LNMP Architecture (Part 2)

Nginx default virtual host

Edit nginx.conf

  [root@zyshanlinux-001 ~]# vim /usr/local/nginx/conf/nginx.conf
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t  ## check the syntax after editing
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

      fastcgi_intercept_errors on;
      tcp_nodelay on;
      gzip on;
      gzip_min_length 1k;
      gzip_buffers 4 8k;
      gzip_comp_level 5;
      gzip_http_version 1.1;
      gzip_types text/plain application/x-javascript text/css text/htm
      application/xml;
      include vhost/*.conf;  ## remember the trailing ";"
  }

Following the configuration above, create the vhost directory and a new aaa.com.conf file inside it; create /data/wwwroot/default and a new index.html inside it; finally check the syntax.

  [root@zyshanlinux-001 ~]# cd /usr/local/nginx/conf
  [root@zyshanlinux-001 conf]# pwd
  /usr/local/nginx/conf
  [root@zyshanlinux-001 conf]# mkdir vhost
  [root@zyshanlinux-001 conf]# cd vhost/
  [root@zyshanlinux-001 vhost]# ls
  [root@zyshanlinux-001 vhost]# vim aaa.com.conf
  ++++++++++++++++++++++++++++++++++++++++++++++++++▶
  server
  {
      listen 80 default_server;  # the block carrying this marker is the default virtual host
      server_name aaa.com;
      index index.html index.htm index.php;
      root /data/wwwroot/default;
  }
  ++++++++++++++++++++++++++++++++++++++++++++++++++◀
  [root@zyshanlinux-001 vhost]# mkdir /data/wwwroot/default
  [root@zyshanlinux-001 vhost]# cd !$
  cd /data/wwwroot/default
  [root@zyshanlinux-001 default]# ls
  [root@zyshanlinux-001 default]# echo "This is a default site.">/data/wwwroot/default/index.html
  [root@zyshanlinux-001 default]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

With the syntax check clean, restart or reload the configuration.

  [root@zyshanlinux-001 default]# /etc/init.d/nginx restart  ## restart, or
  [root@zyshanlinux-001 default]# /usr/local/nginx/sbin/nginx -s reload  ## reload

Test: whichever domain name is requested, as long as it resolves to this server, this default virtual host answers and the site is reachable.

  [root@zyshanlinux-001 default]# curl localhost  ## the original default page has been replaced by the one we configured
  This is a default site.
  [root@zyshanlinux-001 default]# ls  ## the index.html just created
  index.html
  [root@zyshanlinux-001 default]# curl -x127.0.0.1:80 aaa.com
  This is a default site.
  [root@zyshanlinux-001 default]# curl -x127.0.0.1:80 bbb.com
  This is a default site.
  [root@zyshanlinux-001 default]# curl -x127.0.0.1:80 ccc.com
  This is a default site.

Summary

There are two ways to define the default virtual host:

First, put it in the first position. How is that position decided? By character order of the file names, so make the file name start with 0 or a.

  [root@zyshanlinux-001 default]# cd /usr/local/nginx/conf/
  [root@zyshanlinux-001 conf]# ls
  fastcgi.conf            koi-utf             nginx.conf          scgi_params.default   win-utf
  fastcgi.conf.default    koi-win             nginx.conf.bak      uwsgi_params
  fastcgi_params          mime.types          nginx.conf.default  uwsgi_params.default
  fastcgi_params.default  mime.types.default  scgi_params         vhost
  [root@zyshanlinux-001 conf]# ls vhost/
  aaa.com.conf
  [root@zyshanlinux-001 conf]# tail nginx.conf
      tcp_nodelay on;
      gzip on;
      gzip_min_length 1k;
      gzip_buffers 4 8k;
      gzip_comp_level 5;
      gzip_http_version 1.1;
      gzip_types text/plain application/x-javascript text/css text/htm 
      application/xml;
      include vhost/*.conf;
  }

Second, add the special marker.

  [root@zyshanlinux-001 conf]# cat vhost/aaa.com.conf
  server
  {
      listen 80 default_server;   ## the special marker default_server
      server_name aaa.com;
      index index.html index.htm index.php;
      root /data/wwwroot/default;
  }

One more point: nginx.conf supports the include syntax.

  [root@zyshanlinux-001 conf]# tail nginx.conf
          tcp_nodelay on;
          gzip on;
          gzip_min_length 1k;
          gzip_buffers 4 8k;
          gzip_comp_level 5;
          gzip_http_version 1.1;
          gzip_types text/plain application/x-javascript text/css text/htm 
          application/xml;
          include vhost/*.conf;
      }
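How nginx picks the server block for a request, as an added example that is not part of the original post: a small parser reads vhost files in the sorted order that include vhost/*.conf produces (method 1 above relies on that order), and select_server applies the rules (exact server_name match, then default_server, then the first block in file order). The vhost texts below are constructed to mirror aaa.com.conf and test.com.conf from this page.

```python
import re
from dataclasses import dataclass


@dataclass
class ServerBlock:
    file: str
    names: list
    default_server: bool


def _server_bodies(text):
    """Yield the body of each top-level server { ... } block, honouring nested
    braces so a location { } inside a server does not end it early."""
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[start:j - 1]
        pos = j


def parse_vhosts(confs):
    """confs maps file name -> file text. Files are read in sorted name order,
    which is how nginx expands include vhost/*.conf; that order is what
    method 1 on the page (name the file so it sorts first) relies on."""
    blocks = []
    for fname in sorted(confs):
        for body in _server_bodies(confs[fname]):
            listen = re.search(r"^\s*listen\s+([^;]+);", body, re.M)
            names = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
            blocks.append(ServerBlock(
                file=fname,
                names=names.group(1).split() if names else [""],
                default_server=bool(listen and "default_server" in listen.group(1).split()),
            ))
    return blocks


def select_server(host_header, blocks):
    """Choose the server block for a request's Host header on one listen port:
    an exact server_name match wins; otherwise the block marked default_server;
    if none is marked, the first block in file order."""
    host = host_header.split(":", 1)[0].lower()
    for blk in blocks:
        if host in (n.lower() for n in blk.names):
            return blk
    for blk in blocks:
        if blk.default_server:
            return blk
    return blocks[0]


# Constructed sample vhost files mirroring the page's aaa.com.conf and test.com.conf.
VHOSTS = {
    "aaa.com.conf": """
server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
""",
    "test.com.conf": """
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    root /data/wwwroot/test.com;
    location /admin/
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
""",
}

if __name__ == "__main__":
    blocks = parse_vhosts(VHOSTS)
    for h in ("aaa.com", "test2.com", "bbb.com", "ccc.com:80"):
        print(h, "->", select_server(h, blocks).file)
```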

Nginx user authentication

1. For the whole site.

Create the test.com.conf virtual host

  [root@zyshanlinux-001 ~]# cd /usr/local/nginx/conf/
  [root@zyshanlinux-001 conf]# cd vhost/
  [root@zyshanlinux-001 vhost]# ls
  aaa.com.conf
  [root@zyshanlinux-001 vhost]# vim test.com.conf

Configuration file

  server
  {
      listen 80;
      server_name test.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
      
      location  /  ## user-authentication settings
      {
          auth_basic              "Auth";  ## realm name shown in the authentication prompt
          auth_basic_user_file   /usr/local/nginx/conf/htpasswd;  ## username/password file
      } 
  }

Generate the password file with Apache's htpasswd tool; if it is not installed, install it with yum install -y httpd.

  [root@zyshanlinux-001 vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd zyshan
  New password: 
  Re-type new password: 
  Adding password for user zyshan
  [root@zyshanlinux-001 vhost]# cat /usr/local/nginx/conf/htpasswd  ## view the generated password file
  zyshan:$apr1$Wfuh6a2Z$pXTYIGYug84CTiduJcK0..
  [root@zyshanlinux-001 vhost]# /usr/local/apache2.4/bin/htpasswd /usr/local/nginx/conf/htpasswd user1  ## no -c on the second run, otherwise the password file is reset (overwritten)
  New password: 
  Re-type new password: 
  Adding password for user user1
  [root@zyshanlinux-001 vhost]# cat /usr/local/nginx/conf/htpasswd
  zyshan:$apr1$Wfuh6a2Z$pXTYIGYug84CTiduJcK0..
  user1:$apr1$I/L6rpaC$Jc.tewej8VPa7YbpohfJ5.

Check the syntax and reload the configuration. The advantage of reload is that a configuration file with an error simply does not take effect, so the running configuration is not broken.

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 vhost]# 

Test:

Testing with curl returns 401: user authentication is required.

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com -I
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:20:39 GMT
  Content-Type: text/html
  Content-Length: 195
  Connection: keep-alive
  WWW-Authenticate: Basic realm="Auth"
  

Add the username and password and curl again: now a 404 error, because the site's document root has not been created yet.

  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com -I
  HTTP/1.1 404 Not Found
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:22:41 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  

The root directory really does not exist; create it and a new index.html inside it.

  [root@zyshanlinux-001 vhost]# ls /data/wwwroot/test.com
  ls: 無法訪問/data/wwwroot/test.com: 沒有那個文件或目錄
  [root@zyshanlinux-001 vhost]# mkdir /data/wwwroot/test.com
  [root@zyshanlinux-001 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html

Test succeeds with status code 200.

  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com -I
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:24:32 GMT
  Content-Type: text/html
  Content-Length: 9
  Last-Modified: Thu, 05 Jul 2018 11:24:21 GMT
  Connection: keep-alive
  ETag: "5b3dffe5-9"
  Accept-Ranges: bytes
  
  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com
  test.com

2. User authentication for a directory.

  [root@zyshanlinux-001 vhost]# !vim
  vim test.com.conf

Add the directory to the configuration file

  server
  {
      listen 80;
      server_name test.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      location  /admin/  ## directory that requires authentication
      {
          auth_basic              "Auth";
          auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
      }
  }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Create the test target page

  [root@zyshanlinux-001 vhost]# mkdir /data/wwwroot/test.com/admin
  [root@zyshanlinux-001 vhost]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html

Test:

curl without credentials gets 401 on the directory; with the username and password, authentication passes.

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com/admin/ -I
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:35:26 GMT
  Content-Type: text/html
  Content-Length: 195
  Connection: keep-alive
  WWW-Authenticate: Basic realm="Auth"
  
  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com/admin/
  test.com admin dir

3. Authentication for a specific URL

Modify the configuration

  [root@zyshanlinux-001 vhost]# !vim
  vim test.com.conf

Match (~) admin.php in the configuration

  server
  {
      listen 80;
      server_name test.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      location  ~ admin.php  ## match admin.php
      {
          auth_basic              "Auth";
          auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
      }
  }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Test: requesting admin.php returns 401

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com/admin/
  test.com admin dir
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com/admin.php
  <html>
  <head><title>401 Authorization Required</title></head>
  <body bgcolor="white">
  <center><h1>401 Authorization Required</h1></center>
  <hr><center>nginx/1.12.1</center>
  </body>
  </html>

Create the test target page

  [root@zyshanlinux-001 vhost]# vim /data/wwwroot/test.com/admin.php
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Test succeeds when the username and password are supplied.

  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com/admin.php
  <?php
  admin.php;

Summary:

location followed by "/" covers the whole site;

location followed by a directory covers that directory;

location followed by a "~" match covers a URL.

Nginx domain redirect

Modify the configuration file and add several domain names.

  [root@zyshanlinux-001 vhost]# vim test.com.conf
  server
  {
      listen 80;
      server_name test.com test2.com test3.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      if ($host != 'test.com' )
      {
          rewrite  ^/(.*)$  http://test.com/$1  permanent;
      }
  
  }
  

Test: status code 301, with Location: http://test.com/index.html redirecting to that address

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 12:41:14 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/index.html
  
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 12:42:49 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/admin/index.html
  

A domain that is not listed, such as test4.com, is served by the default virtual host aaa.com.conf, not by test.com.conf.

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test4.com/admin/index.html -I
  HTTP/1.1 404 Not Found
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 12:43:01 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  

Nginx access log

Log format

  vim /usr/local/nginx/conf/nginx.conf  ## search for log_format

  $remote_addr            client IP (public IP)
  $http_x_forwarded_for   proxy server IP
  $time_local             server local time
  $host                   requested host name (domain)
  $request_uri            requested URL
  $status                 status code
  $http_referer           referer
  $http_user_agent        user agent

Define a custom format name

  [root@zyshanlinux-001 vhost]# vim ../nginx.conf

Besides defining the log format in the main nginx.conf, the virtual host configuration file also needs this line added:

access_log /tmp/test.com.log zyshan;

Here zyshan is the name of the log format defined in nginx.conf.

  [root@zyshanlinux-001 vhost]# vim test.com.conf

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Test

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 13:08:40 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/admin/index.html
  
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test2.com/admin/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 13:08:49 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/admin/index.html
  
  [root@zyshanlinux-001 vhost]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:08:40 +0800] test3.com "/admin/index.html" 301 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:08:49 +0800] test2.com "/admin/index.html" 301 "-" "curl/7.29.0"

The log lines follow exactly the parameters defined in the format.
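A parser for this custom log format, as an added example that is not part of the original post. The regular expression assumes a log_format of `$remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"` (the page lists these fields but does not print the directive itself), and the sample lines are constructed to mirror /tmp/test.com.log; the helpers then count per-client status codes to surface repeated 401s against the auth_basic area and 403s from the hotlink rule.

```python
import re
from collections import Counter, defaultdict

# Assumed log_format (the page lists the fields, not the directive line).
LOG_FORMAT = ('$remote_addr $http_x_forwarded_for [$time_local] $host '
              '"$request_uri" $status "$http_referer" "$http_user_agent"')

LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<x_forwarded_for>.*?) '
    r'\[(?P<time_local>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample in the shape of the page's /tmp/test.com.log entries.
LOG_SAMPLE = """\
127.0.0.1 - [05/Jul/2018:21:08:40 +0800] test3.com "/admin/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
10.0.0.5 - [05/Jul/2018:22:10:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
10.0.0.5 - [05/Jul/2018:22:10:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
10.0.0.5 - [05/Jul/2018:22:10:03 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
10.0.0.5 - [05/Jul/2018:22:10:04 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
10.0.0.9 203.0.113.7 [05/Jul/2018:22:16:09 +0800] test.com "/1.gif" 403 "http://www.baidu.com/1.txt" "Mozilla/5.0"
this line is not in the expected format
"""


def parse_line(line):
    """One log line -> dict of fields, or None when it does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse a whole log; returns (records, number_of_unparseable_lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


def status_by_client(records):
    """{remote_addr: Counter({status: n})}."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["remote_addr"]][r["status"]] += 1
    return counts


def auth_failure_sources(records, threshold=3):
    """Clients that got 401 from the auth_basic-protected area at least
    `threshold` times: the signal to watch for password guessing."""
    counts = status_by_client(records)
    return sorted(ip for ip, st in counts.items() if st[401] >= threshold)


def hotlink_denials(records):
    """(client, referer) pairs for static-file requests the valid_referers rule rejected."""
    return [(r["remote_addr"], r["referer"])
            for r in records if r["status"] == 403 and r["referer"] != "-"]


if __name__ == "__main__":
    recs, bad = parse_log(LOG_SAMPLE)
    print(f"{len(recs)} records parsed, {bad} rejected")
    print("repeated 401 sources:", auth_failure_sources(recs))
    print("hotlink denials:", hotlink_denials(recs))
```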

Nginx log rotation

Nginx has no built-in log rotation tool; you must rely on the system or write your own rotation script.

Custom shell rotation script; by convention shell scripts go under /usr/local/sbin/.

  vim /usr/local/sbin/nginx_logrotate.sh
  
  #!/bin/bash
  # Rename yesterday's log files in $logdir and tell nginx to reopen its logs.
  d=$(date -d "-1 day" +%Y%m%d)
  logdir="/tmp/"
  nginx_pid="/usr/local/nginx/logs/nginx.pid"
  cd "$logdir" || exit 1
  for log in *.log
  do
      [ -f "$log" ] || continue   # no .log files: the glob stays literal, skip it
      mv "$log" "$log-$d"
  done
  # HUP makes the nginx master reopen its log files under the original names
  /bin/kill -HUP "$(cat "$nginx_pid")"

Test the script

  [root@zyshanlinux-001 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
  ++ date -d '-1 day' +%Y%m%d
  + d=20180704
  + logdir=/tmp/
  + nginx_pid=/usr/local/nginx/logs/nginx.pid
  + cd /tmp/
  ++ ls php_errors.log test.com.log
  + for log in '`ls *.log`'
  + mv php_errors.log php_errors.log-20180704
  + for log in '`ls *.log`'
  + mv test.com.log test.com.log-20180704
  ++ cat /usr/local/nginx/logs/nginx.pid
  + /bin/kill -HUP 1150
  [root@zyshanlinux-001 vhost]# ls /tmp/
  mysql.sock
  pear
  php_errors.log-20180704
  php-fcgi.sock
  systemd-private-8705ed05ba92468380893f87570920eb-chronyd.service-LjAKI3
  systemd-private-8705ed05ba92468380893f87570920eb-vgauthd.service-RZTfGw
  systemd-private-8705ed05ba92468380893f87570920eb-vmtoolsd.service-jg7ImD
  test.com.log
  test.com.log-20180704

Clean up old logs periodically: find logs older than 30 days and delete them. There are none yet, so rm complains about a missing operand; dropping the 30-day condition matches them straight away. Quote the -name pattern so the shell does not expand it before find sees it.

  [root@zyshanlinux-001 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 |xargs rm
  rm: 缺少操作數
  Try 'rm --help' for more information.
  [root@zyshanlinux-001 vhost]# find /tmp/ -name "*.log-*" -type f
  /tmp/php_errors.log-20180704
  /tmp/test.com.log-20180704

After writing the script, a cron job still needs to be added.

  [root@zyshanlinux-001 vhost]# crontab -e
  0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh

Static files: skip logging and set an expiry time

Configuration file: [root@zyshanlinux-001 vhost]# vim test.com.conf

  server
  {
      listen 80;
      server_name test.com test2.com test3.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      if ($host != 'test.com' )
      {
          rewrite  ^/(.*)$  http://test.com/$1  permanent;
      }
  
      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$  ## "|" means "or"; the leading "\." is escaped so the dot matches literally
      {
            expires      7d;   ## expiry time; can be fairly long
            access_log off;
      }
      location ~ .*\.(js|css)$
      {
            expires      12h;  ## can be shorter
            access_log off;
      }
  
      access_log /tmp/test.com.log zyshan;
  }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Create the test files

  [root@zyshanlinux-001 vhost]# cd /data/wwwroot/test.com/
  [root@zyshanlinux-001 test.com]# ls
  admin  admin.php  index.html
  [root@zyshanlinux-001 test.com]# vim 1.gif
  [root@zyshanlinux-001 test.com]# vim 2.js

Test that static files are not logged

  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/1.gif
  djfijdifjei
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/2.js
  djfkdjk
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/index.html
  test.com
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/index.html
  test.com
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/2.js
  djfkdjk
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/2.jshuh
  <html>
  <head><title>404 Not Found</title></head>
  <body bgcolor="white">
  <center><h1>404 Not Found</h1></center>
  <hr><center>nginx/1.12.1</center>
  </body>
  </html>
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:51 +0800] test.com "/2.jshuh" 404 "-" "curl/7.29.0"

Test the expiry time

  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 -I test.com/2.js
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 13:55:49 GMT
  Content-Type: application/javascript
  Content-Length: 8
  Last-Modified: Thu, 05 Jul 2018 13:49:35 GMT
  Connection: keep-alive
  ETag: "5b3e21ef-8"
  Expires: Fri, 06 Jul 2018 01:55:49 GMT
  Cache-Control: max-age=43200  ## expiry time (43200 s = 12 h), set by expires 12h; for .js files in the configuration
  Accept-Ranges: bytes
  

Modify the configuration file

  [root@zyshanlinux-001 test.com]# vi /usr/local/nginx/conf/vhost/test.com.conf
  #         expires      12h;  ## comment out this line

The expiry headers disappear

  [root@zyshanlinux-001 test.com]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 test.com]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 -I test.com/2.js
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:00:20 GMT
  Content-Type: application/javascript
  Content-Length: 8
  Last-Modified: Thu, 05 Jul 2018 13:49:35 GMT
  Connection: keep-alive
  ETag: "5b3e21ef-8"
  Accept-Ranges: bytes

Nginx hotlink protection

Modify the configuration file: [root@zyshanlinux-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf

  location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
  {
      expires 7d;
      valid_referers none blocked server_names  *.test.com ;  ## whitelist of allowed referers
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
  }

Test

  [root@zyshanlinux-001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
  HTTP/1.1 403 Forbidden
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:17:44 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  
  [root@zyshanlinux-001 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:17:20 GMT
  Content-Type: image/gif
  Content-Length: 12
  Last-Modified: Thu, 05 Jul 2018 13:49:22 GMT
  Connection: keep-alive
  ETag: "5b3e21e2-c"
  Expires: Thu, 12 Jul 2018 14:17:20 GMT
  Cache-Control: max-age=604800
  Accept-Ranges: bytes
  
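How the valid_referers line above is evaluated, as an added example that is not part of the original post: referer_is_valid models the none, blocked and server_names keywords plus "*.suffix" / "prefix.*" wildcard names (regex names and names with a path part are not modelled), and static_file_status maps the result to the 200/403 seen in the curl tests. SERVER_NAMES is taken from the test.com vhost on this page.

```python
import re
from urllib.parse import urlsplit

# The directive from the page and the vhost's server_name list.
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
SERVER_NAMES = ["test.com", "test2.com", "test3.com"]


def _host_matches(host, pattern):
    """One valid_referers name: plain host, "*.suffix" or "prefix.*"."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])       # "*.test.com" needs the ".test.com" suffix
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])    # "test.*" matches "test.com", "test.org"
    return host == pattern


def referer_is_valid(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty for this Referer header."""
    tokens = [t.lower() for t in valid]
    if not referer:
        return "none" in tokens                 # header absent
    ref = referer.strip()
    if not re.match(r"^https?://", ref, re.IGNORECASE):
        return "blocked" in tokens              # header present but scheme stripped by a proxy or firewall
    host = (urlsplit(ref).hostname or "").lower()
    names = [t for t in tokens if t not in ("none", "blocked", "server_names")]
    if "server_names" in tokens:
        names += [n.lower() for n in server_names]
    return any(_host_matches(host, p) for p in names)


def static_file_status(referer):
    """Status the page's location block returns for a static file that exists:
    403 when $invalid_referer is set, otherwise 200."""
    return 200 if referer_is_valid(referer) else 403


if __name__ == "__main__":
    for r in ("http://www.baidu.com/1.txt", "http://www.test.com/1.txt", None,
              "http://evil-test.com/", "http://test.com.evil.org/"):
        print(repr(r), "->", static_file_status(r))
```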

Nginx access control

Configuration file: vi /usr/local/nginx/conf/vhost/test.com.conf, add the following section

Apache's allow and deny are order-dependent, and the last one decides whether the result is allow or deny; nginx matches from top to bottom and stops at the first rule that matches.

1. Access control for a directory:

      location /admin/
      {
          allow 127.0.0.1;
          allow 192.168.106.128;
          deny all;
      }
      
      access_log /tmp/test.com.log zyshan;
  }
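The first-match rule described above, as an added example that is not part of the original post: parse_access_rules pulls the allow/deny lines out of a location block and nginx_access_allowed evaluates them the way ngx_http_access_module does (first matching rule decides; no match means allowed). The location text is constructed from the directory rule on this page; CIDR targets are handled via the ipaddress module.

```python
import ipaddress
import re


def parse_access_rules(location_body):
    """Pull (action, target) pairs out of a location body, in file order."""
    return re.findall(r"\b(allow|deny)\s+([^;\s]+)\s*;", location_body)


def nginx_access_allowed(client_ip, rules):
    """ngx_http_access_module semantics: rules are tested top to bottom and the
    first one whose address, CIDR or 'all' matches decides; no match = allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action == "allow"
        net = ipaddress.ip_network(target, strict=False)
        # an IPv4 rule never matches an IPv6 client and vice versa
        if ip.version == net.version and ip in net:
            return action == "allow"
    return True


# Constructed text of the directory rule from this page.
ADMIN_LOCATION = """
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.106.128;
    deny all;
}
"""

if __name__ == "__main__":
    rules = parse_access_rules(ADMIN_LOCATION)
    for ip in ("127.0.0.1", "192.168.106.128", "192.168.106.129", "::1"):
        print(ip, "->", "allowed" if nginx_access_allowed(ip, rules) else "denied (403)")
```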

Whitelist test

  [root@zyshanlinux-001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:28:46 GMT
  Content-Type: text/html
  Content-Length: 19
  Last-Modified: Thu, 05 Jul 2018 11:35:20 GMT
  Connection: keep-alive
  ETag: "5b3e0278-13"
  Accept-Ranges: bytes
  
  [root@zyshanlinux-001 ~]# curl -x192.168.106.128:80 -I test.com/admin/
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:29:47 GMT
  Content-Type: text/html
  Content-Length: 19
  Last-Modified: Thu, 05 Jul 2018 11:35:20 GMT
  Connection: keep-alive
  ETag: "5b3e0278-13"
  Accept-Ranges: bytes
  
  [root@zyshanlinux-001 ~]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:51 +0800] test.com "/2.jshuh" 404 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:16:09 +0800] test.com "/1.git" 404 "http://www.bai.du/1.txt" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:16:34 +0800] test.com "/1.git" 404 "http://www.test.com/1.txt" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:28:46 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:29:28 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
  192.168.106.128 - [05/Jul/2018:22:29:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

2. Access control by regular expression

Modify the configuration: vi /usr/local/nginx/conf/vhost/test.com.conf, add the following section

      location ~ .*(upload|image)/.*\.php$
      {
          deny all;
      }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload

Test

  [root@zyshanlinux-001 ~]# mkdir /data/wwwroot/test.com/upload
  [root@zyshanlinux-001 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 -I test.com/upload/1.php
  HTTP/1.1 403 Forbidden
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:43:31 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  
  [root@zyshanlinux-001 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt
  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 -I test.com/upload/1.txt
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:44:13 GMT
  Content-Type: text/plain
  Content-Length: 5
  Last-Modified: Thu, 05 Jul 2018 14:44:08 GMT
  Connection: keep-alive
  ETag: "5b3e2eb8-5"
  Accept-Ranges: bytes
  

3. Restricting by user_agent

Modify the configuration: vi /usr/local/nginx/conf/vhost/test.com.conf, add the following section

      if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
      {
        return 403;
      }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload

Test

  [root@zyshanlinux-001 ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
  HTTP/1.1 403 Forbidden
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:50:23 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  

deny all and return 403 have the same effect.

Because the configuration matches case-sensitively, a lowercase tomatoa... user agent gets status code 200.

  [root@zyshanlinux-001 ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:53:27 GMT
  Content-Type: text/plain
  Content-Length: 5
  Last-Modified: Thu, 05 Jul 2018 14:44:08 GMT
  Connection: keep-alive
  ETag: "5b3e2eb8-5"
  Accept-Ranges: bytes
  

To ignore case, modify the configuration by adding * after the match operator (~):

      if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
      {
        return 403;
      }

Configuring Nginx to parse PHP

1. Listening on a socket

Modify the configuration: vi /usr/local/nginx/conf/vhost/test.com.conf, add the following section

      location ~ \.php$
      {
          include fastcgi_params;
          fastcgi_pass unix:/tmp/php-fcgi.sock;  ## this path must be correct, otherwise a 502 error is returned
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
      }
  ## fastcgi_pass specifies the address or socket that php-fpm listens on

Before testing, create a PHP file

  [root@zyshanlinux-001 ~]# vi /data/wwwroot/test.com/3.php
  <?php
  phpinfo();

Test PHP parsing before reloading the configuration: it cannot be parsed, and the source is returned as-is.

  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 test.com/3.php
  <?php
  phpinfo();

Reload the configuration and test again: it succeeds and the page source is returned; in a browser this renders as a nicely formatted table.

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 test.com/3.php
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml"><head>
  <style type="text/css">
  body {background-color: #fff; color: #222; font-family: sans-serif;}
  pre {margin: 0; font-family: monospace;}
  a:link {color: #009; text-decoration: none; background-color: #fff;}
  a:hover {text-decoration: underline;}
  table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
  .center {text-align: center;}
  .center table {margin: 1em auto; text-align: left;}
  .center th {text-align: center !important;}
  td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
  h1 {font-size: 150%;}
  ...

Pay special attention:

The fastcgi_pass unix:/tmp/php-fcgi.sock; path in /usr/local/nginx/conf/vhost/test.com.conf must match listen = /tmp/php-fcgi.sock in /usr/local/php-fpm/etc/php-fpm.conf.

2. Listening on an IP and port instead of a socket.

Modify the configuration: vi /usr/local/php-fpm/etc/php-fpm.conf

  [global]
  pid = /usr/local/php-fpm/var/run/php-fpm.pid
  error_log = /usr/local/php-fpm/var/log/php-fpm.log
  [www]
  #listen = /tmp/php-fcgi.sock  ## no longer listening on the socket
  listen = 127.0.0.1:9000  ## added line: listen on IP and port instead
  listen.mode = 666
  user = php-fpm
  group = php-fpm
  pm = dynamic
  pm.max_children = 50
  pm.start_servers = 20
  pm.min_spare_servers = 5
  pm.max_spare_servers = 35
  pm.max_requests = 500
  rlimit_files = 1024

Modify vi /usr/local/nginx/conf/vhost/test.com.conf so that it matches the IP and port above

      location ~ \.php$
      {
          include fastcgi_params;
          #fastcgi_pass unix:/tmp/php-fcgi.sock;
          fastcgi_pass 127.0.0.1:9000;  ## must match php-fpm.conf
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
      }

Before reloading the configuration, check the listening ports:

  [root@zyshanlinux-001 ~]# netstat -lntp
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1228/nginx: master  
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1095/sshd           
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1451/master         
  tcp6       0      0 :::22                   :::*                    LISTEN      1095/sshd           
  tcp6       0      0 ::1:25                  :::*                    LISTEN      1451/master         
  tcp6       0      0 :::3306                 :::*                    LISTEN      1411/mysqld

After reloading the configuration, php-fpm also needs to be reloaded with /etc/init.d/php-fpm reload; the listening IP and port then appear.

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 ~]# /etc/init.d/php-fpm reload  ## php-fpm needs to be restarted
  Reload service php-fpm  done
  [root@zyshanlinux-001 ~]# netstat -lntp
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1228/nginx: master  
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1095/sshd           
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1451/master         
  tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      2119/php-fpm: maste 
  tcp6       0      0 :::22                   :::*                    LISTEN      1095/sshd           
  tcp6       0      0 ::1:25                  :::*                    LISTEN      1451/master         
  tcp6       0      0 :::3306                 :::*                    LISTEN      1411/mysqld

Test succeeds.

  [root@zyshanlinux-001 ~]# !curl
  curl -x127.0.0.1:80 test.com/3.php
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml"><head>
  <style type="text/css">
  body {background-color: #fff; color: #222; font-family: sans-serif;}
  pre {margin: 0; font-family: monospace;}
  a:link {color: #009; text-decoration: none; background-color: #fff;}
  a:hover {text-decoration: underline;}
  table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
  .center {text-align: center;}
  .center table {margin: 1em auto; text-align: left;}
  .center th {text-align: center !important;}
  td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
  h1 {font-size: 150%;}
  h2 {font-size: 125%;}

Summary:

When a 502 appears:

1. Check that listen in php-fpm.conf corresponds to the fastcgi_pass path in test.com.conf.

2. The root /data/wwwroot/test.com; path in /usr/local/nginx/conf/vhost/test.com.conf must match fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.

3. The socket file srw-rw-rw- 1 root root 0 7月 7 21:47 /tmp/php-fcgi.sock must have the permissions set by listen.mode = 666.

4. When php-fpm has exhausted its resources a 502 also appears; tuning is then needed.
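A configuration checker for causes 1 to 3 of the summary, as an added example that is not part of the original post: it reads the active listen= from php-fpm.conf and the active fastcgi_pass, root and SCRIPT_FILENAME from the vhost (commented lines ignored), compares them, and checks the socket file's mode against listen.mode when a unix socket is used. The config texts below are constructed from the two variants shown on this page; `$document_root$fastcgi_script_name` is accepted as the equivalent form of the SCRIPT_FILENAME value.

```python
import re
import stat


def php_fpm_listen(conf_text):
    """Active listen= value of the php-fpm pool (commented lines skipped)."""
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith(("#", ";")):
            continue
        m = re.match(r"listen\s*=\s*(\S+)", s)
        if m:
            return m.group(1)
    return None


def php_fpm_listen_mode(conf_text):
    """listen.mode= parsed as octal, or None if not set."""
    m = re.search(r"^\s*listen\.mode\s*=\s*([0-7]+)", conf_text, re.M)
    return int(m.group(1), 8) if m else None


def nginx_fastcgi_pass(vhost_text):
    """Active fastcgi_pass target of the vhost (commented lines skipped)."""
    for line in vhost_text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        m = re.match(r"fastcgi_pass\s+([^;\s]+)\s*;", s)
        if m:
            return m.group(1)
    return None


def nginx_root_and_script_filename(vhost_text):
    root = re.search(r"^\s*root\s+([^;]+);", vhost_text, re.M)
    sf = re.search(r"^\s*fastcgi_param\s+SCRIPT_FILENAME\s+([^;]+);", vhost_text, re.M)
    return (root.group(1).strip() if root else None,
            sf.group(1).strip() if sf else None)


def check_502_causes(php_fpm_conf, vhost_conf, socket_st_mode=None):
    """Findings for causes 1-3 of the summary. socket_st_mode is os.stat(path).st_mode
    of the socket file when php-fpm uses a unix socket; None skips that check."""
    findings = []
    listen = php_fpm_listen(php_fpm_conf)
    target = nginx_fastcgi_pass(vhost_conf)
    uses_socket = bool(listen) and listen.startswith("/")
    expected = "unix:" + listen if uses_socket else listen
    if target != expected:
        findings.append(f"cause 1: php-fpm listens on {listen!r} but nginx fastcgi_pass is {target!r}")
    root, sf = nginx_root_and_script_filename(vhost_conf)
    ok_values = {f"{root}$fastcgi_script_name", "$document_root$fastcgi_script_name"}
    if root and sf and sf not in ok_values:
        findings.append(f"cause 2: SCRIPT_FILENAME {sf!r} does not match root {root!r}")
    if uses_socket and socket_st_mode is not None:
        want = php_fpm_listen_mode(php_fpm_conf)
        if want is not None and stat.S_IMODE(socket_st_mode) != want:
            findings.append(f"cause 3: socket mode {stat.S_IMODE(socket_st_mode):o} differs from listen.mode {want:o}")
    return findings


# Constructed config fragments mirroring the socket and TCP variants on the page.
PHP_FPM_SOCK = "[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\nuser = php-fpm\n"
PHP_FPM_TCP = "[www]\n#listen = /tmp/php-fcgi.sock\nlisten = 127.0.0.1:9000\nlisten.mode = 666\n"
VHOST_SOCK = """
root /data/wwwroot/test.com;
location ~ \\.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
"""
VHOST_TCP = VHOST_SOCK.replace("fastcgi_pass unix:/tmp/php-fcgi.sock;",
                               "#fastcgi_pass unix:/tmp/php-fcgi.sock;\n    fastcgi_pass 127.0.0.1:9000;")

if __name__ == "__main__":
    # 0o140666 is the st_mode of a socket file with rw-rw-rw- permissions
    print(check_502_causes(PHP_FPM_SOCK, VHOST_SOCK, 0o140666) or "socket setup consistent")
    print(check_502_causes(PHP_FPM_TCP, VHOST_SOCK))
```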

Nginx proxy

Go to the target directory

  [root@zyshanlinux-001 ~]# cd /usr/local/nginx/conf/vhost

Create the proxy configuration file proxy.conf with the following content.

  server
  {
      listen 80;
      server_name ask.apelearn.com;  ## proxied domain name
  
      location /
      {
          proxy_pass      http://121.201.9.155/;  ## proxy target IP
          proxy_set_header Host   $host;
          proxy_set_header X-Real-IP      $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
  }

Test

  [root@zyshanlinux-001 vhost]# curl ask.apelearn.com/robots.txt
  #
  # robots.txt for MiWen
  #
  
  User-agent: *
  
  Disallow: /?/admin/
  Disallow: /?/people/
  Disallow: /?/question/
  Disallow: /account/
  Disallow: /app/
  Disallow: /cache/
  Disallow: /install/
  Disallow: /models/
  Disallow: /crond/run/
  Disallow: /search/
  Disallow: /static/
  Disallow: /setting/
  Disallow: /system/
  Disallow: /tmp/
  Disallow: /themes/
  Disallow: /uploads/
  Disallow: /url-*
  Disallow: /views/
  Disallow: /*/ajax/

Testing the proxy target through the local IP fails

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt

Analysis: the IP address of ask.apelearn.com has probably changed. Use dig ask.apelearn.com to look up its current IP address and repeat the experiment. Install dig with: yum install -y bind*

  [root@zyshanlinux-001 vhost]# yum install -y bind*
  [root@zyshanlinux-001 vhost]# dig ask.apelearn.com
  
  ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> ask.apelearn.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50873
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;ask.apelearn.com.      IN  A
  
  ;; ANSWER SECTION:
  ask.apelearn.com.   189 IN  A   223.94.95.10  ## the IP obtained
  
  ;; Query time: 42 msec
  ;; SERVER: 119.29.29.29#53(119.29.29.29)
  ;; WHEN: 六 7月 07 22:06:48 CST 2018
  ;; MSG SIZE  rcvd: 61
  
  [root@zyshanlinux-001 vhost]# vi proxy.conf  ## change the proxied IP
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt  ## successfully reached the proxy target through the local IP
  #
  # robots.txt for MiWen
  #
  
  User-agent: *
  
  Disallow: /?/admin/
  Disallow: /?/people/
  Disallow: /?/question/
  Disallow: /account/
  Disallow: /app/
  Disallow: /cache/
  Disallow: /install/
  Disallow: /models/
  Disallow: /crond/run/
  Disallow: /search/
  Disallow: /static/
  Disallow: /setting/
  Disallow: /system/
  Disallow: /tmp/
  Disallow: /themes/
  Disallow: /uploads/
  Disallow: /url-*
  Disallow: /views/
  Disallow: /*/ajax/

Further reading:

nginx.conf configuration explained http://www.ha97.com/5194.html

http://my.oschina.net/duxuefeng/blog/34880

The four nginx rewrite flags http://www.netingcn.com/nginx-rewrite-flag.html http://unixman.blog.51cto.com/10163040/1711943

502 problem roundup http://ask.apelearn.com/question/9109

location priority http://blog.lishiming.net/?p=100

Recommended by the live-class instructor:

break and last in rewrite https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md

nginx location priority https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md

Nginx reverse proxy configuration https://coding.net/u/aminglinux/p/nginx/git/blob/master/proxy/f_proxy.md
