12.13 Nginx防盗链

打开配置文件，添加以下内容

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.confserver
{listen 80;server_name test.com test2.com test3.com;index index.html index.htm index.php;root /data/wwwroot/test.com;if ($host != 'test.com' ) {rewrite  ^/(.*)$  http://test.com/$1  permanent;}
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{expires 7d;valid_referers none blocked server_names  *.test.com ;if ($invalid_referer) {return 403;}access_log off;
}location ~ .*\.(js|css)${
#          expires      12h;
:wq[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#

下面来做一个测试

[root@localhost ~]# curl -x127.0.0.1:80 -I test.com/2.gif
HTTP/1.1 404 Not Found
Server: nginx/1.12.1
Date: Thu, 27 Jan 2018 14:27:24 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]# ls /data/wwwroot/test.com/
1.gif  2.js  admin  index.html
[root@localhost ~]# curl -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 27 Jan 2018 14:27:46 GMT
Content-Type: image/gif
Content-Length: 14
Last-Modified: Thu, 27 Jan 2018 14:02:00 GMT
Connection: keep-alive
ETag: "59e8b058-e"
Expires: Thu, 27 Jan 2018 20:17:46 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes[root@localhost ~]# curl -e "http://www.baidu.com/1.txt"  -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 27 Jan 2018 14:28:36 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]# curl -e "http://www.test.com/1.txt"  -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 27 Jan 2018 14:28:45 GMT
Content-Type: image/gif
Content-Length: 14
Last-Modified: Thu, 27 Jan 2018 14:02:00 GMT
Connection: keep-alive
ETag: "59e8b058-e"
Expires: Thu, 27 Jan 2018 20:18:45 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes[root@localhost ~]# [root@localhost ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [27 Jan 2018:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0"
[root@localhost ~]#

这个说明防盗链配置成功了

12.14 Nginx访问控制

修改配置文件内容

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.confserver
{listen 80;server_name test.com test2.com test3.com;index index.html index.htm index.php;root /data/wwwroot/test.com;if ($host != 'test.com' ) {rewrite  ^/(.*)$  http://test.com/$1  permanent;}
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{expires 7d;valid_referers none blocked server_names  *.test.com ;if ($invalid_referer) {return 403;}access_log off;
}location ~ .*\.(js|css)${
#          expires      12h;access_log off;}location /admin/{allow 127.0.0.1;allow 192.168.0.190;deny all;}
:wq

这段配置就是关于访问配置的,这三个规则加起来，只允许前面俩个，一个是127.0.0.1，另一个是 192.168.0.190 其他全部deny

    location /admin/{allow 127.0.0.1;allow 192.168.0.190;deny all;}

检查语法，重新加载

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload

来测试下,/admin/ 没问题，其他不行

[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.GIFHTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 20:13:43 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 20:13:57 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 27 Jan 2018 20:18:26 GMT
Connection: keep-alive
ETag: "59e60eda-13"
Accept-Ranges: bytes[root@localhost ~]#

现在来换一个ip，重新测试下

[root@localhost ~]# curl -x192.168.0.190:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 20:15:47 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 27 Jan 2018 20:18:26 GMT
Connection: keep-alive
ETag: "59e60eda-13"
Accept-Ranges: bytes[root@localhost ~]#

看下日志文件，来源ip 是192.168.0.190，因为它是被允许的，是白名单

[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - [27 Jan 2018:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:20:23:57 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.0.190 - [27 Jan 2018:20:25:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@localhost ~]#

在这里我添加一个块网卡ens37

[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.0.190  netmask 255.255.255.0  broadcast 192.168.202.255inet6 fe80::ecdd:28b7:612b:cb7  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:2e:28:f2  txqueuelen 1000  (Ethernet)RX packets 959  bytes 90762 (88.6 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 722  bytes 90139 (88.0 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.202.151  netmask 255.255.255.0  broadcast 192.168.202.255ether 00:0c:29:2e:28:f2  txqueuelen 1000  (Ethernet)ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.0.173  netmask 255.255.255.0  broadcast 192.168.202.255inet6 fe80::707c:946e:3252:cf7f  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:2e:28:fc  txqueuelen 1000  (Ethernet)RX packets 8  bytes 1048 (1.0 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 11  bytes 1650 (1.6 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1  (Local Loopback)RX packets 117  bytes 10333 (10.0 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 117  bytes 10333 (10.0 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@localhost ~]#

