Chapter 12: LNMP architecture (part 2)

12.7 Nginx default virtual host
12.8 Nginx user authentication
12.9 Nginx domain redirection
12.10 Nginx access log
12.11 Nginx log rotation
12.12 No access log and expiry times for static files
12.13 Nginx anti-hotlinking
12.14 Nginx access control
12.15 Nginx PHP parsing configuration
12.16 Nginx proxy
12.17 Extensions
12.18 Class notes

12.7 Nginx default virtual host

Defining a custom default virtual host

Step 1. Edit the nginx main configuration file

vim /usr/local/nginx/conf/nginx.conf

Make the following changes:

1. Delete the server block inside the http section.
2. Add one line at the end of the http section:

    include vhost/*.conf;

Step 2. Create the vhost directory

mkdir /usr/local/nginx/conf/vhost

Step 3. Write the custom virtual host file

cd /usr/local/nginx/conf/vhost
vim aaa.conf

# add the following content
server
{
    listen 80 default_server;   # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/aaa;
}

Step 4. Create the site directory

mkdir -p /data/wwwroot/aaa/

Step 5. Test that the default virtual host works

1. Put some content into /data/wwwroot/aaa/index.html

echo "This is a default site." > /data/wwwroot/aaa/index.html

2. Check the configuration syntax and reload

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

3. Test. A request for localhost, and requests for host names that no server block matches (123.com, hdiag.com), are all answered by the default virtual host:

curl localhost
curl -x127.0.0.1:80 123.com

[root@xinlinux-03 aaa]# curl localhost
“This is a default site.”
[root@xinlinux-03 aaa]# curl -x127.0.0.1:80 123.com
“This is a default site.”
[root@xinlinux-03 aaa]# curl -x127.0.0.1:80 hdiag.com
“This is a default site.”

Two ways a virtual host becomes the default one:

1. The first .conf file loaded from the vhost directory is the default virtual host.
2. Adding the "default_server" flag to the listen directive makes that virtual host the default.

12.8 Nginx user authentication

Step 1. Write a virtual host configuration file

vim /usr/local/nginx/conf/vhost/test.com.conf

# add the following content
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}

Step 2. Generate the password file

yum install -y httpd
# not needed if Apache is already installed; the package is only wanted for its htpasswd tool
# (the yum package installs it as /usr/bin/htpasswd; the path below is the source-built Apache 2.4)

/usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd xin
# htpasswd -c creates the password file /usr/local/nginx/conf/htpasswd and adds the user xin
# (-c creates the file from scratch: leave it out when adding further users, or the existing file is overwritten)

[root@xinlinux-03 aaa]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd xin
New password:
Re-type new password:
Adding password for user xin

Step 3. Test the configuration and reload

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

Step 4. Create the site directory test.com

mkdir /data/wwwroot/test.com

Step 5. Test

echo "test.com" > /data/wwwroot/test.com/index.html
curl -x127.0.0.1:80 test.com -I   # status 401 means authentication is required

[root@xinlinux-03 aaa]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:12:27 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

curl -uxin:1234 -x127.0.0.1:80 test.com
# with credentials the status becomes 200

[root@xinlinux-03 aaa]# curl -uxin:1234 -x127.0.0.1:80 test.com
test.com

Edit the Windows hosts file and open test.com in a browser: a prompt for user name and password appears.

Authentication for a single directory (change the argument after location):

location /admin/
{
    auth_basic              "Auth";
    auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
}

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/admin/2.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:23:46 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

[root@xinlinux-03 test.com]# curl -uxin:1234 -x127.0.0.1:80 test.com/admin/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:23:10 GMT
Content-Type: application/octet-stream
Content-Length: 4
Last-Modified: Wed, 19 Sep 2018 09:17:52 GMT
Connection: keep-alive
ETag: "5ba21440-4"
Accept-Ranges: bytes

(The Content-Type is application/octet-stream because PHP parsing is not configured until 12.15: the .php file is handed out as a raw file, source included.)

Authentication for a URL pattern:

location ~ admin.php
{
    auth_basic              "Auth";
    auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
}
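Added example, not from the course notes: the same auth_basic_user_file can be maintained without installing Apache, using openssl's apr1 (MD5-crypt) output, which nginx accepts. The helper also avoids the htpasswd -c pitfall by replacing an existing user's line instead of recreating the file; htpasswd_set and htpasswd_check are my own names, and the file path and credentials are constructed.

```shell
#!/bin/bash
# Added example: maintain nginx's auth_basic_user_file without Apache's htpasswd.
# Format written: user:$apr1$salt$hash (MD5-crypt), which nginx's auth_basic accepts.
# htpasswd_set / htpasswd_check are constructed helper names, not nginx or Apache tools.

# htpasswd_set <file> <user> <password>: add the user, or replace its line if present
htpasswd_set() {
    file=$1; user=$2; pass=$3
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    tmp=$(mktemp) || return 1
    # keep every other user's entry; compare the user field exactly, not as a regex
    if [ -f "$file" ]; then
        awk -F: -v u="$user" '$1 != u' "$file" > "$tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    # only the nginx worker needs to read it; keep it out of reach of other users
    chmod 640 "$tmp" && mv "$tmp" "$file"
}

# htpasswd_check <file> <user> <password>: 0 if the password matches the stored hash
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    # re-hash with the stored salt (third $-separated field) and compare
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$calc" = "$stored" ]
}

# demo with constructed values (the notes' user "xin" and password 1234)
HTFILE=$(mktemp)
htpasswd_set "$HTFILE" xin 1234
htpasswd_set "$HTFILE" xin newpass      # second call replaces the entry, no duplicate line
cat "$HTFILE"
```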

12.9 Nginx domain redirection

Edit test.com.conf:

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$ http://test.com/$1  permanent;
    }
    # the if block means: test.com is the primary domain, and requests that arrive
    # under any of the other matched domains are redirected to it
}

# server_name accepts several domain names; compare this with how httpd does it
# permanent is a permanent redirect with status 301; redirect gives a temporary 302

[root@xinlinux-03 test.com]# curl  -x127.0.0.1:80 test1.com/admin/2.php -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:27:40 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/admin/2.php

[root@xinlinux-03 test.com]# curl  -x127.0.0.1:80 test4.com/admin/2.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 09:27:47 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

(test4.com is not listed in server_name, so it is not redirected: it falls through to the default virtual host from 12.7, whose root has no /admin/2.php, hence the 404.)

12.10 Nginx access log

The log format is also defined in the main configuration file:

vim /usr/local/nginx/conf/nginx.conf
# search for log_format

Variables used in the log format:

$remote_addr            client IP (public IP)
$http_x_forwarded_for   IP passed on by a proxy server (X-Forwarded-For header)
$time_local             server local time
$host                   host name requested (domain)
$request_uri            URL requested
$status                 status code
$http_referer           referer
$http_user_agent        user agent

Note that $remote_addr is the address of the TCP peer, while $http_x_forwarded_for is just a request header that any client or proxy can set; only trust it when the request comes from a proxy you run.

# Besides defining the format in nginx.conf, each virtual host configuration must also turn it on:

    access_log /tmp/test.com.log combined_realip;

# combined_realip here is the name of the log format defined in nginx.conf

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com -I
cat /tmp/test.com.log

[root@xinlinux-03 test.com]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:17:34:16 +0800] test.com "/" 200 "-" "curl/7.29.0"
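Added example, not part of the notes: a small summary over log lines in the combined_realip format shown above, to find clients that keep tripping the authentication, access-control and anti-hotlink rules of the following sections (401/403). The log lines, IP addresses and function names are constructed.

```shell
#!/bin/bash
# Added example: summarise an nginx access log written in the combined_realip
# format ($remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri"
# $status "$http_referer" "$http_user_agent"). The log lines below are constructed.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
127.0.0.1 - [19/Sep/2018:17:34:16 +0800] test.com "/" 200 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:01 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:02 +0800] test.com "/admin/2.php" 401 "-" "curl/7.29.0"
10.0.0.5 - [19/Sep/2018:17:35:03 +0800] test.com "/admin/2.php" 401 "-" "curl/7.29.0"
203.0.113.9 198.51.100.7, 10.0.0.1 [19/Sep/2018:17:36:10 +0800] test.com "/1.gif" 403 "http://www.baidu.com/" "Mozilla/5.0"
203.0.113.9 198.51.100.7 [19/Sep/2018:17:36:11 +0800] test.com "/" 403 "-" "Tomato crawler"
127.0.0.1 - [19/Sep/2018:18:22:42 +0800] test.com "/1.gifhaksdl" 404 "-" "curl/7.29.0"
EOF

# Lines are split on the double quotes, so a multi-valued X-Forwarded-For (which
# contains spaces, see line 5) cannot shift the status column. $remote_addr, the
# TCP peer, is used as the client key; X-Forwarded-For is client-supplied.
# denied_clients <log> [min]: "<count> <ip>" for each client with >= min 401/403 replies
denied_clients() {
    awk -F'"' -v min="${2:-1}" '
        { split($1, head, " "); ip = head[1]
          split($3, mid, " ");  status = mid[1]
          if (status == 401 || status == 403) denied[ip]++ }
        END { for (ip in denied) if (denied[ip] >= min) print denied[ip], ip }
    ' "$1" | sort -rn
}

# status_counts <log>: "<status> <count>" per status code, e.g. before/after an ACL change
status_counts() {
    awk -F'"' '{ split($3, mid, " "); n[mid[1]]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

denied_clients "$LOG" 2
status_counts "$LOG"
```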

12.11 Nginx log rotation

Step 1. Write a shell script

vim /usr/local/sbin/nginx_logrotate.sh
# add the following content

#! /bin/bash
# Rotate the nginx logs: rename every *.log in the log directory with yesterday's
# date as a suffix, then tell nginx to open fresh log files.
d=$(date -d "-1 day" +%Y%m%d)        # date stamp used as the suffix
logdir="/usr/local/nginx/logs"       # directory nginx writes its logs to
nginx_pid="/usr/local/nginx/logs/nginx.pid"

cd "$logdir" || exit 1
for log in *.log
do
    [ -e "$log" ] || continue        # no *.log files present: nothing to rotate
    mv "$log" "$log-$d"              # rename the log file with the date suffix
done
# HUP makes the master process re-read its configuration and open new log files
/bin/kill -HUP "$(cat "$nginx_pid")"

Step 2. Add a scheduled task

crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh

12.12 No access log and expiry times for static files

Configuration:

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    expires      7d;        # cache expiry time sent to the client
    access_log off;         # do not log requests for these static files
}

location ~ .*\.(js|css)$
{
    expires      12h;
    access_log off;
}

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

Test

cd /data/wwwroot/test.com
vim 1.gif
vim 2.js
curl -x127.0.0.1:80 test.com/1.gif
curl -x127.0.0.1:80 test.com/2.js
curl -x127.0.0.1:80 test.com/1.gifhaksdl

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.gif
gahi
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/2.js
123giouh
[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.gifhaksdl
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@xinlinux-03 test.com]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:18:22:42 +0800] test.com "/1.gifhaksdl" 404 "-" "curl/7.29.0"

Only the request for 1.gifhaksdl shows up in the log: its name does not end in .gif, so it misses the static-file location and is handled (and logged) by the plain location /, where it gets a 404.

12.13 Nginx anti-hotlinking

Configuration (it can be merged with the static-file location above):

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    # sites under *.test.com are whitelisted as referers
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

The Referer header is supplied by the client, so this blocks pages on other sites from embedding the files, not a client that deliberately sets a whitelisted Referer.

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

Test

curl -e "http://www.baidu.com" -x127.0.0.1:80 -I test.com/1.gif

[root@xinlinux-03 test.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:26:48 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

curl -e "http://www.test.com" -x127.0.0.1:80 -I test.com/1.gif

[root@xinlinux-03 test.com]# curl -e "http://www.test.com" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:26:55 GMT
Content-Type: image/gif
Content-Length: 5
Last-Modified: Wed, 19 Sep 2018 09:42:00 GMT
Connection: keep-alive
ETag: "5ba219e8-5"
Expires: Wed, 26 Sep 2018 10:26:55 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
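Added example (mine, not from the notes): a shell model of how the valid_referers line above classifies a Referer value, so the 403/200 outcomes of the curl -e tests can be reasoned about offline. It assumes server_name test.com for the server_names keyword; referer_allowed and check_referer are constructed names.

```shell
#!/bin/bash
# Added example: model of  valid_referers none blocked server_names *.test.com;
# for a vhost whose server_name is test.com. referer_allowed returns 0 when the
# request would be served and 1 when $invalid_referer would be set (return 403).
# This is a constructed model, not nginx code: only the host part is compared
# (scheme, port and path are ignored), case-insensitively, as the module does.
SERVER_NAMES="test.com"

referer_allowed() {
    ref=$1
    # "none": the request carried no Referer header at all
    [ -n "$ref" ] || return 0
    case "$ref" in
        http://*)  host=${ref#http://} ;;
        https://*) host=${ref#https://} ;;
        # "blocked": a Referer is present but its scheme has been stripped
        *)         return 0 ;;
    esac
    host=${host%%/*}
    host=${host%%:*}
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    # "server_names": the vhost's own names
    for n in $SERVER_NAMES; do
        [ "$host" = "$n" ] && return 0
    done
    # "*.test.com": any subdomain of test.com (the bare domain is covered above)
    case "$host" in
        *.test.com) return 0 ;;
    esac
    return 1
}

# show the decision the way the curl -e tests above do
check_referer() {
    if referer_allowed "$1"; then
        echo "200 OK        Referer: ${1:-<none>}"
    else
        echo "403 Forbidden Referer: $1"
    fi
}

check_referer ""
check_referer "http://www.test.com/page.html"
check_referer "http://www.baidu.com"
check_referer "http://test.com.evil.example/"
```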

12.14 Nginx access control

Requirement: only a few IP addresses may access the /admin/ directory.

Step 1. Edit the main configuration file /usr/local/nginx/conf/nginx.conf

Configuration:

location /admin/
{
    allow 192.168.233.150;
    allow 127.0.0.1;
    deny all;
    # there is no order directive as in httpd: rules are checked top to bottom and the first match wins
}

Step 2. Test

1. Create the admin directory and put content into admin/1.html

mkdir /data/wwwroot/test.com/admin/
echo "test,test" > /data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.233.150:80 test.com/admin/1.html -I

Regular expressions can be matched as well (this configuration denies every file ending in .php under the /upload/ and /image/ directories):

location ~ .*(upload|image)/.*\.php$
{
    deny all;
}

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/upload/2.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:41:36 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/admin.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:42:00 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Wed, 19 Sep 2018 09:17:19 GMT
Connection: keep-alive
ETag: "5ba2141f-0"
Accept-Ranges: bytes

Restricting by user_agent:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
# adding an asterisk, "~*", makes the match case-insensitive
{
    return 403;
}
# deny all and return 403 have the same effect

The ~ operator is a regular-expression match, so "Tomato" matches any User-Agent that contains it, as the test below shows. The User-Agent is chosen by the client, so this filters well-behaved crawlers only.

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -A "Tomatoafghra" -x127.0.0.1:80 test.com -I

[root@xinlinux-03 test.com]# curl -A "Tomatoafghra" -x127.0.0.1:80 test.com
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

12.15 Nginx PHP parsing configuration

Edit the virtual host configuration file

Configuration:

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

# fastcgi_pass names the address or socket php-fpm listens on; whatever php-fpm defines,
# the nginx configuration must use the same value. A wrong path produces a 502 status.
# written as fastcgi_pass 127.0.0.1:9000 instead, php-fpm is reached over a TCP port

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

vim /data/wwwroot/test.com/1.php
<?php
echo "123456";
?>

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php
<?php
echo "123456";
?>

The raw PHP source comes back because the new location has not been loaded yet; nginx serves the .php file as a plain file, which would expose the application code on a real site. After the reload below the script is executed instead:

[root@xinlinux-03 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xinlinux-03 test.com]# /usr/local/nginx/sbin/nginx -s reload
[root@xinlinux-03 test.com]# !curl
curl -x127.0.0.1:80 test.com/1.php
123456[root@xinlinux-03 test.com]#

Experiment: write the sock path wrongly in the virtual host configuration (leave out "fc")

1. Run -t and reload

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

2. curl -x127.0.0.1:80 test.com/1.php -I

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 10:55:10 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive

3. Check the error log

tail /usr/local/nginx/logs/nginx_error.log
2018/09/19 18:55:10 [crit] 1400#0: *49 connect() to unix:/tmp/php-gi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/1.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-gi.sock:", host: "test.com"
# the message says the socket file cannot be found

4. Correct the sock path in the virtual host configuration so that it matches php-fpm's sock path, then try again

[root@xinlinux-03 test.com]# !curl
curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:00:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

Another cause of a 502 status

vim /usr/local/php-fpm/etc/php-fpm.conf
# if the php-fpm configuration does not set the listen socket's permission to 666, the sock file
# gets the default 660 permission and requests also fail with 502

Before the test:

[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw-rw- 1 root root 0 9月  19 16:59 /tmp/php-fcgi.sock

After changing the permission:

[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 9月  19 19:20 /tmp/php-fcgi.sock

Test:

1. Remove the sock file permission setting from php-fpm, run -t and restart

/usr/local/php-fpm/sbin/php-fpm -t
/etc/init.d/php-fpm restart

2. curl -x127.0.0.1:80 test.com/1.php -I

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:25:57 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive

3. Check the sock file attributes

[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 9月  19 19:20 /tmp/php-fcgi.sock

# the nginx configuration shows that the worker processes run as the user nobody,
# which with mode 660 and owner root cannot open the socket

[root@xinlinux-03 test.com]# chown nobody /tmp/php-fcgi.sock
[root@xinlinux-03 test.com]# ll /tmp/php-fcgi.sock
srw-rw---- 1 nobody root 0 9月  19 19:32 /tmp/php-fcgi.sock
[root@xinlinux-03 test.com]# !curl
curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:34:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

4. Restore the permission setting, run -t and restart

/usr/local/php-fpm/sbin/php-fpm -t
/etc/init.d/php-fpm restart

5. curl -x127.0.0.1:80 test.com/1.php -I

[root@xinlinux-03 test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 11:30:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
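Added example (mine, not from the notes): a preflight check for the two 502 causes walked through above, the fastcgi_pass/listen path mismatch and a socket the nginx worker user cannot open. The config fragments are constructed copies of the settings used in the notes; vhost_socket, fpm_socket, check_socket_paths and check_socket_access are my helper names, and check_socket_access assumes GNU stat.

```shell
#!/bin/bash
# Added example: preflight for the two 502 causes shown above. The two config
# fragments are constructed; the paths are the ones used in the notes.
DIR=$(mktemp -d)
printf 'location ~ \\.php$ {\n    fastcgi_pass unix:/tmp/php-gi.sock;\n}\n' > "$DIR/test.com.conf"
printf '[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\n' > "$DIR/php-fpm.conf"

# socket path named by fastcgi_pass in a vhost file (empty when it uses a TCP address)
vhost_socket() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*unix:\([^;]*\);.*/\1/p' "$1" | head -n1
}
# socket path from "listen = ..." in php-fpm's pool config (listen.mode etc. do not match)
fpm_socket() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n1
}
# 0 when nginx and php-fpm name the same socket; the "php-gi.sock" typo from the
# experiment above is exactly what makes nginx log "No such file or directory"
check_socket_paths() {
    v=$(vhost_socket "$1"); f=$(fpm_socket "$2")
    [ -n "$v" ] || { echo "vhost uses a TCP fastcgi_pass; nothing to compare"; return 1; }
    [ "$v" = "$f" ] && { echo "OK: both sides use $v"; return 0; }
    echo "MISMATCH: fastcgi_pass=$v but php-fpm listen=$f (expect 502)"; return 1
}
# 0 when the socket exists and user $2 can open it: world rw (listen.mode = 666)
# or owned by that user with rw (the chown nobody fix). Assumes GNU stat (Linux).
check_socket_access() {
    sock=$1; user=$2
    [ -S "$sock" ] || { echo "MISSING: $sock is not a unix socket"; return 1; }
    set -- $(stat -c '%U %a' "$sock" 2>/dev/null); owner=$1; mode=${2:-0}
    [ $((mode % 10)) -ge 6 ] && { echo "OK: $sock mode $mode is world rw"; return 0; }
    [ "$owner" = "$user" ] && [ $((mode / 100 % 10)) -ge 6 ] && { echo "OK: $sock owned by $user"; return 0; }
    echo "DENIED: $sock is $owner mode $mode; worker user $user cannot connect (expect 502)"
    return 1
}

check_socket_paths "$DIR/test.com.conf" "$DIR/php-fpm.conf" || :   # prints MISMATCH
check_socket_access /tmp/php-fcgi.sock nobody || :                 # MISSING unless php-fpm runs here
```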

12.16 Nginx proxy

cd /usr/local/nginx/conf/vhost
vim proxy.conf

# add the following content
server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass     http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP   $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Host is passed through so the upstream can select its own virtual host; X-Real-IP and
# X-Forwarded-For carry the original client address, which is what $http_x_forwarded_for
# in the log format of 12.10 records on the upstream side

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 ask.apelearn.com/roots.txt

Reposted from blog.csdn.net/Lucky_LGX/article/details/87976519