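Nginx modules

Module categories

  1. Official modules
  2. Third-party modules

Compiled-in modules

The --with-* arguments mainly list the modules that were enabled.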

[root@instance-2 ~]# nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

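--with-http_stub_status_module

Reports Nginx's client connection status. The example below places no access restriction on /mystatus, so any client that can reach port 81 can read the counters; the IP-based rules under access control can be applied to this location.

Example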

root@R7000:/etc/nginx/conf.d# cat test.conf

server {
    listen 81 default_server;
    listen [::]:81 default_server;
    # listen 80;
    # listen [::]:83 ipv6only=on;
    server_name localhost;
    charset utf-8;
    client_max_body_size 75M;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    location /mystatus {
        stub_status; # enable the stub_status module
    }
}

root@R7000:/etc/nginx/conf.d# nginx -s reload # reload the configuration
root@R7000:/etc/nginx/conf.d# curl http://localhost:81/mystatus
Active connections: 2 # number of active connections
server accepts handled requests # accepted connections, handled connections, total requests
8 8 12
Reading: 0 Writing: 1 Waiting: 1 # current state: reading, writing, waiting (keep-alive)

--with-http_random_index_module

Picks a random file from the directory to serve as the index page.

root@R7000:/etc/nginx/conf.d# cat test.conf

server {
    listen 81 default_server;
    listen [::]:81 default_server;
    # listen 80;
    # listen [::]:83 ipv6only=on;
    server_name localhost;
    charset utf-8;
    client_max_body_size 75M;

    location / {
        root /usr/share/nginx/html; # document root
        random_index on;
        # index index.html index.htm;
    }
}

root@R7000:/usr/share/nginx/html# ll
total 20
drwxr-xr-x 2 root root 4096 2月 20 21:45 ./
drwxr-xr-x 4 root root 4096 2月 20 21:14 ../
-rw-r--r-- 1 root root 258 2月 20 21:43 index1.html
-rw-r--r-- 1 root root 258 2月 20 21:44 index2.html
-rw-r--r-- 1 root root 258 2月 20 21:45 index3.html

--with-http_sub_module

HTTP response content substitution

location / {
    root /opt/app/code;
    index index.html index.htm;
    sub_filter '<a>imooc' '<a>IMOOC';
    sub_filter_once off;
}

Connection and request limits

Connection limits

limit_conn_zone key zone=name:size

limit_conn zone number

Request limits

limit_req_zone key zone=name:size rate=rate

limit_req zone=name [burst=number] [nodelay]

# The two *_zone directives belong in the http context.
limit_conn_zone $binary_remote_addr zone=conn_zone:1m;
limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s;
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;

    location / {
        root /opt/app/code;
        limit_conn conn_zone 1;
        #limit_req zone=req_zone burst=3 nodelay;
        #limit_req zone=req_zone burst=3;
        #limit_req zone=req_zone;
        index index.html index.htm;
    }
}

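Access control

IP-based

http_access_module

Limitation: the user's real IP may not be obtainable.

x_forwarded_for=IP1,IP2…. IP1 is normally the user's IP, but it may have been tampered with.

Use the geo module, or pass the address through a custom HTTP variable.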

location ~ ^/admin.html {
    root /opt/app/code;
    allow 222.128.189.0/24;
    deny all;
    index index.html index.htm;
}
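
One way to apply the geo-module suggestion above to the /admin.html rule, as an added example that is not from the original page. It assumes Nginx sits behind reverse proxies in 10.0.0.0/8 (a constructed range) that append to X-Forwarded-For, and it introduces the hypothetical variable $admin_ok.

```nginx
# Added example, not from the original page. Assumptions: the reverse proxies /
# load balancers in front of Nginx live in 10.0.0.0/8 (constructed range), and
# $admin_ok is a hypothetical variable name.

# Weak pattern (do not use): matching on the raw header trusts IP1, which the
# client itself can set to any value.
#   map $http_x_forwarded_for $admin_ok { default 0; "~^222\.128\.189\." 1; }

# geo belongs in the http context. Without an explicit source variable it
# evaluates $remote_addr, i.e. the address of the TCP peer.
geo $admin_ok {
    default           0;
    proxy             10.0.0.0/8;  # only these peers may supply X-Forwarded-For
    proxy_recursive;               # use the last non-trusted address in the header
    222.128.189.0/24  1;           # same network as the allow rule above
}

server {
    listen 80;
    server_name localhost;

    location = /admin.html {
        root /opt/app/code;
        # Deny unless the resolved client address is in the permitted network.
        if ($admin_ok = 0) {
            return 403;
        }
    }
}
```

A request arriving directly from an untrusted peer is judged on its own address and its X-Forwarded-For header is ignored; a request relayed by a trusted proxy is judged on the right-most header address that is not itself a trusted proxy.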

User-based trusted login

http_auth_basic_module

Limitation: user information depends on a file, which is inefficient.

Use Lua

Use the nginx-auth-ldap module