How to use nginx modules:
1. worker_processes auto
worker_processes auto; # auto = number of physical cores; a fixed number can be given instead, normally equal to or lower than the number of physical cores

2. events
events {
    worker_connections 1024; # each worker process serves up to 1024 connections; total capacity = worker_processes * worker_connections
}
(1) worker_connections number;
    Maximum number of concurrent connections each worker process may open; total capacity = worker_processes * worker_connections
(2) use method;
    Selects the connection-processing method (event model), e.g. use epoll;
(3) accept_mutex on | off;
    How new connections are handed out: on means the workers take turns accepting new connections; off means every worker process is woken up whenever a new connection arrives;
3. http
log_format
$remote_addr            address of the remote host
$remote_user            remote (authenticated) user
$time_local             local time
$request                request line (method, URL and protocol version)
$status                 response status code
$body_bytes_sent        number of body bytes sent
$http_referer           Referer header
$http_user_agent        client User-Agent (which browser or client made the request)
$http_x_forwarded_for   address of the original client when the request came through a proxy (the header is set by the sender, so trust it only behind proxies you control)
access_log
access_log  /var/log/nginx/access.log  main; # where the access log is written
sendfile            on; # improves performance
keepalive_timeout   65; # keep-alive connections enabled
default_type        application/octet-stream; # files of unknown type are served as a generic binary (octet) stream
4. server
listen       80 default_server; # default virtual host
listen       [::]:80 default_server; # default virtual host on the IPv6 port
server_name  _; # for the default host the underscore matches any host name
root         /usr/share/nginx/html; # default web root
location / {
        } # custom settings
error_page # error page
5. worker_cpu_affinity cpumask ...;
   worker_cpu_affinity auto [cpumask];
[root@node01 nginx]# vim nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
#worker_cpu_affinity auto; # automatic binding
Before binding:
[root@node01 nginx]# ps axo comm,pid,psr | grep nginx
nginx             4997   0
nginx             4998   3
nginx             4999   2
nginx             5000   0
nginx             5001   1
After binding:
[root@node01 nginx]# vim nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_cpu_affinity auto; # automatic binding
[root@node01 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 nginx]# nginx -s reload
[root@node01 nginx]# ps axo comm,pid,psr | grep nginx
nginx             4997   0
nginx             6638   0
nginx             6639   1
nginx             6640   2
nginx             6641   3
Verify:
[root@node02 ~]# yum install -y httpd-tools
[root@node02 ~]# ab -n 10000 -c 100 http://192.168.32.132/index.html
Observe on node01:
[root@node01 nginx]# watch -n.5 'ps axo comm,pid,psr | grep nginx'
The workers are no longer scheduled onto random CPUs.
Bind the CPUs in reverse order:
[root@node01 nginx]# vim nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
#worker_cpu_affinity auto;
worker_cpu_affinity 1000 0100 0010 0001;
[root@node01 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 nginx]# nginx -s reload
[root@node01 nginx]# watch -n.5 'ps axo comm,pid,psr | grep nginx'
Every 0.5s: ps axo comm,pid,psr | grep nginx          Mon Jan 28 14:06:16 2019
nginx             4997   3
nginx             7314   3
nginx             7315   2
nginx             7316   1
nginx             7317   0
Custom worker_processes count with custom CPU binding:
[root@node01 nginx]# vim nginx.conf
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
#worker_cpu_affinity auto;
worker_cpu_affinity 1000 0100;
[root@node01 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 nginx]# nginx -s reload
[root@node01 nginx]# watch -n.5 'ps axo comm,pid,psr | grep nginx'
Every 0.5s: ps axo comm,pid,psr | grep nginx          Mon Jan 28 14:12:44 2019
nginx             4997   3
nginx             7962   3
nginx             7963   2
6. worker_priority number; sets the nice value of the worker processes, i.e. their scheduling priority; range [-20,20]
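The bitmask semantics of worker_cpu_affinity are easy to get backwards: nginx reads each mask from the right, so "1000" is CPU 3, which is why the ps listing above shows the four workers on CPUs 3, 2, 1, 0 in start order. The following Python, added here as an example and not part of the original notes, converts masks to CPU ids, applies nginx's rule of reusing the last mask when there are fewer masks than workers, and checks a `ps axo comm,pid,psr` listing against the expected sets. It assumes the first nginx row is the master process and the remaining rows are the workers in start order; the sample listing is constructed from the output shown above.

```python
"""Map worker_cpu_affinity bitmasks to CPU ids and check a ps listing against them."""

from typing import List


def cpumask_to_cpus(mask: str) -> List[int]:
    """Return the CPU ids enabled by one bitmask such as "0100".

    nginx reads a mask right to left: the rightmost bit is CPU 0,
    so "1000" binds to CPU 3 and "0100" to CPU 2.
    """
    if not mask or any(ch not in "01" for ch in mask):
        raise ValueError(f"invalid cpumask {mask!r}: only 0/1 digits are allowed")
    return [i for i, bit in enumerate(reversed(mask)) if bit == "1"]


def worker_cpu_sets(worker_processes: int, masks: List[str]) -> List[List[int]]:
    """Allowed CPU set for every worker.

    When there are fewer masks than workers nginx logs a warning and reuses
    the last mask for the remaining workers; extra masks are ignored.
    """
    if worker_processes < 1 or not masks:
        raise ValueError("need at least one worker and one mask")
    width = len(masks[0])
    if any(len(m) != width for m in masks):
        raise ValueError("all cpumasks must have the same number of bits")
    sets = [cpumask_to_cpus(m) for m in masks]
    while len(sets) < worker_processes:
        sets.append(sets[-1])
    return sets[:worker_processes]


def check_ps_listing(ps_text: str, worker_processes: int, masks: List[str]):
    """Compare each worker's last-seen CPU (psr column) with its allowed set.

    Returns [(pid, psr, ok), ...] for the workers; the master is excluded.
    Assumption: first row is the master, the rest are workers in start order.
    """
    allowed = worker_cpu_sets(worker_processes, masks)
    rows = [line.split() for line in ps_text.splitlines() if line.strip()]
    workers = rows[1:]
    if len(workers) != worker_processes:
        raise ValueError(f"expected {worker_processes} workers, found {len(workers)}")
    result = []
    for i, (_comm, pid, psr) in enumerate(workers):
        psr_i = int(psr)
        result.append((int(pid), psr_i, psr_i in allowed[i]))
    return result


# Constructed sample modelled on the `ps axo comm,pid,psr | grep nginx` output
# in the notes after `worker_cpu_affinity 1000 0100 0010 0001;`.
SAMPLE_PS = """\
nginx             4997   3
nginx             7314   3
nginx             7315   2
nginx             7316   1
nginx             7317   0
"""

if __name__ == "__main__":
    masks = ["1000", "0100", "0010", "0001"]
    for pid, psr, ok in check_ps_listing(SAMPLE_PS, 4, masks):
        state = "bound as expected" if ok else "NOT on its allowed CPU"
        print(f"worker {pid}: on CPU {psr} -> {state}")
```

A one-off psr value is only the CPU the process last ran on, so a single listing proves nothing; the `watch` loop in the notes is the right way to confirm the workers stay put.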
[root@node01 nginx]# vim nginx.conf
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
#worker_cpu_affinity auto;
worker_cpu_affinity 1000 0100;
worker_priority -5;
[root@node01 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 nginx]# nginx -s reload
[root@node01 nginx]# ps axo comm,pid,psr,ni | grep nginx
nginx             4997   3   0
nginx             8718   3  -5
nginx             8719   2  -5
7. worker_rlimit_nofile number; upper limit on the number of files a worker process may open;
[root@node01 nginx]# vim nginx.conf
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
#worker_cpu_affinity auto;
worker_cpu_affinity 1000 0100;
worker_priority -5;
worker_rlimit_nofile 65535;
[root@node01 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 nginx]# nginx -s reload
8. Socket-related configuration:
    Example:
Restrict access by host
[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
                deny 192.168.32.131; # IP address of node03
                allow all;
        }
}
[root@node01 vhost1]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 vhost1]# nginx -s reload
Verify:
[root@node02 ~]# curl http://www.hehe.com
<h1>Nginx Vhost 1</h1>
[root@node03 ~]# curl http://www.hehe.com
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
Example:
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
                root /data/nginx/vhost2;
                allow all;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
}
Matching example
Difference between root and alias
root maps the directory on the left: the whole request URI is appended to the root path; alias maps the directory on the right: the part of the URI matched by the location is replaced by the alias path
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                root   /data/pictures/; # /images/ is served from /data/pictures/images/ (root appends the URI)
        }
}
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                alias   /data/pictures/; # /images/ is served from /data/pictures/ itself (alias replaces the matched prefix)
        }
}
Custom error page
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                root   /data/pictures/; # /images/ is served from /data/pictures/images/
        }
        error_page 404  /notfound.html;
        location = /notfound.html {
                root /data/nginx/error_pages;
        }
}
[root@node01 ~]# mkdir /data/nginx/error_pages
[root@node01 ~]# vim /data/nginx/error_pages/notfound.html
Verify:

Return a different status code in place of the original one
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                alias   /data/pictures/;
        }
        error_page 404 =200 /notfound.html;
        location = /notfound.html {
                root /data/nginx/error_pages;
        }
}
Verify:

10. Client request configuration
   (1) keepalive_timeout timeout [header_timeout];
                        Timeout for keep-alive connections; 0 disables keep-alive; default 75s;
   (2) keepalive_requests number;
                        Maximum number of requests allowed over one keep-alive connection; default 100;
   (3) keepalive_disable none | browser ...;
                        Which browsers keep-alive is disabled for;
   (4) send_timeout time;
                        Timeout for sending the response to the client; it is the interval between two successive write operations, not the time for the whole transfer;
   (5) client_body_buffer_size size;
11. Client restrictions
      (1) limit_rate rate;
                        Limits the rate at which responses are sent to a client, in bytes/second; 0 means no limit;
      (2) limit_except method ... { ... }
                        Restricts which clients may use request methods other than the ones listed (allowing GET also allows HEAD);
                        limit_except GET {
                            allow 192.168.1.0/24;
                            deny  all;
                        }
12. File I/O optimisation
        (1) aio on | off | threads[=pool]; whether to enable asynchronous I/O;
        (2) directio size | off; enables the O_DIRECT flag on Linux; used when a file is larger than or equal to the given size, e.g. directio 4m;
        (3) open_file_cache off; open_file_cache max=N [inactive=time];
                            nginx can cache three kinds of information: (1) file descriptors, file sizes and last-modification times; (2) directory structures that were opened; (3) information about files that were not found or could not be accessed;
                            max=N: maximum number of cache entries; once it is reached, entries are evicted with an LRU policy;
                            inactive=time: inactivity period; an entry that is not hit within this period, or is hit fewer times than open_file_cache_min_uses specifies, is treated as inactive and removed;
13. ngx_http_access_module (access control module)
ngx_http_access_module:
                    implements IP-based access control; rules are checked in the order written and the first matching rule decides, so a deny placed after allow all never fires
                    (1) allow address | CIDR | unix: | all;
                    (2) deny address | CIDR | unix: | all;
                        Contexts: http, server, location, limit_except
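The deny/allow pair in the section 8 example, the limit_except block in section 11 and the access-module summary just above all rely on the same evaluation rule: rules are tried top to bottom, the first one whose target contains the client decides, and a client matching no rule is allowed. The Python below, added as an example and not part of the original notes, models that evaluation (the `unix:` target is not modelled) so the two orderings of the vhost1 rules can be compared; the rule sets are copied from the notes and the client addresses are constructed.

```python
"""Evaluate nginx allow/deny rules and the limit_except method gate."""

import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", "all" | address | CIDR)


def access_allowed(rules: List[Rule], client_ip: str) -> bool:
    """True if client_ip passes the rule list.

    Rules are checked top to bottom; the first one whose target contains the
    client decides. If nothing matches, nginx allows the request.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if target == "all":
            matched = True
        else:
            net = ipaddress.ip_network(target, strict=False)
            matched = ip.version == net.version and ip in net
        if matched:
            return action == "allow"
    return True


def limit_except_allowed(listed_methods: List[str], rules: List[Rule],
                         method: str, client_ip: str) -> bool:
    """Model `limit_except <methods> { allow/deny ... }`.

    Listed methods are always allowed (listing GET also allows HEAD); every
    other method is subject to the allow/deny rules inside the block.
    """
    methods = {m.upper() for m in listed_methods}
    if "GET" in methods:
        methods.add("HEAD")
    if method.upper() in methods:
        return True
    return access_allowed(rules, client_ip)


def http_status(rules: List[Rule], client_ip: str) -> int:
    """403 Forbidden when a deny rule wins, otherwise 200 (as curl showed from node02/node03)."""
    return 200 if access_allowed(rules, client_ip) else 403


# Rule sets from the notes (vhost1.conf and the limit_except example).
DENY_NODE03 = [("deny", "192.168.32.131"), ("allow", "all")]
# The same two rules in the wrong order: "allow all" matches first, so the deny is dead.
DENY_NODE03_WRONG_ORDER = [("allow", "all"), ("deny", "192.168.32.131")]
LIMIT_EXCEPT_GET = [("allow", "192.168.1.0/24"), ("deny", "all")]

if __name__ == "__main__":
    for ip in ("192.168.32.128", "192.168.32.131"):
        print(ip, "-> correct order:", http_status(DENY_NODE03, ip),
              "wrong order:", http_status(DENY_NODE03_WRONG_ORDER, ip))
    for method, ip in (("GET", "10.0.0.5"), ("POST", "10.0.0.5"), ("POST", "192.168.1.20")):
        print(method, "from", ip, "->", limit_except_allowed(["GET"], LIMIT_EXCEPT_GET, method, ip))
```

Run it to see that node03 gets 403 only with deny first; with allow all first every client, node03 included, gets 200, which is the most common mistake with this module.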
14. ngx_http_auth_basic_module
               implements user-based access control using HTTP Basic authentication;
                    (1) auth_basic string | off;
                    (2) auth_basic_user_file file;
                        location /admin/ {
                            alias /webapps/app1/data/;
                            auth_basic "Admin Area";
                            auth_basic_user_file /etc/nginx/.ngxpasswd;
                        }
                        Note: the htpasswd command is provided by httpd-tools;
Example
[root@node01 ~]# htpasswd -c -m /etc/nginx/.ngxpasswd tom
New password:
Re-type new password:
Adding password for user tom
[root@node01 ~]# htpasswd -m /etc/nginx/.ngxpasswd jerry
New password:
Re-type new password:
Adding password for user jerry
[root@node01 ~]# cat /etc/nginx/.ngxpasswd
tom:$apr1$hj5QSHd8$GhF4wQy3RqGSgqhsnDkP3.
jerry:$apr1$YBflr81R$JwwcZRpSH1v5HNnP9Hi5i/
[root@node01 ~]# vim /etc/nginx/conf.d/vhost1.conf
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* ^/(admin|login) {
                auth_basic "admin area or login url";
                auth_basic_user_file  /etc/nginx/.ngxpasswd;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                alias   /data/pictures/;
        }
        error_page 404 =200 /notfound.html;
        location = /notfound.html {
                root /data/nginx/error_pages;
        }
}
[root@node01 ~]# mkdir /data/nginx/vhost1/admin
[root@node01 ~]# vim /data/nginx/vhost1/admin/index.html
[root@node01 ~]# more /data/nginx/vhost1/admin/index.html
<h1>Admin Area</h1>
[root@node01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 ~]# nginx -s reload


15. ngx_http_stub_status_module
                    outputs basic nginx status information;
                    Active connections: number of currently active connections;
                    accepts: total number of client connections accepted;
                    handled: total number of client connections handled;
                    requests: total number of client requests;
                    Reading: number of connections currently reading the client request header;
                    Writing: number of connections currently writing a response to the client;
                    Waiting: number of idle connections waiting for the next client request;
Example
[root@node01 ~]# vim /etc/nginx/conf.d/vhost1.conf
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* ^/(admin|login) {
                auth_basic "admin area or login url";
                auth_basic_user_file  /etc/nginx/.ngxpasswd;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                alias   /data/pictures/;
        }
        error_page 404 =200 /notfound.html;
        location = /notfound.html {
                root /data/nginx/error_pages;
        }
        location /ngxstatus {
                stub_status;
        }
}
[root@node01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 ~]# nginx -s reload
[root@node01 ~]# curl http://www.hehe.com/ngxstatus
Active connections: 2
server accepts handled requests
2 2 4
Reading: 0 Writing: 1 Waiting: 1
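The status page is meant to be scraped, and the counters are more useful once turned into numbers: accepts minus handled is the number of connections nginx could not handle (usually worker_connections or worker_rlimit_nofile being exhausted), and Active should equal Reading + Writing + Waiting. The parser below is an added example, not part of the original notes; SAMPLE_STATUS is the curl output shown above. Note that the /ngxstatus location in the config carries no allow/deny, so anyone who can reach port 80 can read it; restricting it with the access module of section 13 is the usual practice.

```python
"""Parse ngx_http_stub_status_module output into a metrics dict."""

import re
from typing import Dict

# Output of `curl http://www.hehe.com/ngxstatus` from the notes.
SAMPLE_STATUS = """\
Active connections: 2
server accepts handled requests
 2 2 4
Reading: 0 Writing: 1 Waiting: 1
"""

_ACTIVE = re.compile(r"^Active connections:\s*(\d+)")
_COUNTERS = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$")
_STATES = re.compile(r"^Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)")


def parse_stub_status(text: str) -> Dict[str, int]:
    """Return the stub_status counters plus two derived values.

    dropped   = accepts - handled (connections nginx could not handle)
    active_ok = 1 if Active == Reading + Writing + Waiting, else 0
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) < 4:
        raise ValueError("stub_status output should have four non-empty lines")
    m_active = _ACTIVE.match(lines[0])
    m_counts = _COUNTERS.match(lines[2])
    m_states = _STATES.match(lines[3])
    if not (m_active and m_counts and m_states):
        raise ValueError("unrecognised stub_status format")
    accepts, handled, requests = (int(x) for x in m_counts.groups())
    reading, writing, waiting = (int(x) for x in m_states.groups())
    active = int(m_active.group(1))
    return {
        "active": active,
        "accepts": accepts,
        "handled": handled,
        "requests": requests,
        "reading": reading,
        "writing": writing,
        "waiting": waiting,
        "dropped": accepts - handled,
        "active_ok": int(active == reading + writing + waiting),
    }


if __name__ == "__main__":
    for key, value in parse_stub_status(SAMPLE_STATUS).items():
        print(f"{key:10s} {value}")
```

A non-zero `dropped` that keeps growing between two scrapes is the signal worth alerting on; the absolute counters only reset when nginx is restarted.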

16. ngx_http_log_module
Example:
[root@node01 ~]# vim /etc/nginx/conf.d/vhost1.conf
server {
        listen 80;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        access_log /var/log/nginx/vhost1_access.log main;
        location / {
        #       root /data/nginx/vhost2;
                allow all;
        }
        location ~* ^/(admin|login) {
                auth_basic "admin area or login url";
                auth_basic_user_file  /etc/nginx/.ngxpasswd;
        }
        location ~* \.(jpg|jpeg|jfif)$ {
                deny 192.168.32.131;
                allow all;
        }
        location ^~ /images/ {
                alias   /data/pictures/;
        }
        error_page 404 =200 /notfound.html;
        location = /notfound.html {
                root /data/nginx/error_pages;
        }
        location /ngxstatus {
                stub_status;
                access_log off;
        }
}
[root@node01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 ~]# nginx -s reload
[root@node01 ~]# tail -f /var/log/nginx/
access.log              access.log-20190128.gz  error.log               error.log-20190128.gz   vhost1_access.log
[root@node01 ~]# tail -f /var/log/nginx/vhost1_access.log
192.168.32.131 - - [28/Jan/2019:19:29:15 +0800] "GET /images/test001.jpg HTTP/1.1" 200 12931 "-" "curl/7.29.0" "-"
^C
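The logged line is worth a second look: 192.168.32.131 is the address denied in the `~* \.(jpg|jpeg|jfif)$` location, yet it received a 200 for /images/test001.jpg. That is correct nginx behaviour, because `location ^~ /images/` is a prefix match that stops the regex locations from being considered, so the deny never applies under /images/. Seeing that in the log is exactly what the `main` format from section 3 is for. The following Python parser for that format is an added example, not part of the original notes; the first line of SAMPLE_LOG is the line shown above and the other lines are constructed to exercise 401/403 responses. It keys clients by $remote_addr rather than $http_x_forwarded_for, since the latter is client-supplied unless a trusted proxy sets it.

```python
"""Parse nginx access-log lines in the `main` log_format and count denied requests per client."""

import re
from collections import defaultdict
from typing import Dict, List, Optional

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
MAIN_FORMAT = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)

# Constructed sample: line 1 is from the notes, the rest are made up for this example.
SAMPLE_LOG = """\
192.168.32.131 - - [28/Jan/2019:19:29:15 +0800] "GET /images/test001.jpg HTTP/1.1" 200 12931 "-" "curl/7.29.0" "-"
192.168.32.131 - - [28/Jan/2019:19:30:02 +0800] "GET /test002.jpg HTTP/1.1" 403 169 "-" "curl/7.29.0" "-"
192.168.32.128 - - [28/Jan/2019:19:30:40 +0800] "GET /admin/ HTTP/1.1" 401 188 "-" "curl/7.29.0" "-"
192.168.32.128 - tom [28/Jan/2019:19:31:05 +0800] "GET /admin/ HTTP/1.1" 200 21 "-" "curl/7.29.0" "-"
10.0.0.9 - - [28/Jan/2019:19:31:50 +0800] "GET /admin/ HTTP/1.1" 401 188 "-" "Mozilla/5.0" "203.0.113.7"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one `main`-format line, or None if it does not parse."""
    m = MAIN_FORMAT.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["body_bytes_sent"] = int(fields["body_bytes_sent"])
    return fields


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per $remote_addr: total requests and how many were refused (401 or 403)."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"requests": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line) if line.strip() else None
        if rec is None:
            continue  # unparsable lines are counted separately by count_unparsed()
        entry = stats[rec["remote_addr"]]
        entry["requests"] += 1
        if rec["status"] in (401, 403):
            entry["denied"] += 1
    return dict(stats)


def count_unparsed(log_text: str) -> int:
    """Lines that do not match the format: a sudden rise usually means the log_format changed."""
    return sum(1 for line in log_text.splitlines() if line.strip() and parse_line(line) is None)


def suspicious_clients(log_text: str, min_denied: int = 1) -> List[str]:
    """Clients that were refused at least min_denied times, sorted by address."""
    return sorted(ip for ip, s in summarize(log_text).items() if s["denied"] >= min_denied)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip:16s} requests={s['requests']} denied={s['denied']}")
    print("unparsed:", count_unparsed(SAMPLE_LOG))
    print("clients with refusals:", suspicious_clients(SAMPLE_LOG))
```

The per-vhost access_log in the config above means each virtual host can be analysed on its own; the `access_log off;` under /ngxstatus keeps scraper traffic out of the numbers.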
17. ngx_http_gzip_module: HTTP compression module
Example
[root@node01 ~]# vim???/etc/nginx/nginx.conf
[root@node01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 ~]# nginx -s reload
[root@node01 nginx]# cp nginx.conf /data/nginx/vhost1/nginx.html
Verify:

18. ngx_http_ssl_module:
Example
1. Set up a CA on node02
[root@node02 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:heheda
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:node02.hehe.com
Email Address []:
[root@node02 CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@node02 CA]# touch index.txt
[root@node02 CA]# echo 01 > serial
[root@node02 CA]# ll
總用量 8
-rw-r--r--  1 root root 1334 1月  29 10:41 cacert.pem
drwxr-xr-x. 2 root root    6 4月  11 2018 certs
drwxr-xr-x. 2 root root    6 4月  11 2018 crl
-rw-r--r--  1 root root    0 1月  29 10:41 index.txt
drwxr-xr-x. 2 root root    6 4月  11 2018 newcerts
drwx------. 2 root root   23 1月  29 10:38 private
-rw-r--r--  1 root root    3 1月  29 10:41 serial
2. Generate a private key on node01 (the nginx host)
[root@node01 nginx]# mkdir /etc/nginx/ssl
[root@node01 nginx]# cd /etc/nginx/ssl/
[root@node01 ssl]# ls
[root@node01 ssl]# (umask 077; openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
...........................................................................................................+++
e is 65537 (0x10001)
[root@node01 ssl]# ls
nginx.key
[root@node01 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:heheda
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:node01.hehe.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node01 ssl]# ll
總用量 8
-rw-r--r-- 1 root root 1013 1月  29 13:21 nginx.csr
-rw------- 1 root root 1675 1月  29 10:42 nginx.key
3. Have the CA sign the request
[root@node01 ssl]# scp nginx.csr node02:/tmp/
The authenticity of host 'node02 (192.168.32.128)' can't be established.
ECDSA key fingerprint is SHA256:tMT8xiLAjrhvRkah4txBY1OVsq4KZzdK+mW9G7LK/ZU.
ECDSA key fingerprint is MD5:e2:c3:6d:0d:d8:5e:05:94:dc:9e:9e:4f:87:de:8d:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node02,192.168.32.128' (ECDSA) to the list of known hosts.
root@node02's password:
nginx.csr                                                 100% 1013   657.2KB/s   00:00
[root@node02 CA]# openssl ca -in /tmp/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
????????Serial Number: 1 (0x1)
????????Validity
????????????Not Before: Jan 29 05:26:21 2019 GMT
????????????Not After : Jan 29 05:26:21 2020 GMT
????????Subject:
????????????countryName???????????????= CN
????????????stateOrProvinceName???????= Beijing
????????????organizationName??????????= heheda
????????????organizationalUnitName????= devops
????????????commonName????????????????= node01.hehe.com
????????X509v3 extensions:
????????????X509v3 Basic Constraints:
????????????????CA:FALSE
????????????Netscape Comment:
????????????????OpenSSL Generated Certificate
????????????X509v3 Subject Key Identifier:
????????????????94:F0:75:E1:3A:86:06:33:CB:A3:1E:B1:E5:83:C0:07:FA:A9:A9:CD
????????????X509v3 Authority Key Identifier:
????????????????keyid:EC:1F:2B:D8:93:96:6C:18:8A:AC:90:16:F3:0C:0F:ED:35:36:58:BC
Certificate is to be certified until Jan 29 05:26:21 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node02 CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@node02 CA]# cd newcerts/
[root@node02 newcerts]# ls
01.pem
[root@node02 newcerts]# cd ..
[root@node02 CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@node02 CA]# ll certs/
總用量 8
-rw-r--r-- 1 root root 4480 1月  29 13:26 nginx.crt
[root@node02 CA]# scp certs/nginx.crt node01:/etc/nginx/ssl/
The authenticity of host 'node01 (192.168.32.132)' can't be established.
ECDSA key fingerprint is SHA256:0VrA1bIJY59rAo4HPYPuI9OBPgzS3mmmVZ4Erhkvs/I.
ECDSA key fingerprint is MD5:d3:ca:de:bf:b3:ad:38:25:71:e6:d6:07:5b:c9:7a:17.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node01,192.168.32.132' (ECDSA) to the list of known hosts.
root@node01's password:
Permission denied, please try again.
root@node01's password:
nginx.crt                                                 100% 4480     3.9MB/s   00:00
4. Configure
[root@node01 nginx]# cp conf.d/vhost1.conf conf.d/vhost1_ssl.conf
[root@node01 nginx]# vim conf.d/vhost1_ssl.conf
server {
        listen 443 ssl;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        ssl on; # redundant with "listen 443 ssl"; later nginx releases no longer accept it
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_protocols sslv3 TLSv1 tlsv1.1 tlsv1.2; # protocol names are matched case-insensitively; SSLv3 is broken and should not be enabled outside a lab
        ssl_session_cache shared:SSL:10m;
}
[root@node01 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 nginx]# nginx -s reload
[root@node01 nginx]# ss -tnl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:111                            *:*
LISTEN     0      128    *:80                             *:*
LISTEN     0      128    *:22                             *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    *:443                            *:*
LISTEN     0      128    :::111                           :::*
LISTEN     0      128    :::80                            :::*
LISTEN     0      128    :::22                            :::*
LISTEN     0      100    ::1:25                           :::*
5. Verify
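The vhost1_ssl.conf above works for a lab, but two of its lines are the ones a reviewer would flag: `ssl on;` is redundant once `listen 443 ssl` is used, and `ssl_protocols` enables SSLv3, TLSv1 and TLSv1.1. The Python below is an added example, not part of the original notes: it reads the ssl_* directives out of a server block, reports weak settings, and writes a hardened copy. SAMPLE_CONFIG is the file from the notes; the replacement protocol list (TLSv1.2 TLSv1.3) is an editorial choice, and the directive reader is deliberately minimal (one `name args;` statement per line, which is enough for this block).

```python
"""Audit the ssl_* directives of an nginx server block and emit a hardened copy."""

from typing import List, Tuple

# vhost1_ssl.conf as written in the notes.
SAMPLE_CONFIG = """\
server {
        listen 443 ssl;
        server_name www.hehe.com;
        root /data/nginx/vhost1;
        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_protocols sslv3 TLSv1 tlsv1.1 tlsv1.2;
        ssl_session_cache shared:SSL:10m;
}
"""

# Protocol names nginx accepts (it matches them case-insensitively) that are no longer safe.
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
HARDENED_PROTOCOLS = "TLSv1.2 TLSv1.3"  # editorial choice for the hardened copy


def directives(config: str) -> List[Tuple[str, List[str]]]:
    """Minimal reader: one `name args...;` per line, comments stripped, braces ignored."""
    out = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def audit_ssl(config: str) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    seen_protocols = False
    for name, args in directives(config):
        if name == "ssl" and args == ["on"]:
            findings.append('"ssl on" is redundant with "listen 443 ssl" and is rejected by later nginx releases')
        elif name == "ssl_protocols":
            seen_protocols = True
            weak = [a for a in args if a.lower() in WEAK_PROTOCOLS]
            if weak:
                findings.append("ssl_protocols enables weak protocols: " + " ".join(weak))
    if not seen_protocols:
        findings.append("ssl_protocols not set; the compiled-in default decides what is offered")
    return findings


def harden(config: str) -> str:
    """Copy of the config with `ssl on;` removed and ssl_protocols replaced."""
    lines = []
    for raw in config.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if stripped == "ssl on;":
            continue
        if stripped.startswith("ssl_protocols "):
            indent = raw[: len(raw) - len(raw.lstrip())]
            lines.append(f"{indent}ssl_protocols {HARDENED_PROTOCOLS};")
            continue
        lines.append(raw)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_ssl(SAMPLE_CONFIG):
        print("finding:", finding)
    print(harden(SAMPLE_CONFIG))
```

After replacing the file, `nginx -t` and `nginx -s reload` as in the notes apply the change; the CA-issued certificate and key are untouched.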

19. ngx_http_rewrite_module: checks the URI requested by the client against the pattern described by a regex and then rewrites it;
Example 01
rewrite *.png --> *.jpg
[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf
server {
????????listen 80;
????????server_name www.hehe.com;
????????root /data/nginx/vhost1;
        rewrite /(.*)\.png$ /$1.jpg;
}
[root@node01 vhost1]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 vhost1]# nginx -s reload
Verify:


Example 02: rewrite http --> https
[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf
server {
????????listen 80;
????????server_name www.hehe.com;
????????root /data/nginx/vhost1;
        rewrite /(.*)$ https://www.hehe.com/$1;
}
[root@node01 vhost1]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 vhost1]# nginx -s reload
Verify:

Example 03: multiple rewrites
[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf
server {
????????listen 80;
????????server_name www.hehe.com;
????????root /data/nginx/vhost1;
        rewrite /(.*)\.png$ http://www.hehe.com/$1.jpg;
        rewrite /(.*)$ https://www.hehe.com/$1;
}
[root@node01 vhost1]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 vhost1]# nginx -s reload
Verify:

Example 04: rewrite with the redirect flag
[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf
server {
????????listen 80;
????????server_name www.hehe.com;
????????root /data/nginx/vhost1;
        rewrite /(.*)\.png$ /$1.jpg redirect;
}
[root@node01 vhost1]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 vhost1]# nginx -s reload
Verify:

Example 05: rewrite with the permanent flag
[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf
server {
????????listen 80;
????????server_name www.hehe.com;
????????root /data/nginx/vhost1;
        #rewrite /(.*)\.png$ /$1.jpg;
        #rewrite /(.*)\.png$ http://www.hehe.com/$1.jpg;
        #rewrite /(.*)$ https://www.hehe.com/$1;
        #rewrite /(.*).png$ /$1.jpg;
        #rewrite /(.*).png$ /$1.jpg redirect;
        rewrite /(.*)\.png$ /$1.jpg permanent;
}
[root@node01 vhost1]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node01 vhost1]# nginx -s reload
Verify:
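Examples 01 to 05 differ only in replacement string and flag, and the outcome depends on rules that are easy to forget: rules run top to bottom, a replacement starting with http://, https:// or $scheme ends processing with a 302 regardless of flags, `redirect` forces a 302 and `permanent` a 301, and the unanchored `/(.*)$` of example 02 matches every URI. The simulator below is an added example, not part of the original notes, and models exactly those rules for server-level rewrites; relative redirect targets are returned as written (nginx itself builds an absolute Location when absolute_redirect is on, its default). The rule sets are the five from the notes; the URIs are constructed.

```python
"""Simulate server-level nginx rewrite rules from examples 01-05."""

import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str, Optional[str]]  # (regex, replacement, flag)
KNOWN_FLAGS = (None, "last", "break", "redirect", "permanent")


def _expand(replacement: str, m: "re.Match") -> str:
    """Replace $1, $2, ... in the replacement with the capture groups."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", replacement)


def apply_rewrites(uri: str, rules: List[Rule]) -> Tuple[str, str]:
    """Return ("internal", new_uri) or ("301"/"302", location)."""
    for regex, replacement, flag in rules:
        if flag not in KNOWN_FLAGS:
            raise ValueError(f"unknown rewrite flag {flag!r}")
        m = re.search(regex, uri)  # rewrite regexes are not anchored unless they contain ^
        if not m:
            continue
        target = _expand(replacement, m)
        if flag == "permanent":
            return ("301", target)
        if flag == "redirect" or target.startswith(("http://", "https://", "$scheme")):
            return ("302", target)
        uri = target  # internal rewrite; later rules see the new URI
        if flag in ("last", "break"):
            break
    return ("internal", uri)


# Rule sets copied from the five examples in the notes.
EX01 = [(r"/(.*)\.png$", "/$1.jpg", None)]
EX02 = [(r"/(.*)$", "https://www.hehe.com/$1", None)]
EX03 = [(r"/(.*)\.png$", "http://www.hehe.com/$1.jpg", None),
        (r"/(.*)$", "https://www.hehe.com/$1", None)]
EX04 = [(r"/(.*)\.png$", "/$1.jpg", "redirect")]
EX05 = [(r"/(.*)\.png$", "/$1.jpg", "permanent")]

if __name__ == "__main__":
    for name, rules in (("01", EX01), ("02", EX02), ("03", EX03), ("04", EX04), ("05", EX05)):
        for uri in ("/a/b.png", "/index.html"):
            print(f"example {name}: {uri:12s} -> {apply_rewrites(uri, rules)}")
```

Running it shows why example 03 never reaches its second rule for .png requests (the first replacement is absolute, so the 302 is issued immediately) and why a rule like example 02 must live only in the port-80 server: the same rule in the https server would redirect to itself.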

20. ngx_http_referer_module:
         (1) valid_referers none | blocked | server_names | string ...;
                Defines the legitimate values of the Referer header;
                    none: the request has no Referer header;
                    blocked: the request has a Referer header but its value was stripped by a firewall or proxy, i.e. it does not start with http:// or https://;
                    server_names: the names listed in this server's server_name directive; they may be host names or host name patterns;
                    arbitrary_string: a literal string, in which * may be used as a wildcard;
                    regular expression: strings matched by the given regex; must start with ~, e.g. ~.*\.magedu\.com;
                Configuration example:
valid_referers none blocked server_names *.magedu.com *.mageedu.com magedu.* mageedu.* ~\.magedu\.;
                    if ($invalid_referer) {
                        return http://www.magedu.com/invalid.jpg;
                    }