Nginx服务配置管理

nginx日志备份：

cd /usr/local/nginx/logs
cat nginx.pid

yum whatprovides ./ab
yum install httpd-tools-2.4.6-45.el7.x86_64 -y
ab -c 1 -n 1000 http://172.25.37.1/index.htmlx.pid
du -sh access.log 
ab -c 1 -n 10000 http://172.25.37.1/index.htmlx.pid
du -sh access.log 
	2.0M	access.log
mv ./access.log `date +%F -d -1day`_access.log
/usr/local/nginx/sbin/nginx -s reopen 

脚本一键备份nginx日志

vim backup.sh
#!/bin/bash
LOGS_PATH=/usr/local/nginx/logs
OLD_LOG_PATH=/usr/local/nginx/logs/oldlogs
YESTERDAY=$(date +%F -d -1day)

mv $LOGS_PATH/access.log $OLD_LOG_PATH/${YESTERDAY}_access.log
mv $LOGS_PATH/error.log $OLD_LOG_PATH/${YESTERDAY}_error.log

#/usr/local/nginx/sbin/nginx -s reopen
kill -USR1 $(cat /usr/local/nginx/logs/nginx.pid) #USR1	re-opening log files
mkdir logs/oldlogs
chmod +x backup.sh

gzip压缩：

nginx官网
The ngx_http_gzip_module module is a filter that compresses （压缩）responses using the “gzip” method. This often helps to reduce the size of transmitted data（减小传输数据的大小到一半甚至更多） by half or even more.

vim nginx/conf/nginx.conf 
	gzip  on;
	gzip_min_length 1;#设置响应能被压缩的最小长度，小于1不压缩（长度取决于“Content-Length” response header field. ）
    gzip_comp_level 3; #压缩等级设为3（设置响应的压缩等级，可选范围1-9）
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript 	application/x-httpd-php image/jpeg image/gif image/png; #压缩文件类型
[root@server3 html]# cat /etc/passwd > index.html
[root@server3 html]# vim index.html
[root@server3 html]# du -sh index.html
168K	index.html
[root@server3 html]# systemctl restart nginx

index.html 数据压缩到2.41KB。

nginx访问控制

nginx

vim /usr/local/nginx/conf/nginx.conf
 limit_conn_zone $binary_remote_addr zone=addr:10m; #设置可分享的内存空间名为addr，大小为10M；
 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; #限制请求速率

events {
    worker_connections  65535;
}
#支持请求连接的个数


#/指的是/usr/local/nginx/html/
location / {
            root   html;  #发布目录/usr/local/nginx/html/
            set $limit_rate 50k;
            index  index.html index.htm; #发布页面
        }
#download值的是/usr/local/nginx/html/download
location /download {
            limit_conn addr 1; #限制连接数为1
            limit_rate 50k; #Limiting the Bindwidth限制带宽
            limit_req zone=one burst=5; #burst 处理过多请求
        }

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; #限制速率1s一次

limit_req_zone $binary_remote_addr zone=one:10m rate=2r/s;#限制速率2s一次
限制带宽
浏览器访问 http://172.25.37.1/download/vim.jpg，图片加载速度变慢

获取真实访问来源IP（客户端IP）

nginx官网 Module ngx_http_realip_module
ngx_http_realip_module用来改变客户端IP地址和端口。

This module is not built by default, it should be enabled with the --with-http_realip_module configuration parameter. 这个模块不是默认就有，需要使用 --with-http_realip_module 重新编译添加模块

./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module
make
cp ~/nginx-1.17.1/objs/nginx /usr/local/nginx/sbin/nginx
本机（server1）设置虚拟反向代理：
vim /usr/local/nginx/conf/nginx.conf
server {
        listen 80;
        server_name server1.example.com;
        set_real_ip_from 172.25.37.1;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        location /{
                return 200 "Client real IP: $remote_addr\n";
			}
 }

vim /etc/hosts
172.25.37.1 server1 server1.example.com

/usr/local/nginx/sbin/nginx -t #测试nginx.conf配置是否正确

[root@server1 nginx-1.17.1]# curl -H "X-Forwarded-For:2.2.2.2,172.25.37.1" server1.example.com
Client real ip: 2.2.2.2

