The introduction and practice of nginx


Website service

Presumably most of us first come into contact with the Internet by visiting websites. The website service we usually visit is the Web service, which generally refers to a service that lets users access resources on the Internet through a browser.

A Web service is a passive access service program: it responds only after receiving a request from another host on the Internet, and the web server providing the service sends the requested content back to the user over HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP over an encrypted SSL/TLS connection).
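Because this exchange is plain text, the request a browser sends before the server responds can be sketched literally (an illustrative shell sketch; the path and the host example.com are placeholder values):

```shell
# Print the raw text of a minimal HTTP/1.1 request, exactly as a browser
# or curl would send it to a web server before the server responds.
printf 'GET /index.html HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n'
```

The server's reply has the same shape in reverse: a status line, headers, a blank line, then the requested content.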

At present, the programs that can provide Web services include IIS, Nginx and Apache. Among them, IIS (Internet Information Services) is the default Web service program on Windows systems.

On October 4, 2004, Nginx, a Web service program developed for a well-known Russian portal site, was first released. As lightweight website service software, Nginx quickly captured server market share thanks to its stability and rich feature set. Nginx is best known, however, for its low consumption of system resources and strong concurrency, which is why it is favored by major Chinese portals such as Sina, Netease and Tencent.

The relationship between web server and web framework

Web server (nginx, apache, lighttpd, IIS): receives an HTTP request (for example, for www.python.cn/xiaocang.jpg) and returns data; the web server itself does not deal with the database.

Web framework (django, flask, tornado, sanic): develops the web application and processes the received data.


What is nginx

nginx is an open-source, high-performance, high-concurrency www service and proxy service software. It was developed by the Russian Igor Sysoev, who released the source code for use worldwide.
nginx performs much better than its elder brother apache: it consumes fewer system resources, supports more concurrent connections, and achieves higher access efficiency.
nginx is not only an excellent web server, it can also act as a reverse proxy, load balancer, and caching service.
Its installation is simple, convenient and flexible.
In short, nginx is very powerful.

nginx talking points for interviews

Supports high concurrency: tens of thousands of concurrent connections
Low resource consumption: under 30000 concurrent connections, 10 nginx worker processes consume less than 200M of memory
Can act as an http reverse proxy and load balancer
Supports epoll, an asynchronous network I/O event model

Why nginx

1. Low memory use and strong concurrency
2. Good at serving static files
3. Baidu, JD, Sina, Netease, Tencent and Taobao all use nginx
4. A machine has only one port 80; what if we want to run multiple web services on it?
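One answer to question 4 is name-based virtual hosting: several server blocks can listen on the same port 80 and be told apart by server_name. A minimal sketch (the domain names and root paths here are made-up placeholder values):

```nginx
# Two sites sharing port 80, selected by the Host header of each request
# (site1/site2 names and /opt/... paths are hypothetical)
server {
    listen 80;
    server_name site1.example.com;
    root /opt/site1/html;
}
server {
    listen 80;
    server_name site2.example.com;
    root /opt/site2/html;
}
```

nginx picks the server block whose server_name matches the request's Host header, so one machine and one port can serve many sites.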


Tengine is a Web server project initiated by Taobao. On the basis of Nginx, it adds many advanced functions and features to meet the needs of high-traffic websites. Tengine's performance and stability have been well tested on large websites such as Taobao and Tmall. Its ultimate goal is to build an efficient, stable, secure and easy-to-use Web platform.

Installation environment preparation

Install the dependency libraries nginx needs:

yum install -y gcc patch libffi-devel python-devel zlib-devel bzip2-devel openssl openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel

1. gcc
To install nginx you compile the source code downloaded from the official website, and compilation depends on the gcc environment. If gcc is missing, install it:
yum install gcc-c++

2. pcre and pcre-devel
PCRE (Perl Compatible Regular Expressions) is a library of perl-compatible regular expressions. The http module of nginx uses pcre to parse regular expressions, so the pcre library must be installed on linux. pcre-devel is the development library built on top of pcre; nginx needs it as well.
yum install -y pcre pcre-devel

3. zlib
The zlib library provides many compression and decompression routines. nginx uses zlib to gzip the body of http responses, so zlib must be installed on CentOS.
yum install -y zlib zlib-devel

4. OpenSSL
OpenSSL is a powerful secure sockets layer cryptographic library that includes the main cryptographic algorithms, common key and certificate management functions and the SSL protocol, and ships with a wealth of applications for testing and other purposes. nginx supports not only http but also https (http transmitted over the ssl protocol), so the OpenSSL library must be installed on CentOS.
yum install -y openssl openssl-devel

Compile and install, start nginx

1. Download the source package
wget -c
2. Unpack the source
tar -zxvf nginx-1.9.6.tar.gz
3. Configure (enabling the nginx status-monitoring module), then compile and install
./configure --prefix=/opt/nginx196/ --with-http_ssl_module --with-http_stub_status_module
make && make install
4. Start nginx: enter the sbin directory, where the nginx command lives
cd sbin
./nginx           # start
./nginx -s stop   # stop
./nginx -s reload # graceful reload: after modifying nginx.conf, load the new configuration without restarting the service


configure parameter of nginx
The following are the configure parameters of the nginx source program:

--prefix=                        points to the installation directory.
--sbin-path=                     specifies where the executable file is placed.
--modules-path=                  specifies the storage path for third-party modules.
--conf-path=                     specifies the location of the configuration file.
--error-log-path=                specifies the error log location.
--pid-path=                      specifies the pid file location.
--lock-path=                     specifies the location of the lock file.
--user=                          specifies the unprivileged user the program runs as.
--group=                         specifies the unprivileged group the program runs as.
--builddir=                      points to the build directory.
--with-rtsig_module              enables rtsig module support.
--with-select_module             enables select module support, a polling method not recommended in high-concurrency environments. Disable with --without-select_module.
--with-poll_module               enables poll module support; same role as select, likewise not recommended under high concurrency.
--with-threads                   enables thread pool support.
--with-file-aio                  enables file AIO support.
--with-http_ssl_module           enables https support.
--with-http_v2_module            enables HTTP/2 support.
--with-ipv6                      enables ipv6 support.
--with-http_realip_module        allows obtaining the client's ip address from the request header; off by default.
--with-http_addition_module      enables ngx_http_addition_module support (an output filter that appends content to responses).
--with-http_xslt_module          enables ngx_http_xslt_module support: filters and transforms XML responses.
--with-http_image_filter_module  enables ngx_http_image_filter_module support, a filter that transforms JPEG/GIF/PNG images. Not enabled by default; requires the gd library.
--with-http_geoip_module         enables ngx_http_geoip_module support: creates variables by matching the client IP address against the MaxMind GeoIP binary database.
--with-http_sub_module           enables ngx_http_sub_module support, allowing some text in the nginx response to be replaced with other text.
--with-http_dav_module           enables ngx_http_dav_module support, adding the PUT, DELETE, MKCOL (create collection), COPY and MOVE methods; off by default, must be enabled at compile time.
--with-http_flv_module           enables ngx_http_flv_module support, providing time-based offsets into FLV files.
--with-http_mp4_module           enables ngx_http_mp4_module support for mp4 video files.
--with-http_gzip_static_module   enables ngx_http_gzip_static_module support for serving precompressed files.
--with-http_random_index_module  enables ngx_http_random_index_module support: picks a random file in a directory as the directory index.
--with-http_secure_link_module   enables ngx_http_secure_link_module support: computes and checks required secure link URLs.
--with-http_degradation_module   enables ngx_http_degradation_module support: allows returning a 204 or 444 code when memory is low.
--with-http_stub_status_module   enables ngx_http_stub_status_module: the nginx status page.
--without-http_charset_module    disables ngx_http_charset_module, which converts between character sets (to or from UTF-8), server-to-client only, and only for single-byte charsets.
--without-http_gzip_module       disables ngx_http_gzip_module, which compresses responses on the fly.
--without-http_ssi_module        disables ngx_http_ssi_module, a filter that processes server side includes (SSI) on the input side.
--without-http_userid_module     disables ngx_http_userid_module, which sets cookies used to identify returning clients.
--without-http_access_module     disables ngx_http_access_module, which provides access control based on the host ip address.
--without-http_auth_basic_module disables ngx_http_auth_basic_module, which protects a site or part of its content with user name and password authentication.
--without-http_autoindex_module  disables ngx_http_autoindex_module, which automatically generates a directory listing when ngx_http_index_module finds no index file.
--without-http_geo_module        disables ngx_http_geo_module, which creates variables that depend on the client ip.
--without-http_map_module        disables ngx_http_map_module, which sets configuration variables from arbitrary key/value pairs.
--without-http_split_clients_module disables ngx_http_split_clients_module, which partitions users based on ip address, header and cookies.
--without-http_referer_module    disables ngx_http_referer_module, which filters requests whose header carries an incorrect Referer value.
--without-http_rewrite_module    disables ngx_http_rewrite_module. The module allows changing URIs with regular expressions and branching configuration based on variables. Rules set at the server level run before the location is selected; if the location contains further rewrite rules, those are still executed. If a location's rules rewrite the URI, the location is selected again for the new URI; this loop runs at most 10 times, after which a 500 error is returned.
--without-http_proxy_module      disables ngx_http_proxy_module, the http proxy function.
--without-http_fastcgi_module    disables ngx_http_fastcgi_module, which lets nginx interact with fastcgi processes and control their work by passing parameters.
--without-http_uwsgi_module      disables ngx_http_uwsgi_module, which speaks the uwsgi protocol to uwsgi servers.
--without-http_scgi_module       disables ngx_http_scgi_module; like fastcgi, SCGI is an interface standard between applications and http servers.
--without-http_memcached_module  disables ngx_http_memcached_module, which provides simple caching to improve system efficiency.
--without-http_limit_conn_module disables ngx_http_limit_conn_module, which limits the number of concurrent connections per session according to conditions.
--without-http_limit_req_module  disables ngx_http_limit_req_module, which limits the request rate for an address.
--without-http_empty_gif_module  disables ngx_http_empty_gif_module. The module keeps a 1x1 transparent GIF resident in memory that can be served very quickly.
--without-http_browser_module    disables ngx_http_browser_module, which creates values that depend on the request header: $modern_browser is set to the modern_browser_value if the browser is modern; $ancient_browser is set to the value assigned by the ancient_browser_value directive if the browser is old; $msie equals 1 if the browser is MSIE.
--without-http_upstream_ip_hash_module disables ngx_http_upstream_ip_hash_module, used for simple load balancing.
--with-http_perl_module          enables ngx_http_perl_module support, letting nginx call perl directly or through SSI.
--with-perl_modules_path=        sets the perl module path.
--with-perl=                     sets the path to the perl binary.
--http-log-path=                 sets the access log path.
--http-client-body-temp-path=    sets the temporary file path for http client request bodies.
--http-proxy-temp-path=          sets the http proxy temporary file path.
--http-fastcgi-temp-path=        sets the http fastcgi temporary file path.
--http-uwsgi-temp-path=          sets the http uwsgi temporary file path.
--http-scgi-temp-path=           sets the http scgi temporary file path.
--without-http                   disables the http server.
--without-http-cache             disables http caching.
--with-mail                      enables the POP3, IMAP4 and SMTP proxy modules.
--with-mail_ssl_module           enables ngx_mail_ssl_module support.
--without-mail_pop3_module       disables the pop3 protocol.
--without-mail_imap_module       disables the imap protocol.
--without-mail_smtp_module       disables the smtp protocol.
--with-google_perftools_module   enables ngx_google_perftools_module support for debugging; can be used to analyse program performance bottlenecks.
--with-cpp_test_module           enables ngx_cpp_test_module support.
--add-module=                    specifies the path of an external module, enabling support for it.
--with-cc=                       points to the C compiler.
--with-cpp=                      points to the C preprocessor.
--with-cc-opt=                   sets C compiler options; if needed, specify --with-cc-opt="-I /usr/local/include". If the select() function is used, the number of file descriptors must also be specified: --with-cc-opt="-D FD_SETSIZE=2048". (PCRE library)
--with-ld-opt=                   sets linker options; if needed, specify --with-ld-opt="-L /usr/local/lib". (PCRE library)
--with-cpu-opt=                  specifies the CPU type to compile for, e.g. pentium, pentiumpro, ... amd64, ppc64.
--without-pcre                   disables the pcre library.
--with-pcre                      enables the pcre library.
--with-pcre=                     points to the pcre library source directory.
--with-pcre-opt=                 sets additional compile-time options for pcre.
--with-md5=                      points to the MD5 library directory.
--with-md5-opt=                  sets additional compile-time options for the MD5 library.
--with-md5-asm                   uses the MD5 assembly sources.
--with-sha1=                     points to the SHA1 library directory.
--with-sha1-opt=                 sets additional compile-time options for the SHA1 library.
--with-sha1-asm                  uses the SHA1 assembly sources.
--with-zlib=                     points to the zlib source directory.
--with-zlib-opt=                 sets additional compile-time options for zlib.
--with-zlib-asm=                 uses assembly sources optimised for the specified CPU.
--with-libatomic                 provides an architecture for atomic memory update operations.
--with-libatomic=                points to the libatomic_ops installation directory.
--with-openssl=                  points to the openssl installation directory.
--with-openssl-opt=              sets additional compile-time options for openssl.
--with-debug                     enables debug logging.

Test service after installation

netstat -tunlp |grep 80
curl -I
#If there is no response, check selinux and iptables

Deploy a web site

The default site of nginx is the html folder under the nginx directory, which is configured in nginx.conf:

 location / {
            root   html;  #The default site: the html folder, i.e. the content under /opt/nginx196/html/
            index  index.html index.htm; #The file name of the homepage is index.html
        }

To deploy your website's business data, just put all the developed program files in the html directory.

[root@oldboy_python /tmp 11:34:52]#ls /opt/nginx196/html/
index.html  jssts.jpeg  lhy.mp4  man.jpg  wget-log

Then the content can be accessed as domain name/resource.
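If the site data should live outside the default html directory, the same location block can point root at a custom path instead (a minimal sketch; /opt/mysite is a hypothetical directory, not from the original text):

```nginx
# Serve the site from a custom directory instead of the default html folder
# (/opt/mysite is a hypothetical path)
location / {
    root  /opt/mysite;
    index index.html index.htm;
}
```

After changing nginx.conf this way, a graceful reload (./nginx -s reload) applies the new root without restarting the service.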

Directory structure of Nginx

[root@oldboy_python /opt/nginx196 11:44:02]#ls
client_body_temp  conf  fastcgi_temp  html  logs  proxy_temp  sbin  scgi_temp  static  uwsgi_temp
  • conf  stores all nginx configuration files, mainly nginx.conf
  • html  stores the nginx default site files, such as index.html and error.html
  • logs  stores the nginx default logs, such as error.log and access.log
  • sbin  stores the main nginx command: sbin/nginx

Analysis of Nginx main configuration file

The nginx main configuration file /etc/nginx/nginx.conf is a plain text file. The whole file is organized in blocks; each block is generally delimited by a pair of braces {}.

###### The nginx configuration file nginx.conf explained in detail ######

#User and group that nginx worker processes run as
user www www;

#Number of nginx worker processes; setting it equal to the number of CPU cores is recommended.
worker_processes 8;
#Global error log and log level: [ debug | info | notice | warn | error | crit ]
error_log /usr/local/nginx/logs/error.log info;

#Process pid file
pid /usr/local/nginx/logs/;

#Maximum number of file descriptors a single worker process may open.
#In theory this should be the system-wide limit (ulimit -n) divided by the number of worker
#processes, but nginx does not distribute requests that evenly, so it is best to keep the
#value consistent with ulimit -n.
#On Linux 2.6 kernels the open-file limit is 65535, so worker_rlimit_nofile 65535 is filled in accordingly.
#If a smaller value such as 10240 were used, a worker could exceed 10240 descriptors once total
#concurrency reaches 30000-40000, and 502 errors would be returned.
worker_rlimit_nofile 65535;
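As the comment above says, worker_rlimit_nofile is usually kept consistent with the system's open-file limit. That limit is easy to check (a shell sketch; the actual number varies per system and may also read "unlimited"):

```shell
# Show the current shell's open-file-descriptor limit;
# worker_rlimit_nofile is usually set to match this value.
ulimit -n
```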

    #Event model to use: [ kqueue | rtsig | epoll | /dev/poll | select | poll ]
    #epoll is the high-performance network I/O model for Linux kernels 2.6 and later; on Linux,
    #epoll is recommended, while on FreeBSD the kqueue model is the one to use.
    #Supplementary notes (similar to apache, nginx has different event models for different operating systems):
    #A) Standard event models
    #   select and poll are the standard models; nginx falls back to select or poll when the
    #   current system offers nothing more efficient.
    #B) Efficient event models
    #   kqueue: used on FreeBSD 4.1+, OpenBSD 2.9+, NetBSD 2.0 and MacOS X. Using kqueue on
    #           dual-processor MacOS X systems may cause a kernel crash.
    #   epoll: used on Linux kernel 2.6 and later.
    #   /dev/poll: used on Solaris 7 11/99+, HP/UX 11.22+ (eventport), IRIX 6.5.15+ and Tru64 UNIX 5.1A+.
    #   eventport: used on Solaris 10; a security patch is needed to prevent kernel crashes.
    use epoll;

    #Maximum number of connections per worker process
    #(maximum total connections = worker_connections * worker_processes).
    #Adjust according to the hardware, together with the worker process count above; make it as
    #large as possible without driving the CPU to 100%.
    worker_connections 65535;

    #keepalive timeout, in seconds.
    keepalive_timeout 60;

    #Buffer size for the client request header. This can be set according to your system's page
    #size: a request header normally stays under 1k, but since system pages are generally larger
    #than 1k, the page size is used here.
    #The page size can be obtained with: getconf PAGESIZE
    #client_header_buffer_size can exceed 4k, but its value must be an integral multiple of the
    #system page size.
    client_header_buffer_size 4k;
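The page size that client_header_buffer_size should be a multiple of can be checked directly (a shell sketch; 4096 bytes is typical on x86 Linux but not guaranteed everywhere):

```shell
# Print the memory page size in bytes; client_header_buffer_size is usually
# set to a multiple of this value (commonly 4096 on x86 Linux).
getconf PAGESIZE
```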

    #Cache for open file handles; not enabled by default. max sets the number of cached entries
    #(recommended to match the open-file limit); inactive is how long a file can go unrequested
    #before its cache entry is dropped.
    open_file_cache max=65535 inactive=60s;

    #How often to validate the cached entries.
    #Syntax: open_file_cache_valid time  Default: open_file_cache_valid 60
    #Context: http, server, location. Specifies when to check the validity of items cached by
    #open_file_cache.
    open_file_cache_valid 80s;

    #Minimum number of uses, within the inactive period of the open_file_cache directive, for a
    #file descriptor to stay open in the cache. If a file is not used even once within the
    #inactive time, it is removed.
    #Syntax: open_file_cache_min_uses number  Default: open_file_cache_min_uses 1
    #Context: http, server, location. With a larger value, file descriptors in the cache stay
    #open longer.
    open_file_cache_min_uses 1;
    #Syntax: open_file_cache_errors on | off  Default: open_file_cache_errors off
    #Context: http, server, location. Specifies whether file-lookup errors are cached as well.
    open_file_cache_errors on;
#Set up the http server, using its reverse proxy function to provide load-balancing support
    #Map of file extensions to MIME types
    include mime.types;

    #Default MIME type
    default_type application/octet-stream;

    #Default character encoding
    #charset utf-8;

    #Size of the server-name hash tables.
    #The hash tables holding server names are controlled by server_names_hash_max_size and
    #server_names_hash_bucket_size. The hash bucket size is always equal to the size of the
    #hash table and is a multiple of the processor cache line size; this reduces memory accesses
    #and speeds up key lookups in the processor. If the bucket size equals one processor cache
    #line, the worst case for a key lookup is 2 memory accesses: the first to determine the
    #storage unit's address, the second to find the key inside it. Therefore, if nginx reports
    #that hash max size or hash bucket size needs to be increased, increase hash max size first.
    server_names_hash_bucket_size 128;

    #Client request header buffer size (see the note on page size above).
    client_header_buffer_size 32k;

    #Buffers for large client request headers. nginx first reads the header using
    #client_header_buffer_size; only if the header is too big does it fall back to
    #large_client_header_buffers.
    large_client_header_buffers 4 64k;

    #Maximum size of a file uploaded through nginx
    client_max_body_size 8m;

    #Enable efficient file transfer. The sendfile directive controls whether nginx calls the
    #sendfile() function (zero copy) to output files. For normal applications it should be on;
    #for heavy disk-I/O applications such as download services it can be set to off, to balance
    #disk and network I/O processing speed and reduce system load.
    #Note: if images display incorrectly, change this to off.
    sendfile on;

    #Enable directory listings; appropriate for download servers, off by default.
    autoindex on;

    #Enables or disables the TCP_CORK socket option; only used together with sendfile.
    tcp_nopush on;
    tcp_nodelay on;

    #Keepalive timeout, in seconds
    keepalive_timeout 120;

    #FastCGI-related parameters that improve site performance: less resource usage and faster
    #access. The parameter names below can be understood literally.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    #gzip module settings
    gzip on;               #enable gzip compression of output
    gzip_min_length 1k;    #minimum file size to compress
    gzip_buffers 4 16k;    #compression buffers
    gzip_http_version 1.0; #protocol version (default 1.1; if the front end is squid 2.5, use 1.0)
    gzip_comp_level 2;     #compression level
    gzip_types text/plain application/x-javascript text/css application/xml;
                           #types to compress; text/html is already included by default, so there
                           #is no need to list it (doing so is harmless but produces a warning)
    gzip_vary on;

    #Needed when enabling per-IP connection limiting
    #limit_zone crawler $binary_remote_addr 10m;
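The gain the gzip settings above are after is easy to see offline: repetitive text shrinks dramatically, while tiny payloads (below gzip_min_length) are barely worth compressing. A shell sketch using the standalone gzip tool (file names here are made up for the demonstration):

```shell
# Build a repetitive 10000-byte text body, the kind of payload the gzip
# module compresses well, then compare original vs compressed size.
yes 'hello nginx' | head -c 10000 > body.txt
gzip -c body.txt > body.txt.gz   # compress, keeping the original
wc -c < body.txt                 # 10000 bytes
wc -c < body.txt.gz              # far smaller
```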

    #Load-balancing configuration
    upstream {
        #upstream load balancing; weight is a per-server weight that can be set according to
        #each machine's capacity. The higher the weight, the greater the probability of a
        #request being assigned to that server.
        server weight=3;
        server weight=2;
        server weight=3;

        #nginx's upstream currently supports four allocation strategies:
        #1. round-robin (the default)
        #   Requests are distributed to the backend servers one by one in order; if a backend
        #   goes down it is removed automatically. A weight can be specified to make the
        #   distribution proportional to access ratio, for backends of unequal capacity.
        #   For example:
        #   upstream bakend {
        #       server weight=10;
        #       server weight=10;
        #   }
        #2. ip_hash
        #   Each request is assigned by a hash of the client ip, so every visitor sticks to one
        #   backend server, which solves the session problem.
        #   For example:
        #   upstream bakend {
        #       ip_hash;
        #       server;
        #       server;
        #   }
        #3. fair (third party)
        #   Requests are assigned according to backend response time; shorter response times are
        #   served first.
        #   upstream backend {
        #       server server1;
        #       server server2;
        #       fair;
        #   }
        #4. url_hash (third party)
        #   Requests are assigned by a hash of the requested url, so each url is directed to the
        #   same backend server, which is more effective when the backends are caches.
        #   Example: add a hash statement in the upstream block; the server lines must not carry
        #   weight or other parameters; hash_method selects the hash algorithm.
        #   upstream backend {
        #       server squid1:3128;
        #       server squid2:3128;
        #       hash $request_uri;
        #       hash_method crc32;
        #   }

        #upstream bakend{ #define the ip and state of each load-balanced device
        #    ip_hash;
        #    server down;
        #    server weight=2;
        #    server;
        #    server backup;
        #}
        #In the server block that needs load balancing, add: proxy_pass http://bakend/;

        #Per-device states:
        #1. down         the server temporarily does not participate in the load
        #2. weight       the larger the weight, the larger the share of the load
        #3. max_fails    allowed number of failed requests, default 1; when exceeded, the error
        #                defined by the proxy_next_upstream module is returned
        #4. fail_timeout how long to pause the server after max_fails failures
        #5. backup       only receives requests when all other non-backup machines are down or
        #                busy, so this machine carries the lightest load

        #nginx supports configuring several groups of load balancers at the same time, for
        #different servers to use.
        #client_body_in_file_only set to On logs the client POST data to files, for debugging
        #client_body_temp_path sets the directory for those files; up to three levels of
        #subdirectories can be configured
        #location matches against the URL; it can redirect or hand off to a new proxy / load balancer
    #Virtual host configuration
        #Listening port
        listen 80;

        #Server names: there can be several domain names, separated by spaces
        index index.html index.htm index.php;
        root /data/www/w3cschool;

        #Load balancing for ******
        location ~ .*\.(php|php5)?$ {
            fastcgi_index index.php;
            include fastcgi.conf;
        }
        #Image cache duration
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 10d;
        }
        #JS and CSS cache duration
        location ~ .*\.(js|css)?$ {
            expires 1h;
        }
        #Log format settings
        #$remote_addr and $http_x_forwarded_for record the client's ip address;
        #$remote_user: the client user name;
        #$time_local: access time and time zone;
        #$request: the requested url and http protocol;
        #$status: the request status; 200 on success;
        #$body_bytes_sent: size of the response body sent to the client;
        #$http_referer: the page the request came from;
        #$http_user_agent: information about the client's browser;
        #A web server is usually placed behind a reverse proxy, so the ip obtained through
        #$remote_addr is the reverse proxy server's ip address. The reverse proxy can add
        #x_forwarded_for information to the forwarded http headers to record the original
        #client's ip address and the server address the client originally requested.
        log_format access '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" $http_x_forwarded_for';
        #Access logs for this virtual host
        access_log  /usr/local/nginx/logs/host.access.log  main;
        access_log  /usr/local/nginx/logs/host.access.404.log  log404;
        #Yes "/" Enable reverse proxy
        location / {
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            #Backend Web The server can use the X-Forwarded-For Get user reality IP
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #The following is the configuration of some reverse agents, optional.
            proxy_set_header Host $host;

            #Maximum single file bytes allowed for client requests
            client_max_body_size 10m;

            #Maximum number of bytes of the client request body buffered by the proxy.
            #If set to a larger value such as 256k, submitting any image smaller than 256k works normally in both Firefox and IE. If this directive is commented out, the default client_body_buffer_size is used, which is twice the operating system's page size (8k or 16k), and a problem appears:
            #with either Firefox 4.0 or IE 8.0, submitting a larger image of around 200k returns a 500 Internal Server Error
            client_body_buffer_size 128k;

            #Make nginx intercept backend responses with an error status code and handle them with error_page.
            proxy_intercept_errors on;

            #Timeout for connecting to the backend server - waiting for a response after initiating the handshake
            #nginx's connection timeout with the backend server (proxy connect timeout)
            proxy_connect_timeout 90;

            #Timeout for sending data to the backend server (proxy send timeout)
            #All data must be transmitted to the backend server within the specified time
            proxy_send_timeout 90;

            #Time to wait for the backend server's response after a successful connection (proxy read timeout)
            #After the connection succeeds, this is the time spent waiting for the backend server to respond; the request has entered the backend's queue for processing (it can also be described as the time the backend server takes to process the request)
            proxy_read_timeout 90;

            #Buffer size used by the proxy server (nginx) to hold the user's header information
            #Sets the buffer size for the first part of the response read from the proxied server. This part usually contains a small response header. By default it equals the size of one buffer set by the proxy_buffers directive, but it can be set smaller
            proxy_buffer_size 4k;

            #proxy_buffers buffers; the setting below averages 32k per page
            #Sets the number and size of the buffers used to read the reply from the proxied server. The default is one page, which is 4k or 8k depending on the operating system
            proxy_buffers 4 32k;

            #Buffer size under high load( proxy_buffers*2)
            proxy_busy_buffers_size 64k;

            #Sets the size of data written to proxy_temp_path at a time, to prevent a worker process from blocking too long when passing files
            #Sets the temp-file threshold; replies larger than this value are written to disk while being transferred from the upstream server
            proxy_temp_file_write_size 64k;
        }
        #Location for viewing the Nginx status
        location /NginxStatus {
            stub_status on;
            access_log on;
            auth_basic "NginxStatus";
            auth_basic_user_file conf/htpasswd;
            #The contents of the htpasswd file can be generated with the htpasswd tool provided by apache.
        }
        #Local dynamic/static separation reverse proxy configuration
        #All jsp pages are handled by tomcat or resin
        location ~ .(jsp|jspx|do)?$ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        #All static files are read directly by nginx without going through tomcat or resin
        location ~ .*.(htm|html|gif|jpg|jpeg|png|bmp|swf|ioc|rar|zip|txt|flv|mid|doc|ppt)$ {
            expires 15d;
        }
        location ~ .*.(js|css)?$ {
            expires 1h;
        }
######Detailed explanation of the Nginx configuration file nginx.conf#####
Details of nginx.conf
CoreModule core module

user www;                       #Users used by the Nginx process
worker_processes 1;             #Number of worker processes run by Nginx (recommended to match the number of CPUs, or auto)
error_log /log/nginx/error.log; #Nginx error log storage path
pid /var/run/          #pid process number generated after Nginx service runs
events Event module

events {
    worker_connections  1024;   //Maximum number of connections supported per worker process
    use epoll;                  //Event-driven model; epoll is the default
}
http core module

//Public configuration is defined in http {}
http {  //start of the http layer
    //Use server{} to configure websites; each server{} represents one website (a "virtual host")
    server {
        listen       80;        //Listening port, default 80
        server_name  localhost; //Domain name or host name of the service
        access_log   host.access.log;  //Access log
        //Control the site access path
        location / {
            root   /usr/share/nginx/html;   //Path where the website code is stored
            index  index.html index.htm;    //Default page file returned by the server
        }
        //Specify error codes, define a unified error page, and redirect error codes to a new location
        error_page   500 502 503 504  /50x.html;
    }
    //Second virtual host configuration
    server {
        ...
    }
    include /etc/nginx/conf.d/*.conf;  //Include all files ending in .conf under /etc/nginx/conf.d/
}   //end of the http layer
#Define the number of nginx worker processes
worker_processes  5;
#Error log
#error_log  logs/error.log;
#The http block defines the main configuration area
http {
    include       mime.types;
    default_type  application/octet-stream;
    #Define nginx's access log function
    #nginx keeps an access.log to view records of user visits
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #Turn on the log function
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    #open gzip Compressed transmission
    gzip  on;
    #Virtual host 1 defines a website
    server {
        #Define the port nginx listens on
        listen       80;
        #Define the domain name of the site
        #If there is no domain name, fill in the server's ip address
        #nginx url domain name matching
        #The lowest-priority match: any request from this domain name ends up in this location
        location / {
            #The root parameter, also a keyword, defines the root directory of the web pages
            #It is a relative path under the nginx installation directory: /opt/nginx112/html
            #You are free to modify the page root defined by this root
            root   html;
            #The index parameter defines the home page file name of the website, the default file name
            index  index.html index.htm;
        }
        #Error page optimization (any of the 4xx errors below jumps directly to the 40x.html page in the relative directory)
        error_page  400 401 402 403 404  /40x.html;
    }
}
nginx.conf core configuration


Nginx virtual host


If each Linux server ran only one small website, webmasters with little fame and traffic would have to bear high server rental fees, and hardware resources would be wasted.

A virtual host divides one server into multiple "virtual servers", with each site using its own slice of disk space. Because this saves resources and money, many sites use virtual hosts to deploy their websites.

In Web services, a virtual host is an independent website. The site corresponds to an independent domain name (or IP), has its own programs and resource directory, and can provide services independently.
This stand-alone site configuration uses the server {} code block label in nginx.conf to represent a virtual host.
Nginx supports multiple server {} tags, that is, multiple virtual host sites.

Virtual host type

Domain name based virtual host
 This is the most widely used type of virtual host; enterprises distinguish different virtual hosts by different domain names.

Port based virtual host
Different virtual hosts can be distinguished by different ports. These are generally used for internal enterprise websites and are not exposed to the outside world directly.

IP based virtual host
Different virtual hosts are distinguished by different IP addresses. This kind of virtual host is rare; it is used for services that need multiple IP addresses, such as binding a VIP in load balancing.
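The three types can be sketched in nginx configuration as follows; all domain names, ports, and addresses here (www.a.com, 10.0.0.7, etc.) are made-up examples, not values from this article:

```nginx
# Domain-based: two sites on the same port, distinguished by server_name
server {
    listen       80;
    server_name  www.a.com;    # example domain
    root   html/a;
}
server {
    listen       80;
    server_name  www.b.com;    # example domain
    root   html/b;
}

# Port-based: same host, distinguished by the listening port
server {
    listen       81;
    root   html/internal;
}

# IP-based: distinguished by the address part of listen
server {
    listen       10.0.0.7:80;  # example IP bound on the server
    root   html/ip_site;
}
```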

Nginx status information (status) configuration

Configuration and details of Nginx status information
 Like PHP-FPM, nginx has a built-in status page that is very helpful for understanding the state of nginx and for monitoring it. For subsequent zabbix monitoring, we need to understand nginx's status page.

The introduction of Nginx status information
 Nginx ships with the http_stub_status_module, which can be enabled at compile time. This module records nginx's basic access state information, so that users can understand nginx's working state.
To use the status module, the --with-http_stub_status_module parameter must be added at compile time.

Check whether your nginx has the status module compiled in

[root@master conf]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.12.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
configure arguments: --prefix=/opt/nginx/ --with-http_stub_status_module

Start the status function and modify the configuration file

#Visiting ip/status enters the status function
location /status {
    #Turn on the nginx status function
    stub_status on;
}

Reload nginx gracefully

./sbin/nginx -s reload

Visit the status page

Test with the ab stress-test command

-n requests    #the number of requests to perform, i.e. the total number of requests initiated

-c concurrency #the number of concurrent requests

-k             #enable HTTP KeepAlive, i.e. perform multiple requests within one HTTP session

ab -kc 1000 -n 100000


status page parsing
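The stub_status page returns plain text in the following shape (the numbers here are illustrative):

```
Active connections: 2
server accepts handled requests
 16 16 19
Reading: 0 Writing: 1 Waiting: 1
```

Active connections is the number of currently open client connections; accepts, handled, and requests are cumulative counters of accepted connections, handled connections, and client requests; Reading, Writing, and Waiting count connections currently reading request headers, writing responses, and sitting idle on keep-alive.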


Domain name based multi virtual host practice

nginx can automatically identify the domain name the user requested and, according to the different domain name, serve different content. It only needs an available ip address on the server and a configured dns resolution service.

/etc/hosts is the local dns resolution configuration file on linux systems; it can also achieve the effect of domain-name access
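A local resolution entry has the following form; the IP and domain below are placeholders (the article's actual domains were not preserved):

```
# /etc/hosts - one entry per line: ip  hostname [aliases]
192.168.1.10  www.lxh1.com
```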

Modify nginx.conf

[root@oldboy_python ~ 14:33:16]#egrep -v '#|^$' /opt/nginx196/conf/nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        location / {
            root   html/lxh1;
            index  index.html index.htm;
        }
    }
}

The above code configures a website for one domain name; the virtual host part is the content of server {}

Create the site directory and files

[root@oldboy_python /opt/nginx196/html 14:36:08]#mkdir lxh1
[root@oldboy_python /opt/nginx196/html 14:36:18]#echo "<meta charset=utf8>I am lxh1 site" > lxh1/index.html
[root@oldboy_python /opt/nginx196/html 14:37:21]#cat lxh1/index.html
<meta charset=utf8>I am lxh1 site

The above commands create an html/lxh1 site directory, corresponding to the root directory setting html/lxh1 in the virtual host configuration file

Then generate a home page file index.html with the content "I am lxh1 site"

Check nginx syntax to reload nginx

[root@oldboy_python /opt/nginx196/html 14:37:28]#../sbin/nginx -t
nginx: the configuration file /opt/nginx196/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx196/conf/nginx.conf test is successful

#Reload nginx gracefully

[root@oldboy_python /opt/nginx196/html 14:39:18]#../sbin/nginx -s reload

Check nginx port, process, visit lxh1 virtual site

[root@oldboy_python /opt/nginx196/html 14:40:02]#netstat -tunlp|grep nginx
[root@oldboy_python /opt/nginx196/html 14:40:29]#ps -ef|grep nginx

#DNS resolution is configured here; if not, /etc/hosts resolution is needed
#Successfully configured lxh1 virtual host site
[root@oldboy_python /opt/nginx196/html 14:41:37]#curl
<meta charset=utf8>I am lxh1 site

Configure virtual hosts with multiple domain names

In fact, it is to add a server{} virtual host

egrep -v '#|^$' /opt/nginx196/conf/nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        location / {
            root   html/lxh1;
            index  index.html index.htm;
        }
    }
    server {
        listen       80;
        location / {
            root   html/pythonav;
            index  index.html index.htm;
        }
    }
}

Creating directories and files for a python virtual host site

[root@oldboy_python /opt/nginx196 14:47:21]#mkdir -p /opt/nginx196/html/pythonav
[root@oldboy_python /opt/nginx196 14:49:33]#echo "<meta charset=utf8>I am pythonav, no entry for minors" > /opt/nginx196/html/pythonav/index.html
[root@oldboy_python /opt/nginx196 14:50:44]#./sbin/nginx -t
nginx: the configuration file /opt/nginx196/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx196/conf/nginx.conf test is successful
[root@oldboy_python /opt/nginx196 14:51:32]#./sbin/nginx -s reload

The virtual host based on domain name is completed

[root@oldboy_python /opt/nginx196 14:52:12]#curl
<meta charset=utf8>I am pythonav, no entry for minors
[root@oldboy_python /opt/nginx196 14:52:40]#curl
<meta charset=utf8>I am lxh1 site

1. Nginx error page optimization

While a website is running, a request may fail because a page does not exist; the web service then returns a system error code, but the default error page is very unfriendly.


Therefore, we can redirect 404, 403 and other error pages to the website home page or another designated page to improve the user experience.

server {
        listen       80;
        root html/pythonav;
        location / {
            index  index.html index.htm;
        }
        #The 40x.html error page under the pythonav path
        error_page 400 403 404 405 /40x.html;
}



At this point, the error page has been optimized


2. nginx access log

The log function records information about every user visit to a specified log file. Developers and operators can analyze users' browser behavior from it. This function is handled by the ngx_http_log_module module.

Control log parameters

log_format    defines the format of the log; many formats can be defined
access_log    specifies the path and format of the log file

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';

Corresponding parameter analysis

$remote_addr             records the client ip
$remote_user             remote user; "-" if none
$time_local              corresponds to [14/Aug/2018:18:46:52 +0800]
$request                 corresponds to the request line "GET /favicon.ico HTTP/1.1"
$status                  status code
$body_bytes_sent         size of the response body sent, e.g. 571 bytes
$http_referer            the referring page; "-" when the address is typed directly into the browser
$http_user_agent         client (browser) identity
$http_x_forwarded_for    records the real source ip of the client

The log effect is as follows - - [14/Aug/2018:18:46:52 +0800] "GET /favicon.ico HTTP/1.1" 404 571 "-"

"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon" ""

nginx.conf default configuration

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

Log format configuration definition

log_format is a keyword parameter of the log directive and cannot be changed
 main is the label given to this log format; when logging, the format is selected via the main label.

3. nginx restricts IP access to website sources

If one day you find that your nginx is very slow, or when checking access.log you see some host crazily requesting your nginx server, you can deny that IP access.
Restrict access by ip or ip segment
Deny access to resources under /av/

location /av {
    deny;
    #alias /opt/nginx196/html/av;
    allow;
}
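A working deny/allow block needs address arguments; the addresses below are made-up examples:

```nginx
location /av {
    alias /opt/nginx196/html/av;
    deny  192.168.1.100;   # example: block one host
    deny  10.0.0.0/24;     # example: block a whole segment
    allow all;             # everyone else may access
}
```

nginx evaluates allow/deny rules in order and the first matching rule wins, so specific deny rules must come before the catch-all allow.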

4. Nginx agent function

Forward agency

A forward proxy, i.e. the "proxy" in the usual sense, works like a springboard (similar to a VPN). In short:

I am a user who cannot reach a certain website, but I can reach a proxy server, and the proxy server can reach the website I cannot. So I first connect to the proxy server, tell it the content I need from the unreachable website, have the proxy fetch it, and it returns the content to me.


Reverse proxy

To the client, the reverse proxy server looks like the origin server itself.
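A minimal reverse-proxy sketch; the backend address 10.0.0.9 is a made-up example, not a value from this article:

```nginx
server {
    listen 80;
    location / {
        # nginx receives the request and forwards it to the backend
        proxy_pass http://10.0.0.9:80;
        # pass the original Host header and client IP on to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```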


nginx components for load balancing

The ngx_http_proxy_module proxy module is used to send requests to backend server nodes or an upstream server pool

Implement a simple reverse proxy

Experimental results:

#Access the proxy server from windows, and let the proxy server fetch the data from the web server

Request path: windows -> master (proxy) -> slave (web server)
Return path:  windows <- master (proxy) <- slave (web server)

Machine ready, two servers

master   main load balancer
slave    web1

Profile of the primary load balancing node

worker_processes  1;
error_log  logs/error.log;
pid        logs/;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    upstream slave_pools {
        server weight=1;
    }
    server {
        listen       80;
        server_name  localhost;
        location / {
            proxy_pass  http://slave_pools;
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
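The server line inside upstream{} needs a backend address (the one in this article was lost). A complete pool, with made-up backend IPs, looks like:

```nginx
upstream slave_pools {
    # weight controls the share of requests each backend receives
    server 10.0.0.8:80 weight=1;   # example backend 1
    server 10.0.0.9:80 weight=2;   # example backend 2, receives twice the traffic
}

server {
    listen 80;
    location / {
        proxy_pass http://slave_pools;  # requests are distributed round-robin by weight
    }
}
```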

Check syntax and start nginx

[root@master /opt/nginx196]$/opt/nginx196/sbin/nginx -t
nginx: the configuration file /opt/nginx196/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx196/conf/nginx.conf test is successful
#start-up nginx
[root@master /opt/nginx196]$/opt/nginx196/sbin/nginx
#Check port
[root@master /opt/nginx196]$netstat -tunlp|grep nginx
tcp 0 0* LISTEN 8921/nginx: master

At this time, access the address of the master server, and the request will be forwarded to port 80 of the slave

In addition to the display of page effect, you can also view the agent effect through log(access.log)

master log

slave end log

A detailed explanation of nginx location syntax
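The main location match types can be sketched as follows (the paths are made-up examples): = is an exact match, ^~ is a prefix match that stops regex checking, ~ is a case-sensitive regex, ~* is a case-insensitive regex, and a bare prefix is the lowest priority:

```nginx
server {
    listen 80;

    location = /exact        { return 200 "exact match\n"; }  # matches only /exact
    location ^~ /static      { root html; }                   # prefix match, skips regex checks
    location ~ \.php$        { return 403; }                  # case-sensitive regex
    location ~* \.(jpg|png)$ { expires 15d; }                 # case-insensitive regex
    location /               { root html; }                   # default catch-all prefix
}
```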


Keepalived high availability software

What is keepalived

Keepalived is routing software written in C. The main goal of the project is to provide simple and powerful load balancing and high availability facilities for Linux systems and Linux-based infrastructure.
It can also be used as high-availability software for other services (nginx, mysql)
keepalived mainly implements high availability through the VRRP protocol. VRRP stands for Virtual Router Redundancy Protocol,
which solves the single point of failure problem: it guarantees that the network as a whole keeps running even when individual nodes go down.

High availability failover principle

While keepalived is working, the master node continuously sends heartbeat messages to the backup node, telling the backup that it is still alive.
When the master node fails, it can no longer send heartbeats; the backup node stops detecting the master's heartbeat and invokes its own takeover program to take over the master's ip resources and services.
When the master node recovers, the backup node releases the ip resources and services it took over and returns to its original backup role.
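The failover behavior described above is driven by a vrrp_instance block in keepalived.conf; the interface name, router id, password, and VIP below are all made-up examples:

```
! Minimal keepalived.conf sketch for the MASTER node
vrrp_instance VI_1 {
    state MASTER            # the peer node would use state BACKUP
    interface eth0          # example NIC that carries the heartbeat
    virtual_router_id 51    # must match on master and backup
    priority 150            # the backup uses a lower value, e.g. 100
    advert_int 1            # heartbeat interval in seconds
    authentication {
        auth_type PASS
        auth_pass 1111      # example shared password
    }
    virtual_ipaddress {
        10.0.0.3            # example VIP that fails over between nodes
    }
}
```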

1. Hardware environment preparation

The ideal lab environment would be 4 virtual machines; since the environment is limited, 2 machines are used

2. CentOS system and nginx proxy environment


Tags: Linux Nginx zlib OpenSSL

Posted on Sat, 11 Jan 2020 00:14:55 -0800 by jmanfffreak