Nginx安装学习使用具体记录
生活随笔
收集整理的這篇文章主要介紹了
Nginx安装学习使用具体记录
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
前言:
選擇Nginx的長處:
Nginx 能夠在大多數(shù) Unix like OS 上編譯執(zhí)行。并有 Windows 移植版。 Nginx 的1.4.0穩(wěn)定版已經(jīng)于2013年4月24日公布。普通情況下,對于新建站點,建議使用最新穩(wěn)定版作為生產(chǎn)版本號,已有站點的升級急迫性不高。Nginx 的源碼使用 2-clause BSD-like license。
Nginx 是一個非常強大的高性能Web和反向代理服務(wù)器,它具有非常多非常優(yōu)越的特性:
在高連接并發(fā)的情況下,Nginx是Apache服務(wù)器不錯的替代品:Nginx在美國是做虛擬主機生意的老板們常常選擇的軟件平臺之中的一個。
1.1?執(zhí)行安裝
tar?-xvf nginx-1.4.2.tar.gz
cd nginx-1.4.2
./configure?--prefix=/usr/nginx?--with-http_stub_status_module?--with-debug?--with-http_realip_module?--with-http_ssl_module
[root@localhost nginx-1.4.2]#?make install
......
test?-d \'/usr/nginx/logs\'?||?mkdir?-p \'/usr/nginx/logs\'
test?-d \'/usr/nginx/logs\'?||?mkdir?-p \'/usr/nginx/logs\'
test?-d \'/usr/nginx/html\'?||?cp?-R html \'/usr/nginx\'
test?-d \'/usr/nginx/logs\'?||?mkdir?-p \'/usr/nginx/logs\'
1.2 查看進(jìn)程數(shù)
進(jìn)程數(shù)是與top出來的cpu數(shù)量是一樣的。在/usr/local/nginx/conf/nginx.conf配置文件中面的worker_processes參數(shù)。
worker_processes指明了nginx要開啟的進(jìn)程數(shù)。據(jù)官方說法,一般開一個就夠了,多開幾個,能夠降低機器io帶來的影響。據(jù)實踐表明。nginx的這個參數(shù)在普通情況下開4個或8個就能夠了。再往上開的話優(yōu)化不太大。據(jù)還有一種說法是,nginx開啟太多的進(jìn)程,會影響主進(jìn)程調(diào)度,所以占用的cpu會增高。
[root@lb-net-2 ~]#?ps?-eaf|grep nginx
root 2221 1382 0 18:06 pts/0 00:00:00 grep nginx
root 16260 1 0 Jun18???00:00:00 nginx:?master process /usr/local/nginx/sbin/nginx
nobody 16261 16260 0 Jun18???00:01:26 nginx:?worker process?
nobody 16262 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16263 16260 0 Jun18???00:01:25 nginx:?worker process?
nobody 16264 16260 0 Jun18???00:01:33 nginx:?worker process?
nobody 16265 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16266 16260 0 Jun18???00:01:24 nginx:?worker process?
nobody 16267 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16268 16260 0 Jun18???00:01:23 nginx:?worker process?
nobody 16269 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16270 16260 0 Jun18???00:01:26 nginx:?worker process?
nobody 16271 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16272 16260 0 Jun18???00:01:25 nginx:?worker process?
nobody 16273 16260 0 Jun18???00:01:26 nginx:?worker process?
nobody 16274 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16275 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16276 16260 0 Jun18???00:01:33 nginx:?worker process?
nobody 16277 16260 0 Jun18???00:01:24 nginx:?worker process?
nobody 16278 16260 0 Jun18???00:01:24 nginx:?worker process?
nobody 16279 16260 0 Jun18???00:01:30 nginx:?worker process?
nobody 16280 16260 0 Jun18???00:01:24 nginx:?worker process?
nobody 16281 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16282 16260 0 Jun18???00:01:32 nginx:?worker process?
nobody 16283 16260 0 Jun18???00:01:25 nginx:?worker process?
nobody 16284 16260 0 Jun18???00:01:26 nginx:?worker process
2 配置文件
2.1 Nginx反向代理實踐
省過
2.2 Nginx Rewrite又一次定向
使用nginx做又一次定向。?
