Nginx 常见配置总结

前面总结了几篇nginx的配置文档，但忽略了一些常用的配置，例如访问控制，目录索引，重定向等，因而需要在此记录下，方便熟悉nginx，在此总结的内容也比较肤浅，毕竟刚开始学习nginx,生产环境中使用的也都是Apache，要走的路还很长，要学习的内容也很多，多多努力吧…

1:针对主机的访问控制
[root@yunwei ~]# grep -A 3 -B 3 '192.168.50.40' /usr/local/nginx/conf/nginx.conf
        location / {
            root   html;
            index index.html index.htm;
            allow   192.168.50.40;   //支持整个网段，192.168.50.0/24这样的语法
            deny    all;
        }

[root@yunwei ~]# /usr/local/nginx/sbin/nginx -t
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@yunwei ~]# tail -f /usr/local/nginx/logs/access.log
192.168.50.40 - - [21/Jun/2010:15:42:58 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; 360SE)"

[root@yunwei ~]# tail -f /usr/local/nginx/logs/error.log
2010/06/21 15:43:53 [error] 21164#0: *15 access forbidden by rule, client: 192.168.50.27, server: localhost, request: "GET / HTTP/1.1", host: "192.168.50.3"

2：针对用户的访问控制
[root@yunwei ~]# grep -A 5 -B 5 'auth' /usr/local/nginx/conf/nginx.conf

        location / {
            root   html;
            index index.html index.htm;
            allow   192.168.50.0/24;
            deny    all;
            auth_basic "test";
            auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        }

        error_page 404              /404.html;

[root@yunwei ~]# /usr/local/apache2.2.15/bin/htpasswd -cd /usr/local/nginx/conf/.htpasswd yang
New password:
Re-type new password:
Adding password for user yang

3：开启自动索引功能
[root@yunwei ~]# grep -A 3 -B 3 'autoindex' /usr/local/nginx/conf/nginx.conf

        location / {
            root   html;
            autoindex on;
            index index.html index.htm;
            allow   192.168.50.0/24;
            deny    all;

4:整合ZendOptimizer
[root@yunwei ~]# cd /usr/local/src/tarbag/
[root@yunwei tarbag]# wget http://downloads.zend.com/optimizer/3.3.9/ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz
[root@yunwei tarbag]# tar -zxvf ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz -C ../software/
[root@yunwei tarbag]# mv ../software/ZendOptimizer-3.3.9-linux-glibc23-x86_64/ /usr/local/Zend3
[root@yunwei tarbag]# grep -i 'zend3' /usr/local/php5.2.13/etc/php.ini |grep -v ';'
zend_extension=/usr/local/Zend3/data/5_2_x_comp/ZendOptimizer.so

[root@yunwei tarbag]# service php-fpm restart
Shutting down php_fpm . done
Starting php_fpm done
[root@yunwei tarbag]# service nginx restart
nginx is restarted...

[root@yunwei tarbag]# /usr/local/php5.2.13/bin/php -m |grep -i zend
[Zend Modules]
Zend Optimizer

5: 整合memcached

[root@yunwei ~]# cd /usr/local/src/tarbag/
[root@yunwei tarbag]# wget http://pecl.php.net/get/memcache-2.2.5.tgz
[root@yunwei tarbag]# tar -zxvf memcache-2.2.5.tgz -C ../software/
[root@yunwei tarbag]# cd ../software/memcache-2.2.5/
[root@yunwei memcache-2.2.5]# /usr/local/php5.2.13/bin/phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519

[root@yunwei memcache-2.2.5]# ./configure --enable-memcache --with-php-config=/usr/local/php5.2.13/bin/php-config --with-zlib-dir
[root@yunwei memcache-2.2.5]# make && make install

………………………………………………输出省略………………………………………………
Installing shared extensions:     /usr/local/php5.2.13/lib/php/extensions/no-debug-non-zts-20060613/

[root@yunwei memcache-2.2.5]# grep -A 2 'extension_dir' /usr/local/php5.2.13/etc/php.ini |grep -v ';'
extension_dir = "/usr/local/php5.2.13/lib/php/extensions/no-debug-non-zts-20060613/"
extension=memcache.so

[root@yunwei memcache-2.2.5]# service php-fpm restart
Shutting down php_fpm . done
Starting php_fpm done
[root@yunwei memcache-2.2.5]# service nginx restart
nginx is restarted...

[root@yunwei memcache-2.2.5]# /usr/local/php5.2.13/bin/php -m |grep mem
memcache

6: 重定向
[root@yunwei ~]# grep -A 3 -B 8 'permanent' /usr/local/nginx/conf/nginx.conf
        location / {
            root   html;
            autoindex on;
            index index.html index.htm;
            allow   192.168.50.0/24;
            deny    all;
            auth_basic "test";
            auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
            rewrite /download http://apt.sw.be permanent;
        }

        error_page 404              /404.html;

[root@yunwei ~]# tail -f /usr/local/nginx/logs/access.log
192.168.50.40 - - [21/Jun/2010:09:57:13 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; 360SE)"

7:定义日志格式：
[root@yunwei ~]# grep -A 3 'log_format' /usr/local/nginx/conf/nginx.conf
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

[root@yunwei ~]# grep 'access_log' /usr/local/nginx/conf/nginx.conf
        access_log /usr/local/nginx/logs/localhost.log access;

