1. Nginx default virtual host
Nginx has a default virtual host just as httpd does: the first virtual host Nginx loads becomes the default. Unlike httpd, Nginx also has a configuration flag that explicitly marks a virtual host as the default; only when no host carries that flag does the first one loaded act as the default.
- First remove part of /usr/local/nginx/conf/nginx.conf: the goal is to edit nginx.conf, remove the server block, and point Nginx at a new directory for the virtual host configuration files.
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http
{
# server
# {
# listen 80;
# server_name localhost;
# index index.html index.htm index.php;
# root /usr/local/nginx/html;
# location ~ \.php$
# {
# include fastcgi_params;
# fastcgi_pass unix:/tmp/php-fcgi.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
# }
# }
include vhost/*.conf; # virtual host configuration files live under vhost/
}
- Create the virtual host configuration files; each virtual host has its own file
[root@localhost conf]# mkdir vhost
[root@localhost conf]# cd vhost
[root@localhost vhost]# ls
[root@localhost vhost]# vim aaa.com.conf # virtual host configuration for the aaa.com site
server
{
listen 80 default_server; # default_server marks this as the default virtual host: any request whose domain matches no configured server_name is served by aaa.com
server_name aaa.com;
index index.html index.php;
root /data/wwwroot/aaa.com;
}
- Create the directory with mkdir -p /data/wwwroot/aaa.com/, enter it and write some content into index.html with vim
[root@localhost ~]# mkdir -p /data/wwwroot/aaa.com/
[root@localhost ~]# cd !$
cd /data/wwwroot/aaa.com/
[root@localhost aaa.com]# vim index.html
This is a test default site. (write this content, then save and quit)
- Check the configuration and reload:
[root@localhost aaa.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost aaa.com]# /usr/local/nginx/sbin/nginx -s reload
- Test the default page: what comes back is the content written to /data/wwwroot/aaa.com/index.html above
[root@localhost aaa.com]# curl localhost
This is a test default site.
[root@localhost aaa.com]# curl -x127.0.0.1:80 bbb.com # aaa.com is the default virtual host, so a domain that is not configured, such as bbb.com, also lands on aaa.com
This is a test default site.
- Because nginx.conf was changed, the default index page now shown is the index page of the virtual host just added under vhost. There are two ways to define the default virtual host:
- Without a marker, the first .conf file included from the vhost directory becomes the default, so the file names in vhost alone decide; this method is fragile.
- Add default_server to the listen directive in the .conf file under vhost whose site should be the default; that site then becomes the default virtual host.
2. Nginx user authentication
- Add another virtual host configuration file under the vhost directory and put an authentication block into it:
[root@localhost aaa.com]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim test.com.conf # new file, with the authentication configuration added
server
{
listen 80;
server_name test.com;
index index.html index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
- Generate the password file with Apache's htpasswd tool
[root@localhost ~]# yum install -y httpd # install Apache to get the htpasswd tool
[root@localhost ~]# htpasswd -c /usr/local/nginx/conf/htpasswd aming # create user aming (omit -c when adding further users: -c creates the file anew and would drop existing entries)
New password:
Re-type new password:
Adding password for user aming
[root@localhost ~]# cat /usr/local/nginx/conf/htpasswd
aming:$apr1$Z4P7.Rm3$r2bGw1jfz05tJb5jjwNtl1
- Check the configuration and reload:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
- Verify the authentication:
[root@localhost ~]# mkdir -p /data/wwwroot/test.com/
[root@localhost ~]# vim /data/wwwroot/test.com/index.html
test.com (write this content)
[root@localhost ~]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized # 401: authentication required
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 13:56:17 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com
test.com
Authenticating a specific directory:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /admin/ # the auth block now covers only the admin directory
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@localhost ~]# curl -x127.0.0.1:80 test.com # with auth limited to the directory, the site root no longer asks for credentials
test.com
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com/index.html
test.com
[root@localhost ~]# curl -x127.0.0.1:80 test.com/admin/ # 401: the directory requires authentication
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# mkdir -p /data/wwwroot/test.com/admin # create the directory
[root@localhost ~]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html # write content
[root@localhost ~]# curl -x127.0.0.1:80 test.com/admin/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com/admin/
test.com admin dir
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com/admin/index.html
test.com admin dir
Authenticating a specific URL:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location ~ admin\.php$ # the auth block now covers only this URL (the dot is escaped so it matches a literal ".")
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
3. Nginx domain redirection
- Edit the virtual host configuration and add a domain redirect block; domain redirection in Nginx works much like in httpd.
- In Nginx, server_name accepts several domains; in Apache, ServerName takes only one, and additional domains need ServerAlias.
- When several domains are listed in server_name, the site's search ranking is split among them and it is unclear which domain is the main site, so requests for the other domains are redirected to the canonical one.
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com; # several domains, unlike Apache; redirect them all to test.com so the search ranking is not split
index index.html index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com')
{
rewrite ^/(.*)$ http://test.com/$1 permanent;
} # implemented with the rewrite module: permanent gives a 301 permanent redirect, redirect gives a 302 temporary one
# location /
# {
# auth_basic "Auth";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# }
}
rewrite ^/(.*)$ http://test.com/$1 permanent; # the regex ^/(.*)$ is matched against the request URI only: the scheme and $host part of the full URL (http://$host/...) is not part of the match and is left out, and further rules can be added alongside
Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
- Verify: the configured test1.com and test2.com both answer 301; a domain that is not configured answers 200;
[root@localhost ~]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:18:31 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@localhost ~]# curl -x127.0.0.1:80 test1.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:20:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@localhost ~]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 200 OK # not configured anywhere: served by the default virtual host, no redirect
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:21:04 GMT
Content-Type: text/html
Content-Length: 29
Last-Modified: Tue, 03 Jul 2018 13:15:54 GMT
Connection: keep-alive
ETag: "5b3b770a-1d"
Accept-Ranges: bytes
[root@localhost ~]# curl -x127.0.0.1:80 test11111.com/admin/index.html/dadfafaf -I
HTTP/1.1 404 Not Found # not configured and the path does not exist: 404
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:24:31 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
4. Nginx access logs
- Log format
- vim /usr/local/nginx/conf/nginx.conf # search for log_format
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
Variable | Meaning
---|---
$remote_addr | client IP (the public IP of the peer that connected)
$http_x_forwarded_for | X-Forwarded-For header, i.e. the client address as reported by a proxy in front of nginx
$time_local | server local time
$host | requested host name (domain)
$request_uri | requested URI
$status | response status code
$http_referer | Referer header
$http_user_agent | User-Agent header
- combined_realip is the name of the log format. It can be anything, but the name defined here is what the virtual hosts reference later, so it decides which log format a virtual host uses.
- Nginx configuration directives end with a semicolon; a directive without a trailing semicolon continues on the next line, so a line break alone does not end it.
- Besides defining the format in the main nginx.conf, each virtual host configuration needs access_log /tmp/test.com.log combined_realip; to set the access log path; if the format name is omitted, the default format is used.
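As an added example (not part of the original notes), the following Python parses lines in the combined_realip format defined above and shows how to use $http_x_forwarded_for safely: the forwarded address is trusted only when the connection came from a known proxy, because any client can send an X-Forwarded-For header of its own. The log lines, the proxy addresses and the function names are constructed for this example.

```python
import re
from collections import Counter

# Regex for the combined_realip format defined above. $http_x_forwarded_for is not
# quoted in that format and may contain "ip, ip", so it is matched lazily up to the
# "[" that opens $time_local.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<xff>.*?) \[(?P<time_local>[^\]]+)\] '
    r'(?P<host>\S+) "(?P<request_uri>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample: two lines from the session above plus two made-up lines, one
# arriving through a proxy at 10.0.0.5 and one carrying a forged X-Forwarded-For.
LOG_LINES = [
    '127.0.0.1 - [04/Jul/2018:00:03:00 +0800] test1.com "/index.html" 301 "-" "curl/7.29.0"',
    '127.0.0.1 - [04/Jul/2018:00:04:57 +0800] test1.com "/admin/index.html/dadfafaf" 301 "-" "curl/7.29.0"',
    '10.0.0.5 203.0.113.7, 10.0.0.9 [04/Jul/2018:00:06:10 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"',
    '198.51.100.4 203.0.113.7 [04/Jul/2018:00:07:00 +0800] test.com "/1.gif" 403 "http://www.baidu.com/1.txt" "curl/7.29.0"',
]

# Constructed: addresses of the proxies we operate and therefore trust to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.9"}


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in combined_realip format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # "-" means the header was absent; otherwise split the "client, proxy1, proxy2" chain
    xff = entry["xff"]
    entry["xff"] = [] if xff == "-" else [p.strip() for p in xff.split(",") if p.strip()]
    return entry


def client_ip(entry, trusted_proxies):
    """Real client address: walk X-Forwarded-For from the right, skipping trusted proxies.

    If the direct peer is not a trusted proxy the header is attacker-controlled and ignored.
    """
    if entry["remote_addr"] not in trusted_proxies:
        return entry["remote_addr"]
    for addr in reversed(entry["xff"]):
        if addr not in trusted_proxies:
            return addr
    return entry["remote_addr"]


def status_by_host(lines):
    """Count responses per (host, status), e.g. to spot bursts of 401/403 on one vhost."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[(entry["host"], entry["status"])] += 1
    return counts


if __name__ == "__main__":
    for line in LOG_LINES:
        e = parse_line(line)
        print(e["host"], e["status"], "client:", client_ip(e, TRUSTED_PROXIES))
    print(status_by_host(LOG_LINES))
```

The lazy match for the X-Forwarded-For field only works because $time_local is bracketed; if the format is changed so that an unquoted, space-containing field is followed by another unquoted field, the line becomes ambiguous, which is one reason to quote $http_x_forwarded_for in a production log_format.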
[root@localhost ~]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# ls
aaa.com.conf test.com.conf
[root@localhost vhost]# vim test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
access_log /tmp/test.com.log combined_realip;
}
- Check the configuration and reload:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
- Test
[root@localhost vhost]# curl -x127.0.0.1:80 test1.com/admin/index.html/dadfafaf -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 16:04:57 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html/dadfafaf
[root@localhost vhost]# curl -x127.0.0.1:80 test2.com/admin/index.html/dadfafaf -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 16:05:04 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html/dadfafaf
[root@localhost vhost]# curl -x127.0.0.1:80 test1.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 16:03:00 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
- View the log with cat /tmp/test.com.log
[root@localhost vhost]# cat /tmp/test.com.log
127.0.0.1 - [04/Jul/2018:00:03:00 +0800] test1.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:00:04:57 +0800] test1.com "/admin/index.html/dadfafaf" 301 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:00:05:04 +0800] test2.com "/admin/index.html/dadfafaf" 301 "-" "curl/7.29.0"
5. Nginx log rotation
Unlike Apache, Nginx does not ship a log rotation tool, so we write a shell script to rotate the logs.
- vim /usr/local/sbin/nginx_log_rotate.sh # write the shell script; for easier management, keep shell scripts under /usr/local/sbin/
[root@localhost vhost]# vim /usr/local/sbin/nginx_log_rotate.sh
#!/bin/bash
## assumes the nginx logs are stored under /tmp/
d=`date -d "-1 day" +%Y%m%d` # date stamp for the rotated file (the log being rotated covers the previous day)
logdir="/tmp" # directory holding the logs to rotate (the path set in the virtual host configuration)
nginx_pid="/usr/local/nginx/logs/nginx.pid" # the pid is needed for /bin/kill -HUP `cat $nginx_pid`, which is equivalent to nginx -s reload and makes nginx reopen its logs; the path comes from nginx.conf
cd $logdir
for log in `ls *.log`
do
mv $log $log-$d
done # the glob loops over every file ending in .log and renames it
/bin/kill -HUP `cat $nginx_pid` # reload so nginx creates fresh log files for new entries
Line by line:
- d=`date -d "-1 day" +%Y%m%d`: yesterday's date in year-month-day form
- logdir="/tmp/": the previous section put the logs under /tmp/
- nginx_pid="/usr/local/nginx/logs/nginx.pid": nginx's pid file, needed for /bin/kill -HUP `cat $nginx_pid`, which does the same as nginx -s reload
- cd $logdir: enter the log directory
- for log in `ls *.log`: loop over every file with the .log suffix
- do mv $log $log-$d: rename each file
- done: end of the loop
- /bin/kill -HUP `cat $nginx_pid`: reload so nginx opens new log files under the original names
Run the script with the -x option to trace its execution:
[root@localhost vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180703
+ logdir=/tmp
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180703
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 950
- The rotated log files: one file is produced per day, so after rotation the old ones still need periodic cleanup
[root@localhost vhost]# ls /tmp/
mysql.sock
pear
php-fcgi.sock
systemd-private-48961cd994ed4ec596b20e16054c856a-chronyd.service-UdCTFK
systemd-private-48961cd994ed4ec596b20e16054c856a-vgauthd.service-wiV5Ul
systemd-private-48961cd994ed4ec596b20e16054c856a-vmtoolsd.service-Q76tJX
test.com.log
test.com.log-20180703
- Delete log files older than 30 days
[root@localhost vhost]# find /tmp/ -name '*.log-*' -type f -mtime +30 |xargs rm
rm: 缺少操作数
Try 'rm --help' for more information. # nothing matched, so rm received no arguments and did nothing (xargs -r, or find ... -delete, avoids this message)
- After writing the script, add a cron job so rotation and cleanup run on schedule: crontab -e
[root@localhost vhost]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
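As an added example rather than the notes' own script, here is the same rotation written in Python with the points a production version needs: it never overwrites a file rotated earlier the same day, it prunes rotated files older than 30 days the way the find command above does, and it signals nginx through the pid file (USR1 is nginx's reopen-log-files signal; the HUP used by the script above reloads the whole configuration and also reopens the logs). The demo() function runs against a scratch directory it creates, so nothing in /tmp or the real pid file is touched; the file names and the 20180703 stamp are taken from the session above, and the function names are this example's own.

```python
import os
import signal
import tempfile
import time
from datetime import date, timedelta


def rotate_logs(logdir, stamp=None):
    """Rename every *.log in logdir to name-YYYYMMDD and return the new names.

    stamp defaults to yesterday's date, as in the script above; a file already rotated
    under that name is left alone so a second run on the same day does not clobber it.
    """
    if stamp is None:
        stamp = (date.today() - timedelta(days=1)).strftime("%Y%m%d")
    rotated = []
    for name in sorted(os.listdir(logdir)):
        if not name.endswith(".log"):
            continue
        src = os.path.join(logdir, name)
        dst = "%s-%s" % (src, stamp)
        if os.path.exists(dst):
            continue
        os.rename(src, dst)
        rotated.append(os.path.basename(dst))
    return rotated


def prune_logs(logdir, days=30, now=None):
    """Delete rotated files (*.log-*) whose mtime is older than `days` days; return their names.

    Same effect as the find ... -mtime +30 | xargs rm command above, without the
    empty-argument error when nothing matches.
    """
    if now is None:
        now = time.time()
    cutoff = now - days * 86400
    removed = []
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if ".log-" in name and os.path.isfile(path) and os.path.getmtime(path) < cutoff:
            os.remove(path)
            removed.append(name)
    return removed


def reopen_logs(pid_file, sig=signal.SIGUSR1):
    """Signal the nginx master named in pid_file so it opens fresh log files.

    USR1 is nginx's reopen-logs signal; the page's script sends HUP (full reload),
    which also reopens them. Returns the pid signalled, or None if the pid file is
    missing or unreadable, so a broken pid file is reported instead of silently ignored.
    """
    try:
        with open(pid_file) as f:
            pid = int(f.read().strip())
    except (OSError, ValueError):
        return None
    os.kill(pid, sig)
    return pid


def demo():
    """Run rotation and pruning in a scratch directory (constructed; not the page's /tmp).

    Returns what happened so the behaviour can be checked without touching a real server.
    """
    workdir = tempfile.mkdtemp(prefix="nginx-logs-")
    for name in ("test.com.log", "aaa.com.log"):
        open(os.path.join(workdir, name), "w").close()
    stale = os.path.join(workdir, "test.com.log-20180601")
    open(stale, "w").close()
    old = time.time() - 40 * 86400
    os.utime(stale, (old, old))  # make it look 40 days old
    rotated = rotate_logs(workdir, "20180703")
    removed = prune_logs(workdir, days=30)
    signalled = reopen_logs(os.path.join(workdir, "nginx.pid"))  # no pid file here: None
    return {
        "rotated": rotated,
        "removed": removed,
        "remaining": sorted(os.listdir(workdir)),
        "signalled": signalled,
    }


if __name__ == "__main__":
    print(demo())
```

Renaming first and signalling afterwards is what makes this safe: nginx keeps writing to the renamed file through its open descriptor until the signal arrives, so no entries are lost in between.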
6. Static files: no access log and an expiry time
- Open the virtual host configuration with vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # match files with a gif|jpg|jpeg|png|bmp|swf extension
{
expires 7d; # expire after 7 days
access_log off; # no access log entries for files matching .*\.(gif|jpg|jpeg|png|bmp|swf)
}
location ~ .*\.(js|css)$
{
expires 12h; # expire after 12 hours
access_log off; # no access log entries for files matching .*\.(js|css)
}
- Check the configuration for syntax errors and reload
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
- Test
[root@localhost vhost]# cd /data/wwwroot/test.com/
[root@localhost test.com]# ls
1.txt admin index.html
[root@localhost test.com]# vim 1.gif
[root@localhost test.com]# vim 2.js
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/1.gif
1234567890
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/2.js
0987654321
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
- View the log
[root@localhost test.com]# cat /tmp/test.com.log
127.0.0.1 - [04/Jul/2018:01:09:50 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
- Test the expiry time by adding the -I option
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 17:13:16 GMT
Content-Type: application/javascript
Content-Length: 11
Last-Modified: Tue, 03 Jul 2018 17:08:58 GMT
Connection: keep-alive
ETag: "5b3badaa-b"
Expires: Wed, 04 Jul 2018 05:13:16 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
max-age=43200 is the expiry time; if expires is removed from the configuration, no max-age is sent
7. Nginx hotlink protection
- Hotlink protection can share a block with the no-logging and expiry settings
Open the virtual host configuration and add it
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^(.+)\.(gif|jpg|jpeg|png|bmp|swf)$ # match the URL
{
expires 7d;
access_log off;
valid_referers none blocked server_names *.test.com; # Referer whitelist
if ($invalid_referer) # Referer not on the whitelist
{
return 403; # refuse with 403
}
}
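The following Python, added here and not part of the original notes, reproduces how nginx evaluates the valid_referers line above so that the curl tests below can be reasoned about: none (no Referer header at all), blocked (a Referer without http:// or https://, as left by some proxies and filters), server_names (the server_name entries of this virtual host) and the *.test.com wildcard. The server_name set is taken from the test.com.conf shown earlier; the regex and path-prefix rule forms nginx also supports are not implemented, and the function names are this example's own.

```python
from urllib.parse import urlsplit

# Taken from the test.com.conf shown earlier in these notes.
SERVER_NAMES = {"test.com", "test1.com", "test2.com"}
# The page's valid_referers line, as a list of rules.
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def referer_is_valid(referer, rules=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty for this Referer header value.

    Only the keyword, exact-host and "*.host" rule forms are implemented; nginx's
    regex (~...) and host/path-prefix forms are not.
    """
    if not referer:
        # Header absent: allowed only if the list contains "none"
        return "none" in rules
    lowered = referer.lower()
    if not (lowered.startswith("http://") or lowered.startswith("https://")):
        # Header present but the scheme was stripped (some proxies and filters do this):
        # allowed only if the list contains "blocked"
        return "blocked" in rules
    host = urlsplit(lowered).hostname or ""
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in server_names:
                return True
        elif rule.startswith("*."):
            # "*.test.com" matches any sub-domain but not the bare "test.com"
            if host.endswith(rule[1:]) and host != rule[2:]:
                return True
        elif host == rule:
            return True
    return False


def decide(referer):
    """Status the page's if ($invalid_referer) { return 403; } block would produce."""
    return 200 if referer_is_valid(referer) else 403


if __name__ == "__main__":
    # Constructed Referer values, including the two used with curl -e below
    for ref in (None, "1.txt", "http://www.baidu.com/1.txt", "http://www.test.com/1.txt"):
        print(repr(ref), "->", decide(ref))
```

Two consequences worth keeping in mind when reading the results: the none keyword means a request with no Referer at all is served, so direct downloads and privacy-conscious browsers still work, and the whole check rests on a header the client chooses to send, so it deters casual embedding on other sites rather than providing access control.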
- Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
- Test
[root@localhost ~]# ls /data/wwwroot/test.com/
1.gif 1.txt 2.js admin index.html
[root@localhost ~]# curl -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:07:10 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Tue, 03 Jul 2018 17:08:35 GMT
Connection: keep-alive
ETag: "5b3bad93-b"
Expires: Wed, 11 Jul 2018 10:07:10 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:08:50 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:09:15 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Tue, 03 Jul 2018 17:08:35 GMT
Connection: keep-alive
ETag: "5b3bad93-b"
Expires: Wed, 11 Jul 2018 10:09:15 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
- View the log
[root@localhost ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [04/Jul/2018:01:09:50 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:18:05:54 +0800] test.com "/2.js" 200 "-" "curl/7.29.0"
8. Nginx access control
- Restrict access to a site directory by source IP:
Open the virtual host configuration
[root@localhost ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
{
allow 127.0.0.1; # allow the local host
allow 192.168.222.112; # unlike Apache, nginx has no order directive: rules are checked top to bottom and the first one matching the client IP decides; later rules for the same IP are not consulted
deny all; # deny every other IP
}
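As an added illustration of the comment on allow/deny ordering (not code from the notes), this Python evaluates an allow/deny list the way ngx_http_access_module does: rules are checked top to bottom, the first one matching the client address decides, and a client matched by no rule is allowed. It also accepts CIDR networks. MISORDERED is a constructed block that shows why deny all must come last, and the function names are this example's own; note that behind a proxy $remote_addr is the proxy's address, so these rules would see the proxy rather than the end client.

```python
import ipaddress

# The page's location /admin/ block, as (action, pattern) pairs in file order.
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "192.168.222.112"), ("deny", "all")]
# Constructed: the same rules with deny all placed first, which would lock everyone out.
MISORDERED = [("deny", "all"), ("allow", "127.0.0.1"), ("allow", "192.168.222.112")]


def _matches(pattern, addr):
    """True if the rule pattern (single address, CIDR network or "all") covers addr."""
    if pattern == "all":
        return True
    net = ipaddress.ip_network(pattern, strict=False)
    return net.version == addr.version and addr in net


def evaluate_access(rules, client_ip):
    """Return "allow" or "deny" the way ngx_http_access_module decides.

    Rules are checked top to bottom; the first one whose pattern contains the client
    address wins and later rules are not consulted. A client matched by no rule is
    allowed, which is why a deny all is needed at the end of an allow list.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, pattern in rules:
        if _matches(pattern, addr):
            return action
    return "allow"


def explain(rules, client_ip):
    """Human-readable trace of the decision, for checking a block before deploying it."""
    addr = ipaddress.ip_address(client_ip)
    for index, (action, pattern) in enumerate(rules, start=1):
        if _matches(pattern, addr):
            return "%s: rule %d (%s %s) matched" % (action, index, action, pattern)
    return "allow: no rule matched (nginx default)"


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.222.112", "192.168.222.113"):
        print(ip, "->", explain(ADMIN_RULES, ip))
    print("127.0.0.1 with deny all first ->", explain(MISORDERED, "127.0.0.1"))
    print("203.0.113.1 with no deny all ->", explain([("allow", "10.0.0.0/8")], "203.0.113.1"))
```

The "no rule matched" case is the one that bites in practice: an allow list without a closing deny all restricts nobody, and an IPv6 client never matches IPv4 rules, so a listener that also accepts IPv6 needs its own allow entries or the deny all to catch it.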
- Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#
- Test access to the admin directory:
[root@localhost ~]# mkdir -p /data/wwwroot/test.com/admin
[root@localhost ~]# curl -x192.168.222.112:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:34:00 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 03 Jul 2018 14:27:38 GMT
Connection: keep-alive
ETag: "5b3b87da-13"
Accept-Ranges: bytes
[root@localhost ~]# curl -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:36:27 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 03 Jul 2018 14:27:38 GMT
Connection: keep-alive
ETag: "5b3b87da-13"
Accept-Ranges: bytes
Access control with a regular expression; add the following to the configuration
location ~ .*(upload|image)/.*\.php$ # deny access to php files under the upload or image directories
{
deny all;
}
- Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
- Create the upload directory and add 1.php to test
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload
[root@localhost ~]# ls /data/wwwroot/test.com/
1.gif 1.txt 2.js admin index.html upload
[root@localhost ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# ls /data/wwwroot/test.com/upload
1.php
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
- Access control by User-Agent; add the following block to the configuration
if ($http_user_agent ~* 'spider/3.0|YoudaoBot|Tomato') # case-insensitive match of the User-Agent against a blacklist; matches are refused
{
return 403;
}
- Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
- Test
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
Note: deny all and return 403 have the same effect
9. Nginx PHP parsing configuration
Open the virtual host configuration and add the following
[root@localhost ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
include fastcgi_params;
# the socket php-fpm listens on; if php-fpm.conf listens on 127.0.0.1:9000 instead, use fastcgi_pass 127.0.0.1:9000
# a wrong socket path results in a 502
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php; # index page
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; # the path here must match the root directive
}
# php-fpm configuration
[root@nginx test.com]# vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666 ; when listening on a unix socket the mode must allow the nginx worker to read and write it, otherwise 502: nginx workers run as nobody and cannot open the socket without it (listen.owner and listen.group set to the nginx user are a tighter alternative to a world-writable 666)
user = php-fpm
group = php-fpm
- Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
- Test. Note two points: fastcgi_pass has two forms (unix socket or TCP address), but whichever is used, Nginx and php-fpm must agree, otherwise 502; and the path on the fastcgi_param SCRIPT_FILENAME line must match the root path.
10. Nginx proxy
- When a user wants to reach a site that sits on a private network and is not reachable from outside, a proxy server that can reach the private network fetches the site on the user's behalf.
- A proxy server can also speed up access: a user in mainland China reaching a US site through a Hong Kong proxy can get faster access.
- Install Nginx on the proxy server and configure it: create proxy.conf under vhost
[root@localhost ~]# cd /usr/local/nginx/conf/vhost
[root@localhost vhost]# vim proxy.conf
server
{
listen 80; # listen on port 80
server_name ask.apelearn.com; # domain being proxied
location /
{
proxy_pass http://121.201.9.155; # IP of the backend web server
proxy_set_header Host $host; # forward the original host name
proxy_set_header X-Real-IP $remote_addr; # client IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # existing X-Forwarded-For chain with the client IP appended
}
}
}
- Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
- Test