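--- a/сервис_http	[2022/09/26 06:19] val [NGINX]
+++ b/сервис_http	[2024/05/07 14:23] val [Нагрузочное тестирование]
@@ -87,3 +87,3 @@
 ==== CentOS ====
-* Сервис Firewall [[Сервис Firewall#CentOS 7]]
+* Сервис Firewall [[Сервис Firewall#CentOS]]
 <code>
@@ -539,3 +539,5 @@
 ===== Поддержка протокола HTTPS =====
+* [[Letsencrypt Certbot]]
+* [[https://stackoverflow.com/questions/31370454/sslcertificatechainfile-is-obsolete|SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file]]
 ==== Debian/Ubuntu ====
 <code>
@@ -813,2 +815,44 @@
 [[http://grolmsnet.de/kerbtut/firefox.html]]
+
+==== Управление доступом к HTTP серверу с использованием OpenID аутентификации ====
+
+* [[https://github.com/zmartzone/mod_auth_openidc/wiki/GitLab-OAuth2]]
+* [[Инструмент GitLab#Сервер OpenID]] из GitLab
+* [[Сервис Keycloak]]
+
+* [[https://www.janua.fr/using-apache2-mod_auth_openidc-module-with-keycloak-openid-connect/|Using apache2 mod_auth_openidc module with Keycloak (OpenID Connect)]]
+
+<code>
+gate# apt install libapache2-mod-auth-openidc
+</code><code>
+# cat /etc/apache2/conf-available/serve-cgi-bin.conf
+</code><code>
+...
+<IfDefine ENABLE_USR_LIB_CGI_BIN>
+
+## GitLab
+OIDCSSLValidateServer Off
+OIDCProviderMetadataURL https://server.corpX.un/.well-known/openid-configuration
+OIDCRedirectURI http://gate.corpX.un/cgi-bin/test-cgi
+OIDCClientID e...............................................4 #Application ID
+OIDCClientSecret 7.................................................4 #Secret
+OIDCCryptoPassphrase anystring
+
+## Keycloak
+OIDCSSLValidateServer Off
+OIDCProviderMetadataURL https://keycloak.corpX.un/realms/corpX/.well-known/openid-configuration
+OIDCRedirectURI http://gate.corpX.un/cgi-bin/test-cgi
+#OIDCClientID test-cgi
+OIDCClientID any-client
+OIDCCryptoPassphrase anystring
+...
+#Require all granted
+AuthType openid-connect
+Require valid-user
+...
+</code><code>
+# a2enmod auth_openidc
+</code><code>
+Проверка: http://gate.corpX.un/cgi-bin/test-cgi/ !!! Последний / обязательно !!!
+</code>
 ===== Протокол WebDAV =====
@@ -848,2 +892,3 @@
 * [[https://mail.bmstu.ru:9100/~val/Mastering%20NGINX%20RUS.pdf]]
+* [[https://blog.sefdar.ru/nginx-%D0%BF%D0%B5%D1%80%D0%B5%D0%BD%D0%B0%D0%BF%D1%80%D0%B0%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F-proxy_redirect-%D0%B8-redirect/|NGINX перенаправления proxy_redirect и redirect]]
 <code>
@@ -863,12 +908,17 @@
 }
 }
-</code><code>
+</code>
+=== Подключение, тестирование, применение и мониторинг конфигурации ===
+<code>
 # ln -s /etc/nginx/sites-available/user1 /etc/nginx/sites-enabled/user1
 # service nginx configtest
-
 # tail /var/log/nginx/error.log
 или
-# nginx -t -c /etc/nginx/nginx.conf
+# nginx -t #-c /etc/nginx/nginx.conf
+или
+# nginx -T
 # service nginx restart
+
+# tail -f /var/log/nginx/access.log -f /var/log/nginx/error.log
 </code><code>
 gate.isp.un$ wget -O - -q http://server.corpX.un
@@ -895,6 +945,6 @@
 }
 }
-</code><code>
-# ln -s /etc/nginx/sites-available/myapp1 /etc/nginx/sites-enabled/myapp1
 </code>
+
+* [[#Подключение, тестирование, применение и мониторинг конфигурации]]
 ==== Прокси "красивого" URL в приложение (пример 3) ====
@@ -903,10 +953,11 @@
 <code>
 # host mail
-mail.corpX.un is an alias for server.corpX.un.
-server.corpX.un has address 192.168.X.10
-
 # host webd
-webd.corpX.un has address 192.168.X.10
+# host www
+# host autoconfig
+# host corpX.un
+
+... has address 192.168.X.10
-root@server# cat /var/opt/gitlab/nginx/conf/my.conf
+root@server# cat /var/opt/gitlab/nginx/conf/corpX.conf
 </code><code>
 server {
@@ -922,13 +973,34 @@
 listen 80;
 server_name mail.corpX.un;
+return 301 http://server.corpX.un:81/mail;
+# return 301 http://gate.corpX.un:81/mail;
+}
+server {
+listen 80;
+server_name corpX.un www.corpX.un;
 location / {
-proxy_pass http://server.corpX.un:81/mail/;
+proxy_pass http://server.corpX.un:81/;
 }
 }
+# server {
+# listen 80;
+# server_name autoconfig.corpX.un;
+# location / {
+# proxy_pass http://gate.corpX.un:81/;
+# }
+# }
 </code><code>
-root@server# cat /var/opt/gitlab/nginx/conf/nginx.conf
+# cat /etc/gitlab/gitlab.rb
 </code><code>
 ...
-include /var/opt/gitlab/nginx/conf/my.conf;
+nginx['custom_nginx_config'] = "include /var/opt/gitlab/nginx/conf/corpX.conf;"
+...
+</code>
+* [[Инструмент GitLab#Проверка конфигурации и перезапуск]]
+<code>
+root@server# less /var/opt/gitlab/nginx/conf/nginx.conf
+</code><code>
+...
+include /var/opt/gitlab/nginx/conf/corpX.conf;
 }
 </code><code>
@@ -938,2 +1010,66 @@
 root@server# gitlab-ctl restart nginx
 </code>
+
+==== HTTPS Прокси (пример 4) ====
+
+<code>
+gate1# cat /etc/nginx/sites-available/gowebd
+</code><code>
+server {
+listen 80;
+server_name gowebd.corpX.un;
+return 301 https://gowebd.corpX.un$request_uri;
+}
+
+server {
+listen 443 ssl;
+server_name gowebd.corpX.un;
+ssl_certificate /root/gowebd.crt;
+ssl_certificate_key /root/gowebd.key;
+
+location / {
+# proxy_pass http://192.168.X.10:8000;
+# proxy_pass http://192.168.X.64;
+
+# proxy_set_header Host $host;
+# proxy_set_header X-Forwarded-For $remote_addr;
+
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-Port $server_port;
+}
+}
+</code>
+
+
+* [[#Подключение, тестирование, применение и мониторинг конфигурации]]
+
+===== Нагрузочное тестирование =====
+
+* [[Сервис INETD]]
+
+==== curl ====
+
+* [[https://www.aloneguid.uk/posts/2022/09/curl-stress-testing/|Stress Testing with cURL]]
+
+<code>
+userX@gate.isp.un$ seq 1 1000 | xargs -P100 -I{} curl http://192.168.X.10:8000/path{} > /dev/null 2>&1
+</code>
+
+==== wrk ====
+
+* [[https://github.com/wg/wrk|wrk - a HTTP benchmarking tool]]
+
+==== vegeta ====
+
+* [[https://lindevs.com/install-vegeta-on-ubuntu|Install Vegeta on Ubuntu 20.04]]
+* [[https://github.com/tsenart/vegeta/releases|github/tsenart/vegeta/releases]]
+* [[https://val.bmstu.ru/unix/WWW/vegeta_12.11.0_linux_amd64.tar.gz]]
+
+<code>
+external-host# curl http://192.168.13.10:8000
+
+external-host# echo "GET http://192.168.13.10:8000" | vegeta attack -duration=20s -rate=100 | vegeta report
+
+server# tail -f /var/log/syslog
+</code>
+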
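Review bot: In the added OpenID section, both the GitLab and the Keycloak stanza set `OIDCSSLValidateServer Off` and register an `http://` `OIDCRedirectURI`, so the gateway accepts any certificate presented as the identity provider and the authorization response and session cookie travel unencrypted. For a lab with a private CA the page should instead tell readers to add that CA to the gateway's trust store and keep `OIDCSSLValidateServer On`, with `OIDCRedirectURI https://gate.corpX.un/cgi-bin/test-cgi` served from a TLS virtual host. `OIDCCryptoPassphrase anystring` reads as a usable value; a comment line such as `# long random value, e.g. from: openssl rand -base64 32` above it would make clear that it protects the session state. The trailing `#Application ID` and `#Secret` remarks sit on the directive lines, where Apache does not treat them as comments, so they belong on lines of their own.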