
Nginx負載均衡+代理+ssl+壓力測試

一、Tomcat安裝
1.下載jdk,Tomcat,解壓到/usr/local/
2.配置jdk環境:# vim /etc/profile
export JAVA_HOME=/usr/local/jdk1.8.0_171
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH
# source /etc/profile
3.修改Tomcat首頁:# cd /usr/local/apache-tomcat-8.0.1/webapps/
# rm -rf !(ROOT)      #!(ROOT) 依賴 bash 的 extglob(shopt -s extglob);執行前先確認 cd 成功、當前目錄確為 webapps
# rm -rf ROOT/*
# echo "192.168.11.199" >ROOT/index.html
4.啟動Tomcat

二、nginx安裝
1.下載原始碼包,解壓到/usr/local/
2.安裝編譯依賴:# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
3.編譯:# ./configure --prefix=/opt/nginx --sbin-path=/usr/bin/nginx --with-http_ssl_module
4.安裝:# make && make install
5.啟動:# nginx

三、負載均衡
1.ssl認證
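私鑰:# openssl genrsa -des3 -out jason.key 1024      #1024 位 RSA 強度已不足,實際部署時請把 1024 換成 2048 或更高
證書簽名請求(CSR):# openssl req -new -key jason.key -out jason.csr
去除訪問密碼:# openssl rsa -in jason.key -out jason-np.key      #得到的 jason-np.key 是未加密的私鑰,應設為僅 root 可讀(chmod 600)
自簽名證書(內含公鑰,瀏覽器不信任,僅適合測試):# openssl x509 -req -days 366 -in jason.csr -signkey jason-np.key -out jason.crt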

2.修改nginx配置檔案:# vim /opt/nginx/conf/nginx.conf
# Global settings
# A single worker process is started. The master process writes its PID to the
# file below; the log-rotation script on this page reads the same path.
worker_processes 1;
pid /var/run/nginx.pid;
# Upper bound on open file descriptors for each worker process.
worker_rlimit_nofile 65535;

# events settings
events {
use epoll;                 # epoll connection-processing method (Linux)
accept_mutex on;           # workers take turns accepting new connections
multi_accept on;           # a worker accepts all pending connections at once
worker_connections 1024;   # max simultaneous connections per worker; proxied requests also use a backend connection
}

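# HTTP settings: TLS termination on 443 in front of a weighted Tomcat upstream,
# plus two plain-HTTP static servers on ports 70 and 71.
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    tcp_nopush on;
    tcp_nodelay on;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 64k;
    client_max_body_size 8m;
    server_tokens off;      # hide the nginx version in the Server header and error pages

    # NOTE(review): no proxy_cache zone is configured in this file, so
    # proxy_cache_key and proxy_ignore_headers have no effect yet. If caching is
    # enabled later, ignoring Set-Cookie and Cache-Control lets per-user
    # responses be stored under a key that contains no cookie or session value
    # and then served to other clients; remove those two names before turning
    # caching on.
    proxy_cache_key '$host:$server_port$request_uri';
    proxy_temp_file_write_size 64k;
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;

    # No fastcgi_pass appears in this file, so the fastcgi_* settings are not
    # used by the servers below. fastcgi_intercept_errors applies to FastCGI
    # responses only; proxy_intercept_errors is the proxy_pass counterpart.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;    # let error_page handle FastCGI error responses

    # Access-log line format.
    # NOTE(review): $request_body writes request bodies (login forms, tokens)
    # into access.log in clear text. Drop it unless the data is needed and the
    # log files are access-controlled.
    # $http_x_forwarded_for is a client-supplied header and can be forged;
    # $remote_addr is the address of the actual peer.
    log_format main '$remote_addr - $remote_user [$time_local] requesthost:"$http_host"; "$request" requesttime:"$request_time"; '
    '$status $body_bytes_sent "$http_referer" - $request_body'
    '"$http_user_agent" "$http_x_forwarded_for"';
    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log main;      # access log uses the "main" format above

    gzip on;        # compress responses to reduce transfer size
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;

    # Weighted round-robin: the second backend receives twice as many requests.
    upstream tomcat_server {
        server 192.168.11.199:8080 weight=1;
        server 192.168.11.196:8080 weight=2;
    }

    server {
        # "listen ... ssl" replaces the separate "ssl on;" directive, which is
        # deprecated in newer nginx releases.
        listen 443 ssl;
        server_name 192.168.11.199;

        # NOTE(review): the openssl step on this page writes jason.crt and
        # jason-np.key; these paths assume the files were copied to
        # /opt/nginx/ssl/ under the names below. Confirm before starting nginx.
        ssl_certificate /opt/nginx/ssl/nginx.crt;        # certificate (contains the public key)
        ssl_certificate_key /opt/nginx/ssl/nginx.key;    # private key; keep readable by root only
        ssl_session_timeout 5m;
        # Restrict to TLS 1.2 instead of relying on the build's default list.
        # Add TLSv1.3 when running nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
        ssl_protocols TLSv1.2;

        location / {
            # Pass the original host, client address and scheme to Tomcat.
            # Without these the backend sees only the upstream name and the
            # proxy's own address. TLS ends here; traffic to Tomcat is plain HTTP.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://tomcat_server;        # load-balance across the upstream
        }
    }

    # Plain-HTTP static site on port 70.
    server {
        listen 70;
        root html;
        index index.html index.htm;
    }

    # Plain-HTTP static site on port 71 with custom error pages.
    server {
        listen 71;
        root html;
        index index.html;
        error_page 404 = /404.html;
        error_page 500 502 503 504 = /50x.html;
    }
}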

3.編寫日誌分割指令碼
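#!/bin/bash
# Rotates the Nginx access.log and error.log.
# Intended to run every day at 00:00: yesterday's access.log is renamed to
# access-YYYY-MM-DD.log (same for error.log) and Nginx is told to reopen its
# log files.

# Directory holding the Nginx log files (trailing slash is relied on below).
LOG_PATH=/var/log/nginx/
# Yesterday's date, used as the suffix of the rotated files.
YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
# Path of the Nginx pid file.
PID=/var/run/nginx.pid

# Rename the current logs. All expansions are quoted so an unexpected value
# cannot be word-split or glob-expanded when the script runs as root.
for name in access error; do
    src="${LOG_PATH}${name}.log"
    if [ -f "$src" ]; then
        mv -- "$src" "${LOG_PATH}${name}-${YESTERDAY}.log"
    else
        echo "log_cut: $src not found, skipping" >&2
    fi
done

# Send USR1 to the Nginx master process so it reopens its log files.
# An empty or missing pid file would otherwise make kill run with no target.
if [ -s "$PID" ]; then
    kill -USR1 "$(cat "$PID")"
else
    echo "log_cut: pid file $PID is missing or empty; logs were renamed but Nginx was not signalled" >&2
    exit 1
fi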
賦予指令碼執行許可權:# chmod +x /opt/nginx/conf/log_cut.sh



4.相關測試
1.gzip壓縮測試:# curl -I -H "Accept-Encoding: gzip, deflate" "192.168.11.199"
2.nginx版本號:F12檢視頁面
3.日誌分割:# ll /var/log/nginx
4.日誌輸出格式:# tail -f /var/log/nginx/access-2018-11-08.log
5.錯誤頁面:http://192.168.11.199:71/djkf

5.壓力測試(ApacheBench):# yum -y install httpd-tools
關閉ssl認證測試:
# ab -c 500 -n 20000 http://192.168.11.199:80/index.html #一次500併發,請求總數為20000
Concurrency Level: 500         #一次請求量
Time taken for tests: 10.484 seconds      #耗時
Complete requests: 20000    #完成請求
Failed requests: 6666      #請求失敗(恰為總數的 1/3,與 upstream 權重 1:2 吻合;ab 會把回應長度與首個回應不同的請求計為失敗,可能並非真實錯誤,需對照完整輸出中的 Length 計數確認)

開啟ssl認證測試:
# ab -c 500 -n 20000 https://192.168.11.199:443/index.html
Concurrency Level: 500
Time taken for tests: 27.011 seconds
Complete requests: 20000
Failed requests: 6667

6.nginx調優:
1.worker_rlimit_nofile 65535;       #檔案開啟數量
worker_connections 65535;       #單個程序最大連線數
sendfile on;             #開啟高效檔案傳輸模式
tcp_nopush on;           #防止網路阻塞
fastcgi_connect_timeout 600;      #指定連線到後端FastCGI的超時時間。
fastcgi_send_timeout 600;        #向FastCGI傳送請求的超時時間。
fastcgi_read_timeout 600;        #指定接收FastCGI應答的超時時間。

7.系統層面
1.檔案資源限制的配置:# vim /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
#logout重新登入檢視# ulimit -n
2.核心引數:# vim /etc/sysctl.conf(下列行尾的說明僅供閱讀;sysctl.conf 只把以 # 或 ; 開頭的整行當作註釋,寫入檔案時請去掉行尾說明或另起一行)
net.ipv4.ip_forward = 0         #禁用 IPv4 包轉送
net.ipv4.conf.default.rp_filter = 1     #啟用反向路徑過濾(嚴格模式),校驗資料包源地址以防 IP 欺騙
net.ipv4.conf.default.accept_source_route = 0   #禁用所有IP源路由
kernel.sysrq = 0             #禁用SysRq(組合鍵)功能
kernel.core_uses_pid = 1         #控制core檔案的檔名中是否新增pid作為擴充套件
net.ipv4.tcp_syncookies = 1        #開啟 SYN Cookies,緩解 SYN Flood 攻擊。原文此處標紅了四行(格式已丟失),一般是發現大量TIME_WAIT時的解決辦法
kernel.msgmnb = 65536       #每個訊息佇列的最大位元組限制。
kernel.msgmax = 65536       #單個訊息的最大位元組數
kernel.shmmax = 68719476736        #定義單個共享記憶體段的最大值
kernel.shmall = 4294967296        #控制共享記憶體頁數
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1         #啟用有選擇的應答
net.ipv4.tcp_window_scaling = 1        #設定tcp/ip會話的滑動視窗大小是否可變
net.ipv4.tcp_rmem = 4096 87380 4194304        #為每個TCP連線分配的讀(接收)緩衝區記憶體大小:最小、預設、最大
net.ipv4.tcp_wmem = 4096 16384 4194304        #為每個TCP連線分配的寫(傳送)緩衝區記憶體大小:最小、預設、最大
net.core.wmem_default = 8388608       # 傳送套接字緩衝區大小的預設值
net.core.rmem_default = 8388608        #接收套接字緩衝區大小的預設值
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144      #每個網路介面接收資料包的速率比核心處理這些包的速率快時,允許送到佇列的資料包的最大數目
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 1       //#開啟TCP時間戳,這個選擇最好加上
net.ipv4.tcp_synack_retries = 1        #服務端收到 SYN 後重發 SYN+ACK 的次數
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1       //開啟此功能可以減少TIME-WAIT狀態,但是NAT網路模式下開啟有可能會導致tcp連線錯誤,慎重;面向公網的負載均衡器(客戶端多在 NAT 之後)不建議開啟。該引數已在 Linux 4.12 核心中移除,新核心上 sysctl -p 會對此行報錯。
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 6553500       #舊核心的鍵名;較新核心上對應 net.netfilter.nf_conntrack_max,且需先載入 nf_conntrack 模組,否則 sysctl -p 會報錯,請按實際核心確認
# sysctl -p