Installation and Use of Nginx

Keywords: Nginx zlib ElasticSearch yum

Links to the original text: https://my.oschina.net/asparagus/blog/699224

 

I. Introduction

Nginx ("engine x") is a high-performance HTTP and reverse proxy server, as well as an IMAP/POP3/SMTP server. Nginx was developed by Igor Sysoev for Rambler.ru, the second most visited site in Russia, and it has been running on the site for more than two years. Nginx's high performance and stability surpass Apache's, so more and more websites in China use Nginx as their web server, including portal channels such as Sina Blog, Sina Podcast, Netease News, Tencent Network and Sohu Blog; video sharing websites such as Six Rooms and 56.com; Discuz! Official Forum, Shuimu Community and so on; famous forums such as Shengda Online and Jinshan Xiaoyao Online; and emerging Web 2.0 websites such as Douban, Renren, YUPOO album, Jinshan ICBA and Xunlei Online.

 

II. Advantages of Nginx

As an HTTP server, Nginx has the following basic features:

1. Serving static files, index files and automatic indexing; open file descriptor cache

2. Accelerated reverse proxying without caching; simple load balancing and fault tolerance

3. FastCGI, simple load balancing and fault tolerance

4. Modular structure: filters include gzipping, byte ranges, chunked responses and the SSI filter. If a single page contains multiple SSIs handled by FastCGI or other proxy servers, they can be processed in parallel without waiting for each other.

5. Support for SSL and TLS SNI

 

III. Installation of Nginx

Installing Nginx is simple. Before installing Nginx itself, install its dependencies (after configuring the yum source).

The main dependencies are as follows:

1. Install gcc

yum -y install gcc

2. Install pcre

yum install -y pcre-devel

3. Install zlib

# Download zlib-1.2.8.tar.gz; "yum info zlib" shows the project URL, http://www.zlib.net/
tar -zxvf zlib-1.2.8.tar.gz
# If tar fails with the error below, extract the file as a plain tar archive instead:
#   gzip: stdin: not in gzip format
#   tar: Child returned status 1
#   tar: Error is not recoverable: exiting now
mv zlib-1.2.8.tar.gz zlib-1.2.8.tar
tar -xvf zlib-1.2.8.tar
cd zlib-1.2.8
./configure
make
make install

4. Install Nginx

# Download nginx-1.10.1.tar.gz from http://nginx.org/en/download.html
tar -zxvf nginx-1.10.1.tar.gz
cd nginx-1.10.1
./configure
make
make install
# The default installation directory is /usr/local/nginx
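
An added example (not part of the original post) for the two source downloads above: instead of renaming the file until tar accepts it, it checks the magic bytes to see whether the download is a gzip stream, a plain tar archive or something else, and extracts only after a SHA-256 comparison. The function names are hypothetical, and the expected digest is assumed to be a value you obtained from a source you trust.

```shell
#!/bin/sh
# Added example: classify a downloaded source archive by its magic bytes
# and verify its digest before extracting it.

# Print "gzip", "tar" or "unknown" for the file given as $1.
archive_kind() {
    # gzip streams start with the two bytes 1f 8b
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo gzip; return 0
    fi
    # tar headers carry the string "ustar" at byte offset 257
    ustar=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\000')
    if [ "$ustar" = "ustar" ]; then
        echo tar; return 0
    fi
    echo unknown
}

# Print the SHA-256 of $1 using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Extract $1 into directory $3 only if its SHA-256 equals $2
# and it really is a tar or gzip-compressed tar archive.
verified_extract() {
    [ "$(sha256_of "$1")" = "$2" ] || { echo "checksum mismatch: $1" >&2; return 1; }
    case $(archive_kind "$1") in
        gzip) tar -xzf "$1" -C "$3" ;;
        tar)  tar -xf  "$1" -C "$3" ;;
        *)    echo "not a tar archive (error page or truncated download?): $1" >&2
              return 2 ;;
    esac
}
```

A result of "unknown" for a file named .tar.gz usually means the download returned something other than the archive, which is worth checking before building and installing it as root.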

 

IV. Configuration of Nginx

nginx.conf is the main configuration file. An example nginx.conf is as follows:

user root;                #Running user (root here; a dedicated unprivileged account is the safer choice)
worker_processes  1;           #Number of worker processes, usually set equal to the number of CPUs
error_log  /var/log/nginx/error.log; 
pid        /var/run/nginx.pid;
#Working mode and maximum number of connections
events {
    use   epoll; #epoll is an I/O multiplexing method available only on Linux kernel 2.6 and later; it can greatly improve the performance of nginx.
    worker_connections  1024;   #Maximum number of concurrent connections for a single worker process
    # multi_accept on; 
}
#Setting up http server and using its reverse proxy function to provide load balancing support
http {
    include       /etc/nginx/mime.types; #Set the MIME types, which are defined in the mime.types file
    default_type  application/octet-stream;
    access_log    /var/log/nginx/access.log;  #Set the access log
    #The sendfile directive specifies whether nginx calls the sendfile function (zero-copy mode) to output files. For general applications
    #it must be set to on. For applications with heavy disk I/O load, such as download services, it can be set to off to balance disk and network I/O processing speed and reduce system load.
    sendfile        on;
    #tcp_nopush     on;
    #Connection timeout
    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;
    #Enable gzip compression
    gzip  on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    #Set the request buffers
    client_header_buffer_size    1k;
    large_client_header_buffers  4 4k;
    #Setting the list of servers for load balancing
    upstream mysvr {
           #The weight parameter sets the weight; the higher the weight, the greater the probability of being assigned a request.
           server 10.30.20.25:9200 weight=5;         
           server 10.30.20.25:9200 weight=1;
           server 192.168.8.3:80  weight=6;
    }
    server {
        listen       80; #Listen on port 80    
        access_log  logs/access.log;  #Set the access log for this virtual host
        #Default request
        location / {
           root  html;      #Specify the resource lookup path for the corresponding URI; html is a relative path
           index index.php index.html index.htm;   #Specify the index file names for the home page. Multiple names are separated by spaces and are tried in the configured order
        }
        # Define the error prompt page
        error_page   500 502 503 504 /50x.html;  
        location = /50x.html {
          root   html;
        }
    }
}

 

V. Combining Nginx and Elasticsearch

Elasticsearch is an advanced, high-performance, scalable open source search engine that provides full-text search and real-time analysis of structured and unstructured data.

In particular, it exposes a RESTful API over HTTP and integrates easily into an existing web architecture. Therefore, under high concurrency, nginx can be used as a reverse proxy that load-balances requests across multiple Elasticsearch servers.

Architecture diagram:

         

Advantages of this architecture:

  1. Logs each API request
  2. Supports a large number of client connections, with or without keepalives enabled, while using a much smaller number of persistent connections (using keepalives) to the Elasticsearch servers
  3. Load-balances requests across the Elasticsearch servers
  4. Caches data, so that repeated requests for the same content do not reach the Elasticsearch servers again. NGINX Plus also provides an HTTP API for purging cached data
  5. Provides active health checks (NGINX Plus only): continuously checks whether the back-end Elasticsearch servers are healthy and fails over when they are not
  6. Reports a rich set of monitoring metrics (NGINX Plus only) for monitoring and management
  7. Supports dynamic configuration of the upstream server group through an HTTP API (NGINX Plus only): servers can be added to or removed from the group, brought online or taken offline, and have their weights changed
  8. Security verification. Only clients with an account name and password can access the ES cluster.
  9. Restricts access to special interfaces such as "_shutdown". (This function is quite practical)
  10. Role-based access control (e.g. the user role has data access rights, the admin role has cluster control rights)

 

The following table compares the functions of the Elasticsearch client, Elasticsearch + nginx F/OSS, and Elasticsearch + NGINX Plus:

Feature                                    Elasticsearch client   nginx F/OSS   NGINX Plus
Horizontal scalability                     Y                      Y             Y
Keepalive optimization                     -                      Y             Y
Centralized HTTP access logs               -                      Y             Y
Queuing and concurrency control            -                      -             Y
Response caching                           -                      Y             Y
Failover of failed connections             Y                      Y             Y
Active monitoring of Elasticsearch nodes   Y (some clients)       -             Y
Advanced load balancing methods            -                      Y             Y
Weighted load balancing                    -                      Y             Y
Dynamic reconfiguration                    -                      -             Y
Status monitoring                          -                      -             Y
General-purpose HTTP load balancing        -                      Y             Y
 

The following briefly explains the main parts of the Nginx server configuration file nginx.conf.

1. Setting the request log

#Global error log and PID file
error_log  /usr/local/nginx/logs/error.log;
pid        /usr/local/nginx/logs/nginx.pid;
http {
    #Set the access log
    access_log /usr/local/nginx/logs/access.log;
}

2. Working mode and upper limit of connection number

events {
    use   epoll;             #epoll is an I/O multiplexing method available only on Linux kernel 2.6 and later; it can greatly improve the performance of nginx.
    worker_connections  1024;       #Maximum number of concurrent connections for a single worker process
    # multi_accept on; 
}

3. Setting the list of servers for load balancing

upstream mysvr {
    #The weight parameter sets the weight; the higher the weight, the greater the probability of being assigned a request.
    #Elasticsearch on each of these machines listens on port 9200
    server 10.30.20.25:9200 weight=5;
    server 10.30.20.24:9200 weight=1;
    server 10.30.20.23:9200  weight=6;
}

4. Setting the request buffers

client_header_buffer_size    1k;
large_client_header_buffers  4 4k;

5. Security Verification

server {
    listen 80;
    auth_basic "Protected Elasticsearch";
    auth_basic_user_file passwords;
            
    location / {
        proxy_pass http://mysvr;
        proxy_redirect off;
    }
}

The passwords file is in the same directory as nginx.conf. Its format is "username:crypt(3)-encrypted password string":

$ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords

Restart nginx after applying the above configuration; access to the service without credentials is then refused:

$ curl -i 10.30.20.25:80
#  HTTP/1.1 401 Unauthorized
#  ...

With the correct user name and password, access succeeds:

$ curl -i john:s3cr3t@10.30.20.25:80
#  HTTP/1.1 200 OK
#  ...
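
An added example (not part of the original post): it writes the same "user:hash" line as the printf command above, but reads the password from standard input and hashes it with `openssl passwd -apr1`, a format that nginx's auth_basic_user_file also accepts. The function name add_basic_user is hypothetical.

```shell
#!/bin/sh
# Added example: create or update one entry in an nginx
# auth_basic_user_file without putting the password on the command line.

# add_basic_user FILE USER   (the password is read from standard input)
add_basic_user() {
    file=$1
    user=$2
    # ':' separates the fields of the file, so restrict the user name
    # to a conservative character set
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name" >&2; return 2 ;;
    esac
    # -apr1 selects the Apache MD5-based scheme; -stdin keeps the
    # password out of argv and the shell history
    hash=$(openssl passwd -apr1 -stdin) || return 1
    [ -n "$hash" ] || return 1
    # build the new file next to the old one, then replace it in one step
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if [ -f "$file" ]; then
        # keep every other user's line, drop any previous line for this user
        awk -F: -v u="$user" '$1 != u' "$file" > "$tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    # owner and group only; the nginx worker user needs read access
    chmod 640 "$tmp"
    mv "$tmp" "$file"
}
```

Basic authentication sends the user name and password base64-encoded, not encrypted, so a listener protected this way should be served over TLS.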

6. Restrict access to special interfaces such as "_shutdown"

location / {
    if ($request_filename ~ _shutdown) {
        return 403;
        break;
    }
    proxy_pass http://mysvr;
    proxy_redirect off;
}

After this configuration, requests to _shutdown are denied:

$ curl -i -X POST john:s3cr3t@10.30.20.25:80/_cluster/nodes/_shutdown
# HTTP/1.1 403 Forbidden
# ....

7. Role-based access control

Distinguish between admins and users: admins can access all APIs, while users can access only the _search and _analyze interfaces.

        # Allow access to /_search and /_analyze for authenticated "users"
        server {
            listen 80;
            auth_basic "Elasticsearch Users";
            auth_basic_user_file users;
            # Everything not matched by the regex location below is refused
            location / {
                return 403;
            }
            location ~* ^(/_search|/_analyze) {
                proxy_pass http://mysvr;
                proxy_redirect off;
            }
        }
        # Allow access to anything for authenticated "admins"
        server {
            # The two server blocks must not share the same port and server name,
            # otherwise nginx ignores the second one; 8080 is an assumed example port
            listen 8080;
            auth_basic "Elasticsearch Admins";
            auth_basic_user_file admins;
            location / {
                proxy_pass http://mysvr;
                proxy_redirect off;
            }
        }
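
An added example (not part of the original post): a table-driven model of the "_shutdown" rule from section 6 and the "users" rule from section 7, for checking which request paths the rules admit before deploying them. The function names and sample paths are constructed, grep -E stands in for nginx's regex engine, and the last function is one possible tightening, not the author's rule.

```shell
#!/bin/sh
# Added example: model of the two access rules on this page.
# Simplification: nginx normalises the URI (percent-decoding, "..", "//")
# before matching; this model expects already-normalised paths.

# Section 6 rule: any path containing "_shutdown" is answered with 403.
# Assumes the nginx install prefix itself does not contain "_shutdown".
shutdown_rule() {
    case $1 in
        *_shutdown*) echo 403 ;;
        *)           echo proxy ;;
    esac
}

# Section 7 "users" server: location ~* ^(/_search|/_analyze) is proxied,
# everything else falls through to "location /" and gets 403.
users_rule() {
    if printf '%s\n' "$1" | grep -Eiq '^(/_search|/_analyze)'; then
        echo proxy
    else
        echo 403
    fi
}

# Same allow-list with the end anchored, so only the two exact paths
# (optionally with a trailing slash) pass.
users_rule_strict() {
    if printf '%s\n' "$1" | grep -Eiq '^/(_search|_analyze)/?$'; then
        echo proxy
    else
        echo 403
    fi
}

# Constructed sample paths; one output line per path with all three decisions.
report() {
    for p in /_search /_analyze /_SEARCH /_search_extra /myindex/_search \
             /_cluster/nodes/_shutdown /; do
        printf '%-28s shutdown=%-5s users=%-5s strict=%s\n' "$p" \
            "$(shutdown_rule "$p")" "$(users_rule "$p")" "$(users_rule_strict "$p")"
    done
}
report
```

The report shows that the page's pattern is a case-insensitive prefix match anchored at the root: it admits any path that merely starts with /_search or /_analyze, and it refuses index-scoped paths such as /myindex/_search.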
 

 

 


Posted by bob_the _builder on Tue, 17 Sep 2019 07:02:03 -0700