Nginx核心知识100讲 第四部分课件

Uploaded by

chentongwin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
13 views

Nginx核心知识100讲 第四部分课件

Uploaded by

chentongwin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 184

/

4 3
2 2

1 1 1 1
Nginx AKF

IP

URL

Round-Robin
least-connected
downstream下游

Nginx

upstream上游
upstream server

Syntax: upstream name { ... }


Default: —
Context: http

Syntax: server address [parameters];


Default: —
Context: upstream
upstream server

c
e 8
P 8 e

I server 0I
backup server server

down
Round-Robin

server
Nginx upstream

weight
Ø 1
max_conns
Ø server worker 0
max_fails
Ø fail_timeout fail_timeout
server
fail_timeout
Ø 10 2
Ø max_fails
Ø max_fails server
keepalive

Ø Ø -

proxy_http_version 1.1;
proxy_set_header Connection "";
upstream_keepalive
Syntax: keepalive connections;
Default: —
Context: upstream
1.15.3
Syntax: keepalive_requests number;
Default: keepalive_requests 100;
Context: upstream
Syntax: keepalive_timeout timeout;
Default: keepalive_timeout 60s;
Context: upstream
resolver

Syntax: resolver address ... [valid=time] [ipv6=on|off];


Default: —
Context: http, server, location

Syntax: resolver_timeout time;


Default: resolver_timeout 30s;
Context: http, server, location
IP Hash
upstream_ip_hash

IP hash ngx_http_upstream_ip_hash_module
--without-http_upstream_ip_hash_module
• IPV4 3
IPV6
• round-robin Syntax: ip_hash;
• realip Default: —
IP Context: upstream
Hash
upstream_hash

hash key ngx_http_upstream_hash_module


--without-http_upstream_ip_hash_module
hash


Syntax: hash key [consistent];
• round-robin
Default: —
Context: upstream
Hash

3 0 server 12 key%5
hash

3 0 server 12 key%4
Hash
Hash
Hash upstream_hash

Syntax: hash key [consistent];


Default: —
Context: upstream
upstream_least_conn

ngx_http_upstream_least_conn_module


--without-http_upstream_ip_hash_module


Syntax: least_conn;
round-robin
Default: —
Context: upstream
worker
upstream_zone

ngx_http_upstream_zone_module --without-http_upstream_ip_hash_module
upstream

Syntax: zone name [size];


nginx worker Default: —
Context: upstream
upstream
ngx_module_t *ngx_modules[] = {
……
&ngx_http_upstream_hash_module,
&ngx_http_upstream_ip_hash_module,
&ngx_http_upstream_least_conn_module,
&ngx_http_upstream_random_module,
&ngx_http_upstream_keepalive_module,
&ngx_http_upstream_zone_module,
……
};
upstream cache
upstream_addr

IP 127.0.0.1:8012

upstream_connect_time

upstream_header_time

http

upstream_response_time

upstream_http_
upstream cache
upstream_bytes_received

upstream_response_length

upstream_status

HTTP 502

upstream_cookie_

Set-Cookie cookie

upstream_trailer_
HTTP
content proxy_pass

cache
proxy_buffering on

cache cache

http proxy_buffering off

proxy_request_buffering on

proxy_request_buffering off

cache cache
HTTP proxy

http/https
Syntax: proxy_pass URL;
Default: —
Context: location, if in location, limit_except
ngx_http_proxy_module
nginx
--without-http_proxy_module

proxy_pass
HTTP proxy
URL

Ø URL http:// https:// IP unix socket


upstream IP
URI
Ø URL URI URL
• URI URL
• location @
• URI URL
• location URI
Ø URL
Ø URL location rewrite break
proxy

Syntax: proxy_method method;


Default: —
Context: http, server, location

Syntax: proxy_http_version 1.0 | 1.1;


Default: proxy_http_version 1.0;
Context: http, server, location
proxy

Syntax: proxy_set_header field value;


proxy_set_header Host $proxy_host;
Default:
proxy_set_header Connection close;
Context: http, server, location
value header

Syntax: proxy_pass_request_headers on | off;


Default: proxy_pass_request_headers on;
Context: http, server, location
proxy

Syntax: proxy_pass_request_body on | off;


Default: proxy_pass_request_body on;
Context: http, server, location

Syntax: proxy_set_body value;


Default: —
Context: http, server, location
Syntax: proxy_request_buffering on | off;
Default: proxy_request_buffering on;
Context: http, server, location

on off

• •
• • nginx
• •
proxy_next_upstream

Syntax: client_body_buffer_size size;
Default: client_body_buffer_size 8k|16k; •
Context: http, server, location client_body_buffer_size

Syntax: client_body_in_single_buffer on | off; • client_body_buffer_size


Default: client_body_in_single_buffer off;

Context: http, server, location



Syntax: client_max_body_size size;
Default: client_max_body_size 1m;
Context: http, server, location

Content-Length
413
Syntax: client_body_temp_path path [level1 [level2 [level3]]];
Default: client_body_temp_path client_body_temp;
Context: http, server, location

Syntax: client_body_in_file_only on | clean | off;


Default: client_body_in_file_only off;
Context: http, server, location
Syntax: client_body_timeout time;
Default: client_body_timeout 60s;
Context: http, server, location

408
HTTP
content proxy_pass

cache
proxy_buffering on
cache cache

http
proxy_buffering off

proxy_request_buffering on

proxy_request_buffering off

cache cache
Syntax: proxy_connect_timeout time;
Default: proxy_connect_timeout 60s;
Context: http, server, location

http 502

Syntax: proxy_next_upstream http_502 | ..;


