
nginx.conf配置文件
[root@localhost conf]#egrep -v "#|^$" nginx.conf
worker_processes auto; # one worker per CPU core, detected automatically
worker_cpu_affinity auto; # pin each worker to its own core so workers stop migrating between cores
worker_priority 0; # nice-style scheduling priority for workers; negative = higher priority, 0 = default
worker_rlimit_nofile 65536; # open-file limit per worker. It covers every socket nginx holds (upstream/proxy connections included), not only client connections, and the real concurrency can never exceed the system-wide open-file limit, so keep it in line with ulimit -n / limits.conf
daemon on; # run detached as a daemon (default on); "off" keeps nginx in the foreground, used for testing or when running in a container
master_process on; # master/worker process model (default on); "off" runs a single process and is only meant for development and debugging
events {
    worker_connections 65536; # maximum simultaneous connections per worker (client and upstream sockets alike)
    use epoll; # event notification method; epoll is the efficient choice on Linux
    accept_mutex on; # workers take turns accepting new connections instead of all being woken for each one (the "thundering herd"); default off, recommended on here
    multi_accept on; # a woken worker accepts every pending connection at once rather than one per wake-up; default off
}
http {
    include mime.types; # MIME table mapping file extensions to Content-Type
    default_type application/octet-stream; # Content-Type for files whose extension is not listed in mime.types
    server_tokens off; # hide the nginx version in the Server header and on error pages
    # Access log as one JSON object per line, so ELK-style collectors can parse it.
    # NOTE(review): $uri, $http_x_forwarded_for, $http_referer and
    # $http_user_agent are copied verbatim from the client's request. Without
    # the "escape=json" parameter on this log_format nginx writes quotes and
    # control bytes as \xXX, which is not valid JSON, so a crafted request can
    # break (or inject fields into) the JSON a downstream parser sees. Add
    # escape=json to keep every line well-formed JSON.
    log_format access_json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"uri":"$uri",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"tcp_xff":"$proxy_protocol_addr",'
    '"http_user_agent":"$http_user_agent",'
    '"status":"$status"}';
    access_log /apps/nginx/logs/access_json.log access_json;
    # Compression
    gzip on; # compress responses to reduce bandwidth
    gzip_min_length 1k; # responses smaller than 1k are sent uncompressed
    gzip_buffers 4 16k; # number and size of the buffers used for compression (the default buffer size is one memory page, 4k or 8k depending on the platform)
    gzip_http_version 1.1; # minimum HTTP version of the request for which a compressed response is sent
    gzip_comp_level 6; # compression level, 1 (fastest) to 9 (smallest)
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml; # MIME types to compress in addition to text/html, which is always compressed and need not be listed
    gzip_vary on; # add "Vary: Accept-Encoding" so caches keep compressed and plain variants apart; generally recommended
    gzip_proxied expired no-cache no-store private auth; # also compress proxied responses (a request counts as proxied when it carries a Via header) when the response matches one of these Cache-Control / Authorization conditions
    gzip_disable "MSIE [1-6]\."; # no compression for User-Agents matching this regex (IE 1-6)
    sendfile on; # serve static files with sendfile() instead of copying through user space
    keepalive_timeout 65; # seconds an idle keep-alive client connection stays open
    include confd/*.conf; # per-site server blocks live under confd/
    server { # default server on port 80
        listen 80;
        server_name localhost;
        location / {
            root html; # relative to the configure --prefix
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
各站点的配置文件
#web站点配置信息
[root@localhost conf]#cat confd/www.shuhong.com.conf
limit_req_zone $binary_remote_addr zone=req_one:10m rate=1r/s; # request-rate limiting keyed per client IP; applied where limit_req is used
# $binary_remote_addr: the key, so one state entry is kept per client IP address.
# zone=req_one:10m: a 10 MB shared-memory zone named req_one that stores the per-key state.
# rate=1r/s: each key may send 1 request per second; what happens above that is set by the burst/nodelay options of limit_req.
# NOTE(review): $binary_remote_addr is the TCP peer address. If nginx sits behind a proxy or load balancer, every client shares the proxy's key unless the realip module is configured to restore the client address.
limit_conn_zone $binary_remote_addr zone=conn_zone:10m; # concurrent-connection limiting, also keyed per client IP, state in a 10 MB zone named conn_zone
server{
    listen 80;
    listen 443 ssl http2; # HTTPS with HTTP/2 on the same listener
    ssl_certificate /apps/nginx/certs/www.shuhong.com.pem; # server certificate followed by the CA chain (the .pem is built by concatenating the two files)
    ssl_certificate_key /apps/nginx/certs/www.shuhong.com.key; # private key; it is read by the master process, so keep it unreadable to other users
    ssl_session_cache shared:sslcache:20m; # 20 MB TLS session cache shared by all workers
    ssl_session_timeout 10m; # cached sessions may be resumed for 10 minutes
    # NOTE(review): no ssl_protocols / ssl_ciphers are set in this server, so
    # the build defaults apply - TODO confirm they exclude legacy TLS versions,
    # or pin them explicitly.
    server_name www.shuhong.com; # site host name
    location = /favicon.ico { # exact match for the site icon
        root /data/www/html/pc/images;
        expires 365d; # let clients cache it for 365 days
        access_log off; # don't log icon requests
    }
    location / {
        root /data/www/html/pc;
        #try_files $uri $uri.html ;
    }
    location /main { # demo of the third-party echo-nginx-module (compiled in with --add-module)
        index index.html;
        default_type text/html;
        echo "hello world,main-->";
        echo $remote_addr ; # prints the client address
        echo_reset_timer; # restart the echo timer from now
        echo_location /sub1; # subrequest to /sub1; its output is spliced in here
        echo_location /sub2;
        echo "took $echo_timer_elapsed sec for total."; # about 2 s, since each subrequest sleeps 1 s
    }
    location /sub1 {
        echo_sleep 1; # non-blocking 1 second sleep before replying
        echo sub1;
    }
    location /sub2 {
        echo_sleep 1;
        echo sub2;
    }
    location /about {
        alias /data/www/html/alias; # /about/x is served from /data/www/html/alias/x (alias replaces the matched prefix, unlike root)
    }
    location /nginx_status {
        stub_status on; # basic connection/request counters
        allow 10.0.0.1; # rules are checked in order: 10.0.0.1 is permitted ...
        deny 10.0.0.0/24; # ... and the rest of 10.0.0.0/24 is rejected
        # NOTE(review): there is no trailing "deny all;", so every address
        # outside 10.0.0.0/24 passes the ACL and is protected only by the
        # basic-auth prompt below. Add "deny all;" after the deny above if
        # the page is meant to be reachable from 10.0.0.1 only.
        auth_basic "login password"; # HTTP basic-auth realm; users come from the file below (created with htpasswd)
        auth_basic_user_file /apps/nginx/conf/.htpasswd;
    }
    location /rocky { # download area with a directory listing
        autoindex on; # generate a directory index; this reveals every file name under /data/www/html/rocky
        autoindex_exact_size on; # show exact byte counts instead of rounded sizes
        autoindex_localtime on; # show local time instead of GMT
        charset utf8; # charset of the generated listing
        limit_rate_after 100m; # start throttling only after the first 100 MB of a response
        limit_rate 100k; # then cap each connection at 100 KB/s
        limit_req zone=req_one burst=3 nodelay;
        # zone=req_one: use the zone declared by limit_req_zone above (1 request/s per client IP).
        # burst=3: up to 3 requests above the rate are still accepted.
        # nodelay: those burst requests are served immediately instead of being queued to fit the rate;
        # requests beyond the burst are rejected with 503, which the @error_page location below handles.
        limit_conn conn_zone 2; # at most 2 concurrent connections per client IP
        root /data/www/html;
    }
    error_page 404 @error_404; # send 404s to the named location below
    location @error_404 {
        default_type text/html;
        charset utf8; # required so the Chinese message is delivered as UTF-8
        return 200 '你访问的页面可能走丢了!'; # answered with status 200, so clients and monitoring no longer see the 404
    }
    error_page 503 @error_page; # 503 is what limit_req / limit_conn return when a client exceeds its limit
    location @error_page {
        default_type text/html;
        charset utf8;
        return 200 '温馨提示:请联系管理员进行会员充值!'; # likewise delivered as 200 rather than 503
        #return https://pan.baidu.com/buy/center?tag=8&from=loginpage#/svip ;
    }
    location /up { # request-body settings for uploads
        client_max_body_size 100m; # bodies larger than 100 MB are rejected
        client_body_buffer_size 1024k; # bodies up to 1 MB are kept in memory
        client_body_temp_path /apps/nginx/client_body_temp/ 1 2 2; # larger bodies are spooled here, in 3 levels of hashed subdirectories
        # NOTE(review): nothing in this location hands the body to a backend
        # (no proxy_pass/fastcgi_pass), so it only sizes the request - confirm
        # where uploads are actually processed.
    }
}
#mobile站点配置信息
[root@localhost conf]#cat confd/mobile.shuhong.com.conf
server{ # mobile site, plain HTTP only
    listen 80;
    server_name m.shuhong.com;
    location / {
        root /data/www/html/mobile; # document root for the mobile pages
    }
}
#location优先级测试站点配置
[root@localhost conf]#cat confd/location.shuhong.com.conf
server{ # test site showing which location type wins for a given URI
    listen 80;
    server_name location.shuhong.com;
    location = / { # "=": exact match for "/" only; an exact match beats every other location
        default_type text/html;
        return 200 'location = /';
    }
    location / { # plain prefix that matches every URI; used only when nothing more specific matches
        default_type text/html;
        return 200 'location /';
    }
    location /documents/ { # plain prefix for URIs starting with /documents/; the longest prefix wins, but regex locations are still tried first
        default_type text/html;
        return 200 'location /documents/';
    }
    location ^~ /images/ { # "^~" is a case-sensitive prefix match, not a regex: when it is the longest matching prefix nginx stops there and skips the regex locations
        default_type text/html;
        return 200 'location ^~ /images/';
    }
    location ~* \.(gif|jpg|jpeg)$ { # "~*" is a case-insensitive regex ("~" would be case-sensitive); regex locations are tried in file order
        default_type text/html;
        return 200 'location ~* \.(gif|jpg|jpeg)';
    }
}
#匹配优先级:=, ^~, ~/~*,/
#location优先级:(location =) > (location ^~ 路径) > (location ~,~* 正则顺序) > (location 完整路径) > (location 部分起始路径) > (/)
加用户认证
#加用户名密码认证
[root@localhost ~]#yum -y install httpd-tools
[root@localhost ~]#htpasswd -cb /apps/nginx/conf/.htpasswd shuhong 123456
Adding password for user shuhong
[root@localhost ~]#htpasswd -b /apps/nginx/conf/.htpasswd shuzihan 123456
Adding password for user shuzihan
[root@localhost ~]#chown nginx. /apps/nginx/conf/.htpasswd
[root@localhost ~]#chmod 600 /apps/nginx/conf/.htpasswd
第三方插件echo
#第三方插件
[root@localhost ~]#git clone git://github.com/vozlt/nginx-module-vts.git
[root@localhost nginx-1.22.0]#./configure --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=../echo-nginx-module-master
[root@localhost nginx-1.22.0]#make && make install
[root@localhost nginx-1.22.0]#systemctl restart nginx.service
python统计json格式的访问日志
#python统计分析json格式的访问日志
[root@localhost ~]#yum -y install python
[root@localhost ~]#vim log.py
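#!/usr/bin/env python3
# coding:utf-8
"""Count the 200 and 404 responses in nginx's JSON access log.

Each line of the log is one JSON object produced by the ``access_json``
log_format in nginx.conf.  Lines are parsed with ``json.loads`` rather than
``eval``: fields such as $uri, $http_referer and $http_user_agent are copied
verbatim from the client's request, so evaluating a log line as Python
source would run whatever text a client chose to send.

NOTE(review): with nginx's default log escaping, quotes and control bytes
are written as ``\\xXX``, which Python accepts but JSON does not.  Add
``escape=json`` to the log_format so every line is valid JSON; lines that
still fail to parse are reported on stderr and skipped instead of aborting
the whole run.
"""
import json
import sys

LOG_PATH = "/apps/nginx/logs/access_json.log"


def count_statuses(lines):
    """Split parsed log records by HTTP status.

    Args:
        lines: iterable of raw log lines (an open file object works).

    Returns:
        A ``(status_200, status_404)`` pair of lists holding the parsed dict
        records whose ``status`` is "200" or "404".  Any other status prints
        a diagnostic and the record's clientip, as the original script did.
    """
    status_200 = []
    status_404 = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue  # tolerate blank lines, e.g. a trailing newline
        try:
            record = json.loads(raw)
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            print("line %d: not valid JSON (%s)" % (lineno, exc), file=sys.stderr)
            continue
        if not isinstance(record, dict):
            print("line %d: not a JSON object" % lineno, file=sys.stderr)
            continue
        # str() so a numeric status (unquoted $status) is counted as well
        status = str(record.get("status"))
        if status == "200":
            status_200.append(record)  # the record itself, not the bound .get method
        elif status == "404":
            status_404.append(record)
        else:
            print("状态码 ERROR")
            print(record.get("clientip"))
    return status_200, status_404


def main(path=LOG_PATH):
    """Read the access log at ``path`` and print the 200/404 counts."""
    with open(path, encoding="utf-8") as f:  # the with block closes the file
        status_200, status_404 = count_statuses(f)
    print("状态码200的有--:", len(status_200))
    print("状态码404的有--:", len(status_404))


if __name__ == "__main__":
    main()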
[root@localhost ~]#python3 log.py
状态码200的有--: 1
状态码404的有--: 0
自签证书,应用https
#自签证书实现https
[root@localhost certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a RSA private key
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
...................................................++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:shuhong.Ltd
Organizational Unit Name (eg, section) []:SHUHONG
Common Name (eg, your name or your server's hostname) []:ca.shuhong.com
Email Address []:
[root@localhost certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.shuhong.com.key -out www.shuhong.com.csr
Generating a RSA private key
..........................................................................................................................++++
..........................................................................................................................................++++
writing new private key to 'www.shuhong.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:shuhong.com
Organizational Unit Name (eg, section) []:shuhong.com
Common Name (eg, your name or your server's hostname) []:www.shuhong.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]#openssl x509 -req -days 3650 -in www.shuhong.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.shuhong.com.crt
Signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = shuhong.com, OU = shuhong.com, CN = www.shuhong.com
Getting CA Private Key
[root@localhost certs]#openssl x509 -in www.shuhong.com.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
11:74:69:da:d7:39:68:52:b3:48:21:d6:bd:88:a7:11:b6:77:b5:38
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = BeiJing, L = BeiJing, O = shuhong.Ltd, OU = SHUHONG, CN = ca.shuhong.com
Validity
Not Before: Sep 15 02:42:15 2022 GMT
Not After : Sep 12 02:42:15 2032 GMT
Subject: C = CN, ST = BeiJing, L = BeiJing, O = shuhong.com, OU = shuhong.com, CN = www.shuhong.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
......
#nginx需要将服务器证书和CA证书两个文件合并在一起
[root@localhost certs]#cat www.shuhong.com.crt ca.crt > www.shuhong.com.pem