给ens37 自动获取一个ip地址,地址为192.168.0.173

[root@localhost ~]# dhclient ens37
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.0.190  netmask 255.255.255.0  broadcast 192.168.202.255inet6 fe80::ecdd:28b7:612b:cb7  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:2e:28:f2  txqueuelen 1000  (Ethernet)RX packets 1029  bytes 97446 (95.1 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 772  bytes 97801 (95.5 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.202.151  netmask 255.255.255.0  broadcast 192.168.202.255ether 00:0c:29:2e:28:f2  txqueuelen 1000  (Ethernet)ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.0.173  netmask 255.255.255.0  broadcast 192.168.202.255inet6 fe80::707c:946e:3252:cf7f  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:2e:28:fc  txqueuelen 1000  (Ethernet)RX packets 18  bytes 2216 (2.1 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 16  bytes 2796 (2.7 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1  (Local Loopback)RX packets 117  bytes 10333 (10.0 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 117  bytes 10333 (10.0 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@localhost ~]#

接下来用这个ip来实验下

[root@localhost ~]# curl -x192.168.0.173:80 test.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [27 Jan 2018:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:20:23:57 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.0.190 - [27 Jan 2018:20:25:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.0.173 - [27 Jan 2018:20:34:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
[root@localhost ~]#

来源ip 192.168.0.173 并没有被允许，所以报错误403

而这个是被允许的，127.0.0.1

[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 20:46:44 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 27 Jan 2018 20:18:26 GMT
Connection: keep-alive
ETag: "59e60eda-13"
Accept-Ranges: bytes[root@localhost ~]#

进入配置文件/usr/local/nginx/conf/vhost/test.com.conf,只要是匹配upload的，然后以php结尾的，都给他屏蔽

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conflocation ~ .*\.(js|css)${
#          expires      12h;access_log off;}location /admin/{allow 127.0.0.1;allow 192.168.0.190;deny all;}location ~ .*(upload|image)/.*\.php$
{   deny all;
}:wq[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#

创建一个目录 upload, 再再下面创建一个1.php 在里面写入1111
再次访问下

[root@localhost ~]# mkdir /data/wwwroot/test.com/upload
[root@localhost ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]#

再访问下txt 不访问php,就可以访问

[root@localhost ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111
[root@localhost ~]# [root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 20:57:44 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]#

看下日志

[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - [27 Jan 2018:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:20:23:57 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.0.190 - [27 Jan 2018:20:25:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.0.173 - [27 Jan 2018:20:34:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:20:36:44 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:21:14:52 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:21:17:13 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
127.0.0.1 - [27 Jan 2018:21:17:44 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
[root@localhost ~]#

针对user_agent限制
if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato’)
{
return 403;
}
return 403和deny all 效果是一样的
测试

打开配置文件

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.confserver
{listen 80;server_name test.com test2.com test3.com;index index.html index.htm index.php;root /data/wwwroot/test.com;if ($host != 'test.com' ) {rewrite  ^/(.*)$  http://test.com/$1  permanent;}
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }if ($invalid_referer) {return 403;}access_log off;
}location ~ .*\.(js|css)${
#          expires      12h;access_log off;}location /admin/{allow 127.0.0.1;allow 192.168.0.190;deny all;}location ~ .*(upload|image)/.*\.php$
{deny all;
}if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{return 403;
}:wq[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 22:12:47 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 22:13:01 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Sat, 27 Jan 2018 20:57:00 GMT
Connection: keep-alive
ETag: "59eb48cc-5"
Accept-Ranges: bytes[root@localhost ~]#

现在要做一个模拟user_agent

[root@localhost ~]# curl -A "Tomatoalsdkflsd"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 22:14:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]#

如果是小写就可以

[root@localhost ~]# curl -A "tomatoalsdkflsd"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 22:14:42 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Sat, 27 Jan 2018 20:57:00 GMT
Connection: keep-alive
ETag: "59eb48cc-5"
Accept-Ranges: bytes[root@localhost ~]#