Default: proxy_next_upstream error timeout;
Context: http, server, location
TCP keepalive

Syntax: proxy_socket_keepalive on | off;


Default: proxy_socket_keepalive off;
Context: http, server, location
HTTP keepalive

Syntax: keepalive connections;


Default: —
Context: upstream

Syntax: keepalive_requests number;


Default: keepalive_requests 100;
Context: upstream
TCP local address

Syntax: proxy_bind address [transparent] | off;


Default: —
Context: http, server, location


• proxy_bind $remote_addr;
• IP
• proxy_bind $remote_addr transparent;
Syntax: proxy_ignore_client_abort on | off;
Default: proxy_ignore_client_abort off;
Context: http, server, location
HTTP

Syntax: proxy_send_timeout time;


Default: proxy_send_timeout 60s;
Context: http, server, location
HTTP

Syntax: proxy_buffer_size size;


Default: proxy_buffer_size 4k|8k;
Context: http, server, location

error.log upstream sent too big header


HTTP
content proxy_pass

cache
proxy_buffering on
cache cache

http
proxy_buffering off

proxy_request_buffering on

proxy_request_buffering off

cache cache
HTTP

Syntax: proxy_buffers number size;


Default: proxy_buffers 8 4k|8k;
Context: http, server, location
HTTP
Syntax: proxy_buffering on | off; X-Accel-Buffering
Default: proxy_buffering on; yes
no
Context: http, server, location

Syntax: proxy_max_temp_file_size size;


Default: proxy_max_temp_file_size 1024m;
Context: http, server, location

Syntax: proxy_temp_file_write_size size;


Default: proxy_temp_file_write_size 8k|16k;
Context: http, server, location

Syntax: proxy_temp_path path [level1 [level2 [level3]]];


Default: proxy_temp_path proxy_temp;
Context: http, server, location
Syntax: proxy_busy_buffers_size size;
Default: proxy_busy_buffers_size 8k|16k;
Context: http, server, location
Syntax: proxy_read_timeout time;
Default: proxy_read_timeout 60s;
Context: http, server, location

Syntax: proxy_limit_rate rate;


Default: proxy_limit_rate 0;
Context: http, server, location
Syntax: proxy_store_access users:permissions ...;
Default: proxy_store_access user:rw;
Context: http, server, location

Syntax: proxy_store on | off | string;


Default: proxy_store off;
Context: http, server, location
-

HTTP

copy_filter:

HTTP

postpone_filter:

HTTP

header_filter:
write_filter:
Syntax: proxy_ignore_headers field ...;
Default: —
Context: http, server, location


• nginx proxy_ignore_headers


• X-Accel-Redirect nginx
• X-Accel-Limit-Rate limit_rate
• X-Accel-Buffering
• X-Accel-Charset Content-Type Charset

• X-Accel-Expires nginx @
• Expires nginx X-Accel-Expires
• Cache-Control nginx X-Accel-Expires
• Set-Cookie Set-Cookie proxy_ignore_headers
• Vary Vary: *
proxy_hide_header

Syntax: proxy_hide_header field;


Default: —
Context: http, server, location

• proxy_hide_header

• proxy_hide_header
• Date ngx_http_header_filter_module nginx
• Server ngx_http_header_filter_module nginx
• X-Pad Apache BUG
• X-Accel- nginx
• proxy_pass_header
• proxy_hide_header

Syntax: proxy_pass_header field;


Default: —
Context: http, server, location
Set-Cookie

proxy_cookie_domain off;
Syntax:
proxy_cookie_domain domain replacement;
Default: proxy_cookie_domain off;
Context: http, server, location

proxy_cookie_path off;
Syntax:
proxy_cookie_path path replacement;
Default: proxy_cookie_path off;
Context: http, server, location
Location

proxy_redirect default;
Syntax: proxy_redirect off;
proxy_redirect redirect replacement;
Default: proxy_redirect default;
Context: http, server, location
proxy_next_upstream error | timeout | invalid_header | http_500 | http_502 | http_503 |
Syntax:
http_504 | http_403 | http_404 | http_429 | non_idempotent | off ...;
Default: proxy_next_upstream error timeout;
Context: http, server, location



• error
• timeout
• invalid_header
• http_
• non_idempotent
• off
proxy_next_upstream

Syntax: proxy_next_upstream_timeout time;


Default: proxy_next_upstream_timeout 0;
Context: http, server, location

Syntax: proxy_next_upstream_tries number;


Default: proxy_next_upstream_tries 0;
Context: http, server, location
error_page

300 error_page

Syntax: proxy_intercept_errors on | off;


Default: proxy_intercept_errors off;
Context: http, server, location
proxy_ssl_certificate ssl_verify_client
proxy_ssl_certificate_key ssl_client_certificate

http https

proxy_ssl_verify ssl_certificate
proxy_ssl_trusted_certificate ssl_certificate_key
Syntax: ssl_certificate file;
Default: —
Context: http, server

Syntax: ssl_certificate_key file;


Default: —
Context: http, server
Syntax: ssl_verify_client on | off | optional | optional_no_ca;
Default: ssl_verify_client off;
Context: http, server

Syntax: ssl_client_certificate file;


Default: —
Context: http, server
Syntax: proxy_ssl_certificate file;
Default: —
Context: http, server, location

proxy_ssl_certificate_key file;
Syntax:

Default: —
Context: http, server, location
Syntax: proxy_ssl_trusted_certificate file;
Default: —
Context: http, server, location

Syntax: proxy_ssl_verify on | off;


Default: proxy_ssl_verify off;
Context: http, server, location
ssl 1


• ssl_cipher: ECDHE-RSA-AES128-GCM-SHA256
• ssl_ciphers:
• ssl_protocol: TLS TLSv1.2
• ssl_curves: secp384r1:secp521r1

• ssl_client_raw_cert:
• ssl_client_escaped_cert: urlencode
• ssl_client_cert: tab
• ssl_client_fingerprint: SHA1
ssl 2

• ssl_server_name: TLS SNI(Server Name Indication)
• ssl_client_i_dn: RFC2253 issuer dn CN=…,O=…,L=…,C=…
• ssl_client_i_dn_legacy: RFC2253 issuer dn /C=…/L=…/O=…/CN=…
• ssl_client_s_dn: RFC2253 subject dn CN=…,OU=…,O=…,L=…,ST=…,C=…
• ssl_client_s_dn_legacy: subject dn /C=…/ST=…/L=…/O=…/OU=…/CN=…

• ssl_client_v_end: Dec 1 11:56:11 2028 GMT
• ssl_client_v_remain: ssl_client_v_end 3649
• ssl_client_v_start: Dec 4 11:56:11 2018 GMT

• ssl_client_serial: 8BE947674841BD44
• ssl_early_data: TLS1.3 early data 1
• ssl_client_verify: FAILED: NONE SUCCESS
• ssl_session_id: sessionid
• ssl_session_reused: session session r .

• CA
• openssl genrsa -out ca.key 2048
• CA
• openssl req -new -x509 -days 3650 -key ca.key -out ca.crt


• openssl genrsa -out a.pem 1024
• openssl rsa -in a.pem -out a.key

• openssl req -new -key a.pem -out a.csr
• CA
• openssl x509 -req -sha256 -in a.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out a.crt

• openssl verify -CAfile ca.crt a.crt
nginx



• 304


• nginx



• 304 nginx


• nginx
Etag

ETagHTTP
Web ETag

URL Etag Etags


etags

W/
'W/'( )
Etag
etag

Syntax: etag on | off;


Default: etag on;
Context: http, server, location

ngx_sprintf(etag->value.data, "\"%xT-%xO\"",
r->headers_out.last_modified_time,
r->headers_out.content_length_n)
If-None-Match
If-None-Match GETGET HEAD
ETag 200
ETag

GET HEAD 304 Not Modified


412 Precondition Failed
304 200 Cache-Control Content-
Location Date ETag Expires Vary

ETag

If-Modified-Since If-None-Match

• GET HEAD ETag


• PUT If-None-Match used *
If-Modified-Since

If-Modified-Since
200
304 Last-Modified
If-Unmodified-Since, If-Modified-Since GET HEAD

If-None-Match If-Modified-Since If-


None-Match
not_modified


• If-Modified-Since If-None-Match
Last-Modified 200
304 Not Modified


• 200
expires
expires [modified] time;
Syntax:
expires epoch | max | off;
Default: expires off;
Context: http, server, location, if in location
• max:
• Expires: Thu, 31 Dec 2037 23:55:55 GMT
• Cache-Control: max-age=315360000 10
• off Expires Cache-Control
• epoch
• Expires: Thu, 01 Jan 1970 00:00:01 GMT
• Cache-Control: no-cache
• time
• @ @18h30m
• Expires Cache-Control
• time Expires time time

• Cache-Control Expires

• Cache-Control: no-cache Expires
not_modified
2 0 3

E
, 01 1

etag
1 3

E
4

0 1 3

1 off
E 2 exact&& if_modified_since!=last_modified_time
0 3 before&&if_modified_since<last_modified_time
0 , 01 1

1 1

1 4 if_none_match
2 ETag if_none_match
not_modified

Syntax: if_modified_since off | exact | before;


Default: if_modified_since exact;
Context: http, server, location

• off
• if_modified_since
• exact
• if_modified_since last_modified
• before
• if_modified_since last_modified 304
If-Match
If-Match GET HEAD
ETag PUT

The comparison with the stored ETag


ETag W/

For GET HEAD Range


ETag 416 (Range Not Satisfiable )
PUT, If-Match
412 (Precondition Failed
)
If-Unmodified-Since

HTTP If-Unmodified-Since
POST non-safe
412 (Precondition Failed)

• non-safe POST wiki

• If-Range
not_modified
2 0 3

E
, 01 1

etag
1 3

E
4

0 1 3

1 off
E 2 exact&& if_modified_since!=last_modified_time
0 3 before&&if_modified_since<last_modified_time
0 , 01 1

1 1

1 4 if_none_match
2 ETag if_none_match
nginx
Syntax: proxy_cache zone | off;
Default: proxy_cache off;
Context: http, server, location

proxy_cache_path path [levels=levels] [use_temp_path=on|off]


keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number]
Syntax: [manager_sleep=time] [manager_threshold=time] [loader_files=number]
[loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number]
[purger_sleep=time] [purger_threshold=time];
Default: —
Context: http
proxy_cache_path 1

