

1、worker_processes auto

worker_processes auto; #auto等于物理核心数,也可指定数量,一般小于或等于物理核心数


events {

    worker_connections 1024; #每个worker进程最多同时打开1024个连接;总的最大并发连接数等于worker_processes乘以worker_connections;


(1)、worker_connections number;

  每个worker进程所能够打开的最大并发连接数;总的最大并发连接数为 worker_processes * worker_connections

(2)、use method;

   指明并发连接请求的处理方法;use epoll;

(3)、accept_mutex on | off;




$remote_addr 远程主机地址

$remote_user 远程访问用户

$time_local  本地时间

$request 请求url 报文的起始行

$status 响应码

$body_bytes_sent body的字节数

$http_referer 引用

$http_user_agent 客户端代理用的是什么浏览器访问的

$http_x_forwarded_for 请求头X-Forwarded-For的值,经代理转发时用于记录真正的客户端地址;该请求头可由客户端伪造,只有由受信任的代理设置时才可信


access_log  /var/log/nginx/access.log  main;# 日志存放地址

sendfile            on;#提升性能

keepalive_timeout   65;#保持连接启用

default_type        application/octet-stream;#无法识别类型的文件默认按八位字节流(即二进制数据流)处理


listen       80 default_server;#默认虚拟主机

listen       [::]:80 default_server;#ipv6的端口的默认虚拟主机

server_name  _;#对于默认主机来说,下划线可以匹配所有主机名

root         /usr/share/nginx/html;#默认网页根路径

location / {

        } #个人设置

error_page #错误页

  5、worker_cpu_affinity cpumask ...;

  worker_cpu_affinity auto [cpumask];     

[root@node01 nginx]# vim nginx.conf

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

#worker_cpu_affinity auto;#自己绑定


[root@node01 nginx]# ps axo comm,pid,psr | grep nginx

nginx             4997   0

nginx             4998   3

nginx             4999   2

nginx             5000   0

nginx             5001   1


[root@node01 nginx]# vim nginx.conf

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

worker_cpu_affinity auto;#自己绑定

[root@node01 nginx]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 nginx]# nginx -s reload

[root@node01 nginx]# ps axo comm,pid,psr | grep nginx

nginx             4997   0

nginx             6638   0

nginx             6639   1

nginx             6640   2

nginx             6641   3


[root@node02 ~]# yum install -y httpd-tools

[root@node02 ~]# ab -n 10000 -c 100


[root@node01 nginx]# watch -n.5 'ps axo comm,pid,psr | grep nginx'



[root@node01 nginx]# vim nginx.conf

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

#worker_cpu_affinity auto;

worker_cpu_affinity 1000 0100 0010 0001;

[root@node01 nginx]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 nginx]# nginx -s reload

[root@node01 nginx]# watch -n.5 'ps axo comm,pid,psr | grep nginx'

Every 0.5s: ps axo comm,pid,psr | grep nginx                                                                          Mon Jan 28 14:06:16 2019

nginx             4997   3

nginx             7314   3

nginx             7315   2

nginx             7316   1

nginx             7317   0

 自定义worker_processes数量 自定义绑定cpu     

[root@node01 nginx]# vim nginx.conf

user nginx;

worker_processes 2;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

#worker_cpu_affinity auto;

worker_cpu_affinity 1000 0100;

[root@node01 nginx]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 nginx]# nginx -s reload

[root@node01 nginx]#

[root@node01 nginx]#

[root@node01 nginx]#

[root@node01 nginx]# watch -n.5 'ps axo comm,pid,psr | grep nginx'

Every 0.5s: ps axo comm,pid,psr | grep nginx                                                                          Mon Jan 28 14:12:44 2019

nginx             4997   3

nginx             7962   3

nginx             7963   2

6、 worker_priority number;指定worker进程的nice值,设定worker进程优先级;[-20,20]        

[root@node01 nginx]# vim nginx.conf

user nginx;

worker_processes 2;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

#worker_cpu_affinity auto;

worker_cpu_affinity 1000 0100;

worker_priority -5;

[root@node01 nginx]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 nginx]# nginx -s reload

[root@node01 nginx]# ps axo comm,pid,psr,ni  | grep nginx

nginx             4997   3   0

nginx             8718   3  -5

nginx             8719   2  -5

  7、  worker_rlimit_nofile number;worker进程所能够打开的文件数量上限;

[root@node01 nginx]# vim nginx.conf

user nginx;

worker_processes 2;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

#worker_cpu_affinity auto;

worker_cpu_affinity 1000 0100;

worker_priority -5;

worker_rlimit_nofile 65535;

[root@node01 nginx]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 nginx]# nginx -s reload

 8、   与套接字相关的配置:



[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {


                allow all;



[root@node01 vhost1]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 vhost1]# nginx -s reload


[root@node02 ~]# curl http://www.hehe.com

<h1>Nginx Vhost 1</h1>

[root@node03 ~]# curl http://www.hehe.com


<head><title>403 Forbidden</title></head>

<body bgcolor="white">

<center><h1>403 Forbidden</h1></center>





server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

                root /data/nginx/vhost2;

                allow all;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;




root 和alias的区别

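root 是把请求的完整URI(包括location匹配到的部分)拼接在root指定的路径之后;alias 则是用alias指定的路径替换location匹配到的部分。使用alias时,location和alias路径结尾的斜杠要保持一致(例如都以/结尾),否则可能访问到预期目录之外的文件。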

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                root   /data/pictures/;#匹配的是pictures/下面的images目录



server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                alias   /data/pictures/;#匹配的是pictures/目录



server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                root   /data/pictures/;#匹配的是pictures/下面的images目录


        error_page 404  /notfound.html;

        location = /notfound.html {

                root /data/nginx/error_pages;



[root@node01 ~]# mkdir /data/nginx/error_pages

[root@node01 ~]# vim /data/nginx/error_pages/notfound.html



server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                alias   /data/pictures/;


        error_page 404 =200 /notfound.html;

        location = /notfound.html {

                root /data/nginx/error_pages;





   (1)、keepalive_timeout timeout [header_timeout];


   (2)、keepalive_requests number;


   (3)、keepalive_disable none | browser ...;


   (4)、send_timeout time;


   (5) 、client_body_buffer_size size;


      (1)、limit_rate rate;


      (2) 、limit_except method ... { ... }


                        limit_except GET {


                            deny  all;



        (1)、aio on | off | threads[=pool];是否启用aio功能;

        (2)、directio size | off; 在Linux主机启用O_DIRECT标记,此处意味文件大于等于给定的大小时使用,例如directio 4m;

          (3)、open_file_cache off; open_file_cache max=N [inactive=time];

                            nginx可以缓存以下三种信息: (1) 文件的描述符、文件大小和最近一次的修改时间;(2) 打开的目录结构; (3) 没有找到的或者没有权限访问的文件的相关信息;



13、ngx_http_access_module 访问控制模块



                    (1)、allow address | CIDR | unix: | all;

                    (2)、deny address | CIDR | unix: | all;

                        http, server, location, limit_except



                    (1)、auth_basic string | off;启用HTTP Basic认证并设置提示信息;凭据只经过Base64编码、未加密,应只在HTTPS站点上启用;

                    (2)、auth_basic_user_file file;

                        location /admin/ {

                            alias /webapps/app1/data/;

                            auth_basic "Admin Area";

                            auth_basic_user_file /etc/nginx/.ngxpasswd;




[root@node01 ~]# htpasswd -c -m /etc/nginx/.ngxpasswd tom

New password:

Re-type new password:

Adding password for user tom

[root@node01 ~]# htpasswd  -m /etc/nginx/.ngxpasswd jerry

New password:

Re-type new password:

Adding password for user jerry

[root@node01 ~]# cat /etc/nginx/.ngxpasswd



[root@node01 ~]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~* ^/(admin|login) {

                auth_basic "admin area or login url";

                auth_basic_user_file  /etc/nginx/.ngxpasswd;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                alias   /data/pictures/;


        error_page 404 =200 /notfound.html;

        location = /notfound.html {

                root /data/nginx/error_pages;



[root@node01 ~]# mkdir /data/nginx/vhost1/admin

[root@node01 ~]# vim  /data/nginx/vhost1/admin/index.html

[root@node01 ~]# more   /data/nginx/vhost1/admin/index.html

<h1>Admin Area</h1>

[root@node01 ~]#

[root@node01 ~]#

[root@node01 ~]#

[root@node01 ~]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 ~]# nginx -s reload



                    Active connections: 活动状态的连接数;








[root@node01 ~]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~* ^/(admin|login) {

                auth_basic "admin area or login url";

                auth_basic_user_file  /etc/nginx/.ngxpasswd;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                alias   /data/pictures/;


        error_page 404 =200 /notfound.html;

        location = /notfound.html {

                root /data/nginx/error_pages;


        location /ngxstatus {




[root@node01 ~]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 ~]# nginx -s reload

[root@node01 ~]# curl http://www.hehe.com/ngxstatus

Active connections: 2

server accepts handled requests

2 2 4

Reading: 0 Writing: 1 Waiting: 1



[root@node01 ~]# vim   /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        access_log /var/log/nginx/vhost1_access.log main;

        location / {

        #       root /data/nginx/vhost2;

                allow all;


        location ~* ^/(admin|login) {

                auth_basic "admin area or login url";

                auth_basic_user_file  /etc/nginx/.ngxpasswd;


        location ~*  \.(jpg|jpeg|jfif)$ {


                allow all;


        location ^~ /images/ {

                alias   /data/pictures/;


        error_page 404 =200 /notfound.html;

        location = /notfound.html {

                root /data/nginx/error_pages;


        location /ngxstatus {


                access_log off;



[root@node01 ~]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 ~]# nginx -s reload

[root@node01 ~]# tail -f /var/log/nginx/

access.log              access.log-20190128.gz  error.log               error.log-20190128.gz   vhost1_access.log

[root@node01 ~]# tail -f /var/log/nginx/vhost1_access.log - - [28/Jan/2019:19:29:15 +0800] "GET /images/test001.jpg HTTP/1.1" 200 12931 "-" "curl/7.29.0" "-"




[root@node01 ~]# vim   /etc/nginx/nginx.conf

[root@node01 ~]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 ~]# nginx -s reload

[root@node01 nginx]# cp nginx.conf /data/nginx/vhost1/nginx.html





[root@node02 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Beijing

Locality Name (eg, city) [Default City]:Beijing

Organization Name (eg, company) [Default Company Ltd]:heheda

Organizational Unit Name (eg, section) []:devops

Common Name (eg, your name or your server's hostname) []:node02.hehe.com

Email Address []:

[root@node02 CA]# ls

cacert.pem  certs  crl  newcerts  private

[root@node02 CA]# touch index.txt

[root@node02 CA]# echo 01 > serial

[root@node02 CA]# ll

总用量 8

-rw-r--r--  1 root root 1334 1月  29 10:41 cacert.pem

drwxr-xr-x. 2 root root    6 4月  11 2018 certs

drwxr-xr-x. 2 root root    6 4月  11 2018 crl

-rw-r--r--  1 root root    0 1月  29 10:41 index.txt

drwxr-xr-x. 2 root root    6 4月  11 2018 newcerts

drwx------. 2 root root   23 1月  29 10:38 private

-rw-r--r--  1 root root    3 1月  29 10:41 serial


[root@node01 nginx]# mkdir /etc/nginx/ssl

[root@node01 nginx]# cd /etc/nginx/ssl/

[root@node01 ssl]#

[root@node01 ssl]#

[root@node01 ssl]# ls

[root@node01 ssl]# (umask 077; openssl genrsa -out nginx.key 2048)

Generating RSA private key, 2048 bit long modulus



e is 65537 (0x10001)

[root@node01 ssl]# ls


[root@node01 ssl]# openssl req -new -key nginx.key -out nginx.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Beijing

Locality Name (eg, city) [Default City]:Beijing

Organization Name (eg, company) [Default Company Ltd]:heheda

Organizational Unit Name (eg, section) []:devops

Common Name (eg, your name or your server's hostname) []:node01.hehe.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@node01 ssl]# ll

总用量 8

-rw-r--r-- 1 root root 1013 1月  29 13:21 nginx.csr

-rw------- 1 root root 1675 1月  29 10:42 nginx.key


[root@node01 ssl]# scp nginx.csr node02:/tmp/

The authenticity of host 'node02 (' can't be established.

ECDSA key fingerprint is SHA256:tMT8xiLAjrhvRkah4txBY1OVsq4KZzdK+mW9G7LK/ZU.

ECDSA key fingerprint is MD5:e2:c3:6d:0d:d8:5e:05:94:dc:9e:9e:4f:87:de:8d:68.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'node02,' (ECDSA) to the list of known hosts.

root@node02's password:

nginx.csr                                                                                                   100% 1013   657.2KB/s   00:00

[root@node02 CA]# openssl ca -in /tmp/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)


            Not Before: Jan 29 05:26:21 2019 GMT

            Not After : Jan 29 05:26:21 2020 GMT


            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = heheda

            organizationalUnitName    = devops

            commonName                = node01.hehe.com

        X509v3 extensions:

            X509v3 Basic Constraints:


            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:


            X509v3 Authority Key Identifier:


Certificate is to be certified until Jan 29 05:26:21 2020 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@node02 CA]# ls

cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old

[root@node02 CA]# cd newcerts/

[root@node02 newcerts]# ls


[root@node02 newcerts]# cd ..

[root@node02 CA]# ls

cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old

[root@node02 CA]# ll certs/

总用量 8

-rw-r--r-- 1 root root 4480 1月  29 13:26 nginx.crt

[root@node02 CA]# scp certs/nginx.crt node01:/etc/nginx/ssl/

The authenticity of host 'node01 (' can't be established.

ECDSA key fingerprint is SHA256:0VrA1bIJY59rAo4HPYPuI9OBPgzS3mmmVZ4Erhkvs/I.

ECDSA key fingerprint is MD5:d3:ca:de:bf:b3:ad:38:25:71:e6:d6:07:5b:c9:7a:17.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'node01,' (ECDSA) to the list of known hosts.

root@node01's password:

Permission denied, please try again.

root@node01's password:

nginx.crt                                                                                                   100% 4480     3.9MB/s   00:00


[root@node01 nginx]# cp conf.d/vhost1.conf conf.d/vhost1_ssl.conf

[root@node01 nginx]# vim conf.d/vhost1_ssl.conf

server {

        listen 443 ssl;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        ssl on;

        ssl_certificate /etc/nginx/ssl/nginx.crt;

        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        ssl_protocols sslv3 TLSv1 tlsv1.1 tlsv1.2;

        ssl_session_cache shared:SSL:10m;


[root@node01 nginx]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 nginx]# nginx -s reload

[root@node01 nginx]# ss -tnl

State      Recv-Q Send-Q                          Local Address:Port                                         Peer Address:Port

LISTEN     0      128                                         *:111                                                     *:*

LISTEN     0      128                                         *:80                                                      *:*

LISTEN     0      128                                         *:22                                                      *:*

LISTEN     0      100                                                                             *:*

LISTEN     0      128                                         *:443                                                     *:*

LISTEN     0      128                                        :::111                                                    :::*

LISTEN     0      128                                        :::80                                                     :::*

LISTEN     0      128                                        :::22                                                     :::*

LISTEN     0      100                                       ::1:25                                                     :::*




rewrite *.png --> *.jpg

[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        rewrite  /(.*)\.png$ /$1.jpg;


[root@node01 vhost1]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 vhost1]# nginx -s reload


示例02:rewrite http-->https

[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        rewrite /(.*)$ https://www.hehe.com/$1;


[root@node01 vhost1]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 vhost1]# nginx -s reload


示例03:rewrite  多个rewrite

[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        rewrite  /(.*)\.png$ http://www.hehe.com/$1.jpg;

        rewrite /(.*)$ https://www.hehe.com/$1;


[root@node01 vhost1]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 vhost1]# nginx -s reload


示例04:rewrite redirect

[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        rewrite /(.*).png$  /$1.jpg redirect;


[root@node01 vhost1]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 vhost1]# nginx -s reload


示例05: rewrite  permanent

[root@node01 vhost1]# vim /etc/nginx/conf.d/vhost1.conf

server {

        listen 80;

        server_name www.hehe.com;

        root /data/nginx/vhost1;

        #rewrite  /(.*)\.png$ /$1.jpg;

        #rewrite  /(.*)\.png$ http://www.hehe.com/$1.jpg;

        #rewrite /(.*)$ https://www.hehe.com/$1;

        #rewrite /(.*).png$  /$1.jpg;

        #rewrite /(.*).png$  /$1.jpg redirect;

        rewrite /(.*).png$  /$1.jpg permanent;


[root@node01 vhost1]# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@node01 vhost1]# nginx -s reload



         (1)、valid_referers none | blocked | server_names | string ...;






                    regular expression:被指定的正则表达式模式匹配到的字符串;要使用~打头,例如 ~.*\.magedu\.com;


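# "blocked" (not "block") is the keyword listed in the syntax above; a bare
# "block" would be treated as a hostname to match. Each pattern must be its
# own space-separated argument.
# NOTE: the Referer header is client-supplied, so this check only limits
# casual hotlinking and is not an access-control mechanism.
valid_referers none blocked server_names *.magedu.com *.mageedu.com magedu.* mageedu.* ~\.magedu\.;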

                    if($invalid_referer) {



