Nginx默认虚拟主机、 Nginx用户认证、Nginx域名重定向、访问日志·····
Ngninx默认虚拟主机
1.vim /usr/local/nginx/conf/nginx.conf //增长
2.include vhost/*.conf
3.mkdir /usr/local/nginx/conf/vhost
4.cd !$; vim default.conf //加入以下内容
server
{
listen 80 default_server; // 有这个标记的就是默认虚拟主机
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
5.mkdir -p /data/wwwroot/default/
6.echo “This is a default site.”>/data/wwwroot/default/index.html
7./usr/local/nginx/sbin/nginx -t
8./usr/local/nginx/sbin/nginx -s reload
9.curl localhost
10.curl -x127.0.0.1:80 123.com
操做演示:php
[root@xuexi-001 ~]# ls /usr/local/nginx/conf/
fastcgi.conf mime.types scgi_params.default
fastcgi.conf.default mime.types.default uwsgi_params
fastcgi_params nginx.conf uwsgi_params.default
fastcgi_params.default nginx.conf.bak win-utf
koi-utf nginx.conf.default
koi-win scgi_params
[root@xuexi-001 ~]# cd !$
cd /usr/local/nginx/conf/
[root@xuexi-001 conf]# vi nginx.conf
//添加如下内容
include vhost/*.conf;······ 注意在配置文件中这里须要添加分号
[root@xuexi-001 conf]# mkdir vhost
//建立vhost 目录
[root@xuexi-001 conf]# cd vhost/
[root@xuexi-001 vhost]# ls
[root@xuexi-001 vhost]# vi aaa.com.conf
//在vhost目录中建立一个 aaa.com.conf
[root@xuexi-001 vhost]# mkdir /data/wwwroot/default
//建立default 目录
[root@xuexi-001 vhost]# cd /data/wwwroot/default/
[root@xuexi-001 default]# vi index.html
//在default目录中建立一个index.html 文件
添加如下内容:
server
{
listen 80 default_server; // 有这个标记的就是默认虚拟主机
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
//测试配置文件
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
更改完配置文件后,须要测试一下配置文件是否正确
[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload
//从新加载或者 重启
[root@xuexi-001 conf]# /etc/init.d/nginx restart
测试:
[root@xuexi-001 conf]# curl localhost
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 123.com
This is the default site.
[root@xuexi-001 conf]# curl -x127.0.0.1:80 aaa.com
This is the default site.
Nginx用户认证
vim /usr/local/nginx/conf/vhost/test.com.conf//写入以下内容
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
yum install -y httpd
htpasswd -c /usr/local/nginx/conf/htpasswd aming
-t && -s reload //测试配置并从新加载
操做演示:css
[root@xuexi-001 conf]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";//定义用户认证的名字
auth_basic_user_file /usr/local/nginx/conf/htpasswd;//用户名密码文件
}
}
[root@xuexi-001 conf]# yum install -y httpd //若是以前安装过httpd 能够直接使用Apache 的密码文件,若是没有安装过可使用 yum 安装 [root@xuexi-001 conf]# htpasswd -c /usr/local/nginx/conf/htpasswd guo // 生成htppasswd 文件并指定用户为 guo : -c 是生成用户,第一次使用时建立用户,第二次使用就是覆盖了,因此在新生成用户的时候使用 [root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd guo New password: 111111 Re-type new password: 111111 Adding password for user guo // 在安装apache 后能够直接调用Apache 密码生成命令htpasswd [root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0 // 查看生成的密码文件 [root@xuexi-001 conf]# /usr/local/apache2/bin/htpasswd /usr/local/nginx/conf/htpasswd user1 // 若是想再为一个新的用户建立密码文件,这里须要将-c 去掉,若是加上就把原来生成usr/local/nginx/conf/htpasswd覆盖了 New password: Re-type new password: Adding password for user user1 [root@xuexi-001 conf]# cat /usr/local/nginx/conf/htpasswd guo:$apr1$Y7bzCOYA$dlpXLo.zp8uvpmFQKim1E0 user1:$apr1$Vq/C6L7V$mOURmyhpCNbJ5PYgOOWmq. [root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -s reload // 测试并从新加载 测试并从新加载的好处是能够检查配置文件是否有错误,若是有错误从新加载是不会生效的。若是选择从新启动,若是配置文件有问题,有可能从新启动不起来。
测试:html
[root@xuexi-001 conf]# curl -x127.0.0.1:80 test.com -I HTTP/1.1 401 Unauthorized Server: nginx/1.15.1 Date: Wed, 04 Jul 2018 16:22:39 GMT Content-Type: text/html Content-Length: 195 Connection: keep-alive WWW-Authenticate: Basic realm="Auth" //提示错误401 须要指定用户 [root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I HTTP/1.1 404 Not Found Server: nginx/1.15.1 Date: Wed, 04 Jul 2018 16:24:29 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive // 为何会提示404,由于去访问index.html ,可是我们尚未建立主目录,test.com这个目录也没有建立。 建立目录: [root@xuexi-001 conf]# mkdir /data/wwwroot/test.com [root@xuexi-001 conf]# echo "test.com" > /data/wwwroot/test.com/index.html [root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Wed, 04 Jul 2018 16:28:09 GMT Content-Type: text/html Content-Length: 9 Last-Modified: Wed, 04 Jul 2018 16:27:56 GMT Connection: keep-alive ETag: "5b3cf58c-9" Accept-Ranges: bytes [root@xuexi-001 conf]# curl -uguo:111111 -x 127.0.0.1:80 test.com test.com
访问目录时须要用户认证须要更改配置文件 test.com.confpython
[root@xuexi-001 vhost]# vi test.com.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /admin/··· // 在这里添加目录名
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
// 测试配置文件并从新加载
[root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/admin
//建立admin目录
测试:
[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:36:08 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
输入用户名密码测试:
[root@xuexi-001 ~]# cd /data/wwwroot/test.com/admin/
[root@xuexi-001 admin]# vi index.html
test.admin
[root@xuexi-001 admin]# curl -uguo:111111 -x 127.0.0.1:80 test.com/admin/
test.admin
针对某一个URLmysql
[root@xuexi-001 vhost]# vi test.com.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location ~ admin.php//匹配admin.php的URL
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
//测试配置文件并加载
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin/
test.admin
//这个时候访问admin就不用输入用户名和密码了
[root@xuexi-001 test.com]# curl -x 127.0.0.1:80 test.com/admin.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.1
Date: Wed, 04 Jul 2018 16:50:13 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
Nginx域名重定向
更改 test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
}
server_name后面支持写多个域名,这里要和httpd的作一个对比 permanent为永久重定向,状态码为301,若是写redirect则为302nginx
操做演示:web
1.编辑配置文件sql
[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# ls
aaa.com.conf test.com.conf
[root@xuexi-001 vhost]# vi test.com.conf
添加如下内容:
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
}
在Nginx里“server_name” 支持跟多个域名;可是Apache“server_name”只能跟一个域名,须要跟多个域名,须要使用Alisa;shell
在Nginx的conf配置文件里“server_name ” 设置了多个域名,就会使网站的权重变了,到底须要哪一个域名为主站点,因此须要域名重定向数据库
2.测试配置文件并从新加载
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
3.测试
使用test2.com 访问,显示301,重定向到了http://test.com/index.html
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I HTTP/1.1 301 Moved Permanently Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 15:07:27 GMT Content-Type: text/html Content-Length: 185 Connection: keep-alive Location: http://test.com/index.html
4.定义不一样的网址测试访问
[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com/admin/index.html -I HTTP/1.1 301 Moved Permanently Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 15:18:09 GMT Content-Type: text/html Content-Length: 185 Connection: keep-alive Location: http://test.com/admin/index.html
5.使用一个没有指定的网址去访问,则会显示404,由于此时访问的是默认的虚拟主机,而不是指定的test.com
[root@xuexi-001 test.com]# curl -x127.0.0.1:80 test4.com/index.html/123345 -I HTTP/1.1 404 Not Found Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 15:10:10 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive
Nginx访问日志
日志格式
vim /usr/local/nginx/conf/nginx.conf //搜索log_format
| 字段 | 说明 |
|---|---|
| $remote_addr | 客户端IP(公网IP) |
| $http_x_forwarded_for | 代理服务器的IP |
| $time_local | 服务器本地时间 |
| $host | 访问主机名(域名) |
| $request_uri | 访问的url地址 |
| $status | 状态码 |
| $http_referer | referer |
| $http_user_agent | user_agent |
除了在主配置文件nginx.conf里定义日志格式外,还须要在虚拟主机配置文件中增长
access_log /tmp/test.com.log combined_realip;
这里的combined_realip就是在nginx.conf中定义的日志格式名字
-t && -s reload
curl -x127.0.0.1:80 test.com -I
cat /tmp/test.com.log
1.默认的日志文件是在主配置文件中
打开主配置文件:vi /usr/local/nginx/conf/nginx.conf
搜索/log_format 找到如下内容,就是来定义日志格式的
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
combined_realip 日志格式的名字,能够随便定义,这里定义成什么名字,后面就引用成什么名字,决定了虚拟主机引用日志的类型
nginx配置文件,有一个特色,以 “ ; ” 分号结尾,配置文件一段若是没有 分号结尾,表示这一段尚未结束,就算中间执行了换行。
2.除了在主配置文件nginx.conf里定义日志格式外,还须要在虚拟主机配置文件去定义access_log /tmp/test.com.log aliang;; 来定义访问日志路径
[root@xuexi-001 vhost]# vi test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
access_log /tmp/test.com.log combined_realip;
// 定义访问日志路径及日志格式,若是不定义日志格式那么就会走默认的日志格式。combined_realip可修改,自定义名字。
}
3.检查配置文件并从新加载
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
4.测试
[root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test2.com -I HTTP/1.1 301 Moved Permanently Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 15:57:05 GMT Content-Type: text/html Content-Length: 185 Connection: keep-alive Location: http://test.com/ [root@xuexi-001 vhost]# curl -x 127.0.0.1:80 test3.com -I HTTP/1.1 301 Moved Permanently Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 15:57:14 GMT Content-Type: text/html Content-Length: 185 Connection: keep-alive Location: http://test.com/ [root@xuexi-001 vhost]# cat /tmp/test.com.log 127.0.0.1 - [05/Jul/2018:23:57:05 +0800] test2.com "/" 301 "-" "curl/7.29.0" 127.0.0.1 - [05/Jul/2018:23:57:14 +0800] test3.com "/" 301 "-" "curl/7.29.0"
Nginx日志切割
自定义shell 脚本
vim /usr/local/sbin/nginx_log_rotate.sh//写入以下内容
#! /bin/bash
## 假设nginx的日志存放路径为/data/logs/
d=`date -d "-1 day" +%Y%m%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`
任务计划
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
####操做演示:
Nginx没有自带日志切割工具,只能借助系统的日志切割的工具或者本身写切割的脚本实现
1.写一个日志切割脚本,首先须要建立一个shell脚本:vim /usr/local/sbin/nginx_log_rotate.sh
注意:全部的shell脚本须要放到/usr/local/sbin/目录下
[root@xuexi-001 vhost]# vim /usr/local/sbin/nginx_log_rotate.sh
#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`
解释说明:
- d=date -d “-1 day” +%Y%m%d // 生成昨天的日期,格式为年月日
- logdir=”/tmp/” // 上一节的时候,定义了日志存放在/tmp/目录下
- nginx_pid="/usr/local/nginx/logs/nginx.pid"//查找nginx的PID,目的是为了执行/bin/kill -HUP cat $nginx_pid ,而这个命令目的和nginx -s reload 是同样的
- cd $logdir //进入“logdir”日志目录下
- for log in `ls .log` //开始语句循环,看有哪些log后缀的文件
- do //执行
- mv $log $log-$d // 将 log更名为《原名字“`date -d “-1 day” +%Y%m%d` ”这个结尾的文件 》
- done //结束
- /bin/kill -HUP cat $nginx_pid // 从新加载,生成一个新的“nginx_pid=”/usr/local/nginx/logs/nginx.pid”
for 循环命令
[root@xuexi-001 vhost]# ls aaa.com.conf test.com.conf [root@xuexi-001 vhost]# for f in `ls `; do ls -l $f ; done -rw-r--r-- 1 root root 142 7月 4 23:17 aaa.com.conf -rw-r--r-- 1 root root 292 7月 5 23:54 test.com.conf
2.执行脚本,并加 -x 选项
-x:查看脚本执行的过程
[root@xuexi-001 vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh ++ date -d '-1 day' +%Y%m%d + d=20180705 + logdir=/tmp/ + nginx_pid=/usr/local/nginx/logs/nginx.pid + cd /tmp/ ++ ls php_errors.log test.com.log + for log in '`ls *.log`' + mv php_errors.log php_errors.log-20180705 + for log in '`ls *.log`' + mv test.com.log test.com.log-20180705 ++ cat /usr/local/nginx/logs/nginx.pid + /bin/kill -HUP 1024
3.查看日志切割文件,天天都生成一个日志,在天天切割后,过段时间还要按期清理
[root@xuexi-001 vhost]# ls /tmp/ test.com.log test.com.log-20180705
4.删除30天之前的日志文件
[root@xuexi-001 vhost]# find /tmp/ -name *.log-* -type f -mtime +30 |xargs rm
5.写完脚本后,还要加一个任务计划crontab -e
[root@xuexi-001 vhost]#crontab -e 0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
shell脚本知识点
1.日志时间切割的定义
- 写shell脚本的时候,若是有命令不明白,能够直接把命令运行一下就知道结果了
- 假设这个命令“ d=date -d “-1 day” +%Y%m%d ”不明白意思
- ctrl+z 把当前操做暂停丢到后台
- 执行date -d “-1 day” +%Y%m%d就是时间,并且是昨天的时间,由于目前作的日志切割都是以天为单位,并且,日志须要过了当天23点59分59秒之后到次日的0点0分01秒才切割
2.指定PID路径的意义
- “ nginx_pid=”/usr/local/nginx/logs/nginx.pid” ”这条命令的意思,就是指定nginx的PID 的路径所在
- 若是找不到指定PID的所在,那么下面的“ /bin/kill -HUP cat $nginx_pid ”这个命令也将没有办法继续执行
- “ /bin/kill -HUP cat $nginx_pid ” z这条命令的意思就是从新加载一次nginx服务
- 执行“ /bin/kill -HUP cat $nginx_pid ”这条命令的目的是由于切割日志之后 “mv $log $log-$d ” 会将日志移动位置,若是不使用这条命令从新加载一次nginx服务、从新生成一第二天志文件,那么将会致使服务出错
- 因此,为了保证“ /bin/kill -HUP cat $nginx_pid ”能准确的执行,须要肯定nginx的PID所在
[root@xuexi-001 vhost]# ls /usr/local/nginx/logs/nginx.pid /usr/local/nginx/logs/nginx.pid
3.循环语句理解
- for f in ‘ls ‘ ; do ls -l $f; done
- for 循环开始,f 表示文件,in 表示作什么,‘ls’in执行的东西; do 执行 ls -f $f;done 结束
- 任务计划
- 脚本写完之后,须要写一个计划,让脚本在规定的时间运行。
- crontab -e
- 0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
- 长时间累积,会生成大量的日志须要进行清理
- find /tmp/ -type f -name .log- -mtime +30 |xargs rm
###静态文件不记录日志&过时时间 核心配置参数:
[root@xuexi-001 vhost]# vim test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$//匹配文件类型
{
expires 7d;//过时时间为7天
access_log off;//不记录该类型文件的访问日志
}
location ~ .*\.(js|css)$
{
expires 12h;//过时时间为12小时
access_log off;//不记录该类型文件的访问日志
}
access_log /tmp/test.com.log combined_realip;//指定日志位置及格式
}
检测:
