12.7 Default virtual host
1. Edit the main configuration file and remove the server block
[root@arslinux-01 conf]# vim /usr/local/nginx/conf/nginx.conf
Delete the whole server { ... } block inside the http section (the part highlighted in red in the original screenshot).
2. In its place add include vhost/*.conf; so that each server block lives in its own file under vhost/
3. Create the vhost directory under /usr/local/nginx/conf/, enter it and edit aaa.com.conf
[root@arslinux-01 conf]# mkdir vhost/
[root@arslinux-01 conf]# cd vhost/
[root@arslinux-01 vhost]# vim aaa.com.conf
server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
4. Create the /data/wwwroot/default directory and write an html file in it
[root@arslinux-01 vhost]# mkdir -p /data/wwwroot/default/
[root@arslinux-01 ~]# cd /data/wwwroot/default/
[root@arslinux-01 default]# vim index.html
This is the default site.
5. Check the configuration syntax, then reload
[root@arslinux-01 vhost]# /usr/local/nginx/sbin/nginx -t        //check syntax
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 vhost]# /usr/local/nginx/sbin/nginx -s reload //reload the configuration
6. Test with curl
[root@arslinux-01 default]# curl localhost
This is the default site.
Before this change the request returned the stock nginx welcome page; now it returns the file we just wrote.
If it fails, check nginx.conf, aaa.com.conf and the other configuration files for mistakes.
7. Whatever domain name is requested, as long as it resolves to this machine, the default site answers
[root@arslinux-01 default]# curl -x127.0.0.1:80 aaa.com
This is the default site.
[root@arslinux-01 default]# curl -x127.0.0.1:80 bbb.com
This is the default site.
[root@arslinux-01 default]# curl -x127.0.0.1:80 bbbc.com
This is the default site.
(curl -x sends the request through 127.0.0.1:80 as if it were a proxy, so the Host header is the name on the command line; this is how a virtual host is tested without touching DNS or /etc/hosts.)
How nginx picks the default virtual host:
1. With no explicit marker, the first server block loaded for that listen port is the default; with include vhost/*.conf the files are read in alphabetical order, so aaa.com.conf, or a file named 0.conf, comes first.
2. Mark one server block explicitly with default_server on its listen directive, as in aaa.com.conf above. Prefer this over relying on file order: every request with an unknown, stray or spoofed Host name lands on the default block, so in production it should be a deliberate catch-all (often a minimal block that just returns an error) rather than a real site chosen by accident of sorting.
12.8 Nginx user authentication
1. Create a new virtual host and edit its configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /
    {
        auth_basic              "Auth";
        auth_basic_user_file    /usr/local/nginx/conf/htpasswd;
    }
}
2. Generate the username/password file with htpasswd (if Apache is not installed, htpasswd can be installed with yum from the httpd-tools package; -c creates the file, so it must be left out for the second and later users, otherwise the file is overwritten)
[root@arslinux-01 ~]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd arslinux
New password:
Re-type new password:
Adding password for user arslinux
[root@arslinux-01 ~]# cat /usr/local/nginx/conf/htpasswd
arslinux:$apr1$jHiTfZoi$UU32/eJf/s4wKGMIkpZ4j/
[root@arslinux-01 ~]# /usr/local/apache2/bin/htpasswd /usr/local/nginx/conf/htpasswd user1
New password:
Re-type new password:
Adding password for user user1
The $apr1$ prefix is Apache's MD5-based hash, which is fast to brute-force, so use long passwords. Basic authentication itself sends the username and password base64-encoded, not encrypted, on every request, so on a real site it belongs behind HTTPS. Keep the htpasswd file outside the web root (as here) and readable only by root and the nginx worker user.
3. Check the syntax and reload
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
4. Access it
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.2
Date: Wed, 15 May 2019 14:30:43 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 15 May 2019 14:30:48 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Without credentials the answer is 401 and the WWW-Authenticate header names the realm; with the right credentials authentication passes, and the 404 is only because the document root does not exist yet.
5. Create the test.com directory and an index.html in it, with any content
[root@arslinux-01 ~]# mkdir /data/wwwroot/test.com
[root@arslinux-01 ~]# echo "test.com" > /data/wwwroot/test.com/index.html
6. Access it again
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com
test.com
Restricting a directory
· If only one directory should require authentication, move the two auth_basic directives out of location / into a location block for that directory (location /admin/; the edited file was a screenshot in the original), then check and reload
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
· Test without a username and password: test.com can be reached, but test.com/admin/ cannot
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com
test.com
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin/
401 Authorization Required   (the nginx/1.14.2 error page)
· Create the /admin/ directory and a test page index.html in it
[root@arslinux-01 ~]# mkdir /data/wwwroot/test.com/admin/
[root@arslinux-01 ~]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin/
401 Authorization Required   (the nginx/1.14.2 error page)
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com/admin/
test.com admin dir
Restricting a URL
· Edit the configuration file so that the auth directives sit in a regex location that matches admin.php (location ~ admin.php), then check and reload
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
· Test: the /admin/ directory no longer needs authentication, admin.php does; with credentials the request passes authentication, and the 404 is only because the file does not exist yet
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin/
test.com admin dir
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin.php
401 Authorization Required   (the nginx/1.14.2 error page)
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com/admin.php
404 Not Found   (the nginx/1.14.2 error page)
Once admin.php is what is matched, /admin/ is no longer restricted; only admin.php is. Two things to keep in mind about a regex location like ~ admin.php: it is unanchored and case-sensitive, so it covers /admin.php and /foo/admin.php but not /Admin.php; and regex locations are tried in the order written with the first match winning, so this block has to appear before any general location ~ \.php$ block that hands scripts to php-fpm (section 12.15), or that block will match first and the authentication never runs.
· Create an admin.php file and curl again; the 404 error goes away
[root@arslinux-01 ~]# vim /data/wwwroot/test.com/admin.php
12.9 Nginx domain redirect
· Nginx allows several names after one server_name
1. Edit test.com.conf and add a second name, test2.com, to server_name
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
2. Add a rewrite for the domain jump
If the requested host ($host) is not test.com, redirect to the same path under test.com (the if block with the rewrite rule was a screenshot in the original). The permanent flag produces a 301, redirect a 302. The redirect target here is the fixed name test.com; never build the target from the Host header or another client-supplied value, or the rule becomes an open redirect.
3. Test: a request for test2.com/index.html is redirected to test.com/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:07:02 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:08:48 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:08:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test4.com/admin/index.html -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:09:01 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
· Whatever follows the host name, the path after the redirect is the same as before; only the part before the first / changes
· test4.com is not defined in any server_name, so it is not redirected: it falls through to the default virtual host (aaa.com), whose root has no /admin/index.html, hence the 404
12.10 Nginx access log
1. In the main configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/nginx.conf
The log_format directive spans three lines in the screenshot, but a directive ends at the semicolon, so it is one directive.
combined_realip is the name given to the format; whatever name is chosen here is the one that must be used later in access_log.
· Meaning of the fields (the table was an image in the original; the order below is read off the log lines produced further down): $remote_addr, the address of the TCP peer; $http_x_forwarded_for, the X-Forwarded-For request header, "-" when absent; [$time_local], the local time of the request; $host, the host name requested; "$request_uri", the full original URI including any query string; $status, the response code; "$http_referer"; "$http_user_agent".
Only $remote_addr is something nginx observed itself; X-Forwarded-For, Referer and User-Agent are whatever the client chose to send, so treat them as untrusted input whenever the log is used for blocking or attribution.
2. In the virtual host configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add an access_log line to the server block that names the file and the format (the file is /tmp/test.com.log, as the cat below shows, and the format is combined_realip).
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
3. Access
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test4.com/admin/index.html -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:25:16 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:25:18 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:25:22 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [15/May/2019:23:25:18 +0800] test3.com "/admin/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [15/May/2019:23:25:22 +0800] test2.com "/admin/index.html" 301 "-" "curl/7.29.0"
The test4.com request is not in this file: it was answered by the default virtual host, which writes to the http-level access_log rather than to /tmp/test.com.log.
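As an added example, not part of the original notes, here is a small detection script over the combined_realip format from this section: it reports client addresses that keep collecting 401/403 responses, which is what the authentication and access-control rules elsewhere on this page produce when someone is guessing passwords or probing /upload/. The field order is assumed from the log lines shown above, the sample lines are constructed for offline use, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed combined_realip field order,
# read off the log lines in section 12.10:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"

# Constructed sample log standing in for /tmp/test.com.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
192.168.194.130 - [16/May/2019:21:23:49 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.168.194.130 - [16/May/2019:21:23:50 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
192.168.194.130 10.9.9.9 [16/May/2019:21:23:51 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"
10.0.0.5 - [16/May/2019:21:33:28 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
10.0.0.5 - [16/May/2019:21:34:10 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
EOF

# auth_failures LOGFILE THRESHOLD
# Prints "ip count" for every $remote_addr with at least THRESHOLD 401/403 responses.
# Keys on field 1, the TCP peer nginx saw, never on the X-Forwarded-For value in
# field 2, which the client can set to anything (see the fourth sample line).
auth_failures() {
    awk -v threshold="$2" '
        {
            # The status is the 3-digit field right after the quoted request URI.
            # nginx escapes a literal quote inside a logged variable as \x22, so the
            # first match of  " NNN "  is the status even when the URI is hostile.
            if (match($0, /" [0-9][0-9][0-9] "/)) {
                status = substr($0, RSTART + 2, 3)
                if (status == "401" || status == "403") failures[$1]++
            }
        }
        END {
            for (ip in failures)
                if (failures[ip] >= threshold) print ip, failures[ip]
        }
    ' "$1" | sort
}

# status_summary LOGFILE: one "status count" line per response code seen
status_summary() {
    awk '
        match($0, /" [0-9][0-9][0-9] "/) { n[substr($0, RSTART + 2, 3)]++ }
        END { for (s in n) print s, n[s] }
    ' "$1" | sort
}

auth_failures "$SAMPLE_LOG" 2     # 192.168.194.130 3
status_summary "$SAMPLE_LOG"      # 200 2 / 401 3 / 403 1
```

Run it against the real file as auth_failures /tmp/test.com.log 20 from cron, or pipe the rotated files from section 12.11 through it; an address that shows up can then be added to the deny list in section 12.14.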
12.11 Nginx log rotation
Logs are rotated either with a system tool (logrotate) or with a rotation script of our own
Rotation script
[root@arslinux-01 ~]# vim /usr/local/sbin/nginx_logrotate.sh
#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir || exit 1
for log in `ls *.log`
do
    mv "$log" "$log-$d"
done
/bin/kill -HUP `cat $nginx_pid`
d=`date -d "-1 day" +%Y%m%d`   generates yesterday's date, used as the suffix
logdir="/tmp/"   the directory holding the logs
nginx_pid="/usr/local/nginx/logs/nginx.pid"   the pid file, needed to signal the master process so it reopens the log files and starts writing new ones (HUP also reloads the whole configuration; USR1 is the signal that only reopens the logs and is the better choice in a cron job)
cd $logdir || exit 1   enter the log directory; if it is missing, stop instead of renaming files in the wrong place
for log in `ls *.log`   every .log file in logdir becomes one iteration of the loop
do
mv "$log" "$log-$d"   rename every log with yesterday's date as the suffix
/bin/kill -HUP `cat $nginx_pid`   signal nginx so it creates a fresh test.com.log
/tmp is used here only for the demonstration: it is world-writable, so any local user can pre-create files or symlinks with these names there. Real logs belong in a root-owned directory such as /usr/local/nginx/logs or /var/log/nginx.
Watching the script run (sh -x prints each command as it executes)
[root@arslinux-01 ~]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20190515
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20190515
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 7481
· Delete old log files after a while (the pattern is quoted so that the shell does not expand it before find sees it)
find /tmp/ -name '*.log-*' -type f -mtime +30 | xargs -r rm -f
Add the cron job
[root@arslinux-01 ~]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
12.12 Not logging static files, and setting an expiry time
Edit the configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ is a regular-expression match (an exact match would be location =); the pattern here matches any URI ending in .gif, .jpg, .jpeg, .png, .bmp or .swf
expires sets the cache expiry time
access_log off switches off access logging for the matched requests
Because the expiry times differ, the rule is written as two location blocks: the js|css block below is separate from the image block above
· Create 1.gif and 2.js under /data/wwwroot/test.com/ and request them
[root@arslinux-01 ~]# echo "lkhlkjdahlfjkahd" > /data/wwwroot/test.com/1.gif
[root@arslinux-01 ~]# echo "ddfafafaddfdeerr" > /data/wwwroot/test.com/2.js
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/1.gif
lkhlkjdahlfjkahd
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.js
ddfafafaddfdeerr
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:48:24 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
Requests for the .gif and .js files are not logged. Bear this in mind when investigating: probes for paths with these extensions, including 404s, leave no trace in this log either.
· If other characters follow the js, the rule no longer matches, so the request is logged
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.jsdfsfs
404 Not Found   (the nginx/1.14.2 error page)
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:48:24 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:51:19 +0800] test.com "/2.jsdfsfs" 404 "-" "curl/7.29.0"
· The response carries Cache-Control: max-age=43200 (12 hours) and a matching Expires header; if expires is removed from the configuration, no expiry time is sent
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 12:50:41 GMT
Content-Type: application/javascript
Content-Length: 17
Last-Modified: Thu, 16 May 2019 12:46:43 GMT
Connection: keep-alive
ETag: "5cdd5bb3-11"
Expires: Fri, 17 May 2019 00:50:41 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 12:54:38 GMT
Content-Type: application/javascript
Content-Length: 17
Last-Modified: Thu, 16 May 2019 12:46:43 GMT
Connection: keep-alive
ETag: "5cdd5bb3-11"
Accept-Ranges: bytes
The max-age expiry time is gone.
12.13 Nginx hotlink protection
Edit the configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
~* makes the regular expression case-insensitive
the URI must end in one of the extensions listed in ()
expiry time 7 days
access log not recorded
valid_referers is the whitelist: none allows requests that carry no Referer header at all, blocked allows a Referer that a proxy or firewall has stripped down to something without an http:// or https:// prefix, server_names allows the names listed in this server_name, and *.test.com allows any subdomain (the bare test.com is covered by server_names). When the Referer matches none of these, $invalid_referer is set and the request gets a 403. Because none is included, a direct request (curl without -e, or a browser given the URL) is still served, and because the Referer is chosen by the client, this deters casual embedding of the files elsewhere rather than stopping a determined downloader.
Test
[root@arslinux-01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:09:24 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@arslinux-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:09:30 GMT
Content-Type: image/gif
Content-Length: 17
Last-Modified: Thu, 16 May 2019 12:46:21 GMT
Connection: keep-alive
ETag: "5cdd5b9d-11"
Expires: Thu, 23 May 2019 13:09:30 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Hotlink protection is working.
12.14 Nginx access control
1. By directory
Edit the configuration file and add the access control rules inside the location /admin/ block
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.194.130;
    deny all;
}
About allow and deny in the configuration file:
allow and deny here do not behave like the allow and deny rules under Apache's Order directive.
In Apache, with Order allow,deny both lists are evaluated and a matching deny wins;
in nginx the rules are matched in order, and the first rule that matches the client address decides, with nothing after it evaluated.
In this example a request from 127.0.0.1 matches the first allow and stops there; a request from 127.0.0.2 matches neither allow, falls through to the third rule and is denied.
The address tested is $remote_addr, the TCP peer, so a client cannot talk its way past this with a header; but if nginx sits behind a load balancer or proxy, every client arrives from the proxy's address and allow/deny on that address no longer distinguishes them.
[root@arslinux-01 ~]# curl -x192.168.194.130:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:23:49 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 15 May 2019 14:40:08 GMT
Connection: keep-alive
ETag: "5cdc24c8-13"
Accept-Ranges: bytes
2. By regular expression
Configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
This is the standard defence against web shells: a file uploaded into upload/ or image/ can still be served, but nothing ending in .php under those directories is ever handed to the PHP backend. Regex locations are tried in the order written and the first match wins, so this block must appear before the general location ~ \.php$ block that passes scripts to php-fpm (section 12.15); otherwise that block matches first and the deny never runs.
Test
[root@arslinux-01 ~]# mkdir /data/wwwroot/test.com/upload/
[root@arslinux-01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
403 Forbidden   (the nginx/1.14.2 error page)
[root@arslinux-01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:48:24 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:51:19 +0800] test.com "/2.jsdfsfs" 404 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:23:38 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.194.130 - [16/May/2019:21:23:49 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:33:28 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:34:10 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
Under upload, 1.txt can be read but 1.php is forbidden
3. Restricting by user_agent
Useful when the site is under a CC (HTTP flood) attack, to keep certain crawlers out, or to keep a site out of search engines
Edit the configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
deny all and return 403 have the same effect
Test
[root@arslinux-01 ~]# curl -A "YoudaoBot" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:42:16 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@arslinux-01 ~]# curl -A "youdaoBotsdfsfs" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:43:25 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Thu, 16 May 2019 13:34:06 GMT
Connection: keep-alive
ETag: "5cdd66ce-5"
Accept-Ranges: bytes
As soon as a keyword matches, the request is blocked
· To ignore case, change ~ to ~*
[root@arslinux-01 ~]# curl -A "youdaoBotsdfsfs" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:45:30 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Now the variant starting with a lowercase letter is blocked too.
The User-Agent string is whatever the client sends, so this filter stops well-behaved bots and careless tools only; anyone can send a different string with curl -A, exactly as done here.
12.15 Nginx PHP parsing configuration
Configure PHP parsing: a location ~ \.php$ block that passes requests to php-fpm over a socket (the block itself was a screenshot in the original)
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
· After saving, do not reload yet; first create a new PHP file with any content, then test the connection
[root@arslinux-01 ~]# vim /data/wwwroot/test.com/3.php
· If the socket path in the configuration file is wrong, the result is a 502 error
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.2
Date: Thu, 16 May 2019 14:16:53 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
· Check the error log:
[root@arslinux-01 ~]# tail /usr/local/nginx/logs/nginx_error.log
2019/05/16 22:16:53 [crit] 8261#0: *23 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
-- The log shows the .sock path is wrong: nginx is trying /tmp/php-cgi.sock.
-- Look at php-fpm.conf to see where the socket really is
[root@arslinux-01 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
php-fpm listens on /tmp/php-fcgi.sock (fcgi, not cgi).
· Listening on an IP and port
-- In the php-fpm configuration, change listen from the socket to an IP:port
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[16-May-2019 22:29:01] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@arslinux-01 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@arslinux-01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      8507/php-fpm: maste
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7497/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7477/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7803/master
tcp6       0      0 :::3306                 :::*                    LISTEN      7733/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      7477/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      7803/master
127.0.0.1:9000 is now being listened on. It is bound to loopback only, which is what you want: a php-fpm port reachable from the network lets anyone on it submit FastCGI requests.
-- curl still returns 502, and the error log shows it is still a missing-socket problem
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.2
Date: Thu, 16 May 2019 14:49:54 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
[root@arslinux-01 ~]# tail /usr/local/nginx/logs/nginx_error.log
2019/05/16 22:16:53 [crit] 8261#0: *23 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2019/05/16 22:49:54 [crit] 8495#0: *27 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
(The second line shows nginx now asking for /tmp/php-fcgi.sock, the name php-fpm used to create; php-fpm no longer creates it because it listens on the port instead.)
-- Change the socket in the virtual host configuration to 127.0.0.1:9000, reload, and curl again
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 14:53:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.39
PHP is now being parsed. (The X-Powered-By header also tells every client the exact PHP version, an end-of-life one here; expose_php = Off in php.ini removes it.)
(So the php-fpm configuration and the virtual host configuration must correspond one to one: socket to socket, port to port.)
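The one-to-one rule is easy to check mechanically before reloading anything. As an added example, not part of the original notes, the shell functions below pull the listen value out of a php-fpm pool file and the fastcgi_pass target out of an nginx vhost file and compare them; when the target is a unix socket that already exists they also print its owner and mode, so the permission problem described next is spotted before the first 502. The two configuration files are constructed inline to reproduce the mismatch from these notes (php-fcgi.sock versus php-cgi.sock); the function names are the example's own and the file paths are parameters.

```shell
#!/bin/sh
# Added example, not from the original notes: does what php-fpm listens on match
# what nginx's fastcgi_pass points at? Also reports the socket's owner and mode
# when the target is a unix socket that already exists (GNU stat, i.e. Linux).

# fpm_listen POOLFILE: the first "listen = ..." value (listen.mode etc. do not match)
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# nginx_fastcgi_pass VHOSTFILE: the first fastcgi_pass target, with a leading "unix:" removed
nginx_fastcgi_pass() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\(unix:\)\{0,1\}\([^;[:space:]]*\)[[:space:]]*;.*/\2/p' "$1" | head -n 1
}

# check_fpm_match POOLFILE VHOSTFILE: exit 0 only when both sides name the same endpoint
check_fpm_match() {
    fpm=$(fpm_listen "$1")
    ngx=$(nginx_fastcgi_pass "$2")
    [ -n "$fpm" ] && [ "$fpm" = "$ngx" ]
}

# socket_perms PATH: "owner group mode" of an existing unix socket; fails if there is none
socket_perms() {
    [ -S "$1" ] && stat -c '%U %G %a' "$1"
}

# Constructed demo files reproducing the mismatch from the notes.
tmp=$(mktemp -d)
printf '[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\n' > "$tmp/php-fpm.conf"
printf 'location ~ \\.php$ {\n    fastcgi_pass unix:/tmp/php-cgi.sock;\n}\n' > "$tmp/test.com.conf"

if check_fpm_match "$tmp/php-fpm.conf" "$tmp/test.com.conf"; then
    echo "ok: both sides use $(fpm_listen "$tmp/php-fpm.conf")"
else
    echo "mismatch: php-fpm listens on '$(fpm_listen "$tmp/php-fpm.conf")', nginx passes to '$(nginx_fastcgi_pass "$tmp/test.com.conf")'"
fi

# For a socket target, show who may open it (the nginx workers need read and write).
sock=$(nginx_fastcgi_pass "$tmp/test.com.conf")
case $sock in
    /*) socket_perms "$sock" || echo "no socket at $sock yet (php-fpm not listening there)" ;;
esac
```

On the real host, point the functions at /usr/local/php-fpm/etc/php-fpm.conf and /usr/local/nginx/conf/vhost/test.com.conf; a mismatch reproduces the "No such file or directory" 502 above, and an owner/mode line like "root root 660" reproduces the "Permission denied" 502 described next.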
★ The path in the fastcgi_param SCRIPT_FILENAME line must be the same directory as the root at the top of the configuration file; otherwise php-fpm looks for the script in the wrong place.
· In php-fpm.conf, listen.mode sets the permissions of the socket file so that nginx is allowed to use /tmp/php-fcgi.sock
· Without that line the socket is created with the default permissions, srw-rw---- (0660) owned by root:root as the ll output below shows; the nginx workers run as nobody and cannot open it, so nginx reports an error. Let's try it:
· Change both php-fpm.conf and test.com.conf back to the socket, without the listen.mode line
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.2
Date: Thu, 16 May 2019 15:09:45 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
This 502 is caused by the permission problem
-- and the error log now says Permission denied
[root@arslinux-01 ~]# tail -1 /usr/local/nginx/logs/nginx_error.log
2019/05/16 23:09:45 [crit] 8772#0: *43 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
[root@arslinux-01 ~]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 5月 16 23:08 /tmp/php-fcgi.sock
The nginx workers run as nobody and have no access to php-fcgi.sock, hence the 502; for requests to go through they need both read and write on the socket.
-- Temporarily change the owner of /tmp/php-fcgi.sock to nobody; the 502 disappears
[root@arslinux-01 ~]# chown nobody /tmp/php-fcgi.sock
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 15:12:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.39
So listen.mode in /usr/local/php-fpm/etc/php-fpm.conf has to give nginx read and write access to /tmp/php-fcgi.sock. These notes do that with listen.mode = 666, which works but makes the socket usable by every local account: anyone who can log in can then submit FastCGI requests and run PHP as the php-fpm user. The tighter setting is listen.owner = nobody and listen.group = nobody (the nginx worker user) together with listen.mode = 0660, which is exactly what the chown experiment above showed to be sufficient.
· Running php-fpm out of resources also produces 502 errors; in that case php-fpm needs tuning
Reference: http://10717334.blog.51cto.com/10707334/169841
12.16 Nginx proxy
Two situations call for a proxy:
1. Users cannot reach the web server directly, because it only has a private IP
2. Users can reach the web server, but far too slowly
Edit the proxy server's configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://223.94.95.10/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
proxy_pass: the address of the web server the requests are forwarded to
proxy_set_header Host: the host name being requested ($host, i.e. the server_name here), passed on so the backend can select its own virtual host
proxy_set_header X-Real-IP: the real client address, $remote_addr
proxy_set_header X-Forwarded-For: $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the client already sent, so the backend may trust only the last (rightmost) address, the one this proxy added; anything before it is client-supplied
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@arslinux-01 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
(same robots.txt as above, this time served through the local proxy)
In the situation the proxy is meant for, the local machine cannot reach the remote site without it;
once the proxy is configured, the web server is reachable through this host.
Further reading
nginx.conf explained in detail
https://coding.net/u/aminglinux/p/nginx/git/tree/master/3z
The four nginx rewrite flags
http://unixman.blog.51cto.com/10163040/1711943
https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md
502 problems round-up http://ask.apelearn.com/question/9109
location priority https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md