Nginx default virtual host
Nginx already has a default virtual host out of the box: in the Nginx configuration file, the server block is the default virtual host. Generally you configure one server block per website.
There is another way to set this up: do not put the server block in the main configuration file at all, and instead write each virtual host in its own configuration file (vhost/*.conf).
# vim /usr/local/nginx/conf/nginx.conf
Remove the server block and add one new line at the end; the configuration file becomes:
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 6000;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 8 4k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
client_max_body_size 10m;
client_body_buffer_size 256k;
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/proxy_temp;
fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
fastcgi_intercept_errors on;
tcp_nodelay on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm
application/xml;
include vhost/*.conf; # this line is newly added
}
Under /usr/local/nginx/conf/, create a directory named vhost and create a new file inside it. This vhost directory plays the same role as the virtual host configuration files in Apache.
# cd /usr/local/nginx/conf/
# mkdir vhost
# cd vhost/
# touch aaa.com.conf
Then edit the newly created file
# vim aaa.com.conf
server
{
listen 80 default_server; # the server block carrying the default_server flag is the default virtual host
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
Create /data/wwwroot/default and write an index.html file in the default directory
# mkdir /data/wwwroot/default
# cd /data/wwwroot/default/
# vim index.html
# cat index.html
didibibabo
Check that the configuration file syntax is correct
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Restart the Nginx service, or reload it
# /usr/local/nginx/sbin/nginx -s reload
Note: on a server that is in production you normally reload the configuration file rather than restarting the service with /etc/init.d/nginx restart, because a restart briefly stops the service before starting it again.
# curl localhost
didibibabo
# curl -x127.0.0.1:80 www.abc.com
didibibabo
The default virtual host is the one that serves any request arriving at this IP, whatever domain name is used, as long as no other server block's server_name matches it.
Nginx user authentication
User authentication is done for security; this was already covered when setting up httpd user authentication.
Create another virtual host file, test.com.conf
# cd /usr/local/nginx/conf/vhost/
# ls
aaa.com.conf
# vim test.com.conf
Enter the following content:
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd; # username/password file
}
}
The password file is generated with the htpasswd tool, which was already installed when doing Apache user authentication. If it is not installed, install it with:
yum install -y httpd
Create the password file and add a user to it:
# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd huhu
New password:
Re-type new password:
Adding password for user huhu
# cat /usr/local/nginx/conf/htpasswd
huhu:$apr1$W/p0AvHO$FO7PxyXhG3RXoUuoOHdLC.
Check the configuration file syntax and reload the configuration:
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
A 401 is returned, meaning user authentication is required.
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -uhuhu:qwe123 -x127.0.0.1:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
A 404 is returned because we have not yet created any files for test.com.
Write an index.html and test again
[root@iz2zef1im6qv29viqhtk3qz vhost]# mkdir /data/wwwroot/test.com
[root@iz2zef1im6qv29viqhtk3qz vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -uhuhu:qwe123 -x127.0.0.1:80 test.com
test.com
The authentication above applies to the whole site. To require authentication only for a specific directory, for example the admin directory, modify the virtual host configuration file:
# vim test.com.conf
Modify it as follows:
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
Check the configuration file syntax and reload the configuration:
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com/admin
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
For a specific .php file
write the location in the configuration file as location ~ admin.php
Modify the configuration file
[root@iz2zef1im6qv29viqhtk3qz vhost]# vim test.com.conf
Check that the configuration file is correct
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -s reload
Accessing test.com works normally
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com
test.com
Accessing test.com/admin gives 404, because we have not created this file
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com/admin
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Accessing test.com/admin.php gives 401: user authentication is required
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Accessing test.com/admin.php with credentials gives 404, because we have not created this file
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -uhuhu:qwe123 -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Nginx domain redirect
Modify the virtual host configuration file
# vim test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com test3.com; # the domain names of this virtual host
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) { # when the main domain is test.com, every other domain is redirected to it; permanent means 301
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
Several domain names can be listed after server_name here, unlike httpd, where they have to go into ServerAlias.
Check and reload
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 13:39:33 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 13:39:43 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test34.com/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 13:39:52 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 19 Sep 2018 11:36:59 GMT
Connection: keep-alive
ETag: "5ba234db-b"
Accept-Ranges: bytes
In the tests, test2.com and test3.com are both redirected with a 301, while test34.com, which is not listed in server_name, is served by the default virtual host.
Nginx access log
The Nginx log format is defined in the main Nginx configuration file, /usr/local/nginx/conf/nginx.conf.
Find the following in the configuration file:
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
Here the name of the log format can be changed; rename combined_realip to huhu:
log_format huhu '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
The log fields have the following meanings:
- $remote_addr: the client's IP address
- $http_x_forwarded_for: the client IP carried in the X-Forwarded-For header when the request came through a proxy ("-" when the header is absent)
- $time_local: local time of the request
- $host: the requested host name
- $request_uri: the full original request URI, including the query string
- $status: the HTTP response status code
- $http_referer: the Referer header of the request
- $http_user_agent: the User-Agent header of the request
The log format is defined in the main configuration file; the log path is defined in the virtual host configuration file.
Open the virtual host configuration file and add one line:
server
{
listen 80;
server_name test.com test1.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
access_log /tmp/test.com.log huhu; # new line: defines the log path and the log format; remember the trailing ;
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
Check the configuration file syntax and reload the configuration
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 14:01:16 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html
[root@iz2zef1im6qv29viqhtk3qz vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 14:01:20 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html
View the log
[root@iz2zef1im6qv29viqhtk3qz vhost]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:22:01:16 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:22:01:20 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"
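As an added example that is not part of the original post, the following Python script parses lines written in the huhu (combined_realip) format defined above and counts 401/403 responses per client IP, which is the first thing to look at when checking whether someone is hammering the basic-auth protected /admin/ location. The sample log lines are constructed, and parse_line / summarize are my own names.

```python
import re
from collections import Counter, defaultdict

# Regex for the custom log_format defined above (named combined_realip / huhu):
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
# $http_x_forwarded_for is client-supplied and may contain commas and spaces, so it is
# matched lazily up to the '[' that opens $time_local instead of as a single token.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<xff>.*?) \[(?P<time_local>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "-" is what nginx writes for an empty variable; normalise it to None.
    for key in ("xff", "referer"):
        if rec[key] == "-":
            rec[key] = None
    return rec


def summarize(lines, auth_threshold=3):
    """Count denied responses per $remote_addr and list clients that repeatedly hit 401.

    Only $remote_addr is used as the client identity: $http_x_forwarded_for is set by the
    client (or by an upstream proxy) and must not be trusted unless the proxy is yours.
    """
    denied = defaultdict(Counter)   # remote_addr -> Counter({401: n, 403: m})
    hosts = Counter()               # requests per $host, useful for spotting stray names
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparseable line: skip rather than crash
        hosts[rec["host"]] += 1
        if rec["status"] in (401, 403):
            denied[rec["remote_addr"]][rec["status"]] += 1
    suspects = sorted(ip for ip, c in denied.items() if c[401] >= auth_threshold)
    return {"hosts": hosts, "denied": denied, "auth_bruteforce_suspects": suspects}


# Constructed sample log lines in the page's format (not taken from a real server).
SAMPLE_LOG = """\
127.0.0.1 - [19/Sep/2018:22:01:16 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:22:01:20 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"
203.0.113.5 - [19/Sep/2018:22:05:01 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"
203.0.113.5 - [19/Sep/2018:22:05:02 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"
203.0.113.5 - [19/Sep/2018:22:05:03 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"
203.0.113.5 - [19/Sep/2018:22:05:04 +0800] test.com "/admin/" 200 "-" "Mozilla/5.0"
198.51.100.9 10.0.0.2, 172.16.0.7 [19/Sep/2018:22:06:10 +0800] test.com "/aaa/index.html" 403 "-" "Mozilla/5.0"
this line is not in the expected format
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(report["denied"].items()):
        print(ip, dict(counts))
    print("possible basic-auth brute force:", report["auth_bruteforce_suspects"])
```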
Nginx log rotation
Since nginx has no built-in log rotation tool, rotating its logs means relying on the system's log rotation tool or writing a log rotation script yourself.
Scripts are all kept in the /usr/local/sbin/ directory.
Define a log rotation script yourself
# vim /usr/local/sbin/nginx_log_rotate.sh
Write the following content (the comments can be omitted):
#! /bin/bash
## Assumes the nginx logs are stored under /tmp/
d=`date -d "-1 day" +%Y%m%d`
# Date stamp for the rotated file (the log being rotated is the previous day's)
logdir="/tmp/"
# Path of the logs to rotate (the path comes from the virtual host configuration file)
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# The pid is needed to run: /bin/kill -HUP `cat $nginx_pid`
# That command is equivalent to nginx -s reload: it reloads the configuration and makes nginx reopen its log files
# The pid path comes from the main nginx configuration file
cd "$logdir" || exit 1
for log in `ls *.log`
do
mv "$log" "$log-$d"
done
# Loop over the logs with a wildcard and rename each one (rotation means renaming the day's log)
/bin/kill -HUP `cat $nginx_pid`
# Reload so that nginx creates fresh log files for new entries
Run the script:
[root@iz2zef1im6qv29viqhtk3qz vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180918
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180918
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 972
[root@iz2zef1im6qv29viqhtk3qz vhost]# ls /tmp/
Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)> systemd-private-ecdbc26ef480489bb909d22e927e3845-ntpd.service-oWmtff
hsperfdata_root test.com.log
pear test.com.log-20180918
php-fcgi.sock
- -x : prints each command as the script executes
Note: this only rotates the logs. Deleting old logs has to be combined with the cron task scheduler, and the rotation itself also has to be run from cron.
You can also use the find command to delete old logs periodically.
Delete log files under /tmp/ that are older than 30 days:
[root@iz2zef1im6qv29viqhtk3qz vhost]# find /tmp/ -name *.log-* -type f -mtime +30 |xargs rm
rm: missing operand
Try 'rm --help' for more information.
[root@iz2zef1im6qv29viqhtk3qz vhost]# find /tmp/ -name *.log-* -type f
/tmp/test.com.log-20180918
Nothing is deleted because no log file matches the condition yet. Note that the pattern in -name *.log-* is unquoted; quote it as -name '*.log-*' so the shell cannot expand it before find sees it.
Set up the scheduled task
# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
This runs the script every day at 00:00.
Static files: disable logging and set an expiry time
Add a block of configuration to test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
access_log /tmp/test.com.log huhu;
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
# add the following
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
}
- location ~ matches the file types by regular expression
- expires sets the expiry time
- access_log sets whether access to this type of file is logged
Check the configuration file syntax and reload the configuration
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz vhost]# /usr/local/nginx/sbin/nginx -s reload
Create a few files
[root@iz2zef1im6qv29viqhtk3qz vhost]# cd /data/wwwroot/test.com/
[root@iz2zef1im6qv29viqhtk3qz test.com]# ls
index.html
[root@iz2zef1im6qv29viqhtk3qz test.com]# vim 1.gif
[root@iz2zef1im6qv29viqhtk3qz test.com]# vim 2.js
[root@iz2zef1im6qv29viqhtk3qz test.com]# cat 1.gif
sdfsddfvf
[root@iz2zef1im6qv29viqhtk3qz test.com]# cat 2.js
fdfgcfbdcv
Test
[root@iz2zef1im6qv29viqhtk3qz test.com]# curl -x127.0.0.1:80 test.com/1.gif
sdfsddfvf
[root@iz2zef1im6qv29viqhtk3qz test.com]# curl -x127.0.0.1:80 test.com/2.js
fdfgcfbdcv
[root@iz2zef1im6qv29viqhtk3qz test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@iz2zef1im6qv29viqhtk3qz test.com]# curl -x127.0.0.1:80 test.com/2.jssdf
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@iz2zef1im6qv29viqhtk3qz test.com]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:23:05:49 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:23:09:59 +0800] test.com "/2.jssdf" 404 "-" "curl/7.29.0"
- This shows that requests for the gif and js files are not logged, exactly as defined in the configuration above.
- The configuration only matches files ending in js, so 2.jssdf is still logged
We can also check the expiry time
[root@iz2zef1im6qv29viqhtk3qz test.com]# curl -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 15:07:28 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Wed, 19 Sep 2018 15:04:09 GMT
Connection: keep-alive
ETag: "5ba26569-a"
Expires: Wed, 26 Sep 2018 15:07:28 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
- Cache-Control: max-age=604800 represents the expiry time; the gif expiry defined above is 7 days, i.e. 604800 seconds
If expires is commented out in the configuration file, these headers are not shown.
Nginx anti-hotlinking
Nginx anti-hotlinking also uses a location block and is written together with the static-file no-logging and expiry configuration.
Open the configuration file, comment out the earlier location for gif files, and add a new block:
# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
access_log /tmp/test.com.log huhu;
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
# add the following
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ; # define the referer whitelist
if ($invalid_referer) { # if the referer is not whitelisted, return 403
return 403;
}
access_log off;
}
}
Note: the ~* in location ~* ^.+\.(...)$ makes the regular expression case-insensitive, so the file extensions match regardless of case.
Check the configuration file and reload
[root@iz2zef1im6qv29viqhtk3qz test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz test.com]# /usr/local/nginx/sbin/nginx -s reload
Test
When the referer is qq.com, which is not in the whitelist, 403 is returned
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 15:27:20 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
When the referer is test.com, which is in the whitelist, 200 is returned
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 15:27:33 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Wed, 19 Sep 2018 15:04:09 GMT
Connection: keep-alive
ETag: "5ba26569-a"
Expires: Wed, 26 Sep 2018 15:27:33 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
The log still shows no entries for these requests, because of access_log off;
[root@iz2zef1im6qv29viqhtk3qz ~]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:23:05:49 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:23:09:59 +0800] test.com "/2.jssdf" 404 "-" "curl/7.29.0"
Nginx access control
Matching by IP
When a particular directory is accessed, only allow certain IPs.
Modify the configuration file and add a block.
Note: the added configuration must be inside server{}
# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following content (the comments can be left out):
location /aaa/
{
allow 127.0.0.1; # rule: allow the IP 127.0.0.1; this IP is the $remote_addr seen in the access log
deny all; # rule: deny everyone else
}
- You can also configure allow all; and then deny certain IPs
- Rules are matched from top to bottom; once a rule matches, the remaining rules are not evaluated
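As an added example that is not part of the original post, this Python script emulates the top-down, first-match evaluation of allow/deny rules described above, using a copy of the page's /aaa/ rules and the same two rules in reversed order to show why the order matters. The names parse_rules, is_allowed and check are my own.

```python
import ipaddress

# Constructed copy of the page's location /aaa/ rules (comments allowed, as in nginx.conf).
PAGE_RULES = """
allow 127.0.0.1;   # only the local machine may reach /aaa/
deny all;          # everyone else is refused
"""

# The same two rules in the wrong order: 'deny all' now matches first for every client.
REVERSED_RULES = """
deny all;
allow 127.0.0.1;
"""


def parse_rules(config_text):
    """Parse allow/deny directives, one per line, into an ordered list of (action, network)."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        target = target.strip()
        if action not in ("allow", "deny") or not target:
            raise ValueError(f"not an allow/deny directive: {raw!r}")
        # 'all' is stored as None; a bare address becomes a /32 (or /128) network.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """Evaluate the way ngx_http_access_module does: rules are checked top to bottom and the
    first one that matches decides; if no rule matches at all, the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        # 'all' matches every address; a network only matches addresses of its own IP version.
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True


def check(config_text, client_ips):
    """Return {client_ip: allowed?} for a rule set, to review an ACL before reloading nginx."""
    rules = parse_rules(config_text)
    return {ip: is_allowed(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    clients = ["127.0.0.1", "172.17.153.149"]   # the two addresses used in the page's curl tests
    print("page order    :", check(PAGE_RULES, clients))
    print("reversed order:", check(REVERSED_RULES, clients))
```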
Check the configuration file and reload
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/nginx/sbin/nginx -s reload
Create a test directory and file
# mkdir /data/wwwroot/test.com/aaa
# echo 'aaa test' > /data/wwwroot/test.com/aaa/index.html
Test
# curl -x127.0.0.1:80 test.com/aaa/index.html
aaa test
# curl -x172.17.153.149:80 test.com/aaa/index.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Matching by regular expression
Add another block of configuration
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
This denies every request for a file ending in .php located under a directory whose name ends in abc or image.
Check the configuration file and reload
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
Create an image directory containing an a.php,
and an aabc directory containing an a.php
# mkdir /data/wwwroot/test.com/image
# mkdir /data/wwwroot/test.com/aabc
# echo 'image' > /data/wwwroot/test.com/image/a.php
# echo 'image' > /data/wwwroot/test.com/image/a.html
# echo 'abc' > /data/wwwroot/test.com/aabc/a.php
Test
# curl -x127.0.0.1:80 test.com/image/a.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
# curl -x127.0.0.1:80 test.com/aabc/a.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
# curl -x127.0.0.1:80 test.com/image/a.html
image
Restricting by user_agent
Deny all requests whose user_agent matches Spider/3.0, YoudaoBot or Tomato; add the following configuration:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all and return 403 have the same effect
Check the configuration file and reload
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
Test by simulating the user_agent
image/a.html can be accessed normally
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -x127.0.0.1:80 test.com/image/a.html
image
200 is returned as normal
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -x127.0.0.1:80 test.com/image/a.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 20 Sep 2018 14:47:16 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Thu, 20 Sep 2018 14:34:08 GMT
Connection: keep-alive
ETag: "5ba3afe0-6"
Accept-Ranges: bytes
Simulating a user_agent that contains Tomato matches the rule and returns 403
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -A "Tomatosdas" -x127.0.0.1:80 test.com/image/a.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Thu, 20 Sep 2018 14:48:15 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Because the match is not yet case-insensitive, a lowercase tomato still returns 200
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -A "tomatosdas" -x127.0.0.1:80 test.com/image/a.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 20 Sep 2018 14:48:24 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Thu, 20 Sep 2018 14:34:08 GMT
Connection: keep-alive
ETag: "5ba3afe0-6"
Accept-Ranges: bytes
How to match regardless of case?
In the configuration file, add * after the match operator:
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Check the configuration file, reload, and test again
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/nginx/sbin/nginx -s reload
[root@iz2zef1im6qv29viqhtk3qz ~]# curl -A "tomatosdas" -x127.0.0.1:80 test.com/image/a.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Thu, 20 Sep 2018 14:51:48 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Nginx PHP parsing configuration
Listening on a unix socket
Add the following configuration:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
Explanation of the configuration:
location ~ \.php$ # matches every request whose document_uri ends in .php
{
include fastcgi_params; # includes the fastcgi_params file of standard FastCGI variables
fastcgi_pass unix:/tmp/php-fcgi.sock;
# path of the PHP socket file;
# if listen in php-fpm.conf is an ip:port, the same ip:port must be configured here
# a mistake here produces a 502 error
fastcgi_index index.php; # the PHP index page
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
# request path of the PHP script; the path before the $ must be the same as the virtual host's root
# a wrong path here produces a 404 error
}
After configuring, do not reload yet; only check that the configuration is correct
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
First create a PHP file to see whether it is parsed
# vim /data/wwwroot/test.com/aaa/aaa.php
<?php
phpinfo();
# curl -x127.0.0.1:80 test.com/aaa/aaa.php
<?php
phpinfo();
PHP is not parsed.
Now reload so that the newly added block takes effect, and check again whether it is parsed
# /usr/local/nginx/sbin/nginx -s reload
# curl -x127.0.0.1:80 test.com/aaa/aaa.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
(output omitted)
PHP is parsed correctly; curl shows the page source, and in a browser it renders normally.
The configuration must be written correctly: if
fastcgi_pass unix:/tmp/php-fcgi.sock;
is wrong, a 502 error results.
We can deliberately break the configuration, reload, and test:
# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-cgi.sock; # php-fcgi.sock deliberately changed to php-cgi.sock
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
# /usr/local/nginx/sbin/nginx -s reload
# curl -x127.0.0.1:80 test.com/aaa/aaa.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Check the error log
# tail /usr/local/nginx/logs/nginx_error.log
2018/09/17 23:20:05 [emerg] 20653#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:20:05 [emerg] 20653#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:20:05 [emerg] 20653#0: still could not bind()
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: still could not bind()
2018/09/20 23:30:22 [crit] 10734#0: *85 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/aaa/aaa.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
It reports that the file or directory does not exist. When you get a 502, check whether the socket named in the configuration exists and look at the error log.
You can check what listen address is actually defined in /usr/local/php-fpm/etc/php-fpm.conf:
# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock ; note this line
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
Listening on an IP and port
In /usr/local/php-fpm/etc/php-fpm.conf, change the listen setting to a port: comment out the original listen and add a new line
# vi /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
; listen = /tmp/php-fcgi.sock ; the original listen, commented out
listen = 127.0.0.1:9000 ; new line
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
Check that the configuration file is correct (php-fpm supports -t as well) and reload
# /usr/local/php-fpm/sbin/php-fpm -t
[24-Sep-2018 20:26:38] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
# /etc/init.d/php-fpm reload
Reload service php-fpm done
Reload Nginx
# /usr/local/nginx/sbin/nginx -s reload
Check the listening ports
# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 972/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1192/sshd
tcp 0 0 127.0.0.1:32000 0.0.0.0:* LISTEN 889/java
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 10096/php-fpm: mast
Test
# curl -x127.0.0.1:80 test.com/aaa/aaa.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Still 502; check the error log
# tail /usr/local/nginx/logs/nginx_error.log
2018/09/17 23:20:05 [emerg] 20653#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:20:05 [emerg] 20653#0: still could not bind()
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/09/17 23:37:22 [emerg] 20830#0: still could not bind()
2018/09/20 23:30:22 [crit] 10734#0: *85 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/aaa/aaa.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/09/24 20:33:14 [crit] 10124#0: *303 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/aaa/aaa.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
The same error: the socket does not exist.
Since we know that php-fpm now listens on an IP port instead of the socket, the same change has to be made in the nginx configuration
# vi /usr/local/nginx/conf/vhost/test.com.conf
Modify the last block:
location ~ \.php$
{
include fastcgi_params;
# fastcgi_pass unix:/tmp/php-fcgi.sock; # the original fastcgi_pass, commented out
fastcgi_pass 127.0.0.1:9000; # new fastcgi_pass using IP and port
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
Check that the configuration files are correct and reload
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/php-fpm/sbin/php-fpm -t
[24-Sep-2018 20:40:27] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iz2zef1im6qv29viqhtk3qz ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@iz2zef1im6qv29viqhtk3qz ~]# /usr/local/nginx/sbin/nginx -s reload
Test
# curl -x127.0.0.1:80 test.com/aaa/aaa.php
(output omitted)
<table>
<tr class="v"><td>
<p>
This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file: LICENSE
</p>
<p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
</p>
<p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
</p>
</td></tr>
</table>
Everything works.
Nginx proxy
Use this machine as the proxy server and the forum as the web server.
First, add a configuration file proxy.conf under /usr/local/nginx/conf/vhost/
and write the proxy server configuration into it
(the comments can be left out when copying)
# vim /usr/local/nginx/conf/vhost/proxy.conf
server
{
listen 80;
server_name ask.apelearn.com; # the domain name the proxy server answers for
location /
{
proxy_pass http://223.94.95.10/; # the IP of the web server
proxy_set_header Host $host; # pass the original Host header on to the web server
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Check the configuration file and reload
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
Test
# curl -x127.0.0.1:80 ask.apelearn.com
(access works normally; the output is omitted because it is long)
Further reading
nginx.conf configuration explained
https://coding.net/u/aminglinux/p/nginx/git/tree/master/3z
The four flags of nginx rewrite
http://unixman.blog.51cto.com/10163040/1711943
https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md
502 problem summary http://ask.apelearn.com/question/9109
location priority
https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md