我要评论1.1 软硬件要求
- linux服务器:redhat 6+ 或 centos 6+,编码 utf-8。
1.2 部署前服务器配置调优
关闭selinux:
修改 /etc/selinux/config 文件中的 selinux 参数值为 disabled。
关闭防火墙:
chkconfig iptables off service iptables stop
修改hostname:
修改 /etc/hosts 文件,添加服务器真实 ip 和 hostname。
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 192.168.1.100 oss-103
修改用户进程可打开文件数限制:
修改 /etc/security/limits.conf 文件,添加:
* soft nproc 65536 * hard nproc 65536 * soft nofile 65536 * hard nofile 65536
修改 /etc/security/limits.d/90-nproc.conf 文件,注释掉:
* soft nproc 1024
修改 /etc/pam.d/login 文件,添加:
session required pam_limits.so
重启 ssh 服务:
service sshd restart
linux服务器时间同步:
- 查看时间:
date - 手动修改时间:
date –s “2015-5-8 19:48:00” - 自动更新时间:
ntpdate -u us.pool.ntp.org
1.3 nginx+keepalived部署
1.3.1 nginx部署
安装约定
- 使用普通用户
aiuap安装。 - 确认服务器已安装 c 环境。
安装过程
上传
nginx-1.8.0.tar.gz到aiuap目录下。创建
nginx文件目录:cd /opt mkdir nginx cd /home/aiuap
将
nginx安装包移动到tmp目录下,进行解压:mv nginx-1.8.0.tar.gz /tmp cd /tmp tar zxvf nginx-1.8.0.tar.gz
安装
nginx:cd nginx-1.8.0 ./configure --prefix=/home/csss/nginx
注意:可能需要安装
pcre-devel和zlib-devel库。编译安装:
make make install
nginx配置
查看 nginx 安装目录:
cd /home/nginx ls
修改 nginx 配置文件 nginx.conf:
vi conf/nginx.conf
配置内容(示例):
worker_processes 24;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream xxxx{
ip_hash;
server 192.168.1.101:8088 weight=1;
}
server {
listen 8099;
server_name localhost;
location / {
root html;
proxy_set_header host $host:$server_port;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_ignore_headers x-accel-expires expires cache-control set-cookie;
proxy_pass http://xxxx/;
}
}
upstream csss {
ip_hash;
server 192.168.1.102:8080 weight=1;
}
server {
listen 9000;
server_name 192.168.1.102;
location / {
root html;
index index.html index.htm;
proxy_pass http://xxxx/;
}
}
}
1.3.2 nginx+keepalived实现双机热备
- 准备一个浮动 ip(如:
192.168.1.200)。 - 配置备
nginx与主nginx相同。 - 安装
keepalived。
安装keepalived
安装依赖库:
yum -y install openssl-devel yum -y install ipvsadm yum -y install libnl libnl-devel yum -y install popt-devel
创建
keepalived安装目录:mkdir /home/keepalived
解压安装包并安装:
tar -zxvf keepalived-1.2.2.tar.gz cd keepalived-1.2.2 ./configure --prefix=/home/test/keepalived make makeinstall
建立软连接:
ln -s /home/test/keepalived/sbin/keepalived /sbin/ ln -s /home/test/keepalived/etc/sysconfig/keepalived /etc/sysconfig/ mkdir /etc/keepalived ln -s /home/test/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/
配置
keepalived:- 主服务器配置:
vi /home/test/keepalived/etc/keepalived/keepalived.conf
- 备服务器配置:
vi /home/keepalived/etc/keepalived/keepalived.conf
- 主服务器配置:
创建脚本
chk_nginx_pid.sh并赋予执行权限:chmod +x /home/test/keepalived/chk_nginx_pid.sh
启动
keepalived:- rhel 7 以下:
keepalived -d -f /home/test/keepalived/etc/keepalived/keepalived.conf
- rhel 7 以上:
systemctl start keepalived.service
- rhel 7 以下:
停止
keepalived:- rhel 7 以下:
service keepalived stop
- rhel 7 以上:
systemctl stop keepalived.service
- rhel 7 以下:
1.3.3 启动和停止nginx
启动 nginx:
/home/nginx/sbin/nginx
停止 nginx:
从容停止:
kill -quit `cat /home/nginx/logs/nginx.pid`
快速停止:
kill -term `cat /home/nginx/logs/nginx.pid`
强制停止:
kill -9 `cat /home/nginx/logs/nginx.pid`
平滑重启:
kill -hup `cat /home/nginx/logs/nginx.pid`
