LNMP architecture (b)

1.Nginx default virtual host

        Nginx also has a default virtual host. As with httpd, the first virtual host that Nginx loads is the default host. Unlike httpd, however, Nginx also has a configuration flag for marking the default virtual host; without this flag, the first virtual host is the default virtual host.

The steps are broken down as follows:

(1) Edit the main configuration file nginx.conf

      Change to the directory: cd /usr/local/nginx/conf/

      Edit the nginx.conf file.

   Make the following changes: remove the server block, then add the code shown below:

(2) Create the vhost directory and a new default virtual host configuration file, aaa.com.conf;

In /usr/local/nginx/conf/, create the vhost directory: mkdir vhost

Create the aaa.com.conf file, with the following contents:

Create the default website directory:

From the vhost directory, create the /data/wwwroot/default directory, change into it, and create an index.html file

Enter the following:

(3) Check the syntax and reload the configuration file, then test the site; any domain name will be directed to the default virtual host's site;

Verified as follows:

Check the main configuration file:

tail /usr/local/nginx/conf/nginx.conf

2.Nginx user authentication. The specific steps are as follows

(1) Return to the vhost directory and create a separate virtual host file

Create a user;

Nginx does not ship its own tool for creating users, so the one from httpd is needed; if it is not installed, install it with: yum install -y httpd. It was already installed on this machine, so it was run directly;

Add a user and set a password:

Add another user and set a password:

Test

Before testing, check for syntax errors and reload the configuration file;

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@ying01 vhost]# curl -x127.0.0.1:80 test.com

<html><head><title>401 Authorization Required</title></head> // a 401 status code is returned; user authentication is required

<body bgcolor="white"><center><h1>401 Authorization Required</h1></center><hr><center>nginx/1.4.7</center></body></html>

[root@ying01 vhost]# curl -x127.0.0.1:80 test.com -I

HTTP/1.1 401 Unauthorized

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 11:52:40 GMT

Content-Type: text/html

Content-Length: 194

Connection: keep-alive

WWW-Authenticate: Basic realm="Auth"

Test the host with user authentication:

[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com

<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.7</center></body></html>

[root@ying01 vhost]# ls /data/wwwroot/test.com

ls: 无法访问/data/wwwroot/test.com: 没有那个文件或目录

[root@ying01 vhost]# mkdir /data/wwwroot/test.com

[root@ying01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html

[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com

test.com

[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com -I

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 12:02:26 GMT

Content-Type: text/html

Content-Length: 9

Last-Modified: Thu, 05 Jul 2018 11:58:32 GMT

Connection: keep-alive

ETag: "5b3e07e8-9"

Accept-Ranges: bytes

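Sometimes we need authentication for a particular directory or page rather than for the whole site, so the configuration file has to be changed:

[root@ying01 vhost]# vim test.com.conf

The changed configuration is as follows....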

server

{

listen 80;

server_name test.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

location /admin/ # note: the /admin/ directory was added

{

auth_basic "Auth";

auth_basic_user_file /usr/local/nginx/conf/htpasswd;

}

}

Test the directory:

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@ying01 vhost]# curl -x127.0.0.1:80 test.com

test.com

[root@ying01 vhost]# mkdir /data/wwwroot/test.com/admin

[root@ying01 vhost]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html

[root@ying01 vhost]# curl -uying:www123 -x127.0.0.1:80 test.com/admin/

test.com admin dir

[root@ying01 vhost]# vim test.com.conf

The changed configuration is as follows....

server

{

listen 80;

server_name test.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

location ~ admin.php # note: changed here; refers to the admin.php file under the root directory

{

auth_basic "Auth";

auth_basic_user_file /usr/local/nginx/conf/htpasswd;

}

}

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@ying01 vhost]# curl -x127.0.0.1:80 test.com/admin/ # no user authentication is needed now

test.com admin dir

[root@ying01 vhost]# curl -x127.0.0.1:80 test.com/admin.php

<html><head><title>401 Authorization Required</title></head> // user authentication is required now

<body bgcolor="white"><center><h1>401 Authorization Required</h1></center><hr><center>nginx/1.4.7</center></body></html>

 

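Summary:

  • location /: authentication for the whole directory

Authentication can also be applied to a specific directory or URL, for example:

  • location /admin/: authentication for the admin directory

  • location ~ admin.php: authentication for a specific requested URL

auth_basic_user_file: the user authentication file

3.Nginx domain name redirection

      When a site has several domain names, its weight is reduced, but some users already depend on the older domains and it is not possible to notify everyone of the new site, so we choose one primary domain and redirect all the others straight to it!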

[root@ying01 vhost]# vim test.com.conf

The changed configuration is as follows....

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent; # permanent redirect

}

}

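permanent: permanent redirect, i.e. 301

redirect: temporary redirect, 302

After modifying the configuration file, restarting Nginx reported the following error:

The following command resolves the problem:

In the Nginx configuration, server_name can be followed by multiple domain names. permanent is a permanent redirect, equivalent to httpd's R=301. The other commonly used flag, redirect, is equivalent to httpd's R=302.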

[root@ying01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 12:38:40 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html // redirected to test.com

[root@ying01 vhost]# curl -x127.0.0.1:80 test3.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 12:38:40 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html // redirected to test.com

[root@ying01 vhost]# curl -x127.0.0.1:80 www.baidu.com/index.html # goes to the default virtual host

Redirect test:

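4.Nginx access log

Nginx log format variables:

Name: Meaning

$remote_addr: client IP (public IP)

$http_x_forwarded_for: IP of the proxy server

$time_local: server local time

$host: host name requested (domain name)

$request_uri: URL requested

$status: status code

$http_referer: referer

$http_user_agent: user_agent

The log format is defined in the main Nginx configuration file, where combined_realip is the name of the log format; this name can be customized, and here it is set to ying

[root@ying01 vhost]# vim ../nginx.conf  (vim /usr/local/nginx/conf/nginx.conf)

When a proxy server is used:

In the main Nginx configuration file, define the log format name as shown in the figure below

In the virtual host configuration file, define the log path, format and name;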

[root@ying01 vhost]# vim test.com.conf

The changed configuration is as follows....

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

access_log /tmp/test.com.log ying; # defines the log path and format

}

Check and reload the configuration, then test;

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@ying01 vhost]# curl -x127.0.0.1:80 test3.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 13:02:43 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html

[root@ying01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.7

Date: Thu, 05 Jul 2018 13:02:47 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://test.com/index.html

[root@ying01 vhost]# cat /tmp/test.com.log # view the generated log

127.0.0.1 - [05/Jul/2018:21:02:43 +0800] test3.com"/index.html" 301 "-" "curl/7.29.0" // the fields follow the log format in order

127.0.0.1 - [05/Jul/2018:21:02:47 +0800] test2.com"/index.html" 301 "-" "curl/7.29.0"
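Added example (not from the original post): a shell/awk pass over access-log lines in the layout shown above that counts 401 and 403 responses per client, which is the trace left by the authentication and deny rules configured on this page. The sample lines and the function names denied_clients and denied_uris are constructed for illustration; the field order is inferred from the two log lines above.

```bash
#!/bin/bash
# Constructed sample lines in the layout of the log output above:
# remote_addr x_forwarded_for [time_local] host"request_uri" status "referer" "user_agent"
sample_log() {
cat <<'EOF'
127.0.0.1 - [05/Jul/2018:21:02:43 +0800] test3.com"/index.html" 301 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:01 +0800] test.com"/admin/" 403 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:02 +0800] test.com"/admin/index.html" 403 "-" "curl/7.29.0"
192.0.2.10 - [06/Jul/2018:09:30:03 +0800] test.com"/admin.php" 401 "-" "curl/7.29.0"
198.51.100.7 203.0.113.5 [06/Jul/2018:09:31:00 +0800] test.com"/upload/1.php" 403 "-" "Mozilla/5.0"
198.51.100.7 203.0.113.5 [06/Jul/2018:09:31:05 +0800] test.com"/index.html" 200 "-" "Mozilla/5.0"
EOF
}

# denied_clients LOGFILE MIN
# Print "count ip" for every client with at least MIN responses of 401 or 403.
# The client is taken from remote_addr (first field); X-Forwarded-For is
# supplied by the requester and is not trusted for attribution.
denied_clients() {
    awk -F'"' -v min="$2" '
        NF >= 7 {                          # skip lines that do not fit the layout
            split($1, head, " ")           # head[1] = remote_addr
            status = $3; gsub(/ /, "", status)
            if (status == "401" || status == "403") hits[head[1]]++
        }
        END { for (ip in hits) if (hits[ip] >= min + 0) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# denied_uris LOGFILE IP
# List "status host+uri" for each 401/403 response sent to one client.
denied_uris() {
    awk -F'"' -v ip="$2" '
        NF >= 7 {
            n = split($1, head, " ")       # head[n] = host (last token before the URI)
            status = $3; gsub(/ /, "", status)
            if (head[1] == ip && (status == "401" || status == "403"))
                print status, head[n] $2
        }
    ' "$1"
}

log=$(mktemp)
sample_log > "$log"
denied_clients "$log" 2          # clients with two or more denied requests
denied_uris "$log" 192.0.2.10    # what that client was asking for
rm -f "$log"
```

Requests served by a location that sets access_log off never reach this log, so any 403 returned there is not counted.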

5.Nginx log rotation

Unlike Apache, Nginx does not have its own log rotation tool, so we need to write a script to do the job:

[root@ying01 vhost]# vim /usr/local/sbin/nginx_logrotate.sh

 

The script contents are as follows:

#!/bin/bash

d=`date -d "-1 day" +%Y%m%d`

logdir="/tmp/" # assume the nginx logs are stored in /tmp/

nginx_pid="/usr/local/nginx/logs/nginx.pid"

cd $logdir

for log in `ls *.log`

do

mv $log $log-$d

done

/bin/kill -HUP `cat $nginx_pid`

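Explanation of the script:

d=`date -d "-1 day" +%Y%m%d`: generates yesterday's date

[root@ying01 vhost]# date -d "-1 day" +%Y%m%d # running this statement gives 20180704

[root@ying01 vhost]# date

2018年 07月 05日 星期四 21:07:49 CST

for log in `ls *.log`

do

mv $log $log-$d

done

This is a for loop that renames each log file listed by ls, appending the date

nginx_pid="/usr/local/nginx/logs/nginx.pid": set only for use by the last line.

/bin/kill -HUP `cat $nginx_pid`

The last line means the same as the -s reload used earlier: it reloads Nginx via nginx.pid, after which a new log file is generated. Otherwise no log file is generated

sh -x shows the detailed execution of the script: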

[root@ying01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh

++ date -d '-1 day' +%Y%m%d

+ d=20180704

+ logdir=/tmp/

+ nginx_pid=/usr/local/nginx/logs/nginx.pid

+ cd /tmp/

++ ls php_errors.log test.com.log

+ for log in '`ls *.log`'

+ mv php_errors.log php_errors.log-20180704

+ for log in '`ls *.log`'

+ mv test.com.log test.com.log-20180704

++ cat /usr/local/nginx/logs/nginx.pid

+ /bin/kill -HUP 913

View the generated test.com log

[root@ying01 vhost]# ls /tmp/

pear

php_errors.log-20180704

php-fcgi.sock

systemd-private-94cc0dd6651e4992848100fb05207857-chronyd.service-1zARDS

systemd-private-94cc0dd6651e4992848100fb05207857-vgauthd.service-0jUT25

systemd-private-94cc0dd6651e4992848100fb05207857-vmtoolsd.service-zegNFj

test.com.log

test.com.log-20180704

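Log cleanup

Delete logs older than one month (this can of course also be written into the script)

[root@ying01 vhost]# find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm

Create a schedule to run the script, for example rotating at 00:00 every day
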

[root@ying01 vhost]# crontab -e

no crontab for root - using an empty one

crontab: installing new crontab

The crontab contents are as follows:

# run this script at 00:00 every day

0 0 * * * /usr/local/sbin/nginx_logrotate.sh

Further reading: https://www.okay686.cn/524.html
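Added example (not the original author's script): a more defensive take on the rotation and cleanup steps above. It quotes every path, skips symlinks and existing archives, validates the PID file, and uses USR1, the signal nginx documents for reopening log files, in place of the HUP reload used above. The function names are illustrative, and the demo runs against a temporary directory rather than /tmp/.

```bash
#!/bin/bash
# rotate_logs DIR STAMP
# Rename each regular *.log file in DIR to NAME-STAMP; print how many were rotated.
rotate_logs() {
    local dir="$1" stamp="$2" count=0 f
    for f in "$dir"/*.log; do
        # Skip an unmatched glob, symlinks and anything that is not a regular file
        { [ -f "$f" ] && [ ! -L "$f" ]; } || continue
        # Never overwrite an archive that already exists
        [ -e "$f-$stamp" ] && continue
        mv -- "$f" "$f-$stamp" && count=$((count + 1))
    done
    echo "$count"
}

# purge_old DIR DAYS
# Delete rotated archives (*.log-*) in DIR older than DAYS days; print what was removed.
purge_old() {
    find "$1" -maxdepth 1 -type f -name '*.log-*' -mtime +"$2" -print -delete
}

# reopen_logs PIDFILE
# Signal the nginx master to reopen its log files.
# Refuses a missing, empty or non-numeric PID instead of passing it to kill.
reopen_logs() {
    local pid
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -USR1 "$pid"
}

# Demo on a throwaway directory with constructed files; nginx is not signalled here.
demo_dir=$(mktemp -d)
echo "x" > "$demo_dir/test.com.log"
echo "y" > "$demo_dir/php errors.log"        # a name containing a space
ln -s /etc/hostname "$demo_dir/link.log"     # a symlink that must be left alone
stamp=$(date -d "-1 day" +%Y%m%d)            # same date expression as the script above
rotate_logs "$demo_dir" "$stamp"
ls "$demo_dir"
rm -rf "$demo_dir"
```

In production the three functions would be called in order (rotate_logs, reopen_logs, purge_old) with the log directory and /usr/local/nginx/logs/nginx.pid from the script above.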

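6.Excluding static files from the log and setting expiry times

In the virtual host configuration file, location ~ can match the relevant static files; expires sets the expiry time, and setting access_log to off stops those requests from being recorded in the access log

  • Configuration file

Set up the virtual host configuration file as follows;

[root@ying01 vhost]# vim test.com.conf

The changed configuration is as follows....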

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # static files such as .gif are matched and not logged

{

expires 7d; # valid for 7 days

access_log off; # do not log

}

location ~ .*\.(js|css)$ # matches js or css files

{

expires 12h; # valid for 12 hours

access_log off;

}

access_log /tmp/test.com.log ying;

}

  • Test

In the test.com site directory, create a gif file and a css file

[root@ying01 vhost]# cd /data/wwwroot/test.com/

[root@ying01 test.com]# ls

admin index.html

[root@ying01 test.com]# vim 1.gif

[root@ying01 test.com]# vim 2.css

Now access the files and look at the generated log; the experiment below shows that requests for the gif and css files are not logged;

[root@ying01 test.com]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 test.com]# /usr/local/nginx/sbin/nginx -s reload

[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/1.gif

aaaaaaaa

[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/2.css

bbbbbbbbb

[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/index.html

test.com

[root@ying01 test.com]# cat /tmp/test.com.log

127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com"/index.html" 200 "-" "curl/7.29.0"

[root@ying01 test.com]# curl -x127.0.0.1:80 test.com/2.css

bbbbbbbbb

[root@ying01 test.com]# cat /tmp/test.com.log

127.0.0.1 - [05/Jul/2018:23:33:01 +0800] test.com"/index.html" 200 "-" "curl/7.29.0"

7.Nginx anti-hotlinking

Anti-hotlinking code, which also includes an expiry time;

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

Put this code into the virtual host configuration;

[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d; # includes the expiry time

valid_referers none blocked server_names *.test.com; # defines the whitelist

if ($invalid_referer) { # condition: does the referer match the whitelist?

return 403; # no match, invalid referer: return 403

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

access_log /tmp/test.com.log ying;

}

Check the syntax and reload the configuration file

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test, comparing a valid referer with an invalid one;

[root@ying01 ~]# curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 403 Forbidden // invalid referer, returns 403

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 00:48:58 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[root@ying01 ~]# curl -e "http://xx.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 200 OK // whitelisted referer

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 00:51:19 GMT

Content-Type: image/gif

Content-Length: 10

Last-Modified: Thu, 05 Jul 2018 15:29:40 GMT

Connection: keep-alive

ETag: "5b3e3964-a"

Expires: Fri, 13 Jul 2018 00:51:19 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

8.Nginx access control

To improve security, we need to lock down certain pages!

1. For a specific directory

Core access-control code;

location /admin/ # applies to the admin directory

{

allow 127.0.0.1;

allow 192.168.112.136;

deny all;

}

Put this code into the virtual host configuration;

[root@ying01 ~]# !vim

vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1; # note: commented out so it does not take effect; lets you compare results when testing

allow 192.168.112.136;

deny all;

}

access_log /tmp/test.com.log ying;

}

Check the syntax and reload the configuration file

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test: allow 192.168.112.136 and deny 127.0.0.1 as an experiment; both of these IPs can reach the host;

[root@ying01 ~]# curl -x127.0.0.1:80 -I test.com/admin/

HTTP/1.1 403 Forbidden // access denied, because this IP is blocked

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 01:30:37 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[root@ying01 ~]# curl -x192.168.112.136:80 -I test.com/admin/

HTTP/1.1 200 OK // this IP is allowed access

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 01:32:18 GMT

Content-Type: text/html

Content-Length: 19

Last-Modified: Thu, 05 Jul 2018 12:09:55 GMT

Connection: keep-alive

ETag: "5b3e0a93-13"

Accept-Ranges: bytes

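2. For a type of file under a directory

This is mainly to guard against uploaded PHP files, which could turn out to be trojan files and compromise security;

In the upload directories upload and image, deny .php files;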

location ~ .*(upload|image)/.*\.php$

{

deny all;

}

Put this code into the virtual host configuration;

[root@ying01 ~]# !vim

vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1;

allow 192.168.112.136;

deny all;

}

location ~ .*(upload|image)/.*\.php$ # matches .php files

{

deny all; # deny

}

access_log /tmp/test.com.log ying;

}

Check the syntax and reload the configuration file

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test: in the upload directory, create 1.txt and 1.php; 1.txt can be accessed, 1.php cannot;

[root@ying01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php

[root@ying01 ~]# echo "2222" > /data/wwwroot/test.com/upload/1.txt

[root@ying01 ~]# curl -x192.168.112.136:80 test.com/upload/1.php

<html>

<head><title>403 Forbidden</title></head>

<body bgcolor="white">

<center><h1>403 Forbidden</h1></center>

<hr><center>nginx/1.4.7</center>

</body>

</html>

[root@ying01 ~]# curl -x192.168.112.136:80 test.com/upload/1.txt

2222

3. Restricting by user-agent

If we do not want spiders crawling our site, we can simply block them by user-agent

Deny the relevant user-agents access to the site;

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{

return 403;

}

Put this code into the virtual host configuration;

[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

 

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1;

allow 192.168.112.136;

deny all;

}

location ~ .*(upload|image)/.*\.php$

{

deny all;

}

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') # user_agent matches 'Spider/3.0|YoudaoBot|Tomato'

{

return 403;

}

access_log /tmp/test.com.log ying;

}

Check the syntax and reload the configuration file

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test with different user_agent values

[root@ying01 ~]# curl -A "Tomato" -x192.168.112.136:80 test.com/upload/1.txt -I

HTTP/1.1 403 Forbidden // user_agent is Tomato, access denied

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 02:47:01 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[root@ying01 ~]# curl -A "Spider/3.0" -x192.168.112.136:80 test.com/upload/1.txt -I

HTTP/1.1 403 Forbidden // user_agent is Spider/3.0, access denied

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 02:47:40 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[root@ying01 ~]# curl -A "123456" -x192.168.112.136:80 test.com/upload/1.txt -I

HTTP/1.1 200 OK // any user_agent other than the 3 configured ones is allowed

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 02:47:54 GMT

Content-Type: text/plain

Content-Length: 5

Last-Modified: Fri, 06 Jul 2018 02:31:59 GMT

Connection: keep-alive

ETag: "5b3ed49f-5"

Accept-Ranges: bytes

9.Nginx configuration for parsing PHP

First create a 3.php file;

[root@ying01 ~]# vim /data/wwwroot/test.com/3.php

<?php

phpinfo();

Test this 3.php file; at this point it cannot be parsed;

[root@ying01 ~]# curl -x192.168.112.136:80 test.com/3.php

<?php

phpinfo();

Configuration for parsing PHP files

location ~ \.php$

{

include fastcgi_params;

fastcgi_pass unix:/tmp/php-fcgi.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

}

Put this code into the virtual host configuration;

[root@ying01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com') {

rewrite ^/(.*)$ http://test.com/$1 permanent;

}

location ~* ^.*(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

expires 7d;

valid_referers none blocked server_names *.test.com;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location ~ .*\.(js|css)$

{

# expires 12h;

access_log off;

}

location /admin/

{

#allow 127.0.0.1;

allow 192.168.112.136;

deny all;

}

location ~ .*(upload|image)/.*\.php$

{

deny all;

}

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{

return 403;

}

location ~ \.php$

{

include fastcgi_params;

fastcgi_pass unix:/tmp/php-fcgi.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

}

access_log /tmp/test.com.log ying;

}

Check the syntax and reload the configuration file

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 ~]# /usr/local/nginx/sbin/nginx -s reload

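Because the curl output is too long, test in a browser instead: the figure below shows that PHP is parsed

Explanation of the PHP parsing code:

fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a TCP address:port (for example 127.0.0.1:9000), this must be changed to fastcgi_pass 127.0.0.1:9000. The address must match the one the php-fpm service listens on, otherwise a 502 error is returned. Also note that the path following fastcgi_param SCRIPT_FILENAME is the site's root directory and must be consistent with the root defined earlier; if it is configured incorrectly, requests for PHP pages return 404. There is one more cause of 502: if a large number of php-fpm processes fill up memory, the same problem occurs!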
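Added example (not from the original post): a shell check for the two mismatches just described, fastcgi_pass versus php-fpm's listen address (502) and SCRIPT_FILENAME versus root (404). The php-fpm.conf content is constructed because that file is not shown on this page; the function names are illustrative, and $document_root$fastcgi_script_name is accepted as the standard nginx way to follow root automatically.

```bash
#!/bin/bash
# first_value FILE SED_EXPR: first value captured from FILE, trailing blanks removed
first_value() {
    sed -n "$2" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_fastcgi VHOST_CONF FPM_CONF
# Compare the vhost's fastcgi settings with php-fpm's listen address and with
# the vhost's own root. Prints one line per mismatch; returns 1 if any was found.
check_fastcgi() {
    local vhost="$1" fpm="$2" pass listen root script rc=0
    pass=$(first_value "$vhost" 's/^[[:space:]]*fastcgi_pass[[:space:]][[:space:]]*\([^;]*\);.*/\1/p')
    listen=$(first_value "$fpm" 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p')
    root=$(first_value "$vhost" 's/^[[:space:]]*root[[:space:]][[:space:]]*\([^;]*\);.*/\1/p')
    script=$(first_value "$vhost" 's/^[[:space:]]*fastcgi_param[[:space:]][[:space:]]*SCRIPT_FILENAME[[:space:]][[:space:]]*\([^;]*\);.*/\1/p')
    pass=${pass#unix:}        # nginx writes unix:/path, php-fpm writes /path
    if [ "$pass" != "$listen" ]; then
        echo "fastcgi_pass ($pass) != php-fpm listen ($listen): expect 502"
        rc=1
    fi
    case "$script" in
        "$root"'$fastcgi_script_name' | '$document_root$fastcgi_script_name') ;;
        *) echo "SCRIPT_FILENAME ($script) is not under root ($root): expect 404"
           rc=1 ;;
    esac
    return "$rc"
}

# write_sample_vhost FILE: the PHP-related lines of this page's test.com.conf
write_sample_vhost() {
cat > "$1" <<'EOF'
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    root /data/wwwroot/test.com;
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}
EOF
}

tmp=$(mktemp -d)
write_sample_vhost "$tmp/test.com.conf"
# Constructed php-fpm.conf that listens on TCP while the vhost points at the socket
printf '[www]\nlisten = 127.0.0.1:9000\n' > "$tmp/php-fpm.conf"
check_fastcgi "$tmp/test.com.conf" "$tmp/php-fpm.conf"
rm -rf "$tmp"
```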

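How it works: an Nginx proxy is a reverse proxy. In reverse proxy mode, a proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results obtained from those servers to the clients on the Internet that requested the connection; to the outside, the proxy server appears as a server.

10.Nginx proxy

Suppose a company has many servers and, to save costs, cannot assign a public IP to every one of them. If a server without a public IP needs to provide a web service, this can be done through a proxy. This is why Nginx is becoming more popular than httpd

Create the proxy.conf configuration file and write the following code into it;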

[root@ying01 ~]# cd /usr/local/nginx/conf/vhost

[root@ying01 vhost]# vim proxy.conf

server

{

listen 80;

server_name ask.apelearn.com;

location /

{

proxy_pass http://47.104.7.242/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

}

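Because this is a proxy server, it does not need to access any files on the local server; ask.apelearn.com; defines a domain name;

proxy_pass http://47.104.7.242/; is the IP address of the real web server.

$host; is our server_name

Check the syntax and reload the configuration file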

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@ying01 vhost]# /usr/local/nginx/sbin/nginx -s reload

Start testing: 127.0.0.1 is our own proxy machine; access the forum

[root@ying01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Fri, 06 Jul 2018 03:50:53 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

X-Powered-By: PHP/5.3.3

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: ape__Session=tki4271fdrd4nup0jbdco33b63; path=/; domain=.apelearn.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

myheader: web1

Test the site's robots.txt

[root@ying01 vhost]# curl ask.apelearn.com/robots.txt

#

# robots.txt for MiWen

#

User-agent: *

Disallow: /?/admin/

Disallow: /?/people/

Disallow: /?/question/

Disallow: /account/

Disallow: /app/

Disallow: /cache/

Disallow: /install/

Disallow: /models/

Disallow: /crond/run/

Disallow: /search/

Disallow: /static/

Disallow: /setting/

Disallow: /system/

Disallow: /tmp/

Disallow: /themes/

Disallow: /uploads/

Disallow: /url-*

Disallow: /views/

Disallow: /*/ajax/

[root@ying01 vhost]#

 


Origin blog.csdn.net/weixin_40876986/article/details/90285901