Configuring web services with nginx
I. The main configuration file nginx.conf
1. Syntax structure
# Global configuration (main context) goes here

# Configuration of the event-driven model (epoll)
events {
}

# Configuration related to the http service
http {
    # Each server block is one virtual host
    server {
        # A location matches client requests and gives different responses to different requests
        # ("/" and "/other/" are placeholder URIs in this sketch)
        location / {
            # one way of responding
        }
        location /other/ {
        }
    }
    server {
    }
}
2. Global configuration
2.1 Define the user the worker processes run as
Mind this user's permissions on the web files
user www;
2.2 Define the number of worker processes started
Recommended: equal to the number of CPUs, or twice that
worker_processes 8;
2.3 Define the error log
error_log logs/error.log error;
2.4 Define the pid file
pid logs/nginx.pid;
3. Configuration of the event-driven model
events {
    use epoll;                 # use the epoll model; on BSD systems specify kqueue instead
    worker_connections 2048;   # maximum number of client connections each worker process accepts
}
4. Common http configuration
4.1 Load a sub-configuration file
include mime.types;
mime.types: defines the media types for non-text data
4.2 Define the access log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
Variables:
$remote_addr: client address
$time_local: time of the request
$request: request method, requested resource, HTTP protocol version
$status: status code
$body_bytes_sent: size of the response body
$http_referer: the referring page (hyperlink address)
$http_user_agent: client operating system and browser type
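The following is an added example, not part of the original page: a POSIX shell script that reads access-log lines written in the "main" format above and summarises them with awk. The three log lines are constructed for the example (addresses, paths and the forwarded-for value are made up). It also shows one caveat the variable list does not state: $http_referer, $http_user_agent and $http_x_forwarded_for are copied from request headers the client sends, so they are attacker-controlled input and only $remote_addr is the address nginx actually saw.

```shell
#!/bin/sh
# Added example (not from the original page): summarise access-log lines written
# with the "main" log_format above. The three lines below are constructed for this
# example; addresses, paths and header values are made up.
SAMPLE_LOG='192.168.140.50 - - [29/May/2024:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
192.168.140.50 - - [29/May/2024:10:01:03 +0800] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.61.1" "-"
192.168.140.51 - - [29/May/2024:10:01:04 +0800] "POST /login HTTP/1.1" 500 0 "http://music.linux.com/" "Mozilla/5.0" "10.0.0.9"'

# Field positions when awk splits a "main" line on whitespace:
#   $1 remote_addr   $3 remote_user   $4,$5 time_local   $6 method   $7 URI
#   $8 protocol      $9 status        $10 body_bytes_sent
# $http_referer, $http_user_agent and $http_x_forwarded_for are quoted and may
# contain spaces, so they are taken from the quoted fields, not by field number.

# count_status_class N -> number of requests whose status code starts with N (4 -> 4xx)
count_status_class() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v c="$1" 'substr($9, 1, 1) == c { n++ } END { print n + 0 }'
}

# requests_from ADDR -> number of requests from one client address ($remote_addr)
requests_from() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v a="$1" '$1 == a { n++ } END { print n + 0 }'
}

# bytes_sent_total -> sum of $body_bytes_sent over all lines
bytes_sent_total() {
    printf '%s\n' "$SAMPLE_LOG" | awk '{ s += $10 } END { print s + 0 }'
}

# forwarded_for_lines -> "<remote_addr> forwarded-for: <value>" for every line whose
# $http_x_forwarded_for is not "-". The header is set by whoever sends the request,
# so treat the value as a claim, not as the client address, unless a trusted proxy
# in front of nginx is known to overwrite it.
forwarded_for_lines() {
    printf '%s\n' "$SAMPLE_LOG" | awk '{
        n = split($0, q, "\"")            # split on double quotes
        if (q[n-1] != "-") print $1, "forwarded-for:", q[n-1]   # last quoted field
    }'
}

# Stand-alone usage: print a small report
if [ "${1:-}" = "run" ]; then
    echo "2xx: $(count_status_class 2)  4xx: $(count_status_class 4)  5xx: $(count_status_class 5)"
    echo "bytes sent: $(bytes_sent_total)"
    forwarded_for_lines
fi
```

Run it as `sh summarise.sh run` to print the report. To use it on a real file, replace the `printf '%s\n' "$SAMPLE_LOG"` pipelines with `cat "$LOGFILE"`; field numbers hold as long as `$request` contains exactly three tokens, which is why a request line with embedded spaces should be parsed from the quoted field instead.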
4.3 Enable the sendfile mechanism
Zero copy: once the kernel has read the data, it is placed directly into the web process's memory space
sendfile on;
4.4 Keepalive (persistent connections)
A persistent connection carries several requests over one connection
keepalive_timeout 65;     # timeout for a persistent connection
keepalive_requests 1000;  # maximum number of requests per connection
4.5 Enable gzip compression
gzip on;
II. Virtual host configuration
1. Types of virtual host
Name-based virtual hosts
IP-based virtual hosts
2. Name-based virtual host configuration
2.1 Plan
music.linux.com, web directory: /music
2.2 Virtual host configuration file
[root@localhost ~]# cat /usr/local/nginx/conf.d/music.conf
server {
    listen 80;
    server_name music.linux.com;
    error_log /usr/local/nginx/logs/music_error.log error;
    access_log /usr/local/nginx/logs/music_access.log main;
    location / {
        root /music;
        index index.html;
    }
}
2.3 Loading it from the main configuration file
[root@localhost ~]# grep "include" /usr/local/nginx/conf/nginx.conf
include /usr/local/nginx/conf.d/music.conf;
3. IP-based virtual host configuration
3.1 Add the IP address
[root@localhost network-scripts]#
[root@localhost network-scripts]# ifconfig ens37
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.140.100 netmask 255.255.255.0 broadcast 192.168.140.255
inet6 fe80::20c:29ff:fecc:6b39 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:cc:6b:39 txqueuelen 1000 (Ethernet)
RX packets 8 bytes 1046 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21 bytes 2232 (2.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
3.2 Edit the virtual host configuration file
[root@localhost conf.d]# cat vedio.conf
server {
    listen 192.168.140.100:80;
    server_name vedio.linux.com;
    error_log /usr/local/nginx/logs/vedio_error.log error;
    access_log /usr/local/nginx/logs/vedio_access.log main;
    location / {
        root /vedio;
        index index.html;
    }
}
3.3 Load the configuration
[root@localhost ~]# grep "include" /usr/local/nginx/conf/nginx.conf
include /usr/local/nginx/conf.d/vedio.conf;
III. HTTPS virtual hosts
1. Ways to obtain a certificate
- For a service published on the Internet, apply to a legitimate CA (e.g. through a cloud platform)
- A private CA
2. Deploying a private CA
2.1 Create the CA database files
[root@ca ~]# touch /etc/pki/CA/index.txt
[root@ca ~]# echo 01 > /etc/pki/CA/serial
2.2 Create the key pair
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
..++++++
......................++++++
e is 65537 (0x10001)
[root@ca ~]#
2.3 Create the self-signed certificate
[root@ca ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:ca.linux.com
Email Address []:[email protected]
3. Deploying an HTTPS site
3.1 Applying for a certificate
3.1.1 Generate the key
[root@localhost ~]# mkdir /usr/local/nginx/ssl
[root@localhost ~]# cd /usr/local/nginx/ssl
[root@localhost ssl]#
[root@localhost ssl]# openssl genrsa -out secure.linux.com.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
.................++++++
e is 65537 (0x10001)
3.1.2 Create the certificate request
[root@localhost ssl]# openssl req -new -key secure.linux.com.key -out secure.linux.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:secure.linux.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.1.3 Send the certificate request to the CA; the CA issues the certificate
[root@localhost ssl]# scp secure.linux.com.csr [email protected]:/opt/
[root@ca ~]# openssl ca -in /opt/secure.linux.com.csr -out /etc/pki/CA/certs/secure.linux.com.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 29 01:32:46 2024 GMT
Not After : May 27 01:32:46 2034 GMT
Subject:
countryName = cn
stateOrProvinceName = bj
organizationName = bj
organizationalUnitName = bj
commonName = secure.linux.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0C:4C:B4:22:B7:1D:CD:AF:CC:52:AD:A0:2A:A4:01:AF:06:95:DE:C7
X509v3 Authority Key Identifier:
keyid:8A:02:83:30:43:E7:A4:FD:95:7C:10:17:24:C1:EC:85:B2:0C:AA:65
Certificate is to be certified until May 27 01:32:46 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]# scp /etc/pki/CA/certs/secure.linux.com.crt [email protected]:/usr/local/nginx/ssl
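The following is an added example, not part of the original page: the private-CA workflow of sections 2 and 3.1 (CA key pair, self-signed CA certificate, server key and CSR, CA-signed server certificate) as a re-runnable shell script that also verifies the result the way a browser would. It assumes openssl 1.1.1 or newer on PATH and a scratch directory passed as DIR; the host names ca.linux.com and secure.linux.com are the ones used on the page. It differs from the page in three deliberate ways: it signs with "openssl x509 -req" instead of "openssl ca", so it needs no /etc/pki/CA database; it uses 2048-bit RSA keys and SHA-256 rather than 1024-bit keys; and it puts a subjectAltName into the issued certificate, which hostname verification looks at (the page's "openssl ca" output shows no subjectAltName, only a commonName).

```shell
#!/bin/sh
# Added example (not from the original page): private CA -> CSR -> signed server
# certificate, then chain and hostname verification. Assumes openssl >= 1.1.1.
# All file names live under the scratch directory DIR given by the caller.
set -e

# make_ca DIR : CA key and self-signed CA certificate marked CA:TRUE (10 years)
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = cn
ST = bj
O  = bj
CN = ca.linux.com
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# make_leaf DIR NAME : server key + CSR, then a CA-signed certificate (1 year).
# The CSR carries only the DN; the extensions are supplied on the signing side,
# because the CA, not the requester, decides what it certifies.
make_leaf() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -subj "/C=cn/ST=bj/O=bj/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$name" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# verify_leaf DIR NAME : chain check against the CA plus hostname check
# (exit status 0 means both passed, which is what a browser needs)
verify_leaf() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/$2.crt" >/dev/null 2>&1
}

# san_count DIR NAME : how many times DNS:NAME appears in the issued certificate
san_count() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -c "DNS:$2"
}

# cert_is_ca DIR FILE : "yes" if the certificate asserts CA:TRUE, else "no"
cert_is_ca() {
    if openssl x509 -in "$1/$2" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Stand-alone usage: build everything in a temporary directory and report
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_ca "$d"
    make_leaf "$d" secure.linux.com
    verify_leaf "$d" secure.linux.com && echo "secure.linux.com: chain and hostname OK"
    echo "CA:TRUE on server cert? $(cert_is_ca "$d" secure.linux.com.crt)"
    echo "files in $d"
fi
```

Run it as `sh private-ca.sh run`. The produced secure.linux.com.crt and secure.linux.com.key are what ssl_certificate and ssl_certificate_key in the server block point at; cacert.pem is what clients must import as a trusted root, and cakey.pem should stay on the CA host only, as the page's split between the ca and localhost hosts already implies.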
3.2 Deploy the virtual host
[root@localhost ~]# cat /usr/local/nginx/conf.d/secure.conf
server {
    listen 443 ssl;
    server_name secure.linux.com;
    ssl_certificate /usr/local/nginx/ssl/secure.linux.com.crt;
    ssl_certificate_key /usr/local/nginx/ssl/secure.linux.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /secure;
        index index.html index.htm;
    }
}
[root@localhost ~]# netstat -tunlp | grep nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4176/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4176/nginx: master