配置前先修改一下配置文件

  1. /最后添加一行
  2. [root@lnmp nginx-1.17.8]# vim /usr/local/nginx/conf/nginx.conf
  3. /把server那一段删了,加入这一句 include vhost/*.conf;
  4. user nobody nobody;
  5. worker_processes 2;
  6. error_log /usr/local/nginx/logs/nginx_error.log crit;
  7. pid /usr/local/nginx/logs/nginx.pid;
  8. worker_rlimit_nofile 51200;
  9. events
  10. {
  11. use epoll;
  12. worker_connections 6000;
  13. }
  14. http
  15. {
  16. include mime.types;
  17. default_type application/octet-stream;
  18. server_names_hash_bucket_size 3526;
  19. server_names_hash_max_size 4096;
  20. log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
  21. ' $host "$request_uri" $status'
  22. ' "$http_referer" "$http_user_agent"';
  23. sendfile on;
  24. tcp_nopush on;
  25. keepalive_timeout 30;
  26. client_header_timeout 3m;
  27. client_body_timeout 3m;
  28. send_timeout 3m;
  29. connection_pool_size 256;
  30. client_header_buffer_size 1k;
  31. large_client_header_buffers 8 4k;
  32. request_pool_size 4k;
  33. output_buffers 4 32k;
  34. postpone_output 1460;
  35. client_max_body_size 10m;
  36. client_body_buffer_size 256k;
  37. client_body_temp_path /usr/local/nginx/client_body_temp;
  38. proxy_temp_path /usr/local/nginx/proxy_temp;
  39. fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
  40. fastcgi_intercept_errors on;
  41. tcp_nodelay on;
  42. gzip on;
  43. gzip_min_length 1k;
  44. gzip_buffers 4 8k;
  45. gzip_comp_level 5;
  46. gzip_http_version 1.1;
  47. gzip_types text/plain application/x-javascript text/css text/htm
  48. application/xml;
  49. include vhost/*.conf;
  50. }
  52. [root@lnmp nginx-1.17.8]# mkdir /usr/local/nginx/conf/vhost
  53. [root@lnmp nginx-1.17.8]# cd /usr/local/nginx/conf/vhost/
  55. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  56. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  57. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  58. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

一、默认虚拟主机

1.配置

  1. [root@lnmp vhost]# pwd
  2. /usr/local/nginx/conf/vhost
  3. [root@lnmp vhost]# vim default.conf 
  4. server
  5. {
  6.     listen 80 default_server;
  7.     server_name aaa.com;
  8.     index index.html index.htm index.php;
  9.     root /data/nginx/default;
  10. }

image.png

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

2.测试

  1. [root@lnmp vhost]# mkdir -p /data/nginx/default
  2. [root@lnmp vhost]# echo " default server! " > /data/nginx/default/index.html
  4. # dingyi的为aaa.com
  5. [root@lnmp vhost]# curl -x127.0.0.1:80 bbb.com
  6.  default server! 
  7. [root@lnmp vhost]# curl -x127.0.0.1:80 aaa.com
  8.  default server!

进入网页的效果
image.png

二、用户认证

1、整个域名认证

1.1、配置

  1. [root@lnmp ~]# cd /usr/local/nginx/conf/vhost/
  2. [root@lnmp vhost]# ls
  3. default.conf
  4. [root@lnmp vhost]# vim test.com.conf
  5. server
  6. {
  7.     listen 80;
  8.     server_name test.com;
  9.     index index.html index.htm index.php;
  10.     root /data/nginx/test.com;
  12.     location /
  13.     {
  14.     auth_basic "Auth";
  15.     auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  16.     }
  17. }

image.png

  2. [root@lnmp vhost]# yum install -y httpd
  3. [root@lnmp vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd sxb
  4. New password: 
  5. Re-type new password: 
  6. Adding password for user sxb
  7. [root@lnmp vhost]# 
  8. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  9. [root@lnmp vhost]# mkdir /data/nginx/test.com
  10. [root@lnmp vhost]# echo "test.com" > /data/nginx/test.com/index.html

