12.13 Nginx防盜鏈 12.14 Nginx訪問控制 12.15 Nginx解析php相關配置 12.16 Nginx代理
阿新 • • 發佈:2017-10-25
12.13 nginx防盜鏈 12.14 nginx訪問控制 12.15 nginx解析php相關配置 12.16 nginx代理
- 12.13 Nginx防盜鏈 - 12.14 Nginx訪問控制 - 12.15 Nginx解析php相關配置 - 12.16 Nginx代理 - 擴展 - 502問題匯總 http://ask.apelearn.com/question/9109 - location優先級 http://blog.lishiming.net/?p=100 # 12.13 Nginx防盜鏈 - 打開配置文件,添加以下內容 ``` [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf server { listen 80; server_name test.com test2.com test3.com; index index.html index.htm index.php; root /data/wwwroot/test.com; if ($host != ‘test.com‘ ) { rewrite ^/(.*)$ http://test.com/$1 permanent; } # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # { # expires 7d; # access_log off; # } location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ { expires 7d; valid_referers none blocked server_names *.test.com ; if ($invalid_referer) { return 403; } access_log off; } location ~ .*\.(js|css)$ { # expires 12h; :wq [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# ``` - 下面來做一個測試 ``` [root@localhost ~]# curl -x127.0.0.1:80 -I test.com/2.gif HTTP/1.1 404 Not Found Server: nginx/1.12.1 Date: Thu, 19 Oct 2017 14:27:24 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# ls /data/wwwroot/test.com/ 1.gif 2.js admin index.html [root@localhost ~]# curl -x127.0.0.1:80 -I test.com/1.gif HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Thu, 19 Oct 2017 14:27:46 GMT Content-Type: image/gif Content-Length: 14 Last-Modified: Thu, 19 Oct 2017 14:02:00 GMT Connection: keep-alive ETag: "59e8b058-e" Expires: Thu, 26 Oct 2017 14:27:46 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes [root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Thu, 19 Oct 2017 14:28:36 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Thu, 19 Oct 2017 14:28:45 GMT Content-Type: image/gif Content-Length: 14 Last-Modified: Thu, 19 Oct 2017 14:02:00 GMT Connection: keep-alive ETag: "59e8b058-e" Expires: Thu, 26 Oct 2017 14:28:45 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes [root@localhost ~]# [root@localhost ~]# !cat cat /tmp/test.com.log 127.0.0.1 - [19/Oct/2017:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0" [root@localhost ~]# ``` - 這個說明防盜鏈配置成功了 # 12.14 Nginx訪問控制 - 修改配置文件內容 ``` [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf server { listen 80; server_name test.com test2.com test3.com; index index.html index.htm index.php; root /data/wwwroot/test.com; if ($host != ‘test.com‘ ) { rewrite ^/(.*)$ http://test.com/$1 permanent; } # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # { # expires 7d; # access_log off; # } location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ { expires 7d; valid_referers none blocked server_names *.test.com ; if ($invalid_referer) { return 403; } access_log off; } location ~ .*\.(js|css)$ { # expires 12h; access_log off; } location /admin/ { allow 127.0.0.1; allow 192.168.202.131; deny all; } :wq ``` - 這段配置就是關於訪問配置的,這三個規則加起來 ,只允許前面倆個,一個是127.0.0.1,另一個是 192.168.202.131 其他全部deny ``` location /admin/ { allow 127.0.0.1; allow 192.168.202.131; deny all; } ``` - 檢查語法,重新加載 ``` [root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload ``` - 來測試下,/admin/ 沒問題,其他不行 ``` [root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.GIFHTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 12:23:43 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 12:23:57 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Tue, 17 Oct 2017 14:08:26 GMT Connection: keep-alive ETag: "59e60eda-13" Accept-Ranges: bytes [root@localhost ~]# ``` - 現在來換一個ip,重新測試下 ``` [root@localhost ~]# curl -x192.168.202.131:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 12:25:47 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Tue, 17 Oct 2017 14:08:26 GMT Connection: keep-alive ETag: "59e60eda-13" Accept-Ranges: bytes [root@localhost ~]# ``` - 看下日誌文件,來源ip 是192.168.202.131,因為它是被允許的,是白名單 ``` [root@localhost ~]# cat /tmp/test.com.log 127.0.0.1 - [19/Oct/2017:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:20:23:57 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0" 192.168.202.131 - [21/Oct/2017:20:25:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" [root@localhost ~]# ``` - 在這裏我添加一個塊網卡ens37 ``` [root@localhost ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.202.131 netmask 255.255.255.0 broadcast 192.168.202.255 inet6 fe80::ecdd:28b7:612b:cb7 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:2e:28:f2 txqueuelen 1000 (Ethernet) RX packets 959 bytes 90762 (88.6 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 722 bytes 90139 (88.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.202.151 netmask 255.255.255.0 broadcast 192.168.202.255 ether 00:0c:29:2e:28:f2 txqueuelen 1000 (Ethernet) ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.202.132 netmask 255.255.255.0 broadcast 192.168.202.255 inet6 fe80::707c:946e:3252:cf7f prefixlen 64 scopeid 0x20<link> ether 00:0c:29:2e:28:fc txqueuelen 1000 (Ethernet) RX packets 8 bytes 1048 (1.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 11 bytes 1650 (1.6 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 117 bytes 10333 (10.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 117 bytes 10333 (10.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@localhost ~]# ``` - 給ens37 自動獲取一個ip地址,地址為192.168.202.132 ``` [root@localhost ~]# dhclient ens37 [root@localhost ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.202.131 netmask 255.255.255.0 broadcast 192.168.202.255 inet6 fe80::ecdd:28b7:612b:cb7 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:2e:28:f2 txqueuelen 1000 (Ethernet) RX packets 1029 bytes 97446 (95.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 772 bytes 97801 (95.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.202.151 netmask 255.255.255.0 broadcast 192.168.202.255 ether 00:0c:29:2e:28:f2 txqueuelen 1000 (Ethernet) ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.202.132 netmask 255.255.255.0 broadcast 192.168.202.255 inet6 fe80::707c:946e:3252:cf7f prefixlen 64 scopeid 0x20<link> ether 00:0c:29:2e:28:fc txqueuelen 1000 (Ethernet) RX packets 18 bytes 2216 (2.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 16 bytes 2796 (2.7 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 117 bytes 10333 (10.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 117 bytes 10333 (10.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@localhost ~]# ``` - 接下來用這個ip來實驗下 ``` [root@localhost ~]# curl -x192.168.202.132:80 test.com/admin/ <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@localhost ~]# !cat cat /tmp/test.com.log 127.0.0.1 - [19/Oct/2017:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:20:23:57 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0" 192.168.202.131 - [21/Oct/2017:20:25:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" 192.168.202.132 - [21/Oct/2017:20:34:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0" [root@localhost ~]# ``` - 來源ip 192.168.202.132 並沒有被允許,所以報錯誤403 - 而這個是被允許的,127.0.0.1 ``` [root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 12:36:44 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Tue, 17 Oct 2017 14:08:26 GMT Connection: keep-alive ETag: "59e60eda-13" Accept-Ranges: bytes [root@localhost ~]# ``` - 進入配置文件/usr/local/nginx/conf/vhost/test.com.conf,只要是匹配upload的,然後以php結尾的,都給他屏蔽 ``` [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf location ~ .*\.(js|css)$ { # expires 12h; access_log off; } location /admin/ { allow 127.0.0.1; allow 192.168.202.131; deny all; } location ~ .*(upload|image)/.*\.php$ { deny all; } :wq [root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# ``` - 創建一個目錄 upload, 再再下面創建一個1.php 在裏面寫入1111 - 再次訪問下 ``` [root@localhost ~]# mkdir /data/wwwroot/test.com/upload [root@localhost ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php [root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@localhost ~]# ``` - 再訪問下txt 不訪問php,就可以訪問 ``` [root@localhost ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt [root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt 1111 [root@localhost ~]# [root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:17:44 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# ``` - 看下日誌 ``` [root@localhost ~]# cat /tmp/test.com.log 127.0.0.1 - [19/Oct/2017:22:02:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:03:58 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [19/Oct/2017:22:06:06 +0800] test.com "/2.jslasdflk" 404 "-" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:20:23:57 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0" 192.168.202.131 - [21/Oct/2017:20:25:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" 192.168.202.132 - [21/Oct/2017:20:34:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:20:36:44 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:21:14:52 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:21:17:13 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0" 127.0.0.1 - [21/Oct/2017:21:17:44 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0" [root@localhost ~]# ``` - 針對user_agent限制 if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato’) { return 403; } return 403和deny all 效果是一樣的 測試 - 打開配置文件 ``` [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf server { listen 80; server_name test.com test2.com test3.com; index index.html index.htm index.php; root /data/wwwroot/test.com; if ($host != ‘test.com‘ ) { rewrite ^/(.*)$ http://test.com/$1 permanent; } # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # { # expires 7d; # access_log off; # } if ($invalid_referer) { return 403; } access_log off; } location ~ .*\.(js|css)$ { # expires 12h; access_log off; } location /admin/ { allow 127.0.0.1; allow 192.168.202.131; deny all; } location ~ .*(upload|image)/.*\.php$ { deny all; } if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato‘) { return 403; } :wq [root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# !curl curl -x127.0.0.1:80 test.com/upload/1.php -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:22:47 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:23:01 GMT Content-Type: text/plain Content-Length: 5 Last-Modified: Sat, 21 Oct 2017 13:17:00 GMT Connection: keep-alive ETag: "59eb48cc-5" Accept-Ranges: bytes [root@localhost ~]# ``` - 現在要做一個模擬user_agent ``` [root@localhost ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:24:10 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# ``` - 如果是小寫就可以 ``` [root@localhost ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:24:42 GMT Content-Type: text/plain Content-Length: 5 Last-Modified: Sat, 21 Oct 2017 13:17:00 GMT Connection: keep-alive ETag: "59eb48cc-5" Accept-Ranges: bytes [root@localhost ~]# ``` - 如果想要不區分大小寫,去配置文件裏,改下配置文件 在~ 後面加個* ``` if ($http_user_agent ~* ‘Spider/3.0|YoudaoBot|Tomato‘) { return 403; } access_log /tmp/test.com.log aming; } :wq [root@localhost ~]# !curl curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:28:09 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sat, 21 Oct 2017 13:28:22 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@localhost ~]# ``` - 這樣改成小寫也是403錯誤,這就是訪問控制 # 12.15 Nginx解析php相關配置 - 配置如下: ``` location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } ``` - fastcgi_pass 用來指定php-fpm監聽的地址或者socket - 先打開虛擬主機配置文件,把這段放到配置文件裏去 ``` # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # { # expires 7d; # access_log off; # } location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ { expires 7d; valid_referers none blocked server_names *.test.com ; if ($invalid_referer) { return 403; } { # expires 12h; access_log off; } location /admin/ { allow 127.0.0.1; allow 192.168.202.131; deny all; } location ~ .*(upload|image)/.*\.php$ { deny all; } if ($http_user_agent ~* ‘Spider/3.0|YoudaoBot|Tomato‘) { return 403; } location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } :wq ``` - 因為現在,這個虛擬主機配置文件,它還不能夠去解析php,我們先不去重新加載,先來做一個php, ``` [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# vi /data/wwwroot/test.com/upload/1. 1.php 1.txt [root@localhost ~]# vi /data/wwwroot/test.com/upload/1. 1.php 1.txt [root@localhost ~]# vi /data/wwwroot/test.com/ 1.gif 2.js admin/ index.html upload/ [root@localhost ~]# vi /data/wwwroot/test.com/3.php <?php phpinfo(); ~ :wq [root@localhost ~]# vi /data/wwwroot/test.com/3.php [root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php <?php phpinfo(); [root@localhost ~]# ``` - 不能解析,直接把源碼給顯示出來了 - 現在重新加載下,再來看下,其實就可了,這既是php.info的頁面,只不過在curl顯示出來的是網頁的源碼,如果把它放到瀏覽器裏面,它就會顯示一個漂亮的表格 ``` [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# </table> <h2>PHP License</h2> <table> <tr class="v"><td> <p> This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file: LICENSE </p> <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. </p> <p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact [email protected]. </p> </td></tr> </table> </div></body></html>[root@localhost ~]# ``` - 其實這部分配置就是用來解析php的 vi /usr/local/nginx/conf/vhost/test.com.conf ``` location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } access_log /tmp/test.com.log aming; } ``` - 假如故意把它寫錯,少了一個f , fastcgi_pass unix:/tmp/php-cgi.sock, - 再去訪問,它會變成502,為什麽呢,因為它找不到你的那個socket ``` location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } access_log /tmp/test.com.log aming; } :wq [root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# !curl curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@localhost ~]# ``` - 咱們可以看看nginx的錯誤日誌 ``` [root@localhost ~]# tail /usr/local/nginx/logs/ access.log error.log nginx_error.log nginx.pid [root@localhost ~]# tail /usr/local/nginx/logs/error.log 2017/10/19 21:11:27 [notice] 2322#0: signal process started 2017/10/19 22:00:49 [notice] 2399#0: signal process started 2017/10/19 22:11:14 [notice] 2435#0: signal process started 2017/10/19 22:24:28 [notice] 2447#0: signal process started 2017/10/21 20:21:18 [notice] 2323#0: signal process started 2017/10/21 21:12:48 [notice] 2748#0: signal process started 2017/10/21 21:22:41 [notice] 2781#0: signal process started 2017/10/21 21:28:03 [notice] 2870#0: signal process started 2017/10/21 21:46:59 [notice] 2966#0: signal process started 2017/10/21 21:51:59 [notice] 2997#0: signal process started [root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf user nobody nobody; worker_processes 2; error_log /usr/local/nginx/logs/nginx_error.log crit; pid /usr/local/nginx/logs/nginx.pid; worker_rlimit_nofile 5120 ``` - 把級別改下,改成debug ``` [root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf user nobody nobody; worker_processes 2; error_log /usr/local/nginx/logs/nginx_error.log debug; ``` - 然後再重啟下 ``` [root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf [root@localhost ~]# /etc/init.d/nginx restart Restarting nginx (via systemctl): [ 確定 ] [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# !curl curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@localhost ~]# ``` - 依然是502錯誤 - 再看下日誌 ``` [root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log 2017/10/21 21:57:38 [notice] 3082#0: nginx/1.12.1 2017/10/21 21:57:38 [notice] 3082#0: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 2017/10/21 21:57:38 [notice] 3082#0: OS: Linux 3.10.0-514.el7.x86_64 2017/10/21 21:57:38 [notice] 3082#0: getrlimit(RLIMIT_NOFILE): 1024:4096 2017/10/21 21:57:38 [notice] 3083#0: start worker processes 2017/10/21 21:57:38 [notice] 3083#0: start worker process 3084 2017/10/21 21:57:38 [notice] 3083#0: start worker process 3085 2017/10/21 21:58:01 [notice] 3085#0: *1 "Spider/3.0|YoudaoBot|Tomato" does not match "curl/7.29.0", client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", host: "test.com" 2017/10/21 21:58:01 [crit] 3085#0: *1 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com" 2017/10/21 21:58:01 [info] 3085#0: *1 client 127.0.0.1 closed keepalive connection [root@localhost ~]# [root@localhost ~]# ls /tmp/php-cgi.sock ls: 無法訪問/tmp/php-cgi.sock: 沒有那個文件或目錄 [root@localhost ~]# cat /usr/local/php-fpm/etc/php cat: /usr/local/php-fpm/etc/php: 沒有那個文件或目錄 [root@localhost ~]# cat /usr/local/php-fpm/etc/php php-fpm.conf php-fpm.conf.default php.ini [root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock #listen = 127.0.0.1:9000 listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 [root@localhost ~]# ``` - 對比過後 發現文件名出錯,這時在去看nginx下的conf配置是否正確 發現就是虛擬主機配置文件出錯,修改回正確的sock名字就恢復正常 - 再進入配置文件,把地址寫對 fastcgi_pass unix:/tmp/php-fcgi.sock; ``` location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } access_log /tmp/test.com.log aming; } -- INSERT -- ``` - 假如現在我不監聽socket ,監聽ip端口,來改下配置文件 ``` [root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] #listen = /tmp/php-fcgi.sock listen = 127.0.0.1:9000 listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 ~ ~ :wq [root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# ``` - 重啟php ``` [root@localhost ~]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@localhost ~]# ``` - 再來看下監聽端口,12.7.0.0.1 在監聽 ``` [root@localhost ~]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3083/nginx: master tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1331/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2060/master tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 3279/php-fpm: maste tcp6 0 0 :::3306 :::* LISTEN 1975/mysqld tcp6 0 0 :::22 :::* LISTEN 1331/sshd tcp6 0 0 ::1:25 :::* LISTEN 2060/master [root@localhost ~]# ``` - 再來curl看看,還是502 ,看下日誌,一樣的提示 不存在 ``` [root@localhost ~]# !curl curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@localhost ~]# [root@localhost ~]# !tail tail /usr/local/nginx/logs/nginx_error.log 2017/10/21 22:25:34 [notice] 3219#0: gracefully shutting down 2017/10/21 22:25:34 [notice] 3219#0: exiting 2017/10/21 22:25:34 [notice] 3219#0: exit 2017/10/21 22:25:34 [notice] 3083#0: signal 17 (SIGCHLD) received 2017/10/21 22:25:34 [notice] 3083#0: worker process 3218 exited with code 0 2017/10/21 22:25:34 [notice] 3083#0: worker process 3219 exited with code 0 2017/10/21 22:25:34 [notice] 3083#0: signal 29 (SIGIO) received 2017/10/21 22:27:39 [notice] 3304#0: *3 "Spider/3.0|YoudaoBot|Tomato" does not match "curl/7.29.0", client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", host: "test.com" 2017/10/21 22:27:39 [crit] 3304#0: *3 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com" 2017/10/21 22:27:39 [info] 3304#0: *3 client 127.0.0.1 closed keepalive connection [root@localhost ~]# ``` - 既然知道了它監聽的是ip 和端口,所以在配置文件中做一個更改 ``` location ~ \.php$ { include fastcgi_params; # fastcgi_pass unix:/tmp/php-fcgi.sock; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } access_log /tmp/test.com.log aming; :wq nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# [root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php <p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact [email protected]. </p> </td></tr> </table> </div></body></html>[root@localhost ~]# ``` - 以後出現502 檢查配置文件裏的 nginx 和php-fpm裏面所配置額ip地址是不是一樣的, - 還有一個是一個路徑/data/wwwroot/test.com 要寫對 - 關於502錯誤還有一個地方,需要說下 ``` [root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock #listen = 127.0.0.1:9000 #listen.mode = 666 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 ~ :wq [root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [root@localhost ~]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@localhost ~]# ls -l /tmp/php-fcgi.sock srw-rw----. 1 root root 0 10月 22 00:05 /tmp/php-fcgi.sock [root@localhost ~]# ``` - 現在取改下配置文件 - fastcgi_pass unix:/tmp/php-fcgi.sock; 這一行配置是讓nginx 去讀sock的文件 ``` location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; # fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; } access_log /tmp/test.com.log aming; } :wq [root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# !curl curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@localhost ~]# ``` - 再去訪問的時候依然會報502 - 查看下日誌 Permission denied 權限被拒絕了 臨時以nobody用戶去讀 ``` [root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log 2017/10/22 00:08:17 [crit] 3506#0: *25 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com" [root@localhost ~]# [root@localhost ~]# ps aux |grep nginx root 1306 0.0 0.1 21288 1696 ? Ss 10月21 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf nobody 3505 0.0 0.3 23168 3456 ? S 00:08 0:00 nginx: worker process nobody 3506 0.0 0.3 23168 3960 ? S 00:08 0:00 nginx: worker process root 3513 0.0 0.0 112680 976 pts/1 R+ 00:11 0:00 grep --color=auto nginx [root@localhost ~]# ``` - 可以把phpsock文件改下 改成nobody,再來訪問就不會502了,因為nobody用戶有讀權限 ``` [root@localhost ~]# chown nobody /tmp/php-fcgi.sock [root@localhost ~]# [root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. </p> <p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact [email protected]. </p> </td></tr> </table> </div></body></html>[root@localhost ~]# ``` - 進入php-fpm配置文件 ``` [root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock #listen = 127.0.0.1:9000 listen.mode = 444 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 ~ :wq [root@localhost ~]# vi /usr/local/php-fpm/etc/php-fpm.conf [root@localhost ~]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@localhost ~]# ls -l /tmp/php-fcgi.sock srw-rw----. 