nginx+php安装脚本
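#!/usr/bin/env bash
# nginx + PHP 7.1 (php-fpm) installer for CentOS/RHEL 7.
#
# Steps: add the EPEL and Remi repositories (signature-checked), install
# php-fpm and extensions from the remi-php71 stream, install nginx from EPEL,
# write a hardened /etc/nginx/nginx.conf, enable both services and open the
# web ports in firewalld. Must be run as root.
#
# Review notes:
#   * PHP 7.1 reached end of life in December 2019 and receives no security
#     fixes. Switch PHP_STREAM to a supported remi-php7x/8x stream unless an
#     application genuinely requires 7.1.
#   * The original script silenced every command (&> /dev/null) and kept going
#     after failures; this version stops at the first failing step instead.
set -euo pipefail

PHP_STREAM=remi-php71

# format: print the green "Success!!!" banner and a separator line.
format() {
  printf '\033[32m Success!!!\033[0m\n\n'
  echo "#########################################################"
}

# failure MSG: print MSG to stderr followed by the red FAILURE banner.
# Does not exit; the caller decides whether the step was fatal.
failure() {
  printf '%s\n' "$1" >&2
  printf '\033[41;37;5m FAILURE \033[0m\n'
}

if [ "$(id -u)" -ne 0 ]; then
  echo "please use root" >&2
  exit 1
fi

# Scratch directory for the downloaded release RPMs and yum output. A fixed
# path such as the original /tmp/remi-php71.txt, written by root with `>`, is a
# symlink-clobber target for any local user; mktemp avoids that and the trap
# removes the directory on every exit path.
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT
cd "$workdir"

echo "Downloading the EPEL and Remi repository packages"
# HTTPS only (the original fetched remi-release over plain HTTP), and the
# packages are signature-checked against the projects' keys before anything is
# installed: yum does not verify a local/URL RPM unless localpkg_gpgcheck=1.
curl -fsSLO https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
curl -fsSLO https://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi
# rpm -K exits non-zero on a bad or unknown signature. If it reports NOKEY, the
# package is signed with a key other than the ones imported above: fetch that
# key from the project's published key page rather than skipping the check.
rpm -K epel-release-latest-7.noarch.rpm remi-release-7.rpm
yum -y install ./epel-release-latest-7.noarch.rpm ./remi-release-7.rpm
yum -y install yum-utils
format

# Enable the PHP stream. yum-config-manager prints the section it changed; if
# the stream name is missing from that output the Remi repo files are absent
# or misnamed and the PHP packages would come from the wrong place.
if yum-config-manager --enable "$PHP_STREAM" > "$workdir/$PHP_STREAM.txt" \
   && grep -q "$PHP_STREAM" "$workdir/$PHP_STREAM.txt"; then
  echo "Installing PHP 7.1 packages"
  yum -y install php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc \
    php-mbstring php-soap curl curl-devel php-redis php-event php-fpm
  format
else
  failure "PHP 7.1 packages were not installed; fix the yum repository configuration and rerun the PHP step"
fi

echo "Installing nginx"
yum -y install nginx nginx-mod-http-perl nginx-mod-stream nginx-filesystem \
  nginx-mod-mail nginx-mod-http-image-filter nginx-all-modules \
  nginx-mod-http-geoip nginx-mod-http-xslt-filter git
format

echo "Writing /etc/nginx/nginx.conf"
# Quoted heredoc delimiter: the log_format below contains nginx variables
# ($remote_addr, $host, $request, ...). With the original unquoted <<EOF the
# shell expanded every one of them to an empty string, silently destroying the
# format. Nothing in this document needs shell expansion.
cat > /etc/nginx/nginx.conf <<'EOF'
user nginx nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;
events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}
http {
    # Catch-all for requests whose Host header matches no configured vhost
    # (raw-IP scans, stray names pointed at this box): refuse them instead of
    # serving the first site by accident.
    server {
        listen 80 default_server;
        server_name _;
        return 403;
    }
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $host [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # The original defined "main" and then set `access_log off`, leaving no
    # request trail for incident response or abuse investigation.
    access_log /var/log/nginx/access.log main;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    proxy_max_temp_file_size 128M;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    proxy_buffer_size 256k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";
    # Hide the version string in Server: and error pages.
    server_tokens off;
    # TLS baseline inherited by every `listen 443 ssl` server under conf.d/.
    # nginx accepts the TLSv1.3 token regardless of the OpenSSL build; it only
    # takes effect when the linked OpenSSL supports 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    include /etc/nginx/conf.d/*.conf;
}
EOF
# Fail here, with the parser's message, rather than at service start.
nginx -t
format

echo "Starting nginx and php-fpm and enabling them at boot"
systemctl start nginx php-fpm
systemctl enable nginx php-fpm
format

# Open the web ports only when firewalld is actually running (firewall-cmd
# fails otherwise). The original opened 80 alone although the site configs
# further down in this document listen on 443.
if systemctl is-active --quiet firewalld; then
  echo "Opening ports 80 and 443 in firewalld"
  firewall-cmd --permanent --add-port=80/tcp
  firewall-cmd --permanent --add-port=443/tcp
  firewall-cmd --reload
  format
else
  echo "firewalld is not running; ports 80/443 were not opened" >&2
fi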
nginx——server写法
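server {
    listen 80;
    server_name localhost;
    # Send every plain-HTTP request to HTTPS. `return` is cheaper than a regex
    # rewrite, and $request_uri carries the original path and query string.
    # $host echoes whatever Host header the client sent; that is fine for a
    # redirect but should not be used for anything security-relevant.
    return 301 https://$host$request_uri;
}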
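server {
    listen 443 ssl;
    server_name localhost;
    # Certificate and private key. The key file must be readable by root only;
    # nginx reads it as root before dropping to the worker user. Protocols and
    # ciphers are inherited from http{} (set ssl_protocols there once).
    ssl_certificate /etc/nginx/key/server.crt;
    ssl_certificate_key /etc/nginx/key/server.key;

    # Client allow-list. $ip_whitelist is presumably produced by a geo{} block
    # in http{} (default 0, 1 for listed addresses), so the decision rests on
    # the TCP peer address, which a client cannot forge.
    #
    # Do NOT gate on $http_x_forwarded_for as the commented-out variant below
    # did: that header is set by the client unless a trusted proxy in front of
    # nginx overwrites it, so it can be spoofed at will. The regex was also
    # unanchored with unescaped dots ('1.1.1.1' also matches 11.1.1.1x).
    # if ( $http_x_forwarded_for !~ '1.1.1.1|2.2.2.2' ) {
    #     return 403;
    # }
    #
    # Written as "deny unless allowed" rather than the original
    # `if (... = 1) { break; } return 403;`, which relied on `break` skipping
    # the trailing return.
    if ($ip_whitelist != 1) {
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Anchored on .php$: the original `~ \.php` also matched names such as
    # /upload/x.php.jpg, leaving php-fpm's security.limit_extensions as the
    # only thing refusing them. try_files demands the script exist on disk,
    # which blocks the "/pic.jpg/evil.php" path-info trick; as a consequence
    # PATH_INFO URLs 404 here, so fastcgi_split_path_info was dead and has
    # been dropped.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Alternative to php-fpm: reverse-proxy everything to a backend.
    # Replace the address with your own backend before enabling.
    # location / {
    #     proxy_pass http://103.70.225.221:8080;
    #     proxy_redirect off;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
}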
nginx白名单池定义规则:把允许访问的地址写入 /etc/nginx/ip_white.conf,每行 "地址 1;",然后在 http{} 中通过 geo 块引用生成 $ip_whitelist 变量(通常写法:`geo $ip_whitelist { default 0; include /etc/nginx/ip_white.conf; }`,default 必须是 0,否则未列出的地址也会被放行)。geo 基于 TCP 对端地址判断,客户端无法伪造;geo 也支持 CIDR 网段。
cat /etc/nginx/ip_white.conf
# Allow-list body, one "<address> <value>;" entry per line, presumably pulled
# into a geo{} block that yields $ip_whitelist. Only a value of 1 is treated
# as allowed by the server blocks that use it; any address not listed gets the
# geo default (which must be 0). CIDR ranges such as 10.0.0.0/8 are accepted
# by geo as well. The addresses below are placeholders.
1.1.1.1 1;
2.2.2.2 1;
3.3.3.3 1;
多个域名https证书配置
方法一:
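server
{
    listen 80;
    server_name abc.com www.abc.com edf.com www.edf.com;
    root /home/website/Deposit;
    access_log /home/wwwlogs/access.log;
    error_log /home/wwwlogs/error.log info;

    # Serve ACME HTTP-01 challenges over plain HTTP so certificates can be
    # issued or renewed even while the HTTPS vhost is broken. ^~ takes
    # precedence over the regex dot-file rule below.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Never serve dot-files (.git/, .env, .htpasswd, ...).
    location ~ /\. {
        deny all;
    }

    # Everything else goes to HTTPS. The original used a server-level
    # `rewrite ... permanent`, which runs before location matching, so none
    # of its location blocks (expires, .well-known, dot-file deny) could ever
    # be reached; the static-file expires rules belong in the 443 servers.
    location / {
        return 301 https://$host$request_uri;
    }
}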
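server
{
    # `ssl on;` is deprecated since nginx 1.15.0 and rejected from 1.25.1; the
    # ssl parameter on listen replaces it. Protocols and ciphers are inherited
    # from http{} (set ssl_protocols there once for every vhost).
    listen 443 ssl;
    server_name abc.com www.abc.com;
    root /home/website/Deposit;
    index index.php index.htm index.html;
    ssl_certificate /etc/nginx/ssl/abc.com_ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/abc.com_ssl.key;

    # Dot-files under the document root (.git/, .env, .htpasswd, ...) must not
    # be served. In the original this rule only existed in the :80 server,
    # where the redirect made it unreachable, so the HTTPS site would hand out
    # such files through try_files if they were present.
    location ~ /\. {
        deny all;
    }

    include /etc/nginx/conf.d/php.type;
}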
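server
{
    # `ssl on;` is deprecated since nginx 1.15.0 and rejected from 1.25.1; the
    # ssl parameter on listen replaces it. Protocols and ciphers are inherited
    # from http{}.
    listen 443 ssl;
    server_name edf.com www.edf.com;
    # Note: this vhost shares its document root with abc.com, so the same
    # files are reachable under both names.
    root /home/website/Deposit;
    index index.php index.htm index.html;
    ssl_certificate /etc/nginx/ssl/edf.com_ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/edf.com_ssl.key;

    # Never serve dot-files; the :80 server's copy of this rule sat behind the
    # redirect and never applied to HTTPS traffic.
    location ~ /\. {
        deny all;
    }

    include /etc/nginx/conf.d/php.type;
}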
引用 /etc/nginx/conf.d/php.type内容把php文件转发给php-fpm处理
cat /etc/nginx/conf.d/php.type
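# /etc/nginx/conf.d/php.type — shared by every PHP vhost: front-controller
# routing plus hand-off of *.php scripts to php-fpm on 127.0.0.1:9000.
location / {
    try_files $uri $uri/ /index.php$is_args$args;
}

# Anchored on .php$: the original `~ \.php` also matched names such as
# /upload/x.php.jpg, leaving php-fpm's security.limit_extensions as the only
# thing refusing them. try_files demands that the script exist on disk, which
# keeps the "/pic.jpg/evil.php" path-info trick out; as a consequence PATH_INFO
# URLs 404 here, so fastcgi_split_path_info was dead and has been dropped.
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_index index.php;
    fastcgi_pass 127.0.0.1:9000;
}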
方法二:
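server
{
    listen 80;
    server_name abc.com www.abc.com edf.com www.edf.com wss.abc.com;
    root /home/website/aoyaDeposit;
    access_log /home/wwwlogs/access.log;
    error_log /home/wwwlogs/error.log info;

    # ACME HTTP-01 challenges stay on plain HTTP; ^~ beats the regex rule below.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Never serve dot-files (.git/, .env, .htpasswd, ...).
    location ~ /\. {
        deny all;
    }

    # One redirect for every host, wss.abc.com included. The original answered
    # that host with `Location: wss://...`, but a 301 cannot turn an HTTP
    # request into a WebSocket: browser WebSocket clients generally do not
    # follow redirects at all, so the client must open wss://wss.abc.com
    # directly. Redirecting to https:// is still the right answer for a
    # browser that lands on the host by hand. (Server-level `rewrite` ran
    # before location matching in the original, making every location below
    # it unreachable; the expires rules belong in the 443 servers.)
    location / {
        return 301 https://$host$request_uri;
    }
}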
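# abc.com / www.abc.com: the PHP application.
server
{
    listen 443 ssl;
    server_name abc.com www.abc.com;
    root /home/website/aoyaDeposit;
    index index.php index.htm index.html;
    ssl_certificate /etc/nginx/ssl/abc.com_ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/abc.com_ssl.key;

    # Never serve dot-files under the document root.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # .php$ anchor + try_files: see the php.type notes — no path-info, no
    # "x.php.jpg" reaching php-fpm.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
    }
}

# wss.abc.com: the WebSocket backend, served with the same certificate.
# Split into its own server block on purpose. The original selected proxy_pass
# with `if ($host ~ ...)` inside the same `location /` that carried try_files;
# try_files is inherited into the if{} and appears to run first, so a
# handshake for a path that does not exist on disk is internally redirected
# to /index.php and ends up at php-fpm instead of the backend, while every
# ordinary abc.com request was sent Upgrade/Connection headers.
server
{
    listen 443 ssl;
    server_name wss.abc.com;
    ssl_certificate /etc/nginx/ssl/abc.com_ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/abc.com_ssl.key;

    location / {
        proxy_pass http://192.168.0.139:8084;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # "Upgrade" is hard-coded because this host carries WebSocket traffic
        # only; for mixed traffic derive it from a map on $http_upgrade.
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket sessions are long-lived; the 60s default read timeout
        # would cut idle connections. Tune to the application's ping interval.
        proxy_read_timeout 3600s;
    }
}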
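server
{
    # `ssl on;` is deprecated (rejected from nginx 1.25.1); use the listen
    # parameter. Protocols/ciphers are inherited from http{}.
    listen 443 ssl;
    server_name edf.com www.edf.com;
    # Shares its document root with abc.com, so the same files are reachable
    # under both names.
    root /home/website/aoyaDeposit;
    index index.php index.htm index.html;
    ssl_certificate /etc/nginx/ssl/edf.com_ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/edf.com_ssl.key;

    # Never serve dot-files under the document root.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # .php$ anchor + try_files: no path-info, no "x.php.jpg" reaching php-fpm.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
    }
}
# (The original listing never closed this server block; the closing brace
# above was missing.)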
匹配指定多种开头反代,否则返回400
# Only URIs beginning with one of the listed prefixes are proxied; everything
# else is refused. ~* makes the match case-insensitive, and "aaa" must be an
# upstream{} defined elsewhere in the configuration.
location ~* ^/(gg|bb|aa|dd) {
    proxy_pass http://aaa;
    proxy_redirect off;

    # Hand the original host and the client address chain to the backend.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Request-body limits and upstream timeouts for this path.
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;

    # Response buffering.
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
}

# Catch-all for anything that is not one of the prefixes above. 400 is this
# snippet's choice; 404 is the conventional answer for an unknown path.
location / {
    return 400;
}
nginx单ip并发限制
Nginx 有2个模块用于控制访问“数量”和“速度”,简单的说,控制单ip最多同时有 多少个访问,并且控制每秒钟最多访问多少次, 同时并发访问不能太多,也不能太快,不然就返回503直接不处理。
ngx_http_limit_conn_module(旧名 ngx_http_limit_zone_module,其 limit_zone 指令在 1.1.8 已被 limit_conn_zone 取代,下面的配置用的就是新指令)限制同一个 key(这里是客户端 IP)同时存在的连接数
ngx_http_limit_req_module 限制请求速率,即同一个 key 每秒最多处理几个请求
一、普通配置
什么叫普通配置?
普通配置就是针对【用户浏览器】→【网站服务器】这种常规模式的nginx配置。那么,如果我要对单IP做访问限制,绝大多数教程都是这样写的:
http模块中配置如下
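http {
    # ... other http-level directives ...

    ## Key both zones on the client address ($binary_remote_addr is the
    ## compact binary form). At most 50 concurrent connections per address;
    ## the 51st is answered 503 without being processed.
    limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:10m;
    limit_conn TotalConnLimitZone 50;
    limit_conn_log_level notice;

    ## ... and at most 10 requests per second per address; the zone only
    ## tracks the rate, the limit itself is applied where limit_req is used.
    limit_req_zone $binary_remote_addr zone=ConnLimitZone:10m rate=10r/s;
    limit_req_log_level notice;

    ## NOTE: limit_conn at http scope applies to every server block, and both
    ## zones see the TCP peer address — behind a CDN or load balancer that is
    ## the proxy's address, not the user's (see the next section).

    # ... other http-level directives ...

    server {
        listen 80;
        server_name aaa.com;
        index index.html index.php;
        # ... other server directives ...

        ## burst=5 nodelay: up to 5 requests above the 10 r/s rate are served
        ## immediately; anything beyond that is rejected with 503 instead of
        ## being queued. Move this into a location{} to limit only part of
        ## the site.
        limit_req zone=ConnLimitZone burst=5 nodelay;

        # ... other server directives ...
    }
}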
二、CDN之后
目前国内已经争相出现了百度云加速、加速乐、360网站卫士以及安全宝等免费CDN。让我们这些小网站也能免费享受以前高大上的CDN加速服务。
于是,网站的访问模式就变为:
用户浏览器 → CDN节点 → 网站源服务器
甚至是更复杂的模式:
用户浏览器 → CDN节点(CDN入口、CC\DDoS攻击流量清洗等) → 阿里云盾 → 源服务器
可以看到,我们的网站中间经历了好几层的透明加速和安全过滤, 这种情况下,我们就不能用上面的“普通配置”。因为普通配置中基于【源IP的限制】的结果就是,我们把【CDN节点】或者【阿里云盾】给限制了,因为这里“源IP”地址不再是真实用户的IP,而是中间CDN节点的IP地址。
我们需要限制的是最前面的真实用户,而不是中间为我们做加速的加速服务器。
其实,当一个 CDN 或者透明代理服务器把用户的请求转到后面服务器的时候,这个 CDN 服务器会在 Http 的头中加入一个记录
X-Forwarded-For : 用户IP, 代理服务器IP
如果中间经历了不止一个代理服务器,这个记录会是这样
X-Forwarded-For : 用户IP, 代理服务器1-IP, 代理服务器2-IP, 代理服务器3-IP, ….
可以看到经过多层代理之后,用户的真实 IP 在最左边,后面跟着各级代理的地址。但必须注意:最左边那个值是客户端自己发出的 X-Forwarded-For(CDN 只是在后面追加自己的地址),攻击者可以随意伪造它来绕过限制,或者让无辜的 IP 被限流;直接取第一个地址是不安全的。正确做法是只信任 CDN 节点网段这些已知代理,从右往左剥离它们之后剩下的才是真实用户 IP——nginx 的 realip 模块(set_real_ip_from / real_ip_header / real_ip_recursive)就是做这件事的;若 CDN 提供专用头(如 Cloudflare 的 CF-Connecting-IP),优先使用它。此外源站本身也应只允许 CDN 网段访问,否则直接打源站就能绕过整条链路。
那么针对CDN模式下的访问限制配置就应该这样写:
http模块中配置如下
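http {
    # ... other http-level directives ...

    ## Recover the real client address from the CDN.
    ## The original did this with a map that took the FIRST entry of
    ## X-Forwarded-For. That entry is whatever the client itself sent — the
    ## CDN only appends its own address — so an attacker can pick any value,
    ## escaping the limits or pushing an innocent address into them. The
    ## realip module instead walks the chain from the right and strips only
    ## addresses declared as trusted proxies; what remains becomes
    ## $remote_addr / $binary_remote_addr for every later module.
    ## Requires nginx built with --with-http_realip_module (check `nginx -V`).
    set_real_ip_from 192.0.2.0/24;   # placeholder: list every published edge range of your CDN/WAF layer
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    ## If the CDN sets a dedicated header (Cloudflare: CF-Connecting-IP),
    ## prefer it:  real_ip_header CF-Connecting-IP;
    ## Also restrict the origin to the CDN ranges at the firewall; a direct
    ## hit on the origin bypasses the CDN and these limits entirely.

    ## With $remote_addr corrected, the zones are keyed on the real user
    ## exactly as in the plain configuration above.
    limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m;
    limit_conn TotalConnLimitZone 50;
    limit_conn_log_level notice;

    limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m rate=10r/s;
    #limit_req zone=ConnLimitZone burst=10 nodelay;   # at http scope this would apply to every server block
    limit_req_log_level notice;

    # ... other http-level directives ...

    server {
        listen 80;
        server_name aaa.com;
        index index.html index.php;
        # ... other server directives ...

        ## Up to 5 requests above the 10 r/s rate are served at once (nodelay);
        ## beyond that the request is rejected with 503 rather than queued.
        limit_req zone=ConnLimitZone burst=5 nodelay;

        # ... other server directives ...
    }
}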
接下来用 ab 压测(-c 100 -n 100,即 100 个请求一次性并发打满)会有部分请求失败:下面输出里 Non-2xx responses 为 94,也就是只有 6 个请求拿到 200,大致等于 1 个速率内的正常请求加上 burst=5 的突发额度,其余都被 limit_req 以 503 拒绝(ab 把它们算作 Length 失败,因为 503 页面和正常页面长度不同)。输出里 Server Software 是 cloudflare,说明请求确实经过了 CDN,限制是按还原后的用户 IP 生效的。
[root@sa-test ~]# ab -r -k -c 100 -n 100 http://aaa.com/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking ay018.com (be patient).....done
Server Software: cloudflare
Server Hostname: aaa.com
Server Port: 80
Document Path: /
Document Length: 5 bytes
Concurrency Level: 100
Time taken for tests: 0.069 seconds
Complete requests: 100
Failed requests: 94
(Connect: 0, Receive: 0, Length: 94, Exceptions: 0)
Write errors: 0
Non-2xx responses: 94
Keep-Alive requests: 0
Total transferred: 54170 bytes
HTML transferred: 18736 bytes
Requests per second: 1448.58 [#/sec] (mean)
Time per request: 69.033 [ms] (mean)
Time per request: 0.690 [ms] (mean, across all concurrent requests)
Transfer rate: 766.31 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 2 5 1.0 5 6
Processing: 8 17 5.6 16 47
Waiting: 8 17 5.6 16 46
Total: 14 22 5.7 21 53
Percentage of the requests served within a certain time (ms)
50% 21
66% 23
75% 25
80% 26
90% 28
95% 31
98% 40
99% 53
100% 53 (longest request)
简单判断脚本:统计 php-fpm 进程数(是进程不是线程),超过 150 个则重启 php-fpm。这只是应急手段——进程数上限应该用 php-fpm 的 pm.max_children 来控制;重启会中断正在处理的请求,能用 reload(平滑重载)就不要 restart。
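#!/bin/bash
# Restart php-fpm when the number of php-fpm processes exceeds a threshold.
# Intended for cron; pm.max_children in php-fpm is the proper control, this
# is only a safety net.
#
# Fixes over the original:
#   * `ps aux | grep php | wc -l` counted the grep itself and any process
#     whose command line merely contained "php" (vim php.ini, this script, ...);
#     pgrep never matches itself and matches the process name.
#   * The log went into /etc/php-fpm.d/, php-fpm's configuration directory;
#     it now goes under /var/log (override with PHP_NUM_LOG).
set -uo pipefail

THRESHOLD=${PHP_MAX_PROCS:-150}
LOG_FILE=${PHP_NUM_LOG:-/var/log/php-fpm/php_num.txt}

# count_php_fpm: print the number of php-fpm processes (master + workers).
# pgrep -c exits 1 when nothing matches, which is not an error here.
count_php_fpm() {
  pgrep -c php-fpm || true
}

# over_threshold COUNT LIMIT: succeed when COUNT is strictly greater than
# LIMIT. An empty COUNT (pgrep unavailable) is treated as 0.
over_threshold() {
  [ "${1:-0}" -gt "$2" ]
}

main() {
  local php_num
  php_num=$(count_php_fpm)
  if over_threshold "$php_num" "$THRESHOLD"; then
    # Two-line record (timestamp, then count), same layout as the original log.
    {
      date +"%Y-%m-%d %H:%M:%S"
      printf '%s\n' "$php_num"
    } >> "$LOG_FILE"
    # A hard restart drops in-flight requests; `systemctl reload php-fpm`
    # (graceful, USR2) is preferable when the workers are merely bloated
    # rather than hung.
    systemctl restart php-fpm
  fi
}

main "$@"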