1.2、测试

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

在自己电脑修改hosts文件
C:\Windows\System32\drivers\etc
image.png
网页输入
test.com

  1. [root@lnmp vhost]# curl -x127.0.0.1:80 test.com
  2. <html>
  3. <head><title>401 Authorization Required</title></head>
  4. <body>
  5. <center><h1>401 Authorization Required</h1></center>
  6. <hr><center>nginx/1.17.8</center>
  7. </body>
  8. </html>
  9. [root@lnmp vhost]# curl -usxb -x127.0.0.1:80 test.com
  10. Enter host password for user 'sxb':
  11. <html>
  12. <head><title>403 Forbidden</title></head>
  13. <body>
  14. <center><h1>403 Forbidden</h1></center>
  15. <hr><center>nginx/1.17.8</center>
  16. </body>
  17. </html>
  18. [root@lnmp vhost]#

2、针对目录认证

一般用来保护后台admin目录

2.1配置

针对目录做用户认证要修改location后面的路径

  1. [root@lnmp vhost]# vim test.com.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  9. location  /admin/
  10.     {
  11.         auth_basic              "Auth";
  12.         auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
  13. }
  14. }
  15. [root@lnmp vhost]# mkdir /data/nginx/test.com/admin
  16. [root@lnmp vhost]# echo "asdfadmin" > /data/nginx/test.com/admin/index.html
  17. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  18. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  19. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  20. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload

2.2测试

网页输入
test.com/admin
image.png

3、URL认证

针对URL做认证,即链接中带了某个关键字

3.1配置

  1. [root@lnmp vhost]# vim test.com.conf 
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  9. location  ~ admin.php
  10.     {
  11.         auth_basic              "Auth";
  12.         auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
  13. }
  14. }

3.2测试

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  5. [root@lnmp vhost]# curl -x127.0.0.1:80 test.com/admin.php
  6. <html>
  7. <head><title>401 Authorization Required</title></head>
  8. <body>
  9. <center><h1>401 Authorization Required</h1></center>
  10. <hr><center>nginx/1.17.8</center>
  11. </body>
  12. </html>

三、域名重定向

1、配置

  1. [root@lnmp vhost]# vim test.com.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com test2.com test3.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  8.     if ($host != 'test.com' ){
  9.         rewrite ^(.*)$ http://test.com/$1 permanent;
  10. }
  11. }

2、测试

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  6. /状态码301就是域名重定向
  7. [root@lnmp vhost]# curl -x127.0.0.1:80 test2.com 
  8. <html>
  9. <head><title>301 Moved Permanently</title></head>
  10. <body>
  11. <center><h1>301 Moved Permanently</h1></center>
  12. <hr><center>nginx/1.17.8</center>
  13. </body>
  14. </html>
  15. [root@lnmp vhost]# curl -x127.0.0.1:80 test2.com -I
  16. HTTP/1.1 301 Moved Permanently
  17. Server: nginx/1.17.8
  18. Date: Wed, 11 Aug 2021 10:09:23 GMT
  19. Content-Type: text/html
  20. Content-Length: 169
  21. Connection: keep-alive
  22. Location: http://test.com//

在windows上测试需要将两个域名都写入hosts文件,并使用没有缓存的浏览器。

image.png
image.png
image.png

四、nginx访问日志

1、配置

  1. nginx 默认格式
  2. [root@lnmp vhost]# grep -A2 log_format /usr/local/nginx/conf/nginx.conf
  3. log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
  4. ' $host "$request_uri" $status'
  5. ' "$http_referer" "$http_user_agent"';
  6. # combined_realip为日志格式名字,$remote_addr为网站的用户的出口IP;
  7. # $http_x_forwarded_for 为代理服务器的IP,如果使用了代理,则会记录IP
  8. # $time_local为当前时间;$host为主机名;$request_uri为访问的URL地址
  9. # $status为状态码,$http_referer为referer地址,$http_user_agent为user_agent
  11. [root@lnmp vhost]# vim test.com.conf 
  12. server
  13. {
  14.     listen 80;
  15.     server_name test.com;
  16.     index index.html index.htm index.php;
  17.     root /data/nginx/test.com;
  18.     access_log /tmp/1.log combined_realip;
  19. }

