1、对常用I/O模型进行比较说明
阻塞型IO:内核的read调用是阻塞的,需要等待数据从网卡到达内核缓冲区、再从内核缓冲区拷贝到用户缓冲区之后才能返回;客户端如果一直不发送数据,服务端进程就会一直阻塞在read函数上不返回,也无法接收其他客户端的连接;
非阻塞型IO:内核提供了一个非阻塞的read函数,数据到达前返回的都是错误值,而不是阻塞等待,需要循环调用read函数,直到返回结果不为错误值为止;另外,非阻塞只是体现在网卡到内核缓冲区不阻塞,如果数据已经到达内核缓冲区,需要完成内核到用户缓冲区的拷贝,这个过程还是阻塞的。
IO多路复用:用户态可以通过一个循环,不停遍历系统调用read函数的状态来判断数据是否已经就绪,但这样就需要一直消耗系统资源。因此就需要内核直接提供这样的功能,直接由内核来遍历fd的状态。能够执行这样事务的函数包括select、poll和epoll等。
- select方式是用户态进程将记录了fd的数组拷贝到内核,内核通过遍历方式检查fd的就绪状态,并返回可读文件描述符的个数,但具体哪个fd可读还是要用户态进程自己去遍历。
- epoll是在内核中保存一份fd数组,后续用户态进程只需要告知内核修改的部分,内核也不再执行轮询,而是通过异步IO事件唤醒,内核将有IO事件的fd返回给进程,进程也不需要去再次遍历fd(分别通过epoll_create()创建file节点、epoll_ctl()用户态传递fd到file节点、epoll_wait()等待epoll事件,返回给进程就绪的fd)。
信号驱动式IO:通过系统调用注册信号处理的回调函数,进程可以继续执行新的请求,这一步是不阻塞的;当有IO就绪时,内核会回调注册的信号回调函数,进程会立即返回将数据复制到用户缓冲区,这一步是阻塞的。
异步IO:所有工作由内核全权完成,直到数据被复制到用户空间,内核直接告知用户进程IO已经完成,两个阶段都是非阻塞的,因为内核会完成数据到用户空间的复制。
2、nginx中的模块分类及常见核心模块有哪些
模块主要分为:核心模块、标准HTTP模块、可选HTTP模块、Stream服务模块和第三方模块。
常见的核心模块包括:
- ngx_core
- ngx_errlog
- ngx_conf
- ngx_events
- ngx_event
- ngx_epoll
- ngx_regex
3、描述nginx中worker_processes、worker_cpu_affinity、worker_rlimit_nofile、worker_connections配置项的含义
- worker_processes:启动worker进程的数量,数值最好与服务器的CPU核数相匹配
- worker_cpu_affinity:将nginx的worker进程绑定到指定的CPU核心,绑定并不意味着当前nginx进程独占一核CPU,但是可以保证进程不会运行在其他核心上
- worker_rlimit_nofile:所有worker进程可以打开的文件数量上限,一个成功的网络连接会对应到一个fd,除了调整这个参数,还需要确认ulimit是否做了per-process限制;
- worker_connections:单个worker进程的最大并发连接数
4、编译安装nginx,实现多域名 https
#!/bin/bash
#****************************************************************************************#
#Author: Yabao11
#QQ: what QQ,no QQ
#Date: 2022-01-04
#FileName: nginx.sh
#URL: https://github.com/yabao11
#Description: Test Script
#Copyright (C): 2022 All rights reserved
#*******************************定义颜色*************************************************#
# ANSI SGR sequences, kept as literal backslash text; `echo -e` turns the
# leading \e into the ESC byte when a message is printed.
RED='\e[1;31m'         # bold, red foreground
GREEN='\e[1;32m'       # bold, green foreground
SKYBLUE='\e[1;36m'     # bold, cyan foreground
YELLOW='\e[1;43m'      # bold, yellow background
BLUE='\e[1;44m'        # bold, blue background
END='\e[0m'            # reset every attribute
RandomColor='\e[1;32m' # same value as GREEN
#****************************************************************************************#
function Ostype {
  # Print a short tag for the running distribution. The probes run in a
  # fixed order and the first hit wins; nothing is printed when none match.
  # Outputs: Centos6 | Centos | Centos7 | Ubuntu | Redhat on stdout
  #          (a "Centos-8" match prints plain "Centos", without a version).
  if grep -qi "release 6" /etc/centos-release; then
    echo Centos6
    return
  fi
  if grep -qi Centos-8 /etc/os-release; then
    echo Centos
    return
  fi
  if grep -qi Centos-7 /etc/os-release; then
    echo Centos7
    return
  fi
  if grep -qi Ubuntu /etc/os-release; then
    echo Ubuntu
    return
  fi
  if grep -qi "RedHat" /etc/os-release; then
    echo Redhat
  fi
}
function color {
  # Print a status line: the message, then a bracketed, coloured result tag
  # that starts at terminal column 60.
  # Arguments: $1 - message text
  #            $2 - "success"/"0" -> OK, "failure"/"1" -> FAILED,
  #                 anything else -> WARNING
  # Globals:   RES_COL, MOVE_TO_COL and the SETCOLOR_* strings are assigned
  #            without `local`; inputerror reads RES_COL afterwards.
  RES_COL=60
  MOVE_TO_COL="echo -en \E[${RES_COL}G"
  SETCOLOR_SUCCESS="echo -en \E[1;32m"
  SETCOLOR_FAILURE="echo -en \E[1;31m"
  SETCOLOR_WARNING="echo -en \E[1;33m"
  SETCOLOR_NORMAL="echo -en \E[0m"

  local paint label
  case "$2" in
    success|0)
      paint=$SETCOLOR_SUCCESS
      label=" OK "
      ;;
    failure|1)
      paint=$SETCOLOR_FAILURE
      label="FAILED"
      ;;
    *)
      paint=$SETCOLOR_WARNING
      label="WARNING"
      ;;
  esac

  # The command strings are expanded unquoted on purpose: word splitting is
  # what turns each of them back into "echo -en <sequence>".
  echo -n "$1" && $MOVE_TO_COL
  echo -n "["
  $paint
  echo -n "$label"
  $SETCOLOR_NORMAL
  echo "]"
}
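function inputerror {
  # Report an invalid answer: prints the message followed by a red
  # "[退出]" tag placed at the status column.
  # Globals: RES_COL (read), RED, END (read)
  echo -en "输入错误!"
  # RES_COL is only assigned inside color(). Without the fallback, calling
  # this function before any color() call emits ESC[G (column 1) and the
  # tag overwrites the message that was just printed.
  echo -e "\E[${RES_COL:-60}G[${RED}退出${END}]"
}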
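function nginx_install {
  # Fetch the nginx source tarball, build it and, in interactive mode,
  # install it together with a systemd unit and a man page.
  #
  # Globals:   file_path, nginx_file (read); nginx_path (read, then reset to
  #            the --prefix that was actually passed to ./configure)
  # Arguments: when more than four arguments are given they are handed to
  #            ./configure and only configure + make run (nothing is installed).
  # Returns:   1 if a preparation step or the build-only run fails; the
  #            interactive path calls exit on failure or when the user aborts.
  local build_jobs askuser readpref readaction default_args prefix arg
  local -a default_statement

  yum -y install wget gcc pcre-devel openssl-devel zlib-devel > /dev/null || { color "软件安装失败.." 1; return 1; }

  # The tarball is compiled and installed as root, so it is fetched over
  # HTTPS rather than plain HTTP.
  # NOTE(review): nginx.org publishes a detached PGP signature next to each
  # tarball; verify it against a key you trust before building.
  [ -e "${file_path}/${nginx_file}.tar.gz" ] || wget -P "${file_path}/" "https://nginx.org/download/${nginx_file}.tar.gz" > /dev/null || { color "文件下载失败.." 1; return 1; }
  tar xf "${file_path}/${nginx_file}.tar.gz" -C "${file_path}/" > /dev/null || { color "文件解压缩失败.." 1; return 1; }

  # Re-running the script must not fail just because the account exists.
  id nginx &> /dev/null || useradd -r -M -s /sbin/nologin nginx
  cd "${file_path}/${nginx_file}" || { color "找不到目录.." 1; return 1; }

  # Parsing a fixed line of lscpu output depends on the lscpu version; nproc
  # reports the usable CPU count directly.
  build_jobs=$(nproc 2> /dev/null) || build_jobs=1

  if [ $# -gt 4 ]; then
    # Build-only mode: configure and compile with the caller's options.
    if ./configure "$@" > /dev/null; then
      color "configure成功.." 0
    else
      color "configure失败.." 1
      return 1
    fi
    if make -j "$build_jobs" > /dev/null; then
      color "make成功!" 0
    else
      color "make失败.." 1
      return 1
    fi
  else
    # Interactive install: reached when an nginx version was given on the
    # command line or the menu entry was chosen; uses the default options
    # unless the user types their own.
    if [ -e "${nginx_path}" ]; then
      read -r -p "/data/nginx 文件已存在,是否强制安装(会直接删除/data/nginx)?(yes or no)" askuser
      case ${askuser,,} in
        y|yes)
          # Deletes exactly the path named in the prompt above.
          rm -rf /data/nginx
          ;;
        n|no)
          exit
          ;;
        *)
          inputerror
          exit
          ;;
      esac
    else
      echo -e $GREEN"开始执行configure.."$END
    fi

    read -r -p "你是否想要使用脚本默认的参数安装?(回车使用默认参数,或输入自己的参数)" readpref
    # `read` always sets the variable, so test for a non-empty answer: the
    # warning and the pause are only meant for user-supplied options.
    if [ -n "$readpref" ]; then
      echo -e "警告!你自行输入了编译参数,路径参数除了--prefix=之外,不要定义其他路径参数!给你2秒确认一下。"$END
      sleep 2
    fi
    if [[ $readpref =~ path ]]; then
      read -r -p "还有path参数在里面...真的不能带path,你确定要继续?" readaction
      case ${readaction,,} in
        y|yes)
          ;;
        n|no)
          exit
          ;;
        *)
          inputerror
          exit
          ;;
      esac
    fi

    default_args="--prefix=${nginx_path} --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module"
    # Split on whitespace without pathname expansion of the typed text.
    read -r -a default_statement <<< "${readpref:-$default_args}"
    if [ "${#default_statement[@]}" -gt 4 ]; then
      echo -e $GREEN"开始执行configure.."$END
    else
      exit
    fi

    # Follow whichever --prefix is really configured instead of assuming it
    # is the first option; nginx itself falls back to /usr/local/nginx.
    prefix=/usr/local/nginx
    for arg in "${default_statement[@]}"; do
      [[ $arg == --prefix=* ]] && prefix=${arg#--prefix=}
    done
    nginx_path=$prefix

    if ./configure "${default_statement[@]}" > /dev/null; then
      color "configure成功.." 0
    else
      color "configure失败.." 1
      exit
    fi
    if make -j "$build_jobs" > /dev/null; then
      color "make成功!" 0
    else
      color "make失败.." 1
      exit
    fi
    if make install > /dev/null; then
      color "install成功!" 0
    else
      color "install失败.." 1
      exit
    fi

    mkdir -p "${nginx_path}/run" "${nginx_path}/conf/conf.d"
    chown -R nginx:nginx "${nginx_path}"
    # The master process is started as root and loads sbin/nginx and conf/,
    # so neither may remain writable by the unprivileged nginx account.
    chown -R root:root "${nginx_path}/sbin" "${nginx_path}/conf"

    # -L also catches a dangling symlink, which -e reports as missing.
    if [ -e /usr/sbin/nginx ] || [ -L /usr/sbin/nginx ]; then
      color "nginx软链接存在,需删除" 2
      rm -f /usr/sbin/nginx
    fi
    ln -s "${nginx_path}/sbin/nginx" /usr/sbin/ &> /dev/null || color "/usr/sbin/nginx创建失败,请自行创建链接.." 1

    cat > /usr/lib/systemd/system/nginx.service <<EOF
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=${nginx_path}/run/nginx.pid
ExecStart=/usr/sbin/nginx -c ${nginx_path}/conf/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP \$(/bin/cat ${nginx_path}/run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM \$(/bin/cat ${nginx_path}/run/nginx.pid)"
[Install]
WantedBy=multi-user.target
EOF
    # systemd runs this unit as root; leaving it owned by the nginx account
    # would let that account change what root executes.
    chown root:root /usr/lib/systemd/system/nginx.service
    chmod 644 /usr/lib/systemd/system/nginx.service
    color "服务配置完毕,请自行启动!" 2

    # man expects a gzip-compressed page, not a tar archive of it.
    gzip -c "${file_path}/${nginx_file}/man/nginx.8" > /usr/share/man/man8/nginx.8.gz \
      && color "man帮助配置完毕!" 0

    nginx_config
    systemctl daemon-reload
  fi
}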
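function nginx_config {
  # Rewrite ${nginx_path}/conf/nginx.conf in place (a .bak copy is kept):
  # run workers as nginx, worker_processes auto, error_log/pid/
  # worker_rlimit_nofile, epoll with accept_mutex and multi_accept,
  # worker_connections 65536, keepalive_timeout 65 65, keepalive_requests 3
  # and an include of conf.d/*.conf ahead of the sample HTTPS server.
  # Globals: nginx_path, GREEN, END (read)
  # Returns: sed's status when the edit fails; exits if the file is missing.
  # NOTE(review): keepalive_requests 3 closes every connection after three
  # requests - confirm this is intended outside of a lab setup.
  local conf="${nginx_path}/conf/nginx.conf"
  [ -e "$conf" ] || { color "文件没找到.." 1; exit; }
  sed -i.bak -r -e "s/#user.*/user nginx nginx;/" \
    -e "s/worker_processes.*/worker_processes auto;/" \
    -e "/#error\_log\ \ logs\/error\.log;/i\error_log logs/error.log warn;\npid ${nginx_path}/run/nginx.pid;\nworker_rlimit_nofile 65536;" \
    -e "/[[:space:]]+worker\_connections.*/i\use epoll;\naccept_mutex on;\nmulti_accept on;\n" \
    -e "s/[[:space:]]+worker_connections.*/worker_connections 65536;/" \
    -e "s/[[:space:]]+keepalive_timeout.*/keepalive_timeout 65 65;/" \
    -e "/[[:space:]]+# HTTPS server/i\keepalive_requests 3;\ninclude ${nginx_path}/conf/conf.d/*.conf;\n" "$conf" || return
  color "配置文件修改成功!" 0
  # The hint has to end with the reset sequence; ending it with GREEN left
  # the terminal green for everything printed afterwards.
  echo -e "${GREEN}你可以将服务器配置放在${nginx_path}/conf/conf.d/*.conf中。${END}"
}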
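function RootCA {
  # Initialise the CA directory under ${cafile_path} and create a
  # self-signed root certificate (RSA 2048, 3650 days) when none exists.
  # Globals: cafile_path, GREEN, END (read); CAsubject (written)
  # Returns: 0 on success, 1 when the CA could not be set up.
  CAsubject="/C=CN/ST=Shanghai/O=MXX Company Ltd,/CN=MxxRootCA"
  local rc=0
  # certgen and csrgen look for exactly these two names, so both branches
  # below have to write them (one branch used cakey.key / cacert.crt).
  local ca_key="${cafile_path}private/cakey.pem"
  local ca_cert="${cafile_path}cacert.pem"

  if ! [ -d "${cafile_path}" ]; then
    echo -e $GREEN"CA目录不存在,开始创建CA目录..."$END
    mkdir -pv "${cafile_path}"{certs,crl,newcerts,private}
    touch "${cafile_path}index.txt"
    echo -n 01 > "${cafile_path}serial"
    echo -n 01 > "${cafile_path}crlnumber"
    # -nodes writes the CA key unencrypted: close the directory before the
    # key is created so it is never reachable by other local users.
    chmod 700 "${cafile_path}private"
    openssl req -newkey rsa:2048 -subj "$CAsubject" -keyout "$ca_key" -nodes -days 3650 -x509 -out "$ca_cert" || rc=1
  else
    [ -e "${cafile_path}index.txt" ] || { touch "${cafile_path}index.txt"; echo -e $GREEN"index.txt创建成功!"$END; }
    [ -e "${cafile_path}serial" ] || { echo -n 01 > "${cafile_path}serial"; echo -e $GREEN"serial创建成功!"$END; }
    [ -e "${cafile_path}crlnumber" ] || { echo -n 01 > "${cafile_path}crlnumber"; echo -e $GREEN"crlnumber创建成功!"$END; }
    mkdir -p "${cafile_path}private"
    chmod 700 "${cafile_path}private"
    if ! [ -e "$ca_key" ] && ! [ -e "$ca_cert" ]; then
      echo -e $GREEN"生成cakey.pem|cacert.pem文件..."$END
      openssl req -utf8 -newkey rsa:2048 -subj "$CAsubject" -keyout "$ca_key" -nodes -days 3650 -x509 -out "$ca_cert" || rc=1
    elif ! [ -e "$ca_key" ] || ! [ -e "$ca_cert" ]; then
      # Only one half of the key pair is present: report failure instead of
      # overwriting the half that still exists.
      rc=1
    fi
  fi
  [ -e "$ca_key" ] && chmod 600 "$ca_key"

  # rc tracks the openssl calls themselves; testing $? here would only see
  # the status of whatever ran last inside the if/else above.
  if [ "$rc" -eq 0 ]; then
    color "设备配置为RootCA成功!" 0
  else
    color "RootCA配置失败!" 1
    return 1
  fi
}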
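function certgen {
  # Issue server certificates signed by the local root CA, either one at a
  # time with a user-chosen CN and file name, or as a batch of generated
  # names.
  # Globals: cafile_path, GREEN, END (read)
  # Outputs: keys in ${cafile_path}private/, certificates in
  #          ${cafile_path}certs/, optional merged chain in /root/.
  # NOTE(review): the certificates carry only a CN; clients that match host
  # names against subjectAltName may reject them - confirm with the
  # intended clients.
  local certset sub manualSubject pkiname askuser2 askuser3 INPUT Rand ClientSubject i
  local -a DN
  local key_dir="${cafile_path}private"

  # Keys are written unencrypted (-nodes); close the directory first so a
  # new key is never readable by other local users before its chmod.
  [ -d "$key_dir" ] && chmod 700 "$key_dir"

  read -r -p "你想自己设置证书参数么?(yes or no)" certset
  case ${certset,,} in
    y|yes)
      while true; do
        read -r -p "输入你希望为哪个站点申请证书?(如:*.mxx.com):" sub
        manualSubject="/C=CN/ST=Shanghai/O=MXX Company Ltd,/CN=${sub}"
        read -r -p "输入你证书的名称:" pkiname
        # The name becomes part of several paths written as root; refuse
        # anything that could leave the CA directory or /root.
        if ! [[ $pkiname =~ ^[A-Za-z0-9._-]+$ ]]; then
          inputerror
          continue
        fi
        if openssl req -newkey rsa:2048 -subj "$manualSubject" -keyout "${key_dir}/${pkiname}.key" -nodes -out "${cafile_path}${pkiname}.csr" &> /dev/null; then
          color "csr生成成功!" 0
        else
          color "csr生成失败.." 1
          exit
        fi
        chmod 600 "${key_dir}/${pkiname}.key"
        # `openssl ca` would put a block of status text in front of the
        # certificate, so `openssl x509 -req` is used instead:
        #openssl ca -days 3650 -in ${cafile_path}${pkiname}.csr -cert ${cafile_path}cacert.pem -keyfile ${cafile_path}private/cakey.pem -out ${cafile_path}certs/${pkiname}.crt -batch &> /dev/null && color "证书生成成功!" 0 || { color "证书生成失败.." 1;exit; }
        if openssl x509 -req -in "${cafile_path}${pkiname}.csr" -CA "${cafile_path}cacert.pem" -CAkey "${key_dir}/cakey.pem" -CAcreateserial -days 3650 -CAserial "${cafile_path}serial" -out "${cafile_path}certs/${pkiname}.crt" &> /dev/null; then
          color "证书生成成功!" 0
        else
          color "证书生成失败.." 1
          exit
        fi
        echo -e $GREEN"*************;*************************生成证书信息**************************************"$END
        openssl x509 -noout -subject -dates -serial -in "${cafile_path}certs/${pkiname}.crt"
        chmod 600 "${key_dir}/"*.key
        echo "证书生成完成"
        echo -e $GREEN"**************************************生成证书文件如下**************************************"$END
        echo "证书存放目录: ${cafile_path}certs/"
        # Left unquoted on purpose so the listing is joined onto one line.
        echo "证书文件列表: "$(ls -t1 "${cafile_path}certs/${pkiname}"*)

        while true; do
          read -r -p "是否希望合并根证书和服务器证书?" askuser2
          case ${askuser2,,} in
            y|yes)
              if cat "${cafile_path}certs/${pkiname}.crt" "${cafile_path}cacert.pem" > "/root/${pkiname}_merge.pem"; then
                color "合并后的证书的存放位置在/root/${pkiname}_merge.pem" 0
              else
                color "证书合并失败.." 1
              fi
              break
              ;;
            n|no)
              break
              ;;
            *)
              inputerror
              continue
              ;;
          esac
        done

        while true; do
          read -r -p "是否需要继续生成证书?" askuser3
          case ${askuser3,,} in
            y|yes)
              break
              ;;
            n|no)
              break 2
              ;;
            *)
              # Ask again, as the merge prompt does; the original fell
              # through and started another certificate on a typo.
              inputerror
              continue
              ;;
          esac
        done
      done
      ;;
    n|no)
      read -r -p "生成多少个证书?" INPUT
      # The answer is used in arithmetic and as a head(1) count; accept
      # plain digits only.
      if ! [[ $INPUT =~ ^[0-9]+$ ]]; then
        inputerror
        return 1
      fi
      for ((i = 1; i <= INPUT; i++)); do
        Rand=$(openssl rand -base64 6 | sed -rn 's/[/+]//g;p')
        if [ "$INPUT" -eq 2 ]; then
          DN=([1]=Master [2]=Slave)
        else
          DN[$i]="centos-$i"
        fi
        ClientSubject="/C=CN/ST=Shanghai/O=MXX Company Ltd,/OU=$Rand/CN=${DN[$i]}.mxx.com"
        openssl req -newkey rsa:2048 -subj "$ClientSubject" -keyout "${key_dir}/user-${Rand}.key" -nodes -out "${cafile_path}user-${Rand}.csr" &> /dev/null || { color "csr生成失败.." 1; exit; }
        chmod 600 "${key_dir}/user-${Rand}.key"
        #openssl ca -days 3650 -in ${cafile_path}user-${Rand}.csr -cert ${cafile_path}cacert.pem -keyfile ${cafile_path}private/cakey.pem -out ${cafile_path}certs/user-${Rand}.crt -batch &> /dev/null
        # The command below issues the certificate but does not record it
        # in index.txt.
        openssl x509 -req -in "${cafile_path}user-${Rand}.csr" -CA "${cafile_path}cacert.pem" -CAkey "${key_dir}/cakey.pem" -CAcreateserial -days 3650 -CAserial "${cafile_path}serial" -out "${cafile_path}certs/user-${Rand}.crt" || { color "证书生成失败.." 1; exit; }
        echo -e $GREEN"*************;*************************生成证书信息**************************************"$END
        openssl x509 -noout -subject -dates -serial -in "${cafile_path}certs/user-${Rand}.crt"
      done
      chmod 600 "${key_dir}/"*.key
      echo "证书生成完成"
      echo -e $GREEN"**************************************生成证书文件如下**************************************"$END
      echo "证书存放目录: ${cafile_path}certs/"
      echo "证书文件列表: "$(ls -t1 "${cafile_path}certs/" | head -n "$INPUT")
      ;;
    *)
      inputerror
      ;;
  esac
}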
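function csrgen {
  # Sign an existing CSR with the local root CA via `openssl ca -batch`;
  # the certificate is written next to the CSR as <name>.crt.
  # Globals: GREEN, END (read)
  # Returns: 1 when the input is rejected or signing fails.
  # NOTE(review): -batch signs whatever the request contains without
  # asking; inspect a CSR from another party before handing it over.
  local cafile_path=/etc/pki/CA/
  local capath
  local days
  local crtfile
  read -r -p "CSR文件的文件路径和文件名(如:/root/xxx.csr)?" capath
  read -r -p "CSR文件的有效期?" days

  # Without a .csr suffix the derived output name used to be empty, which
  # wrote ".crt" into the current directory.
  if ! [[ $capath == *.csr && -f $capath ]]; then
    color "CSR文件不存在.." 1
    return 1
  fi
  # The value is passed straight to -days; accept a positive integer only.
  if ! [[ $days =~ ^[1-9][0-9]*$ ]]; then
    inputerror
    return 1
  fi
  crtfile=${capath%.csr}

  if ! openssl ca -days "$days" -in "$capath" -cert "${cafile_path}cacert.pem" -keyfile "${cafile_path}private/cakey.pem" -out "${crtfile}.crt" -batch &> /dev/null; then
    # Signing used to fail silently and still report success.
    color "证书生成失败.." 1
    return 1
  fi
  echo -e $GREEN"**************************************生成证书信息**************************************"$END
  openssl x509 -noout -subject -dates -serial -in "${crtfile}.crt"
  echo "证书生成完成"
  echo -e $GREEN"**************************************生成证书文件如下**************************************"$END
  echo "证书存放目录: ${crtfile}"
}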
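function config_https {
  # Write an HTTPS virtual host (server<i>.conf) into nginx's conf.d and
  # create its document root under /data/server<i>.
  # Globals: nginx_path (read); i (read, advanced past existing files)
  # Returns: 1 on rejected input; exits when a required file is missing or
  #          the config cannot be written.
  local nginx_conf website pkiname2

  # Prefer the directory that nginx_config includes; scan the filesystem
  # only as a fallback and keep a single match so the paths below stay
  # well-formed.
  if [ -d "${nginx_path}/conf/conf.d" ]; then
    nginx_conf="${nginx_path}/conf/conf.d"
  else
    nginx_conf=$(find / -type d -name conf.d 2> /dev/null | grep nginx | head -n 1)
  fi
  [ -n "$nginx_conf" ] || { color "文件没找到.." 1; exit; }

  read -r -p "输入网站的名字:" website
  read -r -p "输入你证书的文件名(应该是xxx_merge):" pkiname2
  # Both answers are pasted into the generated config and into file paths;
  # allow only characters that cannot end a directive or leave a directory.
  if ! [[ $website =~ ^[A-Za-z0-9.*_-]+$ && $pkiname2 =~ ^[A-Za-z0-9._-]+$ ]]; then
    inputerror
    return 1
  fi
  [ -e "/root/${pkiname2}.pem" ] || { color "证书不存在.." 1; exit; }

  # Skip every index already in use rather than only the first one, so an
  # existing site is never overwritten.
  : "${i:=1}"
  while [ -e "${nginx_conf}/server${i}.conf" ]; do
    ((i++))
  done

  if ! cat > "${nginx_conf}/server${i}.conf" <<EOF
server {
listen 80;
listen 443 ssl;
server_name ${website};
ssl_certificate /root/${pkiname2}.pem;
ssl_certificate_key /etc/pki/CA/private/${pkiname2%_*}.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
root /data/server${i};
location / {
index index.html;
if ( \$scheme = http ) {
rewrite ^/(.*)$ https://${website}/\$1 redirect;
}
}
}
EOF
  then
    color "配置文件生成失败.." 1
    exit
  fi
  color "配置文件生成成功" 0

  mkdir -p "/data/server${i}"
  if cat > "/data/server${i}/index.html" <<EOF
<h1>This is my server${i}, website doamin name is ${website}!</h1>
EOF
  then
    color "配置成功!" 0
  else
    color "配置失败.." 1
  fi
}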
#变量
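# Script-wide settings, read by the functions above.
nginx_file=${1:-nginx-1.18.0}   # source release to build, e.g. nginx-1.18.0
nginx_path=/data/nginx          # install prefix
file_path=/usr/local/src        # download and build directory
cafile_path=/etc/pki/CA/        # CA directory (trailing slash is required)

# Print the command-line usage (shared by --help and menu entry 7).
_show_help() {
  echo -e $GREEN"命令格式:"$END
  echo -e $SKYBLUE"./$(basename "./$0") --help:查看帮助"$END
  echo -e $SKYBLUE"./$(basename "./$0") NGINX_VERSION:编译安装对应版本的nginx(使用默认编译选项)"$END
  echo -e $SKYBLUE"./$(basename "./$0"):查看菜单项"$END
}

if [ $# -eq 1 ]; then
  if [ "$1" == --help ]; then
    _show_help
  else
    # The argument ends up in a download URL and in paths used as root, so
    # only a plain release name is accepted.
    if ! [[ $nginx_file =~ ^nginx-[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      color "安装失败,参数错误!" 1
      exit
    fi
    nginx_install "${nginx_file}" || { color "安装失败,参数错误!" 1; exit; }
  fi
else
  PS3="请选择您要执行的操作!:"
  MENU="
默认选项安装nginx
nginx补充新模块(仅编译,不安装),用于添加新模块
配置nginx
配置RootCA,生成自签名证书
生成服务器证书
配置HTTPS服务
查看命令帮助
退出
"
  # $MENU is expanded unquoted on purpose: each line becomes one menu entry.
  select M in $MENU; do
    case $REPLY in
      1)
        nginx_install
        ;;
      2)
        read -r -p "你是否想要自行提供编译参数(至少4个)?(直接回车使用我给你定义的参数)" askpref
        install_statement=${askpref:="--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/data/nginx/log/nginx/error.log \
--http-log-path=/data/nginx/log/nginx/access.log \
--pid-path=/data/nginx/run/nginx.pid \
--lock-path=/data/nginx/run/nginx.lock \
--http-client-body-temp-path=/data/nginx/cache/nginx/client_temp \
--http-proxy-temp-path=/data/nginx/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/data/nginx/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/data/nginx/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/data/nginx/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-compat \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module"}
        # Unquoted so the option string is split into separate arguments;
        # more than four arguments select nginx_install's build-only mode.
        nginx_install ${install_statement}
        ;;
      3)
        nginx_config
        ;;
      4)
        # Recreating the CA destroys the existing CA key and every record
        # of issued certificates, so ask before removing anything.
        if [ -e /etc/pki/CA ]; then
          read -r -p "/etc/pki/CA 已存在,重新配置会删除现有CA(包括CA私钥),是否继续?(yes or no)" askca
          case ${askca,,} in
            y|yes)
              rm -rf /etc/pki/CA
              ;;
            *)
              continue
              ;;
          esac
        fi
        RootCA
        ;;
      5)
        read -r -p "您是否有csr文件?(yes or no)" csrfileyes
        case ${csrfileyes,,} in
          y|yes)
            csrgen
            ;;
          n|no)
            certgen
            ;;
          *)
            inputerror
            ;;
        esac
        ;;
      6)
        # i is the site index that config_https reads and advances.
        i=1
        while true; do
          config_https
          read -r -p "是否需要继续生成下一个网站?" askuser4
          case ${askuser4,,} in
            y|yes)
              ((i++))
              continue
              ;;
            n|no)
              break 2
              ;;
            *)
              inputerror
              break 2
              ;;
          esac
        done
        ;;
      7)
        _show_help
        ;;
      *)
        exit
        ;;
    esac
  done
fi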
#--prefix=/data/nginx --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/usr/local/src/echo-nginx-module
执行结果: