简介
nginx配置文件结构示例,基本覆盖常用的配置:
# Main (process-level) context: worker identity, worker count, limits and error logging.
# Workers run as the account "olwaf" instead of root.
user olwaf;
worker_processes auto;
worker_cpu_affinity auto;
# Per-worker open-file limit. It must stay above worker_connections (150000 below),
# because every client and upstream connection consumes a descriptor.
worker_rlimit_nofile 200000;
# Errors at level warn and above are sent to the remote syslog host "logserver".
error_log syslog:facility=local3,severity=warn,server=logserver:514,tag=olwaf warn;
# NOTE(review): the second error_log target is /dev/null, so no local copy is kept.
# If the syslog host is unreachable, error records are lost -- confirm this is intended.
error_log /dev/null warn;
pid /vm_data/openstack/olwaf/nginx.pid;
events {
# accept_mutex off: workers do not take turns accepting new connections.
accept_mutex off;
use epoll;
# Upper bound on simultaneous connections per worker; upstream connections count too.
worker_connections 150000;
}
http {
# http{}-level defaults inherited by every server{} below.
# The curly quotes on this page (“ ”) are typographic residue from rendering;
# a real configuration file needs straight ASCII double quotes.
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
# server_tokens off removes the nginx version from error pages and the Server header.
# server_info / server_tag are not stock nginx directives (they look like Tengine's).
# NOTE(review): the tag below still advertises a product name and version to clients.
server_tokens off;
server_info off;
server_tag “OLWAF 1.0.0”;
# NOTE(review): a 300s keep-alive and a 5m header-read timeout let slow or idle clients
# hold connections for a long time; shorter values make connection exhaustion harder.
keepalive_timeout 300s;
client_header_timeout 5m;
send_timeout 1m;
check_shm_size 50m;
client_body_buffer_size 64k;
large_client_header_buffers 4 32k;
# Request and response buffering are disabled, so bodies are streamed through.
# Backends are then exposed directly to the pace of slow clients.
proxy_request_buffering off;
fastcgi_request_buffering off;
client_body_postpone_size 64k;
proxy_buffering off;
proxy_buffer_size 16k;
# NOTE(review): with these two settings, header names containing underscores or other
# invalid characters are accepted and passed on instead of being dropped. Backends that
# map "-" and "_" to the same variable (CGI-style) can then be handed a client-supplied
# look-alike of a trusted header; strip or validate such headers before trusting them.
underscores_in_headers on;
ignore_invalid_headers off;
server_names_hash_max_size 40000;
server_names_hash_bucket_size 128;
proxy_connect_timeout 5s;
index index.html index.htm;
# Access-log format. $request_uri, $http_referer and $http_user_agent are client-controlled:
# treat them as untrusted in whatever consumes these lines, and note that query strings
# can carry credentials or tokens into the log stream sent to the syslog host.
log_format proxyformat “$time_iso8601 $remote_addr:$remote_port $server_addr:$server_port $upstream_addr $request_time $upstream_response_time $status $upstream_status $request_length $body_bytes_sent \”$request_method $scheme://$http_host$request_uri $server_protocol\” \”$http_referer\” \”$http_user_agent\””;
access_log syslog:facility=local3,severity=info,server=logserver:514,tag=olwaf proxyformat;
log_not_found off;
# Compression is applied to proxied responses as well (gzip_proxied any).
# NOTE(review): compressing HTTPS responses that mix secrets with reflected request data
# is the precondition for compression side-channel attacks (BREACH); review per application.
gzip on;
gzip_http_version 1.0;
gzip_comp_level 6;
gzip_min_length 1024;
gzip_proxied any;
gzip_vary on;
gzip_disable msie6;
gzip_buffers 96 8k;
gzip_types text/xml text/plain text/css application/javascript application/x-javascript application/rss+xml application/atom+xml application/xml application/json;
proxy_redirect off;
proxy_buffers 128 8k;
proxy_intercept_errors off;
