
Introduction to Nginx rules and modules

2025-01-19 Update From: SLTechnology News&Howtos


1. Overview

As we all know, Nginx has many functional modules, such as reverse proxy, cache and so on. This article summarizes the Nginx rules and modules we have found useful in our production environment over the years. Most of it is a summary and introduction of usage; Google the details when you do the actual configuration.

2. Built-in syntax

Let's first introduce the built-in features supported by Nginx by default, which basically meet most of the web service requirements.

2.1 proxy Agent

Proxying is used in two kinds of scenarios: one is transit, relaying traffic through a remote host to reach sites that are otherwise unreachable, and the other is load balancing across back-end services.

When using a reverse proxy, note that by default the domain name is resolved once, when nginx starts. Unless you reload, the originally resolved address is used from then on; that is, the name is not resolved dynamically.

This problem can be solved through other modules or by using built-in variables.

    resolver 114.114.114.114;
    server {
        location / {
            # a variable in proxy_pass makes nginx resolve the name at request time
            set $servers github.com;
            proxy_pass http://$servers;
        }
    }

2.1.1 Transit

Transit for a single domain name:

    server {
        listen 172.16.10.1:80;
        server_name pypi.python.org;
        location ~ /simple {
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_pass http://pypi.python.org;
        }
    }

Note that if the front-end and back-end domain names differ, you need to handle redirects such as 301 with proxy_redirect; otherwise a redirect will send the client to the proxy_pass domain name.

In addition, you can directly proxy all http traffic on port 80:

    server {
        listen 80;
        server_name _;
        resolver 114.114.114.114;
        # $host comes from the client's request
        set $URL $host;
        location / {
            proxy_pass http://$URL;
        }
    }
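An added example, not from the original article: because $host is taken from the client's request, the catch-all proxy above relays to whatever name a client supplies. A restricted variant is sketched here; the client range 172.16.10.0/24 and the two allowed destinations are assumptions chosen for illustration.

```nginx
# http context. Added example; the client range and allowlist are assumptions.
# Map the client-supplied Host header to an approved upstream name.
# Anything not listed maps to the empty string.
map $host $proxy_target {
    default           "";
    pypi.python.org   pypi.python.org;
    github.com        github.com;
}

server {
    listen 172.16.10.1:80;          # bind to the internal address only
    server_name _;
    resolver 114.114.114.114;

    # Only internal clients may use the relay.
    allow 172.16.10.0/24;
    deny  all;

    location / {
        # Refuse destinations that are not on the allowlist.
        if ($proxy_target = "") {
            return 403;
        }
        proxy_set_header Host $proxy_target;
        proxy_pass http://$proxy_target;
    }
}
```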

Proxying https sites is not impossible, but you have to handle importing the CA certificate yourself, and https traffic relayed this way is transparent to nginx; that is, with the certificate in hand the traffic can be eavesdropped on and hijacked.

2.1.2 load balancing

This is the other common use of proxying. An upstream block distributes requests to multiple backends; you can use weight to adjust the weighting or the backup keyword to designate a standby backend. The default is usually fine, or you can specify a balancing method such as ip_hash. The configuration is very simple. First add the upstream definition in the http block:

    upstream backend {
        ip_hash;
        server backend1.example.com weight=5;
        server backend2.example.com weight=5;
    }

Then add proxy_pass in the server block:

    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

When load balancing, nginx can detect the status of the back-end servers. Although proxy_next_upstream moves a request on to another backend, some normal user connections are regularly lost as "probes": after max_fails failed attempts the backend is rested for the fail_timeout period, and then real traffic is tried against it again. To avoid this, you can use the third-party upstream_check module to probe the backends periodically in the background, like this:

    check interval=3000 rise=2 fall=5 timeout=2000 type=http;

Probing this way, instead of with users' normal connections, further ensures high availability.

The same approach applies when acting as a front-end proxy: proxy_pass directly to the back end, as in the CDN scenario.

2.2 hotlink protection

Ordinary hotlink protection is done through the Referer header, for example:

    location ~* \.(gif|jpg|png|bmp)$ {
        valid_referers none blocked *.example.com server_names ~\.google\. ~\.baidu\.;
        if ($invalid_referer) {
            return 403;
        }
    }

A more elaborate approach is URL encryption: an encrypted URL is generated from variables such as the user's IP. This is usually used for file downloads and can be implemented with Lua scripts in openresty or with modules such as accesskey.

2.3 variables

nginx supports regular-expression matching and variables. Built-in variables such as $remote_addr, $request_filename, $query_string and $server_name can be combined into many rules, and variables such as $status and $http_cookie are available for logging.

In addition, a regular expression can be used when configuring multiple domain names, for example:

    server_name ~^(www\.)?(.+)$;
    root /data/web/$2;

In this way each domain name is automatically mapped to its own directory.

You can also define your own variables, for example setting a variable a to 1:

    set $a 1;

This is more useful in combination with if, as in the following case.

2.4 if judgment

nginx supports some simple if conditions, but it has no syntax for combining several conditions. Multiple conditions have to be implemented with a helper variable. For example, to allow users whose IP addresses start with 10.10.61. or 192.168.100. and reject everyone else with a 405 status code:

    # deny by default
    set $err 1;
    # anchor the pattern and escape the dots so only these prefixes match
    if ($remote_addr ~ ^10\.10\.61\.) {
        set $err 0;
    }
    if ($remote_addr ~ ^192\.168\.100\.) {
        set $err 0;
    }
    if ($err = 1) {
        return 405;
    }

This neatly implements the requirement with a single err variable.
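The same allow-list expressed with the geo module, as an added example rather than the article's own configuration: geo compares $remote_addr against CIDR ranges, so there is no regular expression to anchor or escape. The /24 ranges are assumed to be what the 10.10.61. and 192.168.100. prefixes stand for, and the document root is a placeholder.

```nginx
# http context. Added example (not from the original article).
# geo uses $remote_addr by default and matches CIDR ranges.
geo $err {
    default          1;   # everyone else is rejected
    10.10.61.0/24    0;
    192.168.100.0/24 0;
}

server {
    listen 80;
    server_name _;

    location / {
        # "if" treats "0" and the empty string as false.
        if ($err) {
            return 405;   # status code used in the article
        }
        root /data/web;   # assumed document root
    }
}
```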

2.5 error_page

When proxying to a backend, add this directive so that the backend's error status codes are passed to nginx for error_page handling:

    fastcgi_intercept_errors on;

error_page is generally pointed at a specific error page URL, for example:

    # return the specific status code
    error_page 404 403 /4xx.html;
    # return a 200 status code
    error_page 404 403 =200 /error.html;

Or handle errors uniformly with a fallback:

    error_page 404 403 = @fallback;
    location @fallback {
        proxy_pass http://backend;
        access_log /data/logs/404_error.log access;
    }

This way the URL is not changed by a redirect, and the 404 page is returned directly.

2.6 rewrite

rewrite performs redirects such as 301 and 302, and on a CDN front end it can also be used to strip the query string ("remove the question mark") for caching:

    location /db.txt {
        rewrite (.*) $1? break;
        include proxy.conf;
    }

The most common form of rewrite:

    rewrite ^/game/(.*) /$1;

This rewrites /game/test to /test. Note that no redirect status code is involved; if the access is normal, the normal status code is returned directly.

You can add the permanent flag to make it a 301 Moved Permanently, or redirect for a 302.

Similarly, several regex captures can be used to reassemble a URL, for example:

    rewrite ^/download/(.*)/lastest/(.*)$ /file/$1?ver=$2 break;

2.7 Log field

If you want to record extra data for each connection, you can add fields to the nginx log, for example to record cookies.

Just add the $http_cookie variable to log_format.

In addition, POST data can be kept in files, for example to back up HTTP logs including the raw GET and POST data. Enable this setting:

    client_body_in_file_only on;

The POST data is then saved in the nginx/client_body_temp folder.

2.8 internal keyword

This keyword is rarely used, but it is sometimes useful, for example when there are many rules and a directory suddenly needs to be switched to nginx-internal handling only.

    location ^~ /upload/down/ {
        alias /data/web/dts/dtsfile/down/;
        internal;
    }

2.9 try_files

Literally "try": the directive is followed by several directories or files, for example for the kohana framework:

    try_files $uri /index.php?$query_string;

nginx first checks whether the file for the URL exists; if not, index.php handles the request. A status code can also be given as the fallback:

    try_files /foo /bar/ =404;

If neither of these two exists, a 404 status is returned.

2.10 auth authentication

You can set up simple user login authentication; the passwd_file has to be generated with the apache htpasswd command.

    auth_basic "Restricted";
    auth_basic_user_file passwd_file;

Once authentication has passed, the Authorization header containing the base64-encoded user name and password is sent to the server with every request.

2.11 gzip

gzip compression is a must for an ordinary production web site: text-type files are compressed before being returned to the user.

Note that you must explicitly list all the types that need to be compressed, such as css, js and so on. Our production configuration is as follows:

    gzip on;
    gzip_min_length 2048;
    gzip_buffers 4 16k;
    gzip_vary on;
    gzip_http_version 1.1;
    gzip_types text/plain text/css text/xml application/xml application/javascript application/x-javascript;

2.12 mime configuration

This configuration was basically ignored for a long time, but a problem showed up after mobile games became popular. Mobile browsers need to be told the type of files with the apk suffix; otherwise IE-like browsers will download them with a zip suffix. Add:

    application/vnd.android.package-archive apk;
    application/iphone pxl ipa;

2.13 Speed limit

Rate limiting covers limiting the number of concurrent requests and limiting the download speed.

To simply limit the download speed of a single connection, add one line:

    limit_rate 1024k;

To limit things like the concurrency of one IP, use the ngx_http_limit_req_module and ngx_http_limit_conn_module modules; both are compiled in by default.

For example, use a 10m state zone that accepts only 20 requests per second from each IP:

    limit_req_zone $binary_remote_addr zone=NAME:10m rate=20r/s;
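limit_req_zone only declares the shared state; it takes effect once a location refers to it. The following added example (not from the original article) applies the zone above and adds a per-IP connection limit. The zone name perip, the burst size, the 429 status, the /download/ path and the document root are assumptions; backend is the upstream defined in section 2.1.2.

```nginx
# http context
limit_req_zone  $binary_remote_addr zone=NAME:10m  rate=20r/s;
limit_conn_zone $binary_remote_addr zone=perip:10m;

# Answer rejected requests with 429 instead of the default 503.
limit_req_status  429;
limit_conn_status 429;

server {
    listen 80;
    server_name _;

    location / {
        # Allow bursts of up to 40 requests above 20 r/s, served
        # without delay; anything beyond that is rejected.
        limit_req zone=NAME burst=40 nodelay;
        proxy_pass http://backend;
    }

    location /download/ {
        limit_conn perip 2;      # at most 2 simultaneous connections per IP
        limit_rate 1024k;        # per-connection speed, as in the article
        root /data/web;          # assumed document root
    }
}
```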

2.14 location matching

There are many ways to match a location, such as:

    location = / {
    location / {
    location ^~ /test {

There is a priority order, and the exact match "=" has the highest priority. Generally, the "~" symbol is used to match php, but it is case-sensitive:

    location ~ .*\.php$ {

2.15 File caching

Files returned to users are generally configured with an expiration time for browsers to cache.

For example, cache for 14 days:

    expires 14d;

For some special files, caching has to be disabled after the location match:

    add_header Cache-Control no-cache;
    add_header Cache-Control no-store;
    expires off;

2.16 cache file

Nginx can act as a cache server, like ATS, to cache files. The configuration is relatively simple, but we seldom use it except on some special occasions. Reference configuration:

    # first define the cache directory
    proxy_cache_path /data/cache/ levels=1:2 keys_zone=cache_one:10m inactive=7d max_size=10g;
    proxy_temp_path /data/cache/proxy_temp_path;
    proxy_cache_key $host$uri$is_args$args;

    # then, in the location in server that matches the target files, add the following
    proxy_cache cache_one;
    proxy_cache_valid 200 304 24h;
    proxy_cache_valid any 10m;
    proxy_pass https://$host;
    proxy_cache_key $host$uri$is_args$args;
    add_header Nginx-Cache "$upstream_cache_status";

3. Built-in modules

Nginx contains a large number of modules that can support a variety of complex requirements. For example, there is a lot of C module code in the source directory src/http/modules, or you can check which built-in modules are available with ./configure --help | grep module and enable them at compile time.

In addition to the built-in modules in nginx, there are many third-party modules on the network; they are compiled in by adding the parameter --add-module=PATH to point at the module source code at compile time.

Here are some awesome built-in modules that we have used online.

3.1 stream

The port forwarding module is supported from nginx 1.9 and supports both tcp and udp. Compared with iptables, although it works at the application layer and listens on the port, it is easy to configure and more flexible. Adding server blocks, similar to vhosts, under the stream block makes automated management easy. Reference configuration:

    server {
        listen PORT;
        proxy_pass IP:PORT;
        access_log /data/logs/tcp/PORT.log;
    }

3.2 http_realip_module

Behind an nginx reverse proxy, how can the back-end web server see the user's real IP directly instead of the reverse proxy's IP? This module does that, so the application code does not need special handling of variables such as X-Real-IP.
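How the two sides fit together, as an added example that is not part of the original article: the front proxy sets X-Real-IP, and the back end rewrites $remote_addr from that header only when the connection comes from the proxy. The proxy address 172.16.10.1, the log format name realip and the log path are assumptions.

```nginx
# --- front-end reverse proxy (inside its server block) ---
location / {
    proxy_set_header Host      $http_host;
    # Overwrite whatever value the client may have sent in this header.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://backend;
}

# --- back-end nginx, http context (built with --with-http_realip_module) ---
# Trust the header only from the known proxy address. Requests from any
# other source keep their socket address, so a client that reaches the
# back end directly cannot forge X-Real-IP.
set_real_ip_from 172.16.10.1;
real_ip_header   X-Real-IP;

# $remote_addr is now the user's address; $realip_remote_addr still holds
# the address of the connecting proxy for auditing.
log_format realip '$remote_addr via $realip_remote_addr "$request" $status';
access_log /data/logs/access.log realip;
```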

3.3 http_slice_module

When doing CDN, this module can split a large file into several small slices that are fetched from the back end with 206 range requests and then combined, avoiding the problem of a large file being pulled from the origin directly, which leads to multiple copies and repeated origin pulls.

3.4 http_secure_link_module

The hotlink protection mentioned earlier can be done with this module, though it is generally used for file downloads. For example, when a user downloads from a web page, the server generates an encrypted URL for the user, and the URL carries an expiration time and so on, to prevent it from being shared over and over. Ordinary assets can simply use ordinary hotlink protection.
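A configuration for such expiring download links, as an added example (not from the original article) built on the directives of ngx_http_secure_link_module. The /down/ path, the argument names md5 and expires, the document root, and the word secret standing in for the shared key are assumptions.

```nginx
# Requires --with-http_secure_link_module.
location /down/ {
    # Token and expiry timestamp come from the query string:
    #   /down/file.zip?md5=<token>&expires=<unix time>
    secure_link $arg_md5,$arg_expires;

    # Expected token = base64url(md5(expires + uri + client IP + " " + key)).
    # Including $remote_addr ties the link to the requesting user's address.
    secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

    # "" : token missing or wrong
    if ($secure_link = "") {
        return 403;
    }
    # "0": token valid but past its expiry time
    if ($secure_link = "0") {
        return 410;
    }

    root /data/web;
}

# The application that issues the link computes the same token, e.g. for
# expires=2147483647, uri=/down/file.zip, client 127.0.0.1:
#   echo -n '2147483647/down/file.zip127.0.0.1 secret' | \
#       openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
```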

3.5 http_sub_module

Replaces content in the response to the user, equivalent to running sed on it before returning it. For example, when you need to temporarily change the site's background or title, it can be handled in one place.

4. Extension projects

A brief introduction to two well-known nginx-based extension projects, both of which we also use in many places in production.

4.1 openresty

With Lua scripting integrated, it can accomplish almost any common web-related requirement.

For example, URL encryption is used for anti-hijacking and hotlink protection. The server dynamically generates an AES-encrypted URL and hands it to the CDN; openresty on the CDN decrypts it, passes it to the backend as an ordinary URL, and then returns the correct content to the user.

4.2 tengine

Taobao's modified version of nginx implements many of nginx's paid features or special features, such as dynamic loading, concat request merging, dynamic resolution and so on.

The back ends of our python development basically use this version, mainly for the asset-merging function of concat.
