ES-nginx 长连接和权限配置
2017-11-10 本文已影响0人
YG_9013
长连接配置
events {
worker_connections 1024;
}
http {
keepalive_timeout 120s 120s;
keepalive_requests 10000;
upstream elasticsearch {
server 127.0.0.1:9200;
keepalive 15;
}
server {
listen 8080;
location / {
proxy_pass http://elasticsearch;
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
}
}
}
当你直接向es发送请求,你可以看到连接数是增加的:
$ curl 'localhost:9200/_nodes/stats/http?pretty' | grep total_opened
# "total_opened" : 13
$ curl 'localhost:9200/_nodes/stats/http?pretty' | grep total_opened
# "total_opened" : 14
# ...
通过nginx访问,结果如下:
$ curl 'localhost:8080/_nodes/stats/http?pretty' | grep total_opened
# "total_opened" : 15
$ curl 'localhost:9200/_nodes/stats/http?pretty' | grep total_opened
# "total_opened" : 15
# ...
- keepalive_timeout
超时时间设置,默认是75s。 - keepalive_requests
一个keepalive连接可处理的请求数量。当请求数量达到时,连接被关闭。默认是100。 - proxy_http_version
HTTP协议中对长连接的支持是从1.1版本之后才有的,最好指定一下版本。 - upstream中的keepalive
设置到upstream服务器的空闲keepalive连接的最大数量。如果空闲的keepalive连接大于该值,最近使用最少的连接将会被关闭。keepalive指令不会限制一个nginx worker进程到upstream服务器连接的总数量
出现大量TIME_WAIT的情况:
1. keepalive_requests设置比较小,高并发下超过此值后nginx会强制关闭和客户端保持的keepalive长连接;(主动关闭连接后导致nginx出现TIME_WAIT)
2. keepalive设置的比较小(空闲数太小),导致高并发下nginx会频繁出现连接数震荡(超过该值会关闭连接),不停的关闭、开启和后端server保持的keepalive长连接;
授权认证
events {
worker_connections 1024;
}
http {
upstream elasticsearch {
server 127.0.0.1:9200;
}
server {
listen 8080;
auth_basic "Protected Elasticsearch";
auth_basic_user_file passwords;
location / {
proxy_pass http://elasticsearch;
proxy_redirect off;
}
}
}
通过openssl生成用户名密码:
printf "john:$(openssl passwd -crypt s3cr3t)n" > passwords
通过不通过密码访问:
$ curl -i localhost:8080
# HTTP/1.1 401 Unauthorized
# ...
通过密码访问:
$ curl -i john:s3cr3t@localhost:8080
# HTTP/1.1 200 OK
# ...
限制某些命令:
location / {
if ($request_filename ~ _shutdown) {
return 403;
break;
}
proxy_pass http://elasticsearch;
proxy_redirect off;
}
