nginx

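# 安装nginx
```sh
# Build nginx 1.19.0 from source into /usr/local/nginx, running workers as an
# unprivileged "www" account.
# PCRE gives regex support for locations; openssl-devel is required by
# --with-http_ssl_module (the original list omitted it).
yum install pcre-devel pcre openssl openssl-devel -y

# Fetch the source over HTTPS and verify the detached PGP signature before building.
# nginx.org publishes a .asc next to every tarball; import the signing key from
# https://nginx.org/en/pgp_keys.html first, otherwise gpg --verify cannot succeed.
cd /usr/src
wget -c https://nginx.org/download/nginx-1.19.0.tar.gz
wget -c https://nginx.org/download/nginx-1.19.0.tar.gz.asc
gpg --verify nginx-1.19.0.tar.gz.asc nginx-1.19.0.tar.gz || exit 1

# Unpack
tar -xzf nginx-1.19.0.tar.gz
cd nginx-1.19.0

# Rewrite the version/product strings so the Server header reads "JWS" instead of
# nginx/1.19.0. This is obscurity only (the binary still behaves like nginx and can
# be fingerprinted); it is no substitute for patching. Pair it with
# `server_tokens off;` in nginx.conf so error pages do not leak the version either.
sed -i -e 's/1.19.0//g' -e 's/nginx\//JWS/g' -e 's/"NGINX"/"JWS"/g' src/core/nginx.h

# Worker account: system account, no home directory, no login shell. Skip creation
# when it already exists (the original `useradd www ; ./configure` ran configure
# even if useradd failed).
id www >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin www
./configure --user=www --group=www --prefix=/usr/local/nginx --with-stream --with-http_stub_status_module --with-http_ssl_module

# Compile and install once configure succeeds
make && make install

# Put the binary on PATH
ln -s /usr/local/nginx/sbin/nginx /usr/bin/

# Validate the configuration; "syntax is ok" / "test is successful" means it loads
/usr/local/nginx/sbin/nginx -t

# Start (the original notes had the typo "ngin")
nginx
# Graceful reload: re-reads the config while in-flight requests keep being served
nginx -s reload
# Stop
nginx -s stop
```
# 生成自签证书
```sh
[root@dev-1 nginx]# pwd
/usr/local/nginx
[root@dev-1 nginx]# ls
client_body_temp  conf  fastcgi_temp  html  logs  proxy_temp  sbin  scgi_temp  uwsgi_temp
[root@dev-1 nginx]# mkdir ssl
[root@dev-1 nginx]# cd ssl/
[root@dev-1 ssl]# ls
# Keep the private key readable by root only. Depending on the OpenSSL version,
# genrsa may create the file with the process umask (i.e. world-readable), so set
# umask 077 first and/or chmod 600 the key afterwards.
[root@dev-1 ssl]# umask 077
[root@dev-1 ssl]# openssl genrsa -out example.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
.........................+++
e is 65537 (0x10001)
[root@dev-1 ssl]# chmod 600 example.key
[root@dev-1 ssl]# openssl req -new -key example.key -out example.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@dev-1 ssl]# openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Default Company Ltd
Getting Private key
# NOTE(review): the CSR above was made with an empty Common Name and no
# subjectAltName (see the subject= line: no CN at all), so the certificate names no
# host and can never validate against server_name example.com / www.example.com --
# every client will have to click through a warning, which trains users to ignore
# real MITM warnings. To get a self-signed cert that at least matches the host,
# generate key and cert in one step (-addext needs OpenSSL >= 1.1.1; on 1.0.x put
# the SAN in an openssl.cnf section and pass it with -extfile):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -keyout example.key -out example.crt \
#     -subj '/C=CN/ST=Beijing/L=Beijing/O=Default Company Ltd/CN=example.com' \
#     -addext 'subjectAltName=DNS:example.com,DNS:www.example.com'
#   chmod 600 example.key
```
# 修改配置文件
```nginx
[root@dev-1 conf]# cat nginx.conf
#user  nobody;
worker_processes  8;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # Hide the nginx version in the Server header and on error pages
    # (complements the version-string rewrite done at build time).
    server_tokens off;

    # TLS settings shared by both HTTPS listeners below. ssl_* directives are valid
    # in the http context and inherited by every server, and both servers used the
    # same cert and the same (duplicated) cipher list anyway.
    ssl_certificate      /usr/local/nginx/ssl/example.crt;
    ssl_certificate_key  /usr/local/nginx/ssl/example.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and, when the OpenSSL
    # nginx was linked against supports it, 1.3.
    ssl_protocols        TLSv1.2 TLSv1.3;
    # ECDHE-only AEAD suites: every suite gives forward secrecy. The previous list
    # ended in `AES:CAMELLIA:DES-CBC3-SHA` plus static-RSA `AES128-SHA`/`AES256-SHA`,
    # which re-enabled 3DES and non-PFS suites (`!DES` excludes single DES, not
    # 3DES). The DHE suites were dropped too: nginx >= 1.11 ships no built-in DH
    # parameters, so without an ssl_dhparam they were never negotiated. Suites the
    # linked OpenSSL does not know (CHACHA20 on 1.0.x) are simply skipped.
    ssl_ciphers          'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    # Session resumption cache so every request does not pay a full handshake
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    server {
        listen       8084 ssl;   # HTTPS port for ETL
        server_name  example.com www.example.com;

        location / {
            proxy_pass http://10.1.125.49:8088;   # change this: ETL address
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            # The upstream hop is plain HTTP; tell the app the client used HTTPS so
            # redirects and secure cookies are built correctly (if it honours this header).
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen       8083 ssl;   # HTTPS port for API
        server_name  example.com www.example.com;

        location / {
            proxy_pass http://10.1.125.49:8089;   # change this: API address
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```
# 检查配置重启
```sh
# Validate the configuration
[root@dev-1 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# Reload nginx
[root@dev-1 conf]# nginx -s reload
```
# 登录页面检查
```
api => https://localhost:8083/
etl => https://localhost:8084/
```
```sh
yum -y install openssl openssl-devel
# Fetch over HTTPS and verify the .asc signature, exactly as for the 1.19.0 build above.
wget https://nginx.org/download/nginx-1.14.0.tar.gz
wget https://nginx.org/download/nginx-1.14.0.tar.gz.asc
gpg --verify nginx-1.14.0.tar.gz.asc nginx-1.14.0.tar.gz || exit 1
tar -zxf nginx-1.14.0.tar.gz
cd nginx-1.14.0

# 3. Copy the vim syntax files that ship with the nginx source
mkdir ~/.vim
cp -r contrib/vim/* ~/.vim/

./configure --prefix=/home/Learn_Nginx/nginx/ --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --with-http_stub_status_module --with-stream --with-threads --with-file-aio
make && make install

# Check the install directory given by --prefix
#[root@chaogelinux nginx-1.14.0]# ls /home/Learn_Nginx/
#nginx  nginx-1.14.0  nginx-1.14.0.tar.gz

ln -s /home/Learn_Nginx/nginx/sbin/nginx /usr/bin/

# Put nginx on PATH for every login shell; keeping it in its own
# /etc/profile.d/nginx.sh file makes later maintenance easier
[root@chaogelinux ~]# cat /etc/profile.d/nginx.sh
export PATH=/home/Learn_Nginx/nginx/sbin:$PATH

# Go to the config directory
cd /home/Learn_Nginx/nginx/conf
# Quoted heredoc delimiter: nothing inside is expanded by the shell
cat > "$PWD/file-18080.conf" <<'EOF'
server {
    access_log /data02/nginx_logs/version_file_access.log;   # access log location
    listen 18080;          # file-server port, adjust to your environment
    charset utf-8;

    # autoindex publishes a browsable listing of everything under root to anyone who
    # can reach port 18080, with no authentication. Before exposing this beyond a
    # trusted network add an allow/deny list or auth_basic to this server, and keep
    # only files meant to be public under root.
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;

    location / {
        root /mnt/serverfile;   # directory holding the served files, adjust as needed
    }
}
EOF
# Include the custom file from nginx.conf (inside the http block):
#   include /home/Learn_Nginx/nginx/conf/file-*.conf;
mkdir -p /mnt/serverfile /data02/nginx_logs/
# Validate before reloading so a broken include does not take the running instance down
nginx -t && nginx -s reload
```
### nginx做负载均衡用到哪些模块
```
upstream 定义负载节点池。
location 模块 进行URL匹配。
proxy模块 发送请求给upstream定义的节点池。
```
### 负载均衡有哪些实现方式
```
硬件负载
HTTP重定向负载均衡
DNS负载均衡
反向代理负载均衡
IP层负载均衡
数据链路层负载均衡
```
![image.png](https://cos.easydoc.net/97954506/files/l1etxn09.png)
### nginx如何实现四层负载?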
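```
四层负载分为动态和静态负载
Nginx的四层静态负载均衡需要启用ngx_stream_core_module模块
默认情况下,ngx_stream_core_module是没有启用的,需要在安装Nginx时,添加--with-stream配置参数启用
配置HTTP负载均衡时,都是配置在http指令下,配置四层负载均衡,则是在stream指令下,结构如下所示.
```
```nginx
stream {
    upstream mysql_backend {
        server 192.168.175.100:3306 max_fails=2 fail_timeout=10s weight=1;
        least_conn;   # hand each new connection to the backend with the fewest active connections
    }

    server {
        # Listening port. TCP by default; for UDP write `listen 3307 udp;`.
        # This exposes MySQL to everything that can reach this host on 3307, and the
        # stream module adds no authentication of its own -- restrict sources with
        # allow/deny (ngx_stream_access_module) or bind to an internal address.
        listen 3307;

        # The comments in the original were shifted by one directive; they are
        # aligned with the directive they describe here.
        proxy_next_upstream on;           # on failure, retry the next backend
        proxy_next_upstream_timeout 0;    # total time allowed for those retries; 0 = no limit
        proxy_next_upstream_tries 0;      # number of backends to try; 0 = no limit
        proxy_connect_timeout 1s;         # timeout for establishing the backend connection (default 60s)
        proxy_timeout 1m;                 # idle timeout between two successive read/write
                                          # operations on the client or backend side; the
                                          # connection is closed when it expires (default 10m)

        # Rate limits in bytes per second; 0 = unlimited
        proxy_upload_rate 0;              # reading from the client
        proxy_download_rate 0;            # reading from the backend

        proxy_pass mysql_backend;         # upstream group
    }
}
```
```
使用Nginx的四层动态负载均衡有两种方案:使用商业版的Nginx和使用开源的nginx-stream-upsync-module模块。
注意:四层动态负载均衡可以使用nginx-stream-upsync-module模块,七层动态负载均衡可以使用nginx-upsync-module模块。
```
### 虚拟主机
```nginx
[root@hadoop103 captor_fast_index4]# cat /usr/local/nginx/conf/nginx.conf
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # WebSocket upgrade: forward "Connection: upgrade" only when the client actually
    # sent an Upgrade header, and "close" otherwise. The original sent
    # `Connection "upgrade"` on every request, including ordinary HTTP ones.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # All servers share port 3000 and are picked by the Host header. A request whose
    # Host matches none of them lands on the first server declared on the port
    # (localhost), which nginx treats as the default_server.
    # NOTE(review): everything here is plain HTTP on 3000 -- logins to jumpserver
    # (a bastion) and kubesphere (a cluster console) cross the network in clear.
    # Terminate TLS here (listen 3000 ssl + a cert) before exposing this beyond a
    # trusted network.
    server {
        listen       3000;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    server {
        listen       3000;
        server_name  grafana;
        access_log   logs/grafana.log;
        location / {
            proxy_pass http://172.24.61.103:30000;
            # CORS headers. NOTE(review): '*' lets any origin read (non-credentialed)
            # responses from this host; if cross-origin access is needed at all,
            # restrict it to the calling site's origin. add_header in a location is
            # applied to 2xx/3xx responses only unless `always` is appended.
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # WebSocket upgrade needs HTTP/1.1 on the upstream hop; nginx proxies
            # with HTTP/1.0 unless told otherwise.
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    server {
        listen       3000;
        server_name  jumpserver;
        access_log   logs/jumpserver.log;
        location / {
            proxy_pass http://127.0.0.1:30001;
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
        # Terminal websocket path: same upstream, upgrade headers required
        location /koko/ws/ {
            proxy_pass http://127.0.0.1:30001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host       $host;
        }
    }

    # The remaining servers pass no Host header (the upstream sees the proxy_pass
    # address); that is left unchanged so upstream behaviour does not shift, but the
    # client address is forwarded so upstream logs show real clients.
    server {
        listen       3000;
        server_name  kubesphere;
        access_log   logs/kubesphere.log;
        location / {
            proxy_pass http://127.0.0.1:30002;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen       3000;
        server_name  zabbix;
        access_log   logs/zabbix.log;
        location / {
            proxy_pass http://127.0.0.1:2188;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen       3000;
        server_name  etl;
        access_log   logs/etl.log;
        location / {
            proxy_pass http://172.24.48.39:8088;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen       3000;
        server_name  api;
        access_log   logs/api.log;
        location / {
            proxy_pass http://172.24.48.39:8089;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen       3000;
        server_name  prom;
        access_log   logs/prom.log;
        # NOTE(review): nothing in this server restricts access, so whatever listens
        # on 172.24.61.104:9090 (its HTTP API included) is reachable by anyone who can
        # send `Host: prom` to port 3000. Add auth_basic or an allow/deny list here
        # unless the backend enforces authentication itself.
        location / {
            proxy_pass http://172.24.61.104:9090;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```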