# Request-rate zone keyed on the client address and applied with burst=1000 in the servers below.
# NOTE(review): 10000 requests/second per address only caps extreme floods, and clients
# behind one NAT address share a single budget.
limit_req_zone $binary_remote_addr zone=req50k:30m rate=10000r/s;
# Per-virtual-server request statistics (req_status* are not stock nginx directives).
req_status_zone req_server_status “$server_addr:$server_port,$server_name” 50M;
req_status req_server_status;
# NOTE(review): stock nginx proxy_bind takes a single address, and global_check_bind is not
# a stock directive; both lines presumably rely on a vendor extension that rotates the source
# address for proxied traffic and health checks -- verify against the build in use.
proxy_bind 10.65.28.2 10.65.28.3 10.65.28.5 10.65.28.6 10.65.28.7 10.65.28.8 10.65.28.9 10.65.28.10;
global_check_bind 10.65.28.20 10.65.28.21 10.65.28.22 10.65.28.23 10.65.28.26 10.65.28.28;
# Internal monitoring virtual server (plain HTTP) exposing health-check, request-statistics
# and connection-counter pages.
server {
listen 10.65.27.212:80 backlog=20480;
# Allow-list: only the listen address itself and loopback may query this server;
# every other client is refused. These pages reveal backend addresses and traffic
# figures, so the allow/deny rules are the only thing keeping them private.
allow 10.65.27.212;
allow 127.0.0.1;
deny all;
# NOTE(review): with access logging off, reads of the status pages leave no access-log record.
access_log off;
# Upstream health-check results in CSV form (check_status is not a stock nginx directive).
location /check_healthcheck_status {
check_status csv;
}
# Per-server request statistics from the req_server_status zone defined at http level.
location /check_req_status {
req_status_show req_server_status;
}
# Basic connection counters.
location = /nginx_status {
stub_status on;
}
}
# Plain-HTTP reverse proxy on 10.65.32.23:8080. There is no server_name, so every Host value
# arriving on this address and port is handled here.
server {
listen 10.65.32.23:8080 backlog=20480;
# The client-supplied Host header is forwarded unchanged; backends must not treat it as trusted
# when building links, redirects or cache keys.
proxy_set_header Host $http_host;
# $proxy_add_x_forwarded_for appends the client address to whatever X-Forwarded-For the client
# sent, so only the last entry is set by this proxy; earlier entries are attacker-controllable.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): $remote_port is the client's source port, not the port the client connected to;
# if backends expect the listener port in X-Forwarded-Port, $server_port is the usual variable.
proxy_set_header X-Forwarded-Port $remote_port;
limit_req zone=req50k burst=1000;
location / {
proxy_pass http://rp_10_65_32_23_8080;
}
}
# Backend pool for the 8080 listener: two equally weighted servers.
upstream rp_10_65_32_23_8080 {
# Active HTTP health check (check / check_http_send are not stock nginx directives).
# default_down=false: a server is treated as up until checks say otherwise, so traffic
# can reach a backend before its first probe has completed.
check type=http default_down=false timeout=4000 rise=5 fall=4 interval=5000;
# Probe request sent to each backend.
check_http_send “HEAD /healthCheck HTTP/1.0\r\nHOST:10.65.32.23\r\n\r\n”;
server 10.65.16.5:9090 weight=20;
server 10.65.16.6:9090 weight=20;
}
# TLS-terminating reverse proxy on 10.65.32.23:443.
server {
listen 10.65.32.23:443 backlog=20480;
# NOTE(review): "ssl on;" is the legacy form; current nginx expects the ssl parameter on the
# listen directive instead and no longer accepts this directive.
ssl on;
ssl_certificate /vm_data/openstack/olwaf/certificates/f619ca88-b957-9eafaa56e6d5/lb.crt;
# Private key: the file should be readable only by the account that starts nginx.
ssl_certificate_key /vm_data/openstack/olwaf/certificates/f619ca88-b957-9eafaa56e6d5/lb.key;
# NOTE(review): TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996). Restrict this to
# TLSv1.2, plus TLSv1.3 where the build supports it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): the list still offers 3DES suites (DES-CBC3-SHA, 64-bit block cipher), static-RSA
# key exchange without forward secrecy (AES128-SHA, AES256-SHA, ...) and CBC suites with SHA-1.
# The trailing !DH:!EDH appears to remove the DHE-RSA-* entries listed earlier, so they are
# dead weight. Trimming to ECDHE + AEAD suites would match current guidance.
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!DH:!EDH;
# The server's cipher order wins, so the order of the list above decides what is negotiated.
ssl_prefer_server_ciphers on;
ssl_session_cache shared:rp_10_65_32_23_443:10m;
ssl_session_timeout 600s;
# The client-supplied Host header is forwarded unchanged; backends must validate it.
proxy_set_header Host $http_host;
# Appends the client address to any client-supplied X-Forwarded-For; only the last entry
# is set by this proxy.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): $remote_port is the client's source port; $server_port is the listener port.
