LNMP之Nginx

Nginx初探

概念:

  Nginx是一款免费、开源、高性能的HTTP服务器和反向代理,同时也可作为邮件代理服务器。其因为高性能、稳定、丰富的功能集、配置简单和低系统资源消耗而闻名。

  Tengine是由淘宝网发起的Web服务器项目。它在Nginx的基础上,针对大访问量网站的需求,添加了很多高级功能和特性。Tengine的性能和稳定性已经在大型的网站如淘宝、天猫商城等得到了很好的检验。它的最终目标是打造一个高效、稳定、安全、易用的Web平台。之所以选用Tengine是因为其支持动态加载模块(DSO),加入一个模块不再需要编译整个Tengine.

 

安装

OS Version:CentOS 6.5

Tengine Version:2.1.1

依赖包安装:可通过yum安装,也可通过源码编译安装

yum -y install zlib zlib-devel openssl openssl-devel pcre-devel

pcre:用于实现rewrite模块的功能,不安装编译无法通过。 ps:此模块建议yum安装,个人在动态加载lua模块时碰到和系统版本不兼容问题。

zlib:nginx的gzip模块,传输数据打包,省流量(但消耗资源)。

openssl:提供ssl加密协议

编译安装:

wget http://tengine.taobao.org/download/tengine-2.1.1.tar.gz

tar zxf tengine-2.1.1.tar.gz

cd tengine-2.1.1

./configure --prefix=/usr/local/nginx    #指定nginx安装路径   (更多选项可使用configure --help进行查看)

make && make install

基本命令:

/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf     # -t:检验配置文件是否正确   -c:指定配置文件路径

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf    #启动nginx

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf -s reload    # -s reload:重读配置文件而不用重启nginx服务

启动nginx后,访问http://127.0.0.1,有出现Nginx的界面即表示成功。

nginx.conf 部分配置:

作为web服务器的配置,且支持PHP

 http{

   ......

   server{

     listen  80;

     server_name  domain;

     #root  /var/www/html;            //下面的配置也可直接配在这里

     #index.html;                       

     location / {

       root  /var/www/html;               //存放目录

       index index.html index.htm;      //默认主页面,可添加

     }

        location ~ \.php$ {                   //PHP支持
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
include fastcgi_params;
}   }   ...... }

作为反向代理的配置

 http{

   ......

   upstream test {

     server 127.0.0.1:8080;

   }

   server {

     listen 80;

     server_name domain;

     ......

     location / {

       proxy_pass:http://test;      //此处也可以直接配置想要代理的链接地址

     }

   }

 }

动态加载模块:

此处示例为加载lua模块

tar -zxvf LuaJIT-2.0.4.tar.gz
cd LuaJIT-2.0.4
make && make install
    
tar -zxvf lua-nginx-module-0.9.16.tar.gz
/usr/local/nginx/sbin/dso_tool  --add-module=/path/to/lua-nginx-modoule     # 在/usr/local/nginx/module/生成.so文件

在nginx.conf 添加以下配置重启即可 (之后会带nginx.conf的部分解释)

 dso {
load ngx_http_lua_module.so;
}
 
 
HTTPS配置:需要生成证书
生产环境的证书一般由其他服务提供商提供,需要付费购买
测试环境可自己生成证书:
openssl genrsa -des3 -out server.key 1024                    
openssl req -new -key server.key -out server.csr
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 364 -in server.csr -signkey server.key -out server.crt
 http {
  ......
  server {
    listen 443;
    server_name domain;     ssl on;
    ssl_certificate    /usr/local/nginx/conf/cert/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/cert/server.key;
    
    location / {
      proxy_pass:https://127.0.0.1:8443
    }
  }
}
 
 

nginx.conf 参考:

user www www;
worker_processes 1; error_log logs/error.log;
pid logs/nginx.pid; events {
use epoll;
worker_connections 1024;
} dso {
load ngx_http_lua_module.so;
} http {
include mime.types;
default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; limit_conn_zone $binary_remote_addr zone=limit:10m; access_log logs/access.log main; sendfile on;
keepalive_timeout 65;
gzip on; #performance
large_client_header_buffers 4 16k;
client_max_body_size 300m;
client_body_buffer_size 128k;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_buffer_size 64k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k; #Security
server_tokens off;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
   upstream test {
server 127.0.0.1:8080;
} server {
listen 80;
server_name www.ccc.com; charset utf-8;
access_log logs/test.access.log main;
error_log logs/test.error.log error; location / {
proxy_pass http://test;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
} #HTTPS server
server {
listen 443;
server_name www.ccc.com;
ssl on;
ssl_certificate /usr/local/nginx/conf/cert/server.crt;
ssl_certificate_key /usr/local/nginx/conf/cert/server.key; ssl_session_timeout 30m; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on; access_log logs/test.https.access.log main;
error_log logs/test.https.error.log error; location / {
proxy_pass http://test;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
}

LNMP自动化安装:https://github.com/Code-CC/LinuxSever/tree/master/lnmp

参考:

https://www.nginx.com/

http://tengine.taobao.org/

上一篇:Redis学习笔记(二)-key相关命令【转载】


下一篇:Flask之项目配置,目录构建,闪现