如果想要不区分大小写，去配置文件里，改下配置文件在~ 后面加个*

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{return 403;
}access_log /tmp/test.com.log aming;}
:wq[root@localhost ~]# !curl
curl -A "tomatoalsdkflsd"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 22:18:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]# curl -A "tomatoalsdkflsd"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sat, 27 Jan 2018 22:18:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive[root@localhost ~]#

这样改成小写也是403错误，这就是访问控制

12.15 Nginx解析php相关配置

配置如下：

location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}

fastcgi_pass 用来指定php-fpm监听的地址或者socket

先打开虚拟主机配置文件，把这段放到配置文件里去

#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{expires 7d;valid_referers none blocked server_names  *.test.com ;if ($invalid_referer) {return 403;}{
#          expires      12h;access_log off;}location /admin/{allow 127.0.0.1;allow 192.168.0.190;deny all;}location ~ .*(upload|image)/.*\.php$
{deny all;
}if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{return 403;
}location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}
:wq

因为现在，这个虚拟主机配置文件，它还不能够去解析php，我们先不去重新加载，先来做一个php，

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# vi /data/wwwroot/test.com/upload/1.
1.php  1.txt
[root@localhost ~]# vi /data/wwwroot/test.com/upload/1.
1.php  1.txt
[root@localhost ~]# vi /data/wwwroot/test.com/
1.gif       2.js        admin/      index.html  upload/
[root@localhost ~]# vi /data/wwwroot/test.com/3.php<?php
phpinfo();
~                                                                                      :wq[root@localhost ~]# vi /data/wwwroot/test.com/3.php
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
[root@localhost ~]#

不能解析，直接把源码给显示出来了
现在重新加载下,再来看下，其实就可了，这既是php.info的页面，只不过在curl显示出来的是网页的源码，如果把它放到浏览器里面，它就会显示一个漂亮的表格

[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# </table>
<h2>PHP License</h2>
<table>
<tr class="v"><td>
<p>
This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file:  LICENSE
</p>
<p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
</p>
<p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
</p>
</td></tr>
</table>
</div></body></html>[root@localhost ~]#

其实这部分配置就是用来解析php的 vi /usr/local/nginx/conf/vhost/test.com.conf

location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}access_log /tmp/test.com.log aming;}

假如故意把它写错，少了一个f , fastcgi_pass unix:/tmp/php-cgi.sock,
再去访问，它会变成502，为什么呢，因为它找不到你的那个socket

location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-cgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}access_log /tmp/test.com.log aming;}
:wq[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]#

咱们可以看看nginx的错误日志


[root@localhost ~]# tail /usr/local/nginx/logs/
access.log       error.log        nginx_error.log  nginx.pid
[root@localhost ~]# tail /usr/local/nginx/logs/error.log
27 Jan 2018 21:11:27 [notice] 2322#0: signal process started
27 Jan 2018 22:00:49 [notice] 2399#0: signal process started
27 Jan 2018 22:11:14 [notice] 2435#0: signal process started
27 Jan 2018 22:24:28 [notice] 2447#0: signal process started
27 Jan 2018 20:21:18 [notice] 2323#0: signal process started
27 Jan 2018 21:12:48 [notice] 2748#0: signal process started
27 Jan 2018 21:22:41 [notice] 2781#0: signal process started
27 Jan 2018 21:28:03 [notice] 2870#0: signal process started
27 Jan 2018 21:46:59 [notice] 2966#0: signal process started
27 Jan 2018 21:51:59 [notice] 2997#0: signal process started[root@localhost ~]# vi /usr/local/nginx/conf/nginx.confuser nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 5120

把级别改下，改成debug

[root@localhost ~]# vi /usr/local/nginx/conf/nginx.confuser nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log debug;

然后再重启下

[root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf
[root@localhost ~]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  确定  ]
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# [root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]#

