Nginx stress testing, access methods, and encryption

Source: Internet
Author: User

Nginx is a high-performance HTTP and reverse proxy server, as well as an IMAP/POP3/SMTP proxy server. This article covers several aspects of nginx: stress tests of nginx and httpd, nginx access methods, and encrypted access to nginx.

I. Install nginx

1. Unpack and install libevent

tar -zxvf libevent-2.0.16-stable.tar.gz -C /usr/local/src

./configure --prefix=/usr/local/libevent

make && make install



2. Process header files and library files


Library File Processing:


Edit /etc/ld.so.conf.d/libevent.conf as follows:

/usr/local/libevent/lib

Header file processing:

ln -s /usr/local/libevent/include /usr/include/libevent


3. For nginx to support pcre (Perl library), the pcre software package must be installed.

Checking shows that the package is already installed, but some additional libraries are in a separate package named pcre-devel, so install that package as well.


4. Install and configure nginx

groupadd -r nginx

useradd -r -g nginx -s /sbin/nologin -M nginx (-M does not create a home directory)

tar -zxvf nginx-1.0.11.tar.gz -C /usr/local/src

cd /usr/local/src/nginx-1.0.11

./configure \
--conf-path=/etc/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/tmp/nginx/client/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy/ \
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
--with-pcre

(--with-pcre enables pcre support)

make && make install



5. Start nginx


cd /usr/local/sbin

./nginx -t (test syntax)



Create a directory and then perform the test.


Enable Service


Access Test



6. Configure the PATH environment variable so that the nginx command can be entered directly from other directories to start the service.

PATH=$PATH:/usr/local/nginx/sbin


II. http installation



1. Installation


rpm -ivh /mnt/cdrom/Server/httpd-2.2.3-31.el5.i386.rpm



2. Start the http service and create a test page (it is best to serve the same page as nginx, for comparison)

service httpd start


3. Access

III. AB stress test


Apache ships with a tool for testing its performance: ab (Apache Benchmark). It is in the bin directory of the Apache installation.
Format: ./ab [options] [http://]hostname[:port]/path
Parameters:
-n requests Number of requests to perform
// The number of requests executed in the test session. By default, only one request is executed.
-c concurrency Number of multiple requests to make
// The number of requests generated at a time. By default


1. http test:


Test 1:



Test 2:




2. nginx Testing


Stop httpd and start nginx



Test 1:



Test 2:


The tests show that httpd fails when it receives too many requests, while nginx handles a larger number of requests better than httpd; the one drawback is that nginx is unstable.

IV. Access methods


1. Virtual Host (IP address-Based Access)


1) We need to access the technical department site and the main site respectively.


ifconfig eth0:0 192.168.2.101 (address for accessing the technical department site)



2) Create a directory and web page for the technical department site

mkdir /usr/local/nginx/tec

cd /usr/local/nginx/tec

echo "welcome to tec" > index.html



3) Edit the configuration file

vim /etc/nginx.conf


Copy and modify the server content to form the configuration of the tec site.



4) Start the service and test access


Test syntax


Restart service


Access the main site and technical site in sequence





2. Host header-Based Access


Modify configuration file


Disable the extra IP address and set up name resolution in the test environment

ifconfig eth0:0 down (disable the IP address)

Edit the hosts file in the C:\WINDOWS\system32\drivers\etc directory and add the following content


Restart the service to test access.




3. virtual directory


With a virtual directory, the site is reached at http://www.abc.com/mail, and what is served is the abc directory under the installation directory.

cd /usr/local/nginx/

mkdir abc

cd abc

echo "mail" > index.html

vim /etc/nginx.conf


Restart service


Access Error


The above error occurs because the path of the alias record is incorrect, such


Access again


V. Site Security



1. https


HTTPS is an effective way to implement web security:

The client accesses the web server through https. The server presents its certificate to the client. The client checks whether the certificate is valid, whether the issuing authority is trusted, and whether the identity registered in the certificate matches the identity requested. After the certificate is verified, the client browser generates a random K value, encrypts it with the server's public key, and sends it to the web server. The server then decrypts the K value with its private key. Both the server and the client now hold the K value, and both parties use it to encrypt the data they exchange.
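
The K-value exchange described above, modeled with the openssl command line as an added example (not part of the original article, and not a TLS implementation). The file names, OAEP padding, AES-256-CBC and the sample message are assumptions made for the demo.

```shell
# Added example: client picks K, sends it encrypted to the server's public
# key, and both sides then use K for symmetric encryption.
k_exchange_demo() {
    W=$(mktemp -d) || return 1
    # Server: RSA key pair; the public half is what the certificate carries.
    openssl genrsa -out "$W/server.key" 2048 2>/dev/null || return 1
    openssl pkey -in "$W/server.key" -pubout -out "$W/server.pub" || return 1
    # Client: random 256-bit K, encrypted with the server's public key.
    openssl rand -hex 32 > "$W/k.client" || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$W/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$W/k.client" -out "$W/k.wire" || return 1
    # Server: recovers K with its private key.
    openssl pkeyutl -decrypt -inkey "$W/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$W/k.wire" -out "$W/k.server" || return 1
    # Both ends hold K: the client encrypts the message ($1) with it.
    iv=$(openssl rand -hex 16) || return 1
    printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(cat "$W/k.client")" \
        -iv "$iv" -out "$W/msg.wire" || return 1
    # What crossed the wire (k.wire) must not contain K in the clear.
    if grep -q "$(cat "$W/k.client")" "$W/k.wire"; then rm -rf "$W"; return 1; fi
    # Server decrypts with its recovered copy of K and prints the message.
    openssl enc -d -aes-256-cbc -K "$(cat "$W/k.server")" -iv "$iv" -in "$W/msg.wire"
    rc=$?
    rm -rf "$W"
    return $rc
}
```
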



2. There is a good way to implement CA. Let's introduce it below:


When the CA and web server are not on the same machine, there are two methods:



1) Online Registration


The CA itself is also a web server (which can be implemented on a Windows host). The web server accesses the CA through http and submits its request to the CA for review. After the review is complete, the CA places the certificate on ftp, and the server can download the certificate from the CA's ftp.



2) The CA is implemented on linux. On a linux system this can be done with openca, but that implementation is too complicated, so we can replace it with plain openssl. With openssl, the CA and the web server are usually on the same machine, but it also works when they are not: first create the request on the web server, upload the request to the CA over the network, ask the CA to sign it, and then have the certificate placed on ftp. The web server can then download the certificate.



3. Besides having the CA and the web server on different hosts, they can also be on the same host. The following describes how to set up a CA with openssl on the same host as the web server:


Edit configuration file


1) vim /etc/pki/tls/openssl.cnf



2) Create the directories and files required by the CA.


cd /etc/pki/CA

mkdir crl certs newcerts (the three directories store the certificate revocation list, certificates, and new certificates respectively)

touch index.txt serial (the database index file and the serial number file respectively)

echo "01" > serial (assign an initial value to the serial number file)

Generate the CA's own private key and certificate file

chmod 600 private/cakey.pem (the private key must be strictly protected, so restrict the permissions on the private key file)

Generate Certificate file



3) if the web server wants to have a certificate, it must first have a request file, and the request file must first generate a private key.


Generate a directory to store the three files required by the web server


mkdir -pv /usr/local/nginx/certs

cd /usr/local/nginx/certs

chmod 600 nginx.key



Generate Certificate file




4) combine the three files generated above

vim /etc/nginx.conf


Copy and modify the https content of the file


Copy the above content and modify


Restart the service and view


./nginx -s stop

./nginx


It is found that both the http service port and the https service port are enabled.
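
The CA and web-server steps above (private key, request file, signed certificate), run end to end in a scratch directory. This is an added example, not the original author's commands: the minimal ca.cnf stands in for /etc/pki/tls/openssl.cnf, and the subject names "Demo CA" and "tec.example.test" are assumptions.

```shell
# Added example, not from the original article. Builds a throwaway CA in a
# temp directory using the article's file names; ca.cnf and the subject
# names (Demo CA, tec.example.test) are constructed for the demo.
build_demo_ca() {
    CA=$(mktemp -d) || return 1
    mkdir -p "$CA/private" "$CA/crl" "$CA/certs" "$CA/newcerts" "$CA/web"
    touch "$CA/index.txt"
    echo "01" > "$CA/serial"
    cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
certificate = $CA/cacert.pem
private_key = $CA/private/cakey.pem
serial = $CA/serial
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_demo
[ policy_demo ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # CA: private key created with mode 600, then a self-signed certificate
    ( umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 ) 2>/dev/null || return 1
    openssl req -new -x509 -config "$CA/ca.cnf" -extensions v3_ca -days 3650 \
        -key "$CA/private/cakey.pem" -subj "/CN=Demo CA" -out "$CA/cacert.pem" || return 1
    # Web server: private key -> request file -> certificate signed by the CA
    ( umask 077; openssl genrsa -out "$CA/web/nginx.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -config "$CA/ca.cnf" -key "$CA/web/nginx.key" \
        -subj "/CN=tec.example.test" -out "$CA/web/nginx.csr" || return 1
    openssl ca -batch -notext -config "$CA/ca.cnf" -in "$CA/web/nginx.csr" \
        -out "$CA/web/nginx.cert" >/dev/null 2>&1 || return 1
    echo "$CA"
}

# Succeeds only if nginx.cert chains to cacert.pem and matches nginx.key.
check_demo_ca() {
    openssl verify -CAfile "$1/cacert.pem" "$1/web/nginx.cert" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$1/web/nginx.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$1/web/nginx.cert" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```

build_demo_ca prints the scratch directory it created; pass that path to check_demo_ca, and delete the directory afterwards.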



4. Certificate Installation


1) Visit the Technical Department Site





If the site information is not encrypted, the client does not trust the authority. In other words, if the client trusts the authority, it will trust the certificate issued by the Authority.



2) Merge CA certificates and Service Certificates


cd /usr/local/nginx/certs/

cp /etc/pki/CA/cacert.pem ./

Back up the server certificate

mv nginx.cert nginx.cert.bak

Merge certificates

cat nginx.cert.bak cacert.pem > nginx.cert



3) restart the service and visit the technical department site again.


cd /usr/local/nginx/sbin/

./nginx -s stop

./nginx







Access again and check that the verification has been successfully implemented.



This article is from the "xiaoxiaozhou" blog, please be sure to keep this source http://xiaoxiaozhou.blog.51cto.com/4681537/1305217