在server3做反向代理：

[root@server3 ~]# cd /usr/local/nginx
[root@server3 nginx]# ls
client_body_temp  fastcgi_temp  logs        sbin       uwsgi_temp
conf              html          proxy_temp  scgi_temp
[root@server3 nginx]# vim conf/nginx.conf
[root@server3 nginx]# useradd nginx -s /sbin/nologin
[root@server3 nginx]# ./sbin/nginx 

修改server1：


 vim /usr/local/nginx/conf/nginx.conf
 echo server1 > /usr/local/nginx/html/index.html
 systemctl reload nginx
 cat /usr/local/nginx/logs/access.log #查看访问记录

客户端：

vim /etc/hosts
server3 www.westos.org

反向代理服务器server3，修改配置文件：
客户端访问www.westos.org,

修改nginx服务器server1配置文件：
反向代理设置为172.25.37.3；（真实IP获取于172.25.37.3）

客户端：

cat /usr/local/nginx/logs/access.log #server1上查看访问记录，
显示真实的客户端访问IP

若关闭真实IP地址循环，返回代理IP地址：

看到的是代理服务器的IP地址：

ngx_http_image_filter_module使图片变形的模块

[root@server1 nginx-1.17.1]# yum install gd-devel-2.0.35-26.el7.x86_64.rpm -y
[root@server1 nginx-1.17.1]# ./configure  --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-http_image_filter_module=dynamic
[root@server1 nginx-1.17.1]# make
[root@server1 nginx-1.17.1]# cp -fr ~/nginx-1.17.1/objs/nginx /usr/local/nginx/sbin/nginx
cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
[root@server1 nginx-1.17.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.17.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) 
configure arguments: --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-http_image_filter_module=dynamic

[root@server1 objs]# mkdir /usr/local/nginx/modules
[root@server1 objs]# cp ngx_http_image_filter_module.so /usr/local/nginx/module
[root@server1 objs]# vim /usr/local/nginx/conf/nginx.conf
	load_module modules/ngx_http_image_filter_module.so;

ngx_http_ssl_module

Module ngx_http_ssl_module

The ngx_http_ssl_module module provides the necessary support for HTTPS.

vim /usr/local/nginx/conf/nginx.conf
server {
            listen              443 ssl;
            server_name         www.westos.org;

            ssl_certificate     cert.pem;
            ssl_certificate_key cert.pem;   #Specifies a file with the secret key in the PEM format for the given virtual server. 
            ssl_ciphers HIGH:!aNULL:!MD5;   #Specifies the enabled ciphers.
            ssl_prefer_server_ciphers on;

        }

[root@server1 nginx]# mkdir /web
[root@server1 nginx]# echo www.westos.org > /web/index.html
[root@server1 nginx]# cd /etc/pki/tls/certs/ 
[root@server1 certs]# make cert.pem
[root@server1 certs]# ls
ca-bundle.crt        cert.pem         Makefile
ca-bundle.trust.crt  make-dummy-cert  renew-dummy-cert
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf/
[root@server1 html]# /usr/local/nginx/sbin/nginx -s reload
客户端：

vim /etc/hosts
172.25.37.1 server1 www.westos.org

make cert.pem 写ssl认证
### 盗链
客户端访问server3（daolian.westos.org）,server3使用的是server1的资源。

[root@server3 nginx]# vim conf/nginx.conf
	server {
	                listen 80;
	                server_name daolian.westos.org;
	                location / {
	                        root /web;
	                        index index.html;
	                        }
	        }

[root@server3 nginx]# mkdir /web
[root@server3 nginx]# vim /web/index.html
	<html>
	<body>
	<br>盗链图片</br>
	<img src="http://www.westos.org/download/daolian.jpg">
	</body>
	</html>

[root@server3 nginx]# vim /etc/hosts
	172.25.37.1 server1 www.westos.org
[root@server3 nginx]# /usr/local/nginx/sbin/nginx -s reload
客户端本地解析：

172.25.37.3 server3 daolian.westos.org

server3配置虚拟主机：

html页面，图片在server1的/usr/local/nginx/html/download/daolian.jpg
客户端访问daolian.westos.com