LNMP 架构(二)

1.Nginx默认虚拟主机

        在Nginx中也有默认虚拟主机,跟httpd类似,第一个被Nginx加载的虚拟主机就是默认主机,但和httpd不相同的地方是,它还有一个配置用来标记默认虚拟主机,也就是说,如果没有这个标记,第一个虚拟主机为默认虚拟主机。

操作步骤如图:

步骤分解如下:

(1)编辑nginx.conf主配置文件

      进入到:cd /usr/loacl/nginx/conf/   目录

      修改nginx文件。

   完成如下内容修改:把server 这一块代码删除,然后添加如下图所示代码:

(2)创建vhost目录,并新建aaa.com.conf默认虚拟主机配置内容;

在cd /usr/loacl/nginx/conf/  建立vhost 目录:mkdir vhost

建立aaa.com.conf 文件。然后在文件中,设置如下代码内容:

创建默认的网站目录:

在vhost 目录下,建立:/data/wwwroot/default 目录,进入default目录,建立index.html 文件

录入以下内容:

(3)检测语法,重新加载配置文件;测试相关网站;任意的域名,都会指向默认主机的网站名;

完成验证操作如下:

查看主配置文件:

tail /usr/local/nginx/conf/nginx.conf

2.nginx 用户认证。具体的操作参考

(1)返回VHOST目录,另外建立一个默认主机文件

创建用户;

由于nginx没有自带创建用户的工具,因此需要借助httpd工具;假如没有,则用此命令 yum install -y httpd;因为本机已经安装,因此直接执行;

添加用户,设置密码:

继续添加用户,设置密码:

测试

测试前需要检查语法错误,以及重新加载配置文件;

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

[[email protected] vhost]# curl -x127.0.0.1:80 test.com

<html><head><title>401 Authorization Required</title></head> //出现401码,需要用户认证

<body bgcolor="white"><center><h1>401 Authorization Required</h1></center><hr><center>nginx/1.4.7</center></body></html>

[[email protected] vhost]# curl -x127.0.0.1:80 test.com -I

HTTP/1.1 401 Unauthorized

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 11:52:40 GMT

Content-Type: text/html

Content-Length: 194

Connection: keep-alive

WWW-Authenticate: Basic realm="Auth"

用户认证测试主机:

[[email protected] vhost]# curl -uying:www123 -x127.0.0.1:80 test.com

<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.7</center></body></html>

[[email protected] vhost]# ls /data/wwwroot/test.com

ls: 无法访问/data/wwwroot/test.com: 没有那个文件或目录

[[email protected] vhost]# mkdir /data/wwwroot/test.com

[[email protected] vhost]# echo "test.com" > /data/wwwroot/test.com/index.html

[[email protected] vhost]# curl -uying:www123 -x127.0.0.1:80 test.com

test.com

[[email protected] vhost]# curl -uying:www123 -x127.0.0.1:80 test.com -I

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 12:02:26 GMT

Content-Type: text/html

Content-Length: 9

Last-Modified: Thu, 05 Jul 2018 11:58:32 GMT

Connection: keep-alive

ETag: "5b3e07e8-9"

Accept-Ranges: bytes

有时候我们需要对某个访问目录或者页面进行认证,而不是全站。所以我们需要对配置文件进行更改:

[[email protected] vhost]# vim test.com.conf

以下为更改的配置内容....

server

{

listen 80;

server_name test.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

location /admin/ //注意增加了/admin/目录

{

auth_basic "Auth";

auth_basic_user_file /usr/local/nginx/conf/htpasswd;

}

}

开始测试某个目录:

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

[[email protected] vhost]# curl -x127.0.0.1:80 test.com

test.com

[[email protected] vhost]# mkdir /data/wwwroot/test.com/admin

[[email protected] vhost]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html

[[email protected] vhost]# curl -uying:www123 -x127.0.0.1:80 test.com/admin/

test.com admin dir

[[email protected] vhost]# vim test.com.conf

以下为更改的配置内容....

server

{

listen 80;

server_name test.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

location ~ admin.php //注意:此处有更改;表示根目录下的admin.php文件

{

auth_basic "Auth";

auth_basic_user_file /usr/local/nginx/conf/htpasswd;