• path

• levels
• 3 1 2
• use_temp_path
• on proxy_temp_path
• off path
• keys_zone
• name proxy_cache
• size 1MB 8000 key
• inactive
• inactive
• 10
• max_size
• cache manager LRU
proxy_cache_path 2
• manager_files
• cache manager 1
• 100
• manager_sleep
• cache manager
• 200
• manager_threshold

• 50
• loader_files
• cache loader
• 100
• loader_sleep

• 200
• loader_threshold

• 50
Syntax: proxy_cache_key string;
Default: proxy_cache_key $scheme$proxy_host$request_uri;
Context: http, server, location
Syntax: proxy_cache_valid [code ...] time;
Default: —
Context: http, server, location


• code 404 5m;


• 200
• 301
• 302

• X-Accel-Expires
• 0 nginx
• @
• Set-Cookie
• Vary: *
Syntax: proxy_no_cache string ...;
Default: —
Context: http, server, location

Syntax: proxy_cache_bypass string ...;


Default: —
Context: http, server, location
HEAD

Syntax: proxy_cache_convert_head on | off;


Default: proxy_cache_convert_head on;
Context: http, server, location
upstream_cache_status

• upstream_cache_status
• MISS
• HIT
• EXPIRED
• STALE
• UPDATING
• REVALIDATED Nginx
• BYPASS
LRU
proxy_cache

cache_methods
proxy_cache_min_uses

proxy_cache_convert_head GET

proxy_key md5

cache_pass

proxy_cache_background_update
method

Syntax: proxy_cache_methods GET | HEAD | POST ...;


Default: proxy_cache_methods GET HEAD;
Context: http, server, location
X-Accel-Expires

X-Accel-Expires
Syntax: X-Accel-Expires [off|seconds]
Default: X-Accel-Expires off

0
@
Vary
Vary HTTP (response)
content negotiation algorithm
headers .

304 Not Modified Vary 200 OK

• Vary: *
• Cache-Control: private,

• proxy_ignore_headers
• Vary: <header-name>, <header-name>, ...
• http
Set-Cookie
Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly

Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict


Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax

Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly

Set-Cookie proxy_ignore_headers
proxy_no_cache

proxy_cache_valid

200 206

cache etag last_modified



9 9
Syntax: proxy_cache_lock on | off;
Default: proxy_cache_lock off; 9 9
Context: http, server, location
2 1 14 1 5 6 3
85 9

Syntax: proxy_cache_lock_timeout time;


Default: proxy_cache_lock_timeout 5s; nginx
Context: http, server, location
1 65 7 3 4 1 8
5

Syntax: proxy_cache_lock_age time; 0


Default: proxy_cache_lock_age 5s;
Context: http, server, location
65 3 14
— stale

proxy_cache_use_stale error | timeout | invalid_header |


Syntax: updating | http_500 | http_502 | http_503 | http_504 |
http_403 | http_404 | http_429 | off ...;
Default: proxy_cache_use_stale off; 1 1
0 0
Context: http, server, location nginx 1
0

Syntax: proxy_cache_background_update on | off;


Default: proxy_cache_background_update off;
Context: http, server, location
proxy_cache_use_stale
• updating

• stale-while-revalidate
• updating
• Cache-Control: max-age=600, stale-while-revalidate=30
• stale-if-error

stale-while-revalidate stale-if-error
• Cache-Control: max-age=600, stale-if-error=1200
• error

• timeout

• http_(500|502|503|504|403|404|429)

Syntax: proxy_cache_background_update on | off;
Default: proxy_cache_background_update off;
Context: http, server, location
proxy_cache_use_stale

Syntax: proxy_cache_revalidate on | off;


Default: proxy_cache_revalidate off;
Context: http, server, location
If-Modified-Since If-None-Match
304

• ngx_cache_purge https://github.com/FRiCKLE/ngx_cache_purge
• --add-module= nginx

• HTTP

•syntax: proxy_cache_purge on|off|<method> [from all|<ip> [.. <ip>]]


•default: none
•context: http, server, location

•syntax: proxy_cache_purge zone_name key


•default: none
•context: location
uwsgi_pass fastcgi_pass scgi_pass proxy_pass
uwsgi_pass_request_headers fastcgi_pass_request_headers scgi_pass_request_headers proxy_pass_request_headers
uwsgi_pass_request_body fastcgi_pass_request_body scgi_pass_request_body proxy_pass_request_body
proxy_method
proxy_http_version
proxy_set_header
proxy_set_body
uwsgi_request_buffering fastcgi_request_buffering scgi_request_buffering proxy_request_buffering
uwsgi_connect_timeout fastcgi_connect_timeout scgi_connect_timeout proxy_connect_timeout
uwsgi_bind fastcgi_bind scgi_bind proxy_bind
TCPkeepalive uwsgi_socket_keepalive fastcgi_socket_keepalive scgi_socket_keepalive proxy_socket_keepalive
uwsgi_ignore_client_abort fastcgi_ignore_client_abort scgi_ignore_client_abort proxy_ignore_client_abort
HTTP proxy_headers_hash_bucket_size
HTTP proxy_headers_hash_max_size
uwsgi_send_timeout scgi_send_timeout fastcgi_send_timeout proxy_send_timeout
uwsgi_buffering fastcgi_buffering scgi_buffering proxy_buffering
uwsgi_temp_path fastcgi_temp_path scgi_temp_path proxy_temp_path
uwsgi_temp_file_write_size fastcgi_temp_file_write_size scgi_temp_file_write_size proxy_temp_file_write_size
uwsgi_max_temp_file_size fastcgi_max_temp_file_size scgi_max_temp_file_size proxy_max_temp_file_size
uwsgi_buffer_size fastcgi_buffer_size scgi_buffer_size proxy_buffer_size
uwsgi_buffers fastcgi_buffers scgi_buffers proxy_buffers
uwsgi_busy_buffers_size fastcgi_busy_buffers_size scgi_busy_buffers_size proxy_busy_buffers_size
uwsgi_store fastcgi_store scgi_store proxy_store
uwsgi_store_access fastcgi_store_access scgi_store_access proxy_store_access
uwsgi_read_timeout fastcgi_read_timeout scgi_read_timeout proxy_read_timeout
uwsgi_limit_rate fastcgi_limit_rate scgi_limit_rate proxy_limit_rate
uwsgi_hide_header fastcgi_hide_header scgi_hide_header proxy_hide_header

