Linux基礎(day51)
12.13 Nginx防盜鏈
Nginx防盜鏈目錄概要
- 配置以下,能夠和上面的配置結合起來
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
Nginx防盜鏈
- Nginx防盜鏈配置須要和不記錄日誌和過時時間結合在一塊兒,由於都用到了「location」
- 打開配置文件 vim /usr/local/nginx/conf/vhost/test.com.conf
- 註釋掉一些配置
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{
# expires 7d;
# access_log off;
#}
添加一些配置php
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d; //過時時間7天
valid_referers none blocked server_names *.test.com ; //定義一個白名單,referer就是指一些域名
if ($invalid_referer) { //若是不是白名單裏的
return 403; //返回403
}
access_log off;
}
最後結果以下css
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{
# expires 7d;
# access_log off;
#}
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
access_log /tmp/test.com.log combined_realip;
}
保存退出
- 添加的配置中的 ~* 表示不區分大小寫,另外防盜鏈的配置裏面server_names能夠不寫照樣
- 檢查配置文件語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 測試
[root@hf-01 ~]# curl -x127.0.0.1:80 -I test.com/1.gif HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Thu, 04 Jan 2018 22:50:02 GMT Content-Type: image/gif Content-Length: 8 Last-Modified: Thu, 04 Jan 2018 21:50:34 GMT Connection: keep-alive ETag: "5a4ea1aa-8" Expires: Thu, 11 Jan 2018 22:50:02 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes [root@hf-01 ~]#
- 測試防盜鏈,使用curl -e
[root@hf-01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Thu, 04 Jan 2018 22:51:54 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Thu, 04 Jan 2018 22:52:22 GMT Content-Type: image/gif Content-Length: 8 Last-Modified: Thu, 04 Jan 2018 21:50:34 GMT Connection: keep-alive ETag: "5a4ea1aa-8" Expires: Thu, 11 Jan 2018 22:52:22 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes [root@hf-01 ~]#
- 再訪問curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif顯示403,而在訪問curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif顯示200,則表示防盜鏈配置成功
12.14 Nginx訪問控制
Nginx訪問控制目錄概要
- 需求:訪問/admin/目錄的請求,只容許某幾個IP訪問,配置以下:
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
- mkdir /data/wwwroot/test.com/admin/
- echo 「test,test」>/data/wwwroot/test.com/admin/1.html
- -t && -s reload
- curl -x127.0.0.1:80 test.com/admin/1.html -I
- curl -x192.168.133.130:80 test.com/admin/1.html -I
- 能夠匹配正則
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
- 根據user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all和return 403效果同樣
Nginx訪問控制
- Nginx訪問控制,在平時運維網站的時候,常常會有一些請求不正常,或者故意的作一些限制,一些重要的內容禁止別人訪問,就能夠作一個白名單,只容許本身的公網IP或者本身公司內的公網IP去訪問
- 在作Nginx訪問控制目錄的時候,限制的這個目錄下沒有index.html文件或者index.php文件,就會默認403
- 編輯配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
- 增長訪問控制的代碼
location /admin/
{
allow 192.168.74.129; //白名單
allow 127.0.0.1; //白名單
deny all; //所有deny
}
最後結果以下html
[root@hanfeng ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
假設訪問的目錄是admin,作一個限制
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
#}
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
access_log /tmp/test.com.log combined_realip;
}
而後保存退出
- 而後檢查配置文件語法錯誤,而後從新加載配置文件
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hanfeng ~]# /usr/local/nginx/sbin/nginx -s reload [root@hanfeng ~]#
- 測試
[root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 21:04:13 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT Connection: keep-alive ETag: "5a4d4e75-13" Accept-Ranges: bytes [root@hf-01 ~]# curl -x192.168.74.150:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 21:06:56 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT Connection: keep-alive ETag: "5a4d4e75-13" Accept-Ranges: bytes [root@hf-01 ~]#
- 查看日誌文件,會看到訪問的192.168.74.150的來源IP也是192.168.74.129,由於它是被容許的,在白名單以內,因此顯示狀態碼爲200
