Operation and maintenance notes: nginx in detail

Table of contents

1. Introduction
2. Forward proxy and reverse proxy
3. Installation and deployment of nginx (based on CentOS Stream)
4. Detailed nginx configuration file
5. Efficient web server: nginx
   5.1 Basic configuration of the nginx server
   5.2 IP-based access control in nginx
   5.3 Authorization-based access control
   5.4 Access control comparison between Apache and nginx
6. Reverse proxy server: nginx
   6.1 Configuration environment
   6.2 Reverse proxy configuration
   6.3 Load balancing
7. Enabling working status statistics
8. Separation of dynamic and static files with nginx
   8.1 Introduction to matching rules
   8.2 Dynamic and static file separation configuration
9. nginx session persistence
   9.1 Session persistence based on ip_hash
   9.2 Cookie-based session persistence
10. Common functions and implementation modules of nginx
11. nginx performance tuning



1. Introduction

Nginx is widely used because of its stability, rich module library, flexible configuration and low system resource consumption. As a web server it handles static files more efficiently than Apache, supports high concurrency and consumes fewer resources. As a reverse proxy it can also provide load balancing. This article introduces nginx from these two main roles.

2. Forward proxy and reverse proxy

A major function of nginx is reverse proxying. What is a reverse proxy, what is its opposite, a forward proxy, and how do the two differ?

Both a forward proxy and a reverse proxy sit between the client and the server. A forward proxy acts on behalf of the client; a reverse proxy acts on behalf of the server. A forward proxy hides client information, works around access restrictions, can use a cache to speed up access, and can reach sites that are otherwise unreachable from the client's network. A reverse proxy hides the server's network details, which adds a layer of protection, and can provide load balancing.

3. Installation and deployment of nginx (based on CentOS Stream)

Installing nginx is simple. Here we install the required packages with one yum command and then compile and install nginx from source. The packages needed are zlib, zlib-devel, pcre, pcre-devel, openssl, openssl-devel and gcc.

1. Install the packages with the following command

yum install -y zlib zlib-devel openssl openssl-devel gcc pcre pcre-devel

2. After the packages are installed, download the nginx tar archive from the following address (the download path is up to you), then extract it

wget http://nginx.org/download/nginx-1.21.6.tar.gz

3. Extract the archive

tar -zxvf nginx-1.21.6.tar.gz

4. Enter the nginx-1.21.6 directory. Since the security authentication and status monitoring functions will be used later, run the following command first to compile in the two modules http_stub_status_module and http_ssl_module

./configure --with-http_stub_status_module --with-http_ssl_module

5. Then build and install

make && make install

6. After installation the default install path of nginx is /usr/local/nginx/, and the following command starts the nginx service

/usr/local/nginx/sbin/nginx

7. Common nginx commands

/usr/local/nginx/sbin/nginx -s reload     // reload the configuration after editing it, without stopping the service

/usr/local/nginx/sbin/nginx -s stop       // stop the nginx service

/usr/local/nginx/sbin/nginx -t            // check the nginx configuration file for errors (run this before every reload)

/usr/local/nginx/sbin/nginx -v            // show the nginx version

/usr/local/nginx/sbin/nginx -V            // show the parameters nginx was compiled with; the two modules just installed, http_stub_status and http_ssl, appear here

4. Detailed nginx configuration file

The following is the nginx configuration file as installed by default; its path is /usr/local/nginx/conf/nginx.conf

The outermost context of the configuration file is main, which contains the events block and the http block; the http block contains upstream blocks and one or more server blocks, and each server block contains one or more location blocks. The annotations below use nginx's # comment syntax so the file stays valid if it is copied.

# Global (main) context
#user  nobody;            # worker user; nobody cannot log in and only sees world-readable
                          # files; running workers as it limits the damage of a compromise
worker_processes  1;      # nginx runs one master plus one or more worker processes; this
                          # sets the worker count, normally equal to the number of CPUs

#error_log  logs/error.log;         # error log path; a level may follow, debug being the most verbose
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;  # file in which nginx records its master process id at startup


events {
    use  epoll;               # event model: select/poll/epoll/kqueue; epoll is the efficient
                              # model on Linux, kqueue is used on FreeBSD
    worker_connections  1024; # max connections per worker; the total client limit is
                              # worker_connections * worker_processes
}


http {
    include       mime.types;                # MIME type definitions from mime.types
    default_type  application/octet-stream;  # fallback type: an arbitrary binary stream

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';  # log line format, named main

    #access_log  logs/access.log  main;  # access log path, using the format named main

    sendfile        on;   # efficient file transfer; normally enabled when serving as a web server
    #tcp_nopush     on;   # used together with sendfile to avoid network congestion

    #keepalive_timeout  0;
    keepalive_timeout  65;  # idle keep-alive timeout after which the server closes the client connection

    #gzip  on;      # compressed transfer

    # The upstream block below is an addition to the default file: it is the load-balancing
    # configuration used when nginx acts as a reverse proxy. It belongs in the http
    # context, not inside a server block.
    upstream test {
        ip_hash;                              # scheduling algorithm; the default is weighted
                                              # round robin, alternatives are ip_hash/url_hash/fair
        server 192.168.91.128:80 weight=1;    # backend ip:port; under weighted round robin a
        server 192.168.91.128:81 weight=2;    # higher weight means a larger share of requests
        server 192.168.91.128:82 weight=3;
    }

    # Each server block is one virtual host
    server {
        listen       80;             # listening port, default 80
        server_name  localhost;      # server name: ip or domain

        #charset koi8-r;             # page character encoding

        #access_log  logs/host.access.log  main;   # log path, using the log format main

        location / {
            root   html;             # document root of the published files
            index  index.html index.htm;    # index files
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        # The two directives above show html/50x.html when a request fails with 500/502/503/504

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;  # address of the proxied server
        #}
        # The three lines above reverse proxy .php scripts

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
        # nginx also supports FastCGI

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;      # access control when serving files: refuse any .ht* file
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;      # TLS settings provided by the ssl module

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

5. Efficient web server: nginx

5.1 Basic configuration of the nginx server

When nginx is used as a web server, the main focus is on the following configuration.

After installing nginx, start the service and open http://localhost:80 in a browser. If access is refused, check whether port 80 is open in the firewall. Use the following commands to inspect and open it.

firewall-cmd --list-all  // show all firewall information

The port and service lists can also be viewed separately
firewall-cmd --list-ports  // show the ports that are allowed
firewall-cmd --list-services  // show the services that are allowed

If port 80 is not allowed, open it with the following commands
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload      // reload the firewall policy

If the http service is not allowed, open it with the following commands
firewall-cmd --permanent --add-service=http
firewall-cmd --reload      // reload the firewall policy

Once the firewall allows the traffic, the nginx welcome page loads in the browser, which shows that nginx was installed successfully.

Changing the default published file and directory is not covered here; for questions such as changing the port, refer to the companion Apache operation and maintenance notes: CSDN https://mp.csdn.net/mp_blog/creation/editor/124062101

5.2 IP-based access control in nginx

Like the Apache server, nginx implements IP-based access control through the built-in module http_access_module, using allow and deny directives inside the location block. The rules are evaluated in order and the first one matching the client address decides. The configuration is as follows

deny 192.168.91.131;
allow all;
// allow every client except 192.168.91.131

A browser on the denied address is now refused access (nginx answers with 403 Forbidden)

5.3 Authorization-based access control

nginx implements authorization-based (username and password) access control through the built-in module http_auth_basic_module

1. Add the following configuration to the location block in /usr/local/nginx/conf/nginx.conf:

auth_basic "secret";
auth_basic_user_file /usr/local/nginx/passwd;

2. Generate the user file with the htpasswd command (from the httpd-tools package) and enter the password for user test1 at the prompt. -c creates the file and -m hashes the password with MD5; omit -c when adding further users, otherwise the file is overwritten. The command is as follows:

htpasswd -cm /usr/local/nginx/passwd test1

3. When the browser opens the URL, it prompts for the username and password. Because basic authentication sends the credentials with every request, it should be used over the HTTPS server shown in the configuration file.

5.4 Access control comparison between Apache and nginx

Both Apache and nginx support IP-based and authorization-based access control, and the configurations are similar. For the Apache access control configuration, refer to the link:

CSDN https://mp.csdn.net/mp_blog/creation/editor/124062101

6. Reverse proxy server: nginx

6.1 Configuration environment

The IP and port environment used earlier when deploying Apache is still available, so here nginx is used as a reverse proxy in front of the previously installed Apache server. The environment is as follows:

Apache server IP: 192.168.91.128
Port: 80
[screenshot of the Apache server's page omitted]

6.2 Reverse proxy configuration

The configuration is as follows; only one proxy_pass line needs to be added to the location block, giving the IP and port of the server to be proxied (the line must not be commented out):

location / {
    proxy_pass   http://192.168.91.128:80;  # address of the proxied server
}

After the configuration is complete, restart or reload the nginx service; a request to http://192.168.91.131:80 (the nginx host) now returns the page published by the Apache server

6.3 Load balancing

When explaining the configuration file earlier, we mentioned the upstream block, which is where nginx's load-balancing configuration lives. Only the simplest configuration is shown here, without tuning any other parameters. Note that the upstream block sits in the http context, outside any server block. The configuration is as follows:

    upstream test {
        server 192.168.91.128:80 weight=1;
        server 192.168.91.128:81 weight=2;
        server 192.168.91.128:82 weight=3;
    }
    # Load balancing with the default weighted round-robin algorithm and a weight per server:
    # the higher the weight, the larger the share of requests. The first request should be
    # sent to 192.168.91.128:82, the server with the highest weight

    server {
        listen       8090;     # changed from the port 80 used above to 8090 so the two can be told apart
        server_name  localhost;

        location / {
            proxy_pass http://test;
            proxy_set_header   Host              $http_host;
            proxy_set_header   X-Real-IP         $remote_addr;
        }
    }
    # This is essentially the minimal load-balancing configuration. proxy_set_header adds request
    # headers that carry the real client information to the backend server; without them the
    # backend would only ever see the proxy's own IP and host name. (Here the real IP and host name are passed.)

In the upstream block, the three backends are three ports on one host. For this configuration you can also refer to:

CSDN https://mp.csdn.net/mp_blog/creation/editor/124062101

7. Enabling working status statistics

We compiled in the http_stub_status_module earlier; here its function is enabled. The module reports nginx's working status since the last start, including the number of active connections and the number of requests handled

Enable it with the following location (inside the server block being monitored, here the one listening on 8090):

location ~ /status {
        stub_status   on;        # enable status statistics
        access_log off;          # no access log for this location
}

Because the page reveals connection counts, restrict who can read it with the allow/deny directives from section 5.2.

After reloading, visit http://localhost:8090/status; the status statistics are read as follows:

Active connections: the current number of active client connections

The three numbers on the third line are, in order: the total number of accepted client connections / the total number of handled connections / the total number of client requests; accepts and handled are normally equal, and a gap means a resource limit such as worker_connections was reached

Reading: the number of connections on which nginx is reading the request header

Writing: the number of connections on which nginx is writing the response back to the client

Waiting: the number of idle keep-alive connections on which nginx has finished a request and is waiting for the next one
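As an added example (not part of the original post), the following Python parses the text returned by /status into counters and derives the checks a monitor would alert on; the sample status text is constructed, not captured from a real server.

```python
import re

# Constructed sample of the stub_status page (not captured from a real server)
SAMPLE_STATUS = """Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

_ACTIVE_RE = re.compile(r"Active connections:\s*(\d+)")
_COUNTERS_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)
_RWW_RE = re.compile(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)")


def parse_stub_status(text):
    """Turn the stub_status text into a dict of integer counters.

    Raises ValueError when the text is not a stub_status page (for example an
    HTML error page returned because the location was not enabled).
    """
    active = _ACTIVE_RE.search(text)
    counters = _COUNTERS_RE.search(text)
    rww = _RWW_RE.search(text)
    if not (active and counters and rww):
        raise ValueError("not a stub_status page")
    accepts, handled, requests = (int(v) for v in counters.groups())
    reading, writing, waiting = (int(v) for v in rww.groups())
    return {
        "active": int(active.group(1)),
        "accepts": accepts,     # client connections accepted since start
        "handled": handled,     # connections actually handled
        "requests": requests,   # client requests since start
        "reading": reading,
        "writing": writing,
        "waiting": waiting,
    }


def health_checks(stats):
    """Derived figures worth alerting on.

    accepts - handled > 0 means connections were dropped because a limit such
    as worker_connections was reached; requests per connection shows whether
    keep-alive is in use; active should equal reading + writing + waiting.
    """
    dropped = stats["accepts"] - stats["handled"]
    per_conn = stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    return {
        "dropped_connections": dropped,
        "requests_per_connection": round(per_conn, 2),
        "active_matches_rww": stats["active"]
        == stats["reading"] + stats["writing"] + stats["waiting"],
    }
```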

8. Separation of dynamic and static files with nginx

When nginx is used as a web server it serves static files efficiently, but it does not execute dynamic content itself. When it receives a request for a dynamic file it uses its reverse proxy function to forward the request to a backend such as Tomcat for processing. Combining the two handles dynamic content while still serving static files efficiently.

8.1 Introduction to matching rules

nginx separates dynamic and static files mainly through the URL matching of the location block. A brief introduction follows:

(location =) > (location exact full path) > (location ^~) > (location ~, ~*) > (location partial prefix path) > (/)

location = means an exact match

location ^~ means a prefix match on a plain (non-regular-expression) string; if it is the longest matching prefix, the regular-expression locations are not checked at all

location ~ means a case-sensitive regular-expression match

location ~* means a case-insensitive regular-expression match

location !~ and location !~* are the case-sensitive and case-insensitive negated matches

location / is the general match: any request matches it


Matching priority order:

  • first, the exact match =;

  • second, the prefix match ^~;

  • third, the regular-expression locations, in the order they appear in the configuration file, the first match winning;

  • then the longest prefix match without any modifier;

  • finally the general match /.

8.2 Dynamic and static file separation configuration

        location / {
                proxy_pass http://x.x.x.x;
        }
        # every path starts with /, so this matches all requests

        location ~ .*\.(php|php5)$ {
                proxy_pass http://x.x.x.x;
        }
        # matches URLs ending in .php or .php5; ~ means case-sensitive
        # (the original pattern had a trailing ? after the group, which would also
        # match any URL ending in a bare dot, so the ? is dropped here)

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
                proxy_pass http://x.x.x.x;
        }
        # matches URLs ending in .gif, .jpg, .jpeg, .png, .bmp or .swf

        location ~ .*\.(js|css)$ {
                proxy_pass http://x.x.x.x;
        }
        # matches URLs ending in .js or .css (trailing ? dropped for the same reason)

The configuration above sends each matched static file type to its own proxy, and any URL that matches none of the patterns falls through to the match-all location /
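Added example, not from the original post: a Python resolver that applies the matching order of 8.1 to a location table modelled on the 8.2 config, plus the /status exact location from section 7 and a hypothetical ^~ /static/ prefix; the backend names are placeholders.

```python
import re

# Constructed location table: (modifier, pattern, backend name).
# Patterns follow section 8.2 (without the trailing ?), /status follows
# section 7, and the ^~ /static/ prefix is hypothetical.
LOCATIONS = [
    ("",   "/",                                "catch-all"),
    ("~",  r".*\.(php|php5)$",                 "php-backend"),
    ("~",  r".*\.(gif|jpg|jpeg|png|bmp|swf)$", "image-backend"),
    ("~",  r".*\.(js|css)$",                   "asset-backend"),
    ("=",  "/status",                          "stub-status"),
    ("^~", "/static/",                         "static-prefix"),
]


def resolve_location(uri, locations):
    """Return the name of the location nginx would choose for uri.

    An exact (=) match wins outright. Otherwise the longest plain or ^~
    prefix is remembered; a ^~ prefix ends the search, else the regular
    expressions (~ case-sensitive, ~* case-insensitive) are tried in
    configuration order and the first match wins. With no regex match the
    longest plain prefix (at least /) is used; None if nothing matches.
    """
    best = None  # (prefix length, modifier, name)
    for mod, pat, name in locations:
        if mod == "=":
            if uri == pat:
                return name
        elif mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > best[0]:
                best = (len(pat), mod, name)
    if best is not None and best[1] == "^~":
        return best[2]  # regexes are not consulted after a ^~ prefix
    for mod, pat, name in locations:
        flags = re.IGNORECASE if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, uri, flags):
            return name
    return best[2] if best is not None else None
```

Run with the pattern `.*\.(php|php5)?$` exactly as the original 8.2 config wrote it, the resolver sends a URI ending in a bare dot such as /index. to the PHP backend, which is why the trailing ? should be dropped.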

9. nginx session persistence

When nginx provides load balancing, session persistence becomes an issue: the same client should consistently reach the same backend server. nginx generally offers two methods, one based on ip_hash and one based on cookies. The ip_hash method can lead to load imbalance, so it is generally not recommended; the cookie-based method requires compiling the sticky module. Both methods are introduced below

9.1 Session persistence based on ip_hash

The configuration is as follows. The principle is that the client's IP is run through a hash; the value is the same for the same client on every request, and nginx uses it to send that client's requests to a fixed server. (For IPv4 nginx hashes only the first three octets, so all clients in one /24 land on the same backend, which is the imbalance mentioned above.)

    upstream test {
        ip_hash;
        server 192.168.91.128:80;
        server 192.168.91.128:81;
        server 192.168.91.128:82;
    }
    # The load-balancing algorithm is set to ip_hash: the client IP is hashed, the hash of the
    # same client IP never changes, and nginx uses it to pin the client to one fixed backend

    server {
        listen       8090;
        server_name  localhost;

        location / {
            proxy_pass http://test;
            proxy_set_header   Host              $http_host;
            proxy_set_header   X-Real-IP         $remote_addr;
        }
    }
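Added example for sections 6.3 and 9.1 (not code from the original post): the two ways the upstream block picks a backend, nginx's default smooth weighted round robin and ip_hash, simulated in Python over the page's three-server upstream. The ip_hash arithmetic mirrors the nginx module's constants as an assumption; servers marked down are not modelled.

```python
import ipaddress

# Constructed upstream mirroring the "test" block of sections 6.3 and 9.1:
# (address, weight)
UPSTREAM = [
    ("192.168.91.128:80", 1),
    ("192.168.91.128:81", 2),
    ("192.168.91.128:82", 3),
]


class SmoothWeightedRoundRobin:
    """nginx's default scheduler (section 6.3).

    On every pick each server's weight is added to its current_weight, the
    server with the largest current_weight is chosen, and the total weight
    is subtracted from the winner. Over one cycle each server is picked
    weight times, and the heaviest server is picked first.
    """

    def __init__(self, servers):
        self.servers = list(servers)
        self.current = [0] * len(self.servers)
        self.total = sum(weight for _, weight in self.servers)

    def pick(self):
        best = 0
        for i, (_, weight) in enumerate(self.servers):
            self.current[i] += weight
            if self.current[i] > self.current[best]:
                best = i
        self.current[best] -= self.total
        return self.servers[best][0]


def ip_hash_key(client_ip):
    """Key used by ip_hash (section 9.1): the first three octets of an IPv4
    address, or the whole IPv6 address, so a whole /24 shares one backend."""
    addr = ipaddress.ip_address(client_ip)
    return addr.packed[:3] if addr.version == 4 else addr.packed


def ip_hash_pick(client_ip, servers):
    """Pin a client to one backend. The arithmetic (start at 89, then
    hash = (hash * 113 + byte) % 6271, then walk the weights) follows the
    nginx ip_hash module as an assumption; down servers are not modelled."""
    h = 89
    for byte in ip_hash_key(client_ip):
        h = (h * 113 + byte) % 6271
    w = h % sum(weight for _, weight in servers)
    for address, weight in servers:
        if w < weight:
            return address
        w -= weight
    raise RuntimeError("unreachable: w is always below the total weight")
```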

9.2 Cookie-based session persistence

Cookie-based session persistence in nginx needs the third-party sticky module, and the browser must support cookies. The principle: when a user reaches the site through nginx, nginx forwards the request to a backend server, and when the backend returns its response nginx adds a cookie recording which backend served it; later requests carrying that cookie are sent to the same backend.

Compiling and installing the sticky module is not described here. After it is installed, the configuration is as follows:

    upstream test {
        sticky expires=1h domain=test.cn path=/;
        server 192.168.91.128:80;
        server 192.168.91.128:81;
        server 192.168.91.128:82;
    }
    # sticky settings: expires is the cookie lifetime, domain its scope, path the URL it
    # applies to (the default is also /)

    server {
        listen       8090;
        server_name  localhost;

        location / {
            proxy_pass http://test;
            proxy_set_header   Host              $http_host;
            proxy_set_header   X-Real-IP         $remote_addr;
        }
    }

10. Common functions and implementation modules of nginx

When compiling nginx we can add the modules we need. Which modules does nginx commonly have, and which module implements each of its functions? This chapter gives a brief introduction

The command to check which modules were compiled into nginx:

/usr/local/nginx/sbin/nginx -V

http_core_module: the nginx core module, holding the core http parameters; corresponds to the http block of the configuration

http_stub_status_module: status monitoring module; reports nginx's working status such as the number of active connections and handled requests

http_ssl_module: security module providing encrypted (HTTPS) connections

http_access_module: access control module; IP-based access control through the allow and deny directives

http_auth_basic_module: user-based access control module; username and password access to nginx

http_log_module: the nginx access log module; records client accesses in the specified format

http_upstream_module: the nginx load-balancing module

http_gzip_module: implements nginx's compression function

http_proxy_module: implements nginx's reverse proxy function

http_rewrite_module: URL rewriting module; requires the pcre package

http_limit_conn_module: module for limiting the number of concurrent connections from a client

11. nginx performance tuning

1. worker_rlimit_nofile

The maximum number of file handles a worker process may open. In theory it should equal the ulimit -n value divided by the number of worker processes, but since nginx's load is not necessarily balanced across workers, it is generally recommended to set it equal to ulimit -n

2. worker_processes, worker_cpu_affinity

The number of worker processes is generally recommended to equal the number of CPU cores of the server, or twice the number of cores under high concurrency.

worker_cpu_affinity binds each worker process to a CPU, reducing the performance loss caused by switching between cores

3. use epoll

Use the epoll I/O multiplexing model. FreeBSD generally uses kqueue, Linux generally uses epoll, and Windows generally uses IOCP

4. sendfile on

Efficient file transfer mode: the sendfile system call replaces read() and write() calls, reducing context switches and improving performance; generally enabled when serving as a web server

5. client_max_body_size

The maximum upload size allowed from a client; a request body larger than this value is rejected

6. gzip

Compressed transfer: before the requested data is sent to the client, nginx compresses it according to the configured policy, reducing the size of the response, saving outbound bandwidth and speeding up transfer

7. worker_priority

Worker process priority; the default is 0 and the range is -20 to +19. The smaller the value, the higher the priority, but it is generally not recommended to go below the nice value of the kernel processes, -5

8. accept_mutex, accept_mutex_delay

Whether to enable the accept lock. nginx's accept lock is its solution to the thundering herd problem: it ensures that when a connection arrives, only a single worker process accepts it.

accept_mutex_delay is the maximum time a worker waits in epoll_wait, that is, how long it takes before another process can try to acquire the accept lock again

9. server_tokens

Hides the nginx version number, so that an attacker who learns the version cannot simply look up the vulnerabilities known for it


Origin blog.csdn.net/m0_64496909/article/details/124216647