2013/04/14

Nginx + php-fpm + SSL + VirtualHost configuration on CentOS 6.4



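The latest version is at: http://jangmt.com/wiki/index.php/Nginx
Introduction

  • Nginx is an HTTP server designed with performance in mind
Notes
  • Environment: CentOS 6.4
  • SELinux is enabled by default, in enforcing mode
Install nginx and remove Apache
  • The existing httpd and php can be removed
yum remove httpd php
  • Install the nginx + php-fpm packages
[root@c6 html]# yum install nginx php-fpm
... skip ...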
==================================================================================
Package Arch Version Repository Size
==================================================================================
Installing:
nginx x86_64 1.0.15-4.el6 epel 379 k
php-fpm x86_64 5.3.3-22.el6 base 1.1 M
Installing for dependencies:
GeoIP x86_64 1.4.8-1.el6 epel 620 k
Transaction Summary
==================================================================================
Install 3 Package(s)
... skip ...

  • Start the services and verify the listening ports
[root@c6 html]# /etc/init.d/nginx restart
Stopping nginx: [FAILED]
Starting nginx: [ OK ]
[root@c6 html]# /etc/init.d/php-fpm restart
Stopping php-fpm: [FAILED]
Starting php-fpm: [ OK ]
[root@c6 html]# netstat -anp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 28731/nginx
unix 3 [ ] STREAM CONNECTED 1647440 28731/nginx
unix 3 [ ] STREAM CONNECTED 1647439 28731/nginx
[root@c6 html]# netstat -anp | grep php-fpm
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 28743/php-fpm
unix 3 [ ] STREAM CONNECTED 1647522 28743/php-fpm
unix 3 [ ] STREAM CONNECTED 1647521 28743/php-fpm

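Getting PHP-fpm working
  • Configure PHP-fpm to work together with nginx, that is, requests that need PHP are handed to 127.0.0.1:9000 for execution
# The following configuration file is modified from the original EPEL template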
[root@c6 conf.d]# cat /etc/nginx/conf.d/default.conf
#
# The default server
#
server {
    listen 80 default_server;
    server_name _;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        # root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

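  • The part to configure is this block. It was originally entirely commented out, because the default setup only serves static HTML pages.
location ~ \.php$ {
    # The system default /usr/share/nginx/html directory is fine
    # Comment out the line below; it sets the location of nginx's web root directory
    #root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # Comment out the line below; its path is wrong
    #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    # SCRIPT_FILENAME is the PHP source file to run, built from the $fastcgi_script_name resource that follows
    # Add the line below; $document_root is a variable that substitutes the root directory into it
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}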
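
The location block above hands every URI ending in .php to php-fpm, and with PHP's default cgi.fix_pathinfo=1 the interpreter may resolve such a URI to a different existing file, so a common hardening is to put try_files $uri =404; inside the block. The check below is an added example, not part of the original post, that lists PHP location blocks lacking that guard. The function names and the sample configuration are constructed, and the scan assumes no nested blocks inside the location.

```shell
#!/bin/sh
# Added example (not from the original post). Names and sample config are constructed.

# Prints the line number of each "location ~ ...\.php" block that contains
# fastcgi_pass but no try_files. Heuristic: assumes no nested blocks inside it.
php_locations_without_try_files() {
    awk '
        /^[ \t]*#/ { next }                          # ignore commented-out lines
        /location[ \t]+~.*\\\.php/ { inphp = 1; start = NR; pass = 0; guard = 0 }
        inphp && /fastcgi_pass/ { pass = 1 }
        inphp && /try_files/    { guard = 1 }
        inphp && /[}]/ {                             # end of the location block
            if (pass && !guard) print start
            inphp = 0
        }
    ' "$@"
}

# Constructed sample: line 2 is the block from this page, line 8 the hardened form.
sample_conf() {
    cat <<'EOF'
server {
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    #location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
}
EOF
}

# Usage: php_locations_without_try_files /etc/nginx/conf.d/*.conf
#        sample_conf | php_locations_without_try_files
```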

  • Restart nginx
[root@c6 html]# /etc/init.d/nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]

  • Test that PHP works by having it output the current time; the nginx root directory is /usr/share/nginx/html/
[root@c6 html]# cat /usr/share/nginx/html/index.php
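  • If the time and the phpinfo() output are displayed, it is working correctly.
  • So is this kind of result accurate?? That is worth discussing....
Nginx name-based virtual hosts
  • nginx virtual host configuration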
[root@c6 conf.d]# cat /etc/nginx/conf.d/c6.conf
# the c6.jangmt.com
server {
    #listen 80;
    server_name c6.jangmt.com;
    root /home/mtchang/public_html;
    index index.html index.htm index.php;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[root@c6 conf.d]# /etc/init.d/nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]

[mtchang@c6 ~]$ cat /home/mtchang/public_html/index.php
/home/mtchang/public_html
SSL on NGINX

  • Configuration file
[root@c6 conf.d]# cat /etc/nginx/conf.d/c6.conf
# the c6.jangmt.com
server {
    #listen 80;
    server_name c6.jangmt.com;
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    root /home/mtchang/public_html;
    index index.html index.htm index.php;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

  • Generate the certificate in the /etc/nginx/certs directory
[root@c6 certs]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@c6 certs]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:kaohsiung
Locality Name (eg, city) [Default City]:taiwan
Organization Name (eg, company) [Default Company Ltd]:jangmt
Organizational Unit Name (eg, section) []:com
Common Name (eg, your name or your server's hostname) []:mtchang
Email Address []:mtchang.tw@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@c6 certs]# cp server.key server.key.org
[root@c6 certs]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[root@c6 certs]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=TW/ST=kaohsiung/L=taiwan/O=jangmt/OU=com/CN=mtchang/emailAddress=mtchang.tw@gmail.com
Getting Private key
[root@c6 certs]# pwd
/etc/nginx/certs
[root@c6 certs]# ls -la
total 24
drwxr-xr-x. 2 root root 4096 Apr 14 00:11 .
drwxr-xr-x. 4 root root 4096 Apr 14 00:06 ..
-rw-r--r--. 1 root root 940 Apr 14 00:06 server.crt
-rw-r--r--. 1 root root 696 Apr 14 00:06 server.csr
-rw-r--r--. 1 root root 887 Apr 14 00:06 server.key
-rw-r--r--. 1 root root 963 Apr 14 00:06 server.key.org
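
The steps above produce a 1024-bit key that ends up world-readable (-rw-r--r--) and a certificate whose CN (mtchang) is not the server name c6.jangmt.com. The following is an added example, not from the original post: it generates a 2048-bit key and a self-signed certificate non-interactively with the key readable only by its owner, then checks the result. The function names are hypothetical, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# make_selfsigned DIR HOSTNAME: 2048-bit RSA key + self-signed cert, CN = HOSTNAME.
make_selfsigned() {
    dir=$1 host=$2
    (
        umask 077                      # files are created owner-only from the start
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$host" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/server.key"        # private key: owner read/write only
    chmod 644 "$dir/server.crt"        # the certificate is public data
}

# key_matches_cert KEY CERT: succeeds when both carry the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_key_bits CERT: prints the public key size, e.g. 2048.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# file_mode FILE: prints the permission string, e.g. -rw-------.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (as root, in the page's directory):
#   make_selfsigned /etc/nginx/certs c6.jangmt.com
#   key_matches_cert /etc/nginx/certs/server.key /etc/nginx/certs/server.crt && echo match
```

The same cert_key_bits and file_mode checks can be pointed at an existing server.crt and server.key to audit files created earlier.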

  • Restart and test
[root@c6 certs]# /etc/init.d/nginx restart
Stopping nginx: [FAILED]
Starting nginx: [ OK ]
[root@c6 certs]# netstat -anp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 30610/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 30610/nginx
unix 3 [ ] STREAM CONNECTED 1702006 30610/nginx
unix 3 [ ] STREAM CONNECTED 1702005 30610/nginx
... skip ...

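Performance testing
  • Test tool: the ab command
  • ab usage example:
  • To run 100 connections with 20 concurrent (simultaneous) requests:
  • Interpreting the results:
  • Time taken for tests: the total time the run took (how long the 100 requests above took in all).
  • Requests per second: the average number of connections handled per second.
  • Content: index.php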
[mtchang@c6 public_html]$ cat index.php
/home/mtchang/public_html/index.php

  • Content: index.html
[mtchang@c6 public_html]$ cat index.html
/home/mtchang/public_html

  • Machine specification
[mtchang@c6 ~]$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Core(TM) i5-3450 CPU @ 3.10GHz
stepping : 9
cpu MHz : 1600.000
cache size : 6144 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 4
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts
acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good
xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm
pcid sse4_1 sse4_2 popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm ida arat epb xsaveopt
pln pts dts tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms
bogomips : 6186.06
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:
[mtchang@c6 ~]$ free
total used free shared buffers cached
Mem: 3599640 1660092 1939548 0 183164 825952
-/+ buffers/cache: 650976 2948664
Swap: 4194296 0 4194296
[mtchang@c6 ~]$ sudo hdparm -tT /dev/sda5
/dev/sda5:
Timing cached reads: 24092 MB in 2.00 seconds = 12065.08 MB/sec
Timing buffered disk reads: 300 MB in 3.00 seconds = 99.94 MB/sec

  • Stress test with Apache's ab (static HTML)
[root@lab html]# ab -n 10000 -c 10 http://c6.jangmt.com/index.html
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/
Benchmarking c6.jangmt.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Finished 10000 requests
Server Software: nginx/1.0.15
Server Hostname: c6.jangmt.com
Server Port: 80
Document Path: /index.html
Document Length: 3698 bytes
Concurrency Level: 10
Time taken for tests: 3.654708 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 39100212 bytes
HTML transferred: 36980000 bytes
Requests per second: 2736.20 [#/sec] (mean)
Time per request: 3.655 [ms] (mean)
Time per request: 0.365 [ms] (mean, across all concurrent requests)
Transfer rate: 10447.62 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1 0.5 1 3
Processing: 0 1 1.0 2 4
Waiting: 0 1 0.5 1 3
Total: 1 3 0.4 3 6
Percentage of the requests served within a certain time (ms)
50% 3
66% 3
75% 3
80% 3
90% 3
95% 4
98% 4
99% 4
100% 6 (longest request)

  • Stress test with Apache's ab (this example is the PHP case); the figures below are from a run with no failures.
[root@lab html]# ab -n 10 -c 2 http://c6.jangmt.com/index.php
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/
Benchmarking c6.jangmt.com (be patient).....done
Server Software: nginx/1.0.15
Server Hostname: c6.jangmt.com
Server Port: 80
Document Path: /index.php
Document Length: 52564 bytes
Concurrency Level: 2
Time taken for tests: 0.49866 seconds
Complete requests: 10
Failed requests: 0
Write errors: 0
Total transferred: 527110 bytes
HTML transferred: 525640 bytes
Requests per second: 200.54 [#/sec] (mean)
Time per request: 9.973 [ms] (mean)
Time per request: 4.987 [ms] (mean, across all concurrent requests)
Transfer rate: 10307.62 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.6 0 1
Processing: 8 8 1.1 9 10
Waiting: 0 0 0.7 0 1
Total: 9 9 0.3 9 10
Percentage of the requests served within a certain time (ms)
50% 9
66% 9
75% 9
80% 9
90% 10
95% 10
98% 10
99% 10
100% 10 (longest request)

  • A not very precise conclusion: nginx does better, but it still takes a lot of effort to make up for the hardware difference....

