Nginx防盜鏈、訪問控制 Nginx解析php相關配置及Nginx代理

6月11日任務

12.13 Nginx防盜鏈
12.14 Nginx訪問控制
12.15 Nginx解析php相關配置
12.16 Nginx代理
擴展
502問題彙總 http://ask.apelearn.com/question/9109
location優先級 http://blog.lishiming.net/?p=100

Nginx防盜鏈目錄概要

• 配置以下，能夠和上面的配置結合起來

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

Nginx防盜鏈

• Nginx防盜鏈配置須要和不記錄日誌和過時時間結合在一塊兒，由於都用到了「location」
• 打開配置文件 vim /usr/local/nginx/conf/vhost/test.com.conf
• 註釋掉一些配置

#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #      expires      7d;
    #      access_log off;
    #}

添加一些配置

location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;        //過時時間7天
    valid_referers none blocked server_names  *.test.com ;   //定義一個白名單，referer就是指一些域名
    if ($invalid_referer) {                                        //若是不是白名單裏的
        return 403;                                                   //返回403
    }
    access_log off;
}

最後結果以下

[root@yong-01 vhost]# vim test.com.conf 

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }   
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #      expires      7d;
    #      access_log off;
    #}     
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {   
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    access_log /tmp/test.com.log combined_realip;
}

• 添加的配置中的 ~* 表示不區分大小寫，另外防盜鏈的配置裏面server_names能夠不寫照樣
• 檢查配置文件語法錯誤，並從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 測試

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 12:20:35 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Sat, 09 Jun 2018 01:44:01 GMT
Connection: keep-alive
ETag: "5b1b30e1-a"
Expires: Mon, 18 Jun 2018 12:20:35 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

• 測試防盜鏈，使用curl -e

[root@yong-01 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 12:21:59 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@yong-01 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 12:22:11 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Sat, 09 Jun 2018 01:44:01 GMT
Connection: keep-alive
ETag: "5b1b30e1-a"
Expires: Mon, 18 Jun 2018 12:22:11 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

• 再訪問curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif顯示403，而在訪問curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif顯示200，則表示防盜鏈配置成功

Nginx訪問控制目錄概要

• 需求：訪問/admin/目錄的請求，只容許某幾個IP訪問，配置以下：

location /admin/
{
    allow 192.168.180.134;
    allow 127.0.0.1;
    deny all;
}

• mkdir /data/wwwroot/test.com/admin/
• echo 「test,test」>/data/wwwroot/test.com/admin/1.html
• -t && -s reload
• curl -x127.0.0.1:80 test.com/admin/1.html -I
• curl -x192.168.180.134:80 test.com/admin/1.html -I
• 能夠匹配正則

location ~ .*(abc|image)/.*\.php$
{
        deny all;
}

• 根據user_agent限制

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

• deny all和return 403效果同樣

Nginx訪問控制

• Nginx訪問控制，在平時運維網站的時候，常常會有一些請求不正常，或者故意的作一些限制，一些重要的內容禁止別人訪問，就能夠作一個白名單，只容許本身的公網IP或者本身公司內的公網IP去訪問
• 編輯配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
• 增長訪問控制的代碼

location /admin/
{
    allow 192.168.180.134;            //白名單
    allow 127.0.0.1;            //白名單
    deny all;        //所有deny
}

最後結果以下

[root@yong-01 vhost]# vim test.com.conf 

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #      expires      7d;
    #      access_log off;
    #}
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
          expires 7d;
          valid_referers none blocked server_names  *.test.com ;
          if ($invalid_referer) {
             return 403;
          }
          access_log off;
    }

    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.180.134;
    allow 127.0.0.1;
    deny all;
    }
   access_log /tmp/test.com.log combined_realip;
}

• 而後檢查配置文件語法錯誤，而後從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 測試

[root@yong-01 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 12:48:05 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Thu, 07 Jun 2018 14:25:33 GMT
Connection: keep-alive
ETag: "5b19405d-13"
Accept-Ranges: bytes

[root@yong-01 vhost]# curl -e "http://www.test.com/1.txt" -x192.168.180.134:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 12:49:43 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Thu, 07 Jun 2018 14:25:33 GMT
Connection: keep-alive
ETag: "5b19405d-13"
Accept-Ranges: bytes

• 查看日誌文件，會看到訪問的來源IP也是192.168.180.134，由於它是被容許的，在白名單以內，因此顯示狀態碼爲200

[root@yong-01 vhost]# cat /tmp/test.com.log
127.0.0.1 - [09/Jun/2018:09:45:28 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:20:48:01 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:20:48:05 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.180.134 - [11/Jun/2018:20:49:43 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"

