51: nginx hotlink protection | access control | PHP parsing configuration | nginx proxy

1. nginx hotlink protection

Edit the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: the hotlink-protection configuration has to be combined with the "no access log" and expiry-time settings, because they all live in the same location blocks.

[root@localhost_001 vhost]# vim test.com.conf 
[root@localhost_001 vhost]# cat !$
cat test.com.conf
server
{
    listen 80;
    server_name www.test.com bbs.test.com test1.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'www.test.com' ) {
        rewrite  ^/(.*)$  http://www.test.com/$1  permanent;
    } 
    access_log /tmp/test.com.log combined_realip;
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$           #match files with the gif|jpg|jpeg|png|bmp|swf extensions
    #{
    #     expires      7d;                          #expire after 7 days
    #     access_log off;                           #no access log for files matching ".*.(gif|jpg|jpeg|png|bmp|swf)"
    #}
#added configuration for hotlink protection -----------------------------------
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names  *.test.com ;   #define which referers are whitelisted
        if ($invalid_referer) {                                  #not in the whitelist: return status 403
            return 403;
        }
        access_log off;
    }
#end of hotlink-protection configuration --------------------------------------------

    location ~ .*\.(js|css)$
    {
        expires      12h;                           #expire after 12 hours
        access_log off;                             #no access log for files matching ".*.(js|css)"
#added configuration for hotlink protection -----------------------------------
        valid_referers none blocked server_names  *.test.com ;            #define a whitelist; referers are domain names
        if ($invalid_referer) {                                            #not in the whitelist
            return 403;                                                    #return 403
        }
#end of hotlink-protection configuration --------------------------------------------
    }

}

Note: the added configuration is really just three lines: first define a whitelist of referer domains; when the referring domain is not in the whitelist, return a 403 error.

(2): Check the configuration file for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Test with curl, using -e to specify the referer

[root@localhost_001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Tue, 16 Oct 2018 10:44:17 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@localhost_001 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: image/jpeg
Content-Length: 780831
Last-Modified: Tue, 14 Jul 2009 05:32:31 GMT
Connection: keep-alive
ETag: "4a5c186f-bea1f"

Note: the request curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg returns 403 Forbidden,

while curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg returns status 200 OK, which shows that hotlink protection is working.
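To make the semantics of valid_referers none blocked server_names *.test.com concrete, here is an added Python model of how nginx decides $invalid_referer for this vhost. It is example code written for this page, not part of the original configuration or of nginx; the server_name list is copied from the vhost above, and the wildcard rule ("*.test.com" needs at least one label in front, so the bare test.com does not match it) is my reading of nginx's server-name wildcard matching.

```python
from typing import Optional
from urllib.parse import urlsplit

# Model of the page's directive (constructed for this example):
#   valid_referers none blocked server_names *.test.com;
# with the vhost's server_name list supplying the 'server_names' entries.
SERVER_NAMES = ("www.test.com", "bbs.test.com", "test1.com")
VALID_PATTERNS = ("*.test.com",)


def referer_host(referer: str) -> Optional[str]:
    """Host part of an http(s) Referer, lower-cased and without the port.

    Returns None when the value does not start with http:// or https://,
    which nginx treats as a 'blocked' referer (mangled by a proxy/firewall).
    An unparsable URL yields '' so that it can never match a whitelist entry.
    """
    lowered = referer.strip().lower()
    if not lowered.startswith(("http://", "https://")):
        return None
    try:
        return urlsplit(lowered).hostname or ""
    except ValueError:
        return ""


def pattern_matches(pattern: str, host: str) -> bool:
    """Wildcard entries as in nginx server names: '*.test.com' needs at least
    one label before '.test.com', so the bare 'test.com' does not match it."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".test.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    if pattern.endswith(".*"):
        prefix = pattern[:-1]                     # "test."
        return host.startswith(prefix) and len(host) > len(prefix)
    return host == pattern


def invalid_referer(referer: Optional[str]) -> bool:
    """True when nginx would set $invalid_referer, i.e. the page's rule returns 403."""
    if referer is None:
        return False            # 'none': no Referer header at all
    host = referer_host(referer)
    if host is None:
        return False            # 'blocked': header present but not http(s)://
    if host in SERVER_NAMES:
        return False            # 'server_names': one of the vhost's own names
    return not any(pattern_matches(p, host) for p in VALID_PATTERNS)


if __name__ == "__main__":
    for ref in (None, "http://www.baidu.com/1.txt", "http://www.test.com/1.txt",
                "https://img.test.com:8443/x", "http://test.com.example.org/", "junk"):
        print(repr(ref), "->", 403 if invalid_referer(ref) else 200)
```

The two curl requests on the page map to the second and third cases. Note that 'none' and 'blocked' are deliberately permissive: a client that simply omits the Referer header passes, so this directive stops casual embedding from other sites, not a determined downloader.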

2. nginx access control

Requirement: only a few IP addresses may access the /admin/ directory.

(1): Edit the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

The access-control configuration to add:

location /admin/
{
    allow 192.168.180.134;            #whitelisted
    allow 127.0.0.1;                  #whitelisted
    deny all;                         #deny everyone else
}

The configuration file after the addition:

[root@localhost_001 vhost]# cat test.com.conf 
server
{
    listen 80;
    server_name www.test.com bbs.test.com test1.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'www.test.com' ) {
        rewrite  ^/(.*)$  http://www.test.com/$1  permanent;
    } 
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$       #match files with the gif|jpg|jpeg|png|bmp|swf extensions
    {
        expires      7d;        #expire after 7 days
        access_log off;         #no access log for files matching ".*.(gif|jpg|jpeg|png|bmp|swf)"
        valid_referers none blocked server_names  *.test.com ;             #define a whitelist; referers are domain names
        if ($invalid_referer) {                                            #not in the whitelist
            return 403;                                                    #return 403
        }
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;       #expire after 12 hours
        access_log off;         #no access log for files matching ".*.(js|css)"
        valid_referers none blocked server_names  *.test.com ;            #define a whitelist; referers are domain names
        if ($invalid_referer) {                                            #not in the whitelist
            return 403;                                                    #return 403
        }
    }
#added access-control configuration --------------------------------------------
    location /admin/
    {
        allow 192.168.149.130;            #whitelisted
        allow 127.0.0.1;                  #whitelisted
        deny all;                         #deny everyone else
    }
#end of access-control configuration --------------------------------------------
    access_log /tmp/test.com.log combined_realip;
}

(2): Check the configuration file syntax for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Create the admin directory and a test file

[root@localhost_001 vhost]# mkdir /data/wwwroot/test.com/admin
[root@localhost_001 vhost]# echo "test.test" > /data/wwwroot/test.com/admin/index.html

(4): Test with curl; note that a referer has to be added

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: text/html
[root@localhost_001 vhost]# curl -e "http://www.test.com/1.txt" -x192.168.149.129:80 www.test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: text/html
Content-Length: 10

(5): Look at the access log: the visitor IP 192.168.149.129 appears with status 200 OK because it is allowed, i.e. inside the whitelist

[root@localhost_001 vhost]# tail /tmp/test.com.log

127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"

Note: now access the page from a browser; the browser's IP is 192.168.149.135.

Looking at the access log, the visitor with IP 192.168.149.135 was given 403 Forbidden.

[root@localhost_001 tmp]# tail test.com.log
127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.149.135 - [16/Oct/2018:19:08:59 +0800] www.test.com "/admin/index.html" 403 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
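The page verifies the /admin/ rule by eye in the log. The added Python below does the same check systematically: it re-evaluates the page's allow/deny list (first matching rule wins, as nginx does) for every /admin/ request in a combined_realip log and reports lines whose observed status disagrees with the policy. This is example code written for this page, not the project's own; the regular expression is an assumption about the combined_realip format as it appears on the page, and the log lines are constructed, not copied from a real server.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The page's final /admin/ rules: allow 192.168.149.130; allow 127.0.0.1; deny all;
# nginx evaluates allow/deny in order and the first match wins, so the list is ordered.
ADMIN_RULES = [
    ("allow", ipaddress.ip_network("192.168.149.130")),
    ("allow", ipaddress.ip_network("127.0.0.1")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]

# Regex for combined_realip lines in the shape shown on the page (an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] (?P<host>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: the last two lines are the ones a reviewer wants to see.
SAMPLE_LOG = """\
127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.130 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.135 - [16/Oct/2018:19:08:59 +0800] www.test.com "/admin/index.html" 403 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.168.149.135 - [16/Oct/2018:19:09:01 +0800] www.test.com "/index.html" 200 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.168.149.135 - [16/Oct/2018:19:09:30 +0800] www.test.com "/admin/secret.jpg" 200 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.5 - [16/Oct/2018:19:10:12 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
"""


def admin_decision(ip: str) -> str:
    """'allow' or 'deny' for a client address under ADMIN_RULES (first match wins)."""
    addr = ipaddress.ip_address(ip)
    for action, net in ADMIN_RULES:
        if addr in net:
            return action
    return "allow"   # nginx allows when no rule matches; the page's 'deny all' prevents that


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_admin(log_text: str) -> dict:
    """Compare what the log shows against what the policy says for /admin/ requests."""
    denied: Dict[str, int] = {}
    drift: List[Tuple[str, str, int]] = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not rec["uri"].startswith("/admin/"):
            continue
        expected = 403 if admin_decision(rec["ip"]) == "deny" else 200
        if rec["status"] == 403:
            denied[rec["ip"]] = denied.get(rec["ip"], 0) + 1
        if (rec["status"] == 403) != (expected == 403):
            # Served when policy says deny (or vice versa): config drift or a bypass.
            drift.append((rec["ip"], rec["uri"], rec["status"]))
    return {"denied_by_ip": denied, "policy_drift": drift, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in audit_admin(SAMPLE_LOG).items():
        print(key, value)
```

The constructed /admin/secret.jpg line illustrates a pitfall in the vhost above that the audit catches: nginx checks regex locations before falling back to a prefix location, so a request for /admin/secret.jpg is handled by the gif|jpg location, never reaches location /admin/, and is served without the IP check. Writing the prefix as location ^~ /admin/ stops the regex search for that prefix and closes the gap.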

 

Access control by regex match

Websites get compromised and their database contents stolen because the image-upload directory did not restrict PHP parsing, which ends in disaster.

Note: every directory that accepts uploads must have PHP parsing disabled.

(1): Open the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: add the block above the line access_log /tmp/test.com.log combined_realip;

location ~ .*(upload|image)/.*\.php$      #match any path under an upload or image directory that ends in .php
{
        deny all;              #deny all of them
}

(2): Check the configuration file for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Create the upload directory and a PHP file inside it for testing

[root@localhost_001 vhost]# mkdir /data/wwwroot/test.com/upload
[root@localhost_001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@localhost_001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.txt

(4): Test with curl

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/upload/1.txt
11111

Note: the PHP file under upload is now blocked, while 1.txt is still accessible.

The access log shows the request for /upload/1.php denied and the request for 1.txt served normally.

[root@localhost_001 vhost]# tail /tmp/test.com.log
127.0.0.1 - [17/Oct/2018:10:42:15 +0800] www.test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [17/Oct/2018:10:42:19 +0800] www.test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

 

user_agent restrictions

If your site is under a CC attack, or you want to block certain crawlers, or you want a hidden site that nobody can find through a search engine, you can block the Baidu, Google, Youdao and similar spiders: with no spider crawling the site and the URL not given to anyone, nobody can discover it, because it is hidden.

(1): Open the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: add the block above the line access_log /tmp/test.com.log combined_realip;

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

Note: return 403 and deny all have the same effect.

(2): Check the configuration file for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Test by simulating the user agent with curl -A "Tomato"; the status code is 403.

 

[root@localhost_001 test.com]# curl -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:53:37 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Wed, 17 Oct 2018 02:41:33 GMT
Connection: keep-alive
ETag: "5bc6a15d-6"
Accept-Ranges: bytes
[root@localhost_001 test.com]# curl -A "Tomato" -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:53:51 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

Note: because the match is strict (case-sensitive), changing the user agent to lowercase gives status 200 again.

To ignore case, add * after the match operator in the vhost configuration (~*).

[root@localhost_001 vhost]# vim test.com.conf 
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }

Check the configuration file and reload the service.

[root@localhost_001 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 test.com]# /usr/local/nginx/sbin/nginx -s reload

Test again; now 403 Forbidden is returned.

[root@localhost_001 vhost]# !curl
curl -A "tomato" -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:59:56 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
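The upload/image deny rule in the previous section and the user-agent rule here both depend on how nginx evaluates regular expressions, and on the order of regex locations in the file. The added Python below models that: a server-level if on $http_user_agent runs in the rewrite phase before any location is chosen, regex locations are tried in file order with an unanchored search against the URI without its query string, and the first match wins. This is example code written for this page, not nginx's own logic; the rule list and the sample requests are constructed.

```python
import re
from typing import List, Tuple

# Ordered regex locations as they would appear in the vhost. nginx tries regex
# locations in file order and uses the first match, so the order matters.
Location = Tuple["re.Pattern", str]

UPLOAD_DENY: Location = (re.compile(r".*(upload|image)/.*\.php$"), "deny")   # location ~ ... { deny all; }
PHP_FASTCGI: Location = (re.compile(r"\.php$"), "fastcgi")                   # location ~ \.php$ { fastcgi_pass ...; }

# The page's user-agent rule: if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
UA_BLOCKLIST = r"Spider/3.0|YoudaoBot|Tomato"


def route(uri: str, locations: List[Location]) -> str:
    """Pick the handling location for a URI; 'static' when no regex location matches."""
    path = uri.split("?", 1)[0]       # nginx matches the URI without the query string
    for pattern, action in locations:
        if pattern.search(path):      # regex locations are unanchored, like nginx
            return action
    return "static"


def handle(uri: str, user_agent: str, locations: List[Location],
           ua_ignore_case: bool = True) -> Tuple[int, str]:
    """Status code and the stage that produced it for one request."""
    flags = re.IGNORECASE if ua_ignore_case else 0      # '~*' versus '~'
    if re.search(UA_BLOCKLIST, user_agent, flags):
        return 403, "user-agent"       # server-level 'if ... return 403' ends the request first
    action = route(uri, locations)
    return (403, action) if action == "deny" else (200, action)


if __name__ == "__main__":
    deny_first = [UPLOAD_DENY, PHP_FASTCGI]
    php_first = [PHP_FASTCGI, UPLOAD_DENY]
    for uri, ua, locs in (("/upload/1.php", "curl/7.29.0", deny_first),
                          ("/upload/1.php", "curl/7.29.0", php_first),
                          ("/uploads/1.php", "curl/7.29.0", deny_first),
                          ("/upload/1.txt", "tomato", deny_first)):
        print(uri, repr(ua), "->", handle(uri, ua, locs))
```

Three results are worth checking against your own vhost: the deny location only wins if it appears before location ~ \.php$, otherwise the PHP location is the first regex match and the script is executed; the pattern (upload|image)/ does not cover a sibling directory such as /uploads/, so list every upload directory explicitly; and the ~ operator is case-sensitive, so a rule meant to be broad should use ~*, exactly as the page does for the user agent.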

 

nginx PHP parsing configuration

Note: test.com.conf cannot parse PHP yet; add the following to the configuration file.

(1): Open the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf

Note: add the block above the line access_log /tmp/test.com.log combined_realip;

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;        #a wrong path here produces 502
#the line above specifies the FastCGI listen address: a unix socket or 127.0.0.1:9000
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; #filesystem path of the requested script
    }

(2): Create a PHP file in the document root /data/wwwroot/test.com/

[root@localhost_001 vhost]# vim /data/wwwroot/test.com/2.php
[root@localhost_001 vhost]# cat /data/wwwroot/test.com/2.php 
<?php
phpinfo();
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<?php
phpinfo();

After the test request the source code comes back: PHP is not being parsed.

(3): Now check the syntax and reload the service

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(4): Request 2.php in the document root again; it is now parsed correctly.

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php  -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 03:09:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

Note: if fastcgi_pass unix:/tmp/php-fcgi.sock; in the vhost's PHP configuration is wrong, status 502 is returned directly, meaning the socket was not found.

Change one letter in the configuration and request 2.php again; it reports status 502.

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 03:18:54 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive

Look at nginx's error log: it reports no such file or directory.

[root@localhost_001 vhost]# cat /usr/local/nginx/logs/nginx_error.log 
2018/10/17 11:18:54 [crit] 1522#0: *26 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "HEAD HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "www.test.com"

Note: when nginx returns 502, first check that the configured socket or IP address is correct, then look at the error log and check whether the file it names exists.

Note: whatever listen method is defined in the php-fpm configuration file /usr/local/php-fpm/etc/php-fpm.conf is what the nginx configuration must use as well.

[root@localhost_001 vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock  #must match the path in the nginx vhost
listen.mode = 666
user = php-fpm
group = php-fpm
[root@localhost_001 vhost]# vim  test.com.conf
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-cgi.sock;   #must match the php-fpm configuration; a wrong path here produces 502
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

Note: these two places must be identical, otherwise a 502 error is returned.

Another 502 case: suppose we do not listen on a socket but on IP + port instead.

(1): Edit the php-fpm configuration file /usr/local/php-fpm/etc/php-fpm.conf

Comment out listen = /tmp/php-fcgi.sock and add listen = 127.0.0.1:9000

[root@localhost_001 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost_001 vhost]# cat !$
cat /usr/local/php-fpm/etc/php-fpm.conf
[global]               
pid = /usr/local/php-fpm/var/run/php-fpm.pid                
error_log = /usr/local/php-fpm/var/log/php-fpm.log        
[www]                    
#listen = /tmp/php-fcgi.sock        
listen = 127.0.0.1:9000
listen.mode = 666       
user = php-fpm        
group = php-fpm             
pm = dynamic                    
pm.max_children = 50            
pm.start_servers = 20                       
pm.min_spare_servers = 5           
pm.max_spare_servers = 35       
pm.max_requests = 500

(2): Check php-fpm and restart it (reload is also supported)

[root@localhost_001 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[17-Oct-2018 11:52:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@localhost_001 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

(3): Check the listening ports; php-fpm now listens on IP + port

[root@localhost_001 vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      831/nginx: master p 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      780/sshd            
tcp        0      0 0.0.0.0:56888           0.0.0.0:*               LISTEN      780/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      962/master          
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1599/php-fpm: maste 
tcp6       0      0 :::22                   :::*                    LISTEN      780/sshd            
tcp6       0      0 :::56888                :::*                    LISTEN      780/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      962/master          
tcp6       0      0 :::3306                 :::*                    LISTEN      1028/mysqld

(4): Now request 2.php again; it reports a 502 error

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

(5): The error log still shows the error

[root@localhost_001 vhost]# tail /usr/local/nginx/logs/nginx_error.log 
2018/10/17 11:54:55 [crit] 1541#0: *28 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "GET HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "www.test.com"

(6): Now edit the vhost configuration /usr/local/nginx/conf/vhost/test.com.conf: comment out the unix socket line and change it to 127.0.0.1:9000

[root@localhost_001 vhost]# vim test.com.conf 
In the PHP block, comment out the unix line and add the IP and port:
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;

(7): Check the syntax and reload the configuration

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(8): Request 2.php again; it is served normally now

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 04:00:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

Note: on a 502, check whether fastcgi_pass in the nginx vhost matches the address configured in php-fpm.

Note: the path in fastcgi_param SCRIPT_FILENAME, /data/wwwroot/test.com$fastcgi_script_name, must correspond to root /data/wwwroot/test.com; at the top of the configuration.

Other 502 cases: PHP 5.4 and later versions have a particular behaviour.

The php-fpm configuration file (/usr/local/php-fpm/etc/php-fpm.conf) has a listen.mode = 666 setting, which guarantees that every user has read/write permission on the socket file (/tmp/php-fcgi.sock).

nginx runs as the nobody user, and for nginx to work with PHP, nobody must have read/write permission on the socket file. If this setting is commented out, the default permission is 440: an ordinary user gets no access, so nobody cannot read the file and a 502 error is returned. As follows:

(1): First comment out listen.mode = 666 in the php-fpm configuration file (/usr/local/php-fpm/etc/php-fpm.conf), with php-fpm listening on the socket /tmp/php-fcgi.sock

[root@localhost_001 vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]               
pid = /usr/local/php-fpm/var/run/php-fpm.pid                
error_log = /usr/local/php-fpm/var/log/php-fpm.log        
[www]                    
listen = /tmp/php-fcgi.sock        
#listen = 127.0.0.1:9000
#listen.mode = 666       
user = php-fpm        
group = php-fpm             
pm = dynamic                    
pm.max_children = 50            
pm.start_servers = 20                       
pm.min_spare_servers = 5           
pm.max_spare_servers = 35       
pm.max_requests = 500        
rlimit_files = 1024

(2): Check and restart php-fpm

[root@localhost_001 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[17-Oct-2018 12:22:32] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@localhost_001 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

(3): Look at /tmp/php-fcgi.sock: its owner and group are root, and the permission is 666

[root@localhost_001 vhost]# ls -la /tmp/php-fcgi.sock 
srw-rw---- 1 root root 0 10月 17 12:29 /tmp/php-fcgi.sock

(4): Requesting 2.php now gives a 502 error

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>

(5): nginx's error log reports insufficient permission (Permission denied)

[root@localhost_001 vhost]# tail /usr/local/nginx/logs/nginx_error.log 
2018/10/17 12:30:46 [crit] 1753#0: *40 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "GET HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "www.test.com"

Note: the socket file's default permission is 660: root can read it and root's group can read it, but ordinary users cannot.

Note: because nginx accesses /tmp/php-fcgi.sock as the user nginx runs as, let's check which user that is.

[root@localhost_001 vhost]# ps aux |grep nginx
root        831  0.0  0.0  25636  1824 ?        Ss   10:23   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     1752  0.0  0.1  27328  3588 ?        S    12:28   0:00 nginx: worker process
nobody     1753  0.0  0.2  27328  3840 ?        S    12:28   0:00 nginx: worker process
root       1799  0.0  0.0 112720   972 pts/0    R+   12:33   0:00 grep --color=auto nginx

Note: as shown, the nginx worker processes run as nobody, and nobody, as an ordinary user, has no permission on /tmp/php-fcgi.sock.

(6): Temporarily change the ownership of /tmp/php-fcgi.sock so that nobody has read/write access

[root@localhost_001 vhost]# chown nobody /tmp/php-fcgi.sock 
[root@localhost_001 vhost]# ls -al /tmp/php-fcgi.sock 
srw-rw---- 1 nobody root 0 10月 17 12:29 /tmp/php-fcgi.sock

(7): Test again; the status is now 200 OK

[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 04:37:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

Note: this works because nobody now has read/write permission on /tmp/php-fcgi.sock.
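Both 502 causes walked through above (an nginx fastcgi_pass that does not match php-fpm's listen, and a socket whose mode and owner shut out the nginx worker) can be checked from the two configuration files before reading the error log. The added Python below does that; it is example code written for this page, not a tool from nginx or php-fpm. The vhost and php-fpm.conf snippets are constructed copies of the page's mismatched state, the worker user nobody and the socket owner root:root are taken from the ps and ls output above, and the 0660 fallback is php-fpm's documented default for listen.mode.

```python
import configparser
import re
from typing import List, Optional, Tuple

# Constructed copies of the two files the page compares (deliberately mismatched).
NGINX_VHOST = "\n".join([
    "location ~ \\.php$",
    "{",
    "    include fastcgi_params;",
    "    #fastcgi_pass 127.0.0.1:9000;",
    "    fastcgi_pass unix:/tmp/php-cgi.sock;",
    "    fastcgi_index index.php;",
    "}",
])
# No indentation here: configparser treats indented lines as value continuations.
PHP_FPM_CONF = "\n".join([
    "[global]",
    "pid = /usr/local/php-fpm/var/run/php-fpm.pid",
    "[www]",
    "listen = /tmp/php-fcgi.sock",
    "#listen.mode = 666",
    "user = php-fpm",
    "group = php-fpm",
])


def nginx_fastcgi_pass(vhost: str) -> Optional[str]:
    """First active (uncommented) fastcgi_pass target in the vhost text."""
    for raw in vhost.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"fastcgi_pass\s+(\S+?)\s*;", line)
        if m:
            return m.group(1)
    return None


def php_fpm_listen(conf: str, pool: str = "www") -> Tuple[str, Optional[str]]:
    """(listen, listen.mode) for a pool; listen.mode is None when it is not set."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"), interpolation=None)
    cp.read_string(conf)
    return cp.get(pool, "listen"), cp.get(pool, "listen.mode", fallback=None)


def normalize(endpoint: str) -> str:
    """Bring both spellings to one form: 'unix:/path' or 'host:port'."""
    endpoint = endpoint.strip()
    if endpoint.startswith("unix:"):
        return endpoint
    if "/" in endpoint:             # php-fpm writes socket paths without the unix: prefix
        return "unix:" + endpoint
    if ":" not in endpoint:         # php-fpm 'listen = 9000' binds every IPv4 address
        return "0.0.0.0:" + endpoint
    return endpoint


def endpoints_agree(nginx_target: str, fpm_listen: str) -> bool:
    a, b = normalize(nginx_target), normalize(fpm_listen)
    if a == b:
        return True
    # php-fpm bound to all addresses still accepts nginx connecting to 127.0.0.1
    return (b.startswith("0.0.0.0:") and not a.startswith("unix:")
            and a.rsplit(":", 1)[-1] == b.rsplit(":", 1)[-1])


def socket_usable(mode: int, owner: str, group: str, user: str, groups: Tuple[str, ...]) -> bool:
    """Can 'user' (a member of 'groups') both read and write a socket with these bits?"""
    if user == owner:
        return mode & 0o600 == 0o600
    if group in groups:
        return mode & 0o060 == 0o060
    return mode & 0o006 == 0o006


def diagnose(vhost: str, fpm_conf: str, worker_user: str = "nobody",
             socket_owner: str = "root", socket_group: str = "root") -> List[str]:
    """Findings that explain a 502 before the error log is consulted."""
    findings: List[str] = []
    target = nginx_fastcgi_pass(vhost)
    if target is None:
        return ["NO_FASTCGI_PASS"]
    listen, mode = php_fpm_listen(fpm_conf)
    if not endpoints_agree(target, listen):
        findings.append(f"ENDPOINT_MISMATCH nginx={target} php-fpm={listen}")
    if normalize(listen).startswith("unix:"):
        bits = int(mode, 8) if mode else 0o660        # php-fpm default listen.mode is 0660
        if not socket_usable(bits, socket_owner, socket_group, worker_user, (worker_user,)):
            findings.append(f"SOCKET_PERMS mode={bits:04o} owner={socket_owner}:{socket_group} worker={worker_user}")
    return findings


if __name__ == "__main__":
    print(diagnose(NGINX_VHOST, PHP_FPM_CONF))
```

Run against the constructed pair it reports both findings; fix the socket name and restore listen.mode = 666 and it reports nothing. The page's chown nobody workaround also satisfies socket_usable, but it does not survive a php-fpm restart, which recreates the socket with the master process's ownership; listen.mode, or listen.owner and listen.group set to the nginx worker user, is the persistent fix.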

nginx proxy

A user wants to reach a web server but cannot, or access is very slow (a private network, or access from abroad), so a proxy that can reach the web server is needed and the user goes through the proxy server.

(1): First create a file in the /usr/local/nginx/conf/vhost/ directory

[root@localhost_001 vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;                       #the domain name: the forum site
    location /
    {
        proxy_pass      http://121.201.9.155/;         #the forum's IP address
        proxy_set_header Host   $host;                   #Host header sent upstream is $host, i.e. server_name ask.apelearn.com
        proxy_set_header X-Real-IP      $remote_addr; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Note: there is no root in this configuration, because this is a proxy server and it does not need to access any files on the local server.

Once this is configured, this virtual machine can reach ask.apelearn.com.

(2): Check the configuration file for errors and reload it

[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload

(3): Verify that the proxy works by sending the request to the local IP address

[root@localhost_001 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt
User-agent: *
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/

Note: robots.txt is an index list aimed at spiders; most sites have one.

Note: without this proxy configuration, the remote site could not be reached through the local host.
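The two proxy_set_header lines for X-Real-IP and X-Forwarded-For decide what the upstream learns about the real client. The added Python below reproduces what $proxy_add_x_forwarded_for produces and shows how the upstream should read the result: walk the chain from the right and skip known proxies, because the leftmost entry was written by the client itself. This is example code written for this page, not nginx's implementation; the trusted proxy address 198.51.100.10 and all other addresses are constructed from documentation ranges.

```python
from typing import Sequence

# Assumed address of the nginx proxy from the page; the upstream must know this.
TRUSTED_PROXIES = ("198.51.100.10",)


def proxy_add_x_forwarded_for(incoming_xff: str, remote_addr: str) -> str:
    """What nginx's $proxy_add_x_forwarded_for yields: the incoming header with
    $remote_addr appended after a comma, or just $remote_addr when there was none."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def client_ip(xff: str, remote_addr: str, trusted: Sequence[str]) -> str:
    """Client address as the upstream should derive it.

    Only a connection that really comes from a trusted proxy makes the header
    meaningful; then the rightmost untrusted hop is the client. Anything further
    left was supplied by the client and is not evidence of anything.
    """
    if remote_addr not in trusted:
        return remote_addr                  # direct connection: ignore the header entirely
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return remote_addr                      # every hop trusted: fall back to the proxy itself


def upstream_view(client_addr: str, client_sent_xff: str, proxy_addr: str) -> dict:
    """Simulate the page's proxy_set_header lines and the upstream's conclusion."""
    forwarded = proxy_add_x_forwarded_for(client_sent_xff, client_addr)
    return {
        "X-Real-IP": client_addr,           # proxy_set_header X-Real-IP $remote_addr
        "X-Forwarded-For": forwarded,       # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
        "client": client_ip(forwarded, proxy_addr, TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    print(upstream_view("203.0.113.7", "", "198.51.100.10"))
    print(upstream_view("203.0.113.7", "192.0.2.1", "198.51.100.10"))
```

The second call shows why the distinction matters: the client sent its own X-Forwarded-For value 192.0.2.1, nginx appended the true 203.0.113.7, and the upstream's answer is still 203.0.113.7. An upstream that logs or rate-limits on the leftmost entry, or that trusts X-Real-IP on a port reachable without going through the proxy, would be working from a client-chosen value; the combined_realip log format used throughout the page is only as good as this rule.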