proxy_set_header X-Forwarded-Port $remote_port;
limit_req zone=req50k burst=1000;
location / {
# NOTE(review): the scheme is http://, yet the upstream below points at 172.16.12.6:443.
# TLS ends at this proxy and the hop to the backend is cleartext (or fails outright if the
# backend expects TLS on 443). Use https:// with certificate verification if the backend
# hop must be protected.
proxy_pass http://rp_10_65_32_23_443;
}
}
# Backend pool for the 443 listener: a single server.
upstream rp_10_65_32_23_443 {
# NOTE(review): type=http sends the probe below as cleartext HTTP, but the only server listens
# on port 443; confirm the backend really speaks plain HTTP on that port.
# default_down=false treats the server as up until checks fail.
check type=http default_down=false timeout=4000 rise=5 fall=4 interval=5000;
check_http_send “HEAD / HTTP/1.0\r\nHOST:10.65.32.23\r\n\r\n”;
server 172.16.12.6:443 weight=20;
}
}
|
nginx配置解析过程ngx_init_cycle函数,资源初始化的入口:
/*
 * ngx_init_cycle() -- excerpt; every "…" line marks code the article leaves out.
 *
 * Steps visible here:
 *   1. each core module's create_conf hook builds its configuration structure;
 *   2. the command-line parameters and then the configuration file are parsed;
 *   3. each core module's init_conf hook runs on the parsed configuration.
 * Every failure path shown releases the pool(s) and returns NULL.
 */
ngx_cycle_t *ngx_init_cycle(ngx_cycle_t *old_cycle)
{
…
// Create the configuration structure of every core module.
for (i = 0; ngx_modules[i]; i++) {
if (ngx_modules[i]->type != NGX_CORE_MODULE) {
continue;
}
module = ngx_modules[i]->ctx;
if (module->create_conf) {
rv = module->create_conf(cycle);
if (rv == NULL) {
// Allocation/creation failed: drop the pool and abort.
ngx_destroy_pool(pool);
return NULL;
}
// Store the structure in the slot selected by the module's index.
cycle->conf_ctx[ngx_modules[i]->index] = rv;
}
}
…
// Set up the parser state: start with core modules and main-level directives.
conf.ctx = cycle->conf_ctx;
conf.cycle = cycle;
conf.pool = pool;
conf.log = log;
conf.module_type = NGX_CORE_MODULE;
conf.cmd_type = NGX_MAIN_CONF;
#if (NGX_SSL && NGX_SSL_ASYNC)
conf.no_ssl_init = cycle->no_ssl_init;
#endif
// Disabled debugging aid: would switch the log to full debug output.
#if 0
log->log_level = NGX_LOG_DEBUG_ALL;
#endif
// Parse the parameters supplied on the command line.
if (ngx_conf_param(&conf) != NGX_CONF_OK) {
// senv is presumably the environ value saved earlier; the save is outside this excerpt.
environ = senv;
ngx_destroy_cycle_pools(&conf);
return NULL;
}
// Parse the configuration file.
if (ngx_conf_parse(&conf, &cycle->conf_file) != NGX_CONF_OK) {
environ = senv;
ngx_destroy_cycle_pools(&conf);
return NULL;
}
…
// Let every core module finish (init) its configuration after parsing.
for (i = 0; ngx_modules[i]; i++) {
if (ngx_modules[i]->type != NGX_CORE_MODULE) {
continue;
}
module = ngx_modules[i]->ctx;
if (module->init_conf) {
if (module->init_conf(cycle, cycle->conf_ctx[ngx_modules[i]->index])
== NGX_CONF_ERROR)
{
environ = senv;
ngx_destroy_cycle_pools(&conf);
return NULL;
}
}
}
…
}
|
ngx_conf_parse和ngx_conf_handler函数分析:
// ngx_conf_parse() -- token loop (excerpt; "…" marks omitted code).
// The string literals below carry typographic quotes from the page's rendering;
// the real source uses plain ASCII double quotes.