nginx參考網(wǎng)址:http://blog.sina.com.cn/s/blog_97688f8e0100zws5.html
語法規(guī)則: location [=|~|~*|^~] /uri/ { … }
= 開頭表示精確匹配
^~ 開頭表示uri以某個常規(guī)字符串開頭。理解為匹配 url路徑即可。
~ 開頭表示區(qū)分大寫和小寫的正則匹配
~* ?開頭表示不區(qū)分大寫和小寫的正則匹配
!~和!~*分別為區(qū)分大寫和小寫不匹配及不區(qū)分大寫和小寫不匹配 的正則
/ 通用匹配,不論什么請求都會匹配到。
多個location配置的情況下匹配順序為(參考資料而來,還未實際驗證。試試就知道了。不必拘泥,僅供參考):
首先匹配 =。其次匹配^~, 其次是按文件中順序的正則匹配,最后是交給 / 通用匹配。當(dāng)有匹配成功時候,停止匹配。按當(dāng)前匹配規(guī)則處理請求。
樣例,有例如以下匹配規(guī)則:
location = / {
? ?#規(guī)則A
}
location = /login {
? ?#規(guī)則B
}
location ^~ /static/ {
? ?#規(guī)則C
}
location ~ \.(gif|jpg|png|js|css)$ {
? ?#規(guī)則D
}
location ~* \.png$ {
? ?#規(guī)則E
}
location !~ \.xhtml$ {
? ?#規(guī)則F
}
location !~* \.xhtml$ {
? ?#規(guī)則G
}
location / {
? ?#規(guī)則H
}
那么產(chǎn)生的效果例如以下:
訪問根文件夾/, 比方http://localhost/ 將匹配規(guī)則A
訪問 http://localhost/login 將匹配規(guī)則B,http://localhost/register 則匹配規(guī)則H
訪問 http://localhost/static/a.html 將匹配規(guī)則C
訪問 http://localhost/a.gif, http://localhost/b.jpg 將匹配規(guī)則D和規(guī)則E。可是規(guī)則D順序優(yōu)先,規(guī)則E不起作用,而 http://localhost/static/c.png 則優(yōu)先匹配到規(guī)則C
訪問 http://localhost/a.PNG 則匹配規(guī)則E,而不會匹配規(guī)則D。由于規(guī)則E不區(qū)分大寫和小寫。
訪問 http://localhost/a.xhtml 不會匹配規(guī)則F和規(guī)則G。http://localhost/a.XHTML不會匹配規(guī)則G,由于不區(qū)分大寫和小寫。規(guī)則F,規(guī)則G屬于排除法,符合匹配規(guī)則可是不會匹配到。所以想想看實際應(yīng)用中哪里會用到。
訪問 http://localhost/category/id/1111 則終于匹配到規(guī)則H,由于以上規(guī)則都不匹配,這個時候應(yīng)該是nginx轉(zhuǎn)發(fā)請求給后端應(yīng)用服務(wù)器,比方FastCGI(php),tomcat(jsp)。nginx作為方向代理服務(wù)器存在。
所以實際使用中。個人認(rèn)為至少有三個匹配規(guī)則定義,例如以下:
#直接匹配站點根,通過域名訪問站點首頁比較頻繁,使用這個會加速處理,官網(wǎng)如是說。
#這里是直接轉(zhuǎn)發(fā)給后端應(yīng)用服務(wù)器了。也能夠是一個靜態(tài)首頁
# 第一個必選規(guī)則
location = / {
? ? proxy_pass http://tomcat:8080/index
}
# 第二個必選規(guī)則是處理靜態(tài)文件請求,這是nginx作為http服務(wù)器的強項
# 有兩種配置模式,文件夾匹配或后綴匹配,任選其一或搭配使用
location ^~ /static/ {
? ? root /webroot/static/;
}
location ~* \.(gif|jpg|jpeg|png|css|js|ico)$ {
? ? root /webroot/res/;
}
#第三個規(guī)則就是通用規(guī)則。用來轉(zhuǎn)發(fā)動態(tài)請求到后端應(yīng)用服務(wù)器
#非靜態(tài)文件請求就默認(rèn)是動態(tài)請求。自己依據(jù)實際把握
#畢竟眼下的一些框架的流行。帶.php,.jsp后綴的情況非常少了
location / {
? ? proxy_pass http://tomcat:8080/
}
2.3 ReWrite語法
last – 基本上都用這個Flag。
break – 中止Rewirte,不在繼續(xù)匹配
redirect – 返回暫時重定向的HTTP狀態(tài)302
permanent – 返回永久重定向的HTTP狀態(tài)301
1、以下是能夠用來推斷的表達(dá)式:
-f和!-f用來推斷是否存在文件
-d和!-d用來推斷是否存在文件夾
-e和!-e用來推斷是否存在文件或文件夾
-x和!-x用來推斷文件是否可執(zhí)行
2、以下是能夠用作推斷的全局變量
例:http://localhost:88/test1/test2/test.php
$host:localhost
$server_port:88
$request_uri:http://localhost:88/test1/test2/test.php
$document_uri:/test1/test2/test.php
$document_root:D:\nginx/html
$request_filename:D:\nginx/html/test1/test2/test.php
2.4 Redirect語法
server {
listen 80;
server_name start.igrow.cn;
index index.html index.php;
root html;
if ($http_host !~ “^star\.igrow\.cn$" {
rewrite ^(.*) http://star.igrow.cn$1 redirect;
}
}
2.5 防盜鏈
location ~* \.(gif|jpg|swf)$ {
valid_referers none blocked start.igrow.cn sta.igrow.cn;
if ($invalid_referer) {
rewrite ^/ http://$host/logo.png;
}
}
2.6 依據(jù)文件類型設(shè)置過期時間
location ~* \.(js|css|jpg|jpeg|gif|png|swf)$ {
if (-f $request_filename) {
expires 1h;
break;
}
}
2.7 禁止訪問某個文件夾
location ~* \.(txt|doc)${
root /data/www/wwwroot/linuxtone/test;
deny all;
}
一些可用的全局變量:
$args
$content_length
$content_type
$document_root
$document_uri
$host
$http_user_agent
$http_cookie
$limit_rate
$request_body_file
$request_method
$remote_addr
$remote_port
$remote_user
$request_filename
$request_uri
$query_string
$scheme
$server_protocol
$server_addr
$server_name
$server_port
$uri
2.8 Nginx靜態(tài)文件(css,js,jpg等等web靜態(tài)資源)
vim /usr/local/nginx/conf/nginx.conf
? server {