}

}

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/admin/ //此时不需要用户认证

test.com admin dir

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/admin.php

<html><head><title>401 Authorization Required</title></head> //此时需要用户认证

<body bgcolor="white"><center><h1>401 Authorization Required</h1></center><hr><center>nginx/1.4.7</center></body></html>

 

总结:

  • location /:针对整个目录做认证

也可以针对某一个目录或url做认证,比如:

  • location /admin/:针对admin目录做认证

  • location ~ admin.php:针对某个请求的url做认证

auth_basic_user_file:用户认证文件

 3. nginx 域名重定向

      当我们站点有多个域名的时候,权重降低了,但是之前的域名已经被一部分人所依赖了,也不可能去通知大家新的站点,所以我们就会选择一个主域名其它的直接跳到主域名!

[[email protected] vhost]# vim test.com.conf

以下为更改的配置内容....

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent; //永久跳转

}

}

permanent:永久跳转,也就是301

redirect:临时跳转,302

在修改了配置文件之后,重新启动nginx.报错如下:

通过如下命令,就可解决此问题:

在Nginx配置在,server_name后面可以跟多个域名,permanent为永久重定向,相当于httpd的R=301.另外还有一个常用的redirect,相当于httpd的R=302.

[[email protected] vhost]# curl -x127.0.0.1:80 test2.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 12:38:40 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html //重定向test

[[email protected] vhost]# curl -x127.0.0.1:80 test3.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 12:38:40 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html //重定向test

[[email protected] vhost]# curl -x127.0.0.1:80 www.baidu.com/index.html //重定向于默认虚拟主机

重定向测试:

4.Nginx 访问日志

nginx日志的选项:

名词

释义

$remote_addr

客户端ip(公网ip)

$http_x_forwarded_for

代理服务器的ip

$time_local

服务器本地时间

$host

访问主机名(域名)

$request_uri

访问的url地址

$status

状态码

$http_referer

referer

$http_user_agent

user_agent

 

在nginx主配置文件定义日志的,其中combined_realip为日志的名称,这个名称可以自定义,比如这里自定义为 ying

[[email protected] vhost]# vim ../nginx.conf  (vim /usr/local/nginx/conf/nginx.conf)

用到了代理服务器:

在nginx主配置文件里,按下图并定义日志名称

在虚拟主机配置文件里,定义日志目录和格式、名称;

[[email protected] vhost]# vim test.com.conf

以下为更改的配置内容....

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

access_log /tmp/test.com.log ying; //定义日志格式 和目录

}

检测、加载配置后,进行测试;

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

[[email protected] vhost]# curl -x127.0.0.1:80 test3.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 13:02:43 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html

[[email protected] vhost]# curl -x127.0.0.1:80 test2.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 13:02:47 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html

[[email protected] vhost]# cat /tmp/test.com.log //查看生成的日志

127.0.0.1 - [05/Jul/2018:21:02:43 +0800] test3.com"/index.html" 301 "-" "curl/7.29.0" //依次为日志格式

127.0.0.1 - [05/Jul/2018:21:02:47 +0800] test2.com"/index.html" 301 "-" "curl/7.29.0"

5. Nginx日志切割

由于Nginx不像Apache有自己的切割工具,在此我们需要写个脚本完成需求:

[[email protected] vhost]# vim /usr/local/sbin/nginx_logrotate.sh

 

以下为脚本内容:

 

#! /bin/bash

d=`date -d "-1 day" +%Y%m%d`

logdir="/tmp/" //假设nginx的日志存放路径为/tmp/

nginx_pid="/usr/local/nginx/logs/nginx.pid"cd $logdirfor log in `ls *.log`

do

mv $log $log-$ddone

/bin/kill -HUP `cat $nginx_pid`

脚本语句解释:

d=date -d "-1 day" +%Y%m%d;生成昨天的日期

[[email protected] vhost]# date -d "-1 day" +%Y%m%d //执行这个语句,可以得出答案20180704

[[email protected] vhost]# date2018年 07月 05日 星期四 21:07:49 CST

for log in ls *.log

do

mv $log $log-$d

done

这是一个for循环,把ls列举的log文件,执行以日期格式的重命名

nginx_pid=”/usr/local/nginx/logs/nginx.pid”; 就是为了最后一行而设定的。

/bin/kill -HUP cat $nginx_pid

最后一行的意思和之前使用的 -s reload 是一个意思 重载nginx.pid,然后就会再次生成一个新的日志文件。否则不生成日志文件

sh -x 脚本详细执行过程:

