Puppet Modules (6): The nginx Module - Linux Security Operations _ 跨零代码


1. Module description

Nginx provides the reverse proxy, caching and load-balancing services.

2. Directory structure

    [Figure: directory tree of the nginx module]

3. Code

1) The files directory

conf.d    # holds the nginx configuration files; different code is used for different environments. Puppet's environments feature could also be used for this, but I have not looked into it yet.

DeployPub     # configuration files for the production environment

DeployTest    # configuration files for the test environment

test01.conf    # nginx virtual host configuration. The upstream block can be kept in its own file, with one file per server. The backend, e.g. 10.188.1.11:8888, is your web application; it can run on IIS/Tomcat/Apache/PHP/nginx etc., which needs no further explanation.

    upstream www {
        server 10.188.1.11:8888 weight=5 max_fails=2 fail_timeout=30s;
        server 10.188.1.12:8888 weight=5 max_fails=2 fail_timeout=30s;
        keepalive 20;
    }

    server {
        listen 80;
        server_name www.ewin.com;

        location / {
            proxy_pass http://www;
            proxy_next_upstream http_502 http_504 error timeout invalid_header;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # cache purge endpoint (ngx_cache_purge); reachable from the management network only
        location ~ /purge(/.*) {
            allow 10.188.1.0/24;
            deny all;
            proxy_cache_purge tmpcache $host$1$is_args$args;
        }

        # static content is served through the proxy cache
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|css|html|shtml|htm)$ {
            proxy_cache tmpcache;
            proxy_cache_valid 200 304 12h;
            proxy_cache_valid 301 302 1m;
            proxy_cache_valid any 1m;
            proxy_cache_key $host$uri$is_args$args;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://www;    # "www" is the only upstream defined above
        }

        # stub_status page; reachable from the management network only
        location /nginxstatus {
            stub_status on;
            access_log off;
            allow 10.188.1.0/24;
            deny all;
        }

        access_log /var/log/nginx/www.log main;
    }
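The allow/deny lists on the /purge and /nginxstatus locations are what keep the cache purge and status endpoints off the public side, so a check on the files in conf.d before they are pushed pays off. The following bash/awk lint is an added example, not part of the original module: it flags any location block that exposes proxy_cache_purge or stub_status without an explicit deny all; the vhost fragment embedded in it is constructed sample input.

```shell
#!/bin/bash
# Added example, not part of the original module: lint an nginx vhost file
# before it is pushed out via files/conf.d. Every location block that exposes
# proxy_cache_purge or stub_status must also carry an explicit "deny all;".
# Exit status 0 = all such blocks are restricted, 1 = at least one is open.
set -u

check_sensitive_locations() {
    awk '
        # a new location block starts: remember its header line, reset state
        /^[[:space:]]*location[[:space:]]/ { loc = $0; sensitive = 0; denied = 0; depth = 0 }
        loc != "" {
            if ($0 ~ /proxy_cache_purge|stub_status/) sensitive = 1
            if ($0 ~ /^[[:space:]]*deny[[:space:]]+all[[:space:]]*;/) denied = 1
            # track brace depth so "{" on the next line (as in test01.conf) also works
            opened = gsub(/\{/, "{"); closed = gsub(/\}/, "}")
            depth += opened - closed
            if (closed > 0 && depth <= 0) {
                if (sensitive && !denied) { print "UNRESTRICTED: " loc; bad = 1 }
                loc = ""
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a purge location that forgot "deny all" next to a
# properly restricted status location.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
location ~ /purge(/.*)
{
    allow 10.188.1.0/24;
    proxy_cache_purge tmpcache $host$1$is_args$args;
}
location /nginxstatus {
    stub_status on;
    allow 10.188.1.0/24;
    deny all;
}
EOF

check_sensitive_locations "$SAMPLE_CONF" || echo "fix conf.d before pushing"
rm -f "$SAMPLE_CONF"
```

Run it over files/conf.d/DeployPub/*.conf and DeployTest/*.conf in turn; a non-zero exit status names the offending location header.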

pack                          # holds the related install packages
nginx-1.6.2.tar.gz            # download: http://nginx.org/download/nginx-1.6.2.tar.gz
ngx_cache_purge-2.3.tar.gz    # download: http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
openssl-1.0.1j.tar.gz         # download: http://www.openssl.org/source/openssl-1.0.1j.tar.gz
pcre-8.35.tar.gz              # download: http://cznic.dl.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz
zlib-1.2.8.tar.gz             # download: http://zlib.net/zlib-1.2.8.tar.gz
nginx_install.sh              # nginx build and install script

    #!/bin/bash
    # Build nginx 1.6.2 from the sources unpacked under /usr/local/src.
    cd /usr/local/src/nginx-1.6.2 || exit 1
    make clean    # fails harmlessly on a fresh tree
    /bin/bash configure \
        --prefix=/usr/local/nginx \
        --sbin-path=/usr/sbin/nginx \
        --conf-path=/etc/nginx/nginx.conf \
        --pid-path=/var/run/nginx/nginx.pid \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --lock-path=/var/lock/nginx.lock \
        --user=nginx --group=nginx \
        --with-pcre=/usr/local/src/pcre-8.35 \
        --with-zlib=/usr/local/src/zlib-1.2.8 \
        --with-openssl=/usr/local/src/openssl-1.0.1j \
        --with-http_stub_status_module \
        --add-module=/usr/local/src/ngx_cache_purge-2.3 \
        --with-http_perl_module \
        --with-http_realip_module
    # install only if the build succeeded
    make && make install

Notes: the configure command sets the relevant directories, user and group, and enables PCRE (regular expression matching), ZLIB, SSL, STATUS (status monitoring), PURGE (the cache purge add-on module), the PERL module and the REALIP module (real client IP).
The PERL module is used to make URL matching case-insensitive; see http://www.cnblogs.com/tommyli/p/3543303.html

2) The manifests directory
init.pp

    class nginx {
      include nginx::install, nginx::config, nginx::service
    }

install.pp

    class nginx::install {
      Exec { path => ['/usr/bin', '/usr/sbin', '/bin'] }

      # Build dependencies. Packages already installed by other modules on the
      # host are not repeated here; if only this nginx module is applied, the
      # commented packages must all be added to the list.
      package { ['perl-devel', 'perl-ExtUtils-Embed']:
        # 'perl', 'pcre', 'zlib-devel', 'gcc-c++', 'gcc', 'openssl-devel'
        ensure => installed,
        before => Exec['install_nginx'],
      }

      # copy the source tarballs from files/pack to the build host
      file { '/usr/local/src':
        ensure  => directory,
        source  => 'puppet:///modules/nginx/pack',
        ignore  => '.svn',
        owner   => root,
        group   => root,
        mode    => '0640',
        recurse => remote,
        before  => Exec['install_nginx'],
      }

      # unpack each tarball, but only when the copied files change
      exec { 'pcre':
        command     => 'tar -zxf pcre-8.35.tar.gz',
        cwd         => '/usr/local/src',
        refreshonly => true,
        subscribe   => File['/usr/local/src'],
        before      => Exec['install_nginx'],
      }
      exec { 'zlib':
        command     => 'tar -zxf zlib-1.2.8.tar.gz',
        cwd         => '/usr/local/src',
        refreshonly => true,
        subscribe   => File['/usr/local/src'],
        before      => Exec['install_nginx'],
      }
      exec { 'openssl':
        command     => 'tar -zxf openssl-1.0.1j.tar.gz',
        cwd         => '/usr/local/src',
        refreshonly => true,
        subscribe   => File['/usr/local/src'],
        before      => Exec['install_nginx'],
      }
      exec { 'cache':
        command     => 'tar -zxf ngx_cache_purge-2.3.tar.gz',
        cwd         => '/usr/local/src',
        refreshonly => true,
        subscribe   => File['/usr/local/src'],
        before      => Exec['install_nginx'],
      }
      exec { 'nginx':
        command     => 'tar -zxf nginx-1.6.2.tar.gz',
        cwd         => '/usr/local/src/',
        refreshonly => true,
        subscribe   => File['/usr/local/src'],
        before      => Exec['install_nginx'],
      }

      file { '/usr/local/src/nginx_install.sh':
        ensure => file,
        owner  => root,
        group  => root,
        mode   => '0755',
        source => 'puppet:///modules/nginx/nginx_install.sh',
        before => Exec['install_nginx'],
      }

      # compile and install; runs only when the install script is (re)deployed
      exec { 'install_nginx':
        command     => '/bin/bash nginx_install.sh',
        cwd         => '/usr/local/src',
        refreshonly => true,
        subscribe   => File['/usr/local/src/nginx_install.sh'],
      }
    }

config.pp    # the $nginx_conf parameter determines which environment's configuration files a host receives; it can be set in the host's parameters in Foreman or in the node definition in site.pp.

    class nginx::config {
      include nginx::config::iptables

      # dedicated, non-login service account for the worker processes
      group { 'nginx':
        ensure => present,
        before => User['nginx'],
      }
      user { 'nginx':
        ensure => present,
        groups => 'nginx',
        shell  => '/sbin/nologin',
      }

      file { '/etc/nginx/nginx.conf':
        ensure  => file,
        owner   => root,
        group   => root,
        mode    => '0400',
        content => template('nginx/nginx.conf.erb'),
        require => Class['nginx::install'],
      }

      # $nginx_conf selects the environment's vhost files; there is no default
      # branch, so a host without this parameter gets no managed conf.d
      case $nginx_conf {
        'pub': {
          file { '/etc/nginx/conf.d':
            ensure  => directory,
            source  => 'puppet:///modules/nginx/conf.d/DeployPub',
            ignore  => '.svn',
            owner   => root,
            group   => root,
            mode    => '0640',
            recurse => remote,
            require => Class['nginx::install'],
          }
        }
        'test': {
          file { '/etc/nginx/conf.d':
            ensure  => directory,
            source  => 'puppet:///modules/nginx/conf.d/DeployTest',
            ignore  => '.svn',
            owner   => root,
            group   => root,
            mode    => '0640',
            recurse => remote,
            require => Class['nginx::install'],
          }
        }
      }

      file { 'nginxd':
        path    => '/etc/rc.d/init.d/nginxd',
        ensure  => file,
        owner   => root,
        group   => root,
        mode    => '0755',
        content => template('nginx/nginxd.erb'),
        require => Class['nginx::install'],
      }
    }

    class nginx::config::iptables {
      Exec { path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'] }

      # open TCP/80; the saved rule set serves as the idempotency check
      exec { 'open_port_80':
        command => 'iptables -I INPUT -p tcp --dport 80 -j ACCEPT',
        unless  => 'grep "tcp --dport 80" /etc/sysconfig/iptables 2>/dev/null',
        notify  => Exec['save_port_80'],
      }
      exec { 'save_port_80':
        command     => 'service iptables save',
        refreshonly => true,
      }
    }

service.pp

    class nginx::service {
      service { 'nginxd':
        ensure     => running,
        enable     => true,
        hasrestart => true,
        hasstatus  => true,
        subscribe  => Class['nginx::config'],
      }
    }

3) The templates directory
nginx.conf.erb

    user nginx nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log crit;
    pid /var/run/nginx/nginx.pid;
    worker_rlimit_nofile 1024;    # ulimit -n

    events {
        use epoll;
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        #charset utf-8;
        server_names_hash_bucket_size 128;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 64k;

        # lower-cased copy of the request URI (needs --with-http_perl_module)
        perl_set $url '
            sub {
                my $r = shift;
                my $re = lc($r->uri);
                return $re;
            }
        ';

        server_tokens off;
        sendfile on;
        autoindex on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;

        # compression
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_vary on;
        #limit_zone crawler $binary_remote_addr 10m;

        # proxy and cache settings
        # maximum size of a single client request body
        client_max_body_size 300m;
        # buffer size for client request bodies
        client_body_buffer_size 128k;
        # timeout for establishing a connection (handshake) to the backend
        proxy_connect_timeout 600;
        # timeout waiting for the backend response once connected
        proxy_read_timeout 600;
        # timeout for sending the request to the backend
        proxy_send_timeout 600;
        # buffer size for the first part of the backend response (headers)
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        # cache paths
        proxy_temp_path /usr/local/nginx/proxy_temp;
        proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=tmpcache:200m inactive=1d max_size=2g;
        # levels: two-level hash directory; cache zone named tmpcache with 200m of shared memory
        # for keys; entries not accessed within 1 day are removed; on-disk cache limited to 2g

        include /etc/nginx/conf.d/*.conf;
    }

nginxd.erb    # nginx init script, used as: service nginxd start

    #!/bin/bash
    # chkconfig: 35 85 15
    # description: nginx is a World Wide Web server.

    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/sbin/nginx"
    prog=$(basename $nginx)
    NGINX_CONF_FILE="/etc/nginx/nginx.conf"
    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
    lockfile=/var/lock/subsys/nginx

    make_dirs() {
        # make required directories: the *-temp-path dirs from the build options,
        # owned by the --user given at configure time
        user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
        options=`$nginx -V 2>&1 | grep 'configure arguments:'`
        for opt in $options; do
            if [ `echo $opt | grep '.*-temp-path'` ]; then
                value=`echo $opt | cut -d "=" -f 2`
                if [ ! -d "$value" ]; then
                    # echo "creating" $value
                    mkdir -p $value && chown -R $user $value
                fi
            fi
        done
    }

    start() {
        [ -x $nginx ] || exit 5
        [ -f $NGINX_CONF_FILE ] || exit 6
        make_dirs
        echo -n $"Starting $prog: "
        daemon $nginx -c $NGINX_CONF_FILE
        retval=$?
        echo
        [ $retval -eq 0 ] && touch $lockfile
        return $retval
    }

    stop() {
        echo -n $"Stopping $prog: "
        killproc $prog -QUIT
        retval=$?
        echo
        [ $retval -eq 0 ] && rm -f $lockfile
        return $retval
    }

    restart() {
        configtest || return $?
        stop
        sleep 1
        start
    }

    reload() {
        configtest || return $?
        echo -n $"Reloading $prog: "
        killproc $nginx -HUP
        RETVAL=$?
        echo
    }

    force_reload() {
        restart
    }

    configtest() {
        $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
        status $prog
    }

    rh_status_q() {
        rh_status >/dev/null 2>&1
    }

    case "$1" in
        start)
            rh_status_q && exit 0
            $1
            ;;
        stop)
            rh_status_q || exit 0
            $1
            ;;
        restart|configtest)
            $1
            ;;
        reload)
            rh_status_q || exit 7
            $1
            ;;
        force-reload)
            force_reload
            ;;
        status)
            rh_status
            ;;
        condrestart|try-restart)
            rh_status_q || exit 0
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
            exit 2
    esac

4. Foreman configuration

    Import the module

[Figure: importing the nginx module in Foreman]

    Here I added it to the hosts as a config group; for a single host you can click nginx under the available classes at the lower right to add it.

[Figure: assigning the nginx class to hosts in Foreman]

    Add the parameter: [Figure: setting the parameter in Foreman]

    Push to the client hosts:

[Figure: Puppet run on the client host]

When it has finished, review the report and make whatever adjustments it calls for.





Permanent link to this article: http://kua0.com/2019/02/07/puppet模块六:nginx模块-linux安全运维_跨零代码/