? ? ? ? listen ? ? ? 80;
? ? ? ? server_name ?localhost;
? ? ? ? open_file_cache max=10000 inactive=60s;
? ? ? ? location /group1/M00 {
? ? ? ? ? ? root ? /data/fastdfs/data;
? ? ? ? ? ? ngx_fastdfs_module;
? ? ? ? }
? ? ? ? location /css {
? ? ? ? ? ? root ? plocc_static;
? ? ? ? ? ? include gzip.conf;
? ? ? ? }
? ? ? ? location /common {
? ? ? ? ? ? root ? plocc_static;
? ? ? ? ? ? include gzip.conf;
? ? ? ? }
2.9 nginx 轉(zhuǎn)發(fā)project的日志文件
去nginx.conf配置文件中面去看訪問日志,例如以下:
vim nginx.conf
? ? ? ?location ~* ^/mobileWeb/.*$ {
? ? ? ? ? ?include deny.conf;
? ? ? ? ? ?proxy_pass http://mobilewebbackend;
? ? ? ? ? ?include proxy.conf;
? ? ? ? ? ?error_log ?logs/mobileweb_error.log error;
? ? ? ? ? ?access_log ?logs/mobileweb_access.log ?main;
? ? ? ? ? ?include gzip.conf;
? ? ? ? }
再去logs文件夾查看日志文件。例如以下:
[root@xx logs]# ll /usr/local/nginx/logs/mobileweb*
-rw-r--r--. 1 root root 10946 7月 ?18 10:36 /usr/local/nginx/logs/mobileweb_access.log
-rw-r--r--. 1 root root ?1628 7月 ?18 10:36 /usr/local/nginx/logs/mobileweb_error.log
3 加入啟動服務(wù)
[root@localhost nginx]#?cat /etc/init.d/nginx
#!/bin/bash
#chkconfig:2345 70 70
#description:nginx
BIN=/usr/nginx/sbin/nginx
function d_start {
??$BIN?||?echo?-n \"nginx is running\"
}
function d_stop {
??$BIN?-s stop?||?echo?-n \"nginx is not running\"
}
function d_reload {
??$BIN?-s reload?||?echo?-n \"nginx reload failed\"
}
case $1?in
start)
???echo?start nginx
???d_start
;;
stop)?
???echo?stop nginx
???d_stop
;;
reload)
???echo?reload nginx
???d_reload
;;
restart)
???echo?restart nginx
???d_stop
???echo?sleep?5s
???sleep?5
???d_start
;;
*)?
???echo?\"Usage: nginx [start | stop |reload |restart]\"
;;
esac
exit 0 啟動:?service nginx start;
4 制作證書Key。
4.1.首先要生成服務(wù)器端的私鑰(key文件):
openssl genrsa -des3 -out server.key 2048
Enter pass phrase for server.key:gongsilong0617
4.2.用server.key生成一個證書:
openssl req -new -key server.key -out server.csr
pass phrase: gongsilong0617
[root@localhost ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:gongsilong
Organizational Unit Name (eg, section) []:business
Common Name (eg, your name or your server's hostname) []:ops
Email Address []:mch@gongsilong.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:gongsilong0617
An optional company name []:gongsilong
[root@localhost ssl]#
4.3.?對客戶端也作相同的命令生成key及csr文件
openssl genrsa -des3 -out client.key 2048
pass phrase: plclient0618
[root@localhost client]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:gongsilong
Organizational Unit Name (eg, section) []:business
Common Name (eg, your name or your server's hostname) []:ops
Email Address []:mch@gongsilong.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:plclient0618
An optional company name []:gongsilong
4.4 生成的CSR證書文件必須有CA的簽名才可形成證書.這里制作自己的CA 這時生成一個KEY文件ca.key 和根證書ca.crt
pass phrase: gongsilong0617
[root@localhost ssl]# openssl req -new -x509 -nodes -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.......++++++
................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:
writing new private key to 'ca.key'Organization Name (eg, company) [My Company Ltd]:
[root@localhost ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
..............++++++
..................................................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:gongsilong
Organizational Unit Name (eg, section) []:business
Common Name (eg, your name or your server's hostname) []:ops
Email Address []:mch@gongsilong.com
[root@localhost ssl]#?
[root@localhost ssl]# mch@gongsilong.com
-bash: mch@gongsilong.com: command not found
[root@localhost ssl]#?
