【Nginx】03、nginx常用模块详解
一、nginx虚拟主机
nginx的虚拟机功能是ngx_http_core_module(http核心模块)实现
1、准备站点页面文件
# mkdir -pv /www/{a.com,b.org}
mkdir: created directory `/www/a.com'
mkdir: created directory `/www/b.org'
# vim /www/a.com/index.html
# vim /www/b.org/index.html
# cat /www/b.org/index.html
bbb.org
# cat /www/a.com/index.html
aaa.com
# cat /www/b.org/index.html
bbb.org
2、修改配置文件/etc/nginx/nginx.conf
1)基于主机名
server {
listen 80 ;
server_namewww.a.com a.com;
location / {
root /www/a.com/;
indexindex.html index.htm;
}
}
server {
listen 80 default_server;
server_name www.b.org b.org;
root /www/b.org/;
}
如果没有指定default_server那么定义在前面虚拟主机响应
2)基于ip
server {
listen 192.168.10.7:80 ;
server_namewww.a.com a.com;
location / {
root /www/a.com/;
indexindex.html index.htm;
}
}
server {
listen 192.168.100.16:80 default_server;
server_name www.b.org b.org;
root /www/b.org/;
}
3)基于port
server {
listen 80 ;
server_namewww.a.com a.com;
location / {
root /www/a.com/;
indexindex.html index.htm;
}
}
server {
listen 8080 default_server;
server_name www.b.org b.org;
root /www/b.org/;
}
虚拟主机的配置和httpd完全一样,也可以随意混用,nginx的区别就是没有中心主机
二、访问控制
nginx的访问控制功能是ngx_http_access_module和ngx_http_auth_baisc_module模块实现,和http2.4版本之前的访问控制一样可以使用基于来源地址和用户认证两种方式来控制
1、基于来源地址访问控制
ngx_http_access_module模块实现
allow
deny
至上而下依次检查,默认为通过(被上面的匹配到了就直接允许或拒绝,下面的规则就不会检查了)
location / {
deny192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
denyall;
}
Syntax:allow address | CIDR | unix: | all;Default:—Context:http, server, location, limit_exceptSyntax:deny address | CIDR | unix: | all;Default:—Context:http, server, location, limit_except 2、基于用户认证
ngx_http_auth_baisc_module模块实现
Example Configuration:
location /admin { # /admin对哪些路径进行用户认证
auth_basic "closed site"; # 提示语
auth_basic_user_file conf/htpasswd; # 密码的存放位置
}
Syntax:auth_basic string | off;Default:auth_basic off;Context:http, server, location, limit_exceptSyntax:auth_basic_user_file file;Default:—Context:http, server, location, limit_except 需要使用htpasswd命令创建密码(要安装httpd-tools)
实例:
修改配置文件:我定义在www.b.org这个虚拟主机中
server {
listen 80 default_server;
server_name www.b.org b.org;
root /www/b.org/;
}
location /admin {
auth_basic "admin area";
auth_baisc_user_file /etc/nginx/.htpasswd;
}
创建密码文件:
# yum install httpd-tools
# htpasswd -c -m .htpasswd xj
New password:
Re-type new password:
Adding password for user xj
# ls .htpasswd
.htpasswd
# cat .htpasswd
xj:$apr1$7Bn7MeQ5$6GtxQmWOSQJhHxWPba9FJ/
# htpasswd -m .htpasswd tom
New password:
Re-type new password:
Adding password for user tom
# cat .htpasswd
xj:$apr1$yJdRdOLf$nDvwhCQJfo8FNHBld8YeO1
tom:$apr1$WlKEmEGC$HoVO2gOl2AoS2Ji/fJTNa0
注意:
如果在配置文件中配置了使用用户认证,而没有配置文件(或指定错了密码文件的路径),那么所有用户都没有权限访问admin目录下的文件
可以看出nginx的认证配置起来比httpd简洁多了
三、建立下载站点
由ngx_http_autoindex_module模块实现
Syntax:autoindex on | off;Default:autoindex off;Context:http, server, location Enables or disables the directory listing output.
Syntax:autoindex_exact_size on | off;Default:autoindex_exact_size on;Context:http, server, locationSyntax:autoindex_format html | xml | json | jsonp;Default:autoindex_format html;Context:http, server, location This directive appeared in version 1.7.9.