uwsgi_ignore_headers fastcgi_ignore_headers scgi_ignore_headers proxy_ignore_headers


Set-Cookie proxy_cookie_domain

Set-Cookie proxy_cookie_path
URL
proxy_redirect
Location
uwsgi_pass_header fastcgi_pass_header scgi_pass_header proxy_pass_header
uwsgi_next_upstream fastcgi_next_upstream scgi_next_upstream proxy_next_upstream
uwsgi_next_upstream_timeout fastcgi_next_upstream_timeout scgi_next_upstream_timeout proxy_next_upstream_timeout
uwsgi_next_upstream_tries fastcgi_next_upstream_tries scgi_next_upstream_tries proxy_next_upstream_tries
uwsgi_intercept_errors fastcgi_intercept_errors scgi_intercept_errors proxy_intercept_errors
SSL

uwsgi_ssl_certificate proxy_ssl_certificate
a uwsgi_ssl_certificate_key proxy_ssl_certificate_key
uwsgi_ssl_ciphers proxy_ssl_ciphers
c CRL uwsgi_ssl_crl proxy_ssl_crl

uwsgi_ssl_name proxy_ssl_name
a uwsgi_ssl_password_file proxy_ssl_password_file
uwsgi_ssl_protocols proxy_ssl_protocols
SNI uwsgi_ssl_server_name proxy_ssl_server_name
SSL uwsgi_ssl_session_reuse proxy_ssl_session_reuse
uwsgi_ssl_trusted_certificate proxy_ssl_trusted_certificate
uwsgi_ssl_verify proxy_ssl_verify
uwsgi_ssl_verify_depth proxy_ssl_verify_depth
1

uwsgi_cache fastcgi_cache scgi_cache proxy_cache


uwsgi_cache_path fastcgi_cache_path scgi_cache_path proxy_cache_path
uwsgi_cache_bypass fastcgi_cache_bypass scgi_cache_bypass proxy_cache_bypass

uwsgi_cache_background_update fastcgi_cache_background_update scgi_cache_background_update proxy_cache_background_update
uwsgi_cache_key fastcgi_cache_key scgi_cache_key proxy_cache_key
range uwsgi_cache_max_range_offset fastcgi_cache_max_range_offset scgi_cache_max_range_offset proxy_cache_max_range_offset
uwsgi_cache_methods fastcgi_cache_methods scgi_cache_methods proxy_cache_methods
uwsgi_cache_min_uses fastcgi_cache_min_uses scgi_cache_min_uses proxy_cache_min_uses
a uwsgi_cache_valid fastcgi_cache_valid scgi_cache_valid proxy_cache_valid
range uwsgi_force_ranges fastcgi_force_ranges scgi_force_ranges proxy_force_ranges
2

c 304 uwsgi_cache_revalidate fastcgi_cache_revalidate scgi_cache_revalidate proxy_cache_revalidate


c uwsgi_cache_use_stale fastcgi_cache_use_stale scgi_cache_use_stale proxy_cache_use_stale
uwsgi_no_cache fastcgi_no_cache scgi_no_cache proxy_no_cache

HEAD GET proxy_cache_convert_head
uwsgi_cache_lock fastcgi_cache_lock scgi_cache_lock proxy_cache_lock
uwsgi_cache_lock_age fastcgi_cache_lock_age scgi_cache_lock_age proxy_cache_lock_age

a uwsgi_cache_lock_timeout fastcgi_cache_lock_timeout scgi_cache_lock_timeout proxy_cache_lock_timeout
uwsgi_modifier1

uwsgi_modifier2

uwsgi_param fastcgi_param scgi_param

fastcgi_index

fastcgi_catch_stderr
memcached


• HTTP memcached get memcached
• get get <key>*\r\n
• <command name> <key> <flags> <exptime> <bytes> [noreply]\r\n
• memcached_key key