簽署證書準(zhǔn)備工作:
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir ? ? ? ? ? ?= ../../CA ? ? ?//改動例如以下
dir ? ? ? ? ? ? = /etc/pki/plocc/CA
touch /etc/pki/plocc/CA/{index.txt,serial}?
[root@localhost ssl]# ll /etc/pki/plocc/CA/
總計 0
-rw-r--r-- 1 root root 0 06-18 10:47 index.txt
-rw-r--r-- 1 root root 0 06-18 10:47 serial
[root@localhost ssl]# echo 01 > /etc/pki/plocc/CA/serial
[root@localhost ssl]# mkdir /etc/pki/plocc/CA/newcerts
4.5 用生成的CA的證書(ca.crt)為剛才生成的server.csr,client.csr文件簽名
pass phrase:gongsilong0617
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key?
[root@localhost ssl]#?openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key?
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
? ? ? ? Serial Number: 1 (0x1)
? ? ? ? Validity
? ? ? ? ? ? Not Before: Jun 18 04:04:09 2014 GMT
? ? ? ? ? ? Not After : Jun 18 04:04:09 2015 GMT
? ? ? ? Subject:
? ? ? ? ? ? countryName ? ? ? ? ? ? ? = cn
? ? ? ? ? ? stateOrProvinceName ? ? ? = shanghai
? ? ? ? ? ? organizationName ? ? ? ? ?= baolong
? ? ? ? ? ? organizationalUnitName ? ?= business
? ? ? ? ? ? commonName ? ? ? ? ? ? ? ?= ops
? ? ? ? ? ? emailAddress ? ? ? ? ? ? ?= mch@gongsilong.com
? ? ? ? X509v3 extensions:
? ? ? ? ? ? X509v3 Basic Constraints:?
? ? ? ? ? ? ? ? CA:FALSE
? ? ? ? ? ? Netscape Comment:?
? ? ? ? ? ? ? ? OpenSSL Generated Certificate
? ? ? ? ? ? X509v3 Subject Key Identifier:?
? ? ? ? ? ? ? ? 52:6A:D9:56:CB:2B:DA:E3:9A:18:CC:FE:4D:A1:8C:21:86:55:D5:11
? ? ? ? ? ? X509v3 Authority Key Identifier:?
? ? ? ? ? ? ? ? keyid:4E:F5:29:7F:6B:AD:11:EF:FC:44:CC:76:1D:B0:B9:F7:4B:9D:CB:93
Certificate is to be certified until Jun 18 04:04:09 2015 GMT (365 days)
Sign the certificate?
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#?
[root@localhost ssl]#?openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key?
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
? ? ? ? Serial Number: 2 (0x2)
? ? ? ? Validity
? ? ? ? ? ? Not Before: Jun 18 04:10:40 2014 GMT
? ? ? ? ? ? Not After : Jun 18 04:10:40 2015 GMT
? ? ? ? Subject:
? ? ? ? ? ? countryName ? ? ? ? ? ? ? = cn
? ? ? ? ? ? stateOrProvinceName ? ? ? = shanghai
? ? ? ? ? ? organizationName ? ? ? ? ?= baolong
? ? ? ? ? ? organizationalUnitName ? ?= business
? ? ? ? ? ? commonName ? ? ? ? ? ? ? ?= ops
? ? ? ? ? ? emailAddress ? ? ? ? ? ? ?= mch@gongsilong.com
? ? ? ? X509v3 extensions:
? ? ? ? ? ? X509v3 Basic Constraints:?
? ? ? ? ? ? ? ? CA:FALSE
? ? ? ? ? ? Netscape Comment:?
? ? ? ? ? ? ? ? OpenSSL Generated Certificate
? ? ? ? ? ? X509v3 Subject Key Identifier:?
? ? ? ? ? ? ? ? E2:64:97:DC:A6:2B:85:53:5F:6C:5C:8D:1F:EB:59:C8:2C:66:C5:10
? ? ? ? ? ? X509v3 Authority Key Identifier:?
? ? ? ? ? ? ? ? keyid:4E:F5:29:7F:6B:AD:11:EF:FC:44:CC:76:1D:B0:B9:F7:4B:9D:CB:93
Certificate is to be certified until Jun 18 04:10:40 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#?
[PS]:附帶功能:
另外,這個certificate是BASE64形式的,要轉(zhuǎn)成PKCS12才干裝到IE,/NETSCAPE上.轉(zhuǎn)換例如以下:
雙擊安裝即可
?openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
這個是ISO 須要的證書格式
openssl x509 -in client.crt -out client.cer
這個是android 須要的證書格式。
[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out ?client.pfx
Enter pass phrase for client.key: ? ? ?//客戶端私鑰password
Enter Export Password: ? ? ? ? ? ? //pfx文件導(dǎo)入要求的password
Verifying - Enter Export Password:
[root@localhost conf]#?service nginx stop
stop nginx
Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
nginx啟動SSL默認(rèn)不輸入password
假設(shè)nginx配置了SSL,在每次啟動nginx的時候都會須要你手動輸入證書的password,假設(shè)不想輸入,能夠
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
這樣啟動nginx的時候就不須要輸入password了。
[root@localhost ssl]#?cp server.key server.key.orig
[root@localhost ssl]#?openssl rsa -in server.key.orig -out server.key
Enter pass phrase for server.key.orig:
unable to load Private Key
20487:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:325:
20487:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
[root@localhost ssl]#?
這里奇怪,一開始通只是,可是過了15分鐘后,在執(zhí)行一遍,輸入password,又通過了,例如以下所看到的:
[root@localhost ssl]# openssl rsa -in server.key.orig -out server.key
Enter pass phrase for server.key.orig:
writing RSA key
[root@localhost ssl]#?
當(dāng)然也能夠保留password。改用expect的方式,這個能夠參考expect自己主動登錄SSH的方法。下次有時間再整理貼上來
5 靜態(tài)文件地址映射 nginx
location = userWeb/userCenter/findConsultList.htm {
? ? ? ? ? ?rewrite ^.*$ http://xx.gongsilong.com/xx/xx/findConsultList.htm;
? ? ? ? }
?# add by tim begin ...
? ? ? ? location ~* ^/svn/(.*) {
? ? ? ? ? ?rewrite ^.*$ https://192.123.11.12/$1;
? ? ? ? }
? ? ? ? # add by tim end ..?
來源地址:http://blog.itpub.net/26230597/abstract/1/
選擇Nginx的長處:
Nginx 能夠在大多數(shù) Unix like OS 上編譯執(zhí)行。并有 Windows 移植版。 Nginx 的1.4.0穩(wěn)定版已經(jīng)于2013年4月24日公布。普通情況下,對于新建站點,建議使用最新穩(wěn)定版作為生產(chǎn)版本號,已有站點的升級急迫性不高。Nginx 的源碼使用 2-clause BSD-like license。
Nginx 是一個非常強大的高性能Web和反向代理服務(wù)器,它具有非常多非常優(yōu)越的特性:
在高連接并發(fā)的情況下,Nginx是Apache服務(wù)器不錯的替代品:Nginx在美國是做虛擬主機生意的老板們常常選擇的軟件平臺之中的一個。
能夠支持高達(dá) 50,000 個并發(fā)連接數(shù)的響應(yīng),感謝Nginx為我們選擇了 epoll and kqueue作為開發(fā)模型。
1.1?執(zhí)行安裝
1.2 查看進(jìn)程數(shù)
進(jìn)程數(shù)是與top出來的cpu數(shù)量是一樣的。在/usr/local/nginx/conf/nginx.conf配置文件中面的worker_processes參數(shù)。
worker_processes指明了nginx要開啟的進(jìn)程數(shù)。據(jù)官方說法,一般開一個就夠了,多開幾個,能夠降低機器io帶來的影響。據(jù)實踐表明。nginx的這個參數(shù)在普通情況下開4個或8個就能夠了。再往上開的話優(yōu)化不太大。據(jù)還有一種說法是,nginx開啟太多的進(jìn)程,會影響主進(jìn)程調(diào)度,所以占用的cpu會增高。
2 配置文件
2.1 Nginx反向代理實踐
省過
2.2 Nginx Rewrite又一次定向
使用nginx做又一次定向。?
nginx參考網(wǎng)址:http://blog.sina.com.cn/s/blog_97688f8e0100zws5.html
語法規(guī)則: location [=|~|~*|^~] /uri/ { … }
= 開頭表示精確匹配
^~ 開頭表示uri以某個常規(guī)字符串開頭。理解為匹配 url路徑即可。
nginx不正確url做編碼。因此請求為/static/20%/aa,能夠被規(guī)則^~ /static/ /aa匹配到(注意是空格)。
~ 開頭表示區(qū)分大寫和小寫的正則匹配
~* ?開頭表示不區(qū)分大寫和小寫的正則匹配
!~和!~*分別為區(qū)分大寫和小寫不匹配及不區(qū)分大寫和小寫不匹配 的正則
/ 通用匹配,不論什么請求都會匹配到。
多個location配置的情況下匹配順序為(參考資料而來,還未實際驗證。試試就知道了。不必拘泥,僅供參考):
首先匹配 =。其次匹配^~, 其次是按文件中順序的正則匹配,最后是交給 / 通用匹配。當(dāng)有匹配成功時候,停止匹配。按當(dāng)前匹配規(guī)則處理請求。
樣例,有例如以下匹配規(guī)則:
location = / {
? ?#規(guī)則A
}
location = /login {
? ?#規(guī)則B
}
location ^~ /static/ {
? ?#規(guī)則C
}
location ~ \.(gif|jpg|png|js|css)$ {
? ?#規(guī)則D
}
location ~* \.png$ {
? ?#規(guī)則E
}
location !~ \.xhtml$ {
? ?#規(guī)則F
}
location !~* \.xhtml$ {
? ?#規(guī)則G
}
location / {
? ?#規(guī)則H
}
那么產(chǎn)生的效果例如以下:
訪問根文件夾/, 比方http://localhost/ 將匹配規(guī)則A
訪問 http://localhost/login 將匹配規(guī)則B,http://localhost/register 則匹配規(guī)則H
訪問 http://localhost/static/a.html 將匹配規(guī)則C
訪問 http://localhost/a.gif, http://localhost/b.jpg 將匹配規(guī)則D和規(guī)則E。可是規(guī)則D順序優(yōu)先,規(guī)則E不起作用,而 http://localhost/static/c.png 則優(yōu)先匹配到規(guī)則C
訪問 http://localhost/a.PNG 則匹配規(guī)則E,而不會匹配規(guī)則D。由于規(guī)則E不區(qū)分大寫和小寫。
訪問 http://localhost/a.xhtml 不會匹配規(guī)則F和規(guī)則G。http://localhost/a.XHTML不會匹配規(guī)則G,由于不區(qū)分大寫和小寫。規(guī)則F,規(guī)則G屬于排除法,符合匹配規(guī)則可是不會匹配到。所以想想看實際應(yīng)用中哪里會用到。
訪問 http://localhost/category/id/1111 則終于匹配到規(guī)則H,由于以上規(guī)則都不匹配,這個時候應(yīng)該是nginx轉(zhuǎn)發(fā)請求給后端應(yīng)用服務(wù)器,比方FastCGI(php),tomcat(jsp)。nginx作為方向代理服務(wù)器存在。
所以實際使用中。個人認(rèn)為至少有三個匹配規(guī)則定義,例如以下:
#直接匹配站點根,通過域名訪問站點首頁比較頻繁,使用這個會加速處理,官網(wǎng)如是說。
#這里是直接轉(zhuǎn)發(fā)給后端應(yīng)用服務(wù)器了。也能夠是一個靜態(tài)首頁
# 第一個必選規(guī)則
location = / {
? ? proxy_pass http://tomcat:8080/index
}
# 第二個必選規(guī)則是處理靜態(tài)文件請求,這是nginx作為http服務(wù)器的強項
# 有兩種配置模式,文件夾匹配或后綴匹配,任選其一或搭配使用
location ^~ /static/ {
? ? root /webroot/static/;
}
location ~* \.(gif|jpg|jpeg|png|css|js|ico)$ {
? ? root /webroot/res/;
}
#第三個規(guī)則就是通用規(guī)則。用來轉(zhuǎn)發(fā)動態(tài)請求到后端應(yīng)用服務(wù)器
#非靜態(tài)文件請求就默認(rèn)是動態(tài)請求。自己依據(jù)實際把握
#畢竟眼下的一些框架的流行。帶.php,.jsp后綴的情況非常少了
location / {
? ? proxy_pass http://tomcat:8080/
}
2.3 ReWrite語法
last – 基本上都用這個Flag。
break – 中止Rewirte,不在繼續(xù)匹配
redirect – 返回暫時重定向的HTTP狀態(tài)302
permanent – 返回永久重定向的HTTP狀態(tài)301
1、以下是能夠用來推斷的表達(dá)式:
-f和!-f用來推斷是否存在文件
-d和!-d用來推斷是否存在文件夾
-e和!-e用來推斷是否存在文件或文件夾
-x和!-x用來推斷文件是否可執(zhí)行
2、以下是能夠用作推斷的全局變量
例:http://localhost:88/test1/test2/test.php
$host:localhost
$server_port:88
$request_uri:http://localhost:88/test1/test2/test.php
$document_uri:/test1/test2/test.php
$document_root:D:\nginx/html
$request_filename:D:\nginx/html/test1/test2/test.php
2.4 Redirect語法
server {
listen 80;
server_name start.igrow.cn;
index index.html index.php;
root html;
if ($http_host !~ “^star\.igrow\.cn$" {
rewrite ^(.*) http://star.igrow.cn$1 redirect;
}
}
2.5 防盜鏈
location ~* \.(gif|jpg|swf)$ {
valid_referers none blocked start.igrow.cn sta.igrow.cn;
if ($invalid_referer) {
rewrite ^/ http://$host/logo.png;
}
}
2.6 依據(jù)文件類型設(shè)置過期時間
location ~* \.(js|css|jpg|jpeg|gif|png|swf)$ {
if (-f $request_filename) {
expires 1h;
break;
}
}
2.7 禁止訪問某個文件夾
location ~* \.(txt|doc)${
root /data/www/wwwroot/linuxtone/test;
deny all;
}
一些可用的全局變量:
$args
$content_length
$content_type
$document_root
$document_uri
$host
$http_user_agent
$http_cookie
$limit_rate
$request_body_file
$request_method
$remote_addr
$remote_port
$remote_user
$request_filename
$request_uri
$query_string
$scheme
$server_protocol
$server_addr
$server_name
$server_port
$uri
2.8 Nginx靜態(tài)文件(css,js,jpg等等web靜態(tài)資源)
vim /usr/local/nginx/conf/nginx.conf
? server {
? ? ? ? listen ? ? ? 80;
? ? ? ? server_name ?localhost;
? ? ? ? open_file_cache max=10000 inactive=60s;
? ? ? ? location /group1/M00 {
? ? ? ? ? ? root ? /data/fastdfs/data;
? ? ? ? ? ? ngx_fastdfs_module;
? ? ? ? }
? ? ? ? location /css {
? ? ? ? ? ? root ? plocc_static;
? ? ? ? ? ? include gzip.conf;
? ? ? ? }
? ? ? ? location /common {
? ? ? ? ? ? root ? plocc_static;
? ? ? ? ? ? include gzip.conf;
? ? ? ? }
2.9 nginx 轉(zhuǎn)發(fā)project的日志文件
去nginx.conf配置文件中面去看訪問日志,例如以下:
vim nginx.conf
? ? ? ?location ~* ^/mobileWeb/.*$ {
? ? ? ? ? ?include deny.conf;
? ? ? ? ? ?proxy_pass http://mobilewebbackend;
? ? ? ? ? ?include proxy.conf;
? ? ? ? ? ?error_log ?logs/mobileweb_error.log error;
? ? ? ? ? ?access_log ?logs/mobileweb_access.log ?main;
? ? ? ? ? ?include gzip.conf;
? ? ? ? }
再去logs文件夾查看日志文件。例如以下:
[root@xx logs]# ll /usr/local/nginx/logs/mobileweb*
-rw-r--r--. 1 root root 10946 7月 ?18 10:36 /usr/local/nginx/logs/mobileweb_access.log
-rw-r--r--. 1 root root ?1628 7月 ?18 10:36 /usr/local/nginx/logs/mobileweb_error.log
3 加入啟動服務(wù)
4 制作證書Key。
4.1.首先要生成服務(wù)器端的私鑰(key文件):