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload 访问index.html: [root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com test.com [root@xuexi-001 vhost]# cat /tmp/test.com.log 127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0" 访问baidu.jpg文件: [root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/baidu.jpg -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 16:55:27 GMT Content-Type: image/jpeg Content-Length: 12525 Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT Connection: keep-alive ETag: "5b3e4d5e-30ed" Expires: Thu, 12 Jul 2018 16:55:27 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes 说明:max-age=604800s=7天,即该文件缓存的过时时间为7天! [root@xuexi-001 vhost]# cat /tmp/test.com.log 127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0" 即:无该文件的访问日志!!!
Nginx防盗链
配置以下:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
Nginx防盗链配置须要和不记录日志和过时时间结合在一块儿,由于都用到了“location”
1.打开配置文件 vim /usr/local/nginx/conf/vhost/test.com.conf
注释掉一些配置
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
添加一些配置
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d; //过时时间7天
valid_referers none blocked server_names *.test.com ; //定义一个白名单,referer就是指一些域名
if ($invalid_referer) { //若是不是白名单里的
return 403; //返回403
}
access_log off;
}
3.检查配置文件及加载文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
4.测试
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 -I test.com/baidu.jpg HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:06:56 GMT Content-Type: image/jpeg Content-Length: 12525 Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT Connection: keep-alive ETag: "5b3e4d5e-30ed" Expires: Thu, 12 Jul 2018 17:06:56 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes
5.测试防盗链,使用curl -e
[root@xuexi-001 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg HTTP/1.1 403 Forbidden Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:08:10 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.jpg HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:09:04 GMT Content-Type: image/jpeg Content-Length: 12525 Last-Modified: Thu, 05 Jul 2018 16:54:54 GMT Connection: keep-alive ETag: "5b3e4d5e-30ed" Expires: Thu, 12 Jul 2018 17:09:04 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes
在访问curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif显示403,而在访问curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif显示200,则表示防盗链配置成功
Nginx访问控制
需求:访问/admin/目录的请求,只容许某几个IP访问,配置以下:
location /admin/
{
allow 192.168.5.130;
allow 127.0.0.1;
deny all;
}
- mkdir /data/wwwroot/test.com/admin/
- echo “test,test”>/data/wwwroot/test.com/admin/1.html
- -t && -s reload
- curl -x127.0.0.1:80 test.com/admin/1.html -I
- curl -x192.168.133.130:80 test.com/admin/1.html -I
- 能够匹配正则
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
- 根据user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all和return 403效果同样
Nginx访问控制,在平时运维网站的时候,常常会有一些请求不正常,或者故意的作一些限制,一些重要的内容禁止别人访问,就能够作一个白名单,只容许本身的公网IP或者本身公司内的公网IP去访问
1.编辑配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
增长访问控制的代码
location /admin/
{
allow 192.168.5.130;
allow 127.0.0.1;
deny all;
}
2.而后检查配置文件语法错误,而后从新加载配置文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
3.测试
[root@xuexi-001 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:19:55 GMT Content-Type: text/html Content-Length: 11 Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT Connection: keep-alive ETag: "5b3cf8d2-b" Accept-Ranges: bytes [root@xuexi-001 vhost]# curl -x192.168.5.130:80 -I test.com/admin/ -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:20:22 GMT Content-Type: text/html Content-Length: 11 Last-Modified: Wed, 04 Jul 2018 16:41:54 GMT Connection: keep-alive ETag: "5b3cf8d2-b" Accept-Ranges: bytes
4.查看日志文件,会看到访问的192.168.5.130的来源IP也是192.168.5.130,由于它是被容许的,在白名单以内,因此显示状态码为200
[root@xuexi-001 vhost]# cat /tmp/test.com.log 127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0" 127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0" 192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
针对正则匹配
- 例子
- 网站被黑,数据库被盗窃,就是由于上传图片的目录没有作禁止解析php的操做,最终致使上传了一句话木马,php也能解析,因此网站就会被黑
- 只要能上传的目录,都要禁掉,禁止解析PHP
- 加如下代码,便可禁掉上传的目录解析PHP
