第二十一课 LNMP(二)
目录
一、默认虚拟主机
二、Nginx用户认证
三、Nginx域名重定向
四、Nginx访问日志
五、Nginx日志切割
六、静态文件不记录日志和过期时间
七、Nginx防盗链
八、Nginx访问控制
九、Nginx解析php相关配置
十、Nginx代理
十一、扩展
一、默认虚拟主机
默认虚拟主机一般是配置文件中的第一个虚拟主机。也可以通过在虚拟主机配置文件中设置default_server,指定为默认虚拟主机。
默认配置文件中只有一个虚拟主机,所以默认的虚拟主机就是该虚拟主机。
//默认配置中虚拟主机定义文件
[root@localhost html]# grep -A 13 -w 'server' /usr/local/nginx/conf/nginx.conf
server
{
listen 80;
//主机名localhost
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
//虚拟主机首页内容
[root@localhost html]# cat /usr/local/nginx/html/index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
//验证
[root@localhost html]# curl -x127.0.0.1:80 localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
//访问其他未绑定域名,也是打开默认的主页,说明该虚拟主机就是默认虚拟主机
[root@localhost html]# curl -x127.0.0.1:80 a.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
以default-server参数在虚拟主机配置文件中指定为默认的虚拟主机
//修改默认的配置文件
//删除默认虚拟主机,并添加两个新的虚拟主机,并指定其中一个为默认的虚拟主机
//删除server段内容
server
{
listen 80;
//主机名localhost
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
//添加下列内容
include vhost/*.conf
//在conf目录下新建vhost目录及相应的虚拟主机配置文件
[root@localhost nginx]# mkdir conf/vhost
[root@localhost vhost]# vim aaa.com.conf
//aaa.com虚拟主机的内容
[root@localhost vhost]# vim aaa.com.conf
//添加如下内容
server
{
listen 80 default_server;
server_name aaa.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/aaa.com;
}
server
{
listen 80;
server_name bbb.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/bbb.com;
}
//增加虚拟主机目录及内容
[root@localhost vhost]# mkdir -p /usr/local/nginx/html/aaa.com
[root@localhost vhost]# mkdir -p /usr/local/nginx/html/bbb.com
[root@localhost html]# tree
├── aaa.com
│ └── index.html
├── bbb.com
│ └── index.html
//验证配置文件
[root@localhost html]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
//重载配置文件
[root@localhost html]# /usr/local/nginx/sbin/nginx -s reload
//测试,以未绑定的域名测试,访问到的虚拟主机是aaa.com,说明指定默认虚拟主机aaa.com生效
[root@localhost html]# curl -x127.0.0.1:80 aaa.com
I am aaa.com!
[root@localhost html]# curl -x127.0.0.1:80 bbb.com
I am bbb.com!
[root@localhost html]# curl -x127.0.0.1:80 ccc.com
I am aaa.com!
[root@localhost html]# curl -x127.0.0.1:80 ddd.com
I am aaa.com!
//将默认虚拟主机指定为bbb.com
[root@localhost html]# vim ../conf/vhost/aaa.com.conf
//配置如下
server
{
listen 80;
server_name aaa.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/aaa.com;
}
server
{
listen 80 default_server;
server_name bbb.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/bbb.com;
}
//测试配置文件及重载配置
[root@localhost html]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost html]# /usr/local/nginx/sbin/nginx -s reload
//验证,访问未绑定域名ccc.com和ddd.com,返回bbb.com的内容,说明默认虚拟主机指定成功。
[root@localhost html]# curl -x127.0.0.1:80 aaa.com
I am aaa.com!
[root@localhost html]# curl -x127.0.0.1:80 bbb.com
I am bbb.com!
[root@localhost html]# curl -x127.0.0.1:80 ccc.com
I am bbb.com!
[root@localhost html]# curl -x127.0.0.1:80 ddd.com
I am bbb.com!
二、Nginx用户认证
有时候为了安全需要,需要对用户的访问进行验证。
这里以authtest.com为例
//新建authtest.com配置文件
[root@localhost html]# vim /usr/local/nginx/conf/vhost/authtest.com.conf
//添加如下内容
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@localhost authtest.com]# tree
.
