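Nginx also has a default virtual host. As with httpd, the first virtual host that Nginx loads is the default host. Unlike httpd, Nginx also has a configuration flag that marks a server as the default virtual host; in other words, the first virtual host becomes the default only when no server carries this flag.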
Edit the main configuration file, nginx.conf:

```
[root@ying01 ~]# cd /usr/local/nginx/conf/
[root@ying01 conf]# vim /usr/local/nginx/conf/nginx.conf
```
See the figure below for the details:
Create the vhost directory and add aaa.com.conf, the configuration of the default virtual host:

```
[root@ying01 conf]# pwd
/usr/local/nginx/conf
[root@ying01 conf]# mkdir vhost            # create the vhost directory
[root@ying01 conf]# cd vhost/
[root@ying01 vhost]# ls
[root@ying01 vhost]# vim aaa.com.conf
```

The content of aaa.com.conf is as follows:

```
server
{
    listen 80 default_server;                # marks this server as the default virtual host
    server_name aaa.com;                     # host name aaa.com
    index index.html index.htm index.php;    # index pages
    root /data/wwwroot/default;              # site directory of the default virtual host
}
```
Create the default site directory:

```
[root@ying01 vhost]# mkdir /data/wwwroot/default
[root@ying01 vhost]# cd /data/wwwroot/default/
[root@ying01 default]# vim index.html      # create the index.html file
```

The content of index.html is as follows:

```
this is the default site.
```
Check the syntax, reload the configuration, and test the sites. Any domain name ends up at the default host's site:

```
[root@ying01 default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 default]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 default]# curl localhost                     # access the host
this is the default site.
[root@ying01 default]# curl -x127.0.0.1:80 aaa.com        # access the host name aaa.com
this is the default site.
[root@ying01 default]# curl -x127.0.0.1:80 ddd.com        # any domain name reaches the default host
this is the default site.
[root@ying01 default]# curl -x127.0.0.1:80 qq.com
this is the default site.
```
Look at the main configuration file:

```
[root@ying01 default]# tail /usr/local/nginx/conf/nginx.conf
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm application/xml;
    include vhost/*.conf;
}
```
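The last line includes the default host's configuration. Placing the default host's configuration directly at that position has the same effect.

**include vhost/*.conf** works like a module that holds the virtual host configurations.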
```
[root@ying01 default]# cd -
/usr/local/nginx/conf/vhost
[root@ying01 vhost]# ls
aaa.com.conf
[root@ying01 vhost]# vim test.com.conf
```

The added configuration is as follows:

```
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;             # site directory

    location /
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
```
Create users:

Nginx does not ship a tool for creating users, so the httpd tool is needed. If it is not installed, use the command yum install -y httpd. It is already installed on this machine, so it is run directly:

```
[root@ying01 vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd ying
New password:                                # password set to www123
Re-type new password:
Adding password for user ying
[root@ying01 vhost]# cat /usr/local/nginx/conf/htpasswd        # view the generated password file
ying:$apr1$I3caHAA/$wMALhLwm.1FKdqqJQZj0h0
[root@ying01 vhost]# /usr/local/apache2.4/bin/htpasswd /usr/local/nginx/conf/htpasswd feng     # add another user
New password:
Re-type new password:
Adding password for user feng
[root@ying01 vhost]# cat /usr/local/nginx/conf/htpasswd        # the file now holds two password entries
ying:$apr1$JRTvjHxp$idElRt2smV.wCQImpZ04w0
feng:$apr1$7kZQZ4VM$2O8ncLmdmqAsyrcvrZ3tH.
```
Test

Before testing, check for syntax errors and reload the configuration:

```
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
```

```
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com
<html>
<head><title>401 Authorization Required</title></head>      # status 401: user authentication is required
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 11:52:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
```
Test the host with user authentication:

```
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@ying01 vhost]# ls /data/wwwroot/test.com
ls: 没法访问/data/wwwroot/test.com: 没有那个文件或目录
[root@ying01 vhost]# mkdir /data/wwwroot/test.com
[root@ying01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com
test.com
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 12:02:26 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Thu, 05 Jul 2018 11:58:32 GMT
Connection: keep-alive
ETag: "5b3e07e8-9"
Accept-Ranges: bytes
```
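Sometimes authentication is needed only for a particular directory or page rather than the whole site, so the configuration file has to be changed:

```
[root@ying01 vhost]# vim test.com.conf
```

The changed configuration is as follows:

```
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /admin/                         # note: the /admin/ directory was added here
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
```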
Test a single directory:

```
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@ying01 vhost]# mkdir /data/wwwroot/test.com/admin
[root@ying01 vhost]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html
[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com/admin/
test.com admin dir
```
```
[root@ying01 vhost]# vim test.com.conf
```

The changed configuration is as follows:

```
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~ admin.php                     # note the change: a regex location for requests to admin.php
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
```

```
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com/admin/       # no user authentication needed now
test.com admin dir
[root@ying01 vhost]# curl -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>401 Authorization Required</title></head>      # user authentication is required now
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
```
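Summary:

- location /: authentication for the whole site

Authentication can also be applied to a single directory or URL, for example:

- location /admin/: authentication for the admin directory
- location ~ admin.php: authentication for a particular requested URL

auth_basic_user_file: the user authentication file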
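When a site has several domain names, its search ranking weight drops. The older domain names are already relied on by some users, and it is not possible to notify everyone of the new site, so one primary domain is chosen and all the others are 302-redirected to it.

```
[root@ying01 vhost]# vim test.com.conf
```

The changed configuration is as follows:

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;     # permanent redirect
    }
}
```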
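permanent: permanent redirect, that is, 301

redirect: temporary redirect, 302

In the Nginx configuration, server_name can be followed by several domain names. permanent is a permanent redirect, equivalent to httpd's R=301. The other commonly used flag is redirect, equivalent to httpd's R=302.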
```
[root@ying01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 12:38:40 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html          # redirected to test.com
[root@ying01 vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 12:38:47 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html          # redirected to test.com
[root@ying01 vhost]# curl -x127.0.0.1:80 www.baidu.com/index.html     # goes to the default virtual host
```
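Nginx log variables:

| Term | Meaning |
| --- | --- |
| $remote_addr | Client IP (public IP) |
| $http_x_forwarded_for | IP of the proxy server |
| $time_local | Local time of the server |
| $host | Host name being accessed (domain name) |
| $request_uri | URL being accessed |
| $status | Status code |
| $http_referer | referer |
| $http_user_agent | user_agent |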
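The log format is defined in the main nginx configuration file. There, combined_realip is the name of the log format; the name can be customized, and here it is set to ying.

```
[root@ying01 vhost]# vim ../nginx.conf
```

In the main nginx configuration file, define the log format name as shown in the figure below.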
In the virtual host configuration file, define the log path and the format name:

```
[root@ying01 vhost]# vim test.com.conf
```

The changed configuration is as follows:

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    access_log /tmp/test.com.log ying;       # log path and log format name
}
```
After checking and reloading the configuration, run the test:

```
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 13:02:43 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html

[root@ying01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 05 Jul 2018 13:02:47 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html

[root@ying01 vhost]# cat /tmp/test.com.log        # view the generated log
127.0.0.1 - [05/Jul/2018:21:02:43 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"     # fields follow the log format, in order
127.0.0.1 - [05/Jul/2018:21:02:47 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"
[root@ying01 vhost]#
```
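The log lines above can be parsed for detection as well as for debugging. The script below is an added example, not part of the original post: it goes beyond the 301 entries shown and reports clients and URIs with repeated 401/403 responses. The function names, the threshold and the sample lines are constructed, and the field order of the ying format is assumed from the variable table and the log output above.

```bash
#!/bin/bash
# Added example (not from the original post). Assumed field order of the
# "ying" format, taken from the variable table and the sample log lines:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri"
#   $status "$http_referer" "$http_user_agent"

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
127.0.0.1 - [05/Jul/2018:21:02:43 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:03 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:04 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
198.51.100.7 203.0.113.5, 10.0.0.1 [06/Jul/2018:09:31:00 +0800] test.com "/upload/1.php" 403 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - [06/Jul/2018:09:31:05 +0800] test.com "/upload/1.txt" 403 "-" "Tomato"
truncated line without any quoted field
EOF
}

# denied_clients MIN: read log lines on stdin and print "addr count" for every
# client with at least MIN responses of 401 (auth_basic) or 403 (deny rules),
# highest count first. $remote_addr is used because X-Forwarded-For is a
# request header supplied by the client.
denied_clients() {
    awk -v min="$1" '
    {
        # Split on double quotes so quoted fields may contain spaces:
        # q[1] = addr xff [time] host, q[2] = request_uri, q[3] = status
        n = split($0, q, "\"")
        if (n < 7) next                      # skip malformed lines
        split(q[1], head, " ")
        status = q[3] + 0
        if (status == 401 || status == 403) hits[head[1]]++
    }
    END {
        for (addr in hits)
            if (hits[addr] >= min) print addr, hits[addr]
    }' | sort -k2,2nr -k1,1
}

# denied_targets: same input, print "count host+uri" for denied requests,
# to show which protected locations are being requested.
denied_targets() {
    awk '
    {
        n = split($0, q, "\"")
        if (n < 7) next
        m = split(q[1], head, " ")           # head[m] is $host
        status = q[3] + 0
        if (status == 401 || status == 403) seen[head[m] q[2]]++
    }
    END { for (t in seen) print seen[t], t }' | sort -k1,1nr -k2,2
}

sample_log | denied_clients 2
sample_log | denied_targets
```

Requests handled by a location with access_log off never reach this file, so 403 responses returned from such a location are not counted.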
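Unlike Apache, Nginx has no log rotation tool of its own, so a script is needed to do the job:

```
[root@ying01 vhost]# vim /usr/local/sbin/nginx_logrotate.sh
```

The script is as follows:

```
#! /bin/bash
# yesterday's date, used as the suffix of the rotated files
d=`date -d "-1 day" +%Y%m%d`
# assume the nginx logs are stored in /tmp/
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
# rename every .log file to <name>-<date>
for log in `ls *.log`
do
    mv $log $log-$d
done
# signal nginx so that it creates new log files
/bin/kill -HUP `cat $nginx_pid`
```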
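Explanation of the script:

d=\`date -d "-1 day" +%Y%m%d\`: generates yesterday's date

```
[root@ying01 vhost]# date -d "-1 day" +%Y%m%d       # run the statement to see the result
20180704
[root@ying01 vhost]# date
2018年 07月 05日 星期四 21:07:49 CST
```

```
for log in `ls *.log`
do
    mv $log $log-$d
done
```

This is a for loop that renames each log file listed by ls, appending the date to its name.

nginx_pid="/usr/local/nginx/logs/nginx.pid" is set only for use by the last line.

/bin/kill -HUP \`cat $nginx_pid\`

The last line does the same thing as the -s reload used earlier: it reloads nginx through nginx.pid, after which a new log file is generated. Without it, no new log file is created.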
Detailed execution trace of the script with sh -x:

```
[root@ying01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180704
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls php_errors.log test.com.log
+ for log in '`ls *.log`'
+ mv php_errors.log php_errors.log-20180704
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180704
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 913
```
Look at the generated test.com logs:

```
[root@ying01 vhost]# ls /tmp/
pear
php_errors.log-20180704
php-fcgi.sock
systemd-private-94cc0dd6651e4992848100fb05207857-chronyd.service-1zARDS
systemd-private-94cc0dd6651e4992848100fb05207857-vgauthd.service-0jUT25
systemd-private-94cc0dd6651e4992848100fb05207857-vmtoolsd.service-zegNFj
test.com.log
test.com.log-20180704
```
Log cleanup

Delete logs older than one month (this can of course also be written into the script):

```
[root@ying01 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm
```
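Create a schedule for running the script, for example rotating every day at 00:00:

```
[root@ying01 vhost]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
```

The crontab entry that was created:

```
# run this script every day at 00:00
0 0 * * * /usr/local/sbin/nginx_logrotate.sh
```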
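A more defensive variant of the rotation procedure above (rename, signal nginx, delete old files, run from cron), as an added example that is not the original author's script. It runs in a subshell, skips symlinks, never overwrites an earlier rotation, and sends USR1 (the signal behind nginx -s reopen) instead of HUP; the function name rotate_logs and its parameters are assumptions.

```bash
#!/bin/bash
# Added example (not the original script). rotate_logs and its arguments are
# hypothetical names: rotate_logs LOGDIR PIDFILE [KEEP_DAYS]
# Prints the number of files rotated. The body is a subshell, so the cd and
# the variables do not leak into the caller.
rotate_logs() (
    logdir=$1
    pidfile=$2
    keep_days=${3:-30}

    # Same date stamp as the original script: yesterday, YYYYMMDD (GNU date).
    stamp=$(date -d "-1 day" +%Y%m%d) || exit 1

    # Abort if the directory is missing, instead of renaming files elsewhere.
    cd "$logdir" || exit 1

    rotated=0
    for log in ./*.log; do
        # Regular files only: skips an unmatched glob and any symlink placed
        # in a shared directory such as /tmp.
        if [ ! -f "$log" ] || [ -L "$log" ]; then
            continue
        fi
        # Never overwrite a file left by an earlier run on the same day.
        if [ -e "$log-$stamp" ]; then
            continue
        fi
        mv -- "$log" "$log-$stamp" && rotated=$((rotated + 1))
    done

    # Tell the nginx master to reopen its log files. USR1 is what
    # "nginx -s reopen" sends; the original script uses HUP (a reload).
    if [ "$rotated" -gt 0 ] && [ -r "$pidfile" ]; then
        pid=$(cat "$pidfile")
        case $pid in
            ''|*[!0-9]*) echo "bad pid file: $pidfile" >&2 ;;
            *) kill -USR1 "$pid" 2>/dev/null || echo "signal failed" >&2 ;;
        esac
    fi

    # Delete rotated files older than KEEP_DAYS, in this directory only.
    find . -maxdepth 1 -type f -name '*.log-*' -mtime +"$keep_days" \
        -exec rm -f -- {} +

    echo "$rotated"
)

# Runs only when called with arguments, for example from cron:
#   0 0 * * * /usr/local/sbin/nginx_logrotate.sh /tmp/ /usr/local/nginx/logs/nginx.pid
if [ "$#" -ge 2 ]; then
    rotate_logs "$@"
fi
```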
Further reading: log rotation

In the virtual host configuration file, location ~ can match the relevant static files, expires sets the expiry time, and setting access_log to off disables access logging for them.

Set up the virtual host configuration file as follows:

```
[root@ying01 vhost]# vim test.com.conf
```

The changed configuration is as follows:

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$     # static files such as .gif are not logged
    {
        expires 7d;                          # valid for 7 days
        access_log off;                      # do not log
    }

    location ~ .*\.(js|css)$                 # match js or css files
    {
        expires 12h;                         # valid for 12 hours
        access_log off;
    }

    access_log /tmp/test.com.log ying;
}
```
In the test.com site directory, create a gif file and a css file:

```
[root@ying01 vhost]# cd /data/wwwroot/test.com/
[root@ying01 test.com]# ls
admin  index.html
[root@ying01 test.com]# vim 1.gif
[root@ying01 test.com]# vim 2.css
```
Now access the files and look at the generated log. The experiment below shows that requests for the gif and css files are not logged:

```
[root@ying01 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 test.com]# /usr/local/nginx/sbin/nginx -s reload
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/1.gif
aaaaaaaa
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/2.css
bbbbbbbbb
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@ying01 test.com]# cat /tmp/test.com.log
127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/2.css
bbbbbbbbb
[root@ying01 test.com]# cat /tmp/test.com.log
127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
```
Anti-hotlinking code, which also includes the expiry time:

```
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
```
Put this code into the virtual host configuration:

```
[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
```

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;                                           # includes the expiry time
        valid_referers none blocked server_names *.test.com;  # define the whitelist
        if ($invalid_referer) {                               # condition: does the referer match the whitelist?
            return 403;                                       # no match (invalid referer): return 403
        }
        access_log off;
    }

    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }

    access_log /tmp/test.com.log ying;
}
```
Check the syntax and reload the configuration:

```
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload
```
Test, comparing a valid referer with an invalid one:

```
[root@ying01 ~]# curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden                        # invalid referer: 403 is returned
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 00:48:58 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -e "http://xx.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK                               # referer on the whitelist
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 00:51:19 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Thu, 05 Jul 2018 15:29:40 GMT
Connection: keep-alive
ETag: "5b3e3964-a"
Expires: Fri, 13 Jul 2018 00:51:19 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
```
To improve security, some pages need to be protected!

Core code for access control:

```
location /admin/                             # applies to the admin directory
{
    allow 127.0.0.1;
    allow 192.168.112.136;
    deny all;
}
```
Put this code into the virtual host configuration:

```
[root@ying01 ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
```

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }

    location /admin/
    {
        #allow 127.0.0.1;                    # commented out on purpose, for comparison during the test
        allow 192.168.112.136;
        deny all;
    }

    access_log /tmp/test.com.log ying;
}
```
Check the syntax and reload the configuration:

```
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload
```
Test by allowing 192.168.112.136 and denying 127.0.0.1; the host can be reached on both IPs:

```
[root@ying01 ~]# curl -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 403 Forbidden                        # access denied, because this IP is not allowed
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 01:30:37 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -x192.168.112.136:80 -I test.com/admin/
HTTP/1.1 200 OK                               # this IP is allowed
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 01:32:18 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Thu, 05 Jul 2018 12:09:55 GMT
Connection: keep-alive
ETag: "5b3e0a93-13"
Accept-Ranges: bytes
```
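The main purpose here is to keep uploaded PHP files from turning into trojan (webshell) files that compromise security.

In the upload directories upload and image, deny .php files:

```
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
```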
Put this code into the virtual host configuration:

```
[root@ying01 ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
```

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }

    location /admin/
    {
        #allow 127.0.0.1;
        allow 192.168.112.136;
        deny all;
    }

    location ~ .*(upload|image)/.*\.php$     # match .php files
    {
        deny all;                            # deny
    }

    access_log /tmp/test.com.log ying;
}
```
Check the syntax and reload the configuration:

```
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload
```
Test: create 1.txt and 1.php in the upload directory; 1.txt can be accessed, 1.php cannot:

```
[root@ying01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@ying01 ~]# echo "2222" > /data/wwwroot/test.com/upload/1.txt
[root@ying01 ~]# curl -x192.168.112.136:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@ying01 ~]# curl -x192.168.112.136:80 test.com/upload/1.txt
2222
```
If you do not want spiders crawling your site, you can block them based on the user-agent.

Deny access to the site for the relevant user-agents:

```
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
```
Put this code into the virtual host configuration:

```
[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
```

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }

    location /admin/
    {
        #allow 127.0.0.1;
        allow 192.168.112.136;
        deny all;
    }

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')     # user agent matches 'Spider/3.0|YoudaoBot|Tomato'
    {
        return 403;
    }

    access_log /tmp/test.com.log ying;
}
```
Check the syntax and reload the configuration:

```
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload
```
Test with different user_agent values:

```
[root@ying01 ~]# curl -A "Tomato" -x192.168.112.136:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden                        # user_agent is Tomato: access denied
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 02:47:01 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -A "Spider/3.0" -x192.168.112.136:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden                        # user_agent is Spider/3.0: access denied
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 02:47:40 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@ying01 ~]# curl -A "123456" -x192.168.112.136:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK                               # any user_agent other than the three configured ones is allowed
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 02:47:54 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Fri, 06 Jul 2018 02:31:59 GMT
Connection: keep-alive
ETag: "5b3ed49f-5"
Accept-Ranges: bytes
```
First create a 3.php file:

```
[root@ying01 ~]# vim /data/wwwroot/test.com/3.php
```

```
<?php
phpinfo();
```

Test this 3.php file; at this point it cannot be parsed:

```
[root@ying01 ~]# curl -x192.168.112.136:80 test.com/3.php
<?php
phpinfo();
```
Configuration for parsing PHP files:

```
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
```
Put this code into the virtual host configuration:

```
[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
```

```
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }

    location /admin/
    {
        #allow 127.0.0.1;
        allow 192.168.112.136;
        deny all;
    }

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

    access_log /tmp/test.com.log ying;
}
```
Check the syntax and reload the configuration:

```
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload
```
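The curl output is too long to show here, so the test is done in a browser: the figure below shows that PHP is now parsed.

Explanation of the PHP parsing configuration:

fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a TCP ip:port address (for example 127.0.0.1:9000), this line has to be changed to fastcgi_pass 127.0.0.1:9000. The address must match the one the php-fpm service listens on, otherwise a 502 error is returned. Also note that the path after fastcgi_param SCRIPT_FILENAME is the root directory of the site and must stay consistent with the root path defined earlier; if it is configured incorrectly, requests for PHP pages return 404. A 502 can also appear in another situation: when a large number of php-fpm processes occupy the memory, the same problem occurs.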
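Principle: the Nginx proxy is a reverse proxy. A reverse proxy is a proxy server that accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results obtained from those servers to the clients on the Internet that made the requests. To the outside, the proxy server then looks like a single server.

Suppose a company has many servers and, to save cost, cannot assign a public IP to every one of them. If a server without a public IP needs to provide a web service, this can be done through a proxy. This is the reason Nginx is becoming more popular than httpd.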
Create the proxy.conf configuration file and write the following code into it:

```
[root@ying01 ~]# cd /usr/local/nginx/conf/vhost
[root@ying01 vhost]# vim proxy.conf
```

```
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass http://47.91.145.78/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
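Because this is a proxy server, it does not need to access any file on the local server. ask.apelearn.com; defines a domain name.

proxy_pass http://47.91.145.78/; is the IP address of the real web server.

$host; is our server_name.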
Check the syntax and reload the configuration:

```
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload
```
Start the test: 127.0.0.1 is this machine acting as the proxy; access the forum through it:

```
[root@ying01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 06 Jul 2018 03:50:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=tki4271fdrd4nup0jbdco33b63; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
myheader: web1
```
Test the site's robots.txt:

```
[root@ying01 vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@ying01 vhost]#
```