2、测试

  1. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -t
  2. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  3. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  4. [root@lnmp vhost]# /usr/local/nginx/sbin/nginx -s reload
  5. [root@lnmp vhost]# curl -x127.0.0.1:80 test.com
  6. test.com
  7. [root@lnmp vhost]# cat /tmp/1.log
  8. 127.0.0.1 - [06/Sep/2021:14:44:48 +0800] test.com "/" 200 "-" "curl/7.29.0"
  9. [root@lnmp vhost]#

五、nginx日志切割

  1. 自己写一个脚本,
  2. [root@lnmp ~]# vim /usr/local/sbin/nginx_log_rotate.sh 
  3. #!/bin/bash
  4. ##假设nignx的日志存放路径为/data/logs/
  5. d=`date -d "-1 day" +%Y%m%d`
  6. logdir="/tmp/"
  7. nginx_pid="/usr/local/nginx/logs/nginx.pid"
  8. cd $logdir
  9. for log in `ls *.log`
  10. do
  11. mv $log $log-$d
  12. done
  13. /bin/kill -HUP `cat $nginx_pid`
  15. [root@lnmp ~]# chmod 755 /usr/local/sbin/nginx_log_rotate.sh
  17. [root@lnmp ~]# crontab -e
  18. 0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
  20. [root@lnmp ~]# ls /tmp/
  21. 1.log          systemd-private-6caddee1099545f282b31885c5e591f4-chronyd.service-X0RZZJ
  22. mysql.sock     vmware-root_650-2696943027
  23. pear           vmware-root_659-4013788787
  24. php-fcgi.sock
  25. [root@lnmp ~]# sh -x /usr/local/sbin/nginx_log_rotate.sh 
  26. ++ date -d '-1 day' +%Y%m%d
  27. + d=20210816
  28. + logdir=/tmp/
  29. + nginx_pid=/usr/local/nginx/logs/nginx.pid
  30. + cd /tmp/
  31. ++ ls 1.log
  32. + for log in '`ls *.log`'
  33. + mv 1.log 1.log-20210816
  34. ++ cat /usr/local/nginx/logs/nginx.pid
  35. + /bin/kill -HUP 1606
  36. [root@lnmp ~]# ls /tmp/
  37. 1.log
  38. 1.log-20210905
  39. mysql.sock
  40. pear
  41. php-fcgi.sock
  42. systemd-private-6caddee1099545f282b31885c5e591f4-chronyd.service-X0RZZJ
  43. vmware-root_650-2696943027
  44. vmware-root_659-4013788787
  45. [root@lnmp ~]#

六、配置静态文件不记录日志并添加过期时间

和LAMP一样,配置静态文件不记录日志,并添加过期时间。 目的是为了减少记录不必要的日志文件。缓存文件为了下次访问速度变快。

  1. [root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com test1.com test2.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  8.     if ($host != 'test.com' ) {
  9.         rewrite ^/(.*)$ http://test.com/$1 permanent;
  10.     }
  11.     location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  12.     {
  13.         expires 7d;
  14.         access_log off;
  15.     }
  16.     location ~ .*\.(js|css)$
  17.     {
  18.          expires 12h;
  19.     }
  20.     access_log /tmp/1.log combined_realip;
  21. }
  24. [root@lnmp ~]# echo '111' > /data/nginx/test.com/1.js
  25. [root@lnmp ~]# echo '222' > /data/nginx/test.com/2.jpg
  26. [root@lnmp ~]# touch /data/nginx/test.com/1.jss
  28. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
  29. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  30. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  31. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
  34. [root@lnmp ~]# echo > /tmp/1.log
  35. [root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/1.js
  36. HTTP/1.1 200 OK
  37. Server: nginx/1.17.8
  38. Date: Tue, 17 Aug 2021 10:37:13 GMT
  39. Content-Type: application/javascript
  40. Content-Length: 4
  41. Last-Modified: Tue, 17 Aug 2021 09:46:43 GMT
  42. Connection: keep-alive
  43. ETag: "611b8583-4"
  44. Expires: Tue, 17 Aug 2021 22:37:13 GMT
  45. Cache-Control: max-age=43200
  46. Accept-Ranges: bytes
  48. [root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/2.jpg
  49. HTTP/1.1 200 OK
  50. Server: nginx/1.17.8
  51. Date: Tue, 17 Aug 2021 10:37:23 GMT
  52. Content-Type: image/jpeg
  53. Content-Length: 4
  54. Last-Modified: Tue, 17 Aug 2021 09:47:12 GMT
  55. Connection: keep-alive
  56. ETag: "611b85a0-4"
  57. Expires: Tue, 24 Aug 2021 10:37:23 GMT
  58. Cache-Control: max-age=604800
  59. Accept-Ranges: bytes
  61. [root@lnmp ~]# curl -I -x127.0.0.1:80 test.com/1.jss
  62. HTTP/1.1 200 OK
  63. Server: nginx/1.17.8
  64. Date: Tue, 17 Aug 2021 10:37:32 GMT
  65. Content-Type: application/octet-stream
  66. Content-Length: 0
  67. Last-Modified: Tue, 17 Aug 2021 10:02:04 GMT
  68. Connection: keep-alive
  69. ETag: "611b891c-0"
  70. Accept-Ranges: bytes
  72. [root@lnmp ~]# cat /tmp/1.log
  74. 127.0.0.1 - [06/Sep/2021:14:52:48 +0800] test.com "/1.js" 200 "-" "curl/7.29.0"
  75. 192.168.100.1 - [06/Sep/2021:14:53:12 +0800] test.com "/1.js" 200 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0"
  76. 127.0.0.1 - [06/Sep/2021:14:55:17 +0800] test.com "/1.jss" 200 "-" "curl/7.29.0"
  77. 192.168.100.1 - [06/Sep/2021:14:55:28 +0800] test.com "/1.jss" 200 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0"
  78. [root@lnmp ~]#

image.png
image.png
image.png

七、Nginx防盗链

  1. [root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com test1.com test2.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  8.     if ($host != 'test.com' ) {
  9.         rewrite ^/(.*)$ http://test.com/$1 permanent;
  10.     }
  11.         location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
  12.         {
  13.          expires 7d;
  14.         valid_referers none blocked server_names  *.test.com ;
  15.          if ($invalid_referer) {
  16.          return 403;
  17.          }
  18.          access_log off;
  19.         }
  20. }
  21. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
  22. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  23. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  24. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
  25. [root@lnmp ~]# curl -x127.0.0.1:80 -e "http://aaa.com/1.txt" test.com/2.jpg -I
  26. HTTP/1.1 403 Forbidden
  27. Server: nginx/1.17.8
  28. Date: Mon, 06 Sep 2021 06:58:17 GMT
  29. Content-Type: text/html
  30. Content-Length: 153
  31. Connection: keep-alive
  33. [root@lnmp ~]# curl -x127.0.0.1:80 -e "http://test.com/1.txt" test.com/2.jpg -I
  34. HTTP/1.1 200 OK
  35. Server: nginx/1.17.8
  36. Date: Mon, 06 Sep 2021 06:58:30 GMT
  37. Content-Type: image/jpeg
  38. Content-Length: 4
  39. Last-Modified: Mon, 06 Sep 2021 06:52:04 GMT
  40. Connection: keep-alive
  41. ETag: "6135ba94-4"
  42. Expires: Mon, 13 Sep 2021 06:58:30 GMT
  43. Cache-Control: max-age=604800
  44. Accept-Ranges: bytes
  46. [root@lnmp ~]#

八、访问控制
1、针对目录进行访问控制
1.1 配置

  1. [root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com test1.com test2.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  8.     access_log /tmp/1.log combined_realip;
  10. location /admin/ {
  11.         allow 192.168.100.1;
  12.         allow 192.168.100.10;
  13.         allow 127.0.0.1;
  14.         deny all;
  15. }
  16. }
  18. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
  19. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  20. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  21. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload


1.2 测试

  1. [root@lnmp ~]# echo "1234" > /data/nginx/test.com/admin/1.html 
  2. # 测试 可以把配置文件改为192.168.100.10允许访问,使用浏览器测试
  3. [root@lnmp ~]# curl -x127.0.0.1:80 test.com/admin/1.html        
  4. 1234
  5. [root@lnmp ~]# curl -x192.168.100.10:80 test.com/admin/1.html -I
  6. HTTP/1.1 200 OK
  7. Server: nginx/1.17.8
  8. Date: Mon, 06 Sep 2021 07:45:45 GMT
  9. Content-Type: text/html
  10. Content-Length: 5
  11. Last-Modified: Mon, 06 Sep 2021 07:29:53 GMT
  12. Connection: keep-alive
  13. ETag: "6135c371-5"
  14. Accept-Ranges: bytes
  16. [root@lnmp ~]#

网页输入
http://test.com/admin/1.html
image.png

九、nginx解析PHP

配置

  1. [root@lnmp ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name test.com test1.com test2.com;
  6.     index index.html index.htm index.php;
  7.     root /data/nginx/test.com;
  8.     access_log /tmp/1.log combined_realip;
  10. location ~ \.php$ {
  11.     include fastcgi_params;
  12.     fastcgi_pass unix:/tmp/php-fcgi.sock;
  13.     fastcgi_index index.php;
  14.     fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
  15.     }
  16. }
  18. [root@lnmp ~]# vim /data/nginx/test.com/3.php 
  19. <?php
  20. phpinfo();
  21. ?>
  23. # fastcgi_pass用来指定php-fpm的地址 路径如果错误,则报错502 
  24. # 路径在这个配置文件中
  25. [root@lnmp ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
  26. [global]
  27. pid = /usr/local/php-fpm/var/run/php-fpm.pid
  28. error_log = /usr/local/php-fpm/var/log/php-fpm.log
  29. [www]
  30. listen = /tmp/php-fcgi.sock
  31. # listen = 127.0.0.1:9000  # 也可以这样配置,但是他们的配置文件要对应。
  32. listen.mode = 666
  33. user = php-fpm
  34. group = php-fpm
  35. pm = dynamic
  36. pm.max_children = 50
  37. pm.start_servers = 20
  38. pm.min_spare_servers = 5
  39. pm.max_spare_servers = 35
  40. pm.max_requests = 500
  41. rlimit_files = 1024
  43. # 注意一下这三行的配置文件与nginx配置文件的关系 
  44. listen = /tmp/php-fcgi.sock
  45. # listen = 127.0.0.1:9000  # 也可以这样配置,但是他们的配置文件要对应。
  46. listen.mode = 666

测试

  1. [root@lnmp ~]# curl -x127.0.0.1:80 test.com/3.php
  2. <?php
  3. phpinfo();
  4. ?>
  5. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
  6. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  7. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  8. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload

网页输入
test.com/3.php
image.png

十、Nginx代理

一个没有公网IP的服务器要提供web服务,可以通过代理实现。

配置

  1. [root@lnmp ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
  2. server
  3. {
  4.     listen 80;
  5.     server_name ask.apelearn.com;
  7.     location /
  8.     {
  9.         proxy_pass      http://47.104.7.242/;
  10.         proxy_set_header Host   $host;
  11.         proxy_set_header X-Real-IP      $remote_addr;
  12.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  13.     }
  14. }

测试

  1. [root@lnmp ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
  2. <html>
  3. <head><title>404 Not Found</title></head>
  4. <body>
  5. <center><h1>404 Not Found</h1></center>
  6. <hr><center>nginx/1.17.8</center>
  7. </body>
  8. </html>
  9. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
  10. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  11. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  12. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
  13. [root@lnmp ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
  14. #
  15. # robots.txt for MiWen
  16. #
  18. User-agent: *
  20. Disallow: /?/admin/
  21. Disallow: /?/people/
  22. Disallow: /?/question/
  23. Disallow: /account/
  24. Disallow: /app/
  25. Disallow: /cache/
  26. Disallow: /install/
  27. Disallow: /models/
  28. Disallow: /crond/run/
  29. Disallow: /search/
  30. Disallow: /static/
  31. Disallow: /setting/
  32. Disallow: /system/
  33. Disallow: /tmp/
  34. Disallow: /themes/
  35. Disallow: /uploads/
  36. Disallow: /url-*
  37. Disallow: /views/
  38. Disallow: /*/ajax/[root@lnmp ~]#

