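Study notes for the Developer Academy course "Linux Web Server Nginx Setup and Configuration: nginx enterprise application configuration-3". The notes follow the course closely so that readers can pick up the material quickly.
Course URL: https://developer.aliyun.com/learning/course/579/detail/7991
Quick study: nginx enterprise application configuration-3
Contents:
I. ngx_http_core_module
II. ngx_http_stub_status_module
III. ngx_http_log_module
IV. ngx_http_gzip_module
I. ngx_http_core_module
1. The ngx_http_core_module module
Configuration for restricting clients
1) limit_rate rate;
Limits the rate at which the response is sent to the client, in bytes/second
The default value 0 means no limit
2) limit_except method ... { ... }, usable only in location
Prevents clients from using any method other than the ones listed
method: GET, HEAD, POST, PUT, DELETE,
MKCOL, COPY, MOVE, OPTIONS, PROPFIND,
PROPPATCH, LOCK, UNLOCK, PATCH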
limit_except GET {
    allow 192.168.1.0/24;
    deny all;
}
Methods other than GET and HEAD may be used only by hosts in the 192.168.1.0/24 network
OPTIONS: probes which methods the remote site supports.
Example: probing the a.com site
[root@centos7 ~]#curl -XOPTIONS http://www.a.com/
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx</center>
</body>
</html>
//i.e. the OPTIONS method is not supported
location / {
    root /data/sitea;
    limit_except GET {
        allow 192.168.30.17/32;
        deny all;
    }
}
Switch to another host, 192.168.30.27, and test again
[root@centos7 ~]#yy httpd
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-67.el7.centos will be installed
--> Processing Dependency: httpd-tools = 2.4.6-67.el7.centos for package: httpd-2.4.6-67.el7.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-67.el7.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-67.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-67.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7.centos will be installed
---> Package httpd-tools.x86_64 0:2.4.6-67.el7.centos will be installed
---> Package mailcap.noarch 0:2.1. will be installed
--> Finished Dependency Resolution
[root@centos7 ~]#systemctl start httpd
On host 192.168.30.6:
[root@centos7 ~]#curl -XOPTIONS http://192.168.30.27/
On host 192.168.30.17:
[root@centos7 ~]#curl -XOPTIONS -I http://192.168.30.27/
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 09:17:50 GMT
Server: Apache/2.4.6 (centos)
Allow: OPTIONS,GET,HEAD,POST,TRACE
Content-Length: 0
Content-Type: httpd/unix-directory
[root@centos7 ~]#curl -XOPTIONS -I http://192.168.30.7/
HTTP/1.1 405 Not Allowed
Server: nginx
Date: Wed, 04 Jul 2018 09:18:17 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
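2. Configuration for optimizing file operations
3) aio on | off | threads[=pool];
Whether to enable aio
4) directio size | off;
When a file is at least the given size, for example directio 4m, it is written synchronously (directly) to disk instead of to the cache
5) open_file_cache off;
open_file_cache max=N [inactive=time];
nginx can cache the following three kinds of information:
(1) File metadata: the file descriptor, the file size and the time of the last modification
(2) Open directory structures
(3) Information about files that were not found or that could not be accessed for lack of permission
max=N: the upper limit on the number of cache entries; once the limit is reached, entries are managed with the LRU algorithm
inactive=time: the inactivity period for cache entries. An entry that nobody accesses within this period, that is not hit, or that is hit fewer times than the number set by the open_file_cache_min_uses directive counts as inactive and is removed
6) open_file_cache_errors on | off;
Whether to cache information about files whose lookup produced an error
The default value is off
7) open_file_cache_min_uses number;
Within the period set by the inactive parameter of the open_file_cache directive, an entry must be hit at least this many times to be classed as active
The default value is 1
8) open_file_cache_valid time;
How often the validity of cache entries is checked
The default value is 60s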
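3. The ngx_http_access_module module
Implements IP-based access control
1) allow address | CIDR | unix: | all;
2) deny address | CIDR | unix: | all;
Contexts: http, server, location, limit_except
Rules are checked from top to bottom and the first one that matches takes effect, so stricter conditions go first.
Example:
location / {
    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny all;
}
server {
    server_name www.a.com;
    root /data/sitea;
    error_page 404 /404.html;
    location / {
        root /data/sitea;
        #allow 192.168.30.17; deny all;
        deny all;
    }
}
The rules are checked in order from top to bottom, and once one matches the rest are not looked at. The stricter a rule is, that is, the narrower its condition, the earlier it should be placed.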
[root@centos7 ~]#curl -XPUT -I http://192.168.30.7/
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 04 Jul 2018 09:31:37 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
"a.com.conf" 11L, 202C written
Access is refused no matter where the request comes from
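The first-match evaluation described in this section, together with the limit_except behaviour from section 1, modelled as an added example (not code from the course or from nginx). `first_match`, `shadowed` and `limit_except` are hypothetical helper names, the `unix:` target is not modelled, and `MISORDERED` is a constructed rule list in which a deny can never fire.

```python
import ipaddress

# Rule list copied from the location / example above.
PAGE_RULES = [("deny", "192.168.1.1"), ("allow", "192.168.1.0/24"),
              ("allow", "10.1.1.0/16"), ("allow", "2001:0db8::/32"),
              ("deny", "all")]
# Constructed counter-example: the broad allow is placed before the narrow deny.
MISORDERED = [("allow", "192.168.1.0/24"), ("deny", "192.168.1.1"),
              ("deny", "all")]

def _net(target):
    # strict=False accepts CIDRs with host bits set, such as 10.1.1.0/16.
    return ipaddress.ip_network(target, strict=False)

def first_match(rules, client_ip):
    """Return (action, rule_index) of the first rule that matches client_ip.

    If no rule matches, access is allowed and the index is None.
    """
    ip = ipaddress.ip_address(client_ip)
    for i, (action, target) in enumerate(rules):
        if target == "all" or ip in _net(target):
            return action, i
    return "allow", None

def _covers(earlier, target):
    """True if every address matched by `target` is already matched by `earlier`."""
    if earlier == "all":
        return True
    if target == "all":
        return False
    a, b = _net(target), _net(earlier)
    return a.version == b.version and a.subnet_of(b)

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, (_, target) in enumerate(rules)
            if any(_covers(earlier, target) for _, earlier in rules[:i])]

def limit_except(method, client_ip, listed, rules):
    """Decision of a `limit_except <listed> { <rules> }` block for one request."""
    exempt = set(listed) | ({"HEAD"} if "GET" in listed else set())
    if method in exempt:
        return "allow"  # listed methods are not restricted at all
    return first_match(rules, client_ip)[0]

if __name__ == "__main__":
    print(first_match(MISORDERED, "192.168.1.1"), shadowed(MISORDERED))
```

Running `shadowed` over a rule list before reloading nginx catches a deny that sits behind a broader allow, which is the ordering mistake this section warns about.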
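4. The ngx_http_core_module module
Implements user-based access control, using the basic mechanism for user authentication
1) auth_basic string | off;
2) auth_basic_user_file file;
location /admin/ {
    auth_basic "Admin Area";
    # Limitation: nginx has no such file of its own, so the user account file has to be created with the httpd tools
    auth_basic_user_file /etc/nginx/.ngxpasswd;
}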
[root@centos7 sitea]#rpm -ql httpd-tools
/usr/bin/ab
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.6
/usr/share/doc/httpd-tools-2.4.6/LICENSE
/usr/share/doc/httpd-tools-2.4.6/NOTICE
/usr/share/man/man1/ab.1.gz
/usr/share/man/man1/htdbm.1.gz
/usr/share/man/man1/htdigest.1.gz
/usr/share/man/man1/htpasswd.1.gz
/usr/share/man/man1/httxt2dbm.1.gz
"a.com.conf" 13L, 258C written
//First-time creation of the account
[root@centos7 vhosts]#nginx
^C[root@centos7 vhosts]#pwd
/etc/nginx/conf.d/vhosts
[root@centos7 vhosts]#ls
a.com.conf  b.com.conf  c.com.conf
[root@centos7 vhosts]#htpasswd -cm nginxuser httpuser1
New password:
Re-type new password:
Adding password for user httpuser1
[root@centos7 vhosts]#cat nginxuser
httpuser1:$apr1$52zcUNaY$QoIoFKtj7HQ1/YBPSovjo.
[root@centos7 vhosts]#htpasswd -m nginxuser httpuser2
New password:
Re-type new password:
Adding password for user httpuser2
[root@centos7 vhosts]#cat nginxuser
httpuser1:$apr1$52zcUNaY$QoIoFKtj7HQ1/YBPSovjo.
//Require authentication for a specific directory
5. User password file
1) Plain text: format name:password:comment
2) Encrypted text: produced by the htpasswd command
Provided by httpd-tools
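A small audit of the user file format described above, as an added example that is not part of the course notes: it parses name:password:comment lines and reports how each password is stored. The helper names, the severity labels and the sample entries are assumptions of this example.

```python
# Password-field prefixes and the severity this example assigns to each scheme.
# The severity labels are an assumption of this example, not nginx output.
SCHEMES = [
    ("$apr1$", "apr1-md5", "medium"),      # what `htpasswd -m` writes
    ("{SHA}", "unsalted-sha1", "high"),
    ("{SSHA}", "salted-sha1", "medium"),
    ("{PLAIN}", "plaintext", "high"),
    ("$5$", "sha256-crypt", "ok"),
    ("$6$", "sha512-crypt", "ok"),
]

def classify(password):
    """Map one password field to (scheme, severity) by its prefix."""
    if not password:
        return "empty", "high"
    for prefix, scheme, severity in SCHEMES:
        if password.startswith(prefix):
            return scheme, severity
    return "unrecognised (plain text or legacy crypt)", "high"

def audit_htpasswd(text):
    """Return [(line_no, user, scheme, severity)] for name:password[:comment] lines."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            findings.append((line_no, user or "?", "malformed", "high"))
            continue
        if user in seen:
            findings.append((line_no, user, "duplicate user", "high"))
            continue
        seen.add(user)
        password = rest.split(":", 1)[0]  # drop the optional comment field
        findings.append((line_no, user) + classify(password))
    return findings

# Constructed sample file; the hashes are made-up strings, not real credentials.
SAMPLE = """\
alice:$apr1$abcdefgh$0123456789ABCDEFGHIJ..
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:not-a-hash:entry stored as plain text
alice:$6$saltsalt$made-up-hash
dave
"""

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```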