Nginx stress testing, access methods, and encryption

Nginx is a high-performance HTTP and reverse proxy server and an IMAP/POP3/SMTP proxy server. Today, we will introduce nginx in many aspects, including pressure tests on nginx and http, nginx access methods, and nginx encrypted access.

1. Install nginx

1. disassemble and install

Tar-zxvf libevent-2.0.16-stable.tar.gz-C/usr/local/src

./Configure -- prefix =/usr/local/libevent

Make & make install

2. Process header files and library files

Library File Processing:

Edit/etc/ld. so. conf. d/libevent. conf as follows:

/Usr/local/libevent/lib

Header file processing:

Ln-s/usr/local/libevent/include/usr/include/libevent

3. To enable nginx to support pcre (perl Library), install a software package named pcre.

After checking, we found that some additional libraries have been installed, but some additional libraries are placed in a software package named pcre-devel to install the software package.

4. install and configure nginx

Groupadd-r nginx

Useradd-r-g nginx-s/sbin/nologin-M nginx (-M does not create any home directory)

Tar-zxvf nginx-1.0.11.tar.gz-C/usr/local/src

Cd/usr/local/src/nginx-1.0.11

./Configure \

-- Conf-path =/etc/nginx. conf \

-- Error-log-path =/var/log/nginx/error. log \

-- Http-log-path =/var/log/nginx/access. log \

-- Pid-path =/var/run/nginx. pid \

-- Lock-path =/var/lock/nginx. lock \

-- User = nginx \

-- Group = nginx \

With-http_ssl_module \

With-http_flv_module \

With-http_stub_status_module \

With-http_gzip_static_module \

-- Http-client-body-temp-path =/var/tmp/nginx/client /\

-- Http-proxy-temp-path =/var/tmp/nginx/proxy /\

-- Http-fastcgi-temp-path =/var/tmp/nginx/fcgi /\

-- With-pcre (obtain pcre Support)

Make & make install

5. Start nginx

Cd/usr/local/sbin

./Nginx-t (test syntax)

Create a directory and then perform the test.

Enable Service

Access Test

6. Configure environment variables. You can directly enter commands in other directories to enable the Service.

PATH = $ PATH:/usr/local/nginx/sbin

Ii. http Installation

1. Installation

Rpm-ivh/mnt/cdrom/Server/httpd-2.2.3-31.el5.i386.rpm

2. Enable the http service and generate access pages (it is best to use the same page access for comparison with nginx

Service httpd strart

3. Access

Iii. AB Pressure Measurement

There is a test tool for testing APACHE performance, that is, the test tool AB (APACHE benchmark) that comes with apache. It is under the bin directory of APACHE.
Format:./AB [options] [http: //] hostname [: port]/path
Parameters:
-N requests Number of requests to perform
// The number of requests executed in the test session. By default, only one request is executed.
-C concurrency Number of multiple requests to make
// The number of requests generated at a time. By default

1. http test:

Test 1:

Test 2:

2. nginx Testing

Disable http and enable nginx

Test 1:

Test 2:

It can be found that http fails when receiving too many requests, but nginx performs better when receiving more requests than http, but the only bad thing is that nginx is unstable.

Iv. Access methods

1. Virtual Host (IP address-Based Access)

1) We need to access the technical department site and the main site respectively.

Ifconfig eth0: 0 192.168.2.101 (address for accessing the technical department site)

2) create a directory and webpage for the Technical Department Site

Mkdir/usr/local/nginx/tec

Cd/usr/local/nginx/tec

Echo "welcome to tec"> index.html

3) edit the configuration file

Vim/etc/nginx. conf

Copy and modify the server content to form the configuration of the tec site.

4) start the service and test the access

Test syntax

Restart service

Access the main site and technical site in sequence

2. Host header-Based Access

Modify configuration file

Disable an IP address and perform address resolution in the test environment

Ifconfig eth0: 0 down (disable the p address)

Edit the hosts file in the C: \ WINDOWS \ system32 \ drivers \ etc directory and add the following content

Restart the service to test access.

3. virtual directory

The access based on the virtual directory is finally implemented at http://www.abc.com/mail. the access is the abcdirectory under the installation directory.

Cd/usr/local/nginx/

Mkdir abc

Cd abc

Echo "mail"> index.html

Vim/etc/nginx. conf

Restart service

Access Error

The above error occurs because the path of the alias record is incorrect, such

Access again

V. Site Security

1. https

Https is an effective way to implement web security, as shown in:

The client accesses the web server through https. The server presents the certificate to the client. The client checks whether the certificate is valid, whether the authority is trusted, and whether the registrant's identity is unique with the request identity. After the certificate is verified, the client browser generates a random K value, encrypts the K value with the public key, and transmits it to the web server. Then, the server opens the K value for its private key. In this way, both the server and client have a K value, and both parties can use the K value to encrypt data for communication.

2. There is a good way to implement CA. Let's introduce it below:

When the CA and web server are not on the same machine, there are two methods:

1) Online Registration

The CA itself is also a web server (which can be implemented by a windows host). The web server accesses the CA through http and inputs requests to the CA for review, after the review is complete, place the certificate on ftp, and the server can download the certificate from the CA ftp.

2) CA is implemented in linux, and the linux system can be implemented through openca. However, this implementation is too complicated. We can replace it with simple openssl, however, the CA and web server of openssl are usually on the same machine. But we can also implement it if it is not on the same machine. First, complete the request on the web server, upload the request to the CA through the network, ask the CA to sign the request, and then put the certificate on ftp. Then, the web server can download the certificate.

3. Of course, besides CA and web server on different hosts, there are also CA and web server on the same host, the following describes how to establish a CA using openssl on the same host as CA and web server:

Edit configuration file

1) vim/etc/pki/tls/openssl. cnf

2)./create the directories and files required by the CA.

Cd/etc/pki/CA

Mkdir crl certs newcerts (three directories are respectively used to store the Certificate Revocation List, certificates, and new certificates)

Touch index.txt serial (database index file and serial number file respectively)

Echo "01"> serial (assign an initial value to the serial number file)

Generate CA's own private key and Certificate file

Chmod 600 private/cakey. pem (the private key must be kept strictly, so the permission to modify the private key file)

Generate Certificate file

3) if the web server wants to have a certificate, it must first have a request file, and the request file must first generate a private key.

Generate a directory to store the three files required by the web server

Mkdir-pv/usr/local/nginx/certs

Cd/usr/local/nginx/certs

Chmod 600 nginx. key

Generate Certificate file

4) combine the three files generated above

Vim/etc/nginx. conf

Copy and modify the https content of the file

Copy the above content and modify

Restart the service and view

./Nginx-s stop

./Nginx

It is found that both the http service port and the https service port are enabled.

4. Certificate Installation

1) Visit the Technical Department Site

If the site information is not encrypted, the client does not trust the authority. In other words, if the client trusts the authority, it will trust the certificate issued by the Authority.

2) Merge CA certificates and Service Certificates

Cd/usr/local/nginx/certs/

Cp/etc/pki/CA/cacert. pem ./

Back up server certificates

Mv nginx. cert nginx. cert. bak

Merge certificates

Cat nginx. cert. bak cacert. pem> nginx. cert

3) restart the service and visit the technical department site again.

Cd/usr/local/nginx/sbin/

./Nginx-s stop

./Nginx

Access again and check that the verification has been successfully implemented.

This article is from the "xiaoxiaozhou" blog, please be sure to keep this source http://xiaoxiaozhou.blog.51cto.com/4681537/1305217