Syntax:autoindex_localtime on | off;Default:autoindex_localtime off;Context:http, server, location For the HTML format, specifies whether times in the directory listing should be output in the local time zone or UTC.
autoindex_exact_size off;
默认为on,显示出文件的确切大小,单位是bytes。改为off后,显示出文件的大概大小,单位是kB或者MB或者GB。
autoindex_localtime on;
默认为off,显示的文件时间为GMT时间。改为on后,显示的文件时间为文件的服务器时间。
实例:
我直接定义在http段中
#keepalive_timeout65;
#gzipon;
deny 192.168.10.5;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
四、定义访问日志格式
由ngx_http_log_module实现
Example Configuration
log_format compression '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
access_log /spool/logs/nginx-access.log compression buffer=32k;
指令:
Syntax:log_format name string ...;Default:log_format combined "...";Context:httpSyntax:access_log path [format size] level]] time] condition]]; access_log off;
Default:access_log logs/access.log combined;Context:http, server, location, if in location, limit_exceptSyntax:open_log_file_cache max=N time] N] time]; open_log_file_cache off;
Default:open_log_file_cache off;Context:http, server, location 实例:
log_formatmain'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log/var/log/nginx/access.logmain;
生成的访问日志格式:
# tail /var/log/nginx/access.log
192.168.10.10 - - "GET /download/ HTTP/1.1" 200 596 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" "-"
192.168.10.10 - - "GET / HTTP/1.1" 200 8 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" "-"
五、URL rewrite
由ngx_http_rewrite_module实现
指令:
Syntax:if (condition) { ... }Default:—Context:server, location if判断语句
if语句可以实现条件判断,其通常有一个return语句,且一般与有着last或break标记的rewrite规则一同使用。但其也可以按需要使用在多种场景下,需要注意的是,不当的使用可能会导致不可预料的后果。
location / {
if ($request_method == “PUT”) {
proxy_pass http://upload.magedu.com:8080;
}
if ($request_uri ~ "\.(jpg|gif|jpeg|png)$") {
proxy_pass http://imageservers;
break;
}
}
upstream imageservers {
server 172.16.100.8:80 weight 2;
server 172.16.100.9:80 weight 3;
}
if语句中的判断条件
正则表达式匹配:
==: 等值比较;
~:与指定正则表达式模式匹配时返回“真”,判断匹配与否时区分字符大小写;
~*:与指定正则表达式模式匹配时返回“真”,判断匹配与否时不区分字符大小写;
!~:与指定正则表达式模式不匹配时返回“真”,判断匹配与否时区分字符大小写;
!~*:与指定正则表达式模式不匹配时返回“真”,判断匹配与否时不区分字符大小写;
文件及目录匹配判断:
-f, !-f:判断指定的路径是否为存在且为文件;
-d, !-d:判断指定的路径是否为存在且为目录;
-e, !-e:判断指定的路径是否存在,文件或目录均可;
-x, !-x:判断指定路径的文件是否存在且可执行;
注意:
if语句在使用中,很容易出现问题,
Syntax:rewrite regex replacement [flag];Default:—Context:server, location, ifSyntax:break;Default:—Context:server, location, ifSyntax:return code [text]; return code URL;
return URL;
Default:—Context:server, location, ifSyntax:rewrite_log on | off;Default:rewrite_log off;Context:http, server, location, if rewrite regex replacement ;
原理就是使用正则表达式查找替换
flag:标志位
last:
一旦被当前规则匹配并重写后,立即停止检查后续的其他rewrite的规则,而后通过重写后的url重新发起请求(如果有多个rewrite规则时,可能会造成死循环)
break:一旦被当前规则匹配并重写后,立即停止检查后续的其他rewrite的规则,而后继续由nginx进行后续的操作(不需要再通过其它的rewrite规则检查 )
redirect:返回302临时重定向代码
permanent:返回301永久重定向
注意:
nginx最多循环10次,超出之后返回500错误
一般将rewrite写在location中时都使用break标志,或者将rewrite写在if上下文中
rewrite_log on|off; # 繁忙的服务器中不建议打开
是否将重写过程记录在错误日志中,默认为notice级别;默认为off
return code:
用于结束rewrite规则,并且为客户返回状态码:可以使用的状态码有204,400,402-406,500-504等
例子:
server {
...
rewrite ^(/download/.*)/media/(.*)\..*$ $1/mp3/$2.mp3 last;
rewrite ^(/download/.*)/audio/(.*)\..*$ $1/mp3/$2.rabreak;
return403;
...
}
实例:
准备相应的文件:
# mkdir images
# cd images
# ls
1.jpg
修改配置:
server {
listen 80 default_server;
server_name www.b.org b.org;
root /www/b.org/;
location /admin {
auth_basic "admin area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location /download/ {
rewrite ^/download/(.*\.(jpg|gif|jpeg|png))$ /images/$1 break;
}
}
测试 :
可以看到访问的是url是/download/1.jpg,(download这个目录下是没有图片的)被重写至/images/1.jpg,url重写就和路径别名的功能想相似
六、防盗链
由ngx_http_referer_module实现
Example Configuration:
valid_referers none blocked server_names
*.example.com example.* www.example.org/galleries/
~\.google\.;
if ($invalid_referer) {
return 403;
}
指令:
Syntax:referer_hash_bucket_size size;Default:referer_hash_bucket_size 64;Context:server, locationSyntax:referer_hash_max_size size;Default:referer_hash_max_size 2048;Context:server, locationSyntax:valid_referers none | blocked | server_names | string ...;Default:—Context:server, location 1、定义合规引用
valid_referers none |block |server_names|string ...
