Project Practice: 1-LNMP construction, nginx reverse proxy and cache implementation

Source: Internet
Author: User
Tags openssl rsa website performance nginx reverse proxy

Practice 1: build LNMP and a commercial website such as Xiaomi

Environment: disable the firewall and SELinux

1. Install the packages and start the services

yum -y install nginx mariadb-server php-fpm php-mysql

systemctl start nginx

systemctl start mariadb

systemctl start php-fpm

2. Modify the nginx configuration file

(1) cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf  # overwrite the configuration file with the template example

vim /etc/nginx/nginx.conf  # modify the following items

① user nobody;  # user to run as
error_log /var/log/nginx/error.log info;  # error log

② events {
    worker_connections 65535;
}

③ tcp_nopush on;  # TCP optimization
tcp_nodelay on;
gzip on;

 

④ server {
    listen 80;
    server_name xiaomi.along.com;  # set your own
    root /data/web;  # root directory of the main site
    location / {
        index index.php index.html index.htm;
    }

⑤   location ~ \.php$ {  # enable PHP; the configuration file has an example, you only need to remove the comments and modify one line
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

 

 

(2) After modification, check the configuration with nginx -t.

systemctl restart nginx  # restart the service; a warning is reported

(3) ulimit -n: check the maximum number of open file descriptors in Linux. The default value is 1024. For a busy server this value is too small, so it is necessary to reset the maximum number of open file descriptors.

ulimit -n 65535  # modify the kernel parameter

3. Modify the configuration files of php-fpm

① vim /etc/php.ini  # change two lines

date.timezone = Asia/Shanghai  ; time zone

short_open_tag = On  ; allow short tags

vim /etc/php-fpm.d/www.conf  # change two lines

user = nobody

group = nobody

systemctl restart php-fpm

4. Run mysql and create the database required by the website

create database xiaomi;

5. Upload the previously obtained Xiaomi website source with rz

I have uploaded the Xiaomi website source code to the network disk http://pan.baidu.com/s/1kUUFp6B; message me privately if you need it.

mkdir /data/web -p

unzip -d /data/web/ xiaomi.zip  # unzip to the directory

cd /data/web/

chown -R nobody.nobody *  # for security, recursively change the owner and group of all files to nobody, which has limited permissions

6. Web page login

① User: admin

Password: 123456

② Parameter settings: connect to your own database

You can also set the database connection on the command line:

vim /data/web/data/config.php

③ Write the data to the database and restore the data

7. The experiment is successful; log in to view

Log in to the backend and modify it as needed.

http://192.168.30.107/admin

8. ab stress testing

ab -c 100 -n 1000 http://192.168.30.107/

 

Experiment 2: Implement SSL encryption

(1) One HTTPS site on one physical server

1. Create a directory for storing certificates

mkdir /etc/nginx/ssl

2. Create a self-signed certificate

cd /etc/pki/tls/certs/

make nginx.crt

openssl rsa -in nginx.key -out nginx2.key  # the private key was encrypted when it was generated; decrypt it for convenience

3. Copy the certificate and private key to the nginx certificate directory.

cp nginx.crt nginx2.key /etc/nginx/ssl/

cd /etc/nginx/ssl/

mv nginx2.key nginx.key  # change the name back

 

4. Modify the configuration file and add a server

server {
    listen 443 ssl;
    server_name www.along.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
}

 

5. Test. Open https://192.168.30.7/ in a web browser

Trust the certificate on Windows

(2) Because nginx is powerful, multiple virtual hosts can implement SSL encryption based on different FQDNs, which httpd cannot do

Multiple HTTPS sites on one physical server

1. Generate three certificates and private keys

make nginx.crt

make nginx2.crt

make nginx3.crt

2. Copy the certificates and private keys to the nginx certificate directory and remove the encryption from the private keys.

cp nginx{1,2,3}* /etc/nginx/ssl/

openssl rsa -in nginx.key -out nginx.key

openssl rsa -in nginx2.key -out nginx2.key

openssl rsa -in nginx3.key -out nginx3.key

3. Create the corresponding web pages

mkdir /app/website{1,2,3}

echo website1 > /app/website1/index.html

echo website2 > /app/website2/index.html

echo website3 > /app/website3/index.html

4. Access test: successful

Practice 3: implement identity authentication

1. Generate the password account file

cd /etc/nginx/conf.d

htpasswd -c -m .htpasswd http1

htpasswd -m .htpasswd http2

2. Modify the configuration file

vim /etc/nginx/nginx.conf  # point to the account password file in the location block

location /images {
    auth_basic "images site";  # prompt text
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
}

3. Check and verify: http://172.17.22.22/images/loading.gif

Experiment 4: Implementing reverse proxy load balancing and dynamic/static separation

1. Environment preparation:

Machine name   IP configuration       Service role           Remarks
Nginx          VIP: 172.17.11.11      Reverse proxy server   Enable proxy; set monitoring and scheduling
Rs01           RIP: 172.17.22.22      Backend server         Static-srv group
Rs02           RIP: 172.17.1.7        Backend server         Static-srv group
Rs01           RIP: 172.17.77.77      Backend server         Default-srv group
Rs02           RIP: 172.17.252.111    Backend server         Default-srv group

2. Download, compile, and install tengine

Reason: nginx's built-in monitoring mode can be used, but it is not easy to understand; tengine's monitoring mode is easy to set up and easy to understand. Tengine is a secondary development based on nginx and is similar to nginx.

(1) Download from the official website: http://tengine.taobao.org (Chinese is also supported)

tar xf tengine-2.1.1.tar.gz  # unpack

cd tengine-2.1.1

(2) Install the dependency packages

yum -y groupinstall "development tools"

yum install openssl-devel -y

yum install pcre-devel -y

(3) Compile and install

./configure --prefix=/usr/local/tengine  # specify the installation directory

make && make install

3. Set the configuration file of the proxy server

cd /usr/local/tengine/conf

cp nginx.conf /usr/local/tengine/conf/  # if nginx is available on the machine, you can copy its configuration file directly; if not, set it up yourself

vim nginx.conf  # I will not change the global and http sections; the defaults are fine

① Define upstream: backend server groups

# The upstream names must match the proxy_pass targets used in the server block.
upstream static-srv {
        server 172.17.22.22:80;
        server 172.17.1.7:80;
        check interval=3000 rise=2 fall=5 timeout=1000 type=http;
        check_http_send "HEAD / HTTP/1.0\r\n\r\n";
        check_http_expect_alive http_2xx http_3xx;
}
upstream default-srv {
        server 172.17.77.77:80;
        server 172.17.252.111:80;
        server 172.17.1.7:80;
        check interval=3000 rise=2 fall=5 timeout=1000 type=http;
        check_http_send "HEAD / HTTP/1.0\r\n\r\n";
        check_http_expect_alive http_2xx http_3xx;
}

 

 

② Set static/dynamic separation in the location blocks of the server section

server {
    listen 80;
    location /stats {  # set the monitoring status page
        check_status;
    }
    # Dots are escaped and the extensions grouped so that only the file suffix is matched.
    location ~* \.(jpg|png|gif|jpeg)$ {
        proxy_pass http://static-srv;
    }
    location ~* \.(css|js|html|xml)$ {
        proxy_pass http://static-srv;
    }
    location / {
        proxy_pass http://default-srv;
    }
}
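
How an extension-matching location regex like the ones in the server block above routes requests, with and without escaped dots and a grouped alternation. This is an added example, not code from the original page: grep -Ei stands in for nginx's case-insensitive `~*` match, and the sample URIs are constructed.

```shell
#!/bin/sh
# Added example: which upstream a URI reaches under two regex styles.
# "loose"  = unescaped dots, ungrouped alternation ($ binds to the last branch only)
# "strict" = escaped dot, grouped extensions, $ anchoring the whole group
# nginx matches locations against the URI path (no query string).

LOOSE_IMG='.jpg|.png|.gif|.jpeg$'
LOOSE_TXT='.css|.js|.html|.xml$'
STRICT_IMG='\.(jpg|png|gif|jpeg)$'
STRICT_TXT='\.(css|js|html|xml)$'

# route STYLE URI -> prints static-srv or default-srv
route() {
    style=$1 uri=$2
    if [ "$style" = loose ]; then img=$LOOSE_IMG txt=$LOOSE_TXT
    else img=$STRICT_IMG txt=$STRICT_TXT; fi
    # Regex locations are tried in configuration order; the first match wins.
    if printf '%s\n' "$uri" | grep -Eiq -- "$img"; then echo static-srv
    elif printf '%s\n' "$uri" | grep -Eiq -- "$txt"; then echo static-srv
    else echo default-srv; fi
}

# Constructed sample URIs (not taken from the page).
SAMPLES='/images/logo.png
/css/site.css
/index.php
/api/json/list.php
/user/pngs.php'

# Print the routing decision of both styles side by side.
compare() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r u; do
        printf '%-22s loose=%-12s strict=%s\n' \
            "$u" "$(route loose "$u")" "$(route strict "$u")"
    done
}
compare
```

With the loose patterns, the PHP URIs containing "/js" or "/png" are sent to the static group; the strict patterns send them to the default group.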

 

4. Start the tengine service

cd /usr/local/tengine/sbin/

./nginx  # start tengine

./nginx -s stop

5. Enable the backend web services

systemctl start nginx

systemctl start php-fpm

systemctl start mariadb

6. Test

(1) Test whether the reverse proxy works: http://172.17.11.11/  the web page is accessed successfully.

(2) Test the status page: http://172.17.11.11/stats

(3) Test static/dynamic separation

When the services in the static backend server group are stopped, static content is no longer found.

Experiment 5: nginx implements the cache function

Requirement analysis: why is a cache required?

The most fundamental purpose of caching is to improve website performance and reduce the pressure that frequent data access puts on the database. Reasonable caching also reduces CPU pressure during program operation. In modern computer architecture, operating on data in memory is N orders of magnitude faster than operating on data stored on the hard disk, and operating on data in a simple text structure is N orders of magnitude faster than operating on data in a database.

For example, each time a user accesses a website, the website title must be read from the database, and each read takes 15 milliseconds. If there are 100 users (simultaneous access is not considered for now) and each accesses the site 10 times per hour, the database must be read 1000 times, which takes 15000 milliseconds. If the page is served from the page cache instead, it does not need to be read from the database on every access, which greatly improves website performance.

1. Environment preparation: see the preceding experiment. The experiment structure is as follows:

2. Set the configuration file of the proxy server

① First define the cache in the http section

proxy_cache_path /data/cache levels=1:2:2 keys_zone=proxycache:10m inactive=120s max_size=1g;

Analysis: define a cache with its path under /data/cache; three directory levels, where level 1 is a random [0-f] value and levels 2 and 3 are random [00-ff] values; the cache is named proxycache and its size is 10 MB; the survival time is 120 s; the maximum disk space is 1 GB.

② Reference the cache in the server section

proxy_cache proxycache;  # reference the cache space defined above; the same cache space can be used in several places
proxy_cache_key $request_uri;  # perform the hash operation on the URI
proxy_cache_valid 200 302 1h;  # 1 hour
proxy_cache_valid any 1m;  # everything else is cached for 1 minute
add_header Along-Cache "$upstream_cache_status form $server_addr";  # add a header to the response showing the cache status and the server that returned it

3. Test: access http://172.17.11.11/. In F12 debug mode, you can see that the specified header exists.

The cache directory is also generated
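
Where a cached response lands on disk for a given proxy_cache_key, as an added example (not from the original page): nginx names the cache file after the MD5 of the key and takes the three directory levels described in the analysis above from the end of that hash. The host names come from the server_name lines earlier on the page; the request URI is constructed, and the key $scheme$host$request_uri is an assumed alternative for comparison, not a setting from the page.

```shell
#!/bin/sh
# Added example (not from the original page). Requires md5sum and cut.
CACHE_ROOT=/data/cache   # path given to proxy_cache_path on this page

# cache_path KEY -> on-disk file for that cache key.
# File name = MD5(key); the three directory levels (1, 2 and 2 hex characters)
# are read from the END of the hash, last character first.
cache_path() {
    h=$(printf '%s' "$1" | md5sum | cut -d' ' -f1)
    l1=$(printf '%s' "$h" | cut -c32)
    l2=$(printf '%s' "$h" | cut -c30-31)
    l3=$(printf '%s' "$h" | cut -c28-29)
    printf '%s/%s/%s/%s/%s\n' "$CACHE_ROOT" "$l1" "$l2" "$l3" "$h"
}

# Key builders take SCHEME HOST URI.
# proxy_cache_key $request_uri (the setting on this page)
key_uri_only() { printf '%s' "$3"; }
# proxy_cache_key $scheme$host$request_uri (assumed alternative)
key_with_host() { printf '%s%s%s' "$1" "$2" "$3"; }

# shared_entry KEYFUNC URI -> "shared" if two server names that reference the
# same keys_zone map URI to one cache file, "separate" otherwise.
shared_entry() {
    a=$(cache_path "$("$1" http xiaomi.along.com "$2")")
    b=$(cache_path "$("$1" http www.along.com "$2")")
    if [ "$a" = "$b" ]; then echo shared; else echo separate; fi
}

# Constructed request URI.
uri='/index.php?id=1'
echo "file: $(cache_path "$(key_uri_only http xiaomi.along.com "$uri")")"
echo "key \$request_uri:              $(shared_entry key_uri_only "$uri")"
echo "key \$scheme\$host\$request_uri: $(shared_entry key_with_host "$uri")"
```

The printed path is the file to inspect or delete when a single cached entry has to be checked or purged.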

 