• ngx_http_memcached_module --without-http_memcached_module
memcached

memcached_pass proxy_pass
memcached_bind proxy_bind
memcached_buffer_size proxy_buffer_size
memcached_connect_timeout proxy_connect_timeout
range memcached_force_ranges proxy_force_ranges
key flag flag memcached_gzip_flag
gzip
memcached_next_upstream proxy_next_upstream
memcached_next_upstream_timeout proxy_next_upstream_timeout
memcached_next_upstream_tries proxy_next_upstream_tries
memcached_read_timeout proxy_read_timeout
memcached_send_timeout proxy_send_timeout
TCPkeepalive memcached_socket_keepalive proxy_socket_keepalive
websocket

ngx_http_proxy_module

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
3 : ?DA M ID :OM M MJ 3 LCPG ID
20 ,DL MCHLF DU 3 : DOSDO M DLODP V
3MP TDAPM ID MG H D G / D 8ML /D 28
- D 0L MCHLF FWH CDEJ D .MLLD HML FO CD
D ?DA M ID DOPHML - DPP .ML OMJ -JJMT .ODCDL H JP O D
9OHFHL G TTT TDAPM ID MOF - DPP .ML OMJ -JJMT 3D CDOP ML DL V D
D ?DA M ID 0U DLPHMLP DOKDPP FD CDEJ D - DPP .ML OMJ -JJMT 3D CDOP GMOHW HML
D ?DA M ID 6DV - DPP .ML OMJ -JJMT 3D CDOP U TDAPM ID DU DLPHMLP
IF U ./G . :51E - - DPP .ML OMJ -JJMT 3D CDOP U TDAPM ID SDOPHML
.MLLD HML IDD JHSD = FO CD - DPP .ML OMJ -JJMT 3D CDOP U TDAPM ID OM M MJ
:O FK LM GD - DPP .ML OMJ -JJMT 9OHFHL G TTT TDAPM ID MOF
. GD .ML OMJ LM GD D ?DA M ID - D
= FO CD TDAPM ID V- 9 U27 AT. 9D 8:T 04
= FO CD TDAPM ID
websocket 1
• FIN 1 1 1
1
1

• RSV1 RSV2 RSV3 1

0 0
0

• Payload length 7 bits 7 bits + 16 bits


7 + 64 bits
• 0-125 Payload data

• 126 2
Payload Data unsigned
• 127 8
Payload Data unsigned
websocket 2
• OPCODE 4
• PayloadData opcode
• 0x0
• 0x1
• 0x2
• 0x3-7
• 0x8
• 0x9 ping
• 0xA pong
• 0xB-F

• MASK 1
1 1 Masking-key
PayloadData Masking-key 0

• Masking-key 0 4 MASK 1 4 0
websocket


• A Multiplexing Extension for WebSockets


• Compression Extensions for WebSocket


• Sec-WebSocket-Version WebSocket 13 RFC 6455

• Sec-WebSocket-Key

• Sec-WebSocket-Accept Sec-WebSocket-Key
• Sec-WebSocket-Protocol
• Sec-WebSocket-Extensions WebSocket
websocket

.
slice
Syntax: slice size;
Default: slice 0;
Context: http, server, location


• range range

• http_slice_module --with-http_slice_module
slice
open_file_cache

open_file_cache off;
Syntax:
open_file_cache max=N [inactive=time];
Default: open_file_cache off;
Context: http, server, location





open_file_cache

Syntax: open_file_cache_errors on | off;


Default: open_file_cache_errors off;
Context: http, server, location

Syntax: open_file_cache_min_uses number;


Default: open_file_cache_min_uses 1;
Context: http, server, location

Syntax: open_file_cache_valid time;


Default: open_file_cache_valid 60s;
Context: http, server, location
HTTP2






HTTP2.0

• Connection 1 TCP
Stream
• Stream
Message
• Message HTTP1
Frame
• Frame
HTTP1
• 1-256

Frame

TYPE
•HEADERS HTTP
•DATA
•PRIORITY
•RST_STREAM
•SETTINGS
•PUSH_PROMISE
•PING
•GOAWAY
•WINDOW_UPDATE
•CONTINUATION
PUSH
http2


• ngx_http_v2_module --with-http_v2_module nginx http2


• http2


• TLS/SSL


• listen 443 ssl http2;
nginx

Syntax: http2_push_preload on | off; /test.htm


Default: http2_push_preload off;
Context: http, server, location http2_push
/image.png

Syntax: http2_push uri | off;


Default: http2_push off;
Context: http, server, location
.
nginx http2
• https://github.com/nghttp2/nghttp2/releases
• centos yum yum install nghttp2
Syntax: http2_max_concurrent_pushes number;
Default: http2_max_concurrent_pushes 10;
Context: http, server
Syntax: http2_recv_timeout time;
Default: http2_recv_timeout 30s;
Context: http, server

Syntax: http2_idle_timeout time;


Default: http2_idle_timeout 3m;
Context: http, server
Syntax: http2_max_concurrent_pushes number;
Default: http2_max_concurrent_pushes 10;
Context: http, server

Syntax: http2_max_concurrent_streams number;


Default: http2_max_concurrent_streams 128;
Context: http, server

Syntax: http2_max_field_size size;


Default: http2_max_field_size 4k;
Context: http, server
Syntax: http2_max_requests number;
Default: http2_max_requests 1000;
Context: http, server

Syntax: http2_chunk_size size;


Default: http2_chunk_size 8k;
Context: http, server, location
Syntax: http2_chunk_size size;
Default: http2_chunk_size 8k;
Context: http, server, location
Syntax: http2_recv_buffer_size size;
Default: http2_recv_buffer_size 256k;
Context: http

Syntax: http2_max_header_size size;


Default: http2_max_header_size 16k;
Context: http, server

Syntax: http2_body_preread_size size;


