Default virtual host, Nginx user authentication, Nginx PHP parsing configuration, Nginx proxy

Nginx default virtual host

  • First edit nginx.conf and delete everything under server

vim /usr/local/nginx/conf/nginx.conf

*Delete the block below*
    server
    
    {
        listen 80;
        server_name localhost;
        index index.html index.htm index.php;
        root /usr/local/nginx/html;
        location ~ \.php$
        {
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        }
    }
  • Then add the line include vhost/*.conf; below the gzip settings, before the closing brace
gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm
    application/xml;
    *Add this line*
    include vhost/*.conf;

}
  • Create the vhost directory: mkdir /usr/local/nginx/conf/vhost
  • Then go into it and create aaa.com.conf
[root@aminglinux-01 conf]# cd vhost/
[root@aminglinux-01 vhost]# vim aaa.com.conf
  • Edit aaa.com.conf
server
{
    listen 80 default_server;  # this flag marks the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
  • Create /data/wwwroot/default and put some content in it
[root@aminglinux-01 vhost]# mkdir -p  /data/wwwroot/default
[root@aminglinux-01 vhost]# cd /data/wwwroot/default/

vim index.html and write: This is the default site.

  • Check for syntax errors: /usr/local/nginx/sbin/nginx -t
[root@aminglinux-01 default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-01 default]#
  • Reload: /usr/local/nginx/sbin/nginx -s reload
  • Test with curl localhost; the correct result is:
[root@aminglinux-01 conf]# curl localhost
This is the default site.

Nginx user authentication

  • vim /usr/local/nginx/conf/vhost/test.com.conf and write the following:
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    
    location  /
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
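  • Then install the package that provides the password-file tool: yum install -y httpd
  • Generate the password (-c creates the file, so use it only when adding the first user)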
[root@aminglinux-01 vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd aming
New password: 
Re-type new password: 
Adding password for user aming
[root@aminglinux-01 vhost]#
  • Test the configuration with -t, then reload
  • Test
[root@aminglinux-01 vhost]# curl -x192.168.245.130:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@aminglinux-01 vhost]#

401 means access was denied. Try again with the user name and password: curl -uaming:123456 -x192.168.245.130:80 test.com

[root@aminglinux-01 vhost]# curl -uaming:123456 -x192.168.245.130:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@aminglinux-01 vhost]#

The 404 is because the document root for test.com has not been created yet

[root@aminglinux-01 vhost]# mkdir /data/wwwroot/test.com
[root@aminglinux-01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@aminglinux-01 vhost]# curl -uaming:123456 -x192.168.245.130:80 test.com
test.com
[root@aminglinux-01 vhost]#
  • To require authentication only for a particular file or directory, edit test.com.conf under vhost
location  /admin/      # put the file or directory to restrict right after "location"
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }

Nginx domain redirection

  • Modify test.com.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}
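  • server_name accepts several domain names; compare this with how httpd does it

  • permanent means a permanent redirect with status code 301; writing redirect instead gives 302

  • In ^/(.*)$, the leading ^ anchors the match at the start of the request URI, that is, immediately after the domain name,

  • and /(.*)$ captures everything that follows the domain name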


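Nginx access log

  • Log format

vim /usr/local/nginx/conf/nginx.conf and search for log_format

$remote_addr                client IP (public IP)
$http_x_forwarded_for       proxy server IP
$time_local                 server local time
$host                       host name requested (domain name)
$request_uri                requested URL
$status                     status code
$http_referer               referer
$http_user_agent            user_agent
  • Besides defining the log format in the main configuration file nginx.conf, you also need to add access_log /tmp/1.log combined_realip; to the virtual host configuration file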
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

location  /
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
    access_log /tmp/1.log combined_realip;

}

Here combined_realip is the name of the log format defined in nginx.conf

Check and reload: -t && -s reload

Test: curl -x192.168.245.130:80 test.com -I

cat /tmp/1.log

[root@aminglinux-01 vhost]# curl -x192.168.245.130:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Sat, 21 Oct 2017 01:25:36 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

[root@aminglinux-01 vhost]# cat /tmp/1.log 
192.168.245.130 - [21/Oct/2017:09:25:36 +0800] test.com "/" 401 "-" "curl/7.29.0"
[root@aminglinux-01 vhost]#
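
An added example (not part of the original post): a detection pass over this log format that counts 401 responses per client, tying the access log to the Basic authentication configured earlier. The log_format line is inferred from the sample log entry above, the function names auth_failures and sample_log are hypothetical, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: list clients with repeated Basic-auth failures (401) in an
# access log written in the combined_realip format.
# Assumed log_format, inferred from the sample log line on this page:
#   $remote_addr $http_x_forwarded_for [$time_local] $host
#   "$request_uri" $status "$http_referer" "$http_user_agent"

# auth_failures LOGFILE THRESHOLD   (LOGFILE "-" reads standard input)
# Prints "ip failures success" for every client with at least THRESHOLD
# 401 responses; success is "yes" if a 2xx followed once the threshold
# was reached.
auth_failures() {
    awk -F'"' -v min="$2" '
    {
        # Splitting on the double quote is safe: nginx logs a literal quote
        # inside a variable as \x22, so quotes only ever delimit fields.
        # Key on $remote_addr (first token), never on X-Forwarded-For,
        # which the client controls and which may contain spaces.
        split($1, head, " ")
        ip = head[1]
        status = $3 + 0    # the text between "$request_uri" and "$http_referer"
        if (status == 401)
            fails[ip]++
        else if (status >= 200 && status < 300 && (ip in fails) && fails[ip] >= min)
            success[ip] = 1
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min)
                printf "%s %d %s\n", ip, fails[ip], ((ip in success) ? "yes" : "no")
    }' "$1" | sort
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.168.245.130 - [21/Oct/2017:09:25:36 +0800] test.com "/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:26:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.7 10.0.0.1, 127.0.0.1 [21/Oct/2017:09:26:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:26:03 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:26:04 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
198.51.100.9 - [21/Oct/2017:09:27:00 +0800] test.com "/" 401 "-" "Mozilla/5.0"
198.51.100.9 - [21/Oct/2017:09:27:05 +0800] test.com "/" 200 "-" "Mozilla/5.0"
EOF
}

sample_log | auth_failures - 3
```

Against the real log the call would be auth_failures /tmp/1.log 3; a "yes" in the last column marks a client whose failures were followed by a successful request.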

Nginx log rotation

Because nginx has no built-in rotation tool, you need to write a shell script

  • Write the following into the script: vim /usr/local/sbin/nginx_logrotate.sh
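#!/bin/bash
# Rotate the nginx logs in $logdir, tagging them with yesterday's date.
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd "$logdir" || exit 1
for log in `ls *.log`
do
    mv "$log" "$log-$d"
done
# Signal the master process; after the reload nginx writes to new log files.
/bin/kill -HUP `cat $nginx_pid`
# Do not keep a trailing "~" line here (vim shows it for empty lines): bash
# expands it to $HOME and tries to run it, which is the "/root" error
# reported for line 11 in the test run below.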
  • Run a test
[root@aminglinux-01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20171020
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls 1.log
+ for log in '`ls *.log`'
+ mv 1.log 1.log-20171020
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 850
+ /root
/usr/local/sbin/nginx_logrotate.sh:行11: /root: 是一個目錄
[root@aminglinux-01 vhost]# ls /tmp/
1.log  1.log-20171020  mysql.sock  pear  php-fcgi.sock  systemd-private-b9931a4a12de47bfa443a28713c6f410-vmtoolsd.service-Fu8IIH
[root@aminglinux-01 vhost]#

Disabling access logs and setting expiry times for static files

  • Configuration: [root@aminglinux-01 vhost]# vim test.com.conf and add the following
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
          expires      7d;
          access_log off;
    }
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }

Nginx anti-hotlinking

  • Edit: vi /usr/local/nginx/conf/vhost/test.com.conf

First comment out the earlier configuration

#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }

Add the anti-hotlinking configuration

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

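Nginx access control

  • Requirement: requests for the /admin/ directory are allowed from only a few specific IPs. The configuration is as follows:

Add this configuration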

location /admin/
   {
    allow 127.0.0.1;
    allow 192.168.245.130;
    deny all;
   }

Only addresses listed with allow get through. Everything else is denied.

[root@aminglinux-01 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@aminglinux-01 ~]# mkdir /data/wwwroot/test.com/admin/
[root@aminglinux-01 ~]# echo 「test,test」>/data/wwwroot/test.com/admin/1.html
[root@aminglinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@aminglinux-01 ~]# curl -x192.168.245.130:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Oct 2017 04:21:33 GMT
Content-Type: text/html
Content-Length: 16
Last-Modified: Tue, 24 Oct 2017 04:19:08 GMT
Connection: keep-alive
ETag: "59eebf3c-10"
Accept-Ranges: bytes
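  • Disable PHP parsing in directories that accept uploads.

Add this block, placing it before the location ~ \.php$ block: nginx uses the first regex location that matches, in configuration-file order.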

location ~ .*(abc|image)/.*\.php$
{
        deny all;
}
  • Restrict by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

Nginx PHP parsing configuration

  • Configure PHP parsing as follows:

vi /usr/local/nginx/conf/vhost/test.com.conf and add

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

Nginx proxy

With the following configuration, ask.apelearn.com can be accessed through this machine

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}