├── index.htm
└── index.html
//生成验证用户及密码
//需要用到htpasswd命令,如果没有,可yum安装httpd
[root@localhost authtest.com]# htpasswd -c /usr/local/nginx/conf/htpasswd user01
New password:
Re-type new password:
Adding password for user user01
//添加第二个用户的时候不要加-c,否则会重新生成文件,之前加的就没有了
[root@localhost authtest.com]# htpasswd /usr/local/nginx/conf/htpasswd user02
New password:
Re-type new password:
Adding password for user user02
[root@localhost authtest.com]# cat /usr/local/nginx/conf/htpasswd
user01:$apr1$as5hy4SY$Zf9zw331d8oKG0L2pHgGE0
user02:$apr1$yYDGoWps$7VrbdC4Dbmut1U6/r8VJQ/
//测试配置以及重载配置文件
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com
<html>
//401错,需要认证
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//以正确用户名密码验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 -uuser01:123456 authtest.com
I am authtest.com!!
//限定访问虚拟主机指定目录需要认证,以authtest.com下的admin目录为例
//修改虚拟主机配置文件
[root@localhost authtest.com]# vim /usr/local/nginx/conf/vhost/authtest.com.conf
//修改location的匹配
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
location ~ /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
//新建测试文件
[root@localhost authtest.com]# mkdir admin
[root@localhost authtest.com]# vim admin/index.php
[root@localhost authtest.com]# tree
.
├── admin
│ ├── index.html
│ └── index.php
├── index.htm
└── index.html
//测试配置文件及重载
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com
I am authtest.com!!
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/admin/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//以正确的用户名密码访问
[root@localhost authtest.com]# curl -x127.0.0.1:80 -uuser02:123456 authtest.com/admin/
I am admin.html
//限制访问特定的页面
//修改虚拟主机配置文件
[root@localhost authtest.com]# vim /usr/local/nginx/conf/vhost/authtest.com.conf
//修改location的匹配
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
location ~ .php$
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
//测试配置文件及重载
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com
I am authtest.com!!
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/admin/
I am admin.html
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/admin/admin.php
<html>
//401需要认证
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
三、Nginx域名重定向
以authtest.com为例,假设其有多个域名,配置如下
server
{
listen 80;
server_name authtest.com authtest1.com auth.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
}
修改配置
server
{
listen 80;
server_name authtest.com authtest1.com auth.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
if ($host != 'authtest.com'){
rewrite ^/(.*)$ http://authtest.com/$1 permanent;
}
}
验证
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//测试
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com
I am authtest.com!!
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest1.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
[root@localhost authtest.com]# curl -x127.0.0.1:80 auth.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
四、Nginx访问日志
Nginx日志的格式一般在nginx.conf里面配置。常见配置如下
[root@localhost ~]# grep -A 2 log_format /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
常见日志字段说明
| 字段 | 说明 |
|---|---|
| $remote_addr | 记录客户端IP |
| $http_x_forwarded_for | 记录客户端IP |
| $time_local | 服务器本地时间 |
| $host | 访问的主机名(域名) |
| $request_uri | 访问的uri地址 |
| $status | 状态码 |
| $http_referer | refer |
| $http_user_agent | 用户代理 |
日志定义方式
1.在nginx.conf中定义日志的格式
//这里以默认的格式为例
[root@localhost ~]# grep -A 2 log_format /usr/local/nginx/conf/nginx.conf
//日志格式定义方式:logformat 日志格式名称 记录的日志字段
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
2.在子虚拟主机配置文件中引用设置日志
//以aaa.com.conf的bbb.com为例
server
{
listen 80;
server_name aaa.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/aaa.com;
}
server
{
listen 80 default_server;
server_name bbb.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/bbb.com;
//引用主配置文件中的combined_realip日志格式
access_log /tmp/access_bbb.com.log combined_realip;
}
//以远程浏览器和curl代理分别访问bbb.com
[root@localhost nginx]# curl -x127.0.0.1:80 bbb.com
I am bbb.com!
[root@localhost nginx]# curl -x127.0.0.1:80 bbb.com
I am bbb.com!