依然是502错误
再看下日志

[root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log
27 Jan 2018 21:57:38 [notice] 3082#0: nginx/1.12.1
27 Jan 2018 21:57:38 [notice] 3082#0: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
27 Jan 2018 21:57:38 [notice] 3082#0: OS: Linux 3.10.0-514.el7.x86_64
27 Jan 2018 21:57:38 [notice] 3082#0: getrlimit(RLIMIT_NOFILE): 1024:4096
27 Jan 2018 21:57:38 [notice] 3083#0: start worker processes
27 Jan 2018 21:57:38 [notice] 3083#0: start worker process 3084
27 Jan 2018 21:57:38 [notice] 3083#0: start worker process 3085
27 Jan 2018 21:58:01 [notice] 3085#0: *1 "Spider/3.0|YoudaoBot|Tomato" does not match "curl/7.29.0", client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", host: "test.com"
27 Jan 2018 21:58:01 [crit] 3085#0: *1 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
27 Jan 2018 21:58:01 [info] 3085#0: *1 client 127.0.0.1 closed keepalive connection
[root@localhost ~]# [root@localhost ~]# ls /tmp/php-cgi.sock
ls: 无法访问/tmp/php-cgi.sock: 没有那个文件或目录
[root@localhost ~]# cat /usr/local/php-fpm/etc/php
cat: /usr/local/php-fpm/etc/php: 没有那个文件或目录
[root@localhost ~]# cat /usr/local/php-fpm/etc/php
php-fpm.conf          php-fpm.conf.default  php.ini
[root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@localhost ~]#

对比过后发现文件名出错，这时在去看nginx下的conf配置是否正确
发现就是虚拟主机配置文件出错，修改回正确的sock名字就恢复正常
再进入配置文件,把地址写对 fastcgi_pass unix:/tmp/php-fcgi.sock;

location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}access_log /tmp/test.com.log aming;}
-- INSERT --

假如现在我不监听socket ，监听ip端口，来改下配置文件

[root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
~                                                                                        ~
:wq[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#

重启php

[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
[root@localhost ~]#

再来看下监听端口，12.7.0.0.1 在监听

[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3083/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1331/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2060/master
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      3279/php-fpm: maste
tcp6       0      0 :::3306                 :::*                    LISTEN      1975/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1331/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2060/master
[root@localhost ~]#

再来curl看看，还是502 ，看下日志，一样的提示不存在

[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# [root@localhost ~]# !tail
tail /usr/local/nginx/logs/nginx_error.log
27 Jan 2018 22:25:34 [notice] 3219#0: gracefully shutting down
27 Jan 2018 22:25:34 [notice] 3219#0: exiting
27 Jan 2018 22:25:34 [notice] 3219#0: exit
27 Jan 2018 22:25:34 [notice] 3083#0: signal 17 (SIGCHLD) received
27 Jan 2018 22:25:34 [notice] 3083#0: worker process 3218 exited with code 0
27 Jan 2018 22:25:34 [notice] 3083#0: worker process 3219 exited with code 0
27 Jan 2018 22:25:34 [notice] 3083#0: signal 29 (SIGIO) received
27 Jan 2018 22:27:39 [notice] 3304#0: *3 "Spider/3.0|YoudaoBot|Tomato" does not match "curl/7.29.0", client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", host: "test.com"
27 Jan 2018 22:27:39 [crit] 3304#0: *3 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
27 Jan 2018 22:27:39 [info] 3304#0: *3 client 127.0.0.1 closed keepalive connection
[root@localhost ~]#

既然知道了它监听的是ip 和端口，所以在配置文件中做一个更改


location ~ \.php${include fastcgi_params;
#        fastcgi_pass unix:/tmp/php-fcgi.sock;fastcgi_pass 127.0.0.1:9000;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}access_log /tmp/test.com.log aming;:wqnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# [root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php<p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
</p>
</td></tr>
</table>
</div></body></html>[root@localhost ~]#

以后出现502 检查配置文件里的 nginx 和php-fpm里面所配置额ip地址是不是一样的，
还有一个是一个路径/data/wwwroot/test.com 要写对

关于502错误还有一个地方，需要说下

[root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
~
:wq
[root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
[root@localhost ~]# ls -l /tmp/php-fcgi.sock
srw-rw----. 1 root root 0 10月 22 00:05 /tmp/php-fcgi.sock
[root@localhost ~]#

现在取改下配置文件
fastcgi_pass unix:/tmp/php-fcgi.sock; 这一行配置是让nginx 去读sock的文件

location ~ \.php${include fastcgi_params;fastcgi_pass unix:/tmp/php-fcgi.sock;
#        fastcgi_pass 127.0.0.1:9000;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;}access_log /tmp/test.com.log aming;}
:wq[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]#

再去访问的时候依然会报502
查看下日志 Permission denied 权限被拒绝了临时以nobody用户去读

[root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log
27 Jan 2018 21:08:17 [crit] 3506#0: *25 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
[root@localhost ~]# [root@localhost ~]# ps aux |grep nginx
root       1306  0.0  0.1  21288  1696 ?        Ss   10月21   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     3505  0.0  0.3  23168  3456 ?        S    00:08   0:00 nginx: worker process
nobody     3506  0.0  0.3  23168  3960 ?        S    00:08   0:00 nginx: worker process
root       3513  0.0  0.0 112680   976 pts/1    R+   00:11   0:00 grep --color=auto nginx
[root@localhost ~]#

可以把phpsock文件改下改成nobody,再来访问就不会502了，因为nobody用户有读权限

[root@localhost ~]# chown nobody /tmp/php-fcgi.sock
[root@localhost ~]# [root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php<p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
</p>
<p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
</p>
</td></tr>
</table>
</div></body></html>[root@localhost ~]#

进入php-fpm配置文件

[root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 444
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
~                                                                                                    :wq[root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
[root@localhost ~]# ls -l /tmp/php-fcgi.sock
srw-rw----. 1 nobody root 0 10月 22 00:05 /tmp/php-fcgi.sock
[root@localhost ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm [27 Jan 2018 00:17:50] NOTICE: PHP message: PHP Deprecated:  Comments starting with '#' are deprecated in Unknown on line 1 in Unknown on line 0done
[root@localhost ~]# ls -l /tmp/php-fcgi.sock
sr--r--r--. 1 root root 0 10月 22 00:17 /tmp/php-fcgi.sock
[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

因为nginx默认访问php服务的用户的nobody，而且660权限,因为文件所属主、组是root，只能root用户访问，nobody用户去调用 sock的时候，将出现错误，最终返回502

12.16 Nginx代理

[root@localhost ~]# cd /usr/local/nginx/conf/vhost
[root@localhost vhost]# vi proxy.confserver
{
{listen 80;server_name ask.apelearn.com;location /{proxy_pass      http://121.201.9.155/;proxy_set_header Host   $host;proxy_set_header X-Real-IP      $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}
}:wq[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost vhost]#

测试下

[root@localhost vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#User-agent: *Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@localhost vhost]# [root@localhost vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#User-agent: *Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@localhost vhost]#

正常情况下如果不配置代理，你怎么可能通过本地访问到远程的站点，这就是一个代理，这个代理服务器就是我的虚拟机，web服务器就是一个论坛
首先是域名，定义远程服务端，也就是你的web服务器，它的ip写在这里就可以，这就是nginx的代理

Disallow: /*/ajax/[root@localhost vhost]# cat proxy.conf
server
{listen 80;server_name ask.apelearn.com;location /{proxy_pass      http://121.201.9.155/;proxy_set_header Host   $host;proxy_set_header X-Real-IP      $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}
}

扩展

502问题汇总 http://ask.apelearn.com/question/9109

常见的502错误
1.配置错误
因为nginx找不到php-fpm了，所以报错，一般是fastcgi_pass后面的路径配置错误了，后面可以是socket或者是ip:port

2.资源耗尽
lnmp架构在处理php时，nginx直接调取后端的php-fpm服务，如果nginx的请求量偏高，我们又没有给php-fpm配置足够的子进程，那么php-fpm就会资源耗尽，一旦资源耗尽nginx找不到php-fpm就会出现502错误，

解决方案
去调整php-fpm.conf中的pm.max_children数值，使其增加，但是也不能无限增加，毕竟资源有限，一般4G内存机器如果跑php-fpm和nginx，不跑mysql可以设置为150，8G为300以此类推

3.除了上面的两种错误还有其他的原因，很少有，我们可以借助nginx的错误日志来进行排查vim /usr/local/nginx/logs/nginx_error.log 我们也可以给日志定义级别vim/usr/local/nginx/conf/nginx.conf 找到error_log，默认是crit最严谨的就行，也可以改成debug显示的信息最全面，但是很容易撑爆我们的磁盘。

首先我们需要让浏览器进行访问
修改nginx的配置文件

[root@wqslinux ~]# vim/usr/local/nginx/conf/vhosts/111.confserver
{listen 80;server_name www.111.com;       //域名地址index index.html index.htm index.php;root /data/www/;location ~ \.php$ {include fastcgi_params;fastcgi_pass unix:/tmp/www.sock;  //修改sock#fastcgi_pass 127.0.0.1:9000;fastcgi_index index.php;fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;}}

检查语法是否正常

[root@wqslinux ~]#/usr/local/nginx/sbin/nginx -t

重新加载配置文件

[root@wqslinux ~]# /usr/local/nginx/sbin/nginx-s reload
[root@wqslinux ~]# /etc/init.d/nginx reload检查nginx是那个用户跑的
[root@wqslinux ~]# ps aux |grep nginx
编辑php-fpm文件
我们要在这个php-fpm文件里面设置nginx的用户主，跟组这样才不会显示502
[root@wqslinux ~]# vim/usr/local/php/etc/php-fpm.conf[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log =/usr/local/php/var/log/php-fpm.log
[www]
listen = /tmp/www.sock
user = php-fpm
group = php-fpm
listen.owner = nobody    //定义属主
listen.group = nobody    //定义属组
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

配置完之后重启php-fpm

[root@wqslinux ~]# /etc/init.d/php-fpm restart

ps：再补充一个，是近期很多同学遇到的问题
这种情况下，使用的是socket，版本高于5.4（含5.4）默认监听的socket文件权限是所有者只读，属组和其他用户没有任何权限。所以，nginx的启动用户（咱们配置的是nobody）就没有办法去读这个socket文件，最终导致502，这个问题可以在nginx的错误日志中发现。解决办法很简单，上面给出的配置文件中就有避免这个问题的配置。

listen.owner = nobody    //定义属主
listen.group = nobody    //定义属组
这两个配置就是定义socket的属主和属组是谁。除了这个还有一种方法
listen.mode = 777

这样nobody也可以有读取权限了。

location优先级 http://blog.lishiming.net/?p=100

在nginx配置文件中，location主要有这几种形式：

正则匹配 location ~ /abc { }
不区分大小写的正则匹配 location ~* /abc { }
匹配路径的前缀，如果找到停止搜索 location ^~ /abc { }
精确匹配 location = /abc { }

5.普通路径前缀匹配 location /abc { }

先说优先级

4 > 3 > 2 > 1 > 5

再来解释一下各个格式

location = / {
#精确匹配 / ，主机名后面不能带任何字符串
[ configuration A ]
}location / {
#因为所有的地址都以 / 开头，所以这条规则将匹配到所有请求
#但是正则和最长字符串会优先匹配
[ configuration B ]
}location /documents/ {#匹配任何以 /documents/ 开头的地址，匹配符合以后，还要继续往下搜索
#只有后面的正则表达式没有匹配到时，这一条才会采用这一条
[ configuration C ]
}location ~ /documents/Abc {#匹配任何以 /documents/ 开头的地址，匹配符合以后，还要继续往下搜索
#只有后面的正则表达式没有匹配到时，这一条才会采用这一条
[ configuration CC ]
}location ^~ /images/ {#匹配任何以 /images/ 开头的地址，匹配符合以后，停止往下搜索正则，采用这一条。
[ configuration D ]
}location ~* \.(gif|jpg|jpeg)$ {#匹配所有以 gif,jpg或jpeg 结尾的请求
#然而，所有请求 /images/ 下的图片会被 config D 处理，因为 ^~ 到达不了这一条正则
[ configuration E ]
}location /images/ {#字符匹配到 /images/，继续往下，会发现 ^~ 存在
[ configuration F ]
}location /images/abc {#最长字符匹配到 /images/abc，继续往下，会发现 ^~ 存在
#F与G的放置顺序是没有关系的
[ configuration G ]
}location ~ /images/abc/ {#只有去掉 config D 才有效：先最长匹配 config G 开头的地址，继续往下搜索，匹配到这一条正则，采用
[ configuration H ]
}

