遇到的问题
大型网站都要面对庞大的用户量,高并发,海量数据等挑战。为了提升系统整体的性能,可以采用垂直扩展和水平扩展两种方式。
垂直扩展:在网站发展早期,可以从单机的角度通过增加硬件处理能力,比如 CPU 处理能力,内存容量,磁盘等方面,实现服务器处理能力的提升。但是,单机是有性能瓶颈的,一旦触及瓶颈,再想提升,付出的成本和代价会极高。这显然不能满足大型分布式系统(网站)所有应对的大流量,高并发,海量数据等挑战。
水平扩展:通过集群来分担大型网站的流量。集群中的应用服务器(节点)通常被设计成无状态,用户可以请求任何一个节点,这些节点共同分担访问压力。水平扩展有两个要点:
应用集群:将同一应用部署到多台机器上,组成处理集群,接收负载均衡设备分发的请求,进行处理,并返回相应数据。
负载均衡:将用户访问请求,通过某种算法,分发到集群中的节点。
什么是负载均衡
负载均衡(Load Balance,简称 LB)是高并发、高可用系统必不可少的关键组件,目标是 尽力将网络流量平均分发到多个服务器上,以提高系统整体的响应速度和可用性。
负载均衡的主要作用如下
高并发:负载均衡通过算法调整负载,尽力均匀的分配应用集群中各节点的工作量,以此提高应用集群的并发处理能力(吞吐量)。
伸缩性:添加或减少服务器数量,然后由负载均衡进行分发控制。这使得应用集群具备伸缩性。
高可用:负载均衡器可以监控候选服务器,当服务器不可用时,自动跳过,将请求分发给可用的服务器。这使得应用集群具备高可用的特性。
安全防护:有些负载均衡软件或硬件提供了安全性功能,如:黑白名单处理、防火墙,防 DDos 攻击等。
负载均衡分为两类:硬件负载均衡、软件负载均衡
硬件负载均衡的 优点:
功能强大:支持全局负载均衡并提供较全面的、复杂的负载均衡算法。
性能强悍:硬件负载均衡由于是在专用处理器上运行,因此吞吐量大,可支持单机百万以上的并发。
安全性高:往往具备防火墙,防 DDos 攻击等安全功能。
硬件负载均衡
硬件负载均衡,一般是在定制处理器上运行的独立负载均衡服务器,价格昂贵,土豪专属。硬件负载均衡的主流产品有:F5 和 A10。
硬件负载均衡的 缺点:
成本昂贵:购买和维护硬件负载均衡的成本都很高。
扩展性差:当访问量突增时,超过限度不能动态扩容。
软件负载均衡
软件负载均衡,应用最广泛,无论大公司还是小公司都会使用。
软件负载均衡从软件层面实现负载均衡,一般可以在任何标准物理设备上运行。
软件负载均衡的 主流产品 有:Nginx、HAProxy、LVS。
LVS 可以作为四层负载均衡器。其负载均衡的性能要优于 Nginx。
HAProxy 可以作为 HTTP 和 TCP 负载均衡器。
Nginx、HAProxy 可以作为四层或七层负载均衡器
实验机器
server端 test3 192.168.23.103 server端 test1 192.168.23.101 代理端 test2 192.168.23.102 win客户端 本机window系统
nginx负载均衡
官网
https://nginx.org/en/docs/http/ngx_http_upstream_module.html
首先三台机器都要先安装nginx
[ root@test3 ~]
[ root@test2 ~]
[ root@test1 ~]
搭建实验数据
[ root@test3 ~]
[ root@test3 ~]
[ root@test1 ~]
[ root@test1 ~]
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
此时访问他就以轮询的方式展出
[ root@test2 ~]
this is test1
[ root@test2 ~]
this is test3
[ root@test2 ~]
this is test1
[ root@test2 ~]
this is test3
如果test3和test1做了wordpress博客,并且test3和test1中的wordpress配置name_server 都是 www.wordpress.com 那么在代理端加上请求头和http1.1就可以以轮询的方式访问test3和test1的wordpress
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
upstream test {
server 192.168 .23.103;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://test;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
地址池也可以相互调用,因为upstream都是一样的,那么写一个就可以了,但是前提是俩proxy_pass 要和upstream 后面要保持一致
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
如果两台nginx挂了其中一个没有问题
负载均衡默认机制,后端nginx挂了,不会访问,但是后端php-fpm挂了,他还会继续访问
但是php-fpm挂了,那怎么办?php-fpm是连接后端数据库的,会报502bad gateway
但nginx会轮询到502这一台机器上 用户会看到502这个报错,如果看到这个报错那还得了
解决
只要后端挂掉了,我就不能再让你访问这台了,虽然你nginx是正常的,但是也不能让你访问,因为已经无法给用户提供给= 服务了
在对应的localion中加上这一个参数,意思是只要遇到500,502,503,504就让他他自动的next,让他访问下一个
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
用这个的问题是,如果是真有问题的话,你发现不了,用户是没有任何感知的,比如说有9台服务器,挂了5台,用户只会用着非常的卡,建议先注释,有问题无法快速解决的时候才用
nginx负载均衡调度算法
