基于Tengine的反向代理详细配置

454次阅读

没有评论

共计 20025 个字符，预计需要花费 51 分钟才能阅读完成。

系统环境：

SUSE Linux Enterprise Server 10 SP1 (x86_64)

注：所有软件包都放置在 /data/software 目录下

nginx_tcp_proxy_module：

https://github.com/yaoweibin/nginx_tcp_proxy_module

nginx-hmux-module：

https://github.com/wangbin579/nginx-hmux-module

ngx_cache_purge：

http://labs.frickle.com/files/

#———————————————————————————————————————————————

1、内存管理库

# tar -zxvf libunwind-1.0.1.tar.gz

# cd libunwind-1.0.1

# LAGS=-fPIC ./configure –prefix=/usr/local

# make LAGS=-fPIC

# make LAGS=-fPIC install

# tar -zxvf gperftools-2.0.tar.gz

# cd gperftools-2.0

# ./configure –prefix=/usr/local

# make && make install

#———————————————————————————————————————————————

2、正则库

# tar -xvzf pcre-8.32.tar.gz

# cd pcre-8.32

# LAGS=-fPIC ./configure –prefix=/usr/local

# make LAGS=-fPIC

# make LAGS=-fPIC install

#———————————————————————————————————————————————

3、OpenSSL 库

# tar xvzf openssl-1.0.1g.tar.gz

# cd openssl-1.0.1g

# ./config shared –prefix=/usr/local

# make && make install

#———————————————————————————————————————————————

4、IP 地理位置定位组件

# tar xvzf GeoIP-latest.tar.gz

# cd GeoIP-1.5.0

# ./configure –prefix=/usr/local

# make && make install

#———————————————————————————————————————————————

5、相关目录创建

# mkdir -p /data/nginx_temp/{nginx_client,nginx_proxy,nginx_fastcgi,nginx_temp,nginx_cache}

# mkdir -p /data/logs/{nginx,web} /data/web/{data,conf}

#———————————————————————————————————————————————

6、Tengine 编译安装

# tar xvzf nginx-hmux-module-1.3.tar.gz

# tar xvzf nginx_tcp_proxy_module-0.4.5.tar.gz

# tar xvzf tengine-1.5.2.tar.gz

# cd tengine-1.5.2

# patch -p1 < ../nginx_tcp_proxy_module-0.4.5/tcp.patch

# ./configure –prefix=/usr/local/nginx \

–lock-path=/var/lock/nginx.lock \

–pid-path=/var/run/nginx.pid \

–error-log-path=/data/logs/nginx/error.log \

–http-log-path=/data/logs/nginx/access.log \

–user=nobody \

–group=nogroup \

–with-pcre=../pcre-8.32 \

–with-pcre-opt=-fPIC \

–with-openssl=../openssl-1.0.1g \

–with-openssl-opt=-fPIC \

–with-backtrace_module \

–with-http_stub_status_module \

–with-http_gzip_static_module \

–with-http_realip_module \

–with-http_concat_module=shared \

–with-http_sysguard_module=shared \

–with-http_limit_conn_module=shared \

–with-http_limit_req_module=shared \

–with-http_split_clients_module=shared \

–with-http_footer_filter_module=shared \

–with-http_geoip_module=shared \

–with-http_sub_module=shared \

–with-http_access_module=shared \

–with-http_upstream_ip_hash_module=shared \

–with-http_upstream_least_conn_module=shared \

–with-http_referer_module=shared \

–with-http_rewrite_module=shared \

–with-http_memcached_module=shared \

–with-http_upstream_session_sticky_module=shared \

–with-http_addition_module=shared \

–with-http_xslt_module=shared \

–with-http_image_filter_module=shared \

–with-http_user_agent_module=shared \

–with-http_empty_gif_module=shared \

–with-http_browser_module=shared \

–with-google_perftools_module \

–with-http_map_module=shared \

–with-http_userid_filter_module=shared \

–with-http_charset_filter_module=shared \

–with-http_trim_filter_module=shared \

–with-http_lua_module=shared \

