一、搭建nginx服务器及平滑升级
1.搭建基本的nginx服务器
准备nginx-0.8.55和nginx-1.0.5两个源码包(这两个版本早已停止维护,仅适合在实验环境中演示平滑升级流程;生产环境应使用仍在维护的版本,并在解压前校验源码包的完整性)
[root@localhost nginx-package]# tar -zxf nginx-0.8.55.tar.gz
[root@localhost nginx-package]# tar -zxf nginx-1.0.5.tar.gz
关闭HTTP服务,否则端口被占用
[root@localhost ~]# service httpd stop
创建nginx工作进程运行时使用的非特权用户(-s /sbin/nologin 禁止登录shell,-M 不创建家目录)
[root@localhost ~]# useradd -s /sbin/nologin -M www
[root@localhost ~]# tail -1 /etc/passwd
www:x:500:500::/home/www:/sbin/nologin
[root@localhost ~]# tail -1 /etc/group
www:x:500:
安装开发工具
[root@localhost nginx-package]# yum -y install gcc*
[root@localhost ~]# yum -y install pcre-devel
[root@localhost nginx-package]# cd nginx-0.8.55
[root@localhost nginx-0.8.55]# ./configure --help
[root@localhost nginx-0.8.55]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
如果最后提示没有安装openssl库需要重新安装
[root@localhost nginx-0.8.55]# yum -y install openssl-devel
重新执行配置
[root@localhost nginx-0.8.55]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[root@localhost nginx-0.8.55]# make && make install
启动服务
[root@localhost nginx-0.8.55]# /usr/local/nginx/sbin/nginx
[root@localhost nginx-0.8.55]# netstat -anput | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8466/nginx
[root@localhost nginx-0.8.55]# elinks --dump 192.168.118.5
Welcome to nginx!
2.平滑升级
[root@localhost nginx-package]# cd nginx-1.0.5
查看当前版本和配置信息
[root@localhost nginx-1.0.5]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/0.8.55
TLS SNI support disabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[root@localhost nginx-1.0.5]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[root@localhost nginx-1.0.5]# make
将旧版本的可执行文件改名保留(nginx-low,便于升级失败时回退),再把新编译出的可执行文件复制过去
[root@localhost nginx-1.0.5]# mv /usr/local/nginx/sbin/{nginx,nginx-low}
[root@localhost nginx-1.0.5]# cp objs/nginx /usr/local/nginx/sbin/
平滑升级
[root@localhost nginx-1.0.5]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
查看现在版本
[root@localhost nginx-1.0.5]# /usr/local/nginx/sbin/nginx -v
nginx: nginx version: nginx/1.0.5
发现已经成功升级
[root@localhost nginx-1.0.5]# elinks --dump 192.168.118.5
Welcome to nginx!
关闭服务
[root@localhost nginx-1.0.5]# /usr/local/nginx/sbin/nginx -s stop
二、nginx虚拟主机
客户端:192.168.1.1
nginx服务器:192.168.1.2
1.基于域名的虚拟主机
配置nginx服务器
[root@localhost conf]# cd /usr/local/nginx/conf/
分离出有用配置
[root@localhost conf]# grep -vE "#|^$" nginx.conf.default > nginx.conf
[root@localhost conf]# vim nginx.conf
添加虚拟主机
server {
listen 80;
server_name www.baidu.com;
location / {
root /baidu;
index index.html index.htm;
}
}
server {
listen 80;
server_name www.qq.com;
location / {
root /qq;
index index.html index.htm;
}
}
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s stop
[root@localhost conf]# /usr/local/nginx/sbin/nginx
[root@localhost conf]# echo "baidu" > /baidu/index.html
[root@localhost conf]# echo "qq" > /qq/index.html
配置客户机
添加域名解析
[root@www ~]# vim /etc/hosts
添加
192.168.1.2 www.baidu.com www
192.168.1.2 www.qq.com www
[root@www ~]# elinks --dump www.baidu.com
baidu
[root@www ~]# elinks --dump www.qq.com
实现了基于域名的虚拟主机的访问
2.基于端口的虚拟主机
修改nginx服务器的配置文件
[root@localhost conf]# vim nginx.conf
修改
server {
listen 192.168.1.2:80;
server_name www.baidu.com;
location / {
root /baidu;
index index.html index.htm;
}
}
server {
listen 192.168.1.2:8080;
server_name www.qq.com;
location / {
root /qq;
index index.html index.htm;
}
}
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s stop
[root@localhost conf]# /usr/local/nginx/sbin/nginx
客户机测试
[root@www ~]# elinks --dump 192.168.1.2:80
baidu
[root@www ~]# elinks --dump 192.168.1.2:8080
实现了基于端口的虚拟主机的访问
3.基于IP地址的虚拟主机
添加子接口
[root@localhost ~]# ifconfig eth0:1 192.168.1.3
[root@localhost ~]# ifconfig eth0:1
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:FD:5B:B1
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
修改nginx服务器的配置文件
[root@localhost conf]# vim nginx.conf
server {
listen 192.168.1.2:80;
server_name www.baidu.com;
location / {
root /baidu;
index index.html index.htm;
}
}
server {
listen 192.168.1.3:80;
server_name www.qq.com;
location / {
root /qq;
index index.html index.htm;
}
}
客户端测试
[root@www ~]# elinks --dump 192.168.1.2
baidu
[root@www ~]# elinks --dump 192.168.1.3
实现了基于IP地址的虚拟主机的访问
三、防盗链
目标:防止其他网站通过超链接盗用本地网站的图片、视频等资源
nginx服务器:192.168.2.1
http服务器:192.168.2.2
1.修改nginx服务器
在nginx服务器的主目录里面添加一个图片
[root@localhost conf]# cp /root/Desktop/one.png /usr/local/nginx/html/
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s stop
[root@localhost conf]# /usr/local/nginx/sbin/nginx
[root@localhost conf]# elinks --dump 192.168.2.2
Welcome to nginx!
2.配置http服务器
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# service httpd start
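建立盗链网页(超链接应指向nginx服务器上的图片;按本节开头的环境说明,nginx服务器为192.168.2.1、http服务器为192.168.2.2,本节部分命令和下面示例中的地址与之不一致,请以实际环境为准)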
[root@localhost ~]# vim /var/www/html/115.html
<html>
<body><a href=http://192.168.2.2/one.png>this Images</a>
</body>
</html>
[root@localhost ~]# elinks --dump 192.168.2.1
Welcome to nginx!
[root@localhost ~]# elinks --dump 192.168.2.2
浏览器测试盗链网页
http://192.168.2.2/115.html
点击超链接能够显示图片,盗用了nginx服务器网站的图片
3.配置nginx服务器
修改nginx的配置文件
[root@localhost conf]# vim nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
# Anti-hotlinking: reject image/video requests whose Referer is not on the allow list.
# NOTE(review): `jif` below is probably a typo for `gif`; as written, .gif files
# are not matched by this location and stay unprotected.
location ~* \.(png|jpg|jif|flv)$ {
# `none` accepts requests that carry no Referer header, and `blocked` accepts a
# Referer whose value was stripped by a proxy or firewall. The header is supplied
# by the client, so this rule discourages embedding from other sites' pages; it is
# not access control, and content that must stay private needs authentication.
valid_referers none blocked www.tarena.com tarena.com;
# $invalid_referer is non-empty when the Referer matched none of the values above.
if ($invalid_referer) {
return 404;
}
}
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s stop
[root@localhost conf]# /usr/local/nginx/sbin/nginx
4.http服务器验证
浏览器验证
http://192.168.2.2/115.html
点击超链接,出现404错误,实现了防盗链
四、访问控制和用户认证 (控制客户端对网站服务器的访问)
目标:实现nginx服务器对客户机根据IP地址,网段进行访问控制
对于允许访问的IP地址,还可以要求输入用户名和密码进行认证登录,以增加安全性
客户机IP:192.168.1.1
nginx服务器IP:192.168.1.2
1.访问控制
修改nginx配置文件
[root@localhost conf]# cd /usr/local/nginx/conf/
[root@localhost conf]# vim nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
# Deny 192.168.1.1 and allow every other host. Rules are checked in order and
# the first matching rule decides.
# NOTE(review): a single-address blocklist stops working as soon as the client
# uses another address (the client test later on this page shows exactly that).
# Where the trusted clients are known, list them with `allow` and end with `deny all;`.
deny 192.168.1.1;
allow all;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
[root@localhost conf]# ../sbin/nginx -s stop
[root@localhost conf]# ../sbin/nginx
客户机测试
[root@www ~]# ifconfig eth0 | head -2
eth0 Link encap:Ethernet HWaddr 00:0C:29:C7:AD:28
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
[root@www ~]# elinks --dump 192.168.1.2
403 Forbidden
更换IP地址重新访问
[root@www ~]# ifconfig eth0 192.168.1.11
[root@www ~]# elinks --dump 192.168.1.2
Welcome to nginx!
2.用户认证
修改nginx配置文件
[root@localhost conf]# vim nginx.conf
修改
location / {
root html;
index index.html index.htm;
deny 192.168.1.1;
allow all;
# HTTP Basic authentication; the quoted string is the realm shown in the browser prompt.
# Unless a `satisfy` directive says otherwise, a request must pass both the
# address rules above and this password check.
# NOTE(review): Basic credentials are only base64-encoded on the wire, and the
# server block shown earlier on this page listens on plain port 80. The build was
# configured with --with-http_ssl_module, so serve this location over TLS
# wherever the network is not fully trusted.
auth_basic "please input your username and password";
# Password file maintained with htpasswd. It sits outside the `html` document
# root, so nginx does not serve it to clients.
auth_basic_user_file /usr/local/nginx/user.txt;
}
[root@localhost conf]# ../sbin/nginx -s stop
[root@localhost conf]# ../sbin/nginx
生成user.txt认证文件
[root@localhost conf]# yum -y install httpd
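添加两个认证用户admin和feng。-c选项用于新建认证文件,文件已存在时不要再加-c,否则原有内容会被覆盖。下面输出中13个字符的哈希看起来是传统crypt()格式,强度较弱;在所用nginx版本支持的前提下,可用htpasswd的-m选项改为MD5(apr1)格式。认证文件只需对nginx工作进程的运行用户(本文为www)可读,不应对其他用户开放,也不要放在网站根目录下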
[root@localhost conf]# htpasswd -c /usr/local/nginx/user.txt admin
[root@localhost conf]# htpasswd /usr/local/nginx/user.txt feng
[root@localhost conf]# cat /usr/local/nginx/user.txt
admin:sfbEMSjDZbA4.
feng:4SH4NvORhXMFs
客户机用浏览器测试
http://192.168.1.2
输入刚刚添加的用户名和密码
访问成功!
五、nginx反向代理(分发服务器 后端服务器状态设置)
目标:外网客户机能够通过nginx服务器访问内网的web服务器,并可以配置nginx来实现不同的分发策略
准备环境:
外网客户端:192.168.1.1
nginx代理服务器:192.168.1.2(外网IP地址) 192.168.2.1(内网IP地址)
内网web1:192.168.2.2
内网web2:192.168.2.3
保证外网客户机,两台内网web服务器分别与nginx互通
1.在两台web服务器上搭建HTTP服务(web1 web2)
web1:
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# service httpd start
[root@localhost ~]# echo "web1" > /var/www/html/index.html
测试本机能否访问
[root@localhost ~]# elinks --dump 192.168.2.2
web1
web2:
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# service httpd start
[root@localhost ~]# echo "web2" > /var/www/html/index.html
测试本机能否访问
[root@localhost ~]# elinks --dump 192.168.2.3
web2
2.配置nginx服务器
[root@localhost conf]# cd /usr/local/nginx/conf/
分离出有用配置
[root@localhost conf]# grep -vE "#|^$" nginx.conf.default > nginx.conf
[root@localhost conf]# vim nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#添加分发组
upstream "webgroup" {
server 192.168.2.2:80;
server 192.168.2.3:80;
}
server {
listen 80;
server_name localhost;
location / {
# root html;
# index index.html index.htm;
# Forward requests arriving on port 80 to the web servers in the `webgroup` upstream.
# NOTE(review): no proxy_set_header lines are configured, so the backends see the
# proxy's address as the client and their access logs lose the real source.
# Adding `proxy_set_header X-Real-IP $remote_addr;` and
# `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` keeps the client
# address available for backend logging. Backends should trust these headers
# only when the request comes from the proxy.
proxy_pass http://webgroup;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
重启服务
[root@localhost conf]# ../sbin/nginx -s stop
[root@localhost conf]# ../sbin/nginx
3.外网客户机测试
[root@www ~]# elinks --dump 192.168.1.2
web2
[root@www ~]# elinks --dump 192.168.1.2
web1
4.更改nginx的分发策略
(1)默认情况下是轮询的方式
(2)weight 指定轮询几率
权重和访问比率成正比
通常用于后端服务器性能不同的情况
默认值为1
修改nginx的配置文件
[root@localhost conf]# vim nginx.conf
修改
upstream "webgroup" {
server 192.168.2.2:80 weight=1;
server 192.168.2.3:80 weight=3;
}
[root@localhost conf]# ../sbin/nginx -s stop
[root@localhost conf]# ../sbin/nginx
客户机测试
[root@www ~]# elinks --dump 192.168.1.2
web1
[root@www ~]# elinks --dump 192.168.1.2
web2
[root@www ~]# elinks --dump 192.168.1.2
web2
[root@www ~]# elinks --dump 192.168.1.2
web2
(3)其他分发策略
ip_hash 每个请求按访问ip的hash结果分配
这样可以让每个访客固定访问一个后端服务器 ,可以解决session的问题
down: 表示当前server暂时不参与负载
max_fails:允许请求失败的次数(默认为1),在fail_timeout指定的时间内失败次数达到此值时,该服务器在接下来的fail_timeout时间内被视为不可用,请求转交给组内其他服务器
backup:当其他所有的非backup机器down或者忙的时候,请求会发给backup机器,所以这台机器压力会最轻
upstream sergrp {
#ip_hash;
#server 192.168.8.5:80 weight=2;
server 192.168.8.5:80 down;
server 192.168.8.4:80;
server 192.168.8.6:80 backup;
server 192.168.8.3:80 max_fails=2 fail_timeout=30s;
}