[[email protected] vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh

++ date -d '-1 day' +%Y%m%d

+ d=20180704

+ logdir=/tmp/

+ nginx_pid=/usr/local/nginx/logs/nginx.pid

+ cd /tmp/

++ ls php_errors.log test.com.log

+ for log in '`ls *.log`'

+ mv php_errors.log php_errors.log-20180704

+ for log in '`ls *.log`'

+ mv test.com.log test.com.log-20180704

++ cat /usr/local/nginx/logs/nginx.pid

+ /bin/kill -HUP 913

查看生成的test.com日志

[[email protected] vhost]# ls /tmp/

pear

php_errors.log-20180704

php-fcgi.sock

systemd-private-94cc0dd6651e4992848100fb05207857-chronyd.service-1zARDS

systemd-private-94cc0dd6651e4992848100fb05207857-vgauthd.service-0jUT25

systemd-private-94cc0dd6651e4992848100fb05207857-vmtoolsd.service-zegNFj

test.com.log

test.com.log-20180704

日志清理

删除超过一个月的日志(当然这个也可以写在脚本里面)

[[email protected] vhost]# find /tmp/ -name *.log-* -type f -mtime +30 |xargs rm

创建执行脚本的计划:比如:每天0时0分进行切割

[[email protected] vhost]# crontab -e

no crontab for root - using an empty one

crontab: installing new crontab

以下为创建的crontab内容:

0 0 * * * /usr/local/sbin/nginx_log_rotate.sh //每天的0时0分执行此脚本

扩展:https://www.okay686.cn/524.html

6. 静态文件不记录到日志和过期时间

虚拟主机配置文件location~可以指定对应的静态文件,expires配置过期时间,而access_log 配置为off就可以不记录访问日志了

  • 配置文件

按以下设置虚拟主机配置文件;

[[email protected] vhost]# vim test.com.conf

以下为更改的配置内容....

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ //匹配.gif等格式的静态文件不计入日志

{

expires 7d; //有效期7天

access_log off; //不记录日志

}

location ~ .*\.(js|css)$ //匹配js或者css文件

{

expires 12h; //有效期12小时

access_log off;

}

access_log /tmp/test.com.log ying;

}

  • 测试

在网站test.com目录下,创建gif和css文件

[[email protected] vhost]# cd /data/wwwroot/test.com/

[[email protected] test.com]# ls

admin index.html

[[email protected] test.com]# vim 1.gif

[[email protected] test.com]# vim 2.css

现在开始访问,然后看生成的日志;从下面试验,可以看出日志不记录gif及css文件;

[[email protected] test.com]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] test.com]# /usr/local/nginx/sbin/nginx -s reload

[[email protected] test.com]# curl -x127.0.0.1:80 test.com/1.gif

aaaaaaaa

[[email protected] test.com]# curl -x127.0.0.1:80 test.com/2.css

bbbbbbbbb

[[email protected] test.com]# curl -x127.0.0.1:80 test.com/index.html

test.com

[[email protected] test.com]# cat /tmp/test.com.log

127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com"/index.html" 200 "-" "curl/7.29.0"

[[email protected] test.com]# curl -x127.0.0.1:80 test.com/2.css

bbbbbbbbb

[[email protected] test.com]# cat /tmp/test.com.log

127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com"/index.html" 200 "-" "curl/7.29.0"

7.Nginx 防盗链

防盗链代码,里面包含过期时间;

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

把此代码,放入虚拟主机配置中;

[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d; //包含过期时间

valid_referers none blocked server_names *.test.com; //定义白名单

if ($invalid_referer) { //条件语句,是否匹配白名单

return 403; //不符合,无效的引用者,则返回403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

access_log /tmp/test.com.log ying;

}

检查语句,并加载配置文件

[[email protected] ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload

测试,针对有效referer和无效referer的对比;

[[email protected] ~]# curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 403 Forbidden //无效refer,返回403

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 00:48:58 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[email protected] ~]# curl -e "http://xx.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 200 OK //白名单的refer

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 00:51:19 GMT

Content-Type: image/gif

Content-Length: 10

Last-Modified: Thu, 05 Jul 2018 15:29:40 GMT

Connection: keep-alive

ETag: "5b3e3964-a"

Expires: Fri, 13 Jul 2018 00:51:19 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

8.Nginx 访问控制

为了提高安全性,我们需要将某些页面加密处理!

