- 實現基于ip的訪問控制功能
(1)、allow address | CIDR | unix: | all; (2)、deny address | CIDR | unix: | all; http, server, location, limit_except 2.ngx_http_auth_basic_module模塊 實現基于用戶的訪問控制,使用basic機制進行用戶認證; (1)、auth_basic string | off; (2)、auth_basic_user_file file; location /admin/ { alias /webapps/app1/data/; auth_basic "Admin Area"; auth_basic_user_file /etc/nginx/.ngxpasswd; } 注意:htpasswd命令由httpd-tools所提供; 3.ngx_http_stub_status_module模塊 用于輸出nginx的基本狀態信息; Active connections: 291 server accepts handled requests 16630948 16630948 31070465 Reading: 6 Writing: 179 Waiting: 106 Active connections: 活動狀態的連接數; accepts:已經接受的客戶端請求的總數; handled:已經處理完成的客戶端請求的總數; requests:客戶端發來的總的請求數; Reading:處于讀取客戶端請求報文首部的連接的連接數; Writing:處于向客戶端發送響應報文過程中的連接數; Waiting:處于等待客戶端發出請求的空閑連接數; (3)、stub_status; 配置示例: location /basic_status { stub_status; } ngx_http_log_module模塊 he ngx_http_log_module module writes request logs in the specified format. (4)、log_format name string ...; string可以使用nginx核心模塊及其它模塊內嵌的變量; (5)、access_log path [format [buffer=size] [gzip[=level]] [flush=time] [if=condition]]; access_log off; 訪問日志文件路徑,格式及相關的緩沖的配置; buffer=size flush=time (6)、open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time]; open_log_file_cache off; 緩存各日志文件相關的元數據信息; max:緩存的最大文件描述符數量; min_uses:在inactive指定的時長內訪問大于等于此值方可被當作活動項; inactive:非活動時長; valid:驗正緩存中各緩存項是否為活動項的時間間隔; 4.ngx_http_gzip_module: The ngx_http_gzip_module module is a filter that compresses responses using the “gzip” method. This often helps to reduce the size of transmitted data by half or even more. (1)、gzip on | off; Enables or disables gzipping of responses. (2)、gzip_comp_level level; Sets a gzip compression level of a response. Acceptable values are in the range from 1 to 9. (3)、 gzip_disable regex ...; Disables gzipping of responses for requests with “User-Agent” header fields matching any of the specified regular expressions. (4)、 gzip_min_length length; 啟用壓縮功能的響應報文大小閾值; (5)、gzip_buffers number size; 支持實現壓縮功能時為其配置的緩沖區數量及每個緩存區的大小; (6)、gzip_proxied off | expired | no-cache | no-store | private | no_last_modified | no_etag | auth | any ...; nginx作為代理服務器接收到從被代理服務器發送的響應報文后,在何種條件下啟用壓縮功能的; off:對代理的請求不啟用 no-cache, no-store,private:表示從被代理服務器收到的響應報文首部的Cache-Control的值為此三者中任何一個,則啟用壓縮功能; (7)、gzip_types mime-type ...; 壓縮過濾器,僅對此處設定的MIME類型的內容啟用壓縮功能; ? 示例: gzip on; gzip_comp_level 6; gzip_min_length 64; gzip_proxied any; gzip_types text/xml text/css application/javascript; 5.ngx_http_ssl_module模塊: (1)、 ssl on | off; Enables the HTTPS protocol for the given virtual server. (2)、ssl_certificate file; 當前虛擬主機使用PEM格式的證書文件; (3)、ssl_certificate_key file; 當前虛擬主機上與其證書匹配的私鑰文件; (4)、ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; 支持ssl協議版本,默認為后三個; (5)、ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; builtin[:size]:使用OpenSSL內建的緩存,此緩存為每worker進程私有; [shared:name:size]:在各worker之間使用一個共享的緩存; (6)、ssl_session_timeout time; 客戶端一側的連接可以復用ssl session cache中緩存 的ssl參數的有效時長; 配置示例: server { listen 443 ssl; server_name www.magedu.com; root /vhosts/ssl/htdocs; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m; }
6.ngx_http_rewrite_module模塊:
將用戶請求的URI基于regex所描述的模式進行檢查,而后完成替換; (1)、rewrite regex replacement [flag] 將用戶請求的URI基于regex所描述的模式進行檢查,匹配到時將其替換為replacement指定的新的URI; 注意:如果在同一級配置塊中存在多個rewrite規則,那么會自下而下逐個檢查;被某條件規則替換完成后,會重新一輪的替換檢查,因此,隱含有循環機制;[flag]所表示的標志位用于控制此循環機制; 如果replacement是以http://或https://開頭,則替換結果會直接以重向返回給客戶端; 301:永久重定向; [flag]: last:重寫完成后停止對當前URI在當前location中后續的其它重寫操作,而后對新的URI啟動新一輪重寫檢查;提前重啟新一輪循環; break:重寫完成后停止對當前URI在當前location中后續的其它重寫操作,而后直接跳轉至重寫規則配置塊之后的其它配置;結束循環; redirect:重寫完成后以臨時重定向方式直接返回重寫后生成的新URI給客戶端,由客戶端重新發起請求;不能以http://或https://開頭; permanent:重寫完成后以永久重定向方式直接返回重寫后生成的新URI給客戶端,由客戶端重新發起請求; (2)、return return code [text]; return code URL; return URL; Stops processing and returns the specified code to a client. (3)、 rewrite_log on | off; 是否開啟重寫日志; (4)、 if (condition) { ... } 引入一個新的配置上下文 ;條件滿足時,執行配置塊中的配置指令;server, location; condition: 比較操作符: == != ~:模式匹配,區分字符大小寫; ~*:模式匹配,不區分字符大小寫; !~:模式不匹配,區分字符大小寫; !~*:模式不匹配,不區分字符大小寫; 文件及目錄存在性判斷: -e, !-e -f, !-f -d, !-d -x, !-x (5)、set $variable value; 用戶自定義變量 ; 7.ngx_http_referer_module模塊: The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the “Referer” header field. (1)、valid_referers none | blocked | server_names | string ...; 定義referer首部的合法可用值; none:請求報文首部沒有referer首部; blocked:請求報文的referer首部沒有值; server_names:參數,其可以有值作為主機名或主機名模式; arbitrary_string:直接字符串,但可使用*作通配符; regular expression:被指定的正則表達式模式匹配到的字符串;要使用~打頭,例如 ~.*\.magedu\.com; 配置示例: valid_referers none block server_names *.magedu.com *.mageedu.com magedu.* mageedu.* ~\.magedu\.; if($invalid_referer) { return http://www.magedu.com/invalid.jpg; }
8.ngx_http_proxy_module模塊: The ngx_http_proxy_module module allows passing requests to another server. (1)、proxy_pass URL; Context: location, if in location, limit_except 注意:proxy_pass后面的路徑不帶uri時,其會將location的uri傳遞給后端主機; server { ... server_name HOSTNAME; location /uri/ { proxy http://hos[:port]; } ... } http://HOSTNAME/uri --> http://host/uri proxy_pass后面的路徑是一個uri時,其會將location的uri替換為proxy_pass的uri; server { ... server_name HOSTNAME; location /uri/ { proxy http://host/new_uri/; } ... } http://HOSTNAME/uri/ --> http://host/new_uri/ 如果location定義其uri時使用了正則表達式的模式,或在if語句或limt_execept中使用proxy_pass指令,則proxy_pass之后必須不能使用uri; 用戶請求時傳遞的uri將直接附加代理到的服務的之后; server { ... server_name HOSTNAME; location ~|~* /uri/ { proxy http://host; } ... } http://HOSTNAME/uri/ --> http://host/uri/; (2)、proxy_set_header field value; 設定發往后端主機的請求報文的請求首部的值;Context: http, server, location proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; (3)、proxy_cache_path 定義可用于proxy功能的緩存;Context: http proxy_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time]; (4)、proxy_cache zone | off; 指明要調用的緩存,或關閉緩存機制;Context: http, server, location (5)、 proxy_cache_key string; 緩存中用于“鍵”的內容; 默認值:proxy_cache_key $scheme$proxy_host$request_uri; (6)、proxy_cache_valid [code ...] time; 定義對特定響應碼的響應內容的緩存時長; 定義在http{...}中; proxy_cache_path /var/cache/nginx/proxy_cache levels=1:1:1 keys_zone=pxycache:20m max_size=1g; 定義在需要調用緩存功能的配置段,例如server{...}; proxy_cache pxycache; proxy_cache_key $request_uri; proxy_cache_valid 200 302 301 1h; proxy_cache_valid any 1m; (7)、proxy_cache_use_stale proxy_cache_use_stale error | timeout | invalid_header | updating | http_500 | http_502 | http_503 | http_504 | http_403 | http_404 | off ...; Determines in which cases a stale cached response can be used when an error occurs during communication with the proxied server. (8)、proxy_cache_methods GET | HEAD | POST ...; If the client request method is listed in this directive then the response will be cached. “GET” and “HEAD” methods are always added to the list, though it is recommended to specify them explicitly. (9)、proxy_hide_header field; By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. (10)、proxy_connect_timeout time; Defines a timeout for establishing a connection with a proxied server. It should be noted that this timeout cannot usually exceed 75 seconds. 默認為60s;最長為75s; (11)、proxy_read_timeout time; Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. (12)、proxy_send_timeout time; Sets a timeout for transmitting a request to the proxied server. he timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. ngx_http_headers_module模塊 The ngx_http_headers_module module allows adding the “Expires” and “Cache-Control” header fields, and arbitrary fields, to a response header. 向由代理服務器響應給客戶端的響應報文添加自定義首部,或修改指定首部的值; 1、add_header name value [always]; 添加自定義首部; add_header X-Via $server_addr; add_header X-Accel $server_name; 2、expires [modified] time; expires epoch | max | off; 用于定義Expire或Cache-Control首部的值;
