LNMP Architecture (Ⅱ): nginx configuration and nginx proxy

LNMP Architecture (Ⅱ)

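6. Nginx default virtual host

Nginx also has a default virtual host. As with httpd, the first virtual host Nginx loads is the default one. Unlike httpd, Nginx also has a setting that marks a virtual host as the default; in other words, if no host carries this mark, the first virtual host is the default.

Edit the main configuration file nginx.conf: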

[root@ying01 ~]# cd /usr/local/nginx/conf/
[root@ying01 conf]# vim /usr/local/nginx/conf/nginx.conf

See the figure below for the specific changes:

Create the vhost directory and a new default virtual host configuration file, aaa.com.conf:

[root@ying01 conf]# pwd
/usr/local/nginx/conf
[root@ying01 conf]# mkdir vhost               # create the vhost directory
[root@ying01 conf]# cd vhost/
[root@ying01 vhost]# ls
[root@ying01 vhost]# vim aaa.com.conf

The contents of aaa.com.conf:

server
    {
        listen 80 default_server;                  # marks this as the default virtual host
        server_name aaa.com;                       # host name aaa.com
        index index.html index.htm index.php;      # index pages
        root /data/wwwroot/default;                # site directory of the default virtual host
    }

Create the default site directory:

[root@ying01 vhost]# mkdir /data/wwwroot/default
[root@ying01 vhost]# cd /data/wwwroot/default/
[root@ying01 default]# vim index.html                    # create index.html

The contents of index.html:

this is the default site.

Check the syntax and reload the configuration, then test the site; any domain name now lands on the default host's site:

[root@ying01 default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 default]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 default]# curl localhost                   # request the host
this is the default site.
[root@ying01 default]# curl -x127.0.0.1:80 aaa.com      # request the host name aaa.com
this is the default site.
[root@ying01 default]# curl -x127.0.0.1:80 ddd.com      # any domain name lands on the default host
this is the default site.
[root@ying01 default]# curl -x127.0.0.1:80 qq.com
this is the default site.

View the main configuration file:

[root@ying01 default]# tail /usr/local/nginx/conf/nginx.conf
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm 
    application/xml;
    include vhost/*.conf;
}

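The last line includes the default host's configuration. The default host's configuration could also be placed directly below it; the effect is the same.

include vhost/*.conf acts as a module that holds the virtual hosts' configuration.

7. Nginx user authentication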

[root@ying01 default]# cd -
/usr/local/nginx/conf/vhost
[root@ying01 vhost]# ls
aaa.com.conf
[root@ying01 vhost]# vim test.com.conf

The added configuration:

server
{
   listen 80;
   server_name test.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;                   # site directory

   location /
     {
       auth_basic         "Auth";
       auth_basic_user_file  /usr/local/nginx/conf/htpasswd;
     }
}

Create users:

Nginx does not ship its own tool for creating users, so we borrow the one from httpd. If it is not installed, install it with yum install -y httpd; it is already installed on this machine, so we run it directly:

[root@ying01 vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd ying
New password:                                                        //the password is set to www123
Re-type new password: 
Adding password for user ying
[root@ying01 vhost]# cat /usr/local/nginx/conf/htpasswd              # view the generated password file
ying:$apr1$I3caHAA/$wMALhLwm.1FKdqqJQZj0h0

[root@ying01 vhost]# /usr/local/apache2.4/bin/htpasswd  /usr/local/nginx/conf/htpasswd feng  # create another user
New password: 
Re-type new password: 
Adding password for user feng
[root@ying01 vhost]# cat /usr/local/nginx/conf/htpasswd             # the file now holds two password entries
ying:$apr1$JRTvjHxp$idElRt2smV.wCQImpZ04w0
feng:$apr1$7kZQZ4VM$2O8ncLmdmqAsyrcvrZ3tH.
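
An added example (not part of the original article): a shell function that audits an htpasswd file like the one created above, reporting each entry's hash scheme and whether the file is world-readable. The weak/ok/review labels, the function names and the sample entries are this example's own constructions; stat -c assumes GNU coreutils.

```shell
#!/bin/bash
# Added example: audit an nginx auth_basic_user_file.
# The labels (weak/ok/review) are this example's judgement, not nginx output.

audit_htpasswd() {
    local file="$1" mode
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # One line per entry: "<user> <scheme> <label>"
    awk -F: '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        h = $2
        if      (index(h, "$apr1$") == 1)  s = "apr1-md5 weak"
        else if (index(h, "{PLAIN}") == 1) s = "plaintext weak"
        else if (index(h, "{SHA}") == 1)   s = "sha1-unsalted weak"
        else if (index(h, "{SSHA}") == 1)  s = "sha1-salted weak"
        else if (h ~ /^\$2[abxy]\$/)       s = "bcrypt ok"       # needs crypt() support on the host
        else if (h ~ /^\$[56]\$/)          s = "sha2-crypt ok"   # needs crypt() support on the host
        else if (length(h) == 13)          s = "des-crypt weak"
        else                               s = "unknown review"
        print $1, s
    }' "$file"

    # Only the nginx worker user needs to read this file.
    mode=$(stat -c %a "$file")
    case "$mode" in
        *[4567]) echo "mode $mode world-readable" ;;
        *)       echo "mode $mode restricted" ;;
    esac
}

# Constructed sample entries (placeholder hashes, not real credentials).
sample_htpasswd() {
    cat <<'EOF'
# constructed sample
alice:$apr1$SALTSALT$constructedplaceholderhash
bob:$6$constructedsalt$constructedplaceholderhash
carol:{PLAIN}constructed-password
EOF
}
```

Run it as audit_htpasswd /usr/local/nginx/conf/htpasswd; the entries created above use the $apr1$ scheme.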

Testing

Before testing, check for syntax errors and reload the configuration:

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com 
<html>
<head><title>401 Authorization Required</title></head>   //401 returned: user authentication is required
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 11:52:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

Test the host with user credentials

[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@ying01 vhost]# ls /data/wwwroot/test.com
ls: 沒法訪問/data/wwwroot/test.com: 沒有那個文件或目錄
[root@ying01 vhost]# mkdir /data/wwwroot/test.com
[root@ying01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com
test.com
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 12:02:26 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Thu, 05 Jul 2018 11:58:32 GMT
Connection: keep-alive
ETag: "5b3e07e8-9"
Accept-Ranges: bytes

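Sometimes we need to require authentication for a particular directory or page rather than for the whole site, so we change the configuration file:

[root@ying01 vhost]# vim test.com.conf 

The changed configuration: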

server
{
   listen 80;
   server_name test.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;

   location  /admin/                            # note: the /admin/ directory was added
     {
       auth_basic         "Auth";
       auth_basic_user_file  /usr/local/nginx/conf/htpasswd;
     }
}

Test the directory

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@ying01 vhost]# mkdir /data/wwwroot/test.com/admin
[root@ying01 vhost]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com/admin/
test.com admin dir
[root@ying01 vhost]# vim test.com.conf 

The changed configuration:

server
{
   listen 80;
   server_name test.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;

   location  ~ admin.php          # note the change here: this stands for the admin.php file under the root directory
     {
       auth_basic         "Auth";
       auth_basic_user_file  /usr/local/nginx/conf/htpasswd;
     }
}
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com/admin/             # no authentication is required now
test.com admin dir
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com/admin.php            
<html>
<head><title>401 Authorization Required</title></head>                //authentication is required now
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

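Summary:

  • location /: authentication for the whole directory tree

Authentication can also be applied to a single directory or URL, for example:

  • location /admin/: authentication for the admin directory
  • location ~ admin.php: authentication for a particular requested URL

auth_basic_user_file: the user authentication file

8. Nginx domain redirection

When a site has several domain names, its ranking weight is diluted. But some people already rely on the earlier domains and we cannot notify everyone of the new site, so we pick one primary domain and have all the others 302-redirect to it!

[root@ying01 vhost]# vim test.com.conf 

The changed configuration: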

server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
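       rewrite ^/(.*)$  http://test.com/$1 permanent;   # permanent redirect
   }
}

permanent: permanent redirect, i.e. 301

redirect: temporary redirect, 302

In the Nginx configuration, server_name can be followed by several domain names. permanent is a permanent redirect, equivalent to httpd's R=301; the other commonly used flag, redirect, is equivalent to httpd's R=302.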

[root@ying01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 12:38:40 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html           //redirected to test.com

[root@ying01 vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 12:38:47 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
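Location: http://test.com/index.html           //redirected to test.com

[root@ying01 vhost]# curl -x127.0.0.1:80 www.baidu.com/index.html    # goes to the default virtual host

9. Nginx logs

9.1 Nginx access log

Nginx log variables:

Variable                 Meaning
$remote_addr             client IP (public IP)
$http_x_forwarded_for    IP of the proxy server
$time_local              server local time
$host                    requested host name (domain)
$request_uri             requested URL
$status                  status code
$http_referer            referer
$http_user_agent         user_agent

The log format is defined in the main nginx configuration file. combined_realip is the name of the log format; the name can be customized, and here it is set to ying.

[root@ying01 vhost]# vim ../nginx.conf

In the main nginx configuration file, define the log format name as shown in the figure below

In the virtual host configuration file, define the log path and the format name:

[root@ying01 vhost]# vim test.com.conf 

The changed configuration:
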
server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }
   access_log /tmp/test.com.log ying;           # log path and log format name
}

After checking and reloading the configuration, test:

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test3.com/index.html -I 
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 13:02:43 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html            

[root@ying01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I 
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 13:02:47 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html

[root@ying01 vhost]# cat /tmp/test.com.log              # view the generated log
127.0.0.1 - [05/Jul/2018:21:02:43 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"   //the fields follow the order of the log format
127.0.0.1 - [05/Jul/2018:21:02:47 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"
[root@ying01 vhost]#
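
An added example (not part of the original article): a shell function that summarises 401 and 403 responses per client from a log in the format shown above, and marks clients whose repeated 401s on a URI were later followed by a 200 on the same URI. The field layout is inferred from the two sample log lines; the function names, the threshold and the sample lines are constructed for this example.

```shell
#!/bin/bash
# Added example: triage of 401/403 responses in the "ying" access log.
# Assumed layout (inferred from the sample lines above):
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"

denied_by_client() {
    # $1 = log file, $2 = minimum number of 401 or 403 responses to report
    awk -v min="${2:-3}" '
    {
        # Splitting on the double quote is safe because nginx writes a
        # literal quote inside a logged variable as \x22.
        n = split($0, q, "\"")
        if (n < 7) { bad++; next }            # not in the expected format
        split(q[1], head, " ")
        ip = head[1]                          # $remote_addr, the TCP peer
        uri = q[2]
        status = q[3]; gsub(/ /, "", status)

        if (status == "401" || status == "403") {
            hits[ip " " status]++
            if (status == "401") challenged[ip, uri] = 1
        } else if (status == "200" && ((ip, uri) in challenged)) {
            passed[ip] = 1                    # same URI later answered 200
        }
    }
    END {
        for (k in hits) {
            if (hits[k] < min) continue
            split(k, f, " ")
            note = (f[2] == "401" && (f[1] in passed)) ? " then-200" : ""
            print k, hits[k] note
        }
        if (bad) print bad " unparsed line(s)" > "/dev/stderr"
    }' "$1" | sort
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
192.0.2.10 - [06/Jul/2018:10:00:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:10:00:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:10:00:03 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:10:00:04 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
198.51.100.7 - [06/Jul/2018:10:01:00 +0800] test.com "/upload/1.php" 403 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 203.0.113.5, 10.0.0.1 [06/Jul/2018:10:01:05 +0800] test.com "/index.html" 200 "http://test.com/" "Mozilla/5.0 (X11; Linux x86_64)"
127.0.0.1 - [06/Jul/2018:10:02:00 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
truncated line without quoted fields
EOF
}
```

A browser normally receives one 401 before the user enters credentials, so keep the threshold above 1 when looking for password guessing.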

9.2 Nginx log rotation

Unlike Apache, Nginx has no log rotation tool of its own, so we write a script to do the job:

[root@ying01 vhost]# vim /usr/local/sbin/nginx_logrotate.sh

The script:

#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"                        # assume the nginx logs are stored under /tmp/
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

Explanation of the script:

d=`date -d "-1 day" +%Y%m%d` generates yesterday's date:

[root@ying01 vhost]# date -d "-1 day" +%Y%m%d   # run this command to see the result
20180704
[root@ying01 vhost]# date
2018年 07月 05日 星期四 21:07:49 CST

for log in `ls *.log`
 do
 mv $log $log-$d
 done

This is a for loop that renames each log file listed by ls, appending the date.

nginx_pid="/usr/local/nginx/logs/nginx.pid" is defined for use by the last line.

/bin/kill -HUP `cat $nginx_pid`

The last line does the same thing as the -s reload used earlier: it reloads the process recorded in nginx.pid, after which a new log file is created. Without it, no new log file is created.

sh -x shows the script's execution in detail:

[root@ying01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180704
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls php_errors.log test.com.log
+ for log in '`ls *.log`'
+ mv php_errors.log php_errors.log-20180704
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180704
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 913

View the generated test.com log

[root@ying01 vhost]# ls /tmp/
pear
php_errors.log-20180704
php-fcgi.sock
systemd-private-94cc0dd6651e4992848100fb05207857-chronyd.service-1zARDS
systemd-private-94cc0dd6651e4992848100fb05207857-vgauthd.service-0jUT25
systemd-private-94cc0dd6651e4992848100fb05207857-vmtoolsd.service-zegNFj
test.com.log
test.com.log-20180704

Log cleanup

Delete logs older than one month (this can of course also be put into the script):

[root@ying01 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm

Schedule the script, for example to rotate at 00:00 every day:

[root@ying01 vhost]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab

The crontab entry:

# run the script at 00:00 every day
0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
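
An added example (not the author's script): a hardened variant of the rotation script above. It rotates only regular files, skips symlinks, never overwrites an existing archive, signals nginx with USR1 (reopen log files) instead of HUP, and expires old archives with find -delete. The function name and its three arguments are assumptions of this example.

```shell
#!/bin/bash
# Added example: hardened variant of the rotation script above.
# Usage: rotate_nginx_logs <log dir> <nginx pid file> [days to keep]
# Prints the number of files rotated.

rotate_nginx_logs() {
    local logdir="$1" pidfile="$2" keep_days="${3:-30}"
    local stamp log pid rotated=0
    stamp=$(date -d "-1 day" +%Y%m%d)

    [ -d "$logdir" ] || { echo "no such log dir: $logdir" >&2; return 2; }

    for log in "$logdir"/*.log; do
        # An unmatched glob stays literal and fails -f; symlinks are skipped
        # so a planted link cannot redirect the rename or the reopened file.
        [ -f "$log" ] && [ ! -L "$log" ] || continue
        # Never clobber an archive that already exists for this date.
        [ -e "$log-$stamp" ] && continue
        mv -- "$log" "$log-$stamp" && rotated=$((rotated + 1))
    done

    # USR1 asks the nginx master to reopen its log files without
    # reloading the configuration.
    if [ "$rotated" -gt 0 ] && [ -s "$pidfile" ]; then
        pid=$(cat "$pidfile")
        case "$pid" in
            ''|*[!0-9]*) echo "bad pid file: $pidfile" >&2; return 3 ;;
        esac
        kill -USR1 "$pid" 2>/dev/null || echo "nginx (pid $pid) not signalled" >&2
    fi

    # Expire old archives; -delete avoids xargs trouble with odd file names.
    find "$logdir" -maxdepth 1 -type f -name '*.log-*' -mtime +"$keep_days" -delete

    echo "$rotated"
}

# Example call, with a dedicated log directory instead of the shared /tmp:
#   rotate_nginx_logs /usr/local/nginx/logs /usr/local/nginx/logs/nginx.pid 30
```

Pointing the function at a directory only root and nginx can write to, rather than /tmp, keeps other users' *.log files out of the rotation.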

Further reading: log rotation

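9.3 Not logging static files, and expiry times

In the virtual host configuration file, location ~ can match the relevant static files; expires sets the expiry time, and setting access_log to off stops their requests from being written to the access log.

  • Configuration file

Set up the virtual host configuration file as follows:

[root@ying01 vhost]# vim test.com.conf 

The changed configuration:
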
server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }
   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$     # static files such as .gif are not logged
    {
          expires      7d;                        # valid for 7 days
          access_log off;                         # do not log
    }
location ~ .*\.(js|css)$                          # match js or css files
    {
          expires      12h;                       # valid for 12 hours
          access_log off;
    }

   access_log /tmp/test.com.log ying;
}

  • Testing

Under the test.com site directory, create a gif file and a css file:

[root@ying01 vhost]# cd /data/wwwroot/test.com/
[root@ying01 test.com]# ls
admin  index.html
[root@ying01 test.com]# vim 1.gif
[root@ying01 test.com]# vim 2.css

Now request them and look at the generated log; the experiment below shows that requests for gif and css files are not logged:

[root@ying01 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 test.com]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/1.gif
aaaaaaaa

[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/2.css
bbbbbbbbb
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@ying01 test.com]# cat /tmp/test.com.log
127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/2.css
bbbbbbbbb
[root@ying01 test.com]# cat /tmp/test.com.log
127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"

10. Nginx hotlink protection

The hotlink protection block, which also contains the expiry time:

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
      expires 7d;
      valid_referers none blocked server_names *.test.com;
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
   }

Put this block into the virtual host configuration:

[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }   
location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
      expires 7d;                                                  # includes the expiry time
      valid_referers none blocked server_names *.test.com;         # define the whitelist
      if ($invalid_referer) {                                      # condition: the referer is not on the whitelist
          return 403;                                              # invalid referer: return 403
      }
      access_log off;                                             
     } 
location ~ .*\.(js|css)$
    {
    #      expires      12h;
          access_log off;
    }     
    
   access_log /tmp/test.com.log ying;
}

Check the syntax and reload the configuration

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test, comparing an invalid referer with a valid one:

[root@ying01 ~]# curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden                            //invalid referer: 403 returned
Server: nginx/1.4.7         
Date: Fri, 06 Jul 2018 00:48:58 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -e "http://xx.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK                                   //referer on the whitelist
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 00:51:19 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 15:29:40 GMT
Connection: keep-alive
ETag: "5b3e3964-a"
Expires: Fri, 13 Jul 2018 00:51:19 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

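11. Nginx access control

To improve security, we need to restrict access to certain pages!

11.1 Restricting a directory

The core access control block:

location /admin/             # applies to the admin directory
{
    allow 127.0.0.1;
    allow 192.168.112.136; 
    deny all;
}

Put this block into the virtual host configuration: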

[root@ying01 ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }
location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
      expires 7d;
      valid_referers none blocked server_names *.test.com;
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
   }
location ~ .*\.(js|css)$
    {
    #      expires      12h;
          access_log off;
    }
    location /admin/
    {
     #allow 127.0.0.1;        # left commented out so the test can show the contrast
      allow 192.168.112.136;
      deny all;
    }
    
   access_log /tmp/test.com.log ying;
}

Check the syntax and reload the configuration

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test by allowing 192.168.112.136 and denying 127.0.0.1; the host can be reached on both IPs:

[root@ying01 ~]# curl -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 403 Forbidden                    //access denied, because this IP is denied
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 01:30:37 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -x192.168.112.136:80 -I test.com/admin/
HTTP/1.1 200 OK                           //this IP is allowed
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 01:32:18 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Thu, 05 Jul 2018 12:09:55 GMT
Connection: keep-alive
ETag: "5b3e0a93-13"
Accept-Ranges: bytes

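11.2 Restricting a type of file under a directory

The main purpose here is to guard against uploaded PHP files, which could turn out to be trojan files and compromise security.

In the upload directories upload and image, deny .php files:

location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

Put this block into the virtual host configuration: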

[root@ying01 ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }
location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
      expires 7d;
      valid_referers none blocked server_names *.test.com;
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
   }
location ~ .*\.(js|css)$
    {
    #      expires      12h;
          access_log off;
    }
    location /admin/
    {
     #allow 127.0.0.1;       
      allow 192.168.112.136;
      deny all;
    }
    location ~ .*(upload|image)/.*\.php$          # match .php files
    {
        deny all;                                 # deny
    }
    
   access_log /tmp/test.com.log ying;
}

Check the syntax and reload the configuration

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test: create 1.txt and 1.php under the upload directory; 1.txt can be accessed, 1.php cannot:

[root@ying01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@ying01 ~]# echo "2222" > /data/wwwroot/test.com/upload/1.txt
[root@ying01 ~]# curl -x192.168.112.136:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@ying01 ~]# curl -x192.168.112.136:80 test.com/upload/1.txt
2222

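11.3 Restricting by user-agent

If we do not want spiders crawling our site, we can block them by user-agent.

Deny the listed user-agents access to the site:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

Put this block into the virtual host configuration: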

[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }
location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
      expires 7d;
      valid_referers none blocked server_names *.test.com;
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
   }
location ~ .*\.(js|css)$
    {
    #      expires      12h;
          access_log off;
    }
    location /admin/
    {
     #allow 127.0.0.1;       
      allow 192.168.112.136;
      deny all;
    }
    location ~ .*(upload|image)/.*\.php$          
    {
        deny all;                                 
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') # user_agent matches 'Spider/3.0|YoudaoBot|Tomato'
    {
      return 403;
    }
   access_log /tmp/test.com.log ying;
}

Check the syntax and reload the configuration

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test with different user_agent values

[root@ying01 ~]# curl -A "Tomato" -x192.168.112.136:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden                        //user_agent is Tomato: access denied
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 02:47:01 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -A "Spider/3.0" -x192.168.112.136:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden                        //user_agent is Spider/3.0: access denied
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 02:47:40 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -A "123456" -x192.168.112.136:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK                              //any user_agent other than the 3 configured ones is allowed
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 02:47:54 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Fri, 06 Jul 2018 02:31:59 GMT
Connection: keep-alive
ETag: "5b3ed49f-5"
Accept-Ranges: bytes

12. Nginx configuration for parsing PHP

First create a file 3.php:

[root@ying01 ~]# vim /data/wwwroot/test.com/3.php


<?php
phpinfo();

Test 3.php; at this point it is not parsed:

[root@ying01 ~]# curl -x192.168.112.136:80 test.com/3.php 
<?php
phpinfo();

The configuration for parsing PHP files:

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
      }

Put this block into the virtual host configuration:

[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test2.com test3.com;
   index index.html index.htm index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com') {
       rewrite ^/(.*)$  http://test.com/$1 permanent;
   }
location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
      expires 7d;
      valid_referers none blocked server_names *.test.com;
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
   }
location ~ .*\.(js|css)$
    {
    #      expires      12h;
          access_log off;
    }
    location /admin/
    {
     #allow 127.0.0.1;       
      allow 192.168.112.136;
      deny all;
    }
    location ~ .*(upload|image)/.*\.php$          
    {
        deny all;                                 
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') 
    {
      return 403;
    }
    location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
      }
    
   access_log /tmp/test.com.log ying;
}

Check the syntax and reload the configuration

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

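Because the curl output would be too long, test in a browser instead; the figure below shows that PHP is now parsed

Explanation of the PHP parsing configuration:

fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a tcp:port address (for example 127.0.0.1:9000), this must be changed to fastcgi_pass 127.0.0.1:9000. The address must match the one the php-fpm service listens on, otherwise a 502 error is returned. Also note that the path after fastcgi_param SCRIPT_FILENAME is the site's root directory and must stay consistent with the root defined earlier; if it is wrong, requests for PHP pages return 404. There is one more cause of 502: a large number of php-fpm processes occupying memory leads to the same problem! Because nginx tests regex locations in the order they appear and uses the first one that matches, the upload|image deny block has to stay above this location ~ \.php$ block, as it does in the configuration above.

13. Nginx proxy

How it works: an Nginx proxy is a reverse proxy. In reverse proxy mode, a proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the servers' results to the Internet clients that made the requests; to the outside, the proxy server then appears to be the server.

Suppose a company has many servers and, to save costs, cannot give every one of them a public IP. If a server without a public IP has to provide a web service, this can be done through a proxy. This is the reason Nginx is becoming more popular than httpd.

Create the proxy.conf configuration file and write the following into it: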

[root@ying01 ~]# cd /usr/local/nginx/conf/vhost
[root@ying01 vhost]# vim proxy.conf

server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass      http://47.91.145.78/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

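Because this is a proxy server, it does not need to access any files on the local server. ask.apelearn.com; defines the domain name.

proxy_pass http://47.91.145.78/; is the IP address of the real web server.

$host; is our server_name.

Check the syntax and reload the configuration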

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload

Start testing: 127.0.0.1 is our own proxy machine; access the forum through it

[root@ying01 vhost]#  curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 03:50:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=tki4271fdrd4nup0jbdco33b63; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
myheader: web1

Fetch the site's robots.txt

[root@ying01 vhost]#  curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@ying01 vhost]#