再来分析一下A-H配置的执行顺序。

下面2个配置同时存在时

location = / {
[ configuration A ]
}

location / {
[ configuration B ]
}


此时A生效，因为=/优先级高于/2. 下面3个配置同时存在时

location /documents/ {
[ configuration C ]
}

location ~ /documents/ {

[configuration CB]

}

location ~ /documents/abc {
[ configuration CC ]
}


当访问的url为/documents/abc/1.html，此时CC生效，首先CB优先级高于C，而CC更优先于CB3. 下面4个配置同时存在时

location ^~ /images/ {
[ configuration D ]
}

location /images/ {
[ configuration F ]
}

location /images/abc {
[ configuration G ]
}

location ~ /images/abc/ {
[ configuration H ]
}


当访问的链接为/images/abc/123.jpg时，此时D生效。虽然4个规则都能匹配到，但^~优先级是最高的。若^~不存在时，H优先，因为~/images/ > /images/而/images/和/images/abc同时存在时，/images/abc优先级更高，因为后者更加精准4. 下面两个配置同时存在时

location ~* .(gif|jpg|jpeg)$ {
[ configuration E ]
}

location ~ /images/abc/ {

[ configuration H ]
}

当访问的链接为/images/abc/123.jpg时，E生效。因为上面的规则更加精准。

转载于:https://blog.51cto.com/235571/2123567

十二周四次课(6月11日)相关推荐

十二周一次课(6月6日)
12.1 LNMP架构介绍简介 LNMP代表的就是:Linux系统下Nginx+MySQL+PHP这种网站服务器架构. Linux是一类Unix计算机操作系统的统称,是目前最流行的免费操作系统.代表 ...
二年级课程表（4月11日-4月15日）
二年级课程表(4月11日-4月15日) 时间周一周二周三周四周五 9:00-9:25 语文(说文解字) 数学(口诀求商) 语文(口语交际) 数学(应用除法) 语文(古诗诵读) 9:30-9: ...
Linux20180416四周第一次课(4月11日）
4.10/4.11/4.12 lvm讲解 4.13 磁盘故障小案例 LVM的原理是如下: 举例有两个磁盘,各有几个自己的分区,叫做物理卷.不同磁盘的物理卷可以组成卷组,然后在卷组里进行分逻辑卷.最后对 ...
四周第一次课(4月11日）lvm讲解
2019独角兽企业重金招聘Python工程师标准>>> 4.10 lvm讲解忘记安装包名称解决办法: yum provides "/*/pvcreate" ...
4月11日 GCD 总结（二）
4月11日 GCD 总结(二) 一.指定一定数量的延迟之后,使用 GCD 来执行代码--使用 Dispatch_after 和 Dispatch_after_f 函数 1. dispatch_afte ...
二年级课程表（3月7日-3月11日）
二年级课程表(3月7日-3月11日) 时间周一周二周三周四周五 9:00-9:25 语文(传统文化) 数学(速算巧算) 语文(古诗诵读) 数学 ...
案例十:03月11日政采云首页无法访问
一. 故障简述故障简要描述: 于3月11日14:21分收到用户大量反馈政采云首页访问出现502,14:32分运维重启应用后首页可以访问,但协议商品创建等还是出现报错,14:50分架构配置限流后影响消 ...
一周第一次课（12月11日）
一周第一次课(12月11日) 1.1 学习之初定位:目的,职位,城市目标:时间,薪资学习方法:预计与复习,当日事当日毕,笔记的重要性,资源的利用 1.2 约定 centos 7.3系统 VMwa ...
12月11日第壹简报，星期日，农历十一月十八
12月11日第壹简报,星期日,农历十一月十八 1. 北京急救中心呼吁:无症状.轻症患者勿拨打120,为危重症患者留出通道:钟南山:发热患者可先在家做抗原检测,如持续发热再去医院检查. 2. 湖北省第一 ...

十二周四次课(6月11日)