Default: http2_body_preread_size 64k;
Context: http, server
grpc

• grpc
• https://grpc.io/


• ngx_http_grpc_module --without-http_grpc_module
• ngx_http_v2_module
grpc

grpc_pass proxy_pass
grpc_bind proxy_bind
grpc_buffer_size proxy_buffer_size
grpc_connect_timeout proxy_connect_timeout
grpc_next_upstream proxy_next_upstream
grpc_next_upstream_timeout proxy_next_upstream_timeout
grpc_next_upstream_tries proxy_next_upstream_tries
grpc_read_timeout proxy_read_timeout
grpc_send_timeout proxy_send_timeout
TCPkeepalive grpc_socket_keepalive proxy_socket_keepalive
grpc_hide_header proxy_hide_header
grpc_ignore_headers proxy_ignore_headers
grpc_intercept_errors proxy_intercept_errors
grpc_pass_header proxy_pass_header
grpc_set_header proxy_set_header
grpc SSL

grpc_ssl_certificate proxy_ssl_certificate
grpc_ssl_certificate_key proxy_ssl_certificate_key
grpc_ssl_ciphers proxy_ssl_ciphers
CRL grpc_ssl_crl proxy_ssl_crl
grpc_ssl_name proxy_ssl_name
grpc_ssl_password_file proxy_ssl_password_file
grpc_ssl_protocols proxy_ssl_protocols
SNI grpc_ssl_server_name proxy_ssl_server_name
SSL grpc_ssl_session_reuse proxy_ssl_session_reuse
grpc_ssl_trusted_certificate proxy_ssl_trusted_certificate
grpc_ssl_verify proxy_ssl_verify
grpc_ssl_verify_depth proxy_ssl_verify_depth
stream 7

POST_ACCEPT realip
PREACCESS limit_conn
ACCESS access
SSL ssl
PREREAD ssl_preread
CONTENT return, stream_proxy
LOG access_log
stream ssl
Syntax: stream { ... }
Default: —
Context: main

Syntax: server { ... }


Default: —
Context: stream

listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size]


Syntax:
[bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
Default: —
Context: server
1

binary_remote_addr IPv4 4 IPv6 16

connection

remote_addr

remote_port

proxy_protocol_addr proxy_protocol

proxy_protocol_port proxy_protocol
2

protocol TCP UDP

server_addr

server_port
3
• bytes_received

• bytes_sent

• status
• 200 session
• 400 proxy_protocol
• 403 access IP
• 500
• 502
• 503
Nginx

time_local 14/Nov/2018:15:55:37 +0800

time_iso8601 ISO 8601 2018-11-14T15:55:37+08:00

nginx_version Nginx

pid worker id

pipe p .

hostname hostname

msec 1970 1 1
content return

Syntax: return value;


Default: —
Context: server
proxy_protocol

• v1
• PROXY TCP4 202.112.144.236 10.210.12.10 5678 80\r\n
• PROXY TCP6 2001:da8:205::100 2400:89c0:2110:1::21
6324 80\r\n
• PROXY UNKNOWN\r\n

• v2
• 12 \r\n\r\n\0\r\nQUIT\n
• 4 2
• 4 0 LOCAL 1 PROXY nginx
PROXY
• 4 1 IPV4 2 IPV6
• 4 1 TCP 2 UDP nginx
TCP
• 2
proxy_protocol

Syntax: proxy_protocol_timeout timeout;


Default: proxy_protocol_timeout 30s;
Context: stream, server
stream proxy_protocol
c P ,3 1207 (120 0 0

a 1207 (120 0 0 ( , 0 _

a 1207 (120 0 0 V

?e I

a I

a I

32 )
post_accept realip

proxy_protocol remote_addr
remote_port realip_remote_addr realip_remote_port
TCP

ngx_stream_realip_module --with-stream_realip_module

Syntax: set_real_ip_from address | CIDR | unix:;


Default: —
Context: stream, server
PREACCESS limit_conn

worker

ngx_stream_limit_conn_module --without-stream_limit_conn_module
limit_conn

Syntax: limit_conn_zone key zone=name:size;


Default: —
Context: stream
Syntax: limit_conn zone number;
Default: —
Context: stream, server
Syntax: limit_conn_log_level info | notice | warn | error;
Default: limit_conn_log_level error;
Context: stream, server
ACCESS access

realip

ngx_stream_access_module --without-stream_access_module
access

Syntax: allow address | CIDR | unix: | all;


Default: —
Context: stream, server

Syntax: deny address | CIDR | unix: | all;


Default: —
Context: stream, server
log stream_log
access_log path format [buffer=size] [gzip[=level]] [flush=time] [if=condition];
Syntax:
access_log off;
Default: access_log off;
Context: stream, server

Syntax: log_format name [escape=default|json|none] string ...;


Default: —
Context: stream

open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time];


Syntax:
open_log_file_cache off;
Default: open_log_file_cache off;
Context: stream, server
stream TLS/SSL

TLS/SSL TLS/SSL TCP

TLS/SSL TCP TLS/SSL


stream ssl

stream TLS/SSL

ngx_stream_ssl_module nginx --with-stream_ssl_module
stream ssl http

CRL
DH

TLS

TLS
stream ssl http

session
ticket
ticket
session
stream ssl http
stream ssl 1


• ssl_cipher: ECDHE-RSA-AES128-GCM-SHA256
• ssl_ciphers:
• ssl_protocol: TLS TLSv1.2
• ssl_curves: secp384r1:secp521r1

• ssl_client_raw_cert:
• ssl_client_escaped_cert: urlencode
• ssl_client_cert: tab
• ssl_client_fingerprint: SHA1
stream ssl 2