轮询 按时间顺序逐一分配到不同的后端服务器(默认) 也叫rr轮询 weight 加权轮询,weight值越大,分配到的访问几率越高 ip_hash 每个请求按访问IP的hash结果分配,这样来自同一IP的固定访问一个后端服务器 url_hash 按照访问URL的hash结果来分配请求,是每个URL定向到同一个后端服务器 least_conn 最少链接数,那个机器链接数少就分发
面试题
1 .如何实现负载均衡
2 .负载均衡的调度算法
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103 weight = 5 ;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
[ root@test2 ~]
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[ root@test2 ~]
此时用浏览器访问,就是test3访问5次,test1访问1次
iphash
[ root@test2 ~]
upstream web-pool {
ip_hash;
server 192.168 .23.103;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
[ root@test2 ~]
this is test3
[ root@test2 ~]
this is test3
[ root@test2 ~]
this is test3
[ root@test2 ~]
this is test3
只要你第一次访问那个服务器,后面访问的一直是这个
劣势:会导致负载均衡不均衡
优势:可以解决session会话的问题
session就是把自己的用户名和密码保存到客户端,下次在登录的时候,我们回去验证这个保存的东西,
nginx负载均衡后端服务器的状态
状态 概述 down 当前的server暂时不参与负载均衡 backup 预留的备份服务器 max_fails 允许请求失败的次数 fail_timeout 经过max_fails失败后, 服务暂停时间 max_conns 限制最大的接收连接数
测试down 服务器 不参与请求
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103 down;
server 192.168 .23.101;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
[ root@test2 ~]
this is test1
[ root@test2 ~]
this is test1
[ root@test2 ~]
this is test1
测试backup
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103;
server 192.168 .23.100;
server 192.168 .23.101 backup;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
当 192.168 .23.100 192.168 .23.103 全部都挂了之后 backup才参与调度‘
[ root@test2 ~]
[ root@test2 ~]
this is test3
[ root@test2 ~]
this is test3
此时把test3的nginx停了,在测试
[ root@test2 ~]
this is test1
[ root@test2 ~]
this is test1
nginx编译安装
什么情况下会用到编译安装呢
当yum安装或者二进制安装的版本不满足你的需求,或者当yum安装或者二进制安装没有你需要的模块,此时需要用到编译安装,也可以只能安装位置
现在的需求是想加一个nginx负载均衡健康检查模块 nginx_upstream_check_module
[ root@test2 ~]
upstream web-pool {
server 192.168 .23.103:80 max_fails = 2 fail_timeout = 10s;
server 192.168 .23.101:80 max_fails = 2 fail_timeout = 10s;
check interval = 3000 rise = 2 fall = 3 timeout = 1000 type = http;
}
server {
listen 80 ;
server_name _;
location / {
proxy_pass http://web-pool;
}
location /upstream_check {
check_status;
}
}
server {
listen 80 ;
server_name www.wordpress.com;
location / {
proxy_pass http://web-pool;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
proxy_http_version 1.1 ;
}
}
[ root@test2 ~]
nginx: [ emerg] unknown directive "check_status" in /etc/nginx/conf.d/1.conf:24
nginx: configuration file /etc/nginx/nginx.conf test failed
访问 192.168 .23.102/upstream_check ,监控后端服务器的一个工作情况
编译安装,解决一些依赖
yum install -y gcc glibc gcc-c++ pcre-devel openssl-devel patch
下载nginx的源码包和第三方的依赖
wget http://nginx.org/download/nginx-1.22.1.tar.gz
wget https://github.com/yaoweibin/nginx_upstream_check_module/archive/master.zip
