03.Nginx common base module

1.Nginx Contents Index

ngx_http_autoindex_module module processes the request with a slash character ( '/') end, and generates a directory listing.
When the module is not found ngx_http_index_module index file, usually it passes the request to the module.

1. Instruction

#启用或禁用目录列表输出，on开启，off关闭。
Syntax: autoindex on | off;
Default:    autoindex off;
Context:    http, server, location

#指定是否应在目录列表中输出确切的文件大小，on显示字节，off显示大概单位。
Syntax: autoindex_exact_size on | off;
Default: autoindex_exact_size on;
Context:    http, server, location

#指定目录列表中的时间是应以本地时区还是UTC输出。on本地时区，off UTC时间。
Syntax: autoindex_localtime on | off;
Default: autoindex_localtime off;
Context: http, server, location

2. Example Configuration

[root@web ~]# cat /etc/nginx/conf.d/module.conf 
server {
    listen 80;
    server_name module.bgx.com; charset utf-8,gbk; #设定字符集，防止中文字符乱码显示。 location /download { root /code/; autoindex on; autoindex_exact_size off; } } 

2.Nginx status monitoring

ngx_http_stub_status_module module provides access to basic status information.
This module does not build by default, use the configuration parameters --with-http_stub_status_module enable it.

1. Instruction

Syntax: stub_status;
Default: —
Context: server, location

2. Example Configuration

[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
    listen 80;
    server_name module.bgx.com; access_log off; location /nginx_status { stub_status; } } 

3. This configuration creates a simple Web page, the basic state data may appear as follows:

4. The following status information

Active connections  # 当前活动客户端连接数，包括Waiting等待连接数。
accepts             # 已接受总的TCP连接数。
handled             # 已处理总的TCP连接数。
requests            # 客户端总的http请求数。

Reading             # 当前nginx读取请求头的连接数。 Writing # 当前nginx将响应写回客户端的连接数。 Waiting # 当前等待请求的空闲客户端连接数。 # 注意, 一次TCP的连接，可以发起多次http的请求, 如下参数可配置进行验证 keepalive_timeout 0; # 类似于关闭长连接 keepalive_timeout 65; # 65s没有活动则断开连接 

3.Nginx access control

ngx_http_access_module module allows to restrict access to certain client address.

1. Instruction

#允许配置语法
Syntax: allow address | CIDR | unix: | all;
Default:    —
Context:    http, server, location, limit_except

#拒绝配置语法
Syntax: deny address | CIDR | unix: | all;
Default:    —
Context:    http, server, location, limit_except

2. The sample configuration, refused to specify the IP access to the site / nginx_status, allows access to all other IP

[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
    listen 80;
    server_name module.bgx.com;

    location /nginx_status {
        stub_status;
        deny 10.0.0.1/32; #拒绝指定的地址或地址段 allow all; #允许所有的地址 } } 

3. The example configuration, allowing only specified access source IP / nginx_status, Deny all other segments

[root@web ~]# cat /etc/nginx/conf.d/module.conf
server {
    listen 80;
    server_name module.bgx.com;
        
    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        allow 10.0.0.1/32; #允许地址或地址段 deny all; #拒绝所有人 } } 

Note: The order of deny and allow influential
default, the first rule to match
if the match is successful, continue not match following.
If a match is not successful, then continue down looking to match the success of content.

4.Nginx resource constraints

ngx_http_auth_basic_module module allows the use of HTTP basic authentication to verify the user name and password to restrict access to resources.

1. Instruction

#使用HTTP基本身份验证协议启用用户名和密码验证。
Syntax: auth_basic string| off;
Default: auth_basic off;
Context: http, server, location, limit_except

#指定保存用户名和密码的文件
Syntax: auth_basic_user_file file;
Default: -
Context: http, server, location, limit_except

2. Specify the user name and password to save files in the following format:

#可以使用htpasswd程序或"openssl passwd"命令生成对应的密码;
name1：passwd1
name2：passwd2

#使用htpaaswd创建新的密码文件, -c创建新文件 -b允许命令行输入密码
[root@xuliangwei ~]# yum install httpd-tools
[root@xuliangwei ~]# htpasswd -b -c /etc/nginx/auth_conf xuliangwei 123456

3. The sample configuration, user name and password authentication based practice

server {
    listen 80;
    server_name module.bgx.com;
    access_log off; location /nginx_status { stub_status; auth_basic "Auth access Blog Input your Passwd!"; auth_basic_user_file /etc/nginx/auth_conf; } } 

4.Nginx access restrictions

Often encounter this situation, server traffic anomaly, the load is too large, and so on. For high-volume access to malicious attacks, will bring a waste of bandwidth, server stress, thus affecting the business, we can consider this situation a number of connections to the same ip, requests, limited.

ngx_http_limit_conn_module means for limiting the number of connections defined key, especially connections from a single IP address.
However, not all connections are counted, only when the connection request has already read the entire header calculated when connected.

