Detailed description of Nginx (upper) function overview, the introduction of common functional modules, installation and common optimization on CENTOS7

Source: Internet
Author: User
Tags: epoll, geoip, http authentication, image filter, imap, xslt, nginx server, flv file

Nginx is a high-performance web and reverse proxy server with a number of notable strengths:
As a web server: compared with Apache, Nginx uses fewer resources, supports more concurrent connections and is more efficient, which makes it particularly popular with virtual hosting providers. It is commonly quoted as being able to handle on the order of 50,000 concurrent connections.
As a load balancer: Nginx can serve Rails and PHP applications directly and can also act as an HTTP proxy for the services behind it. It is written in C, and both its system resource overhead and its CPU efficiency are far better than Perlbal's.
As a mail proxy: Nginx is also a very good mail proxy server (one of its earliest uses was as a mail proxy); Last.fm has described its successful experience with it.
Nginx is simple to install, its configuration file is concise (it can even embed Perl), and it has very few bugs. It starts quickly, can run for months without a restart, and its binary can be upgraded without interrupting service.
Why does Nginx have so many advantages? Let us start with the Nginx core. Like Apache, Nginx is built on an I/O multiplexing model, but on Linux it uses the more capable epoll interface as its event mechanism, as shown in the figure.

Nginx features overview
HTTP basic features:
Serving static files, index files and automatic directory indexing;
Accelerated reverse proxying (without caching), simple load balancing and fault tolerance;
FastCGI, with simple load balancing and fault tolerance;
Modular structure. Filters include gzipping, byte ranges, chunked responses and an SSI filter; in the SSI filter, multiple subrequests to the same proxy or FastCGI backend are processed concurrently;
SSL and TLS SNI support;
IMAP/POP3 proxy features:
Redirecting users to an IMAP/POP3 backend using an external HTTP authentication server;
Authenticating users with an external HTTP authentication server and redirecting the connection to an internal SMTP backend;
Authentication methods:
POP3: USER/PASS, APOP, AUTH LOGIN/PLAIN/CRAM-MD5;
IMAP: LOGIN;
SMTP: AUTH LOGIN/PLAIN/CRAM-MD5;
SSL support;
STARTTLS and STLS support in IMAP and POP3 modes;
Supported operating systems (this list dates from the original Nginx feature page; current releases run on far newer systems):
FreeBSD 3.x, 4.x, 5.x, 6.x i386; FreeBSD 5.x, 6.x amd64;
Linux 2.2, 2.4, 2.6 i386; Linux 2.6 amd64;
Solaris 8 i386; Solaris 9 i386 and sun4u; Solaris 10 i386;
MacOS X (10.4) PPC;
Architecture and scalability:
One master process and several worker processes. The workers are single-threaded and run without special privileges;
kqueue (FreeBSD 4.1+), epoll (Linux 2.6+), RT signals (Linux 2.2.19+), /dev/poll (Solaris 7 11/99+), select and poll support;
Support for the various kqueue features, including EV_CLEAR, EV_DISABLE (to temporarily disable an event), NOTE_LOWAT, EV_EOF, the number of available bytes and error codes;
sendfile (FreeBSD 3.1+), sendfile (Linux 2.2+), sendfile64 (Linux 2.4.21+) and sendfilev (Solaris 8 7/01+) support;
Accept filters (FreeBSD 4.1+) and TCP_DEFER_ACCEPT (Linux 2.4+) support;
10,000 inactive HTTP keep-alive connections take only about 2.5 MB of memory;
Minimal data copying;
Other HTTP features:
Name-based and IP-based virtual hosts;
A GET interface to memcached;
Keep-alive and pipelined connections;
Flexible and simple configuration;
Reconfiguration and online binary upgrade without interrupting client connections;
Customizable access logs, buffered log writing and fast log rotation;
Redirection of 4xx and 5xx error codes;
A rewrite module based on PCRE;
Access control based on client IP address and HTTP Basic authentication;
PUT, DELETE and MKCOL methods;
FLV (Flash video) streaming support;
Bandwidth limiting;

Introduction to common Nginx modules
Basic modules
HTTP Core module // the HTTP core module
HTTP Upstream module // provides a simple way to load-balance between backend servers, by round-robin or by client IP hash.
HTTP Access module // simple access control based on the client IP address.
HTTP Auth Basic module // lets you protect a site, or parts of it, with a user name and password using the HTTP Basic authentication scheme.
HTTP AutoIndex module // generates directory listings automatically. Leave it off on directories that were not meant to be browsed, since a listing exposes every file name in them.
Browser // creates variables whose values depend on the "User-Agent" request header.
Charset // adds the character encoding to the "Content-Type" response header.
Empty GIF // serves a 1x1 transparent GIF held in memory, which is very fast.
FastCGI // lets Nginx talk to FastCGI processes and pass parameters to them.
Geo // creates a variable whose value depends on the client IP address.
Gzip // compresses the output stream on the fly.
HTTP Headers module // sets headers on the HTTP response.
HTTP Index module // selects the index file served for a directory request (the index directive).
HTTP Referer module // blocks requests whose "Referer" header does not carry an expected value.
HTTP Limit Zone module // limits the number of concurrent connections per key, for example per client address (superseded by limit_conn_zone/limit_conn in later versions).
HTTP Limit Requests module // limits the request rate per key, for example per client address, which is the usual brake on brute-force and scraping traffic.
Log // access logging (access_log, log_format).
Map // maps one set of values onto another and stores the result in a variable.
Memcached // fetches responses from memcached for simple caching, which improves efficiency. The module was documented as planned for further extension.
HTTP Proxy module // passes requests on to other servers.
Rewrite // changes URIs with regular expressions, and can redirect or select configuration based on variables.
SSI module // processes Server Side Includes (SSI). Not all SSI commands are supported.
User ID // sets a cookie that identifies the client; the $uid_got and $uid_set variables can be written to the access log.

Other modules
HTTP Addition module // adds the response of another location before or after the current response.
Embedded Perl // runs Perl directly inside Nginx and calls Perl from SSI.
FLV // pseudo-streaming of FLV (Flash video) files from a byte offset given in the request. Must be built with --with-http_flv_module.
Gzip precompression // before compressing a file from disk, looks for a .gz file of the same name in the same directory and serves that instead, avoiding repeated compression of the same file. Build with ./configure --with-http_gzip_static_module.
Random Index // picks a random file from a directory as its index.
GeoIP // the ngx_http_geoip_module sets variables by matching the client IP address against MaxMind GeoIP binary databases. It appeared in Nginx 0.8.6 and needs the MaxMind GeoIP library and database files.
Real IP // replaces the client address with a value taken from a request header (for example X-Real-IP or X-Forwarded-For). It is useful when Nginx sits behind an L7 load balancer or proxy: connections then arrive from the proxy's address, and the proxy adds a header carrying the real client IP. Not built by default; enable with --with-http_realip_module. Only addresses listed in set_real_ip_from are trusted to supply that header; any client can send X-Forwarded-For itself, so trusting it from arbitrary sources lets an attacker choose the address that logs, access control and rate limits see.

SSL // provides HTTPS support.
Stub Status // reports the working state of Nginx since its last start (connection and request counters). Not a core module; build with --with-http_stub_status_module, and restrict the status location to trusted addresses since it reveals traffic details.
Substitution // finds and replaces text in the response body. Build with --with-http_sub_module.
WebDAV // adds the WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE. Not built by default; use ./configure --with-http_dav_module. Enable it only on locations that must accept uploads, behind authentication, since an open PUT lets anyone write files into the document root.
Google perftools // hooks into Google Performance Tools for profiling. It appeared in Nginx 0.6.29. It is not built by default; enable it with ./configure --with-google_perftools_module.
XSLT // a filter that transforms XML responses with one or more XSLT stylesheets. Enabled with ./configure --with-http_xslt_module.
Secure Link // computes and checks an authentication hash carried in request URLs, so that links can only be used by clients that know the secret, optionally until an expiry time. Not built by default; --with-http_secure_link_module must be given explicitly when compiling Nginx.
Image Filter // transforms JPEG, GIF and PNG images. Not enabled by default; pass --with-http_image_filter_module to ./configure when building Nginx.

Mail modules
Mail Core module // Nginx can handle and proxy the IMAP, POP3 and SMTP protocols.
Mail Auth module // auth_http sets the URL of the HTTP server used to authenticate users. auth_http_header adds a header and value to the authentication request, so that a shared secret can be used without appearing in Nginx's responses. auth_http_timeout sets the timeout of the authentication request.
Mail Proxy module // Nginx can proxy IMAP, POP3 and SMTP.
Mail SSL module // lets POP3/IMAP/SMTP use SSL/TLS. Its directives mirror those of the HTTP SSL module, but client certificate verification is not supported.

Manually compile and install Nginx (version 1.12.0)
-------- Install the dependency packages --------
yum -y install pcre-devel zlib-devel gcc gcc-c++

useradd -M -s /sbin/nologin nginx // create an unprivileged user, without a home directory or login shell, to run the Nginx worker processes

tar zxvf nginx-1.12.0.tar.gz -C /opt/

Before unpacking, make sure the tarball is the one nginx.org published: the download page provides PGP signatures (.asc files) that can be checked with gpg --verify. Compiling an unverified archive is a supply-chain risk.

-------- Compile --------
cd /opt/nginx-1.12.0/

./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module

make && make install

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
Script comments: --with-http_stub_status_module // builds the status statistics module. This minimal build has no --with-http_ssl_module; add it (and install openssl-devel) if the server is to serve HTTPS.

-------- Check, start, reload, stop --------
nginx -t // check the configuration syntax
nginx // start
killall -1 nginx // send SIGHUP: reload the configuration and gracefully replace the workers (the master process keeps running)
killall -3 nginx // send SIGQUIT: graceful stop

yum install elinks -y
elinks http://localhost
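The tar step above should only run once the archive has been checked against a digest or signature obtained from a trusted channel. The following shell function is an added example, not part of the original article or of Nginx itself; it does not contain Nginx's real checksums, and the expected digest is a parameter you supply (nginx.org publishes PGP signatures, which gpg --verify checks in the same spirit).

```shell
#!/bin/sh
# Added example: refuse to unpack a source tarball whose SHA-256 does not
# match a digest obtained out of band. EXPECTED_HEX is supplied by the
# caller; no real nginx checksum is embedded here.

# verify_sha256 FILE EXPECTED_HEX -> 0 when the digest matches,
# 1 on mismatch, 2 when the file is missing
verify_sha256() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"   # accept upper-case hex
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 2
    fi
    actual="$(sha256sum "$file" | cut -d ' ' -f 1)"     # GNU coreutils
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Typical use, with the digest stored in EXPECTED beforehand:
#   verify_sha256 nginx-1.12.0.tar.gz "$EXPECTED" && tar zxvf nginx-1.12.0.tar.gz -C /opt/
```

Because the function returns non-zero on any failure, chaining it with && in front of tar guarantees that a tampered or truncated download is never unpacked.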
-------- Production management: SysV-style control script --------
vi /etc/init.d/nginx
#!/bin/bash
#chkconfig: - 99 20
#description: Nginx Service Control Script
PROG="/usr/local/nginx/sbin/nginx"        # path to the nginx binary
PIDF="/usr/local/nginx/logs/nginx.pid"    # PID file of the master process
case "$1" in                              # $1 is the requested action (start, stop, restart, reload)
  start)
    $PROG
    ;;
  stop)
    kill -s QUIT $(cat $PIDF)             # SIGQUIT: graceful shutdown
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  reload)
    kill -s HUP $(cat $PIDF)              # SIGHUP: reload the configuration
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
esac
exit 0
chmod +x /etc/init.d/nginx
chkconfig --add nginx
chkconfig --level // (the runlevel and service name arguments are missing here)
systemctl start nginx
systemctl status nginx

Script comments: PROG and PIDF declare the nginx command path and the PID file; the case statement dispatches on $1 (start, stop, restart, reload). On CentOS 7 systemd wraps SysV scripts in /etc/init.d automatically, which is why systemctl can drive this one. Note that "restart" sends SIGQUIT and immediately starts a new master; if the old workers are still draining connections the new master may fail to bind its ports, so use "reload" for configuration changes and keep "restart" for cases a reload cannot handle.

Common optimization (1) Hide the version number: in production the Nginx version number should be hidden so that it is not leaked to clients; an exact version makes it easier for an attacker to pick exploits for published vulnerabilities. Hiding it does not replace patching.
(Local IP: 192.168.252.165)
1. First method: edit the configuration file
curl -I http://192.168.252.165/ // show the response headers
HTTP/1.1 200 OK
Server: nginx/1.12.0 // the version number 1.12.0 is exposed
Date: Fri, Oct 2018 14:37:17 GMT

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;    // add this line

systemctl reload nginx.service
curl -I http://192.168.252.165
HTTP/1.1 200 OK
Server: nginx // the version number is hidden
Date: Fri, Oct 2018 14:38:48 GMT

With server_tokens off, the Server header and the built-in error pages still say "nginx", only without the version. Hiding the product name as well requires the second method (or a third-party module).

2. Second method: modify the source before compiling
vim /opt/nginx-1.12.0/src/core/nginx.h // edit before running ./configure and make
#define NGINX_VERSION "1.12.0" // change this string; NGINX_VER, which is built from it, is what appears in the Server header and in error pages

Common optimization (2) Change the user and group: the Nginx worker processes run under a user and group, which determine what they may read when serving site files. The master process is started by root (it has to bind privileged ports and read the configuration and key files); the workers are created under the specified user and group. By default Nginx uses the nobody user and group, and this is normally changed to a dedicated account. Never run the workers as root.
1. First method: specify the account when compiling
./configure --prefix=/usr/local/nginx \
--user=nginx --group=nginx // user name and group name nginx
2. Second method: vim /usr/local/nginx/conf/nginx.conf
user nginx nginx; // first line of the file (main context)

Common optimization (3) Configure the page cache time: when Nginx returns web page data to a client, a cache time can be set so that later requests for the same content are served from the client's cache, avoiding repeated requests and speeding up access. Normally this is only set for static resources; dynamic pages are left without a cache time.
vim /usr/local/nginx/conf/nginx.conf
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  logs/host.access.log  main;
    location / {
        root   html;
        index  index.html index.htm;
    }
    location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
        root     html;
        expires  1d;
    }

Script comments:
location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
    root     html;
    expires  1d;
} // adds a one-day cache time for static image files: Nginx sends both an Expires header and Cache-Control: max-age=86400

Do not apply expires to pages that vary per user or contain session-specific data; an intermediate cache could otherwise serve one user's response to another.

Verification, once the cache time is in place:
cd /usr/local/nginx/html
cp /opt/game.jpg . // copy the picture file into the document root
vim index.html

<!DOCTYPE html>
<title>Welcome to nginx!</title>
<style>
body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
<body>
<img src="game.jpg" /> // add this line, referencing the copied picture

systemctl restart nginx.service

On a Windows client, load the page and inspect the image response with a packet capture tool; its headers should now include Expires and Cache-Control: max-age=86400.

Common optimization (4) Log rotation: as Nginx runs, its log keeps growing. Watching the log files is part of monitoring Nginx, and an oversized log file is a disaster for monitoring and very inconvenient for analysis and troubleshooting, so the log files have to be cut regularly.
vim /opt/fenge.sh // the rotation script, /opt/fenge.sh

#!/bin/bash
#Filename: fenge.sh
d=$(date -d "-1 day" "+%Y%m%d")                 # yesterday's date as YYYYMMDD (the log being rotated covers yesterday)
logs_path="/var/log/nginx"                      # directory that keeps the rotated logs
pid_path="/usr/local/nginx/logs/nginx.pid"      # PID file of the master process
[ -d "$logs_path" ] || mkdir -p "$logs_path"    # create the log directory if it does not exist
mv /usr/local/nginx/logs/access.log "$logs_path/test.com-access.log-$d"   # move and rename the current log file
kill -USR1 "$(cat "$pid_path")"                 # SIGUSR1 makes Nginx reopen its log files, creating a fresh access.log
find "$logs_path" -type f -name 'test.com-access.log-*' -mtime +30 -delete   # delete rotated logs older than 30 days

chmod +x /opt/fenge.sh

Script comments: do not write the cleanup as "find $logs_path -mtime +30 | xargs rm -rf": once the directory itself is older than 30 days that expression matches it too, and rm -rf then removes the whole log directory. Restricting the search to regular files with the rotated-log name pattern, and letting find delete them, avoids that and the quoting problems of xargs. The rotated files contain client addresses and request URIs, so keep /var/log/nginx readable by administrators only.

./fenge.sh
cd /var/log/nginx/
ls
test.com-access.log-20181006 // the log file split by date
cat /usr/local/nginx/logs/access.log // the original log file has been re-created
crontab -e // schedule the script as a recurring task
0 1 * * * /opt/fenge.sh // run the script every day at 01:00

Common optimization (5) Set connection timeouts: on a corporate website, to stop one client from holding a connection for a long time and wasting resources, the connection timeout parameters can be set to control how long a connection may be held.

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65 180;      // modify: the server closes idle keep-alive connections after 65s; 180s is the value advertised to the client
    client_header_timeout 80;       // add: how long to wait for the client to send the request header
    client_body_timeout 80;         // add: how long to wait between two successive reads of the request body

Script comments:
keepalive_timeout takes two values: the first is the server-side timeout, the second is only written into the "Keep-Alive: timeout=" response header, so when a client fetches a page the response header shows a timeout of 180s. client_header_timeout and client_body_timeout both default to 60s; the values above are longer than the defaults. These timeouts bound what a slow client can do, since every open connection occupies a worker connection slot, so for an internet-facing server shorter values (together with limit_conn) are the usual hardening; longer values only make sense for slow links or large uploads.

Common optimization (6) Change the number of processes: in a high-concurrency environment more Nginx worker processes are needed so that user requests are answered quickly and nothing blocks.
ps aux | grep nginx // view the running Nginx processes
root   50306  0.0  0.0  20544   620 ?  Ss  09:24  0:00  nginx: master process /usr/local/nginx/sbin/nginx   // one master process
nginx  50307  0.0  0.1  23072  1648 ?  S   09:24  0:00  nginx: worker process                              // one worker process
vim /usr/local/nginx/conf/nginx.conf

user nginx nginx;
worker_processes 2;    // modify

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  2048;    // modify
}

systemctl stop nginx.service
systemctl start nginx
ps aux | grep nginx
root   54705  0.0  0.0   20544   616 ?      Ss  13:17  0:00  nginx: master process /usr/local/nginx/sbin/nginx
nginx  54706  0.0  0.1   23472  1664 ?      S   13:17  0:00  nginx: worker process
nginx  54707  0.0  0.1   23472  1668 ?      S   13:17  0:00  nginx: worker process   // now two worker processes
root   54717  0.0  0.0  112720   980 pts/1  S+  13:17  0:00  grep --color=auto nginx

Set worker_processes in the Nginx configuration to the number of CPU cores, or in a high-concurrency setting to twice that number. A configuration reload (SIGHUP) is enough to apply the new worker count; a stop and start is not required. Since Nginx 1.3.8/1.2.5 "worker_processes auto;" selects the core count automatically. Do not determine the core count with grep -c "physical" /proc/cpuinfo: that counts the "physical id" line, which appears once per logical processor, so it merely returns the number of logical CPUs. Use nproc, or grep -c ^processor /proc/cpuinfo for the same figure. worker_connections is the maximum number of simultaneous connections per worker; the effective limit is also bounded by the worker's open-file limit (worker_rlimit_nofile or ulimit -n).

Common optimization (7) Configure page compression: the ngx_http_gzip_module compresses response content before it is sent to the client, saving the site's bandwidth and improving the user's experience.
vim /usr/local/nginx/conf/nginx.conf

    gzip  on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain text/html text/javascript;
    gzip_vary on;

Script comments:
gzip on; // enable compression
gzip_min_length 1k; // minimum response size to compress; responses smaller than 1k are sent uncompressed
gzip_buffers 4 16k; // request 4 buffers of 16k to hold the compressed stream; by default the buffer space equals the size of the original data
gzip_http_version 1.1; // minimum HTTP version of a request for which to compress; the default is 1.1
gzip_comp_level 2; // compression level: 1 is the fastest with the lowest ratio, 9 gives the highest ratio but is slowest; 2 is a reasonable trade-off
gzip_types text/plain text/html text/javascript; // MIME types to compress in addition to text/html, which is always compressed; listing text/html explicitly triggers a "duplicate MIME type" warning at startup
gzip_vary on; // add "Vary: Accept-Encoding" so that caches in front of the server keep the compressed and uncompressed variants apart

One caveat: do not compress responses that both reflect attacker-controlled input and contain secrets such as CSRF tokens or session identifiers over HTTPS; compression-ratio side channels (BREACH) allow such secrets to be recovered. Serving those pages uncompressed, or excluding their content types from gzip_types, removes the leak.

Common optimization (8) Configure hotlink protection: corporate web services generally need hotlink protection, so that other sites cannot embed the site's content, which causes economic losses and wastes bandwidth. Nginx's Referer checking is powerful and, by default, needs only a very simple configuration.
Source host: www.bt.com
Hotlinking host: www.test.com
On the Nginx server:
vim /usr/local/nginx/conf/nginx.conf
server {
    listen       80;
    server_name  localhost;
    ...........
Add the following:
    location ~* \.(jpg|gif|swf)$ {
        valid_referers none blocked *.bt.com bt.com;
        if ($invalid_referer) {
            rewrite ^/ http://www.bt.com/error.png;
        }
    }

Script comments:
~* \.(jpg|gif|swf)$: a case-insensitive regular expression matching files ending in .jpg, .gif or .swf.
valid_referers: the trusted sites whose pages may embed the images.
none: the request carries no Referer header, for example because the image URL was typed into the browser directly.
blocked: a Referer header is present, but its value was stripped by a proxy or firewall so that it does not start with http:// or https://.
The hosts that follow: Referer values whose host part matches, bt.com exactly or any subdomain via *.bt.com. The match is on the host name, not on a substring of the URL, so a Referer of http://bt.com.evil.example/ is not accepted.
The if statement: if the referring host is not in the valid_referers list, $invalid_referer is set to 1 and the action follows, here a rewrite to the error picture; "return 403;" is the cheaper alternative.

Two caveats. The Referer header is set by the client, so a scraper can simply forge it; this only stops casual embedding by browsers. And the error image is a .png, outside the protected extensions: if it were a .jpg or .gif, the redirected request, which still carries the foreign Referer, would be rejected again and the browser would loop.
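As an added example, not part of the original article or of Nginx, the following shell function models how the valid_referers line above is evaluated, so the rules can be tried on sample Referer values without a running server. Only the rule forms the article uses (none, blocked, a bare host and a *.host wildcard) are modelled; nginx's regex rule form is not, and the function names and sample values are this example's own.

```shell
#!/bin/sh
# Added example: a model of nginx's evaluation of
#   valid_referers none blocked *.bt.com bt.com;
# Assumption: only the rule forms listed above are modelled.

# referer_host REFERER -> prints the lower-cased host part of an http:// or
# https:// URL (no scheme, port, path or query); prints nothing otherwise.
referer_host() {
    ref="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    case "$ref" in
        http://*)  rest="${ref#http://}" ;;
        https://*) rest="${ref#https://}" ;;
        *)         printf ''; return 0 ;;
    esac
    host="${rest%%/*}"        # drop the path
    host="${host%%\?*}"       # drop a query string
    host="${host%%:*}"        # drop a port number
    printf '%s' "$host"
}

# referer_allowed REFERER -> 0 if nginx would accept the request,
# 1 if $invalid_referer would be set. Pass "" for a missing header.
referer_allowed() {
    # "none": no Referer header at all
    if [ -z "$1" ]; then
        return 0
    fi
    h="$(referer_host "$1")"
    # "blocked": a Referer is present, but a proxy or firewall mangled it so
    # that it no longer starts with http:// or https://
    if [ -z "$h" ]; then
        return 0
    fi
    # host rules: "bt.com" matches the bare domain, "*.bt.com" any subdomain
    case "$h" in
        bt.com|*.bt.com) return 0 ;;
    esac
    return 1
}

# Constructed sample values (not captured traffic):
#   referer_allowed ""                                 -> allowed (none)
#   referer_allowed "http://www.bt.com/gallery.html"   -> allowed
#   referer_allowed "http://www.test.com/steal.html"   -> rejected
#   referer_allowed "http://bt.com.test.com/"          -> rejected (host match, not substring)
```

The last sample is the one worth remembering: the hotlinking site cannot sneak past the check by putting the trusted domain somewhere inside its own host name, because the comparison is against the whole host, anchored at the right.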

Common optimization (9) Authorization-based access control
yum install httpd-tools.x86_64 -y
htpasswd -c /usr/local/nginx/passwd.db test // create the user authentication file with htpasswd; the user name is test. -c creates (and overwrites) the file, so omit it when adding further users
chown nginx /usr/local/nginx/passwd.db // make the nginx worker user the owner of passwd.db
chmod 400 /usr/local/nginx/passwd.db // read-only for the owner, no access for anyone else
vim /usr/local/nginx/conf/nginx.conf

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  logs/host.access.log  main;
    location / {
        auth_basic            "secret";                       // add: enable Basic authentication with this realm
        auth_basic_user_file  /usr/local/nginx/passwd.db;     // add: location of the user authentication file
        root   html;
        index  index.html index.htm;
    }

Script comments: Basic authentication sends the user name and password with every request, Base64-encoded but not encrypted, so it only protects anything when the site is served over HTTPS. Keep the password file outside the document root (here /usr/local/nginx/passwd.db is outside /usr/local/nginx/html); otherwise a request for its path would serve the hashes to anyone. htpasswd -c writes apr1 MD5 hashes by default; nginx also accepts the formats supported by the system crypt() as well as {SHA}, which is unsalted SHA-1 and should only be used for migration.

When a client now accesses the Nginx server it is asked to log in.
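As an added example, not part of the original article or of Nginx: a shell check that a password file is safe to point auth_basic_user_file at, namely that it lies outside the document root and is not readable by group or other. The function names, and the paths in the usage comment, are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check an auth_basic_user_file before enabling it.
# The file is unsafe if (a) it lies under the document root, where a request
# for its path could serve the hashes to anyone, or (b) group/other can read
# it. Function names and the usage paths are this example's own.

# abs_path PATH -> prints an absolute path without a trailing slash
abs_path() {
    p="$1"
    case "$p" in
        /*) ;;
        *)  p="$PWD/$p" ;;
    esac
    printf '%s' "${p%/}"
}

# auth_file_under_root FILE DOCROOT -> 0 if FILE is inside DOCROOT
auth_file_under_root() {
    f="$(abs_path "$1")"
    r="$(abs_path "$2")"
    case "$f" in
        "$r"/*) return 0 ;;       # quoted, so "$r" is matched literally, then "/..."
    esac
    return 1
}

# auth_file_world_readable FILE -> 0 if group or other have any permission bit
auth_file_world_readable() {
    perms="$(stat -c '%a' "$1")"            # GNU stat: octal mode, e.g. 644
    perms="$(printf '%03d' "$perms")"       # normalise "0" to "000"
    [ "$(printf '%s' "$perms" | tail -c 2)" != "00" ]
}

# check_auth_file FILE DOCROOT -> 0 when FILE is safe to use
check_auth_file() {
    if auth_file_under_root "$1" "$2"; then
        echo "unsafe: $1 is inside the document root $2" >&2
        return 1
    fi
    if auth_file_world_readable "$1"; then
        echo "unsafe: $1 is readable by group or other" >&2
        return 1
    fi
    return 0
}

# Usage, with the article's paths:
#   check_auth_file /usr/local/nginx/passwd.db /usr/local/nginx/html
```

The prefix comparison deliberately appends a slash to the document root, so a sibling directory such as /usr/local/nginx/htmlx is not mistaken for a subdirectory of /usr/local/nginx/html.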

Client-based access control
location / {
    deny  192.168.252.132;    // deny access from this IP address
    allow all;                // all other clients may access normally
}
Rules are evaluated in order and the first match decides, so writing "allow all;" before the deny would make the deny line dead. The address that is checked is $remote_addr, the address of the TCP connection; behind a load balancer that is the balancer's address unless the Real IP module is configured to take the client address from a header sent by a trusted proxy (set_real_ip_from), and that header must never be trusted from arbitrary clients.
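As an added example, not part of the original article or of Nginx, the following shell functions model the first-match evaluation of allow/deny rules, including CIDR prefixes, so that a rule list can be tested against sample addresses before it is deployed. It covers IPv4 only (an assumption of this example), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: first-match evaluation of nginx allow/deny rules.
# Rules are checked in configuration order; the first matching rule decides
# and, if none matches, access is allowed. IPv4 only (assumption).

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# ip4_match ADDR RULE -> 0 if ADDR is covered by RULE
# RULE is "all", "a.b.c.d" or "a.b.c.d/len"
ip4_match() {
    if [ "$2" = "all" ]; then
        return 0
    fi
    case "$2" in
        */*) net="${2%/*}"; len="${2#*/}" ;;
        *)   net="$2";      len=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# access_decision ADDR "deny 1.2.3.4" "allow 10.0.0.0/8" ... -> prints allow|deny
# Each remaining argument is one allow/deny directive, in configuration order.
access_decision() {
    addr="$1"
    shift
    for rule in "$@"; do
        verb="${rule%% *}"
        target="${rule#* }"
        if ip4_match "$addr" "$target"; then
            echo "$verb"
            return 0
        fi
    done
    echo allow        # no rule matched: nginx lets the request through
}

# Constructed sample checks for the article's rule pair:
#   access_decision 192.168.252.132 "deny 192.168.252.132" "allow all"   -> deny
#   access_decision 192.168.252.10  "deny 192.168.252.132" "allow all"   -> allow
#   access_decision 192.168.252.132 "allow all" "deny 192.168.252.132"   -> allow (deny is dead)
```

Run the decision against the address a request really arrives with: behind a load balancer that is the balancer's address unless the Real IP module has been configured with set_real_ip_from, which is the case where a mis-trusted forwarded header lets a client pick the address these rules see.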
The above covers the Nginx feature overview, the introduction to its common modules, installation on CentOS 7 and the common optimizations. The next part will cover the use of Nginx in a real production environment.