• 查看IP，而後給ens37網卡配置IP
• 先查看ens37網卡是否鏈接，而後更改鏈接ens37網卡模式爲僅主機鏈接模式

[root@yong-01 vhost]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.180.134  netmask 255.255.255.0  broadcast 192.168.180.255
        inet6 fe80::8004:45b5:96c5:3ca5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:29:2b:60  txqueuelen 1000  (Ethernet)
        RX packets 2816  bytes 250885 (245.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1664  bytes 221897 (216.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::af5:df02:5a53:e408  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:29:2b:6a  txqueuelen 1000  (Ethernet)
        RX packets 153  bytes 52046 (50.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37  bytes 3246 (3.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 200  bytes 17668 (17.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 200  bytes 17668 (17.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

• 給ens37網卡自動獲取IP，而後再來查看ens36的網卡IP地址爲192.168.100.1
• 這時再來使用ens37網卡的IP來訪問，會看到訪問的admin目錄爲403

[root@yong-01 vhost]# curl -x192.168.100.1:80 test.com/admin/ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 12:58:12 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

• 這時再來查看日誌文件，會看到來源的IP爲192.168.100.1，在配置文件中被沒有被容許，因此爲403

[root@yong-01 vhost]# !cat
cat /tmp/test.com.log
127.0.0.1 - [09/Jun/2018:09:45:28 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:20:48:01 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:20:48:05 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.100.1 - [11/Jun/2018:20:57:48 +0800] test.com "/admin/" 403 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.100.1 - [11/Jun/2018:20:58:12 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"

針對正則匹配

• 例子
• 網站被黑，數據庫被盜竊，就是由於上傳圖片的目錄沒有作禁止解析php的操做，最終致使上傳了一句話木馬，php也能解析，因此網站就會被黑
• 只要能上傳的目錄，都要禁掉，禁止解析PHP
• 加如下代碼,便可禁掉上傳的目錄解析PHP

location ~ .*(upload|image)/.*\.php$        //只要匹配upload，而後以php結尾的
{
        deny all;            //都禁掉
}

• 打開配置文件vim /usr/local/nginx/conf/vhost/test.com.conf，在access_log上面加上這一段
• 檢查配置文件語法錯誤，並從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 測試，首先是訪問的那個目錄，而後訪問的php資源
• 建立一個upload目錄，而後在建立一個php文件

[root@yong-01 vhost]# mkdir /data/wwwroot/test.com/upload
[root@yong-01 vhost]# echo "123456" > /data/wwwroot/test.com/upload/1.php

• 訪問upload目錄下的1.php文件，會看到是403狀態碼，被拒絕訪問

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 13:08:26 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

• 這時再upload目錄下建立1.txt，再來測試訪問

[root@yong-01 vhost]# echo "123456" > /data/wwwroot/test.com/upload/1.txt
[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt
123456

• 查看訪問日誌cat /tmp/test.com.log 1.php是403 1.txt是200

[root@yong-01 vhost]# tail -5 /tmp/test.com.log
127.0.0.1 - [11/Jun/2018:21:08:21 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:21:08:26 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:21:08:52 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
127.0.0.1 - [11/Jun/2018:21:08:57 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

根據user_agent限制

• 若是你的網站被cc攻擊，或者禁掉某些蜘蛛，若是你的網站想作一個被隱藏的網站，不想被別人搜索到，那麼就能夠將百度、谷歌、有道等這些蜘蛛封掉，沒有任何蜘蛛爬到你的網站，也不將網址告訴任何人，那別人就沒法知道你的站點，由於你的網站是被隱藏的。
• 只須要根據user_agent限制，添加如下代碼

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

• deny all和return 403效果同樣
• 打開配置文件vim /usr/local/nginx/conf/vhost/test.com.conf 添加如下代碼

 

• 檢查配置文件語法錯誤，並從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 模擬user_agent，訪問測試，會看到顯示403

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/admin/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 13:16:38 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Mon, 11 Jun 2018 13:16:35 GMT
Connection: keep-alive
ETag: "5b1e7633-5"
Accept-Ranges: bytes

[root@yong-01 vhost]# curl -A "Tomatosfdas" -x127.0.0.1:80 test.com/admin/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 13:17:10 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

• deny all和return 403效果同樣
• 若是訪問的時候，改爲小寫再訪問，則狀態碼爲200，由於這個是嚴格匹配的

[root@yong-01 vhost]# curl -A "tomatosfdas" -x127.0.0.1:80 test.com/admin/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 13:17:38 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Mon, 11 Jun 2018 13:16:35 GMT
Connection: keep-alive
ETag: "5b1e7633-5"
Accept-Ranges: bytes