[root@hf-01 ~]# cat /tmp/test.com.log 127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0" 192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" [root@hf-01 ~]#
- 查看IP,而後給ens36網卡配置IP
- 先查看ens36網卡是否鏈接,而後更改鏈接ens36網卡模式爲僅主機鏈接模式
[root@hf-01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.74.129 netmask 255.255.255.0 broadcast 192.168.74.255
inet6 fe80::20c:29ff:feff:fe93 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ff:fe:93 txqueuelen 1000 (Ethernet)
RX packets 453 bytes 42359 (41.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 308 bytes 39999 (39.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.74.150 netmask 255.255.255.0 broadcast 192.168.74.255
ether 00:0c:29:ff:fe:93 txqueuelen 1000 (Ethernet)
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:feff:fe9d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ff:fe:9d txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 2334 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@hf-01 ~]#
- 給ens36網卡自動獲取IP,而後再來查看ens36的網卡IP地址爲192.168.204.128
[root@hf-01 ~]# dhclient ens36 [root@hf-01 ~]#
- 這時再來使用ens36網卡的IP來訪問,會看到訪問的admin目錄爲403
[root@hf-01 ~]# curl -x192.168.204.128:80 -I test.com/admin/ HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 21:17:39 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]#
- 這時再來查看日誌文件,會看到來源的IP爲192.168.204.128,在配置文件中被沒有被容許,因此爲403
[root@hf-01 ~]# !cat cat /tmp/test.com.log 127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0" 192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" 192.168.204.128 - [08/Jan/2018:05:17:39 +0800] test.com "/admin/" 403 "-" "curl/7.29.0" [root@hf-01 ~]#
針對正則匹配
- 例子
- 網站被黑,數據庫被盜竊,就是由於上傳圖片的目錄沒有作禁止解析php的操做,最終致使上傳了一句話木馬,php也能解析,因此網站就會被黑
- 只要能上傳的目錄,都要禁掉,禁止解析PHP
- 加如下代碼,便可禁掉上傳的目錄解析PHP
location ~ .*(upload|image)/.*\.php$ //只要匹配upload,而後以php結尾的
{
deny all; //都禁掉
}
- 打開配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{
# expires 7d;
# access_log off; #}
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
access_log /tmp/test.com.log combined_realip;
}
保存退出
- 檢查配置文件語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 測試,首先是訪問的那個目錄,而後訪問的php資源
- 建立一個upload目錄,而後在建立一個php文件
[root@hf-01 ~]# mkdir /data/wwwroot/test.com/upload [root@hf-01 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php [root@hf-01 ~]#
- 訪問upload目錄下的1.php文件,會看到是403狀態碼,被拒絕訪問
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@hf-01 ~]#
- 這時再upload目錄下建立1.txt,再來測試訪問
[root@hf-01 ~]# echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt [root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt dasdasdas [root@hf-01 ~]#
- 查看訪問日誌cat /tmp/test.com.log
[root@hf-01 ~]# cat /tmp/test.com.log
根據user_agent限制
- 若是你的網站被cc攻擊,或者禁掉某些蜘蛛,若是你的網站想作一個被隱藏的網站,不想被別人搜索到,那麼就能夠將百度、谷歌、有道等這些蜘蛛封掉,沒有任何蜘蛛爬到你的網站,也不將網址告訴任何人,那別人就沒法知道你的站點,由於你的網站是被隱藏的。
- 只須要根據user_agent限制,添加如下代碼
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all和return 403效果同樣
- 打開配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{ # expires 7d; # access_log off; #} location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/test.com.log combined_realip;
}
保存退出
- 檢查配置文件語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 模擬user_agent,訪問測試,會看到顯示403
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:04:06 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT Connection: keep-alive ETag: "5a529512-a" Accept-Ranges: bytes [root@hf-01 ~]# curl -A "Tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:05:21 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]#
