学习笔记0518----nginx和php-fpm配置
nginx配置
预习笔记
12.17 Nginx负载均衡 12.18 ssl原理 12.19 生成ssl密钥对 12.20 Nginx配置ssl 12.21 php-fpm的pool 12.22 php-fpm慢执行日志 12.23 open_basedir 12.24 php-fpm进程管理
1. nginx负载均衡
负载均衡在服务端开发中算是一个比较重要的特性。因为Nginx除了作为常规的Web服务器外,还会被大规模的用于反向代理前端,因为Nginx的异步框架可以处理很大的并发请求,把这些并发请求hold住之后就可以分发给后台服务端(backend servers,也叫做服务池, 后面简称backend)来做复杂的计算、处理和响应,这种模式的好处是相当多的:隐藏业务主机更安全,节约了公网IP地址,并且在业务量增加的时候可以方便地扩容后台服务器。
1.1 创建一个nginx的负载均衡配置
[root@linux-02 ~]# cd /usr/local/nginx/conf/vhost/
[root@linux-02 vhost]# vim load.conf
upstream baidu //定义一个模块名
{
ip_hash; //负载均衡的一种算法
server 183.232.231.174:80; //如果是80端口,可以省略
server 183.232.231.172:80;
}
server
{
listen 80;
server_name www.baidu.com;
location /
{
proxy_pass http://baidu;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}1.2 安装bind-utils包
dig 命令可以查看到域名的详细解析。
[root@linux-02 test.com]# yum install -y bind-utils
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 6.9 kB 00:00:00
* base: mirrors.aliyun.com
* epel: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 3.4 kB 00:00:00
mariadb-main | 2.9 kB 00:00:00
mariadb-maxscale | 2.4 kB 00:00:00
mariadb-tools | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/5): mariadb-maxscale/7/x86_64/primary_db | 6.7 kB 00:00:02
(2/5): mariadb-main/7/x86_64/primary_db | 54 kB 00:00:03
(3/5): updates/7/x86_64/primary_db | 5.0 MB 00:00:04
(4/5): epel/x86_64/updateinfo | 1.0 MB 00:00:07
(5/5): epel/x86_64/primary_db | 6.7 MB 00:00:10
正在解决依赖关系
--> 正在检查事务
---> 软件包 bind-utils.x86_64.32.9.9.4-73.el7_6 将被 安装
--> 正在处理依赖关系 bind-libs = 32:9.9.4-73.el7_6,它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在处理依赖关系 liblwres.so.90()(64bit),它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在处理依赖关系 libisccfg.so.90()(64bit),它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在处理依赖关系 libisccc.so.90()(64bit),它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在处理依赖关系 libisc.so.95()(64bit),它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在处理依赖关系 libdns.so.100()(64bit),它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在处理依赖关系 libbind9.so.90()(64bit),它被软件包 32:bind-utils-9.9.4-73.el7_6.x86_64 需要
--> 正在检查事务
---> 软件包 bind-libs.x86_64.32.9.9.4-73.el7_6 将被 安装
--> 正在处理依赖关系 bind-license = 32:9.9.4-73.el7_6,它被软件包 32:bind-libs-9.9.4-73.el7_6.x86_64 需要
--> 正在检查事务
---> 软件包 bind-license.noarch.32.9.9.4-72.el7 将被 升级
--> 正在处理依赖关系 bind-license = 32:9.9.4-72.el7,它被软件包 32:bind-libs-lite-9.9.4-72.el7.x86_64 需要
---> 软件包 bind-license.noarch.32.9.9.4-73.el7_6 将被 更新
--> 正在检查事务
---> 软件包 bind-libs-lite.x86_64.32.9.9.4-72.el7 将被 升级
---> 软件包 bind-libs-lite.x86_64.32.9.9.4-73.el7_6 将被 更新
--> 解决依赖关系完成
依赖关系解决
=====================================================================================================================================
Package 架构 版本 源 大小
=====================================================================================================================================
正在安装:
bind-utils x86_64 32:9.9.4-73.el7_6 updates 206 k
为依赖而安装:
bind-libs x86_64 32:9.9.4-73.el7_6 updates 1.0 M
为依赖而更新:
bind-libs-lite x86_64 32:9.9.4-73.el7_6 updates 741 k
bind-license noarch 32:9.9.4-73.el7_6 updates 87 k
事务概要
=====================================================================================================================================
安装 1 软件包 (+1 依赖软件包)
升级 ( 2 依赖软件包)
总下载量:2.0 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/4): bind-libs-lite-9.9.4-73.el7_6.x86_64.rpm | 741 kB 00:00:00
(2/4): bind-libs-9.9.4-73.el7_6.x86_64.rpm | 1.0 MB 00:00:00
(3/4): bind-license-9.9.4-73.el7_6.noarch.rpm | 87 kB 00:00:00
(4/4): bind-utils-9.9.4-73.el7_6.x86_64.rpm | 206 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------
总计 2.7 MB/s | 2.0 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在更新 : 32:bind-license-9.9.4-73.el7_6.noarch 1/6