//检查日志内容,正确记录,说明日志配置成功。
[root@localhost nginx]# cat /tmp/access_bbb.com.log
10.0.1.229 - [04/Jul/2018:02:49:10 -0400] bbb.com "/" 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
127.0.0.1 - [04/Jul/2018:02:52:39 -0400] bbb.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:02:52:42 -0400] bbb.com "/" 200 "-" "curl/7.29.0"
五、Nginx日志切割
nginx产生的访问日志文件一直就是一个,不会自动进行切割,如果访问量很大的话,将会导致日志文件容易非常大,不便于管理。可以使用shell脚本结合crontab命令非常方便的进行切割。
脚本内容如下
[root@localhost tmp]# vim /usr/local/sbin/nginx_log_rotate.sh
#!/bin/bash
d=$(date -d yesterday +%Y%m%d)
log_dir="/tmp"
nginx_pid=$(cat /usr/local/nginx/logs/nginx.pid )
cd $log_dir
for log in $(ls *.log)
do
mv $log ${log}_$d
touch $log
done
/usr/bin/kill -USR1 $nginx_pid
脚本测试
[root@localhost tmp]# sh /usr/local/sbin/nginx_log_rotate.sh
[root@localhost tmp]# ls -l *.log*
//因为bbb.com没有用户访问,所以新日志文件写入量是0
-rw-r--r--. 1 nginx root 0 Jul 4 03:42 access_bbb.com.log
-rw-r--r--. 1 nginx root 1060 Jul 4 03:40 access_bbb.com.log_20180703
//访问bbb.com
[root@localhost tmp]# curl -x127.0.0.1:80 bbb.com -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 04 Jul 2018 07:52:23 GMT
Content-Type: text/html
Content-Length: 14
Last-Modified: Tue, 03 Jul 2018 08:32:25 GMT
Connection: keep-alive
ETag: "5b3b3499-e"
Accept-Ranges: bytes
[root@localhost tmp]# curl -x127.0.0.1:80 bbb.com
I am bbb.com!
[root@localhost tmp]# ls -l *.log*
//已经往新的日志文件里写东西了
-rw-r--r--. 1 nginx root 906 Jul 4 03:52 access_bbb.com.log
-rw-r--r--. 1 nginx root 1060 Jul 4 03:40 access_bbb.com.log_20180703
在任务计划中添加相应的任务
[root@localhost tmp]# crontab -e
no crontab for root - using an empty one
//添加计划任务
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
[root@localhost tmp]# crontab -l
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
六、静态文件不记录日志和过期时间
有些静态文件的访问没有必要记录到日志访问记录里。这可以通过修改配置文件来排除相应的记录。
以bbb.com为例,在配置中添加如下内容
[root@localhost vhost]# vim /usr/local/nginx/conf/vhost/aaa.com.conf
server
{
listen 80;
server_name aaa.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/aaa.com;
}
server
{
listen 80 default_server;
server_name bbb.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/bbb.com;
//匹配以“.”+“gif或jpg或jpeg或png”结尾的访问
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
//本地缓存超时时间
expires 7d;
access_log off;
}
//匹配以“.”+“js或css”结尾的访问
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
access_log /tmp/access_bbb.com.log combined_realip;
}
//测度配置文件及重载
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
测试
//新建测试文件
[root@localhost bbb.com]# tree
.
├── 1.js
├── 2.css
├── huang.jpg
├── index.html
├── Screenshot_20180627-200020.png
└── Screenshot_20180627-202910.png
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/1.js
aabbcc
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/2.css
bbccdd
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/index.html
I am bbb.com!
[root@localhost bbb.com]# cat /tmp/access_bbb.com.log
127.0.0.1 - [04/Jul/2018:04:17:06 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/index.html
I am bbb.com!
