OpenResty实战
充鑫鹏
- 核心:Nginx核心
- 安装
- yum -y install yum-utils(包含yum-config-manager软件包)
- yum-config-manager --add-repo https://openresty.org/yum/cn/centos/OpenResty.repo
- 配置文件:/usr/local/openresty/nginx/conf/nginx.conf
- 网站存放目录:/usr/local/openresty/nginx/html/
- 启动:systemctl start openresty
- 检查配置:openresty -t
- 重启:openresty -s reload
- 创建本地ssl证书访问HTTPS站点:
- 检查openresty是否安装https模块
- Nginx -V:--with-http_ssl_module
- 创建私钥和证书:
- openssl genrsa -des3 -out server.key 1024
- Enter pass phrase for server.key:
- Verifying - Enter pass phrase for server.key:
- 连续两次输入密码
- 目录下生成server.key 文件
- openssl genrsa -des3 -out server.key 1024
- 创建签名请求的证书(CSR)
- openssl req -new -key server.key -out server.csr
- 此时当前目录下生成server.csr server.key两个文件
- openssl req -new -key server.key -out server.csr
- 在加载SSL支持的Nginx并使用上述私钥时除去必须的口令
- cp server.key server.key.org
- openssl rsa -in server.key.org -out server.key
- Enter pass phrase for server.key.org:
- writing RSA key
- 此时重新生成server.key
- 将server.crt server.key文件拷贝到指定的key存放的目录中
- 修改站点配置文件
- 将server块的配置文件从主配置文件中分离
- 在主配置文件中引入站点配置文件
- include /usr/share/nginx/html/*.conf(自定义)
- http配置文件
- server {
- listen 80;
- server_name localhost;#替换为申请的域名
- set $template_root "/var/www/newcisco/templates";#模版的路径
- }
- HTTPS配置文件
- server {
- listen 443;
- server_name 192.168.1.98;
- set $template_root "/var/www/newcisco/templates";#模版的路径
- ssl on;
- ssl_certificate /var/www/newcisco/key/server.crt;#申请的ssl证书
- ssl_certificate_key /var/www/newcisco/key/server.key;#申请的ssl秘钥
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 5m;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;、
- root /var/www/newcisco/templates/static;
- #access_log logs/host.access.log main;
- location / {
- index index.html index.htm;
- }
- location /shizhan {
- index index.html index.htm;
- root /var/www/newcisco/items;
- }
- 检查配置并重启启动服务
- 测试:
- 使用浏览器进行访问的时候会弹出警告信息,告知该ssl证书是非法的,继续访问,方能正常打开需要的页面。
- 注意事项:
- server_name 使用域名时,需将服务器端和本地电脑端均在hosts文件中加入解析。
- 检查openresty是否安装https模块
- openresty优化
- 主配置文件优化:[/usr/local/openresty/nginx/conf/nginx.conf]
- user nobody nobody; #指定用户
- #建议为cpu核心的2倍,但不要超过16
- worker_processes 2;
- error_log logs/error.log info;
- pid logs/nginx.pid;
- worker_rlimit_nofile 65535;
- events {
- use epoll;
- worker_connections 65535;
- }
- http {
- include mime.types;
- default_type application/octet-stream;
- include /var/www/newcisco/newcisco.conf;#引入站点的配置文件
- log_format main '{"remote_addr": "$remote_addr", "remote_user": "$remote_user","time_local": "$time_local","request": "$request",'
- '"status": "$status", "body_bytes_sent":"$body_bytes_sent","http_referer": "$http_referer",'
- '"http_user_agent": "$http_user_agent", "http_x_forwarded_for":"$http_x_forwarded_for",'
- '"upstream_response_time":"$upstream_response_time","request_time":"$request_time"}';
- charset utf-8;
- access_log logs/access.log main;
- server_names_hash_bucket_size 128;
- client_header_buffer_size 32k;
- large_client_header_buffers 4 32k;
- server_tokens off;
- expires 1h;