1. Instruction

Syntax:  limit_conn_zone key zone=name:size;
Default: —
Context: http

Syntax: limit_conn zone number;
Default: —
Context: http, server, location

2. Set the shared memory area and a given key the maximum number of connections allowed. When this limit is exceeded, the server returns an error in reply to a request

# http标签段定义连接限制
http{
    limit_conn_zone $binary_remote_addr zone=conn_zone:10m;
}
server { # 同一时刻只允许一个客户端连接 limit_conn conn_zone 1; location / { root /code; index index.html; } 

3) Use the abtools to conduct stress tests

[root@xuliangwei ~]# yum install -y httpd-tools
[root@xuliangwei ~]# ab -n 20 -c 2  http://127.0.0.1/index.html

4) .nginx log results

2018/10/24 18:04:49 [error] 28656#28656: *1148 limiting connections by zone "conn_zone", client: 123.66.146.123, server: www.xuliangwei.com, request: "GET / HTTP/1.0", host: "www.xuliangwei.com" 2018/10/24 18:04:49 [error] 28656#28656: *1155 limiting connections by zone "conn_zone", client: 123.66.146.123, server: www.xuliangwei.com, request: "GET / HTTP/1.0", host: "www.xuliangwei.com" 

ngx_http_limit_req_module processing rate limiting means for the definition of the key request, the request processing rate of the particular single IP address.

1. Instruction

#模块名ngx_http_limit_req_module
Syntax:  limit_req_zone key zone=name:size rate=rate;
Default: —
Context: http

Syntax: limit_conn zone number [burst=number] [nodelay];
Default: —
Context: http, server, location

2. Set the maximum burst size and the requested shared memory region. Too many requests are delayed until their number exceeds the maximum limit, in this case a request to terminate the error.

# http标签段定义请求限制, rate限制速率，限制一秒钟最多一个IP请求
http {
    limit_req_zone $binary_remote_addr zone=req_zone:10m rate=1r/s; } server { listen 80; server_name module.bgx.com; # 1r/s只接收一个请求,其余请求拒绝处理并返回错误码给客户端 #limit_req zone=req_zone; # 请求超过1r/s,剩下的将被延迟处理,请求数超过burst定义的数量, 多余的请求返回503 limit_req zone=req_zone burst=3 nodelay; location / { root /code; index index.html; } } 

3) Use the abtools to conduct stress tests

[root@xuliangwei ~]# yum install -y httpd-tools
[root@xuliangwei ~]# ab -n 20 -c 2  http://127.0.0.1/index.html

4) .nginx log results

2018/10/24 07:38:53 [error] 81020#0: *8 limiting requests, excess: 3.998 by zone "req_zone", client: 10.0.0.10, server: module.bgx.com, request: "GET /index.html HTTP/1.0", host: "10.0.0.10" 2018/10/24 07:38:53 [error] 81020#0: *9 limiting requests, excess: 3.998 by zone "req_zone", client: 10.0.0.10, server: module.bgx.com, request: "GET /index.html HTTP/1.0", host: "10.0.0.10" 

Nginx connection limit no limit valid request?

Let's take a look at http protocol connection request, first of all HTTP is built on TCP basis, the completion of HTTP requests need to establish a TCP three-way handshake (known as TCP connection), based on the connection request completion of HTTP.

So multiple HTTP requests can be built on top of a TCP connection, then we, of course, will be more effective than the limits of the accuracy limitations of a connection request, since the same time allowing only a TCP connection to enter, but the same time multiple HTTP a TCP connection request can enter. So limit is relatively excellent solution for HTTP requests.

6.Nginx Location

Use Nginx Location path can control access to the site, but a location that allows multiple server configuration appears that multiple location conflict whose priority will be higher then

1. LocationSyntax Example

location [=|^~|~|~*|!~|!~*|/] /uri/ { ...
}

2. LocationGrammar prioritized

Matcher	Matching rules	priority
=	Exact match	1
^~	Beginning with a string	2
~	Case-insensitive regular match	3
~*	Case-insensitive regular match	4
!~	Not case-sensitive match regular	5
!~*	Case-insensitive regular mismatch	6
/	General match, any requests are matched to the	7

3. Configure site verification Locationpriority

[root@Nginx conf.d]# cat testserver.conf 
server {
    listen 80;
    server_name module.oldboy.com;
    location / {
        default_type text/html;
        return 200 "location /"; } location =/ { default_type text/html; return 200 "location =/"; } location ~ / { default_type text/html; return 200 "location ~/"; } # location ^~ / { # default_type text/html; # return 200 "location ^~"; # } } 

4.测试Location优先级

# 优先级最高符号=
[root@Nginx conf.d]# curl module.oldboy.com
location =/

# 注释掉精确匹配=, 重启Nginx
[root@Nginx ~]# curl module.oldboy.com
location ~/

# 注释掉~, 重启Nginx [root@Nginx ~]# curl module.oldboy.com location / 

5.Locaiton规则配置应用场景

# 通用匹配，任何请求都会匹配到
location / {
    ...
}

# 严格区分大小写，匹配以.php结尾的都走这个location    
location ~ \.php$ {
    ...
}

# 严格区分大小写，匹配以.jsp结尾的都走这个location 
location ~ \.jsp$ {
    ...
}

# 不区分大小写匹配，只要用户访问.jpg,gif,png,js,css 都走这条location
location ~* .*\.(jpg|gif|png|js|css)$ {
    ...
}

# 不区分大小写匹配 location ~* "\.(sql|bak|tgz|tar.gz|.git)$" { ... }