

Lesson 21 preparation tasks

1. Default virtual host

1.2 Create the virtual host configuration file

1.3 Create the site data directory

1.4 Test that the virtual host works

2. Nginx user authentication

2.1 Edit the virtual host configuration file

2.2 Generate the password file

2.3 Test that user authentication works

3. Nginx domain redirection

3.1 Edit the configuration file

4. Nginx access log

4.2 Configure the access log format

4.3 Test the log configuration

5. Nginx log rotation

5.2 Automatic nginx log rotation script

5.3 Configure the scheduled task

6. Static files: no logging and expiry time

6.2 Edit the configuration file

6.3 Test the static file configuration

7. Nginx hotlink protection

7.2 Edit the configuration file

7.3 Test the configuration

8. Nginx access control

8.1 Edit the configuration file for IP-based access control

8.2 Restrict by user_agent

9. Nginx PHP parsing configuration

9.1 Edit the configuration file

9.2 Test that nginx parses PHP

10. Nginx proxy

10.1 Edit the configuration file

10.2 Test that the proxy works

1. Default virtual host

1.1 The nginx default virtual host is used when a user accesses the server by IP address, or through a domain that is not configured (for example, when someone points their own domain at your IP).

1.2 Create the virtual host configuration file

// create a directory for the virtual host configuration files
[[email protected] conf]# mkdir /usr/local/nginx/conf/vhost
// edit nginx.conf and add include vhost/*.conf; at the end of the http block
[[email protected] conf]# vim nginx.conf
http
{
    include mime.types;
    ..............................
    postpone_output 1460;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    client_body_temp_path /usr/local/nginx/client_body_temp;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
    fastcgi_intercept_errors on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm
    application/xml;
    include vhost/*.conf;
// create a virtual host configuration file
[[email protected] vhost]# vim test.com.conf
server
{
    # listen on port 80 and make this the default virtual host
    listen 80 default_server;
    # server name
    server_name aaa.com;
    # default index pages
    index index.html index.htm index.php;
    # document root; must be the site data directory created in 1.3
    root /data/wwwroot/test.com;
}
           

1.3 Create the site data directory

// create the site data directory
[[email protected] vhost]# mkdir -p /data/wwwroot/test.com
// create the site index page
[[email protected] vhost]# vim /data/wwwroot/test.com/index.html
This is a nginx default page!
           

1.4 Test that the virtual host works

// check the configuration syntax and reload the configuration
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

// test the index page; because this is the default host, any other domain that resolves to this machine also works
[[email protected] vhost]# curl -x127.0.0.1:80 test.com
This is a nginx default page!
[[email protected] vhost]# curl -x127.0.0.1:80 www.111.com
This is a nginx default page!

           

2. Nginx user authentication

2.1 Edit the virtual host configuration file

[[email protected] vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
location  /1.php                     # the directory or page that requires authentication
    {
        auth_basic              "Auth";                          # realm string sent in the WWW-Authenticate header
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;   # user name / password file
    }

1. A whole directory can be protected instead: location /upload requires authentication for everything under upload.
2. location ~ admin.php matches the access path of a PHP script.
           

2.2 Generate the password file

// generate the password file with the htpasswd tool shipped with Apache; if it is missing, install httpd with yum
[[email protected] vhost]# yum install -y httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                        | 7.7 kB  00:00:00
 * base: mirror.vpshosting.com.hk
 * epel: mirrors.aliyun.com
 * extras: mirror.vpshosting.com.hk
 * updates: mirror.vpshosting.com.hk
............................................
// create a user called knightlai for the authentication test
[[email protected] vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd knightlai
New password: 
Re-type new password: 
Adding password for user knightlai
           

2.3 Test that user authentication works

// create a 1.php page for the test
[[email protected] vhost]# vim /data/wwwroot/test.com/1.php
// check the syntax and reload the configuration
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
// the test now returns 401: user authentication is required
[[email protected] vhost]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 02:01:27 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
// with the user name and password the request succeeds, so the configuration works
[[email protected] vhost]# curl -uknightlai:123456  -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 02:03:24 GMT
Content-Type: application/octet-stream
Content-Length: 27
Last-Modified: Tue, 11 Sep 2018 01:58:02 GMT
Connection: keep-alive
ETag: "5b97212a-1b"
Accept-Ranges: bytes
           

3. Nginx domain redirection

3.1 Edit the configuration file

[[email protected] vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf 
server
{
    listen 80 default_server;
    server_name test.com 111.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {
        # every request whose Host is not test.com is redirected to test.com
        # permanent gives a 301 permanent redirect; redirect would give a 302
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }

}
           

3.2 Test the configuration

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload


[[email protected] vhost]# curl  -x127.0.0.1:80 test2.com/ -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 02:25:36 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/

           

4. Nginx access log

4.1 nginx has a very flexible logging scheme. Each configuration level can have its own access log. The log format is defined with the log_format directive.

4.2 Configure the access log format

[[email protected] vhost]# vim /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

$remote_addr, $http_x_forwarded_for (behind a reverse proxy)  client IP address
$remote_user  client user name
$request  requested URL and HTTP protocol
$status  response status
$body_bytes_sent  bytes sent to the client, excluding the response header; compatible with the "%B" parameter of Apache's mod_log_config module.
$bytes_sent  total bytes sent to the client.
$connection  connection serial number.
$connection_requests  number of requests made so far over this connection.
$msec  time the log entry was written, in seconds with millisecond precision.
$pipe  "p" if the request was sent through HTTP pipelining, "." otherwise.
$http_referer  the page the request was linked from
$http_user_agent  client browser information
$request_length  request length (request line, headers and body).
$request_time  request processing time in seconds with millisecond precision, from the first byte read from the client until the log entry is written after the last byte has been sent to the client.
$time_iso8601  local time in ISO 8601 format.
$time_local  local time in common log format.
           

4.3 Test the log configuration

[[email protected] vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80 default_server;
    server_name test.com 111.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    # combined_realip is the name given to the log_format defined in nginx.conf
    access_log /usr/local/nginx/logs/access.log combined_realip;

}


[[email protected] vhost]# cd /usr/local/nginx/logs
[[email protected] logs]# ls
access.log  error.log  nginx_error.log  nginx.pid

// check that logging works: all the requests we just made were recorded (the last two lines use the new combined_realip format, the earlier ones the default combined format)
[[email protected] vhost]# tail /usr/local/nginx/logs/access.log 
127.0.0.1 - - [10/Sep/2018:21:33:53 -0400] "GET HTTP://www.222.com/ HTTP/1.1" 200 30 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:00:46 -0400] "GET HTTP://test.com/1.php HTTP/1.1" 200 27 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:00:50 -0400] "HEAD HTTP://test.com/1.php HTTP/1.1" 200 0 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:01:27 -0400] "HEAD HTTP://test.com/1.php HTTP/1.1" 401 0 "-" "curl/7.29.0"
127.0.0.1 - knightlai [10/Sep/2018:22:03:24 -0400] "HEAD HTTP://test.com/1.php HTTP/1.1" 200 0 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:23:52 -0400] "HEAD HTTP://test.com/ HTTP/1.1" 200 0 "http://www.abc.com" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:25:30 -0400] "HEAD HTTP://test.com/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:25:36 -0400] "HEAD HTTP://test2.com/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:50 -0400] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:51 -0400] test.com "/" 200 "-" "curl/7.29.0"
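Added example, not from the original post: a shell function that reads lines in the combined_realip format defined in 4.2 and reports client IPs with repeated 401 responses, which is how a password-guessing run against the auth_basic location from section 2 shows up in this log. The log lines are constructed for the example; the threshold and file path are arguments.

```shell
#!/bin/bash
# Added example, not from the original post. Reports client IPs that received
# at least $2 HTTP 401 responses in the log file $1, written with the
# combined_realip format from 4.2:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
auth_failures() {
    awk -F'"' -v limit="$2" '
        {
            # splitting on " leaves everything before the URI in $1 and the status in $3
            split($1, head, " ")            # head[1] is $remote_addr
            status = $3
            gsub(/ /, "", status)
            if (status == "401") fail[head[1]]++
        }
        END {
            for (ip in fail)
                if (fail[ip] >= limit) print ip, fail[ip]
        }' "$1" | sort
}

# Constructed sample log (not real traffic): one client repeatedly failing
# on the protected 1.php from section 2, one successful login, one stray failure.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
10.0.0.5 - [11/Sep/2018:02:01:20 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
10.0.0.5 - [11/Sep/2018:02:01:21 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
10.0.0.5 - [11/Sep/2018:02:01:22 -0400] test.com "/1.php" 401 "-" "curl/7.29.0"
192.168.139.168 - [11/Sep/2018:02:03:24 -0400] test.com "/1.php" 200 "-" "curl/7.29.0"
127.0.0.1 - [11/Sep/2018:02:03:30 -0400] test.com "/1.php" 401 "-" "Mozilla/5.0"
EOF

auth_failures "$sample_log" 3      # prints: 10.0.0.5 3
```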
           

5. Nginx log rotation

5.1 By default nginx writes every log entry to a single file, which keeps growing and becomes inconvenient to inspect and analyse. Rotating the log by date is better; statistics are usually done per day.

5.2 Automatic nginx log rotation script:

[[email protected] logs]# vim /usr/local/sbin/nginx_log.sh
#!/bin/bash
# log directory
logdir='/usr/local/nginx/logs'
# year and month of yesterday
log_path=$(date -d yesterday +"%Y%m")
# day of month of yesterday
day=$(date -d yesterday +"%d")
# create one folder per year-month
mkdir -p $logdir/$log_path
# move yesterday's log into that month's folder
mv $logdir/access.log $logdir/$log_path/access_$day.log
# print the backup file name
# echo $logdir/$log_path/access_$day.log
# signal nginx to reload so that it reopens the log file
kill -HUP `cat /usr/local/nginx/logs/nginx.pid`
           

5.3 Configure the scheduled task

crontab -e

59 23 * * * bash /usr/local/sbin/nginx_log.sh   # run every day at 23:59
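Added example, not from the original post: the rotation from 5.2 rewritten as a function that takes the log directory and pid file as arguments, refuses to run when there is nothing to rotate or when the target already exists, and sends USR1 (reopen log files) instead of HUP (full configuration reload). The argument names are mine; the directory layout is the one the page uses.

```shell
#!/bin/bash
# Added example, not from the original post. Usage:
#   rotate_nginx_log /usr/local/nginx/logs /usr/local/nginx/logs/nginx.pid
rotate_nginx_log() {
    local logdir="$1"    # directory holding access.log
    local pidfile="$2"   # nginx master pid file
    local ym day target
    ym=$(date -d yesterday +"%Y%m")
    day=$(date -d yesterday +"%d")
    target="$logdir/$ym/access_$day.log"

    if [ ! -f "$logdir/access.log" ]; then
        echo "nothing to rotate in $logdir" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        echo "refusing to overwrite $target" >&2
        return 2
    fi
    mkdir -p "$logdir/$ym"
    mv "$logdir/access.log" "$target"
    # nginx keeps writing to the moved file until told to reopen; USR1 does
    # exactly that without reloading the whole configuration.
    if [ -f "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")"
    fi
    echo "$target"
}
```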
           

6. Static files: no logging and expiry time

6.1 When configuring Apache we saw that static files can be excluded from logging; in nginx certain static files can likewise be ignored and left out of the log.

6.2 Edit the configuration file

[[email protected] logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
# match by file extension at the end of the URL; inside the parentheses | means "or", and \. is an escaped dot
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
          expires      7d;   # expiry time: 7 days
          access_log off;
    }
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
           

6.3 Test the static file configuration

// create a jpg file for the test
[[email protected] logs]# vim /data/wwwroot/test.com/1.jpg

[[email protected] logs]# curl  -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:20:24 GMT
Content-Type: image/jpeg
Content-Length: 18
Last-Modified: Tue, 11 Sep 2018 03:14:51 GMT
Connection: keep-alive
ETag: "5b97332b-12"
Expires: Tue, 18 Sep 2018 03:20:24 GMT
Cache-Control: max-age=604800  // this is the expiry time (604800 s = 7 days)
Accept-Ranges: bytes

[[email protected] logs]# curl  -x127.0.0.1:80 test.com/1.japg -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:20:49 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
// check the log: the request for the jpg was not recorded, while the 404 for 1.japg (which does not match the pattern) was
[[email protected] logs]# cat /usr/local/nginx/logs/access.log 
127.0.0.1 - - [10/Sep/2018:21:31:12 -0400] "GET HTTP://test.com/ HTTP/1.1" 200 30 "-" "curl/7.29.0"
127.0.0.1 - - [10/Sep/2018:22:25:36 -0400] "HEAD HTTP://test2.com/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:50 -0400] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:22:39:51 -0400] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [10/Sep/2018:23:20:49 -0400] test.com "/1.japg" 404 "-" "curl/7.29.0"

           

7. Nginx hotlink protection

7.1 First, why hotlink protection is needed: some resources are contested by competitors, for example Taobao product images, which should not be easily collected by crawlers. Hotlink protection needs to know which resource the request came from and check it against a list. The referring resource is obtained through the valid_referers directive of the referer module.

7.2 Edit the configuration file

[[email protected] logs]# vim /usr/local/nginx/conf/vhost/test.com.conf 
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 404;
    }
}

# valid_referers none blocked *.test.com;

This is the whitelist of domains allowed to link to the files; change it to your own domain. *.test.com covers the subdomains; separate domains with spaces. Regex locations are tried in the order they appear and the first match wins, so if the block from 6.2 with the same pattern is still present, add these directives inside it rather than as a second block.

           

7.3 Test the configuration

// only requests whose referer is on the whitelist succeed
[[email protected] logs]# curl -e "http://www.test.com/1.txt"  -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:47:24 GMT
Content-Type: image/jpeg
Content-Length: 18
Last-Modified: Tue, 11 Sep 2018 03:14:51 GMT
Connection: keep-alive
ETag: "5b97332b-12"
Expires: Tue, 18 Sep 2018 03:47:24 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

// a referer that is not on the whitelist gets a 404
[[email protected] logs]# curl -e "http://www.aaa.com/1.txt"  -x127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 03:47:45 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
           

8. Nginx access control

8.1 Edit the configuration file for IP-based access control

// edit the configuration file
[[email protected] logs]# vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
    {
          allow 192.168.139.168;
          allow 127.0.0.1;
          deny all;
     }

[[email protected] logs]# mkdir /data/wwwroot/test.com/admin
[[email protected] logs]# vim /data/wwwroot/test.com/admin/1.html

// test that the whitelisted addresses can access the page
[[email protected] logs]# curl  -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:11:42 GMT
Content-Type: text/html
Content-Length: 21
Last-Modified: Tue, 11 Sep 2018 04:08:34 GMT
Connection: keep-alive
ETag: "5b973fc2-15"
Accept-Ranges: bytes

[[email protected] logs]# curl  -x192.168.139.168:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:12:04 GMT
Content-Type: text/html
Content-Length: 21
Last-Modified: Tue, 11 Sep 2018 04:08:34 GMT
Connection: keep-alive
ETag: "5b973fc2-15"
Accept-Ranges: bytes

// other addresses cannot access it (note that the 404 below was returned by the proxy at 192.168.1.3 itself, Server: Microsoft-IIS/6.0, so this request never reached nginx; a request that does reach nginx from a non-whitelisted address gets a 403)
[[email protected] logs]# curl  -x192.168.1.3:80 test.com/admin/1.html -I
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 19 Sep 2018 08:31:29 GMT

           

8.2 Restrict by user_agent

[[email protected] logs]# vim /usr/local/nginx/conf/vhost/test.com.conf 
     location ~ .*(abc|image)/.*\.php$
        {
             deny all;
        }

      if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
       {
           return 403;
       }

// simulating a visit with a Tomato user agent returns a 403
[[email protected] logs]# curl --user-agent "Tomato" -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:23:02 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[[email protected] logs]# curl --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:21:59 GMT
Content-Type: text/html
Content-Length: 21
Last-Modified: Tue, 11 Sep 2018 04:08:34 GMT
Connection: keep-alive
ETag: "5b973fc2-15"
Accept-Ranges: bytes
           

9. Nginx PHP parsing configuration

9.1 Edit the configuration file

[[email protected] logs]# vim /usr/local/nginx/conf/vhost/test.com.conf 
location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }


fastcgi_pass specifies the address or socket that php-fpm listens on

           

9.2 測試nginx解析php是否成功

[[email protected] logs]# curl  -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:29:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32

[[email protected] logs]# cat /data/wwwroot/test.com/1.php
<?php
echo "I am 1.php"
?>
// the request succeeds and the PHP output is returned
[[email protected] logs]# curl  -x127.0.0.1:80 test.com/1.php
I am 1.php
           

10. Nginx proxy

10.1 Edit the configuration file

// create a proxy configuration file and add the parameters
[[email protected] logs]# cd /usr/local/nginx/conf/vhost/
[[email protected] vhost]# vim proxy.conf
server
{
    listen  80;
    server_name  www.linuxidc.com;
 
    location / {
        proxy_pass        http://www.linuxidc.com;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}
           

10.2 測試代理是否配置成功

[[email protected] vhost]# curl  -x127.0.0.1:80 www.linuxidc.com  -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 04:46:54 GMT
Content-Type: text/html
Content-Length: 30
Last-Modified: Tue, 11 Sep 2018 01:28:22 GMT
Connection: keep-alive
ETag: "5b971a36-1e"
Accept-Ranges: bytes

// if the proxy is removed, this is what comes back instead
[[email protected] vhost]# curl  -x127.0.0.1:80  www.linuxidc.com  -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Tue, 11 Sep 2018 05:05:12 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.linuxidc.com/
X-Via-JSL: 301d0ef,-
Set-Cookie: __jsluid=61c9945ab89155ecb9abe24c40864b07; max-age=31536000; path=/; HttpOnly
X-Cache: error