1. 针对某个目录设置

访问控制的核心代码;

location /admin/ //在admin目录下操作

{

allow 127.0.0.1;

allow 192.168.112.136;

deny all;

}

把此代码,放入虚拟主机配置中;

[[email protected] ~]# !vim

vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1; //注意不执行,可以测试的时候做对比

allow 192.168.72.130;

deny all;

}

access_log /tmp/test.com.log ying;

}

检查语句,并加载配置文件

[[email protected] ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload

测试,通过允许192.1638.112.136和禁止127.0.0.1来做实验,这两个IP主机都能连接到;

[[email protected] ~]# curl -x127.0.0.1:80 -I test.com/admin/

HTTP/1.1 403 Forbidden //禁止访问,因为这个IP禁止

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 01:30:37 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[[email protected] ~]# curl -x192.168.112.136:80 -I test.com/admin/

HTTP/1.1 200 OK //这个IP可以访问

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 01:32:18 GMT

Content-Type: text/html

Content-Length: 19

Last-Modified: Thu, 05 Jul 2018 12:09:55 GMT

Connection: keep-alive

ETag: "5b3e0a93-13"

Accept-Ranges: bytes

2. 针对目录下的某类文件

这里主要是为了防止上传php文件,以免造成木马文件,影响安全;

在上传目录upload和image,禁止.php的文件;

location ~ .*(upload|image)/.*\.php$

{

deny all;

}

把此代码,放入虚拟主机配置中;

[[email protected] ~]# !vim

vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1;

allow 192.168.72.130;

deny all;

}

location ~ .*(upload|image)/.*\.php$ //匹配.php文件

{

deny all; //禁止

}

access_log /tmp/test.com.log ying;

}

检查语句,并加载配置文件

[[email protected] ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload

测试:在upload目录下,分别创建1.txt和1.php文件,能够访问1.txt,不能够访问1.php;

[[email protected] ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php

[[email protected] ~]# echo "2222" > /data/wwwroot/test.com/upload/1.txt

[[email protected] ~]# curl -x192.168.112.136:80 test.com/upload/1.php

<html>

<head><title>403 Forbidden</title></head>

<body bgcolor="white">

<center><h1>403 Forbidden</h1></center>

<hr><center>nginx/1.4.7</center>

</body>

</html>

[[email protected] ~]# curl -x192.168.112.136:80 test.com/upload/1.txt

2222

3. 根据user-agent限制

不想被蜘蛛爬自己的网站,我们完全可以根据user-agent去禁止掉

禁止相关的user-agent,访问网站;

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{

return 403;

}

把此代码,放入虚拟主机配置中;

[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

 

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1;

allow 192.168.72.130;

deny all;

}

location ~ .*(upload|image)/.*\.php$

{

deny all;

}

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') //user_agent匹配'Spider/3.0|YoudaoBot|Tomato

{

return 403;

}

access_log /tmp/test.com.log ying;

}

检查语句,并加载配置文件

[[email protected] ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload

测试user_agent,不同值的试验

[[email protected] ~]# curl -A "Tomato" -x192.168.112.136:80 test.com/upload/1.txt -I

HTTP/1.1 403 Forbidden //user_agent为Tomato,禁止访问

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 02:47:01 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[[email protected] ~]# curl -A "Spider/3.0" -x192.168.112.136:80 test.com/upload/1.txt -I

HTTP/1.1 403 Forbidden //user_agent为Spider/3.0,禁止访问

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 02:47:40 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[[email protected] ~]# curl -A "123456" -x192.168.112.136:80 test.com/upload/1.txt -I

HTTP/1.1 200 OK //user_agent为除设置的3个外,任意指定,可以访问

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 02:47:54 GMT

Content-Type: text/plain

Content-Length: 5

Last-Modified: Fri, 06 Jul 2018 02:31:59 GMT

Connection: keep-alive

ETag: "5b3ed49f-5"

Accept-Ranges: bytes

9.Nginx 解析PHP相关配置

先创建一个3.php文件;

[[email protected] ~]# vim /data/wwwroot/test.com/3.php

<?php

phpinfo();

测试这个3.php文件,此时不能够解析;

[[email protected] ~]# curl -x192.168.112.136:80 test.com/3.php

<?php

phpinfo();

解析php文件的配置文件

location ~ \.php$

{

include fastcgi_params;

fastcgi_pass unix:/tmp/php-fcgi.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

}

把此代码,放入虚拟主机配置中;

[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1;

allow 192.168.72.130;

deny all;

}

location ~ .*(upload|image)/.*\.php$

{

deny all;

}

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{

return 403;

}

location ~ \.php$

{

include fastcgi_params;

fastcgi_pass unix:/tmp/php-fcgi.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

}

access_log /tmp/test.com.log ying;

}

检查语句,并加载配置文件

[[email protected] ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload

由于用curl测试,篇幅过长,在浏览器测试:从下图可以看出能够解析php

解析php代码释义:

其中fastcgi_pass用来指定php-fpm的地址,如果php-fpm监听的是一个tcp:port的地址(比如127.0.0.1:9000),那么也需要在这里改成fastcgi_pass 127.0.0.1:9000。这个地址一定要和php-fpm服务监听的地址匹配,否是会报502错误.还有一个地方要注意fastcgi_param SCRIPT_FILENAME 后面跟的路径为该站点的根目录,和前面定义的root那个路径保持一致,如果这里配置不对,访问PHP页面会出现404;还有一种502的现象,如果内存中出现大量的php-fpm进程占据了内存,也会同样导致此问题!

原理:Nginx代理是一种反向代理。反向代理(Reverse Proxy)方式是指以代理服务器来接受Internet上的连接请求,然后将请求转发给内部网络上的服务器;并将从服务器上得到的结果返回给Internet上请求连接的客户端,此时代理服务器对外就表现为一个服务器。

10.Nginx代理

假如这家公司有很多台服务器,为了节省成本,不能为所有的服务器都分配公网IP,而如果一个没有公网的IP的复为其要提供web服务,就可以通过代理来实现,这就是 Nginx比httpd越来越受欢迎的原因

创建proxy.conf配置文件,写入以下代码;

[[email protected] ~]# cd /usr/local/nginx/conf/vhost

[[email protected] vhost]# vim proxy.conf

server

{

listen 80;

server_name ask.apelearn.com;

location /

{

proxy_pass http://47.104.7.242/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

}

因为是代理服务器所以不需要访问本地服务器的任何文件; ask.apelearn.com; 定义一个域名;

proxy_pass http://47.104.7.242/;真实WEB服务器的IP地址。

$host; 也就是咱们的server_name

检查语句,并加载配置文件

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

开始测试:127.0.0.1就是自己的代理机,访问论坛

[[email protected] vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 03:50:53 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

X-Powered-By: PHP/5.3.3

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: ape__Session=tki4271fdrd4nup0jbdco33b63; path=/; domain=.apelearn.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

myheader: web1

测试网站的robots

[[email protected] vhost]# curl ask.apelearn.com/robots.txt

#

# robots.txt for MiWen

#

User-agent: *

Disallow: /?/admin/

Disallow: /?/people/

Disallow: /?/question/

Disallow: /account/

Disallow: /app/

Disallow: /cache/

Disallow: /install/

Disallow: /models/

Disallow: /crond/run/

Disallow: /search/

Disallow: /static/

Disallow: /setting/

Disallow: /system/

Disallow: /tmp/

Disallow: /themes/

Disallow: /uploads/

Disallow: /url-*

Disallow: /views/

Disallow: /*/ajax/[[email protected] vhost]#

 

猜你喜欢

转载自blog.csdn.net/weixin_40876986/article/details/90285901
0条评论
添加一条新回复