A complete guide to basic module configuration and use of the Nginx server

  • 2020-05-12 06:47:21
  • OfStack

1. Install nginx
1.1 select the stable version
We compile and install nginx from source so that we can customize our own modules. The machine runs CentOS 6.2 x86_64. First install the missing dependencies:


# yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel

If any of these packages are not available through yum, you can download their source code and compile and install them. Just be aware of the default installation directory chosen at compile time, and make sure these dynamic library files can be found (ldconfig) when you install nginx below.

Download the stable version nginx-1.6.3.tar.gz from http://nginx.org/en/download.html and unpack it under /usr/local/src.

To prepare for later, we also download two additional plug-in modules: nginx_upstream_check_module-0.3.0.tar.gz, which checks the status of the back-end servers, and nginx-goodies-nginx-sticky-module-ng-bd312d586752.tar.gz (it is suggested to rename the directory to nginx-sticky-module-ng-1.2.5 after unpacking it under /usr/local/src), which solves the session stickiness problem when load balancing across back-ends (the upstream_check module needs an additional patch; see the article on practical nginx load balancing configuration).

Please make sure that the plug-ins are compatible with the nginx version. The newer the plug-in, the better. nginx-1.4.7 with nginx-sticky-module-1.1 and nginx_upstream_check_module-0.2.0 is a combination that works without problems. sticky-1.1 with nginx-1.6 failed to compile because the module had not kept up with updates. (You can also use Tengine directly, which includes these modules by default.)


[root@cachets nginx-1.6.3]# pwd
/usr/local/src/nginx-1.6.3
[root@cachets nginx-1.6.3]# ./configure --prefix=/usr/local/nginx-1.6 --with-pcre \
> --with-http_stub_status_module --with-http_ssl_module \
> --with-http_gzip_static_module --with-http_realip_module \
> --add-module=../nginx_upstream_check_module-0.3.0

[root@cachets nginx-1.6.3]# make && make install

1.2 description of common compilation options
Most commonly used nginx modules are built by default at compile time; in the output of ./configure --help they are the ones whose options begin with --without.

--prefix=PATH: specifies the installation directory for nginx. The default is /usr/local/nginx
--conf-path=PATH: sets the path to the nginx.conf configuration file. nginx allows you to start with a different configuration file, using the -c option on the command line. Defaults to prefix/conf/nginx.conf
--user=name: sets the user of the nginx worker processes. Once the installation is complete, you can change it at any time with the user directive in the nginx.conf configuration file. The default username is nobody. --group=name is similar
--with-pcre: sets the source path of the PCRE library. If PCRE was installed via yum, plain --with-pcre finds the library files automatically. With --with-pcre=PATH, you download the source code (version 4.4-8.30) of the PCRE library from the PCRE website and unpack it, leaving the rest to nginx's ./configure and make. Perl-compatible regular expressions are used in the location directive and the ngx_http_rewrite_module module.
--with-zlib=PATH: specifies the directory of the unpacked zlib source (version 1.1.3-1.2.5). zlib is needed by the network transfer compression module ngx_http_gzip_module, which is enabled by default.
--with-http_ssl_module: builds the module for the https protocol. By default the module is not built. It requires openssl and openssl-devel to be installed
--with-http_stub_status_module: used to monitor the current state of Nginx
--with-http_realip_module: this module allows us to change the client IP address to the value from a client request header (for example, X-Real-IP or X-Forwarded-For), so that the back-end server can record the original client IP address
--add-module=PATH: adds a third-party external module, such as nginx-sticky-module-ng or the cache module. nginx must be recompiled every time a new module is added (Tengine can add a new module without recompiling)
Another set of compile options, for reference:


./configure \
> --prefix=/usr \
> --sbin-path=/usr/sbin/nginx \
> --conf-path=/etc/nginx/nginx.conf \
> --error-log-path=/var/log/nginx/error.log \
> --http-log-path=/var/log/nginx/access.log \
> --pid-path=/var/run/nginx/nginx.pid \
> --lock-path=/var/lock/nginx.lock \
> --user=nginx \
> --group=nginx \
> --with-http_ssl_module \
> --with-http_stub_status_module \
> --with-http_gzip_static_module \
> --http-client-body-temp-path=/var/tmp/nginx/client/ \
> --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
> --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
> --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
> --with-pcre=../pcre-7.8 \
> --with-zlib=../zlib-1.2.3

1.3 start and close nginx


##  Check that the configuration file is correct 
# /usr/local/nginx-1.6/sbin/nginx -t 
# ./sbin/nginx -V   #  You can see the compile options 

## Start and stop
# ./sbin/nginx    # uses the default configuration file conf/nginx.conf; -c specifies another one
# ./sbin/nginx -s stop

Or pkill nginx


## Reload, keeping the configuration file specified at startup
# ./sbin/nginx -s reload

or


kill -HUP `cat /usr/local/nginx-1.6/logs/nginx.pid`

Of course, nginx can also be managed as a system service: download the nginx init script to /etc/init.d/, modify the paths inside it, and then make it executable.


# service nginx {start|stop|status|restart|reload|configtest}

1.4 yum installation
Installing the rpm package with yum is much easier than compiling and installing from source. Many modules are installed by default, but the downside is that you cannot add a third-party module later.


# vi /etc/yum.repos.d/nginx.repo
[nginx] 
name=nginx repo 
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ 
gpgcheck=0 
enabled=1

After that, run yum install nginx, or yum install nginx-1.6.3 to install a specific version (provided you have checked under packages that the corresponding version exists; the default is the latest stable version).
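The repo stanza above sets gpgcheck=0 and an http:// baseurl, so packages are installed without signature verification over an unauthenticated channel. The following is an added example, not part of the original article: it prints the article's stanza next to a hardened one (HTTPS plus the nginx.org signing key) and checks both. The function names are made up for this illustration and both stanzas are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article; both stanzas are constructed samples.

# The stanza as given in the article: signatures not checked, fetched over HTTP.
article_repo() {
cat <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF
}

# Hardened variant: HTTPS transport plus mandatory signature verification
# against the nginx.org package signing key.
hardened_repo() {
cat <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
}

# repo_findings: read a yum .repo file on stdin and print one
# "<section> <issue>" line for each setting that weakens package integrity.
repo_findings() {
  awk '
    { sub(/[ \t\r]+$/, ""); sub(/^[ \t]+/, "") }   # tolerate stray whitespace
    /^\[/                          { sec = $0; next }
    /^gpgcheck[ \t]*=[ \t]*0$/     { print sec, "gpgcheck-disabled" }
    /^baseurl[ \t]*=[ \t]*http:/   { print sec, "plain-http-baseurl" }
  '
}

echo "article stanza:";  article_repo  | repo_findings
echo "hardened stanza:"; hardened_repo | repo_findings
```

The same function can be pointed at real files, for example `cat /etc/yum.repos.d/*.repo | repo_findings`.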

2. nginx.conf configuration file
The Nginx configuration file is divided into four main parts: main (global settings), server (host settings), upstream (upstream server settings, mainly configuration for reverse proxying and load balancing) and location (settings for URLs that match a specific location). Each part contains a number of directives. Directives set in the main part affect the settings of all other parts; directives in the server part mainly specify the virtual host's domain name, IP and port; upstream directives define a series of back-end servers and set up reverse proxying and load balancing across them; the location part matches page locations (for example the root directory "/", "/images", and so on). The relation between them is: server inherits from main, and location inherits from server; upstream neither inherits nor is inherited. It has its own special directives that are not used elsewhere.

Several instruction contexts currently supported by nginx:

2.1 general
The following nginx.conf is a simple setup with nginx as a front-end reverse proxy server: it handles static files such as js and png itself and forwards dynamic requests such as jsp to other servers (tomcat):


user www www;
worker_processes 2;

error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

pid    logs/nginx.pid;


events {
  use epoll;
  worker_connections 2048;
}


http {
  include    mime.types;
  default_type application/octet-stream;

  # log_format main must be defined, because access_log in the server block below refers to it
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
           '$status $body_bytes_sent "$http_referer" '
           '"$http_user_agent" "$http_x_forwarded_for"';

  #access_log logs/access.log main;

  sendfile    on;
  # tcp_nopush   on;

  keepalive_timeout 65;

  # gzip compression settings
  gzip on;
  gzip_min_length 1k;
  gzip_buffers  4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 6;
  gzip_types text/html text/plain text/css text/javascript application/json application/javascript application/x-javascript application/xml;
  gzip_vary on;
 
  # http_proxy settings
  client_max_body_size  10m;
  client_body_buffer_size  128k;
  proxy_connect_timeout  75;
  proxy_send_timeout  75;
  proxy_read_timeout  75;
  proxy_buffer_size  4k;
  proxy_buffers  4 32k;
  proxy_busy_buffers_size  64k;
  proxy_temp_file_write_size 64k;
  proxy_temp_path  /usr/local/nginx/proxy_temp 1 2;

  # List of back-end servers for load balancing
  upstream backend { 
       #ip_hash; 
       server  192.168.10.100:8080 max_fails=2 fail_timeout=30s ; 
       server  192.168.10.101:8080 max_fails=2 fail_timeout=30s ; 
  }

  # The virtual host configuration (very important)
  server {
    listen    80;
    server_name itoatest.example.com;
    root  /apps/oaapp;

    charset utf-8;
    access_log logs/host.access.log main;

    # Load-balance and reverse-proxy all requests under /
    location / {
      root  /apps/oaapp;
      index index.jsp index.html index.htm;

      proxy_pass    http://backend; 
      proxy_redirect off;
      # The back-end web server can obtain the user's real IP through X-Forwarded-For
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr; 
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
      
    }

    # Static files are handled by nginx itself and are not passed to the back-end tomcat
    location ~* /download/ { 
      root /apps/oa/fs; 
      
    }
    location ~ .*\.(gif|jpg|jpeg|bmp|png|ico|txt|js|css)$  
    {  
      root /apps/oaapp;  
      expires   7d; 
    }
    location /nginx_status {
      stub_status on;
      access_log off;
      allow 192.168.10.0/24;
      deny all;
    }

    location ~ ^/(WEB-INF)/ {  
      deny all;  
    }
    #error_page 404       /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page  500 502 503 504 /50x.html;
    location = /50x.html {
      root  html;
    }
  }

  ## Other virtual hosts start here with further server directives
}

2.2 description of common instructions
2.2.1 main global configuration

Parameters that are unrelated to any specific business function (such as the http service or mail proxying) while nginx is running, for example the number of worker processes and the identity nginx runs as.

worker_processes 2
Set in the top-level main section of the configuration file: the number of worker processes. The master process is the one that receives requests and assigns them to the worker processes. This value can simply be set to the number of CPU cores (grep ^processor /proc/cpuinfo | wc -l), which is also what the value auto gives. If ssl and gzip are turned on, it should be set to 1 or even 2 times the number of logical CPUs, which can reduce I/O operations. If the nginx server also runs other services, consider reducing it.

worker_cpu_affinity
Also written in the main section. Under high concurrency, CPU affinity (stickiness) is set to reduce the performance loss from rebuilding context, such as registers, when processes switch between CPU cores. For example, worker_cpu_affinity 0001 0010 0100 1000; (4 cores).

worker_connections 2048
Written in the events section. The maximum number of connections (including all connections to clients and to back-end servers being proxied) that each worker process can handle (initiate) concurrently. When nginx is a reverse proxy server, the maximum number of client connections = worker_processes * worker_connections / 4, so here the maximum number of client connections is 1024. There is no harm in raising this value to 8192, but it cannot exceed worker_rlimit_nofile. When nginx is the http server, the formula divides by 2 instead.

worker_rlimit_nofile 10240
Written in the main section. It is not set by default and can be set as high as the operating system maximum of 65535.

use epoll
Written in the events section. On Linux, nginx uses the epoll event model by default, which is why nginx is so efficient on Linux. Likewise, on OpenBSD or FreeBSD nginx uses kqueue, an efficient event model similar to epoll. select is used only when the operating system does not support these efficient models.

2.2.2 http server

Configuration parameters related to providing the http service, for example whether keepalive is used, whether gzip compression is used, and so on.

sendfile on
Enables efficient file transfer mode. The sendfile directive specifies whether nginx calls the sendfile function to output files, which reduces context switching between user space and kernel space. Set it to on for ordinary applications; for applications with heavy disk I/O load, such as downloads, it can be set to off to balance disk and network I/O processing speed and reduce system load.

keepalive_timeout 65: keep-alive (persistent connection) timeout in seconds. This parameter is very sensitive: it involves the type of browser, the timeout settings of the back-end server, and the operating system settings. For requests for a large number of small files, persistent connections reduce the overhead of re-establishing connections, but if a large file is being uploaded and the upload is not completed within 65s, it will fail. If the timeout is set too long and there are many users, keeping connections open for a long time takes up a lot of resources.

send_timeout: specifies the timeout for sending a response to the client. The timeout applies only to the time between two successive connection activities; if the client shows no activity within this time, Nginx closes the connection.

client_max_body_size 10m
The maximum number of bytes per file that a client is allowed to send in a request. If you upload large files, raise this limit

client_body_buffer_size 128k
The maximum number of bytes of a client request that the proxy buffers

Module http_proxy:
This module implements nginx as a reverse proxy server, including caching (see article)

proxy_connect_timeout 60
Timeout for nginx connecting to the back-end server (proxy connection timeout)
proxy_read_timeout 60
After a successful connection, the timeout between two successive successful response operations from the back-end server (proxy receive timeout)

proxy_buffer_size 4k
Sets the size of the buffer in which the proxy server (nginx) reads and stores the user header information from the back-end real server; by default it is the same size as proxy_buffers

proxy_buffers 4 32k
The proxy_buffers buffers: nginx buffers the response from the back-end real server for a single connection in them. Set it like this if the average page is below 32k

proxy_busy_buffers_size 64k
Buffer size under high load (proxy_buffers*2)

proxy_max_temp_file_size
When proxy_buffers cannot hold the response from the back-end server, part of it is saved to a temporary file on disk. This value sets the maximum temporary file size. The default is 1024M, and it is not related to proxy_cache. Anything beyond this value is passed back from the upstream server. Set to 0 to disable.

proxy_temp_file_write_size 64k
This option limits how much is written to the temporary file at a time when the proxied server's response is buffered to a temporary file. proxy_temp_path (which can be set at compile time) specifies which directory to write to.

See section location for proxy_pass, proxy_redirect.

Module http_gzip:

gzip on: turns on gzip-compressed output to reduce network traffic.
gzip_min_length 1k: sets the minimum page size, in bytes, that is allowed to be compressed. The page size is taken from the Content-Length header. The default value is 20. A value greater than 1k is recommended; below 1k, compression may actually make the result larger.
gzip_buffers 4 16k: sets how many buffer units the system allocates to hold the gzip-compressed output stream. 4 16k means memory is requested in units of 16k, at 4 times the original data size in 16k units.
gzip_http_version 1.0: identifies the version of the http protocol. Early browsers did not support gzip compression, so users would see garbled output; this option was added to support those earlier versions.
gzip_comp_level 6: gzip compression level. 1 gives the lowest compression ratio and the fastest processing, 9 gives the highest compression ratio but the slowest processing (fast to transmit but relatively CPU-intensive)
gzip_types: the MIME types to compress. The "text/html" type is always compressed whether or not it is specified.
gzip_proxied any: takes effect when Nginx is used as a reverse proxy and determines whether results returned by the back-end server are compressed. The precondition for matching is that the back-end server returns a header containing "Via".
gzip_vary on: related to the http headers. A Vary: Accept-Encoding is added to the response header so that a front-end cache server can cache gzip-compressed pages, for example when Squid caches data compressed by Nginx.
2.2.3 server virtual host

The http service supports several virtual hosts. Each virtual host has one corresponding server configuration item, which contains the configuration related to that virtual host. Several server items can also be set up when proxying the mail service. Each server is distinguished by the address or port it listens on.

listen
The port to listen on, 80 by default; ports below 1024 require starting as root. It can take forms such as listen *:80, listen 127.0.0.1:80, etc.

server_name
The server name, such as localhost or www.example.com; regular expressions can be used for matching.

Module http_upstream
This module implements load balancing from client IPs to the back-end servers using simple scheduling algorithms. upstream is followed by the name of the load balancer; the back-end real servers are listed as host:port options; inside {}. If only one back-end is proxied, it can also be written directly in proxy_pass.

2.2.4 location

In the http service, a series of configuration items that apply to certain specific URLs.

root /var/www/html
Defines the default site root location for the server. If the location URL matches a subdirectory or file, root has no effect; it is usually placed in or under the server directive.

index index.jsp index.html index.htm
Defines the file names to be accessed by default under the path; usually placed the same way as root

proxy_pass http://backend
The request is forwarded to the list of servers defined by backend, that is, the reverse proxy, corresponding to the upstream load balancer. It can also be written as proxy_pass http://ip:port.

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
For the time being, set these four as shown; each of them involves very complex content and will be explained in another article.

How location matching rules are written is particularly critical and basic. Refer to the article summarizing nginx location configuration and how to write rewrite rules;

2.3 other
2.3.1 access control allow/deny

Nginx's access control module is installed by default and is very simple to use. There can be multiple allow and deny directives, which allow or forbid access from a given IP or IP range. For example:


location /nginx-status {
 stub_status on;
 access_log off;
# auth_basic  "NginxStatus";
# auth_basic_user_file  /usr/local/nginx-1.6/htpasswd;

 allow 192.168.10.100;
 allow 172.29.73.0/24;
 deny all;
}

We can also use htpasswd, a tool from httpd-devel, to set a login password for the access path.


This generates a password file encrypted with CRYPT by default. Uncomment the two auth_basic lines in the nginx-status block above and restart nginx for them to take effect.

2.3.2 list autoindex

By default, Nginx does not allow listing entire directories. To enable this, open the nginx.conf file and add autoindex on; to a location, server or http section. It is best to add the other two parameters as well:

autoindex_exact_size off;
The default is on, which shows the exact size of files in bytes. When changed to off, the approximate size is shown, in kB, MB or GB
autoindex_localtime on;
The default is off, and file times are displayed in GMT. When changed to on, file times are displayed in the server's local time
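A check that covers both 2.3.1 and 2.3.2, as an added example that is not part of the original article: a shell function that lists every location enabling stub_status or autoindex and reports whether access to it is actually restricted. The configuration, the function names and the paths /status-open, /files/ and /private/ are constructed for illustration. The check assumes un-nested location blocks and treats everything after # as a comment.

```shell
#!/bin/sh
# Added example, not from the original article. The configuration printed by
# sample_conf is constructed; only un-nested location blocks are handled.
sample_conf() {
cat <<'EOF'
server {
    location /nginx-status {
        stub_status on;
        # auth_basic "NginxStatus";
        # auth_basic_user_file /usr/local/nginx-1.6/htpasswd;
        allow 192.168.10.100;
        allow 172.29.73.0/24;
        deny all;
    }
    location /status-open
    {
        stub_status on;
        allow 192.168.10.100;   # allow with no "deny all" restricts nothing
        # auth_basic_user_file /usr/local/nginx-1.6/htpasswd;
    }
    location /files/ {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
    location /private/ {
        autoindex on;
        auth_basic "files";
        auth_basic_user_file /usr/local/nginx-1.6/htpasswd;
    }
    location / { proxy_pass http://backend; }
}
EOF
}

# audit_locations: read nginx configuration on stdin and print
# "<path> <feature> <restricted|open>" for each location that enables
# stub_status or autoindex. "restricted" requires an active (uncommented)
# "deny all;" or auth_basic_user_file directive inside that location.
audit_locations() {
  awk '
    { sub(/#.*/, ""); line = " " $0 }      # comments never count as directives
    !in_loc && $1 == "location" {
        path = ($2 == "=" || $2 == "~" || $2 == "~*" || $2 == "^~") ? $3 : $2
        sub(/[{]$/, "", path)
        in_loc = 1; opened = 0; depth = 0; feature = ""; guarded = 0
    }
    in_loc {
        if (line ~ /[ \t{;]stub_status[ \t;]/)          feature = "stub_status"
        if (line ~ /[ \t{;]autoindex[ \t]+on[ \t]*;/)   feature = "autoindex"
        if (line ~ /[ \t{;]deny[ \t]+all[ \t]*;/)       guarded = 1
        if (line ~ /[ \t{;]auth_basic_user_file[ \t]/)  guarded = 1
        n_open = gsub(/[{]/, "{"); n_close = gsub(/[}]/, "}")
        if (n_open) opened = 1
        depth += n_open - n_close
        if (opened && depth <= 0) {      # closing brace of this location reached
            if (feature != "") print path, feature, (guarded ? "restricted" : "open")
            in_loc = 0
        }
    }
  '
}

sample_conf | audit_locations
```

Against a real installation the input would be the configuration file itself, for example `audit_locations < /usr/local/nginx-1.6/conf/nginx.conf`.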



3. How to debug when adding nginx module?
Errors will inevitably occur when you add an nginx module yourself, so some debugging is necessary.
Running gdb nginx directly shows: No symbol table info available.

Add CFLAGS="-g -O0" when running ./configure.


And then:


make
make install