• 若是想忽略大小寫，在配置文件中的匹配符號後加 * 號便可

[root@yong-01 vhost]# vim test.com.conf 

  if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }

• 在檢查配置文件，並從新加載

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 再來測試，會顯示403

[root@yong-01 vhost]# curl -A "tomatosfdas" -x127.0.0.1:80 test.com/admin/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 13:19:29 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

Nginx解析php相關配置目錄概要

• 配置以下：

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

• fastcgi_pass 用來指定php-fpm監聽的地址或者socket

Nginx解析php相關配置

• 添加如下代碼

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;        //寫錯這個路徑，就會顯示502
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

• 打開虛擬主機配置文件，由於如今test.com.conf還不能解析php，加代碼添加到配置文件中

• 先建立一個php文件，在/data/wwwroot/test.com/目錄下建立3.php

[root@yong-01 vhost]# vim /data/wwwroot/test.com/3.php
<?php
phpinfo();

• 測試訪問3.php，會看到沒法解析3.php文件，顯示出了源碼

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

• 這時候檢查配置文件語法錯誤，並從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 這時候再來訪問3.php，會看到能夠正常解析了

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php

• 如果解析php相關配置的 fastcgi_pass unix:/tmp/php-fcgi.sock; 這個路徑被寫錯，會直接顯示502，由於sock文件沒有被找到
• 將配置文件改錯後，從新加載後，再來訪問3.php，會看到顯示502狀態碼

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

• 查看訪問日誌cat /usr/local/nginx/logs/nginx_error.log，會看到日誌文件中會說沒有這樣的文件或目錄

[root@yong-01 vhost]# cat /usr/local/nginx/logs/nginx_error.log 
2018/06/11 21:44:48 [crit] 2348#0: *33 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"

• 在遇到502的問題時，須要查看你配置的地址是否正確，首先查看錯誤日誌，而後根據錯誤日誌中提示，查看這個文件是否存在，在查看cat /usr/local/php-fpm/etc/php-fpm.conf你定義的sock是什麼，那麼在nginx的配置文件中寫什麼

這兩個地方的路徑必須是同樣的 不能錯 不然就報502錯誤

• 這時再去配置文件中更改回來便可，因此只要配置文件中的 fastcgi_pass unix:/tmp/php-fcgi.sock; 地址錯誤，就會顯示502

502的另外一種狀況

1. 假設這時不監聽sock，而去監聽IP端口
2. 首先更改配置vim /usr/local/php-fpm/etc/php-fpm.conf

• 將#listen = /tmp/php-fcgi.sock註釋掉，增長listen = 127.0.0.1:9000

[root@yong-01 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

• 重啓php 命令爲/etc/init.d/php-fpm restart，php重啓也支持reload

[root@yong-01 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

• 檢查php文件是否存在語法錯誤，從新加載下nginx的配置文件

[root@yong-01 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[11-Jun-2018 21:51:56] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 查看監聽端口是否爲127.0.0.1:9000

[root@yong-01 vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1178/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1120/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1477/master         
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      2497/php-fpm: maste 
tcp6       0      0 :::22                   :::*                    LISTEN      1120/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1477/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1431/mysqld

1. 這時在來訪問3.php，會看到顯示爲502

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

• 查看配置文件會提示說文件不存在
• 這時候只須要在配置文件中作一個更改，在php配置那一塊，註釋掉unix，添加ip和端口

[root@yong-01 vhost]# vim test.com.conf 
在php配置那一塊，註釋掉unix，添加ip和端口
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;
保存退出

• 檢查語法錯誤，並從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 再來訪問3.php文件，會看到正常訪問

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php

• 如果出現502，要檢查下配置文件中的fastcgi_pass 這塊是否nginx與php-fpm中所配置的地址是相匹配的
• PHP下的listen = /tmp/php-fcgi.sock這段配置很重要，決定了nginx是否能正確解析而不是502
  • 當PHP配置文件 listen 使用sock時，那麼對應的nginx配置文件下就必須使用 fastcgi_pass unix:/tmp/php-fcgi.sock；
  • 當PHP配置文件listen 使用 IP加端口「127.0.0.1：9000」的時候，那麼對應的nginx就要改爲fastcgi_pass 127.0.0.1：9000；
• 配置文件中的 fastcgi_param SCRIPT_FILENAME 中的地址路徑/data/wwwroot/test.com$fastcgi_script_name;與配置文件最上方的 root /data/wwwroot/test.com; 相對應起來