openssl genrsa -des3 -out server.key 2048
Enter pass phrase for server.key:gongsilong0617
4.2.用server.key生成一個證書:
openssl req -new -key server.key -out server.csr
pass phrase: gongsilong0617
[root@localhost ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:gongsilong
Organizational Unit Name (eg, section) []:business
Common Name (eg, your name or your server's hostname) []:ops
Email Address []:mch@gongsilong.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:gongsilong0617
An optional company name []:gongsilong
[root@localhost ssl]#
4.3.?對客戶端也作相同的命令生成key及csr文件
openssl genrsa -des3 -out client.key 2048
pass phrase: plclient0618
[root@localhost client]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:gongsilong
Organizational Unit Name (eg, section) []:business
Common Name (eg, your name or your server's hostname) []:ops
Email Address []:mch@gongsilong.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:plclient0618
An optional company name []:gongsilong
4.4 生成的CSR證書文件必須有CA的簽名才可形成證書.這里制作自己的CA 這時生成一個KEY文件ca.key 和根證書ca.crt
pass phrase: gongsilong0617
[root@localhost ssl]# openssl req -new -x509 -nodes -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.......++++++
................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:
writing new private key to 'ca.key'Organization Name (eg, company) [My Company Ltd]:
[root@localhost ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
..............++++++
..................................................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:gongsilong
Organizational Unit Name (eg, section) []:business
Common Name (eg, your name or your server's hostname) []:ops
Email Address []:mch@gongsilong.com
[root@localhost ssl]#?
[root@localhost ssl]# mch@gongsilong.com
-bash: mch@gongsilong.com: command not found
[root@localhost ssl]#?
簽署證書準(zhǔn)備工作:
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir ? ? ? ? ? ?= ../../CA ? ? ?//改動例如以下
dir ? ? ? ? ? ? = /etc/pki/plocc/CA
touch /etc/pki/plocc/CA/{index.txt,serial}?
[root@localhost ssl]# ll /etc/pki/plocc/CA/
總計 0
-rw-r--r-- 1 root root 0 06-18 10:47 index.txt
-rw-r--r-- 1 root root 0 06-18 10:47 serial
[root@localhost ssl]# echo 01 > /etc/pki/plocc/CA/serial
[root@localhost ssl]# mkdir /etc/pki/plocc/CA/newcerts
4.5 用生成的CA的證書(ca.crt)為剛才生成的server.csr,client.csr文件簽名
pass phrase:gongsilong0617
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key?
[root@localhost ssl]#?openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key?
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
? ? ? ? Serial Number: 1 (0x1)
? ? ? ? Validity
? ? ? ? ? ? Not Before: Jun 18 04:04:09 2014 GMT
? ? ? ? ? ? Not After : Jun 18 04:04:09 2015 GMT
? ? ? ? Subject:
? ? ? ? ? ? countryName ? ? ? ? ? ? ? = cn
? ? ? ? ? ? stateOrProvinceName ? ? ? = shanghai
? ? ? ? ? ? organizationName ? ? ? ? ?= baolong
? ? ? ? ? ? organizationalUnitName ? ?= business
? ? ? ? ? ? commonName ? ? ? ? ? ? ? ?= ops
? ? ? ? ? ? emailAddress ? ? ? ? ? ? ?= mch@gongsilong.com
? ? ? ? X509v3 extensions:
? ? ? ? ? ? X509v3 Basic Constraints:?
