In this article I would like to touch on the topic of migrating an NGINX configuration to Envoy, because my Kubernetes cluster, which is currently a dev environment, uses the NGINX Ingress Controller, and I wanted to switch to Envoy if Envoy had advantages over NGINX and was easy to migrate to.
In Katacoda there is a simple scenario for this:
This scenario is intended to support the migration from NGINX to Envoy. This will help you apply your previous experience and understanding of NGINX to Envoy.
We learn:
- Configure Envoy server configuration and settings
- Configure Envoy to proxy traffic to external services
- Set AccessLog and ErrorLog

At the end of the scenario, you'll learn about the core features of Envoy and how to migrate your existing NGINX scripts to the platform.
NGINX configuration usually has three main components:
- NGINX server, logging structure and Gzip feature configuration. These are defined globally across all instances.
- Configuring NGINX to accept requests from the one.example.com host on port 8080.
- Configuring the target location for how to handle traffic to different parts of the URL.

Not all of these configurations apply to Envoy Proxy, and you do not need to configure every aspect. Envoy Proxy has four main components that support the core infrastructure provided by NGINX.
- Listeners: Define how Envoy Proxy accepts incoming requests. Currently, Envoy Proxy only supports TCP-based listeners. Once the connection is established, it is passed through a set of filters for processing.
- Filters: Part of a pipeline architecture that can handle inbound and outbound data. This enables filters such as Gzip that compress the data before sending it to the client.
- Routers: Forward traffic to the required destinations, defined as a cluster.
- Clusters: Define the target endpoints and configuration settings for traffic.
Use these four components to create an Envoy proxy configuration that matches the defined NGINX configuration.
The following settings focus on defining the number of worker processes and connections. This shows how NGINX scales to handle demand.
```nginx
worker_processes 2;

events {
    worker_connections 2000;
}
```

Envoy spawns worker threads for every hardware thread in the system. Each worker thread runs a non-blocking event loop that is responsible for:
- Listening on all listeners
- Accepting new connections
- Instantiating the filter stack for the connection
- Processing all I/O for the life of the connection

All subsequent connection processing, including forwarding operations, is handled completely within the worker thread.
All Envoy connection pools are per worker thread. The HTTP/2 connection pool creates only one connection to each upstream host at a time, but if you have four workers, there are four HTTP/2 connections per upstream host in steady state. By keeping everything in a single worker thread, you can write almost any code as if it were a single thread, with no locks. Unnecessarily large numbers of workers waste memory, increase idle connections, and reduce connection pool hit rates.
The next block of NGINX settings defines HTTP settings such as:
- Supported MIME types
- Default timeout
- Gzip settings

These are set within the Filters component of Envoy Proxy, which we will discuss later.
Within the http block of the NGINX configuration below, it listens on port 8080 and responds to requests to the domains one.example.com and www.sample.mars.com.

```nginx
server {
    listen 8080;
    server_name one.example.com www.one.example.com;
```

Envoy sets these with the listeners component.
The most important setting when starting Envoy is to define a listener. You need to create a configuration file that describes how to run your Envoy instance.
The following snippet creates a new listener and binds it to port 8080.
```yaml
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address: { address: 0.0.0.0, port_value: 8080 }
```

The NGINX server_name is handled by the Envoy filters component, so it does not need to be defined here.
NGINX location blocks define how traffic is handled and where it is forwarded. With the settings below, all traffic (/) to your site will be proxied to http://targetCluster/.

```nginx
location / {
    proxy_pass http://targetCluster/;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
```

In Envoy, this is set in the filters component.

For static settings, filters define how to handle the request. In this case, we set the filter to match the server_names from the previous step, defined here as domains. When a request matching one of the routes is received, the traffic is forwarded to the cluster.
```yaml
filter_chains:
  - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
              - name: backend
                domains:
                  - "sample.mars.com"
                  - "www.sample.mars.com"
                routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: targetCluster
          http_filters:
            - name: envoy.router
```

As the name implies, this is a filter that handles HTTP. Other filters exist for Redis, Mongo and TCP. For more information on other load balancing policies, see the Envoy documentation.
Upstream configuration in NGINX defines a set of target servers to handle traffic. In the following example, two upstream hosts are assigned:

```nginx
upstream targetCluster {
    server 172.22.0.5:80;
    server 172.22.0.6:80;
}
```

In Envoy, this is set by the clusters component.

The upstream equivalent is defined as clusters. In the following example, the hosts that handle the traffic are defined. How to access the hosts, such as timeouts, is part of the cluster configuration. This gives you more control over aspects such as timeouts and load balancing.

```yaml
clusters:
  - name: targetCluster
    connect_timeout: 0.25s
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    hosts: [
      { socket_address: { address: 172.22.0.5, port_value: 80 }},
      { socket_address: { address: 172.22.0.6, port_value: 80 }}
    ]
```

When using STRICT_DNS service discovery, Envoy resolves the specified DNS target continuously and asynchronously. Each IP address returned in the DNS results is considered an explicit host in the upstream cluster. So if the query returns two IP addresses, Envoy assumes that there are two hosts in the cluster and balances the load across both. When a host is removed from the results, Envoy considers the host non-existent and drains traffic from the existing connection pool.
Error log: Instead of piping the error logs to disk, Envoy follows the cloud-native approach: all application logs are written to stdout and stderr.

Access log: Access logging is optional and disabled by default. To enable it, set an access_log clause within envoy.http_connection_manager. The output path can be a device such as stdout or a file on disk, depending on your requirements. In the following example, all access logs are output to stdout. The default log format is as follows.
```yaml
- name: envoy.http_connection_manager
  config:
    codec_type: auto
    stat_prefix: ingress_http
    access_log:
      - name: envoy.file_access_log
        config:
          path: "/dev/stdout"
    route_config:
```

Example log format:

```text
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
```

Example output:

```text
[2020-09-10T20:37:02.221Z] "GET / HTTP/1.1" 200 - 0 58 4 1 "-" "curl/7.47.0" "f21ebd42-6770-4aa5-88d4-e56118165a7d" "one.example.com" "172.22.0.5:80"
```

You can change the output by customizing the fields.
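The default format above is what you will be reading when you debug a 503 like the one later in this article, so it is worth having a parser for it. The following is an added example, not code from the original article: it parses lines in Envoy's default text format (and, for completeness, lines produced by the json_format option), flags requests whose response flags show that no upstream answered, and counts attempts per upstream host. The log lines in SAMPLE_LOG are constructed for this example; the first one is the article's own example output.

```python
"""Added example (not from the original article): parse Envoy's default
access-log format and flag requests that never reached an upstream."""
import json
import re
from collections import Counter

# One named group per field of the default format, in the same order.
DEFAULT_FORMAT_RE = re.compile(
    r'^\[(?P<start_time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<response_code>\d+) (?P<response_flags>\S+) '
    r'(?P<bytes_received>\d+) (?P<bytes_sent>\d+) (?P<duration>\d+) '
    r'(?P<upstream_service_time>\S+) '
    r'"(?P<x_forwarded_for>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<request_id>[^"]*)" "(?P<authority>[^"]*)" "(?P<upstream_host>[^"]*)"$'
)

# Documented Envoy response flags meaning no upstream produced a response:
# UH = no healthy upstream, UF = upstream connection failure,
# UO = upstream overflow (circuit breaking), NR = no route configured.
UPSTREAM_FAILURE_FLAGS = {"UH", "UF", "UO", "NR"}

# Constructed sample log: the article's example line, a 503 from a failed
# upstream connection, a request with no matching route, and one json_format line.
SAMPLE_LOG = """\
[2020-09-10T20:37:02.221Z] "GET / HTTP/1.1" 200 - 0 58 4 1 "-" "curl/7.47.0" "f21ebd42-6770-4aa5-88d4-e56118165a7d" "one.example.com" "172.22.0.5:80"
[2020-09-10T20:37:03.104Z] "GET / HTTP/1.1" 503 UF 0 91 0 - "-" "curl/7.47.0" "0d9e1b50-1111-4c3e-9d3a-constructed01" "sample.mars.com" "172.22.0.6:80"
[2020-09-10T20:37:04.551Z] "POST /login HTTP/1.1" 404 NR 0 0 0 - "-" "curl/7.47.0" "0d9e1b50-2222-4c3e-9d3a-constructed02" "unknown.example" "-"
{"protocol": "HTTP/1.1", "duration": "3", "request_method": "GET"}
"""


def parse_line(line):
    """Parse one access-log line in the default text format or in json_format
    output. Returns a dict, or None for lines that match neither."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        return json.loads(line)
    m = DEFAULT_FORMAT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("response_code", "bytes_received", "bytes_sent", "duration"):
        rec[key] = int(rec[key])
    return rec


def upstream_failures(log_text):
    """Return (request_id, authority, response_flags) for every request whose
    response flags show that Envoy could not get an answer from an upstream."""
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or "response_flags" not in rec:
            continue
        # Multiple flags are comma-separated in the log, e.g. "UF,URX".
        flags = set(rec["response_flags"].split(","))
        if flags & UPSTREAM_FAILURE_FLAGS:
            hits.append((rec["request_id"], rec["authority"], rec["response_flags"]))
    return hits


def attempts_per_upstream(log_text):
    """Count requests per selected upstream host ("-" means none was selected)."""
    counts = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec.get("upstream_host", "-") != "-":
            counts[rec["upstream_host"]] += 1
    return counts


if __name__ == "__main__":
    for request_id, authority, flags in upstream_failures(SAMPLE_LOG):
        print(f"upstream failure {flags}: request {request_id} for {authority}")
    print(dict(attempts_per_upstream(SAMPLE_LOG)))
```

Because the parser keys on %RESPONSE_FLAGS% rather than on the status code alone, it separates "the backend answered 503" from "Envoy had nothing to send the request to", which is exactly the distinction needed when the curl later in this article returns a 503.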
```yaml
access_log:
  - name: envoy.file_access_log
    config:
      path: "/dev/stdout"
      format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n"
```

You can also use the json_format field to output the log as JSON.

```yaml
access_log:
  - name: envoy.file_access_log
    config:
      path: "/dev/stdout"
      json_format: {"protocol": "%PROTOCOL%", "duration": "%DURATION%", "request_method": "%REQ(:METHOD)%"}
```

If you put together the Envoy settings so far, the result is as follows.
```yaml
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address: { address: 0.0.0.0, port_value: 8080 }
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              config:
                codec_type: auto
                stat_prefix: ingress_http
                access_log:
                  - name: envoy.file_access_log
                    config:
                      path: "/dev/stdout"
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains:
                        - "sample.mars.com"
                        - "www.sample.mars.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: targetCluster
                http_filters:
                  - name: envoy.router
  clusters:
    - name: targetCluster
      connect_timeout: 0.25s
      type: STRICT_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      hosts: [
        { socket_address: { address: 172.22.0.5, port_value: 80 }},
        { socket_address: { address: 172.22.0.6, port_value: 80 }}
      ]
```

Start Envoy based on this setting.
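Before starting a proxy with a hand-written configuration like the one above, it pays to check it for the mistakes that are easy to make during a migration: a route pointing at a cluster that does not exist, a cluster without connect_timeout or hosts, access logging left off, or envoy.router not being the last HTTP filter (Envoy requires the router to be the terminal filter). The following is an added example, not code from the article or from the Envoy project: it loads the article's configuration, rewritten here in JSON flow style (YAML is a superset of JSON, so the content is identical and the standard library can load it without PyYAML), and runs those checks. The catch-all domain check is a policy choice for this example, not an Envoy requirement.

```python
"""Added example (not from the original article): lint a static Envoy
configuration for common migration mistakes before starting the proxy."""
import json

# The article's envoy.yaml with the same content, written in JSON flow style.
ENVOY_CONFIG_JSON = """
{
  "static_resources": {
    "listeners": [
      {
        "name": "listener_0",
        "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
        "filter_chains": [
          {
            "filters": [
              {
                "name": "envoy.http_connection_manager",
                "config": {
                  "codec_type": "auto",
                  "stat_prefix": "ingress_http",
                  "access_log": [
                    {"name": "envoy.file_access_log", "config": {"path": "/dev/stdout"}}
                  ],
                  "route_config": {
                    "name": "local_route",
                    "virtual_hosts": [
                      {
                        "name": "backend",
                        "domains": ["sample.mars.com", "www.sample.mars.com"],
                        "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "targetCluster"}}]
                      }
                    ]
                  },
                  "http_filters": [{"name": "envoy.router"}]
                }
              }
            ]
          }
        ]
      }
    ],
    "clusters": [
      {
        "name": "targetCluster",
        "connect_timeout": "0.25s",
        "type": "STRICT_DNS",
        "dns_lookup_family": "V4_ONLY",
        "lb_policy": "ROUND_ROBIN",
        "hosts": [
          {"socket_address": {"address": "172.22.0.5", "port_value": 80}},
          {"socket_address": {"address": "172.22.0.6", "port_value": 80}}
        ]
      }
    ]
  }
}
"""


def load_config(text):
    """Load a configuration document given as JSON (valid YAML flow style)."""
    return json.loads(text)


def lint_envoy_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    res = config.get("static_resources", {})
    clusters = res.get("clusters", [])
    cluster_names = {c.get("name") for c in clusters}
    for cluster in clusters:
        cname = cluster.get("name")
        if "connect_timeout" not in cluster:
            findings.append(f"cluster {cname}: no connect_timeout")
        if not cluster.get("hosts"):
            findings.append(f"cluster {cname}: no hosts defined")
    for listener in res.get("listeners", []):
        lname = listener.get("name")
        for chain in listener.get("filter_chains", []):
            for filt in chain.get("filters", []):
                if filt.get("name") != "envoy.http_connection_manager":
                    continue
                hcm = filt.get("config", {})
                if not hcm.get("access_log"):
                    findings.append(f"listener {lname}: access logging is disabled")
                http_filters = [f.get("name") for f in hcm.get("http_filters", [])]
                if not http_filters or http_filters[-1] != "envoy.router":
                    findings.append(f"listener {lname}: envoy.router must be the last http_filter")
                for vhost in hcm.get("route_config", {}).get("virtual_hosts", []):
                    vname = vhost.get("name")
                    if "*" in vhost.get("domains", []):
                        findings.append(f"virtual host {vname}: matches any Host header")
                    for route in vhost.get("routes", []):
                        target = route.get("route", {}).get("cluster")
                        if target not in cluster_names:
                            findings.append(f"virtual host {vname}: route to unknown cluster {target}")
    return findings


if __name__ == "__main__":
    for finding in lint_envoy_config(load_config(ENVOY_CONFIG_JSON)) or ["no findings"]:
        print(finding)
```

Run against the article's configuration the linter reports nothing; delete connect_timeout from the cluster or misspell the route's cluster name and it reports each problem with the listener or virtual host it belongs to.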
The line user www www; at the top of the NGINX configuration file indicates that NGINX should run as a low-privileged user for added security.
Envoy uses a cloud-native approach to manage process owners. You can specify a low privileged user when launching Envoy through the container.
The following command launches Envoy in a Docker container on the host. It exposes Envoy on port 80, while Envoy itself listens on port 8080 as specified by the listener. Also, through the --user option, the process runs as a low-privileged user.

```shell
$ docker run --name envoyproxy -p 80:8080 --user 1000:1000 -v /root/envoy.yaml:/etc/envoy/envoy.yaml envoyproxy/envoy
```

The following curl command makes a request using the Host header defined in envoy.yaml.
```shell
$ curl -H "Host: sample.mars.com" localhost -i
HTTP/1.1 503 Service Unavailable
content-length: 57
content-type: text/plain
date: Thu, 10 Sep 2020 18:38:44 GMT
server: envoy

upstream connect error or disconnect/reset before headers
$
```

The result of this request is a 503 error. This is simply because the upstream is not running and cannot be used: from Envoy's perspective there are no target destinations available for the request. Let's launch a set of HTTP services that match the defined configuration.
```shell
$ docker run -d katacoda/docker-http-server
$ docker run -d katacoda/docker-http-server
```

Envoy can now successfully proxy traffic to the target destination using the available services.
```shell
$ curl -H "Host: sample.mars.com" localhost -i
HTTP/1.1 200 OK
date: Thu, 10 Sep 2020 18:43:14 GMT
content-length: 58
content-type: text/html; charset=utf-8
x-envoy-upstream-service-time: 0
server: envoy

<h1>This request was processed by host: 792123c0e13f</h1>
$
```

You will see a response indicating which Docker container processed the request.
An additional HTTP header appears in the response headers of a successful request. It shows the time spent by the upstream host processing the request, in milliseconds.

```text
x-envoy-upstream-service-time: 0
server: envoy
```

Translated from: https://medium.com/@iced_burn/migrating-from-nginx-to-envoy-proxy-41ef0e1272bb