1.4 使用和维护
- 日志位置:
<nginx安装目录>/logs/access.log - 双机状态查看:
ip addr show bond0
1.5 在已经安装的nginx上增加ssl模块
检查 nginx 版本和模块:
/usr/local/nginx/sbin/nginx -v
下载并配置 nginx 源码:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
编译但不安装:
make
停止 nginx 并替换二进制文件:
kill -quit `cat /usr/local/nginx/logs/nginx.pid` cp ~/download/nginx-1.10.3/objs/nginx /usr/local/nginx/sbin/
验证模块:
/usr/local/nginx/sbin/nginx -v
修改
nginx.conf文件以支持 ssl。
1.6 配置示例
ssl 配置:
server {
server_name example.com;
listen 443 ssl;
ssl_certificate /usr/local/nginx/conf/example.com_server.txt;
ssl_certificate_key /usr/local/nginx/conf/example.com_private.txt;
location / {
# 配置内容
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 80;
server_name example.com;
rewrite ^(.*)$ https://example.com$1 permanent;
}
以上是对 keepalived+nginx 双机配置的详细指南,包括安装、配置、启动、停止和维护等步骤
1.6 nginx基线配置
1.6.1 检查是否隐藏nginx版本信息
server_tokens off;
1.6.2 检查是否配置日志
修改 nginx.conf 文件
error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
error_log logs/error.log error;
1.6.3 检查是否控制超时时间
修改 nginx.conf 文件
client_body_timeout 20s; # 设置客户端请求主体读取超时时间 client_header_timeout 10s; # 设置客户端请求头读取超时时间 send_timeout 30s; # 服务端向客户端传输数据的超时时间
1.6.4 检查是否限制客户端下载速度
修改 nginx.conf 文件
limit_conn_zone $binary_remote_addr zone=addr:10m; # 添加该行 limit_conn addr 50; # 每个客户端允许50个线程。 limit_rate 1000k; # 每个线程最大下载速度1000k
1.6.5 检查是否自定义nginx返回的错误信息
修改 nginx 配置文件
error_page 400 401 402 403 404 405 408 410 412 413 414 415 500 501 502 503 504 506 /50x.html;
location = /50x.html {
root html;
}
1.6.6 检查是否配置防盗链设置
location ~* ^.+\.(aa|bb|cc)$ {
valid_referers none blocked 127.0.0.1;
if ($invalid_referer) {
return 403;
}
}
1.6.7 检查是否限制ip访问
deny 1.1.1.1; allow all;
1.7 完整样例配置
worker_processes 4;
error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
error_log logs/error.log error;
client_body_timeout 20s;
client_header_timeout 10s;
send_timeout 30s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
sendfile on;
keepalive_timeout 65;
server_tokens off;
upstream xxxx {
ip_hash;
server 192.168.107.2:7001 weight=10;
server 192.168.107.3:7001 weight=10;
}
server {
listen 8080 default;
server_name _;
location / {
return 403;
}
}
server {
listen 8080;
server_name 192.168.107.2 192.168.107.4;
add_header set-cookie "httponly=true";
set $flag 0;
if ( $host != '192.168.107.2' ) {
set $flag 1;
}
if ( $host != '192.168.107.4' ) {
set $flag $flag+1;
}
if ( $flag = 3 ) {
return 403;
}
location / {
root html;
proxy_set_header host $host:$server_port;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_ignore_headers x-accel-expires expires cache-control set-cookie;
proxy_pass http://xxxx/;
limit_conn addr 50;
limit_rate 1000k;
deny 1.1.1.1;
allow all;
}
location ~* ^.+\.(aa|bb|cc)$ {
valid_referers none blocked 127.0.0.1;
if ($invalid_referer) {
return 403;
}
}
error_page 400 401 402 403 404 405 408 410 412 413 414 415 500 501 502 503 504 506 /50x.html;
location = /50x.html {
root html;
}
}
}
以上是 nginx 的基线配置指南,包括隐藏版本信息、配置日志、控制超时时间、限制客户端下载速度、自定义错误信息、配置防盗链设置和限制 ip 访问等。
到此这篇关于keepalived+nginx双机配置小结的文章就介绍到这了,更多相关keepalived nginx双机配置内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论