–without-http_fastcgi_module \

–without-http_uwsgi_module \

–without-http_scgi_module \

–without-select_module \

–without-poll_module \

–add-module=../nginx-hmux-module-1.3 \

–add-module=../nginx_tcp_proxy_module-0.4.5 \

–with-ld-opt=’-ltcmalloc_minimal’ \

–http-client-body-temp-path=/data/nginx_temp/nginx_client \

–http-proxy-temp-path=/data/nginx_temp/nginx_proxy \

–http-fastcgi-temp-path=/data/nginx_temp/nginx_fastcgi

# make && make install

#———————————————————————————————————————————————

7、Tengine 缓存刷新模块

# cd /data/software

# tar xvzf ngx_cache_purge-2.0.tar.gz

# ./dso_tool –add-module=/data/software/ngx_cache_purge-2.0

#———————————————————————————————————————————————

8、Tengine 配置

# rm -f /usr/local/nginx/html/*.html

# rm -f /usr/local/nginx/conf/*.default

# mkdir /usr/local/nginx/conf/SET

# vim /usr/local/nginx/conf/nginx.conf

user nobody nogroup;

worker_processes auto;

worker_cpu_affinity auto;

error_log /data/logs/nginx/error.log crit;

pid /var/run/nginx.pid;

google_perftools_profiles /var/tmp/tcmalloc;

worker_rlimit_nofile 65535;

dso {

load ngx_http_rewrite_module.so;

load ngx_http_access_module.so;

load ngx_http_concat_module.so;

load ngx_http_limit_conn_module.so;

load ngx_http_limit_req_module.so;

load ngx_http_sysguard_module.so;

load ngx_http_upstream_session_sticky_module.so;

load ngx_http_cache_purge_module.so;

load ngx_http_trim_filter_module.so;

}

events {

use epoll;

worker_connections 10240;

}

http {

server_tokens off;

server_tag off;

autoindex off;

access_log off;

include mime.types;

default_type application/octet-stream;

server_names_hash_bucket_size 128;

client_header_buffer_size 32k;

large_client_header_buffers 4 32k;

client_max_body_size 10m;

client_body_buffer_size 256k;

sendfile on;

tcp_nopush on;

keepalive_timeout 60;

tcp_nodelay on;

gzip on;

gzip_min_length 1k;

gzip_buffers 4 16k;

gzip_http_version 1.0;

gzip_comp_level 2;

gzip_types text/plain application/x-javascript text/css application/xml;

gzip_vary on;

proxy_connect_timeout 600;

proxy_read_timeout 600;

proxy_send_timeout 600;

proxy_buffer_size 128k;

proxy_buffers 4 128k;

proxy_busy_buffers_size 256k;

proxy_temp_file_write_size 256k;

proxy_headers_hash_max_size 1024;

proxy_headers_hash_bucket_size 128;

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_temp_path /data/nginx_temp/nginx_temp;

proxy_cache_path /data/nginx_temp/nginx_cache levels=1:2 keys_zone=cache_one:2048m inactive=30m max_size=60g;

# backend web server address pool

include SET/*.conf;

log_format access ‘$remote_addr – $remote_user [$time_local] “$request”‘

‘$status $body_bytes_sent “$http_referer”‘

‘”$http_user_agent” $http_x_forwarded_for’;

# system resource overload protect

server {

sysguard on;

sysguard_load load=10.5 action=/loadlimit;

sysguard_mem swapratio=20% action=/swaplimit;

sysguard_mem free=100M action=/freelimit;

location /loadlimit {

return 503;

}

location /swaplimit {

return 503;

}

location /freelimit {

return 503;

}

# refuse request server by ipaddr

server {

server_name _;

return 404;

}

# web page cache and proxy setting

include /data/web/conf/*.conf;

