NGINX

Tips

• /usr/share/nginx/html 静态文件目录

• /etc/nginx/nginx.conf 配置目录

• /etc/nginx/conf.d/*.conf 其他的配置目录

• /var/log/nginx/access.log 日志

• 核心变量

• 可在日志中使用 $request_time $upstream_response_time 来记录访问使用时间

• ngx_http_auth_request_module

  • 可将授权交由其他请求处理
  • 教程

• Reference

  • agentzh's Nginx Tutorials
  • Full Example Configuration
  • 第三方模块列表
  • Ngx PageSpeed
  • Doc
  • NGINX Reverse Proxy
  • NAXSI
    • is an open-source, high performance, low rules maintenance WAF for NGINX
    • NAXSI means Nginx Anti XSS & SQL Injection.

• denji/homebrew-nginx

• Virtual Hosts on nginx

# brew 安装
brew install nginx
# 查看已安装模块
nginx -V 2>&1 | tr -- - '\n' | grep 'module[^a-z=]'
# 基于当前目录启动
nginx -p $PWD -c nginx.conf -g 'daemon off;'

常用配置

Websocket 反向代理

location /chat/ {
    proxy_pass http://backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

也可以直接使用客户端的参数

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    server {
        # ...
        location /chat/ {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}

简单暴力的映射

sites.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name $http_host;
    root /sites/$http_host;
    access_log logs/$http_host;
    gzip on;
}

docker run --rm -it -v $PWD:/sites -v $PWD/sites.conf:/etc/nginx/conf.d/default.conf -p 8080:80 --name web wener/nginx

# 默认日志格式
log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
# 添加了压缩信息的日志
log_format compression '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $bytes_sent '
                       '"$http_referer" "$http_user_agent" "$gzip_ratio"';
# 添加了响应时间的日志
log_format timed  '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"'
                  '"$http_x_forwarded_for" $request_time $upstream_response_time';

https://www.nginx.com/resources/admin-guide/logging-and-monitoring/

$upstream_connect_time – The time spent on establishing a connection with an upstream server $upstream_header_time – The time between establishing a connection and receiving the first byte of the response header from the upstream server $upstream_response_time – The time between establishing a connection and receiving the last byte of the response body from the upstream server $request_time – The total time spent processing a request

常用配置

proxy.nginx

proxy_redirect          off;
proxy_set_header        Host                $host;
proxy_set_header        X-Real-IP           $remote_addr;
proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto   $scheme;
# client_max_body_size    200m;
# client_body_buffer_size 128k;
proxy_connect_timeout   90;
proxy_send_timeout      90;
proxy_read_timeout      90;
proxy_buffers           32 4k;

location / {
    proxy_pass http://mysvr;
    include conf/proxy.nginx;
}

proxy_ws.nginx

• 反向代理 websocket

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header        Host                $host;
proxy_set_header        X-Real-IP           $remote_addr;
proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto   $scheme;
proxy_buffering off;
proxy_redirect  off;
chunked_transfer_encoding off;
# 因为是 ws, 所以将超时时间设置的长一点
proxy_read_timeout 600s;

location /socket.io/ {
    proxy_pass http://mysvr/socket.io/;
    include conf/proxy_ws.nginx;
}

conf/proxy_ssl.nginx

• 反向代理 SSL
• Securing HTTP Traffic to Upstream Servers
• 还是需要证书信息, 因为 SNI

ssl_session_cache    shared:SSL:1m;
ssl_session_timeout  10m;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_verify_client off;
ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

proxy_elb.nginx

• https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
• http://scottwb.com/blog/2013/10/28/always-on-https-with-nginx-behind-an-elb/

pagespeed

https://github.com/apache/incubator-pagespeed-ngx

https://github.com/sitespeedio/sitespeed.io

Build ngx_pagespeed From Source https://www.modpagespeed.com/doc/build_ngx_pagespeed_from_source

https://en.wikipedia.org/wiki/Google_PageSpeed_Tools

主要内容

管理

代理和缓存

重写和访问控制

管理出入流

性能调优

listen

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

listen address[:port] [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen unix:path [default_server] [ssl] [http2 | spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

stream

• ngx_stream_core_module

  • 自 1.9.0

• ngx_stream_proxy_module

  • allows proxying data streams over TCP, UDP and UNIX-domain sockets.

• 参考

  • TCP/UDP Load Balancing with NGINX: Overview, Tips, and Tricks
  • Announcing UDP Load Balancing in NGINX
    • March 15, 2016

# Load balance UDP-based DNS traffic across two servers
stream {
    upstream dns_upstreams {
        server 192.168.136.130:53;
        server 192.168.136.131:53;
    }
    server {
        listen 53 udp;
        proxy_pass dns_upstreams;
        proxy_timeout 1s;
        proxy_responses 1;
        error_log logs/dns.log;
    }
}

ngx_stream_core_module
ngx_stream_access_module
ngx_stream_geo_module
ngx_stream_geoip_module
ngx_stream_js_module
ngx_stream_limit_conn_module
ngx_stream_log_module
ngx_stream_map_module
ngx_stream_proxy_module
ngx_stream_realip_module
ngx_stream_return_module
ngx_stream_split_clients_module
ngx_stream_ssl_module
ngx_stream_ssl_preread_module
ngx_stream_upstream_module
ngx_stream_upstream_hc_module

Choosing an NGINX Plus Load‑Balancing Technique https://www.nginx.com/blog/choosing-nginx-plus-load-balancing-techniques/

proxy_responses 控制 Nginx 应该等待上游返回多少信息

对于单 udp 会话, 不做特殊处理时, nginx 能够从上游接收到多个包, 但只会从下游接收到一个包. 因为下一次从下游接收到的包会认为是另外一个会话. 导致 udp 适用于下载但不适用于上传.

10 Tips for 10x Application Performance https://www.nginx.com/blog/10-tips-for-10x-application-performance/

IP Transparency and Direct Server Return with NGINX and NGINX Plus as Transparent Proxy https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/

https://www.kernel.org/doc/Documentation/networking/tproxy.txt https://github.com/benoitc/tproxy

tproxy 要求 upstream 修改默认路由, 保证所有请求都能被路由回去. 因此在 VPN 的情况下会有点尴尬

PROXY 10.0.1.1, 172.16.0.1

SERVER 10.0.2.1, 192.168.1.2

代理服务器通过 10.0.0.0/16 和后端服务器通讯, SERVER LAN 地址为 192.168.1.0/24, 要求 SERVER 能正确把包导回需修改默认路由为 10.0.1.1, 因此只能有一个前端的反向代理, 还是非常的不方便使用

如果有多个网卡, 还需要开启转发.

# server
route del default gw 172.16.0.1
route add default gw 10.0.1.1
route -n
# 或者使用 ip 命令
ip ro del default via 172.16.0.1 dev eth0
# proxy
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# 针对 80 端口
iptables -t mangle -A PREROUTING -p tcp -s 10.0.0.0/16 --sport 80 -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -L