Nginx advanced usage (1)


Nginx status page

  The status page is provided by ngx_http_stub_status_module. It is not built by default: pass --with-http_stub_status_module to configure when compiling nginx, otherwise the stub_status directive below fails the configuration syntax check as an unknown directive.

Check whether ngx_http_stub_status_module was compiled in:
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_perl_module
[root@CentOS7 ~]#vim /apps/nginx/conf/nginx.conf
        location /nginx_status {
                stub_status;
                allow 192.168.36.0/24;
                deny all;
        }

[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload

Access tests

[root@CentOS-Test ~]#curl 192.168.36.104/nginx_status
Active connections: 1
server accepts handled requests
 124 124 223  # these three numbers are accepts, handled and requests respectively
Reading: 0 Writing: 1 Waiting: 0

Active connections: the number of client connections currently open, including idle keep-alive connections (the Waiting figure below).
accepts: cumulative total of client connections accepted since nginx started.
handled: cumulative total of connections actually handled; normally equal to accepts, lower only when connections were dropped for lack of resources, e.g. because the worker_connections limit was reached.
requests: cumulative total of client requests since nginx started; with keep-alive one connection carries several requests, so this exceeds accepts.
Reading: connections on which nginx is currently reading the request header.
Writing: connections on which nginx is currently writing the response back to the client.
Waiting: idle keep-alive connections waiting for the next request; equals active - (reading + writing).

Keep the location restricted, as the allow/deny rules above do (or add auth_basic): the counters expose the server's load and its connection limits, which is useful intelligence for anyone planning a denial-of-service.
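To turn these counters into something a monitor can act on, the following added example (not from the original page) parses the stub_status output shown above and computes the derived numbers: dropped connections (accepts minus handled), the active = reading + writing + waiting identity, and per-second rates between two samples. The two samples are constructed; fetch_status() assumes the /nginx_status location configured above and a client address the allow rule permits.

```python
#!/usr/bin/env python3
"""Parse ngx_http_stub_status_module output and derive the numbers worth alerting on.

Added example, not from the original page. SAMPLE_T0 and SAMPLE_T1 are constructed
in the exact layout the module emits; fetch_status() assumes the /nginx_status
location from the configuration above and a client the allow rule permits.
"""
import re
import urllib.request

# Constructed first sample, identical to the curl output above.
SAMPLE_T0 = """Active connections: 1
server accepts handled requests
 124 124 223
Reading: 0 Writing: 1 Waiting: 0
"""
# Constructed second sample, taken 10 seconds later during a connection burst.
SAMPLE_T1 = """Active connections: 43
server accepts handled requests
 1324 1300 1523
Reading: 2 Writing: 1 Waiting: 40
"""

_STATUS_RE = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*"
    r"server accepts handled requests\s*"
    r"(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*"
    r"Reading:\s*(?P<reading>\d+)\s*Writing:\s*(?P<writing>\d+)\s*Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Return the seven counters as ints plus two derived fields:
    dropped    = accepts - handled, connections refused for lack of resources
                 (e.g. the worker_connections limit)
    consistent = active == reading + writing + waiting, the keep-alive identity
                 described above; False means the page was not read whole."""
    m = _STATUS_RE.search(text)
    if m is None:
        raise ValueError("not a stub_status page")
    s = {k: int(v) for k, v in m.groupdict().items()}
    s["dropped"] = s["accepts"] - s["handled"]
    s["consistent"] = s["active"] == s["reading"] + s["writing"] + s["waiting"]
    return s


def rates(prev, cur, seconds):
    """Per-second rates of the cumulative counters between two samples, plus
    requests per handled connection (a value near 1.0 under a burst of accepts
    suggests connections that open and never send a full request)."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    d_handled = cur["handled"] - prev["handled"]
    d_requests = cur["requests"] - prev["requests"]
    return {
        "accepts_per_s": (cur["accepts"] - prev["accepts"]) / seconds,
        "requests_per_s": d_requests / seconds,
        "dropped_per_s": (cur["dropped"] - prev["dropped"]) / seconds,
        "requests_per_conn": d_requests / d_handled if d_handled else 0.0,
    }


def fetch_status(url="http://192.168.36.104/nginx_status", timeout=3):
    """Fetch and parse the live page (needs network access from an allowed host)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_stub_status(resp.read().decode("ascii", "replace"))


if __name__ == "__main__":
    t0, t1 = parse_stub_status(SAMPLE_T0), parse_stub_status(SAMPLE_T1)
    print(t1)
    print(rates(t0, t1, 10))
```

A non-zero dropped_per_s is the signal to look at worker_connections and worker_rlimit_nofile; a consistent flag of False usually means the page was fetched through something that truncated it.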

Nginx third-party modules

Adding a third-party module: echo-nginx-module
[root@CentOS7 ~]#yum install git -y
[root@CentOS7 ~]#git clone https://github.com/openresty/echo-nginx-module.git
[root@CentOS7 ~]#cd nginx-1.14.2/
[root@CentOS7 nginx-1.14.2]#./configure \  # rebuild with the same configure arguments as before, plus the new module
> --prefix=/apps/nginx \
> --user=nginx --group=nginx \
> --with-http_ssl_module \
> --with-http_v2_module \
> --with-http_realip_module \
> --with-http_stub_status_module \
> --with-http_gzip_static_module \
> --with-pcre \
> --with-stream \
> --with-stream_ssl_module \
> --with-stream_realip_module \
> --with-http_perl_module \
> --add-module=/root/echo-nginx-module  # add the echo module

[root@CentOS7 nginx-1.14.2]#make && make install  # build and install; the previous binary is moved aside as sbin/nginx.old

Note: make install replaces the binary on disk, but the running master process still executes the old one. A plain nginx -s reload makes that old master re-read the configuration, and it does not know the echo directives; restart nginx (or perform the live binary upgrade by sending USR2 to the master) before testing the new module.
[root@CentOS7 ~]#vim /apps/nginx/conf.d/pc.conf
[root@CentOS7 ~]#cat /apps/nginx/conf.d/pc.conf
server {
  listen 80;
  server_name www.darius.com;
  error_log logs/www_darius_com_error.log;
  access_log logs/www_darius_com_access.log;
  location /main {
    index index.html;
    default_type text/html;
    echo_reset_timer;
    echo_location /sub1;
    echo_location /sub2;
    echo "took $echo_timer_elapsed sec for total.";
  }
  location /sub1 {
    echo_sleep 1;
    echo sub1;
  }
  location /sub2 {
    echo_sleep 1;
    echo sub2;
  }
}
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload

Access tests

[root@CentOS7 ~]#curl www.darius.com/main
sub1
sub2
took 2.008 sec for total.

Nginx variables

Nginx variables can be referenced in the configuration file, in log formats, and in conditions such as if and map. They fall into two kinds: built-in variables, which come with the nginx modules and expose a great deal of information about the client and the request, and custom variables defined by the administrator.

Built-in variables

$remote_addr;
# Address of the TCP peer that connected to nginx. A household behind one NAT router shows up as the router's public IP, and a site behind a reverse proxy or load balancer sees the proxy's address. To recover the original client in that case use ngx_http_realip_module with set_real_ip_from limited to the proxy's addresses; $http_x_forwarded_for is client-supplied and must not be trusted on its own.
$args;
# The query string of the URL, e.g. for http://www.darius.com/main/index.do?id=20190221&partner=search it holds id=20190221&partner=search
$document_root;
# The root (from root or alias) for the current request, e.g. /apps/nginx/html
$document_uri;
# The URI of the current request without the query string (same as $uri), e.g. the URL above gives /main/index.do
$host;
# Host name of the request: from the request line, otherwise from the Host header, otherwise the server name that matched the request
$http_user_agent;
# The client's User-Agent header (client-supplied; treat it as untrusted input in logs and rules)
$http_cookie;
# The client's Cookie header
limit_rate 10240;
echo $limit_rate;
# $limit_rate holds the response rate limit set for the connection by limit_rate; 0 if none is configured
$remote_port;
# The client's source port, chosen by the client operating system for each connection
$remote_user;
# The user name supplied with HTTP Basic authentication (taken from the Authorization header)
$request_body_file;
# Name of the temporary file holding the request body when nginx buffered it to disk, e.g. before forwarding it to a backend
$request_method;
# The request method: GET, POST, PUT, DELETE, ...
$request_filename;
# File path of the requested resource, built from root or alias and the URI, e.g. /apps/nginx/html/main/index.html
$request_uri;
# The full original request URI including the query string, without the host, e.g. /main/index.do?id=20190221&partner=search
$scheme;
# The request scheme: http or https
$server_protocol;
# The protocol version of the request, e.g. HTTP/1.0, HTTP/1.1 or HTTP/2.0
$server_addr;
# The address of the server that accepted the request
$server_name;
# The name of the server (virtual host) that handled the request
$server_port;
# The port of the server that accepted the request

Custom Variables

To define a variable with your own name and value, use the set directive, set $variable value;, for example:

set $name magedu;
echo $name;
set $my_port $server_port;
echo $my_port;
echo "$server_name:$server_port";

Examples

1. View a built-in nginx variable

[root@CentOS7 ~]#vim /apps/nginx/conf.d/pc.conf
[root@CentOS7 ~]#cat /apps/nginx/conf.d/pc.conf
server {
  listen 80;
  server_name www.darius.com;
  error_log logs/www_darius_com_error.log;
  access_log logs/www_darius_com_access.log;
  location /main {
    index index.html;
    default_type text/html;
    echo $request_uri;
  }
}
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload
[root@CentOS7 ~]#curl www.darius.com/main
/main
[root@CentOS7 ~]#curl www.darius.com/main/xxx
/main/xxx

2. View a custom nginx variable

[root@CentOS7 ~]#vim /apps/nginx/conf.d/pc.conf
[root@CentOS7 ~]#cat /apps/nginx/conf.d/pc.conf
server {
  listen 80;
  server_name www.darius.com;
  error_log logs/www_darius_com_error.log;
  access_log logs/www_darius_com_access.log;
  location /main {
    index index.html;
    default_type text/html;
    set $name Darius;
    echo $name;
  }
}
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload
[root@CentOS7 ~]#curl www.darius.com/main
Darius

Custom Nginx access logs

The access log records each client request and what the server answered. error_log, set in the main context, records nginx's own runtime messages at a chosen level and path, so the two are different things. There is normally only one error log, but several access logs can be defined: access_log sets the path (and can differ per server block) and log_format defines which fields each entry contains.

The default log format

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

Custom JSON log format

Writing one JSON document per line makes the log easy to ship to Elasticsearch/Logstash or to parse with a script. Use the escape=json parameter of log_format (nginx 1.11.8 and later) so that quotes, backslashes and control characters inside client-supplied fields such as $http_user_agent, $http_referer and $uri are escaped the way JSON requires. With the default escaping nginx writes them as \xXX, which is not valid JSON, so any client can break the line and corrupt whatever parses the log (log injection).

[root@CentOS7 ~]#vim /apps/nginx/conf/nginx.conf
    log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
                           '"host":"$server_addr",'
                           '"clientip":"$remote_addr",'
                           '"size":$body_bytes_sent,'
                           '"responsetime":$request_time,'
                           '"upstreamtime":"$upstream_response_time",'
                           '"upstreamhost":"$upstream_addr",'
                           '"http_host":"$host",'
                           '"uri":"$uri",'
                           '"domain":"$host",'
                           '"xff":"$http_x_forwarded_for",'
                           '"referer":"$http_referer",'
                           '"tcp_xff":"$proxy_protocol_addr",'
                           '"http_user_agent":"$http_user_agent",'
                           '"status":"$status"}';
    access_log /apps/nginx/logs/access_json.log access_json;

Reload nginx, make a request, and check the resulting log line

[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload

[root@CentOS7 ~]#tail -f /apps/nginx/logs/access_json.log
{"@timestamp":"2019-05-30T18:58:23+08:00","host":"192.168.36.104","clientip":"192.168.36.110","size":15,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"192.168.36.104","uri":"/index.html","domain":"192.168.36.104","xff":"-","referer":"-","tcp_xff":"","http_user_agent":"curl/7.29.0","status":"200"}

Access statistics from the JSON log with Python

[root@CentOS7 logs]#cat nginx_json.py
#!/usr/bin/env python
# coding: utf-8
# Count 200 and 404 responses in the JSON access log.
# json.loads() is used instead of eval(): User-Agent, Referer and URI are
# attacker-controlled, and eval() executes whatever Python it finds in a line.
from __future__ import print_function
import json
from collections import Counter

counts = Counter()
with open("access_json.log") as f:
    for line in f:
        try:
            entry = json.loads(line)
        except ValueError:
            continue            # not valid JSON, e.g. written without escape=json
        counts[entry.get("status")] += 1

print("200 responses:", counts["200"])
print("404 responses:", counts["404"])

# run it against the saved log file (access_json.log in the current directory):
[root@CentOS7 ~]# python nginx_json.py
200 responses: 403428
404 responses: 125712
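As an added example (not from the original page), the following script parses the access_json format with json.loads, counts lines that fail to parse instead of crashing or evaluating them, and flags clients whose requests are mostly 404s, which is what a path scanner looks like in this log. The log lines are constructed to match the format above; the two entries from 192.168.36.113 show the same crafted User-Agent as nginx writes it with the default escaping (\x22, not valid JSON) and with escape=json (\", valid JSON). The thresholds in scanner_candidates() are assumptions.

```python
#!/usr/bin/env python3
"""Parse the access_json log safely and flag path scanners.

Added example, not from the original page. SAMPLE_LOG is constructed in the
page's access_json layout; the thresholds in scanner_candidates() are assumptions.
"""
import json
from collections import Counter

_LINE = ('{{"@timestamp":"{ts}","host":"192.168.36.104","clientip":"{ip}",'
         '"size":{size},"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-",'
         '"http_host":"www.darius.com","uri":"{uri}","domain":"www.darius.com",'
         '"xff":"-","referer":"-","tcp_xff":"","http_user_agent":"{ua}",'
         '"status":"{status}"}}')


def _entry(ts, ip, uri, status, size, ua="curl/7.29.0"):
    return _LINE.format(ts=ts, ip=ip, uri=uri, status=status, size=size, ua=ua)


# Constructed sample log. The last two lines carry the same crafted User-Agent:
# first as nginx writes it with the default escaping (\x22 is not JSON), then
# as it is written with log_format ... escape=json (\" is JSON).
SAMPLE_LOG = "\n".join([
    _entry("2019-05-30T18:58:23+08:00", "192.168.36.110", "/index.html", "200", 15),
    _entry("2019-05-30T18:58:24+08:00", "192.168.36.110", "/main", "200", 5),
    _entry("2019-05-30T18:59:01+08:00", "192.168.36.111", "/.env", "404", 153),
    _entry("2019-05-30T18:59:01+08:00", "192.168.36.111", "/wp-login.php", "404", 153),
    _entry("2019-05-30T18:59:02+08:00", "192.168.36.111", "/phpmyadmin/", "404", 153),
    _entry("2019-05-30T18:59:02+08:00", "192.168.36.111", "/.git/config", "404", 153),
    _entry("2019-05-30T18:59:03+08:00", "192.168.36.111", "/index.html", "200", 15),
    _entry("2019-05-30T19:00:10+08:00", "192.168.36.112", "/robots.txt", "404", 153),
    _entry("2019-05-30T19:01:00+08:00", "192.168.36.113", "/index.html", "200", 15,
           ua=r'Mozilla/5.0 \x22;id;\x22'),
    _entry("2019-05-30T19:01:01+08:00", "192.168.36.113", "/index.html", "200", 15,
           ua=r'Mozilla/5.0 \";id;\"'),
]) + "\n"


def parse_log(text):
    """Return (records, malformed). A line that is not valid JSON is counted and
    skipped; it is never handed to eval(), which would run whatever a client put
    into its User-Agent or Referer."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return records, malformed


def status_counts(records):
    """Responses per status code, as the page's script computes them."""
    return Counter(r["status"] for r in records)


def scanner_candidates(records, min_requests=3, min_404_ratio=0.8):
    """Clients with at least min_requests requests of which min_404_ratio or
    more were 404s. Thresholds are assumptions; tune them to the site."""
    total, not_found = Counter(), Counter()
    for r in records:
        total[r["clientip"]] += 1
        if r["status"] == "404":
            not_found[r["clientip"]] += 1
    return sorted(ip for ip, n in total.items()
                  if n >= min_requests and not_found[ip] / n >= min_404_ratio)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("parsed:", len(recs), "malformed:", bad)
    print("by status:", dict(status_counts(recs)))
    print("scanner candidates:", scanner_candidates(recs))
```

Run against a real access_json.log by replacing SAMPLE_LOG with the file contents. A rising malformed count with escape=json in place is itself worth an alert: either a proxy is rewriting the log or someone is probing the log pipeline.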

Nginx compression

Nginx can compress responses of selected MIME types before sending them to the client, at a configurable compression level. Compressed bodies are much smaller than the source, which cuts outbound bandwidth and its cost, at the price of CPU time on the server. Compression is implemented by ngx_http_gzip_module. One caveat for HTTPS sites: compressing responses that reflect attacker-influenced input next to secrets (CSRF tokens, session identifiers) enables the BREACH family of attacks, so over TLS keep gzip to static assets and responses that carry no secrets.

# enable or disable gzip compression; off by default
gzip on | off;

# compression level from 1 (fastest) to 9 (smallest output); default 1
gzip_comp_level level;

# disable gzip for clients whose User-Agent matches the regex, here IE 1 to 6
gzip_disable "MSIE [1-6]\.";

# minimum response length (from the Content-Length header) to compress; shorter responses are sent as-is
gzip_min_length 1k;

# minimum HTTP version of a request needed to compress the response; default 1.1
gzip_http_version 1.0 | 1.1;

# number and size of the buffers used to compress a response; default 32 4k or 16 8k depending on the platform page size
gzip_buffers number size;

# MIME types to compress in addition to text/html, which is always compressed and must not be listed again (nginx warns about a duplicate MIME type)
gzip_types mime-type ...;

# whether to add "Vary: Accept-Encoding" to compressed responses so caches keep compressed and uncompressed copies apart
gzip_vary on | off;

Modify the configuration file

    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary on;

Listing image/jpeg, image/gif and image/png is wasteful: those formats are already compressed, so gzip spends CPU for almost no size reduction. In practice restrict gzip_types to text, markup, script and JSON types.

[root@CentOS7 ~]#/apps/nginx/sbin/nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload

Access tests

[root@CentOS-Test ~]#curl --head --compressed http://www.darius.com/test1.html
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 May 2019 11:26:49 GMT
Content-Type: text/html
Last-Modified: Thu, 30 May 2019 11:26:31 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"5cefbde7-720"
Content-Encoding: gzip

HTTPS function

Login pages and other sensitive parts of web sites use HTTPS so that data travels encrypted and a third party on the path cannot read it; banks, mail providers and other security-sensitive services run entirely over HTTPS. HTTPS is simply HTTP carried over SSL/TLS: a TLS layer is inserted beneath HTTP, and everything the client and server exchange is encrypted and integrity-protected by TLS before it leaves the host.

HTTPS handshake process

  1. The client initiates an HTTPS request:
    The client connects to the site's https address, normally port 443, and starts the TLS handshake.
  2. Server configuration:
    A server speaking HTTPS needs a certificate, either issued by a certificate authority or self-signed. Browsers warn that a self-signed certificate cannot be trusted because no CA in their trust store vouches for it. The certificate binds the server's public key to its name; the matching private key stays on the server and is never sent. Think of a padlock and its key: anyone can snap the padlock shut on a box, but only the holder of the key can open it.
  3. Certificate transfer:
    The server sends its certificate (and any intermediate CA certificates) to the client. It carries the public key plus metadata: the issuing CA, the validity period, and the names it is valid for.
  4. The client validates the certificate:
    The client checks the signature chain up to a CA it trusts, the validity period, and that the certificate's name matches the host it connected to; on failure the browser shows a warning. If the certificate is fine, the client generates a random secret.
  5. Key exchange:
    With the RSA key exchange the client encrypts that random pre-master secret with the server's public key and sends it; only the holder of the private key can decrypt it. Modern TLS (1.3, and 1.2 with ECDHE cipher suites) instead derives the shared secret from an ephemeral Diffie-Hellman exchange, so the certificate key only signs the handshake and a later compromise of it cannot decrypt recorded traffic (forward secrecy).
  6. The server obtains the shared secret:
    The server decrypts the pre-master secret with its private key (or completes the Diffie-Hellman computation). Both sides now derive the same symmetric session keys from that secret; the asymmetric key pair was used only to set them up, and the bulk data is protected by symmetric encryption, which is far cheaper.
  7. Encrypted transfer:
    The server encrypts the response with the symmetric session key and sends it to the client.
  8. The client decrypts the message:
    The client uses the same session key to decrypt the data. A third party that captures the traffic sees only ciphertext.

ssl configuration parameters

Nginx's HTTPS support is implemented by ngx_http_ssl_module. It is a core module but is not built by default when compiling from source: pass --with-http_ssl_module to configure. Packaged nginx (yum install nginx) ships with it enabled.

ssl on | off;
# enable SSL for the virtual host; deprecated since 1.15.0, use the ssl parameter of listen instead.

ssl_certificate /path/to/file;
# the certificate (public key) file for this virtual host, usually a PEM .crt file; intermediate CA certificates go after the server certificate in the same file

ssl_certificate_key /path/to/file;
# the private key file for this virtual host, usually a .key file; keep it readable by root only (the master process reads it before the workers drop privileges)

ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
# enabled protocol versions; the default in this nginx version is TLSv1 TLSv1.1 TLSv1.2. SSLv2 and SSLv3 are broken and TLS 1.0/1.1 are deprecated, so set ssl_protocols TLSv1.2 TLSv1.3; (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1 or later; the OpenSSL 1.0.2k build shown above cannot offer it)

ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
# configure the TLS session cache

    off: caching is disabled and nginx tells clients that sessions may not be reused
    none: clients are told that session reuse is supported, but nothing is actually stored
    builtin[:size]: the OpenSSL built-in cache, private to each worker process
    shared:name:size: a cache shared between all worker processes, with a name and a size; one megabyte holds about 4000 sessions, and several virtual hosts may share a cache of the same name

ssl_session_timeout time;  # how long a client may reuse the session parameters stored in the cache; default 5m

Create a self-signed certificate

# create the self-signed CA certificate
[root@CentOS7 ~]#cd /apps/nginx/
[root@CentOS7 nginx]#mkdir certs
[root@CentOS7 nginx]# cd certs/
[root@CentOS7 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt  # self-signed CA certificate: private key and certificate in one step, valid ten years
Generating a 4096 bit RSA private key
.............................................................................................................................................................................................................................................................................................................................................++
........................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # country code
State or Province Name (full name) []:BeiJing  # province
Locality Name (eg, city) [Default City]:BeiJing  # city
Organization Name (eg, company) [Default Company Ltd]:magedu.com  # company
Organizational Unit Name (eg, section) []:magedu  # department
Common Name (eg, your name or your server's hostname) []:M36  # common name
Email Address []:  # e-mail address
[root@CentOS7 certs]#ll ca.crt
-rw-r--r-- 1 root root 2009 May 30 19:34 ca.crt

# create the server's private key and certificate signing request (CSR)

[root@CentOS7 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.darius.com.key -out www.darius.com.csr
Generating a 4096 bit RSA private key
............++
..........................++
writing new private key to 'www.darius.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:magedu
Common Name (eg, your name or your server's hostname) []:M36
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@CentOS7 certs]#ll
total 16
-rw-r--r-- 1 root root 2009 May 30 19:34 ca.crt
-rw-r--r-- 1 root root 3272 May 30 19:34 ca.key
-rw-r--r-- 1 root root 1695 May 30 19:38 www.darius.com.csr
-rw-r--r-- 1 root root 3272 May 30 19:38 www.darius.com.key

Both private keys were created world-readable (openssl writes them subject to the process umask). Tighten them before going further: chmod 600 ca.key www.darius.com.key. The CA key in particular should not stay on the web server at all, since anyone holding it can issue certificates that every client trusting ca.crt will accept.

# issue the server certificate, signed by the CA
[root@CentOS7 certs]#openssl x509 -req -days 3650 -in www.darius.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.darius.com.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=magedu.com/OU=magedu/CN=M36
Getting CA Private Key

Verify the certificate contents. Note in the output below that the certificate is version 1 with no extensions: openssl x509 -req adds no extensions unless given -extfile/-extensions, so there is no subjectAltName, and the subject CN is M36 rather than www.darius.com. Clients match the host name against the subjectAltName (current browsers ignore the CN entirely), so this certificate will be rejected for www.darius.com even after ca.crt is trusted. The leaf and the CA also carry an identical subject DN, so a verifier can mistake the leaf for a self-signed certificate; give the CA and the server distinct names and re-issue the leaf with a subjectAltName=DNS:www.darius.com extension.
[root@CentOS7 certs]#openssl x509 -in www.darius.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fe:15:2c:1a:9d:a5:df:f5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=magedu.com, OU=magedu, CN=M36
        Validity
            Not Before: May 30 11:42:02 2019 GMT
            Not After : May 27 11:42:02 2029 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=magedu.com, OU=magedu, CN=M36
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
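What a TLS client actually checks against this certificate, as an added example (not from the original page): the host-name matching rule clients apply (subjectAltName dNSName entries first, a wildcard only as the whole left-most label, the subject CN only when there is no SAN at all), run over dicts constructed in the layout ssl.SSLSocket.getpeercert() returns, plus a live check against the self-signed ca.crt using only the standard library. The certificate dicts are constructed; verify_live() needs a reachable server, and its default CA path and TLS 1.2 minimum are assumptions.

```python
#!/usr/bin/env python3
"""Host-name checks a TLS client applies to a server certificate.

Added example, not from the original page. CERT_CN_ONLY and CERT_WITH_SAN are
constructed in the layout ssl.SSLSocket.getpeercert() returns; verify_live()
needs a reachable server and is not run offline.
"""
import socket
import ssl

# Constructed: what getpeercert() reports for the leaf issued above (CN=M36, no
# extensions, hence no subjectAltName).
CERT_CN_ONLY = {"subject": ((("commonName", "M36"),),), "subjectAltName": ()}
# Constructed: the same leaf re-issued with a subjectAltName covering the site.
CERT_WITH_SAN = {
    "subject": ((("commonName", "M36"),),),
    "subjectAltName": (("DNS", "www.darius.com"), ("DNS", "*.darius.com")),
}


def _dns_label_match(pattern, hostname):
    """RFC 6125 matching: case-insensitive, and a wildcard only as the entire
    left-most label of a name with at least two further labels (*.darius.com
    covers blog.darius.com but not darius.com, a.b.darius.com or *.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Return the certificate name that covers hostname, or None.
    subjectAltName dNSName entries are authoritative; the subject CN is consulted
    only when the certificate has no SAN at all, and modern browsers skip even
    that fallback, which is why a CN-only certificate fails in Chrome."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for name in san:
        if _dns_label_match(name, hostname):
            return name
    if san:
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_label_match(value, hostname):
                return value
    return None


def verify_live(hostname, port=443, cafile="/apps/nginx/certs/ca.crt"):
    """Full client-side verification against the self-signed CA: signature chain,
    validity period and host name, all performed by the ssl module. Returns the
    peer certificate dict on success, raises ssl.SSLCertVerificationError otherwise."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: refuse TLS 1.0/1.1
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert, label in ((CERT_CN_ONLY, "CN only"), (CERT_WITH_SAN, "with SAN")):
        print(label, "->", cert_matches_hostname(cert, "www.darius.com"))
```

Against the certificate issued above, verify_live("www.darius.com") fails with a host-name mismatch even though ca.crt is trusted, because the leaf's only name is CN=M36; cert_matches_hostname(CERT_CN_ONLY, "www.darius.com") returns None for the same reason. Re-issue the leaf with a subjectAltName for www.darius.com (openssl x509 -req ... -extfile pointing at a file containing subjectAltName=DNS:www.darius.com) and both checks pass.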

Modify the configuration file Nginx

[root@CentOS7 ~]#vim /apps/nginx/conf.d/pc.conf
[root@CentOS7 ~]#cat /apps/nginx/conf.d/pc.conf
server {
  listen 80;
  listen 443 ssl;
  ssl_certificate /apps/nginx/certs/www.darius.com.crt;
  ssl_certificate_key /apps/nginx/certs/www.darius.com.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  server_name www.darius.com;
  error_log logs/www_darius_com_error.log;
  access_log logs/www_darius_com_access.log;
  location / {
    index index.html;
    root /data/nginx/html/pc;
  }
}

[root@CentOS7 ~]#/apps/nginx/sbin/nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS7 ~]#/apps/nginx/sbin/nginx -s reload

Access tests

Origin blog.51cto.com/12980155/2402924