
Nginx核心知识100讲 第三部分课件


HTTP

/
main
http {
upstream { … }
split_clients {…}
map {…}
geo {…}
server {
if () {…}
location {
limit_except {…}
}
location {
location {
}
}
}
server {
}
}
Context

Syntax: log_format name [escape=default|json|none] string ...;


Default: log_format combined "...";
Context: http

access_log path [format [buffer=size] [gzip[=level]] [flush=time] [if=condition]];


Syntax:
access_log off;
Default: access_log logs/access.log combined;
Context: http, server, location, if in location, limit_except




• rewrite
• root
• proxy_pass
• access_log

• gzip
• server_rewrite
• rewrite
• content
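# Static-file server showing how root and access_log set inside a location
# override the values set at server level.
server {
    listen 8080;
    root /home/geek/nginx/html;
    # The "main" format has to be declared with log_format at http level (not shown here).
    access_log logs/geek.access.log main;

    location /test {
        # root is prepended to the full URI, so /test/x is read from
        # /home/geek/nginx/test/test/x.
        root /home/geek/nginx/test;
        # An access_log at this level replaces the inherited one for these requests.
        access_log logs/access.test.log main;
    }

    # The prefix ends in "/" so that it lines up with the alias path. With
    # "location /dlib" (no slash) the part of the URI after the prefix is appended
    # to "dlib/" as-is, so a request whose path merely starts with /dlib could be
    # resolved to a file outside the dlib directory.
    location /dlib/ {
        alias dlib/;
    }

    location / {
    }
}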
HTTP

server http server


• char *(*merge_srv_conf)(ngx_conf_t *cf, void *prev, void *conf);

• char *(*merge_loc_conf)(ngx_conf_t *cf, void *prev, void *conf);


Listen
listen address[:port] [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size]
[sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size]
Syntax:
[accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen unix:path [default_server] [ssl] [http2 | spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred]
[bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

Default: listen *:80 | *:8000;


Context: server

# Sample forms of the listen directive; each line is a separate example.
# UNIX-domain socket instead of a TCP port.
listen unix:/var/run/nginx.sock;
# Loopback address only, port 8000: not reachable from other hosts.
listen 127.0.0.1:8000;
# Address without a port: port 80 is used.
listen 127.0.0.1;
# Port without an address: every local address is accepted.
listen 8000;
# Explicit wildcard address, port 8000.
listen *:8000;
# Host name plus the bind parameter (a separate bind() call for this address:port pair).
listen localhost:8000 bind;
# IPv6 wildcard address; ipv6only=on keeps the socket from also accepting IPv4.
listen [::]:8000 ipv6only=on;
# IPv6 loopback address, default port.
listen [::1];
SYN

SYN+ACK CPU
worker
ACK epoll_wait

accept

ngx_http_init_connection
connection_pool_size: epoll_ctl
512

client_header_timeout: 60s
DATA

ACK
epoll_wait ngx_http_wait_request_handler read

client_header_buffer_size:1k
HTTP
URI
header

header

request_pool_size:4k

large_client_header_buffers:4 8k

header

large_client_header_buffers:4 8k

client_header_timeout: 60s
11 http
URI
Syntax: client_header_buffer_size size;

Default: client_header_buffer_size 1k;


Context: http, server

Syntax: large_client_header_buffers number size;

Default: large_client_header_buffers 4 8k;


Context: http, server
.
*
\w
+
\s
?
\d
{n} n
\b
{n,} n
^
{n,m} n m
$
) (
(

url /admin/website/article/35/change/uploads/party/5.jpg
url /static/uploads/party/5.jpg

url
/^\/admin\/website\/article\/(\d+)\/change\/uploads\/(\w+)\/(\w+)\.(png|jpg|gif|jpeg|b
mp)$/

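# Map an upload URL under the admin path to its static location.
# Captures: $1 = numeric id, $2 = directory, $3 = file name, $4 = extension.
# Four groups are needed because the replacement uses $2, $3 and $4; the
# directory and file name are limited to \w characters and the extension to the
# listed image types, so nothing else from the request reaches the new path.
rewrite ^/admin/website/solution/(\d+)/change/uploads/(\w+)/(\w+)\.(png|jpg|gif|jpeg|bmp)$
        /static/uploads/$2/$3.$4 last;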
server_name
0
Syntax server_name_in_redirect on | off;
Default server_name_in_redirect off;
Context http, server, location

3 2

server_name *.taohui.tech

1 *
server_name www.taohui.tech ~^www\d+\.taohui\.tech$;
server_name
0 (4 )

server { server {
server_name ~^(www\.)?(.+)$; server_name ~^(www\.)?(?<domain>.+)$;
location / { root /sites/$2; } location / { root /sites/$domain; }
} }

• .taohui.tech taohui.tech *.taohui.tech


• _
• Host
Server 5

21 5

01 * 0

05 02 * 0

0 5 34
04 03
default server
• 1
• listen default
HTTP 11
POST_READ realip

SERVER_REWRITE rewrite

FIND_CONFIG

REWRITE rewrite
POST_REWRITE

PREACCESS limit_conn, limit_req

ACCESS auth_basic, access, auth_request

POST_ACCESS

PRECONTENT try_files

CONTENT index, autoindex, concat


LOG access_log
11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
IP

01 TCP src ip,src port, dst ip,dst port IP 192.168.0.x

02 HTTP X-Forwarded-For IP ADSL


IP 115.204.33.1

03 HTTP X-Real-IP IP
CDN
X-Forwarded-For 115.204.33.1 IP 1.1.1.1
04 X-Real-IP 115.204.33.1

IP 2.2.2.2
X-Forwarded-For 115.204.33.1 1.1.1.1
X-Real-IP 115.204.33.1

Nginx 115.204.33.1
remote_addr 2.2.2.2
IP

binary_remote_addr remote_addr

IP limit_conn
realip

Nginx
• --with-http_realip_module

• set_real_ip_from
• real_ip_header
• real_ip_recursive

• realip_remote_addr
• realip_remote_port
realip

Syntax: set_real_ip_from address | CIDR | unix:;


Default: —
Context: http, server, location

Syntax: real_ip_header field | X-Real-IP | X-Forwarded-For | proxy_protocol;


Default: real_ip_header X-Real-IP;
Context: http, server, location

Syntax: real_ip_recursive on | off;


Default: real_ip_recursive off;
Context: http, server, location
11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
Rewrite return

• Nginx

return code [text]; • 444


Syntax: return code URL; • HTTP 1.0
return URL;
• 301 http1.0
Default: —
Context: server, location, if • 302

• HTTP 1.1

• 303

• 307

• 308
return

server {
server_name return.taohui.tech;
listen 8080;
server location
return
root html/;
error_page 404 /403.html;
return 403; return error_page
location /{
return 404 "find nothing!";
}
}
rewrite return error_page

1. error_page 404 /404.html;


2. error_page 500 502 503 504 /50x.html;
3. error_page 404 =200 /empty.gif;
4. error_page 404 = /404.php;
Syntax: error_page code ... [=[response]] uri;
5. location / {
Default: —
error_page 404 = @fallback;
Context: http, server, location, if in location
}
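# Named location: not matched against request URIs, only reached through an
# internal redirect such as "error_page 404 = @fallback;".
location @fallback {
    # "backend" is presumably an upstream group or host name defined elsewhere.
    proxy_pass http://backend;
}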
6. error_page 403 http://example.com/forbidden.html;
7. error_page 404 =301 http://example.com/notfound.html;
rewrite rewrite
Syntax: rewrite regex replacement [flag];
Default: —
Context: server, location, if

• regex url replacement url


--
• replacement http:// https:// $scheme 302
• url flag
--last replacement URI location
--break break break
--redirect 302
--permanent 301
rewrite
html/first/
root html/; └── 1.txt
location /first { html/second/
rewrite /first(.*) /second$1 last; └── 2.txt
return 200 'first!'; html/third/
} └── 3.txt

location /second {
rewrite /second(.*) /third$1 break;
return 200 'second!'; . / 3
}
2 2

location /third { 3
return 200 'third!'; 3
}
rewrite
# Strips the /redirect1 prefix and answers with a 301 redirect (the "permanent"
# flag) to whatever follows it.
# NOTE(review): the redirect target is taken entirely from the request URI;
# confirm that is intended before reusing this pattern outside a demo.
location /redirect1 {
rewrite /redirect1(.*) $1 permanent;
}
/redirect1/index.html
location /redirect2 {
rewrite /redirect2(.*) $1 redirect;
} 2 3 4

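# A replacement that starts with "http://" ends rewrite processing and is
# returned to the client as a redirect; without a flag the status is 302.
# The host is fixed; only the path ($1) comes from the request.
location /redirect3 {
    rewrite /redirect3(.*) http://rewrite.taohui.tech$1;
}

# Same redirect, but the "permanent" flag makes it a 301.
location /redirect4 {
    rewrite /redirect4(.*) http://rewrite.taohui.tech$1 permanent;
}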
rewrite error

Syntax: rewrite_log on | off;

Default: rewrite_log off;

Context: http, server, location, if


rewrite if

Syntax: if (condition) { ... }


Default: —
Context: server, location
if
01 0

02 = !=

03

• ~ !~
• ~* !~*

04 -f !-f

05 -d !-d

06 -e !-e

07 -x !-x
# Case-sensitive regex match (~) on the User-Agent header: matching requests are
# rewritten under /msie/, and "break" stops further rewrite directives here.
if ($http_user_agent ~ MSIE) {
rewrite ^(.*)$ /msie/$1 break;
}
# Case-insensitive regex match (~*) on the Cookie header: the text after "id="
# up to the next ';' is captured and stored in $id.
# Both headers are supplied by the client, so neither branch nor $id should be
# treated as trusted input.
if ($http_cookie ~* "id=([^;]+)(?:;|$)") {
set $id $1;
}

if if ($request_method = POST) {
return 405;
}
# A bare variable is false when it is empty or "0". $slow is not set in this
# snippet; it is presumably defined elsewhere (for example with set or map).
if ($slow) {
limit_rate 10k;
}
# $invalid_referer is set by the valid_referers directive. The Referer header is
# chosen by the client, so this check discourages hot-linking but is not an
# access control.
if ($invalid_referer) {
return 403;
}
11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
location

location [ = | ~ | ~* | ^~ ] uri { ... }


Syntax:
location @name { ... }
Default: —
Context: server, location

Syntax: merge_slashes on | off;


Default: merge_slashes on;
Context: http, server
location URI


• =
/ • ^~
• merge_slashes on

• ~
location
• ~*
• @
location ~ /Test1/$ {
return 200 'first regular expressions match!';
}

location ~* /Test1/(\w+)$ {
return 200 'longest regular expressions match!';
}

location ^~ /Test1/ {
/Test1 return 200 'stop regular expressions match!';
}
/Test1/
location /Test1/Test2 {
return 200 'longest prefix string match!';
/Test1/Test2 }

/Test1/Test2/ location /Test1 {


return 200 'prefix string match!';
/test1/Test2 }

location = /Test1 {
return 200 'exact match!';
}
location
location

= ^~

= location ^~ location

location

nginx.conf location

location
11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
ngx_http_limit_conn_module

Ø NGX_HTTP_PREACCESS_PHASE

Ø http_limit_conn_module

Ø nginx --without-http_limit_conn_module

• worker

• preaccess

• key postread realip ip


limit_conn

2 0 key
Syntax: limit_conn_zone key zone=name:size;
Default: —
Context: http

1
Syntax: limit_conn zone number;
Default: —
Context: http, server, location
limit_conn

Syntax: limit_conn_log_level info | notice | warn | error;


Default: limit_conn_log_level error;
Context: http, server, location

Syntax: limit_conn_status code;


Default: limit_conn_status 503;
Context: http, server, location
ngx_http_limit_req_module

Ø NGX_HTTP_PREACCESS_PHASE

Ø http_limit_req_module

Ø nginx --without-http_limit_req_module

Ø leaky bucket

• worker

• preaccess

• key postread realip ip


limit_req

Syntax: limit_req_zone key zone=name:size rate=rate ;


Default: —
Context: http
• rate r/s r/m

Syntax: limit_req zone=name [burst=number] [nodelay];


Default: —
Context: http, server, location
• burst 0
• nodelay burst
limit_req

Syntax: limit_req_log_level info | notice | warn | error;


Default: limit_req_log_level error;
Context: http, server, location

Syntax: limit_req_status code;


Default: limit_req_status 503;
Context: http, server, location
limit_req limit_conn

nodelay
11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
IP

Syntax: allow address | CIDR | unix: | all;


Default: — location / {

Context: http, server, location, limit_except deny 192.168.1.1;


allow 192.168.1.0/24;
allow 10.1.1.0/16;
Syntax: deny address | CIDR | unix: | all;
allow 2001:0db8::/32;
Default: —
deny all;
Context: http, server, location, limit_except
}
RFC2617 HTTP Basic Authentication

Nginx
GET / HTTP/1.1
auth_basic

HTTP Basic Authentication


Nginx:
--without-http_auth_basic_module disable ngx_http_auth_basic_module

Syntax: auth_basic string | off;


Default: auth_basic off;
Context: http, server, location, limit_except

Syntax: auth_basic_user_file file;


Default: —
Context: http, server, location, limit_except
Nginx

htpasswd
# comment
name1:password1
name2:password2:comment httpd-tools
name3:password3 htpasswd -c file -b user pass
auth_request

2xx
401 403 Syntax: auth_request uri | off;
Default: auth_request off;
Context: http, server, location

Syntax: auth_request_set $variable value;


Default: —

Nginx Context: http, server, location


--with-http_auth_request_module
access satisfy
access

Syntax: satisfy all | any;


Default: satisfy all;
Context: http, server, location

satisfy satisfy
access
• access
all any
• auth_basic
any all
• auth_request
• access access
2 return access

1 access 5 43

ngx_modules.c location /{
satisfy any;
• &ngx_http_auth_request_module, auth_basic "test auth_basic";
• &ngx_http_auth_basic_module, auth_basic_user_file examples/auth.pass;
deny all;
• &ngx_http_access_module,
}

2 deny all auth_basic 2 allow all 3


11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
precontent try_files

try_files file ... uri;


Syntax:
try_files file ... =code;
Default: — ngx_http_try_files_module
Context: server, location

url root alias

URL code
precontent mirror

ngx_http_mirror_module
Nginx
--without-http_mirror_module

Syntax: mirror uri | off;


Default: mirror off;
Context: http, server, location

Syntax: mirror_request_body on | off;


Default: mirror_request_body on;
Context: http, server, location
content root alias

Syntax: alias path; Syntax: root path;


Default: — Default: root html;
Context: location Context: http, server, location, if in location

url root url

alias location
URL
location /root {
root html;
}
html/first/
└── 1.txt location /alias {
alias html;
}
URL
location ~ /root/(\w+\.txt) {
/root root html/first/$1;
}
/alias
location ~ /alias/(\w+\.txt) {
/root/1.txt
alias html/first/$1;
/alias/1.txt }
/RealPath/1.txt

location /RealPath/ { realpath_root


alias html/realpath/;
document_root document_root
I
request_filename
/
content-type

Syntax: types { ... }


Default: types { text/html html; image/gif gif; image/jpeg jpg; }
Context: http, server, location
Syntax: default_type mime-type;
Default: default_type text/plain;
Context: http, server, location
Syntax: types_hash_bucket_size size;
Default: types_hash_bucket_size 64;
Context: http, server, location

Syntax: types_hash_max_size size;


Default: types_hash_max_size 1024;
Context: http, server, location
Syntax: log_not_found on | off;
Default: log_not_found on;
Context: http, server, location

[error] 10156#0: *10723 open() "/html/first/2.txt/root/2.txt" failed (2: No such file or directory)
URL /

static root/alias
URL / 301
Syntax: server_name_in_redirect on | off;
Default: server_name_in_redirect off;
Context: http, server, location

Syntax: port_in_redirect on | off;


Default: port_in_redirect on;
Context: http, server, location

Syntax: absolute_redirect on | off;


Default: absolute_redirect on;
Context: http, server, location
/ content index

/ index

ngx_http_index_module

Syntax: index file ...;


Default: index index.html;
Context: http, server, location
index.html content autoindex

index index
/

ngx_http_index_module Syntax: random_index on | off;


Nginx Default: random_index off;
--with-http_random_index_module Context: location
content autoindex

URL /
ngx_http_index_module
html/xml/json/jsonp
Nginx
root/alias
--without-http_autoindex_module
autoindex
Syntax: autoindex on | off;
Default: autoindex off;
Context: http, server, location
Syntax: autoindex_exact_size on | off;
Default: autoindex_exact_size on;
Context: http, server, location
Syntax: autoindex_format html | xml | json | jsonp;
Default: autoindex_format html;
Context: http, server, location
Syntax: autoindex_localtime on | off;
Default: autoindex_localtime off;
Context: http, server, location
content concat

ngx_http_concat_module
Tengine(https://github.com/alibaba/nginx-http-concat)
--add-module=../nginx-http-concat/

uri ?? , ?
https://g.alicdn.com/??kissy/k/6.2.4/seed-min.js,kg/global-util/1.0.7/index-min.js,tb/tracker/4.3.5/index.js,kg/tb-nav/2.5.3/index-min.js,secdev/sufei_data/3.3.5/index.js
concat
concat on | off concat_delimiter string
default concat off Default NONE
Context http, server, location Context http, server, location

concat_types MIME types


Default concat_types: text/css application/x-javascript
Context http, server, location

concat_unique on | off concat_ignore_file_error on | off


Default concat_unique on Default off
Context http, server, location Context http, server, location

concat_max_files number
Default concat_max_files 10
Context http, server, location
11 char *ngx_module_names[] = {
……
"ngx_http_static_module",
realip postread "ngx_http_autoindex_module",
"ngx_http_index_module",
"ngx_http_random_index_module",
"ngx_http_mirror_module",
rewrite find_config rewrite "ngx_http_try_files_module",
"ngx_http_auth_request_module",
"ngx_http_auth_basic_module",
limit_req limit_conn preaccess "ngx_http_access_module",
"ngx_http_limit_conn_module",
"ngx_http_limit_req_module",
"ngx_http_realip_module",
access auth_basic auth_request access "ngx_http_referer_module",
"ngx_http_rewrite_module",
"ngx_http_concat_module",
try_files mirrors precontent ……
}

concat random_index index auto_index static content

log log
log log

HTTP ngx_http_log_module
access

Syntax: log_format name [escape=default|json|none] string ...;


Default: log_format combined "...";
Context: http

combined

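# Definition of the "combined" access-log format, shown for reference (nginx
# predefines this format). Each quoted piece is closed on its own line so that
# no line break ends up inside the format string.
# $request, $http_referer and $http_user_agent are written as the client sent
# them; the escape= parameter of log_format controls how special characters in
# them are escaped.
log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';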
access_log path [format [buffer=size] [gzip[=level]] [flush=time] [if=condition]];
Syntax:
access_log off;
Default: access_log logs/access.log combined;
Context: http, server, location, if in location, limit_except

Ø path cache
Ø if
Ø



• flush
• worker reopen
Ø

• buffer 64KB
• 1 1 9
open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time];
Syntax:
open_log_file_cache off;
Default: open_log_file_cache off;
Context: http, server, location

max LRU

inactive 10

min_uses inactive min_uses 1

valid valid 60

off
limit_req zone=req_one
HTTP
burst=120;
preaccess limit_req limit_conn limit_conn c_zone 1;

access access auth_basic


satisfy any;
content concat static allow 192.168.1.0/32;
auth_basic_user_file
header image_filter gzip
access.pass;
HTTP

body image_filter gzip gzip on;


image_filter resize 80 80;
HTTP
-

HTTP

copy_filter:

HTTP

postpone_filter:

HTTP

header_filter:
write_filter:
sub

ngx_http_sub_filter_module
Nginx
--with-http_sub_module
sub
Syntax: sub_filter string replacement;
Default: —
Context: http, server, location

Syntax: sub_filter_last_modified on | off;


Default: sub_filter_last_modified off;
Context: http, server, location

Syntax: sub_filter_once on | off;


Default: sub_filter_once on;
Context: http, server, location

Syntax: sub_filter_types mime-type ...;


Default: sub_filter_types text/html;
Context: http, server, location
addition

ngx_http_addition_filter_module
Nginx
--with-http_addition_module
url
addition

Syntax: add_before_body uri;


Default: —
Context: http, server, location

Syntax: add_after_body uri;


Default: —
Context: http, server, location

Syntax: addition_types mime-type ...;


Default: addition_types text/html;
Context: http, server, location
Nginx

Preconfiguration
http access

HTTP nginx.conf
HTTP 2
HTTP 3 2

TCP 3 2

Nginx 0 4 12

HTTP 3 2

Nginx 5
HTTP

arg_ URL

query_string args

args URL

is_args URL ?

content_length HTTP Content-Length

content_type Content-Type
HTTP

uri URI URL ?

document_uri uri

request_uri URL URI

scheme HTTP HTTPS

request_method GET POST

request_length

remote_user HTTP Basic Authentication


HTTP

request_body_file
Ø

• client_body_in_file_only

request_body

request
url GET /?a=1&b=22 HTTP/1.1
HTTP

Host
host

server_name
HTTP

• http_host
• http_user_agent
http_ • http_referer
• http_via
• http_x_forwarded_for
• http_cookie
TCP

binary_remote_addr IPv4 4 IPv6 16

connection

connection_requests keepalive

remote_addr

remote_port

proxy_protocol_addr proxy_protocol
TCP

proxy_protocol_port proxy_protocol

server_addr

server_port

TCP_INFO tcp $tcpinfo_rtt, $tcpinfo_rttvar,


$tcpinfo_snd_cwnd, $tcpinfo_rcv_space

server_protocol HTTP/1.1
Nginx
request_time

server_name

server_name

https

TLS/SSL on

request_completion

OK

request_id

16 id id 16
Nginx
request_filename

document_root

URI root/alias

realpath_root

document_root

limit_rate

set
HTTP

body_bytes_sent sent_http_
• body Ø
bytes_sent • sent_http_content_type
• sent_http_content_length
• http • sent_http_location
status • sent_http_last_modified
• sent_http_connection
• http • sent_http_keep_alive
sent_trailer_ • sent_http_transfer_encoding
• sent_http_cache_control
• • sent_http_link
Ø
Nginx

time_local 14/Nov/2018:15:55:37 +0800

time_iso8601 ISO 8601 2018-11-14T15:55:37+08:00

nginx_version Nginx

pid worker id

pipe p .

hostname hostname

hostname 1970 1 1
referer

Ø daro _ x Ø w _dahv a _
f l _ m
ro da
x_ i
l p x n_

Ø ro - Ø g ro
u te N
referer

Syntax: valid_referers none | blocked | server_names | string ...;


Default: —
Context: server, location

Syntax: referer_hash_bucket_size size;


Default: referer_hash_bucket_size 64;
Context: server, location

Syntax: referer_hash_max_size size;


Default: referer_hash_max_size 2048;
Context: server, location
valid_referers
referer

none • 1
• referer
blocked • 1
• referer
server_names
• referer server_name

URL
*
• referer

• referer
server_name referer.taohui.tech;

curl -H 'referer: http://www.taohui.org.cn/ttt' referer.taohui.tech/


location /{
curl -H 'referer: http://www.taohui.pub/ttt' referer.taohui.tech/
valid_referers none blocked server_names
*.taohui.pub www.taohui.org.cn/nginx/ curl -H 'referer: ' referer.taohui.tech/
~\.google\.; curl referer.taohui.tech/

curl -H 'referer: http://www.taohui.tech' referer.taohui.tech/


if ($invalid_referer) {
return 403; curl -H 'referer: http://referer.taohui.tech' referer.taohui.tech/
} curl -H 'referer: http://image.baidu.com/search/detail' referer.taohui.tech/
}
curl -H 'referer: http://image.google.com/search/detail' referer.taohui.tech/
secure_link

Ø nginx
url
• secure_link
Ø url nginx nginx
• secure_link_expires secure_link

Ø
Ø URL
Ø URL URL nginx
ngx_http_secure_link_module
Ø
nginx • HTTP URI
URL
--with-http_secure_link_module • IP URL
• URL

secure_link

Syntax: secure_link expression;


Default: —
Context: http, server, location

Syntax: secure_link_md5 expression;


Default: —
Context: http, server, location

Syntax: secure_link_secret word;


Default: —
Context: location
secure_link 0 URL

secure_link_expires
Ø
• /test1.txt?md5=md5 &expires= 2147483647
Ø md5
• echo -n ' URL IP ' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =

Nginx

Ø secure_link $arg_md5,$arg_expires;
Ø secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
URI 1

0 URL
/prefix/hash/link

2 Hash 3
• link md5

secure_link_secret secret;
URI

Ø
• link
Ø
• /prefix/md5/link
Ø md5
• echo -n 'linksecret' | openssl md5 -hex

Nginx

Ø secure_link_secret secret;
map

Syntax: map string $variable { ... }


Default: —
Context: http

Syntax: map_hash_bucket_size size;


Default: map_hash_bucket_size 32|64|128;
Context: http

Syntax: map_hash_max_size size;


Default: map_hash_max_size 2048;
Context: http
map

switch
ngx_http_map_module
{case: … default: …}
Nginx
--without-http_map_module
map

• • m
• o f n •
• n a c m

c m
• m f

• m h
• i
• e l • * n d
n
map $http_host $name {
hostnames;

default 0;
map
name ~map\.tao\w+\.org.cn 1;
*.taohui.org.cn 2;
• 'Host: map.taohui.org.cn’
map.taohui.tech 3;
• 'Host: map.tao123.org.cn’ map.taohui.* 4;
}
• 'Host: map.taohui.pub’
map $http_user_agent $mobile {
• 'Host: map.taohui.tech’
default 0;
"~Opera Mini" 1;
}
AB split_clients

ngx_http_split_clients_ Ø MurmurHash2
32 hash
module Ø 32 2^32-1
Nginx --without- max
Ø hash/max
http_split_clients_module percent
Ø
0-1%,1%-5%
Ø percent

case
• • xx.xx% 2 100%

• * 100%

split_clients
Syntax: split_clients string $variable { ... }
Default: —
Context: http

# Assigns each request to a variant by hashing the value of the "testcli"
# request header and comparing it with the percentage ranges below.
# NOTE(review): the listed percentages add up to 111.01%, and nginx refuses a
# split_clients block whose total is above 100% — confirm the intended values.
# The key is a client-supplied header, so a client can choose its own bucket;
# that is fine for a demo, but not for anything the variant is meant to gate.
split_clients "${http_testcli}" $variant {


0.51% .one;
20.0% .two;
50.5% .three;
40% .four;
# "*" catches whatever share is left over.
* "";
}
geo

Syntax: geo [$address] $variable { ... }


Default: —
Context: http

-
-
geo

Ø geo $address $remote_addr IP


Ø
• IP IP IP

• default
• proxy realip remote_addr X-
Forwarded-For IP
• proxy_recursive
• include
• delete
geo
geo $country {
default ZZ; country
proxy
#include conf/geo.conf;
Ø curl -H 'X-Forwarded-For: 10.1.0.0,127.0.0.2'
proxy 116.62.160.193;
geo.taohui.tech
Ø curl -H 'X-Forwarded-For: 10.1.0.0,127.0.0.1'
127.0.0.0/24 US;
geo.taohui.tech
127.0.0.1/32 RU; Ø curl -H 'X-Forwarded-For:
10.1.0.0/16 RU; 10.1.0.0,127.0.0.1,1.2.3.4' geo.taohui.tech
192.168.1.0/24 UK;
}
MaxMind geoip

Ø MaxMind geoip C
IP
https://dev.maxmind.com/geoip/legacy/downloadable/
Ø nginx --with-
http_geoip_module
Ø MaxMind
Ø geoip_country geoip_city
ngx_http_geoip_module
nginx.conf
nginx
Ø nginx
--with-http_geoip_module
geoip_country

Syntax: geoip_country file; Ø $geoip_country_code


Default: — • CN US
Context: http Ø $geoip_country_code3
• CHN
Syntax: geoip_proxy address | CIDR;
USA
Default: —
Context: http Ø $geoip_country_name
• "China", "United States".
geoip_city

Syntax: geoip_city file;


Default: —
Context: http
geoip_city
Ø $geoip_latitude
Ø $geoip_longitude
Ø $geoip_city_continent_code EU AS
Ø geoip_country
• $geoip_city_country_code CN US
• $geoip_city_country_code3 CHN USA
• $geoip_city_country_name China , United States
Ø $geoip_region 02
Ø $geoip_region_name Zhejiang Saint Petersburg
Ø $geoip_city
Ø $geoip_postal_code
Ø $geoip_area_code 408
Ø $geoip_dma_code DMA 807
keepalive

Ø Connection close
HTTP TCP
keepalive



Ø Keep-Alive timeout=n
n
• TCP
n
keepalive

Syntax: keepalive_disable none | browser ...;


Default: keepalive_disable msie6;
Context: http, server, location

Syntax: keepalive_requests number;


Default: keepalive_requests 100;
Context: http, server, location
Syntax: keepalive_timeout timeout [header_timeout];
Default: keepalive_timeout 75s;
Context: http, server, location
/