[root@localhost bbb.com]# cat /tmp/access_bbb.com.log
127.0.0.1 - [04/Jul/2018:04:17:06 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:04:18:14 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/2.css
bbccdd
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/1.js
aabbcc
[root@localhost bbb.com]# cat /tmp/access_bbb.com.log
127.0.0.1 - [04/Jul/2018:04:17:06 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:04:18:14 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/1.js.aaa
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/1.js.bb
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
[root@localhost bbb.com]# cat /tmp/access_bbb.com.log
127.0.0.1 - [04/Jul/2018:04:17:06 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:04:18:14 -0400] bbb.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:04:19:08 -0400] bbb.com "/1.js.aaa" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:04:19:13 -0400] bbb.com "/1.js.bb" 404 "-" "curl/7.29.0"
//另外,exprire控制本地缓存时间
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/1.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 04 Jul 2018 08:21:17 GMT
Content-Type: application/javascript
Content-Length: 7
Last-Modified: Wed, 04 Jul 2018 08:11:27 GMT
Connection: keep-alive
ETag: "5b3c812f-7"
Expires: Wed, 04 Jul 2018 20:21:17 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
//如果修改,相应的时间值也会变更
location ~ .*\.(js|css)$
{
# expires 12h;
access_log off;
}
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost bbb.com]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/1.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 04 Jul 2018 08:24:00 GMT
Content-Type: application/javascript
Content-Length: 7
Last-Modified: Wed, 04 Jul 2018 08:11:27 GMT
Connection: keep-alive
//已经变更
ETag: "5b3c812f-7"
Accept-Ranges: bytes
七、Nginx防盗链
nginx的防盗链配置如下
以bbb.com为例
//修改bbb.com的配置文件
[root@localhost bbb.com]# vim /usr/local/nginx/conf/vhost/aaa.com.conf
server
{
listen 80 default_server;
server_name bbb.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/bbb.com;
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.bbb.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
# expires 12h;
access_log off;
}
access_log /tmp/access_bbb.com.log combined_realip;
}
//测试配置文件及重载
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost bbb.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost bbb.com]# curl -x127.0.0.1:80 bbb.com/huang.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 04 Jul 2018 08:50:26 GMT
Content-Type: image/jpeg
Content-Length: 24924
Last-Modified: Wed, 04 Jul 2018 03:49:34 GMT
Connection: keep-alive
ETag: "5b3c43ce-615c"
Expires: Wed, 11 Jul 2018 08:50:26 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost bbb.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 bbb.com/huang.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Wed, 04 Jul 2018 08:50:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost bbb.com]# curl -e "http://www.bbb.com" -x127.0.0.1:80 bbb.com/huang.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 04 Jul 2018 08:50:57 GMT
Content-Type: image/jpeg
Content-Length: 24924
Last-Modified: Wed, 04 Jul 2018 03:49:34 GMT
Connection: keep-alive
ETag: "5b3c43ce-615c"
Expires: Wed, 11 Jul 2018 08:50:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
八、Nginx访问控制
nginx可以针对目录的访问进行控制(以authtest.com的admin目录为例)
[root@localhost authtest.com]# tree
.
├── admin
│?? ├── index.html
│?? └── index.php
├── index.htm
└── index.html
//修改authtest.com.conf
[root@localhost authtest.com]# vim /usr/local/nginx/conf/vhost/authtest.com.conf
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
location /admin/
{
allow 10.0.1.229;
allow 127.0.0.1;
deny all;
}
access_log /tmp/authtest.com.log combined_realip;
}
//测试配置文件及重载
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/admin/
I am admin.html
//不在白名单中的ip无法访问
[root@localhost authtest.com]# curl -x10.0.1.241:80 authtest.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//日志
[root@localhost authtest.com]# cat /tmp/authtest.com.log
127.0.0.1 - [04/Jul/2018:05:44:01 -0400] authtest.com "/admin/" 200 "-" "curl/7.29.0"
10.0.1.241 - [04/Jul/2018:05:43:55 -0400] authtest.com "/admin/" 403 "-" "curl/7.29.0"
nigix也可以通过正则表达式,对某些类型的文件访问进行控制(以php文件为例)
//修改authtest.com.conf
[root@localhost authtest.com]# vim /usr/local/nginx/conf/vhost/authtest.com.conf
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
//添加此段内容
location ~ .*admin/.*\.php$
{
deny all;
}
# location /admin/
# {
# allow 10.0.1.229;
# allow 127.0.0.1;
# deny all;
# }
access_log /tmp/authtest.com.log combined_realip;
}
//测试配置文件及重载
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/admin/index.html
I am admin.html
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/admin/index.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//日志
127.0.0.1 - [04/Jul/2018:05:56:15 -0400] authtest.com "/admin/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:05:56:20 -0400] authtest.com "/admin/index.php" 403 "-" "curl/7.29.0"
此外,nginx也可以针对浏览器进行限制(以限制Spider/3.0、YoudaoBot、Tomato为例)
//修改authtest.com.conf
[root@localhost authtest.com]# vim /usr/local/nginx/conf/vhost/authtest.com.conf
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
location ~ .*admin/.*\.php$
{
deny all;
}
# location /admin/
# {
# allow 10.0.1.229;
# allow 127.0.0.1;
# deny all;
# }
//添加此段内容,也可以用 ~* 不区分大小写
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/authtest.com.log combined_realip;
}
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost authtest.com]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost authtest.com]# curl -x127.0.0.1:80 authtest.com/index.html
I am authtest.com!!
