1.Nginx Contents Index
ngx_http_autoindex_module module processes the request with a slash character ( '/') end, and generates a directory listing.
When the module is not found ngx_http_index_module index file, usually it passes the request to the module.
1. Instruction
#启用或禁用目录列表输出,on开启,off关闭。
Syntax: autoindex on | off;
Default: autoindex off;
Context: http, server, location
#指定是否应在目录列表中输出确切的文件大小,on显示字节,off显示大概单位。
Syntax: autoindex_exact_size on | off;
Default: autoindex_exact_size on;
Context: http, server, location
#指定目录列表中的时间是应以本地时区还是UTC输出。on本地时区,off UTC时间。
Syntax: autoindex_localtime on | off;
Default: autoindex_localtime off;
Context: http, server, location
2. Example Configuration
[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
listen 80;
server_name module.bgx.com; charset utf-8,gbk; #设定字符集,防止中文字符乱码显示。 location /download { root /code/; autoindex on; autoindex_exact_size off; } }
2.Nginx status monitoring
ngx_http_stub_status_module module provides access to basic status information.
This module does not build by default, use the configuration parameters --with-http_stub_status_module enable it.
1. Instruction
Syntax: stub_status;
Default: —
Context: server, location
2. Example Configuration
[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
listen 80;
server_name module.bgx.com; access_log off; location /nginx_status { stub_status; } }
3. This configuration creates a simple Web page, the basic state data may appear as follows:
4. The following status information
Active connections # 当前活动客户端连接数,包括Waiting等待连接数。
accepts # 已接受总的TCP连接数。
handled # 已处理总的TCP连接数。
requests # 客户端总的http请求数。
Reading # 当前nginx读取请求头的连接数。 Writing # 当前nginx将响应写回客户端的连接数。 Waiting # 当前等待请求的空闲客户端连接数。 # 注意, 一次TCP的连接,可以发起多次http的请求, 如下参数可配置进行验证 keepalive_timeout 0; # 类似于关闭长连接 keepalive_timeout 65; # 65s没有活动则断开连接
3.Nginx access control
ngx_http_access_module module allows to restrict access to certain client address.
1. Instruction
#允许配置语法
Syntax: allow address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except
#拒绝配置语法
Syntax: deny address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except
2. The sample configuration, refused to specify the IP access to the site / nginx_status, allows access to all other IP
[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
listen 80;
server_name module.bgx.com;
location /nginx_status {
stub_status;
deny 10.0.0.1/32; #拒绝指定的地址或地址段 allow all; #允许所有的地址 } }
3. The example configuration, allowing only specified access source IP / nginx_status, Deny all other segments
[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
listen 80;
server_name module.bgx.com;
location /nginx_status {
stub_status;
allow 127.0.0.1;
allow 10.0.0.1/32; #允许地址或地址段 deny all; #拒绝所有人 } }
Note: The order of deny and allow influential
default, the first rule to match
if the match is successful, continue not match following.
If a match is not successful, then continue down looking to match the success of content.
4.Nginx resource constraints
ngx_http_auth_basic_module module allows the use of HTTP basic authentication to verify the user name and password to restrict access to resources.
1. Instruction
#使用HTTP基本身份验证协议启用用户名和密码验证。
Syntax: auth_basic string| off;
Default: auth_basic off;
Context: http, server, location, limit_except
#指定保存用户名和密码的文件
Syntax: auth_basic_user_file file;
Default: -
Context: http, server, location, limit_except
2. Specify the user name and password to save files in the following format:
#可以使用htpasswd程序或"openssl passwd"命令生成对应的密码;
name1:passwd1
name2:passwd2
#使用htpaaswd创建新的密码文件, -c创建新文件 -b允许命令行输入密码
[root@xuliangwei ~]# yum install httpd-tools
[root@xuliangwei ~]# htpasswd -b -c /etc/nginx/auth_conf xuliangwei 123456
3. The sample configuration, user name and password authentication based practice
server {
listen 80;
server_name module.bgx.com;
access_log off; location /nginx_status { stub_status; auth_basic "Auth access Blog Input your Passwd!"; auth_basic_user_file /etc/nginx/auth_conf; } }
4.Nginx access restrictions
Often encounter this situation, server traffic anomaly, the load is too large, and so on. For high-volume access to malicious attacks, will bring a waste of bandwidth, server stress, thus affecting the business, we can consider this situation a number of connections to the same ip, requests, limited.
ngx_http_limit_conn_module means for limiting the number of connections defined key, especially connections from a single IP address.
However, not all connections are counted, only when the connection request has already read the entire header calculated when connected.
1. Instruction
Syntax: limit_conn_zone key zone=name:size;
Default: —
Context: http
Syntax: limit_conn zone number;
Default: —
Context: http, server, location
2. Set the shared memory area and a given key the maximum number of connections allowed. When this limit is exceeded, the server returns an error in reply to a request
# http标签段定义连接限制
http{
limit_conn_zone $binary_remote_addr zone=conn_zone:10m;
}
server { # 同一时刻只允许一个客户端连接 limit_conn conn_zone 1; location / { root /code; index index.html; }
3) Use the ab
tools to conduct stress tests
[root@xuliangwei ~]# yum install -y httpd-tools
[root@xuliangwei ~]# ab -n 20 -c 2 http://127.0.0.1/index.html
4) .nginx log results
2018/10/24 18:04:49 [error] 28656#28656: *1148 limiting connections by zone "conn_zone", client: 123.66.146.123, server: www.xuliangwei.com, request: "GET / HTTP/1.0", host: "www.xuliangwei.com" 2018/10/24 18:04:49 [error] 28656#28656: *1155 limiting connections by zone "conn_zone", client: 123.66.146.123, server: www.xuliangwei.com, request: "GET / HTTP/1.0", host: "www.xuliangwei.com"
ngx_http_limit_req_module processing rate limiting means for the definition of the key request, the request processing rate of the particular single IP address.
1. Instruction
#模块名ngx_http_limit_req_module
Syntax: limit_req_zone key zone=name:size rate=rate;
Default: —
Context: http
Syntax: limit_conn zone number [burst=number] [nodelay];
Default: —
Context: http, server, location
2. Set the maximum burst size and the requested shared memory region. Too many requests are delayed until their number exceeds the maximum limit, in this case a request to terminate the error.
# http标签段定义请求限制, rate限制速率,限制一秒钟最多一个IP请求
http {
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=1r/s; } server { listen 80; server_name module.bgx.com; # 1r/s只接收一个请求,其余请求拒绝处理并返回错误码给客户端 #limit_req zone=req_zone; # 请求超过1r/s,剩下的将被延迟处理,请求数超过burst定义的数量, 多余的请求返回503 limit_req zone=req_zone burst=3 nodelay; location / { root /code; index index.html; } }
3) Use the ab
tools to conduct stress tests
[root@xuliangwei ~]# yum install -y httpd-tools
[root@xuliangwei ~]# ab -n 20 -c 2 http://127.0.0.1/index.html
4) .nginx log results
2018/10/24 07:38:53 [error] 81020#0: *8 limiting requests, excess: 3.998 by zone "req_zone", client: 10.0.0.10, server: module.bgx.com, request: "GET /index.html HTTP/1.0", host: "10.0.0.10" 2018/10/24 07:38:53 [error] 81020#0: *9 limiting requests, excess: 3.998 by zone "req_zone", client: 10.0.0.10, server: module.bgx.com, request: "GET /index.html HTTP/1.0", host: "10.0.0.10"
Nginx connection limit no limit valid request?
Let's take a look at http protocol connection request, first of all HTTP is built on TCP basis, the completion of HTTP requests need to establish a TCP three-way handshake (known as TCP connection), based on the connection request completion of HTTP.
So multiple HTTP requests can be built on top of a TCP connection, then we, of course, will be more effective than the limits of the accuracy limitations of a connection request, since the same time allowing only a TCP connection to enter, but the same time multiple HTTP a TCP connection request can enter. So limit is relatively excellent solution for HTTP requests.
6.Nginx Location
Use Nginx Location path can control access to the site, but a location that allows multiple server configuration appears that multiple location conflict whose priority will be higher then
1. Location
Syntax Example
location [=|^~|~|~*|!~|!~*|/] /uri/ { ...
}
2. Location
Grammar prioritized
Matcher | Matching rules | priority |
---|---|---|
= | Exact match | 1 |
^~ | Beginning with a string | 2 |
~ | Case-insensitive regular match | 3 |
~* | Case-insensitive regular match | 4 |
!~ | Not case-sensitive match regular | 5 |
!~* | Case-insensitive regular mismatch | 6 |
/ | General match, any requests are matched to the | 7 |
3. Configure site verification Location
priority
[root@Nginx conf.d]# cat testserver.conf
server {
listen 80;
server_name module.oldboy.com;
location / {
default_type text/html;
return 200 "location /"; } location =/ { default_type text/html; return 200 "location =/"; } location ~ / { default_type text/html; return 200 "location ~/"; } # location ^~ / { # default_type text/html; # return 200 "location ^~"; # } }
4.测试Location优先级
# 优先级最高符号=
[root@Nginx conf.d]# curl module.oldboy.com
location =/
# 注释掉精确匹配=, 重启Nginx
[root@Nginx ~]# curl module.oldboy.com
location ~/
# 注释掉~, 重启Nginx [root@Nginx ~]# curl module.oldboy.com location /
5.Locaiton规则配置应用场景
# 通用匹配,任何请求都会匹配到
location / {
...
}
# 严格区分大小写,匹配以.php结尾的都走这个location
location ~ \.php$ {
...
}
# 严格区分大小写,匹配以.jsp结尾的都走这个location
location ~ \.jsp$ {
...
}
# 不区分大小写匹配,只要用户访问.jpg,gif,png,js,css 都走这条location
location ~* .*\.(jpg|gif|png|js|css)$ {
...
}
# 不区分大小写匹配 location ~* "\.(sql|bak|tgz|tar.gz|.git)$" { ... }