kevin0490 发表于 2018-11-10 14:01:24

1.9Nginx配置(二)web部署

  一、配置虚拟主机
  更改目录权限
  # chown php-fpm /data/www/data/ -R
  配置
  # cd /etc/nginx/
  # cd vhosts/
  # ls
  default.conf  test.conf
  # vim default.conf   //默认拒绝所有访问
  # Catch-all virtual host: it answers port-80 requests whose Host header
  # matches no other server_name, and refuses all of them.
  server {
      listen 80 default_server;   # "default" is the older spelling of default_server
      server_name localhost;
      index index.html index.htm index.php;
      root /tmp/1234;
      deny all;                   # every request to this host is answered with 403
  }
  二、php-fpm配置
  # ls /usr/local/php/etc/php-fpm.conf
  /usr/local/php/etc/php-fpm.conf
  # vim /usr/local/php/etc/php-fpm.conf
  
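  ; NOTE(review): php-fpm.conf is an ini file with a [global] section and one
  ; [pool] section per socket. The bracketed headers, and the [open_basedir]
  ; key on php_admin_value, are missing from the page as published (blank lines
  ; mark where the headers stood); they are restored here. The pool names
  ; "www" and "www1" are assumed from the socket names - confirm against the
  ; real file.
  [global]
  pid = /usr/local/php/var/run/php-fpm.pid
  error_log = /usr/local/php/var/log/php-fpm.log

  [www]
  ; NOTE(review): /tmp is writable by every local user. listen.owner and
  ; listen.group hand the socket to nginx, but a directory that only php-fpm
  ; and nginx can enter is a safer home for the socket and the slow log.
  listen = /tmp/www.sock
  ; Worker processes of this pool run as the unprivileged php-fpm account.
  user = php-fpm
  group = php-fpm
  listen.owner = nginx
  listen.group = nginx
  pm = dynamic
  pm.max_children = 50
  pm.start_servers = 20
  pm.min_spare_servers = 5
  pm.max_spare_servers = 35
  pm.max_requests = 500
  rlimit_files = 1024
  slowlog = /tmp/www_slow.log
  ; Requests that run longer than 1 second are recorded in the slow log.
  request_slowlog_timeout = 1
  ; Confine PHP file access in this pool to the listed directories. A
  ; php_admin_value setting cannot be overridden from a script with ini_set().
  ; NOTE(review): /tmp/ is on the list, so PHP code can reach the socket and
  ; log files kept there; drop it if the application does not need it.
  php_admin_value[open_basedir] = /data/www/:/tmp/

  [www1]
  ; Second pool on its own socket. It sets no open_basedir, so PHP served
  ; through it is not confined the way the first pool is.
  listen = /tmp/www1.sock
  user = php-fpm
  group = php-fpm
  listen.owner = nginx
  listen.group = nginx
  pm = dynamic
  pm.max_children = 50
  pm.start_servers = 20
  pm.min_spare_servers = 5
  pm.max_spare_servers = 35
  pm.max_requests = 500
  rlimit_files = 1024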
  检查配置
  # /usr/local/php/sbin/php-fpm -t
   NOTICE: configuration file /usr/local/php/etc/php-fpm.conf test is successful
  重新加载php-fpm
  # /etc/init.d/php-fpm restart
  Gracefully shutting down php-fpm . done
  Starting php-fpm  done
  三、配置测试网站(discuz)
  1、创建虚拟主机文件
  # vim test.conf
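  # Virtual host for the test site; PHP requests go to the php-fpm pool that
  # listens on /tmp/www.sock.
  server
  {
      listen 80;
      server_name www.test.com;   # site domain name
      index index.html index.htm index.php;
      root /data/www;             # site document root

      location ~ \.php$ {
          # Pass a request to PHP-FPM only when the file exists under root;
          # any other URI ending in .php is answered with 404 by nginx.
          try_files $uri =404;
          include fastcgi_params;
          fastcgi_pass unix:/tmp/www.sock;
          #fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
      }
  }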
  2、测试访问
  # curl -x192.168.1.21:80 www.test.com -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.9.6
  Date: Sun, 20 Dec 2015 06:11:33 GMT
  Content-Type: text/html;
  Connection: keep-alive
  X-Powered-By: PHP/5.6.14
  location: forum.php
  四、Nginx用户认证
  1、虚拟主机增加location配置
  # vim test.conf
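  # Test site with HTTP basic authentication in front of admin.php.
  server
  {
      listen 80;
      server_name www.test.com;
      index index.html index.htm index.php;
      root /data/www;

      # Regex locations are tried in file order and the first match wins, so
      # this block has to stay above the generic \.php$ block.
      location ~ .*admin\.php$ {
          # NOTE(review): basic auth sends the user name and password with
          # every request, only base64-encoded. This server listens on plain
          # HTTP (port 80), so the credentials cross the network unencrypted;
          # serve this location over TLS before relying on it.
          auth_basic "huangmingming auth";
          auth_basic_user_file /etc/nginx/conf/.htpasswd;
          # Pass the request to PHP-FPM only when the file exists under root.
          try_files $uri =404;
          include fastcgi_params;                     # PHP handling
          fastcgi_pass unix:/tmp/www.sock;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
      }

      location ~ \.php$ {
          # Without this check any URI ending in .php is handed to PHP-FPM,
          # including ones that did not match the protected block above.
          try_files $uri =404;
          include fastcgi_params;
          fastcgi_pass unix:/tmp/www.sock;
          #fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
      }
  }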
  # nginx -t

  # nginx -s reload
  2、创建用户认证文件
  # mkdir /etc/nginx/conf
  # htpasswd -c /etc/nginx/conf/.htpasswd harry   //创建第一个用户
  New password:
  Re-type new password:
  Adding password for user harry
  # htpasswd /etc/nginx/conf/.htpasswd ming   //创建第二个用户
  # cat /etc/nginx/conf/.htpasswd
  harry:$apr1$tLcd/Cpg$1cE3aiuJpmVsebxniuZzr.
  ming:$apr1$Ckjy886O$NBiy1emHZmgnJQU6D4SZ01
  3、测试访问
  # curl -x127.0.0.1:80 www.test.com/admin.php
  
  401 Authorization Required
  
  401 Authorization Required
  nginx/1.9.6
  
  
  # curl -x127.0.0.1:80 -uharry:123 www.test.com/admin.php   //正常解析

  五、Nginx域名跳转(域名重定向)
  # vim test.conf
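  # Test site that also answers for www.aaa.com and redirects that name to
  # the canonical www.test.com.
  server
  {
      listen 80;
      server_name www.test.com www.aaa.com;

      # Any Host other than the canonical name gets a 301 to the same path
      # on www.test.com.
      if ($host != 'www.test.com')
      {
          rewrite ^/(.*)$ http://www.test.com/$1 permanent;
      }

      index index.html index.htm index.php;
      root /data/www;

      # Regex locations are tried in file order and the first match wins, so
      # this block has to stay above the generic \.php$ block.
      location ~ .*admin\.php$ {
          # NOTE(review): basic auth over plain HTTP exposes the credentials
          # on the network; serve this location over TLS before relying on it.
          auth_basic "huangmingming auth";
          auth_basic_user_file /etc/nginx/conf/.htpasswd;
          # Pass the request to PHP-FPM only when the file exists under root.
          try_files $uri =404;
          include fastcgi_params;
          fastcgi_pass unix:/tmp/www.sock;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
      }

      location ~ \.php$ {
          # Without this check any URI ending in .php is handed to PHP-FPM,
          # including ones that did not match the protected block above.
          try_files $uri =404;
          include fastcgi_params;
          fastcgi_pass unix:/tmp/www.sock;
          #fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
      }
  }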
  # nginx -t

  # nginx -s reload
  # curl -x127.0.0.1:80 www.aaa.com -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.9.6
  Date: Sun, 20 Dec 2015 06:50:46 GMT
  Content-Type: text/html
  Content-Length: 184
  Connection: keep-alive
  Location: http://www.test.com/
  # curl -x127.0.0.1:80 www.test.com/111 -I
  HTTP/1.1 404 Not Found
  Server: nginx/1.9.6
  Date: Sun, 20 Dec 2015 06:53:12 GMT
  Content-Type: text/html
  Content-Length: 168
  Connection: keep-alive
  百度搜索引擎站点统计
  site:www.qq.com
  六、Nginx不记录指定文件类型日志
  1、日志的格式
  log_format combined_realip(日志名称) '$remote_addr $http_x_forwarded_for [$time_local]'
  # vim test.conf
  1 server
  2 {
  3   listen 80;
  4   server_name www.test.com www.aaa.com www.bbb.com;
  5   if ($host != 'www.test.com')
  6   {
  7         rewrite ^/(.*)$ http://www.test.com/$1 permanent;
  8   }
  9
  10   index index.html index.htm index.php;
  11   root /data/www;
  12   access_log /tmp/nginx_access.log combined_realip;   //指定日志类型及存储目录
  # cat /tmp/nginx
  nginx/            nginx_access.log
  # cat /tmp/nginx_access.log
  127.0.0.1 - www.bbb.com "/" 301"-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
  127.0.0.1 - www.test.com "/" 301"-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
  127.0.0.1 - www.aaa.com "/111" 301"-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
  192.168.1.103 - www.test.com "/forum.php" 200"-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
  192.168.1.103 - www.test.com "/home.php?mod=misc&ac=sendmail&rand=1450595813" 200"http://www.test.com/forum.php" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
  #
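  2、配置不记录指定类型日志
  (注意:正则 location 按配置文件中的先后顺序匹配,先命中者生效。下面的 location ~ (static|cache) 没有锚定,又写在 location ~ \.php$ 之前,路径中含有 static 或 cache 的 .php 请求会落到这个块里,不会交给 php-fpm 解析,而是被当作普通文件直接返回。建议把该块移到 \.php$ 块之后。)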
  14   location ~ .*admin\.php$ {
  15         auth_basic "huangmingming auth";
  16         auth_basic_user_file /etc/nginx/conf/.htpasswd;
  17
  18         include fastcgi_params;
  19         fastcgi_pass unix:/tmp/www.sock;
  20         fastcgi_index index.php;
  21         fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
  22   }
  23   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  24   {
  25         access_log off;    //off,不记录
  26   }
  27   location ~ (static|cache)
  28   {
  29         access_log off;
  30   }
  31
  32   location ~ \.php$ {
  33         include fastcgi_params;
  34         fastcgi_pass unix:/tmp/www.sock;
  35         #fastcgi_pass 127.0.0.1:9000;
  36         fastcgi_index index.php;
  37         fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
  38   }
  39 }
  验证
  # > /tmp/nginx_access.log

  # nginx -s reload
  # cat /tmp/nginx_access.log
  七、Nginx日志切割
  # vim /usr/local/sbin/nginx_logrotate.sh    //指定日志脚本存储位置
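  #!/bin/bash
  # Rotate the nginx access log: move the current file aside under
  # yesterday's date, make nginx open a fresh log file, then compress the
  # moved copy.
  #
  # NOTE(review): the log and the archive directory both live under /tmp,
  # which every local user can write to. A script run as root that creates,
  # moves and compresses files at predictable names there can be pointed at
  # other files through pre-created links; keep the log and the archive in a
  # directory only root can write to.

  # Yesterday's date in YYYY-MM-DD form, used as the archive file name.
  d=$(date -d "-1 day" +%F)
  log_dir=/tmp/nginx_log

  [ -d "$log_dir" ] || mkdir "$log_dir"
  mv /tmp/nginx_access.log "$log_dir/$d.log"

  # nginx keeps writing to the moved file until it reopens its logs.
  # The page shows this line garbled ("/etc/init.d/nginx>"); the "reload"
  # argument and the redirect are a reconstruction - confirm that the init
  # script supports it.
  /etc/init.d/nginx reload > /dev/null

  # Stop rather than run gzip in whatever directory we happen to be in.
  cd "$log_dir" || exit 1
  gzip -f "$d.log"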
  # sh -x /usr/local/sbin/nginx_logrotate.sh
  ++ date -d '-1 day' +%F
  + d=2015-12-19
  + '[' -d /tmp/nginx_log ']'
  + mv /tmp/nginx_access.log /tmp/nginx_log/2015-12-19.log

  + /etc/init.d/nginx reload
  + cd /tmp/nginx_log/
  + gzip -f 2015-12-19.log
  # cd /tmp/nginx_log/
  # ls
  2015-12-19.log.gz
  # cat /tmp/nginx_access.log
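  八、Nginx配置静态文件过期时间(静态缓存)
  (注意:下面的 location ~ \.(js|css) 末尾没有 $,会匹配路径中任何位置出现的 .js 或 .css;应写成 location ~ \.(js|css)$,与上面的图片规则保持一致。)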
  # vim /etc/nginx/vhosts/test.conf
  23   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  24   {
  25         access_log off;
  26         expires 15d;    //15天过期
  27   }
  28   location ~ \.(js|css)
  29   {
  30         access_log off;
  31         expires 2h;    //2小时过期
  32   }
  33
  34   location ~ (static|cache)
  35   {
  36         access_log off;
  37   }
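  九、Nginx防盗链配置
  (说明:Referer 由客户端自行发送,可以随意指定,下面用 curl -e 做的测试即是如此;valid_referers 中的 none 还会放行不带 Referer 的请求。防盗链只能减少被外站直接引用,不能当作访问控制使用。)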
  # vim /etc/nginx/vhosts/test.conf
  23   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$
  24   {
  25         access_log off;
  26         expires 15d;
  27         valid_referers none blocked *.test.com *.aaa.com *.bbb.com;
  28         if ($invalid_referer)
  29         {
  30            return 403;
  31         }
  32   }
  # nginx -t

  # nginx -s reload
  测试
  # curl -e "http://www.baidu.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
  HTTP/1.1 403 Forbidden
  # curl -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
  HTTP/1.1 200 OK
  Server: nginx/1.9.6
  # curl -e "http://www.aaa.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
  HTTP/1.1 200 OK
  # curl -e "http://www.bbb.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
  HTTP/1.1 200 OK
  # curl -e "http://www.bbb1.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
  HTTP/1.1 403 Forbidden
  十、Nginx访问控制
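  1、针对某一个目录
  (说明:本例的 location 匹配的是以 admin.php 结尾的 URI。allow/deny 判断的是连接到 nginx 的客户端地址;nginx 前面若还有代理或负载均衡,这里看到的是代理的地址。该限制只对命中此 location 的请求生效,通用的 location ~ \.php$ 块应加上 try_files $uri =404;,避免不存在的 .php 路径被交给 php-fpm 处理。)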
  # vim /etc/nginx/vhosts/test.conf
  15   location ~ .*admin\.php$ {
  16         allow 127.0.0.1;
  17         deny all;
  18         include fastcgi_params;
  19         fastcgi_pass unix:/tmp/www.sock;
  20         fastcgi_index index.php;
  21         fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
  22   }
  2、全局配置
  # vim /etc/nginx/vhosts/test.conf
  1 server
  2 {
  3   listen 80;
  4   server_name www.test.com www.aaa.com www.bbb.com;
  5   if ($host != 'www.test.com')
  6   {
  7         rewrite ^/(.*)$ http://www.test.com/$1 permanent;
  8   }
  9
  10   index index.html index.htm index.php;
  11   root /data/www;
  12   access_log /tmp/nginx_access.log combined_realip;
  13   deny 192.168.1.218;   //
  14   deny 192.168.1.0/24;    //针对一个网段
  3、测试
  # curl -x127.0.0.1:80 www.test.com/admin.php -I
  HTTP/1.1 200 OK
  # curl -x192.168.1.21:80 www.test.com/admin.php -I
  HTTP/1.1 403 Forbidden
  # curl -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 200 OK
  十一、nginx禁止指定user_agent
  (说明:User-Agent 由客户端自行填写,下面的测试中用 curl -A 换一个值即可通过;这种规则只适合过滤不加伪装的爬虫,不能作为安全防护手段。)
  1 server
  2 {
  3   listen 80;
  4   server_name www.test.com www.aaa.com www.bbb.com;
  5   if ($host != 'www.test.com')
  6   {
  7         rewrite ^/(.*)$ http://www.test.com/$1 permanent;
  8   }
  9
  10   index index.html index.htm index.php;
  11   root /data/www;
  12   access_log /tmp/nginx_access.log combined_realip;
  13   deny 192.168.1.218;
  14
  15   if ($http_user_agent ~* 'curl|baidu|111111')   //*表示不区分大小写
  16         {
  17               return 403;
  18         }
  # curl -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 403 Forbidden
  # curl -A "2121" -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 200 OK
  # curl -A "baidu11" -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 403 Forbidden
  # curl -A "baid11" -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 200 OK
  # curl -A "111111" -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 403 Forbidden
  # curl -A "111" -x192.168.1.21:80 www.test.com/forum.php -I
  HTTP/1.1 200 OK
  十二、Nginx代理
  1、代理指定域名
  # vim /etc/nginx/vhosts/proxy.conf
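  # Forward every request for www.baidu.com that reaches this nginx to one
  # fixed upstream address.
  server {
      listen 80;
      server_name www.baidu.com;

      location / {
          # The address is hard-coded, so this stops working if the site
          # moves to another IP.
          proxy_pass http://14.215.177.38/;    # Baidu IP address
          # While the next line stays commented out, nginx sends the
          # proxy_pass address as the Host header instead of the name the
          # client asked for.
          #proxy_set_header Host $host;
      }
  }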
  测试
  # curl -x192.168.1.21:80 www.baidu.com
  # curl -x192.168.1.21:80 www.baidu.com -I
  HTTP/1.1 200 OK
  # curl -x127.0.0.1:80 www.baidu.com -I
  HTTP/1.1 200 OK
  dig工具
  # dig www.baidu.com
  ;DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4www.baidu.com
  ;; global options: +cmd
  ;; Got answer:

  ;; ->>HEADER(原帖此处输出被截断)
  2、一个域名对应多个IP代理
  # vim /etc/nginx/vhosts/proxy.conf
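  # Group of backend addresses; nginx spreads requests across the listed
  # servers.
  upstream ming {      # name of the upstream group
      server 14.215.177.37:80;
      server 14.215.177.38:80;
  }

  server {
      listen 80;
      server_name www.baidu.com;

      location / {
          proxy_pass http://ming/;
          # Forward the host name the client asked for, not the group name.
          proxy_set_header Host $host;
          # The variable is spelled $remote_addr; the page had "$remote-addr".
          # Enable it when the backend needs the client address.
          #proxy_set_header X-Real-IP $remote_addr;
      }
  }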
  # nginx -t

  # nginx -s reload
  # curl -x192.168.1.21:80 www.baidu.com -I
  HTTP/1.1 200 OK