}

# vim /usr/local/nginx/conf/SET/NORTH1.conf

upstream NORTH1_SERVER_PROXY {

consistent_hash $request_uri;

server 192.168.1.101:80 weight=1;

server 192.168.1.102:80 weight=1;

server 192.168.1.103:80 weight=1;

server 192.168.1.104:80 weight=1;

session_sticky;

check interval=3000 rise=2 fall=5 timeout=1000 type=http;

check_http_send “GET / HTTP/1.0\r\n\r\n”;

check_http_expect_alive http_2xx http_3xx;

}

# mkdir -p /data/logs/web/test.qq.com

# vim /data/web/conf/test.qq.com.conf

server {

listen 80;

server_name test.qq.com;

index index.html index.htm index.php;

root /data/nginx_temp/nginx_cache;

access_log on;

trim on;

trim_jscss on;

location / {

proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;

proxy_pass http://NORTH1_SERVER_PROXY;

#存在静态首页时，才需添加此规则

if (-d $request_filename) {

rewrite ^/(.*)$ http://$host/index.html break;

}

location ~ .*\. (php)?$ {

proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;

proxy_pass http://NORTH1_SERVER_PROXY;

}

location ~ /purge(/.*) {

allow 127.0.0.1;

allow 192.168.1.0/24;

deny all;

proxy_cache_purge cache_one $host$1$is_args$args;

}

location ~ .*\.(htm|html|js|css|gif|jpg|jpeg|png|bmp|ico|swf|flv)$ {

proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;

proxy_cache cache_one;

proxy_cache_valid 200 304 15m;

proxy_cache_valid 301 302 10m;

proxy_cache_valid any 1m;

proxy_cache_key $host$uri$is_args$args;

add_header Ten-webcache ‘$upstream_cache_status from $host’;

proxy_pass http://NORTH1_SERVER_PROXY;

expires 30m;

}

location ~ /\.ht {

deny all;

}

access_log /data/logs/web/test.qq.com/access.log access;

}

#———————————————————————————————————————————————

9、Tengine 启动脚本

# vim /etc/init.d/nginx

#!/bin/sh

#

# nginx – this script start and stop the nginx daemon

#

# chkconfig: 2345 55 25

# description: Startup script for nginx

# processname: nginx

# config: /usr/local/nginx/conf/nginx.conf

# pidfile: /var/run/nginx.pid

#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/local/nginx/sbin/nginx

CONFIGFILE=/usr/local/nginx/conf/nginx.conf

PIDFILE=/var/run/nginx.pid

SCRIPTNAME=/etc/init.d/nginx

LOCKFILE=/var/lock/nginx.lock

set -e

[-x “$DAEMON”] || exit 0

start() {

echo “Startting Nginx……”

[-x $DAEMON] || exit 5

[-f $CONFIGFILE] || exit 6

$DAEMON -c $CONFIGFILE || echo -n “Nginx already running!”

[$? -eq 0] && touch $LOCKFILE

}

stop() {

echo “Stopping Nginx……”

MPID=`ps aux | grep nginx | awk ‘/master/{print $2}’`

if [“${MPID}X” != “X” ]; then

kill -QUIT $MPID

[$? -eq 0] && rm -f $LOCKFILE

else

echo “Nginx server is not running!”

fi

}

reload() {

echo “Reloading Nginx……”

MPID=`ps aux | grep nginx | awk ‘/master/{print $2}’`

if [“${MPID}X” != “X” ]; then

kill -HUP $MPID

else

echo “Nginx can’t reload!”

fi

}

case “$1” in

start)

start

;;

stop)

stop

;;

reload)

reload

;;

restart)

stop

sleep 1

start

;;

*)

echo “Usage: $SCRIPTNAME {start|stop|reload|restart}”

exit 3

;;

esac

exit 0

# chmod +x /etc/init.d/nginx

# chkconfig –add nginx

# service nginx start

#———————————————————————————————————————————————

10、Tengine 健康检测

# mkdir -p /data/web/data/mycheckweb.act.qq.com

# echo “OK” > /data/web/data/mycheckweb.act.qq.com/index.html

# echo “ 你的内网 IP mycheckweb.act.qq.com” >> /etc/hosts

# touch /var/lock/check_web.lock

#vim /data/web/conf/checkweb_for_nginx.conf

server {

listen 80;

server_name mycheckweb.act.qq.com;

access_log off;

location / {

root /data/web/data/mycheckweb.act.qq.com;

index index.html;