[root@localhost authtest.com]# curl -A "YoudaoBot" -x127.0.0.1:80 authtest.com/index.html
<html>
//YoudaoBot在被禁止的列表中,无法访问
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
[root@localhost authtest.com]# curl -A "YoudaoBotadadasdas" -x127.0.0.1:80 authtest.com/index.html
<html>
//YoudaoBot在被禁止的列表中,无法访问
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//adadasdas不在被禁止的列表中,可以访问
[root@localhost authtest.com]# curl -A "adadasdas" -x127.0.0.1:80 authtest.com/index.html
I am authtest.com!!
//Tomato在被禁止的列表中,无法访问
[root@localhost authtest.com]# curl -A "Tomato" -x127.0.0.1:80 authtest.com/index.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//日志
127.0.0.1 - [04/Jul/2018:05:56:15 -0400] authtest.com "/admin/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:05:56:20 -0400] authtest.com "/admin/index.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:06:02:42 -0400] authtest.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:06:03:09 -0400] authtest.com "/index.html" 403 "-" "YoudaoBot"
127.0.0.1 - [04/Jul/2018:06:03:16 -0400] authtest.com "/index.html" 403 "-" "YoudaoBotadadasdas"
127.0.0.1 - [04/Jul/2018:06:03:37 -0400] authtest.com "/index.html" 200 "-" "adadasdas"
127.0.0.1 - [04/Jul/2018:06:03:47 -0400] authtest.com "/index.html" 403 "-" "Tomato"
九、Nginx解析php相关配置
之前配置的虚拟主机还没有办法进行虚拟主机的解析。需要对配置文件对行修改。(以authtest.com为例)
//原始配置文件
[root@localhost nginx]# cat /usr/local/nginx/conf/vhost/authtest.com.conf
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
# location ~ .*admin/.*\.php$
# {
# deny all;
# }
# location /admin/
# {
# allow 10.0.1.229;
# allow 127.0.0.1;
# deny all;
# }
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/authtest.com.log combined_realip;
}
[root@localhost nginx]# tree html/
html/
├── 1.php
├── 50x.html
├── aaa.com
│ └── index.html
├── authtest.com
│ ├── admin
│ │ ├── index.html
│ │ └── index.php
│ ├── index.htm
│ └── index.html
├── bbb.com
│ ├── 1.js
│ ├── 2.css
│ ├── huang.jpg
│ ├── index.html
│ ├── Screenshot_20180627-200020.png
│ └── Screenshot_20180627-202910.png
├── index.html
└── phpinfo.php
//此时访问index.php是无法解析的
[root@localhost nginx]# curl -x127.0.0.1:80 authtest.com/admin/index.php
<?php
echo "I am admin.php!!"
?>
若需解析php文件,在配置文件增加以下内容
server
{
listen 80;
server_name authtest.com;
index index.html index.htm index.php;
root /usr/local/nginx/html/authtest.com;
# location ~ .*admin/.*\.php$
# {
# deny all;
# }
# location /admin/
# {
# allow 10.0.1.229;
# allow 127.0.0.1;
# deny all;
# }
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
//增加此段location
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/authtest.com$fastcgi_script_name;
}
access_log /tmp/authtest.com.log combined_realip;
}
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# sbin/nginx -s reload
//验证php解析,此时php文件已经可以正常解析。
[root@localhost nginx]# curl -x127.0.0.1:80 authtest.com/admin/index.php
I am admin.php!![root@localhost nginx]#
php解析配置常见问题
1.fastcgi_pass参数配置错误,如将unix:/tmp/php-fcgi.sock配置成unix:/tmp/php-cgi.sock
//unix:/tmp/php-fcgi.sock配置成unix:/tmp/php-cgi.sock
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/authtest.com$fastcgi_script_name;
}
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# sbin/nginx -s reload
//验证,此时报内部网部网关错误
[root@localhost nginx]# curl -x127.0.0.1:80 authtest.com/admin/index.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
2.fastcgi_pass中配置的参数与/usr/local/php-fpm/etc/php-fpm.conf中配置的listen不一致
php-fpm中的listen有两种配置方式
listen = /tmp/php-fcgi.sock
或
listen = 127.0.0.1:9000
如果虚拟主机配置文件的里配置与php-fpm中的配置不一致也会报错。
//php-fpm配置
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listern = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
//authtest.com虚拟主机php解析段的配置
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/authtest.com$fastcgi_script_name;
}
//测试php配置文件
[root@localhost nginx]# /usr/local/php-fpm/sbin/php-fpm -t
[04-Jul-2018 22:36:03] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
//重启php
[root@localhost nginx]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -s reload
//验证,502内部网错误。
