
Building Nginx Server and Deep Optimization

2025-01-22 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

I. Introduction to Nginx

Nginx was developed specifically for performance. Its biggest advantages are its stability and low system resource consumption, as well as its high capacity for handling concurrent HTTP connections. A single physical server can support 20000 to 50000 concurrent requests. For this reason, a large number of enterprises providing social networks, news and information, e-commerce and web hosting services have chosen Nginx to provide web services. Websites in mainland China that currently use Nginx include Sina, NetEase and Tencent, and the well-known microblog Plurk also uses Nginx.

Nginx is a powerful high-performance Web and reverse proxy server with many excellent features:

High concurrency: official tests show support for 50,000 concurrent connections, and it reaches 20,000 to 30,000 concurrent connections in actual production environments.

Low memory consumption: with 30,000 concurrent connections, 10 running Nginx processes consume only 150 MB of memory (15 MB * 10 = 150 MB).

The configuration file is very simple: the style is as easy to understand as a program.

Low cost: Nginx, as open source software, can be used free of charge, while hardware load-balancing switches such as F5 BIG-IP and NetScaler cost from more than 100,000 to hundreds of thousands of RMB.

Rewrite rules are supported: HTTP requests can be distributed to different backend server groups according to domain name and URL.

Built-in health check: if a backend web server behind the Nginx proxy goes down, front-end access is not affected.

Bandwidth savings: GZIP compression is supported, and headers for the browser's local cache can be added.

High stability: when used as a reverse proxy, the probability of downtime is minimal.

For a Web server, the basic process of handling a request is: establish a connection, receive data, send data. At the lowest level of the system, each of these steps is a read or write event.

If you use blocking calls, then when the read or write event is not ready you can only wait: the current thread is suspended until the event is ready.

If you use non-blocking calls, the call returns immediately and tells you that the event is not ready and that you should come back later. After a while you check the event again, and so on until it is ready; in the meantime you can do something else first and then check again. Although the thread is no longer blocked, you have to check the status of the event from time to time. You can get more done, but the cost is not small. A non-blocking call means that the call does not block the current thread when the result is not immediately available.

Non-blocking calls decide whether to read or write by constantly checking the status of events, which brings a lot of overhead, so there is the asynchronous non-blocking event handling mechanism. This mechanism lets you monitor multiple events at the same time. Calling it is non-blocking, but you can set a timeout, and if an event becomes ready within the timeout, the call returns. This mechanism solves the problems of both blocking and non-blocking calls described above.

Take the epoll model as an example: when an event is not ready, it is placed in epoll (a queue). When an event is ready, it is handled; while it is not ready, it waits in epoll. In this way a large number of concurrent requests can be handled; the concurrent requests here are, of course, the outstanding ones. There is only one thread, so only one request can be processed at any moment. The thread simply keeps switching between requests, and each switch is a voluntary yield because an asynchronous event is not ready. The switching here has no cost and can be understood as looping over multiple prepared events.

Compared with multithreading, this kind of event handling has great advantages: there is no need to create threads, each request takes up very little memory, there is no context switching, and event handling is very lightweight. However high the concurrency, it does not lead to unnecessary waste of resources (context switching). With Apache servers, each request has its own worker thread, and when concurrency reaches the thousands there are thousands of threads processing requests at the same time. This is no small challenge for the operating system: the memory consumed by the threads is very large, and the CPU overhead of thread context switching is very high, so performance naturally cannot improve, resulting in serious performance degradation in high-concurrency scenarios.

Summary: through the asynchronous non-blocking event handling mechanism, Nginx has its process loop over multiple prepared events, thus achieving high concurrency while remaining lightweight.
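The mechanism described above, as an added Python example that is not part of the original article: one thread watches several connections through a single selector (epoll on Linux) and loops over only the events that are ready. The connections are simulated with socketpair(), and the names try_read and run_event_loop are chosen for this illustration.

```python
import selectors
import socket

REQUEST = b"GET / HTTP/1.0\r\n\r\n"       # constructed sample request
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\n"     # constructed sample response


def try_read(sock):
    """Non-blocking read: return the data, or None when the event is not ready."""
    try:
        return sock.recv(4096)
    except BlockingIOError:
        return None                        # "not ready, come back later"


def run_event_loop(batches, n_conns=3, timeout=1.0):
    """Serve n_conns connections from one thread.

    batches: lists of connection ids whose simulated clients send at the same moment.
    Returns (wakeups, early_reads): the connections handled on each wakeup, and what
    a plain non-blocking read returned on each connection before any client had sent.
    """
    sel = selectors.DefaultSelector()      # epoll on Linux, kqueue on BSD/macOS
    clients = []
    for conn_id in range(n_conns):
        server_side, client_side = socket.socketpair()
        server_side.setblocking(False)     # a read can never suspend the thread
        sel.register(server_side, selectors.EVENT_READ, data=conn_id)
        clients.append(client_side)
    try:
        early_reads = [try_read(key.fileobj) for key in sel.get_map().values()]
        wakeups = []
        for batch in batches:
            for conn_id in batch:
                clients[conn_id].sendall(REQUEST)
            ready = sel.select(timeout)    # one call monitors every connection
            handled = []
            for key, _mask in ready:       # loop over the prepared events only
                if try_read(key.fileobj) == REQUEST:
                    key.fileobj.sendall(RESPONSE)
                    handled.append(key.data)
            wakeups.append(sorted(handled))
        return wakeups, early_reads
    finally:
        for key in list(sel.get_map().values()):
            sel.unregister(key.fileobj)
            key.fileobj.close()
        for client in clients:
            client.close()
        sel.close()


if __name__ == "__main__":
    print(run_event_loop([[2], [0, 1]]))
```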

II. Set up the Nginx server

Official download address of Nginx: http://nginx.org/download/

Download address provided by me: https://pan.baidu.com/s/1PL0GyzRQ8zSPD74309R44g

Extraction code: 4mt4

1. Upload nginx-1.14.0.tar.gz to the server (because a later step upgrades Nginx, install a lower version of Nginx first)

    [root@nginx ~]# rz          # upload the required source code package in Xshell
    [root@nginx ~]# tar zxf nginx-1.14.0.tar.gz -C /usr/src          # unpack
    [root@nginx ~]# cd /usr/src/nginx-1.14.0/          # switch to the unpacked directory
    [root@nginx nginx-1.14.0]# useradd -M -s /sbin/nologin nginx          # create the user that runs Nginx
    [root@nginx nginx-1.14.0]# yum -y erase httpd          # uninstall the httpd service that comes with the system to avoid conflicts
    [root@nginx nginx-1.14.0]# yum -y install openssl-devel pcre-devel
    [root@nginx nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module && make && make install

III. Upgrade the version of the Nginx service to 1.2

    [root@nginx nginx-1.14.0]# /usr/local/nginx/sbin/nginx          # start the Nginx service
    [root@nginx nginx-1.2.4]# /usr/local/nginx/sbin/nginx -V
    nginx version: nginx/1.14.0          # note: the current version is nginx/1.14.0
    ..........          # some information omitted
    [root@nginx ~]# rz          # upload the required source code package in Xshell
    [root@nginx ~]# tar zxf nginx-1.2.4.tar.gz -C /usr/src          # unpack
    [root@nginx ~]# cd /usr/src/nginx-1.2.4/          # switch to the unpacked path
    [root@nginx nginx-1.2.4]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module && make
    # Do not execute the make install command when upgrading. Otherwise, the original low-version configuration file
    [root@nginx nginx-1.2.4]# pwd          # confirm the current path
    /usr/src/nginx-1.2.4
    [root@nginx nginx-1.2.4]# mv /usr/local/nginx/sbin/nginx nginx.bak          # rename the old version of the service control command
    [root@nginx nginx-1.2.4]# cp objs/nginx /usr/local/nginx/sbin/          # copy the newly generated control command to the specified directory
    [root@nginx nginx-1.2.4]# kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`          # generate a new PID number
    [root@nginx nginx-1.2.4]# kill -HUP `cat /usr/local/nginx/logs/nginx.pid`          # restart the Nginx service
    [root@nginx nginx-1.2.4]# /usr/local/nginx/sbin/nginx -V          # check whether the upgrade succeeded
    nginx version: nginx/1.2.4          # version 1.2.4, upgrade succeeded

IV. Modify Nginx service header information

Generally, in order to improve security, we hide the version information of Nginx from the client, as follows:

    # Before modification, a client that accesses the server can see the version of our Nginx server and other information, as follows:
    [root@nginx nginx-1.2.4]# curl -I 127.0.0.1          # get header information
    HTTP/1.1 200 OK
    Server: nginx/1.2.4          # version information is displayed in detail
    Date: Thu, 17 Oct 2019 14:40:50 GMT
    Content-Type: text/html
    Content-Length: 612
    Last-Modified: Thu, 17 Oct 2019 14:20:40 GMT
    Connection: keep-alive
    Accept-Ranges: bytes
    # Now modify as follows:
    [root@nginx nginx-1.2.4]# pwd          # confirm that the current working path is inside the source package
    /usr/src/nginx-1.2.4
    [root@nginx nginx-1.2.4]# vim src/core/nginx.h          # modify this file; the values can be changed as you like
    #define nginx_version      1002004
    #define NGINX_VERSION      "666"                    /* this is the version number information */
    #define NGINX_VER          "ljz/" NGINX_VERSION     /* this used to be nginx, now changed to ljz */
    # Note: the "#" symbols in front of the above configuration items do not need to be deleted
    # After the change is completed, save and exit
    [root@nginx nginx-1.2.4]# vim src/http/ngx_http_header_filter_module.c          # edit this file
    static char ngx_http_server_string[] = "Server: ljz" CRLF;
    # Search for "nginx", navigate to this line, and change the original nginx to ljz.
    # Note that it must be the same as the name specified in the previous file. After the change is completed, save and exit
    [root@nginx nginx-1.2.4]# vim src/http/ngx_http_special_response.c          # edit this file
    static u_char ngx_http_error_tail[] =          /* note: there is a section that is very similar to this one; use this line to tell them apart, because changing the wrong one causes an error */
    "<hr><center>ljz</center>" CRLF          /* change the nginx in the middle of this line to ljz */
    "</body>" CRLF
    "</html>" CRLF
    ;
    # After the changes are completed, save and exit
    [root@nginx nginx-1.2.4]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module && make          # reconfigure and compile
    [root@nginx nginx-1.2.4]# mv /usr/local/nginx/sbin/nginx nginx2.bak          # rename the original nginx command
    [root@nginx nginx-1.2.4]# cp objs/nginx /usr/local/nginx/sbin/          # copy the newly generated nginx command to the specified directory
    [root@nginx nginx-1.2.4]# /usr/local/nginx/sbin/nginx -s stop          # stop the nginx service
    [root@nginx nginx-1.2.4]# /usr/local/nginx/sbin/nginx          # start nginx
    [root@nginx nginx-1.2.4]# curl -I 127.0.0.1          # view its header information
    HTTP/1.1 200 OK
    Server: ljz/666          # changed successfully
    ..........          # part of the content omitted
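Because the changed strings live in the source tree, a binary built later from an unpatched tree brings the stock banner back, so the header is worth re-checking after every rebuild. The following check is an added example, not code from the original article; it classifies the Server header of `curl -I` output, using the two responses shown above plus one constructed sample of the banner sent when nginx's `server_tokens off;` directive is set. The function names are chosen for this illustration.

```python
import re

# The two responses shown above (shortened), plus one constructed sample.
BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Thu, 17 Oct 2019 14:40:50 GMT
Content-Type: text/html
"""
AFTER = "HTTP/1.1 200 OK\nServer: ljz/666\n"
TOKENS_OFF = "HTTP/1.1 200 OK\nServer: nginx\n"       # constructed sample


def server_header(raw_response):
    """Return the Server header value from `curl -I` output, or None."""
    for line in raw_response.splitlines()[1:]:         # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify_banner(raw_response):
    """Classify the banner as 'absent', 'stock+version', 'stock' or 'custom'."""
    banner = server_header(raw_response)
    if banner is None:
        return "absent"
    product, _, version = banner.partition("/")
    if product.lower() != "nginx":
        return "custom"                                # e.g. the patched "ljz/666"
    if re.fullmatch(r"\d+(\.\d+)+", version):
        return "stock+version"                         # product and real version leak
    return "stock"                                     # product only, no version


def hosts_with_stock_version(responses):
    """Given {host: raw response}, list the hosts that still disclose the version."""
    return sorted(host for host, raw in responses.items()
                  if classify_banner(raw) == "stock+version")


if __name__ == "__main__":
    # Host labels are constructed for the demonstration.
    fleet = {"before-patch": BEFORE, "after-patch": AFTER, "tokens-off": TOKENS_OFF}
    for host, raw in fleet.items():
        print(host, server_header(raw), classify_banner(raw))
    print("still disclosing the version:", hosts_with_stock_version(fleet))
```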

V. Detailed explanation of location options in the main configuration file of Nginx

In the main configuration file of Nginx there is an http {} block, and server {} blocks are contained in http {}. Each server {} represents a virtual host, in which different parameters can be configured for a web service. Here we look at the configuration of location {} in detail.

1. The difference between root and alias

root: the URL path is appended to the configured path to form the path of the file that is actually accessed. alias: the URL path is not appended to the configured path.

In the following configuration, "^" means "begins with", and "~" means that regular-expression matching is used.

1) now change the location in the configuration file to the following:

    [root@nginx conf]# vim nginx.conf          # edit the main configuration file
    http {
        ...........          # part of the content omitted
        server {
            listen 80;
            location ^~ /www {
                root /var/www/html;          # when accessing 127.0.0.1/www, nginx looks for the www directory under the /var/www/html path
                index index.html index.htm;
            }
            ...........          # part omitted
        }
    }
    [root@nginx nginx]# nginx -t
    [root@nginx nginx]# nginx -s reload          # reload the service twice, otherwise the change may not take effect
    [root@nginx nginx]# nginx -s reload
    [root@nginx conf]# mkdir -p /var/www/html/www
    [root@nginx conf]# echo "/var/www/html/www/index.html" > /var/www/html/www/index.html

The client accesses 192.168.20.5/www for testing:

2) now change the location in the configuration file to the following:

    [root@nginx conf]# vim nginx.conf          # edit the main configuration file
    http {
        ...........          # part of the content omitted
        server {
            listen 80;
            location ^~ /test02 {
                alias /var/www/test02;          # when you visit 127.0.0.1/test02, nginx looks for the web page file in the /var/www/test02 directory
                index index.html index.htm;
            }
            ...........          # part omitted
        }
    }
    [root@nginx nginx]# nginx -t
    [root@nginx nginx]# nginx -s reload
    [root@nginx nginx]# nginx -s reload
    [root@nginx conf]# mkdir -p /var/www/test02
    [root@nginx conf]# echo "/var/www/test02/index.html" > /var/www/test02/index.html

The client accesses 192.168.20.5/test02 for testing:
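The two mappings above, worked through as an added Python example that is not part of the original article: it computes the file path for each location and checks it against a temporary copy of the two directories created in the walkthrough, then repeats the check with the directives swapped by mistake. The function names are chosen for this illustration, and only prefix locations are modelled.

```python
import os
import tempfile


def map_uri(directive, location, path, uri):
    """File path nginx derives for `uri` inside a prefix location block."""
    if not uri.startswith(location):
        raise ValueError(f"{uri} is not handled by location {location}")
    if directive == "root":
        return path + uri                       # root: the whole URI is appended
    if directive == "alias":
        return path + uri[len(location):]       # alias: the matched prefix is replaced
    raise ValueError(f"unknown directive {directive}")


def build_sample_tree(base):
    """Create the two index.html files from the walkthrough under `base`."""
    for rel in ("var/www/html/www", "var/www/test02"):
        os.makedirs(os.path.join(base, rel))
        with open(os.path.join(base, rel, "index.html"), "w") as fh:
            fh.write("/" + rel + "/index.html\n")


def check(base, directive, location, path, uri):
    """Return (mapped path, whether that file exists in the sample tree)."""
    mapped = map_uri(directive, location, path, uri)
    return mapped, os.path.isfile(os.path.join(base, mapped.lstrip("/")))


def demo():
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return [
            # the two configurations from the walkthrough
            check(base, "root", "/www", "/var/www/html", "/www/index.html"),
            check(base, "alias", "/test02", "/var/www/test02", "/test02/index.html"),
            # the same two locations with the directives swapped by mistake
            check(base, "alias", "/www", "/var/www/html", "/www/index.html"),
            check(base, "root", "/test02", "/var/www/test02", "/test02/index.html"),
        ]


if __name__ == "__main__":
    for mapped, found in demo():
        print(f"{mapped:40} {'served' if found else 'not found'}")
```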

2. When the specified suffix is matched, it is redirected to the specified file

Demonstration 1:

    [root@nginx conf]# vim nginx.conf          # edit the main configuration file
    http {
        ...........          # part of the content omitted
        server {
            listen 80;
            location ~* \.(gif|jpg|png)$ {
                rewrite \.(gif|jpg)$ /error.png;
            }
            # The above means that when files ending in gif or jpg are accessed, the request jumps to /usr/local/nginx/html/error.png
            ...........          # part omitted
        }
    }
    [root@nginx nginx]# nginx -t
    [root@nginx nginx]# nginx -s reload
    [root@nginx nginx]# nginx -s reload
    [root@nginx html]# pwd          # view the current path
    /usr/local/nginx/html
    [root@nginx html]# ls          # error.png needs to be stored in this directory
    50x.html  error.png  index.html

The client accesses 192.168.20.5/bb.gif for testing:

Demonstration 2:

    [root@nginx res]# pwd
    /webroot/res
    [root@nginx res]# ls          # images stored in this path
    test1.jpg
    [root@nginx html]# pwd          # current path
    /usr/local/nginx/html
    [root@nginx html]# cat index.html          # there is a home page file
    /usr/local/nginx/html/index.html
    [root@nginx html]# vim ../conf/nginx.conf          # edit the main configuration file
    server {
        listen 80;
        server_name localhost;
        location ~* \.(gif|jpg|jpeg|png|css|js|ico)$ {          # "~" means regular expressions are used, and "*" means case-insensitive
            root /webroot/res;          # when accessing files ending with the above gif, jpg, etc., go to the /webroot/res directory to find them
            index index.html index.html;
        }
        location / {
            root html;
            index index.html index.htm;
        }
    }
    [root@nginx html]# nginx -s reload          # restart the service for the changes to take effect

The client accesses 192.168.20.5 of Nginx for testing:

What you see is the contents of the index.html file under html. Now visit 192.168.20.5/test1.jpg to test:

In this way, you will see the test1.jpg image in the /webroot/res/ directory.

3. When the specified request method is matched, a specific status code is returned

    [root@nginx conf]# vim nginx.conf          # edit the main configuration file
    http {
        ...........          # part of the content omitted
        server {
            listen 80;
            if ($request_method = TEST) {
                return 666;
            }
            # When the client uses the TEST request method, the status code 666 is returned
            ...........          # part of the content omitted
        }
    }
    [root@nginx nginx]# nginx -t
    [root@nginx nginx]# nginx -s reload
    [root@nginx nginx]# nginx -s reload

Execute the command curl -X TEST -I 127.0.0.1 locally to test:

You can see that the status code we specified has been returned.

4. When the client does not access the server with the specified domain name, it is redirected to a specified domain name

    [root@nginx conf]# vim nginx.conf          # edit the main configuration file
    http {
        ...........          # part of the content omitted
        server {
            listen 80;
            if ($host != 'www.test.com') {
                rewrite ^/(.*)$ https://www.baidu.com/$1;
            }
            # The above means that when the client does not access the server through the www.test.com domain name, it jumps to the Baidu homepage
            ...........          # some content omitted
        }
    }
    [root@nginx nginx]# nginx -t
    [root@nginx nginx]# nginx -s reload
    [root@nginx nginx]# nginx -s reload

The client accesses 192.168.20.5 for testing:

Since I visited once before the screenshot, when I enter IP here, it will automatically correspond to Baidu.

VI. Configure https to access Nginx

We all know that http uses port 80 and https uses port 443. Because https is more secure, most web services are now accessed through https, so next we configure https access to the Nginx server.

Because a CA certificate that is certified on the Internet has to be purchased for a fee, here we make a CA certificate that is not certified on the Internet.

    [root@nginx ca]# pwd          # switch to the specified directory
    /usr/local/nginx/ca
    [root@nginx ca]# openssl genrsa -out ca.key 4096          # generate the key file
    [root@nginx ca]# openssl req -new -x509 -days 7304 -key ca.key -out ca.crt
    # For the following prompts you can press Enter directly to accept the default value
    ..........          # part of the content omitted
    Country Name (2 letter code) [XX]:zh          # country name
    State or Province Name (full name) []:beijing          # state or province (full name)
    Locality Name (eg, city) [Default City]:beijing          # city name
    Organization Name (eg, company) [Default Company Ltd]:test          # company name
    Organizational Unit Name (eg, section) []:operation          # department
    Common Name (eg, your name or your server's hostname) []:test.com          # hostname
    Email Address []:lv916551516@163.com          # mailbox
    [root@nginx ca]# ls          # make sure the following two files are in the current directory
    ca.crt  ca.key
    [root@nginx ca]# vim /usr/local/nginx/conf/nginx.conf          # edit the main configuration file
    ...........          # part of the content omitted
    # Search for "HTTPS" to navigate to the following configuration section and delete all comment symbols in server {} under HTTPS.
    # Then change it as follows (two lines altogether):
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /usr/local/nginx/ca/ca.crt;          # change this line, specify the absolute path of ca.crt
        ssl_certificate_key /usr/local/nginx/ca/ca.key;          # then change this line, specify the absolute path of ca.key
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ...
        location / {
            root html;
            index index.html index.htm;
        }
    }
    # After the change is completed, save and exit
    [root@nginx ca]# nginx -s reload          # restart nginx
    [root@nginx ca]# nginx -s reload

The client uses https to access the server for testing (because the certificate is not certified on the Internet, the following warning message appears; click Advanced and choose to continue):

HTTPS access succeeded:

VII. Enable Nginx access authentication

Sometimes, some pages of our web service are not open to everyone. In this case, you can turn on the access authentication of the page. After opening it, you need to log in with a user name and password to see the corresponding page.

If you visit our 192.168.20.5/auth/ web page file without enabling access authentication, you can access it directly, as follows:

Now turn on the authentication:

    [root@nginx ~]# yum -y install httpd-tools          # install the required htpasswd tool
    [root@nginx ~]# htpasswd -c /usr/local/nginx/.passwd admin          # create an admin user
    New password:          # enter the user password
    Re-type new password:          # confirm the password
    Adding password for user admin
    # Note: to add a second user to .passwd, you need to omit the "-c" option, otherwise all previous users will be overwritten.
    [root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf          # edit the Nginx configuration file
    ...........          # some of the contents omitted; edit the server configuration section that needs to be authenticated
    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location /auth {          # note that the actual path here is equivalent to "/usr/local/nginx/html/auth"
            root html;
            index index.html index.htm;
            auth_basic "Please enter the login account";          # add the prompt statement
            auth_basic_user_file /usr/local/nginx/.passwd;          # specify the storage path of the password file
        }
    }
    # After editing, save and exit
    [root@nginx nginx]# nginx -s reload          # restart the Nginx service

The client performs access testing (will be prompted for a user name and password, and can log in as long as it is the user and password contained in the .passwd file):

After logging in successfully, you can see the web page file:
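With auth_basic, the browser sends the user name and password with every request, only base64-encoded, so in the server block above (listen 80) they cross the network unencrypted. The following configuration check is an added example, not part of the original article: it parses nginx configuration text and reports each location that enables auth_basic on a listener without ssl. The parser is a simplified one written for this illustration (it assumes no "{", "}" or ";" inside regular expressions or quoted strings), and TLS_CONF is a constructed variant.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse(text):
    """Parse nginx configuration text into nested (name, args, children) tuples."""
    tokens = TOKEN.findall(re.sub(r"(?m)(^|\s)#.*$", "", text))   # drop comments
    pos = 0

    def block():
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == ";" and words:
                items.append((words[0], words[1:], []))
                words = []
            elif tok == "{":
                items.append((words[0], words[1:], block()))
                words = []
            elif tok != ";":
                words.append(tok)
        return items

    return block()


def walk(items, name):
    """Yield every block or directive called `name`, at any depth."""
    for item in items:
        if item[0] == name:
            yield item
        yield from walk(item[2], name)


def basic_auth_without_tls(conf_text):
    """List (listen value, location) pairs where auth_basic is served without ssl."""
    findings = []
    for _name, _args, server in walk(parse(conf_text), "server"):
        plain = [a[0] for n, a, _ in server if n == "listen" and "ssl" not in a]
        for _n, loc_args, body in walk(server, "location"):
            if any(n == "auth_basic" and a != ["off"] for n, a, _ in body):
                findings += [(port, loc_args[-1]) for port in plain]
    return findings


# Server block from the walkthrough above, with the inline annotations removed.
PAGE_CONF = """
server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    location /auth {
        root html;
        auth_basic "Please enter the login account";
        auth_basic_user_file /usr/local/nginx/.passwd;
    }
}
"""
# Constructed variant: the same location served only by a TLS listener.
TLS_CONF = PAGE_CONF.replace("listen 80;", "listen 443 ssl;")
```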
