
2018-09-20筆記

Nginx預設虛擬主機

Nginx預設虛擬主機,其實預設就已經設定了。在Nginx的配置檔案中,server就代表著預設虛擬主機。一般的,你有幾個網站就設定幾個server。 還有另一種設定方式,在配置檔案中不要去設定server,直接重新寫一個虛擬主機配置檔案(vhost/*.conf)

# vim /usr/local/nginx/conf/nginx.conf
//將server那段去掉,後面新增一行,配置檔案變為
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
    use epoll;
    worker_connections 6000;
}
http
{
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 3526;
    server_names_hash_max_size 4096;
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 30;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 8 4k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    client_body_temp_path /usr/local/nginx/client_body_temp;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
    fastcgi_intercept_errors on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm 
    application/xml;
    include vhost/*.conf;  # 此行為新增
}

/usr/local/nginx/conf/目錄下,建立一個目錄vhost,並在目錄下建立一個新檔案。這個vhost就類似於Apache中的虛擬配置檔案。

# cd /usr/local/nginx/conf/
# mkdir vhost
# cd vhost/
# touch aaa.com.conf

然後編輯新建的檔案

# vim aaa.com.conf 
server
{
    listen 80 default_server;  # 有default_server這個標記的就是預設虛擬主機
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}

建立/data/wwwroot/default,並在default目錄下編寫index.html檔案

# mkdir /data/wwwroot/default
# cd /data/wwwroot/default/
# vim index.html
# cat index.html 
didibibabo

檢測一下配置檔案語法是否正確

# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

重啟Nginx服務或者重新載入

# /usr/local/nginx/sbin/nginx -s reload

注意:一般的,在伺服器跑動的時候,都選擇重新載入配置檔案,而不是重啟服務(/etc/init.d/nginx restart);重啟服務會短暫關閉然後再啟動。

# curl localhost
didibibabo
# curl -x127.0.0.1:80 www.abc.com
didibibabo

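預設虛擬主機就是:只要域名解析過來是這個IP,不管是什麼域名(包括沒有寫在任何server_name裡的域名),都會訪問到預設虛擬主機。因此預設虛擬主機不宜放置真實業務內容;常見的做法是讓它直接拒絕請求(例如在該server中使用 deny all; 或 return 444;),避免任意域名指向本機IP後都能取得站點內容。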

Nginx使用者認證

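做使用者認證就是為了安全,在做httpd的使用者認證時就已經說到過。需要注意的是,auth_basic(HTTP Basic認證)只對使用者名稱和密碼做Base64編碼,並不加密;下面的示例走的是80埠的明文HTTP,憑證可能被鏈路上的其他人截獲,實際使用時應配合HTTPS。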

重新建立一個虛擬主機檔案test.com.conf

# cd /usr/local/nginx/conf/vhost/
# ls
aaa.com.conf
# vim test.com.conf
\\輸入如下內容
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
 
    location  /
     {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;  # 使用者名稱密碼檔案
     }
}

生成密碼的工具是htpasswd,這個工具在Apache使用者認證時就安裝過了,沒安裝的就用 yum install -y httpd 安裝上。

為其他使用者做使用者認證:

# /usr/local/apache2.4/bin/htpasswd  -c /usr/local/nginx/conf/htpasswd huhu
New password: 
Re-type new password: 
Adding password for user huhu
# cat /usr/local/nginx/conf/htpasswd 
huhu:$apr1$W/p0AvHO$FO7PxyXhG3RXoUuoOHdLC.

檢查配置檔案語法並重新載入配置檔案:

# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload

測試:

[[email protected] vhost]# curl -x127.0.0.1:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
           
//出現401,需要使用者認證。

[[email protected] vhost]# curl -uhuhu:qwe123 -x127.0.0.1:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

出現404,因為我們還沒有建立test.com的網站根目錄(/data/wwwroot/test.com)和其中的index.html。

寫一個index.html,再次測試

[[email protected]2zef1im6qv29viqhtk3qz vhost]# mkdir /data/wwwroot/test.com
[[email protected] vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[[email protected] vhost]# curl -uhuhu:qwe123 -x127.0.0.1:80 test.com
test.com

上面的使用者認證是針對整個站點的;也可以只針對某個特定目錄做使用者認證,例如只針對admin目錄。

修改虛擬配置檔案:

#vim test.com.conf
 //修改如下
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
 
    location  /admin/
     {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
     }
}

檢查配置檔案語法並重新載入配置檔案:

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

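測試(注意:下面請求的是 /admin,不帶結尾的斜線,不會匹配 location /admin/,所以得到的是404而不是401;要驗證認證是否生效,應請求 test.com/admin/,此時應會返回401):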

[[email protected] vhost]# curl -x127.0.0.1:80 test.com
test.com
[[email protected] vhost]# curl -x127.0.0.1:80 test.com/admin
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

針對某個.php檔案

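配置檔案寫成 location ~ admin.php。注意這是正規表示式匹配:其中的 . 沒有轉義,也沒有錨定開頭和結尾,凡是URI中含有「admin+任意一個字元+php」的請求都會匹配;如果只想保護這一個檔案,寫成 location ~ /admin\.php$ 或 location = /admin.php 更精確。另外,正則location按照在配置檔案中出現的順序匹配,第一個匹配的生效;如果前面還有處理 \.php$ 的location,admin.php的請求會先被它接走,這裡的認證就不會生效。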

\\修改配置檔案
[[email protected] vhost]# vim test.com.conf
\\檢查配置檔案是否正確
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
\\重新載入
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
\\訪問test.com,正常
[[email protected] vhost]# curl -x127.0.0.1:80 test.com
test.com
\\訪問test.com/admin,提示404,因為我們沒有寫這個檔案
[[email protected] vhost]# curl -x127.0.0.1:80 test.com/admin
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
\\訪問test.com/admin.php,提示401,需要使用者驗證
[[email protected] vhost]# curl -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
\\訪問test.com/admin.php,提示404,因為我們沒有寫這個檔案
[[email protected] vhost]# curl -uhuhu:qwe123 -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

nginx域名重定向

更改虛擬配置檔案

# vim test.com.conf
 
server
{
    listen 80;
    server_name test.com test1.com test2.com test3.com;   # 設定域名
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {     # 如果請求的域名不是主域名test.com,就跳轉到test.com;permanent為301
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    } 
    location  /admin/           
     {  
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
     }
}

這裡多個域名都可以寫到server_name 後面,不像httpd,需要寫到server_alias裡

檢查並重新載入

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

測試:

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/index.html
test.com
[[email protected] vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 13:39:33 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html

[[email protected] vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 13:39:43 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html

[[email protected] vhost]# curl -x127.0.0.1:80 test34.com/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 13:39:52 GMT
Content-Type: text/html
Content-Length: 11
Last-Modified: Wed, 19 Sep 2018 11:36:59 GMT
Connection: keep-alive
ETag: "5ba234db-b"
Accept-Ranges: bytes

Nginx訪問日誌

Nginx的日誌格式是在Nginx的主配置檔案/usr/local/nginx/conf/nginx.conf中定義的。

在配置檔案中找到

    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

在這裡可以修改一下日誌的格式名稱,將combined_realip修改為huhu

 log_format huhu '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

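下面是日誌欄位含義:$remote_addr 為客戶端IP(與nginx直接建立連線的對端地址);$http_x_forwarded_for 為請求頭X-Forwarded-For的值(經過代理時記錄的IP);$time_local 為伺服器本地時間;$host 為訪問的主機名(域名);$request_uri 為請求的URI;$status 為狀態碼;$http_referer 為Referer;$http_user_agent 為User-Agent。其中 $http_x_forwarded_for、$http_referer、$http_user_agent 以及通常情況下的 $host 都來自客戶端傳送的請求,可以被任意偽造,分析日誌時不能把它們當作可信資料。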

主配置檔案中定義日誌的格式,在虛擬主機配置檔案中定義日誌路徑。下面的示例把日誌放在/tmp/下只是為了演示;/tmp是所有本機使用者都可寫的目錄,正式環境應使用只有root(或nginx執行使用者)可寫的專用日誌目錄。

開啟虛擬主機配置檔案,新增一行


server
{
    listen 80;
    server_name test.com test1.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    access_log /tmp/test.com.log huhu;  # 新增此行定義日誌路徑以及格式,記得加;
    location  /admin/
     {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
     }
}

~                            

檢查配置檔案語法並重新載入配置檔案

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

檢測:

[[email protected] vhost]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 14:01:16 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html

[[email protected] vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 14:01:20 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/index.html
\\檢視日誌
[[email protected] vhost]#  cat /tmp/test.com.log 
127.0.0.1 - [19/Sep/2018:22:01:16 +0800] test3.com "/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:22:01:20 +0800] test2.com "/index.html" 301 "-" "curl/7.29.0"

Nginx日誌切割

nginx由於沒有自帶的日誌切割工具,在切割日誌時,需要藉助於系統帶的日誌切割工具,或者是自己寫一個日誌切割指令碼。 指令碼統一儲存/usr/local/sbin/目錄下

自己定義一個日誌切割指令碼

# vim /usr/local/sbin/nginx_log_rotate.sh
\\寫入如下內容,註釋內容可不寫

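#!/bin/bash
# Rotate nginx access logs once a day.
#
# Every regular file matching *.log in $logdir is renamed to
# <name>.log-YYYYMMDD (yesterday's date), then the nginx master process is
# sent SIGHUP so that it starts writing to freshly created log files.
#
# NOTE(review): the logs live in /tmp/ only because the virtual host
# configuration on this page writes them there. /tmp is writable by every
# local user, so file names found there are untrusted input (spaces, leading
# dashes, symlinks). A dedicated log directory writable only by root is the
# safer choice for a real deployment.

# Date suffix for the rotated files: yesterday, e.g. 20180918.
d=$(date -d "-1 day" +%Y%m%d)

# Directory holding the logs to rotate (must match the access_log path in the
# virtual host configuration).
logdir="/tmp/"

# PID file of the nginx master process (the "pid" directive in nginx.conf).
nginx_pid="/usr/local/nginx/logs/nginx.pid"

# Stop if the directory is missing: continuing would rename *.log files in
# whatever directory the script happened to be started from.
cd "$logdir" || exit 1

# Let the shell expand the glob instead of parsing `ls` output, and quote every
# expansion so that unusual file names cannot be split or read as options.
for log in *.log
do
    # Skip the literal pattern when nothing matches, and skip directories and
    # symlinks so only real log files are renamed.
    if [ ! -f "$log" ] || [ -L "$log" ]; then
        continue
    fi
    mv -- "$log" "$log-$d"
done

# SIGHUP makes nginx reload its configuration (the same as `nginx -s reload`),
# which also makes it open new log files. SIGUSR1 (`nginx -s reopen`) would
# reopen the log files without reloading the configuration.
if [ ! -s "$nginx_pid" ]; then
    echo "nginx pid file missing or empty: $nginx_pid" >&2
    exit 1
fi
/bin/kill -HUP "$(cat "$nginx_pid")"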

執行指令碼:


[[email protected] vhost]# sh -x /usr/local/sbin/nginx_log_rotate.sh 
++ date -d '-1 day' +%Y%m%d
+ d=20180918
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20180918
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 972
[[email protected] vhost]# ls /tmp/
Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>  systemd-private-ecdbc26ef480489bb909d22e927e3845-ntpd.service-oWmtff
hsperfdata_root                                     test.com.log
pear                                                test.com.log-20180918
php-fcgi.sock

  • -x : 作用是顯示指令碼執行過程

注意: 這只是對日誌進行了切割,對日誌進行刪除需要結合任務計劃cron使用。切割也得配合cron使用

也可以使用find命令定期自己刪除

刪除/tmp/目錄下30天以前的日誌檔案

[[email protected] vhost]# find /tmp/ -name *.log-* -type f -mtime +30 |xargs rm 
rm: missing operand
Try 'rm --help' for more information. 
[[email protected] vhost]# find /tmp/ -name *.log-* -type f 
/tmp/test.com.log-20180918

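因為現在還沒有符合條件的日誌,所以不會刪除;上面的 rm: missing operand 就是因為find沒有輸出、xargs仍然執行了不帶引數的rm。另外 -name 後面的 *.log-* 應該加引號(-name '*.log-*'),否則當前目錄下若有匹配的檔案,萬用字元會先被shell展開;也可以直接使用find的 -delete,或 find ... -print0 | xargs -0 -r rm --,這樣沒有結果時不會執行rm,檔名含有空格或以 - 開頭時也不會出錯。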

設定執行計劃

# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh

設定為每天0點0分,執行此條指令碼。

靜態檔案不記錄日誌和過期時間

在test.com.conf中新增一段配置


server
{
    listen 80;
    server_name test.com test1.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    access_log /tmp/test.com.log huhu;
    location  /admin/
     {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
     }

	# 新增下面內容
	location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
	{
      expires      7d;
      access_log off;  
	}
	location ~ .*\.(js|css)$
	{
      expires      12h;
      access_log off;
	}

}

  • location ~ 匹配檔案型別
  • expires 過期時間
  • access_log 是否記錄該型別檔案的訪問日誌

檢查配置檔案語法並重新載入配置檔案

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

新建幾個檔案


[[email protected] vhost]# cd /data/wwwroot/test.com/
[[email protected] test.com]# ls
index.html
[[email protected] test.com]# vim 1.gif
[[email protected] test.com]# vim 2.js
[[email protected] test.com]# cat 1.gif 
sdfsddfvf
[[email protected] test.com]# cat 2.js 
fdfgcfbdcv

測試

[[email protected] test.com]# curl -x127.0.0.1:80 test.com/1.gif
sdfsddfvf
[[email protected] test.com]# curl -x127.0.0.1:80 test.com/2.js
fdfgcfbdcv
[[email protected] test.com]# curl -x127.0.0.1:80 test.com/index.html
test.com
[[email protected] test.com]# curl -x127.0.0.1:80 test.com/2.jssdf
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

[[email protected] test.com]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:23:05:49 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:23:09:59 +0800] test.com "/2.jssdf" 404 "-" "curl/7.29.0"

  • 說明訪問gif和js的時候不會記錄日誌,和我們上面定義的配置檔案一樣。
  • 配置檔案只定義了js結尾的檔案,所以2.jssdf依然會記錄日誌

我們也可以檢視一下過期時間

[[email protected] test.com]# curl -x127.0.0.1:80 -I  test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 15:07:28 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Wed, 19 Sep 2018 15:04:09 GMT
Connection: keep-alive
ETag: "5ba26569-a"
Expires: Wed, 26 Sep 2018 15:07:28 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

  • Cache-Control: max-age=604800 就代表著過期時間,前面我們定義的gif過期時間是7天 如果註釋掉前面配置檔案裡的expires,則此處不會顯示。

Nginx防盜鏈

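Nginx防盜鏈也是使用location板塊,和不記錄靜態檔案和過期時間寫在一起。需要注意,防盜鏈依據的是請求頭Referer,而Referer由客戶端傳送、可以任意指定(下面的測試就是用curl -e自行設定的),並且白名單中的none、blocked會放行不帶Referer或Referer被抹掉的請求;所以它只能減少別的網站直接引用資源,不能當作訪問控制來保護敏感檔案。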

開啟配置檔案,把之前設定的關於GIF的location註釋掉,新增一段配置

# vim /usr/local/nginx/conf/vhost/test.com.conf 
server
{
    listen 80;
    server_name test.com test1.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    access_log /tmp/test.com.log huhu; 
    location  /admin/           
     {  
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
     }

#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#      expires      7d;
#      access_log off;  
#    }   
   location ~ .*\.(js|css)$
    { 
      expires      12h;
      access_log off;
    } 
# 新增如下內容(以 // 開頭的說明文字不要寫進配置檔案)
     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$    
     {      
       expires 7d;
       valid_referers none blocked server_names  *.test.com ; # 定義白名單
       if ($invalid_referer) {     # 如果不是白名單的referer ,返回403
       return 403;
     }
       access_log off;
     }

 
}

注意:location ~* ^.+\. 這裡的 ~* 表示後面匹配的內容不區分大小寫。

檢查配置檔案並且重新載入

[[email protected] test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] test.com]# /usr/local/nginx/sbin/nginx -s reload

測試

//當referer為qq.com,不在白名單時,返回403
[[email protected] ~]#  curl -e "http://www.qq.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 15:27:20 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
//當referer為test.com,在白名單時,返回200
[[email protected] ~]#  curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Wed, 19 Sep 2018 15:27:33 GMT
Content-Type: image/gif
Content-Length: 10
Last-Modified: Wed, 19 Sep 2018 15:04:09 GMT
Connection: keep-alive
ETag: "5ba26569-a"
Expires: Wed, 26 Sep 2018 15:27:33 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
//依然不顯示日誌,access_log off;
[[email protected] ~]# cat /tmp/test.com.log
127.0.0.1 - [19/Sep/2018:23:05:49 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [19/Sep/2018:23:09:59 +0800] test.com "/2.jssdf" 404 "-" "curl/7.29.0"