十一、负载均衡

一个IP叫做代理,两个以上就叫做负载均衡。

1、配置

  1. /.安装dig命令
  2. [root@lnmp ~]# yum install -y bind-utils
  4. 通过dig命令获取相应域名的地址
  5. 这里是拿百度的做测试
  6. [root@lnmp ~]# dig www.baidu.com
  8. ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> www.baidu.com
  9. ;; global options: +cmd
  10. ;; Got answer:
  11. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23817
  12. ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
  14. ;; OPT PSEUDOSECTION:
  15. ; EDNS: version: 0, flags:; udp: 512
  16. ;; QUESTION SECTION:
  17. ;www.baidu.com.     IN  A
  19. ;; ANSWER SECTION:
  20. www.baidu.com.    33  IN  CNAME www.a.shifen.com.
  21. www.a.shifen.com. 129 IN  A 220.181.38.149
  22. www.a.shifen.com. 129 IN  A 220.181.38.150
  24. ;; Query time: 31 msec
  25. ;; SERVER: 114.114.114.114#53(114.114.114.114)
  26. ;; WHEN: Wed Aug 18 19:12:15 CST 2021
  27. ;; MSG SIZE  rcvd: 101
  29. [root@lnmp ~]# vim /usr/local/nginx/conf/vhost/load.conf 
  30. upstream baidu
  31. {
  32.     ip_hash;
  33.     server 220.181.38.149:80;
  34.     server 220.181.38.150:80;
  35. }
  36. server
  37. {
  38.     listen 80;
  39.     server_name www.baidu.com;
  40.     location /
  41.     {
  42.         proxy_pass      http://baidu;
  43.         proxy_set_header Host   $host;
  44.         proxy_set_header X-Real-IP      $remote_addr;
  45.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  46.     }
  47. }
  49. upstream来指定多个web server
  50. upstream后面的名字要和proxy_pass后面的名字相同

测试

  1. [root@lnmp ~]# curl -x127.0.0.1:80 www.baidu.com
  2.  default server! 
  3. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -t
  4. nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  5. nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  6. [root@lnmp ~]# /usr/local/nginx/sbin/nginx -s reload
  7. [root@lnmp ~]# curl -x127.0.0.1:80 www.baidu.com
  8. <!DOCTYPE html>
  9. <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
  10. [root@lnmp ~]#

