
Nginx default virtual host

1. vim /usr/local/nginx/conf/nginx.conf  // add the following line
2. include vhost/*.conf;
3. mkdir /usr/local/nginx/conf/vhost
4. cd !$; vim default.conf  // add the following content
server
{
    listen 80 default_server;    # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
5. mkdir -p /data/wwwroot/default/
6. echo "This is a default site." > /data/wwwroot/default/index.html
7. /usr/local/nginx/sbin/nginx -t
8. /usr/local/nginx/sbin/nginx -s reload
9. curl localhost
10. curl -x127.0.0.1:80 123.com

Demonstration:

[root@xuexi-001 ~]# ls /usr/local/nginx/conf/
fastcgi.conf            mime.types          scgi_params.default
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.bak      win-utf
koi-utf                 nginx.conf.default
koi-win                 scgi_params
[root@xuexi-001 ~]# cd !$
cd /usr/local/nginx/conf/
[root@xuexi-001 conf]# vi nginx.conf
// add the following line
include vhost/*.conf;    # note: the semicolon is required here in the configuration file
[root@xuexi-001 conf]# mkdir vhost
// create the vhost directory
[root@xuexi-001 conf]# cd vhost/
[root@xuexi-001 vhost]# ls
[root@xuexi-001 vhost]# vi aaa.com.conf
// create aaa.com.conf in the vhost directory
[root@xuexi-001 vhost]# mkdir /data/wwwroot/default
// create the default directory
[root@xuexi-001 vhost]# cd /data/wwwroot/default/
[root@xuexi-001 default]# vi index.html
// create an index.html file in the default directory
Add the following content:
server
{
    listen 80 default_server;    # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
// test the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
After changing the configuration file, test it to confirm that it is correct
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
// reload, or restart
[root@xuexi-001 conf]# /etc/init.d/nginx restart
Test:
[root@xuexi-001 conf]# curl localhost
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 123.com
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 aaa.com
This is the default site.

Nginx user authentication

vim /usr/local/nginx/conf/vhost/test.com.conf  // write the following content
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /
    {
        auth_basic              "Auth";
        auth_basic_user_file    /usr/local/nginx/conf/htpasswd;
    }
}
yum install -y httpd
htpasswd -c /usr/local/nginx/conf/htpasswd aming
-t && -s reload  // test the configuration and reload

Demonstration:

[root@xuexi-001 conf]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
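{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /
    {
        auth_basic              "Auth";    # name (realm) of the user authentication
        auth_basic_user_file    /usr/local/nginx/conf/htpasswd;    # user name and password file
    }
}
[root@xuexi-001 conf]# yum install -y httpd
// if httpd was installed previously you can use Apache's password-file tool directly; if not, install it with yum
[root@xuexi-001 conf]# htpasswd -c /usr/local/nginx/conf/htpasswd guo
// generate the htpasswd file and specify the user guo
// -c creates the password file: the first use creates it, and using it again overwrites the existing file, so use -c only when generating the file for the first time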
[root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd guo
New password: 111111
Re-type new password: 111111
Adding password for user guo
// once Apache is installed, its password-generation command htpasswd can be called directly
[root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd
guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0
// view the generated password file
[root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd  /usr/local/nginx/conf/htpasswd user1
// to create a password for another user, drop -c here; with -c the previously generated /usr/local/nginx/conf/htpasswd would be overwritten
New password:
Re-type new password:
Adding password for user user1
[root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd
guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0
user1:$apr1$Vq/C6L7V$mOURmyhpCNbJ5PYgOOWmq.
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
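// Test and reload. The benefit of testing before reloading is that the configuration file is checked for errors; if there is an error, the reload does not take effect. If you restart instead and the configuration file has a problem, nginx may fail to start.

Test: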

[root@xuexi-001 conf]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:22:39 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
// error 401 is returned: a user must be specified
[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:24:29 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
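// Why 404? Because the request is for index.html, but the document root has not been created yet; the test.com directory does not exist either. Create the directory: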
[root@xuexi-001 conf]# mkdir /data/wwwroot/test.com
[root@xuexi-001 conf]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:28:09 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Wed, 04 Jul 2018 16:27:56 GMT
Connection: keep-alive
ETag: "5b3cf58c-9"
Accept-Ranges: bytes
[root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com
test.com

To require user authentication only when a directory is accessed, change the configuration file test.com.conf

[root@xuexi-001 vhost]# vi test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /admin/    # put the directory name here
    {
        auth_basic              "Auth";
        auth_basic_user_file    /usr/local/nginx/conf/htpasswd;
    }
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
// test the configuration file and reload
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/admin
// create the admin directory
Test:
[root@xuexi-001 vhost]# curl  -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:36:08 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
Test with the user name and password:
[root@xuexi-001 ~]# cd /data/wwwroot/test.com/admin/
[root@xuexi-001 admin]# vi index.html
test.admin
[root@xuexi-001 admin]# curl -uguo:111111 -x 127.0.0.1:80 test.com/admin/
test.admin

For a single URL

[root@xuexi-001 vhost]# vi test.com.conf
server
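{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # regex match on URLs containing admin.php (the unescaped "." matches any
    # character; admin\.php is the stricter spelling)
    location ~ admin.php
    {
        auth_basic              "Auth";
        auth_basic_user_file    /usr/local/nginx/conf/htpasswd;
    }
}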
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
// test the configuration file and reload
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin/
test.admin
// now admin can be accessed without entering a user name and password
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:50:13 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

Nginx domain redirection

Change test.com.conf

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}

server_name accepts several domain names after it, which is worth comparing with httpd. permanent is a permanent redirect with status code 301; writing redirect instead gives 302.

Demonstration:

1. Edit the configuration file

[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# ls
aaa.com.conf  test.com.conf
[root@xuexi-001 vhost]# vi test.com.conf
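Add the following content:
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}

In Nginx, server_name can be followed by several domain names; in Apache, ServerName takes only one domain name, and additional names require ServerAlias.

Once several domain names are set in server_name in the Nginx configuration file, the site's search-ranking weight changes and it is unclear which domain is the main site, so domain redirection is needed.

2. Test the configuration file and reload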

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test

Accessing with test2.com returns 301, redirecting to http://test.com/index.html

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:07:27 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html

4. Test access with a different URL

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:18:09 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html

5. Accessing with a domain that is not configured returns 404, because the request goes to the default virtual host rather than to test.com

[root@xuexi-001 test.com]# curl -x127.0.0.1:80 test4.com/index.html/123345 -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:10:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

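Nginx access log

Log format

vim /usr/local/nginx/conf/nginx.conf  // search for log_format

Field                    Description
$remote_addr             client IP (public IP)
$http_x_forwarded_for    IP of the proxy server
$time_local              server local time
$host                    host name being accessed (domain name)
$request_uri             URL being accessed
$status                  status code
$http_referer            referer
$http_user_agent         user_agent

Besides defining the log format in the main configuration file nginx.conf, you also need to add the following to the virtual host configuration file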

access_log /tmp/test.com.log combined_realip;

Here combined_realip is the name of the log format defined in nginx.conf

-t && -s reload

curl -x127.0.0.1:80 test.com -I

cat /tmp/test.com.log

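1. The default log definition is in the main configuration file

Open the main configuration file: vi /usr/local/nginx/conf/nginx.conf

Search for /log_format to find the following, which defines the log format

log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

combined_realip is the name of the log format. It can be anything; whatever name is defined here is the name referenced later, and it determines which log format a virtual host uses.

A characteristic of the nginx configuration file is that a directive ends with a semicolon ";". If a section does not end with a semicolon, it is not finished yet, even if it runs over several lines.

2. Besides defining the log format in the main configuration file nginx.conf, you also need to define the access log path in the virtual host configuration file with access_log /tmp/test.com.log aliang;

[root@xuexi-001 vhost]# vi test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # Access log path and log format. If no format is named, the default log
    # format is used. combined_realip is a user-chosen name and can be changed.
    access_log /tmp/test.com.log combined_realip;
}

3. Check the configuration file and reload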

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

4. Test

[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:57:05 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/
[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test3.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 15:57:14 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [05/Jul/2018:23:57:05 +0800] test2.com "/" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:23:57:14 +0800] test3.com "/" 301 "-" "curl/7.29.0"
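
An added example, not part of the original post: a small triage function for logs in the combined_realip format above that counts 401 and 403 responses per client address. $http_x_forwarded_for is a client-supplied header logged without quotes, so it can contain spaces and shift the field positions; the parser therefore splits on the double quotes instead of counting fields. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# denied_by_client [MIN]: read combined_realip lines on stdin and print
# "count remote_addr" for clients with at least MIN (default 1) 401/403 responses.
denied_by_client() {
    awk -v min="${1:-1}" '
    {
        # nginx escapes a literal double quote inside logged variables as \x22,
        # so a well-formed line has exactly six quotes and splits into 7 parts:
        # head | uri | status | referer | " " | user agent | ""
        if (split($0, part, "\"") != 7) next
        # head = remote_addr, x_forwarded_for (one or more tokens), [time, zone], host
        n = split(part[1], head, " ")
        if (n < 5) next
        ip = head[1]                  # $remote_addr is always the first token
        status = part[3]
        gsub(/ /, "", status)
        if (status == "401" || status == "403") denied[ip]++
    }
    END {
        for (ip in denied)
            if (denied[ip] >= min) print denied[ip], ip
    }' | sort -k1,1nr -k2,2
}

# Constructed sample input in the combined_realip format. The fourth line has a
# two-address X-Forwarded-For value, which breaks naive "status is field 7" parsing.
sample_log() {
    cat <<'EOF'
127.0.0.1 - [06/Jul/2018:01:27:34 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:01:30:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:01:30:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 10.0.0.1, 10.0.0.2 [06/Jul/2018:01:30:03 +0800] test.com "/admin.php" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:01:30:09 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
198.51.100.7 - [06/Jul/2018:01:31:00 +0800] test.com "/" 200 "-" "Mozilla/5.0"
EOF
}

# Summarise the sample; on a server: denied_by_client 5 < /tmp/test.com.log
sample_log | denied_by_client
```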

Nginx log rotation

Custom shell script

vim /usr/local/sbin/nginx_log_rotate.sh  // write the following content

#! /bin/bash
## Assume the nginx logs are stored in /data/logs/
d=`date -d "-1 day" +%Y%m%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

Scheduled task

0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh


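Demonstration:

Nginx has no built-in log rotation tool; rotation has to be done with the system's log rotation tool or with a script you write yourself

1. Write a log rotation script. First create a shell script: vim /usr/local/sbin/nginx_log_rotate.sh

Note: all shell scripts should be placed in the /usr/local/sbin/ directory

[root@xuexi-001 vhost]# vim /usr/local/sbin/nginx_log_rotate.sh
#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`

Explanation:

  • d=`date -d "-1 day" +%Y%m%d` // generates yesterday's date in year-month-day format
  • logdir="/tmp/" // in the previous section the logs were configured to be stored under /tmp/
  • nginx_pid="/usr/local/nginx/logs/nginx.pid" // locates the nginx PID so that /bin/kill -HUP `cat $nginx_pid` can be executed; that command has the same purpose as nginx -s reload
  • cd $logdir // change into the log directory "logdir"
  • for log in `ls *.log` // start of the loop: look for the files with the .log suffix
  • do // execute
  • mv $log $log-$d // rename each log to its original name followed by the `date -d "-1 day" +%Y%m%d` suffix
  • done // end
  • /bin/kill -HUP `cat $nginx_pid` // reload, which generates a new "/usr/local/nginx/logs/nginx.pid"

The for loop command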

[root@xuexi-001 vhost]# ls
aaa.com.conf  test.com.conf
[root@xuexi-001 vhost]# for f in `ls `; do ls -l $f ; done
-rw-r--r-- 1 root root 142 7月   4 23:17 aaa.com.conf
-rw-r--r-- 1 root root 292 7月   5 23:54 test.com.conf

2. Run the script with the -x option

-x: shows the script's execution trace

[root@xuexi-001 vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180705
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls php_errors.log test.com.log
+ for log in '`ls *.log`'
+ mv php_errors.log php_errors.log-20180705
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180705
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 1024

3. Check the rotated log files. One log is generated per day; after daily rotation, old logs still need to be cleaned up periodically

[root@xuexi-001 vhost]# ls /tmp/
test.com.log
test.com.log-20180705

4. Delete log files older than 30 days

[root@xuexi-001 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm

5. After writing the script, add a scheduled task with crontab -e

[root@xuexi-001 vhost]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh

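Shell script notes

1. How the rotation date is defined

  • When writing a shell script, if you do not understand a command, just run it and look at the result
  • Suppose the command d=`date -d "-1 day" +%Y%m%d` is unclear
  • ctrl+z suspends the current operation and puts it in the background
  • Running date -d "-1 day" +%Y%m%d prints a date, namely yesterday's, because log rotation here works in units of one day, and a day's log is only rotated after 23:59:59 of that day, at 00:00:01 of the next day

2. Why the PID path is specified

  • nginx_pid="/usr/local/nginx/logs/nginx.pid" specifies where the nginx PID file is
  • If the PID file cannot be found, the following command /bin/kill -HUP `cat $nginx_pid` cannot be executed either
  • /bin/kill -HUP `cat $nginx_pid` reloads the nginx service once
  • This command is run because after rotation, mv $log $log-$d moves the log files; if the nginx service is not reloaded with this command so that the log files are generated again, the service will malfunction
  • So, to make sure /bin/kill -HUP `cat $nginx_pid` executes correctly, confirm where the nginx PID file is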
[root@xuexi-001 vhost]# ls /usr/local/nginx/logs/nginx.pid
/usr/local/nginx/logs/nginx.pid

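3. Understanding the loop statement

  • for f in `ls`; do ls -l $f; done
  • The for loop starts; f stands for a file; in introduces what to iterate over, here the output of `ls`; do runs ls -l $f; done ends the loop
  • Scheduled task
  • After the script is written, schedule it so that it runs at a set time.
  • crontab -e
    • 0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
  • Over time a large number of logs accumulate and need to be cleaned up
    • find /tmp/ -type f -name "*.log-*" -mtime +30 | xargs rm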
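
A hardened variant of the rotation script above, as an added example that is not part of the original post. It refuses to rename anything unless the nginx PID is usable, uses a glob rather than the output of ls, skips symlinks (the demonstration keeps its logs in the world-writable /tmp/), and sends USR1, the nginx signal for reopening log files, where the original sends HUP. The function name rotate_nginx_logs and its arguments are chosen for this example.

```shell
#!/bin/sh
# rotate_nginx_logs LOGDIR PIDFILE [SUFFIX]
# Renames LOGDIR/*.log to *.log-SUFFIX (default: yesterday as YYYYMMDD), asks
# nginx to reopen its logs, deletes rotated files older than 30 days, and
# prints the number of files rotated.
rotate_nginx_logs() {
    logdir=$1
    pidfile=$2
    suffix=${3:-$(date -d "-1 day" +%Y%m%d)}   # GNU date, as in the original script

    # Check everything needed to signal nginx before touching a file;
    # otherwise nginx would keep writing to the renamed logs.
    [ -d "$logdir" ] || { echo "no such log directory: $logdir" >&2; return 1; }
    [ -r "$pidfile" ] || { echo "cannot read pid file: $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "pid file does not hold a number" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "process $pid is not running" >&2; return 1; }

    rotated=0
    for log in "$logdir"/*.log; do           # glob instead of parsing ls output
        [ -f "$log" ] || continue             # unmatched glob, directories
        [ -L "$log" ] && continue             # never rename through a symlink
        [ -e "$log-$suffix" ] && continue     # do not overwrite an earlier rotation
        mv -- "$log" "$log-$suffix" && rotated=$((rotated + 1))
    done

    # USR1 makes the nginx master reopen its log files without reloading the
    # configuration; the original script sends HUP (a full reload) instead.
    kill -USR1 "$pid" || return 1

    # The pattern is quoted so the shell cannot expand it, and -exec copes with
    # an empty result and unusual file names, unlike "| xargs rm".
    find "$logdir" -maxdepth 1 -type f -name '*.log-*' -mtime +30 -exec rm -f -- {} +

    echo "$rotated"
}

# Called from cron as: /bin/sh /usr/local/sbin/nginx_log_rotate.sh --run
if [ "${1:-}" = "--run" ]; then
    rotate_nginx_logs /data/logs /usr/local/nginx/logs/nginx.pid
fi
```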

No logging for static files & expiry time

Core configuration:

[root@xuexi-001 vhost]# vim test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$    # match by file type
    {
        expires      7d;       # expire after 7 days
        access_log off;        # do not log requests for this file type
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;      # expire after 12 hours
        access_log off;        # do not log requests for this file type
    }
    access_log /tmp/test.com.log combined_realip;    # log location and format
}

Check:

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
Access index.html:
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
Access the baidu.jpg file:
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/baidu.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 16:55:27 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 16:55:27 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Note: max-age=604800s = 7 days, i.e. the cache for this file expires after 7 days!
[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
That is, there is no access log entry for this file!

Nginx hotlink protection

The configuration is as follows:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

The hotlink protection configuration has to be combined with the no-logging and expiry settings, because they all use "location"

1. Open the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

Comment out some of the configuration

# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
#       expires      7d;
#       access_log off;
# }

Add some configuration

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;                                               # expire after 7 days
    valid_referers none blocked server_names  *.test.com ;    # define a whitelist; the referers here are domain names
    if ($invalid_referer) {                                   # if the referer is not on the whitelist
        return 403;                                           # return 403
    }
    access_log off;
}

3. Check the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

4. Test

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:06:56 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 17:06:56 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

5. Test the hotlink protection using curl -e

[root@xuexi-001 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:08:10 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:09:04 GMT
Content-Type: image/jpeg
Content-Length: 12525
Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT
Connection: keep-alive
ETag: "5b3e4d5e-30ed"
Expires: Thu, 12 Jul 2018 17:09:04 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

If curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif returns 403 while curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif returns 200, the hotlink protection is configured successfully


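Nginx access control

Requirement: for requests to the /admin/ directory, allow only a few specific IPs. The configuration is as follows:

location /admin/
{
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
}
  • mkdir /data/wwwroot/test.com/admin/
  • echo "test,test" > /data/wwwroot/test.com/admin/1.html
  • -t && -s reload
  • curl -x127.0.0.1:80 test.com/admin/1.html -I
  • curl -x192.168.133.130:80 test.com/admin/1.html -I
  • Regular expressions can be matched
location ~ .*(abc|image)/.*\.php$
{
    deny all;
}
  • Restricting by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
  • deny all and return 403 have the same effect
Nginx access control: when running a website day to day there are often abnormal requests, or you deliberately want to impose restrictions and keep others away from important content. In that case set up a whitelist that only allows your own public IP or your company's public IPs.

1. Edit the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

Add the access control code

location /admin/
{
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
}

2. Check the configuration file for syntax errors, then reload it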

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test

[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:19:55 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT
Connection: keep-alive
ETag: "5b3cf8d2-b"
Accept-Ranges: bytes
[root@xuexi-001 vhost]# curl -x192.168.5.130:80 -I test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:20:22 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT
Connection: keep-alive
ETag: "5b3cf8d2-b"
Accept-Ranges: bytes

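4. Check the log file: the request made through 192.168.5.130 also shows 192.168.5.130 as its source IP; because that address is allowed and on the whitelist, the status code is 200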

[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

Regular-expression matching

  • Example

    • A website is compromised and its database stolen because PHP parsing was not disabled in the image upload directory; a one-line PHP web shell gets uploaded, PHP parses it, and the site is compromised
    • Disable PHP parsing in every directory that accepts uploads
    • Adding the following code disables PHP parsing in the upload directories
location ~ .*(upload|image)/.*\.php$    # anything that matches upload and ends in php
{
    deny all;                           # is denied
}

1. Open the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #       expires      7d;
    #       access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names  *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;
        access_log off;
    }
    location /admin/
    {
        allow 192.168.5.130;
        allow 127.0.0.1;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    access_log /tmp/test.com.log combined_realip;
}

2. Check the configuration file for syntax errors and reload it

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

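3. Test: the match is first on the directory being accessed, then on the PHP resource being accessed

4. Create an upload directory, then create a PHP file in it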

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/upload
[root@xuexi-001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php

5. Access 1.php in the upload directory: the status code is 403, access is denied

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

6. Now create 1.txt in the upload directory and test access again

[root@xuexi-001 vhost]#  echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt
dasdasdas

7. View the access log: cat /tmp/test.com.log

[root@xuexi-001 vhost]# cat /tmp/test.com.log
127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:27:34 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [06/Jul/2018:01:28:23 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

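Restricting by user_agent

  • If your site is under a CC (HTTP flood) attack, or you want to block certain spiders, or you want a hidden site that others cannot find by searching, you can block the spiders of Baidu, Google, Youdao and so on. With no spider crawling the site and the URL not given to anyone, others cannot learn of your site, because it is hidden.
  • Just restrict by user_agent by adding the following code
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
  • deny all and return 403 have the same effect

Demonstration:

1. Open the configuration file: vim /usr/local/nginx/conf/vhost/test.com.conf

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #       expires      7d;
    #       access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names  *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;
        access_log off;
    }
    location /admin/
    {
        allow 192.168.5.130;
        allow 127.0.0.1;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    access_log /tmp/test.com.log combined_realip;
}

2. Check the configuration file for syntax errors and reload it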

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Simulate a user_agent and test access; a 403 is returned

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:33:39 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT
Connection: keep-alive
ETag: "5b3e552e-a"
Accept-Ranges: bytes
[root@xuexi-001 vhost]# curl -A "Tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:35:27 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

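3. deny all and return 403 have the same effect

4. If the user agent is changed to lowercase and the request repeated, the status code is 200, because the match is strict (case-sensitive)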

[root@xuexi-001 vhost]# curl -A "tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:36:52 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT
Connection: keep-alive
ETag: "5b3e552e-a"
Accept-Ranges: bytes

5. To ignore case, add * after the match operator in the configuration file

[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# curl -A "tomatoslf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:38:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Nginx configuration for parsing PHP

The configuration is as follows:

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

fastcgi_pass specifies the address or socket that php-fpm listens on

Nginx configuration related to PHP parsing

Add the following code:

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;    # if this path is wrong, a 502 is returned
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

1. Open the virtual host configuration file; test.com.conf cannot parse PHP yet, so add the code to it

[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #       expires      7d;
    #       access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names  *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;
        access_log off;
    }
    location /admin/
    {
        allow 192.168.5.130;
        allow 127.0.0.1;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
    access_log /tmp/test.com.log combined_realip;
}

2. Create a PHP file: 3.php in the /data/wwwroot/test.com/ directory

[root@xuexi-001 ~]# vi /data/wwwroot/test.com/3.php
<?php
phpinfo();

3. Test access to 3.php: it is not parsed, and the source code is displayed

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

4. Check the configuration file for syntax errors and reload it

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. Access 3.php again; now it is parsed correctly

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php

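6. If the fastcgi_pass unix:/tmp/php-fcgi.sock; path in the PHP-parsing configuration is written wrongly, a 502 is returned straight away, because the sock file cannot be found

7. After changing the configuration file to a wrong value and reloading, access 3.php again: the status code is 502

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-cgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}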
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

8. View the log with cat /usr/local/nginx/logs/nginx_error.log; the log says there is no such file or directory

[root@xuexi-001 ~]# cat /usr/local/nginx/logs/nginx_error.log
2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"

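9. When you run into a 502, check whether the address you configured is correct. Look at the error log first; then, following what the error log reports, check whether that file exists; then check with cat /usr/local/php-fpm/etc/php-fpm.conf which sock you defined, and write the same thing in the nginx configuration file

Another cause of 502

1. Suppose php-fpm now listens on an IP and port instead of a sock

2. First change the configuration: vim /usr/local/php-fpm/etc/php-fpm.conf

Comment out listen = /tmp/php-fcgi.sock (so that it reads #listen = /tmp/php-fcgi.sock) and add listen = 127.0.0.1:9000

[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf
[global]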
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

3. The command to restart PHP is /etc/init.d/php-fpm restart; php-fpm also supports reload

[root@xuexi-001 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

4. Check the PHP configuration for syntax errors, and reload the nginx configuration file

[root@xuexi-001 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[09-Jul-2018 09:34:06] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. Check that the listening address is 127.0.0.1:9000

[root@xuexi-001 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1005/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      905/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1256/master
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1813/php-fpm: maste
tcp6       0      0 :::22                   :::*                    LISTEN      905/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1256/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1216/mysqld

6. Access 3.php again

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

7. The check reports that the file does not exist. The configuration file therefore needs a change: in the PHP block, comment out the unix socket line and add the IP address and port

[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
# {
#       expires      7d;
#       access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
location ~ .*\.(js|css)$
{
    expires      12h;
    access_log off;
}
location /admin/
{
    allow 192.168.5.130;
    allow 127.0.0.1;
    deny all;
}
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
location ~ \.php$
{
    include fastcgi_params;
#   fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_pass 127.0.0.1:9000;   # unix socket commented out; IP and port added
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.com.log combined_realip;

8. Check for syntax errors and reload the configuration file

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

9. Request 3.php again; it is now served normally

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 01:46:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

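10. If a 502 appears, check that the fastcgi_pass address in the nginx configuration matches the address configured in php-fpm

  • The listen = /tmp/php-fcgi.sock line in the PHP configuration matters: it decides whether nginx can pass the request to PHP instead of returning 502

  • When listen in the PHP configuration uses a socket, the nginx configuration must use fastcgi_pass unix:/tmp/php-fcgi.sock;

  • When listen in the PHP configuration uses IP and port ("127.0.0.1:9000"), the nginx configuration must be changed to fastcgi_pass 127.0.0.1:9000;

11. The path in fastcgi_param SCRIPT_FILENAME, /data/wwwroot/test.com$fastcgi_script_name;, must correspond to root /data/wwwroot/test.com; at the top of the configuration file

Other causes of 502

PHP 5.4 and later versions have one peculiarity, which shows up after changing the listener to the socket, removing the IP and port listener, and commenting out listen.mode

1. Edit the php-fpm configuration file: uncomment listen = /tmp/php-fcgi.sock, and comment out listen = 127.0.0.1:9000 and listen.mode = 666

[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf
[global]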
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

2. Reload php-fpm

[root@xuexi-001 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

3. Check the socket file: its mode is 660, and its owner and group are root

[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 7月   9 09:51 /tmp/php-fcgi.sock

4. Edit the nginx virtual host configuration file: uncomment fastcgi_pass unix:/tmp/php-fcgi.sock; and comment out fastcgi_pass 127.0.0.1:9000;

The line fastcgi_pass unix:/tmp/php-fcgi.sock; makes nginx connect to the socket file

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
#   fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

5. Test the configuration file and reload

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

6. Request 3.php: still 502

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>

7. Check the error log

[root@xuexi-001 ~]# tail /usr/local/nginx/logs/
access.log       error.log        nginx_error.log  nginx.pid
[root@xuexi-001 ~]# tail /usr/local/nginx/logs/nginx_error.log
2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/07/09 09:37:07 [crit] 1847#0: *6 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
2018/07/09 09:59:38 [crit] 2016#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"

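8. The socket file's default mode is 660: the root user can read it and the root group can read it, but other users cannot

9. The nginx worker processes run as the user nobody, and it is this user that reads the socket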

[root@xuexi-001 ~]# ps aux |grep nginx
root       1005  0.0  0.0  21348  1696 ?        Ss   08:38   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     2015  0.0  0.1  23272  3452 ?        S    09:57   0:00 nginx: worker process
nobody     2016  0.0  0.2  23272  3952 ?        S    09:57   0:00 nginx: worker process
root       2080  0.0  0.0 112724   972 pts/0    S+   10:03   0:00 grep --color=auto nginx

10. For now, temporarily change the owner of the socket to nobody

[root@xuexi-001 ~]# chown nobody /tmp/php-fcgi.sock

11. Requesting 3.php now succeeds

[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 02:09:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

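12. This works because the nobody user now has read permission

13. listen.mode is defined in the php-fpm configuration file precisely so that any user can read the socket

14. Go back to the configuration file and uncomment listen.mode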

listen.mode = 666

15. Restart php-fpm, check the file permissions, and test access

[root@xuexi-001 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock
srw-rw-rw- 1 root root 0 7月   9 10:12 /tmp/php-fcgi.sock
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 02:13:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.36

There is one more cause of 502: if the php-fpm service runs out of resources, nginx also returns 502, and php-fpm then needs to be tuned
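Steps 10 and 13 to 15 come down to two checks: the php-fpm listen value must equal the nginx fastcgi_pass target, and listen.mode decides who can open the socket. The script below is an added example, not part of the original post, and runs both checks on constructed sample files. With listen.mode = 666 every local account can send FastCGI requests to the pool, so the third sample hands the socket to the nginx worker user with listen.owner and listen.group instead (the group name nobody is an assumption).

```shell
#!/bin/sh
# Added example: audit a php-fpm pool against an nginx vhost (sample files are constructed).

# Active (uncommented) value of an ini key in php-fpm.conf; $1 = key as a regex, $2 = file.
fpm_value() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$2" | tail -n 1
}

# Active fastcgi_pass target of an nginx vhost file, "unix:" prefix removed; $1 = file.
nginx_upstream() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" |
        tail -n 1 | sed 's/^unix://'
}

# $1 = php-fpm.conf, $2 = nginx vhost conf. Prints "addr=<match|mismatch> socket=<...>".
check_pair() {
    listen=$(fpm_value listen "$1")
    mode=$(fpm_value 'listen\.mode' "$1")
    if [ "$listen" = "$(nginx_upstream "$2")" ]; then addr=match; else addr=mismatch; fi
    case "$listen" in
        /*) case "$mode" in
                '') perm=default ;;      # unset: this page's PHP 5.6 build created it as 660
                *0) perm=restricted ;;   # last octal digit 0: no access for "other" users
                *)  perm=world ;;        # any local account can talk FastCGI to the pool
            esac ;;
        *)  perm=tcp ;;                  # TCP listener: file modes do not apply
    esac
    echo "addr=$addr socket=$perm"
}

demo=$(mktemp -d)   # constructed sample files, modelled on the steps above
printf '%s\n' '[www]' 'listen = /tmp/php-fcgi.sock' '#listen = 127.0.0.1:9000' \
    'listen.mode = 666' > "$demo/fpm_666.conf"
printf '%s\n' '[www]' 'listen = /tmp/php-fcgi.sock' 'listen.owner = nobody' \
    'listen.group = nobody' 'listen.mode = 0660' > "$demo/fpm_owner.conf"
printf '%s\n' 'location ~ \.php$ {' '#   fastcgi_pass unix:/tmp/php-fcgi.sock;' \
    '    fastcgi_pass 127.0.0.1:9000;' '}' > "$demo/vhost_tcp.conf"
printf '%s\n' 'location ~ \.php$ {' '    fastcgi_pass unix:/tmp/php-fcgi.sock;' \
    '#   fastcgi_pass 127.0.0.1:9000;' '}' > "$demo/vhost_sock.conf"

check_pair "$demo/fpm_666.conf"   "$demo/vhost_tcp.conf"    # 502 case: nginx dials TCP, pool is on the socket
check_pair "$demo/fpm_666.conf"   "$demo/vhost_sock.conf"   # works, but the socket is open to every user
check_pair "$demo/fpm_owner.conf" "$demo/vhost_sock.conf"   # works with the socket owned by nginx's user
```

Pointing the two arguments at /usr/local/php-fpm/etc/php-fpm.conf and the vhost file runs the same audit on the live configuration.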

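Nginx proxy

Sometimes users cannot reach the web server directly and need an intermediary that can talk to both the web server and the users. A second case is that users can reach the web server, but only slowly; an nginx proxy can be used there as well

Create a new file proxy.conf in the nginx virtual host directory

  • cd /usr/local/nginx/conf/vhost
  • vim proxy.conf

Add the following content:

server
{
    listen 80;
    server_name ask.apelearn.com;   # the domain name users request
    location /
    {
        proxy_pass      http://121.201.9.155/;   # tells nginx where the real server is (web server IP)
        proxy_set_header Host   $host;           # $host equals the server_name above
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Before the proxy file is set up, test a request to www.baidu.com/robots.txt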

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 03:02:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Set up the proxy server:

1. Create the file and add the configuration

[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# vi proxy.conf
server
{
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass      http://119.75.216.20/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

2. Test the configuration file and reload

[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test without the proxy: the request succeeds

[root@xuexi-001 vhost]# curl www.baidu.com/robots.txt -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 2754
Content-Type: text/plain
Date: Mon, 09 Jul 2018 03:07:38 GMT
Etag: "ac2-5563e2ac212b7"
Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=C30CA25B16D70C6E28ADB714EB6A80BC:FG=1; expires=Tue, 09-Jul-19 03:07:38 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding,User-Agent

4. Test through the proxy

[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I
HTTP/1.1 200 OK
Server: nginx/1.15.1
Date: Mon, 09 Jul 2018 03:07:56 GMT
Content-Type: text/plain
Content-Length: 2754
Connection: keep-alive
Accept-Ranges: bytes
Etag: "ac2-5563e2ab4b400"
Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Set-Cookie: BAIDUID=D904E71FD19FBCAEB64951864689F629:FG=1; expires=Tue, 09-Jul-19 03:07:56 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding,User-Agent

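curl -x127.0.0.1:80 www.baidu.com/robots.txt -I // With the local machine given as the proxy, the request also succeeds. Normally, without the proxy configured, the remote site cannot be reached through the local machine. The proxy server is the virtual machine on which the proxy is configured, and the web server is the forum

An nginx proxy defines a domain name on a proxy server; the domain points to one or more IP addresses, and the proxy server forwards users' requests to the web server at the specified IP;

When the domain points to several IPs, upstream is needed so that users can reach every IP through the proxy server; this is load balancing.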

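Nginx load balancing

Nginx load balancing applies when the proxy server maps the custom domain name to several specified IP addresses: upstream makes sure users can reach each of those IPs through the proxy server.

Load-balancing configuration:

vim /usr/local/nginx/conf/vhost/load.conf // add the following content
upstream qq_com        # the name qq_com can be chosen freely; proxy_pass below refers to it
{
    ip_hash;           # keeps the same user on the same machine
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

upstream is used to specify multiple web servers

Demonstration:

1. Use the dig command to look up the addresses the domain resolves to; if dig is not installed, run yum -y install bind-utils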

[root@xuexi-001 ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         246 IN  A   111.161.64.40
qq.com.         246 IN  A   111.161.64.48
// two IP addresses are returned
;; Query time: 10 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 7月 10 23:22:25 CST 2018
;; MSG SIZE  rcvd: 67

2. The two resolved IP addresses can be used to build the load balancer

3. In the virtual host directory, create a new file load.conf and add the following content

[root@xuexi-001 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;   # domain name served on the listening port
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Normally, requesting www.qq.com through the local machine shows the default page

[root@xuexi-001 ~]# curl -x 127.0.0.1:80 www.qq.com
This is the default site.

4. Test the configuration file and reload

[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload

5. After reloading the configuration, test again; the HTML source of the qq.com page is returned
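The proxy and load-balancing server blocks above both send X-Real-IP and X-Forwarded-For to the backend. The script below is an added example, not part of the original post: it models what $proxy_add_x_forwarded_for produces when the client already sent its own X-Forwarded-For, and how a backend can pick the address that its own proxy recorded. The function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: model of nginx's $proxy_add_x_forwarded_for and a backend-side reader.

# nginx appends $remote_addr to whatever X-Forwarded-For the client sent.
# $1 = X-Forwarded-For from the client (may be empty), $2 = $remote_addr seen by nginx
proxy_add_xff() {
    if [ -n "$1" ]; then echo "$1, $2"; else echo "$2"; fi
}

# Walk the list from the right, skipping our own proxies; the first other address is the
# one a trusted proxy actually saw. Entries further left are text supplied by the client.
# $1 = X-Forwarded-For as received by the backend, $2 = space-separated trusted proxy IPs
client_from_xff() {
    rest=$(printf '%s' "$1" | tr -d ' ')
    while [ -n "$rest" ]; do
        last=${rest##*,}
        case " $2 " in
            *" $last "*) ;;                  # one of our own proxies: keep walking left
            *) echo "$last"; return 0 ;;
        esac
        case "$rest" in
            *,*) rest=${rest%,*} ;;
            *)   rest= ;;
        esac
    done
    return 1
}

# Constructed sample: client 203.0.113.7 sends its own header claiming 198.51.100.99.
sent=$(proxy_add_xff "198.51.100.99" "203.0.113.7")
echo "upstream receives: $sent"
echo "leftmost entry:    ${sent%%,*}   (unverified, chosen by the client)"
echo "trusted reading:   $(client_from_xff "$sent" "")"
```

X-Real-IP is set to $remote_addr by the proxy itself, so it carries the same address as the rightmost X-Forwarded-For entry in the single-proxy setup shown on this page.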

Reposted from: https://my.oschina.net/u/3850965/blog/1841434
