Lesson 21 preview tasks

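1. Default virtual host

1.2 Create the virtual host configuration file

1.3 Create the site data directory

1.4 Test that the virtual host configuration works

2. Nginx user authentication

2.1 Edit the virtual host configuration file

2.2 Generate the password file

2.3 Test that user authentication works

3. Nginx domain redirection

3.1 Edit the configuration file

4. Nginx access log

4.2 Configure the access log format

4.3 Test that the log configuration works

5. Nginx log rotation

5.2 The script that rotates the nginx log automatically every minute is as follows:

5.3 Configure the scheduled task

6. No logging for static files, and expiry time

6.2 Edit the configuration file

6.3 Test that the static file configuration works

7. Nginx hotlink protection

7.2 Edit the configuration file

7.3 Test that the configuration works

8. Nginx access control

8.1 Edit the configuration file for IP-based access control

8.2 Restrict by user_agent

9. Nginx PHP parsing configuration

9.1 Edit the configuration file

9.2 Test that nginx parses PHP

10. Nginx proxy

10.1 Edit the configuration file

10.2 Test that the proxy configuration works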


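1. Default virtual host

1.1 nginx's default virtual host takes effect when a user reaches the server by IP address, or through a domain name that has no configuration of its own (for example, someone has pointed their own domain at your IP).

1.2 Create the virtual host configuration file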

//Create a directory for the virtual host configuration files
[root@knightlai conf]# mkdir /usr/local/nginx/conf/vhost
//Edit the nginx configuration file and add include vhost/*.conf;
[root@knightlai conf]# vim nginx.conf
http
{
    include mime.types;
    # ..............................
    postpone_output 1460;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    client_body_temp_path /usr/local/nginx/client_body_temp;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
    fastcgi_intercept_errors on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm
    application/xml;
    # load every virtual host file under conf/vhost
    include vhost/*.conf;
}
//Create a virtual host configuration file
[root@knightlai vhost]# vim test.com.conf
server
{
    # listen on port 80 and make this virtual host the default one
    listen 80 default_server;
    # server name
    server_name aaa.com;
    # default index pages
    index index.html index.htm index.php;
    # document root
    root /data/wwwroot/test.com;
}

1.3 Create the site data directory

//Create the site data directory
[root@knightlai vhost]# mkdir -p /data/wwwroot/test.com
//Create the site home page
[root@knightlai vhost]# vim /data/wwwroot/test.com/index.html
This is a nginx default page!

1.4 Test that the virtual host configuration works

//Check the configuration syntax, then reload the configuration
[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -s reload

//Test the home page. Because this is the default host, other domain names that point at this machine get the same page
[root@knightlai vhost]# curl -x127.0.0.1:80 test.com
This is a nginx default page!
[root@knightlai vhost]# curl -x127.0.0.1:80 www.111.com
This is a nginx default page!

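2. Nginx user authentication

2.1 Edit the virtual host configuration file

[root@knightlai vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
location  /1.php                         # the directory or page that requires authentication
    {
        auth_basic              "Auth";  # turns on basic authentication; "Auth" is the realm shown in the prompt
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;  # user name and password file
    }

1. A whole directory can be protected the same way: location  /upload requires authentication for upload
2. location  ~ admin.php  matches the access path of a PHP page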

2.2 Generate the password file

//Generate the password file with the htpasswd tool that ships with Apache; if it is missing, install httpd with yum
[root@knightlai vhost]# yum install -y httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                                        | 7.7 kB  00:00:00     
 * base: mirror.vpshosting.com.hk
 * epel: mirrors.aliyun.com
 * extras: mirror.vpshosting.com.hk
 * updates: mirror.vpshosting.com.hk
............................................
//Create a user knightlai to use in the authentication test below
[root@knightlai vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd knightlai
New password: 
Re-type new password: 
Adding password for user knightlai

2.3 Test that user authentication works

//Create a 1.php page for the test
[root@knightlai vhost]# vim /data/wwwroot/test.com/1.php
//Check the syntax and reload the configuration
[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -s reload
//The test returns 401: user authentication is required
[root@knightlai vhost]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 02:01:27 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
//With the user name and password supplied the request succeeds, so the configuration works
[root@knightlai vhost]# curl -uknightlai:123456  -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 02:03:24 GMT
Content-Type: application/octet-stream
Content-Length: 27
Last-Modified: Tue, 11 Sep 2018 01:58:02 GMT
Connection: keep-alive
ETag: "5b97212a-1b"
Accept-Ranges: bytes

3. Nginx domain redirection

3.1 Edit the configuration file

[root@knightlai vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80 default_server;
    server_name test.com 111.com ;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {
        # requests that arrive under any host name other than test.com are redirected to test.com
        # permanent is a permanent redirect with status code 301; redirect gives 302 instead
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }

}

3.2 Test that the configuration works

[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@knightlai vhost]# /usr/local/nginx/sbin/nginx -s reload


[root@knightlai vhost]# curl  -x127.0.0.1:80 test2.com/ -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 02:25:36 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/

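4. Nginx access log

4.1 nginx has a very flexible logging model. Each configuration level can have its own access log. The log format is defined with the log_format directive.

4.2 Configure the access log format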

[root@knightlai vhost]# vim /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

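$remote_addr, $http_x_forwarded_for (reverse proxy) record the client IP address
$remote_user records the client user name
$request records the request URL and HTTP protocol
$status records the request status
$body_bytes_sent is the number of bytes sent to the client, not counting the response headers; this variable is compatible with the "%B" parameter of the Apache module mod_log_config.
$bytes_sent is the total number of bytes sent to the client.
$connection is the serial number of the connection.
$connection_requests is the number of requests made so far through the connection.
$msec is the time the log entry is written, in seconds with millisecond resolution.
$pipe is "p" if the request was sent through HTTP pipelining, otherwise ".".
$http_referer records the page from which the request was linked
$http_user_agent records information about the client browser
$request_length is the length of the request (request line, request headers and request body).
$request_time is the request processing time in seconds with millisecond resolution, measured from reading the first byte from the client until the log entry is written after the last byte has been sent to the client.
$time_iso8601 is the local time in ISO 8601 format.
$time_local is the local time in Common Log Format.

4.3 Test that the log configuration works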

[root@knightlai vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80 default_server;
    server_name test.com 111.com ;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    access_log /usr/local/nginx/logs/access.log combined_realip;
    # combined_realip is the name defined with log_format in nginx.conf

}


[root@knightlai vhost]# cd /usr/local/nginx/logs
[root@knightlai logs]# ls
access.log  error.log  nginx_error.log  nginx.pid

//Check that logging works: the requests we just made have all been recorded
[root@knightlai vhost]# tail /usr/local/nginx/logs/access.log 
127.0.0.1 - - [10/Sep/2018:21:33:53 -0400] "GET HTTP://www.222.com/ HTTP/1.1" 200 30 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:00:46 -0400] "GET HTTP://test.com/1.php HTTP/1.1" 200 27 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:00:50 -0400] "HEAD HTTP://test.com/1.php HTTP/1.1" 200 0 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:01:27 -0400] "HEAD HTTP://test.com/1.php HTTP/1.1" 401 0 "-" "curl/7.29.0"
127.0.0.1 - knightlai [10/Sep/2018:22:03:24 -0400] "HEAD HTTP://test.com/1.php HTTP/1.1" 200 0 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:23:52 -0400] "HEAD HTTP://test.com/ HTTP/1.1" 200 0 "http://www.abc.com" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:25:30 -0400] "HEAD HTTP://test.com/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:25:36 -0400] "HEAD HTTP://test2.com/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:50 -0400] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:51 -0400] test.com "/" 200 "-" "curl/7.29.0"
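
The combined_realip format above can be used to spot repeated failed logins against the auth_basic page from section 2. The function below is an added example, not part of the original post; the sample lines, addresses and threshold are constructed.

```bash
#!/bin/sh
# Added example: find clients with repeated 401 responses in a log written as
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
# $http_x_forwarded_for is copied from a request header, so it can hold spaces,
# brackets or a forged address. Only the first token ($remote_addr) is filled
# in by nginx itself, and the line is split on double quotes, which nginx
# escapes as \x22 inside logged variables, instead of on whitespace.

# failed_auth_sources THRESHOLD   (log lines on stdin)
# Prints "remote_addr count" for each address with at least THRESHOLD 401s.
failed_auth_sources() {
    awk -F'"' -v min="$1" '
        NF >= 7 {
            split($1, head, " ")      # head[1] = $remote_addr
            status = $3
            gsub(/ /, "", status)     # $3 is " 401 " between two quoted fields
            if (status == "401") hits[head[1]]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min + 0) print ip, hits[ip]
        }' | sort
}

# Constructed sample lines (documentation addresses, not taken from the page's log).
sample_log() {
    cat <<'EOF'
203.0.113.7 - [11/Sep/2018:10:00:01 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
203.0.113.7 10.0.0.1, 127.0.0.1 [11/Sep/2018:10:00:02 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
203.0.113.7 127.0.0.1 [x] test.com 200 [11/Sep/2018:10:00:03 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
198.51.100.9 - [11/Sep/2018:10:00:04 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
198.51.100.9 - [11/Sep/2018:10:00:05 -0400] test.com "/1.php" 200 "-" "curl/7.29.0"
EOF
}

sample_log | failed_auth_sources 3
```

Against the live log the call would be failed_auth_sources 5 < /usr/local/nginx/logs/access.log, with the threshold chosen to suit the site.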

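5. Nginx log rotation

5.1 By default nginx writes all of its log entries to a single file, which keeps growing and becomes very inconvenient to read and analyse. Rotating the log by date works well, since statistics are usually compiled per day.

5.2 The script that rotates the nginx log automatically every minute is as follows:

[root@knightlai logs]# vim /usr/local/sbin/nginx_log.sh
#!/bin/bash
# where the logs are kept
logdir='/usr/local/nginx/logs'
# year and month of yesterday's date
log_path=$(date -d yesterday +"%Y%m")
# day of the month of yesterday's date
day=$(date -d yesterday +"%d")
# create a directory per year and month
mkdir -p "$logdir/$log_path"
# move yesterday's log into the directory for its month
mv "$logdir/access.log" "$logdir/$log_path/access_$day.log"
# print the name of the archived log file
# echo "$logdir/$log_path/access_$day.log"
# signal the nginx master process to reopen its log files
kill -USR1 "$(cat /usr/local/nginx/logs/nginx.pid)"

5.3 Configure the scheduled task

crontab -e

59 23 * * * bash /usr/local/sbin/nginx_log.sh   # runs every day at 23:59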

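6. No logging for static files, and expiry time

6.1 The Apache configuration lessons showed that static files can be excluded from logging. nginx can likewise leave some static files out of the log.

6.2 Edit the configuration file

[root@knightlai logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
# matches keywords in the URL: | inside the parentheses means "or", and \. is an escaped dot
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
          expires      7d;  # expiry time of 7 days
          access_log off;
    }
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }

6.3 Test that the static file configuration works

//Create a jpg file for the test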
[root@knightlai logs]# vim /data/wwwroot/test.com/1.jpg

[root@knightlai logs]# curl  -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:20:24 GMT
Content-Type: image/jpeg
Content-Length: 18
Last-Modified: Tue, 11 Sep 2018 03:14:51 GMT
Connection: keep-alive
ETag: "5b97332b-12"
Expires: Tue, 18 Sep 2018 03:20:24 GMT
Cache-Control: max-age=604800  //this is the expiry time
Accept-Ranges: bytes

[root@knightlai logs]# curl  -x127.0.0.1:80 test.com/1.japg -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:20:49 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
//Check the result: the request for the jpg file was not logged
[root@knightlai logs]# cat /usr/local/nginx/logs/access.log 
127.0.0.1 - - [10/Sep/2018:21:31:12 -0400] "GET HTTP://test.com/ HTTP/1.1" 200 30 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:25:36 -0400] "HEAD HTTP://test2.com/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:50 -0400] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:51 -0400] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:23:20:49 -0400] test.com "/1.japg" 404 "-" "curl/7.29.0"

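7. Nginx hotlink protection

7.1 First, why is hotlink protection needed? Some resources matter in competition with other sites: Taobao's product images, for example, should not be easy for crawler tools to scrape and collect. Hotlink protection needs to know which page the request came from (the referer) and check it against a list. How is the referer obtained? Through the valid_referers directive.

7.2 Edit the configuration file

[root@knightlai logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 404;
    }
}

//valid_referers none blocked *.test.com;

This is the whitelist of domains that are allowed to link to the files; change it to your own domain. *.test.com covers the subdomains, and domains are separated by spaces. The Referer header is chosen by the client, as the curl -e tests in 7.3 show, so this check discourages hotlinking from other sites' pages but is not an access control.

7.3 Test that the configuration works

//Only requests whose referer is on the whitelist succeed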
[root@knightlai logs]# curl -e "http://www.test.com/1.txt"  -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:47:24 GMT
Content-Type: image/jpeg
Content-Length: 18
Last-Modified: Tue, 11 Sep 2018 03:14:51 GMT
Connection: keep-alive
ETag: "5b97332b-12"
Expires: Tue, 18 Sep 2018 03:47:24 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

//A referer that is not on the whitelist gets a 404 error
[root@knightlai logs]# curl -e "http://www.aaa.com/1.txt"  -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:47:45 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

8. Nginx access control

8.1 Edit the configuration file for IP-based access control

//Edit the configuration file
[root@knightlai logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
    {
          allow 192.168.139.168;
          allow 127.0.0.1;
          deny all;
     }

[root@knightlai logs]# mkdir /data/wwwroot/test.com/admin
[root@knightlai logs]# vim /data/wwwroot/test.com/admin/1.html

//Test: addresses on the whitelist can access the page
[root@knightlai logs]# curl  -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:11:42 GMT
Content-Type: text/html
Content-Length: 21
Last-Modified: Tue, 11 Sep 2018 04:08:34 GMT
Connection: keep-alive
ETag: "5b973fc2-15"
Accept-Ranges: bytes

[root@knightlai logs]# curl  -x192.168.139.168:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:12:04 GMT
Content-Type: text/html
Content-Length: 21
Last-Modified: Tue, 11 Sep 2018 04:08:34 GMT
Connection: keep-alive
ETag: "5b973fc2-15"
Accept-Ranges: bytes

//Other addresses cannot
[root@knightlai logs]# curl  -x192.168.1.3:80 test.com/admin/1.html -I
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 19 Sep 2018 08:31:29 GMT

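8.2 Restrict by user_agent

[root@knightlai logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
    # refuse requests for PHP files under the abc and image directories
    location ~ .*(abc|image)/.*\.php$
    {
        deny all;
    }

    # refuse the listed user agents
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

//A simulated request from the Tomato user agent gets a 403 error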
[root@knightlai logs]# curl --user-agent "Tomato" -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:23:02 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@knightlai logs]# url --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" -x127.0.0.1:80 test.com/admin/1.html -I
-bash: url: command not found
[root@knightlai logs]# curl --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:21:59 GMT
Content-Type: text/html
Content-Length: 21
Last-Modified: Tue, 11 Sep 2018 04:08:34 GMT
Connection: keep-alive
ETag: "5b973fc2-15"
Accept-Ranges: bytes

9. Nginx PHP parsing configuration

9.1 Edit the configuration file

[root@knightlai logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

fastcgi_pass specifies the address or socket that php-fpm listens on

9.2 Test that nginx parses PHP

[root@knightlai logs]# curl  -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:29:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

[root@knightlai logs]# cat /data/wwwroot/test.com/1.php
<?php
echo "I am 1.php"
?>
//The request succeeds
[root@knightlai logs]# curl  -x127.0.0.1:80 test.com/1.php
I am 1.php
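
In 9.2, /1.php returns 200 without the credentials set up in section 2, which is what nginx's location selection predicts once location ~ \.php$ exists: a matching regex location is preferred over a plain prefix location such as /1.php or /admin/. The script below is an added example, not part of the original post, that models the selection rules; the rule order and the fixed_rules rewrite are assumptions.

```bash
#!/bin/sh
# Added example: a model of how nginx chooses the location for a request URI.
# Rules are read from stdin, one "MODIFIER PATTERN" per line in config order.
# MODIFIER: "=" exact, "^~" prefix that suppresses regexes, "~" or "~*" regex,
# "-" a prefix location written without a modifier.
pick_location() {
    uri=$1; best=""; best_mod=""; regex=""
    while read -r mod pat; do
        case $mod in
        '=')
            if [ "$uri" = "$pat" ]; then printf '%s\n' "= $pat"; return 0; fi ;;
        '-'|'^~')
            case $uri in
            "$pat"*)    # remember the longest matching prefix
                if [ "${#pat}" -gt "${#best}" ]; then best=$pat; best_mod=$mod; fi ;;
            esac ;;
        '~'|'~*')
            opts=-Eq
            if [ "$mod" = '~*' ]; then opts=-Eqi; fi
            if [ -z "$regex" ] && printf '%s\n' "$uri" | grep $opts -e "$pat"; then
                regex="$mod $pat"   # first matching regex in file order
            fi ;;
        esac
    done
    # A "^~" longest prefix ends the search. Otherwise the first matching regex
    # wins over every plain prefix, and its block alone handles the request.
    if [ "$best_mod" = '^~' ]; then printf '%s\n' "^~ $best"
    elif [ -n "$regex" ]; then printf '%s\n' "$regex"
    elif [ -n "$best" ]; then printf '%s\n' "prefix $best"
    else printf '%s\n' "none"; fi
}

# Locations from this page; their order inside test.com.conf is an assumption
# (the order in which the page introduces them).
page_rules() {
    printf '%s\n' '- /1.php' '- /admin/' '~ .*(abc|image)/.*\.php$' '~ \.php$'
}
# Hypothetical rewrite: "=" and "^~" keep regex locations away from these paths.
fixed_rules() {
    printf '%s\n' '= /1.php' '^~ /admin/' '~ .*(abc|image)/.*\.php$' '~ \.php$'
}

for u in /1.php /admin/1.html /admin/x.php /image/a.php; do
    printf '%s: page=[%s] fixed=[%s]\n' "$u" \
        "$(page_rules | pick_location "$u")" "$(fixed_rules | pick_location "$u")"
done
```

With = or ^~ the chosen block handles the request on its own, so it needs its own fastcgi directives (or a nested location ~ \.php$) next to auth_basic or allow/deny; otherwise PHP files under it are no longer passed to php-fpm.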

10. Nginx proxy

10.1 Edit the configuration file

//Create a proxy configuration file and write the settings into it
[root@knightlai logs]# cd /usr/local/nginx/conf/vhost/
[root@knightlai vhost]# vim proxy.conf
server
{
    listen  80;
    server_name  www.linuxidc.com;
 
    location / {
        proxy_pass        http://www.linuxidc.com;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

10.2 Test that the proxy configuration works

[root@knightlai vhost]# curl  -x127.0.0.1:80 www.linuxidc.com  -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:46:54 GMT
Content-Type: text/html
Content-Length: 30
Last-Modified: Tue, 11 Sep 2018 01:28:22 GMT
Connection: keep-alive
ETag: "5b971a36-1e"
Accept-Ranges: bytes

//With the proxy removed, this is the response instead
[root@knightlai vhost]# curl  -x127.0.0.1:80  www.linuxidc.com  -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 05:05:12 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.linuxidc.com/
X-Via-JSL: 301d0ef,-
Set-Cookie: __jsluid=61c9945ab89155ecb9abe24c40864b07; max-age=31536000; path=/; HttpOnly
X-Cache: error

Reposted from blog.csdn.net/a1779078902/article/details/82770158