51: nginx hotlink protection | access control | PHP parsing configuration | nginx proxy

1. nginx hotlink protection

(1): Edit the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: the hotlink-protection configuration has to be combined with the "no access log" and expiry settings, because all of them live in the same location block.

[root@localhost_001 vhost]# vim test.com.conf 
[root@localhost_001 vhost]# cat !$
cat test.com.conf
server
{
    listen 80;
    server_name www.test.com bbs.test.com test1.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'www.test.com' ) {
        rewrite  ^/(.*)$  http://www.test.com/$1  permanent;
    } 
    access_log /tmp/test.com.log combined_realip;
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$           # match files with the gif|jpg|jpeg|png|bmp|swf suffixes
    #{
    #     expires      7d;                          # expire after 7 days
    #     access_log off;                           # no access log for files matching ".*.(gif|jpg|jpeg|png|bmp|swf)"
    #}
# added configuration for hotlink protection ------------------------------
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {   
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;   # define which referers are whitelisted
    if ($invalid_referer) {                                  # not in the whitelist: return status 403
        return 403;
    }   
    access_log off;
    } 
# end of hotlink protection configuration ---------------------------------
    
location ~ .*\.(js|css)$
    {
          expires      12h;                           # expire after 12 hours
          access_log off;                             # no access log for files matching ".*.(js|css)"
# added configuration for hotlink protection ------------------------------
     valid_referers none blocked server_names  *.test.com ;            # define a whitelist; the referers are domain names
    if ($invalid_referer) {                                            # not in the whitelist
        return 403;                                                    # return 403
    }
# end of hotlink protection configuration ---------------------------------
    }

}

Note: the added configuration is really three lines: first define a whitelist of referer domains; when the referer of a request is not in that whitelist, return a 403 error.

(2): Check the configuration file for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Test: use curl with -e to specify the referer

[root@localhost_001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Tue, 16 Oct 2018 10:44:17 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@localhost_001 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: image/jpeg
Content-Length: 780831
Last-Modified: Tue, 14 Jul 2009 05:32:31 GMT
Connection: keep-alive
ETag: "4a5c186f-bea1f"

Note: the request curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg returns 403 Forbidden;

while curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg returns 200 OK, which shows that the hotlink protection works.
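The referer rules above are easy to misread, so here is an added example (my own code, not from the original post and not nginx source) that emulates how nginx turns `valid_referers none blocked server_names *.test.com;` into `$invalid_referer`, using the server_name list from the vhost. It covers the two curl -e tests from the page plus the cases a practitioner usually asks about: no Referer at all, a Referer whose scheme was stripped by a proxy, a domain listed only in server_names, mixed case, and look-alike domains. It models hostname-only entries; nginx also accepts entries with a URI prefix, which are not handled here. The Referer is chosen by the client, as the curl -e tests themselves show, so this control deters casual hotlinking rather than a deliberate downloader.

```python
"""Emulation of how nginx evaluates `valid_referers` to set `$invalid_referer`.

Added example, not nginx code. It assumes the directive from the vhost above:
    valid_referers none blocked server_names *.test.com;
with server_name www.test.com bbs.test.com test1.com.
"""
from urllib.parse import urlsplit

SERVER_NAMES = ["www.test.com", "bbs.test.com", "test1.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def host_matches(host, pattern):
    """Compare a referer host with one valid_referers entry, case-insensitively.
    A leading '*.' matches any subdomain but not the bare apex domain (nginx wildcard rule)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """Return True when nginx would set $invalid_referer for this Referer value.
    `referer` is the raw header value, or None when the header is absent."""
    if referer is None:
        return "none" not in valid            # 'none' allows requests without a Referer
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid         # 'blocked' allows a Referer with its scheme stripped
    host = urlsplit(referer).hostname or ""
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if any(host_matches(host, name) for name in server_names):
                return False
        elif host_matches(host, entry):
            return False
    return True


def status_for(referer):
    """Status the location block above would return for a hotlink-protected file."""
    return 403 if invalid_referer(referer) else 200


# Constructed sample Referer values, including the two curl -e tests from the page.
SAMPLES = [
    "http://www.baidu.com/1.txt",   # foreign site: hotlink -> 403
    "http://www.test.com/1.txt",    # own site -> 200
    None,                           # no Referer at all (direct visit, curl without -e) -> 200
    "www.test.com/1.txt",           # scheme stripped by a proxy: 'blocked' -> 200
    "http://test1.com/page",        # not *.test.com, but listed in server_names -> 200
    "https://IMG.TEST.COM/x",       # case-insensitive subdomain match -> 200
    "http://evil-test.com/x",       # '-test.com' is not '.test.com' -> 403
    "http://test.com/",             # apex domain: not covered by *.test.com -> 403
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):32} -> {status_for(ref)}")
```

If the apex domain should also be allowed, add `test.com` as its own entry rather than relying on the wildcard.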

2. nginx access control

Requirement: only a few IP addresses may access the /admin/ directory.

(1): Edit the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

要增長的訪問控制代碼

location /admin/
{
    allow 192.168.180.134;            # whitelist
    allow 127.0.0.1;                  # whitelist
    deny all;                         # deny everyone else
}

增長後配置文件內容以下

[root@localhost_001 vhost]# cat test.com.conf 
server
{
    listen 80;
    server_name www.test.com bbs.test.com test1.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'www.test.com' ) {
        rewrite  ^/(.*)$  http://www.test.com/$1  permanent;
    } 
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$       # match files with the gif|jpg|jpeg|png|bmp|swf suffixes
    {
          expires      7d;        # expire after 7 days
          access_log off;        # no access log for files matching ".*.(gif|jpg|jpeg|png|bmp|swf)"
    valid_referers none blocked server_names  *.test.com ;             # define a whitelist; the referers are domain names
     if ($invalid_referer) {                                           # not in the whitelist
        return 403;                                                    # return 403
    }
    }
location ~ .*\.(js|css)$
    {
          expires      12h;        # expire after 12 hours
          access_log off;        # no access log for files matching ".*.(js|css)"
     valid_referers none blocked server_names  *.test.com ;            # define a whitelist; the referers are domain names
    if ($invalid_referer) {                                            # not in the whitelist
        return 403;                                                    # return 403
    }
    }
# added access control configuration ---------------------------------------
    location /admin/
    {
    allow 192.168.149.130;            # whitelist
    allow 127.0.0.1;                  # whitelist
    deny all;                         # deny everyone else
    }
# end of access control configuration --------------------------------------
    access_log /tmp/test.com.log combined_realip;
}

(2): Check the configuration file syntax for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Create the admin directory and a test file

[root@localhost_001 vhost]# mkdir /data/wwwroot/test.com/admin
[root@localhost_001 vhost]# echo "test.test" > /data/wwwroot/test.com/admin/index.html

(4): Test with curl; a referer needs to be added as well;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: text/html
[root@localhost_001 vhost]# curl -e "http://www.test.com/1.txt" -x192.168.149.129:80 www.test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7T
Content-Type: text/html
Content-Length: 10

(5): Check the log (/tmp/test.com.log): the visitor IP 192.168.149.129 appears; because it is allowed (it is in the whitelist), the status code shown is 200 OK

[root@localhost_001 vhost]# tail /tmp/test.com.log

127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"

Note: now access it from a browser whose IP is 192.168.149.135:

Looking at the log, the visitor IP 192.168.149.135 got 403 Forbidden;

[root@localhost_001 tmp]# tail test.com.log
127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.149.135 - [16/Oct/2018:19:08:59 +0800] www.test.com "/admin/index.html" 403 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
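As an added example (not from the original post), the following emulates nginx's allow/deny evaluation for the /admin/ block (rules are tested in file order, the first match wins, and with no matching rule nginx allows) and then audits a few constructed combined_realip lines, modelled on the log format shown above, for /admin/ requests that were served to an address the rules would deny. The rule list uses 192.168.149.129, the address the test above treats as whitelisted, and the anomalous line from 10.0.0.5 is constructed.

```python
"""Two defender-side checks for the /admin/ allow/deny rules above.

Added example, not part of the original post. It emulates ngx_http_access_module's
allow/deny evaluation and audits constructed combined_realip log lines for /admin/
requests that were served to an address outside the allowlist.
"""
import ipaddress
import re

# Rules in file order: (action, source). 'all' matches everything.
# 192.168.149.129 is the address the page's test treats as whitelisted (constructed rule list).
ADMIN_RULES = [
    ("allow", "192.168.149.129"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

# combined_realip line as shown on the page:
# <ip> - [<time>] <host> "<uri>" <status> "<referer>" "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] (?P<host>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def access_decision(client_ip, rules):
    """Return 'allow' or 'deny' the way nginx would: first matching rule wins.
    Sources may be single addresses or CIDR blocks; 'all' matches any address."""
    addr = ipaddress.ip_address(client_ip)
    for action, source in rules:
        if source == "all" or addr in ipaddress.ip_network(source, strict=False):
            return action
    return "allow"  # nginx allows when no rule matches


def parse_log_line(line):
    """Parse one combined_realip line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_admin_access(lines, rules, prefix="/admin/"):
    """Flag successful (2xx) requests under `prefix` whose client IP the rules would deny.
    A hit means the rules are not being applied (wrong location block, stale reload, ...)."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec or not rec["uri"].startswith(prefix):
            continue
        if rec["status"].startswith("2") and access_decision(rec["ip"], rules) == "deny":
            findings.append((rec["ip"], rec["uri"], rec["status"]))
    return findings


# Constructed log lines in the page's combined_realip format; the last one is the anomaly.
SAMPLE_LOG = [
    '127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"',
    '192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"',
    '192.168.149.135 - [16/Oct/2018:19:08:59 +0800] www.test.com "/admin/index.html" 403 "-" "Mozilla/5.0"',
    '192.168.149.135 - [16/Oct/2018:19:10:00 +0800] www.test.com "/index.html" 200 "-" "Mozilla/5.0"',
    '10.0.0.5 - [16/Oct/2018:19:20:00 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.149.129", "192.168.149.135", "10.0.0.5"):
        print(f"{ip:16} -> {access_decision(ip, ADMIN_RULES)}")
    print("suspicious:", audit_admin_access(SAMPLE_LOG, ADMIN_RULES))
```

Running the audit over the real /tmp/test.com.log after each reload is a cheap way to confirm the block is in effect, since a location that is mistyped or shadowed by another one fails silently.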

 

Regex matching: disabling PHP parsing in upload directories

Sites get hacked and their database contents stolen because the image upload directory did not restrict PHP parsing, which ends in tragedy;

Note: every directory that accepts uploads must have PHP parsing disabled.

(1): Open the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: add it above the line access_log /tmp/test.com.log combined_realip;

location ~ .*(upload|image)/.*\.php$      # match anything under an upload or image directory that ends in .php
{
        deny all;              # deny all of it
}

(2): Check the configuration file for errors and reload it;

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Create the upload directory and a PHP file in it for testing;

[root@localhost_001 vhost]# mkdir /data/wwwroot/test.com/upload
[root@localhost_001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@localhost_001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.txt

(4): Test with curl;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/upload/1.txt
11111

Note: the PHP file in the upload directory is denied, while 1.txt is still accessible;

The access log shows the request for /upload/1.php was denied while 1.txt was served normally;

[root@localhost_001 vhost]# tail /tmp/test.com.log
127.0.0.1 - [17/Oct/2018:10:42:15 +0800] www.test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [17/Oct/2018:10:42:19 +0800] www.test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

 

user_agent restrictions

Your site is under a CC attack, or you want to keep certain spiders out. If the site is meant to stay hidden and not show up in searches, block the spiders of Baidu, Google, Youdao and so on: with no spider crawling the site and the URL given to nobody, nobody can find the site, because it is hidden;

(1): Open the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: add it above the line access_log /tmp/test.com.log combined_realip;

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

Note: return 403 and deny all have the same effect;

(2): Check the configuration file for errors and reload it;

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Test by using curl -A "Tomato" to simulate the user_agent; the status code is 403;

 

[root@localhost_001 test.com]# curl -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:53:37 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Wed, 17 Oct 2018 02:41:33 GMT
Connection: keep-alive
ETag: "5bc6a15d-6"
Accept-Ranges: bytes
[root@localhost_001 test.com]# curl -A "Tomato" -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:53:51 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

Note: because the match is strict (case-sensitive), if the user_agent is changed to lowercase the status code is 200 again;

To ignore case, add * after the match operator in the virtual host configuration file;

[root@localhost_001 vhost]# vim test.com.conf 
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }

Check the configuration file and reload the service;

[root@localhost_001 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 test.com]# /usr/local/nginx/sbin/nginx -s reload

Test again: now it is 403 Forbidden;

[root@localhost_001 vhost]# !curl
curl -A "tomato" -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:59:56 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
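The upload/image deny block and the user_agent check above both depend on two nginx rules that are easy to get wrong: regex locations are tried in the order they appear in the file and the first match wins, and `~` is case-sensitive while `~*` is not. The following added example (my own code, not from the original post and not nginx) models both rules over the location table built up in this post and the user_agent pattern used above; the sample URIs and user agents are constructed.

```python
"""How nginx picks among regex locations, and why `~` vs `~*` matters.

Added example, not nginx code. Regex locations (`~` case-sensitive, `~*` case-insensitive)
are tried in configuration-file order and the first match wins; the same operators apply to
`if ($http_user_agent ~ ...)`. The patterns are the ones used in the sections above.
"""
import re


def first_matching_location(uri, locations):
    """Return the name of the first regex location whose pattern matches `uri`, or None.
    `locations` is a list of (modifier, pattern, name) in configuration-file order."""
    for modifier, pattern, name in locations:
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, uri, flags):
            return name
    return None


def user_agent_blocked(user_agent, pattern="Spider/3.0|YoudaoBot|Tomato", ignore_case=False):
    """Emulate `if ($http_user_agent ~ '...') { return 403; }` (`~*` when ignore_case)."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, user_agent, flags) is not None


# File order as built up in this post: the upload/image deny block precedes the PHP fastcgi
# block, so a PHP file under an upload directory hits 'deny' first.
SAFE_ORDER = [
    ("~", r".*(upload|image)/.*\.php$", "deny_upload_php"),
    ("~", r"\.php$", "fastcgi_php"),
]
# The same two blocks the other way round: the fastcgi block now shadows the deny block.
UNSAFE_ORDER = list(reversed(SAFE_ORDER))
# Variant with `~*`, so mixed-case directory or extension names are treated the same way.
SAFE_ORDER_CI = [("~*", SAFE_ORDER[0][1], "deny_upload_php"), ("~*", r"\.php$", "fastcgi_php")]


def decide(uri, locations):
    """Map a URI to what nginx would do with it under the given location order."""
    name = first_matching_location(uri, locations)
    return {"deny_upload_php": "403", "fastcgi_php": "run php", None: "static file"}[name]


if __name__ == "__main__":
    for uri in ("/upload/1.php", "/upload/1.txt", "/image/a.php", "/images/a.php",
                "/Upload/1.PHP", "/index.php"):
        print(f"{uri:16} safe={decide(uri, SAFE_ORDER):12} unsafe={decide(uri, UNSAFE_ORDER):12} "
              f"ci={decide(uri, SAFE_ORDER_CI)}")
    for ua in ("Tomato", "tomato", "curl/7.29.0"):
        print(f"{ua:12} ~:{user_agent_blocked(ua)}  ~*:{user_agent_blocked(ua, ignore_case=True)}")
```

Two things the run makes visible: the pattern only matches a directory literally named upload or image, so /images/a.php falls through to the fastcgi block, and the alternation should list the directory names the application actually uses; and with the case-sensitive `~`, /Upload/1.PHP matches neither block and is served as a static file, so consider `~*` for the deny block as the user_agent section does for its check. Keep the deny block ahead of the `\.php$` block whichever way it is written.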

 

nginx configuration for parsing PHP

Note: test.com.conf cannot parse PHP yet; add the following to the configuration file;

(1): Open the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: add it above the line access_log /tmp/test.com.log combined_realip;

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;        # if this path is wrong, you get a 502;
# the line above specifies the fastcgi listen address; it can be a socket or 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; # path of the requested script file    
    }

(2): Create a PHP file to be parsed in the document root /data/wwwroot/test.com/;

[root@localhost_001 vhost]# vim /data/wwwroot/test.com/2.php
[root@localhost_001 vhost]# cat /data/wwwroot/test.com/2.php 
<?php
phpinfo();
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<?php
phpinfo();

After the test request, the source code comes back: it is not being parsed yet, because the configuration has not been reloaded;

(3): Now check the syntax and reload the service;

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(4): Request 2.php in the document root again; it is parsed correctly now;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php  -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 03:09:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

Note: if fastcgi_pass unix:/tmp/php-fcgi.sock; in the virtual host configuration is misspelled, the status code is 502, meaning the sock was not found;

Change one letter of that path and request 2.php again: status code 502 is returned

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 03:18:54 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive

Look at nginx's error log; it says no such file or directory

[root@localhost_001 vhost]# cat /usr/local/nginx/logs/nginx_error.log 
2018/10/17 11:18:54 [crit] 1522#0: *26 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "HEAD HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "www.test.com"

Note: when nginx returns a 502, check that the socket or IP address you configured is correct, then read the error log and check whether the file it names exists;

Note: whatever listen method is defined in the php-fpm configuration file /usr/local/php-fpm/etc/php-fpm.conf is what must be written in the nginx configuration;

[root@localhost_001 vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]               
pid = /usr/local/php-fpm/var/run/php-fpm.pid                
error_log = /usr/local/php-fpm/var/log/php-fpm.log        
[www]                    
listen = /tmp/php-fcgi.sock  # must match the path in the nginx virtual host;      
listen.mode = 666       
user = php-fpm        
group = php-fpm             
[root@localhost_001 vhost]# vim  test.com.conf
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-cgi.sock;   # must match the php-fpm configuration; if this path is wrong, you get a 502;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

Note: these two places must be identical, otherwise a 502 error is returned;

Another 502 case: suppose we do not listen on a socket but on IP + port;

(1): Edit the php-fpm configuration file /usr/local/php-fpm/etc/php-fpm.conf

Comment out listen = /tmp/php-fcgi.sock and add listen = 127.0.0.1:9000

[root@localhost_001 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost_001 vhost]# cat !$
cat /usr/local/php-fpm/etc/php-fpm.conf
[global]               
pid = /usr/local/php-fpm/var/run/php-fpm.pid                
error_log = /usr/local/php-fpm/var/log/php-fpm.log        
[www]                    
#listen = /tmp/php-fcgi.sock        
listen = 127.0.0.1:9000
listen.mode = 666       
user = php-fpm        
group = php-fpm             
pm = dynamic                    
pm.max_children = 50            
pm.start_servers = 20                       
pm.min_spare_servers = 5           
pm.max_spare_servers = 35       
pm.max_requests = 500

(2): Check php-fpm and restart it (reload is supported too);

[root@localhost_001 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[17-Oct-2018 11:52:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@localhost_001 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

(3): Check the listening ports; it now listens on IP + port;

[root@localhost_001 vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      831/nginx: master p 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      780/sshd            
tcp        0      0 0.0.0.0:56888           0.0.0.0:*               LISTEN      780/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      962/master          
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1599/php-fpm: maste 
tcp6       0      0 :::22                   :::*                    LISTEN      780/sshd            
tcp6       0      0 :::56888                :::*                    LISTEN      780/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      962/master          
tcp6       0      0 :::3306                 :::*                    LISTEN      1028/mysqld

(4): Request 2.php again; a 502 error is returned;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

(5): Look at the error log; it still reports an error;

[root@localhost_001 vhost]# tail /usr/local/nginx/logs/nginx_error.log 
2018/10/17 11:54:55 [crit] 1541#0: *28 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "GET HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "www.test.com"

6: Now modify the virtual host configuration file /usr/local/nginx/conf/vhost/test.com.conf: comment out the unix line and change it to 127.0.0.1:9000

[root@localhost_001 vhost]# vim test.com.conf 
In the php block, comment out the unix line and add the IP and port
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;

7: Check the syntax and reload the configuration file;

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

8: Request 2.php again; it works now;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 04:00:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

Note: on a 502, check whether the fastcgi_pass in the nginx virtual host configuration matches the address configured in php-fpm;

Note: the path /data/wwwroot/test.com$fastcgi_script_name in fastcgi_param SCRIPT_FILENAME must correspond to the root /data/wwwroot/test.com; at the top of the configuration file;

Another 502 case: PHP 5.4 and later versions have a particular feature:

In the php-fpm configuration file (/usr/local/php-fpm/etc/php-fpm.conf) there is a setting listen.mode = 666, which gives every user read and write permission on the socket file (/tmp/php-fcgi.sock);

nginx runs as the user nobody. For nginx to work with PHP, nobody must have read/write permission on the socket file. If this line is commented out, the default permission is 660 (as the ls output below shows), which gives ordinary users no access, so nobody cannot open the file and a 502 error is shown; as follows:

1: First, in the php-fpm configuration file (/usr/local/php-fpm/etc/php-fpm.conf) comment out listen.mode = 666; (listening on the socket /tmp/php-fcgi.sock)

[root@localhost_001 vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]               
pid = /usr/local/php-fpm/var/run/php-fpm.pid                
error_log = /usr/local/php-fpm/var/log/php-fpm.log        
[www]                    
listen = /tmp/php-fcgi.sock        
#listen = 127.0.0.1:9000
#listen.mode = 666       
user = php-fpm        
group = php-fpm             
pm = dynamic                    
pm.max_children = 50            
pm.start_servers = 20                       
pm.min_spare_servers = 5           
pm.max_spare_servers = 35       
pm.max_requests = 500        
rlimit_files = 1024

(2): Check and restart php-fpm;

[root@localhost_001 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[17-Oct-2018 12:22:32] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@localhost_001 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

(3): Look at /tmp/php-fcgi.sock: its owner and group are root and the permission is 660;

[root@localhost_001 vhost]# ls -la /tmp/php-fcgi.sock 
srw-rw---- 1 root root 0 10月 17 12:29 /tmp/php-fcgi.sock

(4): Requesting 2.php now gives status code 502;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

(5): nginx's error log reports Permission denied;

[root@localhost_001 vhost]# tail /usr/local/nginx/logs/nginx_error.log 
2018/10/17 12:30:46 [crit] 1753#0: *40 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "GET HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "www.test.com"

Note: the sock file's default permission is 660: root can read and write it, and so can root's group, but ordinary users cannot;

Note: since nginx works with PHP, it is nginx's user that opens /tmp/php-fcgi.sock; let's see which user nginx runs as;

[root@localhost_001 vhost]# ps aux |grep nginx
root        831  0.0  0.0  25636  1824 ?        Ss   10:23   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     1752  0.0  0.1  27328  3588 ?        S    12:28   0:00 nginx: worker process
nobody     1753  0.0  0.2  27328  3840 ?        S    12:28   0:00 nginx: worker process
root       1799  0.0  0.0 112720   972 pts/0    R+   12:33   0:00 grep --color=auto nginx

Note: as shown above, the nginx workers run as the user nobody, and nobody, as an ordinary user, has no permission on /tmp/php-fcgi.sock;

(6): Temporarily change the ownership of /tmp/php-fcgi.sock so that nobody has read and write permission;

[root@localhost_001 vhost]# chown nobody /tmp/php-fcgi.sock 
[root@localhost_001 vhost]# ls -al /tmp/php-fcgi.sock 
srw-rw---- 1 nobody root 0 10月 17 12:29 /tmp/php-fcgi.sock

(7): Test again; the status code is now 200 OK;

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 04:37:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

Note: this works because nobody now has read/write permission and can open /tmp/php-fcgi.sock;
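The two 502 causes walked through above (a socket path that does not exist, and a socket the worker user is not allowed to open) can both be predicted from the socket file's stat() data before touching nginx. The following added example (my own code, not from the original post, not nginx or php-fpm) does that check the way the kernel does, using the worker's uid and primary gid; supplementary groups and the permissions of the containing directory are ignored, which is an assumption. The demo creates a throwaway socket in a temporary directory and uses a made-up uid/gid to stand in for nobody, so it runs without a real server.

```python
"""Preflight check for the fastcgi_pass socket: reproduce the ENOENT and EACCES cases above.

Added example, not nginx or php-fpm code. Permission is decided from the mode bits for the
worker's uid and primary gid only (supplementary groups ignored; an assumption).
"""
import os
import socket
import stat
import tempfile


def socket_access(path, worker_uid, worker_gid):
    """Predict what connect() to the unix socket at `path` returns for a worker running with
    that uid and primary gid: 'ENOENT', 'ENOTSOCK', 'EACCES' or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "ENOENT"                  # e.g. php-cgi.sock configured while php-fpm created php-fcgi.sock
    if not stat.S_ISSOCK(st.st_mode):
        return "ENOTSOCK"
    if worker_uid == 0:
        return "ok"                      # root is not subject to the mode bits
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == worker_uid:
        bits = (mode >> 6) & 0o7         # owner class
    elif st.st_gid == worker_gid:
        bits = (mode >> 3) & 0o7         # group class
    else:
        bits = mode & 0o7                # everyone else (nobody, in the page's setup)
    # Linux requires write permission on the socket file to connect() to it (see unix(7))
    return "ok" if bits & 0o2 else "EACCES"


def demo():
    """Walk through the page's cases on a throwaway socket: 660 owned by someone else -> EACCES,
    chown to the worker -> ok, listen.mode = 666 -> ok for anyone, wrong path -> ENOENT."""
    me_uid, me_gid = os.getuid(), os.getgid()
    worker = 99 if 99 not in (me_uid, me_gid) else 98   # constructed stand-in for nobody's uid/gid
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "php-fcgi.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)                   # creates the socket file, as php-fpm does on start
        try:
            os.chmod(path, 0o660)        # php-fpm's default when listen.mode is commented out
            results["660, other user"] = socket_access(path, worker, worker)
            results["660, owner"] = socket_access(path, me_uid, worker)   # after chown to the worker
            os.chmod(path, 0o666)        # what listen.mode = 666 produces
            results["666, other user"] = socket_access(path, worker, worker)
            results["wrong path"] = socket_access(os.path.join(tmp, "php-cgi.sock"), worker, worker)
            plain = os.path.join(tmp, "not-a-socket")
            open(plain, "w").close()
            results["regular file"] = socket_access(plain, worker, worker)
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```

Two practical notes on the fix shown above: chown on the socket file is temporary, because php-fpm recreates the socket on every restart, and php-fpm's listen.owner and listen.group settings give the worker user access without opening the socket to everyone as listen.mode = 666 does.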

nginx proxy function;

Users need to reach a web server but for various reasons cannot reach it, or only slowly (a private network, or access from abroad), so a proxy that can reach the web server is needed, and users go through the proxy server;

(1): First create a file in the /usr/local/nginx/conf/vhost/ directory;

[root@localhost_001 vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;                       # the domain name: the forum site to proxy
    location /
    {
        proxy_pass      http://121.201.9.155/;         # the forum's IP address
        proxy_set_header Host   $host;                   # Host header sent upstream = $host = server_name ask.apelearn.com
        proxy_set_header X-Real-IP      $remote_addr; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Note: there is no root in this configuration, because it is a proxy server and does not need to access any files on the local server;

Once this is configured, this virtual machine can reach ask.apelearn.com;

(2): Check the configuration file for errors and reload it;

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Verify that the proxy works by sending the request through the local IP address;

[root@localhost_001 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt
User-agent: *
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/

Note: robots.txt is a list of indexing rules for spiders; most sites have one;

Note: normally, without this proxy configured, it would not be possible to reach the remote site via the local machine;
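The three proxy_set_header lines in proxy.conf decide what the upstream learns about the real client, so as an added example (my own code, not from the original post, not nginx) here is what those headers look like after the proxy and how the upstream should read them back. `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever X-Forwarded-For the client already sent, which means everything to the left of the proxy's own entry was supplied by the client; the upstream should therefore walk the list from the right and skip only the proxies it trusts. The trusted-proxy address, the sample requests and the upstream-side function are constructed.

```python
"""What the proxy_set_header lines above do, and how the upstream should read them.

Added example, not nginx code. proxied_headers() builds the headers the vhost forwards;
client_ip() is the upstream-side rule for recovering the client address safely.
"""
import ipaddress


def proxied_headers(client_headers, remote_addr, server_name="ask.apelearn.com"):
    """Headers the vhost above forwards to http://121.201.9.155/ for one client request."""
    out = dict(client_headers)
    out["Host"] = server_name                        # proxy_set_header Host $host
    out["X-Real-IP"] = remote_addr                   # proxy_set_header X-Real-IP $remote_addr
    existing = client_headers.get("X-Forwarded-For")
    # $proxy_add_x_forwarded_for: "<existing>, <remote_addr>" or just "<remote_addr>"
    out["X-Forwarded-For"] = f"{existing}, {remote_addr}" if existing else remote_addr
    return out


def client_ip(upstream_headers, remote_addr, trusted_proxies):
    """Address the upstream should log as the client, given who connected to it (remote_addr)
    and the proxies it trusts. Values not added by a trusted proxy are not believed."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr                           # direct connection: ignore the headers entirely
    hops = [h.strip() for h in upstream_headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr                       # garbage in the header: fall back to the peer
        if not is_trusted(hop):
            return hop                               # first address not appended by one of our proxies
    return remote_addr


PROXY_IP = "192.0.2.10"          # constructed: the proxy host's address as the upstream sees it
TRUSTED = [PROXY_IP]

if __name__ == "__main__":
    honest = proxied_headers({"User-Agent": "curl/7.29.0"}, "198.51.100.7")
    spoofed = proxied_headers({"X-Forwarded-For": "1.2.3.4"}, "198.51.100.7")
    for h in (honest, spoofed):
        print(h["X-Forwarded-For"], "->", client_ip(h, PROXY_IP, TRUSTED))
```

The spoofed case is the one to keep in mind: a client that sends its own X-Forwarded-For gets "1.2.3.4, 198.51.100.7" delivered to the upstream, and an upstream that takes the leftmost entry logs the made-up address. X-Real-IP carries only `$remote_addr` and is simpler to trust, but only from a proxy you control.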
