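【CentOS 6.5】
I. Installing Nginx
II. Nginx configuration
III. Configuring Nginx virtual hosts
IV. Nginx access control
I. Installing Nginx
1.1 Install Nginx from source; remove the Apache service with rpm
【devel packages: header files and shared libraries used for development; pcre: a Perl-compatible regular expression library; zlib: a library that provides data compression】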
[root@localhost ~]# rpm -q httpd
httpd-2.2.15-29.el6.centos.x86_64
[root@localhost ~]# rpm -e httpd --nodeps 【uninstall Apache】
[root@localhost ~]# rpm -q httpd
package httpd is not installed
[root@localhost ~]# rpm -q pcre-devel zlib-devel gcc gcc-c++ make
package pcre-devel is not installed
package zlib-devel is not installed
package gcc is not installed
package gcc-c++ is not installed
make-3.81-20.el6.x86_64
[root@localhost yum.repos.d]# umount /dev/sr0
[root@localhost yum.repos.d]# mkdir /media/cdrom
[root@localhost yum.repos.d]# mount /dev/sr0 /media/cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@localhost yum.repos.d]# cd /etc/yum.re*
[root@localhost yum.repos.d]# mkdir a/
[root@localhost yum.repos.d]# mv C* a/
[root@localhost yum.repos.d]# cat a/*M* >locp.repo
[root@localhost yum.repos.d]# sed -i '20 s/0/1/' locp.repo
[root@localhost yum.repos.d]# yum -y clean all
Loaded plugins: fastestmirror, refresh-packagekit, security
Cleaning repos: c6-media
Cleaning up Everything
Cleaning up list of fastest mirrors
[root@localhost yum.repos.d]# yum makecache
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
* c6-media:
file:///media/CentOS/repodata/repomd.xml: [Errno 14] Could not open/read file:///media/CentOS/repodata/repomd.xml
Trying other mirror.
file:///media/cdrecorder/repodata/repomd.xml: [Errno 14] Could not open/read file:///media/cdrecorder/repodata/repomd.xml
Trying other mirror.
c6-media | 4.0 kB 00:00 ...
c6-media/group_gz | 220 kB 00:00 ...
c6-media/filelists_db | 5.8 MB 00:00 ...
c6-media/primary_db | 4.4 MB 00:00 ...
c6-media/other_db | 2.7 MB 00:00 ...
Metadata Cache Created
[root@localhost yum.repos.d]# cd
[root@localhost ~]# yum -y install pcre-devel zlib-devel gcc-c++
[root@localhost ~]# rpm -q pcre-devel zlib-devel gcc gcc-c++ make
pcre-devel-7.8-6.el6.x86_64
zlib-devel-1.2.3-29.el6.x86_64
gcc-4.4.7-4.el6.x86_64
gcc-c++-4.4.7-4.el6.x86_64
make-3.81-20.el6.x86_64
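1.2 Create the run-as user and group
【-s sets the user's login shell; /sbin/nologin disables login; -M skips creating a home directory. The goal is to run the Nginx service as nginx instead of the default user nobody, which improves security】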
[root@localhost ~]# useradd -M -s /sbin/nologin nginx
[root@localhost ~]# tail -1 /etc/passwd ;tail -1 /etc/group 【check the new user and group entries】
nginx:x:500:500::/home/nginx:/sbin/nologin
nginx:x:500:
1.3 Compile and install Nginx
[root@localhost ~]# tar xf nginx-1.6.0.tar.gz -C /usr/src/
[root@localhost ~]# cd /usr/src/nginx-1.6.0/
[root@localhost nginx-1.6.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
checking for OS
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
[root@localhost nginx-1.6.0]# make &&make install
【the --with-http_stub_status_module option builds in the statistics module (stub_status)】
[root@localhost nginx-1.6.0]# cd
[root@localhost ~]# ls /usr/local/nginx
conf html logs sbin
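【conf: configuration files; html: website files; logs: log files; sbin: binary programs used by the administrator】
1.4 Create a link to the nginx main program
【ln -s SOURCE TARGET creates a symbolic link; ln SOURCE TARGET creates a hard link.
Remove either kind of link with rm softlink_file or unlink softlink_file】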
[root@localhost ~]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost ~]# ll /usr/local/sbin/nginx
lrwxrwxrwx. 1 root root 27 4月 21 01:53 /usr/local/sbin/nginx -> /usr/local/nginx/sbin/nginx
1.5 Controlling Nginx
Controlling Nginx by hand
nginx -t checks the configuration file syntax
Running the nginx main program starts Nginx
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# nginx 【start the nginx service】
[root@localhost ~]# netstat -anpt |grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5248/nginx
[root@localhost ~]# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 5248 root 6u IPv4 27794 0t0 TCP *:http (LISTEN)
nginx 5249 nginx 6u IPv4 27794 0t0 TCP *:http (LISTEN)
[root@localhost ~]# killall -1 nginx 【graceful restart】
[root@localhost ~]# killall -s HUP nginx 【graceful restart】
[root@localhost ~]# killall -3 nginx 【normal stop】
[root@localhost ~]# killall -s QUIT nginx 【normal stop】
nginx: 没有进程被杀死
[root@localhost ~]# killall -s USR1 nginx 【used for nginx log rotation, i.e. reopening the log files】
nginx: 没有进程被杀死
[root@localhost ~]# killall -s USR2 nginx 【used to upgrade the executable without downtime】
nginx: 没有进程被杀死
[root@localhost ~]# nginx -s reload
nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
[root@localhost ~]# nginx -s stop
nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
[root@localhost ~]# echo $PATH 【show the current PATH environment variable; its value is a colon-separated list of directory names】
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[root@localhost ~]# service iptables stop
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
1.6 Test from the local host: browse to http://192.168.1.133
[root@localhost ~]# cd /usr/local/nginx/logs/
[root@localhost logs]# ls
access.log error.log nginx.pid
[root@localhost logs]# rm -f access.log
[root@localhost logs]# ls
error.log nginx.pid
[root@localhost logs]# killall -s USR1 nginx 【reopen the log file】
[root@localhost logs]# ls
access.log error.log nginx.pid
[root@localhost logs]# cat access.log 【the log file is still empty】
After one request from the browser, a log entry appears
[root@localhost logs]# cat access.log 【view the log】
192.168.1.1 - - [21/Apr/2019:02:58:24 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
[root@localhost logs]# nginx -s stop
[root@localhost logs]# lsof -i :80 【no process is listening on port 80】
[root@localhost logs]# nginx 【start nginx】
[root@localhost logs]# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 5532 root 6u IPv4 28990 0t0 TCP *:http (LISTEN)
nginx 5533 nginx 6u IPv4 28990 0t0 TCP *:http (LISTEN)
1.7 Write an nginx service script
[root@A conf]# cd /etc/init.d/
[root@A init.d]# vim nginx
#!/bin/bash
# chkconfig: 2345 99 20
# description: Nginx Server Control Scripts shell
PROG="/usr/local/nginx/sbin/nginx"      # nginx binary
PIDF="/usr/local/nginx/logs/nginx.pid"  # pid file written by the master process
case "$1" in
    start)
        # An existing pid file is taken to mean nginx is already running
        if [ -f "$PIDF" ]; then
            echo "Nginx is running...Start it is error"
        else
            "$PROG"
        fi
        ;;
    stop)
        if [ -f "$PIDF" ]; then
            kill -3 "$(cat "$PIDF")"    # SIGQUIT: normal stop
            rm -f "$PIDF"
        else
            echo "Nginx is stopping...Stop it is error"
        fi
        ;;
    restart)
        "$0" stop
        "$0" start
        ;;
    reload)
        if [ -f "$PIDF" ]; then
            kill -1 "$(cat "$PIDF")"    # SIGHUP: graceful restart
        else
            echo "Nginx is stopping...reload it is error"
        fi
        ;;
    status)
        if [ -f "$PIDF" ]; then
            echo "Nginx is running"
        else
            echo "Nginx is stopped"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac
exit 0
Save and exit. Everything above is typed by hand.
[root@A init.d]# chmod +x /etc/init.d/nginx 【make the script executable】
[root@A init.d]# chkconfig --add nginx 【register the nginx runlevels】
[root@A init.d]# chkconfig --list nginx 【show the nginx runlevels】
nginx 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
[root@A init.d]# /etc/init.d/nginx status 【check the nginx status】
Nginx is running
[root@A init.d]# /etc/init.d/nginx start
Nginx is running...Start it is error
[root@A init.d]# /etc/init.d/nginx restart
[root@A init.d]# /etc/init.d/nginx stop
[root@A init.d]# /etc/init.d/nginx stop
Nginx is stopping...Stop it is error 【nginx is stopped, so stopping it is an error】
[root@A init.d]# /etc/init.d/nginx start
[root@A init.d]# /etc/init.d/nginx status
Nginx is running
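The service script above decides between "running" and "stopped" only by whether nginx.pid exists, so a pid file left behind after a crash reports a running server. The following is an added example, not part of the original script: a hypothetical helper, nginx_state, that also checks whether the recorded process is alive.

```sh
#!/bin/sh
# Added example (not the page's script): tell a live nginx from a stale pid file.
# nginx_state PIDFILE prints one of: running, stale, stopped.
nginx_state() {
    pidfile=$1
    # No pid file at all: nginx is not running (or never wrote one).
    [ -f "$pidfile" ] || { echo stopped; return 0; }
    pid=$(cat "$pidfile" 2>/dev/null) || pid=
    # Reject empty or non-numeric content before handing it to kill.
    case $pid in
        ''|*[!0-9]*) echo stale; return 0 ;;
    esac
    # kill -0 sends no signal; it only tests that the process exists.
    # Run it as root, as the init script is, so it cannot fail on permissions.
    if kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# Possible use in the status) branch of the init script:
#   case $(nginx_state /usr/local/nginx/logs/nginx.pid) in
#       running) echo "Nginx is running" ;;
#       stale)   echo "Nginx is stopped (stale pid file)" ;;
#       stopped) echo "Nginx is stopped" ;;
#   esac
```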
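II. Nginx configuration file analysis
2.1 Global configuration
[root@localhost logs]# cd /usr/local/nginx/conf/
[root@localhost conf]# ls 【nginx.conf, shown in red in the original listing, is the main configuration file】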
fastcgi.conf koi-win scgi_params
fastcgi.conf.default mime.types scgi_params.default
fastcgi_params mime.types.default uwsgi_params
fastcgi_params.default nginx.conf uwsgi_params.default
koi-utf nginx.conf.default win-utf
[root@localhost conf]# cp nginx.conf{,.bak}
[root@localhost conf]# ls 【check the backup file】
fastcgi.conf mime.types scgi_params.default
fastcgi.conf.default mime.types.default uwsgi_params
fastcgi_params nginx.conf uwsgi_params.default
fastcgi_params.default nginx.conf.bak win-utf
koi-utf nginx.conf.default
koi-win scgi_params
2.2 Check the CPU; it differs from host to host
2.2.1 【Count the logical CPUs and show the CPU model】
[root@localhost ~]# cat /proc/cpuinfo |grep name |cut -f2 -d: |uniq -c
1 AMD A6-9225 RADEON R4, 5 COMPUTE CORES 2C+3G
[root@localhost ~]# cat /proc/cpuinfo |grep physical |uniq -c
1 address sizes : 43 bits physical, 48 bits virtual
[root@localhost ~]# fdisk -l 【show disk information】
[root@localhost ~]# cat /proc/meminfo 【show memory information】
[root@localhost ~]# cat /proc/cpuinfo |awk "/physical id/" |sort |uniq |wc -l 【count the physical CPUs】
[root@localhost ~]# cat /usr/src/nginx-1.6.0/conf/mime.types 【see which file extensions the site can serve】
[root@localhost ~]# cat /proc/cpuinfo 【show CPU information】
processor : 0 【one logical CPU】
vendor_id : AuthenticAMD
cpu family : 21
model : 112
model name : AMD A6-9225 RADEON R4, 5 COMPUTE CORES 2C+3G 【CPU model】
stepping : 0 【CPU stepping; when buying a CPU, prefer a later stepping where possible】
cpu MHz : 2595.159
cache size : 1024 KB 【cache: 1 MB】
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc up rep_good tsc_reliable nonstop_tsc unfair_spinlock pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw xop fma4 tbm arat xsaveopt fsgsbase bmi1 avx2 smep bmi2
bogomips : 5190.31
TLB size : 1536 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:
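2.2.2 The output above comes from a virtual machine, so many fields are missing. Additional notes:
physical id : 0 【the first physical CPU; physical id : 1 would be the second physical CPU】
cpuinfo 【CPU information】
/proc 【in-memory files】
cpu cores : 8 【a physical CPU with 8 cores】
siblings : 16 【hyper-threading】
worker_processes n 【n is the total number of physical CPUs】
worker_connections 10240 【concurrent connections】 total concurrent connections = 10240 × n
【8 cores, 16 threads, 16+16=32; each hyper-thread can do a piece of work independently】
server 【defines a virtual host】
http{
server{} blocks hold the settings for a specific site and define a virtual host; a virtual host can be designated for a single IP
mime.types is an additional configuration file describing media types (which media formats the site supports)
main is the name of the log format
}【the http block holds the HTTP settings and the virtual host definitions】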
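[root@localhost ~]# cat /usr/local/nginx/logs/access.log 【view the log】
192.168.1.1 - - [21/Apr/2019:02:58:24 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"【192.168.1.1 is the client IP; the first - is a literal -; the second - is the user name (- stands in when the user name is unknown); [21/Apr/2019:02:58:24 +0800] is the local time; GET is the request method; / is the path (the root); HTTP/1.1 is the protocol and version; 304 is the status code; 0 is the number of bytes sent; "-" means no information】
remote_addr 【remote client IP】
remote_user 【remote user name; - stands in when the user name is unknown】
time_local 【local time】
request 【request line】
status 【status code】
body_bytes_sent 【number of bytes sent】
http_referer 【referer information】
http_user_agent 【which browser was used】
http_x_forwarded_for 【forwarding information; empty here because no forwarding was done】
charset koi8-r 【the default is a Russian encoding】
charset utf-8 【universal character set that supports many languages】
access_log 【log】
The default log setting is access_log logs/access.log
If you remove the # and change the log name to www.kgc.cn, that log is written to the new path; otherwise it is written to the earlier log path
location / { 【the path web pages are published from; the default is html】
root html
index index.html index.htm 【the home page file names and their extensions】
【Note: if access_log is set both earlier and later in the file, the later one overrides the earlier one】
Is hyper-threading enabled?
If two logical CPUs have the same "core id", hyper-threading is on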
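The access-log fields described above are enough to build a small per-client report. The following is an added example, not part of the original page: it reads lines in the main log_format and counts rejected logins (401 with a user name) and denied requests (403) per client. The sample lines are constructed, the function names are hypothetical, and the example assumes nginx logs the attempted user name in $remote_user for a failed Basic-auth request.

```sh
#!/bin/sh
# Added example: per-client summary of rejected logins (401) and denied
# requests (403) from an access log written in the "main" log_format.

# Constructed sample lines in that format (not real traffic).
sample_log() {
cat <<'EOF'
192.168.1.1 - - [21/Apr/2019:02:58:24 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0" "-"
192.168.168.20 - - [24/Apr/2019:03:05:10 +0800] "GET / HTTP/1.1" 401 194 "-" "Mozilla/5.0" "-"
192.168.168.20 - admin [24/Apr/2019:03:05:15 +0800] "GET / HTTP/1.1" 200 20 "-" "Mozilla/5.0" "-"
192.168.168.50 - admin [24/Apr/2019:03:06:01 +0800] "GET / HTTP/1.1" 401 194 "-" "curl/7.19.7" "-"
192.168.168.50 - admin [24/Apr/2019:03:06:02 +0800] "GET / HTTP/1.1" 401 194 "-" "curl/7.19.7" "-"
192.168.168.50 - root [24/Apr/2019:03:06:03 +0800] "GET / HTTP/1.1" 401 194 "-" "curl/7.19.7" "-"
192.168.168.134 - - [24/Apr/2019:03:20:44 +0800] "GET / HTTP/1.1" 403 168 "-" "Mozilla/5.0" "-"
192.168.168.134 - - [24/Apr/2019:03:20:45 +0800] "GET /favicon.ico HTTP/1.1" 403 168 "-" "Mozilla/5.0" "-"
EOF
}

# Reads log lines on stdin; prints "IP rejected=N denied=M" per client
# that has at least one rejected login or denied request.
denied_summary() {
    # Splitting on the double quote isolates the request, referer and agent.
    awk -F'"' '
    {
        split($1, head, " ")   # head[1] = $remote_addr, head[3] = $remote_user
        split($3, tail, " ")   # tail[1] = $status, tail[2] = $body_bytes_sent
        ip = head[1]
        # 401 with a user name: credentials were sent and rejected.
        # 401 with "-" is only the initial challenge, so it is not counted.
        if (tail[1] == 401 && head[3] != "-") { rejected[ip]++; seen[ip] = 1 }
        if (tail[1] == 403)                   { denied[ip]++;   seen[ip] = 1 }
    }
    END {
        for (ip in seen)
            printf "%s rejected=%d denied=%d\n", ip, rejected[ip], denied[ip]
    }' | LC_ALL=C sort
}

# Prints the clients with at least $1 rejected logins.
flag_auth_guessing() {
    denied_summary | awk -v min="$1" '{
        split($2, kv, "=")
        if (kv[2] + 0 >= min + 0) print $1
    }'
}

sample_log | denied_summary
```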
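2.2.3 Change the web root to /haolilong and check the result 【the path here must be absolute; there is no haolilong directory under / yet, so it has to be created】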
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root /haolilong;
    index index.html index.htm;
}
[root@localhost ~]# service iptables stop
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
[root@localhost ~]# mkdir /haolilong
[root@localhost ~]# find / -name index.html
/haolilong/index.html
[root@localhost ~]# echo "<h1>a boy can do evering for girl</h1>" > /haolilong/index.html
[root@localhost ~]# nginx -s reload
[root@localhost ~]# echo "a boy can do evering for girl; 为和度我不度她" > /haolilong/index.html
[root@localhost ~]# nginx -s reload
The Chinese characters are not displayed correctly because something is missing
[root@localhost ~]# cat > /haolilong/index.html <<EO
> a boy can do evering for girl
> 为和度我 不度她
> something just like this
> EO
[root@localhost ~]# nginx -s reload
2.3 HTTP configuration and virtual host settings
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
user nginx nginx;
worker_processes 1;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 80;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Save and exit
【The directories kgc and benet referenced in the changes above do not exist yet, so they have to be created】
[root@localhost ~]# mkdir /{kgc,benet}
[root@localhost ~]# echo "<h1>www.kgc.cn</h1>" > /kgc/index.html
[root@localhost ~]# echo "<h1>www.benet.cn</h1>" > /benet/index.html
[root@localhost ~]# nginx -s reload
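The two domain names above have no DNS records, so edit the hosts file on the local Windows 7 machine instead
【system32 is the Windows system folder, the nerve centre of the operating system; it contains DLL files, Control Panel applets (.CPL), device drivers (.drv), help files (.hlp and .cnt), MS-DOS tools (.com), language support files (.nls), screen savers (.scr) and setup information files (.inf)】【drivers holds the drivers the system needs to run normally】【etc holds configuration files】【hosts maps commonly used domain names to their IP addresses, like a small "database": when the user enters a site name in the browser, the system first looks for the matching IP address in the hosts file; if it is found, that address is used, and if not, the system submits the name to the DNS server for resolution】【the mappings in hosts are static; if a computer on the network changes its address, update the IP promptly, otherwise it can no longer be reached】
Method 1
On the local computer, open drive C: Windows→System32→drivers→etc→Tools (in the top menu)→Folder Options→View→Hide protected operating system files→show hidden files→hosts→open with Notepad→delete all the contents→write your own IP 192.168.1.133 followed by all the names www.kgc.cn www.benet.cn→save→open a local command prompt and ping every domain name, all of them respond→open a local browser and enter the domain names, all of them resolve
Method 2
On the Windows 7 virtual machine, open drive C: Windows→System32→drivers→etc→hosts→delete the contents and write your own IP and all the domain names
【The above is name-based virtual hosting: the same IP serves different pages】
The results are shown below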
2.4 Nginx statistics
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen 80;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
        }
        location ~ /status {
            stub_status on;
            access_log off;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 80;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
        }
        location ~ /status {
            stub_status on;
            access_log off;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
Save and exit. Add these lines, preferably in the positions shown above, otherwise errors may occur
[root@localhost ~]# ulimit -n 【limit on the number of file handles a process may open】
1024
[root@localhost ~]# ulimit -n 10000 【set the handle limit to 10000】
Resolved successfully
Active connections: 1 【number of currently active connections】
server accepts handled requests
16 16 31
Reading: 0 Writing: 1 Waiting: 0
III. Configuring Nginx virtual hosts
3.1 Name-based virtual hosts 【already covered above, so not demonstrated again here】
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
user nginx nginx;
worker_processes 1;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
    use epoll;
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    sendfile on;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 80;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
3.2 IP-based virtual hosts
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf 【add the IP addresses】
    server {
        listen 192.168.168.131;    # port 80 is the default when no port is given
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 192.168.168.132;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Save and exit
[root@localhost ~]# ifconfig eth1:0 192.168.168.132/24 【the configuration file now uses the IP 192.168.168.132, but no interface has that address yet, so it has to be added】
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:a8:4b:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.168.131/24 brd 192.168.168.255 scope global eth1
inet 192.168.168.132/24 brd 192.168.168.255 scope global secondary eth1:0
inet6 fe80::20c:29ff:fea8:4baa/64 scope link
valid_lft forever preferred_lft forever
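【After changing IP addresses in the configuration file, a graceful restart is not recommended; do a normal stop followed by a normal start】
[root@localhost ~]# killall -3 nginx 【normal stop】
[root@localhost ~]# nginx 【normal start】
[root@localhost ~]# netstat -anpt |grep nginx 【two listening addresses now appear, which shows the start succeeded】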
tcp 0 0 192.168.168.132:80 0.0.0.0:* LISTEN 8192/nginx
tcp 0 0 192.168.168.131:80 0.0.0.0:* LISTEN 8192/nginx
You have new mail in /var/spool/mail/root
[root@localhost ~]# netstat -anpt|grep nginx 【check the port】
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6517/nginx
Test from the client
3.3 Port-based virtual hosts
[root@localhost ~]# cat /usr/local/nginx/conf/nginx.conf 【add the ports】
    server {
        listen 192.168.168.131:6666;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 192.168.168.131:8888;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Save and exit
[root@localhost ~]# killall -3 nginx 【normal stop】
[root@localhost ~]# nginx
[root@localhost ~]# /etc/init.d/nginx restart
[root@localhost ~]# netstat -anpt |grep nginx
tcp 0 0 192.168.168.131:8888 0.0.0.0:* LISTEN 8192/nginx
tcp 0 0 192.168.168.131:6666 0.0.0.0:* LISTEN 8192/nginx
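IV. Nginx access control
4.1 User-based access control
【the htpasswd command creates users and changes passwords; -c creates the password file; -b takes the user name and password on the command line instead of prompting for the password】
[root@localhost ~]# htpasswd -c -b /usr/local/nginx/passwd.db admin 123123 【create the user and password】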
Adding password for user admin
[root@localhost ~]# cat /usr/local/nginx/passwd.db 【view the user and password entry】
admin:9lUvC7QIGJk1.
[root@localhost ~]# chmod 400 /usr/local/nginx/passwd.db
[root@localhost ~]# ll /usr/local/nginx/passwd.db 【make the password file read-only, otherwise login verification fails】
-r--------. 1 root root 20 4月 24 03:00 /usr/local/nginx/passwd.db
[root@localhost ~]# chown nginx:nginx /usr/local/nginx/passwd.db 【change the owner and group to nginx】
[root@localhost ~]# ll /usr/local/nginx/passwd.db
-r--------. 1 nginx nginx 20 4月 24 03:00 /usr/local/nginx/passwd.db
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen 80;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
            auth_basic "secret";    # add these two lines: basic authentication
            auth_basic_user_file /usr/local/nginx/passwd.db;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 80;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
            auth_basic "secret";
            auth_basic_user_file /usr/local/nginx/passwd.db;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Save and exit
Enter the user name admin and the password 123123 to get in
【A 401 error page means authentication failed】
【A 403 error means access denied】
【A 404 error means the page address or path is wrong】
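The entry that htpasswd wrote above, admin:9lUvC7QIGJk1., is 13 characters with no prefix, which is the traditional DES crypt() format; it uses only the first 8 characters of the password. The following is an added example, not part of the original page: it classifies the hash scheme of each entry in an htpasswd-style file and checks the file mode. The function names are hypothetical and the second sample entry is constructed, not a real hash.

```sh
#!/bin/sh
# Added example: audit an htpasswd-style file for weak hash schemes and
# for permissions that let other users read it.

# First entry is the one shown on the page; the second is constructed.
sample_db() {
cat <<'EOF'
admin:9lUvC7QIGJk1.
ops:$apr1$CONSTRUCT$0000000000000000000000
EOF
}

# Map a stored hash to its scheme, going by the prefix nginx recognises.
hash_scheme() {
    case $1 in
        '$apr1$'*)  echo apr1-md5 ;;
        '{SSHA}'*)  echo salted-sha1 ;;
        '{SHA}'*)   echo unsalted-sha1 ;;
        '{PLAIN}'*) echo plaintext ;;
        '$'*)       echo other-crypt ;;
        *)  # Traditional DES crypt(): exactly 13 characters, no prefix.
            if [ "${#1}" -eq 13 ]; then echo des-crypt; else echo unknown; fi ;;
    esac
}

# Reads user:hash lines on stdin; prints "user scheme" for each weak entry.
weak_entries() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$hash")
        case $scheme in
            des-crypt|unsalted-sha1|plaintext|unknown) echo "$user $scheme" ;;
        esac
    done
}

# Succeeds (status 0) when FILE grants any access to "other" users.
loose_mode() {
    # ls prints the mode as e.g. -r--------; characters 8-10 are "other".
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ???????---) return 1 ;;
        *)          return 0 ;;
    esac
}

sample_db | weak_entries
```

On the server itself this would be run as `weak_entries < /usr/local/nginx/passwd.db` together with `loose_mode /usr/local/nginx/passwd.db`.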
4.2 IP-based access control
deny IP / IP range
allow IP / IP range
Rules are matched from top to bottom; matching stops at the first rule that matches
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen 80;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
            #auth_basic "secret";
            #auth_basic_user_file /usr/local/nginx/passwd.db;
            deny 192.168.168.134;      # deny 192.168.168.134
            allow 192.168.168.0/24;    # allow the 192.168.168.0 network
            deny all;                  # deny everyone else
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 80;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
            #auth_basic "secret";
            #auth_basic_user_file /usr/local/nginx/passwd.db;
            deny 192.168.168.134;      # deny 192.168.168.134
            allow 192.168.168.0/24;    # allow the 192.168.168.0 network
            deny all;                  # deny everyone else
        }
    }
Save and exit after adding the lines above
[root@localhost ~]# killall -3 nginx
[root@localhost ~]# nginx
[root@localhost ~]# killall -1 nginx
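【In other words: deny access from every network except 192.168.168.0, and within that network deny 192.168.168.134】
【i.e. allow this network except for the IP 192.168.168.134】
The test machine, running Windows 7, has the IP 192.168.168.134.
403 means access denied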
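Because the first matching rule wins, the order of the deny and allow lines decides the outcome. The following is an added example, not part of the original page: a small IPv4-only evaluator that applies allow/deny lines in order, run against the rule set above, the variant with the deny line commented out, and a constructed variant with the first two rules swapped. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: first-match evaluation of nginx allow/deny rules (IPv4 only).

# Dotted quad -> 32-bit integer. Runs in a subshell so IFS is not changed.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_net CLIENT TARGET: TARGET is "all", a single address or a CIDR block.
in_net() (
    [ "$2" = all ] && exit 0
    addr=$(ip2int "$1")
    case $2 in
        */*) net=$(ip2int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip2int "$2");      bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
)

# Reads directive lines on stdin and prints allow or deny for client $1.
# Lines that do not start with allow or deny (such as "#deny ...") are
# skipped; when no rule matches, the request is allowed.
acl_decision() {
    client=$1
    while read -r action target rest; do
        case $action in allow|deny) ;; *) continue ;; esac
        target=${target%;}
        if in_net "$client" "$target"; then
            echo "$action"
            return 0
        fi
    done
    echo allow
}

page_rules() {        # the rule set from the configuration above
cat <<'EOF'
deny 192.168.168.134;
allow 192.168.168.0/24;
deny all;
EOF
}
commented_rules() {   # the page's variant with the deny line commented out
cat <<'EOF'
#deny 192.168.168.134;
allow 192.168.168.0/24;
deny all;
EOF
}
misordered_rules() {  # constructed: allow placed first, so the deny never fires
cat <<'EOF'
allow 192.168.168.0/24;
deny 192.168.168.134;
deny all;
EOF
}

for ip in 192.168.168.134 192.168.168.131 10.0.0.5; do
    echo "$ip: $(page_rules | acl_decision "$ip")"
done
```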
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf 【comment out the IP】
    server {
        listen 80;
        server_name www.kgc.cn;
        charset utf-8;
        access_log logs/kgc.access.log main;
        location / {
            root /kgc;
            index index.html index.htm;
            #auth_basic "secret";
            #auth_basic_user_file /usr/local/nginx/passwd.db;
            #deny 192.168.168.134;
            allow 192.168.168.0/24;
            deny all;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 80;
        server_name www.benet.cn;
        charset utf-8;
        access_log logs/benet.access.log main;
        location / {
            root /benet;
            index index.html index.htm;
            #auth_basic "secret";
            #auth_basic_user_file /usr/local/nginx/passwd.db;
            #deny 192.168.168.134;
            allow 192.168.168.0/24;
            deny all;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Save and exit
[root@localhost ~]# killall -1 nginx
[root@localhost ~]# killall -3 nginx
[root@localhost ~]# nginx
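Access works again
Additional notes from the lab:
1. When pasting into vi, if a paragraph of the pasted content starts with #, vi automatically puts # in front of every line of that paragraph. To disable a single line only, add the # and then move that line's text a few columns to the right
2. During the lab, starting nginx failed with an error saying port 80 was already in use; it turned out nginx was already running, hence the error
3. Mind the spaces when writing the script, otherwise you get syntax errors
4. After changing IP addresses in the configuration file, a graceful restart is not recommended; do a normal stop followed by a normal start.
5. When testing name resolution in the browser, the IP worked but the domain name did not. The cause: the Windows 7 file Windows/System32/drivers/etc/hosts is hidden and has no extension; once it was made visible it got a .txt extension and the system no longer recognised it, so after editing the file it has to be set back to hidden before it works.
6. If the local hosts file cannot be edited in place, write the file elsewhere and copy it in; hosts must not have an extension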