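Lesson 22: LNMP (Part 3)

Contents

I. Nginx load balancing

II. How SSL works

III. Generating an SSL key pair

IV. Configuring SSL in Nginx

V. php-fpm pools

VI. php-fpm slow log

VII. open_basedir

VIII. php-fpm process management

IX. Further reading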

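I. Nginx load balancing

Nginx load balancing is set up as follows.

1. Add a configuration file proxy.conf under vhost

[root@bogon ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
// Add the following content
# upstream defines the list of back-end servers
upstream qq_com
{
ip_hash;
# Note: load balancing of SSL connections, i.e. on port 443, cannot be done this way.
# The server IPs are the real IPs of the www.qq.com servers, which can be obtained with the dig command.
# To install dig: yum -y install bind-utils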
server 111.161.64.40:80;
server 111.161.64.48:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
// Before the configuration is reloaded, a test request for www.qq.com returns the default site, bbb.com
[root@bogon ~]# curl -x127.0.0.1:80 www.qq.com
I am bbb.com
// Reload the configuration file
[root@bogon ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@bogon ~]# /usr/local/nginx/sbin/nginx -s reload
// Test www.qq.com again: the response is now the source of the real www.qq.com home page, which shows that the proxy is working.
[root@bogon ~]# curl -x127.0.0.1:80 www.qq.com
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="baidu-site-verification" content="cNitg6enc2">
<title>͚Ѷ˗ҳ</title>
... (middle omitted) ...
s.parentNode.insertBefore(mta, s);
})();
</script>
</body>
</html><!--[if !IE]>|xGv00|f7b3dea4efd93bda0aee0db548e81e53<![endif]-->[root@bogon ~]#

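II. How SSL works

How SSL works is shown in the figure below.

The process is as follows:

1. The client sends an HTTPS request to the server.

2. The server needs its own digital certificate (it can be requested, for a fee, from a certificate authority trusted on the Internet; you can also generate the certificate yourself, but browsers will not trust it, so the client has to accept it explicitly before access can continue).

3. After receiving the HTTPS request, the server sends its public key to the client.

4. The client browser validates the public key it receives. If the certificate is invalid, it shows a warning. If the certificate is valid, it generates a random string and encrypts it with the received public key.

5. The client sends the encrypted random string back to the server. The server decrypts it with its private key to obtain the random string, and then uses this random string to encrypt the data it transmits. (This is symmetric encryption: the server encrypts and the client decrypts with the same key, namely the random string.)

6. The server sends the encrypted data to the client, which decrypts it with the same key (the random string).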

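III. Generating an SSL key pair

Because certificates from a trusted certificate authority cost money and this is only a test environment, we can generate our own certificate by hand.

The process is as follows.

1. Generating a certificate requires the openssl package; if it is missing, install it with yum

[root@localhost ~]# yum -y install openssl

2. Generate the key pair

[root@localhost ~]# cd /usr/local/nginx/conf/
// Generate the private key tmp.key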
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 2048 bit long modulus
........................+++
...+++
e is 65537 (0x10001)
// A passphrase must be entered here, otherwise the command will not proceed
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
// Convert the key to remove the passphrase
[root@localhost conf]# openssl rsa -in tmp.key -out user01.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key
// Generate the certificate signing request; this file and the private key are used together to generate the public key
[root@localhost conf]# openssl req -new -key user01.key -out user01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:jieyang
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:authtest.com
Email Address []:kennminn@129.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
// Generate the public key (certificate) named user01.crt
[root@localhost conf]# openssl x509 -req -days 365 -in user01.csr -signkey user01.key -out user01.crt
Signature ok
subject=/C=86/ST=guangdong/L=jieyang/O=Default Company Ltd/CN=authtest.com/emailAddress=kennminn@129.com
Getting Private key
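
The script below is an added example, not part of the original lesson: it repeats the key and certificate steps above without prompts, checks that the certificate matches the key, and then walks through steps 3 to 6 of the SSL description with those files. The temporary directory, the message text and the choice of OAEP padding and AES-256-CBC are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original lesson. File names follow the page
# (user01.key/.csr/.crt); the temp directory and message are constructed.
set -eu

# Key pair and self-signed certificate, without interactive prompts.
make_self_signed() {            # $1 = output directory, $2 = Common Name
    # The page strips the passphrase, so the key sits on disk unencrypted:
    # create it with owner-only permissions.
    ( umask 077; openssl genrsa -out "$1/user01.key" 2048 2>/dev/null )
    openssl req -new -key "$1/user01.key" -subj "/CN=$2" -out "$1/user01.csr"
    openssl x509 -req -days 365 -in "$1/user01.csr" \
        -signkey "$1/user01.key" -out "$1/user01.crt" 2>/dev/null
}

# True when the certificate carries the public half of the private key.
cert_matches_key() {            # $1 = directory
    [ "$(openssl x509 -in "$1/user01.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/user01.key" -pubout)" ]
}

# Steps 3-6 of the walkthrough; prints what the client ends up decrypting.
handshake_demo() {              # $1 = directory, $2 = data the server sends
    # 3. The server hands out its public key (it travels in the certificate).
    openssl x509 -in "$1/user01.crt" -noout -pubkey > "$1/server.pub"
    # 4. The client makes a random string and encrypts it with that key.
    openssl rand -hex 32 > "$1/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/client.secret" -out "$1/secret.enc"
    # 5. The server recovers the string with its private key ...
    openssl pkeyutl -decrypt -inkey "$1/user01.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/secret.enc" -out "$1/server.secret"
    #    ... and uses it as the symmetric key for the data it sends.
    iv=$(openssl rand -hex 16)
    printf '%s' "$2" | openssl enc -aes-256-cbc -iv "$iv" \
        -K "$(cat "$1/server.secret")" -out "$1/data.enc"
    # 6. The client decrypts with its own copy of the same string.
    openssl enc -d -aes-256-cbc -iv "$iv" \
        -K "$(cat "$1/client.secret")" -in "$1/data.enc"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_self_signed "$workdir" authtest.com
cert_matches_key "$workdir" && echo "certificate matches private key"
ls -l "$workdir/user01.key" | cut -c1-10
echo "client decrypted: $(handshake_demo "$workdir" 'hello from authtest.com')"
```
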

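IV. Configuring SSL in Nginx

Here authtest.com is used as the example: SSL access is configured with the self-issued certificate.

1. First check whether nginx was compiled with SSL support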

[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
// If --with-http_ssl_module is missing, nginx has to be recompiled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

2. Add the configuration file ssl.conf

[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
// Content as follows
server
{
listen 443;
server_name authtest.com;
index index.html index.php;
root /usr/local/nginx/html/authtest.com;
ssl on;
ssl_certificate user01.crt;
ssl_certificate_key user01.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload
// Allow access to port 443 through the firewall
[root@localhost conf]# firewall-cmd --zone=public --add-port=443/tcp
success
[root@localhost conf]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
// Local test
// Add a local hosts entry
[root@localhost conf]# echo "127.0.0.1 authtest.com" >> /etc/hosts
[root@localhost conf]# cat !$
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 authtest.com
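// Verification: the site is reached, but the certificate is reported as untrusted, because a self-issued certificate is not trusted by browsers and other user agents.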
[root@localhost conf]# curl https://authtest.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Remote browser test
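
The check below is an added example, not part of the original lesson: it reads an nginx server block and reports the two settings in the ssl.conf above that have since been deprecated, TLS 1.0/1.1 (RFC 8996) and the "ssl on;" directive. audit_tls_vhost is a hypothetical helper name, and the hardened vhost is one possible corrected version, written here as an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original lesson. audit_tls_vhost is a
# hypothetical helper name; the hardened config is constructed here.
set -eu

audit_tls_vhost() {             # nginx server block on stdin, findings on stdout
    awk '
    { sub(/#.*/, "") }          # ignore nginx comments
    $1 == "ssl_protocols" {
        have_protocols = 1
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                print "ssl_protocols enables " p ", a deprecated protocol version"
        }
    }
    $1 == "ssl" && $2 ~ /^on;?$/ {
        print "\"ssl on;\" is deprecated, use the ssl parameter of listen"
    }
    END {
        if (!have_protocols)
            print "no ssl_protocols line, the default of the nginx build applies"
    }'
}

page_vhost() {                  # the ssl.conf shown on this page
cat <<'EOF'
server
{
listen 443;
server_name authtest.com;
index index.html index.php;
root /usr/local/nginx/html/authtest.com;
ssl on;
ssl_certificate user01.crt;
ssl_certificate_key user01.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

hardened_vhost() {              # assumption: one possible corrected version
cat <<'EOF'
server
{
listen 443 ssl;
server_name authtest.com;
index index.html index.php;
root /usr/local/nginx/html/authtest.com;
ssl_certificate user01.crt;
ssl_certificate_key user01.key;
# TLSv1.3 would need nginx built against OpenSSL 1.1.1 or later;
# the build shown on this page uses 1.0.2k, so TLSv1.2 is the ceiling.
ssl_protocols TLSv1.2;
}
EOF
}

echo "== page config ==";     page_vhost | audit_tls_vhost
echo "== hardened config =="; hardened_vhost | audit_tls_vhost
```
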

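V. php-fpm pools

php-fpm pools can be configured to isolate different virtual hosts from each other.

Here bbb.com and authtest.com are put into separate php-fpm pools.

The process is as follows.

1. Edit php-fpm.conf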

[root@localhost conf]# vim /usr/local/php-fpm/etc/php-fpm.conf
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
;listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
; Add the new authtest pool
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@localhost conf]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 02:45:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost conf]# /etc/init.d/php-fpm restart
[root@localhost ~]# ps aux | grep php-fpm
root 1905 0.0 0.4 227308 4964 ? Ss 02:46 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1906 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1907 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1908 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1909 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1910 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1911 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1912 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1913 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1914 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1915 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1916 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1917 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1918 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1919 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1920 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1921 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1922 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1923 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1924 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1925 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1926 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1927 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1928 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1929 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1930 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1931 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1932 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1933 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1934 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1935 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1936 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1937 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1938 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1939 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1940 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1941 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1942 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1943 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1944 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1945 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
root 2012 0.0 0.0 112664 980 pts/1 S+ 02:49 0:00 grep --color=auto php-fpm

2. Edit the authtest.com.conf configuration file so that it uses the authtest pool

location ~ \.php$
{
include fastcgi_params;
# Change the socket to the one of the authtest pool
fastcgi_pass unix:/tmp/authtest.sock;
# fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/authtest.com$fastcgi_script_name;
}

3. Edit the aaa.com.conf configuration file so that bbb.com uses the www pool

location ~ \.php$
{
include fastcgi_params;
# Change to the socket of the www pool
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/bbb.com$fastcgi_script_name;
}

4. Reload the configuration and verify

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# ps aux | grep php-fpm
[root@localhost ~]# ps aux | grep php-fpm | grep -v 'grep'
root 1905 0.0 0.4 227308 4964 ? Ss 02:46 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1906 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1907 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1908 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1909 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1910 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1911 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1912 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1913 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1914 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1915 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1916 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1917 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1918 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1919 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1920 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1921 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1922 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1923 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1924 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1925 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1926 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1927 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1928 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1929 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1930 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1931 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1932 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1933 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1934 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1935 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1936 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1937 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1938 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1939 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1940 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1941 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1942 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1943 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1944 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1945 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest

php-fpm pool definitions can also be laid out the way nginx configuration files are, with the global configuration kept separate from the individual virtual hosts.

// Edit /usr/local/php-fpm/etc/php-fpm.conf
vim /usr/local/php-fpm/etc/php-fpm.conf
// Remove the pool definitions from php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
; Add this line
include=etc/php-fpm.d/*.conf
// Create php-fpm.d/www.conf
[root@localhost ~]# mkdir /usr/local/php-fpm/etc/php-fpm.d
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf
// Add the following content
[www]
listen = /tmp/php-fcgi.sock
;listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
// Create php-fpm.d/authtest.conf
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
// Add the following content
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 03:24:28] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost php-fpm]# ps aux | grep php-fpm | grep -v 'grep'
root 2736 0.2 0.4 227336 4976 ? Ss 03:25 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 2737 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2738 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2739 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2740 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2741 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2742 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2743 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2744 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2745 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2746 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2747 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2748 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2749 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2750 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2751 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2752 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2753 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2754 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2755 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2756 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2757 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2758 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2759 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2760 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2761 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2762 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2763 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2764 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2765 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2766 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2767 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2768 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2769 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2770 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2771 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2772 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2773 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2774 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2775 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2776 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www

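VI. php-fpm slow log

Sometimes PHP executes slowly and we want to find out why; this can be done by configuring php-fpm's slow-log feature.

Demonstrated with the authtest pool.

1. Edit authtest.conf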

[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
; Add the following two lines
; request_slowlog_timeout is usually set to 2 seconds; the value here is only for testing
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 03:41:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
// Because listen = /tmp/authtest.sock is the socket used by authtest.com,
// create the test script in the authtest.com virtual host
[root@localhost conf]# vim /usr/local/nginx/html/authtest.com/sleep.php
<?php echo "test slow log";
sleep(2);
echo "done";
?>
[root@localhost conf]# curl authtest.com/sleep.php
test slow logdone
// The log records that line 2 of sleep.php was slow: it is a sleep() call that sleeps for 2 seconds
[root@localhost conf]# tail /usr/local/php-fpm/var/log/www-slow.log
[06-Jul-2018 03:47:22] [pool authtest] pid 2860
script_filename = /usr/local/nginx/html/authtest.com/sleep.php
[0x00007f6e4ad77278] sleep() /usr/local/nginx/html/authtest.com/sleep.php:2

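VII. open_basedir

With nginx, php-fpm's open_basedir feature can likewise be used to isolate virtual hosts from each other and improve security.

There are two ways to define open_basedir: in php.ini, or in the virtual host's configuration file. Defining it in php.ini is inflexible, so it is normally defined in the virtual host's configuration file.

Here open_basedir is configured for the authtest.com virtual host.

// Edit authtest.conf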
[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
; Add the following line. The basedir must be defined correctly, otherwise requests fail, as demonstrated below.
php_admin_value[open_basedir]=/usr/local/nginx/html/authtest.com:/tmp/
[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 04:25:11] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
// Access works normally at this point
[root@localhost php-fpm]# curl authtest.com/sleep.php
test slow logdone
[root@localhost php-fpm]#
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
// If the basedir is misconfigured: here the fault is introduced by changing authtest.com to bbb.com
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/
[root@localhost php-fpm]# curl authtest.com/sleep.php
No input file specified.
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 08:34:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

To locate the cause of the error, enable PHP's error log.

[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php.ini
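; In production turn display_errors off; while debugging it can be turned on so that errors appear directly in the browser
display_errors = Off
; Add the location where error_log is saved
error_log = /usr/local/php-fpm/var/log/error.log
; Set the logging level to everything
error_reporting = E_ALL
// Set the permissions of /usr/local/php-fpm/var/log/error.log to 666
// Test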
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 09:59:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
// The log clearly shows the open_basedir restriction taking effect: the authtest.com path is not among the allowed paths
[06-Jul-2018 09:57:25 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/nginx/html/authtest.com/sleep.php) is not within the allowed path(s): (/usr/local/nginx/html/bbb.com:/tmp/) in Unknown on line 0
[06-Jul-2018 09:57:25 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[06-Jul-2018 09:59:45 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/nginx/html/authtest.com/sleep.php) is not within the allowed path(s): (/usr/local/nginx/html/bbb.com:/tmp/) in Unknown on line 0
[06-Jul-2018 09:59:45 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
// Note: /usr/local/php-fpm/var/log/error.log needs permissions of 666 or above; otherwise the error returned during the test is 403 Forbidden
// Log
[06-Jul-2018 09:38:12 UTC] PHP Deprecated: Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
[06-Jul-2018 09:38:26 UTC] PHP Deprecated: Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
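
The audit below is an added example, not part of the original lesson: it reads pool definitions like the ones in the pool and open_basedir sections and reports three things that weaken the isolation they are meant to provide (a socket every local user can write to, a pool without open_basedir, and pools sharing one account). audit_pools and sample_pools are hypothetical names, and the sample input is a constructed, shortened copy of the www and authtest pools from this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original lesson. audit_pools and sample_pools
# are hypothetical names; the sample is a shortened copy of the page's pools.
set -eu

audit_pools() {                 # pool definitions on stdin, one finding per line
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^\[[^]]+\]/ {                                 # [pool-name] header
        pool = substr($0, 2, index($0, "]") - 2)
        if (pool != "global") order[++n] = pool
        next
    }
    pool != "" && pool != "global" && index($0, "=") {
        key = trim(substr($0, 1, index($0, "=") - 1))
        val = trim(substr($0, index($0, "=") + 1))
        conf[pool, key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            # A last octal digit with the write bit set lets any local
            # account connect to the socket and submit FastCGI requests.
            if (conf[p, "listen.mode"] ~ /[2367]$/)
                print p ": socket " conf[p, "listen"] \
                      " is writable by every local user (listen.mode = " \
                      conf[p, "listen.mode"] ")"
            if (!((p, "php_admin_value[open_basedir]") in conf))
                print p ": no open_basedir in the pool definition"
            # Pools under one account are separated by open_basedir only,
            # not by file-system permissions.
            u = conf[p, "user"]
            if (u in seen)
                print p ": runs as \"" u "\", the same account as pool " seen[u]
            else
                seen[u] = p
        }
    }'
}

sample_pools() {                # constructed input, modelled on this page
cat <<'EOF'
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
[www]
listen = /tmp/php-fcgi.sock
;listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
php_admin_value[open_basedir]=/usr/local/nginx/html/authtest.com:/tmp/
EOF
}

sample_pools | audit_pools
```
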

VIII. php-fpm process management

Process management settings (using authtest.com as the example)

[root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
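; Dynamic process management; static is also possible
pm = dynamic
; Maximum number of child processes; they can be seen with ps aux
pm.max_children = 50
; Number of processes started when the service starts
pm.start_servers = 20
; Minimum number of idle processes: when the count reaches this value, php-fpm automatically spawns new child processes
pm.min_spare_servers = 5
; Maximum number of idle processes: when the count reaches this value, php-fpm automatically destroys idle child processes
pm.max_spare_servers = 35
; Maximum number of requests one child process handles: a php-fpm child serves at most this many requests and exits when the value is reached.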
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/
// 20 processes are started when the service starts
[root@localhost ~]# ps aux | grep authtest | grep -vc 'grep'
20
[root@localhost ~]# sed -i 's#pm.start_servers = 20#pm.start_servers = 30#' /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[root@localhost ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
// After the change, the number of processes started initially is 30
[root@localhost ~]# ps aux | grep authtest | grep -vc 'grep'
30

IX. Further reading

Proxying by request URI

http://ask.apelearn.com/question/1049

Choosing the back-end web server by the directory requested

http://ask.apelearn.com/question/920

nginx keep-alive connections

http://www.apelearn.com/bbs/thread-6545-1-1.html

Analysis of nginx algorithms

http://blog.sina.com.cn/s/blog_72995dcc01016msi.html

Difference between root and alias in nginx

http://blog.csdn.net/21aspnet/article/details/6583335

nginx alias and root configuration

http://www.ttlsa.com/nginx/nginx-root_alias-file-path-configuration/

http://www.iigrowing.cn/shi-yan-que-ren-nginx-root-alias-location-zhi-ling-shi-yong-fang-fa.html
