GhaSShee

Nginx

# examples of Server * http server * ftp server * smtp server * dns server * upperCase server (* return received ascii code converting into UpperCase *)

# History * apache HTTP server 1995~ * IIS (microsft) * google server * iPlanet (old : sun java system web server) * Zeus * lighttpd * Nginx (2009~, 3rd share(2011)) * ENS (2017~)

# Role of Server 1. data broadcasting 2. application execution ``` input -> dynamically -> output old days : web server + CGI(Common Gateway Interface) now : web server future : web3 (ENS ... ) ``` 3. proxy processing

# Apache * developped by `c++/c` * LAMP(Linux + Apache + MySQL + Perl/PHP/(Python?)) * v1.3 --- multi thread ---->v2.0 (2000) * task processing : multi processing * parallerization : multi processing # Nginx * developped by `c` * concurrent programming * light * 1.5~2.0x faster than Apache * task processing : single processing * parallerization : event driven

## Non-Blocking & No-Sync ## configuration add below into nginx.conf ``` http { ... ... server { location /{ root /var/www/html; } location ~ /¥. { deny all; } } } ```

## CGI not recommended on nginx ## SSI ``` ``` this is SSI built in html ``` ``` exec not supported on nginx SSI -> javascript/on client : preferred SSI example : ``` ```

# SECURITY ``` $ htpasswd -c /path/to/htpasswd sduser New password: input password Re-type new password: input password Adding password for user sduser ``` ## Basic 認証 Apache Directory regulation ``` Order Allow,Deny Allow from 192.168.0.0/24 127.0.0.1 Deny from All AuthType Basic AuthName "Secret Page" AuthUserFile /etc/to/.htpasswd Require valid-user Satisfy Any ``` Nginx ``` location /secret_html { root /path/to/secret_html allow 192.168.0.1/24; allow 127.0.0.1; deny all; auth_basic "Secret Page"; auth_basic_user_file /etc/to/.htpasswd; satisfy any; } ``` ## Digest 認証 Apache ``` AuthType Digest AuthName "Secret Pages" AuthDigestDomain /secret_diges/ AuthUserFile /etc/to/.digest_pw Require valid-user ``` Nginx ``` auth_digest_user_file /etc/to/.digest_pw location /private{ auth_digest 'secret Pages' } ``` @ Nginx not supported : external DB 認証

# mod_rewrite * mod_rewrite : Apache の黒魔術 ## mod_rewrite conditional http redirect configuration e.g. ``` RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ RewriteCond %{HTTP:X-Forwarded-HTTPS} !^on$ [NC] RewriteRule ^(.+)$ http://ghasshee.com/$1 [R] ``` ## nginx alternatives ``` if ($request_method ~ '^(GET|HEAD)$') { set $redirecthttps "tr"; } if ($http_x_forwarded_http !~* 'on' ) { set $redirecthttps "${redirecthttp}ue"; } if ( $redirecthttps = "true" ) { rewrite /(.+)$ https://ghasshee.com/$1 redirect; } ```
# MODULE ADD #Apache you can add your dinamic module ``` sudo apxs -c -i your_module.c ``` @Nginx you have to compile with --add-module option ``` tar zxf ngx_http_upstream_consistent_hash.tar.gz tar zxf nginx-1.6.0.tar.gz cd nginx-1.6.0 $ ./configure --with-http_stub_status_module ¥ --add-module="../ngx_http_upstream_consistent_hash" $ make ```

#Reverse Proxy Server ==> Port:80 Nginx(proxy) Port:8080 ==> Apache(web) @apache httpd.conf ``` ... #Listen 12.34.56.78:80 #Listen 80 Listen 127.0.0.1:8080 ... ``` @Nginx /etc/nginx/nginx.conf ``` http{ ... ## set cache dir proxy_pass_path /var/cache/nginx/cache/ levels=1:2 keys_zone=cache_zone:40m inactive=7d max_size=100m; ## set temp_file dir proxy_temp_path /var/cache/nginx/temp/; include /etc/nginx/conf.d/*.conf; #include /etc/nginx/sites-available/*.conf; //comment-out } ``` /etc/nginx/conf.d/proxy.conf ``` server { #if #80 port access then moves listen 80; location / { proxy_pass http://127.0.0.1:8080; ## 80 --pass--> local:8080 proxy_http_version 1.1; ## version of http at the pass ## pass header information with below proxy_set_header Host $host:$server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ; proxy_set_header X-Forwarded_Proto http; ## define the name of cache zone kept proxy_cache cache_zone; ## Cache-Keeping-Time when Web Page returns 0 proxy_cache_valid 200 302 20m ## Cache-keeping-Time when Web Page returns ERROR proxy_cache_valid 404 20m } } ```