location ~ .*(upload|image)/.*\.php$ //只要匹配upload,而后以php结尾的
{
deny all; //都禁掉
}
1.打开配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
listen 80;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.5.130;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
access_log /tmp/test.com.log combined_realip;
}
2.检查配置文件语法错误,并从新加载配置文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
3.测试,首先是访问的那个目录,而后访问的php资源
4.建立一个upload目录,而后在建立一个php文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload [root@xuexi-001 vhost]# mkdir /data/wwwroot/test.com/upload [root@xuexi-001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php
5.访问upload目录下的1.php文件,会看到是403状态码,被拒绝访问
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.php <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.15.1</center> </body> </html>
6.这时再upload目录下建立1.txt,再来测试访问
[root@xuexi-001 vhost]# echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt [root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt dasdasdas
7.查看访问日志cat /tmp/test.com.log
[root@xuexi-001 vhost]# cat /tmp/test.com.log 127.0.0.1 - [06/Jul/2018:00:50:12 +0800] test.com "/" 200 "-" "curl/7.29.0" 127.0.0.1 - [06/Jul/2018:01:19:55 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0" 192.168.5.130 - [06/Jul/2018:01:20:22 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" 127.0.0.1 - [06/Jul/2018:01:27:34 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0" 127.0.0.1 - [06/Jul/2018:01:28:23 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
根据user_agent限制
- 若是你的网站被cc攻击,或者禁掉某些蜘蛛,若是你的网站想作一个被隐藏的网站,不想被别人搜索到,那么就能够将百度、谷歌、有道等这些蜘蛛封掉,没有任何蜘蛛爬到你的网站,也不将网址告诉任何人,那别人就没法知道你的站点,由于你的网站是被隐藏的。
- 只须要根据user_agent限制,添加如下代码
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all和return 403效果同样
操做演示:
1.打开配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($host != 'test.com' ) {
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.5.130;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/test.com.log combined_realip;
}
2.检查配置文件语法错误,并从新加载配置文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
3.模拟user_agent,访问测试,会看到显示403
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:33:39 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT Connection: keep-alive ETag: "5b3e552e-a" Accept-Ranges: bytes [root@xuexi-001 vhost]# curl -A "Tomatoslf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:35:27 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive
3.eny all和return 403效果同样
4.若是访问的时候,改为小写再访问,则状态码为200,由于这个是严格匹配的
[root@xuexi-001 vhost]# curl -A "tomatoslf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Thu, 05 Jul 2018 17:36:52 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Thu, 05 Jul 2018 17:28:14 GMT Connection: keep-alive ETag: "5b3e552e-a" Accept-Ranges: bytes
5.若是想忽略大小写,在配置文件中的匹配符号后加 * 号便可
[root@xuexi-001 vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 vhost]# curl -A "tomatoslf" -x127.0.0.1:80 test.com/upload/1.txt -IHTTP/1.1 403 Forbidden
Server: nginx/1.15.1
Date: Thu, 05 Jul 2018 17:38:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Nginx解析php的配置
配置以下:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
astcgi_pass 用来指定php-fpm监听的地址或者socket
Nginx解析php相关配置
添加如下代码:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock; //写错这个路径,就会显示502
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
1.打开虚拟主机配置文件,由于如今test.com.conf 还不能解析php,将代码添加到配置文件中
[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
# }
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.5.130;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.com.log combined_realip;
}
2.生成作一个php文件,在/data/wwwroot/test.com/目录下生成3.php
[root@xuexi-001 ~]# vi /data/wwwroot/test.com/3.php <?php phpinfo();
3.测试访问3.php,会看到没法解析3.php文件,显示出了源码
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php <?php phpinfo();
4.检查配置文件语法错误,并从新加载配置文件
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
5.再次访问3.php ,就能够正常解析了
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php
6.如果解析php相关配置的 fastcgi_pass unix:/tmp/php-fcgi.sock; 这个路径被写错,会直接显示502,由于sock文件没有被找到
7.将配置文件改错后,从新加载后,再来访问3.php,会看到显示502状态码
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@xuexi-001 ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.1</center>
</body>
</html>
8.查看访问日志cat /usr/local/nginx/logs/nginx_error.log,会看到日志文件中会说没有这样的文件或目录
[root@xuexi-001 ~]# cat /usr/local/nginx/logs/nginx_error.log 2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
9.在遇到502的问题时,须要查看你配置的地址是否正确,首先查看错误日志,而后根据错误日志中提示,查看这个文件是否存在,在查看cat /usr/local/php-fpm/etc/php-fpm.conf你定义的sock是什么,那么在nginx的配置文件中写什么
502的另外一种状况
1.假设这时不监听sock,而去监听IP端口
2.首先更改配置vim /usr/local/php-fpm/etc/php-fpm.conf
将#listen = /tmp/php-fcgi.sock注释掉,增长listen = 127.0.0.1:9000
[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] #listen = /tmp/php-fcgi.sock listen = 127.0.0.1:9000 listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024
3.重启php命令为/etc/init.d/php-fpm restart,php也支持reload
[root@xuexi-001 ~]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done
4.检查php文件是否存在语法错误,从新加载下nginx的配置文件
[root@xuexi-001 ~]# /usr/local/php-fpm/sbin/php-fpm -t [09-Jul-2018 09:34:06] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful [root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
5.查看监听端口是否为127.0.0.1:9000
[root@xuexi-001 ~]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1005/nginx: master tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 905/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1256/master tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1813/php-fpm: maste tcp6 0 0 :::22 :::* LISTEN 905/sshd tcp6 0 0 ::1:25 :::* LISTEN 1256/master tcp6 0 0 :::3306 :::* LISTEN 1216/mysqld
6.再次访问3.php
[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.15.1</center> </body> </html>
7.查看配置文件提示文件不存在,这时候须要在配置文件中作一个更改,在php配置那一块,注释掉nix,添加ip和端口
[root@xuexi-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.5.130;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
location ~ \.php$
{
include fastcgi_params;
# fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000;//注释掉unix,添加ip和端口
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.com.log combined_realip;
8.检查语法错误,并从新加载配置文件
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
9.再来访问3.php文件,会看到正常访问
[root@xuexi-001 ~]# curl -x 127.0.0.1:80 test.com/3.php -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 01:46:17 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.6.36
10.如果出现502,要检查下配置文件中的fastcgi_pass 这块是否nginx与php-fpm中所配置的地址是相匹配的
-
PHP下的listen = /tmp/php-fcgi.sock这段配置很重要,决定了nginx是否能正确解析而不是502
-
当PHP配置文件 listen 使用sock时,那么对应的nginx配置文件下就必须使用 fastcgi_pass unix:/tmp/php-fcgi.sock;
-
当PHP配置文件listen 使用 IP加端口“127.0.0.1:9000”的时候,那么对应的nginx就要改为fastcgi_pass 127.0.0.1:9000;
11.配置文件中的 fastcgi_param SCRIPT_FILENAME 中的地址路径/data/wwwroot/test.com$fastcgi_script_name;与配置文件最上方的 root /data/wwwroot/test.com; 相对应起来
502的其余状况
在php5.4及之后的其余版本,有一个特色:更改监听为sock,取消监听IP和端口,注释掉listen.mode
1.更改php-fpm的配置文件,取消注释listen = /tmp/php-fcgi.sock,注释掉#listen = 127.0.0.1:9000和#listen.mode = 666
[root@xuexi-001 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock #listen = 127.0.0.1:9000 #listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024
2.从新加载php
[root@xuexi-001 ~]# /etc/init.d/php-fpm reload Reload service php-fpm done
3.查看sock文件的权限为660,属主和属组为root
[root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock srw-rw---- 1 root root 0 7月 9 09:51 /tmp/php-fcgi.sock
4.更改nginx虚拟主机配置文件,取消 fastcgi_pass unix:/tmp/php-fcgi.sock; 的注释,注释掉#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/tmp/php-fcgi.sock;这一行的配置是为了nginx去读sock文件
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
# fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
5.检测配置文件并从新加载
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
6.访问3.php,依然是502
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.15.1</center> </body> </html>
7.查看错误日志
[root@xuexi-001 ~]# tail /usr/local/nginx/logs/ access.log error.log nginx_error.log nginx.pid [root@xuexi-001 ~]# tail /usr/local/nginx/logs/nginx_error.log 2018/07/09 09:03:11 [crit] 1608#0: *4 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com" 2018/07/09 09:37:07 [crit] 1847#0: *6 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com" 2018/07/09 09:59:38 [crit] 2016#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
