多線程架構
master進程主要用來管理worker進程,具體包括如下4個主要功能:
(1)接收來自外界的信號。
(2)向各worker進程發送信號。
(3)監控worker進程的運行狀態。
(4)當worker進程退出后(異常情況下),會自動重新啟動新的worker進程。
worker進程主要用來處理網絡事件,各個worker進程之間是對等且相互獨立的,它們同等競爭來自客戶端的請求,一個請求只可能在一個worker進程中處理,worker進程個數一般設置為機器CPU核數。
參考文獻
官方文檔 | 在線文檔
安裝 | 應用實例 | 安全實例 | Nginx限流特技
反向代理-proxy_buffering
Aiod | ngx_http_core_module-日志常用參數(shù)
安裝過程
編譯選項:
--with-http_image_filter_module=dynamic --需要GD
--with-pcre-jit
--with-file-aio
--with-http_v2_module
--with-http_realip_module
--with-http_addition_module
--with-http_xslt_module=dynamic
--with-http_sub_module
--with-http_dav_module
--with-http_flv_module
--with-http_mp4_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_slice_module
--需要pcre JIT
--with-http_geoip_module=dynamic --需要GeoIP GeoIP-devel
編譯參數 | ||
---|---|---|
--with-stream | 支持TCP代理以及負載均衡功能 | 官網(wǎng) |
錯誤記錄:參考錯誤記錄
配置文件:參考配置文件
功能:安裝nginx、編譯sticky模塊、添加service服務
#!/bin/bash
# Build nginx 1.12.2 from source with the nginx-sticky-module-ng module and
# install a SysV init script as /etc/init.d/nginx.
# The steps below install packages with yum and write under /etc, /usr and
# ${nginxdir}, so the script is meant to run as root (this is not checked).
# Globals set here and read by every later step:
#   nginxdir - download/build directory; same path as the --prefix passed to
#              ./configure further down
#   nginxver - nginx source tarball name without the .tar.gz suffix
nginxdir=/usr/local/nginx
nginxver=nginx-1.12.2
#funtion
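#######################################
# Download the SysV init script and install it as /etc/init.d/nginx.
# The script is fetched from the head of a third-party repository branch and
# installed executable as root with no integrity check; pinning the URL to a
# commit and comparing the download against a known digest would make this
# step reproducible.
# Globals:   none
# Arguments: none
# Outputs:   error text on stderr
# Returns:   0 on success; exits the script with status 1 on failure
#######################################
nginx_init () {
  local tmp
  tmp=$(mktemp) || { echo "mktemp failed." >&2; exit 1; }
  # -f makes curl fail on an HTTP error so an error page is never installed as
  # the init script; downloading to a temp file first means a partial download
  # never leaves a truncated /etc/init.d/nginx behind.
  if curl -fsSL https://raw.githubusercontent.com/mainiubaba/One/master/bash/nginx -o "$tmp"; then
    install -m 0755 -- "$tmp" /etc/init.d/nginx
    rm -f -- "$tmp"
  else
    rm -f -- "$tmp"
    echo "add /etc/init.d/nginx failed." >&2
    exit 1
  fi
}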
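# Create the build directory. -p makes the step idempotent, and a failure
# aborts now instead of letting the later cd/tar/configure run in whatever
# directory the script happened to be started from.
if [ -d "${nginxdir}" ]; then
  echo "${nginxdir} directory exists"
else
  mkdir -p -- "${nginxdir}" || { echo "mkdir ${nginxdir} failed." >&2; exit 1; }
fi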
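#yum
# Build dependencies. wget and unzip are added because the download and
# extraction steps below call them but nothing else here installs them.
# A failed install aborts the script rather than surfacing later as an
# unrelated configure error.
yum -y install wget unzip cmake make gcc gcc-c++ libevent nss zlib zlib-devel openssl openssl-devel glibc glibc-devel compat-expat1 glibc.i686 procps procmail ncurses-devel ncurses-libs ncurses-base ncurses libuuid-devel pcre pcre-devel libxslt libxml2 libxml2-devel gd-devel perl-ExtUtils-Embed perl-devel libxslt-devel || exit 1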
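#wget tar
# Start from a clean source tree: remove any previous tarball, extracted tree
# and module archive, then fetch each archive once (both branches of the old
# if/else ran the same wget). ${nginxdir:?} aborts instead of expanding to a
# bare "/" if the variable is somehow empty.
rm -f -- "${nginxdir}/${nginxver}.tar.gz" "${nginxdir}/08a395c66e42.zip"
rm -rf -- "${nginxdir:?}/${nginxver}"
# Fetched over TLS rather than plain HTTP, since the result is compiled and
# installed as root. nginx.org publishes a signature next to each tarball;
# it is not verified here.
wget -P "${nginxdir}" "https://nginx.org/download/${nginxver}.tar.gz" || exit 1
# The sticky module URL is pinned to one commit, so the archive contents are
# fixed; there is still no checksum comparison.
wget -P "${nginxdir}" https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/08a395c66e42.zip || exit 1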
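#unzip
# Extract both archives inside ${nginxdir}. The tarball name is derived from
# ${nginxver} instead of being repeated literally, and each step aborts on
# failure so a missing archive does not lead to configuring an empty tree.
cd "${nginxdir}" || exit 1
tar -zxf "${nginxver}.tar.gz" || exit 1
# -o overwrites silently on a re-run; without it unzip prompts per file.
unzip -o 08a395c66e42.zip || exit 1
# Remove any earlier copy first, otherwise mv nests the new tree inside it.
rm -rf -- "${nginxdir:?}/nginx-sticky-module"
mv nginx-goodies-nginx-sticky-module-ng-08a395c66e42 nginx-sticky-module || exit 1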
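#configure
# Configure inside the tree extracted above; the directory name comes from
# ${nginxver} so a version bump is made in one place only. A failed cd or
# configure aborts here instead of letting make run in the wrong directory.
# --user/--group name the unprivileged account the worker processes switch to;
# that account has to exist before nginx can start. Modules given "=dynamic"
# are built as loadable modules under --modules-path.
cd "${nginxdir}/${nginxver}" || exit 1
./configure \
  --prefix=/usr/local/nginx/ \
  --user=nginx \
  --group=nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
  --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
  --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
  --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
  --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
  --lock-path=/var/lock/subsys/nginx \
  --with-file-aio \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_xslt_module=dynamic \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --add-module="${nginxdir}/nginx-sticky-module" || exit 1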
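# Build and install. make install only runs when the build succeeded, and
# the init script is installed only when both succeeded. The job count
# follows the machine instead of a fixed 4.
if make -j "$(nproc)" && make install; then
  # ./configure above was given --user=nginx/--group=nginx but nothing in
  # this script created that account, so nginx could not start; create it
  # here when missing (useradd fails if the account already exists).
  id nginx >/dev/null 2>&1 || useradd -s /sbin/nologin -M nginx
  nginx_init
fi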
功能:安裝nginx、編譯sticky模塊、添加service服務、編譯modsecurity(2.9.2)模塊、添加owasp規則
#!/bin/bash
# Build nginx 1.12.2 from source with the nginx-sticky-module-ng module and
# the ModSecurity 2.9.2 standalone module, install a SysV init script as
# /etc/init.d/nginx, and deploy the OWASP core rule set under /etc/nginx.
# The steps below install packages with yum and write under /etc, /usr and
# ${nginxdir}, so the script is meant to run as root (this is not checked).
# Globals set here and read by the later steps:
#   nginxdir         - download/build directory; same path as the --prefix
#                      passed to ./configure further down
#   nginxver         - nginx source tarball name without the .tar.gz suffix
#   modsecurity_path - where modsecurity.conf and the CRS checkout are placed
nginxdir=/usr/local/nginx
nginxver=nginx-1.12.2
modsecurity_path=/etc/nginx
# funtion
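#######################################
# Download the SysV init script and install it as /etc/init.d/nginx.
# The script is fetched from the head of a third-party repository branch and
# installed executable as root with no integrity check; pinning the URL to a
# commit and comparing the download against a known digest would make this
# step reproducible.
# Globals:   none
# Arguments: none
# Outputs:   error text on stderr
# Returns:   0 on success; exits the script with status 1 on failure
#######################################
nginx_init () {
  local tmp
  tmp=$(mktemp) || { echo "mktemp failed." >&2; exit 1; }
  # -f makes curl fail on an HTTP error so an error page is never installed as
  # the init script; downloading to a temp file first means a partial download
  # never leaves a truncated /etc/init.d/nginx behind.
  if curl -fsSL https://raw.githubusercontent.com/guaiguaile/One/master/bash/nginx -o "$tmp"; then
    install -m 0755 -- "$tmp" /etc/init.d/nginx
    rm -f -- "$tmp"
  else
    rm -f -- "$tmp"
    echo "add /etc/init.d/nginx failed." >&2
    exit 1
  fi
}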
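# Create the build directory. -p makes the step idempotent, and a failure
# aborts now instead of letting the later cd/tar/configure run in whatever
# directory the script happened to be started from.
if [ -d "${nginxdir}" ]; then
  echo "${nginxdir} directory exists"
else
  mkdir -p -- "${nginxdir}" || { echo "mkdir ${nginxdir} failed." >&2; exit 1; }
fi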
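# yum
# Build dependencies for nginx and its modules (wget/unzip are used by the
# download and extraction steps below). A failed install aborts the script
# rather than surfacing later as an unrelated configure error.
yum -y install wget unzip cmake make gcc gcc-c++ libevent nss zlib zlib-devel openssl openssl-devel glibc glibc-devel compat-expat1 glibc.i686 procps procmail ncurses-devel ncurses-libs ncurses-base ncurses libuuid-devel pcre pcre-devel libxslt libxml2 libxml2-devel gd-devel perl-ExtUtils-Embed perl-devel libxslt-devel || exit 1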
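# wget tar
# Start from a clean source tree: remove any previous tarball, extracted tree
# and module archive, then fetch each archive once (both branches of the old
# if/else ran the same wget). ${nginxdir:?} aborts instead of expanding to a
# bare "/" if the variable is somehow empty.
rm -f -- "${nginxdir}/${nginxver}.tar.gz" "${nginxdir}/08a395c66e42.zip"
rm -rf -- "${nginxdir:?}/${nginxver}"
# Fetched over TLS rather than plain HTTP, since the result is compiled and
# installed as root. nginx.org publishes a signature next to each tarball;
# it is not verified here.
wget -P "${nginxdir}" "https://nginx.org/download/${nginxver}.tar.gz" || exit 1
# wget sticky
# The sticky module URL is pinned to one commit, so the archive contents are
# fixed; there is still no checksum comparison.
wget -P "${nginxdir}" https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/08a395c66e42.zip || exit 1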
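# unzip
# Extract both archives inside ${nginxdir}. The tarball name is derived from
# ${nginxver} instead of being repeated literally, and each step aborts on
# failure so a missing archive does not lead to configuring an empty tree.
cd "${nginxdir}" || exit 1
tar -zxf "${nginxver}.tar.gz" || exit 1
# -o overwrites silently on a re-run; without it unzip prompts per file.
unzip -o 08a395c66e42.zip || exit 1
# Remove any earlier copy first, otherwise mv nests the new tree inside it.
rm -rf -- "${nginxdir:?}/nginx-sticky-module"
mv nginx-goodies-nginx-sticky-module-ng-08a395c66e42 nginx-sticky-module || exit 1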
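# install modsecurity2.9.2
# Build the ModSecurity 2.x standalone module that ./configure below pulls in
# with --add-module=${nginxdir}/mod_security/nginx/modsecurity. Every step
# aborts the script on failure; the old code skipped this whole section when
# the preceding mv had failed and then let ./configure fail on the missing
# --add-module path.
echo "Install modsecurity2"
yum install -y git gcc make automake autoconf libtool || exit 1
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel || exit 1
# Clone into a fresh directory so a stale checkout cannot be reused. The tag
# checkout pins the version; a tag can be moved, so a commit id would be the
# stronger pin.
rm -rf -- "${nginxdir:?}/mod_security"
git clone https://github.com/SpiderLabs/ModSecurity.git "${nginxdir}/mod_security" || exit 1
cd "${nginxdir}/mod_security" || exit 1
git checkout v2.9.2 || exit 1
# Only the execute bit is needed to run the script; 777 would also make it
# world-writable.
chmod u+x autogen.sh
./autogen.sh || exit 1
./configure --enable-standalone-module || exit 1
make || exit 1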
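# configure
# Configure inside the tree extracted above; the directory name comes from
# ${nginxver} so a version bump is made in one place only. A failed cd or
# configure aborts here instead of letting make run in the wrong directory.
# --user/--group name the unprivileged account the worker processes switch to;
# that account has to exist before nginx can start. Modules given "=dynamic"
# are built as loadable modules under --modules-path. The last --add-module
# points at the nginx connector inside the ModSecurity checkout built above.
cd "${nginxdir}/${nginxver}" || exit 1
./configure \
  --prefix=/usr/local/nginx/ \
  --user=nginx \
  --group=nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
  --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
  --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
  --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
  --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
  --lock-path=/var/lock/subsys/nginx \
  --with-file-aio \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_xslt_module=dynamic \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --add-module="${nginxdir}/nginx-sticky-module" \
  --add-module="${nginxdir}/mod_security/nginx/modsecurity" || exit 1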
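# Build and install. make install only runs when the build succeeded, and
# the post-install steps only when both succeeded. The job count follows the
# machine instead of a fixed 4.
if make -j "$(nproc)" && make install; then
  nginx_init
  # Create the unprivileged account named by --user/--group above (it is
  # "nginx", not "nobody"). useradd fails if the account already exists, so
  # skip it on a re-run.
  id nginx >/dev/null 2>&1 || useradd -s /sbin/nologin -M nginx
  # Syntax-check the installed default configuration.
  nginx -t
fi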
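# install modsecurity owasp
# Fetch the OWASP core rule set and copy it under ${modsecurity_path}.
# This is an unpinned clone of the default branch, so the rule set that gets
# installed depends on when the script runs; pin a release tag for
# reproducible deployments.
cd "${nginxdir}" || exit 1
rm -rf -- "${nginxdir:?}/owasp-modsecurity-crs"
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git || exit 1
cp -r owasp-modsecurity-crs/ "${modsecurity_path}" || exit 1
cp "${modsecurity_path}/owasp-modsecurity-crs/crs-setup.conf.example" "${modsecurity_path}/owasp-modsecurity-crs/crs-setup.conf" || exit 1
# deploy modsecurity
# The recommended config and unicode.mapping come from the ModSecurity
# checkout built earlier under ${nginxdir}/mod_security (referenced through
# the variable rather than a second hard-coded /usr/local/nginx path).
cp -r "${nginxdir}"/mod_security/{modsecurity.conf-recommended,unicode.mapping} "${modsecurity_path}" || exit 1
cp "${modsecurity_path}/modsecurity.conf-recommended" "${modsecurity_path}/modsecurity.conf" || exit 1
# Switch the engine from DetectionOnly (log only) to blocking mode.
if sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine on/' "${modsecurity_path}/modsecurity.conf"; then
  # id:1234 is a smoke-test rule: a request whose testparam argument contains
  # "test" is answered with 403, which shows the engine is active.
  # NOTE(review): only crs-setup.conf is included here; confirm whether the
  # rule files under owasp-modsecurity-crs/rules/ also need an Include line
  # for the rule set to take effect, and that the relative Include path is
  # resolved against ${modsecurity_path} by this nginx build.
  cat >> "${modsecurity_path}/modsecurity.conf" << 'EOF'
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered !!!197-test-196!!!'"
Include owasp-modsecurity-crs/crs-setup.conf
EOF
fi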
# Print the manual follow-up steps (enable the module in nginx.conf, reload,
# verify). A quoted here-document keeps the text literal exactly as the
# original echo did; the leading and trailing blank lines are part of it.
cat <<'EOF'

#############################
# #1. nginx開啟ModSecurity
# ...
# location / {
# root html;
# # 開啟ModSecurity
# ModSecurityEnabled on;
# # 選擇ModSecurity配置文件
# ModSecurityConfig /etc/nginx/modsecurity.conf;
# index index.html index.htm;
# }
# ...
# #2. 測試
# #第一:重啟nginx
# nginx -s reload &
# #第二:使用nikto測試owasp 核心規(guī)則是否生效
# #Nikto掃描工具生成惡意請求,包括針對已知易受攻擊的文件燕偶,跨站點腳本(XSS)和其他類型的攻擊的探測喝噪。
# #該工具還會報告?zhèn)鬟f給應用程序的請求,從而揭示應用程序中的潛在漏洞指么。
# git clone https://github.com/sullo/nikto
# cd nikto
# perl program/nikto.pl -h http://localhost
# #可以通過日志進行驗證
# cat /var/log/modsec_audit.log
#############################

EOF
Centos7 systemctl.service
# stat /usr/lib/systemd/system/nginx.service
文件:"/usr/lib/systemd/system/nginx.service"
權限:(0644/-rw-r--r--) Uid:( 0/ root) Gid:( 0/ root)
[Unit]
# systemd unit for the nginx built by the scripts above: the binary, config
# and pid-file paths below are the --sbin-path, --conf-path and --pid-path
# values given to ./configure there.
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
# Order after networking, remote filesystems and name resolution; Wants pulls
# in network-online.target without failing this unit if it is unavailable.
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
# The nginx master daemonizes, so systemd tracks it through the pid file.
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
# HUP makes the master re-read its configuration; TERM asks it for a fast
# shutdown (QUIT would be the graceful variant).
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target