nginx configuration file structure
main:
user nginx;                                 # user the worker processes run as
worker_processes auto;                      # number of worker processes; auto = number of physical cores
error_log /var/log/nginx/error.log;         # error log location
pid /run/nginx.pid;                         # file that records the master process PID
include /usr/share/nginx/modules/*.conf;    # modules to load at start-up
A refinement of worker_processes auto: each worker can be bound to a fixed CPU core to reduce the cost of context switches. The binding is written as a CPU mask, one bit per CPU:
CPU MASK:
0000 0001: CPU 0
0000 0010: CPU 1
0000 0100: CPU 2
... ...
0000 0011: CPUs 0 and 1;
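An added example, not from the page: a small helper that builds and checks the per-worker masks for nginx's worker_cpu_affinity directive (a real directive, assumed here; its value is one mask per worker) using the bit layout of the table above, where the rightmost bit is CPU 0.

```python
# Added example (not from the page): build and check the bit masks that
# nginx's worker_cpu_affinity directive takes, one mask per worker process,
# using the layout shown above: the rightmost bit is CPU 0.

def cpu_mask(cpus, ncpu):
    """Return a mask of width ncpu with a 1 bit for each CPU id in cpus."""
    bits = ["0"] * ncpu
    for cpu in cpus:
        if not 0 <= cpu < ncpu:
            raise ValueError(f"CPU {cpu} is outside 0..{ncpu - 1}")
        bits[ncpu - 1 - cpu] = "1"  # rightmost position is CPU 0
    return "".join(bits)

def worker_cpu_affinity(assignments, ncpu):
    """Value for 'worker_cpu_affinity', e.g. [[0], [1]] on 2 CPUs -> '01 10'."""
    return " ".join(cpu_mask(cpus, ncpu) for cpus in assignments)

def cpus_in_mask(mask):
    """Inverse of cpu_mask: the CPU ids selected by a mask string."""
    if mask == "" or set(mask) - {"0", "1"}:
        raise ValueError("mask must be a non-empty string of 0/1")
    return [i for i, bit in enumerate(reversed(mask)) if bit == "1"]

if __name__ == "__main__":
    # four workers, each pinned to its own core on a 4-CPU machine
    print("worker_cpu_affinity " + worker_cpu_affinity([[0], [1], [2], [3]], 4) + ";")
```

Every mask must have the same width as the number of CPUs, and a worker given an empty list is left unbound (all zeros).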
worker_priority number;
Sets the nice value of the worker processes, i.e. their scheduling priority; range [-20, 20].
worker_rlimit_nofile number;
Upper limit on the number of files a worker process may open;
Debugging and locating problems:
1. daemon on|off;
Whether to run Nginx as a daemon;
2. master_process on|off;
Whether to run nginx in the master/worker model; default on;
3. error_log file [level];
Event-driven configuration:
events {
...
}
1. worker_connections number;
Maximum number of concurrent connections each worker process can open;
total capacity = worker_processes * worker_connections
2. use method;
Specifies the method used to process concurrent connection requests;
use epoll;
3. accept_mutex on | off;
A load-balancing lock taken when new user requests are handed from the master to the worker processes, so that responses to new connections are serialized.
Method of handling new connection requests: on means the workers accept new requests in turn; off means every new request wakes all worker processes;
accept_mutex_delay time; how long a worker that is busy with other requests waits before retrying the lock
events {
    worker_connections 1024;
    use epoll;
    accept_mutex on;
}
Define four virtual hosts, mixing the three kinds of virtual host;
open only to hosts on the local network;
Define 4 virtual hosts, whose server names are matched in this order:
(1) exact string match;
(2) leading * wildcard;
(3) trailing * wildcard;
(4) regular expression;
server {
    listen 80 default_server;
    server_name bbs.momoda1.com;
    root /var/www/html/bbs;
    include /etc/nginx/default.d/*.conf;
}
server {
    listen 80;
    root "/var/www/html/momoda1";
    server_name *.memeda1.com;
    include /etc/nginx/default.d/*.conf;
}
server {
    listen 80;
    root "/var/www/html/ms/";
    server_name www.memeda1.*;
    include /etc/nginx/default.d/*.conf;
}
server {
    listen 80;
    root "/var/www/html/re";
    server_name ~.*\.\d+\.com;
    include /etc/nginx/default.d/*.conf;
}
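An added example, not from the page: a Python model of the server selection order just listed, run over the four server names from the configuration above. It also applies two rules nginx documents beyond the list: the longest name wins inside each wildcard class, and regular expressions are tried in file order. The Host values are constructed; note that any Host matching nothing lands on the default_server, which matters when that block serves real content.

```python
import re

# Added example (not from the page): a model of how nginx chooses a server
# block for the Host header: exact name, longest leading-wildcard name,
# longest trailing-wildcard name, first matching regex in file order,
# otherwise the default_server. Names and roots are the page's four servers.

SERVERS = [
    {"name": "bbs.momoda1.com", "root": "/var/www/html/bbs", "default": True},
    {"name": "*.memeda1.com", "root": "/var/www/html/momoda1"},
    {"name": "www.memeda1.*", "root": "/var/www/html/ms/"},
    {"name": r"~.*\.\d+\.com", "root": "/var/www/html/re"},
]

def name_kind(name):
    if name.startswith("~"):
        return "regex"
    if name.startswith("*."):
        return "leading_wildcard"
    if name.endswith(".*"):
        return "trailing_wildcard"
    return "exact"

def name_matches(name, host):
    kind = name_kind(name)
    if kind == "exact":
        return host == name
    if kind == "leading_wildcard":      # "*.memeda1.com" matches "a.memeda1.com", not "memeda1.com"
        return host.endswith(name[1:]) and len(host) > len(name[1:])
    if kind == "trailing_wildcard":     # "www.memeda1.*" matches "www.memeda1.org"
        return host.startswith(name[:-1]) and len(host) > len(name[:-1])
    return re.search(name[1:], host) is not None   # regex: unanchored search, as in nginx

def select_server(host, servers=SERVERS):
    """Return the server entry nginx would pick for this Host header."""
    host = host.lower().rstrip(".")
    for kind in ("exact", "leading_wildcard", "trailing_wildcard"):
        hits = [s for s in servers if name_kind(s["name"]) == kind and name_matches(s["name"], host)]
        if hits:
            return max(hits, key=lambda s: len(s["name"]))   # longest wildcard name wins
    for s in servers:
        if name_kind(s["name"]) == "regex" and name_matches(s["name"], host):
            return s
    return next((s for s in servers if s.get("default")), servers[0])

if __name__ == "__main__":
    for host in ("bbs.momoda1.com", "www.memeda1.com", "www.memeda1.org", "www.158.com", "nomatch.example"):
        print(host, "->", select_server(host)["root"])
```

The case www.memeda1.com is instructive: it matches both the leading and the trailing wildcard, and the leading wildcard wins because of the order above.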
Define the page content
Configure local DNS resolution
C:\Windows\System32\drivers\etc\hosts
192.168.91.133 bbs.momoda1.com momoda1.com www.momoda1.com www.158.com www.momoda1.cn
Verification:
memeda1.com
server_name www.momoda1.com;
root /var/www/html/;
include /etc/nginx/default.d/*.conf;
location /ms {
    root /var/www/html/mems;
}
A request for servername/ms is served from the matching content under the location's root, i.e. /var/www/html/mems/ms
root: specifies the root directory for the matched URI
[root@localhost www]# curl www.momoda1.com/ms/xx.html
<h1>this is mems/xx.html</h1>
location ~.*\.jpg {
    root /var/www/images;
}
location /msf/ {
    alias /mems/;
}
[root@localhost www]# curl www.momoda1.com/msf/xx.html
<h1>this is mems/xx.html</h1>
alias: maps the content under servername/msf/ to the specified directory
http://servername/images/  <---  /var/www/images
location /images/ {
    alias "/var/www/images/";   # alias ends with "/" to match the location prefix "/images/"
}
location is followed by the URI it matches. When that URI is requested, with root the file path is the location's root followed by the URI, whereas with alias the path is the directory named in the location itself (the matched prefix is replaced).
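An added example, not from the page: the two path mappings described above as Python functions, plus the configuration check a reviewer would run on alias. root appends the whole URI to the root directory; alias replaces the text of the matched location prefix literally, so a location ending in "/" needs an alias ending in "/" or the substitution glues the remainder onto the directory name. The URIs and paths below are constructed around the page's locations.

```python
# Added example (not from the page): the path nginx builds for a request under
# a prefix location with root versus alias. root: root + full URI.
# alias: alias text + (URI minus the matched location prefix), literally.

def map_root(location, root, uri):
    """root: file = root directory + full request URI."""
    if not uri.startswith(location):
        raise ValueError(f"{uri} is not under location {location}")
    return root.rstrip("/") + uri

def map_alias(location, alias, uri):
    """alias: file = alias text + the part of the URI after the matched prefix."""
    if not uri.startswith(location):
        raise ValueError(f"{uri} is not under location {location}")
    return alias + uri[len(location):]

def alias_slashes_consistent(location, alias):
    """Configuration check: location and alias must agree on the trailing slash,
    otherwise the literal substitution produces a wrong path."""
    return location.endswith("/") == alias.endswith("/")

if __name__ == "__main__":
    print(map_root("/ms", "/var/www/html/mems", "/ms/xx.html"))
    print(map_alias("/msf/", "/mems/", "/msf/xx.html"))
    print(map_alias("/images/", "/var/www/images", "/images/top.jpg"))   # the slash mismatch case
```

The last line shows why the trailing slash matters: with alias "/var/www/images" (no slash) the request /images/top.jpg resolves to /var/www/imagestop.jpg, not a file under the images directory.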
client_body_temp_path path [level1 [level2 [level3]]];
Sets the temporary storage path for the body of client request messages, together with the structure and number of subdirectories;
the levels are given as counts of hexadecimal digits;
client_body_temp_path /var/tmp/client_body 1 2 2;
1: the first-level subdirectory is named with one hex digit; 0-f
2: the second-level subdirectory is named with two hex digits: 00-ff
2: the third-level subdirectory is named with two hex digits: 00-ff
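An added example, not from the page: how the level digits turn a temporary file name into a directory path. nginx's documentation states that the directory names are taken from the end of the file name (level 1 from the last characters, level 2 from the characters before those, and so on); the function below applies that rule to the page's "1 2 2" layout and counts the leaf directories it creates. The file name is the one used in the nginx documentation's own illustration.

```python
# Added example (not from the page): model of the directory layout produced by
# client_body_temp_path levels. Level N takes its characters from the end of
# the file name, working backwards, as nginx documents.

def temp_file_path(base, levels, filename):
    """Full path of a temporary file under base with the given level widths."""
    if not 1 <= len(levels) <= 3 or any(width not in (1, 2) for width in levels):
        raise ValueError("between one and three levels, each 1 or 2 hex digits")
    if len(filename) < sum(levels):
        raise ValueError("file name is shorter than the level digits")
    parts = []
    end = len(filename)
    for width in levels:
        parts.append(filename[end - width:end])   # take digits from the tail
        end -= width
    return "/".join([base.rstrip("/"), *parts, filename])

def directory_count(levels):
    """Number of leaf directories the layout can create (16 per hex digit)."""
    count = 1
    for width in levels:
        count *= 16 ** width
    return count

if __name__ == "__main__":
    print(temp_file_path("/var/tmp/client_body", [1, 2, 2], "00000123457"))
    print(directory_count([1, 2, 2]), "leaf directories")
```

Three levels of "1 2 2" spread files over more than a million directories; deeper layouts only pay off when the temporary directory holds very many files at once.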
ngx_http_access_module:
Implements IP-based access control
allow address | CIDR | unix: | all;
deny address | CIDR | unix: | all;
Contexts: http, server, location, limit_except
location / {
    allow 171.16.0.0/16;
    allow 192.16.0.0/16;
    deny all;
}
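An added example, not from the page: the first-match evaluation that ngx_http_access_module applies to allow/deny rules, implemented in Python and run against constructed client addresses with the three rules from the location block above. Rules are checked in order and the first match decides, so a leading "deny all" shadows every allow after it. The unix: form is left out of this model, and remember that nginx compares the TCP peer address, so behind a proxy the rules see the proxy unless the real client address is restored.

```python
import ipaddress

# Added example (not from the page): first-match evaluation of allow/deny rules
# as done by ngx_http_access_module, over sample client addresses.

RULES = [("allow", "171.16.0.0/16"), ("allow", "192.16.0.0/16"), ("deny", "all")]

def parse_access_rules(config_text):
    """Turn lines like 'allow 10.0.0.0/8;' into (action, target) tuples in file order."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        action, _, target = line.partition(" ")
        if action not in ("allow", "deny") or not target.strip():
            raise ValueError(f"not an access rule: {line!r}")
        rules.append((action, target.strip()))
    return rules

def is_allowed(client_ip, rules):
    """True if the client may access; the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            hit = True
        else:
            net = ipaddress.ip_network(target, strict=False)   # single address or CIDR
            hit = ip.version == net.version and ip in net
        if hit:
            return action == "allow"
    return True   # no rule matched: nginx does not block the request

if __name__ == "__main__":
    for client in ("171.16.5.5", "192.16.200.1", "10.0.0.1"):
        print(client, "allowed" if is_allowed(client, RULES) else "denied")
```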
ngx_http_auth_basic_module
Implements user-based access control, authenticating users with the basic mechanism;
location / {
    auth_basic "input you passwd";
    auth_basic_user_file /etc/htpasswd;
}
[root@localhost html]# yum install httpd-tools
[root@localhost html]# htpasswd -c -m /etc/htpasswd momoda
New password:
Re-type new password:
Adding password for user momoda
[root@localhost html]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost html]# nginx -s reload
ngx_http_stub_status_module
Outputs basic status information about nginx;
location /status {
    stub_status;
}
Result:
[root@localhost www]# curl www.momoda1.com/status
Active connections: 1
server accepts handled requests
 37 37 34
Reading: 0 Writing: 1 Waiting: 0
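An added example, not from the page: a parser for the stub_status output above with the derived figures an operator watches. The difference between accepts and handled is the count of connections nginx accepted but could not handle, which its documentation attributes to a resource limit such as worker_connections. SAMPLE is the page's output; the second input in the test is constructed. A practitioner would also pair the /status location with allow/deny from the access module so the counters are not public.

```python
import re

# Added example (not from the page): parse stub_status output and derive the
# figures worth alerting on. SAMPLE is the output shown above.

SAMPLE = """Active connections: 1
server accepts handled requests
 37 37 34
Reading: 0 Writing: 1 Waiting: 0
"""

def parse_stub_status(text):
    active = re.search(r"Active connections:\s*(\d+)", text)
    counters = re.search(r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)", text)
    states = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if not (active and counters and states):
        raise ValueError("unrecognised stub_status output")
    accepts, handled, requests = (int(x) for x in counters.groups())
    reading, writing, waiting = (int(x) for x in states.groups())
    return {
        "active": int(active.group(1)),
        "accepts": accepts,
        "handled": handled,
        "requests": requests,
        "dropped": accepts - handled,          # accepted but not handled: a limit was hit
        "requests_per_connection": requests / handled if handled else 0.0,
        "reading": reading,
        "writing": writing,
        "waiting": waiting,
    }

def status_warnings(status, max_connections):
    """Checks a monitoring job could run on the parsed figures."""
    warnings = []
    if status["dropped"] > 0:
        warnings.append(f"{status['dropped']} accepted connections were not handled: "
                        "check worker_connections / worker_rlimit_nofile")
    if status["active"] >= 0.9 * max_connections:
        warnings.append("active connections within 10% of the configured maximum")
    return warnings

if __name__ == "__main__":
    status = parse_stub_status(SAMPLE)
    print(status)
    print(status_warnings(status, max_connections=1024) or "no warnings")
```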
ngx_http_ssl_module:
1. ssl on | off;
Enables the HTTPS protocol for the given virtual server.
2. ssl_certificate file;
PEM-format certificate file used by the current virtual host;
3. ssl_certificate_key file;
Private key file matching the certificate on the current virtual host;
4. ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
Supported SSL protocol versions; the default is the last three;
5. ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
builtin[:size]: use OpenSSL's built-in cache, which is private to each worker process;
[shared:name:size]: one cache shared among all workers;
6. ssl_session_timeout time;
How long the client side may reuse the SSL parameters stored in the ssl session cache;
Creating the certificate and signing it
[root@localhost html]# cd /etc/pki/CA/
[root@localhost CA]# ls
certs  crl  newcerts  private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # create the CA private key
Generating RSA private key, 2048 bit long modulus
...................................................................+++
........+++
e is 65537 (0x10001)
Create the self-signed CA certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ha
....
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo 01 >serial
[root@localhost CA]# cd /etc/nginx
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# (umask 077;openssl genrsa -out nginx.key 1024)
Generating RSA private key, 1024 bit long modulus
.........++++++
.............++++++
e is 65537 (0x10001)
Request the certificate
[root@localhost nginx]# openssl req -new -key nginx.key -out nginx.csr
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Modify the configuration file:
server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name www.momoda.com;
    root /var/www/html;
    ssl on;     # older form; newer nginx releases use the ssl parameter of listen instead
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_cache shared:sslcache:20m;
}
ngx_http_rewrite_module:
Contexts: location, server
Checks the URI requested by the user against the pattern described by regex, then performs the replacement;
1. rewrite regex replacement [flag]
Checks the user's requested URI against the pattern described by regex; when it matches, replaces it with the new URI given by replacement;
Note: if several rewrite rules exist in the same configuration block, they are checked one by one from top to bottom; after a rule has replaced the URI, a new round of checking starts, so there is an implicit loop; the flag given in [flag] controls this loop;
If replacement starts with http:// or https://, the result is returned directly to the client as a redirect;
301: permanent redirect;
[flag]:
last: after this rewrite, stop the remaining rewrite operations on the current URI in the current location, then start a new round of rewrite checks for the new URI; restarts the loop early;
break: after this rewrite, stop the remaining rewrite operations on the current URI in the current location, then jump straight to the configuration following the rewrite rules; ends the loop;
redirect: after the rewrite, return the newly generated URI to the client as a temporary redirect, and the client issues a new request; the replacement must not start with http:// or https://;
permanent: after the rewrite, return the newly generated URI to the client as a permanent redirect, and the client issues a new request;
2. return
return code [text]; return code URL; return URL; Stops processing and returns the specified code to a client.
3. rewrite_log on | off;
Whether to enable the rewrite log;
4. if (condition) { ... }
Introduces a new configuration context; when the condition holds, the directives in the block are executed; contexts: server, location;
condition:
Comparison operators:
==, !=
~: pattern match, case-sensitive;
~*: pattern match, case-insensitive;
!~: pattern does not match, case-sensitive;
!~*: pattern does not match, case-insensitive;
File and directory existence tests:
-e, !-e
-f, !-f
-d, !-d
-x, !-x
5. set $variable value;
User-defined variable;
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.momoda.com;
    rewrite /(.*) https://www.momoda.com/$1 permanent;
}
server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name www.momoda.com;
    root /var/www/html;
    ssl on;     # older form; newer nginx releases use the ssl parameter of listen instead
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 200s;
    include /etc/nginx/default.d/*.conf;
}
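An added example, not from the page: a simplified Python model of the rewrite loop and the four flags described above, so the difference between last, break, redirect and permanent can be traced on sample URIs. The cycle limit of 10 is nginx's own (it answers 500 when exceeded); the model keeps one rule list per pass rather than re-running location matching, which is the simplification. The rule sets in the test are constructed, except the page's http-to-https rule.

```python
import re

# Added example (not from the page): a simplified model of nginx's rewrite loop.
# Rules are (regex, replacement, flag) in block order, flag in
# None / "last" / "break" / "redirect" / "permanent"; $1..$9 are capture groups.

MAX_CYCLES = 10   # nginx's limit; beyond it the request fails with 500

def expand(replacement, match):
    """Replace $N in the replacement with the N-th capture group."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", replacement)

def apply_rewrites(uri, rules):
    """Return ("uri", final_uri) when processing continues past the rewrite rules,
    ("redirect", code, location) when the client is sent a redirect,
    or ("error", 500) when the rewrite cycle limit is exceeded."""
    for _cycle in range(MAX_CYCLES):
        restart = False
        for regex, replacement, flag in rules:
            match = re.search(regex, uri)
            if not match:
                continue
            new_uri = expand(replacement, match)
            # an absolute http(s) replacement, or redirect/permanent, leaves the server
            if flag in ("redirect", "permanent") or new_uri.startswith(("http://", "https://")):
                return ("redirect", 301 if flag == "permanent" else 302, new_uri)
            uri = new_uri
            if flag == "break":       # stop rewriting, keep this URI
                return ("uri", uri)
            if flag == "last":        # end this pass, start a new pass with the new URI
                restart = True
                break
            # no flag: keep checking the remaining rules against the new URI
        if not restart:
            return ("uri", uri)
    return ("error", 500)

if __name__ == "__main__":
    page_rule = [(r"/(.*)", "https://www.momoda.com/$1", "permanent")]
    print(apply_rewrites("/index.html", page_rule))
    chain = [(r"^/old/(.*)", "/new/$1", "last"), (r"^/new/(.*)", "/final/$1", "break")]
    print(apply_rewrites("/old/x.html", chain))
    print(apply_rewrites("/loop", [(r"^/loop", "/loop", "last")]))   # cycle limit
```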
ngx_http_referer_module:
The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the “Referer” header field.
Valid referers:
1. valid_referers none | blocked | server_names | string ...;
Defines the legal values of the referer header;
none: the request headers contain no referer header;
blocked: the request's referer header is present but has no usable value;
server_names: parameter whose values are host names or host name patterns;
arbitrary_string: a literal string, in which * may be used as a wildcard;
regular expression: strings matched by the given regular expression pattern; it must start with ~, for example ~.*\.magedu\.com;
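An added example, not from the page: a Python model of valid_referers that reports whether a Referer value would be accepted (i.e. whether nginx would leave $invalid_referer empty) for the parameter kinds listed above. Two details come from nginx's documentation rather than the page: strings and regexes are compared against the text after "http://" or "https://", and a plain string may carry a URI prefix such as example.com/galleries/. The Referer is supplied by the client, so this is hotlink deterrence rather than an authentication control. Sample headers are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the page): model of valid_referers. `valid` holds the
# directive's parameters: "none", "blocked", "server_names", plain strings with
# an optional leading/trailing * and optional URI prefix, or "~regex".

def host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def referer_is_valid(referer, valid, server_names=()):
    """True when the Referer header is acceptable under the given parameters."""
    if referer is None:                                               # header absent
        return "none" in valid
    if not referer.lower().startswith(("http://", "https://")):       # present but stripped
        return "blocked" in valid
    parts = urlsplit(referer)
    host = parts.hostname or ""
    path = parts.path or "/"
    for param in valid:
        if param in ("none", "blocked"):
            continue
        if param == "server_names":
            if any(host_matches(name, host) for name in server_names):
                return True
        elif param.startswith("~"):                                   # regex on "host/path"
            if re.search(param[1:], host + path):
                return True
        else:                                                         # string, optional URI prefix
            name, slash, prefix = param.partition("/")
            if host_matches(name, host) and path.startswith("/" + prefix if slash else "/"):
                return True
    return False

if __name__ == "__main__":
    policy = ["none", "blocked", "server_names", "*.other.net", r"~.*\.magedu\.com"]
    names = ["www.momoda1.com"]
    for ref in (None, "XXXX", "http://www.momoda1.com/index.html", "http://a.magedu.com/pics", "http://evil.example/x"):
        print(repr(ref), "valid" if referer_is_valid(ref, policy, names) else "invalid")
```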