NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability. In addition to its HTTP server capabilities, NGINX can also function as a proxy server for email (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers.
Introduction to Nginx
What is Nginx
Nginx ("engine x") is a high-performance HTTP and reverse proxy server with a small memory footprint and strong concurrency: a single instance handles 20,000–30,000 concurrent connections, and the project's own tests report support for 50,000.
It serves static files, index files and automatic directory listings, and caches open file descriptors.
It provides cache-free reverse proxy acceleration, simple load balancing and fault tolerance.
Why use Nginx
Cross-platform, simple to configure, reverse proxying, high concurrency (20,000–30,000 concurrent connections, 50,000 in the project's own tests), low memory consumption (ten Nginx processes use only about 150 MB), and fast static file serving with little memory.
Nginx also has built-in (passive) health checking: if a backend server goes down, its failed responses are counted and subsequent requests are no longer sent to it; they are routed to the other nodes instead. In open-source Nginx this is controlled by max_fails and fail_timeout on each upstream server; active probing is an NGINX Plus feature.
Using Nginx also gives you:
Bandwidth savings: GZIP compression is supported, and browser-side caching headers can be added.
High stability: the probability of a crash is very small.
Asynchronous acceptance of client requests.
What are forward and reverse proxies?
A forward proxy sits on the client side: the client sends its request to the proxy, and the proxy fetches the resource from the target server on the client's behalf, so the target server only ever sees the proxy.
Example: a VPN or HTTP proxy configured on your computer that requests external resources for you.
A reverse proxy sits on the server side: all requests are received by Nginx first, and the Nginx reverse proxy then distributes them to the backend application servers according to configured rules.
Example: huge numbers of people visit Baidu every day, always through the single domain www.baidu.com, yet Baidu certainly has more than one server behind it.
A reverse proxy represents the server side: clients browse backend resources without being aware of them, and services can be deployed and released behind it more easily.
Understanding load balancing
Nginx offers two kinds of load-balancing strategies: built-in and extension. The built-in strategies are round robin, weighted round robin and IP hash (open-source Nginx also ships least_conn and a generic hash); extension strategies are provided by third-party modules.
Round robin sends requests to the servers in turn, cycling through the list.
Weighted round robin is round robin with a weight attached to each server.
IP hash hashes the client's IP address (the first three octets of an IPv4 address, or the whole IPv6 address) and sends requests from the same client IP to the same backend server, which works around session data not being shared between backends. Keep in mind that every client behind one NAT or corporate proxy lands on the same backend.
Static/dynamic separation: in software development some requests need backend processing and some do not (CSS, HTML, JS, jpg and similar files); the files that need no backend processing are called static files. A dynamic website separates its unchanging resources from its frequently changing ones according to a rule; once the split is done, static resources can be cached according to their characteristics, which speeds up responses.
Why is Nginx so fast
Because of its event handling model: asynchronous, non-blocking event processing built on epoll. Instead of one thread or process per connection, each worker runs a single event loop; epoll hands the worker a queue of sockets that are ready for I/O, and the worker services them in turn without ever blocking on a single slow client.
How Nginx handles a request
When Nginx receives a request it first selects a server block by matching the listen directive and server_name (against the request's Host header), then matches a location inside that server block; the location maps the request to the actual path on disk or to an upstream.

```nginx
server {
    listen 80;
    server_name localhost;
    location / {
        root html;
        index index.html index.htm;
    }
}
```
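An added example (not from the original post; host names and paths are illustrative) of how that selection plays out when several server blocks share a port. The point a practitioner cares about: if no server_name matches the Host header, nginx uses the default_server for that port, and if none is declared it silently uses the first server block listed, which can expose a vhost you never meant to serve under arbitrary names.

```nginx
# Catch-all for requests whose Host header matches no server_name.
# Declare it explicitly; otherwise the first server block for the port wins.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;                 # "_" is a conventional never-matching name
    ssl_reject_handshake on;       # nginx >= 1.19.4: refuse TLS without presenting any certificate
    return 444;                    # nginx-specific: close the connection without a response
}

# Host: blog.example.com -> this block, then the longest matching location
server {
    listen 80;
    server_name blog.example.com;

    location / {
        root /var/www/blog;
        index index.html;
    }
}

# Host: api.example.com -> this block; everything under it is proxied
server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed local backend
    }
}
```

To see the selection happen, send the same request with different Host headers: curl -H 'Host: blog.example.com' http://SERVER/ gets the blog, while curl -H 'Host: whatever' http://SERVER/ gets the connection dropped by the catch-all instead of the first vhost's content.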
Common Nginx commands
```bash
cd /usr/local/nginx/sbin/
./nginx              # start
./nginx -s stop      # fast shutdown
./nginx -s quit      # graceful shutdown (finish in-flight requests first)
./nginx -s reload    # re-read the configuration without dropping connections
ps aux | grep nginx  # check the master and worker processes
```
The default port is 80. If you cannot connect, check whether the server firewall allows the port.
```bash
service firewalld start
service firewalld restart
service firewalld stop
firewall-cmd --list-all
firewall-cmd --query-port=8000/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --remove-port=8080/tcp
firewall-cmd --reload
```
1. firewall-cmd is the Linux tool for managing firewalld.
2. --permanent makes the change persistent across restarts; it does not take effect in the running firewall until firewall-cmd --reload.
3. --add-port specifies the port and protocol to open; open only the ports Nginx actually listens on.
Installing Nginx in a Docker container
```bash
docker run -it -p 80:80 -p 443:443 --name ubuntu ubuntu1 /bin/bash
apt update && apt upgrade
apt install nano
apt-get install nginx
service nginx start
```
Setup SSL with NGINX
```bash
cd /etc/nginx/conf.d
nano blog.tyokyo320.com.conf
mkdir /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
apt-get install openssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/blog.key -out /etc/nginx/ssl/blog.crt
```
This produces a self-signed certificate: browsers will warn about it, and current browsers only accept a certificate whose Subject Alternative Name contains the host name, so for a public site use a CA-issued certificate (for example from Let's Encrypt) instead. -nodes leaves the private key unencrypted on disk, so keep it readable by root only (the directory is already 700; chmod 600 the key file as well). That is enough for Nginx, because the master process runs as root and loads the key before handing connections to the unprivileged workers.
Next, edit the configuration file:
```bash
nano blog.tyokyo320.com.conf
```
```nginx
server {
    listen 80 default_server;
    server_name blog.tyokyo320.com;
    # Redirect every plain-HTTP request to HTTPS. $server_name (rather than $host)
    # keeps the redirect target fixed, so a client-supplied Host header cannot steer it.
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name blog.tyokyo320.com;
    ssl_certificate /etc/nginx/ssl/blog.crt;
    ssl_certificate_key /etc/nginx/ssl/blog.key;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
```
Now move blog.tyokyo320.com.conf from /etc/nginx/conf.d to /etc/nginx/sites-available. On Debian/Ubuntu packages nginx.conf includes both conf.d/*.conf and sites-enabled/*, so the file must be moved rather than copied, or the same server block (with its default_server) would be loaded twice and nginx -t would fail.
```bash
# run from /etc/nginx/sites-available
mv ../conf.d/blog.tyokyo320.com.conf .
```
Then back up the default file under sites-available,
and remove the default symlink under /etc/nginx/sites-enabled:
```bash
# run from /etc/nginx/sites-available
rm ../sites-enabled/default
```
Finally, create a symlink to blog.tyokyo320.com.conf in sites-enabled:
```bash
# run from /etc/nginx/sites-enabled
ln -s ../sites-available/blog.tyokyo320.com.conf .
```
Result:
```
root@5602de98f6a6:/etc/nginx/sites-enabled# ls -l
total 0
lrwxrwxrwx 1 root root 42 Sep 11 06:46 blog.tyokyo320.com.conf -> ../sites-available/blog.tyokyo320.com.conf
```
Finally, check that the configuration file is valid:
```
root@5602de98f6a6:/etc/nginx/sites-enabled# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
If the test passes, reload Nginx (nginx -s reload or service nginx reload).
Exit the container, go back to the NUC, and edit ~/docker/frp/frpc.ini:
```ini
[common]
server_addr = 3.19.55.120
server_port = 7000

[ssh]
type = tcp
local_ip = 172.17.0.1
local_port = 22
remote_port = 6000

[blog_http]
type = tcp
local_ip = 172.17.0.1
local_port = 80
remote_port = 80
custom_domains = blog.tyokyo320.com

[blog_https]
type = tcp
local_ip = 172.17.0.1
local_port = 443
remote_port = 443
custom_domains = blog.tyokyo320.com
```
Two things worth knowing about this file: custom_domains only has an effect for frp's http and https proxy types, so with type = tcp the public ports 80 and 443 are simply forwarded to the container host as raw TCP (TLS still terminates in Nginx, which is what you want here); and because the [ssh] section publishes port 22 of the NUC on the public frps host as port 6000, make sure frps and frpc share a token in [common] so that nobody else can register proxies on your frps, and that SSH on the NUC accepts key authentication only.
Add a DNS record for the blog domain pointing at the frps server.
Summary of Nginx core concepts
Configuration file structure
The Nginx configuration file is hierarchical and consists of directives and contexts:
```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        listen 80;
        server_name example.com;

        location / {
            root /usr/share/nginx/html;
            index index.html;
        }

        location /api {
            proxy_pass http://backend;
        }
    }
}
```
Configuration file locations:
/etc/nginx/nginx.conf (main configuration file)
/etc/nginx/conf.d/*.conf (additional configuration files)
/etc/nginx/sites-available/ (available site configurations)
/etc/nginx/sites-enabled/ (enabled site configurations, normally symlinks into sites-available)
Core module directives
1. Global directives (main context)

| Directive | Description | Example |
|---|---|---|
| user | User (and optionally group) that the worker processes run as; the master process stays root so it can bind privileged ports and read key files | user nginx; |
| worker_processes | Number of worker processes; set it to the number of CPU cores or auto | worker_processes auto; |
| worker_cpu_affinity | Pin worker processes to specific CPUs | worker_cpu_affinity auto; |
| worker_rlimit_nofile | Maximum number of open file descriptors per worker process | worker_rlimit_nofile 65535; |
| error_log | Error log path and level | error_log /var/log/nginx/error.log warn; |
| pid | Location of the master process PID file | pid /var/run/nginx.pid; |

Error log levels (from lowest to highest): debug → info → notice → warn → error → crit → alert → emerg
2. Events block
```nginx
events {
    worker_connections 1024;   # maximum simultaneous connections per worker
    use epoll;                 # event method; on Linux nginx selects epoll automatically
    multi_accept on;           # accept as many pending connections as possible per wake-up
    accept_mutex off;          # wake all workers on new connections instead of serialising them
}
```
Maximum concurrent clients: max_clients = worker_processes × worker_connections. For a reverse proxy each client also consumes an upstream connection, so the practical limit is about half of that, and worker_connections cannot usefully exceed the per-process file descriptor limit set by worker_rlimit_nofile.
3. HTTP core configuration
Basic settings
```nginx
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset utf-8;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    keepalive_timeout 65;
    keepalive_requests 100;

    client_max_body_size 20m;      # reject larger request bodies with 413
    client_body_timeout 60s;
    client_header_timeout 60s;

    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript;
}
```
Server block
```nginx
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;          # on nginx >= 1.25.1 use "listen 443 ssl;" plus "http2 on;"
    server_name example.com www.example.com;

    root /var/www/html;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;
}
```
Location block configuration and matching rules
Matching priority (highest to lowest):
location = /path - exact match (highest priority)
location ^~ /path - prefix match that stops regex evaluation (applies when it is the longest matching prefix)
location ~ pattern - case-sensitive regex match
location ~* pattern - case-insensitive regex match (~ and ~* have equal priority: the first regex that matches in configuration order wins)
location /path - plain prefix match (lowest priority: the longest matching prefix is remembered, but it is only used if no regex matches)
```nginx
location = / {
    return 200 "exact match";
}
location ^~ /static/ {
    root /var/www;
}
location ~ \.(jpg|png|gif)$ {
    root /var/www/images;
}
location ~* \.(JPG|PNG|GIF)$ {
    root /var/www/images;
}
location /api/ {
    proxy_pass http://backend;
}
location / {
    root /usr/share/nginx/html;
    index index.html;
}
```
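The security consequence of "regex beats plain prefix" is easy to miss: an access control attached to a plain prefix location does not apply to requests that a later regex location also matches. The following added example (not from the original post; paths, the htpasswd file and the PHP-FPM socket are assumed) shows the broken and the fixed form side by side.

```nginx
# Goal: everything under /admin/ must require HTTP basic authentication.

# BROKEN: for GET /admin/users.php the regex location wins over the plain
# prefix /admin/, so the request is handed to PHP-FPM without ever passing auth_basic.
server {
    listen 80;
    server_name broken.example.com;
    root /var/www/app;

    location /admin/ {
        auth_basic "admin";
        auth_basic_user_file /etc/nginx/htpasswd;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# FIXED: ^~ stops regex evaluation once /admin/ is the longest matching prefix.
# The nested regex location re-enables PHP handling inside the protected area and
# inherits auth_basic from its parent, so /admin/users.php now requires a password.
server {
    listen 80;
    server_name fixed.example.com;
    root /var/www/app;

    location ^~ /admin/ {
        auth_basic "admin";
        auth_basic_user_file /etc/nginx/htpasswd;

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

A quick way to audit an existing configuration for this pattern is to list every regex location and ask, for each plain-prefix location that carries auth_basic, allow/deny or limit_req, whether a request under that prefix could also match the regex.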
Common location directives (reference list; root and alias are mutually exclusive within one location, use one or the other):
```nginx
location /app/ {
    root /var/www;                   # /app/x.css -> /var/www/app/x.css (the location prefix is kept)
    # alias /var/www/application/;   # /app/x.css -> /var/www/application/x.css (the prefix is replaced);
                                     # with alias, end both the location and the alias path with "/"
    try_files $uri $uri/ /index.html;
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    limit_except GET POST {
        deny all;
    }
    limit_rate 500k;
}
```
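The alias note above deserves a concrete illustration, because a missing trailing slash turns alias into a directory traversal (the well-known "alias traversal" misconfiguration that linters such as gixy flag). Added example, not from the original post; the directory names are assumed.

```nginx
# VULNERABLE: the location prefix has no trailing slash. nginx replaces the matched
# prefix "/static" with "/var/www/static/" verbatim, and "static.." is not a ".."
# path segment, so URI normalisation leaves it alone:
#   GET /static../app.conf  ->  /var/www/static/../app.conf  ->  /var/www/app.conf
# Everything one directory above the intended root becomes readable.
location /static {
    alias /var/www/static/;
}

# FIXED: the location prefix and the alias path both end with "/".
# "/static../app.conf" no longer matches the prefix "/static/", and for URIs that
# do match, any real "/../" segments were already collapsed by nginx before
# location matching, so the remainder cannot climb out of /var/www/static/.
location /static/ {
    alias /var/www/static/;
}

# When the directory name equals the URI prefix, root is the simpler and safer choice,
# because it appends the whole URI: /static/x.css -> /var/www/static/x.css.
#   location /static/ { root /var/www; }
```

Test it from the outside with curl --path-as-is 'http://HOST/static../app.conf': the vulnerable form returns the file, the fixed form returns 404.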
4. Reverse proxy configuration
```nginx
location /api/ {
    proxy_pass http://backend_server;

    # Pass the original request details to the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # appends $remote_addr to any client-supplied XFF
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;

    # Needed for WebSocket upgrades and for upstream keepalive.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";   # unconditional; a map on $http_upgrade is the usual refinement
}
```
Because $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client sent, the upstream must trust only the last entry of that list (or X-Real-IP), never the first, when it uses the client address for access control or logging.
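An added example (not from the original post; the upstream address and host name are assumed) of the refinements a practitioner normally applies to the block above: a map that only sends Connection: upgrade when the client actually asked for an upgrade, so that upstream keepalive keeps working for ordinary requests, plus stripping headers the upstream should not trust.

```nginx
# http context: "upgrade" only when the client sent an Upgrade header,
# otherwise an empty Connection header so pooled upstream connections stay open.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

upstream app {
    server 127.0.0.1:8080;    # assumed local backend
    keepalive 16;             # idle connections kept per worker; requires HTTP/1.1 below
}

server {
    listen 80;
    server_name api.example.com;

    location /api/ {
        proxy_pass http://app;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Client sends "X-Forwarded-For: 1.2.3.4"; upstream receives "1.2.3.4, <client ip>".
        # Only the last element was added by this proxy and can be trusted.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # An empty value removes the header, so a client cannot smuggle it through to the app.
        proxy_set_header X-Forwarded-Host "";

        # Do not leak the upstream's technology stack back to clients.
        proxy_hide_header X-Powered-By;
    }
}
```

With keepalive configured this way, a WebSocket client still gets its Upgrade handshake forwarded, while plain API calls reuse pooled connections instead of opening a new TCP connection to the backend for every request.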
5. Load balancing configuration
```nginx
upstream backend {
    server 192.168.1.101:8080 weight=3;                      # gets 3 of every 4 requests
    server 192.168.1.102:8080 weight=1;
    server 192.168.1.103:8080 backup;                        # used only when all primaries are unavailable
    server 192.168.1.104:8080 down;                          # permanently marked unavailable
    server 192.168.1.105:8080 max_fails=3 fail_timeout=30s;  # passive health check: 3 failures in 30s takes it out for 30s
    keepalive 32;                                            # idle keepalive connections to upstreams per worker
}

upstream backend_iphash {
    ip_hash;
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
}

upstream backend_leastconn {
    least_conn;
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
}

server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://backend;
    }
}
```
For keepalive to take effect, the proxying location must also set proxy_http_version 1.1 and proxy_set_header Connection ""; otherwise every request still opens a new connection to the upstream.
6. Cache configuration
```nginx
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

server {
    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 304 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        add_header X-Cache-Status $upstream_cache_status;

        # proxy_cache_bypass only skips the cache lookup; the fresh response is still
        # written to the cache unless proxy_no_cache also matches. Without the second
        # directive, a response to an authenticated request would be stored and later
        # served to anonymous clients with the same URL.
        proxy_cache_bypass $http_pragma $http_authorization;
        proxy_no_cache $http_pragma $http_authorization;

        proxy_pass http://backend;
    }
}
```
7. Static file optimisation
```nginx
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    root /var/www/static;
    expires 30d;
    add_header Cache-Control "public, immutable";
    access_log off;

    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
}
```
Commonly used built-in variables

| Variable | Description |
|---|---|
| $host | Host name of the request: from the request line, else from the Host header, else the server_name that matched |
| $uri | Normalised URI of the current request (no query string; changes after rewrites) |
| $request_uri | Full original request URI, including the query string |
| $args | Query string |
| $remote_addr | Client IP address |
| $remote_port | Client port |
| $server_addr | Server address that accepted the connection |
| $server_name | Name of the server block that handled the request |
| $scheme | Request scheme (http/https) |
| $request_method | Request method (GET, POST, etc.) |
| $http_user_agent | Client User-Agent header |
| $http_referer | Referer header |
| $status | Response status code |
| $body_bytes_sent | Bytes sent to the client, excluding response headers |
Performance tuning best practices
1. System-level tuning
```nginx
worker_processes auto;
worker_rlimit_nofile 65535;
worker_cpu_affinity auto;

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
}
```
2. HTTP-level tuning
```nginx
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript;

    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;

    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;

    server_tokens off;
}
```
3. Configuration validation and debugging
```bash
nginx -t          # test the configuration syntax
nginx -V          # show the version and the compiled-in modules and build flags
nginx -s reload   # reload, only after nginx -t succeeds
ps aux | grep nginx
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
```
Security configuration recommendations
```nginx
http {
    server_tokens off;      # hide the version in the Server header and on error pages

    # limit_req_zone is only valid in the http context.
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    server {
        listen 80;
        server_name example.com;
        # Redirect plain HTTP in its own server block. "if ($scheme = http)" inside a
        # combined block works too, but "if" is only permitted in server and location
        # contexts and a separate block is clearer.
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name example.com;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # ssl_ciphers governs TLS 1.2 and below; TLS 1.3 suites are chosen by the library.
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        # X-XSS-Protection "1; mode=block" is deprecated: OWASP recommends not setting it
        # (or setting it to 0) and using a Content-Security-Policy instead.

        # Method restrictions go in a server or location context, not directly in http.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        limit_req zone=one burst=5;
    }
}
```
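Two things bite people who copy the block above into a real site: add_header is not additive across levels (one add_header in a location discards every add_header inherited from the server), and a single site-wide rate is either too loose for credential endpoints or too strict for everything else. The following added example (not from the original post; backend address, paths and the certificate files are assumed) shows both the pitfall and the fix.

```nginx
http {
    # A gentle zone for the whole site and a strict one for credential endpoints,
    # both keyed by client IP ($binary_remote_addr is compact, 10m holds ~160k addresses).
    limit_req_zone $binary_remote_addr zone=site:10m  rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/m;

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/key.pem;

        limit_req zone=site burst=20 nodelay;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;

        location / {
            root /var/www/html;
            # No add_header here, so all three server-level headers are inherited.
        }

        # PITFALL: this location sets its own add_header, which replaces the inherited
        # set. Responses from /api/ carry Cache-Control and none of the security headers.
        location /api/ {
            proxy_pass http://127.0.0.1:8080;
            add_header Cache-Control "no-store" always;
        }

        # FIX: restate the security headers wherever a location adds its own
        # (in practice: put them in a file and "include" it in every such location).
        location /login {
            limit_req zone=login burst=5 nodelay;   # 5 quick attempts, then 1 per minute per IP
            limit_req_status 429;
            proxy_pass http://127.0.0.1:8080;
            add_header Cache-Control "no-store" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
        }
    }
}
```

Verify the inheritance behaviour with curl -sI against / and /api/ and compare the header sets; it is the quickest way to catch a location that silently dropped HSTS. Note that limit_req follows the same rule: a limit_req in a location replaces, rather than adds to, the server-level one, which is what makes the stricter /login zone take effect.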
Common configuration templates
Single-page application (SPA) configuration
```nginx
server {
    listen 80;
    server_name app.example.com;
    root /var/www/app/dist;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;   # client-side routing: unknown paths fall back to index.html
    }

    location /api {
        proxy_pass http://backend;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}
```
Note that the regex location outranks the /api prefix: a request such as /api/export.png is served from disk (and 404s) instead of being proxied. If the API can return such paths, declare the proxy as location ^~ /api.
PHP application configuration
```nginx
server {
    listen 80;
    server_name php.example.com;
    root /var/www/php;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\. {
        deny all;    # never serve dotfiles such as .git, .env or .htaccess
    }
}
```
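The PHP template above hands every URI ending in .php to PHP-FPM, including ones that do not exist on disk. Combined with PHP's cgi.fix_pathinfo=1, a request like /uploads/avatar.jpg/x.php makes PHP look for a script along the path and fall back to the uploaded image, which is how user uploads have historically been turned into code execution. Modern PHP-FPM mitigates this with security.limit_extensions, but the nginx-side guard costs nothing and does not depend on the PHP configuration. Added example (not from the original post; the uploads directory and socket path are assumed):

```nginx
server {
    listen 80;
    server_name php.example.com;
    root /var/www/php;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # User uploads are static content only: nothing under here ever reaches PHP-FPM,
    # whatever the file is called. ^~ keeps the global .php regex below from applying.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }

    location ~ \.php$ {
        # Only a file that really exists at this exact path may be executed.
        # /index.php/extra and /uploads/avatar.jpg/x.php do not exist as files,
        # so they get 404 here instead of a trip through PHP's path resolution.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\. {
        deny all;
    }
}
```

The trade-off is that applications relying on PATH_INFO routing (/index.php/some/route) need fastcgi_split_path_info and a try_files on the script part instead of $uri; for the common front-controller layout shown here, where everything routes through /index.php?$args, the stricter check is free.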