12.7 Default virtual host
The Nginx default virtual host can be configured by defining the server block directly in nginx.conf, or by adding a statement that pulls in a separate configuration file and configuring it there.
Open vim /usr/local/nginx/conf/nginx.conf and add the following configuration:
Create the vhost directory: mkdir /usr/local/nginx/conf/vhost
Create the configuration file aaa.com.conf in the vhost directory and add the following:
Where:
listen 80 default_server; listens on port 80; default_server marks this virtual host as the default virtual host.
server_name aaa.com; the virtual host name.
index index.html index.htm index.php; the default index pages.
root /data/wwwroot/default; the document root directory.
Create the /data/wwwroot/default directory and its default page:
mkdir /data/wwwroot/default
vim index.html
Check the configuration file for errors with /usr/local/nginx/sbin/nginx -t, then reload the configuration and access the virtual host.
Summary: there are two ways to define the default virtual host. First, the virtual host configuration file that sorts first in the vhost directory becomes the default. Second, add default_server to the listen directive in the virtual host configuration file.
12.8 Nginx user authentication
User authentication in nginx is similar to user authentication in apache.
1. Create the test.com.conf file in the vhost directory.
vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following:
Where:
location /
{
auth_basic "Auth"; defines the authentication realm name.
auth_basic_user_file /usr/local/nginx/conf/htpasswd; the username and password file.
}
Generate the password file; it is generated with the htpasswd tool from apache:
-c: specifies the password file path;
Check the syntax and reload the configuration to apply it. Reload the configuration instead of restarting the nginx service, because a restart may fail and leave the service down if the configuration file contains an error.
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test access: curl -x127.0.0.1:80 test.com returns a 401 error.
Access again with the username and password specified. Before that, create the document root directory and file for the virtual host configured earlier:
mkdir /data/wwwroot/test.com
echo "test.com" > /data/wwwroot/test.com/index.html
2. Configure access authentication for a specific directory.
Edit vim /usr/local/nginx/conf/vhost/test.com.conf.
Test:
3. Configure access authentication for a specific file.
Where: location ~ admin.php matches the file admin.php.
12.9 Nginx domain redirect
1. Edit the vhost configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf
Where: server_name defines multiple hosts;
The condition that triggers the domain redirect:
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
permanent: returns a 301 response.
redirect: returns a 302 response.
2. Test the domain redirect.
[root@liang-00 ~]# curl -x127.0.0.1:80 test2.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 12:34:50 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/
[root@liang-00 ~]# curl -x127.0.0.1:80 test2.com/admin -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 12:34:57 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin
[root@liang-00 ~]# curl -x127.0.0.1:80 test2.com/admin/asdasdasd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 12:35:01 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/asdasdasd
12.10 Nginx access log
In nginx, the log format is defined in the nginx.conf configuration file.
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
client_header_timeout 3m;
client_body_timeout 3m;
combined_realip: the name of the log format; it is referenced from the virtual host configuration file.
The meaning of each field is as follows:
1. Configure the virtual host access log file.
After defining the access log format in the main configuration file, configure the access log in the virtual host configuration file (mainly the path of the access log and the name of the log format to use).
2. Test that the access log records requests.
First, check the configuration syntax and reload the configuration.
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test:
curl -x127.0.0.1:80 test2.com/admin/sadasdasd -I
curl -x127.0.0.1:80 test3.com/admin/sadasdasd -I
[root@liang-00 ~]# cat /tmp/test.com.log
127.0.0.1 - [11/Dec/2018:21:11:12 +0800] test2.com "/admin/sadasdasd" 301 "-" "curl/7.29.0"
127.0.0.1 - [11/Dec/2018:21:11:16 +0800] test3.com "/admin/sadasdasd" 301 "-" "curl/7.29.0"
[root@liang-00 ~]#
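An added example, not part of the original notes, that reads log lines written in the combined_realip format above and answers the questions an operator asks of such a log (who is really calling, how many 301s, which hosts); the sample lines are constructed and the trusted-proxy address is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise access-log lines
# written in the combined_realip format defined in nginx.conf above:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status ...
# $time_local contains a space, so awk sees it as fields 3 and 4; the host is
# field 5 and the status is field 7.

# Constructed sample, shaped like the /tmp/test.com.log output shown above.
SAMPLE_LOG='127.0.0.1 - [11/Dec/2018:21:11:12 +0800] test2.com "/admin/sadasdasd" 301 "-" "curl/7.29.0"
127.0.0.1 - [11/Dec/2018:21:11:16 +0800] test3.com "/admin/sadasdasd" 301 "-" "curl/7.29.0"
127.0.0.1 203.0.113.7 [11/Dec/2018:22:11:21 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [11/Dec/2018:22:49:47 +0800] test.com "/admin/" 404 "-" "curl/7.29.0"'

# Requests per real client. X-Forwarded-For is whatever the sender put in the
# header, so it is trusted only when $remote_addr is our own proxy ($1);
# otherwise the connecting address counts. Output: "<count> <ip>", busiest first.
count_by_client() {
    awk -v proxy="$1" '{ ip = ($1 == proxy && $2 != "-") ? $2 : $1; n[ip]++ }
                       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of requests that received status $1 (301 measures the redirect of 12.9).
count_status() {
    awk -v want="$1" '$7 == want { c++ } END { print c + 0 }'
}

# Distinct hosts requested, one per line.
hosts_seen() {
    awk '{ print $5 }' | sort -u
}

# When run directly: prints the number of 301 responses in the sample (2).
printf '%s\n' "$SAMPLE_LOG" | count_status 301
```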
12.11 Nginx log rotation
Nginx has no built-in log rotation command, so to rotate nginx log files you have to write a shell script yourself.
The /usr/local/sbin directory is the conventional place for all shell scripts.
1. Create the nginx log rotation shell script.
vim /usr/local/sbin/nginx_logrotate.sh
Contents:
Where:
d=`date -d "-1 day" +%Y%m%d` the date suffix variable to append; usually it is yesterday's log that gets rotated.
[root@liang-00 ~]# date -d "-1 day" +%Y%m%d
20181210
[root@liang-00 ~]# date
Tue Dec 11 21:32:14 CST 2018
[root@liang-00 ~]#
logdir="/tmp/" the directory where the logs are located
nginx_pid="/usr/local/nginx/logs/nginx.pid" the nginx pid file.
for log in `ls *.log`;do mv $log $log-$d ; done enter the log directory, iterate over the log files and rename yesterday's logs to rotate them.
About the for loop:
/bin/kill -HUP `cat $nginx_pid` is equivalent to reloading the log-writing process, so new access logs ending in .log are generated
3. Test by running the log rotation shell script.
sh -x /usr/local/sbin/nginx_logrotate.sh # the -x option shows the execution trace.
[root@liang-00 ~]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20181210
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20181210
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 1002
[root@liang-00 ~]#
[root@liang-00 ~]# sh /usr/local/sbin/nginx_logrotate.sh
[root@liang-00 ~]# ls /tmp/
123.txt php_errors.log-20181210 test.com.log
mysql.sock php-fcgi.sock test.com.log-20181210
pear systemd-private-b29a7e11f8044dab92cb04a3a09cca24-chronyd.service-f2jCY6 vmware-root
[root@liang-00 ~]#
4. Over time a rotated log is produced every day, so the find command can be used to delete log files older than a given number of days.
5. Because the logs must be rotated every day, create a scheduled task with crontab.
0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
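An added example of the rotation script, written here from the pieces the notes describe (it is not the script from the original notes): it also covers the find-based cleanup of step 4. The "run" argument, the 30-day retention and the safer glob instead of `ls *.log` are this example's own choices.

```shell
#!/bin/bash
# Added example, not the script from the original notes: a rotation script
# assembled from the pieces described above (date suffix, logdir, nginx pid
# file, rename loop, kill -HUP) plus the find-based cleanup of step 4.
# The paths are the ones used in these notes; adjust them for your host.

# Rename every *.log in $1 to *.log-$2, then send HUP to the nginx master
# named in pid file $3 so it reopens its logs and new *.log files appear.
# Returns 1 if the log directory does not exist.
rotate_logs() {
    logdir=$1 suffix=$2 nginx_pid=$3
    [ -d "$logdir" ] || return 1
    # A glob instead of `ls *.log`: safe with odd file names, no-op when empty.
    for log in "$logdir"/*.log; do
        [ -e "$log" ] || continue
        mv -- "$log" "$log-$suffix"
    done
    # Reopen logs only when the pid file is there (it is not during a dry run).
    if [ -r "$nginx_pid" ]; then
        /bin/kill -HUP "$(cat "$nginx_pid")"
    fi
}

# Step 4 of the notes: delete rotated logs in $1 older than $2 days.
purge_old_logs() {
    find "$1" -maxdepth 1 -type f -name '*.log-*' -mtime "+$2" -delete
}

# Yesterday's date as the suffix, as in the notes (date -d "-1 day" +%Y%m%d).
yesterday() {
    date -d "-1 day" +%Y%m%d
}

# Rotate for real only when invoked as "nginx_logrotate.sh run", so the
# functions can be sourced and tested without touching /tmp.
if [ "$1" = run ]; then
    rotate_logs /tmp/ "$(yesterday)" /usr/local/nginx/logs/nginx.pid
    purge_old_logs /tmp/ 30
fi
```

With this version the crontab entry from step 5 needs the argument: 0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh run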
12.12 Static files: no access logging and expiry time
Configure the nginx virtual host configuration file so that static files are not logged and carry an expiry time.
1. Add the following configuration to the virtual host configuration file:
Where:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ an nginx regular expression that matches image file types.
expires 7d; sets the expiry time for images
2. Test the configuration.
Create dummy image and js files: 1.jpg, 2.js
curl -x127.0.0.1:80 test.com/1.jpg -I
curl -x127.0.0.1:80 test.com/2.js -I
curl -x127.0.0.1:80 test.com/index.html -I
Check the log file: only the request for index.html was written to the access log.
[root@liang-00 test.com]# cat /tmp/test.com.log
127.0.0.1 - [11/Dec/2018:22:11:21 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@liang-00 test.com]#
The requests for 1.jpg and 2.js both show an expiry time.
[root@liang-00 test.com]# curl -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 14:11:04 GMT
Content-Type: image/jpeg
Content-Length: 10
Last-Modified: Tue, 11 Dec 2018 14:09:28 GMT
Connection: keep-alive
ETag: "5c0fc518-a"
Expires: Tue, 18 Dec 2018 14:11:04 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@liang-00 test.com]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 14:11:10 GMT
Content-Type: application/javascript
Content-Length: 8
Last-Modified: Tue, 11 Dec 2018 14:09:38 GMT
Connection: keep-alive
ETag: "5c0fc522-8"
Expires: Wed, 12 Dec 2018 02:11:10 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
12.13 Nginx hotlink protection
The nginx hotlink protection (anti-leech) configuration.
1. Add the following to the virtual host configuration file.
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
~* means the match is case-insensitive
valid_referers none blocked server_names *.test.com ; #the referer whitelist
if ($invalid_referer) {
return 403; returns 403 if the referer is not in the whitelist.
2. Test hotlink protection.
[root@liang-00 test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 14:26:23 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@liang-00 test.com]#
[root@liang-00 test.com]# curl -e "http://test.com/1.txt" -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 14:28:09 GMT
Content-Type: image/jpeg
Content-Length: 10
Last-Modified: Tue, 11 Dec 2018 14:09:28 GMT
Connection: keep-alive
ETag: "5c0fc518-a"
Expires: Tue, 18 Dec 2018 14:28:09 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@liang-00 test.com]#
12.14 Nginx access control
Nginx access control protects important site files so that only specific users can access them.
1. Configure access control for requests to /admin/.
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.37.200;
    deny all;
}
Unlike apache, the above means that only 127.0.0.1 and 192.168.37.200 are allowed to access the /admin/ directory.
Test.
Create the admin directory and a file
[root@liang-00 test.com]# mkdir /data/wwwroot/test.com/admin
[root@liang-00 test.com]# echo "111" > /data/wwwroot/test.com/admin/1.txt
curl -x192.168.37.200:80 test.com/admin/1.txt -I
[root@liang-00 test.com]# curl -x192.168.37.200:80 test.com/admin/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 14:51:39 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Tue, 11 Dec 2018 14:51:29 GMT
Connection: keep-alive
ETag: "5c0fcef1-4"
Accept-Ranges: bytes
Access log entries.
[root@liang-00 test.com]# cat /tmp/test.com.log
127.0.0.1 - [11/Dec/2018:22:11:21 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
192.168.37.200 - [11/Dec/2018:22:49:47 +0800] test.com "/admin/" 404 "-" "curl/7.29.0"
192.168.37.200 - [11/Dec/2018:22:49:54 +0800] test.com "/admin/asd" 404 "-" "curl/7.29.0"
192.168.37.200 - [11/Dec/2018:22:51:39 +0800] test.com "/admin/1.txt" 200 "-" "curl/7.29.0"
192.168.37.200 - [11/Dec/2018:22:51:44 +0800] test.com "/admin/1.txt" 200 "-" "curl/7.29.0"
[root@liang-00 test.com]#
2. Regular expression matching
Forbid parsing of php files in certain directories.
location ~* .*(upload|image)/.*\.php$
{
    deny all;
}
Test: create a test directory and file.
mkdir /data/wwwroot/test.com/upload
echo "111" > /data/wwwroot/test.com/upload/1.php
Test: curl -x192.168.37.200:80 test.com/upload/1.php -I
[root@liang-00 test.com]# curl -x192.168.37.200:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 15:04:55 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@liang-00 test.com]#
3. Control based on user_agent.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
deny all and return 403 have the same effect.
Test:
[root@liang-00 test.com]# curl -A "Tomatodasad" -x127.0.0.1:80 test.com -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Tue, 11 Dec 2018 15:09:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@liang-00 test.com]#
12.15 Nginx php parsing configuration
The Nginx configuration for parsing php is as follows.
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
1. Test
Create a php file with the following content:
<?php phpinfo(); ?>
Test: curl -x127.0.0.1:80 test.com/3.php parses the php normally.
2. Analysis of 502 errors, case one: the socket file name is misspelled.
The socket file name in the configuration file is wrong, for example php-fcgi.sock written as php-cgi.sock.
[root@liang-00 test.com]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
This error is recorded in the nginx error log file nginx_error.log.
[root@liang-00 test.com]# cat /usr/local/nginx/logs/nginx_error.log
2018/12/11 23:31:32 [crit] 4364#0: *43 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
[root@liang-00 test.com]#
The /tmp/php-fcgi.sock file that nginx connects to must match listen = /tmp/php-fcgi.sock in the php configuration file.
[root@liang-00 test.com]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
2. Analysis of 502 errors, case two: php listens on an ip and port, but nginx is not configured to connect to that ip and port.
Change the listen method in php-fpm.conf to ip and port, check the configuration file and reload.
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
/usr/local/php-fpm/sbin/php-fpm -t
/usr/local/nginx/sbin/nginx -s reload
Test:
[root@liang-00 test.com]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
The error log shows that the socket file being connected to was not found:
[root@liang-00 test.com]# cat /usr/local/nginx/logs/nginx_error.log
2018/12/11 23:31:32 [crit] 4364#0: *43 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/12/11 23:54:54 [crit] 4580#0: *45 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
[root@liang-00 test.com]#
Change the nginx virtual host configuration file.
Reload the configuration file; access now works normally.
Also: the path in fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; must match root /data/wwwroot/test.com;.
3. Analysis of 502 errors, case three: listen.mode in php-fpm has insufficient permissions or is not set.
Remove the listen.mode permission setting from the php configuration.
Test access:
[root@liang-00 test.com]# cat /usr/local/nginx/logs/nginx_error.log
2018/12/11 23:31:32 [crit] 4364#0: *43 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/12/11 23:54:54 [crit] 4580#0: *45 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/12/12 00:07:41 [crit] 5066#0: *55 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
[root@liang-00 test.com]#
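An added pre-flight check for the three 502 causes analysed above; it is not from the original notes. It assumes the nginx vhost file and php-fpm.conf are passed as arguments and uses only the directives shown on this page (fastcgi_pass, listen, listen.mode).

```shell
#!/bin/sh
# Added example, not from the original notes: a pre-flight check for the three
# 502 causes analysed above. It reads the fastcgi_pass target from an nginx
# vhost file and the listen/listen.mode settings from php-fpm.conf and reports
# (1) a misspelled socket path, (2) nginx on a unix socket while php-fpm
# listens on ip:port (or vice versa), and (3) a missing listen.mode.
# Exit status: 0 ok, 1 mismatch, 2 directive missing, 3 listen.mode not set.

# First uncommented `fastcgi_pass` value, e.g. unix:/tmp/php-fcgi.sock or 127.0.0.1:9000.
nginx_upstream() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Uncommented `listen =` value from php-fpm.conf (a commented #listen line is skipped).
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# `listen.mode =` value, empty when the directive is absent.
fpm_listen_mode() {
    sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

check_fastcgi_link() {
    up=$(nginx_upstream "$1")
    lst=$(fpm_listen "$2")
    if [ -z "$up" ] || [ -z "$lst" ]; then
        echo "missing fastcgi_pass in $1 or listen in $2"
        return 2
    fi
    up=${up#unix:}    # nginx writes unix:/path; php-fpm writes the bare path
    if [ "$up" != "$lst" ]; then
        echo "MISMATCH: nginx fastcgi_pass=$up but php-fpm listen=$lst"
        return 1
    fi
    case $up in
        /*) # unix socket: php-fpm creates it with listen.mode (default 0660),
            # which an nginx worker user outside the php-fpm group cannot open.
            # Narrower than 666: set listen.owner/listen.group to that user.
            if [ -z "$(fpm_listen_mode "$2")" ]; then
                echo "WARN: listen.mode not set for $up; expect '(13: Permission denied)'"
                return 3
            fi ;;
    esac
    echo "OK: nginx and php-fpm both use $up"
}
```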
12.16 Nginx proxy
Nginx has a proxy function. A user wants to access a web server but cannot reach it directly, because the server address is a private address; nginx can then act as a proxy to provide the access.
1. Add a new configuration file proxy.conf in /usr/local/nginx/conf/vhost/.
Contents:
server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass http://223.94.95.10/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Because this is acting as a proxy, no local document root is needed.
proxy_set_header Host $host; refers to ask.apelearn.com from server_name.
2. Test the connection.
curl ask.apelearn.com/robots.txt
[root@liang-00 vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
curl -x192.168.37.200:80 ask.apelearn.com/robots.txt
[root@liang-00 vhost]# curl -x192.168.37.200:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/