When you realize you want to spend the rest of your life with somebody, you want the rest of your life to start as soon as possible. — When Harry Met Sally, 1989
Basic overview
Whenever ports 80 and 443 come up, we recall the corresponding HTTP and HTTPS access (HTTPS being HTTP plus an SSL certificate). What stuck in my memory most is that when developing WeChat mini programs, the domain names you configure must be filed (registered) HTTPS services. So before configuring Nginx, we need to know which modules and configuration rules Nginx contains, so that we can use and understand Nginx better.
Nginx consists of a kernel and modules. The kernel is small and compact by design and does one simple job: it maps a client request to a location block by looking up the configuration file. Each directive configured in that location then invokes a different module to do the work. Structurally, Nginx modules fall into core modules, basic modules and third-party modules. The HTTP module, EVENT module and MAIL module are core modules. The HTTP Access module, HTTP FastCGI module, HTTP Proxy module and HTTP Rewrite module are basic modules. The HTTP Upstream Request Hash module, Notice module and HTTP Access Key module are third-party modules; modules developed by users for their own needs are third-party modules as well. It is the support of so many modules that makes Nginx so powerful.
Nginx structure analysis
Take nginx-1.19.8 as an example:
The Nginx source code lives mainly in the src/ directory, which contains the following directories; the first three are the most important modules:
- Core: basic core libraries and framework. The Nginx kernel source, including the common data structures and the core code of the kernel implementation.
- Event: the event-driven model. The Nginx event-driven model and the timer implementation.
- HTTP: the HTTP module. The code implementing the Nginx HTTP server.
- Mail: the mail service module. The code implementing the Nginx mail proxy server.
- Misc: integration module. Auxiliary code for testing compatibility with C++ headers and for Google PerfTools support.
- OS: system module. Encapsulates the system functions of different operating systems and exposes a unified system-call interface.
- Stream: stream processing module. The basic module for TCP/UDP reverse proxying and upstream communication.
Nginx event-driven model
Nginx supports the select, poll, epoll, kqueue, /dev/poll and eventport libraries.
- select library: an event-driven model library supported on basically both Linux and Windows. The interface definitions are essentially the same on both, with slightly different meanings for some parameters. Its maximum concurrency is limited to 1024 connections, and it is the earliest event-driven model.
- poll library: the basic event-driven model on Linux; Windows does not support it. It is an upgrade of select that removes the maximum concurrency limit. The --with-poll_module and --without-poll_module options specify whether the poll module is compiled in when building Nginx.
- epoll library: one of the highest-performance event-driven libraries supported by the Nginx server, widely recognized as an excellent event-driven model. It differs substantially from poll and select: epoll is an upgraded version of poll, but its efficiency is very different. epoll works by creating a list of events to be processed; the maximum number of event descriptors a process can open is the system's maximum number of open files. Moreover, the I/O efficiency of the epoll library does not decrease linearly as the number of descriptors grows, because it only operates on the "active" descriptors reported by the kernel.
- kqueue library: an efficient event-driven model used on BSD-series platforms, mainly FreeBSD 4.1 and above, OpenBSD 2.0 and above, NetBSD and Mac OS X. This model is also a variant of the poll library, so it has no essential difference from epoll: both gain efficiency by avoiding polling.
- /dev/poll library: an efficient event-driven model used on Unix-derived platforms, mainly Solaris and HP/UX. Sun proposed this model to implement the event-driven mechanism when developing the Solaris platforms. It uses a virtual /dev/poll device: the developer adds the file descriptors to watch to this device and then obtains event notifications through the ioctl() call, so the /dev/poll mechanism is used when running on these platforms.
- eventport library: an event-driven library developed by Sun during the development of Solaris. It is available only on Solaris 10 and later and is designed to prevent kernel crashes.
How Nginx works
Nginx modules are functionally divided into three categories:
- Handlers: handler modules process requests directly and perform operations such as producing output and modifying header information. Generally only one handler module handles a given request.
- Filters: filter modules modify the content produced by the handler modules, passing it along a chain of filters before Nginx finally sends the output.
- Proxies: proxy modules, such as the Nginx HTTP upstream module, mainly interact with back-end services such as FastCGI to implement service proxying and load balancing.
Flow of a normal HTTP request and response through the Nginx modules: (figure)
In terms of working mode, Nginx can be divided into single-worker-process and multi-worker-process modes:
- In single-worker mode, there is a worker process in addition to the main process, and the worker process is single-threaded
- In multi-worker mode, each worker process contains multiple threads
Nginx defaults to single-worker mode. Nginx modules are compiled directly into the Nginx binary, i.e. they are statically compiled, and are loaded automatically when Nginx starts. This differs from Apache, where modules are first compiled into .so files and the configuration file then specifies whether to load them. When parsing the configuration file, every Nginx module may handle a request, but only one module will handle any given request.
Nginx HTTP modules
Nginx common modules:
- ngx_http_access_module: has only the allow and deny directives. It restricts requests by client IP address, similar to a network blacklist.
```nginx
location / {
    root html;
    index index.html index.htm;
    allow 127.0.0.1;    # allow 127.0.0.1 to access
    deny 127.0.0.1;     # deny access to 127.0.0.1 (rules are checked in order, first match wins)
}
```
- ngx_http_auth_basic_module: implements user-based access control, authenticating users with the HTTP Basic mechanism.
```nginx
location / {
    root html;
    index index.html index.htm;
    auth_basic "Admin";
    auth_basic_user_file /etc/nginx/conf/htpasswd;   # password file generated with htpasswd
}
```
The htpasswd tool requires the httpd-tools package:
```shell
yum install httpd-tools
```
Run htpasswd -c /etc/nginx/conf/htpasswd nginx to generate the password file for user nginx:
```console
[root@cotos-pivotal nginx]# htpasswd -c /etc/nginx/conf/htpasswd nginx
New password:
Re-type new password:
Adding password for user nginx
```
- ngx_http_stub_status_module: used to view HTTP status information; enable it with the stub_status directive in a location.
```nginx
location / {
    root html;
    index index.html index.htm;
    auth_basic "Admin";                                # keep the status page behind authentication
    auth_basic_user_file /etc/nginx/conf/htpasswd;
    stub_status;
}
```
State parameter parsing:
- Active connections: the number of currently active connections;
- accepts: the total number of client requests accepted;
- handled: the total number of client requests that have been handled;
- requests: the total number of requests from clients;
- Reading: the number of connections currently reading client request headers;
- Writing: the number of connections currently sending responses to clients;
- Waiting: the number of idle connections waiting for requests from clients.
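As an added example that is not part of the original article, a small parser for the four-line page stub_status returns, producing the seven counters described above plus the sanity checks an operator usually alerts on. The sample text is constructed to follow the documented stub_status layout.

```python
import re

# Constructed sample of the text a stub_status location returns
SAMPLE_STATUS = """Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

FIELDS = ("active", "accepts", "handled", "requests", "reading", "writing", "waiting")


def parse_stub_status(text):
    """Parse the stub_status page into a dict with the seven counters."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) != 4:
        raise ValueError("unexpected stub_status layout: %d lines" % len(lines))
    m = re.fullmatch(r"Active connections:\s+(\d+)", lines[0])
    if not m:
        raise ValueError("bad first line: %r" % lines[0])
    active = int(m.group(1))
    if lines[1].split() != ["server", "accepts", "handled", "requests"]:
        raise ValueError("bad header line: %r" % lines[1])
    accepts, handled, requests = (int(x) for x in lines[2].split())
    m = re.fullmatch(r"Reading:\s+(\d+)\s+Writing:\s+(\d+)\s+Waiting:\s+(\d+)", lines[3])
    if not m:
        raise ValueError("bad last line: %r" % lines[3])
    reading, writing, waiting = (int(x) for x in m.groups())
    return dict(zip(FIELDS, (active, accepts, handled, requests, reading, writing, waiting)))


def health_checks(stats):
    """Derived values worth monitoring from the counters."""
    return {
        # accepts > handled means connections were dropped (e.g. worker_connections exhausted)
        "dropped_connections": stats["accepts"] - stats["handled"],
        # active connections should equal reading + writing + waiting
        "active_consistent": stats["active"] == stats["reading"] + stats["writing"] + stats["waiting"],
        # requests per handled connection shows how much keep-alive reuse is happening
        "requests_per_connection": stats["requests"] / stats["handled"] if stats["handled"] else 0.0,
    }
```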
- ngx_http_log_module: logging module.
- ngx_http_gzip_module: a compression module that reduces the size of the transmitted data at the cost of higher CPU usage, because the data being transmitted has to be compressed.
```nginx
gzip on;
gzip_comp_level 6;
gzip_min_length 64;
gzip_proxied any;
gzip_types text/xml text/css application/javascript;
```
- ngx_http_ssl_module: used to configure HTTPS connections.
```nginx
server {
    listen 443 ssl;
    server_name www.ice.com;
    root /var/www/html;
    ssl on;    # deprecated since 1.15.0; "listen 443 ssl" above already enables TLS
    ssl_certificate /usr/local/nginx/ssl/ssl.crt;
    ssl_certificate_key /usr/local/nginx/ssl/ssl.key;
    ssl_session_cache shared:sslcache:20m;
    location / {
        index index.html index.htm;
    }
}
```
- ngx_http_rewrite_module: rewrite directives.
rewrite regex replacement [flag]: rewrites the URI requested by the user according to the pattern described by regex and replaces it with the new URI given by replacement. If several rewrite rules exist in the same configuration block, they are checked one by one from top to bottom; after a matching rule has replaced the URI, a new round of checks begins, so there is an implied loop. The flag bits given by [flag] control this loop:
- last: if there are many rules, then once one has matched, checking starts over from the beginning and runs all the way to the last rule. In other words, if the rules are not written carefully it is easy to create an endless rewrite loop.
- break: after rewriting, do not match the rules again from the start; exit the loop directly.
- redirect: after rewriting, the newly generated URI is returned to the client as a temporary redirect and the client issues a new request; used when the new URI does not start with http:// or https://.
- permanent: after rewriting, the newly generated URI is returned to the client as a permanent redirect and the client issues a new request.
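To make the loop behaviour concrete, here is an added simulation (not code from the article or from Nginx) of how the flags above drive the rewrite loop. It is a simplified model of the description above, in which last rescans the same rule list rather than re-running location matching, and it applies the cycle limit of 10 after which Nginx answers with a 500; the rule sets are constructed.

```python
import re

MAX_CYCLES = 10  # Nginx aborts the implied rewrite loop after 10 cycles (HTTP 500)


class Rewrite:
    """One `rewrite regex replacement [flag];` directive (flag: None, last, break, redirect, permanent)."""

    def __init__(self, regex, replacement, flag=None):
        self.regex = re.compile(regex)
        # Nginx writes capture groups as $1; Python's Match.expand wants \1
        self.template = re.sub(r"\$(\d)", r"\\\1", replacement)
        self.flag = flag


def apply_rewrites(uri, rules):
    """Run the rules against a request URI.
    Returns (status, uri): 200 when rewriting finishes internally, 302/301 for
    redirect/permanent (or a replacement that starts with http:// or https://),
    500 when `last` keeps restarting the scan beyond MAX_CYCLES."""
    for _cycle in range(MAX_CYCLES):
        restart = False
        for rule in rules:
            m = rule.regex.search(uri)
            if m is None:
                continue
            uri = m.expand(rule.template)  # the whole URI is replaced, not only the match
            if rule.flag == "permanent":
                return 301, uri
            if rule.flag == "redirect" or uri.startswith(("http://", "https://")):
                return 302, uri
            if rule.flag == "break":
                return 200, uri  # stop here, do not rescan the rules
            if rule.flag == "last":
                restart = True  # rescan from the first rule with the new URI
                break
        if not restart:
            return 200, uri  # no rule matched in this cycle
    return 500, uri  # "rewrite or internal redirection cycle" in Nginx terms


# Constructed rule sets
SAFE_RULES = [Rewrite(r"^/old/(.*)$", "/new/$1", "last"),
              Rewrite(r"^/new/(.*)$", "/final/$1", "break")]
LOOPING_RULES = [Rewrite(r"^/loop$", "/loop", "last")]   # rewrites to itself forever
FIXED_RULES = [Rewrite(r"^/loop$", "/loop", "break")]    # same rule, break ends the loop
REDIRECT_RULES = [Rewrite(r"^/docs/(.*)$", "https://docs.example.com/$1", "permanent")]
```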
- ngx_http_referer_module: anti-hotlinking module. It defines which values of the Referer header are valid:
- none: the request has no Referer header
- blocked: the request has a Referer header but it has no value
- server_names: the host names, or host name patterns, listed in server_name
- arbitrary string: a literal string, in which * can be used as a wildcard
- regular expression: a string matched by the given regular expression pattern, written with the ~ prefix
```nginx
valid_referers none blocked server_names *.pivotal.com;
if ($invalid_referer) {
    return 403;
}
```
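As an added example (not from the article or from Nginx itself), the following reproduces the matching rules of valid_referers in Python and evaluates the directive above (with the keyword spelled blocked) against a few constructed Referer values, returning the value $invalid_referer would take. The server_name www.ice.com is taken from the SSL snippet earlier on this page.

```python
import re
from urllib.parse import urlsplit


def _wildcard_match(host, pattern):
    """valid_referers allows a single * at the start or end of a host name."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), host) is not None


def referer_is_valid(referer, valid_referers, server_names=()):
    """True when the Referer header satisfies the valid_referers parameters.
    referer is None when the header is absent; server_names are the server_name values."""
    if referer is None:
        return "none" in valid_referers
    text = referer.lower()
    if not text.startswith(("http://", "https://")):
        return "blocked" in valid_referers  # header present but stripped or mangled on the way
    parts = urlsplit(text)
    host = parts.hostname or ""
    path = parts.path or "/"
    for entry in valid_referers:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if any(_wildcard_match(host, name.lower()) for name in server_names):
                return True
        elif entry.startswith("~"):
            # regular expressions are matched against the text after the scheme
            if re.search(entry[1:], text.split("://", 1)[1]):
                return True
        else:
            # "host/path-prefix": the host may carry a * wildcard, the path is a prefix
            entry_host, _, entry_path = entry.lower().partition("/")
            if _wildcard_match(host, entry_host) and path.startswith("/" + entry_path):
                return True
    return False


def invalid_referer(referer, valid_referers, server_names=()):
    """Value of $invalid_referer: "" when the referer is valid, "1" otherwise."""
    return "" if referer_is_valid(referer, valid_referers, server_names) else "1"


# Constructed inputs: the directive above and the server_name used earlier on this page
VALID = ["none", "blocked", "server_names", "*.pivotal.com"]
SERVER_NAMES = ["www.ice.com"]
```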
- ngx_http_headers_module: adds custom headers to the response that the proxy server sends to the client.
Complete Nginx configuration file:
```nginx
# Setting Nginx User Group
user root;    # worker processes run as root; a dedicated low-privilege user is the usual choice
# Setting Nginx Processes
worker_processes 1;
# Setting Nginx Max Nofile
worker_rlimit_nofile 51200;
# Setting Nginx Events
events {
    worker_connections 51200;
}
# Setting Nginx Http
http {
    include mime.types;
    default_type application/octet-stream;
    # Setting Nginx FastCGI [avoid 504 502 etc]
    fastcgi_connect_timeout 600s;
    fastcgi_send_timeout 600s;
    fastcgi_read_timeout 600s;
    fastcgi_buffer_size 256k;
    fastcgi_buffers 16 256k;
    fastcgi_busy_buffers_size 512k;
    fastcgi_temp_file_write_size 512k;
    send_timeout 60000;
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    #keepalive_timeout 0;
    keepalive_timeout 120;
    client_max_body_size 100m;
    #gzip on;
    # Setting Nginx Gzip
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    # Setting Nginx Reverse Proxy
    # monitor-8090
    upstream monitor.com {
        ip_hash;
        server localhost:8090;
    }
    # proscenium-8091
    upstream proscenium.com {
        ip_hash;
        server localhost:8091;
    }
    # mobile web layer tomcat port mobile-8092
    upstream mobile.com {    # name recovered from the proxy_pass in location /mobile below
        ip_hash;
        server localhost:8092;
    }
    # tomcat port schedule-8093
    upstream schedule.com {
        ip_hash;
        server localhost:8093;
    }
    server {
        listen 80;
        server_name localhost;
        # handle websocket request
        location /monitor {
            # request redirect to the defined server list
            proxy_pass http://monitor.com/zhimeng;
            add_header Access-Control-Allow-Origin *;    # wildcard CORS origin
            add_header Access-Control-Allow-Headers X-Requested-With;
            add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;
        }
        location /proscenium {
            # request redirect to the defined server list
            proxy_pass http://proscenium.com;
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Headers X-Requested-With;
            add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;
        }
        location /mobile {
            # request redirect to the defined server list
            proxy_pass http://mobile.com;
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Headers X-Requested-With;
            add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;
        }
        location /schedule {
            # request redirect to the defined server list
            proxy_pass http://schedule.com/;
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Headers X-Requested-With;
            add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        location /staticFile {
            alias /root/repository/staticFile;
            autoindex on;    # directory listing is visible to every client
            autoindex_exact_size on;
            autoindex_localtime on;
        }
    }
}
```