Lesson 22: LNMP (Part 3)

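Contents

I. Nginx load balancing

II. How SSL works

III. Generating an SSL key pair

IV. Configuring SSL in Nginx

V. php-fpm pools

VI. The php-fpm slow log

VII. open_basedir

VIII. php-fpm process management

IX. Further reading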

I. Nginx load balancing

Nginx load balancing is set up as follows.

1. Add the configuration file proxy.conf under vhost

[root@bogon ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
# Add the following content
# upstream specifies the list of backend servers
upstream qq_com
{
    ip_hash;
    # Note: this cannot load-balance SSL connections, i.e. port 443.
    # The server IPs are the real IPs of the www.qq.com servers, which can be obtained with the dig command.
    # To install dig: yum -y install bind-utils
    server 111.161.64.40:80;
    server 111.161.64.48:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# Before the configuration is reloaded, a test request for www.qq.com returns the default site, bbb.com
[root@bogon ~]# curl -x127.0.0.1:80 www.qq.com
I am bbb.com
# Reload the configuration file
[root@bogon ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@bogon ~]# /usr/local/nginx/sbin/nginx -s reload
# Test www.qq.com again: the response is now the source of the real www.qq.com home page, which shows that the proxy is working.
[root@bogon ~]# curl -x127.0.0.1:80 www.qq.com
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="baidu-site-verification" content="cNitg6enc2">
<title>͚Ѷ˗ҳ</title>
... (middle omitted) ...
s.parentNode.insertBefore(mta, s);
})();
</script>
</body>
</html><!--[if !IE]>|xGv00|f7b3dea4efd93bda0aee0db548e81e53<![endif]-->[root@bogon ~]#

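II. How SSL works

The figure below shows how SSL works.

[Figure: how SSL works]

The process is as follows:

1. The client sends an https request to the server.

2. The server itself must have a digital certificate (it can be requested from a trusted certificate authority on the Internet, for a fee; you can also generate the certificate yourself, but browsers will not trust it, so the client has to accept it before access can continue).

3. After receiving the https request, the server sends its public key to the client.

4. When the client browser receives the public key, it checks its validity. If the certificate is invalid, a warning is displayed. If the certificate is valid, the client generates a random string and encrypts it with the public key it received.

5. The client sends the encrypted random string back to the server. The server decrypts it with its private key to obtain the random string, and then uses this random string to encrypt the data it transmits. (This is called symmetric encryption: the server encrypts the data and the client decrypts it with the same key, namely the random string.)

6. The server sends the encrypted data to the client, and the client decrypts the data it receives with the same key (the random string).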

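III. Generating an SSL key pair

Because requesting a certificate from a trusted certificate authority on the Internet costs money and this is only a test environment, we can generate our own certificate by hand.

The process is as follows.

1. Generating the certificate requires the openssl package; if it is not installed, install it with yum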

[root@localhost ~]# yum -y install openssl

2. Generate the key pair

[root@localhost ~]# cd /usr/local/nginx/conf/
# Generate the private key tmp.key
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 2048 bit long modulus
........................+++
...+++
e is 65537 (0x10001)
# A pass phrase must be entered here, otherwise the command will not proceed
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
# Convert the key to remove the pass phrase
[root@localhost conf]# openssl rsa -in tmp.key -out user01.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key
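# Generate the certificate signing request; this file and the private key are used together to generate the public-key certificate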
[root@localhost conf]# openssl req -new -key user01.key -out user01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:jieyang
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:authtest.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Generate the public-key certificate named user01.crt
[root@localhost conf]# openssl x509 -req -days 365 -in user01.csr -signkey user01.key -out user01.crt
Signature ok
subject=/C=86/ST=guangdong/L=jieyang/O=Default Company Ltd/CN=authtest.com/[email protected]
Getting Private key
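
The key pair from this section and the six-step exchange described under the SSL principle heading, reproduced non-interactively as an added example (not part of the original lesson). It assumes the `openssl` command is installed; the function names, the temporary directory and the sample message are constructed for the illustration, and the exchange is the simplified RSA key transport the lesson describes.

```bash
#!/usr/bin/env bash
# Added example: authtest.com self-signed certificate and the SSL exchange steps.
set -u

make_cert() {            # $1 = work dir; writes user01.key and user01.crt there
    # -nodes leaves the private key unencrypted (the end state of the
    # genrsa -des3 + rsa steps above), so restrict the file to its owner.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=86/ST=guangdong/L=jieyang/CN=authtest.com" \
        -keyout "$1/user01.key" -out "$1/user01.crt" 2>/dev/null || return 1
    chmod 600 "$1/user01.key"
}

key_matches_cert() {     # true only if the certificate carries this key's public half
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1/user01.crt" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$1/user01.key" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

key_exchange() {         # $1 = work dir, $2 = message; prints what the client decrypts
    local d=$1 msg=$2 secret iv
    # Step 3: the client takes the public key out of the certificate it received
    openssl x509 -in "$d/user01.crt" -noout -pubkey > "$d/server.pub" || return 1
    # Step 4: the client creates a random string and encrypts it with that key
    openssl rand -hex 32 > "$d/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" \
        -in "$d/client.secret" -out "$d/secret.enc" || return 1
    # Step 5: only the holder of the private key can recover the random string
    secret=$(openssl pkeyutl -decrypt -inkey "$d/user01.key" -in "$d/secret.enc") || return 1
    # Steps 5-6: the string now keys a symmetric cipher; the IV is not secret
    iv=$(openssl rand -hex 16)
    printf '%s' "$msg" |
        openssl enc -aes-256-cbc -K "$secret" -iv "$iv" -out "$d/data.enc" || return 1
    openssl enc -d -aes-256-cbc -K "$(cat "$d/client.secret")" -iv "$iv" \
        -in "$d/data.enc"
}

run_demo() {             # full round trip in a throw-away directory
    local d out rc=0
    d=$(mktemp -d) || return 1
    { make_cert "$d" && key_matches_cert "$d" &&
        out=$(key_exchange "$d" "hello over https"); } || rc=1
    rm -rf "$d"
    [ "$rc" -eq 0 ] && printf '%s\n' "$out"
}

run_demo || echo "demo failed (is openssl installed?)" >&2
```

`key_matches_cert` is worth running before every nginx reload: a certificate paired with the wrong key makes `nginx -t` fail.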

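IV. Configuring SSL in Nginx

This section uses authtest.com as the example and configures SSL access with the self-issued certificate.

1. First check whether nginx was compiled with SSL support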

[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
# If --with-http_ssl_module is missing, nginx must be recompiled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

2. Add the configuration file ssl.conf

[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
# Contents:
server
{
    listen 443;
    server_name authtest.com;
    index index.html index.php;
    root /usr/local/nginx/html/authtest.com;
    ssl on;
    ssl_certificate user01.crt;
    ssl_certificate_key user01.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload
# Allow access to port 443 through the firewall
[root@localhost conf]# firewall-cmd --zone=public --add-port=443/tcp
success
[root@localhost conf]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
# Local test
# Add a local hosts entry
[root@localhost conf]# echo "127.0.0.1 authtest.com" >> /etc/hosts
[root@localhost conf]# cat !$
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 authtest.com
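# Verify: the connection succeeds but the certificate is reported as untrusted, because a self-issued certificate is not trusted by browser agents.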
[root@localhost conf]# curl https://authtest.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
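
As an added check (not part of the original lesson), the script below audits the ssl.conf above for settings that have aged badly: TLSv1 and TLSv1.1 are deprecated by RFC 8996, and the `ssl on;` directive was deprecated in nginx 1.15.0 in favour of `listen 443 ssl;`. The function names and finding labels are constructed here; the hardened form keeps to TLSv1.2 because the nginx build shown above links OpenSSL 1.0.2k, which has no TLSv1.3.

```bash
#!/usr/bin/env bash
# Added example: audit and harden the TLS directives of an nginx vhost.

sample_vhost() {         # constructed input: the ssl.conf from this section
    cat <<'EOF'
server
{
    listen 443;
    server_name authtest.com;
    index index.html index.php;
    root /usr/local/nginx/html/authtest.com;
    ssl on;
    ssl_certificate user01.crt;
    ssl_certificate_key user01.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

audit_nginx_tls() {      # stdin: vhost config; stdout: one finding per line
    awk '
    { sub(/#.*/, "") }                              # ignore comments
    $1 == "ssl" && $2 ~ /^on;?$/ { print "DEPRECATED_SSL_ON" }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "WEAK_PROTOCOL " p
        }
    }'
}

harden_nginx_tls() {     # stdin: vhost config; stdout: rewritten config
    sed -E \
        -e '/^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;/d' \
        -e 's/^([[:space:]]*listen[[:space:]]+443)[[:space:]]*;/\1 ssl;/' \
        -e 's/^([[:space:]]*)ssl_protocols[[:space:]][^;]*;/\1ssl_protocols TLSv1.2;/'
}

echo "findings in the original vhost:"
sample_vhost | audit_nginx_tls
echo "hardened vhost:"
sample_vhost | harden_nginx_tls
```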

Test from a remote browser

[Figure: three screenshots of the remote browser test]

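V. php-fpm pools

Different virtual hosts can be isolated from one another by configuring php-fpm pools.

Here bbb.com and authtest.com are placed in separate php-fpm pools.

The process is as follows.

1. Edit php-fpm.conf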

[root@localhost conf]# vim /usr/local/php-fpm/etc/php-fpm.conf
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
; Add the authtest pool
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

[root@localhost conf]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 02:45:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost conf]# /etc/init.d/php-fpm restart
[root@localhost ~]# ps aux | grep php-fpm
root 1905 0.0 0.4 227308 4964 ? Ss 02:46 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1906 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1907 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1908 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1909 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1910 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1911 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1912 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1913 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1914 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1915 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1916 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1917 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1918 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1919 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1920 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1921 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1922 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1923 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1924 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1925 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1926 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1927 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1928 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1929 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1930 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1931 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1932 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1933 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1934 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1935 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1936 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1937 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1938 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1939 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1940 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1941 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1942 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1943 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1944 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1945 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
root 2012 0.0 0.0 112664 980 pts/1 S+ 02:49 0:00 grep --color=auto php-fpm

2. Edit the authtest.com.conf configuration file so that it uses the authtest pool

    location ~ \.php$
    {
        include fastcgi_params;
        # Change the socket to the one of the authtest pool
        fastcgi_pass unix:/tmp/authtest.sock;
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/authtest.com$fastcgi_script_name;
    }

3. Edit the aaa.com.conf configuration file so that bbb.com uses the www pool

    location ~ \.php$
    {
        include fastcgi_params;
        # Change to the socket of the www pool
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/bbb.com$fastcgi_script_name;
    }

4. Reload the configuration and verify

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# ps aux | grep php-fpm
[root@localhost ~]# ps aux | grep php-fpm | grep -v 'grep'
root 1905 0.0 0.4 227308 4964 ? Ss 02:46 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1906 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1907 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1908 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1909 0.0 0.4 227248 4732 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1910 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1911 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1912 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1913 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1914 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1915 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1916 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1917 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1918 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1919 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1920 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1921 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1922 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1923 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1924 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1925 0.0 0.4 227248 4740 ? S 02:46 0:00 php-fpm: pool www
php-fpm 1926 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1927 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1928 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1929 0.0 0.4 227248 4736 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1930 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1931 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1932 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1933 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1934 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1935 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1936 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1937 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1938 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1939 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1940 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1941 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1942 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1943 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1944 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest
php-fpm 1945 0.0 0.4 227248 4744 ? S 02:46 0:00 php-fpm: pool authtest

php-fpm pools can also be written the way nginx configuration files are, with the global configuration kept separate from the individual virtual hosts.

# Edit /usr/local/php-fpm/etc/php-fpm.conf
vim /usr/local/php-fpm/etc/php-fpm.conf
; Remove the pool configuration from php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
; Add this line
include=etc/php-fpm.d/*.conf

# Create php-fpm.d/www.conf
[root@localhost ~]# mkdir /usr/local/php-fpm/etc/php-fpm.d
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf
; Add the following content
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

# Create php-fpm.d/authtest.conf
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
; Add the following content
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 03:24:28] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost php-fpm]# ps aux | grep php-fpm | grep -v 'grep'
root 2736 0.2 0.4 227336 4976 ? Ss 03:25 0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 2737 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2738 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2739 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2740 0.0 0.4 227276 4736 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2741 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2742 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2743 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2744 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2745 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2746 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2747 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2748 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2749 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2750 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2751 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2752 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2753 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2754 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2755 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2756 0.0 0.4 227276 4744 ? S 03:25 0:00 php-fpm: pool authtest
php-fpm 2757 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2758 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2759 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2760 0.0 0.4 227276 4740 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2761 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2762 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2763 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2764 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2765 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2766 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2767 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2768 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2769 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2770 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2771 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2772 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2773 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2774 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2775 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www
php-fpm 2776 0.0 0.4 227276 4748 ? S 03:25 0:00 php-fpm: pool www

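VI. The php-fpm slow log

Sometimes PHP executes slowly and we want to find out why. This can be done by configuring php-fpm's slow log.

The demonstration uses the authtest pool.

1. Edit authtest.conf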

[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
; Add the following two lines
; request_slowlog_timeout is normally set to 2 seconds; the value here is only for testing
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log

[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 03:41:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
# listen = /tmp/authtest.sock is the socket used by authtest.com,
# so create the test script in the authtest.com virtual host
[root@localhost conf]# vim /usr/local/nginx/html/authtest.com/sleep.php
<?php echo "test slow log";
sleep(2);
echo "done";
?>
[root@localhost conf]# curl authtest.com/sleep.php
test slow logdone
[root@localhost conf]# tail /usr/local/php-fpm/var/log/www-slow.log

[06-Jul-2018 03:47:22] [pool authtest] pid 2860
# The log records that line 2 of sleep.php is the slow one: it is a sleep() call that sleeps for 2 s
script_filename = /usr/local/nginx/html/authtest.com/sleep.php
[0x00007f6e4ad77278] sleep() /usr/local/nginx/html/authtest.com/sleep.php:2

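VII. open_basedir

With nginx, php-fpm's open_basedir feature can also be used to isolate virtual hosts from one another and improve security.

open_basedir can be defined in two places: in php.ini, or in the virtual host's configuration file. Defining it in php.ini is inflexible, so it is usually defined in the virtual host's configuration file.

Here open_basedir is configured for the authtest.com virtual host.

# Edit authtest.conf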
[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
; Add the following line. open_basedir must be defined correctly, otherwise it causes a failure, as demonstrated below
php_admin_value[open_basedir]=/usr/local/nginx/html/authtest.com:/tmp/

[root@localhost php-fpm]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Jul-2018 04:25:11] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
# At this point access works normally
[root@localhost php-fpm]# curl authtest.com/sleep.php
test slow logdone
[root@localhost php-fpm]#
[root@localhost php-fpm]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

# If open_basedir is misconfigured: here the fault is introduced by changing authtest.com to bbb.com
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/

[root@localhost php-fpm]# curl authtest.com/sleep.php
No input file specified.
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 08:34:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

To locate the cause of the error, enable PHP's error log.

[root@localhost php-fpm]# vim /usr/local/php-fpm/etc/php.ini
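; Turn display_errors off in production; it can be turned on while debugging so that errors appear directly in the browser
display_errors = Off
; Add the location where error_log is saved
error_log = /usr/local/php-fpm/var/log/error.log
; Set the logging level to all
error_reporting = E_ALL

# Set the permissions of /usr/local/php-fpm/var/log/error.log to 666
# Test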
[root@localhost php-fpm]# curl authtest.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Fri, 06 Jul 2018 09:59:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

# Log: it clearly shows that the open_basedir restriction is in effect and that the authtest.com path is not among the allowed paths
[06-Jul-2018 09:57:25 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/nginx/html/authtest.com/sleep.php) is not within the allowed path(s): (/usr/local/nginx/html/bbb.com:/tmp/) in Unknown on line 0
[06-Jul-2018 09:57:25 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[06-Jul-2018 09:59:45 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/nginx/html/authtest.com/sleep.php) is not within the allowed path(s): (/usr/local/nginx/html/bbb.com:/tmp/) in Unknown on line 0
[06-Jul-2018 09:59:45 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0

# Note: /usr/local/php-fpm/var/log/error.log needs permissions of 666 or higher; otherwise the error reported during the test is 403 Forbidden
# Log
[06-Jul-2018 09:38:12 UTC] PHP Deprecated: Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0
[06-Jul-2018 09:38:26 UTC] PHP Deprecated: Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0

VIII. php-fpm process management

Process management configuration (using authtest.com as the example)

[root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
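; Dynamic process management; static is also possible
pm = dynamic
; Maximum number of child processes; they can be seen with ps aux
pm.max_children = 50
; Number of processes started when the service starts
pm.start_servers = 20
; Minimum number of processes when idle; when this value is reached, php-fpm spawns new child processes automatically
pm.min_spare_servers = 5
; Maximum number of processes when idle; when this value is reached, php-fpm destroys idle child processes automatically
pm.max_spare_servers = 35
; Maximum number of requests one child process handles: once a php-fpm child process has served this many requests, it exits.
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/

# The number of processes started when the service starts is 20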
[root@localhost ~]# ps aux | grep authtest | grep -vc 'grep'
20
[root@localhost ~]# sed -i 's#pm.start_servers = 20#pm.start_servers = 30#' /usr/local/php-fpm/etc/php-fpm.d/authtest.conf
[root@localhost ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
# After the configuration change, the number of processes started initially is now 30
[root@localhost ~]# ps aux | grep authtest | grep -vc 'grep'
30
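
The pool and open_basedir sections rely on these files to keep virtual hosts apart; the added script below (not part of the original lesson) flags what weakens that separation in the pools as the page leaves them: sockets any local account can write to (`listen.mode = 666`), both pools running as the same `php-fpm` user, and an open_basedir that is missing or does not cover the vhost's document root. Function names and finding labels are constructed, and the accounts `php-www` and `php-authtest` in the corrected form are hypothetical; `nginx` is the user from the configure arguments shown earlier.

```bash
#!/usr/bin/env bash
# Added example: audit php-fpm pool files for weak isolation between vhosts.

page_pools() {           # constructed input: the two pools as this lesson leaves them
    cat <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
[authtest]
listen = /tmp/authtest.sock
listen.mode = 666
user = php-fpm
group = php-fpm
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/
EOF
}

separated_pools() {      # hypothetical fix: php-www / php-authtest are assumed accounts
    cat <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = php-www
group = php-www
php_admin_value[open_basedir]=/usr/local/nginx/html/bbb.com:/tmp/
[authtest]
listen = /tmp/authtest.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = php-authtest
group = php-authtest
php_admin_value[open_basedir]=/usr/local/nginx/html/authtest.com:/tmp/
EOF
}

audit_fpm_pools() {      # stdin: pool config; args: pool=docroot pairs
    awk -v roots="$*" '
    function covered(path, list,    a, n, i, d) {   # is path inside an allowed dir?
        n = split(list, a, ":")
        for (i = 1; i <= n; i++) {
            d = a[i]; sub(/\/$/, "", d)
            if (index(path "/", d "/") == 1) return 1
        }
        return 0
    }
    BEGIN { n = split(roots, r, " ")
            for (i = 1; i <= n; i++) { split(r[i], kv, "="); root[kv[1]] = kv[2] } }
    { sub(/^[ \t]*[;#].*/, ""); gsub(/[ \t]/, "") }  # drop comment lines and blanks
    /^\[.*\]$/ { pool = substr($0, 2, length($0) - 2); order[++np] = pool; next }
    pool == "" || !index($0, "=") { next }
    { k = substr($0, 1, index($0, "=") - 1); val[pool, k] = substr($0, index($0, "=") + 1) }
    END {
        for (i = 1; i <= np; i++) {
            p = order[i]; if (p == "global") continue
            m = val[p, "listen.mode"]; u = val[p, "user"]
            if (int(substr(m, length(m)) / 2) % 2) print "WORLD_WRITABLE_SOCKET " p " " m
            if (u != "" && (u in owner)) print "SHARED_USER " p " " owner[u] " " u
            else owner[u] = p
            b = val[p, "php_admin_value[open_basedir]"]
            if (b == "") print "NO_OPEN_BASEDIR " p
            else if ((p in root) && !covered(root[p], b)) print "BASEDIR_EXCLUDES_DOCROOT " p
        }
    }'
}

page_pools | audit_fpm_pools \
    www=/usr/local/nginx/html/bbb.com authtest=/usr/local/nginx/html/authtest.com
```

`BASEDIR_EXCLUDES_DOCROOT authtest` is the same misconfiguration that produced the "No input file specified." response above, caught before the restart.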

IX. Further reading

Proxying based on the request URI

http://ask.apelearn.com/question/1049

Selecting the backend web server by the directory accessed

http://ask.apelearn.com/question/920

nginx keep-alive (long-lived) connections

http://www.apelearn.com/bbs/thread-6545-1-1.html

Analysis of nginx algorithms

http://blog.sina.com.cn/s/blog_72995dcc01016msi.html

The difference between root and alias in nginx

http://blog.csdn.net/21aspnet/article/details/6583335

Configuring alias and root in nginx

http://www.ttlsa.com/nginx/nginx-root_alias-file-path-configuration/

http://www.iigrowing.cn/shi-yan-que-ren-nginx-root-alias-location-zhi-ling-shi-yong-fang-fa.html
