nginx default virtual host
Configuring the nginx default virtual host: in fact one is already configured by default. In the nginx configuration file you simply add a server block; in general you write one server block per website you host. There is a second way: write no server block in the main configuration file at all, and instead put each virtual host in its own configuration file (vhost/*.conf) and add include vhost/*.conf to the main configuration file.
Edit the main configuration file: delete the server section from nginx.conf and add one line:
include vhost/*.conf;
Under /usr/local/nginx/conf/ create a directory (vhost) and create a new file inside it. This vhost directory plays the same role as the virtual host configuration files in Apache.
[root@localhost conf]# mkdir vhost
[root@localhost conf]# cd vhost/
[root@localhost vhost]# ls
[root@localhost vhost]# vim aaa.com.conf
server
{
    listen 80 default_server;   # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
Comments in an nginx configuration start with #; a // comment is read as an unknown directive and nginx -t rejects the file. If no server block on a given address:port carries default_server, nginx uses the first one it reads for that port, which is why a default host "already exists".
Create /data/wwwroot/default and write an index.html in the default directory:
[root@localhost vhost]# mkdir /data/wwwroot/default
[root@localhost vhost]# cd /data/wwwroot/default/
[root@localhost default]# echo "This is a default site." > /data/wwwroot/default/index.html
Check the configuration file syntax:
[root@localhost default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload the configuration:
[root@localhost default]# /usr/local/nginx/sbin/nginx -s reload
On a running server you normally reload the configuration rather than restart the service (/etc/init.d/nginx restart): a restart stops nginx briefly before starting it again, whereas a reload starts new worker processes on the new configuration and retires the old ones without dropping connections. Always run nginx -t first; a reload with a broken configuration is refused and the old configuration stays in force.
Test the default host:
[root@localhost default]# curl localhost
this is a default site
The default virtual host answers every request that arrives at this IP, whatever Host name it carries, as long as that name does not match the server_name of another server block on the same port:
[root@localhost default]# curl -x127.0.0.1:80 bbb.com
this is a default site
[root@localhost default]# curl -x127.0.0.1:80 abadsj.com
this is a default site
Because it is a catch-all, the default server also receives requests addressed to the bare IP, to Host names invented by scanners, and to any domain a third party points at your address. In production it is therefore usually an empty catch-all that serves nothing (or simply closes the connection) rather than one of your real sites, so that none of your content is reachable under a name you do not control.
Nginx user authentication
User authentication is done for security. It was already covered when configuring httpd user authentication, so the two articles can be read together.
http://blog.csdn.net/aoli_shuai/article/details/78854280
Steps for user authentication:
- Confirm that the htpasswd command (part of httpd) is installed on the machine
- If htpasswd is missing, install it; then add a location to the server block stating which sites, directories or pages require authentication and where the password file is stored
- Set each user's password with the command /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd shuai
Create a virtual host (test.com.conf):
[root@localhost wwwroot]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# ls
aaa.com.conf
[root@localhost vhost]# vim test.com.conf
Write:
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;   # username/password file
    }
}
The password file is generated with htpasswd, which was installed when doing Apache user authentication; if it is missing, install it with yum install -y httpd. Three things to keep in mind about this file: it lives under /usr/local/nginx/conf, outside every root directory nginx serves, and must stay there; it must be readable by the user the nginx worker processes run as, but by nobody else; and HTTP Basic authentication sends the username and password base64-encoded (not encrypted) in every request, so a location protected this way must only be exposed over HTTPS.
Create the authentication entry for user shuai:
[root@localhost vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd shuai
New password:
Re-type new password:
Adding password for user shuai
And for user aoli:
[root@localhost vhost]# /usr/local/apache2.4/bin/htpasswd /usr/local/nginx/conf/htpasswd aoli
New password:
Re-type new password:
Adding password for user aoli
[root@localhost vhost]# cat /usr/local/nginx/conf/htpasswd
shuai:$apr1$V0AiFAbc$CSttuCLed5mA1AMi1mKdw/
aoli:$apr1$OX2YLAuw$z1XF5XGLO/Z15Qw5dFo0V0
The -c flag creates the file and overwrites it if it already exists, so it is used only for the first user; the second command omits it and appends. The $apr1$ prefix marks Apache's iterated-MD5 scheme, the htpasswd default; htpasswd -B stores bcrypt instead, which nginx accepts wherever the system crypt() supports it.
Check the syntax and reload the configuration:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@localhost vhost]# curl -x127.0.0.1:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
A 401: authentication is required.
[root@localhost vhost]# curl -ushuai:123456 -x127.0.0.1:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
A 404: the credentials were accepted, but there is no file to serve.
Write an index.html file.
[root@localhost vhost]# mkdir /data/wwwroot/test.com
[root@localhost vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@localhost vhost]# curl -ushuai:123456 -x127.0.0.1:80 test.com
test.com
The configuration above requires authentication for the whole site, because the auth_basic directives sit in location /. To require it for a single directory only, for example admin, put them in a location for that directory.
Modify the virtual host configuration:
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /admin/
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
Check the syntax and reload the configuration:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
Test:
Access test.com
[root@localhost vhost]# curl -x127.0.0.1:80 test.com
test.com
Access test.com/admin
[root@localhost vhost]# curl -x127.0.0.1:80 test.com/admin
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
Note what this 404 means: the prefix location /admin/ only matches URIs that begin with /admin/, and the request above is for /admin without the trailing slash, so it never reaches the auth_basic directives and simply fails to find a file. Request test.com/admin/ (or any path below it) to see the 401. Prefix locations are also case-sensitive, so protect the directory name exactly as it exists on disk.
For a single .php file, write the location as a regular-expression match, escaping the dot so that it only matches a literal period:
location ~ admin\.php$
Be careful when such a location is combined with the PHP handler location (location ~ \.php$, shown at the end of this article). nginx uses the first regular-expression location that matches, in file order, so the authentication location must appear before the handler and must itself contain the fastcgi directives: if it comes after the handler it never runs, and if it comes first without them nginx serves admin.php as a plain static file and discloses its source.
nginx domain redirect
A domain redirect applies when one host is configured with several domain names: requests for any name other than the primary domain are redirected to the primary domain.
Steps for a domain redirect:
- List the additional domains in server_name
- Add the rewrite rule to the configuration
Modify the virtual host configuration:
[root@localhost vhost]# vim test.com.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    location /admin/
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
Several domains can be listed after server_name; unlike httpd, nginx has no separate ServerAlias directive.
permanent here produces a 301 (permanent) redirect.
redirect produces a 302.
$host is taken from the request's Host header, lowercased and with any port removed, so the comparison with 'test.com' also catches TEST.COM and test.com:80. Remember that browsers cache a 301, so test with redirect (302) until the rule is right.
Check the syntax and reload the configuration:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@localhost vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Mon, 08 Jan 2018 11:16:30 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@localhost vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Mon, 08 Jan 2018 11:16:42 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@localhost vhost]# curl -x127.0.0.1:80 test4.com/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 08 Jan 2018 11:16:49 GMT
Content-Type: text/html
Content-Length: 23
Last-Modified: Mon, 08 Jan 2018 07:52:14 GMT
Connection: keep-alive
ETag: "5a53232e-17"
Accept-Ranges: bytes
test2.com and test3.com are both redirected with a 301. test4.com is not in server_name, so that request falls through to the default virtual host (aaa.com) and the 200 comes from /data/wwwroot/default.
The four nginx rewrite flags: http://www.netingcn.com/nginx-rewrite-flag.html
Nginx的通路日志
Nginx的日志格式是在Nginx的主配置檔案中(/usr/local/nginx/conf/nginx.conf)
[[email protected] vhost]# vim /usr/local/nginx/conf/nginx.conf
可以将日志格式名稱改一下,改為shaui
Nginx日志字段的含義
在主配置檔案中定義日志的格式,在虛拟主機配置檔案中定義日志路徑。
打開虛拟主機配置檔案
[[email protected] vhost]# vim test.com.conf
access_log /tmp/test.com.log shuai;
注意,Nginx配置檔案寫完一行要加“;”,不然就是錯誤。
檢查配置檔案文法并重新加載配置檔案
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
檢測:
[[email protected] vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Mon, 08 Jan 2018 12:41:20 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[[email protected] vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Mon, 08 Jan 2018 12:41:26 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[[email protected] vhost]# cat /tmp/test.com.log
127.0.0.1 - [08/Jan/2018:20:41:20 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:20:41:26 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"
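The two lines above are all the post shows of this format. As an added example (my own code, not the post's), here is how a practitioner would read such a log for the password guessing that the auth_basic location from the user-authentication section invites, and for a per-host status overview. The log_format in the leading comment is my assumption, reconstructed from the two sample lines; the log lines inside sample_log are constructed, and the function names are mine.

```shell
#!/bin/sh
# Assumed log_format (inferred from the sample lines on this page, not shown in the post):
#   '$remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"'
# Whitespace-separated fields: 1=client 2=forwarded-for 3,4=time 5=host 6=uri 7=status
# (referer and user agent follow in quotes and may contain spaces, so they are not used here).

# Constructed sample log: one client fails five times against /admin/ and then gets in,
# another mistypes once, and two ordinary requests round it off.
sample_log() {
    cat <<'EOF'
10.0.0.5 - [09/Jan/2018:10:00:01 +0800] test.com "/admin/" 401 "-" "python-requests/2.18"
10.0.0.5 - [09/Jan/2018:10:00:02 +0800] test.com "/admin/" 401 "-" "python-requests/2.18"
10.0.0.5 - [09/Jan/2018:10:00:02 +0800] test.com "/admin/" 401 "-" "python-requests/2.18"
10.0.0.5 - [09/Jan/2018:10:00:03 +0800] test.com "/admin/" 401 "-" "python-requests/2.18"
10.0.0.5 - [09/Jan/2018:10:00:03 +0800] test.com "/admin/" 401 "-" "python-requests/2.18"
10.0.0.5 - [09/Jan/2018:10:00:04 +0800] test.com "/admin/" 200 "-" "python-requests/2.18"
192.0.2.9 - [09/Jan/2018:10:05:00 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"
192.0.2.9 - [09/Jan/2018:10:05:09 +0800] test.com "/admin/" 200 "-" "Mozilla/5.0"
127.0.0.1 - [09/Jan/2018:10:06:00 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:10:06:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
EOF
}

# flag_auth_bruteforce THRESHOLD   (log on stdin)
# Prints "client count" for every client that collected THRESHOLD or more 401 responses,
# with "(then succeeded)" appended when the same client later received a 200: the
# signature of a guessed password. Output is sorted so it is stable for scripting.
flag_auth_bruteforce() {
    awk -v threshold="$1" '
        $7 == 401 { fails[$1]++ }
        $7 == 200 && ($1 in fails) { succeeded[$1] = 1 }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%s %d%s\n", ip, fails[ip], (ip in succeeded) ? " (then succeeded)" : ""
        }' | LC_ALL=C sort
}

# status_summary   (log on stdin)
# One line per virtual host and status code with its count: a quick way to see which
# site the 4xx traffic is aimed at.
status_summary() {
    awk '{ count[$5 " " $7]++ } END { for (k in count) printf "%s %d\n", k, count[k] }' | LC_ALL=C sort
}

# Typical use against the rotated file from the next section:
#   flag_auth_bruteforce 20 < /tmp/test.com.log-20180108
```

Both functions count over the whole file, so run them on one day's rotated log (or pipe in the lines of the time window you care about) rather than on a log that has grown for months.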
Nginx日志切割
nginx由于沒有自帶的日志切割工具,在切割日志時,需要借助于系統帶的日志切割工具,或者是自己寫一個日志切割腳本。
自己寫一個日志切割腳本。腳本統一儲存/usr/local/sbin/
先自定義一個腳本:
[[email protected] vhost]# vim /usr/local/sbin/nginx_logrotate.sh
#! /bin/bash
## 假設nginx的日志存放路徑為/tmp/
d=`date -d "-1 day" +%Y%m%d`
#定義切割時間(切割一天前的日志)
logdir="/tmp/"
#此處指定要切割的日志路徑(該路徑來自虛拟主機配置檔案)
nginx_pid="/usr/local/nginx/logs/nginx.pid"
#調用pid的目的是執行指令:/bin/kill -HUP `cat $nginx_pid`
#該指令等價于指令:nginx -s reload(重新加載檔案),確定與虛拟主機配置檔案變更保持同步
#該位址來自nginx配置檔案
cd $logdir
for log in `ls *.log`
do
mv $log $log-$d
done
#此處使用通配進行循環,并改名字(切割是每天産生的日志重命名)
/bin/kill -HUP `cat $nginx_pid`
#執行此指令進行重載生成新的日志檔案來記錄新的日志
執行腳本:
[[email protected] vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180108
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180108
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 1513
-x : 作用是顯示腳本執行過程
注意:
這隻是對日志進行了切割,對日志進行删除需要結合任務計劃cron使用。切割也得配合cron使用。
切割之後,将大于一個月的日志檔案删除:
[[email protected] test.log]# find /usr/local/nginx/logs/test.log/ -type f -name *.log-* -mtime +30 |xargs rm
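A hardened version of the rotation script, as an added example (my own code, not the post's script): the function name rotate_nginx_logs and its arguments are mine. It assumes only a log directory, the nginx pid file and, optionally, a date stamp; it globs instead of parsing ls, quotes every path, sends USR1 (nginx -s reopen) only to a master that is actually running, and prunes files older than 30 days in the same run, so the separate find | xargs rm step is no longer needed.

```shell
#!/bin/sh
# rotate_nginx_logs LOGDIR PIDFILE [STAMP]
#   LOGDIR  directory holding the *.log files named in access_log directives
#   PIDFILE the nginx master pid file (/usr/local/nginx/logs/nginx.pid on this page)
#   STAMP   suffix for the rotated files; defaults to yesterday's date like the original script
rotate_nginx_logs() {
    logdir=$1
    pidfile=$2
    stamp=${3:-$(date -d "-1 day" +%Y%m%d)}

    # Let the shell expand the glob; `ls *.log` would split on whitespace and hide errors.
    set -- "$logdir"/*.log
    if [ ! -e "$1" ]; then
        echo "no *.log files in $logdir" >&2
        return 0
    fi
    for log; do
        mv -- "$log" "$log-$stamp"
    done

    # USR1 makes the master and workers reopen their log files. HUP would reload the
    # whole configuration; if that configuration is broken, the old workers stay and
    # keep writing into the renamed files. Only signal a master that is alive.
    if [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        kill -s USR1 "$(cat "$pidfile")"
    else
        echo "nginx pid file $pidfile unusable; logs renamed but not reopened" >&2
    fi

    # Prune rotated files older than 30 days. The pattern is quoted so the shell does
    # not expand it, and -delete sidesteps the xargs word-splitting problem.
    find "$logdir" -maxdepth 1 -type f -name '*.log-*' -mtime +30 -delete
}

# Meant for cron, e.g.  0 0 * * * /usr/local/sbin/nginx_logrotate.sh
# with the script body ending in:
#   rotate_nginx_logs /tmp /usr/local/nginx/logs/nginx.pid
```

When rotating by hand, pass the stamp explicitly so that a second run on the same day does not silently rename a live log over the one already rotated.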
靜态檔案不記錄日志和過期時間
在配置檔案中加上配置:
打開配置檔案:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~.*\.(js|css)$
{
expires 12h;
acces_log off;
}
[[email protected] vhost]# vim test.com.conf
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#比對檔案類型
{
expires 7d;
#過期時間為7天
access_log off;
#不記錄該類型檔案的通路日志
}
location ~ .*\.(js|css)$
{
expires 12h;
#過期時間為12小時
access_log off;
#不記錄該類型檔案的通路日志
}
檢查配置檔案文法并重新加載配置檔案:
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
測試:
[[email protected] test.com]# curl -x127.0.0.1:80 test.com/1.gif
shjdkjhkasb
[[email protected] test.com]# curl -x127.0.0.1:80 test.com/2.js
ajkfdchb
[[email protected] test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
[[email protected] test.com]# cat /tmp/test.com.log
127.0.0.1 - [09/Jan/2018:00:39:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
Nginx anti-hotlinking
Anti-hotlinking also uses a location block, and it is written into the same block as the static-file no-log and expiry settings.
Steps for anti-hotlinking:
- Set a Referer whitelist
- Reject every Referer that is not on the whitelist
Open the virtual host configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com ;
    # the whitelist: none = no Referer header at all, blocked = a Referer whose scheme a proxy or firewall stripped,
    # server_names = the names listed in this server's server_name, *.test.com = any subdomain of test.com
    if ($invalid_referer) {
        return 403;
    }
    # a Referer not on the whitelist gets a 403
    access_log off;
}
Note: the ~* modifier makes the regular expression case-insensitive, so 1.GIF is matched just like 1.gif. This block must replace the earlier .(gif|jpg|...)$ location rather than sit beside it: nginx takes the first regular-expression location that matches, in file order, so whichever of the two came first would handle every image and the other would never run.
Also note that the Referer is set by the client. none lets through every client that sends no Referer at all, which is what curl, wget and most download tools do by default, and blocked lets through any value that does not start with http:// or https://. The check stops casual embedding of your files on other sites; it is not an access control.
Check the syntax and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@localhost ~]# curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Tue, 09 Jan 2018 11:00:19 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 09 Jan 2018 11:01:15 GMT
Content-Type: image/gif
Content-Length: 12
Last-Modified: Mon, 08 Jan 2018 16:38:47 GMT
Connection: keep-alive
ETag: "5a539e97-c"
Expires: Tue, 16 Jan 2018 11:01:15 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
The Expires and Cache-Control headers in the second response come from expires 7d (604800 seconds).
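To make the valid_referers semantics concrete, here is an added example (my own code, not from the post) that mimics in shell how nginx's referer module decides $invalid_referer for the exact directive above, inside the test.com server whose server_name is test.com test1.com test2.com test3.com. The behaviour it models is my reading of the module: the scheme is compared case-insensitively, the host part is lowercased and stripped of port and path, a Referer without an http:// or https:// scheme (or shorter than http://i.ru) counts as blocked, and *.test.com matches subdomains but not test.com itself, which server_names covers.

```shell
#!/bin/sh
# check_referer REFERER
# Prints "valid" or "invalid" (and returns 0 or 1) the way nginx evaluates
#   valid_referers none blocked server_names *.test.com;
# in a server whose server_name is "test.com test1.com test2.com test3.com".
# Pass an empty string for a request that carries no Referer header.
check_referer() {
    ref=$1

    # none: the request carried no Referer header at all.
    if [ -z "$ref" ]; then
        echo valid; return 0
    fi

    # blocked: nginx treats any Referer shorter than "http://i.ru" or not starting
    # with http:// or https:// (scheme compared case-insensitively) as one that a
    # proxy or firewall mangled, and the "blocked" keyword whitelists it.
    if [ ${#ref} -lt 11 ]; then
        echo valid; return 0
    fi
    lower=$(printf '%s' "$ref" | tr 'A-Z' 'a-z')
    case $lower in
        http://*)  host=${lower#http://} ;;
        https://*) host=${lower#https://} ;;
        *)         echo valid; return 0 ;;
    esac

    # Only the host name is compared: drop the path and any port.
    host=${host%%/*}
    host=${host%%:*}

    case $host in
        test.com|test1.com|test2.com|test3.com) echo valid; return 0 ;;   # server_names
        *.test.com)                             echo valid; return 0 ;;   # the *.test.com pattern
    esac
    echo invalid
    return 1
}

# Example: reproduce the two curl tests on this page.
#   check_referer 'http://www.qq.com/1.txt'     -> invalid (the 403 above)
#   check_referer 'http://www.test.com/1.txt'   -> valid   (the 200 above)
```

Two outcomes are worth noting. A missing or non-HTTP Referer is accepted because of none and blocked, so any client that drops or garbles the header passes, and a look-alike host such as test.com.evil.example is rejected because the whole host name is compared, not a prefix of it.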
Nginx access control
The reasons for anti-hotlinking and access control were explained in the httpd article on access control and anti-hotlinking.
http://blog.csdn.net/aoli_shuai/article/details/78895746
Steps for access control:
- Set an IP whitelist
Requirement: only a few IP addresses may access the /admin/ directory.
Open the virtual host configuration file
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.176.135;
    deny all;
}
Access control in nginx differs considerably from Apache. Apache combines allow and deny through its Order directive; nginx has no such directive. nginx evaluates the allow and deny rules in the order they are written and stops at the first one that matches the client address, so deny all goes last. Two further points: a server may contain only one location /admin/ block (a second one is a "duplicate location" error), so these rules go into the same block as the auth_basic directives from earlier; and the address compared is the TCP peer, so behind a proxy or load balancer every client appears as the proxy's address unless the realip module is configured.
Check the syntax and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
Check:
[root@localhost ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 09 Jan 2018 11:23:23 GMT
Content-Type: text/html
Content-Length: 5
Last-Modified: Tue, 09 Jan 2018 11:23:20 GMT
Connection: keep-alive
ETag: "5a54a628-5"
Accept-Ranges: bytes
[root@localhost ~]# curl -x192.168.176.135:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 09 Jan 2018 11:25:02 GMT
Content-Type: text/html
Content-Length: 5
Last-Modified: Tue, 09 Jan 2018 11:23:20 GMT
Connection: keep-alive
ETag: "5a54a628-5"
Accept-Ranges: bytes
Both requests come from whitelisted addresses, so both get a 200; a request from any other address would get a 403.
Access control on PHP execution (to stop PHP files uploaded by users from being executed):
location ~ .*(abc|image)/.*\.php$
{
    deny all;
}
This location must appear before the location ~ \.php$ block that passes scripts to php-fpm (shown in the next section): nginx uses the first matching regular-expression location, so if the handler comes first, PHP files under abc/ and image/ are still executed.
Restricting by user_agent:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
~ is a case-sensitive match; use ~* to match regardless of case.
return 403 and deny all have the same effect on the client: both answer with a 403.
Nginx PHP parsing configuration
Core configuration:
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    # fastcgi_pass 127.0.0.1:9000;   use this form if php-fpm is configured to listen on an IP address
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
For nginx to execute PHP, this core block must be written into the configuration file.
fastcgi_pass names the address or socket that php-fpm listens on.
When a socket is used, the nginx worker user must be able to write to it. The quick fix is listen.mode = 666 in the php-fpm configuration (the socket needs the write bit), but that makes the socket writable by every local account, and anyone who can write to it can hand php-fpm a script to run as the php-fpm user. The tighter setting is to leave the mode at 660 and set listen.owner and listen.group to the nginx worker user.
unix:/tmp/php-fcgi.sock is the socket file defined in php-fpm.conf:
cat /usr/local/php-fpm/etc/php-fpm.conf shows what the configuration defines, and that is what goes here.
If php-fpm listens on an IP and port, the nginx configuration must be changed to
fastcgi_pass 127.0.0.1:9000;
The path in fastcgi_param also has to match the root directory above. Because SCRIPT_FILENAME is built from the request URI, combine this block with the deny rules from the previous section for upload directories and keep php-fpm's cgi.fix_pathinfo off (or rely on its security.limit_extensions, which defaults to .php), so that a request such as /image/x.jpg/y.php cannot get an uploaded image executed as PHP.
Nginx 502 errors and how to fix them: