Nginx default virtual host, Nginx user authentication, Nginx domain redirection, access logs, and more

Nginx default virtual host

1. vim /usr/local/nginx/conf/nginx.conf   // add the following line
2. include vhost/*.conf;
3. mkdir /usr/local/nginx/conf/vhost
4. cd !$; vim default.conf   // put the following content in it
server
{
    listen 80 default_server;  # the block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
5. mkdir -p /data/wwwroot/default/
6. echo "This is a default site." > /data/wwwroot/default/index.html
7. /usr/local/nginx/sbin/nginx -t
8. /usr/local/nginx/sbin/nginx -s reload
9. curl localhost
10. curl -x127.0.0.1:80 123.com

Walkthrough:

[root@xuexi-001 ~]# ls /usr/local/nginx/conf/
fastcgi.conf            mime.types          scgi_params.default
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.bak      win-utf
koi-utf                 nginx.conf.default
koi-win                 scgi_params
[root@xuexi-001 ~]# cd !$
cd /usr/local/nginx/conf/
[root@xuexi-001 conf]# vi nginx.conf
//add the following line
include vhost/*.conf;   // note: inside the configuration file this line must end with a semicolon
[root@xuexi-001 conf]# mkdir vhost
//create the vhost directory
[root@xuexi-001 conf]# cd vhost/
[root@xuexi-001 vhost]# ls
[root@xuexi-001 vhost]# vi aaa.com.conf
//create aaa.com.conf in the vhost directory
[root@xuexi-001 vhost]# mkdir /data/wwwroot/default
//create the default directory
[root@xuexi-001 vhost]# cd /data/wwwroot/default/
[root@xuexi-001 default]# vi index.html
//create an index.html file in the default directory
Content of the aaa.com.conf created above:
server
{
    listen 80 default_server;  # the block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
//test the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
After changing the configuration file, always test whether it is correct.
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
//reload, or restart:
[root@xuexi-001 conf]# /etc/init.d/nginx restart
Test:
[root@xuexi-001 conf]# curl localhost
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 123.com
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 aaa.com
This is the default site.

Nginx user authentication

vim /usr/local/nginx/conf/vhost/test.com.conf   // put the following content in it
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
yum install -y httpd
htpasswd -c /usr/local/nginx/conf/htpasswd aming
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload   // test the configuration and reload

Walkthrough:

[root@xuexi-001 conf]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location  /
    {
        auth_basic              "Auth";   # name (realm) shown in the authentication prompt
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;   # user name and password file
    }
}
[root@xuexi-001 conf]# yum install -y httpd
// if httpd was installed earlier, Apache's password tool can be used directly; otherwise install it with yum
[root@xuexi-001 conf]# htpasswd -c /usr/local/nginx/conf/htpasswd guo
// generate the htpasswd file and create the user guo
// -c creates the file: use it the first time, when the file is new; using it again overwrites the existing file, so pass -c only when creating
[root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd guo
New password: 111111
Re-type new password: 111111
Adding password for user guo
// once Apache is installed, its password tool htpasswd can be called directly
[root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd 
guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0
// view the generated password file
[root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd  /usr/local/nginx/conf/htpasswd user1
// to add an entry for another user, drop -c; with -c the existing /usr/local/nginx/conf/htpasswd would be overwritten
New password: 
Re-type new password: 
Adding password for user user1
[root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd 
guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0
user1:$apr1$Vq/C6L7V$mOURmyhpCNbJ5PYgOOWmq.
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
// test and reload

The advantage of testing before reloading is that errors in the configuration file are caught: if there is an error, the reload simply does not take effect. With a restart, a broken configuration file can leave nginx unable to start at all.

Test:

[root@xuexi-001 conf]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:22:39 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
//error 401: a user must be supplied

[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:24:29 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
// why 404? The request goes to index.html, but the document root has not been created yet, and neither has the test.com directory.

Create the directory:
[root@xuexi-001 conf]# mkdir /data/wwwroot/test.com
[root@xuexi-001 conf]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:28:09 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Wed, 04 Jul 2018 16:27:56 GMT
Connection: keep-alive
ETag: "5b3cf58c-9"
Accept-Ranges: bytes

[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com 
test.com

To require authentication only for a specific directory, change the configuration file test.com.conf:

[root@xuexi-001 vhost]# vi test.com.conf 
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /admin/   # put the directory name here
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
// test the configuration file and reload
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/admin
//create the admin directory
Test:
[root@xuexi-001 vhost]# curl  -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:36:08 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
Test with user name and password:
[root@xuexi-001 ~]# cd /data/wwwroot/test.com/admin/
[root@xuexi-001 admin]# vi index.html
test.admin
[root@xuexi-001 admin]# curl -uguo:111111 -x 127.0.0.1:80 test.com/admin/ 
test.admin

Restricting a single URL

[root@xuexi-001 vhost]# vi test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~ admin.php   # match URLs containing admin.php
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
//test the configuration file and reload
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin/
test.admin
//now /admin/ can be accessed without a user name and password
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:50:13 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

Nginx domain redirection

Edit test.com.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}

server_name accepts several domain names (compare this with httpd below). permanent means a permanent redirect with status code 301; writing redirect instead gives a 302.

Walkthrough:

1. Edit the configuration file

[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# ls
aaa.com.conf  test.com.conf
[root@xuexi-001 vhost]# vi test.com.conf 
Add the following content:
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}

In Nginx, server_name can be followed by several domain names; in Apache, ServerName takes only one, and additional names need ServerAlias.

Setting several domain names in server_name in the Nginx configuration splits the site's weight (search ranking) across them, and it is unclear which domain is the main site; that is why a domain redirect is needed.

2. Test the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test

Accessing via test2.com returns 301, redirected to http://test.com/index.html

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:07:27 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html

4. Test access with a different URL

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:18:09 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html

5. Accessing with a domain that is not configured returns 404, because the request lands on the default virtual host rather than on test.com

[root@xuexi-001 test.com]# curl -x127.0.0.1:80 test4.com/index.html/123345 -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:10:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
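
The server selection and redirect behaviour exercised by the curl tests above can be replayed offline. The following Python emulation is an added example, not part of the tutorial and not nginx code. It models only what the tutorial configures: exact server_name matching, the default_server fallback for unknown Host values, and the `if ($host != 'test.com') { rewrite ^/(.*)$ http://test.com/$1 permanent; }` rule. Wildcard and regex server names and the index directive are not modelled; the file set passed to route() is a constructed stand-in for the document roots on disk.

```python
"""Emulate nginx host-based server selection and the test.com host redirect.

Added example, not from the tutorial or from nginx. The SERVERS table is
constructed from the two vhost files shown on this page.
"""

SERVERS = [
    {"names": ["aaa.com"], "default": True,
     "root": "/data/wwwroot/default", "canonical": None},
    {"names": ["test.com", "test2.com", "test3.com"], "default": False,
     "root": "/data/wwwroot/test.com", "canonical": "test.com"},
]


def host_of(host_header):
    """Host header with any port stripped, lower-cased; '' if absent."""
    return (host_header or "").split(":", 1)[0].strip().lower()


def select_server(host_header, servers=SERVERS):
    """Pick the server block a request reaches, as nginx does for exact names."""
    host = host_of(host_header)
    for srv in servers:
        if host in srv["names"]:
            return srv
    # No server_name matched: the block flagged default_server takes the
    # request (nginx uses the first block on that port if none is flagged).
    # This is why the default vhost should be a harmless placeholder site.
    return next((s for s in servers if s["default"]), servers[0])


def route(host_header, uri, existing_files=frozenset(), servers=SERVERS):
    """Return (status, detail): the Location for a 301, else the path looked up."""
    srv = select_server(host_header, servers)
    canonical = srv["canonical"]
    if canonical and host_of(host_header) != canonical:
        # rewrite ^/(.*)$ http://test.com/$1 permanent;  -> 301, same path
        return 301, "http://%s%s" % (canonical, uri)
    path = srv["root"] + uri
    return (200 if path in existing_files else 404), path


if __name__ == "__main__":
    files = frozenset({"/data/wwwroot/test.com/index.html"})
    for host, uri in [("test2.com", "/index.html"), ("test4.com", "/index.html/123345"),
                      ("test.com", "/index.html")]:
        print(host, uri, route(host, uri, files))
```

Replaying the tutorial's requests: test2.com and test3.com get a 301 to the same path on test.com, test4.com falls through to the default vhost and gets a 404 there, and only test.com serves its own root.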

Nginx access log

Log format

vim /usr/local/nginx/conf/nginx.conf   // search for log_format

Field description
$remote_addr           client IP (public IP)
$http_x_forwarded_for  proxy server IP
$time_local            server local time
$host                  requested host name (domain)
$request_uri           requested URL
$status                status code
$http_referer          referer
$http_user_agent       user agent

Besides defining the log format in the main configuration file nginx.conf, the virtual host configuration file needs the line

access_log /tmp/test.com.log combined_realip;

Here combined_realip is the name of the log format defined in nginx.conf

/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload

curl -x127.0.0.1:80 test.com -I

cat /tmp/test.com.log

1. The default log format is defined in the main configuration file

Open the main configuration file: vi /usr/local/nginx/conf/nginx.conf

Search with /log_format to find the following block; this is what defines the log format

 log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

combined_realip is the name of the log format and can be chosen freely. Whatever name is defined here is the name referenced later; it determines which log format the virtual host uses.

Nginx configuration files end every statement with a semicolon; a statement without a terminating semicolon has not ended yet, even if it spans several lines.

2. Besides defining the log format in the main configuration file nginx.conf, the access log path has to be set in the virtual host configuration file with a line such as access_log /tmp/test.com.log aliang; (the second argument being the name given in log_format)

[root@xuexi-001 vhost]# vi test.com.conf 

server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    access_log /tmp/test.com.log combined_realip;
    # access log path and format; without a format name the default format is used. combined_realip is a custom name and can be changed.
}

3. Check the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

4. Test

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:57:05 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test3.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:57:14 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/

[root@xuexi-001 vhost]# cat /tmp/test.com.log 
127.0.0.1 - [05/Jul/2018:23:57:05 +0800] test2.com "/" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:23:57:14 +0800] test3.com "/" 301 "-" "curl/7.29.0"
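
The lines above are in the combined_realip format defined earlier. The following Python parser is an added example, not part of the tutorial: it splits each line into the format's fields and summarises which clients are collecting 401/403 responses, the kind of review an operator does on these logs. Note that $http_x_forwarded_for is copied from a request header that any client can set, so it is reported but never used as the client identity here. The sample lines are constructed: the first three copy the tutorial's own output, the rest are made up to show a proxied client and a malformed line.

```python
"""Parse access-log lines written with the combined_realip log_format.

Added example, not part of the tutorial. Format parsed:
  $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<xff>.+?) \[(?P<time_local>[^\]]+)\] '
    r'(?P<host>\S+) "(?P<request_uri>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample log (first three lines copied from the tutorial's output).
SAMPLE_LOG = """\
127.0.0.1 - [05/Jul/2018:23:57:05 +0800] test2.com "/" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:23:57:14 +0800] test3.com "/" 301 "-" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
10.0.0.9 203.0.113.7, 198.51.100.2 [06/Jul/2018:01:30:01 +0800] test.com "/admin/" 401 "-" "python-requests/2.19"
10.0.0.9 203.0.113.7, 198.51.100.2 [06/Jul/2018:01:30:02 +0800] test.com "/admin/" 401 "-" "python-requests/2.19"
10.0.0.9 203.0.113.7, 198.51.100.2 [06/Jul/2018:01:30:03 +0800] test.com "/upload/1.php" 403 "-" "python-requests/2.19"
this line is not in the expected format and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match.

    $http_x_forwarded_for is unquoted in this format and may itself contain
    ", "-separated addresses, so it is matched non-greedily up to the
    " [" that opens $time_local.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line of a log; unparseable lines are dropped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def status_counts(text):
    """Number of responses per status code."""
    return dict(Counter(r["status"] for r in parse_log(text)))


def denied_clients(text, threshold=3):
    """Clients ($remote_addr) with at least `threshold` 401/403 responses."""
    denied = Counter(r["remote_addr"] for r in parse_log(text)
                     if r["status"] in (401, 403))
    return {ip: n for ip, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    print(status_counts(SAMPLE_LOG))
    print(denied_clients(SAMPLE_LOG))
```

Because $http_x_forwarded_for is not quoted in this log_format, a multi-address value would break a naive whitespace split; the non-greedy match up to the `[` of $time_local is what keeps the parser correct for such lines.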

Nginx log rotation

Custom shell script

vim /usr/local/sbin/nginx_log_rotate.sh   // put the following content in it

#! /bin/bash
## assume nginx logs are stored under /data/logs/
d=`date -d "-1 day" +%Y%m%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

Cron job

0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh


Walkthrough:

Nginx has no built-in log rotation tool; rotation has to be done with the system's log rotation tool or with a hand-written script.

1. Write a rotation script. First create a shell script: vim /usr/local/sbin/nginx_log_rotate.sh

Note: all shell scripts go under the /usr/local/sbin/ directory

[root@xuexi-001 vhost]# vim /usr/local/sbin/nginx_log_rotate.sh

#! /bin/bash
d=`date -d "-1 day" +%Y%m%d` 
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

Explanation:

  • d=`date -d "-1 day" +%Y%m%d`   // yesterday's date in YYYYMMDD format
  • logdir="/tmp/"   // in the previous section the log was set to live under /tmp/
  • nginx_pid="/usr/local/nginx/logs/nginx.pid"   // locate nginx's PID so that /bin/kill -HUP `cat $nginx_pid` can be run; that command has the same effect as nginx -s reload
  • cd $logdir   // change into the logdir log directory
  • for log in `ls *.log`   // start the loop over every file ending in .log
  • do   // execute
  • mv $log $log-$d   // rename each log to its original name followed by -`date -d "-1 day" +%Y%m%d`
  • done   // end of the loop
  • /bin/kill -HUP `cat $nginx_pid`   // reload; the PID is read from nginx_pid="/usr/local/nginx/logs/nginx.pid"

The for loop command

[root@xuexi-001 vhost]# ls
aaa.com.conf  test.com.conf
[root@xuexi-001 vhost]# for f in `ls `; do ls -l $f ; done
-rw-r--r-- 1 root root 142 7月   4 23:17 aaa.com.conf
-rw-r--r-- 1 root root 292 7月   5 23:54 test.com.conf

2. Run the script with the -x option

-x: shows the script's execution step by step

[root@xuexi-001 vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180705
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls php_errors.log test.com.log
+ for log in '`ls *.log`'
+ mv php_errors.log php_errors.log-20180705
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180705
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 1024

3. Check the rotated log files. A new log is generated every day; after rotation, old ones still need periodic cleanup

[root@xuexi-001 vhost]# ls /tmp/
test.com.log
test.com.log-20180705

4. Delete log files older than 30 days

[root@xuexi-001 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm
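
The rotation script and the find command above together make up a complete daily routine: rename each *.log to *.log-YYYYMMDD, tell nginx to reopen its files, and prune archives past the retention window. The following Python version is an added example, not the tutorial's script, written so the routine can be exercised on a temporary directory. The date suffix and retention period follow the tutorial; signalling nginx (kill -HUP on the master PID) is only attempted when the given pid file exists, since it needs a running nginx.

```python
"""Rotate nginx-style logs by date and prune old archives.

Added example, not part of the tutorial. Mirrors /usr/local/sbin/nginx_log_rotate.sh
plus `find ... -mtime +30 | xargs rm` in Python.
"""
import os
import signal
import time
from datetime import date, timedelta


def yesterday_suffix(today=None):
    """Same value as `date -d "-1 day" +%Y%m%d` in the shell script."""
    today = today or date.today()
    return (today - timedelta(days=1)).strftime("%Y%m%d")


def rotate_logs(logdir, suffix=None, pid_file=None):
    """Rename each *.log in logdir to *.log-<suffix>; return the new names.

    A target that already exists (the script ran twice on one day) is left
    alone instead of being overwritten, which plain `mv` would silently do.
    """
    suffix = suffix or yesterday_suffix()
    rotated = []
    for name in sorted(os.listdir(logdir)):
        if not name.endswith(".log"):
            continue
        src = os.path.join(logdir, name)
        dst = "%s-%s" % (src, suffix)
        if os.path.exists(dst):
            continue
        os.rename(src, dst)
        rotated.append(os.path.basename(dst))
    # Ask the nginx master to reopen its log files (equivalent of kill -HUP).
    if pid_file and os.path.exists(pid_file):
        with open(pid_file) as fh:
            os.kill(int(fh.read().strip()), signal.SIGHUP)
    return rotated


def prune_old_archives(logdir, days=30, now=None):
    """Delete *.log-* files whose mtime is older than `days`; return names removed.

    Equivalent of: find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    removed = []
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if ".log-" in name and os.path.isfile(path) and os.path.getmtime(path) < cutoff:
            os.remove(path)
            removed.append(name)
    return removed


if __name__ == "__main__":
    # Assumed paths from the tutorial; adjust for a real host.
    print(rotate_logs("/tmp/", pid_file="/usr/local/nginx/logs/nginx.pid"))
    print(prune_old_archives("/tmp/", days=30))
```

Two details differ from the shell one-liners on purpose: an existing archive is never clobbered, and the prune only touches regular files whose name contains `.log-`, so the unquoted `*.log-*` glob expansion problem of the shell version cannot arise.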

5. After writing the script, add a cron job with crontab -e

[root@xuexi-001 vhost]# crontab -e

0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh

Shell script notes

1. Defining the rotation time

  • When writing a shell script, if a command is unclear, just run it and look at the result
  • Suppose the meaning of d=`date -d "-1 day" +%Y%m%d` is unclear
  • Ctrl+Z suspends the current operation and sends it to the background
  • Running date -d "-1 day" +%Y%m%d prints a date, specifically yesterday's, because rotation is done per day and a day's log is only rotated after 23:59:59 has passed and the next day's 00:00:01 has arrived

2. Why the PID path is specified

  • nginx_pid="/usr/local/nginx/logs/nginx.pid" specifies where nginx's PID file is
  • If the PID file cannot be found, the later command /bin/kill -HUP `cat $nginx_pid` cannot run either
  • /bin/kill -HUP `cat $nginx_pid` reloads the nginx service
  • /bin/kill -HUP `cat $nginx_pid` is needed because mv $log $log-$d moves the log files away after rotation; without reloading nginx and creating fresh log files, the service would run into errors
  • So, to make sure /bin/kill -HUP `cat $nginx_pid` runs correctly, nginx's PID file location must be known
[root@xuexi-001 vhost]# ls /usr/local/nginx/logs/nginx.pid
/usr/local/nginx/logs/nginx.pid

3. Understanding the loop

  • for f in `ls`; do ls -l $f; done
  • for starts the loop, f stands for a file, in introduces the list, `ls` produces what is iterated over; do runs ls -l $f; done ends the loop
  • Cron job
  • Once the script is written, a schedule is needed so that it runs at the set time.
  • crontab -e
    • 0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
  • Over time a large number of logs accumulates and needs cleaning up
    • find /tmp/ -type f -name "*.log-*" -mtime +30 | xargs rm

Static files: no access logging and expiry time. Core configuration parameters:

[root@xuexi-001 vhost]#  vim test.com.conf

server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$   # match by file type
    {
          expires      7d;   # expiry time of 7 days
          access_log off;    # do not log accesses to these file types
    }
    location ~ .*\.(js|css)$
    {
          expires      12h;  # expiry time of 12 hours
          access_log off;    # do not log accesses to these file types
    }

    access_log /tmp/test.com.log combined_realip;   # log location and format
}

Check:

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
Access index.html:
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
Access the file baidu.jpg:
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/baidu.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 16:55:27 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 16:55:27 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Note: max-age=604800 s = 7 days, i.e. the cache expiry time of this file is 7 days.
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
That is, there is no access log entry for that file.

Nginx anti-hotlinking

Configuration:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

The anti-hotlinking configuration has to be combined with the no-logging and expiry configuration, because all of them use a location block

1. Open the configuration file vim /usr/local/nginx/conf/vhost/test.com.conf

Comment out some of the configuration

# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }

Add the following configuration

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;        # expiry time of 7 days
    valid_referers none blocked server_names  *.test.com ;   # define a whitelist; the referers are domain names
    if ($invalid_referer) {        # if the referer is not in the whitelist
        return 403;                # return 403
    }
    access_log off;
}

3. Check the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

4. Test

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:06:56 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 17:06:56 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

5. Test the anti-hotlinking with curl -e

[root@xuexi-001 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:08:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:09:04 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 17:09:04 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

When curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif returns 403 while curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif returns 200, the anti-hotlinking configuration is working
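
The decision nginx makes for `valid_referers none blocked server_names *.test.com;` followed by `if ($invalid_referer) { return 403; }` can be replayed offline. The following Python function is an added example, not nginx code and not part of the tutorial. It applies the documented semantics of ngx_http_referer_module: "none" accepts a missing Referer, "blocked" accepts a Referer that is present but has had its scheme stripped (does not start with http:// or https://), "server_names" accepts the vhost's own names, and "*.test.com" matches any host under test.com; only the host part of the Referer is compared. Lower-casing the host before comparison, and the server name list, are this example's assumptions taken from test.com.conf; path and port matching are not covered.

```python
"""Evaluate nginx's valid_referers rule from the anti-hotlinking block.

Added example, not part of the tutorial. Models the directive
  valid_referers none blocked server_names *.test.com;
together with `if ($invalid_referer) { return 403; }`.
"""
import re
from urllib.parse import urlsplit

SERVER_NAMES = ["test.com", "test2.com", "test3.com"]   # from test.com.conf
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def referer_host(referer):
    """Lower-cased host of a Referer URL, or None when it carries no scheme."""
    if not re.match(r"^https?://", referer, re.IGNORECASE):
        return None
    return (urlsplit(referer).hostname or "").lower()


def is_valid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when $invalid_referer would be empty, i.e. the request is allowed."""
    if not referer:
        return "none" in valid                 # Referer header absent
    host = referer_host(referer)
    if host is None:
        return "blocked" in valid              # present but scheme stripped
    names = [n.lower() for n in server_names]
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if host in names:
                return True
        elif entry.startswith("*."):           # suffix mask, e.g. *.test.com
            suffix = entry[1:].lower()
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif entry.endswith(".*"):             # prefix mask, e.g. test.*
            if host.startswith(entry[:-1].lower()):
                return True
        elif host == entry.lower():            # literal host name
            return True
    return False


def hotlink_status(referer, is_static=True):
    """Status the location block yields for a static file: 403 or 200."""
    if not is_static:
        return 200                             # block only covers matched extensions
    return 200 if is_valid_referer(referer) else 403


if __name__ == "__main__":
    for ref in ["http://www.baidu.com/1.txt", "http://www.test.com/1.txt", None]:
        print(ref, hotlink_status(ref))
```

Besides the two curl -e cases from the tutorial, the test covers a lookalike host such as test.com.evil.example, which the suffix mask correctly rejects because it does not end in `.test.com`.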


Nginx access control

Requirement: requests for the /admin/ directory are only allowed from a few IPs. Configuration:

location /admin/
{
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
}
  • mkdir /data/wwwroot/test.com/admin/
  • echo "test,test" > /data/wwwroot/test.com/admin/1.html
  • /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
  • curl -x127.0.0.1:80 test.com/admin/1.html -I
  • curl -x192.168.133.130:80 test.com/admin/1.html -I
  • Regular expressions can be matched too
location ~ .*(abc|image)/.*\.php$
{
        deny all;
}
  • Restricting by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all and return 403 have the same effect
Nginx access control: in day-to-day site operations there are often abnormal requests, or deliberate restrictions to impose, such as keeping important content away from outsiders. A whitelist can then allow only your own public IP, or your company's public IPs, to access it.

1. Edit the configuration file vim /usr/local/nginx/conf/vhost/test.com.conf

Add the access control block

location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }

2. Check the configuration file for syntax errors, then reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test

[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:19:55 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT
Connection: keep-alive
ETag: "5b3cf8d2-b"
Accept-Ranges: bytes

[root@xuexi-001 vhost]# curl -x192.168.5.130:80 -I test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:20:22 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT
Connection: keep-alive
ETag: "5b3cf8d2-b"
Accept-Ranges: bytes

4. In the log file, the request from 192.168.5.130 shows source IP 192.168.5.130; since that address is on the whitelist it is allowed, so the status code is 200

[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
Regular expression matching
  • Example
    • A site gets compromised and its database stolen because PHP parsing was never disabled for the image upload directory: a one-line web shell is uploaded, PHP executes it, and the site is taken over
    • Every directory that accepts uploads must have PHP parsing disabled
    • Adding the following block disables PHP parsing in the upload directories
location ~ .*(upload|image)/.*\.php$        # anything under upload or image that ends in .php
{
        deny all;            # is denied
}

1. Open the configuration file vim /usr/local/nginx/conf/vhost/test.com.conf

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf

    listen 80;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }   
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }     
     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{    
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                   
        return 403;        
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }   
    access_log /tmp/test.com.log combined_realip;
}   

2. Check the configuration file for syntax errors and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test: first the directory itself, then a PHP resource in it

4. Create an upload directory, then create a PHP file in it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/upload
[root@xuexi-001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php

5. Accessing 1.php under the upload directory returns status 403, access denied

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

6. Now create 1.txt under the upload directory and test again

[root@xuexi-001 vhost]#  echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt
dasdasdas

7. View the access log with cat /tmp/test.com.log

[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:27:34 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:28:23 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
Restricting by user_agent
  • If the site is under a CC (HTTP flood) attack, or certain crawlers should be kept out, or the site is meant to stay hidden and unsearchable, the Baidu, Google, Youdao and similar spiders can be blocked; with no spider crawling the site and the address given to nobody, others cannot learn of the site, because it is hidden.
  • Just restrict by user_agent by adding the following block
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all and return 403 have the same effect

Walkthrough:

1. Open the configuration file vim /usr/local/nginx/conf/vhost/test.com.conf

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf

    if ($host != 'test.com' ) {
    }   
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }     
     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{    
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                   
        return 403;        
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }   
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    } 
    access_log /tmp/test.com.log combined_realip;
}   

2. Check the configuration file for syntax errors and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Simulate a user_agent and test; the response is 403

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:33:39 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT
Connection: keep-alive
ETag: "5b3e552e-a"
Accept-Ranges: bytes

[root@xuexi-001 vhost]# curl -A "Tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I

HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:35:27 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

3. deny all and return 403 have the same effect

4. If the request is repeated with the string in lower case, the status code is 200, because the match is case-sensitive

[root@xuexi-001 vhost]# curl -A "tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I 
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:36:52 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT
Connection: keep-alive
ETag: "5b3e552e-a"
Accept-Ranges: bytes

5. To ignore case, add a * after the match operator in the configuration file

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf 

  if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# curl -A "tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:38:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
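
The allow/deny list for /admin/ and the $http_user_agent test can be replayed offline with the following Python code, an added example that is not nginx code and not part of the tutorial. It models what the tutorial configured: allow/deny rules are evaluated top to bottom with the first matching rule deciding, and the `if ($http_user_agent ~ '...')` regex is case-sensitive with `~` and case-insensitive with `~*`. Because an `if` in server context runs in nginx's rewrite phase, before the access phase that evaluates allow/deny, the user-agent check is applied first here. The CIDR rule in the test is an added assumption showing that allow/deny also accept networks.

```python
"""Replay nginx allow/deny and user-agent rules from test.com.conf.

Added example, not part of the tutorial. ADMIN_RULES and UA_PATTERN are
copied from the configuration shown on this page.
"""
import ipaddress
import re

ADMIN_RULES = [("allow", "192.168.5.130"), ("allow", "127.0.0.1"), ("deny", "all")]
UA_PATTERN = r"Spider/3.0|YoudaoBot|Tomato"


def ip_allowed(client_ip, rules):
    """First-match evaluation of (action, target) rules; no match means allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            matched = True
        else:
            net = ipaddress.ip_network(target, strict=False)   # single IP or CIDR
            matched = addr.version == net.version and addr in net
        if matched:
            return action == "allow"
    return True   # nginx permits the request when no rule matches


def ua_blocked(user_agent, pattern=UA_PATTERN, case_insensitive=False):
    """True when the `if ($http_user_agent ~ ...)` condition fires (returns 403)."""
    flags = re.IGNORECASE if case_insensitive else 0   # ~* versus ~
    return re.search(pattern, user_agent or "", flags) is not None


def admin_status(client_ip, user_agent, case_insensitive=False):
    """Status for GET /admin/ from client_ip with the given User-Agent."""
    if ua_blocked(user_agent, case_insensitive=case_insensitive):
        return 403                                    # server-level if, rewrite phase
    if not ip_allowed(client_ip, ADMIN_RULES):
        return 403                                    # location /admin/ deny all
    return 200


if __name__ == "__main__":
    for ip, ua in [("127.0.0.1", "curl/7.29.0"), ("192.168.5.131", "curl/7.29.0"),
                   ("127.0.0.1", "Tomatoslf"), ("127.0.0.1", "tomatoslf")]:
        print(ip, ua, admin_status(ip, ua), admin_status(ip, ua, case_insensitive=True))
```

Note that ip_allowed() works on $remote_addr, the TCP peer; as with the log format earlier, X-Forwarded-For must not be substituted here unless nginx's realip module has been configured to trust a specific upstream proxy.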

Nginx configuration for parsing PHP

Configuration:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

fastcgi_pass specifies the address or socket that php-fpm listens on

Nginx PHP parsing configuration

Add the following block:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;        # a wrong path here produces a 502
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

1. Open the virtual host configuration file; test.com.conf cannot parse PHP yet, so add the block to it

[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf 

    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
   # }
{    
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                   
        return 403;        
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }   
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    } 
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }  
    access_log /tmp/test.com.log combined_realip;
}   

2. Create a PHP file: generate 3.php under /data/wwwroot/test.com/

[root@xuexi-001 ~]# vi /data/wwwroot/test.com/3.php

<?php
phpinfo();

3. Access 3.php: the file is not parsed and its source code is shown

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

4. Check the configuration file for syntax errors and reload it

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. Access 3.php again; it is now parsed normally

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php

6. If the path in fastcgi_pass unix:/tmp/php-fcgi.sock; in the PHP parsing configuration is wrong, the response is a 502, because the socket file cannot be found

7. After breaking the configuration file and reloading, accessing 3.php gives a 502 status code

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

8. View the error log with cat /usr/local/nginx/logs/nginx_error.log; it reports no such file or directory

[root@xuexi-001 ~]# cat /usr/local/nginx/logs/nginx_error.log 
2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"

9. When hitting a 502, check whether the configured address is correct: first read the error log, then check whether the file it names exists, then look in cat /usr/local/php-fpm/etc/php-fpm.conf for the socket defined there and write exactly that in the nginx configuration file
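
The check described in step 9 can be scripted: read the `fastcgi_pass` value from the vhost file and the `listen` value from php-fpm.conf and compare them. The following Python code is an added example, not part of the tutorial or of either project. The configuration texts below are constructed inline from the snippets shown on this page (the working socket setup, the php-cgi.sock typo, and the 127.0.0.1:9000 variant); on a real host, pass the contents of the two files instead.

```python
"""Check that nginx's fastcgi_pass matches php-fpm's listen setting.

Added example, not part of the tutorial. Lines starting with '#' or ';'
are treated as comments, as both programs do.
"""
import re

# Constructed from the snippets on this page.
NGINX_VHOST_SOCK = """\
location ~ \\.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
}
"""
NGINX_VHOST_TYPO = NGINX_VHOST_SOCK.replace("php-fcgi.sock", "php-cgi.sock")
NGINX_VHOST_TCP = """\
location ~ \\.php$
{
    include fastcgi_params;
#   fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_pass 127.0.0.1:9000;
}
"""
PHP_FPM_SOCK = """\
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
"""
PHP_FPM_TCP = PHP_FPM_SOCK.replace(
    "listen = /tmp/php-fcgi.sock", "#listen = /tmp/php-fcgi.sock\nlisten = 127.0.0.1:9000")


def fastcgi_pass_target(nginx_conf_text):
    """First active fastcgi_pass value, e.g. 'unix:/tmp/php-fcgi.sock' or '127.0.0.1:9000'."""
    for line in nginx_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"fastcgi_pass\s+([^;]+);", line)
        if m:
            return m.group(1).strip()
    return None


def php_fpm_listen(php_fpm_conf_text, pool="www"):
    """Active 'listen' value of the given pool section, or None."""
    section = None
    for line in php_fpm_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r"listen\s*=\s*(.+)$", line)
        if m and section == pool:
            return m.group(1).strip()
    return None


def normalize(target):
    """Map both spellings to a comparable (kind, value) pair."""
    if target is None:
        return None
    if target.startswith("unix:"):
        return ("unix", target[5:])
    if target.startswith("/"):               # php-fpm writes a bare socket path
        return ("unix", target)
    return ("tcp", target)


def check_backend(nginx_conf_text, php_fpm_conf_text, pool="www"):
    """Return (ok, message) describing whether nginx and php-fpm agree."""
    np = normalize(fastcgi_pass_target(nginx_conf_text))
    pp = normalize(php_fpm_listen(php_fpm_conf_text, pool))
    if np is None:
        return False, "no fastcgi_pass found in nginx vhost"
    if pp is None:
        return False, "no listen found in php-fpm pool [%s]" % pool
    if np == pp:
        return True, "nginx fastcgi_pass %s matches php-fpm listen" % np[1]
    return False, "mismatch: nginx -> %s:%s, php-fpm -> %s:%s (expect 502)" % (np + pp)


if __name__ == "__main__":
    print(check_backend(NGINX_VHOST_SOCK, PHP_FPM_SOCK))
    print(check_backend(NGINX_VHOST_TYPO, PHP_FPM_SOCK))
    print(check_backend(NGINX_VHOST_SOCK, PHP_FPM_TCP))
```

A mismatch report covers both 502 cases on this page: the mistyped socket name, and php-fpm switched to 127.0.0.1:9000 while nginx still points at the socket.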

Another 502 scenario

1. Suppose php-fpm listens on an IP and port instead of a socket

2. First change the configuration with vim /usr/local/php-fpm/etc/php-fpm.conf

Comment out listen = /tmp/php-fcgi.sock (giving #listen = /tmp/php-fcgi.sock) and add listen = 127.0.0.1:9000

[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf


[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

3. Restart PHP with /etc/init.d/php-fpm restart; php-fpm also supports reload

[root@xuexi-001 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

4. Check the php-fpm configuration file for syntax errors and reload the nginx configuration

[root@xuexi-001 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[09-Jul-2018 09:34:06] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. Check that the listening address is 127.0.0.1:9000

[root@xuexi-001 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1005/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      905/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1256/master         
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1813/php-fpm: maste 
tcp6       0      0 :::22                   :::*                    LISTEN      905/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1256/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1216/mysqld         

6. Request 3.php again

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

7. The error log still reports that the socket file does not exist, so the nginx vhost config must be changed as well: in the PHP location block, comment out the unix socket line and add the IP and port

[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf 

   # {
   #       expires      7d;
   #       access_log off;
   # }
     location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
#       fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;   // comment out the unix socket, add the IP and port
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }
    access_log /tmp/test.com.log combined_realip;

8. Check for syntax errors and reload the configuration

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

9. Request 3.php again; it is now served normally

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 01:46:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

10. If a 502 appears, check that the fastcgi_pass address in the nginx config matches the address configured in php-fpm

  • The listen = /tmp/php-fcgi.sock setting in php-fpm is important: it decides whether nginx can hand requests to PHP correctly or returns 502

  • When the php-fpm listen uses a socket, the corresponding nginx config must use fastcgi_pass unix:/tmp/php-fcgi.sock;

  • When the php-fpm listen uses IP and port "127.0.0.1:9000", the corresponding nginx config must be changed to fastcgi_pass 127.0.0.1:9000;

11. The path in fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; must correspond to the root /data/wwwroot/test.com; at the top of the config

Other 502 scenarios

PHP 5.4 and later versions have a characteristic worth knowing, shown below: switch the listen back to the socket, drop the IP:port listen, and comment out listen.mode

1. Edit the php-fpm config: uncomment listen = /tmp/php-fcgi.sock, and comment out the other two lines as #listen = 127.0.0.1:9000 and #listen.mode = 666

[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf


[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock 
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

2. Reload php-fpm

[root@xuexi-001 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

3. The socket file now has mode 660 and is owned by user root, group root

[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock 
srw-rw---- 1 root root 0 7月   9 09:51 /tmp/php-fcgi.sock

4. Edit the nginx vhost config: uncomment fastcgi_pass unix:/tmp/php-fcgi.sock; and comment out the other line as #fastcgi_pass 127.0.0.1:9000;

The fastcgi_pass unix:/tmp/php-fcgi.sock; line tells nginx to connect to php-fpm through the socket file

    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
#       fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

5. Test the configuration and reload

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

6. Request 3.php; still 502

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

7. Check the error log

[root@xuexi-001 ~]# tail /usr/local/nginx/logs/
access.log       error.log        nginx_error.log  nginx.pid
[root@xuexi-001 ~]# tail /usr/local/nginx/logs/nginx_error.log 
2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/07/09 09:37:07 [crit] 1847#0: *6 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
2018/07/09 09:59:38 [crit] 2016#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"

8. The socket file's default mode is 660: the root user can read it and the root group can read it, but other users cannot

9. The nginx worker processes run as nobody, so it is the nobody user that opens the socket

[root@xuexi-001 ~]# ps aux |grep nginx
root       1005  0.0  0.0  21348  1696 ?        Ss   08:38   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     2015  0.0  0.1  23272  3452 ?        S    09:57   0:00 nginx: worker process
nobody     2016  0.0  0.2  23272  3952 ?        S    09:57   0:00 nginx: worker process
root       2080  0.0  0.0 112724   972 pts/0    S+   10:03   0:00 grep --color=autonginx

10. As a temporary fix, change the socket's owner to nobody

[root@xuexi-001 ~]# chown nobody /tmp/php-fcgi.sock 

11. Requesting 3.php now succeeds

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 02:09:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

12. It works because the nobody user now has read permission on the socket

13. listen.mode is defined in the php-fpm config precisely so that any user can read the socket

14. Uncomment listen.mode in the config again

listen.mode = 666

15. Restart php-fpm, check the socket's permissions, and test access

[root@xuexi-001 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock 
srw-rw-rw- 1 root root 0 7月   9 10:12 /tmp/php-fcgi.sock
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 02:13:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

There is yet another 502 case: when the php-fpm service runs out of resources it also returns 502, and then php-fpm needs tuning
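A small diagnostic that ties the two 502 causes above together (the listen/fastcgi_pass mismatch from steps 10-11 and the socket permission case from steps 8-13), as an added example that is not part of the original post. It classifies nginx error-log lines and compares php-fpm's active listen with the vhost's active fastcgi_pass; the file contents and log lines in it are constructed for the demo, not taken from a live server.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose the 502 causes shown above.
# All file contents and log lines below are constructed for the demo.

# Map one nginx error-log line to a short diagnosis.
classify_502() {
  case "$1" in
    *"connect() to unix:"*"(2: No such file or directory)"*)
      echo "missing-socket" ;;        # php-fpm is not listening on that path
    *"connect() to unix:"*"(13: Permission denied)"*)
      echo "socket-permission" ;;     # the worker user cannot open the socket
    *) echo "other" ;;
  esac
}

# Normalise a "listen" or "fastcgi_pass" value to "unix:/path" or "host:port".
normalize_addr() {
  addr=$(printf '%s' "$1" | sed -e 's/;.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  case "$addr" in
    /*) echo "unix:$addr" ;;   # php-fpm writes a bare path for a socket
    *)  echo "$addr" ;;
  esac
}

# Return 0 when the first uncommented "listen =" in php-fpm.conf ($1) matches
# the first uncommented "fastcgi_pass" in the vhost file ($2), 1 otherwise.
check_fastcgi_match() {
  fpm=$(grep -E '^[[:space:]]*listen[[:space:]]*=' "$1" | head -n1 | sed 's/^[^=]*=//')
  ngx=$(grep -E '^[[:space:]]*fastcgi_pass[[:space:]]' "$2" | head -n1 | sed 's/^[[:space:]]*fastcgi_pass//')
  [ "$(normalize_addr "$fpm")" = "$(normalize_addr "$ngx")" ]
}

# Constructed sample files reproducing the mismatch from step 7 (bad.conf)
# and the corrected vhost from step 9 (good.conf).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf '[www]\n#listen = /tmp/php-fcgi.sock\nlisten = 127.0.0.1:9000\n' >"$DEMO/php-fpm.conf"
printf '    location ~ \\.php$ {\n        fastcgi_pass unix:/tmp/php-fcgi.sock;\n    }\n' >"$DEMO/bad.conf"
printf '    location ~ \\.php$ {\n#       fastcgi_pass unix:/tmp/php-fcgi.sock;\n        fastcgi_pass 127.0.0.1:9000;\n    }\n' >"$DEMO/good.conf"

# Constructed log line in the same format as the nginx_error.log entries above.
SAMPLE_LOG='2018/07/09 09:59:38 [crit] 2016#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream'

if check_fastcgi_match "$DEMO/php-fpm.conf" "$DEMO/bad.conf"; then
  echo "bad.conf: fastcgi_pass matches the php-fpm listen"
else
  echo "bad.conf: fastcgi_pass does not match the php-fpm listen (expect 502)"
fi
echo "log line diagnosis: $(classify_502 "$SAMPLE_LOG")"
```

For the permission case, also compare the socket's owner and mode (ls -l /tmp/php-fcgi.sock) against the user shown for the nginx worker processes in ps aux, as the steps above do by hand.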

Nginx proxy

Sometimes users cannot reach the web server directly and need an intermediary that can talk to both the web server and the user. Also, when users can reach the web server but access is slow, an nginx proxy can be used

Create a new file proxy.conf under the nginx vhost directory

  • cd /usr/local/nginx/conf/vhost
  • vim proxy.conf

Add the following content:

server
{
    listen 80;
    server_name ask.apelearn.com;   // the domain name users will request
    location /
    {
        proxy_pass     http://121.201.9.155/;        // tells nginx where the real server is (the web server's IP)
        proxy_set_header Host   $host;               // $host equals the server_name above
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Before the proxy file is set up, test access to www.baidu.com/robots.txt through the local nginx

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 03:02:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Set up the proxy server:

1. Create the file and add the configuration
[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# vi proxy.conf

server
{
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass     http://119.75.216.20/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

2. Test the configuration and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test without the proxy: access succeeds

[root@xuexi-001 vhost]# curl www.baidu.com/robots.txt -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 2754
Content-Type: text/plain
Date: Mon, 09 Jul 2018 03:07:38 GMT
Etag: "ac2-5563e2ac212b7"
Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=C30CA25B16D70C6E28ADB714EB6A80BC:FG=1; expires=Tue, 09-Jul-19 03:07:38 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding,User-Agent

4. Test through the proxy
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 03:07:56 GMT
Content-Type: text/plain
Content-Length: 2754
Connection: keep-alive
Accept-Ranges: bytes
Etag: "ac2-5563e2ab4b400"
Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Set-Cookie: BAIDUID=D904E71FD19FBCAEB64951864689F629:FG=1; expires=Tue, 09-Jul-19 03:07:56 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding,User-Agent

curl -x127.0.0.1:80 www.baidu.com/robots.txt -I // points at the local machine and still works. Normally, without a proxy configured, the local machine could not reach the remote site this way; the proxy server is the VM where the proxy is configured, and the web server is the forum site

An nginx proxy defines a custom domain on a proxy server; the domain points at one or more IPs, and the proxy server forwards users' requests to the web server(s) at those IPs;

When the domain points at multiple IPs, upstream is needed so that users can reach each IP normally through the proxy server: this is load balancing.


Nginx load balancing

Nginx load balancing: when the proxy server resolves the custom domain to several IPs, upstream ensures that users can reach each IP normally through the proxy server.

Load balancing configuration:

vim /usr/local/nginx/conf/vhost/load.conf // add the following content
upstream qq_com    // this name is user-defined, but proxy_pass below must refer to it exactly
{
    ip_hash;    // keeps the same client on the same backend server
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
upstream is used to specify multiple web servers

Demonstration:

1. Use the dig command to look up the addresses the domain resolves to; if dig is missing, install it with yum -y install bind-utils

[root@xuexi-001 ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.				IN	A

;; ANSWER SECTION:
qq.com.			246	IN	A	111.161.64.40
qq.com.			246	IN	A	111.161.64.48
// two IP addresses are returned
;; Query time: 10 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 7月 10 23:22:25 CST 2018
;; MSG SIZE  rcvd: 67

2. The two resolved IPs can be used to build a load balancer

3. Create a new file load.conf in the vhost directory and add the following content

[root@xuexi-001 ~]# vim /usr/local/nginx/conf/vhost/load.conf

upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;    // the domain name served on the listening port
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Before the new config is loaded, accessing www.qq.com from the local machine shows the default site

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 www.qq.com
This is the default site.

4. Test the configuration and reload

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. After reloading the configuration, test again: the HTML of the qq.com page is returned

Reposted from: https://my.oschina.net/u/3850965/blog/1841434
