nginx
# 安装nginx
```sh
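# Build and install nginx from source on a yum-based host (run as root).
# Install the PCRE library and headers nginx needs for regex locations/rewrites.
yum install pcre-devel pcre -y
# Fetch the nginx source tarball. Use HTTPS so the download cannot be altered in transit;
# nginx.org also publishes a detached .asc signature next to each tarball — verify it before building.
cd /usr/src
wget -c https://nginx.org/download/nginx-1.19.0.tar.gz
# Unpack the source tree.
tar -xzf nginx-1.19.0.tar.gz
# Enter the source tree and rewrite the version strings in nginx.h so the Server header
# reads "JWS" with no version (the version is otherwise disclosed on every response).
cd nginx-1.19.0 && sed -i -e 's/1.19.0//g' -e 's/nginx\//JWS/g' -e 's/"NGINX"/"JWS"/g' src/core/nginx.h
# Worker processes run as an unprivileged service account: system account, no login shell,
# created only if it does not exist yet so the step is repeatable.
id www >/dev/null 2>&1 || useradd -r -s /sbin/nologin www
# Configure the build (stream proxy, stub_status and TLS support enabled).
./configure --user=www --group=www --prefix=/usr/local/nginx --with-stream --with-http_stub_status_module --with-http_ssl_module
# Compile and install once ./configure has succeeded.
make && make install
# Put the binary on PATH.
ln -s /usr/local/nginx/sbin/nginx /usr/bin/
# Validate the configuration; expect "syntax is ok" and "test is successful".
/usr/local/nginx/sbin/nginx -t
# Start
nginx
# Graceful reload: re-reads the configuration without dropping connections
nginx -s reload
# Stop
nginx -s stop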
```
# 生成自签证书
```sh
# Create a 2048-bit RSA key and a self-signed certificate for the nginx TLS listeners configured later on this page.
[root@dev-1 nginx]# pwd
/usr/local/nginx
[root@dev-1 nginx]# ls
client_body_temp conf fastcgi_temp html logs proxy_temp sbin scgi_temp uwsgi_temp
[root@dev-1 nginx]# mkdir ssl
[root@dev-1 nginx]# cd ssl/
[root@dev-1 ssl]# ls
# example.key is the server's private key. This transcript leaves it with default permissions;
# restrict it (e.g. chmod 600) and keep it out of version control.
[root@dev-1 ssl]# openssl genrsa -out example.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
.........................+++
e is 65537 (0x10001)
# Common Name is left blank below, so the certificate carries no hostname (see the subject= line at the end)
# and will not match server_name example.com: clients get a hostname mismatch on top of the untrusted-issuer warning.
[root@dev-1 ssl]# openssl req -new -key example.key -out example.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Self-sign the CSR with its own key, valid 365 days. Suitable for testing only;
# production listeners should use a certificate issued by a CA the clients trust.
[root@dev-1 ssl]# openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Default Company Ltd
Getting Private key
```
# 修改配置文件
```
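[root@dev-1 conf]# cat nginx.conf
# TLS-terminating reverse proxy: two HTTPS listeners (8084 -> ETL, 8083 -> API) in front of plain-HTTP backends.
#user nobody;
worker_processes 8;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;

    # TLS settings shared by both listeners; set once here and inherited by every server {} below
    # (they were previously duplicated per server).
    # Self-signed certificate from the previous section: browsers warn until a CA-issued one replaces it.
    ssl_certificate /usr/local/nginx/ssl/example.crt;
    ssl_certificate_key /usr/local/nginx/ssl/example.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Same suite list as before minus the 3DES suite (DES-CBC3-SHA, 64-bit block cipher, SWEET32);
    # !3DES additionally excludes any other 3DES suite the aliases might pull in.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    server {
        listen 8084 ssl;  # ETL HTTPS port
        server_name example.com www.example.com;
        location / {
            proxy_pass http://10.1.125.49:8088;  # change this: ETL backend address
            # Forward the original host and client address so the backend can log/authorize on them.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    server {
        listen 8083 ssl;  # API HTTPS port
        server_name example.com www.example.com;
        location / {
            proxy_pass http://10.1.125.49:8089;  # change this: API backend address
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}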
```
# 检查配置重启
```
# Check that the configuration is syntactically valid before touching the running instance
[root@dev-1 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# Reload the running nginx so the new configuration takes effect (graceful reload, existing connections are kept)
[root@dev-1 conf]# nginx -s reload
```
# 登录页面检查
```
api => https://localhost:8083/
etl => https://localhost:8084/
```
```
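# Alternative build of nginx 1.14.0 into a custom prefix, plus a static file-server vhost (run as root).
yum -y install openssl openssl-devel
# Fetch over HTTPS; the URL previously had no scheme, so wget fell back to plain http.
wget https://nginx.org/download/nginx-1.14.0.tar.gz
tar -zxf nginx-1.14.0.tar.gz
cd nginx-1.14.0
# 3. Install the vim syntax files shipped with the nginx source (-p: do not fail if ~/.vim exists).
mkdir -p ~/.vim
cp -r contrib/vim/* ~/.vim/
./configure --prefix=/home/Learn_Nginx/nginx/ --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --with-http_stub_status_module --with-stream --with-threads --with-file-aio
make && make install
# Check the install prefix; expected listing:
#   ls /home/Learn_Nginx/
#   nginx nginx-1.14.0 nginx-1.14.0.tar.gz
ln -s /home/Learn_Nginx/nginx/sbin/nginx /usr/bin/
# Put sbin on PATH for every login shell via its own profile.d snippet (easier to maintain than editing /etc/profile).
# Single quotes keep $PATH literal so it is expanded at login time, not now.
printf '%s\n' 'export PATH=/home/Learn_Nginx/nginx/sbin:$PATH' > /etc/profile.d/nginx.sh
# Write the file-server vhost next to nginx.conf.
cd /home/Learn_Nginx/nginx/conf
# Quoted delimiter: the config is written literally, nothing inside is expanded by the shell.
# Note that autoindex on makes every file under the root directory browsable by anyone who can reach port 18080;
# keep it only for content that is meant to be public.
cat > file-18080.conf <<'EOF'
server {
access_log /data02/nginx_logs/version_file_access.log;#配置访问日志存放地址
listen 18080; #文件服务器端口根据实际配置
charset utf-8;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
location / {
root /mnt/serverfile;#文件服务器中存放文件的目录, 请根据实际配置
}
}
EOF
# Pull the custom vhost files into nginx.conf by adding the following line inside its http { } block:
#   include /home/Learn_Nginx/nginx/conf/file-*.conf;
mkdir -p /mnt/serverfile /data02/nginx_logs/
# Validate first so a broken include does not get loaded into the running instance.
nginx -t && nginx -s reload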
```
### nginx做负载均衡用到哪些模块
```
upstream 定义负载节点池。
location 模块 进行URL匹配。
proxy模块 发送请求给upstream定义的节点池。
```
### 负载均衡有哪些实现方式
```
硬件负载
HTTP重定向负载均衡
DNS负载均衡
反向代理负载均衡
IP层负载均衡
数据链路层负载均衡
```

### nginx如何实现四层负载?
```
四层负载分为动态和静态负载
Nginx的四层静态负载均衡需要启用ngx_stream_core_module模块
默认情况下,ngx_stream_core_module是没有启用的,需要在安装Nginx时,添加--with-stream配置参数启用
配置HTTP负载均衡时,都是配置在http指令下,配置四层负载均衡,则是在stream指令下,结构如下所示.
```
```config
# Layer-4 (TCP) load balancing: clients connect to 3307 and are proxied to the MySQL backend pool.
stream {
upstream mysql_backend {
server 192.168.175.100:3306 max_fails=2 fail_timeout=10s weight=1;
least_conn; # hand each new connection to the backend with the fewest active connections
}
server {
listen 3307; # listening port; TCP by default — for UDP use "listen 3307 udp;"
# NOTE(review): this exposes a database port through the proxy and nothing here restricts who may connect;
# pair it with allow/deny (ngx_stream_access_module) or a host firewall.
proxy_next_upstream on; # on failure, retry the connection against another backend
proxy_next_upstream_timeout 0; # total time allowed for those retries; 0 = unlimited
proxy_next_upstream_tries 0; # maximum number of backends tried for one client connection; 0 = unlimited
proxy_connect_timeout 1s; # timeout for establishing the connection to the upstream server (default 60s)
proxy_timeout 1m; # idle timeout between two successive read/write operations on the client or upstream connection (default 10m); frees inactive connections
# rate limits
proxy_upload_rate 0; # rate at which data is read from the client, bytes/second; 0 = unlimited
proxy_download_rate 0; # rate at which data is read from the upstream server, bytes/second; 0 = unlimited
proxy_pass mysql_backend; # upstream group defined above
}
}
```
```
使用Nginx的四层动态负载均衡有两种方案:使用商业版的Nginx和使用开源的nginx-stream-upsync-module模块。
注意:四层动态负载均衡可以使用nginx-stream-upsync-module模块,七层动态负载均衡可以使用nginx-upsync-module模块。
```
### 虚拟主机
```
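[root@hadoop103 captor_fast_index4]# cat /usr/local/nginx/conf/nginx.conf
# Name-based virtual hosts: every server below listens on 3000 and is chosen by the Host header (server_name).
# The first server (localhost) is the default for requests whose Host matches none of the names.
# Selection is by client-supplied Host only, so anyone who can reach port 3000 can reach any of these backends.
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # WebSocket support: send "Connection: upgrade" to the backend only when the client asked to upgrade,
    # and "close" otherwise, instead of forcing "upgrade" on every proxied request.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 3000;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 3000;
        server_name grafana;
        access_log logs/grafana.log;
        location / {
            proxy_pass http://172.24.61.103:30000;
            # CORS headers. The wildcard origin is only appropriate if nothing here depends on cookies/credentials.
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Upgrade/Connection are only meaningful over HTTP/1.1; the proxy default is HTTP/1.0,
            # so without this line the WebSocket handshake never reached the backend.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
    server {
        listen 3000;
        server_name jumpserver;
        access_log logs/jumpserver.log;
        location / {
            proxy_pass http://127.0.0.1:30001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
        location /koko/ws/ {
            proxy_pass http://127.0.0.1:30001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
        }
    }
    # The servers below pass no Host/X-Forwarded-* headers, so each backend sees the upstream address as Host
    # and the proxy's address as the client.
    server {
        listen 3000;
        server_name kubesphere;
        access_log logs/kubesphere.log;
        location / {
            proxy_pass http://127.0.0.1:30002;
        }
    }
    server {
        listen 3000;
        server_name zabbix;
        access_log logs/zabbix.log;
        location / {
            proxy_pass http://127.0.0.1:2188;
        }
    }
    server {
        listen 3000;
        server_name etl;
        access_log logs/etl.log;
        location / {
            proxy_pass http://172.24.48.39:8088;
        }
    }
    server {
        listen 3000;
        server_name api;
        access_log logs/api.log;
        location / {
            proxy_pass http://172.24.48.39:8089;
        }
    }
    server {
        listen 3000;
        server_name prom;
        access_log logs/prom.log;
        location / {
            proxy_pass http://172.24.61.104:9090;
        }
    }
}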
```
### nginx代理rancher
```sh
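# HTTPS front for Rancher: terminates TLS on 1443 and re-encrypts to the Rancher host on 1443.
server {
    listen 1443 ssl;
    server_name localhost;
    ssl_certificate /usr/local/nginx/key/server.crt;
    ssl_certificate_key /usr/local/nginx/key/server.key;
    # NOTE(review): the upstream is HTTPS but proxy_ssl_verify defaults to off, so the backend's certificate
    # is not checked; enable verification (proxy_ssl_verify on + proxy_ssl_trusted_certificate) if the network path is not trusted.
    location / {
        proxy_pass https://192.168.123.51:1443;
        proxy_set_header Host $host:1443;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_http_version 1.1;
        # CORS. Browsers reject Allow-Origin '*' combined with Allow-Credentials 'true', so as written
        # credentialed cross-origin calls fail; pin Allow-Origin to the actual front-end origin if credentials are required.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE';
        add_header 'Access-Control-Allow-Credentials' 'true';
        # Answer CORS preflight locally instead of forwarding it to Rancher.
        if ( $request_method = 'OPTIONS' ){
            return 200;
        }
    }
    # Paths that, judging by their names, are long-lived streams (exec/subscribe/log) and need the
    # HTTP/1.1 Upgrade handshake passed through.
    location ~* /k8s/.*/(exec|subscribe|log)$ {
        proxy_pass https://192.168.123.51:1443;
        proxy_set_header Host $host:1443;
        proxy_redirect off;
        proxy_http_version 1.1;
        # Header name fixed (was X-Real_IP with an underscore), so both locations send the same header as location /.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE';
        add_header 'Access-Control-Allow-Credentials' 'true';
        if ( $request_method = 'OPTIONS' ){
            return 200;
        }
    }
}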
```