- sendfile on;
- tcp_nopush on;
- keepalive_timeout 60;
- tcp_nodelay on;
- fastcgi_connect_timeout 20;
- fastcgi_send_timeout 30;
- fastcgi_read_timeout 120;
- fastcgi_buffer_size 256k;
- fastcgi_buffers 8 256k;
- fastcgi_busy_buffers_size 256k;
- fastcgi_temp_file_write_size 256k;
- fastcgi_temp_path /dev/shm;
- gzip on;
- gzip_min_length 2048;
- gzip_buffers 4 16k;
- gzip_http_version 1.1;
- gzip_types text/plain text/css application/xml application/x-javascript ;
- }
- 分离的站点配置文件优化:
- server {
- # 凡是使用IP地址访问的都给他500错误
- listen 80 default;
- server_name _;
- return 500;
- }
- server {
- listen 80;
- server_name www.newcisco.com;
- charset utf-8;
- rewrite ^(.*) https://$server_name$1 permanent;#设置访问http后自动进行跳转到https
- }
- server {
- listen 443;
- server_name www.newcisco.com;
- #set $template_root "/var/www/newcisco/templates";#模版的路径
- ##############
- ssl on;
- ssl_certificate /var/www/newcisco/key/server.crt;#申请的ssl证书
- ssl_certificate_key /var/www/newcisco/key/server.key;#申请的ssl秘钥
- # 分配10MB的共享内存缓存,不同工作进程共享TLS会话信息
- ssl_session_cache shared:SSL:10m;
- # 设置会话缓存过期时间24h
- ssl_session_timeout 1440m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA !DSS";
- ssl_session_tickets on;
- # 使用 “openssl rand -out session_ticket.key 48”命令生成 session_ticket.key文件
- ssl_session_ticket_key /var/www/newcisco/key/session_ticket.key;
- ###################
- root /var/www/newcisco/templates/static;
- #access_log logs/host.access.log main;
- location / {
- index index.html index.htm;
- }
- location /shizhan {
- index index.html index.htm;
- root /var/www/newcisco/items;
- }
- }
- 主配置文件优化:[/usr/local/openresty/nginx/conf/nginx.conf]
- 将php关联openresty
- php7安装
- rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
- rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
- yum install -y \
- php71w-common \
- php71w-bcmath \
- php71w-fpm \
- php71w-opcache \
- php71w-gd \
- php71w-mysqlnd \
- php71w-mbstring \
- php71w-pecl-redis \
- php71w-devel \
- php71w-pecl-mongodb \
- php71w-mcrypt
- 创建php存放目录
- 在站点配置文件中的添加:
- location ~ \.php$ {
- root /var/www/newcisco/phptest;
- fastcgi_pass 127.0.0.1:9000;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME /$document_root$fastcgi_script_name;
- include fastcgi_params;
- }
- php7安装
- Nginx进程
- nginx 启动后,在 unix 系统中会以 daemon 的方式在后台运行,后台进程包含一个 master 进程和多个 worker 进程(你可以理解为工人和管理员)。
- master
- 当 nginx 在启动后,会有一个 master 进程和多个 worker 进程。master进程主要用来管理worker进程,master 要做的就是:接收来自外界的信号,向各 worker 进程发送信号,监控 worker 进程的运行状态,当 worker 进程退出后(异常情况下),会自动重新启动新的 worker 进程。
- 主要完成如下工作:
- 读取并验证配置信息;
- 创建、绑定及关闭套接字;
- 启动、终止 worker 进程及维护 worker 进程的个数;
- 无须中止服务而重新配置工作;
- 控制非中断式程序升级,启用新的二进制程序并在需要时回滚至老版本;
- 重新打开日志文件;
- 编译嵌入式 perl 脚本
- worker
- 对于基本的网络事件,则是放在 worker 进程中来处理了。多个 worker 进程之间是对等的,他们同等竞争来自客户端的请求,各进程互相之间是独立的。一个请求,只可能在一个 worker 进程中处理,一个 worker 进程,不可能处理其它进程的请求(一对一)。然而 nginx 没有专门地仲裁或连接分布的 worker,这项工作是由操作系统内核机制完成的。在启动时,创建一组初始的监听套接字,HTTP 请求和响应之时,worker 连续接收、读取和写入套接字。
- worker 进程主要完成的任务包括
- 接收、传入并处理来自客户端的连接;
- 提供反向代理及过滤功能;
- nginx 任何能完成的其它任务
类似资料: