Nginx is a high-performance HTTP and reverse proxy server and an IMAP/POP3/SMTP proxy server. Today, we will introduce nginx in many aspects, including pressure tests on nginx and http, nginx access methods, and nginx encrypted access.
I. Install nginx
1. Unpack and install libevent
tar -zxvf libevent-2.0.16-stable.tar.gz -C /usr/local/src
./configure --prefix=/usr/local/libevent
make && make install
2. Process header files and library files
Library File Processing:
Edit /etc/ld.so.conf.d/libevent.conf as follows:
/usr/local/libevent/lib
Header file processing:
ln -s /usr/local/libevent/include /usr/include/libevent
3. To enable nginx to support pcre (perl Library), install a software package named pcre.
A check shows that some of the libraries are already installed, but the additional libraries are in a separate package named pcre-devel, so that package must be installed as well.
4. install and configure nginx
groupadd -r nginx
useradd -r -g nginx -s /sbin/nologin -M nginx (-M does not create any home directory)
tar -zxvf nginx-1.0.11.tar.gz -C /usr/local/src
cd /usr/local/src/nginx-1.0.11
./configure \
--conf-path=/etc/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/tmp/nginx/client/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy/ \
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
--with-pcre (enables pcre support)
make && make install
5. Start nginx
cd /usr/local/nginx/sbin
./nginx -t (test syntax)
Create a directory and then perform the test.
Enable Service
Access Test
6. Configure environment variables. You can directly enter commands in other directories to enable the Service.
PATH=$PATH:/usr/local/nginx/sbin
II. http Installation
1. Installation
rpm -ivh /mnt/cdrom/Server/httpd-2.2.3-31.el5.i386.rpm
2. Enable the http service and generate an access page (it is best to use the same page as for nginx, for comparison)
service httpd start
3. Access
III. AB Pressure Measurement
Apache ships with a tool for testing Apache performance: ab (Apache benchmark). It is in the bin directory of Apache.
Format: ./ab [options] [http://]hostname[:port]/path
Parameters:
-n requests Number of requests to perform
// The number of requests executed in the test session. By default, only one request is executed.
-c concurrency Number of multiple requests to make
// The number of requests generated at a time. By default
1. http test:
Test 1:
Test 2:
2. nginx Testing
Disable http and enable nginx
Test 1:
Test 2:
The tests show that http fails when it receives too many requests, while nginx performs better than http as the number of requests grows; the only drawback is that nginx is unstable.
IV. Access methods
1. Virtual Host (IP address-based access)
1) We need to access the technical department site and the main site respectively.
ifconfig eth0:0 192.168.2.101 (address for accessing the technical department site)
2) Create a directory and web page for the technical department site
mkdir /usr/local/nginx/tec
cd /usr/local/nginx/tec
echo "welcome to tec" > index.html
3) Edit the configuration file
vim /etc/nginx.conf
Copy and modify the server content to form the configuration of the tec site.
4) start the service and test the access
Test syntax
Restart service
Access the main site and technical site in sequence
2. Host header-Based Access
Modify configuration file
Disable an IP address and perform address resolution in the test environment
ifconfig eth0:0 down (disable the IP address)
Edit the hosts file in the C:\WINDOWS\system32\drivers\etc directory and add the following content
Restart the service to test access.
3. Virtual directory
Access based on a virtual directory is ultimately reached at http://www.abc.com/mail; what is served is the abc directory under the installation directory.
cd /usr/local/nginx/
mkdir abc
cd abc
echo "mail" > index.html
vim /etc/nginx.conf
Restart service
Access Error
The above error occurs because the path of the alias record is incorrect, such
Access again
V. Site Security
1. https
HTTPS is an effective way to implement web security. It works as follows:
The client accesses the web server over https, and the server presents its certificate to the client. The client checks whether the certificate is valid, whether the issuing authority is trusted, and whether the identity registered in the certificate matches the identity it requested. After the certificate is verified, the client browser generates a random value K, encrypts K with the public key, and sends it to the web server. The server then decrypts K with its private key. Both the server and the client now hold K, and both parties can use K to encrypt the data they exchange.
2. There are good ways to implement a CA. They are introduced below:
When the CA and web server are not on the same machine, there are two methods:
1) Online Registration
The CA itself is also a web server (which can be implemented by a windows host). The web server accesses the CA through http and submits its request to the CA for review. After the review is complete, the certificate is placed on ftp, and the server can download the certificate from the CA's ftp.
2) The CA is implemented on linux, where it can be built with openca. However, that implementation is too complicated, and it can be replaced with plain openssl. With openssl the CA and web server are usually on the same machine, but it also works when they are not. First, complete the request on the web server, upload the request to the CA through the network, ask the CA to sign the request, and then have the certificate put on ftp. The web server can then download the certificate.
3. Besides placing the CA and web server on different hosts, they can also be on the same host. The following describes how to establish a CA using openssl when the CA and web server are on the same host:
Edit configuration file
1) vim /etc/pki/tls/openssl.cnf
2) Create the directories and files required by the CA.
cd /etc/pki/CA
mkdir crl certs newcerts (three directories are respectively used to store the Certificate Revocation List, certificates, and new certificates)
touch index.txt serial (database index file and serial number file respectively)
echo "01" > serial (assign an initial value to the serial number file)
Generate CA's own private key and Certificate file
chmod 600 private/cakey.pem (the private key must be strictly protected, so restrict the permissions on the private key file)
Generate Certificate file
3) For the web server to have a certificate, it must first have a request file, and to produce the request file it must first generate a private key.
Create a directory to store the three files required by the web server
mkdir -pv /usr/local/nginx/certs
cd /usr/local/nginx/certs
chmod 600 nginx.key
Generate Certificate file
4) combine the three files generated above
vim /etc/nginx.conf
Copy and modify the https content of the file
Copy the above content and modify
Restart the service and view
./nginx -s stop
./nginx
It is found that both the http service port and the https service port are enabled.
4. Certificate Installation
1) Visit the Technical Department Site
If the site information is not encrypted, the client does not trust the authority. In other words, if the client trusts the authority, it will trust the certificate issued by the Authority.
2) Merge CA certificates and Service Certificates
cd /usr/local/nginx/certs/
cp /etc/pki/CA/cacert.pem ./
Back up server certificates
mv nginx.cert nginx.cert.bak
Merge certificates
cat nginx.cert.bak cacert.pem > nginx.cert
3) Restart the service and visit the technical department site again.
cd /usr/local/nginx/sbin/
./nginx -s stop
./nginx
Access again and check that the verification has been successfully implemented.
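The CA, request, signing and merge steps of parts 3 and 4 above, collected into one script as an added example (not the article's own commands). It works in a scratch directory instead of /etc/pki/CA and signs with openssl x509 -req rather than the openssl.cnf-driven CA database the article sets up; the CA name, key size and lifetimes are assumptions, and www.abc.com is the host name used earlier on this page.

```shell
#!/bin/sh
# Added example: scratch CA and server certificate (constructed names and values).
# File names follow the article; "Example Test CA", 2048 bits and 365 days are assumptions.

build_pki() (                      # $1 = empty scratch directory
    d=$1
    umask 077                      # keys are created owner-only, like chmod 600
    # CA: private key, then self-signed certificate
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 365 -subj "/CN=Example Test CA" &&
    # Web server: private key, then request file, then certificate signed by the CA
    openssl genrsa -out "$d/nginx.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/nginx.key" -out "$d/nginx.csr" \
        -subj "/CN=www.abc.com" &&
    openssl x509 -req -in "$d/nginx.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 365 \
        -out "$d/nginx.cert.bak" 2>/dev/null &&
    # Merged file for nginx: server certificate first, CA certificate second
    cat "$d/nginx.cert.bak" "$d/cacert.pem" > "$d/nginx.cert"
)

chain_ok() (                       # server certificate verifies against the CA?
    openssl verify -CAfile "$1/cacert.pem" "$1/nginx.cert.bak" >/dev/null 2>&1
)

key_matches_cert() (               # nginx.key belongs to the first cert in nginx.cert?
    k=$(openssl rsa -in "$1/nginx.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/nginx.cert" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
)

first_cert_is_server() (           # nginx reads the first certificate as the server's
    openssl x509 -in "$1/nginx.cert" -noout -subject | grep -q 'www\.abc\.com'
)
```

Running build_pki on a new directory and then the three checks confirms, before nginx is restarted, that the merged nginx.cert starts with the server certificate and pairs with nginx.key.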
This article is from the "xiaoxiaozhou" blog, please be sure to keep this source http://xiaoxiaozhou.blog.51cto.com/4681537/1305217