
2018-09-20

发布时间:2020-12-15 23:26:40 所属栏目:安全 来源:网络整理
12.7 默认虚拟主机
[[email?protected] ~]# vim /usr/local/nginx/conf/nginx.conf //增加
include vhost/*.conf;
[[email?protected] ~]# mkdir /usr/local/nginx/conf/vhost
[[email?protected] ~]# cd !$ ; vim default.conf //加入如下内容
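# Catch-all virtual host. "default_server" makes this block answer every
# request on port 80 whose Host header matches no other server_name,
# including requests addressed to the bare IP.
server
{
    listen 80 default_server;  # this flag marks the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    # Keep this directory free of real application content: whatever is
    # placed here is served for any unrecognised host name that resolves
    # to this machine.
    root /data/wwwroot/default;
}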
[[email?protected] ~]# mkdir -p /data/wwwroot/default/
[[email?protected] ~]# echo "This is a default site." > /data/wwwroot/default/index.html
[[email?protected] ~]# chcon -R -t httpd_sys_content_t /data/wwwroot/
[[email?protected] ~]# firewall-cmd --permanent --add-service=http
success
[[email?protected] ~]# firewall-cmd --permanent --add-service=https
success
[[email?protected] ~]# firewall-cmd --reload 
success
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t //测试配置文件有无错误
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload //重新加载配置文件
12.8 Nginx用户认证
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# test.com: every URI under / requires HTTP Basic authentication.
server
{
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;
    index index.html index.htm index.php;

    location /
    {
        # Realm string shown in the client's login prompt.
        auth_basic "Auth";
        # Password file in htpasswd format. It sits outside the document
        # root, so it cannot be fetched through this virtual host.
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        # Basic credentials are only base64-encoded, and this server
        # listens on plain HTTP (port 80): the user name and password
        # cross the network readable. Serve protected areas over TLS.
    }
}
[[email?protected] ~]# mkdir /data/wwwroot/test.com
[[email?protected] ~]# yum install -y httpd
[[email?protected] ~]# htpasswd -c /usr/local/nginx/conf/htpasswd aming  //-c 会新建(覆盖)密码文件,只在创建第一个用户时使用;再添加用户时不要加 -c
New password: 
Re-type new password: 
Adding password for user aming
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email?protected] ~]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.15.3
Date: Thu,20 Sep 2018 07:26:53 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

[[email?protected]ocalhost ~]# curl -uaming:aming -x127.0.0.1:80 test.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.3
Date: Thu,20 Sep 2018 07:27:15 GMT
Content-Type: text/html
Content-Length: 5
Last-Modified: Thu,20 Sep 2018 07:26:17 GMT
Connection: keep-alive
ETag: "5ba34b99-5"
Accept-Ranges: bytes
12.9 Nginx域名重定向
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
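# test.com with two alias names; requests for the aliases are redirected
# to the canonical host.
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # The quotes must be plain ASCII quotes. Typographic quotes would be
    # treated as part of the compared string, so test.com itself would
    # never match and would be redirected to itself.
    if ($host != 'test.com') {
        # "permanent" answers with 301; "redirect" would answer with 302.
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}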
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email?protected] default]# curl -x127.0.0.1:80 test2.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.3
Date: Thu,20 Sep 2018 08:20:36 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/
12.10 Nginx访问日志
[[email?protected] ~]# vim /usr/local/nginx/conf/nginx.conf
...
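    # Named access-log format, referenced by name from access_log directives.
    # $remote_addr is the address of the TCP peer. $http_x_forwarded_for is
    # copied from the request's X-Forwarded-For header, so its value is
    # chosen by whoever sent the request: treat it as a hint unless it was
    # set by a proxy you operate. Referer and User-Agent are likewise
    # client-supplied.
    # The format strings must be delimited by plain ASCII quotes.
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';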
...
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
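# test.com with canonical-host redirect and a per-vhost access log.
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # Plain ASCII quotes are required around the host name.
    if ($host != 'test.com') {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # The second argument is the log_format name defined in nginx.conf.
    # /tmp is world-writable, so any local user can pre-create or replace
    # a file at this path before nginx opens it. Outside a lab, point
    # access_log at a directory only root can write to.
    access_log /tmp/test.com.log combined_realip;
}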
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email?protected] ~]# cat /tmp/test.com.log 
127.0.0.1 - [20/Sep/2018:16:33:55 +0800] test2.com "/" 301 "-" "curl/7.29.0"
127.0.0.1 - [20/Sep/2018:16:35:05 +0800] test2.com "/" 301 "-" "curl/7.29.0"
127.0.0.1 - [20/Sep/2018:16:38:29 +0800] test.com "/" 200 "-" "curl/7.29.0"
12.11 Nginx日志切割
[[email?protected] ~]# vim /usr/local/sbin/nginx_log_rotate.sh //写入如下内容
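#!/bin/bash
# Rotate nginx logs: rename every *.log file in $logdir with yesterday's
# date as a suffix, then signal the nginx master process so it opens fresh
# log files.
# Assumes the nginx logs are stored under /data/logs/; set logdir to the
# directory your access_log directives actually write to.
d=$(date -d "-1 day" +%Y%m%d)
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"

# Stop if the directory is missing. Without this check the loop below would
# rename *.log files in whatever directory cron started the script in, and
# the script runs as root.
cd "$logdir" || exit 1

# Iterate over the glob directly instead of parsing `ls`, and quote every
# expansion, so file names containing spaces or glob characters are handled
# as single arguments.
for log in *.log
do
    # When nothing matches, the pattern stays literal; skip it.
    [ -f "$log" ] || continue
    # "--" keeps a file name that begins with "-" from being read as an option.
    mv -- "$log" "$log-$d"
done

# HUP makes the master reload its configuration and reopen the log files.
# Signal only when the pid file exists and is non-empty.
if [ -s "$nginx_pid" ]; then
    /bin/kill -HUP "$(cat "$nginx_pid")"
else
    echo "nginx pid file not found: $nginx_pid" >&2
    exit 1
fi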
[[email?protected] ~]# crontab -e -u root
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
12.12 静态文件不记录日志和过期时间
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
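# test.com: static assets get a cache lifetime and are left out of the
# access log.
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # Plain ASCII quotes are required around the host name.
    if ($host != 'test.com') {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # The dot before the extension is escaped. An unescaped "." matches any
    # character, so the pattern would also catch URIs that merely end in
    # the letters "gif", "png", and so on.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
          expires      7d;
          # Requests handled here leave no trace in the access log; keep
          # that in mind when the log is needed for an investigation.
          access_log off;
    }
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    # The second argument is the log_format name defined in nginx.conf.
    access_log /tmp/test.com.log combined_realip;
}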
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload
12.13 Nginx防盗链
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
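# test.com: hotlink protection for downloadable and media files.
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # Plain ASCII quotes are required around the host name.
    if ($host != 'test.com') {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    # "~*" is a case-insensitive regex; the dot before the extension is
    # escaped so that it matches a literal ".".
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        # Accepted Referer values: header absent ("none"), header stripped
        # by a proxy or firewall ("blocked"), this server's own names, and
        # *.test.com.
        # The Referer header is set by the client, and "none" accepts
        # requests that send no Referer at all. This discourages embedding
        # by other sites; it is not access control. Files that must stay
        # private need authentication.
        valid_referers none blocked server_names  *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    # The second argument is the log_format name defined in nginx.conf.
    access_log /tmp/test.com.log combined_realip;
}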
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload
12.14 Nginx访问控制
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
...
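# Restrict one directory by client address. Rules are checked in order and
# the first match decides; "deny all" rejects everyone not listed above it.
# The address compared is that of the TCP peer. Behind a reverse proxy or
# load balancer every request appears to come from the proxy unless the
# realip module is configured with the list of trusted proxies.
# NOTE(review): this is a plain prefix location, so a regex location that
# also matches the URI (for example a general PHP handler) is chosen
# instead and these rules are not applied. Use "^~" or repeat the allow/deny
# rules in that handler.
location /admin/
{
    allow 192.168.31.1;
    allow 127.0.0.1;
    deny all;
}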

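# Regex restriction: refuse requests for .php files under any upload/ or
# image/ directory, so files placed there are never handed to PHP.
# Regex locations are tried in the order they appear in the file and the
# first match wins, so this block must come before the general PHP handler.
# The dot before "php" is escaped so that it matches a literal ".".
location ~ .*(upload|image)/.*\.php$
{
        deny all;
}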

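# Restrict by User-Agent: reject requests whose header contains one of
# these strings ("~" is a case-sensitive regex match).
# The header is chosen by the client, so this filters crawlers that
# identify themselves honestly and nothing else.
# The pattern must be delimited by plain ASCII quotes.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;  # "deny all" and "return 403" have the same effect
}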
...
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -t
[[email?protected] ~]# /usr/local/nginx/sbin/nginx -s reload
12.15 Nginx解析php相关配置
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
...
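# Hand requests for .php files to PHP-FPM over a unix socket.
# The dot is escaped so that only URIs ending in a literal ".php" match.
location ~ \.php$
{
    # Pass the request on only when the requested file exists under the
    # document root. Without this check PHP's path-info fallback may run a
    # different file than the one named in the URI.
    try_files $uri =404;
    include fastcgi_params;
    # The socket sits in /tmp, which every local user can reach. Restrict it
    # to the nginx worker user with listen.owner / listen.mode in the
    # PHP-FPM pool configuration.
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    # $document_root expands to the value of the "root" directive.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}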
...
12.16 Nginx代理
[[email?protected] ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
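# Reverse proxy: forward every request for ask.apelearn.com to the backend.
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        # Address of the backend server. Traffic to it is plain HTTP, so
        # requests and responses are unencrypted on this hop as well.
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        # Set from the TCP peer address; replaces any X-Real-IP value the
        # client sent.
        proxy_set_header X-Real-IP      $remote_addr;
        # Appends the peer address to whatever X-Forwarded-For the client
        # sent. Only the last entry is added by this proxy; the backend
        # must not trust earlier entries for access decisions or auditing.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}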

扩展
nginx.conf 配置详解 https://coding.net/u/aminglinux/p/nginx/git/tree/master/3z
nginx rewrite四种flag http://unixman.blog.51cto.com/10163040/1711943 https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md
502问题汇总 http://ask.apelearn.com/question/9109
location优先级 https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md

(编辑:李大同)
