Nginx extended third-party modules

Brief introduction

Nginx is a lightweight web server, reverse proxy and e-mail proxy server. It uses little memory and handles high concurrency: its asynchronous, event-driven model lets a single process respond to many connections (on the order of millions).

Nginx basics - single-instance Nginx performance optimization

A simple comparison of Nginx, Apache and Tomcat

Nginx

Advantages: load balancing, reverse proxying, and serving static files.

Apache

Advantages: Apache is good at static content and is suited to static HTML, images and the like. It is slower than Nginx, but it offers more components than Nginx does.

Disadvantages: it uses a synchronous multi-process model, with one process per connection request. In terms of speed and resource consumption, Apache cannot withstand high concurrency, which can lead to downtime.

Tomcat

Advantages: handles dynamic requests, processing each request in a thread.

Installing Nginx from the official Yum repository

Thanks to this series of advantages, Nginx has gradually become a mainstream web server.

Add the repository

Here we cover installing Nginx with Yum. The default CentOS 7 repositories do not include Nginx, but the Nginx official website provides a repository for CentOS. Add it with the following command:

sudo rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

Install Nginx

Run yum search nginx to check whether the repository was added successfully. If it was, run the following command to install Nginx.

sudo yum install -y nginx

Start Nginx and enable it at boot

sudo systemctl enable nginx.service
sudo systemctl start nginx.service
sudo systemctl restart nginx.service

Adding third-party extension modules

The modules built into Nginx have their limits, so many developers have open-sourced convenient and practical third-party modules for everyone to use.

Pre-installation environment

To install Nginx and its extension modules successfully, we first need to install some prerequisites.

yum -y install libxml2 libxml2-devel libxslt-devel
yum -y install gd-devel
yum -y install perl-devel perl-ExtUtils-Embed
yum -y install zip unzip

Downloading a compilable Nginx

The Nginx installed through Yum cannot be recompiled, so we need to download a version of Nginx that can be compiled.

cd /usr/local/src
wget http://nginx.org/download/nginx-1.14.2.tar.gz
tar -zxvf nginx-1.14.2.tar.gz

Downloading the third-party modules

Every extension module is handled the same way: first make sure the wget command is available, then use wget to download the extension into the /usr/local/src folder and extract it.

Health check

In practice, if the back-end application is one that restarts quickly, such as Nginx, the built-in module is enough. One thing needs attention, though: if there is an unhealthy back-end node, the load balancer still forwards the request to that node first and only then to another node, which wastes a forwarding attempt.

However, if a back-end application takes a long time to restart, it may slowly drag down the whole load balancer. Because the health of the node cannot be judged, requests hang and the node appears frozen, and in the end none of the nodes behind the load balancer can respond to requests normally.

So a health check module is very important. nginx_upstream_check_module is an Nginx module developed by the Taobao technical team that checks the health of the back-end real servers. If a back-end real server is unavailable, no requests are forwarded to that node.

Download and unzip the module

wget -O /usr/local/src/nginx_upstream_check_module.zip https://codeload.github.com/yaoweibin/nginx_upstream_check_module/zip/master
unzip nginx_upstream_check_module.zip

interval is the check interval in milliseconds. rise=2 means that after 2 successful requests the real server is marked up. fall=5 means that after 5 failed requests the real server is marked down. timeout is the check timeout in milliseconds.

Check rule configuration:

upstream test {
    server [ip1]:[port1];
    server [ip2]:[port2];
    check interval=3000 rise=2 fall=5 timeout=1000;
}
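
How rise and fall move a real server between down and up, as an added example (not code from the module or from the original article). It assumes a server starts in the down state and that both counters track consecutive results; simulate_check is a hypothetical name.

```shell
#!/bin/sh
# Added example: model of how rise/fall decide a real server's state.
# Assumptions (not from the article): a server starts "down", and both
# counters count consecutive probe results.

# simulate_check RISE FALL RESULT...   RESULT: 1 = probe succeeded, 0 = failed
# Prints the state after each probe, space separated.
simulate_check() {
    rise=$1; fall=$2; shift 2
    state=down; ok=0; bad=0; out=""
    for r in "$@"; do
        if [ "$r" -eq 1 ]; then
            ok=$((ok + 1)); bad=0          # a success resets the failure run
            if [ "$state" = down ] && [ "$ok" -ge "$rise" ]; then state=up; fi
        else
            bad=$((bad + 1)); ok=0         # a failure resets the success run
            if [ "$state" = up ] && [ "$bad" -ge "$fall" ]; then state=down; fi
        fi
        out="$out$state "
    done
    printf '%s\n' "${out% }"
}

# rise=2 fall=5 as in the upstream block above: two good probes bring the
# server up, five bad probes in a row take it down, two good ones restore it.
simulate_check 2 5 1 1 0 0 0 0 0 1 1
```

Under this model, with interval=3000 and fall=5, a back end that stops answering keeps receiving requests for about five check intervals, roughly 15 seconds, before it is marked down.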

Clearing the cache

To speed up access to our site we often cache its static files, but cache lifetimes are hard to get right. Even with an expiry time configured, there are cases, such as testing, where we only want to change part of the cache. For that we can use the purge module.

Download and unzip the module

wget -O /usr/local/src/ngx_cache_purge-2.3.tar.gz http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
tar -zxvf ngx_cache_purge-2.3.tar.gz

What the ngx_cache_purge module does: it removes the cache for a specified URL.

Cache configuration

# Set up the cache zone that stores the cached files
proxy_cache_path /data/nginx-cache levels=1:2 keys_zone=nginx-cache:20m max_size=50g inactive=168h;

# Use the cache zone in a location
location /pathname {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_cache nginx-cache;
    proxy_cache_valid 200 304 302 5d;
    proxy_cache_valid any 5d;
    proxy_cache_key '$host:$server_port$request_uri';
    add_header X-Cache '$upstream_cache_status from $host';
    proxy_pass http://localhost/pathname;
}

Ways to clear the cache

http://[ip:port]/purge # clear all cached files
http://[ip:port]/purge/test # clear the cache for a single folder
http://[ip:port]/purge/test/123.jpg # clear a single file

Session persistence

Question: why do we need session persistence?

First of all, in a distributed architecture there are many server nodes. By default Nginx cannot keep sessions, so when the server node handling the request goes down, we have to log in again. Imagine a user placing an order who is suddenly bounced to the login page, and picture that user's face. The usual ways to get session persistence when load balancing with Nginx are:

  1. ip hash: requests are assigned to different servers according to the client's IP
  2. cookie: the server issues a cookie to the client, and a request carrying a given cookie is routed to the server that issued it

nginx sticky is a module that provides a cookie-based load-balancing solution: by issuing and recognising a cookie, it makes requests from the same client land on the same server. The default cookie name is route. It can cause a problem, though: if that server node goes down, the service becomes unavailable.

Note: cookies require browser support and can sometimes leak data.

Download and unzip the module

wget -O /usr/local/src/nginx-sticky-module.zip https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/08a395c66e42.zip
unzip -D nginx-sticky-module.zip

Using sticky

upstream test {
   sticky expires=1h domain=xxx.com path=/;
   server [ip1]:[port1];
   server [ip2]:[port2];
}

sticky configuration rules

sticky [name=route] [domain=.foo.bar] [path=/] [expires=1h]
    [hash=index|md5|sha1] [no_fallback] [secure] [httponly];

[name=route]            name of the cookie used to track the session
[domain=.foo.bar]       domain the cookie applies to
[path=/]                URL path the cookie applies to; defaults to the root
[expires=1h]            cookie lifetime; not set by default, so the cookie expires when the browser closes; must be greater than 1 second
[hash=index|md5|sha1]   whether the server identifier in the cookie is plain text or an md5 value; md5 by default
[no_fallback]           when set, if the sticky back-end machine goes down Nginx returns 502 (Bad Gateway or Proxy Error) instead of forwarding to another server; not recommended
[secure]                enables the secure cookie flag; requires HTTPS
[httponly]              keeps the cookie from leaking through JS; I have not used it

Throughput statistics

Real-time throughput statistics for the site. This is fairly simple, so there is not much to say. The main thing to watch is how much load the server's hardware resources, such as bandwidth, memory and disks, can sustain.

Download and unzip the module

wget -O /usr/local/src/traffic-accounting-nginx-module.zip https://github.com/Lax/traffic-accounting-nginx-module/archive/master.zip
unzip -D traffic-accounting-nginx-module.zip

Dynamic scaling up and down

In a distributed service we use Nginx for load balancing. There are a few issues to consider:

  1. Taking a site offline: when updating a monolithic application we overwrite the files directly and then restart. This interrupts requests, and if the interrupted requests belong to core logic, such as transactions or orders, data consistency is certainly affected, with more serious consequences.
  2. Adding and removing machines dynamically: for example, when a site needs machines added, the Nginx configuration has to be modified and then reloaded. Reload is fast, but requests are still interrupted for a moment.

So there is a need to modify the Nginx configuration dynamically without restarting Nginx. The ngx_dynamic_upstream module implements this well.

Download and unzip the module

wget -O /usr/local/src/ngx_dynamic_upstream.zip https://github.com/cubicdaiya/ngx_dynamic_upstream/archive/master.zip
unzip -D ngx_dynamic_upstream.zip

GitHub address for learning about this module: https://github.com/cubicdaiya/ngx_dynamic_upstream
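
Both the purge URLs in the cache section and the dynamic upstream module give whoever can reach them control over the proxy, so the locations that expose them should be restricted. The check below is an added example, not code from the article or from either module's project; the /purge and /dynamic locations in the sample configuration are constructed, and audit_locations is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: flag location blocks that expose a management directive
# (cache purge, dynamic upstream) without a "deny all;" rule.

# Constructed sample config. The zone name follows the cache setup above; the
# /purge and /dynamic locations are assumptions, not taken from the article.
sample_conf() {
cat <<'EOF'
location ~ /purge(/.*) {
    proxy_cache_purge nginx-cache '$host:$server_port$1$is_args$args';
}
location /dynamic {
    allow 127.0.0.1;
    deny all;
    dynamic_upstream;
}
location /pathname {
    proxy_cache nginx-cache;
    proxy_pass http://localhost/pathname;
}
EOF
}

# Reads nginx configuration on stdin and prints one line per location that
# contains proxy_cache_purge or dynamic_upstream but no "deny all;".
# Simplification: one directive per line, no nested locations, and other
# protections such as auth_basic are not recognised.
audit_locations() {
    awk '
        /^[ \t]*location[ \t]/ {
            name = $0
            sub(/^[ \t]+/, "", name); sub(/[ \t]*[{][ \t]*$/, "", name)
            inloc = 1; mgmt = 0; denied = 0; next
        }
        inloc && /^[ \t]*(proxy_cache_purge|dynamic_upstream)[ \t;]/ { mgmt = 1 }
        inloc && /^[ \t]*deny[ \t]+all[ \t]*;/                       { denied = 1 }
        inloc && /^[ \t]*[}]/ {
            if (mgmt && !denied) print "UNRESTRICTED: " name
            inloc = 0
        }
    '
}

sample_conf | audit_locations
```

On a real server, feed it the output of nginx -T so that included files are covered as well.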

Environment configuration

Configure the build with the modules above, then compile and install.

cd /usr/local/src/nginx-1.14.2

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=nginx --group=nginx \
  --with-compat --with-file-aio --with-threads \
  --with-http_addition_module --with-http_auth_request_module \
  --with-http_dav_module --with-http_flv_module \
  --with-http_gunzip_module --with-http_gzip_static_module \
  --with-http_mp4_module --with-http_random_index_module \
  --with-http_realip_module --with-http_secure_link_module \
  --with-http_slice_module --with-http_ssl_module \
  --with-http_stub_status_module --with-http_sub_module \
  --with-http_v2_module \
  --with-mail --with-mail_ssl_module \
  --with-stream --with-stream_realip_module \
  --with-stream_ssl_module --with-stream_ssl_preread_module \
  --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
  --add-module=/usr/local/src/ngx_cache_purge-2.3 \
  --add-module=/usr/local/src/nginx_upstream_check_module-master/ \
  --add-module=/usr/local/src/nginx-goodies-nginx-sticky-module-ng-08a395c66e42/ \
  --add-module=/usr/local/src/ngx_dynamic_upstream-master \
  --add-module=/usr/local/src/traffic-accounting-nginx-module-master

Compile and install

cd /usr/local/src/nginx-1.14.2
make -j2
cp /usr/sbin/nginx /usr/sbin/nginx.bak # back up the old binary
cp /usr/local/src/nginx-1.14.2/objs/nginx /usr/sbin/nginx # replace it with the new build
systemctl restart nginx # restart the nginx service
nginx -t # check the configuration file
nginx -V # show the nginx build environment
nginx -s reload # reload the configuration file

Restarting Nginx directly with systemctl affects normal business traffic to some degree. Using Nginx's smooth upgrade is recommended.

Basic authentication

If the Nginx address is exposed directly, everything our services are configured to serve is visible to whoever visits it, which is somewhat unsafe. So we can set up simple Basic authentication to keep unknown visitors out.

yum -y install httpd-tools
htpasswd -c /etc/nginx/passwd.db pgy
# enter the password

# usage example
location / {
    auth_basic  "show me pass";
    auth_basic_user_file /etc/nginx/passwd.db;
}
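
A check of which hash scheme each entry in the password file uses, as an added example (not part of the original article). The sample file is constructed with placeholder hash bodies, and classify_htpasswd is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: report the hash scheme of each entry in an htpasswd file.

# Constructed sample file; the hash bodies are placeholders, not real hashes.
sample_htpasswd() {
cat <<'EOF'
pgy:$apr1$SALTSALT$PLACEHOLDERPLACEHOLDER
deploy:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
monitor:{PLAIN}placeholder
legacy:abPLACEHOLDER.
EOF
}

# Reads "user:hash" lines on stdin, prints "user scheme verdict" per entry.
classify_htpasswd() {
    while IFS=: read -r user hash; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$hash" in
            '$apr1$'*)  scheme=apr1-md5             verdict=salted ;;
            '$'*)       scheme=crypt3-modular       verdict=salted ;;
            '{SSHA}'*)  scheme=salted-sha1          verdict=salted ;;
            '{SHA}'*)   scheme=sha1                 verdict=WEAK-unsalted ;;
            '{PLAIN}'*) scheme=plaintext            verdict=WEAK-cleartext ;;
            *)          scheme=des-crypt-or-unknown verdict=REVIEW ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done
}

sample_htpasswd | classify_htpasswd
```

Run it as classify_htpasswd < /etc/nginx/passwd.db. Basic authentication sends the credentials with every request, only base64-encoded, so serve the protected location over HTTPS.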

Is it not a joy to have friends come from afar?
To share knowledge better, suggestions and corrections are welcome. Blog: 风流三月1; WeChat ID: pgy1607974129; official account: "Ygo 工作室".


Origin juejin.im/post/5e008d56f265da33942a8cef