解压
unzip maaster.zip
创建一个专门用于存放nginx模块的目录
mkdir /root/nginx_module
[ root@test2 ~]
./configure --prefix= /opt/nginx --sbin-path= /usr/sbin/nginx --modules-path= /usr/lib64/nginx/modules --conf-path= /etc/nginx/nginx.conf --error-log-path= /var/log/nginx/error.log --http-log-path= /var/log/nginx/access.log --http-client-body-temp-path= /var/lib/nginx/tmp/client_body --http-proxy-temp-path= /var/lib/nginx/tmp/proxy --http-fastcgi-temp-path= /var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path= /var/lib/nginx/tmp/uwsgi --http-scgi-temp-path= /var/lib/nginx/tmp/scgi --pid-path= /run/nginx.pid --lock-path= /run/lock/subsys/nginx --user= nginx --group= nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module= dynamic --with-http_mp4_module --with-http_perl_module= dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module= dynamic --with-mail= dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream= dynamic --with-stream_ssl_module --add-module= /root/nginx_module/nginx_upstream_check_module/ --with-stream_ssl_preread_module --with-threads --with-cc-opt= '-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt= '-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
checking for --with-ld-opt= "-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E" .. . not found
./configure: error: the invalid value in --with-ld-opt= "-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E"
[ root@test2 nginx-1.20.1]
重新编译即可
报
./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.
yum install libxslt* -y
yum install libxml* -y
或者
yum -y install libxml2 libxml2-devel libxslt-devel
报
./configure: error: the Google perftools module requires the Google perftools
library. You can either do not enable the module or install the library.
解决
yum -y install gperftools
报
./configure: error: perl module ExtUtils::Embed is required
yum -y install perl-devel perl-ExtUtils-Embed
报
./configure: error: the GeoIP module requires the GeoIP library.
You can either do not enable the module or install the library
yum -y install GeoIP GeoIP-devel GeoIP-data
此时编译完成
nginx path prefix: "/opt/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib64/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/lib/nginx/tmp/client_body"
nginx http proxy temporary files: "/var/lib/nginx/tmp/proxy"
nginx http fastcgi temporary files: "/var/lib/nginx/tmp/fastcgi"
nginx http uwsgi temporary files: "/var/lib/nginx/tmp/uwsgi"
nginx http scgi temporary files: "/var/lib/nginx/tmp/scgi"
[ root@test2 nginx-1.20.1]
make: *** No rule to make target ` build', needed by ` default'. Stop.