1 nobody root 0 10月 22 00:05 /tmp/php-fcgi.sock [root@localhost ~]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm [22-Oct-2017 00:17:50] NOTICE: PHP message: PHP Deprecated: Comments starting with ‘#‘ are deprecated in Unknown on line 1 in Unknown on line 0 done [root@localhost ~]# ls -l /tmp/php-fcgi.sock sr--r--r--. 1 root root 0 10月 22 00:17 /tmp/php-fcgi.sock [root@localhost ~]# !curl curl -x127.0.0.1:80 test.com/3.php <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> ``` - 因為nginx默認訪問php服務的用戶的nobody,而且660權限,因為文件所屬主、組是root,只能root用戶訪問,nobody用戶去調用 sock的時候,將出現錯誤,最終返回502 # 12.16 Nginx代理 ![mark](http://oqxf7c508.bkt.clouddn.com/blog/20171023/194944781.png?imageslim) ``` [root@localhost ~]# cd /usr/local/nginx/conf/vhost [root@localhost vhost]# vi proxy.conf server { { listen 80; server_name ask.apelearn.com; location / { proxy_pass http://121.201.9.155/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } :wq [root@localhost vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload [root@localhost vhost]# ``` - 測試下 ``` [root@localhost vhost]# curl ask.apelearn.com/robots.txt # # robots.txt for MiWen # User-agent: * Disallow: /?/admin/ Disallow: /?/people/ Disallow: /?/question/ Disallow: /account/ Disallow: /app/ Disallow: /cache/ Disallow: /install/ Disallow: /models/ Disallow: /crond/run/ Disallow: /search/ Disallow: /static/ Disallow: /setting/ Disallow: /system/ Disallow: /tmp/ Disallow: /themes/ Disallow: /uploads/ Disallow: /url-* Disallow: /views/ Disallow: /*/ajax/[root@localhost vhost]# [root@localhost vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt # # robots.txt for MiWen # User-agent: * Disallow: /?/admin/ Disallow: /?/people/ Disallow: /?/question/ Disallow: /account/ Disallow: /app/ Disallow: /cache/ Disallow: /install/ Disallow: /models/ Disallow: /crond/run/ Disallow: /search/ Disallow: /static/ Disallow: /setting/ Disallow: /system/ Disallow: /tmp/ Disallow: /themes/ Disallow: /uploads/ Disallow: /url-* Disallow: /views/ Disallow: /*/ajax/[root@localhost vhost]# ``` - 正常情況下如果不配置代理,你怎麽可能通過本地訪問到遠程的站點,這就是一個代理,這個代理服務器就是我的虛擬機,web服務器就是一個論壇 - 首先是域名,定義遠程服務端,也就是你的web服務器,它的ip寫在這裏就可以,這就是nginx的代理 ``` Disallow: /*/ajax/[root@localhost vhost]# cat proxy.conf server { listen 80; server_name ask.apelearn.com; location / { proxy_pass http://121.201.9.155/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } [root@localhost vhost]# ``` - 擴展 - 502問題匯總 http://ask.apelearn.com/question/9109 常見的502錯誤 1.配置錯誤 因為nginx找不到php-fpm了,所以報錯,一般是fastcgi_pass後面的路徑配置錯誤了,後面可以是socket或者是ip:port 2.資源耗盡 lnmp架構在處理php時,nginx直接調取後端的php-fpm服務,如果nginx的請求量偏高,我們又沒有給php-fpm配置足夠的子進程,那麽php-fpm就會資源耗盡,一旦資源耗盡nginx找不到php-fpm就會出現502錯誤, 解決方案 去調整php-fpm.conf中的pm.max_children數值,使其增加,但是也不能無限增加,畢竟資源有限,一般4G內存機器如果跑php-fpm和nginx,不跑mysql可以設置為150,8G為300以此類推 3.除了上面的兩種錯誤還有其他的原因,很少有,我們可以借助nginx的錯誤日誌來進行排查vim /usr/local/nginx/logs/nginx_error.log 我們也可以給日誌定義級別vim/usr/local/nginx/conf/nginx.conf 找到error_log,默認是crit最嚴謹的就行,也可以改成debug顯示的信息最全面,但是很容易撐爆我們的磁盤。 