}

location ~ health_status {

check_status;

allow 127.0.0.1;

allow 192.168.1.0/24;

deny all;

}

# vim /usr/local/nginx/sbin/check_web.sh

#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

retval=`ping -c 3 mycheckweb.act.qq.com | awk ‘/received/ {print $4}’`

[[${retval} -eq 0 ]] && exit 1

retval=`curl -I -s “http://mycheckweb.act.qq.com” | grep “200 OK”`

if [[“${retval}x” = “x” ]]; then

[[-e /usr/local/nginx]] && /sbin/service nginx restart >/dev/null 2>&1

fi

#chmod +x /usr/local/nginx/sbin/check_web.sh

# crontab -e

*/5 * * * * (flock –timeout=0 /var/lock/check_web.lock /usr/local/nginx/sbin/check_web.sh >/dev/null 2>&1)

#———————————————————————————————————————————————

11、Tengine 访问日志切割与清理

# vim /usr/local/nginx/sbin/cut_nginx_log.sh

#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

## the nginx access logs base path

WEBLOG_PATH=”/data/logs/web”

retval=`ps aux | grep ngin[x] | wc -l`

if [${retval} -eq 0 ]; then

echo “The daemon process for nginx has no found.”

exit 1

fi

## avoid errors for USR1 signal, and modify 750 privilege

chown -R nobody:nogroup /data/logs/{nginx,web}

chmod -R 750 /data/logs/{nginx,web}

## cut nginx access logs

for LOGFILE in `find ${WEBLOG_PATH} -type f -name access.log`

do

LOGPATH=`dirname ${LOGFILE}`

mv ${LOGPATH}/access.log ${LOGPATH}/access_$(date -d “yesterday” +”%Y-%m-%d”).log

done

kill -USR1 `ps aux | grep nginx | awk ‘/master/{print $2}’`

## and then modify original privileges

chown -R nobody:nogroup /data/logs/{nginx,web}

chmod -R 640 /data/logs/{nginx,web}

## clear 10 days ago’s nginx access logs

LOGFILE=access_$(date -d “10 days ago” +”%Y-%m-%d”).log

find ${WEBLOG_PATH} -type f -name ${LOGFILE} -exec rm -f {} \;

# crontab -e

00 00 * * * /bin/bash /usr/local/nginx/sbin/cut_nginx_log.sh >/dev/null 2>&1

#———————————————————————————————————————————————

12、系统优化

## 网络参数设置

# vim /etc/sysctl.conf

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_time = 1200

net.ipv4.ip_local_port_range = 1024 65000

net.ipv4.tcp_max_syn_backlog = 8192

net.ipv4.tcp_max_tw_buckets = 80000

net.core.somaxconn = 32768

net.ipv4.tcp_keepalive_probes = 5

net.ipv4.tcp_keepalive_intvl = 20

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.ipv4.tcp_rmem = 4096 87380 16777216

net.ipv4.tcp_wmem = 4096 65536 16777216

net.core.netdev_max_backlog = 32768

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_retries2 = 5

net.ipv4.tcp_mem = 41943040 73400320 94371840

net.ipv4.tcp_max_orphans = 3276800

fs.file-max = 1300000

# sysctl -p

## 文件描述符设置

# echo “ulimit -SHn 65535” >> /etc/profile

# source /etc/profile

#———————————————————————————————————————————————

13、测试

本地 HOSTS 绑定访问

http://mycheckweb.act.qq.com/health_status

相关阅读 ：

CentOS 6.4 制作 Tengine 的 rpm 包 http://www.linuxidc.com/Linux/2013-12/93786.htm

Tengine 动态开启模块试用 http://www.linuxidc.com/Linux/2012-12/75849.htm

CentOS 6.3 用 ICC 编译 PHP5.4.8+Percona5.5.27+Tengine1.4.1 http://www.linuxidc.com/Linux/2012-12/76636.htm

