Nginx in Practice: Study Notes

Nginx in Practice

nginx documentation

All of the relevant configuration can be found in the documentation.

Downloading and installing nginx

root@iZf8ziiqagwfxvra7net95Z:/home# wget https://nginx.org/download/nginx-1.24.0.tar.gz
--2024-03-20 20:23:36-- https://nginx.org/download/nginx-1.24.0.tar.gz
Resolving nginx.org (nginx.org)... 52.58.199.22, 3.125.197.172, 2a05:d014:5c0:2601::6, ...
Connecting to nginx.org (nginx.org)|52.58.199.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1112471 (1.1M) [application/octet-stream]
Saving to: ‘nginx-1.24.0.tar.gz’

nginx-1.24.0.t 100% 1.06M 1.07MB/s in 1.0s

2024-03-20 20:23:39 (1.07 MB/s) - ‘nginx-1.24.0.tar.gz’ saved [1112471/1112471]
root@iZf8ziiqagwfxvra7net95Z:/home/nginx-1.24.0# ./configure --help

--help print this message

--prefix=PATH set installation prefix
--sbin-path=PATH set nginx binary pathname
--modules-path=PATH set modules path
--conf-path=PATH set nginx.conf pathname
--error-log-path=PATH set error log pathname
--pid-path=PATH set nginx.pid pathname
--lock-path=PATH set nginx.lock pathname

--user=USER set non-privileged user for
worker processes
--group=GROUP set non-privileged group for
worker processes

--build=NAME set build name
--builddir=DIR set build directory

--with-select_module enable select module
--without-select_module disable select module
--with-poll_module enable poll module
--without-poll_module disable poll module

--with-threads enable thread pool support

--with-file-aio enable file AIO support

--with-http_ssl_module enable ngx_http_ssl_module
--with-http_v2_module enable ngx_http_v2_module
--with-http_realip_module enable ngx_http_realip_module
--with-http_addition_module enable ngx_http_addition_module
--with-http_xslt_module enable ngx_http_xslt_module
--with-http_xslt_module=dynamic enable dynamic ngx_http_xslt_module
--with-http_image_filter_module enable ngx_http_image_filter_module
--with-http_image_filter_module=dynamic
enable dynamic ngx_http_image_filter_module
--with-http_geoip_module enable ngx_http_geoip_module
--with-http_geoip_module=dynamic enable dynamic ngx_http_geoip_module
--with-http_sub_module enable ngx_http_sub_module
--with-http_dav_module enable ngx_http_dav_module
--with-http_flv_module enable ngx_http_flv_module
--with-http_mp4_module enable ngx_http_mp4_module
--with-http_gunzip_module enable ngx_http_gunzip_module
--with-http_gzip_static_module enable ngx_http_gzip_static_module
--with-http_auth_request_module enable ngx_http_auth_request_module
--with-http_random_index_module enable ngx_http_random_index_module
--with-http_secure_link_module enable ngx_http_secure_link_module
--with-http_degradation_module enable ngx_http_degradation_module
--with-http_slice_module enable ngx_http_slice_module
--with-http_stub_status_module enable ngx_http_stub_status_module

--without-http_charset_module disable ngx_http_charset_module
--without-http_gzip_module disable ngx_http_gzip_module
--without-http_ssi_module disable ngx_http_ssi_module
--without-http_userid_module disable ngx_http_userid_module
--without-http_access_module disable ngx_http_access_module
--without-http_auth_basic_module disable ngx_http_auth_basic_module
--without-http_mirror_module disable ngx_http_mirror_module
--without-http_autoindex_module disable ngx_http_autoindex_module
--without-http_geo_module disable ngx_http_geo_module
--without-http_map_module disable ngx_http_map_module
--without-http_split_clients_module disable ngx_http_split_clients_module
--without-http_referer_module disable ngx_http_referer_module
--without-http_rewrite_module disable ngx_http_rewrite_module
--without-http_proxy_module disable ngx_http_proxy_module
--without-http_fastcgi_module disable ngx_http_fastcgi_module
--without-http_uwsgi_module disable ngx_http_uwsgi_module
--without-http_scgi_module disable ngx_http_scgi_module
--without-http_grpc_module disable ngx_http_grpc_module
--without-http_memcached_module disable ngx_http_memcached_module
--without-http_limit_conn_module disable ngx_http_limit_conn_module
--without-http_limit_req_module disable ngx_http_limit_req_module
--without-http_empty_gif_module disable ngx_http_empty_gif_module
--without-http_browser_module disable ngx_http_browser_module
--without-http_upstream_hash_module
disable ngx_http_upstream_hash_module
--without-http_upstream_ip_hash_module
disable ngx_http_upstream_ip_hash_module
--without-http_upstream_least_conn_module
disable ngx_http_upstream_least_conn_module
--without-http_upstream_random_module
disable ngx_http_upstream_random_module
--without-http_upstream_keepalive_module
disable ngx_http_upstream_keepalive_module
--without-http_upstream_zone_module
disable ngx_http_upstream_zone_module

--with-http_perl_module enable ngx_http_perl_module
--with-http_perl_module=dynamic enable dynamic ngx_http_perl_module
--with-perl_modules_path=PATH set Perl modules path
--with-perl=PATH set perl binary pathname

--http-log-path=PATH set http access log pathname
--http-client-body-temp-path=PATH set path to store
http client request body temporary files
--http-proxy-temp-path=PATH set path to store
http proxy temporary files
--http-fastcgi-temp-path=PATH set path to store
http fastcgi temporary files
--http-uwsgi-temp-path=PATH set path to store
http uwsgi temporary files
--http-scgi-temp-path=PATH set path to store
http scgi temporary files

--without-http disable HTTP server
--without-http-cache disable HTTP cache

--with-mail enable POP3/IMAP4/SMTP proxy module
--with-mail=dynamic enable dynamic POP3/IMAP4/SMTP proxy module
--with-mail_ssl_module enable ngx_mail_ssl_module
--without-mail_pop3_module disable ngx_mail_pop3_module
--without-mail_imap_module disable ngx_mail_imap_module
--without-mail_smtp_module disable ngx_mail_smtp_module

--with-stream enable TCP/UDP proxy module
--with-stream=dynamic enable dynamic TCP/UDP proxy module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_realip_module enable ngx_stream_realip_module
--with-stream_geoip_module enable ngx_stream_geoip_module
--with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--without-stream_limit_conn_module disable ngx_stream_limit_conn_module
--without-stream_access_module disable ngx_stream_access_module
--without-stream_geo_module disable ngx_stream_geo_module
--without-stream_map_module disable ngx_stream_map_module
--without-stream_split_clients_module
disable ngx_stream_split_clients_module
--without-stream_return_module disable ngx_stream_return_module
--without-stream_set_module disable ngx_stream_set_module
--without-stream_upstream_hash_module
disable ngx_stream_upstream_hash_module
--without-stream_upstream_least_conn_module
disable ngx_stream_upstream_least_conn_module
--without-stream_upstream_random_module
disable ngx_stream_upstream_random_module
--without-stream_upstream_zone_module
disable ngx_stream_upstream_zone_module

--with-google_perftools_module enable ngx_google_perftools_module
--with-cpp_test_module enable ngx_cpp_test_module

--add-module=PATH enable external module
--add-dynamic-module=PATH enable dynamic external module

--with-compat dynamic modules compatibility

--with-cc=PATH set C compiler pathname
--with-cpp=PATH set C preprocessor pathname
--with-cc-opt=OPTIONS set additional C compiler options
--with-ld-opt=OPTIONS set additional linker options
--with-cpu-opt=CPU build for the specified CPU, valid values:
pentium, pentiumpro, pentium3, pentium4,
athlon, opteron, sparc32, sparc64, ppc64

--without-pcre disable PCRE library usage
--with-pcre force PCRE library usage
--with-pcre=DIR set path to PCRE library sources
--with-pcre-opt=OPTIONS set additional build options for PCRE
--with-pcre-jit build PCRE with JIT compilation support
--without-pcre2 do not use PCRE2 library

--with-zlib=DIR set path to zlib library sources
--with-zlib-opt=OPTIONS set additional build options for zlib
--with-zlib-asm=CPU use zlib assembler sources optimized
for the specified CPU, valid values:
pentium, pentiumpro

--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources

--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL

--with-debug enable debug logging

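Options prefixed with --with are modules that nginx does not compile into the binary by default; those prefixed with --without are compiled into the binary by default.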

root@iZf8ziiqagwfxvra7net95Z:/home/nginx-1.24.0# ./configure --prefix=/home/nginx
checking for OS
+ Linux 5.15.0-71-generic x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 11.3.0 (Ubuntu 11.3.0-1ubuntu1~22.04)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... found
checking for eventfd() ... found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for prctl(PR_SET_KEEPCAPS) ... found
checking for capabilities ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for UDP_SEGMENT ... found
checking for nobody group ... not found
checking for nogroup group ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... found
checking for sched_yield() ... found
checking for sched_setaffinity() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for strerrordesc_np() ... found
checking for localtime_r() ... found
checking for clock_gettime(CLOCK_MONOTONIC) ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for ioctl(FIONREAD) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
checking for PCRE2 library ... not found
checking for PCRE library ... not found
checking for PCRE library in /usr/local/ ... not found
checking for PCRE library in /usr/include/pcre/ ... not found
checking for PCRE library in /usr/pkg/ ... not found
checking for PCRE library in /opt/local/ ... not found

./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option, or install the PCRE library into the system, or build the PCRE library
statically from the source with nginx by using --with-pcre=<path> option.

The configure run shows that PCRE is missing. Installing it is enough.

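Common static server configuration

Use location to specify where static resources live; take care to distinguish root from alias.

Nginx series: the difference between the root and alias directives - Tencent Cloud Developer Community - Tencent Cloud (tencent.com)

Turning on nginx's gzip shrinks the text files being transferred and improves the efficiency of static resource delivery.

autoindex provides users with a directory listing.

set $limit_rate 1k limits the rate at which the nginx server transfers data to the client browser to 1k. This guarantees that basic small files can still be transferred when many users are competing for bandwidth.

log_format defines the log format. access_log specifies the log path for the block it belongs to.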
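The directives from this section combined into one server block, as an added example that is not from the original post. The paths, the port and the format name static_fmt are assumptions.

```nginx
# Added example: goes inside the http { } block of nginx.conf.
# All paths, the port and the log format name are assumed values.

# log_format is only valid at http level; access_log is then set per block.
log_format  static_fmt  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $bytes_sent "$http_referer" "$http_user_agent"';

gzip            on;
gzip_min_length 1k;      # very small responses are not worth compressing
gzip_comp_level 2;
# text/html is always compressed; list the other text types explicitly.
gzip_types      text/plain text/css application/javascript application/json;

server {
    listen      8080;
    server_name localhost;

    access_log  logs/static.access.log  static_fmt;

    # root: the full request URI is appended to the path.
    #   /assets/app.css  ->  /home/nginx/www/assets/app.css
    location /assets/ {
        root /home/nginx/www;
    }

    # alias: the matched location prefix is replaced by the path.
    #   /docs/a.txt  ->  /home/nginx/files/a.txt
    # Keep the trailing slash on both the location and the alias so the
    # prefix maps to exactly this directory.
    location /docs/ {
        alias /home/nginx/files/;
        autoindex on;        # directory listing: enable only for directories
                             # whose full contents are meant to be public
        set $limit_rate 1k;  # cap the response rate at 1k bytes per second
    }
}
```

Run nginx -t after editing to check the syntax before reloading.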

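Reverse proxy configuration

Setting up a reverse proxy requires attention to a few details (the proxy_set_header part below).

There is one TCP connection between the client browser and the reverse proxy server, and a separate TCP connection between the reverse proxy server and the upstream server, so proxy_set_header X-Real-IP $remote_addr is needed to tell the upstream service the real IP address.
Likewise, the Host setting is there to tell the upstream server the real domain name the browser used.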

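proxy_cache sets up a cache on the reverse proxy server, so some static content no longer has to be fetched from the upstream server; for small and medium-sized sites the speedup is noticeable.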
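A reverse proxy block that uses the proxy_set_header and proxy_cache directives described in this section, as an added example that is not from the original post. The upstream address, cache path, zone name my_cache and server_name are assumptions.

```nginx
# Added example: goes inside the http { } block of nginx.conf.
# Upstream address, cache path, zone name and server_name are assumed values.

upstream backend {
    server 127.0.0.1:8081;   # assumed upstream, listening on loopback only
}

# Cache storage: 10 MB of shared memory for keys, at most 1 GB on disk,
# entries not requested for 60 minutes are removed.
proxy_cache_path /home/nginx/cache levels=1:2 keys_zone=my_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

server {
    listen      80;
    server_name example.com;

    location / {
        # The upstream only sees the proxy's own TCP connection, so the
        # client-side values have to be passed along explicitly.
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent. X-Real-IP is overwritten here,
        # so it is the value the upstream can rely on.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_cache       my_cache;
        proxy_cache_key   $host$uri$is_args$args;
        proxy_cache_valid 200 304 302 1d;

        # Expose HIT / MISS / EXPIRED so cache behaviour can be checked.
        add_header X-Cache-Status $upstream_cache_status;

        proxy_pass http://backend;
    }
}
```

The X-Real-IP value is only trustworthy if the upstream accepts connections from the proxy alone, which is why the assumed upstream binds to loopback.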

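GoAccess: visualizing nginx logs

GoAccess - Chinese site - visual web log analysis tool

SSL

Performance bottlenecks of the SSL protocol handshake

Small files → RSA, focus on the handshake

Large files → AES, focus on data encryption

Upgrading to https with a free SSL certificate: use the certbot tool.

OpenResty Lua

OpenResty is nginx bundled with many third-party modules; it lets you extend nginx's functionality in Lua.

Nginx basic architecture

Nginx request processing flow

The right solution to any given problem differs with the order of magnitude of the request volume.

Nginx process structure

Single-process structure: not suitable for production

Multi-process structure: high reliability and high availability

Why a multi-process architecture rather than a multi-threaded one?

To guarantee high availability and high reliability. Threads share one memory address space, so if nginx were multi-threaded, a memory segmentation fault caused by some third-party module would crash all of nginx. The memory spaces of separate processes are isolated from each other.

master-worker process architecture

Third parties generally do not add extensions to the MASTER PROCESS; the MASTER PROCESS is there to manage the Child Processes.

The Child Processes are what actually handle requests.

There are many workers; matching each worker to a CPU core raises the CPU cache hit rate.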

Nginx process management signals

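Nginx request switching

Traditional servers: one thread handles only one connection and relies on OS process scheduling for concurrency

Nginx: one thread handles many connections at once; user-space code switches between connections, keeping OS process switches to a minimum

Synchronous & asynchronous, blocking & non-blocking

This usually refers to a process calling a method provided by an underlying library, which comes in a blocking and a non-blocking form. The difference is:

Blocking: the process calls a blocking method provided by the system; when the condition is not met the process is put to sleep and the OS kernel switches to another process

Non-blocking: the process that calls the non-blocking method is not switched out before its time slice is used up

Taking accept as an example:

Most programs call accept in blocking mode, which causes voluntary process switches. This does not suit nginx, which has to handle highly concurrent connections.

Nginx uses non-blocking accept: when the accept queue is empty it does not voluntarily switch processes but returns an EAGAIN error, and your code decides whether to switch to a new task.

Synchronous versus asynchronous is more a matter of how the program is written.

For example, nginx's reverse proxy assumes by default that the upstream server's processing capacity is insufficient, so it reads the request body with an asynchronous call and performs the next step only after the body has been read in full.

Non-blocking asynchronous calls increase program complexity.

With OpenResty Lua, code that makes synchronous calls in a non-blocking way is somewhat simpler.

Nginx modules

Nginx's modular design is excellent and has stayed the same from the first version until now.

Nginx modules are compiled into the nginx binary.

nginx documentation

Every official nginx module is described in detail in the documentation. You can also read the source code to see a module's configuration directives and usage.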

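Go into objs and look at ngx_modules.c to see every module that was compiled into nginx.

The command_t in each module's .c source file shows how the module is used; for example, the files under src/http/nginx

This lets you work out the usage of poorly documented third-party modules by reading their source.

Nginx modules are cohesive and abstract.

Cohesion: each relatively independent function lives in its own module

Abstraction: the traits every module should have are abstracted out, such as the start and stop callback methods

Module categories: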

NGX_CORE_MODULE

  • NGX_EVENT_MODULE
  • NGX_HTTP_MODULE
  • NGX_CONF_MODULE
  • NGX_STREAM_MODULE
  • NGX_MAIL_MODULE

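nginx connection pool

Core functionality (nginx.org)

worker_connections often needs to be changed; the default of 512 is rather small.

Core data structures: ngx_event_s and ngx_connection_s

One connection takes about 96 bytes * 2 (one read event, one write event) + 232 bytes (the connection itself)

bytes_sent is the number of bytes sent to the client and is commonly recorded in logs

Memory pools

In some rare situations you may need to change the size of the memory pools nginx allocates at initialization.

Connection memory pool

Request memory pool

Module ngx_http_core_module connection_pool_size

Module ngx_http_core_module request_pool_size

Why do the two memory pools differ so much in size? Because a connection needs to record more context information. A request mainly records the headers and the URL.

Shared memory

Different workers live in different processes and pass data through shared memory.

Tools this brings in: locks (contention), slab (managing different objects)

Users of shared memory: Ngx_http_lua_api, rbtree, singly linked list

Every red-black tree node needs memory; how is that managed effectively?

→ slab memory management (allocates using the bestfits method)

Tengine's ngx_slab_stat can be used to view slab usage

Have Tengine's ngx_slab_stat module compiled in when building OpenResty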

./configure --add-module=../tengine-2.2.2/modules/ngx_slab_stat/

Nginx in Practice: Study Notes
http://thinkerhui.site/2024/03/22/自学研究/Nginx实战学习/
Author: thinkerhui
Published: March 22, 2024