Environment overview:

IP address | Server role | Description |
---|---|---|
192.168.180.4 | Nginx server | |
192.168.180.23 | client | |
192.168.171.231 | client | |

The test steps are as follows:
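(1) Name-based virtual hosts. Different domain names distinguish the hosts that serve the web content; the server_name directive is what configures name-based virtual hosts.

1. First, edit the /etc/hosts file on 192.168.180.23

```
[root@localhost haproxy]# vim /etc/hosts
192.168.180.13
192.168.180.13
192.168.180.4
192.168.180.4
192.168.180.4
```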
2. Edit the nginx configuration file. First move the virtual host server blocks out of nginx.conf and pull them back in with include.

```
[root@Monitor conf]# cat nginx.conf
worker_processes 1;
user appuser appuser;
error_log /data/nginx/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    access_log /data/nginx/access.log;
    keepalive_timeout 65;
    gzip on;
    server_tokens off;
    error_log /data/nginx/error.log debug;
    # virtual host server blocks live in their own file
    include server/server.conf;
}
```
3. Next, write the virtual host blocks

```
[root@Nginx conf]# cd ../html/
[root@Nginx html]# mkdir -pv xn{1,2,3}
mkdir: 已创建目录 "xn1"
mkdir: 已创建目录 "xn2"
mkdir: 已创建目录 "xn3"
[root@Nginx html]# echo "This is xn1" >> xn1/index.html
[root@Nginx html]# echo "This is xn2" >> xn2/index.html
[root@Nginx html]# echo "This is xn3" >> xn3/index.html
[root@Nginx html]# cat xn1/index.html
This is xn1
[root@Monitor conf]# cat server/server.conf
server {
    listen 80;
    server_name ;
    location =/ {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 80;
    server_name ;
    location =/ {
        root /html/xn2;
        index index.html;
    }
}
server {
    listen 80;
    server_name ;
    location =/ {
        root /html/xn2;
        index index.html;
    }
}
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -s reload
```
4. Access behaviour for different combinations of port and domain name:

a. The port and the domain name must not both be the same. If they are, the following message is reported: “nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored”. Access actually still works; the server block that comes first in the file is the one that takes effect.

server_name configuration:

```
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn2;
        index index.html;
    }
}
```

```
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -s reload
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
[root@localhost ~]# curl
Xn1 is this
```
b. Different domain names on the same port. This is the correct configuration (name-based virtual hosts).

server_name configuration:

```
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn2;
        index index.html;
    }
}
```

Access results:

```
[root@localhost ~]# curl
Xn1 is this
[root@localhost ~]# curl
Xn2 is this
```
c. Same domain name, different port numbers; the content served is different as well (port-based virtual hosts).

server_name configuration:

```
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 8080;
    server_name ;
    location / {
        root /html/xn2;
        index index.html;
    }
}
```

Access results:

```
[root@localhost ~]# curl
Xn1 is this
[root@localhost ~]# curl :8080
Xn2 is this
```
d. IP-based virtual hosts. Several IP addresses can be bound to one physical network card, which makes it possible to run multiple IP-based virtual hosts on a single server with a single NIC. Setting up IP aliases is easy: configure the network interface on the system so that it listens on the additional IP addresses.

```
[root@Monitor conf]# ip addr add 192.168.0.10/24 dev eth0
[root@Monitor conf]# ip addr add 192.168.0.20/24 dev eth0
[root@Monitor conf]# ip add |grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.180.4/24 brd 192.168.180.255 scope global eth0
    inet 192.168.0.10/24 scope global eth0
    inet 192.168.0.20/24 scope global secondary eth0
```

```
server {
    listen 192.168.0.10:8001;
    server_name ;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 192.168.0.20:8080;
    server_name ;
    location / {
        root /html/xn2;
        index index.html;
    }
}
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn3;
        index index.html;
    }
}
```

Test. IP-based access requires restarting the nginx service; a reload does not take effect.

```
[root@Monitor ~]# netstat -lntp|grep nginx
tcp        0      0 192.168.0.10:8001      0.0.0.0:*      LISTEN      2432/nginx
tcp        0      0 0.0.0.0:80             0.0.0.0:*      LISTEN      2432/nginx
tcp        0      0 192.168.0.20:8080      0.0.0.0:*      LISTEN      2432/nginx
[root@Monitor ~]# curl 192.168.0.10:8001
Xn1 is this
[root@Monitor ~]# curl 192.168.0.20:8080
Xn2 is this
[root@Monitor ~]# curl 192.168.180.4
Xn3 is this
```
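(2) IP access control. Access control is set with the deny and allow directives. They are implemented by the HTTP access module (the one the --without-http_access_module build option controls).

Syntax:

Syntax: | allow |
---|---|
Default: | — |
Context: | http, server, location, limit_except |

Syntax: | deny |
---|---|
Default: | — |
Context: | http, server, location, limit_except |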
Example: the following configuration allows only 192.168.180.23 to access the site; everything else is denied.

```
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn1;
        index index.html;
        allow 192.168.180.23;
        deny all;
    }
}
```

Result when accessing from 180.4:

```
[root@Monitor ~]# curl
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```

Access from the Windows client:

Access from 180.23:

```
[root@localhost ~]# curl
Xn1 is this
```

The nginx log:

```
192.168.181.231 - - [31/Jul/2017:16:25:40 +0800] "GET / HTTP/1.1" 403 192 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
192.168.180.23 - - [31/Jul/2017:16:27:06 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0"
192.168.180.4 - - [31/Jul/2017:16:27:54 +0800] "GET / HTTP/1.1" 403 162 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
```
Deny only the IP address 192.168.180.23; all other addresses are allowed:

```
server {
    listen 80;
    server_name ;
    location / {
        root /html/xn1;
        index index.html;
        deny 192.168.180.23;
        allow all;
    }
}
```

The nginx access log:

```
192.168.180.23 - - [31/Jul/2017:16:29:51 +0800] "GET / HTTP/1.1" 403 162 "-" "curl/7.29.0"
192.168.180.4 - - [31/Jul/2017:16:29:57 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
192.168.181.231 - - [31/Jul/2017:16:30:03 +0800] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
```

Note: if many IP addresses need to be denied, use include deny.ip; then create the deny.ip file and put all of the IPs into it. That denies them in bulk.
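How nginx arrives at the 200 and 403 codes in the two logs above, as an added example that is not part of the original post: allow and deny rules are checked in order and the first match decides. The helper names (parse_rules, decide, report) and the SWAPPED rule set are constructed for illustration, and only IPv4 addresses, CIDR ranges and `all` are handled.

```python
import ipaddress
import re

# Rule sets copied from the two location blocks on this page.
ALLOW_ONE = "allow 192.168.180.23; deny all;"
DENY_ONE = "deny 192.168.180.23; allow all;"
# Constructed variant: the directives of ALLOW_ONE in the opposite order.
SWAPPED = "deny all; allow 192.168.180.23;"

RULE_RE = re.compile(r"\b(allow|deny)\s+([^;\s]+)\s*;")


def parse_rules(conf_text):
    """Return [(action, network)] in file order; 'all' becomes 0.0.0.0/0."""
    rules = []
    for action, target in RULE_RE.findall(conf_text):
        net = "0.0.0.0/0" if target == "all" else target
        rules.append((action, ipaddress.ip_network(net, strict=False)))
    return rules


def decide(rules, client_ip):
    """Return the status the access check leads to: first matching rule wins."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr in net:
            return 200 if action == "allow" else 403
    return 200  # no rule matched, so the access module does not block


def report(conf_text, clients):
    """Map each client IP to the status code it would receive."""
    rules = parse_rules(conf_text)
    return {ip: decide(rules, ip) for ip in clients}


# The three client addresses that appear in the access logs on this page.
CLIENTS = ["192.168.180.23", "192.168.180.4", "192.168.181.231"]

if __name__ == "__main__":
    for name, conf in (("allow one", ALLOW_ONE), ("deny one", DENY_ONE),
                       ("swapped", SWAPPED)):
        print(name, report(conf, CLIENTS))
```

The same first-match rule applies to a deny.ip file pulled in with include: its deny lines only take effect if they come before a matching allow.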
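(3) nginx access authentication. Users must enter a user name and password before they can access the web page.

1. Use htpasswd to generate the database file holding the user name and its password.

```
[root@Monitor conf]# htpasswd -bc /usr/local/nginx/conf/passwd yz 123456
Adding password for user yz
[root@Monitor conf]# more passwd
yz:C9qDroTFbuldY
[root@Monitor conf]# chmod 400 passwd
```

Note: how do you add another user to an existing password file?

```
htpasswd -b /usr/local/nginx/conf/passwd abc abc
```

Drop the c option and the second user is added after the first one, and so on for further users.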
2. Configure the virtual host

```
server {
    listen 80;
    server_name ;
    location / {
        auth_basic "please input you username and password";    # realm name shown for this virtual host
        auth_basic_user_file /usr/local/nginx/conf/passwd;      # password file for this virtual host
        root /html/xn1;
        index index.html;
        deny 192.168.180.23;
        allow all;
    }
}
```

3. Test access
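The entry `yz:C9qDroTFbuldY` created in step 1 is a 13-character traditional DES crypt hash, which uses only the first 8 characters of the password. The following added example (not from the original post) audits a password file by hash format; every entry except the first is constructed, and the weak/legacy/ok ratings and function names are this example's own.

```python
import re

# First entry is the one shown on this page; the others are constructed
# entries in other formats nginx can read, for comparison.
SAMPLE = """\
# constructed comment line
yz:C9qDroTFbuldY
alice:$apr1$Zk3p9x1Q$Qb1nRzO5o2cQ0u4n8kq2s/
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:{PLAIN}hunter2
dave:$6$c0nstructed$notARealDigestJustAShapeForTheClassifier:ops account
"""

# (pattern, scheme, rating), checked top to bottom against the hash field.
SCHEMES = [
    (r"\{PLAIN\}", "plaintext", "weak"),
    (r"\{SHA\}", "unsalted SHA-1", "weak"),
    (r"\{SSHA\}", "salted SHA-1", "legacy"),
    (r"\$apr1\$", "Apache MD5 (apr1)", "legacy"),
    (r"\$1\$", "md5crypt", "legacy"),
    (r"\$5\$", "sha256crypt", "ok"),
    (r"\$6\$", "sha512crypt", "ok"),
    # 13 characters from the crypt alphabet: DES crypt, 8-char password limit
    (r"[./0-9A-Za-z]{13}$", "DES crypt", "weak"),
]


def classify(hash_field):
    """Return (scheme, rating) for one hash field."""
    for pattern, scheme, rating in SCHEMES:
        if re.match(pattern, hash_field):
            return scheme, rating
    return "unknown", "review"


def audit(text):
    """Return [(user, scheme, rating)] for every entry in a password file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        hash_field = rest.split(":", 1)[0]  # drop optional ":comment" field
        findings.append((user, *classify(hash_field)))
    return findings


def weak_users(text):
    """Users whose stored hash should be regenerated first."""
    return [user for user, _, rating in audit(text) if rating == "weak"]
```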
(4) Monitoring with the nginx status module. The ngx_http_stub_status_module module provides basic nginx access status information; nginx must be compiled with the --with-http_stub_status_module option.

1. Check whether nginx has the ngx_http_stub_status_module module

```
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module
```
2. Enable the nginx status module

```
server {
    listen 80;
    server_name ;
    location / {
        # auth_basic "please input you username and password";
        # auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        root /html/xn1;
        index index.html;
        deny 192.168.180.23;
        allow all;
        location /status {
            stub_status on;
            access_log /opt/access.log;
            allow 192.168.181.231;
            deny all;
            auth_basic "please input you username and password";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        }
    }
}
```
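3. Access it through a browser.

The fields are explained as follows:

Active connections: the number of active connections opened to the backend (server).

Server accepts handled requests: nginx handled 56 connections in total, successfully created 56 handshakes (which shows that none failed along the way), and handled 101 requests in total.

Reading: the number of client header reads nginx is performing.

Writing: the number of headers nginx is returning to clients.

Waiting: with keep-alive enabled, this value equals active – (reading + writing). These are resident connections that nginx has finished processing and that are waiting for the next request.

So when access is efficient and requests are processed quickly, a large Waiting count is normal. If reading + writing is large, concurrent traffic is very high and requests are still being processed.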
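A parser for the status page described above, as an added example that is not part of the original post. It derives the checks the explanation mentions (failed handshakes, the Waiting identity, the reading + writing load); the sample text is constructed around the 56/56/101 counters quoted above, and the function names are this example's own.

```python
import re

# Constructed sample in the stub_status layout; 56/56/101 are the counters
# quoted in the explanation above, the other values are made up.
SAMPLE = """\
Active connections: 2
server accepts handled requests
 56 56 101
Reading: 0 Writing: 1 Waiting: 1
"""

PATTERN = re.compile(
    r"Active connections:\s*(\d+)\s+"
    r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)",
    re.IGNORECASE,
)
KEYS = ("active", "accepts", "handled", "requests",
        "reading", "writing", "waiting")


def parse_status(text):
    """Turn the status page body into a dict of integer counters."""
    match = PATTERN.search(text)
    if match is None:
        raise ValueError("text is not stub_status output")
    return dict(zip(KEYS, (int(value) for value in match.groups())))


def health(stats):
    """Derive the checks described in the field explanations."""
    busy = stats["reading"] + stats["writing"]
    handled = stats["handled"]
    return {
        # accepted connections that were never handled (failed handshakes)
        "dropped": stats["accepts"] - handled,
        # Waiting should equal active - (reading + writing)
        "waiting_consistent": stats["waiting"] == stats["active"] - busy,
        # connections that are being processed right now
        "busy": busy,
        # keep-alive reuse: average requests served per connection
        "requests_per_conn": round(stats["requests"] / handled, 2) if handled else 0.0,
    }


if __name__ == "__main__":
    print(health(parse_status(SAMPLE)))
```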