- deny all和return 403效果同樣
- 若是訪問的時候,改爲小寫再訪問,則狀態碼爲200,由於這個是嚴格匹配的
[root@hf-01 ~]# curl -A "tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:09:10 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT Connection: keep-alive ETag: "5a529512-a" Accept-Ranges: bytes [root@hf-01 ~]#
- 若是想忽略大小寫,在配置文件中的匹配符號後加 * 號便可
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- 在檢查配置文件,並從新加載
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]#
- 再來測試,會顯示403
[root@hf-01 ~]# curl -A "tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:11:06 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]#
12.15 Nginx解析php相關配置
Nginx解析php相關配置目錄概要
- 配置以下:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
- fastcgi_pass 用來指定php-fpm監聽的地址或者socket
Nginx解析php相關配置
- 添加如下代碼
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock; //寫錯這個路徑,就會顯示502
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
- 打開虛擬主機配置文件,由於如今test.com.conf還不能解析php,加代碼添加到配置文件中
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{ # expires 7d; # access_log off; #} location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.com.log combined_realip;
}
保存退出
- 生成作一個php文件,在/data/wwwroot/test.com/目錄下生成3.php
[root@hf-01 ~]# vim /data/wwwroot/test.com/3.php <?php phpinfo(); 保存退出
- 測試訪問3.php,會看到沒法解析3.php文件,顯示出了源碼
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php <?php phpinfo(); [root@hf-01 ~]#
- 這時候檢查配置文件語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 這時候再來訪問3.php,會看到能夠正常解析了
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php
- 如果解析php相關配置的 fastcgi_pass unix:/tmp/php-fcgi.sock; 這個路徑被寫錯,會直接顯示502,由於sock文件沒有被找到
- 將配置文件改錯後,從新加載後,再來訪問3.php,會看到顯示502狀態碼
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf [root@hf-01 ~]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@hf-01 ~]#
- 查看訪問日誌cat /usr/local/nginx/logs/nginx_error.log,會看到日誌文件中會說沒有這樣的文件或目錄
[root@hf-01 ~]# cat /usr/local/nginx/logs/nginx_error.log 2018/01/08 06:42:21 [crit] 3392#0: *22 connect() to unix:/tmp/php-afcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-afcgi.sock:", host: "test.com" [root@hf-01 ~]#
- 在遇到502的問題時,須要查看你配置的地址是否正確,首先查看錯誤日誌,而後根據錯誤日誌中提示,查看這個文件是否存在,在查看cat /usr/local/php-fpm/etc/php-fpm.conf你定義的sock是什麼,那麼在nginx的配置文件中寫什麼
[root@hf-01 ~]# [root@hf-01 ~]# ls /tmp/php-afcgi.sock ls: 沒法訪問/tmp/php-afcgi.sock: 沒有那個文件或目錄 [root@hf-01 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 [root@hf-01 ~]#
- 這時再去配置文件中更改回來便可,因此只要配置文件中的 fastcgi_pass unix:/tmp/php-fcgi.sock; 地址錯誤,就會顯示502
502的另外一種狀況
- 假設這時不監聽sock,而去監聽IP端口
- 首先更改配置vim /usr/local/php-fpm/etc/php-fpm.conf
- 將#listen = /tmp/php-fcgi.sock註釋掉,增長listen = 127.0.0.1:9000
[root@hf-01 ~]# vim /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] #listen = /tmp/php-fcgi.sock listen = 127.0.0.1:9000 listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 保存退出
- 重啓php 命令爲/etc/init.d/php-fpm restart,php重啓也支持reload
[root@hf-01 ~]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@hf-01 ~]#
- 檢查php文件是否存在語法錯誤,從新加載下nginx的配置文件
[root@hf-01 ~]# /usr/local/php-fpm/sbin/php-fpm -t [08-Jan-2018 07:10:32] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 查看監聽端口是否爲127.0.0.1:9000
[root@hf-01 ~]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1539/master tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 3528/php-fpm: maste tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1218/nginx: master tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1191/sshd tcp6 0 0 ::1:25 :::* LISTEN 1539/master tcp6 0 0 :::3306 :::* LISTEN 1566/mysqld tcp6 0 0 :::22 :::* LISTEN 1191/sshd [root@hf-01 ~]#