首先我們需要讓瀏覽器進行訪問 修改nginx的配置文件 ``` [root@wqslinux ~]# vim/usr/local/nginx/conf/vhosts/111.conf server { listen 80; server_name www.111.com; //域名地址 index index.html index.htm index.php; root /data/www/; location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/www.sock; //修改sock #fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name; } } 檢查語法是否正常 [root@wqslinux ~]#/usr/local/nginx/sbin/nginx -t 重新加載配置文件 [root@wqslinux ~]# /usr/local/nginx/sbin/nginx-s reload [root@wqslinux ~]# /etc/init.d/nginx reload 檢查nginx是那個用戶跑的 [root@wqslinux ~]# ps aux |grep nginx 編輯php-fpm文件 我們要在這個php-fpm文件裏面設置nginx的用戶主,跟組這樣才不會顯示502 [root@wqslinux ~]# vim/usr/local/php/etc/php-fpm.conf [global] pid = /usr/local/php/var/run/php-fpm.pid error_log =/usr/local/php/var/log/php-fpm.log [www] listen = /tmp/www.sock user = php-fpm group = php-fpm listen.owner = nobody //定義屬主 listen.group = nobody //定義屬組 pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024 ``` - 配置完之後重啟php-fpm [root@wqslinux ~]# /etc/init.d/php-fpm restart ps: 再補充一個,是近期很多同學遇到的問題 - 這種情況下,使用的是socket,版本高於5.4(含5.4) 默認監聽的socket文件權限是所有者只讀,屬組和其他用戶沒有任何權限。所以,nginx的啟動用戶(咱們配置的是nobody)就沒有辦法去讀這個socket文件,最終導致502,這個問題可以在nginx的錯誤日誌中發現。解決辦法很簡單,上面給出的配置文件中就有避免這個問題的配置。 listen.owner = nobody //定義屬主 listen.group = nobody //定義屬組 - 這兩個配置就是定義socket的屬主和屬組是誰。除了這個還有一種方法 listen.mode = 777 這樣nobody也可以有讀取權限了。 - location優先級 http://blog.lishiming.net/?p=100 在nginx配置文件中,location主要有這幾種形式: 1. 正則匹配 location ~ /abc { } 2. 不區分大小寫的正則匹配 location ~* /abc { } 3. 匹配路徑的前綴,如果找到停止搜索 location ^~ /abc { } 4. 精確匹配 location = /abc { } 5.普通路徑前綴匹配 location /abc { } 先說優先級 4 > 3 > 2 > 1 > 5 再來解釋一下各個格式 ``` location = / { # 精確匹配 / ,主機名後面不能帶任何字符串 [ configuration A ] } location / { # 因為所有的地址都以 / 開頭,所以這條規則將匹配到所有請求 # 但是正則和最長字符串會優先匹配 [ configuration B ] } location /documents/ { # 匹配任何以 /documents/ 開頭的地址,匹配符合以後,還要繼續往下搜索 # 只有後面的正則表達式沒有匹配到時,這一條才會采用這一條 [ configuration C ] } location ~ /documents/Abc { # 匹配任何以 /documents/ 開頭的地址,匹配符合以後,還要繼續往下搜索 # 只有後面的正則表達式沒有匹配到時,這一條才會采用這一條 [ configuration CC ] } location ^~ /images/ { # 匹配任何以 /images/ 開頭的地址,匹配符合以後,停止往下搜索正則,采用這一條。 [ configuration D ] } location ~* \.(gif|jpg|jpeg)$ { # 匹配所有以 gif,jpg或jpeg 結尾的請求 # 然而,所有請求 /images/ 下的圖片會被 config D 處理,因為 ^~ 到達不了這一條正則 [ configuration E ] } location /images/ { # 字符匹配到 /images/,繼續往下,會發現 ^~ 存在 [ configuration F ] } location /images/abc { # 最長字符匹配到 /images/abc,繼續往下,會發現 ^~ 存在 # F與G的放置順序是沒有關系的 [ configuration G ] } location ~ /images/abc/ { # 只有去掉 config D 才有效:先最長匹配 config G 開頭的地址,繼續往下搜索,匹配到這一條正則,采用 [ configuration H ] } 再來分析一下A-H配置的執行順序。 1. 下面2個配置同時存在時 location = / { [ configuration A ] } location / { [ configuration B ] } 此時A生效,因為=/優先級高於/ 2. 下面3個配置同時存在時 location /documents/ { [ configuration C ] } location ~ /documents/ { [configuration CB] } location ~ /documents/abc { [ configuration CC ] } 當訪問的url為/documents/abc/1.html,此時CC生效,首先CB優先級高於C,而CC更優先於CB 3. 下面4個配置同時存在時 location ^~ /images/ { [ configuration D ] } location /images/ { [ configuration F ] } location /images/abc { [ configuration G ] } location ~ /images/abc/ { [ configuration H ] } 當訪問的鏈接為/images/abc/123.jpg時,此時D生效。雖然4個規則都能匹配到,但^~優先級是最高的。 若^~不存在時,H優先,因為~/images/ > /images/ 而/images/和/images/abc同時存在時,/images/abc優先級更高,因為後者更加精準 4. 下面兩個配置同時存在時 location ~* \.(gif|jpg|jpeg)$ { [ configuration E ] } location ~ /images/abc/ { [ configuration H ] } ``` 當訪問的鏈接為/images/abc/123.jpg時,E生效。因為上面的規則更加精準。
12.13 Nginx防盜鏈 12.14 Nginx訪問控制 12.15 Nginx解析php相關配置 12.16 Nginx代理