「NGINX」- Web Server | Engine X | High-performance Load Balancer | Reverse Proxy

Overview

Website: https://nginx.org/en/
Documentation: https://nginx.org/en/docs/
Repository: https://hg.nginx.org/nginx/

Nginx is a high-performance HTTP and reverse proxy server. It runs in an event-driven, asynchronous, non-blocking manner and can handle a high level of concurrency. Nginx was originally developed by Igor Sysoev in Russia and first publicly released in 2004. It was designed as a lightweight, high-performance server able to handle a large number of concurrent connections with a low memory footprint.

Components

Architecture and scalability

One master and several worker processes; worker processes run under an unprivileged user;

Flexible configuration;

Reconfiguration and upgrade of an executable without interruption of the client servicing;

Support for kqueue (FreeBSD 4.1+), epoll (Linux 2.6+), /dev/poll (Solaris 7 11/99+), event ports (Solaris 10), select, and poll;

The support of the various kqueue features including EV_CLEAR, EV_DISABLE (to temporarily disable events), NOTE_LOWAT, EV_EOF, number of available data, error codes;

The support of various epoll features including EPOLLRDHUP (Linux 2.6.17+, glibc 2.8+) and EPOLLEXCLUSIVE (Linux 4.5+, glibc 2.24+);

sendfile (FreeBSD 3.1+, Linux 2.2+, macOS 10.5+), sendfile64 (Linux 2.4.21+), and sendfilev (Solaris 8 7/01+) support;

File AIO (FreeBSD 4.3+, Linux 2.6.22+);

DIRECTIO (FreeBSD 4.4+, Linux 2.4+, Solaris 2.6+, macOS);

Accept-filters (FreeBSD 4.1+, NetBSD 5.0+) and TCP_DEFER_ACCEPT (Linux 2.4+) support;

10,000 inactive HTTP keep-alive connections take about 2.5M memory;

Data copy operations are kept to a minimum.

Properties

Properties | Functions | Features | This section describes the functionality that Nginx provides.

Basic HTTP server features

Modular architecture

Load Balancing and Fault Tolerance

Accelerated reverse proxying with caching

Other HTTP server features

Mail proxy server features

TCP/UDP proxy server features

Alphabetical index of variables
https://nginx.org/en/docs/varindex.html

Provides HTTP server functionality

Supports multiple HTTP versions

WIP: other HTTP versions?

Build

Installation | CentOS, Ubuntu, Debian, ...

Container image

[I] SRC: docker.io/library/nginx:1.25
[I] DST: ccr.ccs.tencentyun.com/d3rm-3rd/docker.io_library_nginx:1.25

Nginx 1.8 on CentOS 7.6

In principle this should be straightforward, but the package cannot be found in the CentOS repositories on Alibaba Cloud;

It can be installed directly from the official repository:

# Package listing: http://nginx.org/packages/centos/7/x86_64/RPMS/
# rpm only verifies the package signature if the nginx signing key
# (https://nginx.org/keys/nginx_signing.key) has been imported beforehand.
rpm -ivh http://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.8.1-1.el7.ngx.x86_64.rpm

on RHEL/CentOS

Nginx/RHEL/CentOS

# Configure the repository
cat << 'EOF' > /etc/yum.repos.d/cstm-nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF

# To use the mainline branch instead, enable it (requires the yum-utils package)
# yum install -y yum-utils
# yum-config-manager --enable nginx-mainline

# Refresh the package cache
yum makecache

# Install
yum install -y nginx.x86_64

Usage

Force HTTPS access

How to force or redirect to SSL in nginx?
https://serverfault.com/questions/250476/how-to-force-or-redirect-to-ssl-in-nginx

Return a fixed string

location @ratelimit_response {
    default_type application/json;
    add_header Content-Type application/json;
    return 429 '{"code": 429,"message": "系统太火爆了,请稍后再试试啦!","data": {"timestamp": $msec}}';
}

Scenario | Block all search engines | Block All Robots

The Web Robots Pages
Robots.txt File [2021 Examples] – Moz
How to set robots.txt globally in nginx for all virtual hosts – Server Fault

Some of our services are for internal use only but still need to be reachable over the public internet. One problem this causes is that the service gets crawled by search engines and can be found by others through search results. We therefore want to block all search engines so that the site is not crawled. These notes record how to adjust the Nginx configuration to block all search engine robots.

Operating system: Ubuntu 18.04.2 LTS (directory layouts differ between distributions; adjust to your environment)

Configure the robots.txt response:

# Create the configuration file (nginx expands \n inside the quoted return string)

mkdir /etc/nginx/conf.d/common/
echo 'location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }' \
    > /etc/nginx/conf.d/common/block-all-robots.conf

# Include the configuration in each server block

server {
    ...
    include /etc/nginx/conf.d/common/block-all-robots.conf;
    ...
}

Scenario | Block IP addresses | Block IP Address

These notes record how to block certain IP addresses from accessing a site in Nginx, and how to solve related problems.

Here we record how to block access by IP address:

server {
    server_name blog.example.com;

    # Rules are checked in order; the first match wins, so deny the
    # specific host and subnet first and then allow everyone else.
    deny 45.43.23.21;
    deny 45.43.23.0/24;
    allow all;
    ...

    # Block a single address for one path only
    location /accounts/login {
        deny 45.43.23.21;
    }
}

Scenario | Allow cross-origin access | CORS

Module ngx_http_headers_module/add_header
Allowing cross origin requests (CORS) on Nginx for 404 responses

The simplest, but least secure, configuration:

add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods *;
add_header Access-Control-Allow-Headers *;

In some cases Nginx does not return the headers we set. For example, on a 404 response our custom headers are not returned. This is because add_header only applies when the response code is 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304, 307 (1.1.16, 1.0.13), or 308 (1.13.0).

To fix this, use the always parameter:

add_header Access-Control-Allow-Origin * always;
add_header Access-Control-Allow-Methods * always;
add_header Access-Control-Allow-Headers * always;
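As an added example that is not part of the original notes, the same headers restricted to an allow-list of origins instead of "*"; the hostnames, the "backend" upstream and the certificate paths are placeholders:

```nginx
# Map the request's Origin header to either itself (allowed) or an empty
# string (not allowed). add_header skips a header whose value is empty.
map $http_origin $cors_origin {
    default                      "";
    "https://app.example.com"    $http_origin;
    "https://admin.example.com"  $http_origin;
}

upstream backend {
    server 127.0.0.1:8080;   # placeholder application server
}

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/nginx/ssl/api.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/api.example.com.key;  # placeholder

    location /api/ {
        # Echo back only an allow-listed origin; "always" keeps the headers
        # on 4xx/5xx responses as described above.
        add_header Access-Control-Allow-Origin  $cors_origin always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
        # Tell caches that the response depends on the Origin header.
        add_header Vary Origin always;

        # Answer preflight requests without forwarding them upstream.
        if ($request_method = OPTIONS) {
            return 204;
        }

        proxy_pass http://backend;
    }
}
```

A request whose Origin is not in the map receives no Access-Control-Allow-Origin header at all, so the browser refuses to expose the response to that page.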

Scenario | Log all requests

We now need to log every HTTP request that reaches the site for data analysis.

We did not find an explicit statement in the documentation, but according to several blog posts, access_log is able to record every HTTP request.

Improvements

Nginx UI

Nginx UI | Yet another Nginx Web UI | https://nginxui.com/
https://github.com/0xJacky/nginx-ui

Configuration file security analysis tool

yandex/gixy: Nginx configuration static analyzer

References

Visit the Nginx homepage