2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
The earlier blog post on the preliminary optimization of Nginx covered the basic concepts of Nginx and some preliminary optimizations, including: Nginx smooth upgrade, changing the Nginx version information, Nginx virtual host configuration, the role of the location option in the nginx configuration file, and so on. This blog post focuses on further optimization of Nginx.
Blog outline:
I. Nginx configuration reverse proxy
II. The use of proxy cache in Nginx
III. Optimize the compression function of Nginx service
I. Nginx configuration reverse proxy
Configure Nginx as a reverse proxy and load balancer, use its cache function to cache static pages in Nginx in order to reduce the number of connections to the back-end servers, and check the health status of the back-end web servers.
As shown in the figure:
Environment requirements:
One Nginx server (CentOS system), IP address: 192.168.1.1
Two httpd servers (CentOS system), IP addresses: 192.168.1.2 and 192.168.1.3
Download the Nginx package
Install Nginx:
[root@localhost ~]# yum -y install gcc gcc-c++ make libtool zlib zlib-devel pcre pcre-devel openssl openssl-devel
# if the system was installed as a minimal installation, install the dependency packages above
[root@localhost ~]# yum -y install pcre-devel zlib-devel openssl-devel
# if the system was not installed as a minimal installation, install the dependency packages above
[root@localhost ~]# unzip nginx-sticky-module.zip -d /usr/src/
# use the nginx-sticky-module extension module to implement cookie-based session stickiness (session persistence)
[root@localhost ~]# tar zxf ngx_brotli.tar.gz -C /usr/src/
[root@localhost ~]# tar zxf ngx_cache_purge-2.3.tar.gz -C /usr/src/
# use ngx_cache_purge for more powerful cache purging
# install the Nginx source code dependency packages
[root@localhost ~]# tar zxf nginx-1.14.0.tar.gz -C /usr/src/
[root@localhost ~]# cd /usr/src/nginx-1.14.0/
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=nginx \
    --group=nginx --with-http_stub_status_module --with-http_realip_module \
    --with-http_ssl_module --with-http_gzip_static_module \
    --http-client-body-temp-path=/var/tmp/nginx/client \
    --http-proxy-temp-path=/var/tmp/nginx/proxy \
    --http-fastcgi-temp-path=/var/tmp/nginx/fcgi --with-pcre \
    --add-module=/usr/src/ngx_cache_purge-2.3/ --with-http_flv_module \
    --add-module=/usr/src/nginx-sticky-module/ && make && make install
Meaning of configuration options:
--prefix=/usr/local/nginx: specify the Nginx installation path;
--with-http_stub_status_module: monitor the nginx status through a web page;
--with-http_realip_module: show the client's real IP address;
--with-http_ssl_module: enable the encrypted transmission function of Nginx;
--with-http_gzip_static_module: enable the Nginx extended compression module;
--http-client-body-temp-path=/var/tmp/nginx/client: temporary storage path for client access data;
--http-proxy-temp-path=/var/tmp/nginx/proxy: ditto;
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi: ditto;
--with-pcre: support regular-expression matching;
--add-module=/usr/src/ngx_cache_purge-2.3: add a third-party module and specify its path; supports caching;
--with-http_flv_module: support FLV video streams;
--add-module=/usr/src/nginx-sticky-module: add a third-party module and specify its path. The format for adding a third-party module is: --add-module=<path of the unpacked source code>

[root@localhost ~]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/     # create a symbolic link
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf     # edit the Nginx main configuration file
...    # part of the content omitted
http {
    include       mime.types;
    default_type  application/octet-stream;
    upstream lzj {          # define a server group named lzj
        sticky;             # session persistence
        server 192.168.1.2:80 weight=1 max_fails=2 fail_timeout=10s;
        server 192.168.1.3:80 weight=1 max_fails=2 fail_timeout=10s;
    }
    # define two back-end servers with a weight of 1, a maximum number of failures of 2, and a maximum timeout of 10s
        location / {
            proxy_pass http://lzj;
        }
        # comment out the original location rules and redefine forwarding to the lzj group defined above
[root@localhost ~]# nginx -t     # check the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: [emerg] getpwnam("nginx") failed
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@localhost ~]# useradd -s /sbin/nologin -M nginx     # create the Nginx user (its shell is /sbin/nologin)
[root@localhost ~]# nginx -t     # check the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/var/tmp/nginx/client" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@localhost ~]# mkdir -p /var/tmp/nginx/client     # create the directory used as the temporary storage path for client access data
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# this shows that the configuration file has no problems
[root@localhost ~]# nginx     # start Nginx
[root@localhost ~]# nginx -V     # view the configuration parameters used at compile time
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fcgi --with-pcre --add-module=/usr/src/ngx_cache_purge-2.3/ --with-http_flv_module --add-module=/usr/src/nginx-sticky-module/
The operations on the two back-end test servers are as follows:
Server 1:
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# echo "192.168.1.2" > /var/www/html/index.html
[root@localhost ~]# systemctl start httpd
Server 2:
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# echo "192.168.1.3" > /var/www/html/index.html
[root@localhost ~]# systemctl start httpd
Nginx test results:
[root@localhost ~]# curl 127.0.0.1
192.168.1.2
[root@localhost ~]# curl 127.0.0.1
192.168.1.3
Note: if you need to add a third-party module to an installed Nginx server, you still need to recompile, but in order not to overwrite the original configuration information, please do not execute make install, but simply copy the executable file!
Add a system service script for Nginx:
[root@localhost ~]# vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: 2345 99 20
# description: Nginx Service Control Script
# Paths match the --prefix=/usr/local/nginx used in the build above
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
  start)
    # running = something listens on :80 and an nginx process exists
    netstat -anplt | grep ":80" &> /dev/null && pgrep "nginx" &> /dev/null
    if [ $? -eq 0 ]
    then
      echo "Nginx service already running."
    else
      $PROG -t &> /dev/null
      if [ $? -eq 0 ]; then
        $PROG
        echo "Nginx service start success."
      else
        $PROG -t
      fi
    fi
    ;;
  stop)
    netstat -anplt | grep ":80" &> /dev/null && pgrep "nginx" &> /dev/null
    if [ $? -eq 0 ]
    then
      kill -s QUIT $(cat $PIDF)
      echo "Nginx service stop success."
    else
      echo "Nginx service already stop"
    fi
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    netstat -anplt | grep ":80" &> /dev/null && pgrep "nginx" &> /dev/null
    if [ $? -eq 0 ]
    then
      echo "Nginx service is running."
    else
      echo "Nginx is stop."
    fi
    ;;
  reload)
    netstat -anplt | grep ":80" &> /dev/null && pgrep "nginx" &> /dev/null
    if [ $? -eq 0 ]
    then
      # only send HUP when the new configuration passes the syntax test
      $PROG -t &> /dev/null
      if [ $? -eq 0 ]; then
        kill -s HUP $(cat $PIDF)
        echo "reload Nginx config success."
      else
        $PROG -t
      fi
    else
      echo "Nginx service is not run."
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|status}"
    exit 1
esac
[root@localhost ~]# chmod +x /etc/init.d/nginx
[root@localhost ~]# chkconfig --add nginx
[root@localhost ~]# systemctl restart nginx
II. The use of proxy cache in Nginx
Caching means caching some static files from the back-end server to the cache directory specified by nginx, which can not only reduce the burden on the back-end server, but also speed up access, but timely cache cleaning has become a headache. So a third-party module, ngx_cache_purge, is required to manually clean the cache before the expiration time.
The commonly used instructions of proxy module are proxy_pass and proxy_cache
The web caching function of nginx is mainly accomplished by the proxy_cache and fastcgi_cache directives and their related directive sets:
proxy_cache: responsible for caching the static content of back-end servers behind the reverse proxy;
fastcgi_cache: mainly used to cache FastCGI dynamic content.
In order for nginx to have caching capabilities, you need to modify its configuration file as follows:
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...    # part of the content omitted
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$upstream_cache_status"';
    # "$upstream_cache_status" records the cache hit rate. Note that log_format is one
    # statement, so there is only one semicolon, at the end. The earlier lines already
    # exist in the file; just add the last line.
    access_log  logs/access.log  main;
    proxy_buffering on;      # when proxying is enabled, buffer the responses of the back-end servers
    proxy_temp_path /usr/local/nginx/proxy_temp;      # define the cache temporary directory
    proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=my-cache:100m inactive=600m max_size=2g;
    # define the cache directory; the parameters are explained after the configuration file
...    # part of the content omitted
        location ~ /purge(/.*) {      # define the cache purge policy
            allow 127.0.0.1;
            allow 192.168.1.0/24;
            deny all;
            proxy_cache_purge my-cache $host$1$is_args$args;
        }
        location / {
            proxy_pass http://lzj;      # forward requests to the server list defined by lzj
            proxy_redirect off;
            # specifies whether to modify the Location and Refresh header values in the
            # response returned by the proxied server. For example, it sets the replacement
            # text for the back-end server's "Location" and "Refresh" response headers.
            # Assuming the back-end server returns the response header
            # "Location: http://localhost:8000/two/some/uri/", the directive
            #     proxy_redirect http://localhost:8000/two/ http://frontend/one/;
            # rewrites it to "Location: http://frontend/one/some/uri/".
            proxy_set_header Host $host;
            # proxy_set_header allows request headers to be redefined or added.
            # Host indicates the host name of the request. When the nginx reverse proxy sends
            # the request to the real back-end server, the Host field in the request header is
            # rewritten to the server set by the proxy_pass directive. Because nginx acts as a
            # reverse proxy, if the real back-end server has hotlink protection, or routing or
            # decision logic based on the Host field of the HTTP request header, the request
            # will fail if the nginx reverse proxy layer does not rewrite the Host field.
            proxy_set_header X-Real-IP $remote_addr;
            # lets the web server obtain the user's real IP; in fact, the user's real IP can
            # also be obtained through X-Forwarded-For below
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # the back-end web server can obtain the user's real IP through X-Forwarded-For.
            # The X-Forwarded-For field indicates who initiated the HTTP request. If the
            # reverse proxy server does not rewrite this request header, the real back-end
            # server will assume that all requests come from the reverse proxy server. If the
            # back end has a protection policy, that machine will then be blocked. Therefore
            # these two settings are generally added to an nginx configured as a reverse proxy
            # in order to modify the HTTP request headers.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # add failover: if the back-end server returns errors such as 502 or 504, or the
            # request times out, the request is automatically forwarded to another server in
            # the upstream load-balancing pool.
            proxy_cache my-cache;
            add_header Nginx-Cache $upstream_cache_status;
            proxy_cache_valid 200 304 301 302 8h;
            proxy_cache_valid 404 1m;
            proxy_cache_valid any 1d;
            proxy_cache_key $host$uri$is_args$args;
            expires 30d;
        }
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# the check shows that the configuration file has no problems
[root@localhost ~]# nginx -s reload      # reload the nginx configuration file
Detailed description of configuration options:
levels=1:2 keys_zone=my-cache:100m: levels=1:2 sets a two-level directory structure. The first-level directory name has only one character, and the second-level subdirectory name consists of two characters. The name of the web cache zone is my-cache, and the size of the in-memory cache space is 100MB. This cache zone can be used multiple times.
inactive=600m max_size=2g: content that has not been accessed for 600 minutes is automatically cleared, and the maximum cache space on the hard disk is 2GB. If this size is exceeded, the least recently used data is cleared.
proxy_cache: references the previously defined cache zone my-cache.
proxy_cache_key: defines how the cache key is generated; nginx stores the cached content according to the MD5 hash of the key value.
proxy_cache_valid: sets different cache times for different response status codes. For example, normal results such as 200 and 302 can be cached longer, while 404 and 500 are cached for a shorter time. When this time is reached the file expires, regardless of whether it has just been accessed or not.
add_header: sets a response header; syntax: add_header name value;
$upstream_cache_status: this variable shows the status of the cache; an HTTP header can be added in the configuration to display this status.
$upstream_cache_status contains the following states:
MISS: cache missed, request delivered to the back end (common);
HIT: cache hit (common);
EXPIRED: cache expired, request delivered to the back end;
UPDATING: cache is being updated and the old reply will be used;
STALE: an expired (stale) cached reply is used.
expires: sets Expires: or Cache-Control: max-age in the response header, returning the browser cache expiration time to the client.
Client browser access:
After refreshing the page with F5, the following page appears:
To clear the cache, access the following path, as shown in the figure:
If the URL accessed is http://192.168.1.1/index.html, then http://192.168.1.1/purge/index.html must be requested to clear the cache.
These can also be seen from the access log of nginx, as shown in the figure:
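The same information can be pulled out of the access log with a short script. This is an added example, not part of the original post: it parses lines in the `main` log_format configured above, counts each `$upstream_cache_status` value, computes the hit ratio, and lists every /purge request with its client address and response status. The log lines are constructed sample data and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the "main" log_format above:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$upstream_cache_status"
# nginx logs a double quote inside a variable as \x22, so splitting on '"' is safe:
# field 2 = request line, field 3 = status and bytes, field 10 = cache status.

# Constructed sample log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
192.168.1.10 - - [04/Apr/2025:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 12 "-" "curl/7.29.0" "-" "MISS"
192.168.1.10 - - [04/Apr/2025:10:00:02 +0800] "GET /index.html HTTP/1.1" 200 12 "-" "curl/7.29.0" "-" "HIT"
192.168.1.10 - - [04/Apr/2025:10:00:03 +0800] "GET /index.html HTTP/1.1" 200 12 "-" "curl/7.29.0" "-" "HIT"
192.168.1.20 - - [04/Apr/2025:10:05:00 +0800] "GET /purge/index.html HTTP/1.1" 200 280 "-" "curl/7.29.0" "-" "-"
192.168.1.10 - - [04/Apr/2025:10:05:05 +0800] "GET /index.html HTTP/1.1" 200 12 "-" "curl/7.29.0" "-" "MISS"
203.0.113.7 - - [04/Apr/2025:10:06:00 +0800] "GET /purge/index.html HTTP/1.1" 403 169 "-" "curl/7.29.0" "-" "-"
EOF
}

# stdin: access log -> one "STATUS COUNT" line per cache status ("-" = not served via cache)
cache_status_counts() {
    awk -F'"' 'NF >= 11 { n[$10]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# stdin: access log -> integer percentage of HIT among requests that went through the cache
hit_ratio() {
    awk -F'"' 'NF >= 11 && $10 != "-" { total++; if ($10 == "HIT") hit++ }
               END { if (total) printf "%d\n", hit * 100 / total; else print "n/a" }'
}

# stdin: access log -> "CLIENT STATUS URI inside|outside" for every purge request.
# "inside" means the client matches the allow rules of the purge location above
# (127.0.0.1 and 192.168.1.0/24); an "outside" line with a status other than 403
# means the allow/deny rules are not doing what the configuration intends.
purge_requests() {
    awk -F'"' 'NF >= 11 {
        split($1, pre, " "); split($2, req, " "); split($3, st, " ")
        if (req[2] ~ /\/purge\//) {
            where = (pre[1] == "127.0.0.1" || pre[1] ~ /^192\.168\.1\.[0-9]+$/) ? "inside" : "outside"
            print pre[1], st[1], req[2], where
        }
    }'
}

sample_log | cache_status_counts
echo "hit ratio: $(sample_log | hit_ratio)%"
sample_log | purge_requests
```

On a real server, replace `sample_log` with `cat /usr/local/nginx/logs/access.log`.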
Note: when testing, pay attention to clear the cache of the client browser!
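How the cache key, the levels=1:2 directory layout and the /purge URL fit together can be worked through by hand. The following is an added example, not part of the original post: it rebuilds the key from proxy_cache_key, the key the purge location produces, and the on-disk file name nginx derives from the MD5 of the key. The function names are assumptions of this example; it needs `md5sum`.

```shell
#!/bin/sh
# Added example (not from the original post). Values below come from the page's config:
#   proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 ...
#   proxy_cache_key  $host$uri$is_args$args
#   location ~ /purge(/.*) { proxy_cache_purge my-cache $host$1$is_args$args; }
CACHE_DIR=/usr/local/nginx/proxy_cache

# Key nginx builds for a normal request: $host$uri$is_args$args
cache_key() {    # usage: cache_key HOST URI [ARGS]
    if [ -n "${3:-}" ]; then printf '%s%s?%s' "$1" "$2" "$3"
    else printf '%s%s' "$1" "$2"; fi
}

# Key nginx builds for a purge request: $host$1$is_args$args, where $1 is what
# follows the first "/purge" in the URI (the location regex is not anchored).
purge_key() {    # usage: purge_key HOST PURGE_URI [ARGS]
    case $2 in
        */purge/*) cache_key "$1" "/${2#*/purge/}" "${3:-}" ;;
        *) return 1 ;;    # URI does not match the purge location
    esac
}

# File that holds a key under levels=1:2:
#   <dir>/<last hex char of md5>/<the two chars before it>/<md5(key)>
cache_file() {   # usage: cache_file KEY
    _h=$(printf '%s' "$1" | md5sum | cut -d' ' -f1)
    printf '%s/%s/%s/%s' "$CACHE_DIR" \
        "$(printf '%s' "$_h" | cut -c32)" "$(printf '%s' "$_h" | cut -c30-31)" "$_h"
}

# nginx writes the key into the cache file header as a "KEY: ..." line, which lets
# you confirm which request a given cache file belongs to.
stored_key() {   # usage: stored_key FILE
    LC_ALL=C grep -a -m1 '^KEY: ' "$1" | sed 's/^KEY: //'
}

# The page's URL and its purge URL resolve to the same key, hence the same file.
key=$(cache_key 192.168.1.1 /index.html)
echo "key:        $key"
echo "purge key:  $(purge_key 192.168.1.1 /purge/index.html)"
echo "cache file: $(cache_file "$key")"
```

Because the key starts with `$host`, a purge sent to http://127.0.0.1/purge/index.html produces the key 127.0.0.1/index.html and only clears an entry cached under that host name, not the one cached for 192.168.1.1.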
III. Optimize the compression function of Nginx service
Optimizing the compression capabilities of Nginx services requires the following:
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...    # part of the content omitted
http {
    include       mime.types;
    default_type  application/octet-stream;
    upstream lzj {
        sticky;
        server 192.168.1.2:80 weight=1 max_fails=2 fail_timeout=10s;
        server 192.168.1.3:80 weight=1 max_fails=2 fail_timeout=10s;
    }
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$upstream_cache_status"';
    access_log  logs/access.log  main;
    brotli on;                  # whether to enable brotli compression
    brotli_types text/plain text/css text/xml application/xml application/json;
    brotli_static off;          # whether to allow looking up pre-compressed files ending in .br; available values are on, off, and always
    brotli_comp_level 11;       # compression level; the higher the value, the higher the compression ratio
    brotli_buffers 16 8k;       # number and size of the read buffers
    brotli_window 512k;         # sliding window size
    brotli_min_length 20;       # minimum number of bytes of data to compress
    server_tokens off;          # hide version information
    sendfile on;                # enable efficient file transfer
    keepalive_timeout 65;       # persistent connection timeout (in seconds)
    gzip on;                    # enable gzip compression
    gzip_comp_level 6;          # compression level; the higher the value, the higher the compression ratio
    gzip_http_version 1.1;      # the HTTP version is 1.1
    gzip_proxied any;
    # When Nginx works as a reverse proxy, this decides whether gzip compression is enabled
    # for the response to a proxied request, depending on the request and the reply.
    # Whether compression applies depends on the "Via" field in the request header.
    # Several parameters can be given at the same time. The common parameters are:
    #   off - turn off compression of all proxied result data;
    #   expired - enable compression if the header contains "Expires";
    #   no-cache - enable compression if the header contains "Cache-Control: no-cache";
    #   private - enable compression if the header contains "Cache-Control: private";
    #   no_last_modified - enable compression if the header does not contain "Last-Modified";
    #   no_etag - enable compression if the header does not contain "ETag";
    #   auth - enable compression if the header contains "Authorization";
    #   any - enable compression unconditionally
    gzip_min_length 1k;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css text/xml application/xml application/json;
    gzip_vary on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;      # maximum number of bytes of a client request that the proxy buffers
    proxy_connect_timeout 75;          # timeout for the connection between nginx and the back-end server (proxy connection timeout)
    proxy_send_timeout 75;
    proxy_read_timeout 75;             # timeout for reading the response from the back-end server
    proxy_buffer_size 4k;              # set the size of the buffer
    proxy_buffers 4 32k;               # the size of each buffer
    proxy_busy_buffers_size 64k;       # buffer size under heavy load
    proxy_temp_file_write_size 64k;    # size of temporary files per write
    proxy_buffering on;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=my-cache:100m inactive=600m max_size=2g;
    #sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    #keepalive_timeout  65;
    #gzip  on;
    server {
        listen       80;
        server_name  localhost;
        charset utf-8;
...    # part of the content omitted; add the following at the end of the location rules
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 192.168.1.0/24;
            deny all;
        }
[root@localhost ~]# nginx -t
nginx: [emerg] unknown directive "brotli" in /usr/local/nginx/conf/nginx.conf:32
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
# checking the configuration file shows that the brotli module was left out at compile time (intentionally)
Next, install the module that was left out:
[root@localhost ~]# cd /usr/src/nginx-1.14.0/      # enter the source package path
[root@localhost nginx-1.14.0]# nginx -V      # -V shows the parameters used when compiling and installing
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fcgi --with-pcre --add-module=/usr/src/ngx_cache_purge-2.3/ --with-http_flv_module --add-module=/usr/src/nginx-sticky-module/
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx \
    --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module \
    --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client \
    --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fcgi \
    --with-pcre --add-module=/usr/src/ngx_cache_purge-2.3/ --with-http_flv_module \
    --add-module=/usr/src/nginx-sticky-module/ --add-module=/usr/src/ngx_brotli && make && make install
# copy the already-loaded modules found above and recompile with them, adding the modules that need to be added
# for example, I added the third-party module "--add-module=/usr/src/ngx_brotli"
[root@localhost ~]# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak      # back up the original command
[root@localhost ~]# cp /usr/src/nginx-1.14.0/objs/nginx /usr/local/nginx/sbin/      # copy the newly generated nginx command to the specified directory
[root@localhost ~]# ln -sf /usr/local/nginx/sbin/nginx /usr/local/sbin/      # force-create the symbolic link to the new command
[root@localhost ~]# nginx -s reload      # reload the nginx configuration file
[root@localhost ~]# nginx -t      # check the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# nginx -s stop
[root@localhost ~]# nginx      # restart the nginx service; remember to clear the cache in the local browser
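Before the rebuilt binary replaces the running one, it is worth checking that no configure argument of the old build was lost while retyping the long command line. The following is an added example, not part of the original post: it compares the "configure arguments" lines of two `nginx -V` outputs. The function names are assumptions of this example, OLD_V reproduces the arguments shown above, and BAD_V is a constructed faulty build.

```shell
#!/bin/sh
# Added example (not from the original post): before swapping in a rebuilt binary,
# check that no configure argument of the running build was lost.
# Real usage (nginx -V writes to stderr):
#   dropped_args "$(nginx -V 2>&1)" "$(/usr/src/nginx-1.14.0/objs/nginx -V 2>&1)"
# Assumes no configure argument contains spaces, as in the build on this page.

# stdin: `nginx -V` output -> one configure argument per line, trailing "/" removed, sorted
configure_args() {
    sed -n 's/^configure arguments: *//p' | tr ' ' '\n' |
        sed -e '/^$/d' -e 's#/$##' | LC_ALL=C sort -u
}

# Arguments present in the first build but missing from the second.
dropped_args() {     # usage: dropped_args OLD_V_OUTPUT NEW_V_OUTPUT
    _new=$(printf '%s\n' "$2" | configure_args)
    printf '%s\n' "$1" | configure_args | while IFS= read -r _a; do
        printf '%s\n' "$_new" | grep -qxF -e "$_a" || printf '%s\n' "$_a"
    done
}

# Output of the original build, as shown on this page.
OLD_V='nginx version: nginx/1.14.0
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fcgi --with-pcre --add-module=/usr/src/ngx_cache_purge-2.3/ --with-http_flv_module --add-module=/usr/src/nginx-sticky-module/'
# The rebuild from this page: same arguments plus ngx_brotli.
NEW_V="$OLD_V --add-module=/usr/src/ngx_brotli"
# Constructed faulty rebuild: brotli added, but the sticky module was left out.
BAD_V=$(printf '%s\n' "$NEW_V" | sed 's# --add-module=/usr/src/nginx-sticky-module/##')

echo "dropped by the page's rebuild: [$(dropped_args "$OLD_V" "$NEW_V")]"
echo "added by the page's rebuild:   [$(dropped_args "$NEW_V" "$OLD_V")]"
echo "dropped by the faulty rebuild: [$(dropped_args "$OLD_V" "$BAD_V")]"
```

A non-empty "dropped" list means directives that depend on the missing module (for example `sticky` in the upstream block) will make `nginx -t` fail with the new binary, exactly as `brotli` did above.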
Verify access from the client:
To make copying easier, the complete Nginx configuration file from this blog post is attached below without comments:
#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    upstream lzj {
        sticky;
        server 192.168.1.2:80 weight=1 max_fails=2 fail_timeout=10s;
        server 192.168.1.3:80 weight=1 max_fails=2 fail_timeout=10s;
    }
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$upstream_cache_status"';
    access_log  logs/access.log  main;
    brotli on;
    brotli_types text/plain text/css text/xml application/xml application/json;
    brotli_static off;
    brotli_comp_level 11;
    brotli_buffers 16 8k;
    brotli_window 512k;
    brotli_min_length 20;
    server_tokens off;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_min_length 1k;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css text/xml application/xml application/json;
    gzip_vary on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 75;
    proxy_send_timeout 75;
    proxy_read_timeout 75;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_buffering on;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=my-cache:100m inactive=600m max_size=2g;
    #sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    #keepalive_timeout  65;
    #gzip  on;
    server {
        listen       80;
        server_name  localhost;
        charset utf-8;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;
        location ~ /purge(/.*) {
            allow 127.0.0.1;
            allow 192.168.1.0/24;
            deny all;
            proxy_cache_purge my-cache $host$1$is_args$args;
        }
        location / {
            proxy_pass http://lzj;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_cache my-cache;
            add_header Nginx-Cache $upstream_cache_status;
            proxy_cache_valid 200 304 301 302 8h;
            proxy_cache_valid 404 1m;
            proxy_cache_valid any 1d;
            proxy_cache_key $host$uri$is_args$args;
            expires 30d;
        }
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 192.168.1.0/24;
            deny all;
        }
The content below this point has not been modified, so it is not copied here.