基于淘宝 Tengine 和 Scribe 的 WEB 日志收集方案 http://www.linuxidc.com/Linux/2012-02/52997.htm

基于 Tengine 部署 LNMP 环境 http://www.linuxidc.com/Linux/2014-01/95148.htm

Tengine 的详细介绍 ：请点这里
Tengine 的下载地址 ：请点这里

本文永久更新链接地址 ：http://www.linuxidc.com/Linux/2015-09/123058.htm

正文完

星哥玩云-微信公众号

发表至：服务器应用

2022年1月21日

0

转载说明：除特殊说明外本站文章皆由CC-4.0协议发布，转载请注明出处。

Linux下NFS搭建步骤

LAMP架构验证码出不来解决方法

.NET Core1.1+VS2017RC+MySQL+EF搭建多层Web应用程序

Zabbix监控入门知识

LVS负载均衡之LVS-DR搭建Web群集与LVS结合Keepalived搭建高可用Web群集

CentOS 7 中安装、配置和安全加固 FTP 服务指南

怎样在废旧的硬件上安装 Xen 虚拟机监视器

Docker安装Hadoop集群

CentOS6 32位安装Ghost

基于Tengine的反向代理详细配置

星哥带你玩飞牛NAS-6：抖音视频同步工具，视频下载自动下载保存

星哥带你玩飞牛NAS-3：安装飞牛NAS后的很有必要的操作

我把用了20年的360安全卫士卸载了

再见zabbix！轻量级自建服务器监控神器在Linux 的完整部署指南

飞牛NAS中安装Navidrome音乐文件中文标签乱码问题解决、安装FntermX终端

如何安装2026年最强个人助理ClawdBot、完整安装教程

300元就能买到的”小钢炮”？惠普7L四盘位小主机解析

星哥带你玩飞牛 NAS-10：备份微信聊天记录、数据到你的NAS中!

终于收到了以女儿为原型打印的3D玩偶了

星哥带你玩飞牛NAS硬件02：某鱼6张左右就可拿下5盘位的飞牛圣体NAS

免费图片视频管理工具让灵感库告别混乱

恶意团伙利用 PHP-FPM 未授权访问漏洞发起大规模攻击

自己手撸一个AI智能体—跟创业大佬对话

星哥带你玩飞牛NAS-16：不再错过公众号更新，飞牛NAS搭建RSS

零成本上线！用 Hugging Face免费服务器+Docker 快速部署HertzBeat 监控平台

240 元左右！五盘位 NAS主机，7 代U硬解4K稳如狗，拓展性碾压同价位

星哥玩云

星哥带你玩飞牛NAS-6：抖音视频同步工具，视频下载自动下载保存

星哥带你玩飞牛NAS-3：安装飞牛NAS后的很有必要的操作

我把用了20年的360安全卫士卸载了

再见zabbix！轻量级自建服务器监控神器在Linux 的完整部署指南

飞牛NAS中安装Navidrome音乐文件中文标签乱码问题解决、安装FntermX终端

一句话生成拓扑图！AI+Draw.io 封神开源组合，工具让你的效率爆炸

在Windows系统中通过VMware安装苹果macOS15

150元打造低成本NAS小钢炮，捡一块3865U工控板

300元就能买到的”小钢炮”？惠普7L四盘位小主机解析

星哥带你玩飞牛NAS-12：开源笔记的进化之路，效率玩家的新选择

免费图片视频管理工具让灵感库告别混乱

Prometheus：监控系统的部署与指标收集

仅2MB大小！开源硬件监控工具：Win11 无缝适配，CPU、GPU、网速全维度掌控

零成本上线！用 Hugging Face免费服务器+Docker 快速部署HertzBeat 监控平台

国产开源公众号AI知识库 Agent：突破未认证号限制，一键搞定自动回复，重构运营效率

颠覆 AI 开发效率！开源工具一站式管控 30+大模型ApiKey，秘钥付费+负载均衡全搞定