502的其餘狀況

• 在php5.4及之後的其餘版本，有一個特色
• 更改監聽爲sock，取消監聽IP和端口，註釋掉listen.mode
• 更改php-fpm的配置文件，取消註釋listen = /tmp/php-fcgi.sock，註釋掉#listen = 127.0.0.1:9000和#listen.mode = 666

[root@yong-01 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

• 從新加載php

[root@yong-01 vhost]# /etc/init.d/php-fpm reload 
Reload service php-fpm  done

• 查看sock文件的權限爲660，屬主和屬組爲root

[root@yong-01 vhost]# ll /tmp/php-fcgi.sock 
srw-rw---- 1 root root 0 6月  11 21:57 /tmp/php-fcgi.sock

• 更改nginx虛擬主機配置文件，取消 fastcgi_pass unix:/tmp/php-fcgi.sock; 的註釋，註釋掉#fastcgi_pass 127.0.0.1:9000;
• fastcgi_pass unix:/tmp/php-fcgi.sock;這一行的配置是爲了nginx去讀sock文件
• 從新加載nginx配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• 這時候再來訪問3.php，依然仍是顯示502

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

• 查看訪問日誌文件，顯示訪問文件，權限被拒絕

[root@yong-01 vhost]# tail /usr/local/nginx/logs/nginx_error.log 
2018/06/11 21:44:48 [crit] 2348#0: *33 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/06/11 21:53:20 [crit] 2523#0: *35 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
2018/06/11 21:59:12 [crit] 2650#0: *39 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"

• sock文件默認權限使660，root用戶能夠讀，root用戶組也是可讀的，惟獨其餘用戶不能去讀
• 看到是由nobody的身份去讀nginx的

[root@yong-01 vhost]# ps aux |grep nginx
root      1178  0.0  0.0  25584  1824 ?        Ss   19:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody    2649  0.0  0.1  27276  3600 ?        S    21:58   0:00 nginx: worker process
nobody    2650  0.0  0.2  27276  3848 ?        S    21:58   0:00 nginx: worker process
root      2672  0.0  0.0 112676   984 pts/0    R+   22:00   0:00 grep --color=auto nginx

• 這時臨時改變權限爲nobody

[root@yong-01 vhost]# chown nobody /tmp/php-fcgi.sock

• 這時再去訪問3.php會看到正常訪問

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php

• 這就是由於nobody用戶有讀的權限，因此能夠正常訪問
• 在php-fpm的配置文件中定義listen.mode，就是爲了讓任何用戶能夠讀
• 再去配置文件中取消listen.mode的註釋

[root@yong-01 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf
listen.mode = 666

• 而後重啓php-fpm的配置文件

[root@yong-01 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

• 查看文件的權限

[root@yong-01 vhost]# ll /tmp/php-fcgi.sock 
srw-rw-rw- 1 root root 0 6月  11 22:02 /tmp/php-fcgi.sock

• 訪問3.php會看到正常訪問

[root@yong-01 vhost]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 11 Jun 2018 14:03:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

 

Nginx代理目錄概要

• cd /usr/local/nginx/conf/vhost
• vim proxy.conf //加入以下內容

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Nginx代理

• 需求：
  • 用戶須要訪問web服務器，但用戶由於各類緣由沒辦法訪問或者訪問很慢（私網無訪問、境內訪問國外服務器），因此，就須要一個能訪問web服務器的代理者，讓用戶經過代理服務器訪問
• 解決方法
  • 建立代理服務器
• 首先切換目錄cd /usr/local/nginx/conf/vhost，新建一個配置文件vim proxy.conf

[root@yong-01 vhost]# vim proxy.conf

server
{
    listen 80;
    server_name ask.apelearn.com;                       //定義域名，論壇的網站
    location /
    {
        proxy_pass      http://121.201.9.155/;         //定義域名，論壇的IP
        proxy_set_header Host   $host;                   //定義訪問的域名 爲 $host =server_name ask.apelearn.com
        proxy_set_header X-Real-IP      $remote_addr; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

• 配置文件中，沒有了root，由於這是一個代理服務器，它不須要訪問本地服務器上的任何文件
• 在配置完成後，這臺虛擬機就能夠訪問ask.apelearn.com論壇了
• 檢查配置文件語法錯誤，並從新加載配置文件

[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yong-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

• robots是針對蜘蛛的索引的一個列表，通常網站都會有robots

[root@yong-01 vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/

• 測試代理是否成功，指定本機的IP，也能去訪問

[root@yong-01 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/

• 正常狀況下，不去配置這個代理，是不可能經過本地訪問到遠程的站點的