nginx配置文件结构
main:
user nginx; 进程发起的用户名 worker_processes auto; 进程数量auto为物理核心数量 error_log /var/log/nginx/error.log; 错误日志位置 pid /run/nginx.pid; 主进程文件号的文件位置 include /usr/share/nginx/modules/*.conf; 启动的模块 worker_processes auto; 的优化,可以把进程绑定固定核心减少上下文切换的消耗
CPU MASK:
00000000:
0000 0001:0号CPU
0000 0010:1号CPU
0000 0100:2号CPU
... ...
0000 0011:0和1号CPU;
worker_priority number;
指定worker进程的nice值,设定worker进程优先级;[-20,20]
worker_rlimit_nofile number;
worker进程所能够打开的文件数量上限;
调试、定位问题:
1、daemon on|off;
是否以守护进程方式运行Nignx;
2、master_process on|off;
是否以master/worker模型运行nginx;默认为on;
3、error_log file [level];
事件驱动相关的配置:
events {
...
}
1、worker_connections number;
每个worker进程所能够打开的最大并发连接数数量;
worker_processes * worker_connections
2、use method;
指明并发连接请求的处理方法;
use epoll;
3、accept_mutex on | off;
master 用户请求到worker进程时使用负载均衡锁,序列化的响应请求
处理新的连接请求的方法;on意味着由各worker轮流处理新请求,Off意味着每个新请求的到达都会通知所有的worker进程;
accept_mutex_delay time;worker忙碌其他请求等待时间
events { worker_connections 1024; use epoll; accept_mutex on; }
定义四个虚拟主机,混合使用三种类型的虚拟主机;
仅开放给来自于本地网络中的主机访问;
定义4个虚拟主机:
(1) 首先是字符串精确匹配;
(2) 左侧*通配符;
(3) 右侧*通配符;
(4) 正则表达式;
server { listen 80 default_server; server_name bbs.momoda1.com; root /var/www/html/bbs; include /etc/nginx/default.d/*.conf; } server { listen 80; root "/var/www/html/momoda1"; server_name *.memeda1.com; include /etc/nginx/default.d/*.conf; } server { listen 80; root "/var/www/html/ms/"; server_name www.memeda1.*; include /etc/nginx/default.d/*.conf; } server { listen 80; root "/var/www/html/re"; server_name ~.*\.\d+\.com; include /etc/nginx/default.d/*.conf; }
定义页面内容
配置本地dns解析
C:\Windows\System32\drivers\etc\hosts
192.168.91.133 bbs.momoda1.com momoda1.com www.momoda1.com www.158.com www.momoda1.cn
验证:
memeda1.com
server_name www.momoda1.com; root /var/www/html/; include /etc/nginx/default.d/*.conf; location /ms { root /var/www/html/mems; }
访问servername/ms时候相当于访问root /var/www/html/mems/ms下对应内容
指定匹配uri的root目录
[[email protected] www]# curl www.momoda1.com/ms/xx.html <h1>this is mems/xx.html</h1> location ~.*\.jpg { root /var/www/images; } location /msf/ { alias /mems/; } [[email protected] www]# curl www.momoda1.com/msf/xx.html <h1>this is mems/xx.html</h1>
对servername/msf/下内容对应到指定目录下
http:/ <--- /var/www/images location /images/ { alias "/var/www/images" } location后跟对应的uri,在访问指定的uri时,root路径是location定义的root/uri 而alias则是在location中定义的位置
client_body_temp_path path [level1 [level2 [level3]]];
设定用于存储客户端请求报文的body部分的临时存储路径及子目录结构和数量;
16进制的数字;
client_body_temp_path /var/tmp/client_body 1 2 2
1:表示用一位16进制数字表示一级子目录;0-f
2:表示用2位16进程数字表示二级子目录:00-ff
2:表示用2位16进程数字表示三级子目录:00-ff
ngx_http_access_module模块:
实现基于ip的访问控制功能
allow address | CIDR | unix: | all;
deny address | CIDR | unix: | all;
定义位置 http, server, location, limit_except
loaction / { allow 171.16.0.0/16 allow 192.16.0.0/16 denny all }
ngx_http_auth_basic_module模块
实现基于用户的访问控制,使用basic机制进行用户认证;
location / { auth_basic "input you passwd"; auth_basic_user_file /etc/htpasswd; } [[email protected] html]# yum install httpd-tools [[email protected] html]# htpasswd -c -m /etc/htpasswd momoda New password: Re-type new password: Adding password for user momoda [[email protected] html]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [[email protected] html]# nginx -s reload
ngx_http_stub_status_module模块
用于输出nginx的基本状态信息;
location /status { stub_status; }
结果
[[email protected] www]# curl www.momoda1.com/status Active connections: 1 server accepts handled requests 37 37 34 Reading: 0 Writing: 1 Waiting: 0
ngx_http_ssl_module模块:
1、 ssl on | off;
Enables the HTTPS protocol for the given virtual server.