正在安装 : 32:bind-libs-9.9.4-73.el7_6.x86_64 2/6
正在安装 : 32:bind-utils-9.9.4-73.el7_6.x86_64 3/6
正在更新 : 32:bind-libs-lite-9.9.4-73.el7_6.x86_64 4/6
清理 : 32:bind-libs-lite-9.9.4-72.el7.x86_64 5/6
清理 : 32:bind-license-9.9.4-72.el7.noarch 6/6
验证中 : 32:bind-license-9.9.4-73.el7_6.noarch 1/6
验证中 : 32:bind-libs-9.9.4-73.el7_6.x86_64 2/6
验证中 : 32:bind-libs-lite-9.9.4-73.el7_6.x86_64 3/6
验证中 : 32:bind-utils-9.9.4-73.el7_6.x86_64 4/6
验证中 : 32:bind-license-9.9.4-72.el7.noarch 5/6
验证中 : 32:bind-libs-lite-9.9.4-72.el7.x86_64 6/6
已安装:
bind-utils.x86_64 32:9.9.4-73.el7_6
作为依赖被安装:
bind-libs.x86_64 32:9.9.4-73.el7_6
作为依赖被升级:
bind-libs-lite.x86_64 32:9.9.4-73.el7_6 bind-license.noarch 32:9.9.4-73.el7_6
完毕!
[root@linux-02 test.com]# 1.3 使用dig命令测试负载均衡
[root@linux-02 vhost]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61498
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 600 IN A 183.232.231.174
www.baidu.com. 600 IN A 183.232.231.172
;; Query time: 8 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: 六 5月 18 03:09:17 CST 2019
;; MSG SIZE rcvd: 74
[root@linux-02 vhost]# curl -x127.0.0.1:80 www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>使用百度前必读</a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a> 京ICP证030173号 <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
[root@linux-02 vhost]# 1.4 负载均衡扩展
Nginx负载均衡(工作在七层“应用层”)功能主要是通过upstream模块实现,Nginx负载均衡默认对后端服务器有健康检测的能力,仅限于端口检测,在后端服务器比较少的情况下负载均衡能力表现突出。 Nginx的几种负载均衡算法: 1、轮询(默认):每个请求按时间顺序逐一分配到不同的后端服务器,如果后端某台服务器宕机,则自动剔除故障机器,使用户访问不受影响。 2、weight:指定轮询权重,weight值越大,分配到的几率就越高,主要用于后端每台服务器性能不均衡的情况。 3、ip_hash:每个请求按访问IP的哈希结果分配,这样每个访客固定访问一个后端服务器,可以有效的解决动态网页存在的session共享问题。 4、fair(第三方):更智能的一个负载均衡算法,此算法可以根据页面大小和加载时间长短智能地进行负载均衡,也就是根据后端服务器的响应时间来分配请求,响应时间短的优先分配。如果想要使用此调度算法,需要Nginx的upstream_fair模块。 5、url_hash(第三方):按访问URL的哈希结果来分配请求,使每个URL定向到同一台后端服务器,可以进一步提高后端缓存服务器的效率。如果想要使用此调度算法,需要Nginx的hash软件包。 在upstream模块中,可以通过server命令指定后端服务器的IP地址和端口,同时还可以设置每台后端服务器在负载均衡调度中的状态,常用的状态有以下几种: 1、down:表示当前server暂时不参与负载均衡。 2、backup:预留的备份机,当其他所有非backup机器出现故障或者繁忙的时候,才会请求backup机器,这台机器的访问压力最轻。 3、max_fails:允许请求的失败次数,默认为1,配合fail_timeout一起使用 4、fail_timeout:经历max_fails次失败后,暂停服务的时间,默认为10s(某个server连接失败了max_fails次,则nginx会认为该server不工作了。同时,在接下来的 fail_timeout时间内,nginx不再将请求分发给失效的server。) 一个负载均衡器的名称为whsirserver,这个名称可以自己定义,在后面proxy_pass直接调用即可。 proxy_next_upstream参数用来定义故障转移策略,当后端服务器节点返回500、502和执行超时等错误时,自动将请求转发到upstream负载均衡器中的另一台服务器,实现故障转移。
2. 配置ssl证书
2.1 ssl原理
1)浏览器发送一个https的请求给服务器; 2)服务器要有一套数字证书,可以自己制作,也可以向组织申请,区别就是自己颁发的证书需要客户端验证通过,才可以继续访问,而使用受信任的公司申请的证书则不会弹出>提示页面,这套证书其实就是一对公钥和私钥; 3)服务器会把公钥传输给客户端; 4)客户端(浏览器)收到公钥后,会验证其是否合法有效,无效会有警告提醒,有效则会生成一串随机数,并用收到的公钥加密; 5)客户端把加密后的随机字符串传输给服务器; 6)服务器收到加密随机字符串后,先用私钥解密(公钥加密,私钥解密),获取到这一串随机数后,再用这串随机字符串加密传输的数据(该加密为对称加密,所谓对称加密,就是将数据和私钥也就是这个随机字符串>通过某种算法混合在一起,这样除非知道私钥,否则无法获取数据内容); 7)服务器把加密后的数据传输给客户端; 8)客户端收到数据后,再用自己的私钥也就是那个随机字符串解密;
在这里插入图片描述
2.2 服务端配置ssl证书
2.2.1 生成私钥文件
[root@linux-02 conf]# openssl genrsa -des3 -out test.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for test.key: //需要设置私钥的密码
Verifying - Enter pass phrase for test.key:
[root@linux-02 conf]# ls
fastcgi.conf htpasswd mime.types.default scgi_params uwsgi_params.default
fastcgi.conf.default koi-utf nginx.conf scgi_params.default vhost
fastcgi_params koi-win nginx.conf.bak test.key win-utf
fastcgi_params.default mime.types nginx.conf.default uwsgi_params2.2.2 转换key,取消密码
[root@linux-02 conf]# openssl rsa -in test.key -out xhjlinux.key
Enter pass phrase for test.key: //输入刚才生成私钥设置的密码
writing RSA key
[root@linux-02 conf]# 2.2.3 生成证书的请求文件
[root@linux-02 conf]# openssl req -new -key xhjlinux.key -out xhjlinux.csr //生成证书的请求文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: //定义国家名,2字母代码
State or Province Name (full name) []: //州或省名
Locality Name (eg, city) [Default City]: //本地名
Organization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []: //组织或者公司名称
