Nginx command

parameter

-? -h help -c Uses the specified configuration file. -g Specifies the configuration command -p specifies the running directory. -s Sends signals. Stop Stops the service immediately Test whether the configuration file has syntax errors -v / -v Displays the version information and compilation information of nginxCopy the code

Nginx start

/usr/local/nginx/sbin/nginx
Copy the code

Start by specifying a configuration file

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
Copy the code

Configuration file syntax check

#Check the default configuration file for syntax errors
/usr/local/nginx/sbin/nginx -t
#Check the specified configuration file syntax for errors
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf -t
Copy the code

Nginx configuration file interpretation


#user nobody; # set the user to run the worker process
worker_processes  1;    Configure the number of workder processes, usually set to the number of cpus or twice the number of cpus

#error_log logs/error.log; # Configure global logs and log levels -> DEBUG > INFO > Notice > WARN > Error > crit > Alert > emerg
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid; Configure the process PID file


Configure the working mode and connection number
events {
    worker_connections  1024;   Worker_processes * worker_connections = worker_processes * worker_connections
}


http {
    include       mime.types;   Configure which multimedia types nginx supports in conf/mime.types
    default_type  application/octet-stream;  # default type

    Configure the log format
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    Configure the access. Log log path and use the main log format defined above
    #access_log logs/access.log main;

    sendfile        on; Enable efficient file transfer mode
    #tcp_nopush on; Prevent network congestion

    #keepalive_timeout 0;
    keepalive_timeout  65;  # Long connection timeout, in seconds

    #gzip on; # Enable gzip compressed output

    Configure the virtual host
    server {
        listen       80;    Configure the listening port
        server_name  localhost; # configure domain name

        #charset koi8-r; Configure character set

        #access_log logs/host.access.log main; Set access_log for this virtual host. If not, use access_log globally

        Requests that match/by default, when there is a/in the access path, will be matched and processed by this location
        location / {
            root   html;    # root is the default site root location for the configuration server. The default is the HTML directory under the nginx installation directory
            index  index.html index.htm;    Configure the name of the default home page file
        }

        #error_page 404 /404.html; # configure the 404 page

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;    # Configure the 50X page
        
        # Match 50x.html exactly
        location = /50x.html {
            root   html;
        }

        All # PHP requests are forwarded to Apache for processing
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        # proxy_pass http://127.0.0.1;
        #}

        All # PHP requests are forwarded to FastCGI
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        # root html;
        # fastcgi_pass 127.0.0.1:9000;
        # fastcgi_index index.php;
        # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        # include fastcgi_params;
        #}

        Htaccess files
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        # deny all;
        #}
    }


    Configure another virtual host
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    # listen 8000;
    # listen somename:8080;
    # server_name somename alias another.alias;

    # location / {
    # root html;
    # index index.html index.htm;
    #}
    #}


    # configure HTTPS service (secure Network Transport protocol, encrypted transport)
    # HTTPS server
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;

    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;

    # ssl_ciphers HIGH:! aNULL:! MD5;
    # ssl_prefer_server_ciphers on;

    # location / {
    # root html;
    # index index.html index.htm;
    #}
    #}

}
Copy the code

Nginx built-in variables

$Uri Indicates the URI of the current request, without parameters
$Request_uri Specifies the URI of the request, with complete parameters
$Host The host header in the HTTP request packet. If it does not exist, it is replaced by the host name of the virtual host that processes the request
$Hostname Hostname of the host on which the nginx service runs
$Remote_addr Client IP address
$Remote_port Client port
$Remote_user User name entered by a client user during user authentication
$Request_filename The URI in the user request passes through the local root oraliasThe local file path mapped after the transformation
$Request_method Request methods, such as GET, POST, and PUT
$Server_addr Server ADDRESS
$Server_name Server name
$Server_port Server port
$Server_protocol Protocol used by the server to send responses to the client, for example, HTTP /1.1 HTTP /1.0
$Scheme uses scheme in a request, such as HTTP in http://xxx.com
$Http_HEADER Matches the HEADER specified in the request message
$Http_host Matches the host header in the request packet
$Document_root Root configuration file to which the current request is mapped
$Time_local Nginx time
$Request Request lines, methods such as GET, and HTTP
$Status Response Returned status code
$Body_bytes_sent Indicates the body size of the response from the server to the client
$Http_referer HTTP upper level page, anti-theft, used for user behavior analysis
$Http_user_agent HTTP header information and client access device information
$Http_x_forwarded_for HTTP Information carried in the request
Copy the code

Alias and root

location /hello {
    root /usr/local/nginx/html/myweb;
}
# actual request location is/usr/local/nginx/HTML/myweb/hello, spell/hello behind


location /hello {
    alias /usr/local/nginx/html/myweb;
}
# actual request location is/usr/local/nginx/HTML/myweb
Copy the code