8.sock文件默认权限使660,root用户能够读,root用户组也是可读的,惟独其余用户不能去读
9.看到是由nobody的身份去读nginx的
[root@xuexi-001 ~]# ps aux |grep nginx root 1005 0.0 0.0 21348 1696 ? Ss 08:38 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf nobody 2015 0.0 0.1 23272 3452 ? S 09:57 0:00 nginx: worker process nobody 2016 0.0 0.2 23272 3952 ? S 09:57 0:00 nginx: worker process root 2080 0.0 0.0 112724 972 pts/0 S+ 10:03 0:00 grep --color=autonginx
10.这时须要临时改变权限为nobody
[root@xuexi-001 ~]# chown nobody /tmp/php-fcgi.sock
11.这时再去访问3.php会看到正常访问
[root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 02:09:35 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.6.36
12.这就是由于nobody用户有读的权限,因此能够正常访问
13.在php-fpm的配置文件中定义listen.mode,就是为了让任何用户能够读
14.再去配置文件中取消listen.mode的注释
listen.mode = 666
15:重启php-fpm的配置文件,查看文件权限,并测试访问
[root@xuexi-001 ~]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@xuexi-001 ~]# ls -l /tmp/php-fcgi.sock srw-rw-rw- 1 root root 0 7月 9 10:12 /tmp/php-fcgi.sock [root@xuexi-001 ~]# curl -x127.0.0.1:80 test.com/3.php -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 02:13:39 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.6.36
502还有另一种状况,就是php-fpm服务,资源耗尽,也会显示502,这时候就须要去优化了
Nginx代理
用户访问web服务器不能直接访问,须要找一个中间者,这个中间者能够跟web服务器相通,也能够跟用户相通。还有就是用户访问web服务器能够访问,就是比较慢,也可使用nginx代理
在nginx虚拟主机下建立一个新的文件 proxy.conf
- cd /usr/local/nginx/conf/vhost
- vim proxy.conf
添加如下内容:
server
{
listen 80;
server_name ask.apelearn.com; //定义用户访问的域名
location /
{
proxy_pass http://121.201.9.155/; //告诉nginx真正的ip在这里(web服务器ip)
proxy_set_header Host $host; //$host 等于 上面的 server_name
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
尚未设置代理文件,测试访问www.baidu.com/robots.txt
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I HTTP/1.1 404 Not Found Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 03:02:14 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive
设置代理服务器:
- 建立文件并添加配置文件内容
[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# vi proxy.conf
server
{
listen 80;
server_name www.baidu.com;
location /
{
proxy_pass http://119.75.216.20/; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
2.测试配置文件并从新加载文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
3.不使用代理测试,访问成功
[root@xuexi-001 vhost]# curl www.baidu.com/robots.txt -I HTTP/1.1 200 OK Accept-Ranges: bytes Connection: Keep-Alive Content-Length: 2754 Content-Type: text/plain Date: Mon, 09 Jul 2018 03:07:38 GMT Etag: "ac2-5563e2ac212b7" Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT P3p: CP=" OTI DSP COR IVA OUR IND COM " Server: Apache Set-Cookie: BAIDUID=C30CA25B16D70C6E28ADB714EB6A80BC:FG=1; expires=Tue, 09-Jul-19 03:07:38 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1 Vary: Accept-Encoding,User-Agent
- 使用代理测试
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 03:07:56 GMT Content-Type: text/plain Content-Length: 2754 Connection: keep-alive Accept-Ranges: bytes Etag: "ac2-5563e2ab4b400" Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT P3p: CP=" OTI DSP COR IVA OUR IND COM " Set-Cookie: BAIDUID=D904E71FD19FBCAEB64951864689F629:FG=1; expires=Tue, 09-Jul-19 03:07:56 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1 Vary: Accept-Encoding,User-Agent
curl -x127.0.0.1:80 www.baidu.com/robots.txt -I //指定本机, 也能访问, 正常状况不配置代理, 本地不可能访问到远程的站点, 代理服务器就是配置代理的这个虚拟机, web服务器就是论坛
Nginx代理是在一台代理服务器中自定义一个域名,该域名指向一个或多个IP,而后将用户的请求经过这台代理服务器解析指定的IP所对应的web服务器;
当该域名指向多个IP时,须要使用upstream保证用户能够经过代理服务器正常访问每一个IP,即为负载均衡。
Nginx代理
用户访问web服务器不能直接访问,须要找一个中间者,这个中间者能够跟web服务器相通,也能够跟用户相通。还有就是用户访问web服务器能够访问,就是比较慢,也可使用nginx代理
在nginx虚拟主机下建立一个新的文件 proxy.conf
- cd /usr/local/nginx/conf/vhost
- vim proxy.conf
添加如下内容:
server
{
listen 80;
server_name ask.apelearn.com; //定义用户访问的域名
location /
{
proxy_pass http://121.201.9.155/; //告诉nginx真正的ip在这里(web服务器ip)
proxy_set_header Host $host; //$host 等于 上面的 server_name
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
尚未设置代理文件,测试访问www.baidu.com/robots.txt
