12.7 Nginx default virtual host
12.8 Nginx user authentication
12.9 Nginx domain redirect
12.10 Nginx access log
12.11 Nginx log rotation
12.12 Static files: no logging and expiry time
12.13 Nginx anti-hotlinking
12.14 Nginx access control
12.15 Nginx PHP parsing configuration
12.16 Nginx proxy
12.17 Extensions
12.18 Class notes
12.7 Nginx default virtual host
Defining a custom default virtual host
1. Edit the nginx config file
• vim /usr/local/nginx/conf/nginx.conf
Make the following changes:
(1) Delete the server section inside the http block
(2) Add one line at the end of the http block:
include vhost/*.conf;
2. Create the vhost directory
• mkdir /usr/local/nginx/conf/vhost
3. Edit the custom virtual host file
cd /usr/local/nginx/conf/vhost
• vim aaa.conf
# add the following content
server
{
listen 80 default_server; # the server block carrying this flag is the default virtual host
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/aaa;
}
4. Create the site directory
• mkdir -p /data/wwwroot/aaa/
5. Test that the default virtual host works
(1) Write some content to /data/wwwroot/aaa/index.html
• echo "This is a default site." > /data/wwwroot/aaa/index.html
(2) Check the config syntax and reload
• /usr/local/nginx/sbin/nginx -t
• /usr/local/nginx/sbin/nginx -s reload
(3) Test
• curl localhost
• curl -x127.0.0.1:80 123.com
[root@xinlinux-03 aaa]# curl localhost
“This is a default site.”
[root@xinlinux-03 aaa]# curl -x127.0.0.1:80 123.com
“This is a default site.”
[root@xinlinux-03 aaa]# curl -x127.0.0.1:80 hdiag.com
“This is a default site.”
Two ways a virtual host becomes the default
(1) The first .conf file in the vhost directory is the default virtual host
(2) Adding "default_server" to the listen directive when defining a virtual host makes it the default
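The two rules above can be checked before a reload instead of discovering them with curl. The script below is an added example, not part of the course notes: it reports which file under a vhost directory nginx will use as the default server, preferring an explicit default_server flag and otherwise falling back to the first *.conf in include order (nginx includes glob matches in sorted order). The demo directory and its three config files are constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the course notes: report which file under the
# vhost directory nginx will use as the default server for port 80, applying
# the two rules above (an explicit default_server flag wins; otherwise the
# first *.conf in include order, which nginx sorts alphabetically).
# The demo directory and its three files are constructed here.

find_default_vhost() {
    vhost_dir=$1
    # rule 2: a listen line carrying default_server
    for f in "$vhost_dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*listen[^;#]*default_server' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    # rule 1: no explicit flag, so the first .conf in sorted order is the default
    for f in "$vhost_dir"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s\n' "$f"
        return 0
    done
    return 1
}

# constructed demo vhost directory
demo=$(mktemp -d)
printf 'server { listen 80; server_name bbb.com; root /data/wwwroot/bbb; }\n' > "$demo/bbb.conf"
printf 'server { listen 80; server_name aaa.com; root /data/wwwroot/aaa; }\n' > "$demo/aaa.conf"
printf 'server {\n    listen 80 default_server;\n    server_name test.com;\n}\n' > "$demo/test.com.conf"

explicit_default=$(basename "$(find_default_vhost "$demo")")   # test.com.conf
rm -f "$demo/test.com.conf"
implicit_default=$(basename "$(find_default_vhost "$demo")")   # aaa.conf
rm -rf "$demo"
echo "with default_server flag: $explicit_default; without: $implicit_default"
```

Run it against the real directory with find_default_vhost /usr/local/nginx/conf/vhost; if the answer is not the host you intended, requests for unknown Host headers (like 123.com above) are being served by the wrong site.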
12.8 Nginx user authentication
1. Create a virtual host config file
• vim /usr/local/nginx/conf/vhost/test.com.conf
# write the following content
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
2. Generate the password file
• yum install -y httpd
# not needed if Apache is already installed
• /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd xin
# htpasswd -c creates the password file /usr/local/nginx/conf/htpasswd and adds the user xin (-c overwrites an existing file, so omit it when adding further users)
[root@xinlinux-03 aaa]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd xin
New password:
Re-type new password:
Adding password for user xin
3. Test the config and reload
• /usr/local/nginx/sbin/nginx -t
• /usr/local/nginx/sbin/nginx -s reload
4. Create the site directory test.com
• mkdir /data/wwwroot/test.com
5. Test
• echo "test.com" > /data/wwwroot/test.com/index.html
• curl -x127.0.0.1:80 test.com -I # status 401 means authentication is required
[root@xinlinux-03 aaa]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:12:27 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
• curl -uxin:1234 -x127.0.0.1:80 test.com
# with credentials the status becomes 200
[root@xinlinux-03 aaa]# curl -uxin:1234 -x127.0.0.1:80 test.com
“test.com”
• Edit the Windows hosts file, then open test.com in a browser: a username/password prompt appears
• Authentication for a directory only (change the path after location)
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/admin/2.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:23:46 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@xinlinux-03 test.com]# curl -uxin:1234 -x127.0.0.1:80 test.com/admin/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:23:10 GMT
Content-Type: application/octet-stream
Content-Length: 4
Last-Modified: Wed, 19 Sep 2018 09:17:52 GMT
Connection: keep-alive
ETag: "5ba21440-4"
Accept-Ranges: bytes
Authentication for a specific URL
location ~ admin.php
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
12.9 Nginx domain redirect
Edit test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# the if block makes test.com the primary domain: requests for any other matched domain are redirected to it
}
# server_name accepts multiple domain names; compare this with how httpd does it
# permanent is a permanent redirect (status 301); redirect gives a temporary one (status 302)
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test1.com/admin/2.php -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:27:40 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/admin/2.php
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test4.com/admin/2.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:27:47 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
12.10 Nginx access log
The log format is also configured in the main config file
• vim /usr/local/nginx/conf/nginx.conf
# search for log_format
Variables used in the log format:
Variable | Meaning
$remote_addr | client IP (public IP)
$http_x_forwarded_for | proxy server IP(s)
$time_local | server local time
$host | requested host name (domain)
$request_uri | requested URL
$status | status code
$http_referer | referer
$http_user_agent | user agent
# Besides defining the log format in the main config file nginx.conf, you also need to add this to the virtual host config file:
access_log /tmp/test.com.log combined_realip;
# combined_realip is the name of the log format defined in nginx.conf
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com -I
cat /tmp/test.com.log
[root@xinlinux-03 test.com]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:17:34:16 +0800] test.com "/" 200 "-" "curl/7.29.0"
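Once the access log is in place it is the first thing to read when the Basic-auth location from 12.8 starts answering 401 repeatedly to one address. The script below is an added example, not part of the course notes: it counts 401/403 responses per client IP over a combined_realip log. The field order is assumed from the sample line above ($remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"), and the log lines it processes are constructed.

```shell
#!/bin/sh
# Added example, not part of the course notes: count denied (401/403)
# responses per client IP in the combined_realip log shown above, so a client
# repeatedly failing Basic auth on /admin/ stands out. The format is assumed
# from the sample line to be:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
# Splitting on the double quotes keeps the status column stable even when
# X-Forwarded-For holds a comma-separated list with spaces.

# usage: denied_by_ip LOGFILE MIN_COUNT  -> lines of "count ip", highest first
denied_by_ip() {
    awk -F'"' -v min="$2" '
        {
            split($1, head, " ")                 # head[1] is $remote_addr
            status = $3; gsub(/ /, "", status)   # field between "uri" and "referer"
            if (status == "401" || status == "403") denied[head[1]]++
        }
        END { for (ip in denied) if (denied[ip] >= min) print denied[ip], ip }
    ' "$1" | sort -rn
}

# constructed sample log, not real traffic
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 - [19/Sep/2018:17:34:16 +0800] test.com "/" 200 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:01 +0800] test.com "/admin/2.php" 401 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:02 +0800] test.com "/admin/2.php" 401 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:03 +0800] test.com "/admin/2.php" 401 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:04 +0800] test.com "/admin/2.php" 403 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:05 +0800] test.com "/admin/2.php" 401 "-" "curl/7.29.0"
10.0.0.9 203.0.113.7, 198.51.100.2 [19/Sep/2018:17:36:00 +0800] test.com "/admin/2.php" 401 "-" "Mozilla/5.0"
10.0.0.9 - [19/Sep/2018:17:36:30 +0800] test.com "/admin/2.php" 200 "-" "Mozilla/5.0"
EOF

offenders=$(denied_by_ip "$sample" 3)
rm -f "$sample"
printf '%s\n' "$offenders"    # prints: 5 10.0.0.5
```

Point it at /tmp/test.com.log with denied_by_ip /tmp/test.com.log 10 from cron and the output is a ready-made candidate list for the allow/deny rules in 12.14.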
12.11 Nginx log rotation
1. Write a shell script
• vim /usr/local/sbin/nginx_logrotate.sh
# write the following content
#!/bin/bash
# rotate nginx logs; logdir below is the directory nginx writes its logs to
d=$(date -d "-1 day" +%Y%m%d)
# date suffix: the log being rotated belongs to yesterday
logdir="/usr/local/nginx/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd "$logdir" || exit 1
for log in *.log
do
[ -f "$log" ] || continue
mv "$log" "$log-$d"
# rename the log file, appending the date as a suffix
done
# HUP makes the nginx master reload its config and reopen the log files, creating fresh ones (USR1 would reopen the logs only)
[ -f "$nginx_pid" ] && /bin/kill -HUP "$(cat "$nginx_pid")"
2. Add a cron job
crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
12.12 Static files: no logging and expiry time
• Configuration:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
# set the expiry time
access_log off;
# static files are not logged
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test
cd /data/wwwroot/test.com
vim 1.gif
vim 2.js
curl -x127.0.0.1:80 test.com/1.gif
curl -x127.0.0.1:80 test.com/2.js
curl -x127.0.0.1:80 test.com/1.gifhaksdl
# the third URL matches neither location, so it is the only request that shows up in the log
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.gif
gahi
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/2.js
123giouh
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.gifhaksdl
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@xinlinux-03 test.com]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:18:22:42 +0800] test.com "/1.gifhaksdl" 404 "-" "curl/7.29.0"
12.13 Nginx anti-hotlinking
• Configuration (can be merged with the static-file configuration above):
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
# whitelist *.test.com sites as valid referers
if ($invalid_referer) {
return 403;
}
access_log off;
}
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test
curl -e "http://www.baidu.com" -x127.0.0.1:80 -I test.com/1.gif
[root@xinlinux-03 test.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:26:48 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
curl -e "http://www.test.com" -x127.0.0.1:80 -I test.com/1.gif
[root@xinlinux-03 test.com]# curl -e "http://www.test.com" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:26:55 GMT
Content-Type: image/gif
Content-Length: 5
Last-Modified: Wed, 19 Sep 2018 09:42:00 GMT
Connection: keep-alive
ETag: "5ba219e8-5"
Expires: Wed, 26 Sep 2018 10:26:55 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
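The two curl tests above cover one rejected and one accepted referer; the valid_referers list has more cases than that (no header at all, a header with the scheme stripped, the exact server names, the wildcard). The script below is an added example, not part of the course notes: a shell model of how nginx evaluates "valid_referers none blocked server_names *.test.com", so each kind of Referer value can be predicted before the config is changed. SERVER_NAMES mirrors the server_name line of test.com.conf; the Referer values fed in are constructed.

```shell
#!/bin/sh
# Added example, not part of the course notes: a shell model of how nginx
# evaluates "valid_referers none blocked server_names *.test.com" so you can
# predict which Referer values get a 403 before changing the config.
# SERVER_NAMES mirrors the test.com.conf server_name line above; the rest is
# an assumption about the request, not taken from the notes.
SERVER_NAMES="test.com test1.com test2.com"

# usage: referer_allowed REFERER_HEADER_VALUE  (empty string = no header)
referer_allowed() {
    ref=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$ref" in
        "") return 0 ;;                 # none: request has no Referer header
        http://*|https://*) ;;          # normal referer, check the host below
        *) return 0 ;;                  # blocked: referer present but scheme stripped
    esac
    host=${ref#*://}
    host=${host%%[/:]*}                 # keep only the host part, drop path and port
    for name in $SERVER_NAMES; do       # server_names
        [ "$host" = "$name" ] && return 0
    done
    case "$host" in
        *.test.com) return 0 ;;         # the *.test.com wildcard
    esac
    return 1                            # $invalid_referer is set -> return 403
}

# usage: referer_status REFERER -> the status the location above would answer
referer_status() {
    if referer_allowed "$1"; then echo 200; else echo 403; fi
}

referer_status ""                               # 200 (none)
referer_status "http://www.baidu.com"           # 403
referer_status "http://www.test.com/page"       # 200 (wildcard)
referer_status "https://TEST.com:8080/x"        # 200 (server_names, case-insensitive)
referer_status "http://test.com.evil.example/"  # 403 (suffix must be .test.com)
referer_status "www.test.com"                   # 200 (blocked: no scheme)
```

The "blocked" and "none" entries are what keep the rule from breaking legitimate visitors behind privacy proxies or typing the URL directly; they also mean the Referer check is a bandwidth control, not an access control, since a client can simply omit the header.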
12.14 Nginx access control
• Requirement: only a few IPs may access the /admin/ directory
1. Edit the config file /usr/local/nginx/conf/nginx.conf (the location block goes inside the test.com server block)
Configuration:
location /admin/
{
allow 192.168.233.150;
allow 127.0.0.1;
deny all;
# there is no order directive: rules are evaluated in the order written and the first match wins
}
2. Test
(1) Create the admin directory and write content to admin/1.html
• mkdir /data/wwwroot/test.com/admin/
• echo "test,test" > /data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
• curl -x127.0.0.1:80 test.com/admin/1.html -I
• curl -x192.168.233.150:80 test.com/admin/1.html -I
• Regular expressions can be matched too (this block denies every .php under the /upload/ and /image/ directories)
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/upload/2.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:41:36 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/admin.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:42:00 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Wed, 19 Sep 2018 09:17:19 GMT
Connection: keep-alive
ETag: "5ba2141f-0"
Accept-Ranges: bytes
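Because there is no order directive, the result of an allow/deny list depends entirely on the order the lines are written in. The script below is an added example, not part of the course notes: it evaluates a client address against a rule list the way ngx_http_access_module does (first matching rule decides; no match means allowed), including CIDR blocks, so a rule set can be checked before it goes into the config. The IPs and rule sets are constructed; the first one is the /admin/ list from above.

```shell
#!/bin/sh
# Added example, not part of the course notes: evaluate an allow/deny list the
# way ngx_http_access_module does, to check a rule set before deploying it.
# nginx walks the rules in the order written and the first one matching the
# client address decides; a client matching no rule is allowed. The IPs and
# rule sets below are constructed for the demo.

# usage: ip2int A.B.C.D -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# usage: in_cidr IP TARGET  where TARGET is "all", an IP, or a CIDR block
in_cidr() {
    case "$2" in
        all) return 0 ;;
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# usage: access_decision IP "rules"  (one "allow X" or "deny X" per line)
# prints the status the location would answer: 200 or 403
access_decision() {
    result=$(printf '%s\n' "$2" | while read -r action target; do
        [ -z "$action" ] && continue
        if in_cidr "$1" "$target"; then
            if [ "$action" = allow ]; then echo 200; else echo 403; fi
            break                       # first matching rule wins
        fi
    done)
    echo "${result:-200}"               # no rule matched: nginx allows
}

# the /admin/ rule set from the notes
admin_rules="allow 192.168.233.150
allow 127.0.0.1
deny all"

# same rules, but with deny first: the allow lines never get a chance
reversed_rules="deny all
allow 127.0.0.1"

# a CIDR variant that admits a whole subnet
subnet_rules="allow 192.168.233.0/24
deny all"

access_decision 127.0.0.1 "$admin_rules"          # 200
access_decision 192.168.233.151 "$admin_rules"    # 403
access_decision 127.0.0.1 "$reversed_rules"       # 403
access_decision 192.168.233.7 "$subnet_rules"     # 200
```

The last case in the test list (a rule set with no deny at all) is the one that surprises people: a location that only lists allow lines still lets every other address through, so a list meant to restrict access must end in deny all.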
• Restrict by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
# ~* instead of ~ makes the match case-insensitive
# deny all and return 403 have the same effect
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -A "Tomatoafghra" -x127.0.0.1:80 test.com -I
[root@xinlinux-03 test.com]# curl -A "Tomatoafghra" -x127.0.0.1:80 test.com
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
12.15 Nginx PHP parsing configuration
Configure the virtual host config file
• Configuration:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
# fastcgi_pass specifies the address or socket php-fpm listens on; whatever php-fpm defines is what the nginx config must use. A wrong path produces a 502 status
# writing fastcgi_pass 127.0.0.1:9000 instead makes nginx talk to a TCP port
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
vim /data/wwwroot/test.com/1.php
<?php
echo "123456";
?>
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php
<?php
echo "123456";
?>
[root@xinlinux-03 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xinlinux-03 test.com]# /usr/local/nginx/sbin/nginx -s reload
[root@xinlinux-03 test.com]# !curl
curl -x127.0.0.1:80 test.com/1.php
123456[root@xinlinux-03 test.com]#
Experiment: misspell the sock path in the virtual host config by leaving out "fc" (php-gi.sock instead of php-fcgi.sock)
(1) Run -t and reload
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
(2) curl -x127.0.0.1:80 test.com/1.php -I
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:55:10 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive
(3) Check the error log
tail /usr/local/nginx/logs/nginx_error.log
2018/09/19 18:55:10 [crit] 1400#0: *49 connect() to unix:/tmp/php-gi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/1.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-gi.sock:", host: "test.com"
# the log says the socket file cannot be found
(4) Correct the sock path in the virtual host config so it matches the php-fpm sock path, then try again
[root@xinlinux-03 test.com]# !curl
curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:00:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
# Another cause of 502
vim /usr/local/php-fpm/etc/php-fpm.conf
# If the php-fpm config does not set the sock file's mode to 666 (the listen.mode setting), the socket is created with the default 660 mode and requests also return 502
Before the test:
[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw-rw- 1 root root 0 9月 19 16:59 /tmp/php-fcgi.sock
After changing the mode:
[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 9月 19 19:20 /tmp/php-fcgi.sock
Test:
(1) Remove the mode setting for the php-fpm sock file, run -t and restart
/usr/local/php-fpm/sbin/php-fpm -t
/etc/init.d/php-fpm restart
(2) curl -x127.0.0.1:80 test.com/1.php -I
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:25:57 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive
(3) Check the sock file attributes
[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 9月 19 19:20 /tmp/php-fcgi.sock
# the nginx config shows the worker processes run as the nobody user
[root@xinlinux-03 test.com]# chown nobody /tmp/php-fcgi.sock
[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw---- 1 nobody root 0 9月 19 19:32 /tmp/php-fcgi.sock
[root@xinlinux-03 test.com]# !curl
curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:34:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
(4) Restore the mode setting, run -t and restart
/usr/local/php-fpm/sbin/php-fpm -t
/etc/init.d/php-fpm restart
(5) curl -x127.0.0.1:80 test.com/1.php -I
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:30:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
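Both 502 experiments above come down to one question: can the nginx worker (nobody here) open the php-fpm socket? The script below is an added example, not part of the course notes: it decides that from a socket's ls -l mode string and ownership, reproducing the three states seen above (666 root:root, 660 root:root, 660 nobody:root), and has a live check that distinguishes a missing socket path from one the worker cannot write to. Connecting to a unix socket needs write permission on the socket file; the worker user and group are arguments supplied by the caller, not read from the nginx config.

```shell
#!/bin/sh
# Added example, not part of the course notes: reproduce, from a socket's
# mode string and ownership, whether the nginx worker (nobody in the notes)
# can connect to the php-fpm socket, and diagnose the two 502 causes shown
# above (socket path missing, socket not writable by the worker). Connecting
# to a unix socket needs write permission on the socket file. The worker
# user/group arguments are assumptions passed in by the caller.

# usage: sock_connectable MODE OWNER GROUP WORKER_USER WORKER_GROUP
#   MODE is the ls -l string, e.g. srw-rw----
sock_connectable() {
    mode=$1; owner=$2; group=$3; wuser=$4; wgroup=$5
    if [ "$wuser" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)     # owner triplet
    elif [ "$wgroup" = "$group" ]; then
        bits=$(printf '%s' "$mode" | cut -c5-7)     # group triplet
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)    # others triplet
    fi
    case "$bits" in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# usage: fcgi_socket_status PATH WORKER_USER WORKER_GROUP
#   prints the status nginx would return for a PHP request, with the reason
fcgi_socket_status() {
    path=$1; wuser=$2; wgroup=$3
    if [ ! -S "$path" ]; then
        echo "502 (No such file or directory): fastcgi_pass path $path does not match php-fpm listen"
        return 0
    fi
    set -- $(ls -ld "$path")                     # mode links owner group ...
    if sock_connectable "$1" "$3" "$4" "$wuser" "$wgroup"; then
        echo "200"
    else
        echo "502 (Permission denied): worker $wuser cannot write $path ($1 $3:$4)"
    fi
}

# the three states seen in the notes, as constructed inputs
sock_connectable srw-rw-rw- root root nobody nobody && echo "666, root:root -> 200"
sock_connectable srw-rw---- root root nobody nobody || echo "660, root:root -> 502"
sock_connectable srw-rw---- nobody root nobody nobody && echo "660, nobody:root -> 200 (after chown nobody)"
# a path with no socket behind it gives the first kind of 502
tmp=$(mktemp -d)
fcgi_socket_status "$tmp/php-fcgi.sock" nobody nobody
rmdir "$tmp"
```

Of the two fixes shown in the notes, setting the socket owner or group to the worker user is tighter than mode 666: a world-writable socket lets any local account send FastCGI requests straight to php-fpm, bypassing every nginx-side access rule from 12.8 and 12.14.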
12.16 Nginx proxy
• cd /usr/local/nginx/conf/vhost
• vim proxy.conf
# add the following content
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://121.201.9.155/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 ask.apelearn.com/roots.txt
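The three proxy_set_header lines decide what the backend at 121.201.9.155 learns about the client, and the X-Forwarded-For one is the easy one to misread. The script below is an added example, not part of the course notes: it reproduces what $proxy_add_x_forwarded_for sends upstream (the incoming header value with $remote_addr appended) and shows how a backend should pick the client address out of it. The addresses are constructed; the backend-side function and its trusted-proxy count are this example's own design, not anything the notes configure.

```shell
#!/bin/sh
# Added example, not part of the course notes: what the two proxy_set_header
# lines above hand to the backend, and how a backend should read them.
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client sent, so only the right-most entry is written by this nginx; the
# entries to its left arrived from the client and can say anything.
# X-Real-IP is set to $remote_addr outright. Addresses below are constructed.

# usage: add_xff INCOMING_XFF REMOTE_ADDR  -> the header value nginx sends upstream
add_xff() {
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s, %s\n' "$1" "$2"; fi
}

# usage: client_ip_from_xff XFF_VALUE TRUSTED_PROXIES
#   picks the entry written by the outermost of the TRUSTED_PROXIES proxies you
#   operate (counted from the right); 1 for the single proxy in the notes
client_ip_from_xff() {
    printf '%s\n' "$1" | awk -F', *' -v n="$2" '{ i = NF - n + 1; if (i < 1) i = 1; print $i }'
}

# request with no X-Forwarded-For header
plain=$(add_xff "" 203.0.113.7)                             # 203.0.113.7
# request that already carries a client-supplied X-Forwarded-For value
presupplied=$(add_xff "1.1.1.1, 127.0.0.1" 203.0.113.7)     # 1.1.1.1, 127.0.0.1, 203.0.113.7

client_ip_from_xff "$plain" 1          # 203.0.113.7
client_ip_from_xff "$presupplied" 1    # 203.0.113.7, the address this nginx appended
# reading the first entry instead would take the client's word for it:
printf '%s\n' "$presupplied" | awk -F', *' '{ print $1 }'   # 1.1.1.1
```

When the backend is the one writing access logs or applying allow/deny rules, have it use X-Real-IP (or the right-most X-Forwarded-For entry) from this proxy only, and make sure nothing but this proxy can reach the backend directly; otherwise the header value is whatever the requester chose to send.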