The directory file browsing function is enabled

location / {
    autoindex on;
}
Copy the code

Autoindex Common parameter

Official document address nginx.org/en/docs/htt…

autoindex_exact_size off; The default is on, which displays the exact size of the file in bytes. Change to off to display the approximate size of the file in KB or MB or GB autoindex_localTime on; The default value is off, and the displayed file time is GMT. If the file time is changed to on, the file server time is displayed. charset utf-8/gbk; Default Chinese directory garble, add to solve garble.Copy the code

Enable directory browsing for the entire virtual host

location / {
    autoindex on;
    autoindex_localtime on;
    autoindex_exact_size off;
}
Copy the code

Individual directory Enables directory browsing

Direct Secondary directory Enable directory traffic

location /down/ {
    autoindex on;
    autoindex_localtime on;
    autoindex_exact_size off;
}
Copy the code

Virtual directory Enables directory browsing

location /down/ {
    alias /home/wwwroot/test/;
    autoindex on;
    autoindex_localtime on;
    autoindex_exact_size off;
}
Copy the code

Limit the speed at which Nginx can send responses to clients per second

location / {
    set $limit_rate 1k;
}
Copy the code

Log format

Official document address nginx.org/en/docs/htt…

Variables in nGIN X built-in modules or third-party modules can be configured to log. Main is the name of the log format, and you can name it yourself.

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
Copy the code

Logs and specifies the name of the log format to use

access_log  logs/access.log  main;
Copy the code

The reverse proxy

Official document address nginx.org/en/docs/str…

Tcp, U Layer 4 proxy

Configured at the same level as HTTP

worker_processes auto;

error_log /var/log/nginx/error.log info;

events {
    worker_connections  1024;
}

stream {
    upstream backend {
        hash $remote_addr consistent;

        server backend1.example.com:12345 weight=5;
        server 127.0.0.1:12345            max_fails=3 fail_timeout=30s;
        server unix:/tmp/backend3;
    }

    upstream dns {
       server 192.168.0.1:53535;
       server dns.example.com:53;
    }

    server {
        listen 12345;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass backend;
    }

    server {
        listen 127.0.0.1:53 udp reuseport;
        proxy_timeout 20s;
        proxy_pass dns;
    }

    server {
        listen[: :1] :12345;
        proxy_passunix:/tmp/stream.socket; }}Copy the code

The sample

stream {
    upstream mysql_server {
       server 192.168.101.40:3306;
    }

    server {
        listen 3340;
        proxy_connect_timeout 5s;
        proxy_timeout 10s;
        proxy_passmysql_server; }}Copy the code
Http layer 7 proxy

When we use the nginx reverse proxy, it is used to establish a connection with the reverse proxy server directly, and the reverse proxy establishes another connection with the upstream server, and when the upstream server wants to retrieve the user’s real information (such as $remote_ADDR), it gets the echo proxy’S IP.

Solutions:

The user is directly connected to the reverse proxy server, so we can get the real information of the user from the reverse proxy server. We write this information to the request header and send it to the upstream server, so that the upstream server can get the real information of the user

upstream myserver {
    server 127.0.0.1:8080;
}

location / {
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://myserver;
}
Copy the code
The reverse proxy can also be forwarded directly to the upstream server address using proxy_pass
location /admin {
    proxy_pass http://192.168.101.38:8080;
}
Copy the code

Flask Obtains the real IP address of the user

from flask import Flask, request, jsonify

app = Flask(__name__)


@app.route('/')
def index() :
    real_ip = request.headers.get('X-Forwarded-For')
    if real_ip:
        return jsonify({'ip': request.remote_addr, 'real_ip': real_ip})
    return jsonify({'ip': request.remote_addr})


if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')
Copy the code

Forward agent

server {
    listen 80;

    # dns
    resolver 233.5.5.5;
    location / {
        proxy_passhttp://$http_host$request_uri; }}Copy the code

Load balancing

Status of upstream servers in load balancing scheduling

state instructions
down The current server does not participate in load balancing temporarily
backup Reserved backup server
max_fails Number of failed requests from the current server
fail_timeout After max_FAILS, the service is suspended for some time
max_conns Limit the maximum number of connections

Other configurations of load balancing

upstream myserver {
    server 192.168.101.40:8080;
    server 192.168.101.41:8080;

    # backup indicates that the backup machine is requested only when all other non-backup machines are down
    server 192.168.101.42:8080 backup;
    # down Indicates that the current server node is down and does not participate in load balancing
    server 192.168.101.43:8080 down;
}
Copy the code
upstream myserver {
    # weight indicates the weight, which is used when the upstream server performance is uneven
    server 192.168.101.40:8080 weight=3;
    server 192.168.101.41:8080 weight=1;
}

location / {
    proxy_pass http://myserver;
}
Copy the code

Common load balancing policies

  1. Polling (default)

    Each request is assigned to a different upstream server in turn. If the upstream server fails, it is automatically removed

    upstream myserver {
    server 192.168.101.40:8080;
    server 192.168.101.41:8080;
}
Copy the code