2、ssl_certificate file;
当前虚拟主机使用PEM格式的证书文件;
3、ssl_certificate_key file;
当前虚拟主机上与其证书匹配的私钥文件;
4、ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
支持ssl协议版本,默认为后三个;
5、ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
builtin[:size]:使用OpenSSL内建的缓存,此缓存为每worker进程私有;
[shared:name:size]:在各worker之间使用一个共享的缓存;
6、ssl_session_timeout time;
客户端一侧的连接可以复用ssl session cache中缓存 的ssl参数的有效时长;
创建证书&签名
[[email protected] html]# cd /etc/pki/CA/ [[email protected] CA]# ls certs crl newcerts private [[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) #创建私钥 Generating RSA private key, 2048 bit long modulus ...................................................................+++ ........+++ e is 65537 (0x10001)
创建自签名文件
e is 65537 (0x10001) [[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ha 。。。。 [[email protected] CA]# touch index.txt [[email protected] CA]# touch serial [[email protected] CA]# echo 01 >serial [[email protected] CA]# cd /etc/nginx [[email protected] nginx]# mkdir ssl [[email protected] nginx]# (umask 077;openssl genrsa -out nginx.key 1024) Generating RSA private key, 1024 bit long modulus .........++++++ .............++++++ e is 65537 (0x10001)
申请证书
[[email protected] nginx]# openssl req -new -key nginx.key -out nginx.csr [[email protected] ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
修nginx配置文件结构改配置文件:
server { listen 443 default_server; listen [::]:443 default_server; server_name www.momoda.com; root /var/www/html; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m;
ngx_http_rewrite_module模块:
定义在location server
将用户请求的URI基于regex所描述的模式进行检查,而后完成替换;
1、rewrite regex replacement [flag]
将用户请求的URI基于regex所描述的模式进行检查,匹配到时将其替换为replacement指定的新的URI;
注意:如果在同一级配置块中存在多个rewrite规则,那么会自下而下逐个检查;被某条件规则替换完成后,会重新一轮的替换检查,因此,隐含有循环机制;[flag]所表示的标志位用于控制此循环机制;
如果replacement是以http://或https://开头,则替换结果会直接以重向返回给客户端;
301:永久重定向;
[flag]:
last:重写完成后停止对当前URI在当前location中后续的其它重写操作,而后对新的URI启动新一轮重写检查;提前重启新一轮循环;
break:重写完成后停止对当前URI在当前location中后续的其它重写操作,而后直接跳转至重写规则配置块之后的其它配置;结束循环;
redirect:重写完成后以临时重定向方式直接返回重写后生成的新URI给客户端,由客户端重新发起请求;不能以http://或https://开头;
permanent:重写完成后以永久重定向方式直接返回重写后生成的新URI给客户端,由客户端重新发起请求;
2、return
return code [text]; return code URL; return URL; Stops processing and returns the specified code to a client.
3、 rewrite_log on | off;
是否开启重写日志;
4、 if (condition) { ... }
引入一个新的配置上下文 ;条件满足时,执行配置块中的配置指令;server, location;
condition:
比较操作符:
== != ~:模式匹配,区分字符大小写; ~*:模式匹配,不区分字符大小写; !~:模式不匹配,区分字符大小写; !~*:模式不匹配,不区分字符大小写; 文件及目录存在性判断: -e, !-e -f, !-f -d, !-d -x, !-x
5、set $variable value;
用户自定义变量 ;
server { listen 80 default_server; listen [::]:80 default_server; server_name www.momoda.com; rewrite /(.*) https://www.momoda.com/$1 permanent; } server { listen 443 default_server; listen [::]:443 default_server; server_name www.momoda.com; root /var/www/html; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m; ssl_session_timeout 200s; include /etc/nginx/default.d/*.conf; }
ngx_http_referer_module模块:
The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the “Referer” header field.
合法的引用:
1、valid_referers none | blocked | server_names | string ...;
定义referer首部的合法可用值;
none:请求报文首部没有referer首部;
blocked:请求报文的referer首部没有值;
server_names:参数,其可以有值作为主机名或主机名模式;
arbitrary_string:直接字符串,但可使用*作通配符;
regular expression:被指定的正则表达式模式匹配到的字符串;要使用~打头,例如 ~.*\.magedu\.com;