1. Nginx load balancing
Load balancing means the proxy server distributes the requests it receives evenly across the backend servers.
- Use dig to resolve the domain name to its IP addresses
[root@localhost ~]# yum install bind-utils
[root@localhost ~]# dig qq.com
- Write the load-balancing configuration
upstream qq # name of the upstream block; any name will do
{
    ip_hash; # keep requests from the same client on the same backend
    server 61.135.157.156:80; # backend web server to proxy to (resolved with dig above)
    server 125.39.240.113:80; # backend web server to proxy to (resolved with dig above)
}
server
{
    listen 80;
    server_name nginx.example.com; # placeholder: this Nginx host's own domain name
    location /
    {
        proxy_pass http://qq; # the upstream block name defined above
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
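The two proxy_set_header lines above tell the backend who the real client was. As an added example (not part of the original notes), this Python function shows how a backend should read that header: it trusts only hops from a constructed list of our own proxy networks, because the left part of X-Forwarded-For is whatever the client chose to send.

```python
from ipaddress import ip_address, ip_network

# Constructed: networks our own nginx proxies connect from. Only these hops are
# trusted to have appended an honest entry to X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of our proxies; junk strings are untrusted."""
    try:
        return any(ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def client_ip(headers: dict, peer_addr: str) -> str:
    """Address to log or rate-limit for a request that arrived from peer_addr.

    $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
    the client already sent, so a forged header reaches the backend as
    "<client-chosen value>, <address nginx actually saw>". Walk the list from the
    right, skip our own proxies, and stop at the first address we did not add.
    X-Real-IP is replaced by nginx with $remote_addr, so from a trusted peer it
    equals that rightmost entry; it is not consulted here.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr        # did not come through our proxy: ignore the header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue            # an internal proxy hop, keep walking left
        try:
            return str(ip_address(hop))   # normalised; junk such as "evil" is rejected
        except ValueError:
            break
    return peer_addr            # header empty or unusable: fall back to the proxy
```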
2. How SSL works
- The browser sends an HTTPS request to the server;
- The server must have a digital certificate, either self-made or requested from an organisation. The difference is that a self-issued certificate must be accepted by the client before access can continue, while a certificate requested from a trusted company pops up no warning page. The certificate is essentially a public/private key pair;
- The server sends the public key to the client;
- The client (browser) checks whether the received public key is valid. If it is not, a warning is shown; if it is, the client generates a random string and encrypts it with the public key;
- The client sends the encrypted random string to the server;
- The server decrypts it with its private key (public-key encryption, private-key decryption) to obtain the random string, and then uses that string to encrypt the data it transmits. This is symmetric encryption: the data and the key (the random string) are combined by some algorithm, so that nobody can recover the data without knowing the key;
- The server sends the encrypted data to the client;
- The client receives the data and decrypts it with its own copy of the key, that same random string.
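As an added illustration (not part of the original notes), the exchange above as a toy Python model: textbook RSA with constructed tiny primes stands in for the certificate's key pair, a SHA-256 keystream stands in for the symmetric cipher, and certificate validation (step 4) is skipped. None of it is secure; it only makes the steps visible.

```python
import hashlib
import os

# Constructed toy key pair: textbook RSA with tiny primes so every number is
# visible. A real certificate carries a 2048-bit key; this is illustration only.
P, Q = 61, 53
N, E = P * Q, 17                   # public key (N, E): what the certificate carries
D = pow(E, -1, (P - 1) * (Q - 1))  # private key: stays on the server

def server_public_key():
    """Step 3: the server hands its public key to the client."""
    return (N, E)

def client_hello(pub, rng=os.urandom):
    """Steps 4-5: the client draws a random secret and encrypts it with the
    public key. (Certificate validation would happen first; skipped here.)"""
    n, e = pub
    secret = int.from_bytes(rng(2), "big") % (n - 2) + 1   # 1 <= secret < n
    return secret, pow(secret, e, n)

def server_recover_secret(encrypted):
    """Step 6: only the holder of the private key can undo the encryption."""
    return pow(encrypted, D, N)

def symmetric(secret, data):
    """Steps 6-8: the shared random number now keys a symmetric cipher, here XOR
    with a SHA-256 keystream. The same call encrypts and decrypts."""
    key = str(secret).encode()
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_exchange(payload, rng=os.urandom):
    """Drive both sides of the handshake and return what each ended up with."""
    client_secret, blob = client_hello(server_public_key(), rng)
    server_secret = server_recover_secret(blob)        # never sent in the clear
    ciphertext = symmetric(server_secret, payload)     # step 7: server -> client
    return {"client_secret": client_secret, "server_secret": server_secret,
            "ciphertext": ciphertext, "plaintext": symmetric(client_secret, ciphertext)}

if __name__ == "__main__":
    print(run_exchange(b"GET / HTTP/1.1"))
```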
3. Generating an SSL key pair
- Use the openssl tool to generate the key pair
[root@localhost ~]# yum install -y openssl
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -des3 -out test.key 2048
This step requires a passphrase for the test private key; the next command converts the key and removes the passphrase:
[root@localhost conf]# openssl rsa -in test.key -out test.com.key
-in names the key to convert, -out the converted key.
[root@localhost conf]# rm -fr test.key
Delete the old passphrase-protected key.
[root@localhost conf]# openssl req -new -key test.com.key -out test.com.csr
Generate the certificate signing request; it is combined with the private key to produce the public certificate file. The request records the country, region, company name and similar details.
[root@localhost conf]# openssl x509 -req -days 365 -in test.com.csr -signkey test.com.key -out test.com.crt
Feed in the private key and the request file to produce the .crt file containing the public key.
4. Configuring SSL in Nginx
- Create a virtual host configuration file for SSL
[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
Add the following:
server
{
    listen 443;
    server_name testssl.com;
    index index.html index.php;
    root /data/www/testssl.com;
    ssl on;
    ssl_certificate test.com.crt;
    ssl_certificate_key test.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@localhost conf]# mkdir /data/www/testssl.com
[root@localhost conf]# echo "this is ssl" > /data/www/testssl.com/index.html
- Check the configuration file and reload nginx
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
An error appears: the ssl directive is not recognised, because nginx was compiled without the SSL module. Nginx has to be rebuilt.
[root@localhost ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
configure arguments: --prefix=/usr/local/nginx
[root@localhost ~]# cd /usr/local/src/nginx-1.12.1/
[root@localhost nginx-1.12.1]# ./configure --help|grep ssl
[root@localhost nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.12.1]# make && make install
Rebuild nginx with support for the SSL module.
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
[root@localhost ~]# /etc/init.d/nginx restart
[root@localhost ~]# netstat -lntp
Check the configuration again, restart nginx, and confirm that port 443 is listening.
[root@localhost ~]# iptables -F
Flush the firewall rules.
5. php-fpm pools
When you list php-fpm processes with ps aux, the right-hand column shows which pool each process belongs to. One pool can serve several sites, but when the PHP processes of that pool are exhausted, every other site in the pool starts returning 502 errors. The fix is to give each site its own isolated pool, configured in /usr/local/php-fpm/etc/php-fpm.conf.
- Edit the php-fpm configuration file
In the [global] section add:
include = etc/php-fpm.d/*.conf
[root@localhost ~]# mkdir /usr/local/php-fpm/etc/php-fpm.d/
[root@localhost ~]# cd /usr/local/php-fpm/etc/php-fpm.d/
[root@localhost php-fpm.d]# vim www.conf
[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@localhost php-fpm.d]# vim test.com.conf
[test.com]
listen = /tmp/test.com.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
The socket path in listen must match the socket path the site's nginx configuration actually uses.
- Check the configuration for errors
[root@localhost php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[root@localhost php-fpm.d]# /etc/init.d/php-fpm restart
6. php-fpm slow log
- Configure the slow log
[root@localhost php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/test.com.conf
Add the following:
request_slowlog_timeout = 2
slowlog = /usr/local/php-fpm/var/log/www-slow.log
- Check the configuration for errors
[root@localhost php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[root@localhost php-fpm.d]# /etc/init.d/php-fpm restart
[root@localhost php-fpm.d]# cat /usr/local/php-fpm/var/log/www-slow.log
7. open_basedir
Under nginx, php-fpm's open_basedir feature can also be used to isolate virtual hosts from one another and improve security.
open_basedir can be set in two places: in php.ini or in the virtual host's pool configuration file. Setting it in php.ini is inflexible, so it is normally set in the pool configuration.
The authtest.com virtual host is used as the example below.
// Edit authtest.conf
[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
// Add the line below. The basedir must be defined correctly, otherwise the site breaks; this is demonstrated below.
php_admin_value[open_basedir]=/usr/local/nginx/html/authtest.com:/tmp/
[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 04:25:11] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
// At this point access works normally
[root@localhost php-fpm]# curl authtest.com/sleep.php
test slow logdone
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
// If the basedir is wrong: here the fault is provoked by changing authtest.com to bbb.com
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/
[root@localhost php-fpm]# curl authtest.com/sleep.php
No input file specified.
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 08:34:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
To locate the cause, enable PHP's error log.
[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php.ini
// In production keep display_errors off; enable it while debugging to see errors directly in the browser
display_errors = Off
// Set where error_log is written
error_log = /usr/local/php-fpm/var/log/error.log
// Log all error levels
error_reporting = E_ALL
// Set the permissions of /usr/local/php-fpm/var/log/error.log to 666
// Test
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 09:59:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
// The log shows clearly that the open_basedir restriction took effect: the authtest.com path is not within the allowed paths
[06-Jul-2018 09:57:25 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/nginx/html/authtest.com/sleep.php) is not within the allowed path(s): (/usr/local/nginx/html/bbb.com:/tmp/) in Unknown on line 0
[06-Jul-2018 09:57:25 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[06-Jul-2018 09:59:45 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/nginx/html/authtest.com/sleep.php) is not within the allowed path(s): (/usr/local/nginx/html/bbb.com:/tmp/) in Unknown on line 0
[06-Jul-2018 09:59:45 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
// Note: /usr/local/php-fpm/var/log/error.log needs mode 666 or more permissive; otherwise the test returns 403 Forbidden instead
// Log:
[06-Jul-2018 09:38:12 UTC] PHP Deprecated: Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
[06-Jul-2018 09:38:26 UTC] PHP Deprecated: Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
8. php-fpm process management
- php-fpm configuration file
The following settings in the configuration file govern the php-fpm processes:
pm = dynamic //dynamic process management; static is the other option
pm.max_children = 50 //maximum number of child processes; count them with ps aux
pm.start_servers = 20 //number of child processes started together with the service
pm.min_spare_servers = 5 //minimum number of idle children; when the idle count falls to this value php-fpm forks new children.
pm.max_spare_servers = 35 //maximum number of idle children; above this value idle children are cleaned up.
pm.max_requests = 500 //maximum number of requests one child handles; a child that has served this many requests exits.
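As an added check (not from the original notes) covering sections 5, 7 and 8: a Python linter for php-fpm pool files that catches the two failure modes shown above, the 404 "No input file specified" from an open_basedir that does not cover the site's document root, and the pm value ordering that php-fpm -t rejects. The pool text, site roots and function names are constructed for this illustration; path_allowed also mirrors PHP's prefix matching, which is why an entry without a trailing slash admits sibling directories with the same prefix.

```python
# Constructed pools (not the page's own files): pool 1 repeats the wrong
# open_basedir from section 7, pool 2 sets pm.start_servers > pm.max_spare_servers.
POOLS = """\
[authtest]
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/
[test.com]
pm = dynamic
pm.max_children = 50
pm.start_servers = 40
pm.min_spare_servers = 5
pm.max_spare_servers = 35
"""
# Document root of the matching nginx vhost (constructed), keyed by pool name.
SITE_ROOTS = {"authtest": "/usr/local/nginx/html/authtest.com"}
def parse_pools(text):
    """Minimal parser for [pool] sections of key = value lines."""
    pools, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = pools.setdefault(line[1:-1], {})
        elif line and line[0] not in ";#" and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return pools

def path_allowed(path, open_basedir):
    """PHP matches entries by prefix: '/x/a' also admits '/x/abc'; end with '/' to mean exactly that directory."""
    return any(path.startswith(p) for p in open_basedir.split(":") if p)

def lint_pools(text, site_roots):
    """Return the problems found; an empty list means the pools look consistent."""
    problems = []
    for name, cfg in parse_pools(text).items():
        if cfg.get("pm") == "dynamic":   # the ordering rules php-fpm -t enforces
            mn, st, mx, mc = (int(cfg.get("pm." + k, 0)) for k in
                ("min_spare_servers", "start_servers", "max_spare_servers", "max_children"))
            st = st or mn + (mx - mn) // 2   # php-fpm's default when start_servers is unset
            if not (0 < mn <= st <= mx <= mc):
                problems.append(f"{name}: need min_spare <= start <= max_spare <= max_children")
        ob, root = cfg.get("php_admin_value[open_basedir]"), site_roots.get(name)
        if ob and root and not path_allowed(root + "/", ob):
            problems.append(f"{name}: open_basedir {ob} does not cover {root}")
    return problems
```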
9. Further reading
SSL:
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ca.md
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ssl.md
Load balancing:
https://coding.net/u/aminglinux/p/nginx/git/blob/master/proxy/lb.md
Analysis of nginx balancing algorithms: https://blog.whsir.com/post-1482.html
root and alias:
http://www.ttlsa.com/nginx/nginx-root_alias-file-path-configuration/