Linux-LNMP-Nginx配置二

• 静态文件不记录日志和过期时间
• Nginx防盗链
• Nginx访问控制
• Nginx解析php相关配置
• Nginx代理
• Nginx负载均衡
• SSL原理
• 生成SSL密钥对
• Nginx配置SSL

静态文件不记录日志和过期时间
在Nginx服务器的虚拟主机配置文件(/usr/local/nginx/conf/vhost/norecord.conf)中定义

vim /usr/local/nginx/conf/vhost/norecord.conf

文件内容如下：

server
{listen 80; server_name www.norecord.com;index index.html index.htm index.php;root /data/wwwroot/norecord;location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)${expires 7d;access_log off;}access_log /tmp/norecord.log combined_realip;
}

创建测试目录,测试文件

mkdir -p /data/wwwroot/norecord
cd /data/wwwroot/norecord/
echo "record_log" > index.html
rz  //从本地上传一张123.jpg图片文件到当前目录下

查看图片和文件

检测语法，加载配置文件

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

测试

curl -x127.0.0.1:80 www.norecord.com www.norecord.com/123.jpg -I

有这要的标志(有7天的时间限制)

查看日志

cat /tmp/norecord.log

发现访问图片没有记录日志

Nginx防盗链
实验：仅允许来自这个Referer(https://blog.51cto.com/13480443/2074160) 的链接访问Nginx服务器的www.burglar.com 下以.(gif|jpeg|png|bmp|swf)结尾的文件并且不记录日志
配置虚拟主机

server
{listen 80;server_name www.burglar.com;index index.html index.htm index.php;root /data/wwwroot/burglar;location ~* ^.+\.(gif|jpg|jpeg|png|bmp|swf)${expires 7d;valid_referers server_names "blog.51cto.com/13480443/2074160";if ($invalid_referer){return 403;}access_log off;}access_log /tmp/burglar.log combined_realip;}

valid_referers none blocked server_name *.test.com //表示匹配空referer或以.test.com结尾的referer

Nginx访问控制

限制某个来源ip访问Nginx服务器上的某个目录
server
{listen 80; server_name www.accesscontrol.com www.accesscontrol1.com www.accesscontrol2.com;index index.html index.htm index.php;root /data/wwwroot/accesscontrol;location /admin/{   allow 192.168.221.20;allow 127.0.0.1;deny all;}
}

限制某些来源ip访问Nginx服务器上的某个文件

location ~ .*(upload|image)/.*\.php${deny all;}

可以根据user_agent来进行限制(~ 匹配区分大小写，~* 匹配不区分大小写)

if ($http_user_agent ~* 'Mozilla|curl|Spider/3.0|YoudaoBot|Tomato' ){return 403;}

Nginx是从上往下进行匹配的，如果匹配到就不再往下匹配

Nginx解析php相关配置

vim /usr/local/nginx/conf/vhost/analysis.conf
server{listen 80;server_name www.analysis.com www.analysis1.com www.analysis2.com;index index.html index.htm index.php;root /data/wwwroot/analysis;location ~ \.php$ {include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/analysis$fastcgi_script_name;}    }

如果下面这行写错了，就会显示返回状态码502(找不到/tmp/php-fcgi.sock)


查询错误日志(/usr/local/nginx/logs/nginx_error.log)

查询php配置文件中定义的"listen"

grep listen /usr/local/php-fpm/etc/php-fpm.conf
listen = /tmp/php-fcgi.sock
listen.mode = 666

如果将php-fpm服务监听ip,重新加载php-fpm服务

vim /usr/local/php-fpm/etc/php-fpm.conf
listen=127.0.0.1:9000
/etc/init.d/php-fpm reload

再次访问还是返回状态码502
将nginx虚拟主机的配置文件改为监听ip和端口的形式

vim /usr/local/nginx/conf/vhost/analysis.conf
fastcgi_pass 127.0.0.1:9000;

检测Nginx配置文件的语法错误，重新加载配置文件，就ok了。
如果将/usr/local/php-fpm/etc/php-fpm.conf文件中的listen.mode = 666注释了，php配置文件与nginx虚拟主机中定义都是sock的，则监听的文件/tmp/php-fcgi.sock的默认权限为660,访问时返回的状态码依然是502
查看错误日志

临时将/tmp/php-fcgi.sock文件中的属主改为nobody,访问又ok了

chown nobody /tmp/php-fcgi.sock

Nginx代理
在代理服务器上作如下设置

vim /usr/local/nginx/conf/vhost/proxy.conf
server
{listen 80;server_name www.qq.com;location /{proxy_pass http://182.254.74.167/;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}
}

测试

curl -x127.0.0.1:80 www.qq.com

Nginx负载均衡
dig命令

yum install bind-utils -y
dig baidu.com  //返回了三个ip

配置文件中定义

vim /usr/local/nginx/conf/vhost/balance.conf
upstream baidu
{ip_hash;server 111.13.101.208;server 220.181.57.216;server 123.125.114.144;
}
server
{listen 80;server_name www.baidu.com;location /{proxy_pass http://baidu;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}
}

curl -x127.0.0.1:80 www.baidu.com

SSL原理
客户端发送https请求给服务器。
服务器有一套证书(公钥和私钥)，将公钥传递给客户端
客户端收到公钥后，验证合法性，无效则会警告提醒，有效则会生成一串随机字符，用公钥加密码随机字符传递给服务器
服务器用自己的私钥解密，得到明文的字符串，用字符串加密数据传给客户端
客户端用自己的字符串解密得到明文数据。

生成SSL密钥对

openssl genrsa -des3 -out tmp.key 2048  //输入复杂密码2次，tmp.key为私钥
openssl rsa -in tmp.key -out apeng.key    //输入上面的密码一次，转换key，取消密码
rm -f tmp.key
openssl req -new -key apeng.key -out apeng.csr  //生成证书请求文件apeng.csr
openssl x509 -req -days 365 -in apeng.csr -signkey apeng.key -out apeng.crt  //apeng.csr和私钥apeng.key生成apeng.crt公钥

Nginx配置SSL

vim /usr/local/nginx/conf/vhost/ssl.conf
server
{listen 443;server_name www.ssl.com;index index.html index.htm index.php;root /data/wwwroot/ssl;ssl on;ssl_certificate apeng.crt;ssl_certificate_key apeng.key;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/ssl$fastcgi_script_name;}
}

重新编译nginx

./configure --help|grep -i ssl
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make && make install

/etc/init.d/nginx restart
netstat -tlnp

mkdir -p /data/wwwroot/ssl
echo "ssl" > /data/wwwroot/ssl/index.html
vim /etc/hosts
192.168.221.20 www.ssl.com

curl https://www.ssl.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle"of Certificate Authority (CA) public keys (CA certs). If the defaultbundle file isn't adequate, you can specify an alternate fileusing the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented inthe bundle, the certificate verification probably failed due to aproblem with the certificate (it might be expired, or the name mightnot match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, usethe -k (or --insecure) option.

浏览器访问

iptables -I INPUT -p tcp --dport 443 -j ACCEPT