- 這時在來訪問3.php,會看到顯示爲502
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@hf-01 ~]#
- 查看配置文件會提示說文件不存在
- 這時候只須要在配置文件中作一個更改,在php配置那一塊,註釋掉unix,添加ip和端口
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
在php配置那一塊,註釋掉unix,添加ip和端口
#fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000;
保存退出
- 檢查語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 再來訪問3.php文件,會看到正常訪問
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 23:23:11 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.6.30 [root@hf-01 ~]#
- 如果出現502,要檢查下配置文件中的fastcgi_pass 這塊是否nginx與php-fpm中所配置的地址是相匹配的
- PHP下的listen = /tmp/php-fcgi.sock這段配置很重要,決定了nginx是否能正確解析而不是502
- 當PHP配置文件 listen 使用sock時,那麼對應的nginx配置文件下就必須使用 fastcgi_pass unix:/tmp/php-fcgi.sock;
- 當PHP配置文件listen 使用 IP加端口「127.0.0.1:9000」的時候,那麼對應的nginx就要改爲fastcgi_pass 127.0.0.1:9000;
- 配置文件中的 fastcgi_param SCRIPT_FILENAME 中的地址路徑/data/wwwroot/test.com$fastcgi_script_name;與配置文件最上方的 root /data/wwwroot/test.com; 相對應起來
502的其餘狀況
- 在php5.4及之後的其餘版本,有一個特色
- 更改監聽爲sock,取消監聽IP和端口,註釋掉listen.mode
- 更改php-fpm的配置文件,取消註釋listen = /tmp/php-fcgi.sock,註釋掉#listen = 127.0.0.1:9000和#listen.mode = 666
[root@hf-01 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock #listen = 127.0.0.1:9000 #listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 保存退出
- 從新加載php
[root@hf-01 ~]# /etc/init.d/php-fpm reload Reload service php-fpm done
- 查看sock文件的權限爲660,屬主和屬組爲root
[root@hf-01 ~]# ls -l /tmp/php-fcgi.sock srw-rw---- 1 root root 0 1月 8 07:47 /tmp/php-fcgi.sock
- 更改nginx虛擬主機配置文件,取消 fastcgi_pass unix:/tmp/php-fcgi.sock; 的註釋,註釋掉#fastcgi_pass 127.0.0.1:9000;
- fastcgi_pass unix:/tmp/php-fcgi.sock;這一行的配置是爲了nginx去讀sock文件
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
- 從新加載nginx配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
- 這時候再來訪問3.php,依然仍是顯示502
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I HTTP/1.1 502 Bad Gateway Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 23:54:07 GMT Content-Type: text/html Content-Length: 173 Connection: keep-alive
- 查看訪問日誌文件,顯示訪問文件,權限被拒絕
[root@hf-01 ~]# !tail tail /usr/local/nginx/logs/nginx_error.log 2018/01/08 06:42:21 [crit] 3392#0: *22 connect() to unix:/tmp/php-afcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-afcgi.sock:", host: "test.com" 2018/01/08 07:13:39 [crit] 3518#0: *24 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com" 2018/01/08 07:54:07 [crit] 3790#0: *32 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com" [root@hf-01 ~]#
- sock文件默認權限使660,root用戶能夠讀,root用戶組也是可讀的,惟獨其餘用戶不能去讀
- 看到是由nobody的身份去讀nginx的
[root@hf-01 ~]# ps aux |grep nginx root 1218 0.0 0.1 21784 1692 ? Ss 00:11 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf nobody 3929 0.0 0.3 23664 3692 ? S 08:18 0:00 nginx: worker process nobody 3930 0.0 0.3 23664 3692 ? S 08:18 0:00 nginx: worker process root 3932 0.0 0.0 112676 984 pts/0 R+ 08:18 0:00 grep --color=auto nginx [root@hf-01 ~]#
- 這時臨時改變權限爲nobody
[root@hf-01 ~]# chown nobody /tmp/php-fcgi.sock [root@hf-01 ~]#
- 這時再去訪問3.php會看到正常訪問
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Mon, 08 Jan 2018 00:22:43 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.6.30 [root@hf-01 ~]#
- 這就是由於nobody用戶有讀的權限,因此能夠正常訪問
- 在php-fpm的配置文件中定義listen.mode,就是爲了讓任何用戶能夠讀
- 再去配置文件中取消listen.mode的註釋
[root@hf-01 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf listen.mode = 666
- 而後重啓php-fpm的配置文件
[root@hf-01 ~]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@hf-01 ~]#
- 查看文件的權限
[root@hf-01 ~]# !ls ls -l /tmp/php-fcgi.sock srw-rw-rw- 1 root root 0 1月 8 08:28 /tmp/php-fcgi.sock [root@hf-01 ~]#