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: //可选的公司名称
[root@linux-02 conf]# 2.2.4 生成公钥文件
[root@linux-02 conf]# openssl x509 -req -days 365 -in xhjlinux.csr -signkey xhjlinux.key -out xhjlinux.crt
Signature ok
subject=/C=11/ST=zhejiang/L=hangzhou/O=no
Getting Private key
[root@linux-02 conf]# 2.3 Nginx配置ssl
2.3.1 添加ssl配置文件
[root@linux-02 conf]# cd vhost/
[root@linux-02 vhost]# vim ssl.conf
server
{
listen 443;
server_name xihaji.com;
index index.html index.php;
root /data/wwwroot/xihaji.com;
ssl on;
ssl_certificate xhjlinux.crt;
ssl_certificate_key xhjlinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}2.3.2 检查配置文件是否正确
编辑完ssl配置文件,此时检查语法,发现当前Nginx并不支持SSL,因为当时辑Nginx编译时并没有配置支持SSL的参数;
[root@linux-02 vhost]# ../../sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@linux-02 vhost]# 2.3.3 查找nginx的ssl模块
[root@linux-02 vhost]# cd ../../../src/nginx-1.16.0/
[root@linux-02 nginx-1.16.0]# ./con
conf/ configure contrib/
[root@linux-02 nginx-1.16.0]# ./con
conf/ configure contrib/
[root@linux-02 nginx-1.16.0]# ./configure --help |grep ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL2.3.4 重新编译安装nginx
[root@linux-02 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
checking for OS
+ Linux 3.10.0-957.el7.x86_64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for prctl(PR_SET_KEEPCAPS) ... found
checking for capabilities ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for nobody group ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for sched_setaffinity() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... not found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for eventfd() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for clock_gettime(CLOCK_MONOTONIC) ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
checking for PCRE library ... found
checking for PCRE JIT support ... found
checking for OpenSSL library ... found
checking for zlib library ... found
creating objs/Makefile
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
[root@linux-02 nginx-1.16.0]# make && make install2.3.5 重新启动nginx
[root@linux-02 nginx-1.16.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@linux-02 nginx-1.16.0]# ps aux |grep nginx
root 11953 0.0 0.0 46064 1252 ? Ss 22:49 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody 11954 0.0 0.2 48600 4144 ? S 22:49 0:00 nginx: worker process
nobody 11955 0.0 0.2 48600 4144 ? S 22:49 0:00 nginx: worker process
root 11958 0.0 0.0 112724 988 pts/0 S+ 22:49 0:00 grep --color=auto nginx
[root@linux-02 nginx-1.16.0]# /usr/local/nginx/sbin/nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 nginx-1.16.0]#
[root@linux-02 xihaji.com]# netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11953/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6920/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7385/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 11953/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 7255/mysqld
tcp6 0 0 :::22 :::* LISTEN 6920/sshd
tcp6 0 0 ::1:25 :::* LISTEN 7385/master
[root@linux-02 xihaji.com]# 2.3.6 查看ssl效果
先在windows上设置好hosts文件,用浏览器打开页面,如果无法访问,可以清空iptables,或者添加443端口。会提示如下信息。
在这里插入图片描述
在这里插入图片描述
3. php-fpm相关设置
3.1 添加一个池子
3.1.1 配置文件中添加一个pool
php-fpm的pool,Nginx可以配置多个虚拟主机,php-fpm配置文件php-fpm.conf可以设置多个pool,每个pool可以监听一个端口,在其中一个pool资源耗尽,会导致其他站点无法访问资源,报502错误。有必要把站点进行分离,分别使用单独的pool。
在php-fpm配置文件中添加一个xihaji.com的池子
[root@linux-02 xihaji.com]# cd /usr/local/php-fpm/
[root@linux-02 php-fpm]# ls
bin etc include lib php sbin var
[root@linux-02 php-fpm]# cd etc/
[root@linux-02 etc]# ls
pear.conf php-fpm.conf php-fpm.conf.default php.ini
[root@linux-02 etc]# vim php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[xihaji.com]
listen = /tmp/xihaji.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@linux-02 etc]# /usr/local/php-fpm/sbin/php-fpm -t
[18-May-2019 23:24:08] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful3.1.2 查看php进程
[root@linux-02 etc]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm .. done
Starting php-fpm done
[root@linux-02 etc]#
[root@linux-02 etc]# ps aux | grep php
root 12024 6.5 0.2 229580 5000 ? Ss 23:26 0:02 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 12025 0.0 0.2 229520 4740 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12026 0.0 0.2 229520 4740 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12027 0.1 0.2 229520 4740 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12028 0.0 0.2 229520 4740 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12029 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12030 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12031 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12032 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12033 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12034 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12035 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12036 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12037 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12038 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12039 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12040 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12041 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12042 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12043 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12044 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool www
php-fpm 12045 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12046 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12047 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12048 0.0 0.2 229520 4744 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12049 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12050 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12051 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12052 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12053 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12054 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12055 0.0 0.2 229520 4748 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12056 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12057 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12058 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12059 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12060 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12061 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12062 0.1 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12063 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
php-fpm 12064 0.0 0.2 229520 4752 ? S 23:26 0:00 php-fpm: pool xihaji.com
root 12067 0.0 0.0 112724 984 pts/0 R+ 23:26 0:00 grep --color=auto php3.2 添加多个pool
3.2.1 配置文件分开添加pool
php-fpm的配置可以像nginx添加一个vhost文件夹,添加多个pool。
[root@linux-02 etc]# mkdir php-fpm.d
[root@linux-02 etc]# cat php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf
[root@linux-02 etc]# cd php-fpm.d
[root@linux-02 php-fpm.d]# vim www.conf
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@linux-02 php-fpm.d]# vim xihaji.conf
[xihaji.com]
listen = /tmp/xihaji.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 10243.2.2 检查php-fpm的文件是否正确
[root@linux-02 sbin]# /usr/local/php-fpm/sbin/php-fpm -t
[18-May-2019 23:39:47] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@linux-02 sbin]# 3.2.3 给虚拟主机添加pool
[root@linux-02 vhost]# vim /usr/local/nginx/conf/vhost/xihaji.com.conf
server
{
listen 80 ;
server_name xihaji.com;
index index.html index.htm index.php;