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I HTTP/1.1 404 Not Found Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 03:02:14 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive
设置代理服务器:
- 建立文件并添加配置文件内容
[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# vi proxy.conf
server
{
listen 80;
server_name www.baidu.com;
location /
{
proxy_pass http://119.75.216.20/; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
2.测试配置文件并从新加载文件
[root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
3.不使用代理测试,访问成功
[root@xuexi-001 vhost]# curl www.baidu.com/robots.txt -I HTTP/1.1 200 OK Accept-Ranges: bytes Connection: Keep-Alive Content-Length: 2754 Content-Type: text/plain Date: Mon, 09 Jul 2018 03:07:38 GMT Etag: "ac2-5563e2ac212b7" Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT P3p: CP=" OTI DSP COR IVA OUR IND COM " Server: Apache Set-Cookie: BAIDUID=C30CA25B16D70C6E28ADB714EB6A80BC:FG=1; expires=Tue, 09-Jul-19 03:07:38 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1 Vary: Accept-Encoding,User-Agent
- 使用代理测试
[root@xuexi-001 vhost]# curl -x127.0.0.1:80 www.baidu.com/robots.txt -I HTTP/1.1 200 OK Server: nginx/1.15.1 Date: Mon, 09 Jul 2018 03:07:56 GMT Content-Type: text/plain Content-Length: 2754 Connection: keep-alive Accept-Ranges: bytes Etag: "ac2-5563e2ab4b400" Last-Modified: Tue, 08 Aug 2017 13:44:48 GMT P3p: CP=" OTI DSP COR IVA OUR IND COM " Set-Cookie: BAIDUID=D904E71FD19FBCAEB64951864689F629:FG=1; expires=Tue, 09-Jul-19 03:07:56 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1 Vary: Accept-Encoding,User-Agent
curl -x127.0.0.1:80 www.baidu.com/robots.txt -I //指定本机, 也能访问, 正常状况不配置代理, 本地不可能访问到远程的站点, 代理服务器就是配置代理的这个虚拟机, web服务器就是论坛
Nginx代理是在一台代理服务器中自定义一个域名,该域名指向一个或多个IP,而后将用户的请求经过这台代理服务器解析指定的IP所对应的web服务器;
当该域名指向多个IP时,须要使用upstream保证用户能够经过代理服务器正常访问每一个IP,即为负载均衡。
Nginx负载均衡
Nginx负载均衡即为当代理服务器将自定义的域名解析到多个指定IP时,经过upstream来保证用户能够经过代理服务器正常访问各个IP。
负载均衡配置:
vim /usr/local/nginx/conf/vhost/load.conf // 写入以下内容
upstream qq.com·····qq.com这里这个名字能够自定义
{
ip_hash;·····使同一个用户始终保持在同一个机器上
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
upstream来指定多个web server
操做演示:
1.使用dig命令查看域名的解析地址,若是没有使用yum -y install bind-utils
[root@xuexi-001 ~]# dig qq.com ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> qq.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;qq.com. IN A ;; ANSWER SECTION: qq.com. 246 IN A 111.161.64.40 qq.com. 246 IN A 111.161.64.48 // 返回两个IP地址 ;; Query time: 10 msec ;; SERVER: 119.29.29.29#53(119.29.29.29) ;; WHEN: 二 7月 10 23:22:25 CST 2018 ;; MSG SIZE rcvd: 67
2.可使用解析到的两个IP能够制做负载均衡
3.在默认的虚拟机里面新建一个文件load.conf ,并添加如下内容
[root@xuexi-001 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq_com
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;····定义监听端口的域名
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
正常状况下使用本机访问www.qq.com 会显示默认页
[root@xuexi-001 ~]# curl -x 127.0.0.1:80 www.qq.com This is the default site.
4.检测配置文件及从新加载
[root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xuexi-001 ~]# /usr/local/nginx/sbin/nginx -s reload
5.从新加载配置文件后在测试,会出现qq.com的网页的代码
相关文章
- 1. LNMP(2)Nginx默认虚拟主机、Nginx用户认证、Nginx域名重定向、Nginx访问日志、
- 2. nginx默认虚拟主机、用户认证、域名重定向
- 3. Nginx安装、默认虚拟主机、Nginx用户认证、Nginx域名重定向
- 4. Nginx安装&默认虚拟主机&Nginx用户认证&Nginx域名重定向
- 5. Nginx安装、默认虚拟主机、 Nginx用户认证、Nginx域名重定向
- 6. Nginx安装, 默认虚拟主机,Nginx用户认证,Nginx域名重定向
- 7. Nginx安装,默认虚拟主机,Nginx用户认证,Nginx域名重定向
- 8. Nginx安装-默认虚拟主机-Nginx用户认证-Nginx域名重定向
- 9. Nginx安装 默认虚拟主机 Nginx用户认证 Nginx域名重定向
- 10. Nginx安装,默认虚拟主机,Nginx用户认证和域名重定向
- 更多相关文章...
- • Docker 安装 Nginx - Docker教程
- • MySQL默认值(DEFAULT) - MySQL教程
- • 漫谈MySQL的锁机制
- • PHP Ajax 跨域问题最佳解决方案
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. LNMP(2)Nginx默认虚拟主机、Nginx用户认证、Nginx域名重定向、Nginx访问日志、
- 2. nginx默认虚拟主机、用户认证、域名重定向
- 3. Nginx安装、默认虚拟主机、Nginx用户认证、Nginx域名重定向
- 4. Nginx安装&默认虚拟主机&Nginx用户认证&Nginx域名重定向
- 5. Nginx安装、默认虚拟主机、 Nginx用户认证、Nginx域名重定向
- 6. Nginx安装, 默认虚拟主机,Nginx用户认证,Nginx域名重定向
- 7. Nginx安装,默认虚拟主机,Nginx用户认证,Nginx域名重定向
- 8. Nginx安装-默认虚拟主机-Nginx用户认证-Nginx域名重定向
- 9. Nginx安装 默认虚拟主机 Nginx用户认证 Nginx域名重定向
- 10. Nginx安装,默认虚拟主机,Nginx用户认证和域名重定向