9.ngx_http_fastcgi_module模塊: The ngx_http_fastcgi_module module allows passing requests to a FastCGI server. (1)、fastcgi_pass address; address為fastcgi server的地址; location, if in location; http://www.ilinux.io/admin/index.php --> /admin/index.php (uri) /data/application/admin/index.php
(2)、fastcgi_index name; fastcgi默認的主頁資源; (3)、fastcgi_param parameter value [if_not_empty]; Sets a parameter that should be passed to the FastCGI server. The value can contain text, variables, and their combination. 配置示例1: 前提:配置好fpm server和mariadb-server服務; location ~* \.php$ { root ? ? ? ? ? /usr/share/nginx/html; fastcgi_pass ? 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name; include ? ? ? fastcgi_params; } 配置示例2:通過/pm_status和/ping來獲取fpm server狀態信息; location ~* ^/(pm_status|ping)$ { include ? ? ? fastcgi_params; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; } (4)、fastcgi_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time]; 定義fastcgi的緩存;緩存位置為磁盤上的文件系統,由path所指定路徑來定義; levels=levels:緩存目錄的層級數量,以及每一級的目錄數量;levels=ONE:TWO:THREE leves=1:2:2 keys_zone=name:size k/v映射的內存空間的名稱及大小 inactive=time 非活動時長 max_size=size 磁盤上用于緩存數據的緩存空間上限 (5)、fastcgi_cache zone | off; 調用指定的緩存空間來緩存數據;http, server, location (6)、fastcgi_cache_key string; 定義用作緩存項的key的字符串; (7)、fastcgi_cache_methods GET | HEAD | POST ...; 為哪些請求方法使用緩存; (8)、fastcgi_cache_min_uses number; 緩存空間中的緩存項在inactive定義的非活動時間內至少要被訪問到此處所指定的次數方可被認作活動項; (9)、fastcgi_cache_valid [code ...] time; 不同的響應碼各自的緩存時長; 示例: http { ... fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2:1 keys_zone=fcgi:20m inactive=120s; ... server { ... location ~* \.php$ { ... fastcgi_cache fcgi; fastcgi_cache_key $request_uri; fastcgi_cache_valid 200 302 10m; fastcgi_cache_valid 301 1h; fastcgi_cache_valid any 1m; ... } ... } ... } 10、fastcgi_keep_conn on | off; By default, a FastCGI server will close a connection right after sending the response. However, when this directive is set to the value on, nginx will instruct a FastCGI server to keep connections open.
The ngx_http_upstream_module module is used to define groups of servers that can be referenced by the proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, and memcached_pass directives.
10.ngx_http_upstream_module模塊 The ngx_http_upstream_module module is used to define groups of servers that can be referenced by the proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, and memcached_pass directives. (1)、upstream name { ... } 定義后端服務器組,會引入一個新的上下文;Context: http upstream httpdsrvs { server ... server... ... } (2)、server address [parameters]; 在upstream上下文中server成員,以及相關的參數;Context: upstream address的表示格式: unix:/PATH/TO/SOME_SOCK_FILE IP[:PORT] HOSTNAME[:PORT] parameters: weight=number 權重,默認為1; max_fails=number 失敗嘗試最大次數;超出此處指定的次數時,server將被標記為不可用; fail_timeout=time 設置將服務器標記為不可用狀態的超時時長; max_conns 當前的服務器的最大并發連接數; backup 將服務器標記為“備用”,即所有服務器均不可用時此服務器才啟用; down 標記為“不可用”; (3)、least_conn; 最少連接調度算法,當server擁有不同的權重時其為wlc; (4)、 ip_hash; 源地址hash調度方法; (5)、hash key [consistent]; 基于指定的key的hash表來實現對請求的調度,此處的key可以直接文本、變量或二者的組合; 作用:將請求分類,同一類請求將發往同一個upstream server; If the consistent parameter is specified the ketama consistent hashing method will be used instead. 示例: hash $request_uri consistent; hash $remote_addr; (6)、keepalive connections; 為每個worker進程保留的空閑的長連接數量; 11.ngx_stream_core_module模塊 模擬反代基于tcp或udp的服務連接,即工作于傳輸層的反代或調度器; (1)、stream { ... } 定義stream相關的服務;Context:main stream { upstream sshsrvs { server 192.168.22.2:22; server 192.168.22.3:22; least_conn; } ? server { listen 10.1.0.6:22022; proxy_pass sshsrvs; } } ()2、listen listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off| [keepidle]:[keepintvl]:[keepcnt]];
本文來自投稿,不代表Linux運維部落立場,如若轉載,請注明出處:http://www.www58058.com/102181