mysql安装

  1. 将安装包放入到/usr/local/src
  2. 解压
  3. tar -zxf mysql-5.6.47-linux-glibc2.12-x86_64.tar.gz
  4. mv mysql-5.6.47-linux-glibc2.12-x86_64 /usr/local/mysql
  5. 创建MySQL用户,不可登录。启动需要
  6. useradd -s /sbin/nologin mysql
  7. lnmp src]# cd /usr/local/mysql/
  8. 创建存放数据目录;更改权限
  9. [root@lnmp mysql]# mkdir -p /data/mysql
  10. [root@lnmp mysql]# chown -R mysql:mysql /data/mysql/
  11. [root@lnmp mysql]# cd /data/mysql/
  12. [root@lnmp mysql]# yum install -y perl-Module-Install
  13. [root@lnmp mysql]# ./scripts/mysql_install_db --user=mysql --datadir=/data/mysql/

配置mysql

  1. [root@lnmp mysql]# cp support-files/my-default.cnf /etc/my.cnf
  2. cp: overwrite ‘/etc/my.cnf’? y
  3. [root@lnmp mysql]# vim /etc/my.cnf
  4. basedir = /usr/local/mysql
  5. datadir = /data/mysql
  6. port = 3306
  7. server_id = 29
  8. socket = /tmp/mysql.sock
  9. # 配置启动脚本(注意:下面的 chmod 777 会让任何本地用户都能改写这个以 root 身份运行的启动脚本,755 即可,与后文 php-fpm、nginx 启动脚本的权限一致)
  10. [root@lnmp mysql]# cp support-files/mysql.server /etc/init.d/mysqld
  11. [root@lnmp mysql]# chmod 777 /etc/init.d/mysqld
  12. [root@lnmp mysql]# vim /etc/init.d/mysqld
  13. basedir=/usr/local/mysql
  14. datadir=/data/mysql
  15. [root@lnmp mysql]# chkconfig --add mysqld
  16. [root@lnmp mysql]# chkconfig mysqld on
  17. [root@lnmp mysql]# service mysqld start
  18. Starting MySQL. SUCCESS!
  19. 出现success则为成功

安装php

  1. [root@lnmp src]# cd /usr/local/src/
  2. [root@lnmp src]# ls
  3. mysql-5.6.47-linux-glibc2.12-x86_64.tar.gz php-5.6.30.tar.gz
  4. #依赖
  5. [root@lnmp src]# yum install -y gcc libxml2-devel openssl openssl-devel bzip2 bzip2-devel libpng libpng-devel freetype freetype-devel epel-release libmcrypt-devel libcurl-devel libjpeg-devel
  6. [root@lnmp src]# tar -zxf php-5.6.30.tar.gz
  7. [root@lnmp src]# cd php-5.6.30
  8. [root@lnmp php-5.6.30]# ./configure --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm --with-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring --enable-exif --disable-ipv6 --with-pear --with-curl --with-openssl
  9. # libmcrypt-devel 来自 EPEL 源,需先单独执行 yum install -y epel-release,再执行 yum install -y libmcrypt-devel;这两个包不能在同一条命令里一起安装!!!
  10. [root@lnmp php-5.6.30]# make && make install
  11. [root@lnmp php-5.6.30]# echo $?
  12. 0
  13. 出现0表示上一条命令成功

配置php

  1. [root@lnmp php-5.6.30]# cp php.ini-production /usr/local/php-fpm/etc/php.ini
  2. 修改配置文件
  3. [root@lnmp php-5.6.30]# vim /usr/local/php-fpm/etc/php-fpm.conf
  4. [global]
  5. pid = /usr/local/php-fpm/var/run/php-fpm.pid
  6. error_log = /usr/local/php-fpm/var/log/php-fpm.log
  7. [www]
  8. listen = /tmp/php-fcgi.sock
  9. listen.mode = 666
  10. user = php-fpm
  11. group = php-fpm
  12. pm = dynamic
  13. pm.max_children = 50
  14. pm.start_servers = 20
  15. pm.min_spare_servers = 5
  16. pm.max_spare_servers = 35
  17. pm.max_requests = 500
  18. rlimit_files = 1024
  19. [root@lnmp php-5.6.30]# useradd -s /sbin/nologin php-fpm
  20. [root@lnmp php-5.6.30]# /usr/local/php-fpm/sbin/php-fpm -t
  21. 带有successful 表示成功。
  22. [09-Aug-2021 21:21:15] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
  23. 启动php-fpm
  24. [root@lnmp php-5.6.30]# cp /usr/local/src/php-5.6.30/sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
  25. [root@lnmp php-5.6.30]# chmod 755 /etc/init.d/php-fpm
  26. [root@lnmp php-5.6.30]# service php-fpm start
  27. Starting php-fpm done
  28. [root@lnmp php-5.6.30]# chkconfig php-fpm on
  29. [root@lnmp php-5.6.30]# ps aux |grep php-fpm

安装nginx

  1. [root@lnmp ~]# cd /usr/local/src/
  2. [root@lnmp src]# ls
  3. mysql-5.6.47-linux-glibc2.12-x86_64.tar.gz php-5.6.30
  4. nginx-1.17.8.tar.gz php-5.6.30.tar.gz
  5. [root@lnmp src]# tar zxf nginx-1.17.8.tar.gz
  6. [root@lnmp src]# cd nginx-1.17.8

配置nginx

  1. [root@lnmp nginx-1.17.8]# ./configure --prefix=/usr/local/nginx
  2. [root@lnmp nginx-1.17.8]# make && make install
  3. [root@lnmp nginx-1.17.8]# echo $?
  4. 0
  5. [root@lnmp nginx-1.17.8]# vim /etc/init.d/nginx
  6. #!/bin/bash
  7. # chkconfig: - 30 21
  8. # description: http service.
  9. # Source Function Library
  10. . /etc/init.d/functions
  11. # Nginx Settings
  12. NGINX_SBIN="/usr/local/nginx/sbin/nginx"
  13. NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
  14. NGINX_PID="/usr/local/nginx/logs/nginx.pid"
  15. RETVAL=0
  16. prog="Nginx"
  17. start()
  18. {
  19. echo -n $"Starting $prog: "
  20. mkdir -p /dev/shm/nginx_temp
  21. daemon $NGINX_SBIN -c $NGINX_CONF
  22. RETVAL=$?
  23. echo
  24. return $RETVAL
  25. }
  26. stop()
  27. {
  28. echo -n $"Stopping $prog: "
  29. killproc -p $NGINX_PID $NGINX_SBIN -TERM
  30. rm -rf /dev/shm/nginx_temp
  31. RETVAL=$?
  32. echo
  33. return $RETVAL
  34. }
  35. reload()
  36. {
  37. echo -n $"Reloading $prog: "
  38. killproc -p $NGINX_PID $NGINX_SBIN -HUP
  39. RETVAL=$?
  40. echo
  41. return $RETVAL
  42. }
  43. restart()
  44. {
  45. stop
  46. start
  47. }
  48. configtest()
  49. {
  50. $NGINX_SBIN -c $NGINX_CONF -t
  51. return 0
  52. }
  53. case "$1" in
  54. start)
  55. start
  56. ;;
  57. stop)
  58. stop
  59. ;;
  60. reload)
  61. reload
  62. ;;
  63. restart)
  64. restart
  65. ;;
  66. configtest)
  67. configtest
  68. ;;
  69. *)
  70. echo $"Usage: $0 {start|stop|reload|restart|configtest}"
  71. RETVAL=1
  72. esac
  73. exit $RETVAL
  74. [root@lnmp nginx-1.17.8]# chmod 755 /etc/init.d/nginx
  75. [root@lnmp nginx-1.17.8]# chkconfig --add nginx
  76. [root@lnmp nginx-1.17.8]# chkconfig nginx on
  77. [root@lnmp nginx-1.17.8]# > /usr/local/nginx/conf/nginx.conf
  78. [root@lnmp nginx-1.17.8]# vim /usr/local/nginx/conf/nginx.conf
  79. user nobody nobody;
  80. worker_processes 2;
  81. error_log /usr/local/nginx/logs/nginx_error.log crit;
  82. pid /usr/local/nginx/logs/nginx.pid;
  83. worker_rlimit_nofile 51200;
  84. events
  85. {
  86. use epoll;
  87. worker_connections 6000;
  88. }
  89. http
  90. {
  91. include mime.types;
  92. default_type application/octet-stream;
  93. server_names_hash_bucket_size 3526;
  94. server_names_hash_max_size 4096;
  95. log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
  96. ' $host "$request_uri" $status'
  97. ' "$http_referer" "$http_user_agent"';
  98. sendfile on;
  99. tcp_nopush on;
  100. keepalive_timeout 30;
  101. client_header_timeout 3m;
  102. client_body_timeout 3m;
  103. send_timeout 3m;
  104. connection_pool_size 256;
  105. client_header_buffer_size 1k;
  106. large_client_header_buffers 8 4k;
  107. request_pool_size 4k;
  108. output_buffers 4 32k;
  109. postpone_output 1460;
  110. client_max_body_size 10m;
  111. client_body_buffer_size 256k;
  112. client_body_temp_path /usr/local/nginx/client_body_temp;
  113. proxy_temp_path /usr/local/nginx/proxy_temp;
  114. fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
  115. fastcgi_intercept_errors on;
  116. tcp_nodelay on;
  117. gzip on;
  118. gzip_min_length 1k;
  119. gzip_buffers 4 8k;
  120. gzip_comp_level 5;
  121. gzip_http_version 1.1;
  122. gzip_types text/plain application/x-javascript text/css text/htm
  123. application/xml;
  124. server
  125. {
  126. listen 80;
  127. server_name localhost;
  128. index index.html index.htm index.php;
  129. root /usr/local/nginx/html;
  130. location ~ \.php$
  131. {
  132. include fastcgi_params;
  133. fastcgi_pass unix:/tmp/php-fcgi.sock;
  134. fastcgi_index index.php;
  135. fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
  136. }
  137. }
  138. }
  139. [root@lnmp nginx-1.17.8]# /usr/local/nginx/sbin/nginx -t
  140. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  141. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  142. # 启动服务
  143. [root@lnmp nginx-1.17.8]# service nginx start
  144. Starting nginx (via systemctl): [ OK ]
  145. [root@lnmp nginx-1.17.8]# ps aux |grep nginx
  146. root 107675 0.0 0.0 20572 636 ? Ss 22:46 0:00nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
  147. nobody 107676 0.0 0.1 22968 3188 ? S 22:46 0:00nginx: worker process
  148. nobody 107677 0.0 0.1 22968 3188 ? S 22:46 0:00nginx: worker process
  149. root 107680 0.0 0.0 112816 968 pts/0 S+ 22:46 0:00 grep --color=auto nginx
  150. [root@lnmp nginx-1.17.8]# netstat -ntlp
  151. Active Internet connections (only servers)
  152. Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
  153. tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 107675/nginx: maste
  154. tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1462/sshd
  155. tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2605/master
  156. tcp6 0 0 :::3306 :::* LISTEN 7891/mysqld
  157. tcp6 0 0 :::22 :::* LISTEN 1462/sshd
  158. tcp6 0 0 ::1:25 :::* LISTEN 2605/master
  159. [root@lnmp nginx-1.17.8]# curl localhost
  160. <!DOCTYPE html>
  161. <html>
  162. <head>
  163. <title>Welcome to nginx!</title>
  164. <style>
  165. body {
  166. width: 35em;
  167. margin: 0 auto;
  168. font-family: Tahoma, Verdana, Arial, sans-serif;
  169. }
  170. </style>
  171. </head>
  172. <body>
  173. <h1>Welcome to nginx!</h1>
  174. <p>If you see this page, the nginx web server is successfully installed and
  175. working. Further configuration is required.</p>
  176. <p>For online documentation and support please refer to
  177. <a href="http://nginx.org/">nginx.org</a>.<br/>
  178. Commercial support is available at
  179. <a href="http://nginx.com/">nginx.com</a>.</p>
  180. <p><em>Thank you for using nginx.</em></p>
  181. </body>
  182. </html>

测试

  1. [root@lnmp nginx-1.17.8]# vim /usr/local/nginx/html/1.php
  2. <?php
  3. echo "test php scripts"
  4. ?>
  5. [root@lnmp nginx-1.17.8]# curl localhost/1.php
  6. test php scripts[root@lnmp nginx-1.17.8]#
  7. # 测试成功。

在网页中输入虚拟机的IP地址
image.png

nginx配置

  1. [root@lnmp nginx-1.17.8]# vim /usr/local/nginx/conf/nginx.conf
  2. # 把server那一段删了,加入这一句 include vhost/*.conf;
  3. [root@lnmp nginx-1.17.8]# mkdir /usr/local/nginx/conf/vhost
  4. [root@lnmp nginx-1.17.8]# cd /usr/local/nginx/conf/vhost/
  5. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  6. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  7. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  8. 出现successful表示成功
  9. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

默认虚拟机

  1. [root@lnmp vhost]# vim default.conf
  2. 需要在/usr/local/nginx/conf/vhost路径下
  3. server
  4. {
  5. listen 80 default_server;
  6. server_name aaa.com;
  7. index index.html index.htm index.php;
  8. root /data/nginx/default;
  9. }
  10. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  11. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  12. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  13. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  14. 测试:
  15. [root@lnmp vhost]# mkdir -p /data/nginx/default
  16. [root@lnmp vhost]# echo " default server! " > /data/nginx/default/index.html
  17. # 定义的 server_name 为 aaa.com;bbb.com 没有匹配任何 server_name,所以也落到 default_server
  18. [root@lnmp vhost]# curl -x127.0.0.1:80 bbb.com
  19. default server!
  20. [root@lnmp vhost]# curl -x127.0.0.1:80 aaa.com
  21. default server!

image.png

用户认证

1.整个域名认证

  1. [root@lnmp ~]# cd /usr/local/nginx/conf/vhost/
  2. [root@lnmp vhost]# ls
  3. default.conf
  4. [root@lnmp vhost]# vim test.com.conf
  5. server
  6. {
  7. listen 80;
  8. server_name test.com;
  9. index index.html index.htm index.php;
  10. root /data/nginx/test.com;
  11. location /
  12. {
  13. auth_basic "Auth";
  14. auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  15. }
  16. }
  17. [root@lnmp vhost]# yum install -y httpd
  18. [root@lnmp vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd wsw
  19. New password:
  20. Re-type new password:
  21. Adding password for user wsw
  22. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  23. [root@lnmp vhost]# mkdir /data/nginx/test.com
  24. [root@lnmp vhost]# echo "test.com" > /data/nginx/test.com/index.html
  25. 测试:
  26. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  27. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  28. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  29. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

2.针对目录认证

一般用来保护后台admin目录
针对目录做用户认证要修改location后面的路径
配置

  1. [root@lnmp vhost]# vim test.com.conf
  2. server
  3. {
  4. listen 80;
  5. server_name test.com;
  6. index index.html index.htm index.php;
  7. root /data/nginx/test.com;
  8. location /admin/
  9. {
  10. auth_basic "Auth";
  11. auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  12. }
  13. }
  14. [root@lnmp vhost]# mkdir /data/nginx/test.com/admin
  15. [root@lnmp vhost]# echo "asdfadmin" > /data/nginx/test.com/admin/index.html
  16. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  17. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  18. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  19. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

3、URL认证

配置

  1. [root@lnmp vhost]# vim test.com.conf
  2. server
  3. {
  4. listen 80;
  5. server_name test.com;
  6. index index.html index.htm index.php;
  7. root /data/nginx/test.com;
  8. location ~ admin.php
  9. {
  10. auth_basic "Auth";
  11. auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  12. }
  13. }

测试

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  5. [root@lnmp vhost]# curl -x127.0.0.1:80 test.com/admin.php
  6. <html>
  7. <head><title>401 Authorization Required</title></head>
  8. <body>
  9. <center><h1>401 Authorization Required</h1></center>
  10. <hr><center>nginx/1.17.8</center>
  11. </body>
  12. </html>

域名重定向

配置

  1. [root@lnmp vhost]# vim test.com.conf
  2. server
  3. {
  4. listen 80;
  5. server_name test.com test2.com test3.com;
  6. index index.html index.htm index.php;
  7. root /data/nginx/test.com;
  8. if ($host != 'test.com' ){
  9. rewrite ^(.*)$ http://test.com/$1 permanent;
  10. }
  11. }

测试

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  5. # 状态码301表示域名重定向(永久重定向);下面 Location 末尾出现 "//",是因为 ^(.*)$ 捕获到的 $1 已经包含开头的 "/",后文改用 ^/(.*)$ 即可避免
  6. [root@lnmp vhost]# curl -x127.0.0.1:80 test2.com
  7. <html>
  8. <head><title>301 Moved Permanently</title></head>
  9. <body>
  10. <center><h1>301 Moved Permanently</h1></center>
  11. <hr><center>nginx/1.17.8</center>
  12. </body>
  13. </html>
  14. [root@lnmp vhost]# curl -x127.0.0.1:80 test2.com -I
  15. HTTP/1.1 301 Moved Permanently
  16. Server: nginx/1.17.8
  17. Date: Wed, 11 Aug 2021 10:09:23 GMT
  18. Content-Type: text/html
  19. Content-Length: 169
  20. Connection: keep-alive
  21. Location: http://test.com//

image.png

nginx访问日志

配置

# nginx 默认格式
[root@lnmp vhost]# grep -A2 log_format /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
# combined_realip为日志格式名字,$remote_addr为网站的用户的出口IP;
# $http_x_forwarded_for 取自请求头 X-Forwarded-For,如果使用了代理,则会记录其中的IP;该请求头由客户端或代理填写,可以被伪造,不能单独当作可信的来源IP
# $time_local为当前时间;$host为主机名;$request_uri为访问的URL地址
# $status为状态码,$http_referer为referer地址,$http_user_agent为user_agent

[root@lnmp vhost]# vim test.com.conf 
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/nginx/test.com;
    access_log /tmp/1.log combined_realip;
}

测试


[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@lnmp vhost]# curl -x127.0.0.1:80 test.com
test.com
[root@lnmp vhost]# cat /tmp/1.log 
127.0.0.1 - [11/Aug/2021:20:59:49 +0800] test.com "/" 200 "-" "curl/7.29.0"

nginx日志切割

配置

[root@lnmp ~]# vim /usr/local/sbin/nginx_log_rotate.sh 
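#!/bin/bash
# Rotate nginx logs: rename every *.log in $logdir to <name>-<yesterday's date>,
# then signal the nginx master process so logging continues in fresh files.
#
# The glob matches every *.log in $logdir, not only nginx's, so $logdir should
# be a directory that holds nothing but nginx logs. This walkthrough writes the
# access log to /tmp/1.log, which is why /tmp/ is used here; /tmp is
# world-writable and shared with other programs, so a dedicated root-owned log
# directory is the safer choice for a job that cron runs as root.
d=$(date -d "-1 day" +%Y%m%d)
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"

# Stop if the directory is missing; otherwise the renames below would run in
# whatever directory the job happened to start in.
cd "$logdir" || exit 1

for log in *.log
do
    # With no match the pattern stays literal; -f also skips directories.
    [ -f "$log" ] || continue
    mv -- "$log" "$log-$d"
done

# HUP tells the nginx master to reload, so the new workers open fresh log
# files (nginx also accepts USR1 to reopen logs without a reload).
# Signal only when the pid file exists and is non-empty, so kill is never
# called without a pid.
if [ -s "$nginx_pid" ]; then
    /bin/kill -HUP "$(cat "$nginx_pid")"
else
    echo "nginx pid file $nginx_pid is missing or empty; nginx was not signalled" >&2
    exit 1
fi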

[root@lnmp ~]# chmod 755 /usr/local/sbin/nginx_log_rotate.sh

[root@lnmp ~]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
[root@localhost ~]# ls /tmp/
1.log

[root@localhost ~]# sh -x /usr/local/sbin/nginx_log_rotate.sh 
++ date -d '-1 day' +%Y%m%d
+ d=20210905
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls 1.log yum.log
+ for log in '`ls *.log`'
+ mv 1.log 1.log-20210905
+ for log in '`ls *.log`'
+ mv yum.log yum.log-20210905
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 120612
[root@localhost ~]# ls /tmp/
1.log
1.log-20210905

配置静态文件不记录日志并添加过期时间

目的是为了减少记录不必要的日志文件。缓存文件为了下次访问速度变快。

配置

[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test.com;
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 7d;
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
         expires 12h;
    }
    access_log /tmp/1.log combined_realip;
}


[root@lnmp ~]# echo '111' > /data/nginx/test.com/1.js
[root@lnmp ~]# echo '222' > /data/nginx/test.com/2.jpg
[root@lnmp ~]# touch /data/nginx/test.com/1.jss

[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload


[root@lnmp ~]# echo > /tmp/1.log
[root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/1.js
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 10:37:13 GMT
Content-Type: application/javascript
Content-Length: 4
Last-Modified: Tue, 17 Aug 2021 09:46:43 GMT
Connection: keep-alive
ETag: "611b8583-4"
Expires: Tue, 17 Aug 2021 22:37:13 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

[root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/2.jpg
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 10:37:23 GMT
Content-Type: image/jpeg
Content-Length: 4
Last-Modified: Tue, 17 Aug 2021 09:47:12 GMT
Connection: keep-alive
ETag: "611b85a0-4"
Expires: Tue, 24 Aug 2021 10:37:23 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/1.jss
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Tue, 17 Aug 2021 10:37:32 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Tue, 17 Aug 2021 10:02:04 GMT
Connection: keep-alive
ETag: "611b891c-0"
Accept-Ranges: bytes

[root@lnmp ~]# cat /tmp/1.log

127.0.0.1 - [17/Aug/2021:18:37:13 +0800] test.com "/1.js" 200 "-" "curl/7.29.0"
127.0.0.1 - [17/Aug/2021:18:37:32 +0800] test.com "/1.jss" 200 "-" "curl/7.29.0"

Nginx防盗链

配置

[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# test.com vhost: canonical-host redirect plus hot-link protection for static files.
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test.com;
    # Requests for any other server_name are redirected permanently to test.com.
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
        # Case-insensitive match on the listed static-file extensions.
        location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
        {
         expires 7d;
        # Accepted Referer values: none (header absent), blocked (header present
        # but its value stripped by a proxy or firewall), this server's own
        # names, and *.test.com. Everything else sets $invalid_referer.
        # The Referer header is supplied by the client (the curl -e test sets it
        # by hand), so this deters hot-linking; it is not access control for
        # the files themselves.
        valid_referers none blocked server_names  *.test.com ;
         if ($invalid_referer) {
         return 403;
         }
         access_log off;
        }
}
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#  curl -x127.0.0.1:80 -e "http://aaa.com/1.txt" test.com/2.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 07:07:53 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@localhost ~]#  curl -x127.0.0.1:80 -e "http://test.com/1.txt" test.com/2.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 07:08:01 GMT
Content-Type: image/jpeg
Content-Length: 4
Last-Modified: Mon, 06 Sep 2021 07:03:07 GMT
Connection: keep-alive
ETag: "6135bd2b-4"
Expires: Mon, 13 Sep 2021 07:08:01 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

访问控制

1、针对目录进行访问控制

[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test.com;
    access_log /tmp/1.log combined_realip;

location /admin/ {
        allow 192.168.100.38;
        allow 127.0.0.1;
        deny all;
}
}

[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload

测试

[root@localhost ~]# echo "1234" > /data/nginx/test.com/admin/1.html 
[root@localhost ~]# curl -x192.168.100.38:80 test.com/admin/1.html  
1234
在配置文件中删除 allow 192.168.100.38; 这一行后,该地址则不允许访问
[root@localhost ~]# curl -x192.168.100.38:80 test.com/admin/1.html
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
[root@localhost ~]#

Nginx解析PHP

配置

[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
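# test.com vhost that hands .php requests to php-fpm over a unix socket.
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test.com;
    access_log /tmp/1.log combined_realip;

    location ~ \.php$ {
        # Pass a request to php-fpm only when the .php file really exists under
        # root; any other URI ending in .php gets a 404 from nginx itself.
        try_files $uri =404;
        include fastcgi_params;
        # Must be the same address as `listen` in php-fpm.conf, otherwise
        # nginx answers 502.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
    }
}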

[root@lnmp ~]# vim /data/nginx/test.com/3.php 
<?php
phpinfo();
?>

# fastcgi_pass 用来指定 php-fpm 的监听地址;地址如果写错,访问时会报错502
# 该地址来自下面这个配置文件中的 listen
# 3.php 里的 phpinfo() 会输出服务器的详细配置信息,仅用于测试,验证完应删除该文件
[root@lnmp ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
# listen = 127.0.0.1:9000  # 也可以这样配置,但是他们的配置文件要对应。
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

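# 注意这三行与 nginx 配置文件的对应关系:listen 的值必须与 nginx 中 fastcgi_pass 的地址一致
# listen.mode = 666 会让任何本地用户都能连接这个 socket;更稳妥的做法是用 listen.owner / listen.group 指定 nginx 的运行用户(本文为 nobody),并把 listen.mode 设为 660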
listen = /tmp/php-fcgi.sock
# listen = 127.0.0.1:9000  # 也可以这样配置,但是他们的配置文件要对应。
listen.mode = 666

测试

[root@lnmp ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
?>
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload

image.png

Nginx代理

一个没有公网IP的服务器要提供web服务,可以通过代理实现。

配置

[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://47.104.7.242/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

测试

[root@localhost ~]#  /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/

负载均衡

一个IP叫做代理,两个以上就叫做负载均衡。

配置

# 安装dig命令
[root@lnmp ~]# yum install -y bind-utils
# 通过dig命令获取相应域名的地址
# 这里是拿百度的做测试
[root@lnmp ~]# dig www.baidu.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23817
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.baidu.com.            IN    A

;; ANSWER SECTION:
www.baidu.com.        33    IN    CNAME    www.a.shifen.com.
www.a.shifen.com.    129    IN    A    220.181.38.149
www.a.shifen.com.    129    IN    A    220.181.38.150

;; Query time: 31 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Wed Aug 18 19:12:15 CST 2021
;; MSG SIZE  rcvd: 101

[root@lnmp ~]# vim /usr/local/nginx/conf/vhost/load.conf 
upstream baidu
{
    ip_hash;
    server 220.181.38.149:80;
    server 220.181.38.150:80;
}
server
{
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass      http://baidu;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

#upstream来指定多个web server
# upstream后面的名字要和proxy_pass后面的名字相同

测试

[root@localhost ~]# curl -x127.0.0.1:80 www.baidu.com
 default server! 
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" 
: "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
[root@localhost ~]#

SSL

https和ssl证书有关。

[root@localhost ~]# rpm -qa  openssl
openssl-1.0.2k-21.el7_9.x86_64
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
.......................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@localhost conf]# openssl rsa -in tmp.key -out aminglinux.key 
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# ls
aminglinux.key          htpasswd            nginx.conf           uwsgi_params
fastcgi.conf            koi-utf             nginx.conf.default   uwsgi_params.default
fastcgi.conf.default    koi-win             scgi_params          vhost
fastcgi_params          mime.types          scgi_params.default  win-utf
fastcgi_params.default  mime.types.default  tmp.key
[root@localhost conf]# rm -rf tmp.key 
[root@localhost conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:66
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, your name or your server's hostname) []:cn
Email Address []:2303046089@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:000000
An optional company name []:000000
[root@localhost conf]#  openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=66/ST=bj/L=bj/O=cn/OU=cn/CN=cn/emailAddress=2303046089@qq.com
Getting Private key

生成ssl密钥

[root@lnmp conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
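server
{
    listen 443;
    server_name 1234.com;
    index index.html index.php;
    root /data/nginx/1234.com;    # docroot of the test page (/data/nginx/1234.com/index.html)
    ssl on;    # deprecated since nginx 1.15.0; `listen 443 ssl;` is the current form
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;    # passphrase-less private key: keep it root-owned, mode 600
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is offered.
    ssl_protocols TLSv1.2;
}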

[root@lnmp conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

# 重新编译安装nginx
[root@lnmp conf]# cd /usr/local/src/
[root@lnmp src]# ls
mysql-5.6.47-linux-glibc2.12-x86_64.tar.gz  php-5.6.30
nginx-1.17.8                                php-5.6.30.tar.gz
nginx-1.17.8.tar.gz
[root@lnmp src]# cd nginx-1.17.8
[root@lnmp nginx-1.17.8]# ls
auto     CHANGES.ru  configure  html     Makefile  objs    src
CHANGES  conf        contrib    LICENSE  man       README
[root@lnmp nginx-1.17.8]# ./configure --help |grep ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[root@lnmp nginx-1.17.8]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

[root@lnmp nginx-1.17.8]# make && make install


[root@lnmp nginx-1.17.8]# /etc/init.d/nginx restart 
Restarting nginx (via systemctl):                          [  OK  ]
[root@lnmp nginx-1.17.8]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5609/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1102/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2439/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5609/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      2437/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1102/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2439/master         

[root@lnmp nginx-1.17.8]# mkdir -p /data/nginx/1234.com
[root@lnmp nginx-1.17.8]# echo "ssl test" > /data/nginx/1234.com/index.html

在hosts文件中加入1234.com的域名映射
image.png

php-fpm

php-fpm的pool

Nginx可以配置多个主机,php-fpm也可以配置多个pool
配置多个pool可以隔离开各个网站。例如一个网站有问题,把PHP资源耗尽了,如果其他网站和这个网站使用的是同一个pool,也会受到影响,所以我们可以给每个站点都配置一个pool。网站报错502一般和PHP有关。注意:如果各pool仍使用同一个user/group(如下文都是php-fpm),隔离的只是进程资源,站点之间的文件访问权限并没有隔开。

给不同的站点分别配置不同的pool

[root@localhost ~]# ps -ef | grep php
root       8206   8186  0 22:21 pts/3    00:00:00 grep --color=auto php
root     117906      1  0 18:11 ?        00:00:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm  117907 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117908 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117909 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117910 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117911 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117912 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117913 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117914 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117915 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117916 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117917 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117918 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117919 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117920 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117921 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117922 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117923 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117924 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117925 117906  0 18:11 ?        00:00:00 php-fpm: pool www
php-fpm  117926 117906  0 18:11 ?        00:00:00 php-fpm: pool www
[root@localhost ~]# cd /usr/local/php-fpm/
[root@localhost php-fpm]# cd etc/
[root@localhost etc]# ls
pear.conf  php-fpm.conf  php-fpm.conf.default  php.ini
[root@localhost etc]# cat php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@localhost etc]# vim php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

[123.com]
listen = /tmp/123.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024                                                                                                                       
"php-fpm.conf" 29L, 594C written                            
[root@localhost etc]# /usr/local/php-fpm/sbin/php-fpm -t
[06-Sep-2021 22:26:11] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@localhost etc]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@localhost etc]# ps -aux |grep php
root       8220  0.0  0.5 231956  5064 ?        Ss   22:27   0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm    8221  0.0  0.4 231896  4800 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8222  0.0  0.4 231896  4804 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8223  0.0  0.4 231896  4804 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8224  0.0  0.4 231896  4804 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8225  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8226  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8227  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8228  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8229  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8230  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8231  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8232  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8233  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8234  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8235  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8236  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8237  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8238  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8239  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8240  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool www
php-fpm    8241  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8242  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8243  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8244  0.0  0.4 231896  4808 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8245  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8246  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8247  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8248  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8249  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8250  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8251  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8252  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8253  0.0  0.4 231896  4812 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8254  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8255  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8256  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8257  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8258  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8259  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
php-fpm    8260  0.0  0.4 231896  4816 ?        S    22:27   0:00 php-fpm: pool 123.com
root       8262  0.0  0.0 112816   976 pts/3    S+   22:27   0:00 grep --color=auto php
[root@localhost etc]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim default.conf 
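server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/nginx/default;
    location ~ \.php$ {
        # Answer 404 when the requested .php file does not exist under root, instead of handing the path to PHP.
        try_files $uri =404;
        include fastcgi_params;
        # The socket chosen here decides which php-fpm pool runs the request (/tmp/123.sock is the 123.com pool).
        fastcgi_pass unix:/tmp/123.sock;
        fastcgi_index index.php;
        # Follow root, so this default server only runs scripts from its own directory rather than test.com's.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}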

fastcgi_pass unix:/tmp/123.sock; 主要就是修改这一行配置,通过指定不同的sock来选择不同的pool。

[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

配置拆分多个pool

在nginx.conf这个配置文件中有一行配置 include vhost/*.conf; 它的作用是加载指定目录下以.conf结尾的配置文件,让每个站点使用一个单独的配置文件。php-fpm的pool也可以用同样的方式拆分。

# 进入配置文件目录
[root@lnmp vhost]# cd  /usr/local/php-fpm/etc/
# 加入一行include
[root@lnmp etc]# vim php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf

# 创建存放配置文件的目录
[root@lnmp etc]# mkdir php-fpm.d
[root@lnmp etc]# cd php-fpm.d/
[root@lnmp php-fpm.d]# vim 123.conf 
; Pool for the 123.com site; nginx selects it by pointing fastcgi_pass at the socket below.
[123.com]
listen = /tmp/123.sock
; NOTE(review): 666 makes the socket world-writable, so any local account can
; submit FastCGI requests that run as the pool user. Prefer listen.owner /
; listen.group set to the nginx worker account with listen.mode = 0660
; (the worker account is not shown here - confirm it before changing).
listen.mode = 666
; NOTE(review): same user/group as the [www] pool, so splitting pools limits
; resource exhaustion per site but does not separate file access between sites.
user = php-fpm
group = php-fpm
; dynamic: the number of children varies between the spare-server limits below.
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
; A child exits after serving this many requests.
pm.max_requests = 500
rlimit_files = 1024
[root@lnmp php-fpm.d]# vim www.conf 
; Default pool; reached through the socket below.
[www]
listen = /tmp/php-fcgi.sock
; NOTE(review): a world-writable socket lets every local account send requests
; to this pool. listen.owner / listen.group plus listen.mode = 0660 restricts it
; to the web server account (confirm which account nginx workers run as).
listen.mode = 666
; NOTE(review): shared with the 123.com pool, so the two sites are not
; separated at the file-permission level.
user = php-fpm
group = php-fpm
; dynamic: the number of children varies between the spare-server limits below.
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
; A child exits after serving this many requests.
pm.max_requests = 500
rlimit_files = 1024

[root@lnmp php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[19-Aug-2021 07:40:02] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf 
test is successful
# 重启服务
[root@lnmp php-fpm.d]# /etc/init.d/php-fpm restart 
Gracefully shutting down php-fpm . done
Starting php-fpm  done
# 查看一下sock文件
[root@lnmp php-fpm.d]# ls /tmp/*.sock
/tmp/123.sock  /tmp/mysql.sock  /tmp/php-fcgi.sock
[root@lnmp php-fpm.d]# ps -ef |grep php
root       3075      1  0 07:40 ?        00:00:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm    3076   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3077   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3078   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3079   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3080   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3081   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3082   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3083   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3084   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3085   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3086   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3087   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3088   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3089   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3090   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3091   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3092   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3093   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3094   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3095   3075  0 07:40 ?        00:00:00 php-fpm: pool 123.com
php-fpm    3096   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3097   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3098   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3099   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3100   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3101   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3102   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3103   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3104   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3105   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3106   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3107   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3108   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3109   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3110   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3111   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3112   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3113   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3114   3075  0 07:40 ?        00:00:00 php-fpm: pool www
php-fpm    3115   3075  0 07:40 ?        00:00:00 php-fpm: pool www
root       3118   2900  0 07:40 pts/1    00:00:00 grep --color=auto php

php-fpm查看慢执行日志

通过配置慢执行日志,可以让我们清晰的了解到PHP脚本在哪里执行时间长,可以定位到哪一行。

# 添加两行配置文件
[root@lnmp php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf 
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log

[root@lnmp php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[19-Aug-2021 10:09:00] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf 
test is successful
# 重载PHP服务
[root@lnmp php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

# 可以看到我们配置的路径已经多了一个
[root@lnmp php-fpm.d]# ls /usr/local/php-fpm/var/log/
php-fpm.log  www-slow.log
# 现在的www-slow.log还是一个空文件。只会记录执行时间大于1s的日志
[root@lnmp php-fpm.d]# cat /usr/local/php-fpm/var/log/www-slow.log 

# 测试 写一个慢执行文件
[root@lnmp php-fpm.d]# vim  /data/nginx/test.com/sleep.php
<?php
echo "test slow log";
sleep(2);
echo "done";
?>

# 
# 执行这个脚本的时候可以明显看到慢了一下。
[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php
test slow logdone[root@lnmp php-fpm.d]# 

# 可以看到日志多出一条记录,指明是哪个文件,第3行的 sleep() 执行慢。
[root@lnmp php-fpm.d]# cat /usr/local/php-fpm/var/log/www-slow.log 

[19-Aug-2021 10:27:09]  [pool www] pid 3243
script_filename = /data/nginx/test.com/sleep.php
[0x00007feda8c3c288] sleep() /data/nginx/test.com/sleep.php:3

期间需要修改/usr/local/nginx/conf/vhost中的test.com.conf文件,加上解析php的配置:

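server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/nginx/test.com;
    location ~ \.php$ {
        # Answer 404 when the requested .php file does not exist under root, instead of handing the path to PHP.
        try_files $uri =404;
        include fastcgi_params;
        # Socket of the [www] pool (the listen value in www.conf); the slowlog and open_basedir
        # settings made in www.conf apply only to requests sent to this socket.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        # $document_root expands to the root above, so the script path cannot drift from it.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}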

fastcgi_pass的地址需要查看www.conf中listen配置的地址再填写,不能直接写上pool的名字www。

php-fpm定义open_basedir

open_basedir的目的是安全:httpd可以针对每个虚拟主机设置一个open_basedir,
php-fpm同样可以为不同的pool设置不同的open_basedir。
需要注意,open_basedir只限制PHP文件函数能访问的路径,并不是完整的沙箱,仍需配合文件权限、为各pool使用独立用户等措施。

# 修改配置文件,特意配置为错误路径
# 添加一行配置文件,其中test.com的路径为错误路径
[root@lnmp php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf 
php_admin_value[open_basedir]=/data/nginx/wwwtest.com:/tmp/
[root@lnmp php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

# 测试发现这些PHP文件都无法访问,就是因为php open_basedir做了限制。
[root@lnmp php-fpm.d]# ls /data/nginx/test.com/
1.js  1.jss  2.jpg  2.js  3.php  admin  index.html  sleep.php
[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 02:51:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 02:51:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30


## 把配置文件改为正确的
## 发现可以正常使用
[root@lnmp php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf 
php_admin_value[open_basedir]=/data/nginx/test.com:/tmp/

[root@lnmp php-fpm.d]# /etc/init.d/php-fpm restart 
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 02:57:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 02:58:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

配置错误日志

配置记录php执行错误的日志

# 配置 
[root@lnmp php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini 
display_errors = Off
log_errors = On
error_log = /usr/local/php-fpm/var/log/php_error.log
;error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
error_reporting = E_ALL

# 再次将php的配置文件改错
[root@lnmp php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf 
php_admin_value[open_basedir]=/data/nginx/wwwtest.com:/tmp/
重启php-fpm使配置生效
/etc/init.d/php-fpm restart 
# 这个日志文件不会自动生成,所以我们自己创建一个,并授权。(777会让所有本地用户都能改写日志;更稳妥的做法是把文件属主改为php-fpm运行用户,权限设为640。)
[root@lnmp php-fpm.d]# touch /usr/local/php-fpm/var/log/php_error.log
[root@lnmp php-fpm.d]# chmod 777 /usr/local/php-fpm/var/log/php_error.log 
[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 03:21:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 03:21:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php 
No input file specified.

# 查看错误日志,显示open_basedir限制生效,目录不能访问
[root@lnmp php-fpm.d]# cat /usr/local/php-fpm/var/log/php_error.log 
[19-Aug-2021 03:21:22 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/nginx/test.com/3.php) is not within the allowed path(s): (/data/nginx/wwwtest.com:/tmp/) in Unknown on line 0
[19-Aug-2021 03:21:22 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[19-Aug-2021 03:21:32 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/nginx/test.com/sleep.php) is not within the allowed path(s): (/data/nginx/wwwtest.com:/tmp/) in Unknown on line 0
[19-Aug-2021 03:21:32 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[19-Aug-2021 03:21:45 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/nginx/test.com/sleep.php) is not within the allowed path(s): (/data/nginx/wwwtest.com:/tmp/) in Unknown on line 0
[19-Aug-2021 03:21:45 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0




# 再次将配置文件修改回来
[root@lnmp php-fpm.d]# cat /usr/local/php-fpm/etc/php-fpm.d/www.conf 
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
php_admin_value[open_basedir]=/data/nginx/test.com:/tmp/

# 重启服务,可以正常使用,也没有产生错误日志。
[root@lnmp php-fpm.d]# /etc/init.d/php-fpm restart 
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 03:25:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@lnmp php-fpm.d]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Thu, 19 Aug 2021 03:25:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

php-fpm进程管理

pm = dynamic //动态进程管理,也可以是static 如果是静态的,会直接启动最大子进程数
pm.max_children = 50 //最大子进程数,ps aux可以查看
pm.start_servers = 20 //启动服务时会启动的进程数
pm.min_spare_servers = 5 //定义在空闲时段,空闲子进程数的最小值,如果空闲子进程少于这个数值,php-fpm服务会自动派生新的子进程。
pm.max_spare_servers = 35 //定义在空闲时段,子进程数的最大值,如果高于这个数值就开始清理空闲的子进程。
pm.max_requests = 500 //定义一个子进程最多处理的请求数,也就是说在一个php-fpm的子进程最多可以处理这么多请求,当达到这个数值时,它会自动退出。