none:“-”,空,通过浏览器直接访问
blocked:请求报文中有referers字段但被清空
such values are strings that do not start with “http://” or “https://”;
server_names:
the “Referer” request header field contains one of the server names;
请求报文中"Referer"字段包含以下服务器名称;
2、判断不合规的引用
ngx_http_referer_module引入了$invalid_referer变量,$valid_referer是一个布尔值,表示不被valid_referer匹配到都是不合规的引用$invalid_referer
if ($invaild_referer) {
rewrite ^/.*$ http://www.a.com/403.html
}
实例:
在www.b.org中设置:只允许自己站点引用images目录下的图片
server {
listen 80 default_server;
server_name www.b.org b.org;
root /www/b.org/;
location /admin {
auth_basic "admin area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location /download/ { # 此时这个location就失效了
rewrite ^/download/(.*\.(jpg|gif|jpeg|png))$ /images/$1 break;
}
location ~* \.(jpg|png|gif|jgeg)$ {
root /www/b.org/;
valid_referers none blocked www.b.org *.b.org;
if ($invalid_referer) {
#return 555; # 使用return和rewrite都可以
rewrite ^/ http://www.b.org/403.html;
}
}
}
在www.a.com中设置引用b.org中images的图片:
# cat /www/a.com/index.html
aaa.com
测试:
此时的访问日志信息:
192.168.10.10 - - "GET / HTTP/1.1" 200 50 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" "-"
192.168.10.10 - - "GET /images/1.jpg HTTP/1.1" 555 0 "http://www.a.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" "-"
七、状态页
由status模块实现
Syntax:status;Default:—Context:locationSyntax:status_format json; status_format jsonp [callback];
Default:status_format json;Context:http, server, locationSyntax:status_zone zone;Default:—Context:serverlocation /status{
stub_status on;
access_log off;
allow 192.168.10.0/24
deny all;
}
页面解释:
当下处于活动状态的连接
接受的总数 已经建立和处理的总数 请求的总数
正在接受的请求个数,正在读取或发往客户端的请求 ,长连接中的处于活动状态的值
八、压缩
gzip模块实现
Example Configuration
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/xml;
指令:
Syntax:gzip on | off;Default:gzip off;Context:http, server, location, if in locationSyntax:gzip_buffers number size;Default:gzip_buffers 32 4k|16 8k;Context:http, server, locationSyntax:gzip_comp_level level;Default:gzip_comp_level 1;Context:http, server, location Sets a gzip compression level of a response. Acceptable values are in the range from 1 to 9.
Syntax:gzip_disable regex ...;Default:—Context:http, server, location Disables gzipping of responses for requests with “User-Agent” header fields matching any of the specified regular expressions.
The special mask “msie6” (0.7.12) corresponds to the regular expression “MSIE \.”, but works faster. Starting from version 0.8.11, “MSIE 6.0; ... SV1” is excluded from this mask. IE6浏览器不支持压缩
Syntax:gzip_min_length length;Default:gzip_min_length 20;Context:http, server, location Sets the minimum length of a response that will be gzipped. The length is determined only from the “Content-Length” response header field.
Syntax:gzip_http_version 1.0 | 1.1;Default:gzip_http_version 1.1;Context:http, server, location Sets the minimum HTTP version of a request required to compress a response.
Syntax:gzip_proxied off | expired | no-cache | no-store | private | no_last_modified | no_etag | auth |any ...;Default:gzip_proxied off;Context:http, server, locationSyntax:gzip_types mime-type ...;Default:gzip_types text/html;Context:http, server, location Enables gzipping of responses for the specified MIME types in addition to “text/html”. The special value “*” matches any MIME type (0.8.29). Responses with the “text/html” type are always compressed.
Syntax:gzip_vary on | off;Default:gzip_vary off;Context:http, server, location gzip on|off
gzip_buffer 使用的缓存大小
gzip_comp_level 压缩的级别
gzip_disable 不压缩的类型或浏览器
gzip_min_length 最少压缩的大小
gzip_http_version 压缩完成以后发送http的版本
gzip_types: 只压缩的格式
nginx将响应报文发送至客户端之前可以启用压缩功能,这能够有效地节约带宽,并提高响应至客户端的速度。通常编译nginx默认会附带gzip压缩的功能,因此,可以直接启用之。
例子:
http {
gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;
gzip_disable msie6;
}
gzip_proxied指令可以定义对客户端请求哪类对象启用压缩功能,如“expired”表示对由于使用了expire首部定义而无法缓存的对象启用压缩功能,其它可接受的值还有“no-cache”、“no-store”、“private”、“no_last_modified”、“no_etag”和“auth”等,而“off”则表示关闭压缩功能。
测试:
到此我们学习完了nginx作为静态web服务器的配置,后面将继续学习nginx实现代理、负载均衡、缓存等功能。
页:
[1]