  2. The weight

    Each request is sent to different upstream servers in a certain proportion. A larger weight value increases the access ratio, which is applicable to the scenario with uneven performance of upstream servers

     upstream myserver {
     server 192.168.101.40:8080 weight=2;
     server 192.168.101.41:8080 weight=1;
 }
Copy the code

  3. ip_hash

    Ip_hash is also called IP binding. Each request is assigned according to the hash value of the access. In this way, each client accessing the upstream server can access a fixed upstream server, which can solve the problem of Session loss.

    upstream myserver {
    ip_hash;
    server 192.168.101.40:8080;
    server 192.168.101.41:8080;
}
Copy the code

  4. The minimum connection

    Requests are forwarded to the server with the fewest connections

    upstream myserver {
    least_conn;
    server 192.168.101.40:8080;
    server 192.168.101.41:8080;
}
Copy the code

  5. url_hash

    Requests are allocated based on the hash result of the URL accessed so that each URL is directed to the same backend server

    upstream myserver {
    hash $request_uri;
    server 192.168.101.40:8080;
    server 192.168.101.41:8080;
}
Copy the code

Dynamic and static separation

Static resource requests are processed by NGINx, and dynamic requests are forwarded by NGINx to upstream servers for processing

Implementing static proxies

When accessing static resources from/usr/local/nginx/HTML/static directory access

Based on static resource suffix matching

location ~ .*\.(js|css|htm|html|gif|jpg|jpeg|png|bmp|swf|ico|rar|zip|txt)$ {
    root /usr/local/nginx/html/static;
}
Copy the code

~ indicates a regular match

. The first dot represents any character

\. Represents the escape character, the. Escape to original.

| said or mean

$indicates the end

Based on static file directory matching

location ~ .*/(css/js/img/image){
    root /usr/local/nginx/html/static;
}
Copy the code

Virtual host

Nginx can configure multiple virtual hosts to deploy multiple web sites by configuring multiple server tags.

You can configure multiple virtual hosts by configuring different ports.

You can also configure virtual hosts by using the same port and different domain names.

Use the cache

There are two kinds of user requests, one is static and the other is dynamic. When different users access the same URL, they see different contents, which is a dynamic request and needs to be processed by the upstream server. Some resources will not be changed for a period of time. We can have Nginx cache the content returned by the upstream server for a period of time, such as a day. If the upstream server’s response to the content changes during the day, it will not be handled by the upstream server. It will only fetch the content from the Nginx cache to the browser. Because nginx’s performance is far ahead of that of upstream servers, using such a feature can provide a significant performance boost for small sites.

proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=mycache:10m max_size=10g inactive=60m use_temp_path=off;
Copy the code

Use the cache

location / {
    proxy_cache mycache;
    proxy_cache_key $host$uri$is_args$args;
    proxy_cache_valid 200 304 302 1d;
}
Copy the code

GoAccess Starts monitoring Access logs in real time

Copy the code

Nginx process structure

  • The Master process
  • Worker processes
  • The Cache manager process
  • Cache loader process

Description:

The number of worker processes is usually set to the number of cpus.

Process structure description:

Master is a parent process that has many child processes Worker, Cache Manager, and Cache Loader

Master is mainly used for the management of Worker processes (monitoring whether each Worker process is working normally, whether it needs to do heavy configuration, whether it needs to do hot deployment, etc.). It is the Worker process that is really used to process requests

The Cache loader is used to load the Cache.

Cache Manager is used to manage the Cache.

Nginx process Management: Signals

- Master process - Monitor worker process - CHLD - Manage worker process - Receive signals - TERM, Int-quit-hup - USR1 - USR2 - winch-worker process - receiving signals - TERM, Int-quit-usr1 -winch-nginx -reload -> HUP - reopen -> usr1-stop -> term-quit -> QUITCopy the code

Send a signal

Kill -hup Indicates the ID of a processCopy the code

Nginx performs the reload process

1. Send HUP signal (reload command) to the master process 2. Verify that the configuration syntax is correct 3 5. The master process sends QUIT to the old worker child process. The old worker process closes the listener handle and terminates the process after processing the current connectionCopy the code

Nginx hot upgrade process

1. Replace the old nginx file with the new nginx file (note the backup) 2. Send USR2 signals to the master process 3. The master process changes the PID file name and adds the suffix. Oldbin 4. Send the QUIT signal to the old master process to stop the old master process 6. Rollback: Send HUP to the old master and QUIT to the new masterCopy the code

Worker processes: Gracefully shut down (mostly for HTTP requests)

