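Comparison of differences
Apache | Nginx
Cumbersome configuration | Relatively simple configuration
Native support for dynamic and static pages | Supports static pages
Modules are relatively secure | High-performance modules are released quickly; active community
Relatively few bugs, higher resource consumption | Relatively more bugs, lower resource consumption
Better support for encryption | Better support for reverse proxying
Synchronous, blocking application | Asynchronous, non-blocking application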
Installing Nginx
yum -y install gcc gcc-c++ lrzsz zlib zlib-devel pcre pcre-devel
tar -zxvf nginx-xxx
tar -zxvf openssl-xxx
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-openssl=/root/openssl-1.0.2h --with-stream
make && make install
Nginx Labs
1. Enabling a module
vi /usr/local/nginx/conf/nginx.conf
location /abc
{
    stub_status on;
}
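2. Nginx access control lists (ACL)
Access control based on username and password
vi /usr/local/nginx/conf/nginx.conf
location /abc
{
    stub_status on;
    auth_basic "Welcome to nginx!";
    auth_basic_user_file /usr/local/nginx/html/a.psd;
}
# -c creates the password file and adds the first user
htpasswd -c /usr/local/nginx/html/a.psd zhangsan
# -m adds another user to the existing file with an MD5-based hash
htpasswd -m /usr/local/nginx/html/a.psd lisi
Note: /usr/local/nginx/html is the default document root, so a.psd stored there can be downloaded over HTTP; keeping the password file outside the web root avoids this.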
Access control based on IP
vi /usr/local/nginx/conf/nginx.conf
location /abc
{
    stub_status on;
    auth_basic "Welcome to nginx!";
    auth_basic_user_file /usr/local/nginx/html/a.psd;
    allow 192.168.66.250;    # allow .250; the deny below rejects the rest of 192.168.66.0/24
    deny 192.168.66.0/24;
}
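How nginx evaluates the allow/deny pair above, modelled in Python as an added example (not part of the original notes): rules are checked in order, the first match decides, and an address that matches no rule is allowed. The function names and probe addresses are constructed for illustration.

```python
import ipaddress

# Rules as written in the location block above, in configuration order.
PAGE_RULES = [("allow", "192.168.66.250"), ("deny", "192.168.66.0/24")]
# Same rules with an explicit catch-all, so nothing outside the list gets in.
STRICT_RULES = PAGE_RULES + [("deny", "all")]


def access_decision(client_ip, rules):
    """Model of the access module: first matching rule wins, no match means allow."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        # strict=False lets a single host ("192.168.66.250") parse as a /32 network
        if addr in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"


def audit(rules, probes):
    """Return {ip: decision} for a list of probe addresses."""
    return {ip: access_decision(ip, rules) for ip in probes}


# Constructed probes: the allowed host, a subnet neighbour, a host outside the subnet.
PROBES = ["192.168.66.250", "192.168.66.17", "10.0.0.5"]

if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("with deny all", STRICT_RULES)):
        print(name, audit(rules, PROBES))
```

With the rules as written, a host outside 192.168.66.0/24 still passes the IP check and is stopped only by auth_basic; a final `deny all;` closes that gap.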
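3. Virtual hosts
Copy the server{} block in the main configuration file; each server block is a separate virtual host. As in Apache, virtual hosts can be name-based or port-based.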
4. Reverse proxy
location /
{
    proxy_pass http://192.168.1.3:80;
}
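5. Layer 7 load balancing - based on Apache
Building the Nginx upstream (load-balancing) block
upstream atguigu.com
{
    # ip_hash;    # cannot be combined with a "backup" server; enable it only if no server is marked backup
    server 192.168.1.240:80 weight=2;
    server 192.168.1.241:80 weight=1;
    server 192.168.1.242:80 weight=1 backup;
}
location /
{
    proxy_pass http://atguigu.com;
}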
6. HTTPS encrypted access
# 2048 bits is the minimum key size; 1024-bit RSA is considered too weak
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
cp server.key server.key.org
openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out servernew.crt
cp servernew.crt /usr/local/nginx/conf/server.crt
# server.key is passphrase-protected (-des3), so nginx asks for the passphrase at startup
cp server.key /usr/local/nginx/conf/server.key
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
# TLS 1.0 is deprecated; TLS 1.2 is also the minimum for HTTP/2
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_prefer_server_ciphers on;
7. Address redirection
server
{
    listen 80;
    server_name www.hongfu.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}
8. Configuring HSTS in Nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
9. To prevent clickjacking, also add the X-Frame-Options header so that the site's content cannot be embedded in a frame or iframe on another website
add_header X-Frame-Options "DENY";
10. HTTP 2.0 configuration
server
{
    listen 443 ssl http2;
    server_name pan.rocblog.top;
    ssl_certificate /usr/local/nginx/html/https/pan.pem;
    ssl_certificate_key /usr/local/nginx/html/https/pan.key;
}
https://http2.akamai.com/demo
1: Chrome: install the extension HTTP/2 and SPDY indicator
2: Firefox: install the add-on HTTP/2 and SPDY indicator 2.3
Passing the real client address to the backend server
1. Nginx front end, Tomcat back end
location /
{
    proxy_pass http://localhost:8080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_intercept_errors on;
}
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="access_log." suffix=".txt"
       pattern="Remote User[ %{X-Forwarded-For}i %l %u %t ] Request[ &quot;%r&quot; ] Status Code[ %s ] Bytes[ %b ] Referer[ &quot;%{Referer}i&quot; ] Agent[ &quot;%{User-agent}i&quot; ]" />
2. Nginx front end, Nginx back end
location /
{
    proxy_pass http://localhost:8000;
    proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $remote_addr;    # alternative that overwrites instead of appending; enable only one X-Forwarded-For line
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;
}
location /
{
    proxy_pass http://localhost:8000;
    proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $remote_addr;    # alternative that overwrites instead of appending; enable only one X-Forwarded-For line
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;
    # accept X-Real-IP only when the request comes from these proxy addresses
    set_real_ip_from 192.168.1.0/24;
    set_real_ip_from 192.168.2.1;
    real_ip_header X-Real-IP;
}
3. Nginx front end, Apache back end
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
wget https://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
tar zxvf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6
sed -i 's/remote_addr/client_addr/' mod_rpaf-2.0.c
sed -i 's/remote_ip/client_ip/' mod_rpaf-2.0.c
/usr/local/apache2/bin/apxs -i -c -n mod_rpaf-2.0.slo mod_rpaf-2.0.c
vi /usr/local/apache/conf/httpd.conf
Include conf/extra/httpd-rpaf.conf
vi /usr/local/apache/conf/extra/httpd-rpaf.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 10.8.0.110
RPAFheader X-Forwarded-For
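Why the backend needs a trusted-proxy list (set_real_ip_from, RPAFproxy_ips): $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client sent, so the left-most entry is client-controlled. The following added Python example (not from the original notes; helper names and sample addresses are constructed) models the lookup by walking the chain from the right and stopping at the first hop that is not a trusted proxy.

```python
import ipaddress

# Proxy addresses the backend trusts, taken from the set_real_ip_from lines above.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.1/32")]


def is_trusted(ip):
    """True only for a well-formed address inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(addr in net for net in TRUSTED_PROXIES)


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Value nginx sends upstream: the client's own header with $remote_addr appended."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def real_client_ip(peer_addr, xff_header):
    """Model of a recursive real-IP lookup (hypothetical helper, not nginx code).

    The header is believed only when the TCP peer is a trusted proxy; the chain
    is then walked right to left and the first non-proxy address is returned.
    """
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_addr  # malformed entry: fall back to the peer
    return hops[0] if hops else peer_addr


# Constructed request: a client at 203.0.113.9 sends its own X-Forwarded-For value.
CLIENT_SUPPLIED = "198.51.100.7"
SENT_UPSTREAM = proxy_add_x_forwarded_for(CLIENT_SUPPLIED, "203.0.113.9")

if __name__ == "__main__":
    print("header seen by backend:", SENT_UPSTREAM)
    print("left-most entry       :", SENT_UPSTREAM.split(",")[0])
    print("trusted-proxy result  :", real_client_ip("192.168.1.10", SENT_UPSTREAM))
```

A log pattern or access rule that reads the raw header, such as the %{X-Forwarded-For}i field in the Tomcat valve, records the client-supplied entry as well.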
Nginx cache settings
server
{
    location ~* \.(html)$
    {
        access_log off;
        # "max-age" takes a number of seconds; the directive for "do not cache" is no-cache
        add_header Cache-Control no-cache;
    }
    location ~* \.(css|js|png|jpg|jpeg|gif|gz|svg|mp4|ogg|ogv|webm|htc|xml|woff)$
    {
        access_log off;
        add_header Cache-Control max-age=360000;
    }
}
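A side effect of putting add_header inside these locations: nginx inherits add_header from the outer level only when the inner level defines none, so a location that sets Cache-Control no longer sends headers added at server level. The following added Python model (not from the original notes) assumes the HSTS and X-Frame-Options headers from items 8 and 9 were placed at server level; the names and the shortened location patterns are constructed.

```python
# Constructed model of the configuration: the two security headers are assumed
# to sit at server level, and the locations mirror the cache blocks above.
SERVER_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload;",
    "X-Frame-Options": "DENY",
}
LOCATIONS = {
    "/": {},
    r"~* \.(html)$": {"Cache-Control": "no-cache"},
    r"~* \.(css|js|png)$": {"Cache-Control": "max-age=360000"},
}
REQUIRED = set(SERVER_HEADERS)


def effective_headers(server_headers, location_headers):
    """Outer add_header lines are inherited only if the inner level has none."""
    return dict(location_headers) if location_headers else dict(server_headers)


def missing_security_headers(server_headers, locations):
    """Map each location to the required headers its responses would lack."""
    report = {}
    for name, own in locations.items():
        missing = REQUIRED - set(effective_headers(server_headers, own))
        if missing:
            report[name] = sorted(missing)
    return report


def harden(server_headers, locations):
    """Repeat the server-level headers inside every location that sets its own."""
    return {
        name: ({**server_headers, **own} if own else {})
        for name, own in locations.items()
    }


if __name__ == "__main__":
    fixed = harden(SERVER_HEADERS, LOCATIONS)
    print("before:", missing_security_headers(SERVER_HEADERS, LOCATIONS))
    print("after :", missing_security_headers(SERVER_HEADERS, fixed))
```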
A reverse proxy makes the cache settings above ineffective; it can be configured as follows
http
{
    ...
    include nginx_proxy.conf;
    proxy_cache_path /data/nuget-cache levels=1:2 keys_zone=nuget-cache:20m max_size=50g inactive=168h;
    server
    {
        listen 80;
        server_name xxx.abc.com;
        location /
        {
            proxy_pass http://localhost:7878;
            # "max-age" takes a number of seconds; the directive for "do not cache" is no-cache
            add_header Cache-Control no-cache;
        }
        location ~* \.(css|js|png|jpg|jpeg|gif|gz|svg|mp4|ogg|ogv|webm|htc|xml|woff)$
        {
            access_log off;
            # max-age must be a plain integer: 30*24*3600 = 2592000 seconds (30 days)
            add_header Cache-Control "public,max-age=2592000";
            proxy_pass http://localhost:7878;
        }
    }
}
proxy_cache nuget-cache;
proxy_cache_valid 168h;
# Ignoring Set-Cookie and Cache-Control caches every response for 168h, including per-user ones; use this only for public, static content
proxy_ignore_headers Set-Cookie Cache-Control;
proxy_hide_header Cache-Control;
proxy_hide_header Set-Cookie;
Enabling compression in Nginx
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 9;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;