root /data/wwwroot/xihaji.com;
access_log /tmp/xihaji.log combined_realip;
location ~* \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/xihaji.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/xihaji.com$fastcgi_script_name;
}
[root@linux-02 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com ;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location ~* \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}3.2.4 检查nginx配置
由于nginx配置含有ssl配置,且ssl证书是我们自动生成的所以会有警告的提示。
[root@linux-02 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 vhost]# /usr/local/nginx/sbin/nginx -s reload
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
[root@linux-02 vhost]# 3.2.5 查看php进程
[root@linux-02 vhost]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@linux-02 vhost]# ps aux|grep php
root 12278 4.3 0.2 229608 4988 ? Ss 23:47 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 12279 0.0 0.2 229548 4740 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12280 0.0 0.2 229548 4740 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12281 0.0 0.2 229548 4740 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12282 0.0 0.2 229548 4740 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12283 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12284 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12285 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12286 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12287 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12288 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12289 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12290 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12291 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12292 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12293 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12294 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12295 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12296 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12297 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12298 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool www
php-fpm 12299 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12300 0.2 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12301 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12302 0.0 0.2 229548 4744 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12303 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12304 0.3 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12305 0.1 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12306 0.2 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12307 0.2 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12308 0.0 0.2 229548 4748 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12309 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12310 0.3 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12311 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12312 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12313 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12314 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12315 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12316 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12317 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
php-fpm 12318 0.0 0.2 229548 4752 ? S 23:47 0:00 php-fpm: pool xihaji.com
root 12320 0.0 0.0 112724 988 pts/0 R+ 23:47 0:00 grep --color=auto php
[root@linux-02 vhost]# ls /tmp/*.sock
/tmp/mysql.sock /tmp/php-fcgi.sock /tmp/xihaji.sock
[root@linux-02 vhost]# 4.php-fpm慢执行日志
php网站,建议使用lnmp架构的一个好处就是查看“慢日志”,为什么这么说呢?当我们的客户或者manager发现站点访问速度点慢,如果全部的负载均不是很高,一切正常还是慢,怎么办?那唯一的办法就是检查“慢日志”,慢日志会向我们详细的展示某个页面的多少行代码在执行过程中超过了我们设定的阀值!
4.1 php中的pool添加配置
[root@linux-02 vhost]# cd /usr/local/php-fpm/etc/php-fpm.d/
[root@linux-02 php-fpm.d]# ls
www.conf xihaji.conf
[root@linux-02 php-fpm.d]# vim xihaji.conf
[xihaji.com]
listen = /tmp/xihaji.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 2
slowlog = /usr/local/php-fpm/var/log/www_slow.log4.2 域名下添加一个php脚本
[root@linux-02 php-fpm.d]# vim /data/wwwroot/xihaji.com/111.php
<?php
echo "slowlog test!";
sleep(3);
echo "done";
?>4.3 测试脚本查看日志
慢日志脚本可以查看到显示php脚本中第三行有问题。
[root@linux-02 php-fpm.d]# curl -x127.0.0.1:80 xihaji.com/111.php
slowlog test!done
[root@linux-02 php-fpm.d] curl -x127.0.0.1:80 xihaji.com/111.php
slowlog test!done
[root@linux-02 php-fpm.d]# cat /usr/local/php-fpm/var/log/xihaji_slow.log
[19-May-2019 00:29:59] [pool xihaji.com] pid 12419
script_filename = /data/wwwroot/xihaji.com/111.php
[0x00007f243ec7f290] sleep() /data/wwwroot/xihaji.com/111.php:3
[19-May-2019 00:30:34] [pool xihaji.com] pid 12420
script_filename = /data/wwwroot/xihaji.com/111.php
[0x00007f243ec7f290] sleep() /data/wwwroot/xihaji.com/111.php:3
[root@linux-02 php-fpm.d]# 5. php-fpm定义open_basedir
open_basedir 将php所能打开的文件限制在指定的目录树中,包括文件本身。当程序要使用例如fopen()或file_get_contents()打开一个文件时,这个文件的位置将会被检查。当文件在指定的目录树之外,程序将拒绝打开。
本指令不受安全模式打开或关闭的影响。
5.1 修改配置文件
如果一个server有很多个web服务,那么不建议直接把open_basedir直接配置在php.ini中了。Appache可以针对每个虚拟主机设置一个Open_basedir,php-fpm同样也可以针对不同的pool设置不同的Open_basedir。
[root@linux-02 php-fpm.d]# vim xihaji.conf
[xihaji.com]
listen = /tmp/xihaji.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 2
slowlog = /usr/local/php-fpm/var/log/xihaji_slow.log
php_admin_value[open_basedir]=/data/wwwroot/xihaji.com/:/tmp/ /添加此行,限制在xihaij.com和、tmp目录下5.2 测试结果
[root@linux-02 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@linux-02 php-fpm.d]# curl -x127.0.0.1:80 xihaji.com/111.php -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Sat, 18 May 2019 17:41:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.39
[root@linux-02 php-fpm.d]# 6.php-fpm进程管理
[root@linux-02 php-fpm.d]# cat xihaji.conf
[xihaji.com]
listen = /tmp/xihaji.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 2
slowlog = /usr/local/php-fpm/var/log/xihaji_slow.log
php_admin_value[open_basedir]=/data/wwwroot/xihaji.com/:/tmp/
[root@linux-02 php-fpm.d]# pm = dynamic:动态进程管理,也可以是static
pm.max_children = 50 : 最大子进程数
pm.start_servers = 20 : 启动服务时会启动的进程数
pm.min_spare_servers = 5 : 定义在空闲时段,子进程数的最少值,如果达到这个值,php-fpm服务会自动派生新的子进程
pm.max_spare_servers = 35 : 定义在空闲时段,子进程数的最大值,如果高于这个值,php-fpm服务会清理空闲的子进程
pm.max_requests = 500 :定义一个字进程最多可以处理多少个进程,这里设置成500,也就是说在一个php-fpm的子进程最多可以处理500个,若达到这个数值时,它就会自动退出。
rlimit_files = 1024 :设置文件打开描述符的rlimit限制. 默认值: 系统定义值 系统默认可打开句柄是1024,可使用 ulimit -n查看,ulimit -n 2048修改(临时修改)。
7.php-fpm定义错误日志
7.1 错误日志不在浏览器显示 display_errors
[root@linux-02 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini //php配置文件把display_errors 改为Off(正常的线上环境建议是off,不让错误日志显示在浏览器上让别人看到)
在这里插入图片描述
7.2 错误日志存放路径 error_log
在这里插入图片描述
7.3 错误日志的级别 error_reporting
在这里插入图片描述
8. php.ini 和 php-fpm.conf 区别
php.ini是所以php模式中必须的配置文件
两者的区别是,php-fpm.conf是PHP-FPM进程管理器的配置文件,php.ini是PHP解析器的配置文件 php-fpm.conf是PHP-FPM特有的配置文件
php.ini是所以php模式中必须的配置文件
两者的区别是,php-fpm.conf是PHP-FPM进程管理器的配置文件,php.ini是PHP解析器的配置文件
课后总结
nginx重心应该放在哪里? 1 负载均衡 https://github.com/aminglinux/nginx/blob/master/proxy/lb.md
2 反向代理 相关缓存设置 https://github.com/aminglinux/nginx/blob/master/proxy/bu_ca.md
引申:正向代理 https://github.com/aminglinux/nginx/blob/master/proxy/z_proxy.md
对于LNMP中的PHP-FPM,大家应该掌握两点最核心的技能: 1 学会查php-fpm的slow log 2 学会配置php的错误日志(error_log log_error display_error error_reporting)
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2019-05-18 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读