…
// Read one token group at a time and act on how it was terminated.
for ( ;; ) {
rc = ngx_conf_read_token(cf);
/*
* ngx_conf_read_token() may return
*
* NGX_ERROR there is error
* NGX_OK the token terminated by “;” was found
* NGX_CONF_BLOCK_START the token terminated by “{” was found
* NGX_CONF_BLOCK_DONE the “}” was found
* NGX_CONF_FILE_DONE the configuration file is done
*/
// Tokenizer error: leave the loop via the done label (label body not shown here).
if (rc == NGX_ERROR) {
goto done;
}
// A closing brace is valid only while a block is being parsed.
if (rc == NGX_CONF_BLOCK_DONE) {
if (type != parse_block) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, “unexpected \”}\””);
goto failed;
}
goto done;
}
// End of file inside a block means a closing brace is missing.
if (rc == NGX_CONF_FILE_DONE) {
if (type == parse_block) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
“unexpected end of file, expecting \”}\””);
goto failed;
}
goto done;
}
// Parameters given with -g may hold simple directives only, never a block.
if (rc == NGX_CONF_BLOCK_START) {
if (type == parse_param) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
“block directives are not supported “
“in -g option”);
goto failed;
}
}
// Run the directive's callback (looked up and invoked by ngx_conf_handler).
rc = ngx_conf_handler(cf, rc);
if (rc == NGX_ERROR) {
goto failed;
}
…
// ngx_conf_handler() -- excerpt: locate the configuration structure for the matched
// directive, then call the directive's set callback.
// The lookup of cmd and the initial value of conf are outside this excerpt.
if (cmd->type & NGX_DIRECT_CONF) {
// The module's slot in cf->ctx already holds the structure: pass it directly.
conf = ((void **) cf->ctx)[ngx_modules[i]->index];
} else if (cmd->type & NGX_MAIN_CONF) {
// Pass the address of the slot itself, so the callback can store a pointer into it.
conf = &(((void **) cf->ctx)[ngx_modules[i]->index]);
} else if (cf->ctx) {
// cmd->conf is used as a byte offset into the context to pick one pointer array,
// which is then indexed by the module's ctx_index.
confp = *(void **) ((char *) cf->ctx + cmd->conf);
if (confp) {
conf = confp[ngx_modules[i]->ctx_index];
}
}
rv = cmd->set(cf, cmd, conf);
// Map the callback result onto the parser's return codes.
if (rv == NGX_CONF_OK) {
return NGX_OK;
}
if (rv == NGX_CONF_ERROR) {
return NGX_ERROR;
}
// Any other value is used as an error-message string and logged with the directive name.
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
“\”%s\” directive %s”, name->data, rv);
…
|
http core module函数分析:
…
// Excerpt of the handler for the http{} block; "…" marks omitted code. The page does not
// name the function -- it appears to be nginx's ngx_http_block(); confirm against the source.
//
// Create the main, server and location configuration structures of every HTTP module.
for (m = 0; ngx_modules[m]; m++) {
if (ngx_modules[m]->type != NGX_HTTP_MODULE) {
continue;
}
module = ngx_modules[m]->ctx;
// ctx_index selects this module's slot in each of the three arrays.
mi = ngx_modules[m]->ctx_index;
if (module->create_main_conf) {
ctx->main_conf[mi] = module->create_main_conf(cf);
if (ctx->main_conf[mi] == NULL) {
return NGX_CONF_ERROR;
}
}
if (module->create_srv_conf) {
ctx->srv_conf[mi] = module->create_srv_conf(cf);
if (ctx->srv_conf[mi] == NULL) {
return NGX_CONF_ERROR;
}
}
if (module->create_loc_conf) {
ctx->loc_conf[mi] = module->create_loc_conf(cf);
if (ctx->loc_conf[mi] == NULL) {
return NGX_CONF_ERROR;
}
}
}
// Keep a copy of the parser state, then point the parser at the new HTTP context.
