
nginx gray-scale releases, website speed limiting and hotlink protection (anti-theft chains)

2024-07-26 09:40:49

I. Gray-scale releases (canary releases)

Gray-scale release is the collective name for methods of upgrading or replacing a product or project with a smooth transition.

Primary role

  • Timely identification of project issues
  • Get early feedback from users to improve the product
  • If the project creates problems, the impact of the problems can be minimized

【1】、Gray scale release based on different IPs

proxy: proxy server

web01: port 80 and port 8001 open

web02: port 80 and port 8002 open

Port 80 (old service)

Port 800x (test service)

In nginx on the proxy we create upstream clusters and use if conditions to separate the new business from the old, distinguishing clients by IP address: one IP sees new business 1, another IP sees new business 2, and every other IP sees the old business.

# Modify the nginx configuration file
# Create 3 clusters
    upstream s8001{
        server 192.168.121.171:8001;
    }
    upstream s8002{
        server 192.168.121.172:8002;
    }
    # The following is the old service
    upstream default{
        server 192.168.121.171:80;
        server 192.168.121.172:80;
    }
    server {
        listen 80;
        server_name localhost;
        # set defines a variable; here $group starts as "default"
        set $group "default";
        # Use if conditions to give $group a different value depending on the client IP
        if ($remote_addr ~ "192.168.121.171"){
            set $group s8001;
        }
        if ($remote_addr ~ "192.168.121.172"){
            set $group s8002;
        }
        #charset koi8-r;

        #access_log logs/ main;

        location / {
            # Different values of $group send the request to different clusters
            proxy_pass http://$group;
            root html;
            index ;
        }
    }

Configuring web01

Create a virtual host in web01 listening on port 8001.

server{
        listen 8001;
        server_name localhost;
        root html8001;
        index ;
    }
[root@web01 nginx]# mkdir html8001
[root@web01 nginx]# 
[root@web01 nginx]# echo web01-8001 > html8001/
[root@web01 nginx]# echo web01-80 > html/
[root@web01 nginx]# sbin/nginx

Configuring web02

Create a virtual host in web02 listening on port 8002.

server{
        listen 8002;
        server_name localhost;
        root html8002;
        index ;
    }
[root@web02 nginx]# mkdir html8002
[root@web02 nginx]# echo web02-8002 > html8002/
[root@web02 nginx]# echo web02-80 > html/
[root@web02 nginx]# sbin/nginx 

Run a test

Expected results

When we access the proxy from the IP 192.168.121.171, we see the new business on web01

When we access the proxy from the IP 192.168.121.172, we see the new business on web02

When we access the proxy from any other IP, we see the old business on web01 and web02 in round-robin order

root@proxy[19:30:15]:/usr/local/nginx
$ curl 192.168.121.170
web01-80
root@proxy[19:30:15]:/usr/local/nginx
$ curl 192.168.121.170
web02-80
[root@web01 nginx]# curl 192.168.121.170
web01-8001
[root@web01 nginx]# curl 192.168.121.170
web01-8001
[root@web02 nginx]# curl 192.168.121.170
web02-8002
[root@web02 nginx]# curl 192.168.121.170
web02-8002
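
The same IP-based split can be expressed with the geo module instead of regex if blocks. This is an added example, not part of the original post: it reuses the upstream names and addresses from the configuration above, and the log format name canary and the file logs/canary.log are assumptions.

```nginx
# Added example for the http context; not the original post's configuration.
upstream s8001   { server 192.168.121.171:8001; }
upstream s8002   { server 192.168.121.172:8002; }
upstream default { server 192.168.121.171:80; server 192.168.121.172:80; }

# geo compares the client address exactly (or against a CIDR range), so no
# regex is involved: "." cannot match an arbitrary character and there is no
# unanchored partial match. It keys on $remote_addr, the TCP peer address,
# which a client cannot set through a request header.
geo $group {
    default          default;   # everyone else stays on the old service
    192.168.121.171  s8001;     # canary group 1
    192.168.121.172  s8002;     # canary group 2
}

# Assumed log format: records which upstream group and backend served each
# request, so the split can be audited after the fact.
log_format canary '$remote_addr group=$group upstream=$upstream_addr '
                  '"$request" $status';

server {
    listen 80;
    server_name localhost;
    access_log logs/canary.log canary;   # assumed path

    location / {
        # With a variable in proxy_pass, nginx first looks for an upstream
        # block with that name, so $group selects one of the three clusters.
        proxy_pass http://$group;
    }
}

# If another load balancer sits in front of this proxy, $remote_addr is the
# balancer's address for every request. Restore the client address with the
# realip module and trust only that balancer (set_real_ip_from); do not key
# the canary decision on a client-supplied header.
```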

【2】、Gray-scale release based on user ID

A website can have many users logging in, but each user has a unique user ID. We can distinguish users by their ID and use that to decide who gets the gray-scale release.

Prepare a test site

root@proxy[21:41:36]:~
$ ll  
-rw-r--r--. 1 root root 158156 Jun 24 19:49 
root@proxy[21:41:46]:~
$ cp -r php-memcached-demo/* /usr/local/nginx/html/

Modify the web page source code ()

If the username begins with abc, clicking start jumps to 192.168.121.171

If not, clicking start jumps to 192.168.121.172

This achieves a gray-scale release

Welcome : <?php
// Usernames that start with abc are sent to 192.168.121.171, all others to 192.168.121.172
if (preg_match("/^abc/", $_SESSION['login_user'])) {
    echo "<a href='http://192.168.121.171'>start</a>";
}
else
{
    echo "<a href='http://192.168.121.172'>start</a>";
}
?>

II. Website speed limit

  • Larger number of files to be shared
  • Limited bandwidth on the server itself
  • Frequent hacking attacks
  • Maximize business benefits

Speed limit

limit_rate 50k; limits the speed to 50k, regardless of the bandwidth given by the carrier.

【1】、Global Speed Limit

# Modify the nginx configuration file and add the following inside the http block. Written in http (outside any server), it is a global speed limit; written inside a server, it limits only that virtual host
#gzip on;
limit_rate 100k;
server {
listen 80;
server_name localhost;
...
}
# Run a speed test
[root@web01 nginx]# wget http://192.168.121.171/
--2024-06-24 22:22:28 -- http://192.168.121.171/
Connecting to 192.168.121.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: ''

                           2%[>] 2.44M 99.7KB/s eta 16m 38s

【2】、Local speed limits

If there is a global limit and no local limit, the global limit applies

If there is both a global limit and a local limit, the local limit applies

limit_rate 0k; 0k means no speed limit

limit_rate 100k; # global speed limit
    server {
        limit_rate 200k; # Local limit for this virtual server
        listen 80;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/ main;
        location /file_a{
        limit_rate 300k; # speed limit for a directory
        }
        location /file_b{
        limit_rate 0k; # 0k means no speed limit
        }
    }

【3】、Speed Limit Bug-Breaking the Limit

Above we set a speed limit, but there is a bug.

Suppose the file_a directory holds two files and I download both at the same time. Each download runs at about 300k, so in total I am pulling about 600k from the server, which effectively bypasses our speed limit.

So we need to add another limit so that the number of simultaneous connections can only be 1.

# Modify the nginx configuration file
limit_conn_zone $binary_remote_addr zone=addr:10m; # Set up the connection limit zone
    #gzip on;
    limit_rate 100k;
    server {
        limit_rate 200k;
        listen 80;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/ main;
        location /file_a{
        limit_rate 300k;
        limit_conn addr 1; # Enable the connection limit
        }
    }
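
The connection cap above, written out with the response code and logging an operator would use to spot clients hitting it. This is an added example, not the original post's configuration: the zone name addr and the /file_a and /file_b locations come from the post, while the 429 status, the warn level and the 1m threshold are assumed values.

```nginx
# Added example for the http context.
# One shared-memory zone keyed by the binary client address.
limit_conn_zone $binary_remote_addr zone=addr:10m;

# Rejected requests get 503 by default; 429 keeps throttling distinguishable
# from a real outage in access logs and monitoring.
limit_conn_status 429;
# Each rejection writes 'limiting connections by zone "addr"' with the client
# address to the error log at this level.
limit_conn_log_level warn;

limit_rate 100k;                 # global default per request

server {
    listen 80;
    server_name localhost;
    limit_rate 200k;             # overrides the global value for this host

    location /file_a {
        limit_conn addr 1;       # one request in flight per client address
        limit_rate_after 1m;     # first 1 MB unthrottled (assumed value)
        limit_rate 300k;         # then 300k per request
        # limit_rate applies per request, so the ceiling per client address
        # is limit_conn x limit_rate = 1 x 300k. Without limit_conn, N
        # parallel downloads would get N x 300k.
    }

    location /file_b {
        limit_rate 0k;           # no rate limit, and no connection cap here
    }
}

# Clients behind one NAT address share the single slot, so a value of 1
# also blocks a second legitimate user from the same address.
```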

III. Anti-theft chains (hotlink protection)

Hotlinking is when one website links directly to resources hosted on another website, taking content from that site and presenting it on its own.

Therefore, we configure hotlink protection so that other websites cannot take our data by linking to it.

How it works:

This is implemented with the valid_referers directive. Referer is a request header that identifies the address from which the visitor came to my site. We can configure nginx so that only requests whose Referer is our own IP address, or requests with no Referer, can see the page; everything else is refused.
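
An added example (not from the original post) that scopes the Referer check to embeddable files, so ordinary page links from other sites still work; the list of file extensions is an assumption. Because the Referer header is supplied by the client, this stops casual embedding by browsers but is not access control for sensitive files.

```nginx
# Added example; server name and allowed address follow the post.
server {
    listen 80;
    server_name localhost;

    # Pages stay reachable from any inbound link. Only files that other
    # sites would embed (images, styles, scripts) are checked.
    location ~* \.(gif|jpe?g|png|webp|css|js)$ {
        # none         = the request has no Referer header at all
        #                (typed URL, bookmark, privacy settings)
        # blocked      = a Referer is present but a proxy or firewall
        #                removed its http:// or https:// prefix
        # server_names = any name listed in server_name for this server
        valid_referers none blocked server_names 192.168.121.171;

        # $invalid_referer is empty when the Referer matched one of the
        # values above and "1" otherwise.
        if ($invalid_referer) {
            return 403;
        }
    }
}

# The default combined access log format already records the Referer, so
# 403 responses for these extensions show which sites are embedding the files.
```

The post's own configuration, which applies the check to the whole server, follows.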

 server {
        listen 80;
        server_name localhost;
        valid_referers none 192.168.121.171; # Only requests with an empty Referer or a Referer from 192.168.121.171 can access the site
        if ($invalid_referer){
            return 403; # Everything else gets a 403 error
        }
        charset utf8;