1. Set the worker_shutdown_timeout 2 timer. Close listener handle 3. Close idle connections 4. Wait in the loop until all connections are closed 5. Withdraw from the processCopy the code

Nginx access restriction

Connection limits limit_conn_module

# HTTP module configuration
limit_conn_zone $binary_remote_addr zone=conn_zone:10m;

Allow only one client IP to connect at a time
location / {
    limit_conn conn_zone 1; 	
}
Copy the code

Request limits limit_REq_module

# HTTP module configuration, rate limits the rate of processing a maximum of one IP request per second
limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s

# location module configuration, 1r/s directly receive a request, surplus directly processing
location / {
    limit_req zone=req_zone;
}

# Location module configuration, requests over 1r/s, the rest will be deferred
location / {
    limit_req zone=req_zone burst=3 nodelay;
}
Copy the code
# Stress testAb-n 50-c 20 Page addressCopy the code

Ip-based access control http_access_module

Official document address nginx.org/en/docs/htt…

Allow configuration syntax

Syntax:	allow address | CIDR | unix: | all;
Default:	—
Context:	http, server, location, limit_except
Copy the code

Reject configuration syntax

Syntax:	deny address | CIDR | unix: | all;
Default:	—
Context:	http, server, location, limit_except
Copy the code

Deny one IP address and allow all others

location / {
    root /home/wwwroot/web;
    index index.html;
    deny 192.168.10.18;
    allow all;
}
Copy the code

If one IP address is allowed and all others are denied, configure the permit first and write deny all after it.

Authentication based on user login http_auth_basic_module

Official document address nginx.org/en/docs/htt…

The configuration syntax

Syntax:	auth_basic string | off;
Default:	
auth_basic off;
Context:	http, server, location, limit_except
Copy the code

User password configuration file

Syntax:	auth_basic_user_file file;
Default:	—
Context:	http, server, location, limit_except
Copy the code
yum -y install httpd-tools
Copy the code

Htpasswd grammar

Usage: htpasswd [-cimBdpsDv] [-C cost] passwordfile username htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password Htpasswd -n[imBdps] [-c cost] username htpasswd -nb[mBdps] [-c cost] username password Parameter Description -c Creates passwdfile. If the passwdfile already exists, the password will be written and deleted. -n Does not update the passwordfile. -d Uses the CRYPT algorithm to encrypt passwords. -p Does not encrypt passwords, that is, passwords in plain text format. -s Uses the SHA algorithm to encrypt passwords. -d deletes the specified user without interactionCopy the code

The sample

# htpasswd create user users - cb/usr/local/nginx/conf/htpasswd wanghaha 123456 # delete user htpasswd -d/usr/local/nginx/conf/htpasswd wanghahaCopy the code
location / {
    auth_basic           "closed site";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
Copy the code

Gzip compression

# open gzip
gzip off;

# Minimum files to enable gzip compression, files smaller than the set value will not be compressed
gzip_min_length 1k;

# gzip compression level, 1-9, the higher the compression, the more CPU time, more details later
gzip_comp_level 1;

The type of file to compress. Javascript comes in many forms. The values can be found in the mime.types file.
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;

Whether to add Vary: accept-encoding to the HTTP header is recommended
gzip_vary on;

# Disable IE 6 gzip
gzip_disable "MSIE [1-6]\.";

Set the size of the buffer required for compression
gzip_buffers 32 4k;

Set the HTTP protocol version for gzip compression
gzip_http_version 1.0;
Copy the code

rewrite

The regular test tool pcretest

yum -y install pcre-tools
Copy the code

Grammar:

/ Write the regular expression/in between

/ root @ localhost ~ # pcretest interactively PCRE version 8.32 2012-11-30 re > / ^ (\ d {3}) \. (\ d {1, 3}) \. (\ d {1, 3}) \. (\ d {1, 3}) $/ data > 192.168.101.1 0: 192.168.101.1 1: 192 2:168 3: 101 4:1Copy the code

Rewrite tag flag

flag instructions
last Stop rewriting detection
break Stop rewriting detection
redirect Return 302 temporary redirect, the address bar will display the redirect address
permanent Returns 301 permanent redirect, and the address bar displays the redirected address 
Copy the code

Browser cache

# nginx time unit
msMilliseconds s seconds m minutes h hours d days w weeks m months30 days
y   years, 365 days
Copy the code
Page cache for 20 days
location / {
    expires 20d;
}
Copy the code

Cross domain access

location ~ .*\.(html|htm)$ {
    add_headerAccess-control-allow-origin http://your domain.com;add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
}
Copy the code

Static resources prevent theft

Only specified server IP addresses (or domain names) are allowed to access static resources

location \ .*\.(jpg|gif|png)$ {
    valid_referers none blocked 192.168.101.40;
    if($invalid_referer) {
        return 403; }}Copy the code