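Study notes 0516 ---- nginx configuration

Preview notes

12.7 Default virtual host
12.8 Nginx user authentication
12.9 Nginx domain redirection
12.10 Nginx access log
12.11 Nginx log rotation
12.12 No logging for static files, and expiry time
12.13 Nginx hotlink protection
12.14 Nginx access control
12.15 Nginx configuration for parsing PHP
12.16 Nginx proxy

1. nginx virtual host configuration

Nginx also has a default virtual host. As with httpd, the first virtual host that Nginx loads is the default host. Unlike httpd, Nginx also has a setting that marks a virtual host as the default; in other words, if no virtual host carries that mark, the first one loaded is the default.

1.1 Edit the main configuration file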

[root@linux-02 nginx]# vim conf/nginx.conf
## Delete the following block from the configuration file ##
    server
    {
        listen 80;
        server_name localhost;
        index index.html index.htm index.php;
        root /usr/local/nginx/html;
        location ~ \.php$
        {
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        }
    }

## Add the following line ##
include vhost/*.conf;

1.2 Edit the virtual host configuration file

[root@linux-02 nginx]# mkdir conf/vhost
[root@linux-02 nginx]# vim conf/vhost/xihaji.com.conf
server
{
    listen 80 default_server;               # marks this as the default virtual host
    server_name xihaji.com;                 # host name xihaji.com
    index index.html index.htm index.php;   # index pages
    root /data/wwwroot/xihaji.com;          # document root of the default virtual host
}

1.3 Test the virtual host

Create a directory for the virtual host and an index.html file inside it. Because the nginx configuration was changed above, check it with -t and then reload.

[root@linux-02 nginx]# mkdir -p /data/wwwroot/xihaji.com/
[root@linux-02 nginx]# echo "this is a test file ." > /data/wwwroot/xihaji.com/index.html

[root@linux-02 nginx]# ./sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 nginx]# ./sbin/nginx  -s reload

[root@linux-02 nginx]# curl -x127.0.0.1:80 xihaji.com
this is a test file .
[root@linux-02 nginx]# 

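2. nginx user authentication

When studying LAMP earlier, we set up authentication for a directory or for a single PHP file. nginx can do the same; the password file is created with Apache's htpasswd command.

2.1 User authentication for the site root

2.1.1 Edit the virtual host configuration file

In the configuration file, location / refers to the root directory.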

[root@linux-02 nginx]# vim conf/vhost/xihaji.com.conf 
server
    {
    listen 80 default_server;
    server_name xihaji.com;
    index index.html index.htm index.php;
    root /data/wwwroot/xihaji.com;

    location /
    {
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}

2.1.2 Use Apache's htpasswd command to create a user password file
[root@linux-02 local]# yum install -y httpd
[root@linux-02 local]# htpasswd  -c /usr/local/nginx/conf/htpasswd xihaji
New password: 
Re-type new password: 
Adding password for user xihaji
[root@linux-02 local]# 

2.1.3 Check the test results
[root@linux-02 local]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 local]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-02 local]# curl -x127.0.0.1:80 xihaji.com 
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>
[root@linux-02 local]# curl -x127.0.0.1:80 xihaji.com   -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.16.0
Date: Tue, 14 May 2019 12:14:12 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

[root@linux-02 local]# curl -uxihaji:123456 -x127.0.0.1:80 xihaji.com   -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Tue, 14 May 2019 12:14:24 GMT
Content-Type: text/html
Content-Length: 22
Last-Modified: Tue, 14 May 2019 11:00:20 GMT
Connection: keep-alive
ETag: "5cda9fc4-16"
Accept-Ranges: bytes

[root@linux-02 local]# 

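2.2 User authentication for a specific file

2.2.1 Edit the virtual host configuration file

In the configuration above, location / applies the setting to the virtual host's root directory. To restrict files instead, use ~ php (~ means a regular-expression match), which applies the restriction to the matching files. Because the pattern is not anchored, it matches any request URI that contains php.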

[root@linux-02 nginx]# vim conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~ php
    {
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}

2.2.2 Check the test results
[root@linux-02 nginx]# curl -x192.168.141.129:80 test.com
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>
[root@linux-02 nginx]# curl -x192.168.141.129:80 test.com/1.php
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>

[root@linux-02 nginx]# curl -uxihaji:123456 -x192.168.141.129:80 test.com/1.php
123456

[root@linux-02 nginx]# curl -uxihaji:123456 -x192.168.141.129:80 test.com/1.php  -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Tue, 14 May 2019 13:10:57 GMT
Content-Type: application/octet-stream
Content-Length: 7
Last-Modified: Tue, 14 May 2019 13:05:43 GMT
Connection: keep-alive
ETag: "5cdabd27-7"
Accept-Ranges: bytes

3. nginx domain redirection

3.1 Edit the virtual host configuration file

[root@linux-02 nginx]# vim conf/vhost/test.com.conf 
server
{
    listen 80;
    server_name test.com test1.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com') {
    rewrite ^/(.*)$ http://test.com/$1 permanent; 
    }
}

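server_name can list several domain names here. In the LAMP notes we saw that in an httpd virtual host configuration, ServerName takes only one name, and additional domains have to be defined with ServerAlias.

permanent: permanent redirect, status code 301; redirect: temporary redirect, status code 302.

3.2 Check the test results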

[root@linux-02 nginx]# ./sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 nginx]# ./sbin/nginx -s reload
[root@linux-02 nginx]# curl -x127.0.0.1:80  test1.com
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>

[root@linux-02 nginx]# curl -x192.168.141.129:80  test1.com  -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.0
Date: Wed, 15 May 2019 02:56:20 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/

[root@linux-02 nginx]# curl -x192.168.141.129:80  test1.com/index.html  -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.0
Date: Wed, 15 May 2019 02:56:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/index.html

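4. nginx logs

4.1 nginx log format

The nginx log format is already defined in the configuration file /usr/local/nginx/conf/nginx.conf. Note that in the configuration file nginx treats a statement as complete only at the semicolon, so one directive can span several lines. The definition is as follows: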

[root@linux-02 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
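(omitted)
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
    # combined_realip is the name of the log format; any name can be chosen

Variable                Meaning
$remote_addr            client IP (public IP)
$http_x_forwarded_for   proxy server IP (from the X-Forwarded-For request header)
$time_local             server local time
$host                   host name requested (domain name)
$request_uri            requested URL
$status                 status code
$http_referer           referer
$http_user_agent        user_agent

4.1.1 Define the log path and format in the virtual host

The nginx configuration already defines the log format, but the virtual host does not yet define where its log is stored, so add a line to the virtual host configuration that sets the log path and format.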

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/xihaji.com.conf 

server
    {
    listen 80 default_server;
    server_name xihaji.com;
    index index.html index.htm index.php;
    root /data/wwwroot/xihaji.com;
    access_log /tmp/xihaji.log combined_realip;
    }

4.1.2 Check the test results
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji.com/index.html  -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Wed, 15 May 2019 11:39:37 GMT
Content-Type: text/html
Content-Length: 22
Last-Modified: Tue, 14 May 2019 11:00:20 GMT
Connection: keep-alive
ETag: "5cda9fc4-16"
Accept-Ranges: bytes

[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji.com/admin/1.png  -I
HTTP/1.1 404 Not Found
Server: nginx/1.16.0
Date: Wed, 15 May 2019 11:39:48 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@linux-02 ~]# cat /tmp/xihaji.log 
127.0.0.1 - [15/May/2019:19:39:37 +0800] xihaji.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [15/May/2019:19:39:48 +0800] xihaji.com "/admin/1.png" 404 "-" "curl/7.29.0"
[root@linux-02 ~]# 
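
An added example (not part of the original notes): a parser for the combined_realip format defined above, run over constructed sample lines, that counts 401/403/404 responses per client. It keys on $remote_addr because the X-Forwarded-For field is sent by the client; the function names and sample addresses are assumptions made for the example.

```bash
#!/bin/sh
# Constructed sample lines in the combined_realip format from section 4.1:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
sample_log() {
cat <<'EOF'
127.0.0.1 - [15/May/2019:19:39:37 +0800] xihaji.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [15/May/2019:19:39:48 +0800] xihaji.com "/admin/1.png" 404 "-" "curl/7.29.0"
192.0.2.10 - [15/May/2019:19:40:01 +0800] xihaji.com "/" 401 "-" "curl/7.29.0"
192.0.2.10 - [15/May/2019:19:40:02 +0800] xihaji.com "/" 401 "-" "curl/7.29.0"
192.0.2.10 - [15/May/2019:19:40:03 +0800] xihaji.com "/" 401 "-" "curl/7.29.0"
192.0.2.10 203.0.113.5, 198.51.100.7 [15/May/2019:19:40:09 +0800] xihaji.com "/admin/" 403 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is not in the expected format
EOF
}

# Reads log lines on stdin, writes "addr<TAB>status<TAB>uri<TAB>xff" per parsed line.
parse_combined_realip() {
    awk '
    {
        # Find the [$time_local] block by its shape rather than by field number:
        # X-Forwarded-For can hold "a, b, c", which shifts whitespace-split fields.
        if (!match($0, / \[[0-9][0-9]\/[A-Z][a-z][a-z]\/[0-9][0-9][0-9][0-9]:[0-9:]+ [-+][0-9][0-9][0-9][0-9]\] /)) {
            print "unparsed line " NR > "/dev/stderr"; next
        }
        head = substr($0, 1, RSTART - 1)      # "$remote_addr $http_x_forwarded_for"
        tail = substr($0, RSTART + RLENGTH)   # host "uri" status "referer" "ua"
        sp = index(head, " ")
        if (sp == 0) { print "unparsed line " NR > "/dev/stderr"; next }
        addr = substr(head, 1, sp - 1)
        xff  = substr(head, sp + 1)
        # nginx writes a double quote inside a logged variable as \x22,
        # so splitting the tail on the quote character is safe.
        n = split(tail, q, "\"")
        if (n < 7) { print "unparsed line " NR > "/dev/stderr"; next }
        status = q[3]; gsub(/ /, "", status)
        printf "%s\t%s\t%s\t%s\n", addr, status, q[2], xff
    }'
}

# Reads log lines on stdin, writes "addr status count" for 401/403/404 responses.
# Grouping uses $remote_addr (the TCP peer); the X-Forwarded-For column is
# whatever the request carried and is kept only as context.
denied_by_client() {
    parse_combined_realip | awk -F '\t' '
        $2 == 401 || $2 == 403 || $2 == 404 { n[$1 " " $2]++ }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

sample_log | denied_by_client
```

On a live host the input would be the file named in access_log, for example `denied_by_client < /tmp/xihaji.log`.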

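4.2 nginx log rotation

As mentioned when studying Apache, a log that is written to continuously keeps growing and becomes inconvenient for operations staff to read, so logs need to be rotated. Unlike Apache, nginx has no rotation tool of its own, so we write a custom script to rotate its logs.

4.2.1 Define an nginx log rotation script

User-written scripts are best placed in /usr/local/sbin/ so that they are easy to manage.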

[root@linux-02 ~]# vim /usr/local/sbin/nginx_logrotate.sh

#!/bin/bash
d=`date -d "-1 day" +%Y%m%d`                  # yesterday's date
logdir="/tmp/"                                # the logs defined in the configuration are under /tmp/
nginx_pid="/usr/local/nginx/logs/nginx.pid"   # nginx pid file
cd "$logdir" || exit 1                        # enter the log directory
for log in `ls *.log`
do
    mv "$log" "$log-$d"
done
# Equivalent to /usr/local/nginx/sbin/nginx -s reload: nginx then creates a
# new log file; without it no new log file is created.
/bin/kill -HUP `cat $nginx_pid`

4.2.2 Watch the script run
[root@linux-02 ~]# sh /usr/local/sbin/nginx_logrotate.sh
[root@linux-02 ~]# sh -x  /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20190514
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls xihaji.log
+ for log in '`ls *.log`'
+ mv xihaji.log xihaji.log-20190514
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 65924
[root@linux-02 ~]# ls /tmp/
mysql.sock  pear  php-fcgi.sock  vmware-root_6225-1681331162  xihaji.log  xihaji.log-20190514
[root@linux-02 ~]# 

4.2.3 Create a scheduled task

The script above renames the log with yesterday's date, so a scheduled task can run it every day at 00:00.

[root@linux-02 ~]# crontab  -e
no crontab for root - using an empty one

0 0 * * * /usr/local/sbin/nginx_logrotate.sh

crontab: installing new crontab
[root@linux-02 ~]# crontab  -l
0 0 * * * /usr/local/sbin/nginx_logrotate.sh

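4.2.4 Clean up old logs

As logs accumulate, the old ones take up disk space, so at some point they have to be deleted, for example logs older than 30 days. This can be done with a command or with a scheduled task. Because this is a virtual machine without many logs, the effect cannot be seen here.

[root@linux-02 ~]# find /tmp/ -type f -name '*.log-*' -mtime +30 | xargs rm 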
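
An added example, not the original script: the rotation and cleanup steps of 4.2.1 to 4.2.4 as one function that skips anything that is not a regular file, never overwrites an existing rotated file, and deletes rotated files older than the retention period. It sends USR1 (nginx's log-reopen signal, the same as nginx -s reopen) instead of the HUP used above; the function name and its arguments are assumptions.

```bash
#!/bin/sh
# rotate_logs LOGDIR PIDFILE [KEEP_DAYS] [STAMP]
#   LOGDIR     directory holding *.log files (the notes use /tmp/)
#   PIDFILE    nginx pid file; nginx is signalled only if something was rotated
#   KEEP_DAYS  rotated files older than this many days are deleted (default 30)
#   STAMP      suffix for rotated files (default: yesterday, as in the notes)
# Prints the number of files rotated. Runs in a subshell so no variables leak.
rotate_logs() (
    logdir=$1 pidfile=$2 keep_days=${3:-30}
    stamp=${4:-$(date -d "-1 day" +%Y%m%d)}
    [ -d "$logdir" ] || { echo "not a directory: $logdir" >&2; exit 1; }

    rotated=0
    for log in "$logdir"/*.log; do
        # A glob instead of `ls`: names with spaces survive, and an unmatched
        # pattern stays literal and fails -f. Symlinks are skipped because a
        # root cron job in a shared directory should touch regular files only.
        [ -f "$log" ] && [ ! -L "$log" ] || continue
        # Do not clobber a file rotated earlier the same day.
        [ -e "$log-$stamp" ] && continue
        mv -- "$log" "$log-$stamp" && rotated=$((rotated + 1))
    done

    # USR1 makes nginx reopen its log files without reloading the configuration.
    if [ "$rotated" -gt 0 ] && [ -s "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")" || echo "could not signal nginx" >&2
    fi

    # -mtime +N means "more than N days old"; a bare N matches only day N.
    find "$logdir" -maxdepth 1 -type f -name '*.log-*' -mtime +"$keep_days" \
        -exec rm -f -- {} +
    echo "$rotated"
)

# Demonstration on constructed files in a temporary directory (no nginx needed).
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    echo hit > "$dir/xihaji.log"
    echo old > "$dir/xihaji.log-20190101"
    touch -t 201901010000 "$dir/xihaji.log-20190101"   # mtime far older than 30 days
    echo x > "$dir/other.txt"
    ln -s "$dir/other.txt" "$dir/planted.log"           # symlink: must be left alone
    rotate_logs "$dir" "$dir/nginx.pid" 30 20190514
    ls "$dir"
)
demo
```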

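4.3 No logging for static files, and browser cache time

In the virtual host configuration, a location ~ block can select the static files; expires sets the expiry time, and setting access_log to off disables access logging for them.

4.3.1 Edit the configuration file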
[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/xihaji.com.conf 

server
    {
    listen 80 default_server;
    server_name xihaji.com;
    index index.html index.htm index.php;
    root /data/wwwroot/xihaji.com;
    access_log /tmp/xihaji.log combined_realip;
    
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ 
        {
        expires 7d; 
        access_log off; 
        }
    location ~ .*\.(js|css)$ 
        {
        expires 12h; 
        access_log off;
        }
    }

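4.3.2 Test results

The test below shows that requests for the image and the js file produce no log entries. curl -I shows that the response headers include:
Expires: Wed, 22 May 2019 12:20:25 GMT
Cache-Control: max-age=604800
These two headers carry the expiry time.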

[root@linux-02 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx  -s reload
[root@linux-02 ~]# echo '123' > /data/wwwroot/xihaji.com/1.jpg
[root@linux-02 ~]# echo '123' > /data/wwwroot/xihaji.com/2.js
[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji/1.jpg 
123
[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji/index.html  
this is a test file .
[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji/2.js 
123
[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji/1.jpg  -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Wed, 15 May 2019 12:20:25 GMT
Content-Type: image/jpeg
Content-Length: 4
Last-Modified: Wed, 15 May 2019 12:19:16 GMT
Connection: keep-alive
ETag: "5cdc03c4-4"
Expires: Wed, 22 May 2019 12:20:25 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji/index.html  -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Wed, 15 May 2019 12:20:30 GMT
Content-Type: text/html
Content-Length: 22
Last-Modified: Tue, 14 May 2019 11:00:20 GMT
Connection: keep-alive
ETag: "5cda9fc4-16"
Accept-Ranges: bytes

[root@linux-02 ~]# curl -x127.0.0.1:80 xihaji/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Wed, 15 May 2019 12:20:47 GMT
Content-Type: application/javascript
Content-Length: 4
Last-Modified: Wed, 15 May 2019 12:19:23 GMT
Connection: keep-alive
ETag: "5cdc03cb-4"
Expires: Thu, 16 May 2019 00:20:47 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

[root@linux-02 ~]# cat /tmp/xihaji.log
127.0.0.1 - [15/May/2019:20:20:03 +0800] xihaji "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [15/May/2019:20:20:30 +0800] xihaji "/index.html" 200 "-" "curl/7.29.0"
[root@linux-02 ~]# 

5. nginx hotlink protection

5.1 Edit the configuration file

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/xihaji.com.conf 

server
    {
    listen 80 default_server;
    server_name xihaji.com;
    index index.html index.htm index.php;
    root /data/wwwroot/xihaji.com;
    access_log /tmp/xihaji.log combined_realip;
    location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ 
    {
        expires 7d;
        valid_referers none blocked server_names *.xihaji.com;
        if ($invalid_referer) 
        {
        return 403;
        }
        access_log off;
    } 
    } 

5.2 Test results

[root@linux-02 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx  -s reload
[root@linux-02 ~]# ls /data/wwwroot/xihaji.com/
1.jpg  2.js  index.html
[root@linux-02 ~]# curl -e "http://www.baidu.com/2.txt"  -x127.0.0.1:80 xihaji.com/1.jpgg -I
HTTP/1.1 404 Not Found
Server: nginx/1.16.0
Date: Thu, 16 May 2019 06:36:34 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@linux-02 ~]# curl -e "http://www.baidu.com/2.txt"  -x127.0.0.1:80 xihaji.com/1.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.0
Date: Thu, 16 May 2019 06:36:43 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive


[root@linux-02 ~]# curl    -x127.0.0.1:80 xihaji.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 16 May 2019 06:37:00 GMT
Content-Type: image/jpeg
Content-Length: 4
Last-Modified: Wed, 15 May 2019 12:19:16 GMT
Connection: keep-alive
ETag: "5cdc03c4-4"
Expires: Thu, 23 May 2019 06:37:00 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@linux-02 ~]# 

6. nginx access control

6.1 Set up an IP whitelist

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/xihaji.com.conf 
  
  ## Restrict the directory so that only the listed IPs can access it ##
   location /admin/    
    {
        allow 127.0.0.1;
        allow 192.168.141.129;
        deny all;
    }

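Test result. The expected result here should be 200; some people say that when the directory is requested without a trailing /, nginx treats it as a file by default rather than a directory.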

[root@linux-02 test.com]# curl -x192.168.141.129:80 xihaji.com/admin  -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.0
Date: Fri, 17 May 2019 09:55:25 GMT
Content-Type: text/html
Content-Length: 169
Location: http://xihaji.com/admin/
Connection: keep-alive

[root@linux-02 test.com]# curl -x192.168.141.129:80 xihaji.com/admin/  -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.0
Date: Fri, 17 May 2019 09:55:28 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@linux-02 test.com]# 

6.2 Make certain files in a directory inaccessible

Edit the configuration file as follows:

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/xihaji.com.conf 
server
    {
    listen 80 default_server;
    server_name xihaji.com;
    index index.html index.htm index.php;
    root /data/wwwroot/xihaji.com;
    access_log /tmp/xihaji.log combined_realip;

    location ~ .*(admin)/.*\.php$
    {
        deny all;
    }
  }

Test with curl.

[root@linux-02 logs]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 logs]# /usr/local/nginx/sbin/nginx  -s reload
[root@linux-02 logs]# echo  "phpinfo" > /data/wwwroot/xihaji.com/admin/1.php


[root@linux-02 logs]# curl  -x127.0.0.1:80 www.xihaji.com/admin/1.php  -I 
HTTP/1.1 403 Forbidden
Server: nginx/1.16.0
Date: Thu, 16 May 2019 11:26:27 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive



[root@linux-02 logs]# curl  -x127.0.0.1:80 www.xihaji.com/admin/1.txt  -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 16 May 2019 11:26:49 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 16 May 2019 10:52:49 GMT
Connection: keep-alive
ETag: "5cdd4101-6"
Accept-Ranges: bytes
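
An added example, not from the original notes: a small checker for the regex locations used in sections 2.2, 5.1 and 6.2, comparing each pattern from the page with an anchored variant on constructed URIs. It tests a single pattern with grep -E and does not model nginx's location selection order; the function names, the anchored variants and the URIs are assumptions.

```bash
#!/bin/sh
# location_matches MODIFIER REGEX URI
#   '~'  = case-sensitive regex location, '~*' = case-insensitive.
# nginx uses PCRE; the patterns in these notes use only constructs that
# grep -E (POSIX ERE) interprets the same way. Returns 0 on match.
location_matches() {
    case $1 in
        '~')  printf '%s\n' "$3" | grep -Eq  -- "$2" ;;
        '~*') printf '%s\n' "$3" | grep -Eiq -- "$2" ;;
        *)    echo "unsupported modifier: $1" >&2; return 2 ;;
    esac
}

# compare MODIFIER PAGE_REGEX ANCHORED_REGEX URI...
# Prints one line per URI showing which of the two patterns matches it.
compare() (
    mod=$1 page=$2 anchored=$3
    shift 3
    for uri in "$@"; do
        a=no; b=no
        location_matches "$mod" "$page" "$uri" && a=yes
        location_matches "$mod" "$anchored" "$uri" && b=yes
        printf '%-26s page=%-3s anchored=%s\n' "$uri" "$a" "$b"
    done
)

# Extension list copied from the hotlink location in section 5.1.
EXTS='gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls'

echo '# 2.2  location ~ php   versus   location ~ \.php$'
compare '~' 'php' '\.php$' \
    /1.php /index.html /docs/php-manual.html /php/logo.png

# The 5.1 location also sets "access_log off", so every URI it matches
# beyond real static files is a request that never reaches the access log.
echo '# 5.1  location ~* ^.*(ext|...)$   versus   location ~* \.(ext|...)$'
compare '~*' '^.*('"$EXTS"')$' '\.('"$EXTS"')$' \
    /1.jpg /1.JPG /backup/site.tar.gz /tools/unzip /notes/about-pdf

echo '# 6.2  location ~ .*(admin)/.*\.php$   versus   location ~ ^/admin/.*\.php$'
compare '~' '.*(admin)/.*\.php$' '^/admin/.*\.php$' \
    /admin/1.php /admin/1.txt /sysadmin/tool.php
```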

6.3 Restrict by user_agent

Edit the configuration file and add the following:

[root@linux-02 test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test1.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /admin
    {
        allow 127.0.0.1;
        allow 192.168.141.129;
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
}

The test results are as follows:

[root@linux-02 test.com]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 test.com]# /usr/local/nginx/sbin/nginx  -s reload
[root@linux-02 test.com]# curl -A 'Tomato'  -x127.0.0.1:80 test.com/index.html
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>
[root@linux-02 test.com]# curl -A 'baidu'  -x127.0.0.1:80 test.com/index.html
123456
[root@linux-02 test.com]# curl -A 'baidu'  -x127.0.0.1:80 test.com/index.html  -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 16 May 2019 12:02:22 GMT
Content-Type: text/html
Content-Length: 7
Last-Modified: Wed, 15 May 2019 02:07:19 GMT
Connection: keep-alive
ETag: "5cdb7457-7"
Accept-Ranges: bytes

[root@linux-02 test.com]# 

7. Nginx configuration for parsing PHP

7.1 Add the PHP-handling configuration block

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
location ~* \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

7.2 Without reloading nginx, view the result for the PHP file

If nginx has no PHP handling configured, requesting a PHP file returns only the PHP source code.

[root@linux-02 test.com]# curl -x127.0.0.1:80 test.com/1.php
<?php
phpinfo();

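7.3 After reloading nginx, view the result for the PHP file

Once the PHP handling configuration is loaded, the response for the PHP file is the HTML of the generated page.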

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx   -s reload
[root@linux-02 ~]# cd /data/wwwroot/test.com/
[root@linux-02 test.com]# ls
1.php  admin  index.html
[root@linux-02 test.com]# vim 1.php 
[root@linux-02 test.com]# curl -x127.0.0.1:80 test.com/1.php
... (part omitted)
This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file:  LICENSE
</p>
<p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
</p>
<p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
</p>
</td></tr>
</table>
</div></body></html>

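7.4 Causes of a 502 response

  • fastcgi_pass specifies the address of the php-fpm socket. If php-fpm listens on a TCP ip:port address (for example 127.0.0.1:9000), this also has to be changed to fastcgi_pass 127.0.0.1:9000. The address must match the one the php-fpm service listens on, otherwise a 502 error is returned.
  • If a large number of php-fpm processes are taking up memory, the same 502 error can result.
  • A point to note in the configuration: the path after fastcgi_param SCRIPT_FILENAME is the site's root directory and must match the root defined earlier; if it is wrong, requests for PHP pages return 404.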

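8. Nginx proxy

The Nginx proxy is a reverse proxy. In reverse proxy mode, the proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results obtained from those servers to the Internet clients that made the requests; to the outside, the proxy server appears as a single server.
Create the proxy.conf configuration file and write the following into it:

8.1 Edit the configuration file

Because this is a proxy server, it does not need to serve any local files, so no root is set. ask.apelearn.com defines the domain name.
proxy_pass http://47.104.7.242/; is the IP address of the real web server.
$host is our server_name.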

[root@linux-02 ~]# vim /usr/local/nginx/conf/vhost/proxy.conf 

server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://47.104.7.242/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

8.2 Test through the local loopback address to see whether the site can be reached

[root@linux-02 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-02 ~]# /usr/local/nginx/sbin/nginx   -s reload
[root@linux-02 ~]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 16 May 2019 22:39:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=b22hduvp5j96rcd13oei5310v4; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
myheader: web1

8.3 Check this site's robots

[root@linux-02 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots -I
HTTP/1.1 404 Not Found
Server: nginx/1.16.0
Date: Thu, 16 May 2019 22:40:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=567htm0i51t9r65jeqg6ik7tm1; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

[root@linux-02 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots 
<!doctype html>
<html>
	<head>
		<meta charset="utf-8" />
		<title>文件未找到</title>
		<link rel="stylesheet" type="text/css" href="http://ask.apelearn.com/static/css/default/common.css" />
	</head>
	<body class="aw-404">
		<div class="aw-404-wrap">
			<img src="http://ask.apelearn.com/static/css/default/img/404-logo.png"/>
			<p>你访问的页面不存在</p>
			<p><a href="http://ask.apelearn.com">返回网站首页</a></p>
		</div>
	</body>
</html>[root@linux-02 ~]# 

