Nginx配置
约 2300 字大约 8 分钟
9.nginx配置
Linux内核优化参数
/etc/sysctl.conf
修改 /etc/sysctl.conf 来更改内核参数
修改好配置文件,执行 sysctl -p 命令,使配置立即生效
# 系统最大可以打开的句柄数
fs.file-max = 2024000
fs.nr_open = 1024000
# 参数设置为 1 ,表示允许将TIME_WAIT状态的socket重新用于新的TCP链接,这对于服务器来说意义重大,因为总有大量TIME_WAIT状态的链接存在
net.ipv4.tcp_tw_reuse = 1
# 当keepalive启动时,TCP发送keepalive消息的频度;默认是2小时,将其设置为10分钟,可以更快的清理无效链接。
ner.ipv4.tcp_keepalive_time = 600
# 当服务器主动关闭链接时,socket保持在FIN_WAIT_2状态的最大时间
net.ipv4.tcp_fin_timeout = 30
# 这个参数表示操作系统允许TIME_WAIT套接字数量的最大值,
# 如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。
# 该参数默认为180000,过多的TIME_WAIT套接字会使Web服务器变慢。
net.ipv4.tcp_max_tw_buckets = 5000
# 定义UDP和TCP链接的本地端口的取值范围。
net.ipv4.ip_local_port_range = 1024 65000
# 定义了TCP接受缓存的最小值、默认值、最大值
net.ipv4.tcp_rmem = 10240 87380 12582912
# 定义TCP发送缓存的最小值、默认值、最大值。
net.ipv4.tcp_wmem = 10240 87380 12582912
# 与性能无关。用于解决TCP的SYN攻击。
net.ipv4.tcp_syncookies = 1
# 这个参数表示TCP三次握手建立阶段接受SYN请求列队的最大长度,默认1024,
# 将其设置的大一些
# 可以使出现Nginx繁忙来不及accept新连接的情况时,Linux不至于丢失客户端发起的链接请求。
net.ipv4.tcp_max_syn_backlog = 8192
# 这个参数用于设置启用timewait快速回收。
net.ipv4.tcp_tw_recycle = 1
# 选项用于设定系统中最多有多少个TCP套接字不被关联到任何一个用户文件句柄上。
# 如果超过这个数字,孤立链接将立即被复位并输出警告信息。
# 这个限制只是为了防止简单的DOS攻击,
# 不用过分依靠这个限制甚至认为的减小这个值,更多的情况是增加这个值。
net.ipv4.tcp_max_orphans=262114
# 当网卡接收数据包的速度大于内核处理速度时,会有一个列队保存这些数据包。这个参数表示该列队的最大值。
net.core.netdev_max_backlog = 8096
# 表示内核套接字接受缓存区默认大小。
net.core.rmem_default = 6291456
# 表示内核套接字发送缓存区默认大小。
net.core.wmem_default = 6291456
# 表示内核套接字接受缓存区最大大小。
net.core.rmem_max = 12582912
# 表示内核套接字发送缓存区最大大小。
net.core.wmem_max = 12582912
# 选项默认值是128,
# 这个参数用于调节系统同时发起的TCP连接数,
# 在高并发的请求中,默认的值可能会导致链接超时或者重传,因此需要结合高并发请求数来调节此值。
net.core.somaxconn=262114
单进程的文件句柄数配置
/etc/security/limits.conf
* soft nofile 1024000
* hard nofile 1024000
* soft nproc 655360
* hard nproc 655360
* soft stack unlimited
* hard stack unlimited
* soft memlock unlimited
* hard memlock unlimited
进程最大打开文件描述符数
* soft nofile 1000000
* hard nofile 1000000
* soft nproc 655360
* hard nproc 655360
# *代表针对所有用户
# nproc 是代表最大进程数
# nofile 是代表最大文件打开数
hard和soft的区别:在设定上,通常soft会比hard小,
举例来说,soft可以设置为80,而hard设定为100,那么你可以使用到90(没有超过100),但介于80~100之间时,系统会有警告信息通知你。
总之:
- 所有进程打开的文件描述符数不能超过/proc/sys/fs/file-max
- 单个进程打开的文件描述符数不能超过user limit中nofile的soft limit
- nofile的soft limit不能超过其hard limit
- nofile的hard limit不能超过/proc/sys/fs/nr_open
实际配置案例
qfqz-nginx.conf
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
# -------------------------------------------------------------------------------------------------
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 30000;
}
stream {
upstream hbase {
server 127.0.0.1:2181;
}
server {
listen 12181;
proxy_connect_timeout 360s;
proxy_timeout 360s;
proxy_pass hbase;
}
}
# -------------------------------------------------------------------------------------------------
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /etc/nginx/logs/access.log main;
error_log /etc/nginx/logs/error.log warn;
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120;
client_max_body_size 500M;
gzip on; #该指令用于开启或关闭gzip模块(on/off)
gzip_disable "msie6"; #对IE5与IE6禁用gzip,因为这两个浏览器对于gzip支持不太好
gzip_vary on; #控制在头部是否要插入Vary: Accept-Encoding,目的是为不同的压缩格式提供不同的缓存详见 here
gzip_proxied any; #对于所有的返回都使用压缩
gzip_comp_level 6; #设置压缩强度,1-9,9最大
gzip_buffers 16 8k; #这里指定用于gzip压缩的内存大小,16表示16个,8k表示每块缓存大小,通常为8k一个内存页的大小
gzip_http_version 1.1; #http1.1协议以上的请求都使用gzip
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; #压缩文件类型
server {
listen 443 default ssl;
server_name vcsp-test.lolaage.com; #当前服务器ip地址
ssl_certificate /etc/nginx/4983683__lolaage.com.pem ;
ssl_certificate_key /etc/nginx/4983683__lolaage.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#web服务
location /vcsp-admin-web {
alias /etc/nginx/html/vcsp-admin-web;
index index.html index.htm;
if ($request_filename ~* .*\.(?:htm|html)$)
{
add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
}
if ($request_filename ~* .*\.(?:js|css)$)
{
expires 7d;
}
if ($request_filename ~* .*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$)
{
expires 7d;
}
}
location /vcsp-web {
alias /etc/nginx/html/vcsp-web;
if ($request_filename ~* .*\.(?:htm|html)$)
{
add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
}
if ($request_filename ~* .*\.(?:js|css)$)
{
expires 7d;
}
if ($request_filename ~* .*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$)
{
expires 7d;
}
}
location ^~ /vcsp-admin/ {
proxy_pass http://172.18.1.114:8081;
proxy_connect_timeout 15s;
proxy_send_timeout 15s;
proxy_read_timeout 15s;
}
location ^~ /vcsp-server/ {
proxy_pass http://172.18.1.114:16300;
proxy_connect_timeout 15s;
proxy_send_timeout 15s;
proxy_read_timeout 15s;
}
location ^~ /f/uploadFile {
proxy_pass http://172.18.1.114:16400;
proxy_connect_timeout 30s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
location ^~ /f/d1 {
proxy_pass http://139.159.189.11:16400;
proxy_connect_timeout 30s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
location ^~ /f/d2 {
proxy_pass http://139.159.189.11:16400;
proxy_connect_timeout 30s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
location ^~ /f/u2 {
proxy_pass http://139.159.189.11:16400;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
location ^~ /srs1/ {
proxy_pass http://139.159.189.11:8088/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 1800s;
proxy_send_timeout 1800s;
proxy_read_timeout 1800s;
}
location ~ (^/websocket) {
proxy_pass http://172.18.1.114:1239;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 1800s;
proxy_send_timeout 1800s;
proxy_read_timeout 1800s;
}
}
}
gzwjw-nginx.conf
# -------------------------------------------------------------------------------------------------
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 30000;
}
# -------------------------------------------------------------------------------------------------
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 500M;
server {
listen 80;
server_name egc-test.lolaage.com; #当前服务器ip地址
root /usr/share/nginx/html/webinfo;
# 网关服务ip和端口
location ^~ /gateway/ {
proxy_pass http://172.18.1.104:5555;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ~ (^/ws/) {
proxy_pass http://172.18.1.104:60002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ^~ /wsMsgNotice/ {
proxy_pass http://172.18.1.104:60003;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 120s;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
}
location ^~ /adapter/ {
proxy_pass http://172.18.1.104:8070/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ~ (^/dx/) {
proxy_pass http://172.18.1.104:5555;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
# socket服务ip和端口
location ~ (^/egc-socket/) {
proxy_pass http://172.18.1.104:8180;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 文件服务ip和端口
location ~ (^/f/) {
proxy_pass http://172.18.1.104:16400;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
# srs服务ip和flv拉流端口
location ^~ /srs1/ {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.18.1.104:8090/; #flv格式拉流端口
proxy_set_header Cookie $http_cookie;
add_header Access-Control-Allow-Methods *;
add_header Access-Control-Allow-Origin $http_origin;
}
# webSocket 朗视通讯用
location ^~ /adapterSocket/ {
proxy_redirect off;
proxy_pass http://172.18.1.104:8071/;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Access-Control-Allow-Methods *;
add_header Access-Control-Allow-Origin $http_origin;
}
# 通讯websocket用于对讲通话
location ^~ /egc-tcp-websocket/ {
proxy_pass http://172.18.1.104:1239/egc-tcp-websocket/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 443 ssl;
server_name egc-test.lolaage.com;
client_max_body_size 500M;
root /usr/share/nginx/html/webinfo;
index index.html index.htm;
ssl_certificate /etc/nginx/4983683__lolaage.com.pem;
ssl_certificate_key /etc/nginx/4983683__lolaage.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# 网关服务ip和端口
location ^~ /gateway/ {
proxy_pass http://172.18.1.104:5555;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ^~ /adapter/ {
proxy_pass http://172.18.1.104:8070/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ~ (^/dx/) {
proxy_pass http://172.18.1.104:5555;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ~ (^/ws/) {
proxy_pass http://172.18.1.104:60002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location ^~ /wsMsgNotice/ {
proxy_pass http://172.18.1.104:60003;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 120s;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
}
# socket服务ip和端口
location ~ (^/egc-socket/) {
proxy_pass http://172.18.1.104:38183;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 文件服务ip和端口
location ~ (^/f/) {
proxy_pass http://172.18.1.104:16400;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
# srs服务ip和flv拉流端口
location ^~ /srs1/ {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.18.1.104:8090/; #flv格式拉流端口
proxy_set_header Cookie $http_cookie;
add_header Access-Control-Allow-Methods *;
add_header Access-Control-Allow-Origin $http_origin;
}
# webSocket 朗视通讯用
location ^~ /adapterSocket/ {
proxy_redirect off;
proxy_pass http://172.18.1.104:8071/;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 通讯websocket用于对讲通话
location ^~ /egc-tcp-websocket/ {
proxy_pass http://172.18.1.104:1239/egc-tcp-websocket/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}