Deploying Nginx on a Virtual Machine

Deploy Nginx so that KAE can be enabled for Nginx in synchronous or asynchronous mode.

  1. Install the dependencies on the VM.
    yum install -y openssl openssl-devel pcre pcre-devel zlib zlib-devel gcc make
  2. If the server can access the network, download the Nginx source directly with wget, then upload the Nginx source to the “/home” directory of the VM with scp.
    wget https://nginx.org/download/nginx-1.21.5.tar.gz --no-check-certificate

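    If the VM cannot access the network, download the local-repository ISO image from the official openEuler community, mount the ISO image on a directory in the VM (for example “/iso/”), and then download the Nginx source package to the “/home” directory in the VM.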

    mount openEuler-22.03-LTS-SP3-everything-aarch64-dvd.iso /iso/
  3. Deploy Nginx.
    tar -zxvf nginx-1.21.5.tar.gz
    cd nginx-1.21.5/
    chmod 755 configure
    ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
    make -j 60 && make install
    • -j 60: makes full use of multiple CPU cores to speed up compilation.
    • The number of CPU cores can be checked with the lscpu command.
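  4. Generate the OpenSSL certificate.

    See the “Generating an OpenSSL Certificate” section of the Nginx Porting Guide.

    If generating the OpenSSL certificate reports “unable to find 'distinguished_name' in config”, this is a conflict with the export OPENSSL_CONF=/home/openssl.cnf command executed in 7.c when verifying KAE performance. See “Error When Generating the OpenSSL Certificate While Deploying Nginx on the VM During vKAE Deployment” to resolve the problem.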

  5. Check the Nginx installation directory.
    ls /usr/local/nginx
  6. Confirm that the Nginx version is the target version.
    /usr/local/nginx/sbin/nginx -v
  7. Configure and start native Nginx without enabling KAE.
    1. Open the Nginx configuration file.
      cd /usr/local/nginx/conf
      vim nginx.conf
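    2. Press “i” to enter edit mode and copy the following content into the Nginx configuration file.

      The following is the content of the native Nginx configuration file nginx.conf. This configuration has not been tuned in any way and does not enable KAE.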

      user  root;
      worker_processes  auto;
      
      #worker_processes  10;
      #worker_cpu_affinity 
      #10000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #100000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #1000000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #10000000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #;
      
      #error_log  logs/error.log;
      #error_log  logs/error.log  notice;
      #error_log  logs/error.log  info;
      
      #pid        logs/nginx.pid;
      
      events {
          worker_connections  1024;
      }
      
      http {
          include       mime.types;
          default_type  application/octet-stream;
      
          #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
          #                  '$status $body_bytes_sent "$http_referer" '
          #                  '"$http_user_agent" "$http_x_forwarded_for"';
      
          #access_log  logs/access.log  main;
      
          sendfile        on;
          #tcp_nopush     on;
      
          #keepalive_timeout  0;
          keepalive_timeout  65;
      
          #gzip  on;
      
          server {
              listen       10000;
              server_name  localhost;
      
              #charset koi8-r;
      
              #access_log  logs/host.access.log  main;
      
              location / {
                  root   html;
                  index  index.html index.htm;
              }
      
              #error_page  404              /404.html;
      
              # redirect server error pages to the static page /50x.html
              #
              error_page   500 502 503 504  /50x.html;
              location = /50x.html {
                  root   html;
              }
          }
      
          # HTTPS server
          #
          server {
              listen       20000 ssl;
              server_name  localhost;
      
              ssl_certificate      /usr/local/nginx/server_2048.crt;
              ssl_certificate_key  /usr/local/nginx/server_2048.key;
      
              ssl_session_cache    shared:SSL:1m;
              ssl_session_timeout  5m;
      
              ssl_ciphers  HIGH:!aNULL:!MD5;
              ssl_prefer_server_ciphers  on;
      
              location / {
                  root   html;
                  index  index.html index.htm;
              }
          }
      
      }

      Here, the HTTP listening port is 10000 and the HTTPS listening port is 20000.

    3. Press “Esc”, type :wq!, and press “Enter” to save and exit.
    4. Run native Nginx and check whether it has started.
      /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
      ps -ef | grep nginx

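      If the output shows Nginx processes, Nginx has started.

      As the output shows, nginx.conf sets worker_processes to auto, and 8 Nginx worker processes are created, exactly the total number of cores of the 8C16G VM. The worker_processes value can also be set according to actual needs.

      Several ways to restart and stop Nginx:

      • Restart Nginx.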
        sudo systemctl restart nginx
      • Gracefully restart Nginx.
        sudo nginx -s reload
      • Stop Nginx.
        /usr/local/nginx/sbin/nginx -s quit
        or
        /usr/local/nginx/sbin/nginx -s stop
  8. Configure KAE + Nginx synchronous mode.
    1. In the “/usr/local/nginx/conf” directory, create a configuration file named nginx_kae.conf.
      vim nginx_kae.conf
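    2. Press “i” to enter edit mode and copy the following content into the Nginx configuration file.
      The following is the content of the Nginx configuration file nginx.conf for KAE enabled + Nginx synchronous mode. This configuration has Nginx parameter tuning applied.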
      user  root;
      worker_processes auto;
      #4-7
      #worker_cpu_affinity
      #10000
      #100000
      #1000000
      #10000000
      #;
      #daemon off;
      error_log  /dev/null;
      
      worker_rlimit_nofile 102400;
      events {
              use epoll;
              worker_connections 102400;
              accept_mutex off;
              multi_accept on;
      }
      
      
      http {
              include       mime.types;
              default_type  application/octet-stream;
              #log_format  main  '$remote_addr - $remote_user [$time_local] $request_time "$request" '
              #        '$status $body_bytes_sent $request_length $bytes_sent "$http_referer" '
              #        '"$http_user_agent" "$http_x_forwarded_for"';
              #access_log  logs/access.log  main;
              access_log  off;
      
              sendfile      on;
              tcp_nopush    on;
              tcp_nodelay   on;
              server_tokens off;
              sendfile_max_chunk 512k;
              keepalive_timeout  65;
              keepalive_requests 20000;
              client_header_buffer_size 4k;
              large_client_header_buffers 4 32k;
              server_names_hash_bucket_size 128;
              client_max_body_size 100m;
              open_file_cache max=102400 inactive=40s;
              open_file_cache_valid 50s;
              open_file_cache_min_uses 1;
              open_file_cache_errors on;
              #gzip  on;
      
          server {
              listen       10000 reuseport;
              server_name  localhost;
      
              #charset koi8-r;
      
              #access_log  logs/host.access.log  main;
      
              location / {
                  root   html;
                  index  index.html index.htm;
              }
      
              #error_page  404              /404.html;
      
              # redirect server error pages to the static page /50x.html
              #
              error_page   500 502 503 504  /50x.html;
              location = /50x.html {
                  root   html;
              }
      
          }
          # HTTPS server
          #
          server {
              listen       20000 ssl reuseport;
              server_name  localhost;
      
              ssl_certificate  /usr/local/nginx/server_2048.crt;
              ssl_certificate_key  /usr/local/nginx/server_2048.key;
      
              ssl_session_cache    shared:SSL:1m;
              ssl_session_timeout  5m;
              ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
              ssl_ciphers  AES256-GCM-SHA384;
              ssl_prefer_server_ciphers  on;
              ssl_session_tickets  off;
              location / {
                  root   html;
                  index  index.html index.htm;
              }
              access_log  off;
          }
      
      }
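    3. Press “Esc”, type :wq!, and press “Enter” to save and exit.
    4. Run Nginx in synchronous mode with the KAE-enabled, parameter-tuned configuration file.

      To run Nginx in synchronous mode with the KAE-enabled, parameter-tuned configuration file, simply prepend OPENSSL_CONF=/home/openssl.cnf to the Nginx command.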

      /usr/local/nginx/sbin/nginx -s stop || true; sleep 1;
      OPENSSL_CONF=/home/openssl.cnf /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_kae.conf
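  9. Configure KAE + Nginx asynchronous mode.

    Configuring KAE + Nginx asynchronous mode requires additionally downloading Nginx source code adapted for asynchronous mode. This source code supports synchronous or asynchronous mode and can work with KAE or Intel QAT hardware acceleration.

    1. Download the Nginx source code adapted for asynchronous mode, selecting version 0.4.9 on GitHub, then compile and install Nginx.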
      cd /home
      git clone https://github.com/intel/asynch_mode_nginx.git
      cd /home/asynch_mode_nginx/
      yum install gcc gcc-c++ make libtool zlib zlib-devel pcre pcre-devel perl-devel perl-ExtUtils-Embed perl-WWW-Curl wget -y
      ./configure --prefix=/usr/share/nginx --add-dynamic-module=modules/nginx_qat_module --with-cc-opt="-DNGX_SECURE_MEM -Wno-error=deprecated-declarations" --with-http_ssl_module --with-http_v2_module
      make -j60 && make install

      Steps 7 and 8 above both use native Nginx for testing, located in “/usr/local/nginx”. To avoid conflicts, the asynchronous-mode Nginx is installed under “/usr/share/nginx”.

    2. In the “/root” directory, create a file named nginx_kae_async.conf.
      vim nginx_kae_async.conf
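    3. Press “i” to enter edit mode and copy the following content into the nginx_kae_async.conf file.

      The following is the content of the Nginx configuration file nginx.conf for KAE enabled + Nginx asynchronous mode. This configuration has Nginx parameter tuning applied and KAE enabled. The number of Nginx worker processes can be changed as needed; auto generally occupies all cores of the VM. HTTP uses port 10000 and HTTPS uses port 20000.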

      # For more information on configuration, see:
      #   * Official English Documentation: http://nginx.org/en/docs/
      #   * Official Russian Documentation: http://nginx.org/ru/docs/
      
      user root;
      worker_processes auto;
      
      #worker_processes  10;
      #worker_cpu_affinity 
      #10000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #100000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #1000000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #10000000000000000000000000000000000000000000000000000000000000000000000000000000000000
      #;
      
      events  {
          use epoll;
          worker_connections 102400;
          accept_mutex off;
          multi_accept on;
      }
      
      error_log /var/log/nginx/error.log;
      pid /run/nginx.pid;
      
      include /usr/share/nginx/modules/*.conf;
      
      http {
          log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';
      
          # access_log off;
          # access_log  /var/log/nginx/access.log  main;
      
          sendfile            on;
          tcp_nopush          on;
          tcp_nodelay         on;
          keepalive_timeout   65s;
          types_hash_max_size 4096;
      
          include             /usr/local/nginx/conf/mime.types;
          default_type        application/octet-stream;
      
          # Load modular configuration files from the /etc/nginx/conf.d directory.
          # See http://nginx.org/en/docs/ngx_core_module.html#include
          # for more information.
          include /etc/nginx/conf.d/*.conf;
              access_log  off;
              server_tokens off;
              sendfile_max_chunk 512k;
              keepalive_requests 20000;
              client_header_buffer_size 4k;
              large_client_header_buffers 4 32k;
              server_names_hash_bucket_size 128;
              client_max_body_size 100m;
              open_file_cache max=102400 inactive=40s;
              open_file_cache_valid 50s;
              open_file_cache_min_uses 1;
              open_file_cache_errors on;
      
          server {
              listen       10000;
              listen       [::]:10000;
              location / {
                  root html;
                  index index.html index.htm;
              }
              error_page 500 502 503 504  /50x.html;
              location = /50x.html {
                  root html;
              }
          }
      
      # Settings for a TLS enabled server.
      #
         server {
             listen 20000 ssl http2 asynch;
             listen [::]:20000 ssl http2 asynch;
             server_name localhost;
             ssl_asynch on;
             ssl_certificate /usr/local/nginx/server_2048.crt;
             ssl_certificate_key /usr/local/nginx/server_2048.key;
             ssl_session_cache shared:SSL:1m;
             ssl_session_timeout 5m;
             ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
             ssl_ciphers  "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256    EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
      
             ssl_prefer_server_ciphers  on;
      
             location / {
                  root html;
                  index index.html index.htm;
            }
      
         }
          gzip on;
          gzip_buffers 4 16k;
          gzip_comp_level 9;
          gzip_disable "MSIE [1-6]\.";
          gzip_http_version 1.1;
          gzip_min_length 500k;
          gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml;
          gzip_vary on;
          proxy_buffer_size 1024k;
          proxy_buffers 16 1024k;
          proxy_busy_buffers_size 2048k;
          proxy_temp_file_write_size 2048k;
       }
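    4. Press “Esc”, type :wq!, and press “Enter” to save and exit.
    5. Reuse the OpenSSL certificate path from the native Nginx installation (the path is “/usr/local/nginx/conf/mime.types”).

      Copy the mime.types, server_2048.crt, and server_2048.key files to a new path.

      To create the OpenSSL certificate yourself, run the following commands in the new path: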

      openssl genrsa -des3 -out server_2048.key 2048
      openssl rsa -in server_2048.key -out server_2048.key
      openssl req -new -key server_2048.key -out server_2048.csr
      openssl rsa -in server_2048.key -out server_2048.key
      openssl x509 -req -days 365 -in server_2048.csr -signkey server_2048.key -out server_2048.crt
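    6. Run Nginx in asynchronous mode with the KAE-enabled, parameter-tuned configuration file.

      To run Nginx in asynchronous mode with the KAE-enabled, parameter-tuned configuration file, likewise simply prepend OPENSSL_CONF=/home/openssl.cnf to the Nginx command.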

      /usr/share/nginx/sbin/nginx -s stop || true; sleep 1;
      OPENSSL_CONF=/home/openssl.cnf /usr/share/nginx/sbin/nginx -c /root/nginx_kae_async.conf
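
The configurations in steps 7 to 9 are written for performance testing in a VM: workers run as root, TLSv1 and TLSv1.1 are enabled, and logging is discarded or switched off. The following check is an added example, not part of the original page; the function names audit_nginx_conf, sample_conf and hardened_conf and both sample configurations are constructed for illustration. It flags those settings before a configuration is reused elsewhere.

```shell
# Added example (not from the original page); names and samples are constructed.
# Reads an nginx config on stdin and prints "<line>: <finding>" per issue.
# Simplification: everything after '#' is treated as a comment.
audit_nginx_conf() {
    awk '
    { sub(/[ \t]*#.*/, "") }
    $1 == "user" && $2 ~ /^root;?$/ { print NR ": worker processes run as root" }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "TLSv1" || p == "TLSv1.1") print NR ": legacy protocol " p " enabled"
        }
    }
    $1 == "error_log" && $2 ~ /^\/dev\/null;?$/ { print NR ": error_log discarded to /dev/null" }
    $1 == "access_log" && $2 ~ /^off;?$/ { print NR ": access_log disabled" }
    '
}

# Constructed sample: the settings of interest from nginx_kae.conf above.
sample_conf() {
    cat <<'EOF'
user  root;
#user  nginx;
error_log  /dev/null;
http {
    access_log  off;
    server {
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    }
}
EOF
}

# Constructed corrected counterpart (assumed values).
hardened_conf() {
    cat <<'EOF'
user  nginx;
error_log  logs/error.log;
http {
    access_log  logs/access.log;
    server {
        ssl_protocols  TLSv1.2 TLSv1.3;
    }
}
EOF
}

sample_conf | audit_nginx_conf      # five findings
hardened_conf | audit_nginx_conf    # no findings
```

To check a real file, feed it on stdin, for example `audit_nginx_conf < /usr/local/nginx/conf/nginx_kae.conf`.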