[root@yunwei ~]# tail -f /usr/local/nginx/logs/localhost.log

192.168.50.40 - - [30/Aug/2010:17:04:29 +0800] "GET /themes/original/img/ HTTP/1.1" 200 2144 "http://192.168.50.3/themes/original/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2) Gecko/20100115 Firefox/3.6" "-"

8: 按时间来切割日志：
[root@yunwei ~]# cat cut_nginx_log.sh
#!/bin/sh
#function: cut nginx's log at 00:00 wtih crontab

log_path=/usr/local/nginx/logs

mkdir -p $log_path/$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")

mv $log_path/localhost.log $log_path/$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")/localhost_$(date -d "yesterday" +"%Y%m%d").log

kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`

9: 优化linux内核参数，将如下参数写入/etc/sysctl.conf文件，使用sysctl -p命令生效

net.ipv4.tcp_max_syn_backlog = 65535      //表示SYN队列的长度，默认为1024，加大队列长度为65535，可以容纳更多等待连接的网络连接数
net.core.netdev_max_backlog = 32768       //表示当网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目
net.core.somaxconn = 32768                   //默认值是128,这个值不能调高系统的最大连接数，但是能调高系统同时发起连接的tcp连接数
net.core.wmem_default = 8388608           //默认的TCP数据发送缓冲大小
net.core.rmem_default = 8388608            //默认的TCP数据接收缓冲大小
net.core.wmem_max     = 16777216          //默认的TCP数据发送缓冲大小
net.core.rmem_max     = 16777216          //默认的TCP数据接收缓冲大小
net.ipv4.tcp_timestamps = 0                     //时间戳可以避免序列号的卷绕。一个1Gbps的链路肯定会遇到以前用过的序列号。时间戳能够让内核接受这种“异常”的数据包
net.ipv4.tcp_synack_retries = 2        //这个设置决定了内核放弃连接之前发送SYN+ACK包的数量
net.ipv4.tcp_syn_retries = 2              //在内核放弃建立连接之前发送SYN包的数量
net.ipv4.tcp_tw_recycle = 1               //能够更快地回收TIME-WAIT套接字。缺省值是1。除非有技术专家的建议和要求，否则不应修改
net.ipv4.tcp_tw_reuse = 1                   //默认值是0,该文件表示是否允许重新应用处于TIME-WAIT状态的socket用于新的TCP连接
net.ipv4.ip_local_port_range = 1024 65535     //用于向外连接的端口范围。缺省情况下其实很小：1024到4999。
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 327680

/proc/sys/net/ipv4/tcp_max_orphans
系 统中最多有多少个TCP套接字不被关联到任何一个用户文件句柄上。如果超过这个数字，孤儿连接将即刻被复位并打印出警告信息。这个限制仅仅是为了防止简单的DoS攻击，你绝对不能过分依靠它或者人为地减小这个值，更应该增加这个值(如果增加了内存之后)

tcp_mem(3个INTEGER变量)：low, pressure, high

low：当TCP使用了低于该值的内存页面数时，TCP不会考虑释放内存。(理想情况下，这个值应与指定给 tcp_wmem 的第 2 个值相匹配 - 这第 2 个值表明，最大页面大小乘以最大并发请求数除以页大小 (131072 * 300 / 4096)。 )

pressure：当TCP使用了超过该值的内存页面数量时，TCP试图稳定其内存使用，进入pressure模式，当内存消耗低于low值时则退 出pressure状态。(理想情况下这个值应该是 TCP 可以使用的总缓冲区大小的最大值 (204800 * 300 / 4096)。 )

high：允许所有tcp sockets用于排队缓冲数据报的页面量。(如果超过这个值，TCP 连接将被拒绝，这就是为什么不要令其过于保守 (512000 * 300 / 4096) 的原因了。 在这种情况下，提供的价值很大，它能处理很多连接，是所预期的 2.5 倍；或者使现有连接能够传输 2.5 倍的数据)

10：nginx同tomcat的整合，java和tomcat的安装此处就不在赘述，可以参考

http://hi.baidu.com/naruto6006/blog/item/228bee425ee80b1b73f05da8.html

tomcat服务状态如下，监听80端口
[root@jsb-ylw-5024 ~]# netstat -ntpl |grep java
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                    LISTEN      923/java          
tcp        0      0 :::8009                           :::*                    LISTEN      3923/java          
tcp        0      0 :::80                               :::*                     LISTEN      3923/java    

修改nginx主配置文件相关内容如下：

upstream tomcat_server {
    server 192.168.50.24:80;}

location ~\.(jsp|jspx|do)?$ {
                proxy_set_header Host $host;
                proxy_set_header X-forwarded-For $remote_addr;
                proxy_pass http://tomcat_server;

检测配置文件语法，重启nginx服务：
[root@yunwei ~]# /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yunwei ~]# service nginx restart
nginx is restarted..

[root@jsb-ylw-5024 ~]# cat /www/tmp/index.jsp
<%@ page contentType="text/html; charset=gb2312" language="java" import="java.sql.*" errorPage="" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>301??¨?</title>
</head>

<body>
this is a jsp test page.....
<%
String requestPage = request.getRequestURI();
String queryString = (request.getQueryString() == null ? "" : "?" + request.getQueryString());
if(request.getRequestURL().indexOf("http://192.168.50.3") >=0) {
%>
this is jsp!!
<%
}
%>
</body>
</html>