How do you add the sticky module to Nginx?

Nginx

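1 Background

1.1 About the module

– The "nginx-sticky-module-ng" module adds a sticky cookie so that a client is always forwarded to the same upstream server
– With multiple backend servers, the "nginx-sticky-module-ng" module keeps a persistent session with the same backend server
– The "nginx-sticky-module-ng" module covers the scenario where "ip_hash" fails because multiple browsers share the same IP address

1.2 How the module works

– The "nginx-sticky-module-ng" module uses a cookie to track the upstream server, which makes each browser unique
– When the "nginx-sticky-module-ng" module cannot be used, it falls back to the Round Robin upstream or returns "Bad Gateway"
Note: whether it falls back to the Round Robin upstream or returns "Bad Gateway" is determined by the no_fallback flag

1.3 Limitations of the module

– The "nginx-sticky-module-ng" module requires cookie support in the browser; without it the module cannot be used.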

2 Best practice

2.1 Environment setup

2.1.1 System environment

IP Address = 10.168.0.154
Host Name = any.cmdschool.org
OS = CentOS 7.3 x86_64

2.1.2 Installing build dependencies with yum

yum -y install gcc gcc-c++ make expat-devel
yum -y install rpm-build redhat-lsb
yum -y install vim wget

2.1.3 Creating the build user

useradd -u 1001 builder

2.1.4 Disabling SELinux

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

2.2 Building the RPM package

2.2.1 Downloading the sources

su - builder
cd ~
wget https://nginx.org/packages/rhel/7/SRPMS/nginx-1.20.1-1.el7.ngx.src.rpm
wget https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/1.2.6.tar.bz2 -O nginx-sticky-module-ng_1.2.6.tar.bz2

Other versions can be downloaded from the following links:
http://nginx.org/packages/
https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/downloads/?tab=tags

2.2.2 Unpacking the source RPM and testing the build environment

rpm -ivh nginx-1.20.1-1.el7.ngx.src.rpm
rpmbuild -bb rpmbuild/SPECS/nginx.spec

If you see a message like this,

error: Failed build dependencies:
        openssl-devel >= 1.0.2 is needed by nginx-1:1.20.1-1.el7.ngx.x86_64
        zlib-devel is needed by nginx-1:1.20.1-1.el7.ngx.x86_64
        pcre-devel is needed by nginx-1:1.20.1-1.el7.ngx.x86_64

resolve the package dependencies first and then retry:

exit
yum -y install openssl-devel zlib-devel pcre-devel

2.2.3 Preparing the nginx-sticky-module-ng module

tar -xf nginx-sticky-module-ng_1.2.6.tar.bz2
cp -a nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d/ rpmbuild/BUILD/nginx-sticky-module-ng

2.2.4 Modifying the spec file

cd rpmbuild/SPECS
cp nginx.spec nginx.spec.orig

Edit the spec file,

vim nginx.spec

find the line containing the following keyword,

%define BASE_CONFIGURE_ARGS

and add the following argument to that line,

--add-module=../nginx-sticky-module-ng
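
The edit from 2.2.4 as a repeatable script (an added example, not part of the original article): it appends the argument only once and fails when the line is not found. It assumes the BASE_CONFIGURE_ARGS line ends with `")`, as in the constructed sample line; the function name add_module_arg is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article.
# add_module_arg SPEC [MODULE_DIR]
#   Appends --add-module=MODULE_DIR to the BASE_CONFIGURE_ARGS line of SPEC.
#   Returns 0 when the argument is present afterwards, non-zero otherwise.
add_module_arg() {
    local spec="$1" mod="${2:-../nginx-sticky-module-ng}"
    local arg="--add-module=${mod}"
    # Exactly one define line is expected; refuse to guess otherwise.
    [ "$(grep -c '^%define BASE_CONFIGURE_ARGS ' "$spec")" -eq 1 ] || return 1
    # Idempotent: do nothing when the argument is already on that line.
    if grep '^%define BASE_CONFIGURE_ARGS ' "$spec" | grep -qF -- "$arg"; then
        return 0
    fi
    # Keep the pristine copy the article creates by hand, without clobbering it.
    [ -e "$spec.orig" ] || cp -p "$spec" "$spec.orig"
    # Assumed layout: the line ends with ") closing $(echo "...").
    sed -i "/^%define BASE_CONFIGURE_ARGS /s|\")[[:space:]]*\$| ${arg}\")|" "$spec"
    # Verify the edit landed; a different layout leaves the file unchanged.
    grep '^%define BASE_CONFIGURE_ARGS ' "$spec" | grep -qF -- "$arg"
}

# Demo on a constructed two-line spec fragment (not the real nginx.spec).
demo_spec=$(mktemp)
printf '%s\n' 'Name: nginx' \
    '%define BASE_CONFIGURE_ARGS $(echo "--prefix=%{_sysconfdir}/nginx --with-stream_ssl_preread_module")' \
    > "$demo_spec"
add_module_arg "$demo_spec" && grep '^%define BASE_CONFIGURE_ARGS ' "$demo_spec"
```
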

2.2.5 Rebuilding the RPM package

diff -uN nginx.spec.orig nginx.spec > nginx-sticky-module-ng.patch
patch -p0 < nginx-sticky-module-ng.patch

If the following prompt appears, answer as shown,

patching file nginx.spec
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 64.
1 out of 1 hunk FAILED -- saving rejects to file nginx.spec.rej

Then finish the rebuild:

rpmbuild -bb nginx.spec
exit

If you see the following errors,

../nginx-sticky-module-ng/ngx_http_sticky_misc.c: In function 'ngx_http_sticky_misc_md5':
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:152:15: error: 'MD5_DIGEST_LENGTH' undeclared (first use in this function)
   u_char hash[MD5_DIGEST_LENGTH];
               ^
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:152:15: note: each undeclared identifier is reported only once for each function it appears in
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:152:10: error: unused variable 'hash' [-Werror=unused-variable]
   u_char hash[MD5_DIGEST_LENGTH];
          ^
../nginx-sticky-module-ng/ngx_http_sticky_misc.c: In function 'ngx_http_sticky_misc_hmac_md5':
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:189:15: error: 'MD5_DIGEST_LENGTH' undeclared (first use in this function)
   u_char hash[MD5_DIGEST_LENGTH];
               ^
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:190:12: error: 'MD5_CBLOCK' undeclared (first use in this function)
   u_char k[MD5_CBLOCK];
            ^
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:190:10: error: unused variable 'k' [-Werror=unused-variable]
   u_char k[MD5_CBLOCK];
          ^
../nginx-sticky-module-ng/ngx_http_sticky_misc.c:189:10: error: unused variable 'hash' [-Werror=unused-variable]
   u_char hash[MD5_DIGEST_LENGTH];
          ^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/nginx-sticky-module-ng/ngx_http_sticky_misc.o] Error 1
make[1]: Leaving directory `/home/builder/rpmbuild/BUILD/nginx-1.20.1'
make: *** [build] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.mo5WCM (%build)

you can edit the file with the following commands,

su - builder
vim ~/rpmbuild/BUILD/nginx-sticky-module-ng/ngx_http_sticky_misc.c

and add the includes,

#include <nginx.h>
#...
#include <openssl/sha.h>
#include <openssl/md5.h>
#...

2.3 Configuring the Nginx service

2.3.1 Installing the nginx package

cd /home/builder/rpmbuild/RPMS/x86_64/
yum -y install nginx-1.20.1-1.el7.ngx.x86_64.rpm

2.3.2 Confirming the module is enabled

nginx -V

The output looks like this:

nginx version: nginx/1.20.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=../nginx-sticky-module-ng --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

The configure arguments include the module:

--add-module=../nginx-sticky-module-ng

2.3.3 Starting the service and enabling it at boot

systemctl start nginx.service
systemctl enable nginx.service

2.3.4 Configuring the firewall

firewall-cmd --permanent --add-service http --add-service https
firewall-cmd --reload
firewall-cmd --list-all

2.3.5 Adding a test configuration

vim /etc/nginx/conf.d/default.conf

Add the following lines:

#...
upstream exchange-rpc {
    zone exchange-rpc 64k;
    server excmail01.cmdschool.org:443;
    server excmail02.cmdschool.org:443;
    sticky;
}
#...
server {
    [..]
    location /rpc/rpcproxy.dll {
        proxy_pass https://exchange-rpc;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Connection "Keep-Alive";
    }
    [..]
}

2.3.6 Validating the configuration file

nginx -t

The following output is the expected result,

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

2.3.7 Reloading the service to apply the configuration

systemctl reload nginx.service
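
To check the cookie issued by the `sticky;` directive from 2.3.5, the following added example (not part of the original article) audits response headers for the sticky cookie's `Secure` and `HttpOnly` attributes, which the module sets when the directive carries its `secure` and `httponly` options. The function name audit_sticky_cookie and the sample headers are constructed for illustration; `route` is the module's default cookie name.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article.
# audit_sticky_cookie [NAME]
#   Reads HTTP response headers on stdin and prints one status line.
#   Exit status: 0 = Secure and HttpOnly present, 1 = attribute missing,
#                2 = no Set-Cookie header for NAME.
audit_sticky_cookie() {
    local name="${1:-route}"
    awk -v name="$name" '
        BEGIN { rc = 2; msg = name ": no Set-Cookie header for this name" }
        {
            sub(/\r$/, "")                        # headers arrive with CRLF
            if (tolower($0) !~ /^set-cookie:/) next
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)        # drop the header name
            sub(/[ \t]+$/, "", line)
            n = split(line, part, /[ \t]*;[ \t]*/)
            if (index(part[1], name "=") != 1) next   # some other cookie
            has["secure"] = 0; has["httponly"] = 0
            for (i = 2; i <= n; i++) has[tolower(part[i])] = 1
            missing = ""
            if (!has["secure"])   missing = missing " Secure"
            if (!has["httponly"]) missing = missing " HttpOnly"
            if (missing == "") { rc = 0; msg = name ": OK (Secure, HttpOnly)" }
            else               { rc = 1; msg = name ": missing" missing }
            exit                                  # first matching cookie decides
        }
        END { print msg; exit rc }
    '
}

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.20.1
Set-Cookie: route=0f1e2d3c4b5a69788796a5b4c3d2e1f0; Path=/
Content-Type: text/html'
printf '%s\n' "$SAMPLE_HEADERS" | audit_sticky_cookie route || true
```

Pipe the output of `curl -sI` for a proxied URL into the function to audit a live deployment.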

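See also
======================
Using unofficial modules
------------------------
https://serverfault.com/questions/832790/sticky-sessions-with-nginx-proxy

Third-party modules recommended by Nginx
----------------------------------------
https://www.nginx.com/resources/wiki/modules/

Sticky module repositories
--------------------------
https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/src/master/
https://github.com/lusis/nginx-sticky-module

Error handling
--------------
https://blog.csdn.net/zhaikaiyun/article/details/113110734

Usage of the official nginx module (its usage differs from the open-source module described in this article, and it is only supported in the commercial edition)
--------------------------------------------------------------------------------
https://docs.nginx.com/nginx/deployment-guides/load-balance-third-party/microsoft-exchange/
http://nginx.org/en/docs/http/ngx_http_upstream_module.html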
