Nginx Workflow Flowchart
For HTTP, the workflow is roughly as follows: a master process starts multiple workers; each worker generally uses epoll for network I/O to achieve high concurrency, and sendfile, AIO and other efficient mechanisms for file I/O, to serve an HTTP request and response.
For the I/O part, see: http://blog.51cto.com/marvin89/2115474
For the main script, see: http://blog.51cto.com/marvin89/2118341
Installation configuration file:
name: nginx
version: 1.14.0
download: http://nginx.org/download/nginx-{version}.tar.gz
cmds:
  - id nginx || useradd -r -m -s /sbin/nologin nginx
yum:
  - yum -y groupinstall "Development tools"
  - yum -y install pcre-devel openssl-devel zlib-devel
uncompress: tar xf nginx-{version}.tar.gz
uncompress_dir: nginx-{version}
compile: ./configure --prefix={source_path}/{name}{version}
  --conf-path={source_path}/{name}{version}/conf/nginx.conf
  --error-log-path=/var/log/nginx/error.log
  --http-log-path=/var/log/nginx/access.log
  --pid-path=/var/run/nginx.pid
  --lock-path=/var/run/nginx.lock
  --user=nginx --group=nginx
  --with-http_ssl_module --with-http_v2_module --with-http_dav_module
  --with-http_stub_status_module --with-threads --with-file-aio
  --with-http_gzip_static_module
  --add-module=./nginx-http-auth-digest-master && make && make install
depends:
  - name: nginx-http-auth-digest
    version: ''
    download: 'https://github.com/atomx/nginx-http-auth-digest/archive/master.zip -O nginx-http-auth-digest-master.zip'
    uncompress: unzip nginx-http-auth-digest-master.zip
    uncompress_dir: ''
    compile: ''
init:
  linkname: nginx
  cmds:
    - cat {source_path}/{name}{version}/conf/nginx.conf|egrep 'include conf\.d/\*\.conf' || sed -i '$s#}#\tinclude conf.d/*.conf;\n}#' {source_path}/{name}{version}/conf/nginx.conf
    - '[ -d {source_path}/{name}{version}/conf/conf.d ] || mkdir {source_path}/{name}{version}/conf/conf.d'
    - echo 'export PATH={link_path}/{name}/sbin:$PATH' > /etc/profile.d/nginx.sh
systemctl:
  path: /etc/systemd/system/mynginx.service
  content:
    Unit:
      Description: The Nginx Server
      After: network.target remote-fs.target nss-lookup.target
    Service:
      Type: forking
      PIDFile: '/var/run/nginx.pid'
      ExecStart: '{link_path}/{name}/sbin/nginx'
      ExecReload: '{link_path}/{name}/sbin/nginx -s reload'
      ExecStop: '{link_path}/{name}/sbin/nginx -s stop'
      PrivateTmp: true
    Install:
      WantedBy: multi-user.target
HTTP Configuration Entry Description
1. CPU binding
Scenario for binding CPUs: the server mainly runs the Nginx service; otherwise binding will affect the performance of other services.
Before binding
[[email protected] test]# watch -n0.5 'ps axo comm,pid,ppid,psr|grep nginx'
Every 0.5s: ps axo comm,pid,ppid,psr|grep nginx    Sun May 27 19:35:10 2018
nginx 5047 1 0
nginx 5048 5047 1
nginx 5049 5047 0
nginx 5050 5047 2
You can see that the nginx processes keep switching between CPUs.
Bind CPU
worker_processes 3;
worker_cpu_affinity auto;
#worker_cpu_affinity 0001 0010 0100 1000;
# Bind CPUs.
# This optimization is fine if the server mainly runs nginx (if not, do not enable it); auto is enough.
# Binding by bitmask: with 8 CPUs the mask is 0000 0000, and each 0 corresponds to one CPU.
[[email protected] test]# watch -n0.5 'ps axo comm,pid,ppid,psr|grep nginx'
Every 0.5s: ps axo comm,pid,ppid,psr|grep nginx    Sun May 27 19:34:18 2018
nginx 4895 1 2
nginx 4896 4895 0
nginx 4897 4895 1
nginx 4898 4895 2
# The workers no longer switch CPUs; switching CPUs costs a lot of CPU overhead, as well as cache and the like.
2. Process Tuning
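worker_processes auto;          # more workers than CPU cores is pointless; check with lscpu; auto uses the maximum number
worker_rlimit_nofile number;    # number of CPUs * worker_connections; maximum number of open file descriptors
events {
    worker_connections 1024;    # number of requests a single process responds to
    use epoll;                  # network I/O multiplexing with epoll
    accept_mutex on | off;      # I personally recommend off
    # How new connection requests are handled: on means the workers take turns
    # handling new requests; off means every new request notifies all worker
    # processes, and the most capable one does the work.
}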
Adjust the priority level
Default
Configuration parameters
worker_priority -5;
3. HTTP Configuration settings
Fallback configuration for all servers; the same settings can also be configured separately in each server.
When both AIO and sendfile are enabled on Linux, AIO is used for files that are larger than or equal to the size specified in the directio directive, while sendfile is used for files of smaller sizes or when directio is disabled.
http {
    include mime.types;                     # MIME types
    default_type application/octet-stream;  # default type: octet stream
    # Log format definition
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    # $http_x_forwarded_for records the source address when the request is forwarded by a proxy server
    # Configured here as a fallback; it can also be left unset. If it is set, buffering must be
    # turned on, otherwise the many small writes consume too much I/O.
    access_log logs/access.log main buffer=4096;
    # Allowed in the http, server and location configuration sections
    sendfile on;        # efficient file transfer mode: data is sent directly from the kernel without passing through user space
    tcp_nopush on;      # in sendfile mode, whether the TCP_CORK option is enabled; a file is sent as one message,
                        # with the application-layer header sent once per file rather than separately
    aio on;
    #tcp_nodelay on | off
    # Whether the TCP_NODELAY option is enabled on keepalive connections; on keepalive connections
    # small packets may be batched and sent together, which saves bandwidth but affects the client.
    # tcp_nodelay on sends without waiting and improves the client experience. If connections are
    # not kept alive, this item does not apply.
    # http, server, location
    keepalive_timeout 65;       # 65s
    keepalive_requests 100;     # 100 resources
    # http, server, location
    # Size of data uploaded by the client (POST and so on). When the body exceeds this size it is
    # staged to disk at the location defined by the client_body_temp_path directive. A reasonable
    # value can be small: 16*1024 bytes, 5,461 Chinese characters.
    client_body_buffer_size 16k;
    client_max_body_size 20m;   # maximum POST size
    client_body_temp_path /dev/shm/nginx/body_temp/ 1 2;
    # The directory should be under /dev/shm, e.g. /dev/shm/nginx/body_temp/1/05/0000000051
    # 1: the first-level subdirectory is named with 1 hexadecimal digit: 0-f
    # 2: the second-level subdirectory is named with 2 hexadecimal digits: 00-ff
    # 2: the third-level subdirectory is named with 2 hexadecimal digits: 00-ff
    include conf.d/*.conf;
}
4. File IO optimization
Common configuration for file operation optimization:
aio on;
open_file_cache max=N;
Official configuration:
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
Everything else is left at its default value.
sendfile on;
    Reduces copying in the kernel; suitable for small files.
aio on | off | threads[=pool];
    Whether the AIO feature is enabled; threads reads local I/O with multiple threads.
directio size | off;
    Used for reading large files without going through the cache or buffer: enables the O_DIRECT flag on Linux hosts, and applies when the file is greater than or equal to the given size, for example directio 4m;
open_file_cache off;
open_file_cache max=N [inactive=time];
    Nginx can cache the following three kinds of information: (1) file descriptor, file size and last modified time; (2) open directory structure; (3) information about files that were not found or that there is no permission to access.
    max=N: upper limit on the number of cache entries; when the limit is reached, the LRU algorithm is used to manage the cache.
    inactive=time: inactive duration of a cache entry; an entry that has not been hit within this time, or whose hits are fewer than the number specified by the open_file_cache_min_uses directive, is an inactive item.
open_file_cache_valid time;
    How often the validity of cache entries is checked; the default is 60s.
open_file_cache_min_uses number;
    Within the time given by the inactive parameter of the open_file_cache directive, the minimum number of hits for an entry to be classed as an active item.
open_file_cache_errors on | off;
    Whether to cache information about errors that occur while looking up files.
5. Authentication
Plaintext
[[email protected] conf]# htpasswd -c -m .ngxpasswd tom
[[email protected] conf]# htpasswd -m .ngxpasswd jack
location ^~ /admin/ {
    auth_basic "admin area";
    auth_basic_user_file .ngxpasswd;    # same directory level as nginx.conf
}
Ciphertext
https://www.nginx.com/resources/wiki/modules/auth_digest/
[[email protected] conf]# htdigest -c .passwd_digest 'digest' tom
[[email protected] conf]# htdigest .passwd_digest 'digest' jack
location ^~ /admins/ {
    auth_digest "digest";
    auth_digest_user_file .passwd_digest;
}
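What the "Plaintext" and "Ciphertext" labels above mean on the wire and on disk, as an added Python sketch (not code from the original post or from either nginx module). It assumes the digest exchange follows RFC 2617 with qop=auth; all user names, passwords and nonces are constructed sample values.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization value a client sends to an auth_basic location."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def recover_basic(header):
    """Anyone who can read the header gets (user, password) back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def htdigest_line(user, realm, password):
    """One line of the file written by htdigest: user:realm:HA1."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response: a hash bound to nonce, method and URI."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_check(file_line, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1, not from the password."""
    ha1 = file_line.rsplit(":", 1)[1]
    return digest_response(ha1, method, uri, nonce, nc, cnonce) == response


if __name__ == "__main__":
    hdr = basic_header("tom", "sample-password")   # constructed credentials
    print(hdr, "->", recover_basic(hdr))
    print(htdigest_line("tom", "digest", "sample-password"))
```

The basic header decodes straight back to the password, so auth_basic belongs behind TLS. The digest file never holds the password, but its HA1 column is enough to compute valid responses for that realm, so .passwd_digest needs the same file permissions as a password file.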
6. HTTP status
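location ^~ /basic_status/ {
    stub_status;
}
Active connections: 4
server accepts handled requests
 25825 25825 25885
Reading: 0 Writing: 1 Waiting: 3
Active connections: number of connections in the active state;
accepts: total number of client requests that have been accepted;
handled: total number of client requests that have been handled;
requests: total number of requests sent by clients;
Reading: number of connections on which the client request header is being read;
Writing: number of connections on which a response is being sent to the client;
Waiting: number of idle connections waiting for the client to send a request;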
7. Location Priority
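~: regular-expression match against the URI, case-sensitive;
~*: regular-expression match against the URI, case-insensitive;
^~: match check on the left part of the URI, case-insensitive;
No symbol: matches all URLs that start with this URI;
Matching priority: =, ^~, ~/~*, no symbol;
1 =: exact match against the URI
location = / {
    [ configuration A ]
}
2 ^~: match check on the left part of the URI, case-insensitive;
location ^~ /images/ {
    [ configuration D ]
}
2 ~*: regular-expression match against the URI, case-insensitive;
location ~* \.(gif|jpg|jpeg)$ {
    [ configuration E ]
}
3 No symbol: matches all URLs that start with this URI; among locations without a symbol, the longer the prefix, the higher the priority
location /images/ {
    # root and alias are alternatives; only one of them can be set in a location.
    #root /webapps/app1/data/;
    # root: the file is looked up under the root /webapps/app1/data/
    # alias: the matched path /images/ is aliased to the path /webapps/app1/data/
    # http://www.test.develop/images/a.jpg matches /images/ (note the trailing /), leaving a.jpg;
    # /webapps/app1/data/ must end with /, giving /webapps/app1/data/a.jpg
    # If the match is /images, /a.jpg is left: /webapps/app1/data[/]/a.jpg
    alias /webapps/app1/data/;
}
location / {
    [ configuration B ]
}
Priority from high to low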
8. Log
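access_log path [format [buffer=size] [gzip[=level]] [flush=time] [if=condition]];
access_log /www/data/nginx/logs/test.log main buffer=2048;    # the default is to write immediately; this must be set
access_log off;
access_log path;    # each server can enable a log of its own
location ^~ /basic_status/ {
    stub_status;
    access_log off;    # requests to some addresses should not be logged
}
open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time];
open_log_file_cache off;
Caches metadata about the log files;
max: maximum number of cached file descriptors;
min_uses: an entry must be accessed at least this many times within the time given by inactive to be treated as an active item;
inactive: inactive duration;
valid: interval at which each cache entry is checked for being an active item;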
9. Compression
Configure compression
gzip on;
gzip_comp_level 6;
gzip_min_length 64;
gzip_proxied any;
gzip_types text/xml text/css application/javascript;
After compression, the response is sent with chunked transfer.
10. Rewrite
The rewrite rules inside a location are applied in a loop, equivalent to the following loop:
last = continue
break = break
while True:
    rewrite /(.*)\.png$ /$1.jpg break;
    rewrite /(.*)\.jpg$ /$1.png break;
Infinite loop
location ~* \.(jpg|png)$ {
    rewrite /(.*)\.png$ /$1.jpg;
    rewrite /(.*)\.jpg$ /$1.png;
    root /www/data/nginx/test;
    allow all;
}
break: stop rewrite matching
location ~* \.(jpg|png)$ {
    rewrite /(.*)\.png$ /$1.jpg break;
    rewrite /(.*)\.jpg$ /$1.png break;
    root /www/data/nginx/test;
    allow all;
}
last and break are handled entirely inside Nginx; the client does not notice them.
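The loop behaviour of the two locations above, as an added Python simulation (not from the original post, and not nginx's own code). It models a configuration containing only that one regex location; nginx's $1 is written \1 because the sketch uses Python's re module, and the 404 branch is a constructed stand-in for "no location in this sketch matches".

```python
import re

MAX_URI_CHANGES = 10  # nginx repeats the location search at most 10 times

# The page's two rewrite rules: without a flag, with break, with last.
NO_FLAG = [(r"/(.*)\.png$", r"/\1.jpg", ""), (r"/(.*)\.jpg$", r"/\1.png", "")]
WITH_BREAK = [(rx, rep, "break") for rx, rep, _ in NO_FLAG]
WITH_LAST = [(rx, rep, "last") for rx, rep, _ in NO_FLAG]


def run_location(uri, rules):
    """One pass over the rewrite directives of a location.

    Returns (uri, action): "serve" means the request is handled in this
    location, "research" means nginx searches for a location again.
    """
    changed = False
    for regex, repl, flag in rules:
        if re.search(regex, uri):
            uri = re.sub(regex, repl, uri, count=1)
            changed = True
            if flag == "break":
                return uri, "serve"      # stop rewriting, stay in this location
            if flag == "last":
                return uri, "research"   # stop rewriting, search locations again
    return uri, ("research" if changed else "serve")


def handle(uri, rules, location=r"(?i)\.(jpg|png)$"):
    """Return (status, final_uri) for a request entering the regex location."""
    for _ in range(MAX_URI_CHANGES + 1):
        if not re.search(location, uri):
            return 404, uri              # constructed: no other location exists here
        uri, action = run_location(uri, rules)
        if action == "serve":
            return 200, uri
    return 500, uri                      # rewrite or internal redirection cycle


if __name__ == "__main__":
    for name, rules in (("no flag", NO_FLAG), ("break", WITH_BREAK),
                        ("last", WITH_LAST)):
        print(f"{name:8} /a.png -> {handle('/a.png', rules)}")
```

Without a flag, and with last, every pass sends the request back into the same location until the cycle limit produces a 500; only break ends the pass and serves the rewritten file.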
redirect returns the rewritten result to the client, implementing a 302 redirect
rewrite /(.*)\.png$ /$1.jpg redirect;
permanent: permanent redirection
rewrite /(.*)\.png$ /$1.jpg permanent;
11. Referer anti-hotlinking
location ~* \.(jpg|png)$ {
    valid_referers none blocked www.test.develop;
    if ($invalid_referer) {
        return 403;
    }
    rewrite /(.*)\.png$ http://www.test.develop/$1.jpg redirect;
    root /www/data/nginx/test;
    allow all;
}
none: the request header has no Referer field;
blocked: the Referer field of the request has no value;
server_names: parameter; its value can be a host name or a host name pattern;
arbitrary_string: a literal string, in which * can be used as a wildcard;
regular expression: a string matched by the specified regular expression pattern; it must start with ~, for example ~.*\.zander\.com;
Introduction to Linux nginx-http configuration