Nginx default virtual host, Nginx user authentication, Nginx domain redirection, access logs ...

Nginx default virtual host

1.vim /usr/local/nginx/conf/nginx.conf //add the following
2.include vhost/*.conf;
3.mkdir /usr/local/nginx/conf/vhost
4.cd !$;  vim default.conf //add the following content
server
{
    listen 80 default_server;  # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
5.mkdir -p /data/wwwroot/default/
6.echo "This is a default site." > /data/wwwroot/default/index.html
7./usr/local/nginx/sbin/nginx -t
8./usr/local/nginx/sbin/nginx -s reload
9.curl localhost
10.curl -x127.0.0.1:80 123.com

Walkthrough:

[root@xuexi-001 ~]# ls /usr/local/nginx/conf/
fastcgi.conf            mime.types          scgi_params.default
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.bak      win-utf
koi-utf                 nginx.conf.default
koi-win                 scgi_params
[root@xuexi-001 ~]# cd !$
cd /usr/local/nginx/conf/
[root@xuexi-001 conf]# vi nginx.conf
//add the following line
include vhost/*.conf;   // note: in the configuration file this line must end with a semicolon
[root@xuexi-001 conf]# mkdir vhost
//create the vhost directory
[root@xuexi-001 conf]# cd vhost/
[root@xuexi-001 vhost]# ls
[root@xuexi-001 vhost]# vi aaa.com.conf
//create aaa.com.conf in the vhost directory
[root@xuexi-001 vhost]# mkdir /data/wwwroot/default
//create the default directory
[root@xuexi-001 vhost]# cd /data/wwwroot/default/
[root@xuexi-001 default]# vi index.html
//create an index.html file in the default directory
Content added to the vhost file aaa.com.conf:
server
{
    listen 80 default_server;  # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
//test the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
After changing the configuration file, test it to check that it is correct
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
//reload, or restart
[root@xuexi-001 conf]# /etc/init.d/nginx restart
Test:
[root@xuexi-001 conf]# curl localhost
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 123.com
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 aaa.com
This is the default site.

Nginx user authentication

vim /usr/local/nginx/conf/vhost/test.com.conf //write the following content
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    
    location  /
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
yum install -y httpd
htpasswd -c /usr/local/nginx/conf/htpasswd aming
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload //test the configuration and reload

Walkthrough:

[root@xuexi-001 conf]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location  /
    {
        auth_basic              "Auth";    # realm name shown in the authentication prompt
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;    # file holding user names and passwords
    }
}
[root@xuexi-001 conf]# yum install -y httpd
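//if httpd is already installed you can use Apache's htpasswd tool directly; if not, install it with yum
[root@xuexi-001 conf]# htpasswd -c /usr/local/nginx/conf/htpasswd guo
// generate the htpasswd file and add the user guo
// -c creates the password file: use it the first time only, because using it again overwrites the existing file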
[root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd guo
New password: 111111
Re-type new password: 111111
Adding password for user guo
// once Apache is installed, its password generation command htpasswd can be called directly
[root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd 
guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0
// view the generated password file
[root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd  /usr/local/nginx/conf/htpasswd user1
// to add a password for another user, drop -c here; with -c the existing /usr/local/nginx/conf/htpasswd would be overwritten
New password: 
Re-type new password: 
Adding password for user user1
[root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd 
guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0
user1:$apr1$Vq/C6L7V$mOURmyhpCNbJ5PYgOOWmq.
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
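// test and reload

The advantage of testing and then reloading is that the configuration file is checked for errors: if it contains an error, the reload does not take effect. With a restart, a broken configuration file may leave nginx unable to start again.

Test: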

[root@xuexi-001 conf]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:22:39 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
//returns 401: a user has to be supplied

[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:24:29 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
// Why 404? The request goes to index.html, but the document root has not been created yet: the test.com directory does not exist.

Create the directory:
[root@xuexi-001 conf]# mkdir /data/wwwroot/test.com
[root@xuexi-001 conf]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:28:09 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Wed, 04 Jul 2018 16:27:56 GMT
Connection: keep-alive
ETag: "5b3cf58c-9"
Accept-Ranges: bytes

[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com 
test.com

To require authentication only when a directory is accessed, change the configuration file test.com.conf

[root@xuexi-001 vhost]# vi test.com.conf 
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location  /admin/    # put the directory name here
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
// test the configuration file and reload
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/admin
//create the admin directory
Test:
[root@xuexi-001 vhost]# curl  -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:36:08 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
Test with the user name and password:
[root@xuexi-001 ~]# cd /data/wwwroot/test.com/admin/
[root@xuexi-001 admin]# vi index.html
test.admin
[root@xuexi-001 admin]# curl -uguo:111111 -x 127.0.0.1:80 test.com/admin/ 
test.admin

Protecting a single URL

[root@xuexi-001 vhost]# vi test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location  ~ admin.php    # regex match for the admin.php URL (unanchored; the dot matches any character)
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
//test the configuration file and reload
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin/
test.admin
//now /admin/ can be accessed without a user name and password
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:50:13 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

Nginx domain redirection

Edit test.com.conf

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}

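server_name accepts several domain names (compare this with httpd). permanent makes a permanent redirect with status code 301; writing redirect instead gives 302.

Walkthrough:

1.Edit the configuration file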

[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# ls
aaa.com.conf  test.com.conf
[root@xuexi-001 vhost]# vi test.com.conf 
Add the following content:
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}

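In Nginx, "server_name" accepts several domain names, whereas Apache's "ServerName" takes only one; additional names there need ServerAlias.

When "server_name" lists several domain names in the Nginx configuration file, the site's ranking weight is affected; one domain has to be chosen as the main site, which is why domain redirection is needed.

2.Test the configuration file and reload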

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3.Test

A request for test2.com returns 301 and is redirected to http://test.com/index.html

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:07:27 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html

4.Test with a different URL

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:18:09 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html

5.A request for a host name that is not configured returns 404, because it is served by the default virtual host and not by test.com

[root@xuexi-001 test.com]# curl -x127.0.0.1:80 test4.com/index.html/123345 -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:10:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

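Nginx access log

Log format

vim /usr/local/nginx/conf/nginx.conf //search for log_format

Field                   Description
$remote_addr            client IP (public IP)
$http_x_forwarded_for   IP of the proxy server
$time_local             local time of the server
$host                   host name requested (domain name)
$request_uri            URL requested
$status                 status code
$http_referer           referer
$http_user_agent        user_agent

Besides defining the log format in the main configuration file nginx.conf, the following line also has to be added to the virtual host configuration file:

access_log /tmp/test.com.log combined_realip;

Here combined_realip is the name of the log format defined in nginx.conf.

/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload

curl -x127.0.0.1:80 test.com -I

cat /tmp/test.com.log

1.The default log settings are in the main configuration file

Open the main configuration file: vi /usr/local/nginx/conf/nginx.conf

Search for /log_format to find the following lines, which define the log format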

log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

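combined_realip is the name of the log format. It can be chosen freely; whatever name is defined here is the name referenced later, and it determines which log format a virtual host uses.

An nginx configuration statement ends with a semicolon ";". A statement without a terminating semicolon is not finished yet, even if it continues across line breaks.

2.Besides defining the log format in the main configuration file nginx.conf, the virtual host configuration file needs access_log /tmp/test.com.log combined_realip; to set the access log path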

[root@xuexi-001 vhost]# vi test.com.conf 

server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    access_log /tmp/test.com.log combined_realip;
    # access log path and log format; without a format name the default log format is used. The name combined_realip can be changed to any custom name.
}

3.Check the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

4.Test

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:57:05 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test3.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:57:14 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/

[root@xuexi-001 vhost]# cat /tmp/test.com.log 
127.0.0.1 - [05/Jul/2018:23:57:05 +0800] test2.com "/" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:23:57:14 +0800] test3.com "/" 301 "-" "curl/7.29.0"

Nginx log rotation

Custom shell script

vim /usr/local/sbin/nginx_log_rotate.sh //write the following content

#! /bin/bash
## assume the nginx logs are stored in /data/logs/
d=`date -d "-1 day" +%Y%m%d` 
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

Scheduled task

0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh


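####Walkthrough:

Nginx has no built-in log rotation tool; rotation has to be done with the system's log rotation tool or with a script you write yourself

1.Write a log rotation script. First create the shell script: vim /usr/local/sbin/nginx_log_rotate.sh

Note: all shell scripts should be placed in the /usr/local/sbin/ directory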

[root@xuexi-001 vhost]# vim /usr/local/sbin/nginx_log_rotate.sh

#! /bin/bash
d=`date -d "-1 day" +%Y%m%d` 
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

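Explanation:

  • d=`date -d "-1 day" +%Y%m%d` // produce yesterday's date in year-month-day format
  • logdir="/tmp/" // the previous section put the logs under /tmp/
  • nginx_pid="/usr/local/nginx/logs/nginx.pid" // path of the nginx PID file, needed to run /bin/kill -HUP `cat $nginx_pid`, which serves the same purpose as nginx -s reload
  • cd $logdir // change into the "logdir" log directory
  • for log in `ls *.log` // start the loop over the files with a .log suffix
  • do // execute
  • mv $log $log-$d // rename each log to its original name followed by the `date -d "-1 day" +%Y%m%d` suffix
  • done // end of the loop
  • /bin/kill -HUP `cat $nginx_pid` // reload nginx, using the PID read from nginx_pid="/usr/local/nginx/logs/nginx.pid"

The for loop command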

[root@xuexi-001 vhost]# ls
aaa.com.conf  test.com.conf
[root@xuexi-001 vhost]# for f in `ls `; do ls -l $f ; done
-rw-r--r-- 1 root root 142 7月   4 23:17 aaa.com.conf
-rw-r--r-- 1 root root 292 7月   5 23:54 test.com.conf

2.Run the script with the -x option

-x: show each step as the script executes

[root@xuexi-001 vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180705
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls php_errors.log test.com.log
+ for log in '`ls *.log`'
+ mv php_errors.log php_errors.log-20180705
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180705
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 1024

3.Look at the rotated log files. One log is produced per day; after daily rotation, old files also have to be cleaned up periodically

[root@xuexi-001 vhost]# ls /tmp/
test.com.log
test.com.log-20180705

4.Delete log files older than 30 days

[root@xuexi-001 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm

5.With the script written, add a scheduled task with crontab -e

[root@xuexi-001 vhost]#crontab -e

0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh

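Shell script notes

1.How the date used for rotation is defined

  • When writing a shell script, if a command is unclear you can simply run it and look at the result
  • Suppose the command d=`date -d "-1 day" +%Y%m%d` is unclear
  • ctrl+z suspends the current operation and puts it in the background
  • Running date -d "-1 day" +%Y%m%d prints a date, namely yesterday's. Rotation here is done per day, and the log is only cut after 23:59:59 of that day has passed, at 00:00:01 of the next day

2.Why the PID path is specified

  • nginx_pid="/usr/local/nginx/logs/nginx.pid" sets the path of the nginx PID file
  • If the PID file cannot be found, the following /bin/kill -HUP `cat $nginx_pid` command cannot run
  • /bin/kill -HUP `cat $nginx_pid` reloads the nginx service once
  • The reason for running /bin/kill -HUP `cat $nginx_pid` is that after rotation, mv $log $log-$d has moved the log file; without this command reloading nginx and creating a new log file, the service would misbehave
  • So, to make sure /bin/kill -HUP `cat $nginx_pid` runs correctly, the location of the nginx PID file has to be confirmed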
[root@xuexi-001 vhost]# ls /usr/local/nginx/logs/nginx.pid
/usr/local/nginx/logs/nginx.pid

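3.Understanding the loop statement

  • for f in `ls` ; do ls -l $f; done
  • The for loop starts; f stands for a file, in introduces the list to loop over, which `ls` produces; do runs ls -l $f; done ends the loop
  • Scheduled task
  • Once the script is written, a scheduled task is needed so the script runs at a set time.
  • crontab -e
    • 0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
  • Over time a large number of log files accumulate and need cleaning up
    • find /tmp/ -type f -name "*.log-*" -mtime +30 | xargs rm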
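
A hardened variant of the rotation script above, added here as an example (it is not the original author's script). It quotes paths, copes with an empty *.log glob, refuses to overwrite an already rotated file, skips symlinks in a shared directory such as /tmp/, and sends USR1 (the nginx signal for reopening log files) instead of the HUP used above; the function name rotate_logs and its arguments are assumptions.

```shell
#!/bin/bash
# Added example (not the article's script).
# rotate_logs LOGDIR PIDFILE [SUFFIX]
#   Renames LOGDIR/*.log to NAME.log-SUFFIX (default: yesterday, YYYYMMDD),
#   asks nginx to reopen its logs, and prints how many files were rotated.
rotate_logs() {
    local logdir pidfile suffix rotated log pid
    logdir=$1
    pidfile=$2
    suffix=${3:-$(date -d "-1 day" +%Y%m%d)}    # GNU date, as in the article
    rotated=0

    if [ ! -d "$logdir" ]; then
        echo "no such log directory: $logdir" >&2
        return 1
    fi

    for log in "$logdir"/*.log; do
        [ -f "$log" ] || continue         # glob matched nothing
        [ ! -L "$log" ] || continue       # skip symlinks: /tmp/ is world-writable
        if [ -e "$log-$suffix" ]; then    # already rotated: do not overwrite
            echo "skip $log: $log-$suffix already exists" >&2
            continue
        fi
        if mv -- "$log" "$log-$suffix"; then
            rotated=$((rotated + 1))
        fi
    done

    # Signal nginx only if something was moved and the PID file holds a live PID.
    if [ "$rotated" -gt 0 ] && [ -r "$pidfile" ]; then
        pid=$(cat "$pidfile")
        case $pid in
            ''|*[!0-9]*) echo "unexpected content in $pidfile" >&2 ;;
            *) if kill -0 "$pid" 2>/dev/null; then kill -USR1 "$pid"; fi ;;
        esac
    fi
    echo "$rotated"
}

# Usage from cron: rotate_logs /tmp/ /usr/local/nginx/logs/nginx.pid
```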

###Not logging static files & expiry time. Core configuration parameters:

[root@xuexi-001 vhost]#  vim test.com.conf

server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
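    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$    # match these file types
    {
          expires      7d;    # expiry time of 7 days
          access_log off;    # do not write access log entries for this file type
    }
    location ~ .*\.(js|css)$
    {
          expires      12h;    # expiry time of 12 hours
          access_log off;    # do not write access log entries for this file type
    }

    access_log /tmp/test.com.log combined_realip;    # log location and format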
}

Check:

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
Access index.html:
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
Access the file baidu.jpg:
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/baidu.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 16:55:27 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 16:55:27 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Note: max-age=604800s=7 days, i.e. the cached file expires after 7 days.
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
That is: there is no access log entry for that file.

Nginx hotlink protection

Configuration:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

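The hotlink protection configuration has to be combined with the no-logging and expiry settings, because they all use "location"

1.Open the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

Comment out this configuration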

# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }

Add this configuration

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;        # expiry time of 7 days
    valid_referers none blocked server_names  *.test.com ;   # referer whitelist: the listed domain names
    if ($invalid_referer) {                                        # if the referer is not in the whitelist
        return 403;                                                   # return 403
    }
    access_log off;
}

3.Check the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

4.Test

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:06:56 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 17:06:56 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

5.Test the hotlink protection with curl -e

[root@xuexi-001 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:08:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:09:04 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 17:09:04 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

If curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif returns 403 while curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif returns 200, the hotlink protection is configured correctly


Nginx access control

Requirement: requests to the /admin/ directory are allowed only from certain IPs. Configuration:

location /admin/
{
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
}
  • mkdir /data/wwwroot/test.com/admin/
  • echo "test,test" > /data/wwwroot/test.com/admin/1.html
  • /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
  • curl -x127.0.0.1:80 test.com/admin/1.html -I
  • curl -x192.168.133.130:80 test.com/admin/1.html -I
  • Regular expressions can also be matched
location ~ .*(abc|image)/.*\.php$
{
        deny all;
}
  • Restricting by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
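  • deny all and return 403 have the same effect
Nginx access control: when operating a website you will often see abnormal requests, or you may want to restrict access deliberately so that important content cannot be reached by others. In that case set up a whitelist that only allows your own public IP or your company's public IPs.

1.Edit the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

Add the access control code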

location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }

2.Then check the configuration file for syntax errors and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3.Test

[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:19:55 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT
Connection: keep-alive
ETag: "5b3cf8d2-b"
Accept-Ranges: bytes

[root@xuexi-001 vhost]# curl -x192.168.5.130:80 -I test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:20:22 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT
Connection: keep-alive
ETag: "5b3cf8d2-b"
Accept-Ranges: bytes

4.Look at the log file: the request made via 192.168.5.130 also has the source IP 192.168.5.130; because that address is allowed by the whitelist, the status code is 200

[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

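Matching with a regular expression

  • Example
    • A site gets compromised and its database stolen because PHP parsing was not disabled in the image upload directory: a one-line webshell trojan was uploaded, PHP parsed it, and the site was taken over
    • Every directory that accepts uploads must have PHP parsing disabled
    • Add the following code to stop PHP from being parsed in the upload directories
location ~ .*(upload|image)/.*\.php$        # anything under upload or image that ends in .php
{
        deny all;            # deny all of it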
}

1.Open the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf

    listen 80;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }   
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }     
     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{    
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                   
        return 403;        
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }   
    access_log /tmp/test.com.log combined_realip;
}

2.Check the configuration file for syntax errors and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3.Test: the rule matches the directory first, then the PHP resource requested

4.Create an upload directory, then create a PHP file in it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/upload
[root@xuexi-001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php

5.Access 1.php in the upload directory: the status code is 403, access is denied

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

6.Now create 1.txt in the upload directory and test access again

[root@xuexi-001 vhost]#  echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt
dasdasdas

7.View the access log: cat /tmp/test.com.log

[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:27:34 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:28:23 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
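
Added example, not part of the original article: a summary of 401/403 responses per client computed from logs in the combined_realip format defined above. It splits on the double quotes rather than on spaces, because $http_x_forwarded_for is taken from a request header and may hold several space-separated addresses; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not the article's code).
# denied_by_client [THRESHOLD] < LOGFILE
#   Prints "count ip" for every $remote_addr with at least THRESHOLD (default 1)
#   responses of status 401 or 403, highest count first.
denied_by_client() {
    awk -F'"' -v min="${1:-1}" '
        {
            # Field 1 (before the first quote):
            #   $remote_addr $http_x_forwarded_for [$time_local] $host
            # Field 3 (between the quoted URI and the quoted referer): " $status "
            split($1, head, " ")
            ip = head[1]              # always the first token, whatever XFF contains
            status = $3
            gsub(/ /, "", status)
            if (status == "401" || status == "403") denied[ip]++
        }
        END {
            for (ip in denied)
                if (denied[ip] >= min) print denied[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the combined_realip format (not real traffic).
# The fourth line carries an X-Forwarded-For value with two addresses, which
# would shift every later column in a parser that splits on spaces.
sample_log() {
    cat <<'EOF'
127.0.0.1 - [06/Jul/2018:01:27:34 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:01:30:01 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:01:30:02 +0800] test.com "/admin.php" 401 "-" "curl/7.29.0"
192.0.2.10 198.51.100.7, 203.0.113.9 [06/Jul/2018:01:30:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
EOF
}

# Usage on the log from this article: denied_by_client 5 < /tmp/test.com.log
```

Requests for static files and other locations with access_log off never reach this log, so a 403 from the hotlink rule will not be counted.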

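Restricting by user_agent

  • If your site is under a CC attack, or you want to block certain spiders; or if you want a hidden site that nobody can find through search, you can block the Baidu, Google, Youdao and similar spiders. With no spider crawling the site and the address not given to anyone, others have no way of learning about your site, because it is hidden.
  • Just add the following code to restrict by user_agent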
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all and return 403 have the same effect

Walkthrough:

1.Open the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf

    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }   
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }     
     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{    
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                   
        return 403;        
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }   
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    } 
    access_log /tmp/test.com.log combined_realip;
}

2.Check the configuration file for syntax errors and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3.Simulate a user_agent and test: the response is 403

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:33:39 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT
Connection: keep-alive
ETag: "5b3e552e-a"
Accept-Ranges: bytes

[root@xuexi-001 vhost]# curl -A "Tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I

HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:35:27 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

3.deny all and return 403 have the same effect

4.If the user_agent is changed to lower case, the status code is 200, because the match is strict (case-sensitive)

[root@xuexi-001 vhost]# curl -A "tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I 
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:36:52 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT
Connection: keep-alive
ETag: "5b3e552e-a"
Accept-Ranges: bytes

5.To ignore case, add * after the match operator (~) in the configuration file

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf 

  if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# curl -A "tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:38:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Nginx configuration for parsing PHP

Configuration:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

fastcgi_pass specifies the address or socket that php-fpm listens on

Nginx PHP parsing configuration in detail

Add the following code:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;        # a wrong path here results in a 502
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

1.Open the virtual host configuration file; test.com.conf cannot parse PHP yet, so add the code to it

[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf 

    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
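    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }
     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{    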
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                   
        return 403;        
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }   
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    } 
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }  
    access_log /tmp/test.com.log combined_realip;
}

2.Create a PHP file: 3.php in the /data/wwwroot/test.com/ directory

[root@xuexi-001 ~]# vi /data/wwwroot/test.com/3.php

<?php
phpinfo();

3.Test access to 3.php: the file is not parsed and its source code is shown

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

4.Check the configuration file for syntax errors and reload it

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5.Access 3.php again; it is now parsed correctly

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php

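6.If the fastcgi_pass unix:/tmp/php-fcgi.sock; path in the PHP configuration is written wrongly, nginx returns 502 straight away, because the sock file cannot be found

7.After putting a wrong path in the configuration and reloading, access 3.php again: the status code is 502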

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

8.View the error log with cat /usr/local/nginx/logs/nginx_error.log: it reports that there is no such file or directory

[root@xuexi-001 ~]# cat /usr/local/nginx/logs/nginx_error.log 
2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"

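9.When you run into a 502, check whether the address you configured is correct: look at the error log first, then, following what the log says, check whether the file exists, and then check with cat /usr/local/php-fpm/etc/php-fpm.conf which sock is defined there; the nginx configuration must use the same one

Another cause of 502

1.Suppose php-fpm no longer listens on the sock but on an IP and port

2.First change the configuration: vim /usr/local/php-fpm/etc/php-fpm.conf

Comment out listen = /tmp/php-fcgi.sock (as #listen = /tmp/php-fcgi.sock) and add listen = 127.0.0.1:9000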

[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf


[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

3.Restart php-fpm with /etc/init.d/php-fpm restart; php-fpm also supports reload

[root@xuexi-001 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

4.Check the php-fpm configuration file for syntax errors, then reload the nginx configuration

[root@xuexi-001 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[09-Jul-2018 09:34:06] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5.Check that the listening address is 127.0.0.1:9000

[root@xuexi-001 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1005/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      905/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1256/master         
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1813/php-fpm: maste 
tcp6       0      0 :::22                   :::*                    LISTEN      905/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1256/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1216/mysqld

6. Access 3.php again

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

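7. The log shows that the file does not exist, so the nginx configuration file needs a change: in the php block, comment out the unix line and add the IP and port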

[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf 

   # {
   #       expires      7d;
   #       access_log off;
   # }
     location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
#       fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;    # comment out the unix line, add the IP and port
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }
    access_log /tmp/test.com.log combined_realip;

8. Check for syntax errors and reload the configuration file

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

9. Access 3.php again; it now responds normally

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 01:46:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

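10. If a 502 appears, check that the fastcgi_pass address in the nginx configuration file matches the address configured in php-fpm

  • The listen = /tmp/php-fcgi.sock setting on the PHP side is important: it decides whether nginx can parse PHP correctly instead of returning 502

  • When listen in the PHP configuration file uses a sock, the corresponding nginx configuration file must use fastcgi_pass unix:/tmp/php-fcgi.sock;

  • When listen in the PHP configuration file uses an IP and port, "127.0.0.1:9000", the corresponding nginx configuration must be changed to fastcgi_pass 127.0.0.1:9000;

11. The path in fastcgi_param SCRIPT_FILENAME, /data/wwwroot/test.com$fastcgi_script_name;, must correspond to root /data/wwwroot/test.com; at the top of the configuration file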
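
The match described in step 10 can be checked mechanically. The script below is an added example, not part of the original post; the function names and the sample files it writes are constructed for illustration and mirror the configurations shown above.

```shell
#!/bin/sh
# Added example: compare php-fpm's active "listen" with nginx's "fastcgi_pass".
# File names and contents below are constructed samples modelled on this page.

# Print the last uncommented "listen = ..." value (listen.mode etc. are skipped).
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Print the last uncommented fastcgi_pass target, with any "unix:" prefix removed.
nginx_fastcgi_pass() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' "$1" |
        tail -n 1 | sed 's/^unix://'
}

# Print a verdict; exit status 0 = match, 1 = mismatch, 2 = a directive is missing.
check_backend() (
    fpm=$(fpm_listen "$1")
    ngx=$(nginx_fastcgi_pass "$2")
    if [ -z "$fpm" ] || [ -z "$ngx" ]; then
        echo "missing"; exit 2
    fi
    if [ "$fpm" = "$ngx" ]; then
        echo "match $fpm"
    else
        echo "mismatch php-fpm=$fpm nginx=$ngx"; exit 1
    fi
)

# Constructed sample files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[www]' '#listen = /tmp/php-fcgi.sock' 'listen = 127.0.0.1:9000' \
    'listen.mode = 666' > "$tmp/php-fpm.conf"
# nginx still points at the socket: the 502 of step 6.
printf '%s\n' 'location ~ \.php$ {' '    fastcgi_pass unix:/tmp/php-fcgi.sock;' \
    '#   fastcgi_pass 127.0.0.1:9000;' '}' > "$tmp/stale.conf"
# nginx after the edit in step 7.
printf '%s\n' 'location ~ \.php$ {' '#   fastcgi_pass unix:/tmp/php-fcgi.sock;' \
    '    fastcgi_pass 127.0.0.1:9000;' '}' > "$tmp/fixed.conf"

check_backend "$tmp/php-fpm.conf" "$tmp/stale.conf" || true
check_backend "$tmp/php-fpm.conf" "$tmp/fixed.conf"
```

Run against the real files, the same check also catches a misspelled socket path such as the php-cgi.sock that appears in the first error-log entry.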

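Other causes of 502

PHP 5.4 and later versions have a particular behaviour. To see it, switch the listener back to the sock, stop listening on the IP and port, and comment out listen.mode

1. Edit the php-fpm configuration file: uncomment listen = /tmp/php-fcgi.sock, and comment out listen = 127.0.0.1:9000 and listen.mode = 666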

[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf


[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock 
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

2. Reload php-fpm

[root@xuexi-001 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

3. Check the sock file: its permissions are 660, and its owner and group are root

[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock 
srw-rw---- 1 root root 0 7月   9 09:51 /tmp/php-fcgi.sock

4. Edit the nginx virtual host configuration file: uncomment fastcgi_pass unix:/tmp/php-fcgi.sock; and comment out fastcgi_pass 127.0.0.1:9000;

The line fastcgi_pass unix:/tmp/php-fcgi.sock; is what makes nginx read the sock file

location ~ \.php$
    {
        include fastcgi_params;
       fastcgi_pass unix:/tmp/php-fcgi.sock;
#      fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }

5. Test the configuration file and reload

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

6. Access 3.php: it is still 502

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

7. Check the error log

[root@xuexi-001 ~]# tail /usr/local/nginx/logs/
access.log       error.log        nginx_error.log  nginx.pid
[root@xuexi-001 ~]# tail /usr/local/nginx/logs/nginx_error.log 
2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/07/09 09:37:07 [crit] 1847#0: *6 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
2018/07/09 09:59:38 [crit] 2016#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"

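8. The sock file's default permissions are 660: the root user can read it and the root group can read it, but other users cannot

9. The nginx worker processes, which are what read the sock, run as nobody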

[root@xuexi-001 ~]# ps aux |grep nginx
root       1005  0.0  0.0  21348  1696 ?        Ss   08:38   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     2015  0.0  0.1  23272  3452 ?        S    09:57   0:00 nginx: worker process
nobody     2016  0.0  0.2  23272  3952 ?        S    09:57   0:00 nginx: worker process
root       2080  0.0  0.0 112724   972 pts/0    S+   10:03   0:00 grep --color=auto nginx

10. As a temporary fix, change the owner of the sock file to nobody

[root@xuexi-001 ~]# chown nobody /tmp/php-fcgi.sock

11. Accessing 3.php now works normally

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 02:09:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

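12. This works because the nobody user now has read permission

13. listen.mode is defined in the php-fpm configuration file precisely so that any user can read the sock

14. Go back to the configuration file and uncomment listen.mode

listen.mode = 666

15. Restart php-fpm, check the file permissions, and test access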

[root@xuexi-001 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock 
srw-rw-rw- 1 root root 0 7月   9 10:12 /tmp/php-fcgi.sock
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 02:13:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

A 502 can have one more cause: when the php-fpm service runs out of resources it also returns 502, and in that case it needs tuning
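
The socket states from steps 3 to 15 above can be read straight off the error log and the ls -l output. The script below is an added example, not part of the original post; its function names are constructed, the sample lines are modelled on the output shown above, and it assumes Linux, where connecting to a unix socket requires write permission on it.

```shell
#!/bin/sh
# Added example: explain a php-fpm socket 502 from the nginx error log and "ls -l".

# Map the errno in an nginx "connect() to ... failed (N: ...)" line to a cause.
classify_502() (
    errno=$(printf '%s\n' "$1" | sed -n 's/.*connect() to .* failed (\([0-9]*\):.*/\1/p')
    case "$errno" in
        2)   echo "socket-missing" ;;     # fastcgi_pass names a path that does not exist
        13)  echo "socket-permission" ;;  # the worker user may not open the socket
        111) echo "backend-refused" ;;    # Linux ECONNREFUSED: nothing is listening
        *)   echo "unknown" ;;
    esac
)

# From an "ls -l" line, report which permission class lets USER (a member of the
# space-separated GROUPS) connect. Connecting to a unix socket on Linux needs
# write permission on it; root bypasses these checks and is not modelled.
socket_access() (
    line=$1; user=$2; groups=$3
    set -- $line
    mode=$1; owner=$3; group=$4
    ow=$(printf '%s' "$mode" | cut -c3)
    gw=$(printf '%s' "$mode" | cut -c6)
    tw=$(printf '%s' "$mode" | cut -c9)
    if [ "$user" = "$owner" ]; then
        bit=$ow; class=owner
    else
        case " $groups " in
            *" $group "*) bit=$gw; class=group ;;
            *)            bit=$tw; class=other ;;
        esac
    fi
    if [ "$bit" = w ]; then echo "$class"; else echo "denied"; fi
)

# Constructed samples modelled on the three socket states shown on this page.
log='2018/07/09 09:59:38 [crit] 2016#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream'
classify_502 "$log"
socket_access 'srw-rw---- 1 root root 0 Jul  9 09:51 /tmp/php-fcgi.sock' nobody nobody
socket_access 'srw-rw---- 1 nobody root 0 Jul  9 09:51 /tmp/php-fcgi.sock' nobody nobody
socket_access 'srw-rw-rw- 1 root root 0 Jul  9 10:12 /tmp/php-fcgi.sock' nobody nobody
```

A result of other, as with listen.mode = 666, means every local account can connect to php-fpm. php-fpm's listen.owner and listen.group settings combined with listen.mode = 0660 grant access to the nginx worker user alone and, unlike the chown in step 10, are reapplied each time the socket is recreated.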

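Nginx proxy

When users cannot reach the web server directly, a middleman is needed that can talk to both the web server and the users. A second case is when users can reach the web server but access is slow; an nginx proxy can be used there as well

Create a new file proxy.conf in the nginx virtual host directory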

  • cd /usr/local/nginx/conf/vhost
  • vim proxy.conf

Add the following content:

server
{
    listen 80;
    server_name ask.apelearn.com;   # the domain name users access
    location /
    {
        proxy_pass     http://121.201.9.155/;        # tells nginx where the real IP is (the web server's IP)
        proxy_set_header Host   $host;               # $host equals the server_name above
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Before the proxy file is set up, test access to www.baidu.com/robots.txt

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 03:02:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Set up the proxy server:

1. Create the file and add the configuration content
[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# vi proxy.conf

server
{
    listen 80;
    server_name www.baidu.com;   
    location /
    {
        proxy_pass     http://119.75.216.20/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

2. Test the configuration file and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test without the proxy: access succeeds

[root@xuexi-001 vhost]# curl www.baidu.com/robots.txt -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 2754
Content-Type: text/plain
Date: Mon, 09 Jul 2018 03:07:38 GMT
Etag: "ac2-5563e2ac212b7"
Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=C30CA25B16D70C6E28ADB714EB6A80BC:FG=1; expires=Tue, 09-Jul-19 03:07:38 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding,User-Agent

4. Test through the proxy

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 03:07:56 GMT
Content-Type: text/plain
Content-Length: 2754
Connection: keep-alive
Accept-Ranges: bytes
Etag: "ac2-5563e2ab4b400"
Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Set-Cookie: BAIDUID=D904E71FD19FBCAEB64951864689F629:FG=1; expires=Tue, 09-Jul-19 03:07:56 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding,User-Agent

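curl -x127.0.0.1:80 www.baidu.com/robots.txt -I // with the local machine given as the proxy, the site is reachable too. Normally, without the proxy configured, the remote site could not be reached through the local machine. The proxy server is the virtual machine on which the proxy is configured, and the web server is the forum

An nginx proxy defines a custom domain name on a proxy server. The domain points to one or more IPs, and users' requests are passed through the proxy server to the web server at the specified IP;

When the domain points to multiple IPs, upstream is needed so that users can reach each IP through the proxy server; this is load balancing.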

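Nginx load balancing

Nginx load balancing is when the proxy server resolves the custom domain name to several specified IPs and uses upstream so that users can reach each of those IPs through the proxy server.

Load balancing configuration:

vim /usr/local/nginx/conf/vhost/load.conf // write the following content
upstream qq_com    # the name qq_com can be customized
{
    ip_hash;    # keeps the same user on the same machine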
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
upstream specifies multiple web servers

Demonstration:

1. Use the dig command to look up the addresses the domain resolves to; if dig is not installed, run yum -y install bind-utils

[root@xuexi-001 ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.				IN	A

;; ANSWER SECTION:
qq.com.			246	IN	A	111.161.64.40
qq.com.			246	IN	A	111.161.64.48
// two IP addresses are returned
;; Query time: 10 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 7月 10 23:22:25 CST 2018
;; MSG SIZE  rcvd: 67

2. The two resolved IPs can be used to build the load balancer

3. Create a new file load.conf in the virtual host directory and add the following content

[root@xuexi-001 ~]# vim /usr/local/nginx/conf/vhost/load.conf

upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;    # the domain name for the listening port
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Normally, accessing www.qq.com through the local machine shows the default page

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 www.qq.com
This is the default site.

4. Test the configuration file and reload

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. Test again after reloading the configuration file; the source code of the qq.com page is returned
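
What ip_hash means for traffic distribution can be seen with a small model. The script below is an added example, not part of the original post and not nginx code: nginx documents that ip_hash uses the first three octets of an IPv4 client address as the hashing key, while the mixing arithmetic, function names and client addresses here are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: model of how ip_hash keys IPv4 clients. nginx documents that
# only the first three octets are hashed; the mixing arithmetic below is a
# stand-in chosen for this example, not taken from nginx.

# Usage: pick_backend CLIENT_IP BACKEND...   -> prints the chosen backend
pick_backend() (
    ip=$1; shift
    h=89
    rest=$ip
    for i in 1 2 3; do                 # the fourth octet never enters the hash
        octet=${rest%%.*}
        rest=${rest#*.}
        h=$(( (h * 113 + octet) % 6271 ))
    done
    shift $(( h % $# ))
    echo "$1"
)

# Usage: count_on BACKEND "IP IP ..." BACKEND...  -> how many clients land on it
count_on() (
    target=$1; clients=$2; shift 2
    n=0
    for ip in $clients; do
        if [ "$(pick_backend "$ip" "$@")" = "$target" ]; then n=$((n + 1)); fi
    done
    echo "$n"
)

# Backends from the load.conf on this page; client addresses are constructed.
A=61.135.157.156:80
B=125.39.240.113:80
office="192.168.5.10 192.168.5.77 192.168.5.200"   # one /24, e.g. one office LAN
mixed="192.168.5.10 192.168.6.10 10.0.0.1"

count_on "$A" "$office" "$A" "$B"    # every client of the /24 shares one backend
count_on "$A" "$mixed" "$A" "$B"     # different /24 networks can be spread out
```

Because the key is the /24 network, all clients behind one NAT gateway or one upstream proxy stick to a single backend, which matters when sizing backends or reading per-backend logs.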