• ssl_server_name: TLS SNI(Server Name Indication)
• ssl_client_i_dn: RFC2253 issuer dn CN=…,O=…,L=…,C=…
• ssl_client_i_dn_legacy: RFC2253 issuer dn /C=…/L=…/O=…/CN=…
• ssl_client_s_dn: RFC2253 subject dn CN=…,OU=…,O=…,L=…,ST=…,C=…
• ssl_client_s_dn_legacy: subject dn /C=…/ST=…/L=…/O=…/OU=…/CN=…

• ssl_client_v_end: Dec 1 11:56:11 2028 GMT
• ssl_client_v_remain: ssl_client_v_end 3649
• ssl_client_v_start: Dec 4 11:56:11 2018 GMT

• ssl_client_serial: 8BE947674841BD44
• ssl_early_data: TLS1.3 early data 1
• ssl_client_verify: FAILED: NONE SUCCESS
• ssl_session_id: sessionid
• ssl_session_reused: session session r .
STREAM SSL

HTTPS

nginx stream
stream_ssl_module
TLS

HTTP
SSL_PREREAD


• stream_ssl_preread_module --with-stream_ssl_preread_module

• TLS

• $ssl_preread_protocol
• TLS TLSv1.3
• $ssl_preread_server_name
• SNI
• $ssl_preread_alpn_protocols
• ALPN h2,http/1.1
stream 7

POST_ACCEPT realip
PREACCESS limit_conn
ACCESS access
SSL ssl
PREREAD ssl_preread
CONTENT return, stream_proxy
LOG access_log
preread ssl_preread

Syntax: preread_buffer_size size;


Default: preread_buffer_size 16k;
Context: stream, server

Syntax: preread_timeout timeout;


Default: preread_timeout 30s;
Context: stream, server

Syntax: ssl_preread on | off;


Default: ssl_preread off;
Context: stream, server
STREAM SSL_PREREAD

HTTPS

stream_ssl_preread_module

HTTPS
stream_proxy


• ngx_stream_proxy_module Nginx


• TCP/UDP
• TLS/SSL
• proxy protocol
proxy

Syntax: proxy_download_rate rate; proxy_upload_rate


Default: proxy_download_rate 0;
Context: stream, server

Syntax: proxy_upload_rate rate; proxy_download_rate


Default: proxy_upload_rate 0;
Context: stream, server
stream

proxy_pass proxy_pass
proxy_bind proxy_bind
proxy_buffer_size proxy_buffer_size

proxy_connect_timeout proxy_connect_timeout
TCP proxy_protocol proxy_protocol
proxy_next_upstream proxy_next_upstream
proxy_next_upstream_timeout proxy_next_upstream_timeout
proxy_next_upstream_tries proxy_next_upstream_tries
proxy_timeout proxy_read_timeout
proxy_timeout proxy_send_timeout
TCP keepalive proxy_socket_keepalive proxy_socket_keepalive
stream ssl http proxy

ssl proxy_ssl
proxy_ssl_certificate proxy_ssl_certificate
proxy_ssl_certificate_key proxy_ssl_certificate_key
proxy_ssl_ciphers proxy_ssl_ciphers
a CRL proxy_ssl_crl proxy_ssl_crl
proxy_ssl_name proxy_ssl_name
proxy_ssl_password_file proxy_ssl_password_file
proxy_ssl_protocols proxy_ssl_protocols
SNI proxy_ssl_server_name proxy_ssl_server_name
SSL proxy_ssl_session_reuse proxy_ssl_session_reuse
proxy_ssl_trusted_certificate proxy_ssl_trusted_certificate
proxy_ssl_verify proxy_ssl_verify
proxy_ssl_verify_depth proxy_ssl_verify_depth
proxy_protocol

• v1
• PROXY TCP4 202.112.144.236 10.210.12.10 5678 80\r\n
• PROXY TCP6 2001:da8:205::100 2400:89c0:2110:1::21
6324 80\r\n
• PROXY UNKNOWN\r\n

• v2
• 12 \r\n\r\n\0\r\nQUIT\n
• 4 2
• 4 0 LOCAL 1 PROXY nginx
PROXY
• 4 1 IPV4 2 IPV6
• 4 1 TCP 2 UDP nginx
TCP
• 2
stream proxy

HTTP

HTTP
proxy protocol proxy_protocol on;

HTTP
proxy protocol HTTP
proxy protocol
http http
listen proxy_protocol listen proxy_protocol
UDP

A B C D
session
UDP
• session session 1.15.7
• access
• nginx
• 0 access

Syntax: proxy_requests number;


Default: proxy_requests 0;
Context: stream, server


• proxy_timeout

Syntax: proxy_responses number;


Default: —
Context: stream, server
IP

• proxy_protocol

• IP

• IP


• IP nginx TCP/UDP
• DSR UDP
IP

A B
B A

IP B
C
nginx
B->A C
C A

A B
IP C
IPNOT
• proxy_bind $remote_addr transparent;
• nginx :

61 7E G K-
1 61 7E G 78 PMI R-

• nginx # IP IP nginx

8 1 6E 1
8 1 1 12
8 12 A 1 7 -. . 0/ A A .
A 1 66666666
DSR 1

A B
B A

IP B
C
B
B->A C
A
C
A B
IP C
DSR 2

A
B

IP B
C->B
A
B->A

IP C
DSR
• ip
• proxy_responses 0
• proxy_bind $remote_addr:$remote_port transparent;
• ip nginx

• # route add default gw nginx-ip-address
• ip
• # sysctl -w net.ipv4.ip_forward=1
• nginx


• nginx

/