[root@localhost nginx]# curl -x127.0.0.1:80 authtest.com/admin/index.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//将二者改成一致
location ~ \.php$
{
include fastcgi_params;
# fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/authtest.com$fastcgi_script_name;
}
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -s reload
//验证
[root@localhost nginx]# !curl
curl -x127.0.0.1:80 authtest.com/admin/index.php
[root@localhost nginx]# netstat -nltup | grep php
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1838/php-fpm: maste
//log
[root@localhost nginx]# tail /usr/local/nginx/logs/nginx_error.log
2018/07/04 22:25:47 [crit] 1735#0: *12 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: authtest.com, request: "GET HTTP://authtest.com/admin/index.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "authtest.com"
2018/07/04 22:37:07 [crit] 1862#0: *14 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: authtest.com, request: "GET HTTP://authtest.com/admin/index.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "authtest.com"
3.若侦听方式为套接字方式(php-fcgi.sock)如果php-fpm.conf中的listen.mode权限配置错误,也会提示错误
//当前套接字权限666
[root@localhost nginx]# ls -l /tmp/php-fcgi.sock
srw-rw-rw-. 1 root root 0 Jul 4 22:47 /tmp/php-fcgi.sock
//若改为444
[root@localhost nginx]# vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 444
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
~
[root@localhost nginx]# /usr/local/php-fpm/sbin/php-fpm -t
[04-Jul-2018 22:50:56] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost nginx]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
//验证502错误
[root@localhost nginx]# !curl
curl -x127.0.0.1:80 authtest.com/admin/index.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
//若改为644,测试结果仍为502
//若改为664,测试结果仍为502
//改回666后,测试结果可以正常访问,结论,666是套接字访问时时listen.mode的最小权限。
//log
2018/07/04 22:53:16 [crit] 2024#0: *20 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: authtest.com, request: "GET HTTP://authtest.com/admin/index.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "authtest.com"
2018/07/04 22:54:13 [crit] 2024#0: *22 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: authtest.com, request: "GET HTTP://authtest.com/admin/index.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "authtest.com"
4.有时候服务器资源不足也可能会导致502错误。需要对程序进行优化或升级配置。
十、Nginx代理
代理服务服务器实现
1.新建proxy配置文件
[root@localhost nginx]# vim conf/vhost/proxy.conf
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://10.0.1.229/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log logs/proxy.log combined_realip;
}
}
//测试配置文件及重载
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
//测试
[root@localhost nginx]# curl -x 127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 05 Jul 2018 03:22:56 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
//访问的是windows上的一个网站。
[root@localhost nginx]# curl -x 127.0.0.1:80 ask.apelearn.com
[root@localhost nginx]# curl -x 127.0.0.1:80 ask.apelearn.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
...中间略...
</table>
<address>Apache/2.4.27 (Win64) PHP/5.6.31 Server at ask.apelearn.com Port 80</address>
</body></html>
[root@localhost ~]# curl -x10.0.1.241:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 05 Jul 2018 03:26:26 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
[root@localhost ~]# curl -x10.0.1.241:80 ask.apelearn.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
...中间略...
<address>Apache/2.4.27 (Win64) PHP/5.6.31 Server at ask.apelearn.com Port 80</address>
</body></html>
//log
[root@localhost nginx]# tail /usr/local/nginx/logs/proxy.log
127.0.0.1 - [04/Jul/2018:23:22:56 -0400] ask.apelearn.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:23:24:16 -0400] ask.apelearn.com "/" 200 "-" "curl/7.29.0"
10.0.1.241 - [04/Jul/2018:23:26:17 -0400] ask.apelearn.com "/" 200 "-" "curl/7.29.0"
10.0.1.241 - [04/Jul/2018:23:26:26 -0400] ask.apelearn.com "/" 200 "-" "curl/7.29.0"
十一、扩展
nginx.conf 配置详解
http://my.oschina.net/duxuefeng/blog/34880
nginx rewrite四种flag
http://www.netingcn.com/nginx-rewrite-flag.html
http://unixman.blog.51cto.com/10163040/1711943
502问题汇总
http://ask.apelearn.com/question/9109
location优先级