// Where pcf is restored is outside this excerpt.
pcf = *cf;
cf->ctx = ctx;
/* init input body filter pointer */
ngx_http_top_input_body_filter = ngx_http_dummy_input_body_filter;
// Run every HTTP module's preconfiguration hook before any http{} directive is parsed.
for (m = 0; ngx_modules[m]; m++) {
if (ngx_modules[m]->type != NGX_HTTP_MODULE) {
continue;
}
module = ngx_modules[m]->ctx;
if (module->preconfiguration) {
if (module->preconfiguration(cf) != NGX_OK) {
return NGX_CONF_ERROR;
}
}
}
/* parse inside the http{} block */
cf->module_type = NGX_HTTP_MODULE;
cf->cmd_type = NGX_HTTP_MAIN_CONF;
// NULL file name: parsing continues in the current file, inside the block.
rv = ngx_conf_parse(cf, NULL);
if (rv != NGX_CONF_OK) {
goto failed;
}
/*
* init http{} main_conf’s, merge the server{}s’ srv_conf’s
* and its location{}s’ loc_conf’s
*/
cmcf = ctx->main_conf[ngx_http_core_module.ctx_index];
cscfp = cmcf->servers.elts;
// Run each module's init_main_conf, then merge its settings down into the servers.
for (m = 0; ngx_modules[m]; m++) {
if (ngx_modules[m]->type != NGX_HTTP_MODULE) {
continue;
}
module = ngx_modules[m]->ctx;
mi = ngx_modules[m]->ctx_index;
/* init http{} main_conf’s */
if (module->init_main_conf) {
rv = module->init_main_conf(cf, ctx->main_conf[mi]);
if (rv != NGX_CONF_OK) {
goto failed;
}
}
rv = ngx_http_merge_servers(cf, cmcf, module, mi);
if (rv != NGX_CONF_OK) {
goto failed;
}
}
/* create location trees */
// Build the location lookup tree (described on this page as a binary tree) for each server.
for (s = 0; s < cmcf->servers.nelts; s++) {
clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
if (ngx_http_init_locations(cf, cscfp[s], clcf) != NGX_OK) {
return NGX_CONF_ERROR;
}
if (ngx_http_init_static_location_trees(cf, clcf) != NGX_OK) {
return NGX_CONF_ERROR;
}
}
…
// Run every HTTP module's postconfiguration hook once parsing and merging are done.
for (m = 0; ngx_modules[m]; m++) {
if (ngx_modules[m]->type != NGX_HTTP_MODULE) {
continue;
}
module = ngx_modules[m]->ctx;
if (module->postconfiguration) {
if (module->postconfiguration(cf) != NGX_OK) {
return NGX_CONF_ERROR;
}
}
}
// Initialise the HTTP variables after the postconfiguration hooks have run.
if (ngx_http_variables_init_vars(cf) != NGX_OK) {
return NGX_CONF_ERROR;
}
…
|
ngx_http_core_server函数分析:
…
// ngx_http_core_server() excerpt: on a server{} block, every HTTP module gets a new
// server-level and location-level configuration structure for that server.
for (i = 0; ngx_modules[i]; i++) {
if (ngx_modules[i]->type != NGX_HTTP_MODULE) {
continue;
}
module = ngx_modules[i]->ctx;
if (module->create_srv_conf) {
mconf = module->create_srv_conf(cf);
if (mconf == NULL) {
return NGX_CONF_ERROR;
}
ctx->srv_conf[ngx_modules[i]->ctx_index] = mconf;
}
if (module->create_loc_conf) {
mconf = module->create_loc_conf(cf);
if (mconf == NULL) {
return NGX_CONF_ERROR;
}
ctx->loc_conf[ngx_modules[i]->ctx_index] = mconf;
}
}
…
/* parse inside server{} */
// Save the parser state, parse the block's directives at server level with the new
// context, then restore the saved state whatever the result in rv.
pcf = *cf;
cf->ctx = ctx;
cf->cmd_type = NGX_HTTP_SRV_CONF;
rv = ngx_conf_parse(cf, NULL);
*cf = pcf;
…
|
ngx_http_core_location函数分析:
…
// ngx_http_core_location() excerpt: on a location{} block, every HTTP module that has a
// create_loc_conf hook gets a new location-level configuration structure.
for (i = 0; ngx_modules[i]; i++) {
if (ngx_modules[i]->type != NGX_HTTP_MODULE) {
continue;
}
module = ngx_modules[i]->ctx;
if (module->create_loc_conf) {
// The structure goes into the slot selected by the module's ctx_index.
ctx->loc_conf[ngx_modules[i]->ctx_index] =
module->create_loc_conf(cf);
if (ctx->loc_conf[ngx_modules[i]->ctx_index] == NULL) {
return NGX_CONF_ERROR;
}
}
}
…
|
来源:freebuf.com 2020-12-12 17:21:47 by: stan1y
© 版权声明
文章版权归作者所有,未经允许请勿转载。