Nginx default virtual host
-
First edit nginx.conf and delete the entire server block inside it
vim /usr/local/nginx/conf/nginx.conf
*Delete the following*
server
{
listen 80;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
-
Then add the line include vhost/*.conf; below it
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm
application/xml;
*Add this line*
include vhost/*.conf;
}
-
Create the vhost directory: mkdir /usr/local/nginx/conf/vhost
-
Then go into it and create aaa.com.conf
[root@aminglinux-01 conf]# cd vhost/
[root@aminglinux-01 vhost]# vim aaa.com.conf
-
Edit aaa.com.conf
server
{
listen 80 default_server; # the server carrying this flag is the default virtual host
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
-
Create /data/wwwroot/default and put some content in it
[root@aminglinux-01 vhost]# mkdir -p /data/wwwroot/default
[root@aminglinux-01 vhost]# cd /data/wwwroot/default/
vim index.html and write: This is the default site.
-
Check for syntax errors: /usr/local/nginx/sbin/nginx -t
[root@aminglinux-01 default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-01 default]#
-
Reload: /usr/local/nginx/sbin/nginx -s reload
-
Test with curl localhost; the correct result is:
[root@aminglinux-01 conf]# curl localhost
This is the default site.
Nginx user authentication
-
vim /usr/local/nginx/conf/vhost/test.com.conf   # write the following content
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
-
Then install the package that provides the password-file tool: yum install -y httpd
-
Generate the password
[root@aminglinux-01 vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd aming
New password:
Re-type new password:
Adding password for user aming
[root@aminglinux-01 vhost]#
-
Test with -t, then reload
-
Test
[root@aminglinux-01 vhost]# curl -x192.168.245.130:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@aminglinux-01 vhost]#
401 means access was denied; try again with the username and password: curl -uaming:123456 -x192.168.245.130:80 test.com
[root@aminglinux-01 vhost]# curl -uaming:123456 -x192.168.245.130:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@aminglinux-01 vhost]#
The 404 is because the document root for test.com has not been created yet
[root@aminglinux-01 vhost]# mkdir /data/wwwroot/test.com
[root@aminglinux-01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@aminglinux-01 vhost]# curl -uaming:123456 -x192.168.245.130:80 test.com
test.com
[root@aminglinux-01 vhost]#
-
To require authentication only for particular files or directories, edit test.com.conf under vhost
location /admin/    # put the file or directory to restrict directly after "location"
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
Nginx domain redirection
- Modify test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
}
-
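server_name accepts several domain names; compare this with how httpd handles it
-
permanent is a permanent redirect with status code 301; writing redirect gives 302 instead
-
^/(.*)$: the leading ^ stands for the domain name,
-
and /(.*)$ stands for whatever follows the domain name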
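Nginx access log
-
Log format
vim /usr/local/nginx/conf/nginx.conf   # search for log_format
$remote_addr            client IP (public IP)
$http_x_forwarded_for   proxy server IP
$time_local             server local time
$host                   requested host name (domain)
$request_uri            requested URL
$status                 status code
$http_referer           referer
$http_user_agent        user_agent
-
Besides defining the log format in the main configuration file nginx.conf, you also need to add access_log /tmp/1.log combined_realip; to the virtual host configuration file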
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
access_log /tmp/1.log combined_realip;
}
combined_realip here is the name of the log format defined in nginx.conf
Check and reload: -t && -s reload
Test: curl -x192.168.245.130:80 test.com -I
cat /tmp/1.log
[root@aminglinux-01 vhost]# curl -x192.168.245.130:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Sat, 21 Oct 2017 01:25:36 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@aminglinux-01 vhost]# cat /tmp/1.log
192.168.245.130 - [21/Oct/2017:09:25:36 +0800] test.com "/" 401 "-" "curl/7.29.0"
[root@aminglinux-01 vhost]#
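With auth_basic in place, repeated 401 lines from one address in this log are the trace that password guessing leaves. The following is an added example, not part of the original page: it assumes the field order of the sample line shown above, runs over constructed log lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count 401 responses per client in a combined_realip log.
# Assumed field order (taken from the sample line on this page):
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"

# Constructed sample log lines (not from a real server).
sample_log() {
cat <<'EOF'
192.168.245.130 - [21/Oct/2017:09:25:36 +0800] test.com "/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:26:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:26:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.7 10.0.0.1, 10.0.0.2 [21/Oct/2017:09:26:03 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:26:04 +0800] test.com "/admin/?q=401" 200 "-" "curl/7.29.0"
198.51.100.9 - [21/Oct/2017:09:27:10 +0800] test.com "/index.html" 200 "http://test.com/" "Mozilla/5.0"
EOF
}

# auth_failures_by_ip THRESHOLD < logfile
# Prints "count ip" for every $remote_addr with at least THRESHOLD 401 responses.
# Keyed on $remote_addr: $http_x_forwarded_for is copied from a request header
# and may hold several comma-separated entries, so it is skipped, not parsed.
auth_failures_by_ip() {
  awk -F'"' -v min="${1:-3}" '
    NF >= 7 {
      split($1, head, " ")     # head[1] is $remote_addr, whatever follows it
      status = $3 + 0          # the text between "$request_uri" and "$http_referer"
      if (status == 401) fails[head[1]]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
  ' | sort -k1,1nr -k2,2
}

sample_log | auth_failures_by_ip 3
```

Splitting on the double quote rather than on spaces keeps the status column in place when the X-Forwarded-For value contains spaces, and a "401" inside the request URI is not mistaken for the status.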
Nginx log rotation
Nginx has no built-in rotation tool, so a shell script is needed
-
Write the following content: vim /usr/local/sbin/nginx_logrotate.sh
#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`   # yesterday's date, used as the archive suffix
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd "$logdir" || exit 1   # stop if the log directory is missing
for log in `ls *.log`
do
mv "$log" "$log-$d"
done
/bin/kill -HUP `cat $nginx_pid`   # signal nginx so it opens fresh log files
-
Run it to test
[root@aminglinux-01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20171020
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls 1.log
+ for log in '`ls *.log`'
+ mv 1.log 1.log-20171020
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 850
+ /root
/usr/local/sbin/nginx_logrotate.sh:行11: /root: 是一个目录
[root@aminglinux-01 vhost]# ls /tmp/
1.log 1.log-20171020 mysql.sock pear php-fcgi.sock systemd-private-b9931a4a12de47bfa443a28713c6f410-vmtoolsd.service-Fu8IIH
[root@aminglinux-01 vhost]#
The final "/root" error in this run (bash reporting that /root is a directory) came from a stray ~ line, vim's empty-line marker, that had been saved as line 11 of the script file; the script above omits it.
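The script above runs as root over every *.log in /tmp, a directory any local user can write to. The following added example (not the page's script) shows a more defensive rotation step: it skips symlinks and non-regular files, never overwrites an existing archive, and sends USR1, the nginx signal for reopening log files. The function names and the throwaway demo directory are assumptions.

```shell
#!/bin/sh
# Added example (not the page's script). Function names are hypothetical.

# rotate_logs DIR STAMP: rename DIR/*.log to *.log-STAMP, print how many moved.
# The body runs in a subshell "( )" so the caller's working directory is untouched.
rotate_logs() (
  cd "$1" || exit 1
  n=0
  for log in *.log; do
    # Regular files only: a symlink named x.log could point anywhere.
    if [ ! -f "$log" ] || [ -L "$log" ]; then continue; fi
    # Never overwrite an archive that already exists for this stamp.
    if [ -e "$log-$2" ]; then continue; fi
    mv -- "$log" "$log-$2" && n=$((n + 1))
  done
  echo "$n"
)

# reopen_nginx_logs PIDFILE: USR1 makes the nginx master reopen its log files.
reopen_nginx_logs() {
  pid=$(cat "$1" 2>/dev/null) || return 1
  case $pid in ''|*[!0-9]*) return 1 ;; esac   # refuse anything but digits
  kill -USR1 "$pid"
}

# Demo on a throwaway directory with constructed files.
demo=$(mktemp -d)
echo hit > "$demo/1.log"
ln -s "$demo/1.log" "$demo/link.log"
echo "rotated: $(rotate_logs "$demo" 20171020)"
rm -rf "$demo"
```

On a real host, call rotate_logs on the log directory and then reopen_nginx_logs /usr/local/nginx/logs/nginx.pid; keeping logs in a directory only root can write to removes the symlink concern at its source.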
Static files: no logging, and expiry time
-
Configuration file: [root@aminglinux-01 vhost]# vim test.com.conf, then write the following configuration
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
Nginx anti-hotlinking
-
Edit: vi /usr/local/nginx/conf/vhost/test.com.conf
First comment out the earlier configuration
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
Add the anti-hotlinking configuration
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
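Nginx access control
-
Requirement: requests to the /admin/ directory are allowed only from certain IPs. Configure it as follows:
Add this configuration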
location /admin/
{
allow 127.0.0.1;
allow 192.168.245.130;
deny all;
}
Only addresses listed with allow get through; everything else is denied.
[root@aminglinux-01 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@aminglinux-01 ~]# mkdir /data/wwwroot/test.com/admin/
[root@aminglinux-01 ~]# echo “test,test”>/data/wwwroot/test.com/admin/1.html
[root@aminglinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@aminglinux-01 ~]# curl -x192.168.245.130:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Oct 2017 04:21:33 GMT
Content-Type: text/html
Content-Length: 16
Last-Modified: Tue, 24 Oct 2017 04:19:08 GMT
Connection: keep-alive
ETag: "59eebf3c-10"
Accept-Ranges: bytes
-
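Disable PHP parsing in directories that accept uploads.
Add this configuration, above the location ~ \.php$ block so that it is matched first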
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
-
Restrict by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Nginx PHP parsing configuration
-
Configure PHP parsing as follows:
vi /usr/local/nginx/conf/vhost/test.com.conf and add
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
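nginx tries regex locations in the order they appear in the file and uses the first one that matches, so the upload-directory deny rule from the access control section only works if it sits above this PHP handler. The following added example, not part of the original page, checks a vhost file for that ordering; the function names are hypothetical, the configuration text is constructed, and it assumes flat location blocks as written on this page.

```shell
#!/bin/sh
# Added example: flag "deny all" regex locations for *.php that come AFTER the
# general PHP handler, where they are never reached.
# Assumption: location blocks are flat (no nested braces), as on this page.

shadowed_php_denies() {   # usage: shadowed_php_denies < vhost.conf
  awk '
    /^[ \t]*location[ \t]+~\*?[ \t]/ { inloc = 1; start = NR; pat = $0; handler = 0; deny = 0 }
    inloc && /fastcgi_pass/          { handler = 1 }
    inloc && /deny[ \t]+all/         { deny = 1 }
    inloc && index($0, "}") {
      if (handler && !first) first = start          # first block that runs PHP
      if (deny && pat ~ /php/) { n++; dline[n] = start }
      inloc = 0
    }
    END {
      for (i = 1; i <= n; i++)
        if (first && dline[i] > first)
          print "line " dline[i] ": unreachable, PHP handler at line " first " is matched first"
    }
  '
}

bad_conf() {   # constructed input: handler first, deny second
cat <<'EOF'
    location ~ \.php$
    {
        fastcgi_pass unix:/tmp/php-fcgi.sock;
    }
    location ~ .*(abc|image)/.*\.php$
    {
        deny all;
    }
EOF
}

# Same two blocks with the deny rule moved above the handler.
good_conf() { bad_conf | sed -n '5,8p'; bad_conf | sed -n '1,4p'; }

bad_conf | shadowed_php_denies
```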
Nginx proxy
With the following configuration, ask.apelearn.com can be accessed through this machine
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://121.201.9.155/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}