- 訪問3.php會看到正常訪問
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Mon, 08 Jan 2018 00:30:04 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.6.30 [root@hf-01 ~]#
502的另外狀況
- 就是php-fpm服務,資源耗盡,也會顯示502,這時候就須要去優化了
12.16 Nginx代理
Nginx代理目錄概要
- cd /usr/local/nginx/conf/vhost
- vim proxy.conf //加入以下內容
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://121.201.9.155/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Nginx代理
- 需求:
- 用戶須要訪問web服務器,但用戶由於各類緣由沒辦法訪問或者訪問很慢(私網無訪問、境內訪問國外服務器),因此,就須要一個能訪問web服務器的代理者,讓用戶經過代理服務器訪問
- 解決方法
- 建立代理服務器
- 首先切換目錄cd /usr/local/nginx/conf/vhost
[root@hanfeng ~]# cd /usr/local/nginx/conf/vhost [root@hanfeng vhost]#
- 新建一個配置文件vim proxy.conf
[root@hanfeng vhost]# vim proxy.conf
加入如下內容
server
{
listen 80;
server_name ask.apelearn.com; //定義域名,論壇的網站
location /
{
proxy_pass http://121.201.9.155/; //定義域名,論壇的IP
proxy_set_header Host $host; //定義訪問的域名 爲 $host =server_name ask.apelearn.com
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
保存退出
- 配置文件中,沒有了root,由於這是一個代理服務器,它不須要訪問本地服務器上的任何文件
- 在配置完成後,這臺虛擬機就能夠訪問ask.apelearn.com論壇了
- 檢查配置文件語法錯誤,並從新加載配置文件
[root@hanfeng vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hanfeng vhost]# /usr/local/nginx/sbin/nginx -s reload [root@hanfeng vhost]#
- robots是針對蜘蛛的索引的一個列表,通常網站都會有robots
[root@hanfeng vhost]# curl ask.apelearn.com/robots.txt # # robots.txt for MiWen # User-agent: * Disallow: /?/admin/ Disallow: /?/people/ Disallow: /?/question/ Disallow: /account/ Disallow: /app/ Disallow: /cache/ Disallow: /install/ Disallow: /models/ Disallow: /crond/run/ Disallow: /search/ Disallow: /static/ Disallow: /setting/ Disallow: /system/ Disallow: /tmp/ Disallow: /themes/ Disallow: /uploads/ Disallow: /url-* Disallow: /views/ Disallow: /*/ajax/[root@hanfeng vhost]# [root@hanfeng vhost]#
- 測試代理是否成功,指定本機的IP,也能去訪問
[root@hanfeng vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt # # robots.txt for MiWen # User-agent: * Disallow: /?/admin/ Disallow: /?/people/ Disallow: /?/question/ Disallow: /account/ Disallow: /app/ Disallow: /cache/ Disallow: /install/ Disallow: /models/ Disallow: /crond/run/ Disallow: /search/ Disallow: /static/ Disallow: /setting/ Disallow: /system/ Disallow: /tmp/ Disallow: /themes/ Disallow: /uploads/ Disallow: /url-* Disallow: /views/ Disallow: /*/ajax/[root@hanfeng vhost]#
- 正常狀況下,不去配置這個代理,是不可能經過本地訪問到遠程的站點的
擴展
-
502問題彙總mysql
-
location優先級nginx
相關文章
- 1. python day51
- 2. day51——爬蟲(一)
- 3. day51—JavaScript綁定事件
- 4. day51-Django項目的建立
- 5. Linux基礎-最基礎
- 6. linux基礎第一週---linux基礎
- 7. Linux基礎-01-Linux基礎命令
- 8. Linux(一):Linux基礎
- 9. 【Linux】Linux基礎-2
- 10. 【Linux】Linux基礎-3
- 更多相關文章...
- • Kotlin 基礎語法 - Kotlin 教程
- • Scala 基礎語法 - Scala教程
- • Kotlin學習(二)基本類型
- • ☆基於Java Instrument的Agent實現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 升級Gradle後報錯Gradle‘s dependency cache may be corrupt (this sometimes occurs
- 2. Smarter, Not Harder
- 3. mac-2019-react-native 本地環境搭建(xcode-11.1和android studio3.5.2中Genymotion2.12.1 和VirtualBox-5.2.34 )
- 4. 查看文件中關鍵字前後幾行的內容
- 5. XXE萌新進階全攻略
- 6. Installation failed due to: ‘Connection refused: connect‘安卓studio端口占用
- 7. zabbix5.0通過agent監控winserve12
- 8. IT行業UI前景、潛力如何?
- 9. Mac Swig 3.0.12 安裝
- 10. Windows上FreeRDP-WebConnect是一個開源HTML5代理,它提供對使用RDP的任何Windows服務器和工作站的Web訪問
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. python day51
- 2. day51——爬蟲(一)
- 3. day51—JavaScript綁定事件
- 4. day51-Django項目的建立
- 5. Linux基礎-最基礎
- 6. linux基礎第一週---linux基礎
- 7. Linux基礎-01-Linux基礎命令
- 8. Linux(一):Linux基礎
- 9. 【Linux】Linux基礎-2
- 10. 【Linux】Linux基礎-3