? ? ? ? ? ? ? ? CA:FALSE
? ? ? ? ? ? Netscape Comment:?
? ? ? ? ? ? ? ? OpenSSL Generated Certificate
? ? ? ? ? ? X509v3 Subject Key Identifier:?
? ? ? ? ? ? ? ? 52:6A:D9:56:CB:2B:DA:E3:9A:18:CC:FE:4D:A1:8C:21:86:55:D5:11
? ? ? ? ? ? X509v3 Authority Key Identifier:?
? ? ? ? ? ? ? ? keyid:4E:F5:29:7F:6B:AD:11:EF:FC:44:CC:76:1D:B0:B9:F7:4B:9D:CB:93
Certificate is to be certified until Jun 18 04:04:09 2015 GMT (365 days)
Sign the certificate?
[y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#?
[root@localhost ssl]#?openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key?
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
? ? ? ? Serial Number: 2 (0x2)
? ? ? ? Validity
? ? ? ? ? ? Not Before: Jun 18 04:10:40 2014 GMT
? ? ? ? ? ? Not After : Jun 18 04:10:40 2015 GMT
? ? ? ? Subject:
? ? ? ? ? ? countryName ? ? ? ? ? ? ? = cn
? ? ? ? ? ? stateOrProvinceName ? ? ? = shanghai
? ? ? ? ? ? organizationName ? ? ? ? ?= baolong
? ? ? ? ? ? organizationalUnitName ? ?= business
? ? ? ? ? ? commonName ? ? ? ? ? ? ? ?= ops
? ? ? ? ? ? emailAddress ? ? ? ? ? ? ?= mch@gongsilong.com
? ? ? ? X509v3 extensions:
? ? ? ? ? ? X509v3 Basic Constraints:?
? ? ? ? ? ? ? ? CA:FALSE
? ? ? ? ? ? Netscape Comment:?
? ? ? ? ? ? ? ? OpenSSL Generated Certificate
? ? ? ? ? ? X509v3 Subject Key Identifier:?
? ? ? ? ? ? ? ? E2:64:97:DC:A6:2B:85:53:5F:6C:5C:8D:1F:EB:59:C8:2C:66:C5:10
? ? ? ? ? ? X509v3 Authority Key Identifier:?
? ? ? ? ? ? ? ? keyid:4E:F5:29:7F:6B:AD:11:EF:FC:44:CC:76:1D:B0:B9:F7:4B:9D:CB:93
Certificate is to be certified until Jun 18 04:10:40 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#?
[PS]:附帶功能:
另外,這個certificate是BASE64形式的,要轉(zhuǎn)成PKCS12才干裝到IE,/NETSCAPE上.轉(zhuǎn)換例如以下:
雙擊安裝即可
?openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
這個是ISO 須要的證書格式
openssl x509 -in client.crt -out client.cer
這個是android 須要的證書格式。
[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out ?client.pfx
Enter pass phrase for client.key: ? ? ?//客戶端私鑰password
Enter Export Password: ? ? ? ? ? ? //pfx文件導(dǎo)入要求的password
Verifying - Enter Export Password:
[root@localhost conf]#?service nginx stop
stop nginx
Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
nginx啟動SSL默認(rèn)不輸入password
假設(shè)nginx配置了SSL,在每次啟動nginx的時候都會須要你手動輸入證書的password,假設(shè)不想輸入,能夠
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
這樣啟動nginx的時候就不須要輸入password了。
[root@localhost ssl]#?cp server.key server.key.orig
[root@localhost ssl]#?openssl rsa -in server.key.orig -out server.key
Enter pass phrase for server.key.orig:
unable to load Private Key
20487:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:325:
20487:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
[root@localhost ssl]#?
這里奇怪,一開始通只是,可是過了15分鐘后,在執(zhí)行一遍,輸入password,又通過了,例如以下所看到的:
[root@localhost ssl]# openssl rsa -in server.key.orig -out server.key
Enter pass phrase for server.key.orig:
writing RSA key
[root@localhost ssl]#?
當(dāng)然也能夠保留password。改用expect的方式,這個能夠參考expect自己主動登錄SSH的方法。下次有時間再整理貼上來
5 靜態(tài)文件地址映射 nginx
location = userWeb/userCenter/findConsultList.htm {
? ? ? ? ? ?rewrite ^.*$ http://xx.gongsilong.com/xx/xx/findConsultList.htm;
? ? ? ? }
?# add by tim begin ...
? ? ? ? location ~* ^/svn/(.*) {
? ? ? ? ? ?rewrite ^.*$ https://192.123.11.12/$1;
? ? ? ? }
? ? ? ? # add by tim end ..?
來源地址:http://blog.itpub.net/26230597/abstract/1/
總結(jié)
以上是生活随笔為你收集整理的Nginx安装学习使用具体记录的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 如何写出正确的二分查找?——利用循环不变
- 下一篇: Nginx反代Mogilefs分布式储存