System32\drivers\etc\hosts):

  • Format: IP address  domain name

2. rewrite: address rewriting (redirect HTTP to HTTPS)

server {
    listen 80;
    server_name https.benet.com;
#   rewrite .* https://https.benet.com;                 # pick any one of these redirects
#   rewrite .* https://$host$request_uri redirect;
#   rewrite .* https://$server_name$request_uri redirect;
    rewrite ^(.*)$ https://$server_name$1 redirect;     # $1 is the captured request path
}

8. Nginx smooth upgrade

1. Principle of the smooth upgrade

There are generally two reasons to upgrade nginx: moving to a newer nginx version, or adding new modules to the build.

The principle of the smooth upgrade in brief:

  • (1) Start a new master process without stopping the old one.
  • (2) The old process finishes the requests it already has but accepts no new ones.
  • (3) The new process accepts the new requests.
  • (4) Once the old process has finished all its requests and closed all its connections, it stops.

Signal description:

Signal      nginx built-in command   Meaning
HUP         nginx -s reload          Reload the configuration file
USR1        nginx -s reopen          Reopen the log files (after mv, used for log rotation)
USR2        -                        Hot-upgrade the nginx binary
WINCH       -                        Gracefully shut down the worker processes
QUIT        nginx -s quit            Stop nginx gracefully
TERM, INT   nginx -s stop            Stop nginx immediately

2. Practice: upgrade version 1.16 to version 1.18

nginx -v
nginx version: nginx/1.16.1

Build the new version with the original configure parameters (shown by nginx -V). Run only make, not make install: make install would overwrite the existing configuration files.

wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar zxvf nginx-1.18.0.tar.gz -C /usr/local/src
cd /usr/local/src/nginx-1.18.0

./configure --prefix=/usr/local/nginx --user=nginx --with-http_ssl_module
make 

Back up and replace the nginx binary:

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_$(date +%F)
cp /usr/local/src/nginx-1.18.0/objs/nginx /usr/local/nginx/sbin/

Test the new version:

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -v

Find the nginx.pid file:

find / -name nginx.pid
/usr/local/nginx/logs/nginx.pid

Send the USR2 signal to start a new master process from the new binary (the hot upgrade):

kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`

Send the WINCH signal to the old master process; it then gracefully shuts down its worker processes:

kill -WINCH `cat /usr/local/nginx/logs/nginx.pid.oldbin`

3. Rollback operation on upgrade failure

1. Restore the original nginx binary

cd /usr/local/nginx/sbin/
mv nginx_2022-03-21 nginx

2. Send HUP to the old master process

# the old master starts its worker processes again without re-reading the configuration file

kill -HUP `cat /usr/local/nginx/logs/nginx.pid.oldbin`

3. Send USR2 to the new master process

kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`

4. Send WINCH to the new master process

kill -WINCH `cat /usr/local/nginx/logs/nginx.pid`
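The "back up, replace, test" step of section 8.2 and the binary restore of section 8.3, combined into one function that rolls the binary back by itself when the new build fails nginx -t, plus the USR2/WINCH step as a helper. This is an added example, not code from the original post; it assumes the page's layout (/usr/local/nginx/sbin and logs/nginx.pid) and that NEW_BIN is the freshly built objs/nginx.

```shell
#!/bin/sh
# Added example, not part of the original post: the "back up, replace, test"
# step of the smooth upgrade as a function that rolls the binary back by
# itself when the new build fails "nginx -t", plus the signal step as a
# helper. Nothing runs at top level.
# Assumptions: the page's layout (/usr/local/nginx/sbin, logs/nginx.pid);
# NEW_BIN is the freshly built objs/nginx.

SBIN="${SBIN:-/usr/local/nginx/sbin}"
PIDFILE="${PIDFILE:-/usr/local/nginx/logs/nginx.pid}"

# replace_binary NEW_BIN [SBIN_DIR]
#   Moves sbin/nginx to sbin/nginx_YYYY-MM-DD (the page's naming), copies
#   NEW_BIN into place and runs the new binary's configuration test.
#   Returns 0 on success, 1 if the test failed and the old binary was
#   restored, 2 on bad input.
replace_binary() {
    new_bin="$1"; sbin="${2:-$SBIN}"
    [ -x "$new_bin" ] && [ -x "$sbin/nginx" ] || return 2
    backup="$sbin/nginx_$(date +%F)"
    mv "$sbin/nginx" "$backup" || return 2
    if cp "$new_bin" "$sbin/nginx" && "$sbin/nginx" -t >/dev/null 2>&1; then
        return 0
    fi
    mv -f "$backup" "$sbin/nginx"      # new build unusable: roll back
    return 1
}

# hot_upgrade: USR2 makes the running master exec the new binary as a second
# master (the old pid moves to nginx.pid.oldbin); WINCH then tells the old
# master to shut its workers down gracefully. The old master itself keeps
# running, which is what makes the rollback in section 8.3 possible.
hot_upgrade() {
    kill -USR2 "$(cat "$PIDFILE")" || return 1
    sleep 1
    [ -s "$PIDFILE.oldbin" ] || return 1   # no new master appeared (see 8.4)
    kill -WINCH "$(cat "$PIDFILE.oldbin")"
}
```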

4. Encountered problems

**Problem:** after sending the USR2 signal, no new master process appears.

The error log explains it: the nginx binary cannot be found.

execve() failed while executing new binary process "nginx" (2: No such file or directory)

Cause: the smooth upgrade re-executes the binary using the path nginx was started with. The last start used a bare "nginx" rather than the full path, and the nginx directory is not in PATH, so the new master cannot be started.

**Solution:** Use the correct startup method

/usr/local/nginx/sbin/nginx 

9. Nginx optimization scheme

Reference document 1:

Reference document 2:

10. Additional notes

1. HTTP status codes

200        # request succeeded
201        # created, e.g. a file upload succeeded
301        # permanent redirect
302, 307   # temporary redirect
304        # not modified, the browser cache is used
403        # forbidden, no permission
404        # the requested resource does not exist
405        # request method not supported
500        # internal server error, application error
502        # bad gateway: the front end forwards to a backend it cannot reach
503        # service temporarily unavailable
504        # gateway timeout

2. The difference between URL and URI

URL: Uniform Resource Locator
    Format: https://www.baidu.com/?tn=98010089_dg&ch=12

Difference between URL and URI:
    URI: can be thought of as a site's home page
    URL: can be thought of as the specific path of a resource
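Turning the status codes above into something operational: the functions below summarise nginx's access.log (default combined format, the file listed under /usr/local/nginx/logs/) and list clients that repeatedly hit the 403 rule for backup files and .git from section 3.3. This is an added example, not part of the original post; the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the status codes in
# nginx's access.log (default "combined" format, the file the page lists under
# /usr/local/nginx/logs/) and list clients that keep hitting the 403 rule for
# backup files and .git from section 3.3. The log lines are constructed here
# for the demonstration; point the functions at a real file in practice.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.10.14.50 - - [09/Apr/2022:06:27:19 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.61.1"
10.10.14.50 - - [09/Apr/2022:06:27:20 +0000] "GET /8080/ HTTP/1.1" 200 12 "-" "curl/7.61.1"
10.10.14.77 - - [09/Apr/2022:06:30:01 +0000] "GET /backup.sql HTTP/1.1" 403 15 "-" "Mozilla/5.0"
10.10.14.77 - - [09/Apr/2022:06:30:02 +0000] "GET /.git/config HTTP/1.1" 403 15 "-" "Mozilla/5.0"
10.10.14.77 - - [09/Apr/2022:06:30:03 +0000] "GET /db.bak HTTP/1.1" 403 15 "-" "Mozilla/5.0"
10.10.14.60 - - [09/Apr/2022:06:31:10 +0000] "GET /8081/ HTTP/1.1" 502 157 "-" "curl/7.61.1"
EOF

# Combined format as awk sees it: $1 client IP, $7 request path, $9 status code.

# count_status LOG CODE -> number of requests answered with CODE
count_status() {
    awk -v code="$2" '$9 == code { n++ } END { print n + 0 }' "$1"
}

# status_summary LOG -> one "code count" line per status, sorted by code;
# a rising 502/504 count points at the upstream Tomcats rather than at nginx
status_summary() {
    awk '{ c[$9]++ } END { for (k in c) print k, c[k] }' "$1" | sort
}

# probing_clients LOG THRESHOLD -> "ip hits" for clients with at least
# THRESHOLD denied requests for backup/VCS paths (same pattern as the
# location ~* rule in section 3.3), i.e. candidates for a firewall block
probing_clients() {
    awk -v t="$2" '
        $9 == 403 && $7 ~ /\.(sql|bak|tgz|tar\.gz)$|\/\.git/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }' "$1" | sort
}
```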

3. Browser F12 network panel fields

General:

Request URL: http://10.10.14.100/index.html    # requested URL
Request Method: GET                            # request method
Status Code: 304 OK                            # status code
Remote Address: 10.10.14.100:80                # server address (IPv4/IPv6)
Referrer Policy: no-referrer-when-downgrade    # referrer handling on downgrade (https to http)

Request Headers:

Accept: text/html                      # content types the client accepts
Accept-Encoding: gzip, deflate, br     # compression the client accepts
Accept-Language: zh-CN,zh;q=0.9        # preferred languages
Connection: keep-alive                 # persistent TCP connection
cache-control:max-age=0                # cache lifetime
Cookie:                                # client-side stored site information such as user login data
Host:www.baidu.com/                    # requested domain name
Upgrade-Insecure-Requests: 1           # client prefers an upgrade to https
User-Agent: Mozilla/5.0                # client browser (and the engine it is built on)

Response Headers:

Cache-Control: private                  # cache is private to the client (public: any cache may store it)
Connection: keep-alive                  # persistent connection
Content-Encoding: gzip                  # compression format gzip
Content-Type: text/html;charset=utf-8   # document type
Date: Sat, 14 Mar 2020 08:48:02 GMT     # response time
Expires: Sat, 14 Apr 2022 08:47:42 GMT  # expiry time
Server: BWS/1.1                         # web server software
status:200                              # status code

4. Common curl test options

-I: show only the response headers

curl -I 127.0.0.1:8080

HTTP/1.1 200 
Set-Cookie: JSESSIONID=CA2EC2BDA2C9E6A0BE3EB87FDEEFA8FA; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Sat, 09 Apr 2022 06:27:19 GMT

-i: show the response headers followed by the response body

curl -i 127.0.0.1:8080


Origin blog.csdn.net/weixin_45310323/article/details/131281919