Nginx Overview
Nginx is a lightweight HTTP server. It consists of a single master process and multiple worker processes. All of these processes are single-threaded and designed to handle thousands of connections concurrently; Nginx uses the operating system's event mechanisms to respond to those requests quickly.
The Nginx master process is responsible for reading the configuration file, handling sockets, spawning worker processes, opening log files and compiling embedded Perl scripts.
The Nginx worker processes run a busy event loop that handles incoming connections. Every Nginx module is built into the worker, so request handling, filtering, proxied connections and everything else happen inside the worker processes.
# nginx running inside Docker
root 3699 3675 0 2018 ? 00:00:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx
systemd+ 3770 3699 0 2018 ? 00:16:35 nginx: worker process
systemd+ 3771 3699 0 2018 ? 00:17:19 nginx: worker process
systemd+ 3772 3699 0 2018 ? 00:15:19 nginx: worker process
systemd+ 3773 3699 0 2018 ? 00:24:05 nginx: worker process
systemd+ 3774 3699 0 2018 ? 00:01:45 nginx: cache manager process
Nginx Container Instance
To make scaling and migration easy, the company's nginx instances all run in Docker. The Docker version of nginx can be migrated with a single command and restarts automatically, which effectively acts as a process supervisor.
The official nginx image does not support SSL, and current browsers flag non-HTTPS sites as insecure, so HTTPS support is essential. This article makes some modifications on top of the marvambass/nginx-ssl-secure image to meet our needs; the image can be pulled from https://hub.docker.com/r/cbbing/nginx-ssl-secure
Hands-on
The docker-compose.yml file
Below is the most common Docker configuration for running nginx. It exposes ports 80 and 443, i.e. HTTP and HTTPS.
version: '2.1'
services:
  nginx:
    image: cbbing/nginx-ssl-secure
    volumes:
      - ./conf/conf.d/cer:/etc/nginx/external
      - ./conf/conf.d:/etc/nginx/conf.d
      - /mydata/logs/nginx_logs:/var/log/nginx
    ports:
      # quoted so YAML cannot read HOST:CONTAINER as a base-60 number
      - "80:80"
      - "443:443"
    restart: always
Notes:
- The conf configuration is read from /etc/nginx/conf.d, mapped to the conf/conf.d folder on the host
- The cer certificates are read from /etc/nginx/external, mapped to the conf/conf.d/cer folder on the host
- Log files are mapped to /mydata/logs/nginx_logs on the host
- restart is set to always, which acts as a process supervisor: if the container dies it is restarted automatically.
conf configuration
What you deal with most in day-to-day work is the conf files and hot reloading.
A typical conf file looks like this:
upstream xxx_api {
    server 10.105.10.1:992; # api03
}
server {
    listen 80;
    server_name api.xxx.com;
    client_max_body_size 50M;
    location / {
        add_header X-Cache-Status $upstream_cache_status;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 500s;
        proxy_read_timeout 500s;
        proxy_send_timeout 500s;
        proxy_pass http://xxx_api;
    }
    access_log /var/log/nginx/xxx_api_http.log main;
}
server {
    listen 443;
    server_name api.xxx.com;
    ssl on; # deprecated since nginx 1.15.0; newer builds use "listen 443 ssl;" instead
    ssl_certificate conf.d/cer/1_api.xxx.com_bundle.crt;
    ssl_certificate_key conf.d/cer/2_api.xxx.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # configure the protocols as shown
    # note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); builds that support it should use TLSv1.2 TLSv1.3
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # configure the cipher suites as shown
    ssl_prefer_server_ciphers on;
    client_max_body_size 50M;
    location / {
        add_header X-Cache-Status $upstream_cache_status;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 500s;
        proxy_read_timeout 500s;
        proxy_send_timeout 500s;
        proxy_pass http://xxx_api;
    }
    access_log /var/log/nginx/xxx_api_https.log main;
}
The first part, upstream, lets you define multiple backend servers and implement load balancing with strategies such as IP hash, least connections, round robin, weighted round robin and primary/backup.
The second part, server, is the configuration for a domain: the port, the specific domain name, and the forwarding settings inside location.
The third part, log, is the path where logs are stored. The log format is defined in nginx.conf:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status [$request_body] $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
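This `main` format writes `$request_body` to the access log, so whatever a client POSTs (login forms included) lands on disk in plaintext under /var/log/nginx. As an added example that is not part of the original post, the Python below parses lines in exactly this format and flags entries whose logged body carries a credential-looking field; the sample lines and the list of sensitive parameter names are constructed for the demo.

```python
import re
from collections import Counter
from typing import Optional

# Regex for the page's `log_format main`. $request_body is logged inside [...]
# and may contain spaces or quotes, so it is matched greedily and the trailing
# fields are anchored to the end of the line.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \[(?P<request_body>.*)\] '
    r'(?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_user_agent>[^"]*)" "(?P<http_x_forwarded_for>[^"]*)"$')
# Constructed list of parameter names whose presence in a logged body means a credential hit disk.
SENSITIVE_KEY = re.compile(r'(?i)(?:^|[&?\s{"])(password|passwd|pwd|token|secret|api_key)"?\s*[=:]')

# Constructed sample lines in the page's log format (not real traffic).
SAMPLE_LOG = """\
10.105.10.1 - - [05/Mar/2019:10:12:33 +0800] "GET /v1/items HTTP/1.1" 200 [-] 512 "-" "curl/7.61" "-"
10.105.10.2 - - [05/Mar/2019:10:12:40 +0800] "POST /v1/login HTTP/1.1" 200 [username=alice&password=s3cret] 88 "-" "Mozilla/5.0" "203.0.113.7"
10.105.10.3 - - [05/Mar/2019:10:12:41 +0800] "POST /v1/login HTTP/1.1" 502 [{"user": "bob", "token": "abc"}] 0 "-" "python-requests/2.21" "-"
garbage line that does not match the format
"""

def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    return rec

def audit(log_text: str) -> dict:
    """Count status classes and list requests whose logged body holds a credential."""
    statuses, leaks, unparsed = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        statuses[rec["status"] // 100 * 100] += 1
        if rec["request_body"] != "-" and SENSITIVE_KEY.search(rec["request_body"]):
            leaks.append((rec["remote_addr"], rec["request"]))
    return {"status_classes": dict(statuses), "credential_leaks": leaks, "unparsed": unparsed}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```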
You can also define only the 443 server and redirect port 80 to it as follows:
server {
    listen 80;
    server_name api.xxx.com;
    rewrite ^/(.*) https://api.xxx.com/$1 permanent;
}
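Added example, not from the original post: a small Python check that scans a conf excerpt like the one above for the settings a reviewer would flag today, namely `ssl_protocols` still enabling TLSv1 and TLSv1.1, `ssl on;` (deprecated since nginx 1.15.0 in favour of `listen 443 ssl;`), and `$request_body` in `log_format`. The embedded conf is a constructed copy of a few of the page's own directives, and the suggested replacements are mine.

```python
import re
# Constructed excerpt of the page's api.xxx.com server block plus the
# log_format from nginx.conf (sample input, not a live configuration).
SAMPLE_CONF = """\
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # configure the protocols as shown
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status [$request_body] $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
"""
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z_]+)\s+(.*?)\s*;\s*$')
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf: str):
    """Yield (line_no, name, args) per directive: strip # comments, skip block braces, join multi-line directives."""
    buf, start = "", 0
    for no, raw in enumerate(conf.splitlines(), 1):
        s = raw.split("#", 1)[0].strip()
        if not s:
            continue
        if s.endswith("{") or s == "}":   # block open/close, not a directive
            buf = ""
            continue
        if not buf:
            start = no
        buf += " " + s
        if s.endswith(";"):
            m = DIRECTIVE_RE.match(buf)
            if m:
                yield start, m.group(1), m.group(2)
            buf = ""

def audit_conf(conf: str) -> list:
    """Return (line_no, finding, suggested directive) for the weak settings shown on this page."""
    findings = []
    for no, name, args in directives(conf):
        if name == "ssl_protocols":
            old = [p for p in args.split() if p in DEPRECATED_TLS]
            if old:
                findings.append((no, "ssl_protocols enables " + " ".join(old), "ssl_protocols TLSv1.2 TLSv1.3;"))
        elif name == "ssl" and args == "on":
            findings.append((no, "'ssl on' is deprecated since nginx 1.15.0", "listen 443 ssl;"))
        elif name == "log_format" and "$request_body" in args:
            findings.append((no, "access log stores full request bodies", "remove $request_body from log_format"))
    return findings
```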
API Gateway
A mature API gateway covers the following aspects:
API management, which includes:
- Definition and publishing
- Security
- Traffic control
- Continuous monitoring and maintenance
- API analytics
Load balancing
upstream api {
    least_conn;
    server 10.105.19.5:891;
    server 10.105.19.5:892;
    server 10.105.19.5:893;
    server 10.105.19.5:894;
}
Four API services are running here, and requests are dispatched to them with the least-connections strategy.
[root@VM_196_57_centos ~]# docker ps
2c8792e403bf "/bin/sh -c 'gunic..." 3 days ago Up 3 days 0.0.0.0:891->8000/tcp p891_api_1
2c8792e403ba "/bin/sh -c 'gunic..." 3 days ago Up 3 days 0.0.0.0:892->8000/tcp p892_api_1
2c8792e403bb "/bin/sh -c 'gunic..." 3 days ago Up 3 days 0.0.0.0:893->8000/tcp p893_api_1
2c8792e403bc "/bin/sh -c 'gunic..." 3 days ago Up 3 days 0.0.0.0:894->8000/tcp p894_api_1
Static web server
Static file configuration demo.conf
server {
    listen 80;
    server_name www.xxx.com;
    location / {
        root /home/demo;
        index login.html;
    }
    access_log /var/log/nginx/demo_http.log main;
}
server {
    listen 443;
    server_name www.xxx.com;
    ssl on;
    ssl_certificate conf.d/cer/1_www.xxx.com_bundle.crt;
    ssl_certificate_key conf.d/cer/2_www.xxx.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # configure the protocols as shown
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # configure the cipher suites as shown
    ssl_prefer_server_ciphers on;
    client_max_body_size 50M;
    location / {
        root /home/demo;
        index login.html;
    }
    access_log /var/log/nginx/demo_https.log main;
}
This configuration uses /home/demo as the static file directory. Since /home/demo is a path inside the container, it has to be mapped to the host directory /mydata/demo so that the content can be updated on the fly.
version: '2.1'
services:
  nginx:
    image: cbbing/nginx-ssl-secure
    volumes:
      - ./conf/conf.d/cer:/etc/nginx/external
      - ./conf/conf.d:/etc/nginx/conf.d
      - /mydata/logs/nginx_logs:/var/log/nginx
      - /mydata/demo:/home/demo
    ports:
      - "80:80"
      - "443:443"
Hot reloading
After updating a conf file, run nginx -t first to check for syntax errors; once it passes, run nginx -s reload to reload the configuration file, which achieves hot deployment.
Nginx hot reloads by letting the old workers finish what they are handling before killing them, and starting new workers with the updated configuration.
[root@VM_231_16_centos ~]# docker exec -it nginxnew_nginx_1 nginx -t
nginx: [emerg] duplicate upstream "myweb" in /etc/nginx/conf.d/power.xxx.conf:3
nginx: configuration file /etc/nginx/nginx.conf test failed
[root@VM_231_16_centos ~]# docker exec -it nginxnew_nginx_1 nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@VM_231_16_centos ~]# docker exec -it nginxnew_nginx_1 nginx -s reload