十二、SSL

我们通常访问的网站有http和https 其中https就是和ssl证书有关。

SSL工作流程

十二、SSL

我们通常访问的网站有http和https 其中https就是和ssl证书有关。

SSL工作流程

image.png
image.png
image.png

生成ssl密钥对

  1. [root@lnmp ~]# rpm -qa  openssl
  2. openssl-1.0.2k-21.el7_9.x86_64
  3. [root@lnmp ~]# cd /usr/local/nginx/conf/
  4. [root@lnmp conf]# openssl genrsa -des3 -out tmp.key 2048
  5. Generating RSA private key, 2048 bit long modulus
  6. .....................................................................................+++
  7. ..............................+++
  8. e is 65537 (0x10001)
  9. Enter pass phrase for tmp.key:
  10. Verifying - Enter pass phrase for tmp.key:
  11. [root@lnmp conf]# openssl rsa -in tmp.key -out aminglinux.key 
  12. Enter pass phrase for tmp.key:
  13. writing RSA key
  14. [root@lnmp conf]# ls
  15. aminglinux.key          koi-win              tmp.key
  16. fastcgi.conf            mime.types           uwsgi_params
  17. fastcgi.conf.default    mime.types.default   uwsgi_params.default
  18. fastcgi_params          nginx.conf           vhost
  19. fastcgi_params.default  nginx.conf.default   win-utf
  20. htpasswd                scgi_params
  21. koi-utf                 scgi_params.default
  22. [root@lnmp conf]# rm -rf tmp.key 
  23. [root@lnmp conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
  24. You are about to be asked to enter information that will be incorporated
  25. into your certificate request.
  26. What you are about to enter is what is called a Distinguished Name or a DN.
  27. There are quite a few fields but you can leave some blank
  28. For some fields there will be a default value,
  29. If you enter '.', the field will be left blank.
  30. -----
  31. Country Name (2 letter code) [XX]:66
  32. State or Province Name (full name) []:bj
  33. Locality Name (eg, city) [Default City]:bj
  34. Organization Name (eg, company) [Default Company Ltd]:cn
  35. Organizational Unit Name (eg, section) []:cn
  36. Common Name (eg, your name or your server's hostname) []:cn
  37. Email Address []:sxb@163.com
  39. Please enter the following 'extra' attributes
  40. to be sent with your certificate request
  41. A challenge password []:123456
  42. An optional company name []:123456
  43. [root@lnmp conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
  44. Signature ok
  45. subject=/C=66/ST=bj/L=bj/O=cn/OU=cn/CN=cn/emailAddress=wsw@163.com
  46. Getting Private key

配置SSL

  1. [root@lnmp conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
  2. server
  3. {
  4.     listen 443;
  5.     server_name 1234.com;
  6.     index index.html index.php;
  7.     root /data/wwwroot/1234.com;
  8.     ssl on;
  9.     ssl_certificate aminglinux.crt;
  10.     ssl_certificate_key aminglinux.key;
  11.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  12. }
  14. [root@lnmp conf]# /usr/local/nginx/sbin/nginx -t
  15. nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
  16. nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
  18. # 重新编译安装nginx
  19. [root@lnmp conf]# cd /usr/local/src/
  20. [root@lnmp src]# ls
  21. mysql-5.6.47-linux-glibc2.12-x86_64.tar.gz  php-5.6.30
  22. nginx-1.17.8                                php-5.6.30.tar.gz
  23. nginx-1.17.8.tar.gz
  24. [root@lnmp src]# cd nginx-1.17.8
  25. [root@lnmp nginx-1.17.8]# ls
  26. auto     CHANGES.ru  configure  html     Makefile  objs    src
  27. CHANGES  conf        contrib    LICENSE  man       README
  28. [root@lnmp nginx-1.17.8]# ./configure --help |grep ssl
  29.   --with-http_ssl_module             enable ngx_http_ssl_module
  30.   --with-mail_ssl_module             enable ngx_mail_ssl_module
  31.   --with-stream_ssl_module           enable ngx_stream_ssl_module
  32.   --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  33.   --with-openssl=DIR                 set path to OpenSSL library sources
  34.   --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
  35. [root@lnmp nginx-1.17.8]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
  37. [root@lnmp nginx-1.17.8]# make && make install
  39. [root@lnmp nginx-1.17.8]# /etc/init.d/nginx restart 
  40. Restarting nginx (via systemctl):                          [  确定  ]
  41. [root@lnmp nginx-1.17.8]# netstat -ntlp
  42. Active Internet connections (only servers)
  43. Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  44. tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30052/nginx: master 
  45. tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      941/sshd            
  46. tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1188/master         
  47. tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      30052/nginx: master 
  48. tcp6       0      0 :::3306                 :::*                    LISTEN      25697/mysqld        
  49. tcp6       0      0 :::22                   :::*                    LISTEN      941/sshd            
  50. tcp6       0      0 ::1:25                  :::*                    LISTEN      1188/master         
  51. [root@lnmp nginx-1.17.8]# 
  52. [root@lnmp nginx-1.17.8]# mkdir -p /data/nginx/1234.com
  53. [root@lnmp nginx-1.17.8]# echo "ssl test" > /data/nginx/1234.com/index.html

在hosts
文件中加入 对应的域名 测试
image.png
image.png