再次安装依赖
[root@test2 nginx-1.20.1]# yum -y install make zlib-devel gcc-c++ libtool openssl openssl-devel
再次执行make && make install
cd /root/nginx-1.20.1/objs/
指定一下配置文件
[root@test2 objs]# ./nginx -c /etc/nginx/nginx.conf
重启nginx,访问发现报500
日志报
2024/09/06 21:38:09 [error] 38965#38965: *14 http upstream check module can not find any check server, make sure you' ve added the check servers, client: 192.168 .23.1, server: 192.168 .23.102, request: "GET /upstream_check HTTP/1.1" , host: "192.168.23.102"
解决
给nginx打补丁(根据nginx版本号选择补丁包)
[ root@test2 nginx-1.20.1]
patching file src/http/modules/ngx_http_upstream_hash_module.c
patching file src/http/modules/ngx_http_upstream_ip_hash_module.c
patching file src/http/modules/ngx_http_upstream_least_conn_module.c
patching file src/http/ngx_http_upstream_round_robin.c
patching file src/http/ngx_http_upstream_round_robin.h
在重新编译安装一下nginx即可
nginx 常用模块
nginx如何显示这样的界面
1 .配置 index 索引列表
[ root@test3 conf.d]
server {
listen 80 ;
server_name 192.168 .23.102;
location / {
root /code/index;
autoindex on;
}
}
创建代码目录
[ root@test3 conf.d]
[ root@test3 conf.d]
[ root@test3 conf.d]
[ root@test3 conf.d]
重启nginx
[ root@test3 conf.d]
做hosts解析,浏览器访问
此时创建一个长的文件名,他就会乱码,中文乱码
[ root@test3 conf.d]
解决乱码
[ root@test3 conf.d]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
location / {
root /code/index;
autoindex on;
}
}
此时乱码的问题解决了,接下来就是时间,时间不对
[ root@test3 ~]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
}
}
限速
[ root@test3 ~]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M; 下载的时候前2M不限速
limit_rate 50k; 2M之后只允许50k的下载速度,也可以不用上面那个,让他全部都50k下载
}
}
nginx状态监控模块
http_stub_status nginx默认就有的
[ root@test3 ~]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
}
}
nginx访问控制
[ root@test3 ~]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
allow 192.168 .23.102;
deny all;
}
}
[ root@test3 ~]
[ root@test3 ~]
< html>
< head> < title> 403 Forbidden< /title> < /head>
< body>
< center> < h1 >403 Forbidden< /h1 >< /center>
< hr> < center> nginx/1.20.1 < /center>
< /body>
< /html>
基于用户登录的认证方式
ngx_http_auth_basic_module
[ root@test3 ~]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
手动生成密码
[ root@test3 ~]
[ root@test3 ~]
Adding password for user root
-c 创建新文件
-b 运行命令行输入密码
重启nginx
此时日志里面的远程用户就可有了 $remote_user
nginx访问限制
在企业中经常遇到这种情况,服务器流量异常,负载过大等等,对于大流量恶意的攻击访问,会带来带宽的浪费,服务器压力,影响业务,往往考虑对同一个ip连接数,请求数,进行限制 ngx_http_limit_conn_module
模块可以根据定义的key来限制每个键值的连接数,如同一个IP来源的连接数 limit_conn_module
连接频率限制 limit_req_module
请求频率限制
语法:
连接数
Syntax: limit_conn_zone key zone = name:size;
Default: —
Context: http
请求数
Syntax: limit_conn zone number;
Default: —
Context: http, server, location
[ root@test3 ~]
http {
limit_conn_zone $remote_addr zone = conn_zone:10M;
[ root@test3 ~]
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
limit_conn conn_zone 1 ;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
[ root@test3 ~]
limit_conn_zone $remote_addr zone = conn_zone:10M;
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
limit_conn conn_zone 1 ;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
[ root@test3 ~]
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[ root@test3 ~]
[ root@test3 ~]
limit_conn_zone $remote_addr zone = conn_zone:10M;
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
limit_conn conn_zone 100 ;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
[ root@test3 ~]
limit_conn_zone $remote_addr zone = conn_zone:10M;
limit_req_zone $binary_remote_addr zone = one:10m rate = 1r/s;
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
limit_conn conn_zone 100 ;
limit_req zone = one burst = 5 ;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
[ root@test3 ~]
limit_conn_zone $remote_addr zone = conn_zone:10M;
limit_req_zone $binary_remote_addr zone = one:10m rate = 1r/s;
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
limit_conn conn_zone 100 ;
limit_req zone = one burst = 5 nodelay;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
如果觉得网页报503不好看,可以把他定向到一个页面
[ root@test3 code]
limit_conn_zone $remote_addr zone = conn_zone:10M;
limit_req_zone $binary_remote_addr zone = one:10m rate = 1r/s;
server {
listen 80 ;
server_name 192.168 .23.102;
charset utf-8,gbk;
limit_conn conn_zone 100 ;
limit_req zone = one burst = 5 nodelay;
limit_req_status 404 ;
error_page 404 403 /error.html;
location / {
root /code/index;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
limit_rate_after 2M;
limit_rate 50k;
}
location /nginx_stub {
stub_status;
auth_basic "welcome my website" ;
auth_basic_user_file conf/htpasswd;
}
}
[ root@test3 ~]
< img style = 'width:100%;higth:100%;' src = /error.png>
location匹配规则
使用nginx location 可以控制访问网站的路径,但一个 sevrer 可以有多个location ,那多个location 的优先级该如何区分呢
通配符 匹配规则 优先级 = 精确匹配 1 ^~ 以某个字符串开头 2 ~ 区分大小写的正则匹配 3 ~* 不区分大小写的正则匹配 4 / 通用匹配。任何请求都会匹配 5
[ root@test3 ~]
server {
listen 192.168 .23.103;
default_type test/html;
location = / {
return 200 "configuration A" ;
}
location / {
return 200 "configuration B" ;
}
location /documents/ {
return 200 "configuration C" ;
}
location ^~ /images/ {
return 200 "configuration D" ;
}
location ~* \ .( gif| jpg| jpeg) $ {
return 200 "configuration E" ;
}
}
[ root@test3 ~]
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[ root@test3 ~]
测试结果
[ root@test3 ~]
configuration A[ root@test3 ~]
configuration A[ root@test3 ~]
configuration C[ root@test3 ~]
configuration B[ root@test3 ~]
configuration D[ root@test3 ~]
configuration B[ root@test3 ~]
configuration B[ root@test3 ~]
configuration B[ root@test3 ~]
configuration E
nginx四层负载
四层负载均衡是基于传输层协议来封装的(如tcp/ip),那我们前面使用到的七层是指应用层,他的组装在四层的基础之上,无论四层还是七层都是指os网络模型
四层负载均衡的应用场景
1 .四层+七层来做负载均衡,四层可以保证七层的负载均衡的高可用性:如nginx就算无法保证自己服务高可用,需要依赖lvs或者keepalive
2 .如:tcp协议的负载均衡,有写请求是tcp协议的(mysql,ssh),或者说有些请求只需要使用四层进行端口转发就可以了,所以使用四层负载均衡
四层负载总结
1 .仅能转发tcp/ip协议、udp协议,通常用来转发端口,如:tcp/22,udp/53
2 .四层负载可以用来解决七层负载端口限制问题(七层负载最大使用65535个端口)
3 .四层负载可以解决七层负载高可用的问题(多台后端七层负载均衡能同时的使用)
4 .四层负载转发效率比七层高得多,但仅支持tcp/ip协议,不支持https和http协议
5 .通常大并发场景通常会选择使用七层负载前面增加四层负载
创建四层负载均衡配置文件的目录
vim /etc/nginx/nginx.conf
events {
.. ..
}
include /etc/nginx/conf.c/*.conf
http {
.. .. .
}
mkdir /etc/nginx/conf.c
1 .安装部署nginx
yum install nginx -y
2 .配置nginx四层负载,xshell远程连接192.168.23.102的2222 端口 看看是不是连接到 192.168 .23.103:22,端口的四层转发
[ root@test3 conf.d]
stream {
upstream web01 {
server 192.168 .23.102:22;
}
server {
listen 2222 ;
proxy_pass web01;
}
}
[ root@test3 conf.d]
The authenticity of host '[192.168.23.103]:2222 ([192.168.23.103]:2222)' can't be established.
ECDSA key fingerprint is SHA256:KL0Kxcu2FE2TN12tjh7xHD4F5aj3QCk0ibsZbEd6fOU.
ECDSA key fingerprint is MD5:75:05:fa:a3:0e:e5:da:86:92:12:20:3c:a1:11:24:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ' [ 192.168 .23.103] :2222' ( ECDSA) to the list of known hosts.
Last login: Sun Oct 6 06:22:44 2024 from 192.168 .23.1
[ root@test2 ~]
stream {
upstream web01 {
server 192.168 .23.102:80;
}
server {
listen 2222 ;
proxy_pass web01;
}
}