LNMP: Nginx default virtual host, user authentication, domain redirection, access log, log rotation, no logging and expiry time for static files, hotlink protection, access control, PHP parsing, Nginx proxy

1. Nginx default virtual host

Like httpd, Nginx has a default virtual host: the first server block Nginx loads for a given listen address and port is the default. The difference from httpd is that Nginx also has a flag that marks a server block as the default explicitly; only when no block carries that flag does the first one loaded win. The default host answers every request whose Host header matches no server_name (including requests that arrive by bare IP address), so it should not be a site you care about.

  • First edit /usr/local/nginx/conf/nginx.conf: comment out (or delete) the server block inside http { ... } and tell Nginx to load the virtual-host configuration from a separate directory.
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http
{
    
#    server
#    {
#        listen 80;
#        server_name localhost;
#        index index.html index.htm index.php;
#        root /usr/local/nginx/html;
#        location ~ \.php$ 
#        {
#            include fastcgi_params;
#            fastcgi_pass unix:/tmp/php-fcgi.sock;
#            fastcgi_index index.php;
#            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
#        }    
#    }   
     
    include vhost/*.conf;   # load every virtual-host file under conf/vhost/ (the glob is expanded in sorted order)
}
  • Create one configuration file per virtual host:
[root@localhost conf]# mkdir vhost
[root@localhost conf]# cd vhost
[root@localhost vhost]# ls
[root@localhost vhost]# vim aaa.com.conf   # virtual-host configuration for the aaa.com site
server
{
   listen 80 default_server;  # default_server marks this as the default virtual host: any request whose Host matches no server_name on port 80 is served by aaa.com
   server_name aaa.com;
   index index.html index.php;
   root /data/wwwroot/aaa.com;
}
  • Create the document root with mkdir -p /data/wwwroot/aaa.com/ and write some content into index.html:
[root@localhost ~]# mkdir -p /data/wwwroot/aaa.com/
[root@localhost ~]# cd !$
cd /data/wwwroot/aaa.com/
[root@localhost aaa.com]# vim index.html
This is a test default site.   # write this line, then save and quit
  • Check the configuration and reload:
[root@localhost aaa.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost aaa.com]# /usr/local/nginx/sbin/nginx -s reload
  • Test: the default page is the content we put in /data/wwwroot/aaa.com/index.html:
[root@localhost aaa.com]# curl localhost
This is a test default site.
[root@localhost aaa.com]# curl -x127.0.0.1:80 bbb.com   # bbb.com is defined nowhere, so it lands on the default virtual host and gets aaa.com's page
This is a test default site.
  • Because nginx.conf was changed, the default index page shown now is the index page of the virtual host we just added under vhost/. There are two ways to define the default virtual host:
  1. Without any flag, the default is the first .conf file loaded from the vhost directory, so file-name ordering alone decides. This is fragile and not recommended.
  2. Add default_server to the listen directive in the .conf file of the host you want as the default (one per listen address:port).

2. Nginx user authentication

  • Add a second virtual-host configuration file under the vhost directory and put an authentication block in it:
[root@localhost aaa.com]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim test.com.conf   # new file, with the auth_basic configuration
server
{
   listen 80;
   server_name test.com;
   index index.html index.php;
   root /data/wwwroot/test.com;
   location /
   {
     auth_basic "Auth";
     auth_basic_user_file /usr/local/nginx/conf/htpasswd;
   }
}
  • Generate the password file with Apache's htpasswd tool (on CentOS it lives in the httpd-tools package; installing the whole httpd server just to get htpasswd is not necessary):
[root@localhost ~]# yum install -y httpd   # pulls in htpasswd (httpd-tools alone is enough)
[root@localhost ~]# htpasswd -c /usr/local/nginx/conf/htpasswd aming   # create the file and the user aming; omit -c when adding further users, otherwise the file is recreated and existing entries are lost
New password: 
Re-type new password: 
Adding password for user aming
[root@localhost ~]# cat /usr/local/nginx/conf/htpasswd
aming:$apr1$Z4P7.Rm3$r2bGw1jfz05tJb5jjwNtl1
  • Check the configuration and reload:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
  • Verify the authentication:
[root@localhost ~]# mkdir -p /data/wwwroot/test.com/
[root@localhost ~]# vim /data/wwwroot/test.com/index.html
test.com   # write this line
[root@localhost ~]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized   # 401: authentication required
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 13:56:17 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com
test.com

Authentication for a specific directory:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /admin/   # credentials are now required only under /admin/
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}

[root@localhost ~]# curl -x127.0.0.1:80 test.com   # with the location narrowed to /admin/, the site root no longer asks for credentials
test.com
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com/index.html
test.com
[root@localhost ~]# curl -x127.0.0.1:80 test.com/admin/
<html>   # 401: this path requires authentication
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# mkdir -p /data/wwwroot/test.com/admin   # create the directory
[root@localhost ~]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html   # write some content
[root@localhost ~]# curl -x127.0.0.1:80 test.com/admin/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com/admin/
test.com admin dir   
[root@localhost ~]# curl -uaming:123456 -x127.0.0.1:80 test.com/admin/index.html
test.com admin dir
  • Authentication for a specific URL:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~ admin.php   # regex match on the URL
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}

Two things to keep in mind with these blocks. The regex admin.php is unanchored and its dot matches any character, so it also covers /foo/admin.php.bak or /adminXphp; write location ~ ^/admin\.php$ if you mean exactly that file. And location matching order matters: after the longest prefix match, Nginx tries the regex locations in the order written and the first one that matches wins, so a prefix block such as location /admin/ does not protect PHP files under /admin/ once a location ~ \.php$ block (section 9) exists; the auth directives have to sit in the block that actually handles the request. Basic auth also sends user:password base64-encoded, not encrypted, on every request, so it only makes sense on an HTTPS listener.
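The following is an added example, not part of the original post: it creates and checks entries for auth_basic_user_file with the openssl command line instead of httpd-tools, so you can verify a password against the stored hash without a running Nginx. It assumes openssl supports passwd -apr1 (the MD5-based scheme htpasswd uses by default and the one shown in the page's file, $apr1$...). The user name and salt are taken from the page's example; the second user is made up for the demonstration.

```sh
#!/bin/sh
# Added example: htpasswd-compatible entries via openssl. Only $apr1$ entries are handled.

# htpasswd_entry USER PASSWORD [SALT]: print "USER:$apr1$SALT$hash" for the password file.
htpasswd_entry() {
    user=$1; pass=$2; salt=${3:-$(openssl rand -hex 4)}   # 8 characters from the apr1 salt alphabet
    # The password goes in over stdin so it never shows up in `ps` output, which it would
    # with `openssl passwd -apr1 <password>` or `htpasswd -b`.
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# htpasswd_verify FILE USER PASSWORD: exit 0 when PASSWORD matches USER's stored hash.
# The salt is read from the stored entry and the candidate is re-hashed with it, which is
# what Nginx does on every authenticated request.
htpasswd_verify() {
    stored=$(awk -F: -v u="$2" '$1 == u { print substr($0, length(u) + 2); exit }' "$1")
    [ -n "$stored" ] || return 1
    case $stored in
        '$apr1$'*) ;;
        *) echo "verify: only \$apr1\$ entries are handled here" >&2; return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$calc" = "$stored" ]
}

# Usage (paths from the page):
#   htpasswd_entry aming 123456 Z4P7.Rm3 > /usr/local/nginx/conf/htpasswd
#   htpasswd_verify /usr/local/nginx/conf/htpasswd aming 123456 && echo ok
```

Keep the file where the page puts it, under conf/ and outside every document root, and readable only by root and the Nginx worker user.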

3. Nginx domain redirection

  • Add a redirect to the virtual-host configuration; domain redirection in Nginx works much like in httpd.
  1. In Nginx, server_name accepts several names; in Apache, ServerName takes a single name and additional names go in ServerAlias.
  2. When several domains are listed in server_name and all serve the same content, search engines split the site's ranking between them. Decide which domain is the main site and redirect the others to it.
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test1.com test2.com;  # several names, unlike Apache; redirect them all to test.com so the search ranking is not split
   index index.html index.php;
   root /data/wwwroot/test.com;
   if ($host != 'test.com')
   {
      rewrite ^/(.*)$ http://test.com/$1 permanent;
   }   # done with the rewrite module: permanent is a permanent redirect (301), redirect a temporary one (302)
  # location /
  # {
  #   auth_basic "Auth";
  #   auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  # }
   
}
  • if ($host != 'test.com') runs the block below whenever the requested host is not test.com ("!=" means "not equal").

  • rewrite ^/(.*)$ http://test.com/$1 permanent; captures the whole request path with ^/(.*)$ and inserts it again as $1, so http://test1.com/index.html becomes http://test.com/index.html; further rules can be added the same way. The form that does the same thing and is the one the Nginx documentation recommends inside an if is return 301 http://test.com$request_uri;.

  • Check the configuration and reload:

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload

- Verify: the defined names test1.com and test2.com get a 301. A name that matches no server_name is not redirected; it lands on the default virtual host (aaa.com), which answers 200 for its own index page and 404 for a path it does not have:

[root@localhost ~]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:18:31 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@localhost ~]# curl -x127.0.0.1:80 test1.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:20:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html

[root@localhost ~]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 200 OK   # test3.com matches no server_name, so the default virtual host aaa.com answers; Content-Length 29 is its index page, not test.com's
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:21:04 GMT
Content-Type: text/html
Content-Length: 29
Last-Modified: Tue, 03 Jul 2018 13:15:54 GMT
Connection: keep-alive
ETag: "5b3b770a-1d"
Accept-Ranges: bytes
[root@localhost ~]# curl -x127.0.0.1:80 test11111.com/admin/index.html/dadfafaf -I
HTTP/1.1 404 Not Found   # undefined name and a path the default host does not have: 404
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 15:24:31 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

4. Nginx access log

  • Log format
  • vim /usr/local/nginx/conf/nginx.conf and search for log_format:
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
$remote_addr           IP address of the connecting client, as seen on the TCP connection (the public IP when the client connects directly)
$http_x_forwarded_for  value of the X-Forwarded-For request header, which proxies in front of the server use to pass on the original client IP. It is only a request header: any client can set it to anything, so it is trustworthy only when the connecting peer is a proxy you control
$time_local            local server time
$host                  requested host name (domain)
$request_uri           requested URL path (including the query string)
$status                response status code
$http_referer          Referer header
$http_user_agent       User-Agent header
  1. combined_realip is the name of the log format. It can be anything; whatever name is chosen here is the one the virtual hosts reference, and it decides which format they log with.
  2. Nginx configuration statements end with a semicolon. A statement that has not yet reached its semicolon continues across line breaks, which is why the three quoted lines above form a single log_format directive.
  • Defining the format in nginx.conf is not enough: each virtual host also has to set access_log /tmp/test.com.log combined_realip; to give the log a path and pick that format. Without a format name, Nginx falls back to its built-in combined format.
[root@localhost ~]# cd /usr/local/nginx/conf//vhost/
[root@localhost vhost]# ls
aaa.com.conf  test.com.conf
[root@localhost vhost]# vim test.com.conf

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    access_log /tmp/test.com.log combined_realip;
}
  • Check the configuration and reload:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

- Test

[root@localhost vhost]# curl -x127.0.0.1:80 test1.com/admin/index.html/dadfafaf -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 16:04:57 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html/dadfafaf
[root@localhost vhost]# curl -x127.0.0.1:80 test2.com/admin/index.html/dadfafaf -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 16:05:04 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html/dadfafaf
[root@localhost vhost]# curl -x127.0.0.1:80 test1.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 16:03:00 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
  • View the log with cat /tmp/test.com.log:
[root@localhost vhost]# cat /tmp/test.com.log
127.0.0.1 - [04/Jul/2018:00:03:00 +0800] test1.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:00:04:57 +0800] test1.com "/admin/index.html/dadfafaf" 301 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:00:05:04 +0800] test2.com "/admin/index.html/dadfafaf" 301 "-" "curl/7.29.0"
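An added example, not from the original post: parsing lines in the combined_realip format defined above and pulling out what an incident responder usually wants first (counts per status code, refused requests per source, and which requests carried X-Forwarded-For). The five log lines are constructed for the example in exactly that format; they are not traffic from the page. The point it makes is that $http_x_forwarded_for is copied verbatim from the request and can contain commas and spaces, so the record cannot be split on whitespace; the time-stamp brackets and the quotes are used as anchors instead.

```sh
#!/bin/sh
# Added example: parse combined_realip access-log lines and summarise them.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
# Constructed sample records (not real traffic); the last one carries a client-supplied
# X-Forwarded-For with two addresses in it.
cat >"$SAMPLE_LOG" <<'EOF'
127.0.0.1 - [04/Jul/2018:00:03:00 +0800] test1.com "/index.html" 301 "-" "curl/7.29.0"
10.0.0.5 - [04/Jul/2018:01:09:50 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
10.0.0.5 - [04/Jul/2018:18:05:54 +0800] test.com "/1.gif" 403 "http://www.baidu.com/1.txt" "curl/7.29.0"
10.0.0.7 203.0.113.9 [04/Jul/2018:18:06:10 +0800] test.com "/admin/" 403 "-" "Mozilla/5.0"
10.0.0.7 1.1.1.1, 203.0.113.9 [04/Jul/2018:18:06:11 +0800] test.com "/upload/1.php" 403 "-" "Tomato"
EOF

# parse_log FILE: one tab-separated record per line:
# remote_addr, x_forwarded_for, time_local, host, request_uri, status, referer, user_agent.
# The time stamp is located by its own shape, so a "[" smuggled into X-Forwarded-For cannot
# shift the fields. Nginx escapes '"' and '\' inside logged variables as \xNN, so a literal
# double quote only ever delimits a field.
parse_log() {
    awk '{
        if (!match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9:]+ [+-][0-9]+\]/)) next
        lb = RSTART; rb = RSTART + RLENGTH - 1
        pre  = substr($0, 1, lb - 2)          # "remote_addr xff" (xff may hold spaces)
        ts   = substr($0, lb + 1, rb - lb - 1)
        rest = substr($0, rb + 2)             # host "uri" status "referer" "ua"
        n = split(rest, q, "\"")
        if (n < 6) next
        ra  = pre; sub(/ .*/, "", ra)
        xff = pre; sub(/^[^ ]+ ?/, "", xff)
        host = q[1]; gsub(/ /, "", host)
        st   = q[3]; gsub(/ /, "", st)
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", ra, xff, ts, host, q[2], st, q[4], q[6]
    }' "$1"
}

# count_status FILE CODE: number of requests answered with CODE.
count_status() {
    parse_log "$1" | awk -F'\t' -v code="$2" '$6 == code { n++ } END { print n + 0 }'
}

# denied_by_peer FILE: 403 responses grouped by $remote_addr. Group by this field, not by
# X-Forwarded-For: $remote_addr is the TCP peer Nginx itself saw, X-Forwarded-For is
# whatever the client (or a proxy in front of you) chose to send.
denied_by_peer() {
    parse_log "$1" | awk -F'\t' '$6 == 403 { n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# forwarded_clients FILE: requests that carried X-Forwarded-For, as "peer<TAB>header value".
# Believe the header only when the peer is one of your own proxies.
forwarded_clients() {
    parse_log "$1" | awk -F'\t' '$2 != "-" { print $1 "\t" $2 }'
}

echo "403 responses: $(count_status "$SAMPLE_LOG" 403)"
denied_by_peer "$SAMPLE_LOG"
forwarded_clients "$SAMPLE_LOG"
```

Point parse_log at /tmp/test.com.log to run the same queries over the real file; the format string in nginx.conf is the only thing the parser depends on.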

5. Nginx log rotation

Unlike Apache, Nginx ships no log-rotation tool, so we write a shell script for it.

  • vim /usr/local/sbin/nginx_log_rotate.sh and write the script. For easier management, keep all shell scripts under /usr/local/sbin/.
[root@localhost vhost]# vim /usr/local/sbin/nginx_log_rotate.sh

#!/bin/bash
## assumes the nginx logs live under /tmp/
d=`date -d "-1 day" +%Y%m%d`   # date suffix for the rotated file: the log being closed holds yesterday's traffic
logdir="/tmp"                  # directory holding the logs (the access_log path from the virtual-host configuration)
nginx_pid="/usr/local/nginx/logs/nginx.pid"   # pid file from the nginx configuration, needed to signal the master process below
cd "$logdir" || exit 1
for log in `ls *.log`          # every file ending in .log (a plain glob, for log in *.log, is safer than ls)
do
    mv -- "$log" "$log-$d"
done
/bin/kill -HUP `cat "$nginx_pid"`   # same as nginx -s reload: new worker processes open fresh log files under the original names. USR1 reopens only the logs, without a configuration reload.
  • d=`date -d "-1 day" +%Y%m%d`: yesterday's date as YYYYMMDD

  • logdir="/tmp": the directory where the previous section placed the log

  • nginx_pid="/usr/local/nginx/logs/nginx.pid": the nginx pid file, so that /bin/kill -HUP `cat $nginx_pid` can be sent to the master process; that has the same effect as nginx -s reload

  • cd $logdir: change into the log directory

  • for log in `ls *.log`: loop over every file whose name ends in .log

  • do: run mv $log $log-$d to rename each one

  • done: end of the loop

  • /bin/kill -HUP `cat $nginx_pid`: reload, so that nginx creates a new log file under the original name

  • Run the script with -x to trace what it executes:

[root@localhost vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180703
+ logdir=/tmp
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180703
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 950
  • Check the rotated files. One file per day accumulates, so old ones have to be cleaned up regularly:
[root@localhost vhost]# ls /tmp/
mysql.sock
pear
php-fcgi.sock
systemd-private-48961cd994ed4ec596b20e16054c856a-chronyd.service-UdCTFK
systemd-private-48961cd994ed4ec596b20e16054c856a-vgauthd.service-wiV5Ul
systemd-private-48961cd994ed4ec596b20e16054c856a-vmtoolsd.service-Q76tJX
test.com.log
test.com.log-20180703
  • Delete log files older than 30 days:
[root@localhost vhost]# find /tmp/ -name *.log-* -type f -mtime +30 |xargs rm
rm: missing operand
Try 'rm --help' for more information.   # nothing matched, so xargs ran rm without arguments. In the script, quote the pattern ('*.log-*') so the shell cannot expand it first, and use find ... -delete or xargs -r rm so an empty result is harmless.
  • With the script written, add a cron job so rotation and cleanup run daily: crontab -e
[root@localhost vhost]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
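An added example, not the page's script: the same rotation with the holes in the version above closed (no ls in the loop, quoted names, no overwrite of an existing rotated file, USR1 instead of a full reload, quoted find pattern, and the cleanup folded in). Paths and the pid-file default are the page's; the environment variable NGINX_LOG_ROTATE_RUN is an assumption introduced here so the file can be sourced for testing without touching /tmp.

```sh
#!/bin/sh
# Added example: hardened nginx log rotation and cleanup.

# rotate_nginx_logs LOGDIR SUFFIX [PIDFILE]: rename every *.log in LOGDIR to *.log-SUFFIX
# and ask nginx to reopen its logs. Prints the number of files rotated.
rotate_nginx_logs() {
    logdir=$1; suffix=$2; pidfile=${3:-/usr/local/nginx/logs/nginx.pid}
    rotated=0
    for log in "$logdir"/*.log; do
        [ -f "$log" ] || continue        # no *.log at all: the glob stays literal, skip it
        if [ -e "$log-$suffix" ]; then   # running twice in one day must not clobber the earlier file
            echo "rotate: $log-$suffix exists, skipping" >&2
            continue
        fi
        mv -- "$log" "$log-$suffix" && rotated=$((rotated + 1))
    done
    # USR1 makes nginx reopen its log files and nothing else. The page's script sends HUP,
    # a full configuration reload: that reopens the logs too, but at midnight it would also
    # silently activate any half-edited vhost file.
    if [ -r "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")"
    fi
    echo "$rotated"
}

# purge_old_logs LOGDIR DAYS: delete rotated files last modified more than DAYS days ago and
# print how many were removed. The pattern is quoted so the shell cannot expand it, and
# -delete replaces "| xargs rm", which fails with "rm: missing operand" on an empty result.
purge_old_logs() {
    find "$1" -name '*.log-*' -type f -mtime "+$2" -print -delete | wc -l | tr -d ' '
}

# Set NGINX_LOG_ROTATE_RUN=1 in the crontab entry to rotate for real:
#   0 0 * * * NGINX_LOG_ROTATE_RUN=1 /bin/sh /usr/local/sbin/nginx_log_rotate.sh
if [ "${NGINX_LOG_ROTATE_RUN:-0}" = 1 ]; then
    logdir=/tmp                                  # the access_log directory from test.com.conf
    rotate_nginx_logs "$logdir" "$(date -d '-1 day' +%Y%m%d)" >/dev/null
    purge_old_logs "$logdir" 30 >/dev/null
fi
```

Rotated logs are evidence: if the 30-day purge is too short for your incident-response needs, ship them off the box before purge_old_logs runs rather than lengthening the retention on a web server.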

6. No logging and expiry time for static files

  • Open the virtual-host configuration, vim /usr/local/nginx/conf/vhost/test.com.conf, and add:
[root@localhost vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$    # matches files with these extensions
    {
          expires      7d;        # cacheable for 7 days (sets Expires and Cache-Control: max-age)
          access_log off;        # do not log requests matched by this block
    }
location ~ .*\.(js|css)$
    {
          expires      12h;        # cacheable for 12 hours
          access_log off;        # do not log requests for js/css files
    }
  • Check the configuration syntax and reload:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
  • Test
[root@localhost vhost]# cd /data/wwwroot/test.com/
[root@localhost test.com]# ls
1.txt  admin  index.html
[root@localhost test.com]# vim 1.gif
[root@localhost test.com]# vim 2.js
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/1.gif
1234567890
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/2.js
0987654321
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
  • View the log: only index.html was logged; the gif and js requests were not:
[root@localhost test.com]# cat /tmp/test.com.log
127.0.0.1 - [04/Jul/2018:01:09:50 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  • Test the expiry time with -I:
[root@localhost test.com]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 03 Jul 2018 17:13:16 GMT
Content-Type: application/javascript
Content-Length: 11
Last-Modified: Tue, 03 Jul 2018 17:08:58 GMT
Connection: keep-alive
ETag: "5b3badaa-b"
Expires: Wed, 04 Jul 2018 05:13:16 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

max-age=43200 is the expiry in seconds (12 hours). Without expires in the configuration, no Expires or Cache-Control: max-age header is sent. One trade-off of access_log off: 403 and 404 responses on these paths disappear from the log as well, so if the access log feeds your monitoring, keep logging them and filter later.

7. Nginx hotlink protection

  • Hotlink protection can be configured in the same block as the no-logging and expiry settings. The Referer header is set by the client, so this stops other sites' pages from embedding your images; it does not stop a deliberate fetch that omits or forges the header, and it is not access control.

Edit the virtual-host configuration:

[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^(.+)\.(gif|jpg|jpeg|png|bmp|swf)$   # match the URL (~* makes the regex case-insensitive)
   {
     expires 7d;
     access_log off;
     valid_referers none blocked server_names *.test.com;  # Referer whitelist
     if ($invalid_referer)   # set when the Referer is not on the whitelist
     {
         return 403;   # refuse the request
     }
   }
  • Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
  • Test: without a Referer the request succeeds (none allows it), a foreign Referer gets 403, and a Referer under test.com passes:
[root@localhost ~]# ls /data/wwwroot/test.com/
1.gif  1.txt  2.js  admin  index.html
[root@localhost ~]# curl -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:07:10 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Tue, 03 Jul 2018 17:08:35 GMT
Connection: keep-alive
ETag: "5b3bad93-b"
Expires: Wed, 11 Jul 2018 10:07:10 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:08:50 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@localhost ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:09:15 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Tue, 03 Jul 2018 17:08:35 GMT
Connection: keep-alive
ETag: "5b3bad93-b"
Expires: Wed, 11 Jul 2018 10:09:15 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
  • View the log: the image requests, allowed or refused, do not appear because of access_log off in that block:
[root@localhost ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [04/Jul/2018:01:09:50 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jul/2018:18:05:54 +0800] test.com "/2.js" 200 "-" "curl/7.29.0"

8. Nginx access control

  • Restrict access to a site directory by source IP:

Edit the virtual-host configuration:

[root@localhost ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
    {
        allow 127.0.0.1;  # allow the local machine
        allow 192.168.222.112;  # Nginx has no Apache-style Order directive: allow/deny rules are checked top to bottom and the first rule matching the client address decides, so the specific allows go before deny all
        deny all;  # refuse everyone else
    }
  • Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#
  • Test access to the admin directory (with curl -x the request arrives from the address given as the proxy, so both requests come from an allowed address):
[root@localhost ~]# mkdir -p /data/wwwroot/test.com/admin
[root@localhost ~]# curl -x192.168.222.112:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:34:00 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 03 Jul 2018 14:27:38 GMT
Connection: keep-alive
ETag: "5b3b87da-13"
Accept-Ranges: bytes

[root@localhost ~]# curl -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 04 Jul 2018 10:36:27 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Tue, 03 Jul 2018 14:27:38 GMT
Connection: keep-alive
ETag: "5b3b87da-13"
Accept-Ranges: bytes

Access control by regex match: add a regex location that refuses PHP files under the upload or image directories, a standard precaution against a web shell dropped through an upload form. It has to come before the location ~ \.php$ block, because the first matching regex location wins:

location ~ .*(upload|image)/.*\.php$
{
    deny all;
}

  • Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
  • Create the upload directory, add 1.php and test:
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload
[root@localhost ~]# ls /data/wwwroot/test.com/
1.gif  1.txt  2.js  admin  index.html  upload
[root@localhost ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# ls /data/wwwroot/test.com/upload
1.php

[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
  • Access control by User-Agent: add a regex match on $http_user_agent
if ($http_user_agent ~* 'spider/3.0|YoudaoBot|Tomato')   # ~* is a case-insensitive regex match; these user agents are blacklisted
{
   return 403;
}
  • Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
  • Test (the first request is already refused by the upload rule; the second shows the User-Agent rule, which only stops clients that announce themselves honestly, since the header is chosen by the client):
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@localhost ~]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

Note: deny all and return 403 have the same effect, a 403 Forbidden response.

9. Nginx configuration for parsing PHP

Edit the virtual-host configuration and add:

[root@localhost ~]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
    include fastcgi_params;
    # the socket php-fpm listens on; if php-fpm.conf says listen = 127.0.0.1:9000, write fastcgi_pass 127.0.0.1:9000 here instead
    # a wrong socket path produces a 502
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;   # index file
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;   # must begin with the same path as root
}
# php-fpm configuration
[root@nginx test.com]# vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock 
listen.mode = 666  # with a unix socket the nginx worker (user nobody) must be allowed to open it, otherwise 502. 666 achieves that but also lets every local user talk to php-fpm; the tighter form is listen.owner = nobody, listen.group = nobody, listen.mode = 0660
user = php-fpm
group = php-fpm
  • Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
  • Test. Two things to check: fastcgi_pass has two forms (unix socket or TCP address) and Nginx and php-fpm must agree on the same one, otherwise 502; and the path in fastcgi_param SCRIPT_FILENAME must match root (writing $document_root$fastcgi_script_name avoids the duplication). It is also worth adding try_files $uri =404; to this location: with PHP's cgi.fix_pathinfo enabled, a request such as /upload/1.jpg/x.php is otherwise passed to php-fpm, which falls back to executing /upload/1.jpg as PHP.

10. Nginx proxy

  • When a website sits on a private network that outside users cannot reach, a proxy server with access to both networks lets them reach it indirectly.
  • A proxy can also speed up access, for example a user in mainland China reaching a site in the US through a proxy in Hong Kong.
  • Install Nginx on the proxy server and create proxy.conf under vhost:
[root@localhost ~]# cd /usr/local/nginx/conf/vhost
[root@localhost vhost]# vim proxy.conf

server
{
   listen 80;  # listening port
   server_name ask.apelearn.com; # domain the proxy answers for

   location /
   {
     proxy_pass http://121.201.9.155;   # IP of the backend web server
     proxy_set_header Host $host;   # pass the original host name on, so the backend picks the right virtual host
     proxy_set_header X-Real-IP $remote_addr;   # client IP as seen by this proxy
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # the incoming X-Forwarded-For with this client's IP appended (just $remote_addr if the header was absent), so the backend sees the whole chain; the backend should trust these headers only when they arrive from this proxy's address
   }
}
  • Check the configuration and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
  • Test





Reposted from blog.csdn.net/xou6363/article/details/80920203