1. nginx.conf配置

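user nginx;
# Size the worker pool and CPU pinning from the machine instead of
# hard-coding 8 cores (the old 8-bit affinity masks were only valid on 8 CPUs).
worker_processes auto;
worker_cpu_affinity auto;
# Per-worker open-file ceiling; worker_connections below must stay within it.
worker_rlimit_nofile 65535;
# Uncomment to keep only critical errors (nginx's default level is "error").
#error_log /var/log/nginx/error.log crit;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    # Connections per worker, counting upstream (fastcgi) connections as well.
    worker_connections 65535;
    multi_accept on;
}

http {
    # Field positions used by the awk one-liners later in these notes
    # ($1 client, $4 time, $7 request path, $11 referer) follow this format.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens       off;

    # Request size and timeout limits (short header/body timeouts bound slow clients).
    client_max_body_size  250m;
    client_body_timeout 20s;
    client_header_timeout 20s;
    client_body_buffer_size 256k;
    client_header_buffer_size 16k;
    large_client_header_buffers 4 64k;
    send_timeout 15s;
    keepalive_timeout 60s;
    types_hash_max_size 2048;

    # PHP-FPM (fastcgi) buffering and timeouts, in seconds.
    fastcgi_buffers 256 16k;
    fastcgi_buffer_size 128k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    # Cache file descriptors for frequently served static files.
    open_file_cache max=65535 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;

    # Compression for text-like responses only. JPEG/GIF/PNG are already
    # compressed, so gzipping them burns CPU for no gain and was dropped here.
    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Trust X-Forwarded-For only from the shared-address range used by the
    # upstream load balancer. $remote_addr / $binary_remote_addr are rewritten
    # from it, so the limit_req zone and deny rules in the server config key on
    # the real client. This range must list exactly the trusted proxies: if
    # port 80 is reachable directly, a client could forge the header and be
    # rated/denied as a different address. Add `real_ip_recursive on;` only
    # if the proxy chain appends several trusted hops -- confirm with its docs.
    set_real_ip_from 100.64.0.0/10;
    real_ip_header X-Forwarded-For;

    include /etc/nginx/conf.d/*.conf;
}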

2. server 段配置

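# Rate limiting keyed on the client address (after the real_ip rewrite in nginx.conf).
# zone=vlimit:10m -> 10 MB of shared memory named "vlimit" (tens of thousands of
# address states); rate=30r/s -> 30 requests per second per address.
limit_req_zone $binary_remote_addr zone=vlimit:10m rate=30r/s;

# Two PHP-FPM pools, round-robin. The sockets live on the tmpfs /dev/shm and must
# match the `listen` lines of the corresponding pool files.
upstream php-fpm {
    server unix:/dev/shm/http-php-cgi.sock;
    server unix:/dev/shm/www-php-cgi.sock;
}

server {
    listen       80;
    server_name  xxxxx;

    # Block addresses identified as abusive from the access-log analysis below.
    deny xxx.xxx.xxx.xx;
    access_log  /var/www/logs/access.log  main buffer=32k;
    error_log  /var/www/logs/error.log;

    root         /var/www/wwwroot/xxx;
    index index.html index.htm index.php;

    # Response headers. add_header is inherited by a location only when that
    # location defines no add_header of its own, so keep them all at this level.
    # '*' lets any origin read responses: acceptable only for public,
    # credential-free endpoints -- narrow it if the site uses cookies or tokens.
    add_header 'Access-Control-Allow-Origin' '*';
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
    add_header  X-Content-Type-Options  nosniff;
    # The legacy browser XSS auditor is deprecated and could itself be abused;
    # "0" explicitly disables it (the former "1; mode=block" is no longer advised).
    add_header  X-XSS-Protection "0";
    # Browsers ignore HSTS received over plain HTTP; this header only takes
    # effect once the same site is served from a `listen 443 ssl` server block.
    add_header Strict-Transport-Security max-age=86400;
    #add_header Content-Security-Policy "upgrade-insecure-requests;";
    add_header X-Frame-Options SAMEORIGIN;

    # burst=4: up to 4 requests above the rate are accepted instead of rejected;
    # nodelay serves them at once rather than queueing them (smoother traffic,
    # no added RTT). Requests beyond the burst get limit_req_status.
    limit_req zone=vlimit  burst=4 nodelay;
    # Status returned when the limit is exceeded (429 is the more specific code
    # if clients handle it).
    limit_req_status 503;

    location / {
        # Intentionally empty: static files are served straight from $root.
    }

    # Only hand real PHP scripts to PHP-FPM: ".php" must end a path segment, and
    # the script file must exist on disk. This stops PATH_INFO-style requests for
    # non-existent scripts from being forwarded and executed by the interpreter.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        # httpoxy mitigation: never let a client-supplied Proxy: header reach
        # PHP as HTTP_PROXY.
        fastcgi_param HTTP_PROXY "";
        #fastcgi_pass   127.0.0.1:9000;              # TCP to a single pool
        #fastcgi_pass   unix:/dev/shm/php-cgi.sock;  # single unix socket on tmpfs
        fastcgi_pass   php-fpm;                      # round-robin over the upstream above
        fastcgi_index  index.php;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}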

3. php 优化

找到 php-fpm.d/ 目录，把其中的 www.conf 复制一份（文件名随意）

修改配置

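; Start a new pool named 'www'.
; The second copy of this file MUST use a different pool name on the next line;
; duplicate pool names are rejected by php-fpm.
[www]
; ... other directives unchanged ...
; TCP variant (one pool only):
;listen = 127.0.0.1:9000
; Unix socket on the tmpfs; must match the matching `server unix:` entry in the
; nginx upstream block.
listen = /dev/shm/www-php-cgi.sock
; Let only the nginx worker user (see `user nginx;` in nginx.conf) connect to
; the socket; by default it is created for the pool's own user, and a broader
; mode would expose the FastCGI endpoint to every local account.
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
; ... other directives unchanged ...
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
; Raised for stability under high concurrency over the unix socket; the kernel
; caps this at net.core.somaxconn, so keep that sysctl at least as large.
listen.backlog = 1024
; ... other directives unchanged ...
; Process manager: static, dynamic (the default) or ondemand -- choose per workload.
pm = static
; Note: This value is mandatory.
; Size this to available memory for the chosen pm mode; a rough rule of thumb
; is about 30 MB per PHP worker process.
pm.max_children = 150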

4. 系统内核tcp参数优化

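# --- Routing / anti-spoofing --------------------------------------------
# Not a router: do not forward packets between interfaces.
net.ipv4.ip_forward = 0
# Reverse-path filtering and no source-routed packets. "default" only covers
# interfaces created later; "all" covers the ones that already exist.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# --- Kernel ---------------------------------------------------------------
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# --- SYN handling and accept queues ---------------------------------------
# SYN cookies protect against SYN floods once the backlog fills.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 262144
# Hard cap on any listen() backlog (nginx `listen` and php-fpm listen.backlog).
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144
# Very few retries: fast failure on lossy links, intended for a LAN-facing server.
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1

# --- Socket buffers --------------------------------------------------------
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_mem = 524288 699050 1048576
net.ipv4.tcp_max_orphans = 3276800

# --- TIME_WAIT / FIN handling ------------------------------------------------
net.ipv4.tcp_max_tw_buckets = 6000
# 1 second is extremely aggressive; raise it if connections are torn down
# before peers finish their FIN exchange.
net.ipv4.tcp_fin_timeout = 1
# tcp_tw_reuse relies on TCP timestamps to decide a TIME_WAIT socket is safe to
# reuse. With tcp_timestamps = 0 it is effectively inert, so either keep
# timestamps enabled or drop tcp_tw_reuse; the pair as written does nothing.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle was removed in Linux 4.12 and broke clients behind NAT on
# older kernels; left disabled so `sysctl -p` does not fail on the missing key.
#net.ipv4.tcp_tw_recycle = 1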

4. 系统文件句柄

查看当前限制：ulimit -a

修改

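# Raise the open-file limit for the current shell session only (lost on logout).
ulimit -n 65535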

永久修改

修改 /etc/security/limits.conf（可先用 cat 查看当前内容），这个值可以改大一点，不会影响什么

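# Open-file limits applied by pam_limits at login. The "*" wildcard does not
# cover root, hence the explicit root entries. Services started by systemd do
# not read this file; set LimitNOFILE= in their unit files instead.
root soft nofile 655350
root hard nofile 655350
* soft nofile 655350
* hard nofile 655350
# End of file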

5. 常用大日志分析 awk

access.log 是要分析的日志文件

$1、$2、$3 等字段具体代表什么，取决于你的日志格式（见前面的 log_format main）

22/Sep/2020:21 要按你日志里的时间格式，改成你需要分析的时间点

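# access.log is the file to analyse. Field numbers follow the "main" log_format:
# $1 client address, $4 time, $7 request path, $11 referer. Adjust the
# timestamp pattern (22/Sep/2020:21 = 21:00 hour) to the window of interest.

# Number of distinct client addresses seen in that hour.
awk '$4 ~ /22\/Sep\/2020:21/ {print $1}' access.log | sort -u | wc -l

# Top 10 referers in that minute.
grep '22/Sep/2020:21:01' access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -10

# Top 10 requested paths in that minute.
grep '22/Sep/2020:21:01' access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -10

# Paths requested by one client address. Dots are escaped (an unescaped "."
# matches any character) and the trailing space anchors the full address.
grep '^104\.179\.60\.129 ' access.log | awk '{print $1,$4,$7}'

# Request count per client address, written to log.txt.
awk '{++S[$1]} END {for (a in S) print a, S[a]}' access.log > log.txt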

通过以上方式，你可以看到有多少请求、访问最多的来源是哪些，从而判断是否有非法请求；另外根据每个 IP 的访问次数，可以找出异常 IP，再通过 nginx 的 deny 拒绝其访问

6. 其它

读写分离:如果事务里面包含查询语句,会分配到主实例,尽量缩小事务范围,另外业务流程中如果有update,delete语句也会到主实例,所以考虑下是否需要异步

PHP 看下是否需要升级到较高的版本，新版本有一些语法上的优化。

参考文章 参考文章