# Nginx に引っ越し # /etc/hosts ``` #/etc/hosts 203.0.113.16 web.nginx.example.com ``` @ curl , without `/etc/hosts`, the code has the same action with the `/etc/hosts` alias ``` curl -v-H "Host: web.nginx.example.com" http://203.0.113.16/contents/article1 ```

# server_name in case one nginx - several servers, you have to designate `server_name` ``` Perfect Match : app.nginx.le.com Wild Card : *.nginx.example.com app.nginx.* Regular Expression : ~^app\d*\,nginx\.example\.com$ ```

# location ``` location /path/content {A}　 ## Longest Match location = /path/content2 {B} ## Perfect Match location ^~ /path/content3 {C} ## Longest Match (Priority) location ~ /path/content[0-9] {D} ## Regular Expression Match location ~* /path/content[0-9] {E} ## Regular Expression Match (no distinction between Big character & small character) ``` access e.g. ``` /path/content2 -> B /path/content9 -> D /path/CONTENT4 -> E /path/content30 -> C /path/content -> A /path/content_x -> A ```

# e.g. location /etc/nginx/nginx.conf ``` server { ... location = / { root /var/www/html; index index.html } location /pub { location \.(git|png|jpg)$ { ## if (picturefile) root /var/www/content; ## directly connect . } location /pub { ## else proxy_pass http://127.0.0.1:5000 ## reverse proxy } } location /css { location \.css$ { root /var/www/css; } location /css { deny all; } } location / { root /var/www/html; } } ```

# Mime Types mime types (Content Type) ``` E-mailに文字以外のデータを含めるのに、データ形式を識別するためのコードの体系。転じて、 HTTPなどでもデータの種類を表すコードとして利用「type/subtype」の形式で記述され、例えばプレーンテキストは「text/plain」、 HTML文書は「text/html」、 JPEG画像は「image/jpeg」 typeに指定できるものには text（文字）、image（画像）、video（動画）、audio（音声）、 application（アプリケーション固有）、 message（メールメッセージ）、multipart（複数形式が混在）など RFCなどに登録されていない非公式なsubtypeは接頭辞「x-」を付け、「application/x-lzh」また、企業などが自社固有のデータ形式を使う場合は接頭辞「vnd.」を付け、「application/vnd.ms-word」データ形式が不明あるいは任意のバイナリ形式の場合は「application/octet-stream」 ``` # e.g. broadcast `.pub` file as `text/plain` ``` server { ... include mime.types; types { text/plain pub; } default_type application/octet-stream; } ``` # e.g.under `/download` dir , # broadcast all as binary ``` server { ... location /download/ { types {} default_type application/octet-stream; } } ``` # enable gzip ``` server { ... gzip on; gzip_types text/plain text/css text/xml appliction/javascript; gzip_min_length 1000; ##no-zip less than 1000 bytes } ``` # check gzip is valid ``` $ curl -v -s -H "Accept-Encoding: gzip" -H "Host: web.nginx.example.com" http://203.0.113.16/ > /dev/null ... >Accept-Encoding: gzip ## request for making gzip valid ... >Content-Encoding: gzip ## response that gzip is valid ... ```

# Reverse Proxy definition `X-Forwarded-For` : Client's IP address `X-Forwarded-Host` : Hostname which Client has. `X-Forwaded-Server` : Hostname of Proxy Server ``` server { ... proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwaded-Server $host; proxy_set_header Host $host; } ``` remove unneeded header ``` server { ... proxy_hide_header X-Cache; proxy_hide_header X-Cache-Lookup; proxy_hide_header Warning; proxy_hide_header Via; } ```

## moving from Apache to Nginx ``` $ nginx -t ## check if configuration is valid $ service httpd stop ; service nginx start ```

# open another port and broadcast Apache & Nginx at the same time 1. open only 8080 for nginx ``` server { # listen 80; listen 8080; } ``` 2. check 3. open both 80 & 8080 for nginx 4. stop Apache 5. ``` $ service nginx reload ## or $ nginx -s reload ```

# After moving ## reflect confiuration ``` $ nginx -s reload $ service nginx reload $ service nginx restart $ service nginx stop && service nginx start ```

## LOG rotaion ``` nginx -s reopen ## reopen with another log file ``` nginx 公式rpmには `/var/log/nginx/*.log` をlogrotateする設定が `/etc/logrotate.d/nginx`がある

## 重要な指標 * Network Traffic (inbound/outbound) [Mbps] * CPU use ratio (user/system/iowait/...) [%] * Memory use ratio (used/buffer/cache/avail/swap) [%] * Load Average

# [`http_stub_status ` module](http://wiki.nginx.org/HttpStubStatusModule) stub_status output ``` $ curl -s http://localhost/___nginx_status ``` configuration enabling stub_status ``` server { ... location / ___nginx_status { stub_status on; ## permit only local network access # allow 10.0.0.0/8; allow 127.0.0.1; deny all; } } ```

# LOG Format edit LogFormat as you want