1. Nginx Plus Overview and Environment Planning
Nginx Plus is the commercial edition of Nginx. It builds on open-source Nginx and adds enterprise features such as advanced load balancing, dynamic configuration, active health checks, session persistence and real-time monitoring.
1.1 Nginx Plus Version
The current major release of Nginx Plus is R30; this tutorial uses Nginx Plus R30 throughout.
$ nginx -v
nginx version: nginx/1.25.3 (nginx-plus-r30)
# Show the build parameters
$ nginx -V
nginx version: nginx/1.25.3 (nginx-plus-r30)
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-20) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie -Wl,-rpath,/usr/lib64/nginx/modules'
1.2 Environment Planning
The installation environment for this tutorial is planned as follows:
Nginx Plus node 1:
Hostname: nginxplus01.fgedu.net.cn
IP address: 192.168.1.51
VIP address: 192.168.1.100
Nginx Plus node 2:
Hostname: nginxplus02.fgedu.net.cn
IP address: 192.168.1.52
VIP address: 192.168.1.100
Backend server node 1:
Hostname: web01.fgedu.net.cn
IP address: 192.168.1.53
Backend server node 2:
Hostname: web02.fgedu.net.cn
IP address: 192.168.1.54
Backend server node 3:
Hostname: web03.fgedu.net.cn
IP address: 192.168.1.55
Nginx Plus version: R30
Load balancing algorithm: least_conn
1.3 Core Features of Nginx Plus
1. Advanced load balancing: multiple algorithms and dynamic configuration
2. Active health checks: TCP and HTTP health checks
3. Session persistence: several session-affinity methods
4. Real-time monitoring: built-in dashboard and API
5. Dynamic configuration: update the configuration without a restart
6. JWT authentication: JWT validation
7. OpenID Connect: OIDC single sign-on
8. WAF: built-in web application firewall
9. Cache optimisation: advanced cache control
10. Traffic management: rate limiting, circuit breaking, canary releases
Comparison with the open-source edition:
- Open source: basic reverse proxy and load balancing
- Plus: enterprise features, vendor support, authentication modules
2. Hardware Requirements and Checks
Before installing Nginx Plus, check the server hardware environment thoroughly.
2.1 Minimum Hardware Requirements
CPU: 1 core
Memory: 512MB
Disk: 1GB
Recommended configuration (production):
CPU: 2 cores or more
Memory: 2GB or more
Disk: 10GB or more
High-concurrency configuration:
CPU: 4 cores or more
Memory: 4GB or more
NIC: 10Gbps
2.2 System Environment Check
# Check the OS release
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
# Check the kernel version
# uname -r
4.18.0-477.27.1.el8_8.x86_64
# Check memory
# free -h
total used free shared buff/cache available
Mem: 15Gi 1.0Gi 13Gi 256Mi 1.0Gi 14Gi
Swap: 7Gi 0B 7Gi
# Check the network configuration
# ip addr show eth0
2: eth0:
link/ether 00:50:56:a3:01:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.51/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
2.3 Installing Dependencies
# yum install -y ca-certificates curl gnupg2
# Create the Nginx Plus repository definition
# vi /etc/yum.repos.d/nginx-plus.repo
[nginx-plus]
name=nginx-plus repo
baseurl=https://pkgs.nginx.com/plus/rhel/$releasever/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=1
enabled=1
gpgkey=https://cs.nginx.com/static/keys/nginx_signing.key
# Create the certificate directory
# mkdir -p /etc/ssl/nginx
# Copy the repository client certificate and key (issued with a purchased licence)
# cp nginx-repo.crt /etc/ssl/nginx/
# cp nginx-repo.key /etc/ssl/nginx/
# Restrict permissions on the private key
# chmod 600 /etc/ssl/nginx/nginx-repo.key
# Verify the repository
# yum repolist nginx-plus
# Sample output:
nginx-plus repo 100
3. Installing Nginx Plus
This section walks through the Nginx Plus installation step by step.
3.1 Install Nginx Plus
# yum install -y nginx-plus
# Sample output:
Installed:
nginx-plus-30-1.el8.ngx.x86_64
Complete!
# Verify the installation
$ nginx -v
nginx version: nginx/1.25.3 (nginx-plus-r30)
# List the compiled-in modules
$ nginx -V 2>&1 | grep -o 'with-[^ ]*'
with-compat
with-file-aio
with-threads
with-http_ssl_module
with-http_v2_module
with-http_v3_module
with-stream_ssl_module
3.2 Create the Directory Structure
# mkdir -p /etc/nginx/conf.d
# mkdir -p /etc/nginx/ssl
# mkdir -p /var/log/nginx
# mkdir -p /var/cache/nginx
# Set ownership
# chown -R nginx:nginx /var/log/nginx
# chown -R nginx:nginx /var/cache/nginx
# Check the directory structure
$ ls -la /etc/nginx/
# Sample output:
total 64
drwxr-xr-x. 4 root root 4096 Apr 4 10:00 .
drwxr-xr-x. 93 root root 8192 Apr 4 10:00 ..
-rw-r--r--. 1 root root 1077 Apr 4 10:00 fastcgi.conf
-rw-r--r--. 1 root root 1077 Apr 4 10:00 fastcgi_params
-rw-r--r--. 1 root root 2837 Apr 4 10:00 koi-utf
-rw-r--r--. 1 root root 2223 Apr 4 10:00 koi-win
-rw-r--r--. 1 root root 5349 Apr 4 10:00 mime.types
-rw-r--r--. 1 root root 649 Apr 4 10:00 nginx.conf
-rw-r--r--. 1 root root 180 Apr 4 10:00 scgi_params
-rw-r--r--. 1 root root 418 Apr 4 10:00 uwsgi_params
-rw-r--r--. 1 root root 3071 Apr 4 10:00 win-utf
drwxr-xr-x. 2 root root 24 Apr 4 10:00 conf.d
drwxr-xr-x. 2 root root 24 Apr 4 10:00 ssl
3.3 Create the Base Configuration
# Back up the shipped configuration first
# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
# Create the new configuration
# vi /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 65535;
    use epoll;
    multi_accept on;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript;
    include /etc/nginx/conf.d/*.conf;
}
# Validate the configuration
$ nginx -t
# Sample output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
3.4 Start the Nginx Plus Service
# systemctl start nginx
# Enable start on boot
# systemctl enable nginx
# Check the service status
# systemctl status nginx
# Sample output:
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2026-04-04 10:00:00 CST; 1s ago
 Main PID: 12345 (nginx)
    Tasks: 3 (limit: 49134)
   Memory: 5.5M
   CGroup: /system.slice/nginx.service
           ├─12345 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           ├─12346 nginx: worker process
           └─12347 nginx: worker process
# Check the listening port
# netstat -tlnp | grep nginx
# Sample output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12345/nginx: master
# Test access
$ curl -I http://192.168.1.51
# Sample output:
HTTP/1.1 200 OK
Server: nginx/1.25.3 (nginx-plus-r30)
Date: Sat, 04 Apr 2026 02:00:00 GMT
Content-Type: text/html
Connection: keep-alive
# The Server header above discloses the exact build; "server_tokens off;" in the
# http block reduces it to "nginx"
4. Nginx Plus Parameter Configuration
Parameter tuning is the key step in Nginx Plus performance optimisation and directly determines system throughput.
4.1 Global Parameters
# vi /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
worker_priority -5;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
# Load dynamic modules. ngx_http_app_protect_module.so belongs to the separately
# installed NGINX App Protect package and ngx_http_js_module.so to the
# nginx-plus-module-njs package; drop a line if that package is not installed
load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_js_module.so;
events {
    worker_connections 65535;
    use epoll;
    multi_accept on;
    accept_mutex on;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Log format, including upstream timings
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time uct="$upstream_connect_time" '
                    'uht="$upstream_header_time" urt="$upstream_response_time"';
    access_log /var/log/nginx/access.log main;
    # Performance tuning
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    keepalive_requests 1000;
    reset_timedout_connection on;
    client_body_timeout 10;
    send_timeout 10;
    # Buffers
    client_body_buffer_size 16k;
    client_header_buffer_size 1k;
    client_max_body_size 100m;
    large_client_header_buffers 4 8k;
    # Open file cache
    open_file_cache max=10000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
    include /etc/nginx/conf.d/*.conf;
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
4.2 Performance Tuning
# vi /etc/sysctl.d/99-nginx.conf
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
fs.file-max = 2097152
vm.swappiness = 0
# Apply the settings
# sysctl -p /etc/sysctl.d/99-nginx.conf
# Per-user limits (these apply to PAM login sessions; the systemd-started service
# takes its limit from worker_rlimit_nofile in nginx.conf or from LimitNOFILE= in
# a unit drop-in)
# vi /etc/security/limits.d/nginx.conf
nginx soft nofile 65535
nginx hard nofile 65535
nginx soft nproc 65535
nginx hard nproc 65535
# Verify the limit (this reports the current shell only)
$ ulimit -n
65535
# Check the limit actually in force for the running nginx master
# grep 'open files' /proc/$(cat /var/run/nginx.pid)/limits
5. Load Balancing Configuration
Nginx Plus offers advanced load balancing; this section covers the configuration in detail.
5.1 HTTP Load Balancing
# vi /etc/nginx/conf.d/lb.conf
upstream web_servers {
    zone web_servers 64k;
    # Balancing method
    least_conn;
    # Backend servers
    server 192.168.1.53:80 weight=3;
    server 192.168.1.54:80 weight=2;
    server 192.168.1.55:80 weight=1 backup;
    # Session persistence: learn the serverid cookie set by the backend
    sticky learn create=$upstream_cookie_serverid
                 lookup=$cookie_serverid
                 zone=client_sessions:1m;
    # Keepalive connections to the backends
    keepalive 32;
    keepalive_timeout 60s;
    keepalive_requests 1000;
}
server {
    listen 80;
    server_name www.fgedu.net.cn;
    location / {
        proxy_pass http://web_servers;
        # HTTP/1.1 and an empty Connection header are required for upstream keepalive
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Connection "";
        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 16k;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
5.2 TCP/UDP Load Balancing
# vi /etc/nginx/nginx.conf
# The stream block is a top-level block, a sibling of http, not nested inside it
stream {
    # MySQL load balancing
    upstream mysql_servers {
        zone mysql_servers 64k;
        least_conn;
        server 192.168.1.53:3306 weight=3;
        server 192.168.1.54:3306 weight=2;
        server 192.168.1.55:3306 backup;
    }
    server {
        listen 3306;
        proxy_pass mysql_servers;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }
    # Redis load balancing
    upstream redis_servers {
        zone redis_servers 64k;
        least_conn;
        server 192.168.1.53:6379;
        server 192.168.1.54:6379 backup;
    }
    server {
        listen 6379;
        proxy_pass redis_servers;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }
    # DNS load balancing
    upstream dns_servers {
        zone dns_servers 64k;
        least_conn;
        server 192.168.1.53:53;
        server 192.168.1.54:53;
    }
    server {
        listen 53 udp;
        proxy_pass dns_servers;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
5.3 Advanced Load Balancing Features
# vi /etc/nginx/conf.d/advanced-lb.conf
# limit_req_zone is only valid in the http context, so it goes at file level
# (conf.d files are included from http), not inside the server block
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;
upstream api_servers {
    zone api_servers 64k;
    # Consistent hashing on the request URI
    hash $request_uri consistent;
    server 192.168.1.53:8080;
    server 192.168.1.54:8080;
    server 192.168.1.55:8080;
    # slow_start cannot be combined with the hash, ip_hash or random methods;
    # 6.3 shows slow start together with least_conn
    server 192.168.1.56:8080;
    # Session persistence
    sticky cookie srv_id expires=1h domain=.fgedu.net.cn path=/;
}
# Canary upstream. The original gives no v2 backend address; this one is assumed
# and must be replaced with the real v2 host
upstream api_servers_v2 {
    zone api_servers_v2 64k;
    server 192.168.1.56:8080;
}
server {
    listen 80;
    server_name api.fgedu.net.cn;
    location / {
        # Rate limiting
        limit_req zone=api_limit burst=200 nodelay;
        proxy_pass http://api_servers;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Failover: retry the next upstream on errors, at most 3 tries within 10s
        proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
    }
    # Canary release
    location /v2/ {
        proxy_pass http://api_servers_v2;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
6. Health Check Configuration
Nginx Plus provides active health checks that monitor backend server state in real time.
6.1 HTTP Health Checks
# vi /etc/nginx/conf.d/health.conf
upstream web_servers {
    zone web_servers 64k;
    server 192.168.1.53:80;
    server 192.168.1.54:80;
    server 192.168.1.55:80;
}
# Conditions a probe response must satisfy
match health_check {
    status 200;
    # Exact comparison: a backend that answers "text/html; charset=UTF-8" fails this test
    header Content-Type = text/html;
    body ~ "Welcome";
}
server {
    listen 80;
    server_name www.fgedu.net.cn;
    location / {
        proxy_pass http://web_servers;
        health_check interval=5s fails=3 passes=2 match=health_check;
    }
    # Health status: exposed through the read-only Plus API, whose upstream view
    # reports each peer's state (health_check_status is not an nginx directive)
    location /health_status {
        api;
        allow 192.168.1.0/24;
        deny all;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
# Query the upstream state ("state" reflects the health-check result)
$ curl http://192.168.1.51/health_status/5/http/upstreams/web_servers
# Sample output:
{
  "peers": [
    {
      "id": 0,
      "server": "192.168.1.53:80",
      "name": "192.168.1.53",
      "backup": false,
      "weight": 1,
      "state": "healthy",
      "active": 0,
      "requests": 100,
      "header_time": 10,
      "response_time": 20
    }
  ]
}
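The match block and the fails/passes thresholds above decide when a peer flips between "healthy" and "unhealthy". The following Python model, added here as an illustration and not part of the original tutorial or of Nginx Plus, applies the same three tests (status list, exact header compare, body regex) to constructed probe responses and walks them through the fails=3 passes=2 state machine. The probe responses are invented; one of them shows the Content-Type pitfall noted in the comment above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MatchBlock:
    """Model of an nginx Plus `match` block: allowed status codes, exact header
    comparisons (`header Name = value`) and body regexes (`body ~ "re"`)."""
    status: List[int] = field(default_factory=lambda: [200])
    headers: Dict[str, str] = field(default_factory=dict)
    body_regex: List[str] = field(default_factory=list)


# The match block from health.conf above, expressed as a MatchBlock
PAGE_MATCH = MatchBlock(status=[200],
                        headers={"Content-Type": "text/html"},
                        body_regex=["Welcome"])


def evaluate(match: MatchBlock, status: int,
             headers: Dict[str, str], body: str) -> Tuple[bool, List[str]]:
    """Apply every test in the match block to one probe response.
    Returns (passed, reasons for failure)."""
    failures: List[str] = []
    if status not in match.status:
        failures.append(f"status {status} not in {match.status}")
    # Header names are case-insensitive; the value test is an exact compare
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, expected in match.headers.items():
        actual = lowered.get(name.lower())
        if actual is None:
            failures.append(f"header {name} missing")
        elif actual != expected:
            failures.append(f"header {name}={actual!r} != {expected!r}")
    for pattern in match.body_regex:
        if re.search(pattern, body) is None:
            failures.append(f"body does not match /{pattern}/")
    return (not failures, failures)


def simulate_health_check(match: MatchBlock, probes, fails: int = 3,
                          passes: int = 2) -> List[str]:
    """Walk probe responses (status, headers, body) through the thresholds of
    `health_check fails=3 passes=2` and return the peer state after each probe.
    Peers start healthy; `fails` consecutive failures mark them unhealthy and
    `passes` consecutive successes bring them back."""
    healthy = True
    consecutive_fail = consecutive_pass = 0
    states: List[str] = []
    for status, headers, body in probes:
        ok, _ = evaluate(match, status, headers, body)
        if ok:
            consecutive_pass += 1
            consecutive_fail = 0
            if not healthy and consecutive_pass >= passes:
                healthy = True
        else:
            consecutive_fail += 1
            consecutive_pass = 0
            if healthy and consecutive_fail >= fails:
                healthy = False
        states.append("healthy" if healthy else "unhealthy")
    return states


# Constructed probe responses (not captured from a real backend)
GOOD = (200, {"Content-Type": "text/html"}, "<h1>Welcome</h1>")
CHARSET = (200, {"Content-Type": "text/html; charset=UTF-8"}, "<h1>Welcome</h1>")
DOWN = (503, {"Content-Type": "text/html"}, "Service Unavailable")

if __name__ == "__main__":
    print(evaluate(PAGE_MATCH, *CHARSET))
    print(simulate_health_check(
        PAGE_MATCH, [GOOD, CHARSET, CHARSET, CHARSET, DOWN, GOOD, GOOD]))
```

Running the sequence shows the peer staying healthy through the first two charset failures, going unhealthy on the third, and recovering only after two consecutive passing probes; a backend that adds a charset parameter to its Content-Type is therefore taken out of rotation even though it serves correctly.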
6.2 TCP Health Checks
# vi /etc/nginx/nginx.conf
# Top-level stream block (a sibling of http). It replaces the one from 5.2, since
# an upstream name or listen port cannot be defined twice
stream {
    upstream mysql_servers {
        zone mysql_servers 64k;
        server 192.168.1.53:3306;
        server 192.168.1.54:3306;
        server 192.168.1.55:3306;
    }
    server {
        listen 3306;
        proxy_pass mysql_servers;
        # TCP health check: a completed TCP connect counts as a pass
        health_check interval=5s fails=3 passes=2;
    }
    # MySQL health check with a match block
    upstream mysql_servers_advanced {
        zone mysql_servers_advanced 64k;
        server 192.168.1.53:3306;
        server 192.168.1.54:3306;
    }
    match mysql_handshake {
        # The string passed to send must be quoted. MySQL sends its greeting first,
        # so expect alone would also work; test the expect pattern against the
        # real greeting of your server version before relying on it
        send "\x00";
        expect ~* "mysql";
    }
    server {
        listen 3307;
        proxy_pass mysql_servers_advanced;
        health_check match=mysql_handshake;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
6.3 Slow Start
# vi /etc/nginx/conf.d/slow-start.conf
upstream web_servers {
    zone web_servers 64k;
    least_conn;
    # Slow start: a newly added or recovered server ramps its weight up over 30s
    # instead of receiving its full share of traffic at once
    server 192.168.1.53:80 slow_start=30s;
    server 192.168.1.54:80 slow_start=30s;
    server 192.168.1.55:80 slow_start=30s;
}
server {
    listen 80;
    server_name www.fgedu.net.cn;
    location / {
        proxy_pass http://web_servers;
        health_check interval=5s fails=3 passes=2;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
7. Monitoring and Management
Nginx Plus provides a real-time monitoring and management API; this section covers the common monitoring methods.
7.1 Status API Configuration
# vi /etc/nginx/conf.d/status.conf
server {
    listen 8080;
    server_name localhost;
    # Basic status page
    location /nginx_status {
        stub_status;
        allow 192.168.1.0/24;
        deny all;
    }
    # Plus status API. write=on permits configuration changes, so keep the allow
    # list tight and consider adding auth_basic (see 8.2)
    location /api {
        api write=on;
        allow 192.168.1.0/24;
        deny all;
    }
    # Plus dashboard
    location /dashboard {
        root /usr/share/nginx/html;
        index dashboard.html;
        allow 192.168.1.0/24;
        deny all;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
# Query the basic status page
$ curl http://192.168.1.51:8080/nginx_status
# Sample output:
Active connections: 10
server accepts handled requests
100 100 1000
Reading: 0 Writing: 1 Waiting: 9
# Query the Plus API
$ curl http://192.168.1.51:8080/api/5/nginx
# Sample output:
{
  "version": "1.25.3 (nginx-plus-r30)",
  "build": "nginx-plus-r30",
  "address": "192.168.1.51",
  "generation": 1,
  "load_timestamp": "2026-04-04T10:00:00.000Z",
  "timestamp": "2026-04-04T10:01:00.000Z",
  "pid": 12345,
  "ppid": 1,
  "workers": [
    {
      "id": 0,
      "pid": 12346,
      "accepted": 100,
      "dropped": 0,
      "active": 10,
      "idle": 5,
      "connections": 100,
      "requests": 1000
    }
  ]
}
7.2 Dynamic Configuration Management
# Current state of the upstream
$ curl http://192.168.1.51:8080/api/5/http/upstreams/web_servers
# Sample output:
{
  "peers": [
    {
      "id": 0,
      "server": "192.168.1.53:80",
      "name": "192.168.1.53",
      "backup": false,
      "weight": 3,
      "state": "healthy",
      "active": 0,
      "requests": 100,
      "header_time": 10,
      "response_time": 20
    }
  ],
  "keepalive": 32
}
# Changes made through the API live in the upstream's shared zone and are lost on
# a configuration reload unless the upstream has a state file directive
# Add a server dynamically
$ curl -X POST -d '{"server":"192.168.1.56:80"}' \
http://192.168.1.51:8080/api/5/http/upstreams/web_servers/servers
# Sample output:
{
  "id": 3,
  "server": "192.168.1.56:80",
  "weight": 1
}
# Change a server's weight
$ curl -X PATCH -d '{"weight":5}' \
http://192.168.1.51:8080/api/5/http/upstreams/web_servers/servers/3
# Take a server out of rotation
$ curl -X PATCH -d '{"down":true}' \
http://192.168.1.51:8080/api/5/http/upstreams/web_servers/servers/3
# Remove a server
$ curl -X DELETE \
http://192.168.1.51:8080/api/5/http/upstreams/web_servers/servers/3
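The three API calls above (mark down, observe, delete) are safest when chained in that order and only advanced when the peer has actually gone idle. The following Python client, added here as an example and not part of the tutorial or of Nginx Plus, does exactly that against the endpoints shown above: it PATCHes down=true, polls the upstream's peer list until the peer reports active == 0, and only then issues the DELETE. The transport is injectable, so the scripted stand-in at the bottom (constructed responses, not captured from a real server) exercises the procedure offline; `urllib_transport` talks to a live instance. The API base URL and server id 3 are taken from the page.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, List, Optional, Tuple

# A transport takes (method, url, json body or None) and returns
# (http status, decoded json body or None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Any]]


def urllib_transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, Any]:
    """Real transport for a live Nginx Plus API endpoint."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


class DrainError(RuntimeError):
    """A step failed or the peer never went idle; nothing was deleted."""


def drain_and_remove(transport: Transport, api_base: str, upstream: str,
                     server_id: int, poll_limit: int = 10) -> List[str]:
    """1. PATCH {"down": true} so the balancer sends no new requests to the peer;
    2. poll GET <upstream> until the peer shows active == 0 (bounded);
    3. only then DELETE the server entry. Returns the steps performed."""
    servers_url = f"{api_base}/http/upstreams/{upstream}/servers/{server_id}"
    upstream_url = f"{api_base}/http/upstreams/{upstream}"
    steps: List[str] = []

    status, _ = transport("PATCH", servers_url, {"down": True})
    if status != 200:
        raise DrainError(f"PATCH down=true returned {status}")
    steps.append("down")

    for _ in range(poll_limit):
        status, body = transport("GET", upstream_url, None)
        if status != 200 or not isinstance(body, dict):
            raise DrainError(f"GET upstream returned {status}")
        peer = next((p for p in body.get("peers", []) if p.get("id") == server_id), None)
        if peer is None:
            raise DrainError(f"peer id {server_id} not present in {upstream}")
        steps.append(f"active={peer.get('active', 0)}")
        if peer.get("active", 0) == 0:
            break
    else:
        raise DrainError("peer still has active connections; not deleting")

    status, _ = transport("DELETE", servers_url, None)
    if status not in (200, 204):
        raise DrainError(f"DELETE returned {status}")
    steps.append("deleted")
    return steps


class ScriptedTransport:
    """Constructed stand-in for the Plus API: canned responses, records calls."""

    def __init__(self, active_sequence):
        self.active_sequence = list(active_sequence)
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url.rsplit("/api/5", 1)[-1], body))
        if method == "PATCH":
            return 200, {"id": 3, "server": "192.168.1.56:80", "down": True}
        if method == "GET":
            active = self.active_sequence.pop(0) if self.active_sequence else 0
            return 200, {"peers": [{"id": 3, "server": "192.168.1.56:80", "active": active}]}
        if method == "DELETE":
            return 204, None
        return 405, None


API = "http://192.168.1.51:8080/api/5"

if __name__ == "__main__":
    fake = ScriptedTransport([2, 1, 0])
    print(drain_and_remove(fake, API, "web_servers", 3))
    # Against a live instance: drain_and_remove(urllib_transport, API, "web_servers", 3)
```

Because the API location carries `write=on`, this script must run from an address inside the allow list; the bounded poll loop is deliberate, so a peer that never drains leaves the configuration unchanged rather than being deleted mid-request.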
7.3 Monitoring Metrics
# Connection statistics
$ curl http://192.168.1.51:8080/api/5/connections
# Sample output:
{
  "accepted": 1000,
  "dropped": 0,
  "active": 10,
  "idle": 5
}
# SSL statistics
$ curl http://192.168.1.51:8080/api/5/ssl
# Sample output:
{
  "handshakes": 100,
  "handshakes_failed": 0,
  "session_reuses": 50
}
# Request statistics
$ curl http://192.168.1.51:8080/api/5/http/requests
# Sample output:
{
  "total": 10000,
  "accepted": 10000,
  "dropped": 0,
  "active": 10,
  "current": 1
}
# Cache statistics
$ curl http://192.168.1.51:8080/api/5/http/caches
# Sample output:
{
  "cache_zone": {
    "size": 1048576,
    "max_size": 1073741824,
    "cold": false,
    "hit": {
      "responses": 5000,
      "bytes": 52428800
    },
    "miss": {
      "responses": 5000,
      "bytes": 52428800,
      "responses_written": 100,
      "bytes_written": 1048576
    }
  }
}
8. Security Configuration
Nginx Plus provides a full set of security features; this section covers the common security settings.
8.1 SSL/TLS Configuration
# mkdir -p /etc/nginx/ssl
# Generate a self-signed certificate (testing only)
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/fgedu.key \
-out /etc/nginx/ssl/fgedu.crt \
-subj "/C=CN/ST=BJ/L=BJ/O=FGedu/OU=IT/CN=*.fgedu.net.cn"
# Restrict permissions on the private key
# chmod 600 /etc/nginx/ssl/fgedu.key
# HTTPS configuration
# vi /etc/nginx/conf.d/ssl.conf
# Remove the port-80 server for www.fgedu.net.cn from lb.conf first, otherwise
# nginx warns about a conflicting server name and ignores one of the two
server {
    listen 80;
    server_name www.fgedu.net.cn;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    # The "http2" listen parameter is deprecated since 1.25.1; use the directive
    http2 on;
    server_name www.fgedu.net.cn;
    ssl_certificate /etc/nginx/ssl/fgedu.crt;
    ssl_certificate_key /etc/nginx/ssl/fgedu.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # Security headers (X-XSS-Protection is obsolete in current browsers and only
    # matters for legacy clients)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location / {
        proxy_pass http://web_servers;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
8.2 Access Control Configuration
# vi /etc/nginx/conf.d/access.conf
# The original defines no admin_servers upstream; this one is assumed so that
# nginx -t passes. Point it at the real admin backends
upstream admin_servers {
    zone admin_servers 64k;
    server 192.168.1.53:8080;
}
server {
    listen 80;
    server_name admin.fgedu.net.cn;
    # IP-based access control
    location / {
        allow 192.168.1.0/24;
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://admin_servers;
    }
    # Basic authentication. This location is not covered by the allow/deny rules
    # of location /; repeat them here if both controls are wanted. Basic auth sends
    # credentials in clear text, so serve this over HTTPS (see 8.1)
    location /private/ {
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://admin_servers;
    }
}
# Create the password file (htpasswd comes from httpd-tools; add -B for bcrypt hashes)
# htpasswd -c /etc/nginx/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
8.3 Rate Limiting
# vi /etc/nginx/conf.d/rate-limit.conf
# Define the limit zones (a zone name may be defined only once across all
# included files; drop the api_limit definition in advanced-lb.conf if both are present)
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
server {
    listen 80;
    server_name api.fgedu.net.cn;
    location / {
        # Request rate limit
        limit_req zone=api_limit burst=200 nodelay;
        limit_req_status 429;
        # Concurrent connection limit
        limit_conn conn_limit 100;
        limit_conn_status 429;
        proxy_pass http://api_servers;
    }
    # Custom error response
    error_page 429 = @too_many_requests;
    location @too_many_requests {
        default_type application/json;
        return 429 '{"error": "Too Many Requests"}';
    }
}
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload the configuration
# nginx -s reload
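To see what `rate=100r/s burst=200 nodelay` means for one client, the following Python model, added here as an illustration and not code from the tutorial or from nginx, reproduces nginx's leaky-bucket arithmetic for a single key: excess is tracked in thousandths of a request, drained at the configured rate, incremented by one request per arrival, and compared with the burst; rejected requests leave the bucket untouched, and a fresh key starts at zero. The arrival pattern is constructed.

```python
from collections import Counter
from typing import List


def simulate_limit_req(arrivals_ms: List[int], rate_rps: int, burst: int,
                       nodelay: bool = True) -> List[str]:
    """Leaky bucket for one limit_req key (for example one client address with
    $binary_remote_addr). Arrival times are milliseconds, non-decreasing.
    Returns "accept", "delay" or "reject" for each arrival."""
    rate = rate_rps * 1000          # thousandths of a request per second
    burst_m = burst * 1000
    excess = None                   # None: key not seen yet
    last_ms = 0
    verdicts: List[str] = []
    for now in arrivals_ms:
        if excess is None:
            # A new key is created with zero excess and the request is accepted
            excess, last_ms = 0, now
            verdicts.append("accept")
            continue
        # Drain what the elapsed time allows, then charge this request
        candidate = excess - rate * (now - last_ms) // 1000 + 1000
        if candidate < 0:
            candidate = 0
        if candidate > burst_m:
            # Over the burst: rejected with limit_req_status (429 on this page),
            # and the bucket is not updated
            verdicts.append("reject")
            continue
        excess, last_ms = candidate, now
        if excess > 0 and not nodelay:
            verdicts.append("delay")    # queued in the burst, released at the rate
        else:
            verdicts.append("accept")
    return verdicts


def tally(verdicts: List[str]) -> Counter:
    return Counter(verdicts)


# Constructed pattern: 300 requests in the same millisecond from one client,
# then one request a second later and one two seconds after that
BURST_300 = [0] * 300 + [1000, 3000]

if __name__ == "__main__":
    v = simulate_limit_req(BURST_300, rate_rps=100, burst=200, nodelay=True)
    print(dict(tally(v[:300])), v[300:])
    print(dict(tally(simulate_limit_req([0] * 300, rate_rps=100, burst=200, nodelay=False))))
```

With the page's settings the first 201 requests of the burst get through at once (the new-key request plus 200 burst slots), the remaining 99 receive 429, and one second later the bucket has drained 100 requests' worth, so traffic is admitted again; without `nodelay` the same 200 burst requests would be accepted but paced out at 100 per second instead of being served immediately.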
9. Upgrade and Migration
Upgrading and migrating Nginx Plus is an important part of operations and needs careful planning and execution.
9.1 Version Upgrade
$ nginx -v
nginx version: nginx/1.25.3 (nginx-plus-r29)
# Back up the configuration (create /backup first if it does not exist)
# cp -r /etc/nginx /backup/nginx_$(date +%Y%m%d)
# Upgrade Nginx Plus
# yum update nginx-plus
# Sample output:
Upgraded:
nginx-plus-30-1.el8.ngx.x86_64
Complete!
# Verify the version
$ nginx -v
nginx version: nginx/1.25.3 (nginx-plus-r30)
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Graceful reload. Note that reload re-reads the configuration but the master
# process keeps running the old binary; to switch to the new binary without
# downtime use the USR2/WINCH/QUIT binary-upgrade sequence, or restart the service
# nginx -s reload
9.2 Configuration Migration
# tar -czf nginx_backup_$(date +%Y%m%d).tar.gz \
/etc/nginx \
/var/log/nginx \
/var/cache/nginx
# Copy to the new server
# scp nginx_backup_*.tar.gz root@newserver:/backup/
# Extract on the new server
# tar -xzf nginx_backup_*.tar.gz -C /
# Validate the configuration
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Start the service
# systemctl start nginx
10. Production Case Study
This section presents a complete production configuration so that readers can see how Nginx Plus is applied in practice.
10.1 Complete Production Configuration
# vi /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 65535;
    use epoll;
    multi_accept on;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # JSON access log; escape=json keeps every line valid JSON
    log_format json escape=json '{'
        '"time":"$time_iso8601",'
        '"remote":"$remote_addr",'
        '"host":"$host",'
        '"method":"$request_method",'
        '"uri":"$request_uri",'
        '"status":$status,'
        '"size":$body_bytes_sent,'
        '"referer":"$http_referer",'
        '"ua":"$http_user_agent",'
        '"rt":$request_time,'
        '"uct":"$upstream_connect_time",'
        '"uht":"$upstream_header_time",'
        '"urt":"$upstream_response_time"'
    '}';
    access_log /var/log/nginx/access.log json;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript;
    # Limit zones (remove the duplicate definitions from conf.d/rate-limit.conf and
    # conf.d/advanced-lb.conf if those files are still present, otherwise nginx -t
    # reports the zone as already defined)
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    include /etc/nginx/conf.d/*.conf;
}
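The JSON log format above is what makes the access log machine-readable, and a few lines of code turn it into detection signals. The following Python analyser, added here as an example and not part of the tutorial, parses lines in exactly that layout, skips corrupt lines, splits the comma-separated `$upstream_response_time` that appears when proxy_next_upstream retried, and summarises status classes, the request-time p95, 429 counts and clients above a request threshold. The log lines are constructed for the example, not captured from a real server.

```python
import json
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the `log_format json` layout above; the last line is
# deliberately truncated to show that the parser skips it
SAMPLE_LOG = """\
{"time":"2026-04-04T10:00:00+08:00","remote":"192.168.1.10","host":"www.fgedu.net.cn","method":"GET","uri":"/","status":200,"size":512,"referer":"","ua":"curl/8.0","rt":0.012,"uct":"0.001","uht":"0.010","urt":"0.011"}
{"time":"2026-04-04T10:00:01+08:00","remote":"192.168.1.10","host":"www.fgedu.net.cn","method":"GET","uri":"/index.html","status":200,"size":512,"referer":"","ua":"curl/8.0","rt":0.020,"uct":"0.001","uht":"0.017","urt":"0.018"}
{"time":"2026-04-04T10:00:01+08:00","remote":"192.168.1.10","host":"www.fgedu.net.cn","method":"GET","uri":"/","status":429,"size":31,"referer":"","ua":"curl/8.0","rt":0.000,"uct":"-","uht":"-","urt":"-"}
{"time":"2026-04-04T10:00:02+08:00","remote":"192.168.1.20","host":"www.fgedu.net.cn","method":"POST","uri":"/login","status":502,"size":157,"referer":"","ua":"Mozilla/5.0","rt":0.260,"uct":"0.001, 0.001","uht":"-, 0.248","urt":"0.010, 0.250"}
{"time":"2026-04-04T10:00:03+08:00","remote":"192.168.1.20","host":"www.fgedu.net.cn","method":"GET","uri":"/","status":200,"size":512,"referer":"","ua":"Mozilla/5.0","rt":0.030,"uct":"0.001","uht":"0.027","urt":"0.028"}
{"time":"2026-04-04T10:00:04+08:00","remote":"192.168.1.30","host":"www.fgedu.net.cn","method":"GET","uri":"/",
"""


def parse_lines(text: str) -> Tuple[List[dict], int]:
    """Parse one JSON record per line; return (records, number of corrupt lines)."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return records, malformed


def upstream_times(field: str) -> List[float]:
    """$upstream_response_time is "-" when no upstream was contacted and a
    comma-separated list when proxy_next_upstream retried; keep the numbers."""
    out = []
    for part in field.split(","):
        part = part.strip()
        if part and part != "-":
            out.append(float(part))
    return out


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile; 0.0 for an empty list."""
    if not values:
        return 0.0
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[idx]


def analyze(text: str, talker_threshold: int = 100) -> Dict[str, object]:
    """Summarise a JSON access log into the figures an operator checks first."""
    records, malformed = parse_lines(text)
    by_remote = Counter(r["remote"] for r in records)
    classes = Counter(f"{int(r['status']) // 100}xx" for r in records)
    rt = [float(r["rt"]) for r in records]
    urt_all = [t for r in records for t in upstream_times(str(r["urt"]))]
    return {
        "total": len(records),
        "malformed": malformed,
        "status_classes": dict(classes),
        "rt_p95": percentile(rt, 95),
        "upstream_rt_max": max(urt_all) if urt_all else 0.0,
        # A comma in urt means the request was retried on another upstream
        "retried_requests": sum(1 for r in records if "," in str(r["urt"])),
        "rate_limited": sum(1 for r in records if int(r["status"]) == 429),
        # Clients with more requests than the threshold in the analysed window
        "top_talkers": sorted(ip for ip, n in by_remote.items() if n > talker_threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, talker_threshold=2).items():
        print(f"{key}: {value}")
```

Feeding the live file is a matter of `analyze(open("/var/log/nginx/access.log").read())`; the retried-request count and the 5xx class are the first places to look when the health checks in lb.conf start failing a peer, and the 429 count shows whether the api_limit zone is hitting real clients.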
# Load balancing configuration
# vi /etc/nginx/conf.d/lb.conf
upstream web_servers {
    zone web_servers 64k;
    least_conn;
    server 192.168.1.53:80 weight=3 slow_start=30s;
    server 192.168.1.54:80 weight=2 slow_start=30s;
    server 192.168.1.55:80 weight=1 backup slow_start=30s;
    keepalive 32;
}
match health_check {
    status 200;
    header Content-Type = text/html;
    body ~ "Welcome";
}
# This file owns both the port-80 redirect and the HTTPS server for
# www.fgedu.net.cn, so conf.d/ssl.conf from 8.1 must not also be present
server {
    listen 80;
    server_name www.fgedu.net.cn;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    http2 on;
    server_name www.fgedu.net.cn;
    ssl_certificate /etc/nginx/ssl/fgedu.crt;
    ssl_certificate_key /etc/nginx/ssl/fgedu.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location / {
        limit_req zone=api_limit burst=200 nodelay;
        limit_conn conn_limit 100;
        proxy_pass http://web_servers;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        health_check interval=5s fails=3 passes=2 match=health_check;
    }
}
# Status API configuration
# vi /etc/nginx/conf.d/status.conf
server {
    listen 8080;
    server_name localhost;
    location /nginx_status {
        stub_status;
        allow 192.168.1.0/24;
        deny all;
    }
    location /api {
        api write=on;
        allow 192.168.1.0/24;
        deny all;
    }
    location /dashboard {
        root /usr/share/nginx/html;
        index dashboard.html;
        allow 192.168.1.0/24;
        deny all;
    }
    # Read-only view of the same API for health state (health_check_status is not
    # an nginx directive)
    location /health_status {
        api;
        allow 192.168.1.0/24;
        deny all;
    }
}
10.2 High Availability
# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id NGINX_PLUS_MASTER
}
! killall comes from psmisc. Recent keepalived releases may refuse to run tracking
! scripts as root unless enable_script_security and script_user are set in global_defs
vrrp_script check_nginx {
    script "killall -0 nginx"
    interval 2
    weight -20
    fall 3
    rise 2
}
! Node 1 is MASTER; on node 2 use state BACKUP and a lower priority
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    ! VRRP PASS authentication is sent in clear text and keepalived uses only the
    ! first 8 characters of auth_pass, so "fgedu2026" is effectively "fgedu202"
    authentication {
        auth_type PASS
        auth_pass fgedu2026
    }
    virtual_ipaddress {
        192.168.1.100/24 dev eth0 label eth0:0
    }
    track_script {
        check_nginx
    }
}
# Start keepalived
# systemctl start keepalived
# systemctl enable keepalived
10.3 Performance Tuning in Practice
$ ab -n 100000 -c 1000 https://192.168.1.100/
# Sample output:
Server Software: nginx/1.25.3
Server Hostname: 192.168.1.100
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Concurrency Level: 1000
Time taken for tests: 10.000 seconds
Complete requests: 100000
Failed requests: 0
Requests per second: 10000.00 [#/sec] (mean)
Time per request: 100.000 [ms] (mean)
# Check the monitoring metrics
$ curl http://192.168.1.51:8080/api/5/http/upstreams/web_servers
# Sample output:
{
  "peers": [
    {
      "id": 0,
      "server": "192.168.1.53:80",
      "name": "192.168.1.53",
      "backup": false,
      "weight": 3,
      "state": "healthy",
      "active": 100,
      "requests": 50000,
      "header_time": 10,
      "response_time": 20
    }
  ],
  "keepalive": 32
}
This article was compiled and published by Fengge Tutorials for learning and testing use only; when reproducing it, cite the source: http://www.fgedu.net.cn/10327.html
