Linux Operations Essentials: Installing, Deploying and Configuring the Nginx Web Server
This article explains in detail how to install, deploy and configure the Nginx web server. It covers: 1) an introduction to Nginx and its core strengths, in particular high concurrency and low resource consumption; 2) system requirements and preparation; 3) three installation methods: package manager installation for beginners, building from source for production environments, and Docker container installation for modern cloud environments; 4) the core Nginx configuration, including the structure of the configuration file. Complete command examples and configuration recommendations are provided to help operations engineers quickly master Nginx deployment and management.
1. Nginx Overview and Environment Preparation
1.1 Introduction to Nginx
What is Nginx
Nginx (pronounced "engine-x") is a lightweight web server and reverse proxy server developed by the Russian programmer Igor Sysoev in 2004. As one of the most popular web servers today, Nginx is used widely across the Internet for its high performance, high concurrency and low memory consumption.
Core advantages of Nginx
- High concurrency: an asynchronous, non-blocking, event-driven model lets a single machine handle tens of thousands of concurrent connections
- Low memory footprint: uses fewer resources than traditional web servers such as Apache
- High availability: very stable, suitable for 24/7 uninterrupted operation
- Modular design: functionality is implemented as modules and can be extended flexibly
- Concise configuration: the configuration file syntax is simple and easy to read
Typical use cases
- Static file server
- Reverse proxy server
- Load balancer
- HTTP cache server
- API gateway
1.2 System Requirements
Supported Linux distributions
- Ubuntu 18.04/20.04/22.04 LTS
- CentOS 7/8, RHEL 7/8/9
- Debian 10/11
- SUSE Linux Enterprise Server
Recommended hardware
Minimum:
- CPU: 1 core
- Memory: 512MB
- Storage: 10GB
Recommended for production:
- CPU: 2 cores or more
- Memory: 2GB or more
- Storage: 50GB or more, on SSD
Required system privileges
- root or sudo privileges
- Network access
- Permission to bind ports 80/443
1.3 Environment Check and Preparation
Confirm the system version
# Show the OS version
cat /etc/os-release
uname -a
# Update system packages
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
# CentOS/RHEL
sudo yum update -y
# or, on CentOS 8+
sudo dnf update -y
Check for port conflicts
# Check whether ports 80 and 443 are already in use
# (the pattern also matches ports such as 8080 and 4430, so read the output rather than relying on the exit status)
netstat -tlnp | grep -E ':80|:443'
ss -tlnp | grep -E ':80|:443'
Prepare the firewall
# Ubuntu/Debian (UFW)
# (the 'Nginx Full' application profile is shipped by the Ubuntu nginx package, so run this after the package is installed)
sudo ufw allow 'Nginx Full'
sudo ufw reload
# CentOS/RHEL (firewalld)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
2. Nginx Installation Methods
2.1 Package Manager Installation (recommended for beginners)
Ubuntu/Debian
# Refresh the package index
sudo apt update
# Install Nginx
sudo apt install nginx -y
# Verify the installation
nginx -v
# Show the build configuration: installation paths and compiled-in modules
nginx -V
CentOS/RHEL
# CentOS 7/RHEL 7
sudo yum install epel-release -y
sudo yum install nginx -y
# CentOS 8+/RHEL 8+
sudo dnf install nginx -y
# Verify the installation
nginx -v
Choosing a version
Distribution repositories usually ship a stable but older release. To get the latest version, add the official nginx.org repository:
# Ubuntu: add the official repository
# (apt-key is deprecated on current Ubuntu/Debian releases; the equivalent keyring-based setup is documented on nginx.org)
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
sudo add-apt-repository "deb https://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx"
sudo apt update
sudo apt install nginx
# CentOS: add the official repository (gpgcheck=1 makes yum verify package signatures against the nginx key)
sudo tee /etc/yum.repos.d/nginx.repo << 'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
sudo yum install nginx -y
2.2 Building from Source (recommended for production)
Download the source package
# Create a working directory
mkdir -p /usr/local/src
cd /usr/local/src
# Download the latest stable release
# (nginx.org publishes a detached signature, nginx-1.24.0.tar.gz.asc, next to the tarball; verify it against the nginx signing key before building)
wget https://nginx.org/download/nginx-1.24.0.tar.gz
tar -zxvf nginx-1.24.0.tar.gz
cd nginx-1.24.0
Prepare the build environment
# Ubuntu/Debian: install build dependencies
sudo apt install build-essential libpcre3-dev libssl-dev zlib1g-dev libgd-dev libxml2-dev libxslt1-dev -y
# CentOS/RHEL: install build dependencies
sudo yum groupinstall "Development Tools" -y
sudo yum install pcre-devel openssl-devel zlib-devel gd-devel libxml2-devel libxslt-devel -y
Configure the build
# Only enable the modules you actually need: every compiled-in module is attack surface and maintenance burden
./configure \
    --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-http_auth_request_module \
    --with-http_image_filter_module \
    --with-file-aio \
    --with-http_v2_module \
    --with-threads \
    --with-stream \
    --with-stream_ssl_module \
    --with-http_slice_module
Compile and install
# Compile
make -j$(nproc)
# Install
sudo make install
# Create the nginx system user (no home directory login, no shell)
sudo useradd -r -s /sbin/nologin nginx
# Create the systemd unit file
sudo tee /etc/systemd/system/nginx.service << 'EOF'
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
# Reload systemd so it picks up the new unit
sudo systemctl daemon-reload
2.3 Docker Container Installation
Prepare the Docker environment
# Install Docker (Ubuntu)
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# Start the Docker service
sudo systemctl start docker
sudo systemctl enable docker
Using the official image
# Pull the official Nginx image (for reproducible deployments pin a version tag instead of latest)
docker pull nginx:latest
# Run an Nginx container
# (bind-mounting /etc/nginx hides the image's default configuration, so the host directory must already contain a complete config)
docker run -d \
    --name nginx-server \
    -p 80:80 \
    -p 443:443 \
    -v /etc/nginx:/etc/nginx \
    -v /var/log/nginx:/var/log/nginx \
    -v /usr/share/nginx/html:/usr/share/nginx/html \
    nginx:latest
Building a custom image
# Dockerfile
FROM nginx:alpine
# Copy the custom configuration
COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf /etc/nginx/conf.d/default.conf
# Copy the static files
COPY html/ /usr/share/nginx/html/
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
# Build the image
docker build -t custom-nginx .
# Run the container
docker run -d --name my-nginx -p 80:80 custom-nginx
3. Nginx Core Configuration
3.1 Configuration File Structure
Main configuration file nginx.conf
The main configuration file is usually located at:
- Package manager installation: /etc/nginx/nginx.conf
- Source build: /usr/local/nginx/conf/nginx.conf
Configuration syntax rules
# Comments start with #
# Directives end with a semicolon
# Blocks are enclosed in braces {}
# Directive format: name argument1 argument2 ... ;
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
Configuration block hierarchy
# main (global) context
user nginx;
worker_processes auto;
# events block
events {
    worker_connections 1024;
    use epoll;
}
# http block
http {
    # http-level directives
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # server block
    server {
        # server-level directives
        listen 80;
        server_name example.com;
        # location blocks
        location / {
            root /usr/share/nginx/html;
            index index.html;
        }
        location /api {
            proxy_pass http://backend;
        }
    }
}
3.2 Basic Configuration Directives
Global (main context) parameters
# User the worker processes run as
user nginx;
# Number of worker processes (auto = one per CPU core)
worker_processes auto;
# Error log path and minimum severity
error_log /var/log/nginx/error.log warn;
# PID file
pid /var/run/nginx.pid;
# Maximum number of open file descriptors per worker process
worker_rlimit_nofile 65535;
events block
events {
    # Maximum simultaneous connections per worker process
    worker_connections 1024;
    # Event notification method (epoll on Linux)
    use epoll;
    # Accept as many pending connections as possible at once
    multi_accept on;
}
http block
http {
    # MIME types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Access log
    access_log /var/log/nginx/access.log main;
    # File transmission optimisations
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Keep-alive timeout
    keepalive_timeout 65;
    # Hide the version number in the Server header and on error pages
    server_tokens off;
    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
}
3.3 Virtual Host Configuration
Name-based virtual hosts
# Site 1
server {
    listen 80;
    server_name example1.com www.example1.com;
    root /var/www/example1;
    index index.html index.htm;
    access_log /var/log/nginx/example1.access.log;
    error_log /var/log/nginx/example1.error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Site 2
server {
    listen 80;
    server_name example2.com www.example2.com;
    root /var/www/example2;
    index index.html index.htm;
    access_log /var/log/nginx/example2.access.log;
    error_log /var/log/nginx/example2.error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}
Port-based virtual hosts
# Port 8080
server {
    listen 8080;
    server_name localhost;
    root /var/www/port8080;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Port 8081
server {
    listen 8081;
    server_name localhost;
    root /var/www/port8081;
    location / {
        try_files $uri $uri/ =404;
    }
}
SSL/HTTPS configuration
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    # Certificate and private key (keep the key file readable by root only)
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    # TLS hardening
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 cipher list: AEAD suites with forward secrecy (TLS 1.3 suites are negotiated separately by OpenSSL)
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # HSTS: instruct browsers to use HTTPS only for the next year
    add_header Strict-Transport-Security "max-age=31536000" always;
    root /var/www/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
4. Nginx Service Management
4.1 Service Control Commands
Start, stop and restart the service
# Via systemd (recommended)
sudo systemctl start nginx # start
sudo systemctl stop nginx # stop
sudo systemctl restart nginx # restart
sudo systemctl reload nginx # reload the configuration
sudo systemctl status nginx # show status
# Direct control with the nginx binary
sudo nginx # start
sudo nginx -s stop # fast shutdown
sudo nginx -s quit # graceful shutdown
sudo nginx -s reload # reload the configuration
sudo nginx -s reopen # reopen log files
Check the configuration syntax
# Test the configuration file
sudo nginx -t
# Test a specific configuration file
sudo nginx -t -c /path/to/nginx.conf
# Test and dump the full, resolved configuration (all includes expanded)
sudo nginx -T
Graceful configuration reload
# Test the configuration and reload only if the test passes
sudo nginx -t && sudo nginx -s reload
# or via systemd
sudo nginx -t && sudo systemctl reload nginx
4.2 Start on Boot
systemd service configuration
# Enable start on boot
sudo systemctl enable nginx
# Disable start on boot
sudo systemctl disable nginx
# Check whether it is enabled
sudo systemctl is-enabled nginx
Legacy init.d scripts
# CentOS/RHEL 6 and earlier
sudo chkconfig nginx on
# Ubuntu: update-rc.d
sudo update-rc.d nginx enable
Service status monitoring
# Show detailed status
sudo systemctl status nginx -l
# Show recent log entries
sudo journalctl -u nginx --since "1 hour ago"
# Follow the log in real time
sudo journalctl -u nginx -f
4.3 Log Management
Access log configuration
http {
    # Define log formats ("combined" is predefined by nginx and redeclaring it is an error, so the text format is named "main")
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
    log_format json escape=json '{'
        '"time": "$time_iso8601",'
        '"remote_addr": "$remote_addr",'
        '"request": "$request",'
        '"status": $status,'
        '"body_bytes_sent": $body_bytes_sent,'
        '"http_referer": "$http_referer",'
        '"http_user_agent": "$http_user_agent"'
        '}';
    # Access log
    access_log /var/log/nginx/access.log main;
    server {
        # Per-site access log
        access_log /var/log/nginx/site.access.log json;
    }
}
Error log configuration
# Global error log
error_log /var/log/nginx/error.log warn;
server {
    # Per-site error log
    error_log /var/log/nginx/site.error.log;
    # Disable logging for a specific location
    location /health {
        access_log off;
        return 200 "OK";
    }
}
Log rotation
# Create the logrotate configuration
sudo tee /etc/logrotate.d/nginx << 'EOF'
/var/log/nginx/*.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 644 nginx adm
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
    endscript
    postrotate
        # Debian/Ubuntu; elsewhere send USR1 to the master process instead: kill -USR1 $(cat /var/run/nginx.pid)
        invoke-rc.d nginx rotate >/dev/null 2>&1
    endscript
}
EOF
# Dry run the rotation (debug mode, nothing is changed)
sudo logrotate -d /etc/logrotate.d/nginx
# Force a rotation now
sudo logrotate -f /etc/logrotate.d/nginx
5. Common Application Scenarios
5.1 Static File Serving
Static website deployment
server {
    listen 80;
    server_name static.example.com;
    root /var/www/static;
    index index.html index.htm;
    # Static asset caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Pragma public;
    }
    # Gzip (regex locations are matched in order, so .css and .js URIs are already caught by the block above)
    location ~* \.(css|js|html|htm)$ {
        gzip_static on;
        expires 30d;
    }
    # Security: deny access to dotfiles such as .git or .env
    location ~ /\. {
        deny all;
    }
}
File download service
server {
    listen 80;
    server_name download.example.com;
    root /var/www/downloads;
    # Download throttling
    location /downloads {
        limit_rate 1m; # limit each connection to 1MB/s
        # Force download
        add_header Content-Disposition "attachment";
        # Resumable downloads for large files
        add_header Accept-Ranges bytes;
    }
    # Hotlink protection
    location ~* \.(zip|rar|exe|dmg)$ {
        valid_referers none blocked server_names *.example.com;
        if ($invalid_referer) {
            return 403;
        }
    }
}
Directory listing
server {
    listen 80;
    server_name files.example.com;
    root /var/www/files;
    location / {
        autoindex on; # enable directory listing
        autoindex_exact_size off; # show human-readable file sizes
        autoindex_localtime on; # show local time
        charset utf-8; # avoid garbled non-ASCII file names
    }
    # Stylesheet for the listing page
    location = /autoindex.css {
        root /etc/nginx/autoindex;
    }
}
5.2 Reverse Proxy Configuration
Proxying to backend application servers
# Define the backend server group
upstream backend_app {
    server 127.0.0.1:8080;
    server 127.0.0.1:8081;
    # Weighted load balancing
    server 127.0.0.1:8082 weight=3;
    # Backup server, used only when the others are unavailable
    server 127.0.0.1:8083 backup;
}
server {
    listen 80;
    server_name app.example.com;
    # Proxy to the backend application
    location / {
        proxy_pass http://backend_app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }
    # API proxy (the trailing slash in proxy_pass strips the /api/ prefix before forwarding)
    location /api/ {
        proxy_pass http://127.0.0.1:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Bypass the cache for dynamic content
        proxy_cache_bypass $http_pragma;
        proxy_cache_revalidate on;
    }
}
Load balancing
# The different load-balancing methods
upstream backend_round_robin {
    # Default: round robin
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}
upstream backend_least_conn {
    # Least connections
    least_conn;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}
upstream backend_ip_hash {
    # IP hash (session persistence)
    ip_hash;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}
upstream backend_weighted {
    # Weighted round robin
    server 192.168.1.10:8080 weight=5;
    server 192.168.1.11:8080 weight=3;
    server 192.168.1.12:8080 weight=2;
}
Health checks
upstream backend_with_health_check {
    # Passive checks (built in): a server is marked down after max_fails failures within fail_timeout
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 max_fails=2 fail_timeout=10s;
    # Active periodic checks (require the third-party nginx_upstream_check_module)
    check interval=3000 rise=2 fall=3 timeout=1000 type=http;
    check_http_send "HEAD /health HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx http_3xx;
}
server {
    listen 80;
    server_name app.example.com;
    location / {
        proxy_pass http://backend_with_health_check;
    }
    # Health check status page, restricted to the internal network
    location /nginx_status {
        check_status;
        access_log off;
        allow 192.168.1.0/24;
        deny all;
    }
}
5.3 Performance Tuning
Caching
# Define the cache path and parameters
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
server {
    listen 80;
    server_name cached.example.com;
    location / {
        proxy_pass http://backend_app;
        # Enable caching
        proxy_cache my_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        # Cache key
        proxy_cache_key "$scheme$request_method$host$request_uri";
        # Expose the cache status in a response header
        add_header X-Cache-Status $upstream_cache_status;
        # Cache locking: only one request populates a missing entry at a time
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        proxy_cache_lock_age 5s;
    }
    # Cache purge endpoint (proxy_cache_purge requires the third-party ngx_cache_purge module); keep it restricted to localhost
    location ~ /purge(/.*) {
        allow 127.0.0.1;
        deny all;
        proxy_cache_purge my_cache "$scheme$request_method$host$1";
    }
}
Gzip compression
http {
    # Gzip settings
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/json
        application/javascript
        application/xml+rss
        application/atom+xml
        image/svg+xml;
    # Brotli compression (requires the brotli module)
    brotli on;
    brotli_comp_level 6;
    brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}
Connection tuning
# Worker process settings
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
    accept_mutex off;
}
http {
    # Connection settings
    keepalive_timeout 65;
    keepalive_requests 100;
    client_max_body_size 100m;
    client_body_buffer_size 128k;
    # Transmission settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Timeouts
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 15;
    # Buffer settings
    client_header_buffer_size 4k;
    large_client_header_buffers 8 4k;
    output_buffers 1 32k;
    postpone_output 1460;
}
6. Security Hardening and Best Practices
6.1 Security Configuration
Hiding version information
http {
    # Hide the Nginx version
    server_tokens off;
    # Custom Server header (requires the headers-more module to be compiled in)
    more_set_headers "Server: WebServer";
}
Access control
server {
    listen 80;
    server_name secure.example.com;
    # IP allow list
    location /admin {
        allow 192.168.1.0/24;
        allow 10.0.0.0/8;
        deny all;
        # Basic authentication (both the IP check and the password must pass)
        auth_basic "Admin Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    # Restrict request methods
    location / {
        limit_except GET HEAD POST {
            deny all;
        }
    }
    # Deny access to hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    # Deny access to editor backup files (names ending in ~)
    location ~ ~$ {
        deny all;
        access_log off;
        log_not_found off;
    }
}
Basic DDoS mitigation
http {
    # Connection limits
    limit_conn_zone $remote_addr zone=conn_limit_per_ip:10m;
    limit_conn_zone $server_name zone=conn_limit_per_server:10m;
    # Request rate limit
    limit_req_zone $remote_addr zone=req_limit_per_ip:10m rate=5r/s;
}
server {
    listen 80;
    server_name protected.example.com;
    # Apply the limits
    limit_conn conn_limit_per_ip 20;
    limit_conn conn_limit_per_server 1000;
    limit_req zone=req_limit_per_ip burst=10 nodelay;
    # Buffer limits
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    # Timeout limits
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;
    location / {
        # Stricter rules for this path: close the connection (444) without a response
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }
        # Reject requests with an empty User-Agent
        if ($http_user_agent = "") {
            return 444;
        }
        root /var/www/html;
        index index.html;
    }
}
6.2 Monitoring and Maintenance
Performance metrics
server {
    listen 80;
    server_name monitor.example.com;
    # Nginx status page
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
    }
    # Detailed status (requires nginx-module-vts)
    location /status {
        vhost_traffic_status_display;
        vhost_traffic_status_display_format html;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
    }
}
Common monitoring tools
- Monitoring with Prometheus + Grafana
# Install nginx-prometheus-exporter
wget https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/v0.10.0/nginx-prometheus-exporter-0.10.0-linux-amd64.tar.gz
tar xzf nginx-prometheus-exporter-0.10.0-linux-amd64.tar.gz
sudo cp nginx-prometheus-exporter /usr/local/bin/
# Create the systemd unit
sudo tee /etc/systemd/system/nginx-exporter.service << 'EOF'
[Unit]
Description=Nginx Prometheus Exporter
After=network.target
[Service]
Type=simple
User=nginx
ExecStart=/usr/local/bin/nginx-prometheus-exporter -nginx.scrape-uri=http://localhost/nginx_status
Restart=always
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable nginx-exporter
sudo systemctl start nginx-exporter
- Log analysis script
#!/bin/bash
# nginx-log-analyzer.sh
LOG_FILE="/var/log/nginx/access.log"
# $time_local in the access log looks like [01/Jan/2024:10:30:45 +0000], so the day filter
# must use the dd/Mon/yyyy form; LC_ALL=C keeps the English month abbreviation
DATE=$(LC_ALL=C date +%d/%b/%Y)
echo "=== Nginx access statistics ($DATE) ==="
echo
# Total requests
echo "1. Total requests:"
grep -F "[$DATE" "$LOG_FILE" | wc -l
# Top client IPs
echo "2. Top 10 client IPs:"
grep -F "[$DATE" "$LOG_FILE" | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
# Status code distribution
echo "3. HTTP status codes:"
grep -F "[$DATE" "$LOG_FILE" | awk '{print $9}' | sort | uniq -c | sort -rn
# Slowest requests: only meaningful when the last field of the log_format is a response time
# such as $request_time; with the plain combined format $NF is the tail of the user agent
echo "4. Top 10 slowest requests:"
grep -F "[$DATE" "$LOG_FILE" | awk '{print $NF, $7}' | sort -rn | head -10
# 404 errors
echo "5. Top 10 URIs returning 404:"
grep -F "[$DATE" "$LOG_FILE" | awk '$9 == 404 {print $7}' | sort | uniq -c | sort -rn | head -10
Maintenance checklist
#!/bin/bash
# nginx-health-check.sh
echo "=== Nginx health check report ==="
echo "Checked at: $(date)"
echo
# 1. Service status
echo "1. Service status:"
if systemctl is-active nginx &>/dev/null; then
    echo " ✓ Nginx service is running"
else
    echo " ✗ Nginx service is not running"
fi
# 2. Configuration syntax
echo "2. Configuration syntax:"
if nginx -t &>/dev/null; then
    echo " ✓ configuration syntax is valid"
else
    echo " ✗ configuration syntax error:"
    nginx -t
fi
# 3. Listening ports (the trailing whitespace in the pattern avoids matching 8080 or 4430)
echo "3. Listening ports:"
ss -tlnp | grep -qE ':80[[:space:]]' && echo " ✓ port 80 is listening" || echo " ✗ port 80 is not listening"
ss -tlnp | grep -qE ':443[[:space:]]' && echo " ✓ port 443 is listening" || echo " ✗ port 443 is not listening"
# 4. Disk space
echo "4. Disk space:"
df -h | grep -E "(/$|/var)" | awk '{if($5+0 > 80) print " ✗ "$6" usage too high: "$5; else print " ✓ "$6" usage normal: "$5}'
# 5. Log file size
echo "5. Log file size:"
find /var/log/nginx -name "*.log" -size +100M -exec ls -lh {} \; | awk '{print " ⚠ large log file: "$9" ("$5")"}'
# 6. SSL certificate expiry
echo "6. SSL certificate check:"
for cert in /etc/ssl/certs/*.crt; do
    if [ -f "$cert" ]; then
        exp_date=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        if [ -n "$exp_date" ]; then
            exp_timestamp=$(date -d "$exp_date" +%s)
            current_timestamp=$(date +%s)
            days_until_exp=$(( (exp_timestamp - current_timestamp) / 86400 ))
            if [ "$days_until_exp" -lt 30 ]; then
                echo " ⚠ certificate expires soon: $(basename "$cert") ($days_until_exp days)"
            fi
        fi
    fi
done
echo
echo "Check complete"
7. Troubleshooting and Common Problems
7.1 Installation Problems
Missing dependencies
# Ubuntu/Debian: common missing dependencies
sudo apt install build-essential libpcre3-dev libssl-dev zlib1g-dev
# CentOS/RHEL: common missing dependencies
sudo yum install gcc gcc-c++ pcre-devel openssl-devel zlib-devel
# Module dependencies missing at compile time
# Image filter module dependencies
sudo apt install libgd-dev # Ubuntu
sudo yum install gd-devel # CentOS
# XML/XSLT module dependencies
sudo apt install libxml2-dev libxslt1-dev # Ubuntu
sudo yum install libxml2-devel libxslt-devel # CentOS
Build errors
# Common build error 1: permission problems
sudo chown -R $USER:$USER /usr/local/src/nginx-*
cd /usr/local/src/nginx-*
make clean && ./configure [...] && make
# Common build error 2: out of memory
# Add swap space
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# or reduce build parallelism
make -j1
# Common build error 3: configure cannot find a library
# Point the compiler and linker at the library location
./configure --with-ld-opt="-L/usr/local/lib" --with-cc-opt="-I/usr/local/include"
Permission problems
# Create the nginx user
sudo useradd -r -s /sbin/nologin -M nginx
# Set correct file permissions
sudo chown -R nginx:nginx /var/log/nginx
sudo chown -R nginx:nginx /var/cache/nginx
sudo chmod 755 /etc/nginx
sudo chmod 644 /etc/nginx/nginx.conf
# Web root permissions
sudo chown -R nginx:nginx /var/www
sudo chmod -R 755 /var/www
7.2 Configuration and Runtime Problems
Configuration syntax errors
# Test the configuration syntax
sudo nginx -t
# Common syntax errors and their fixes:
# Error 1: missing semicolon
# Wrong
server_name example.com # semicolon missing
# Correct
server_name example.com;
# Error 2: unbalanced braces
# Make sure every opening brace has a matching closing brace
# Error 3: duplicate directive
# Some directives may appear only once within the same context
# Error 4: path does not exist
# Make sure the paths referenced by root, access_log and similar directives exist
sudo mkdir -p /var/www/html
sudo mkdir -p /var/log/nginx
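As an added illustration (this script is not from the original article), a small awk-based lint that applies the syntax rules from section 3.1 to catch the first two errors listed above, a missing trailing semicolon and unbalanced braces, without needing a running nginx; `lint_nginx_conf`, `good_conf` and `bad_conf` are names chosen here, and both configurations are constructed samples.

```shell
#!/bin/bash
# Added example: a static lint for nginx.conf syntax, not a replacement for nginx -t.
# Rules applied (section 3.1): comments start with '#', directives end with ';',
# blocks are enclosed in '{' and '}'. Multi-line quoted arguments (log_format) are
# recognised by a trailing quote and skipped; a '#' inside a quoted string is not handled.
lint_nginx_conf() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                     # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)        # trim whitespace
        if (line == "") next
        has_brace = 0
        for (i = 1; i <= length(line); i++) {    # track block nesting depth
            c = substr(line, i, 1)
            if (c == "{") { depth++; has_brace = 1 }
            else if (c == "}") {
                has_brace = 1
                if (depth == 0) { print "line " NR ": unexpected }"; errors++ }
                else depth--
            }
        }
        # a plain directive line must end with ";" unless it continues a quoted string
        if (!has_brace && line !~ /;$/ && line !~ /['\''"]$/) {
            print "line " NR ": directive missing trailing semicolon: " line
            errors++
        }
    }
    END {
        if (depth > 0) { print "end of file: " depth " unclosed {"; errors++ }
        exit (errors > 0 ? 1 : 0)
    }'
}

# Constructed sample: a valid config, including a multi-line log_format
good_conf() {
cat <<'EOF'
user nginx;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status';
    server {
        listen 80;
        server_name example.com;   # trailing comment
        location / { root /usr/share/nginx/html; }
    }
}
EOF
}

# Constructed sample with the errors from section 7.2: two missing semicolons and an unclosed block
bad_conf() {
cat <<'EOF'
user nginx
events {
    worker_connections 1024;
}
http {
    server {
        listen 80;
        server_name example.com
    }
EOF
}

# Stand-alone usage on a real file:  lint_nginx_conf < /etc/nginx/nginx.conf
bad_conf | lint_nginx_conf || echo "lint finished with findings"
```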
Port conflicts
# Check port usage
sudo netstat -tlnp | grep :80
sudo ss -tlnp | grep :80
# Find the process holding the port
sudo lsof -i :80
# Stop the conflicting service (e.g. Apache)
sudo systemctl stop apache2 # Ubuntu
sudo systemctl stop httpd # CentOS
# or change the port Nginx listens on
server {
    listen 8080; # use a different port
    server_name example.com;
}
Performance diagnostics
# Check process status
ps aux | grep nginx
# Check connection counts
ss -s
# Check file descriptor usage
cat /proc/sys/fs/file-nr
ulimit -n
# Raise the file descriptor limit
echo "nginx soft nofile 65535" | sudo tee -a /etc/security/limits.conf
echo "nginx hard nofile 65535" | sudo tee -a /etc/security/limits.conf
# And in nginx.conf
worker_rlimit_nofile 65535;
# Check memory usage
free -h
cat /proc/meminfo
# Check disk I/O
iostat -x 1
7.3 Log Analysis and Debugging
Error log analysis
# Follow the error log
sudo tail -f /var/log/nginx/error.log
# Common error types and fixes:
# 1. Permission denied
# [error] open() "/var/www/html/index.html" failed (13: Permission denied)
sudo chown -R nginx:nginx /var/www/html
sudo chmod -R 755 /var/www/html
# 2. No such file or directory
# [error] open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
touch /var/www/html/favicon.ico
# or silence the 404 in the configuration
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
# 3. Connection refused
# [error] connect() to 127.0.0.1:8080 failed (111: Connection refused)
# Check that the backend service is running
sudo systemctl status backend-service
netstat -tlnp | grep 8080
# 4. Too many open files
# [error] accept4() failed (24: Too many open files)
# Raise the file descriptor limit (see the performance diagnostics section above)
Reading the access log
# Standard access log format
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
# Example log line
# 192.168.1.100 - - [01/Jan/2024:10:30:45 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://google.com" "Mozilla/5.0..."
# Field meanings:
# 192.168.1.100 - client IP ($remote_addr)
# - - literal separator (the historical ident field, always "-")
# - - $remote_user, the authenticated user (empty unless HTTP authentication is used)
# [01/Jan/2024:10:30:45 +0000] - request time
# "GET /index.html HTTP/1.1" - request method, URI and protocol version
# 200 - HTTP status code
# 1024 - response body bytes
# "https://google.com" - referring page
# "Mozilla/5.0..." - user agent string
# Example analysis script
#!/bin/bash
# Common commands for analysing the access log
LOG_FILE="/var/log/nginx/access.log"
# Status code distribution
echo "Status codes:"
awk '{print $9}' "$LOG_FILE" | sort | uniq -c | sort -rn
# Most frequent client IPs
echo "Top 10 client IPs:"
awk '{print $1}' "$LOG_FILE" | sort | uniq -c | sort -rn | head -10
# Most requested pages
echo "Top 10 requested pages:"
awk '{print $7}' "$LOG_FILE" | sort | uniq -c | sort -rn | head -10
# 404 errors
echo "404 errors:"
awk '$9 == 404 {print $7}' "$LOG_FILE" | sort | uniq -c | sort -rn
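An added example (not from the original article): the same awk approach used to find clients whose per-second request rate exceeded the rate= value of the limit_req_zone from section 6.1, run over a constructed combined-format log; `find_burst_ips` and `sample_log` are names chosen here.

```shell
#!/bin/bash
# Added example: find clients that exceeded a per-second request rate in a
# combined-format access log. Useful for sizing limit_req_zone (section 6.1) or for
# reviewing after the fact which clients would have been throttled.
# Field layout (see above): $1 = $remote_addr, $4 = "[dd/Mon/yyyy:HH:MM:SS".
find_burst_ips() {
    # $1: requests-per-second threshold (e.g. the 5 from rate=5r/s)
    awk -v limit="$1" '
    {
        ip = $1
        second = substr($4, 2)            # strip the leading "[" from $time_local
        key = ip SUBSEP second
        count[key]++
        if (count[key] > peak[ip]) peak[ip] = count[key]
    }
    END {
        # report each IP whose busiest second exceeded the threshold
        for (ip in peak) if (peak[ip] > limit) print ip, peak[ip]
    }' | sort
}

# Constructed sample log (combined format): 10.0.0.5 sends 7 requests within one
# second, 192.0.2.7 peaks at 3 per second, 10.0.0.9 at 2 per second.
sample_log() {
cat <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:30:45 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.7 - - [01/Jan/2024:10:30:45 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:30:45 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:30:45 +0000] "GET /app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:30:46 +0000] "GET /api/items HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:30:46 +0000] "GET /api/users HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:30:46 +0000] "GET /logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:30:45 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:30:45 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run against the sample with the 5r/s threshold from section 6.1
sample_log | find_burst_ips 5   # prints: 10.0.0.5 7
```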
Debugging tips
# 1. Enable debug logging
# Set in nginx.conf (very verbose; use temporarily)
error_log /var/log/nginx/debug.log debug;
# 2. Test with curl
# Basic connectivity
curl -I http://localhost
# Test with a specific Host header
curl -H "Host: example.com" http://localhost
# Test a POST request
curl -X POST -d "test=data" http://localhost/api
# 3. Capture traffic with tcpdump
sudo tcpdump -i any port 80 -A
# 4. Check SELinux (CentOS/RHEL)
# SELinux status
getenforce
# SELinux denial log
sudo ausearch -m avc -ts recent
# Temporarily set SELinux to permissive (not recommended in production)
sudo setenforce 0
# 5. Network connectivity tests
# Test port connectivity
telnet localhost 80
# Check DNS resolution
nslookup example.com
dig example.com
# 6. Process debugging
# Trace system calls
sudo strace -p $(pgrep nginx | head -1)
# List files opened by the process
sudo lsof -p $(pgrep nginx | head -1)
8. Summary and Next Steps
8.1 Key Points
This article has walked through the complete Nginx deployment process on Linux:
Installation:
- Package manager installation suits quick deployments and test environments
- Building from source gives better performance and flexibility, suited to production
- Docker container installation simplifies modern deployment and management
Configuration:
- Understand the hierarchy and syntax rules of the configuration file
- Master the core features: virtual hosts, SSL, proxying
- Pay attention to security settings and performance tuning
Operations:
- Set up thorough monitoring and log management
- Define a standard troubleshooting procedure
- Run regular security reviews and performance tuning
8.2 Production Deployment Recommendations
Architecture recommendations:
# Recommended production configuration template
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
pid /var/run/nginx.pid;
events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
    accept_mutex off;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Log format (with request and upstream response times appended)
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$request_time $upstream_response_time';
    # Basic optimisations
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    server_tokens off;
    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block"; # legacy header, ignored by modern browsers
    # Rate limit zones (apply them with limit_req in the relevant locations)
    limit_req_zone $remote_addr zone=login:10m rate=1r/s;
    limit_req_zone $remote_addr zone=api:10m rate=10r/s;
    # Include the site configurations
    include /etc/nginx/conf.d/*.conf;
}
Deployment checklist:
- Sufficient system resources (CPU, memory, disk)
- Firewall and security group rules configured correctly
- SSL certificates valid and renewed automatically
- Monitoring and alerting deployed
- Backup and recovery plan in place
- Log rotation and clean-up policy configured
- Performance baseline testing completed
- Disaster recovery plan verified
8.3 Further Learning
Advanced features:
- Nginx Plus (commercial edition) features
  - Advanced load-balancing algorithms
  - Dynamic configuration API
  - Active health checks
  - Live monitoring dashboard
- Module development
  - Lua scripting (OpenResty)
  - Custom C module development
  - Third-party module integration
- Deeper performance tuning
  - Kernel parameter tuning
  - Network stack tuning
  - Cache strategy optimisation
  - CDN integration
- Advanced security hardening
  - WAF integration (ModSecurity)
  - DDoS protection strategies
  - Zero-trust network architecture
  - Certificate Transparency (CT)
Related technology stacks:
- Containers and orchestration
  - Ingress controllers in Kubernetes
  - Service mesh (Istio/Linkerd)
  - Deployment with Helm charts
- Monitoring and observability
  - Prometheus + Grafana
  - ELK/EFK logging stack
  - Jaeger distributed tracing
  - OpenTelemetry
- Operations automation
  - Automated deployment with Ansible
  - Infrastructure as code with Terraform
  - GitOps workflows
  - CI/CD integration
- Cloud-native architecture
  - Microservice gateways
  - API management platforms
  - Service discovery
  - Configuration management systems
Recommended resources:
- The official documentation
- The Nginx developer guide
- "Nginx高性能Web服务器详解" (Nginx High-Performance Web Server Explained)
- "实战Nginx" (Nginx in Practice)
- NGINX University online courses
Having studied Nginx installation, configuration and management systematically, you should now be able to deploy and maintain Nginx in production. Operations work requires continuous learning and practice: experiment in a test environment, build up experience step by step, and grow into an excellent Linux operations engineer.