1. Configuring user authentication in nginx
First install Apache (yum install httpd) so that the htpasswd tool is available; alternatively, create the .htpasswd file on another machine and copy it to the server.
Create a user and generate the password file:
/usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/.htpasswd test
// Adds the user test. The -c flag (create the file) is needed only the first time; omit it when adding further users, otherwise the existing file is overwritten.
Requiring authentication for a specific directory:
Add the following to nginx's default config file; the location path (/a/ here) is the directory that requires authentication.
location /a/ {
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
Test: using curl to fetch index.html under /a/ returns 401 Unauthorized; after logging in with -u username:password it returns 200 OK:
[root@localhost vhosts]# curl -x127.0.0.1:80 192.168.20.30/a/index.html -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.6.2
Date: Thu, 14 May 2015 09:48:18 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@localhost vhosts]# curl -utest:1234 -x127.0.0.1:80 192.168.20.30/a/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 14 May 2015 09:48:26 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 14 May 2015 09:27:34 GMT
Connection: keep-alive
ETag: "55546a86-264"
Accept-Ranges: bytes
To require authentication for the admin.php back end, the auth block must be placed before the location that matches .php (only the first matching ~ location is applied), and it must also contain the directives that hand PHP to fastcgi:
[root@localhost vhosts]# cat default.conf
server {
    listen 80 default;
    server_name localhost;
    index index.html index.htm index.php;
    root /usr/local/nginx/html;
    location ~ admin\.php {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    }
}
Browser test: opening admin.php pops up the authentication dialog; the page is reachable only after entering the username and password.
If authentication is applied to location / instead of a specific directory, the home page itself prompts for credentials:
location / {
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
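As an added example (not part of the original post), the following Python script audits the entries of an .htpasswd file like the one created above: it classifies each password field by hash scheme and lists the users whose entries use unsalted, truncating or plaintext schemes. The sample file content is constructed with fake hashes; which crypt() schemes nginx accepts beyond apr1 and {SHA}/{SSHA} depends on the system's crypt library, which is an assumption.

```python
import re

# Hash schemes htpasswd can write. nginx's auth_basic verifies apr1 and
# {SHA}/{SSHA} itself and hands anything else to the system crypt(); which
# of those crypt() accepts depends on the libc (assumption: glibc/libxcrypt).
SCHEMES = [
    ("bcrypt",      re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),   "ok"),
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./0-9A-Za-z]{86}$"),   "ok"),
    ("sha256crypt", re.compile(r"^\$5\$[^$]{1,16}\$[./0-9A-Za-z]{43}$"),   "ok"),
    ("apr1",        re.compile(r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), "legacy"),
    ("ssha",        re.compile(r"^\{SSHA\}[A-Za-z0-9+/]+=*$"),              "weak"),
    ("sha1",        re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),             "weak"),
    ("descrypt",    re.compile(r"^[./0-9A-Za-z]{13}$"),                     "weak"),
]

def classify(hash_field):
    """Return (scheme, rating) for one password field."""
    for name, pattern, rating in SCHEMES:
        if pattern.match(hash_field):
            return name, rating
    return "plaintext-or-unknown", "bad"

def audit_htpasswd(text):
    """Map each user in htpasswd-formatted text to (scheme, rating)."""
    result = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected user:hash")
        result[user] = classify(hash_field)
    return result

def users_to_rehash(text):
    """Users whose entries should be regenerated with a stronger scheme."""
    return sorted(u for u, (_, r) in audit_htpasswd(text).items()
                  if r in ("weak", "bad"))

# Constructed sample file (fake hashes, not real credentials).
SAMPLE_HTPASSWD = """\
test:$apr1$saltsalt$abcdefghijklmnopqrstuv
old:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
legacy:abJnggxhB/yWI
bob:hunter2
"""

if __name__ == "__main__":
    print(users_to_rehash(SAMPLE_HTPASSWD))  # ['bob', 'legacy', 'old']
```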
2. Configuring a domain redirect
Add the following to the nginx default virtual host configuration:
server_name 11.com 22.com www.111.com;
if ($host != 'www.111.com' ) {
    rewrite ^/(.*)$ http://www.111.com/$1 permanent;
}
permanent makes it a permanent (301) redirect;
Test: requests to 11.com and 22.com are both redirected, via the Location header, to www.111.com:
[root@localhost vhosts]# curl -x127.0.0.1:80 11.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Thu, 14 May 2015 22:15:16 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.111.com/
[root@localhost vhosts]# curl -x127.0.0.1:80 22.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Thu, 14 May 2015 22:15:21 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.111.com/
3. Configuring logging
Log format: main is the name given to this log format. log_format directives must be placed in the http section of the main nginx.conf:
log_format main '$remote_addr - $remote_user [$time_local] $request '
                '"$status" $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
log_format main1 '$proxy_add_x_forwarded_for - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
// In the main1 format the IP field records not only the proxy's IP but also the real IP of the remote client.
// Note that $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For header the request already carried, so the leading addresses are client-supplied and are only trustworthy when set by a proxy you control.
Add the access_log directive, naming the format, as the last line of the server block in default.conf:
server {
    listen 80 default;
    server_name localhost;
    index index.html index.htm index.php;
    root /usr/local/nginx/html;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    }
    access_log /home/logs/xxx.log combined_realip;
}
combined_realip is the name of a log format defined in nginx.conf; the name given to access_log must match one of the log_format names in the http section.
After a curl test, a new log entry is produced:
[root@localhost vhosts]# curl -x127.0.0.1:80 192.168.20.30/index.html -I
[root@localhost vhosts]# cat /home/logs/xxx.log
127.0.0.1 - [15/May/2015:15:13:49 +0800]192.168.20.30 "/index.html" 200"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
Error log (error_log) levels:
The error_log levels are debug, info, notice, warn, error and crit; the default is crit. The level is written after the log file name, in this form: error_log /your/path/error.log crit;
crit records the least and debug the most. If your nginx is having problems, for example 502 errors appearing frequently, but the default error_log shows nothing meaningful, adjust the error log level: at the error level the log records considerably more detail.
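As an added example (not from the original post), the following Python code parses lines written in the main log_format defined above and counts 401 responses per client address for the auth_basic-protected /a/ directory from section 1, a simple indicator of password guessing against Basic auth. The log lines are constructed for the example and the alert threshold is an assumption.

```python
import re
from collections import Counter

# Regex for the page's "main" log_format: $request is unquoted and $status
# is quoted, exactly as that format string writes them.
MAIN_LINE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'(?P<request>.*?) "(?P<status>\d{3})" (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)

# Constructed sample lines (not real server output): repeated 401s from one
# address against /a/, then a success, an unrelated request and a bad line.
SAMPLE_LOG = """\
192.168.20.31 - - [15/May/2015:15:13:49 +0800] GET /a/index.html HTTP/1.1 "401" 194 "-" "curl/7.19.7" "-"
192.168.20.31 - - [15/May/2015:15:13:50 +0800] GET /a/index.html HTTP/1.1 "401" 194 "-" "curl/7.19.7" "-"
192.168.20.31 - - [15/May/2015:15:13:51 +0800] GET /a/index.html HTTP/1.1 "401" 194 "-" "curl/7.19.7" "-"
192.168.20.31 - test [15/May/2015:15:13:52 +0800] GET /a/index.html HTTP/1.1 "200" 612 "-" "curl/7.19.7" "-"
10.0.0.5 - - [15/May/2015:15:14:01 +0800] GET /index.html HTTP/1.1 "200" 612 "-" "Mozilla/5.0" "-"
garbage line that does not match the format
"""

def parse_main(line):
    """Return the fields of one line in the main format, or None if it does not parse."""
    m = MAIN_LINE.match(line)
    return m.groupdict() if m else None

def failed_auth_by_addr(log_text, path_prefix="/a/"):
    """Count 401 responses per $remote_addr for requests under path_prefix.

    Behind a proxy $remote_addr is the proxy's address (127.0.0.1 in the page's
    curl -x tests); $http_x_forwarded_for is client-supplied, so it is not used here.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_main(line)
        if rec is None or rec["status"] != "401":
            continue
        parts = rec["request"].split()          # "GET /a/index.html HTTP/1.1"
        uri = parts[1] if len(parts) >= 2 else ""
        if uri.startswith(path_prefix):
            counts[rec["remote_addr"]] += 1
    return counts

def suspicious_sources(log_text, threshold=3):
    """Addresses with at least `threshold` failed Basic-auth attempts (assumed threshold)."""
    return sorted(a for a, n in failed_auth_by_addr(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))  # ['192.168.20.31']
```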
4. Don't log static files (images, flash, js, css), and configure caching
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    expires 30d;
    access_log off;
}
# The original pattern ended in (js|css)?$; the trailing ? made the extension optional, so any URI ending in a bare "." matched as well. It is dropped here.
location ~ .*\.(js|css)$
{
    expires 12h;
    access_log off;
}
expires sets how long clients may cache the response;
access_log off turns off access logging for these requests;
Test: touch the files 1.jpg and 2.js, then use curl to check that Cache-Control carries the cache time:
[root@localhost vhosts]# touch /usr/local/nginx/html/1.jpg
[root@localhost vhosts]# curl -x127.0.0.1:80 www.111.com/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 14 May 2015 22:11:45 GMT
Content-Type: image/jpeg
Content-Length: 0
Last-Modified: Thu, 14 May 2015 22:11:41 GMT
Connection: keep-alive
ETag: "55551d9d-0"
Expires: Sat, 13 Jun 2015 22:11:45 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[root@localhost vhosts]# touch /usr/local/nginx/html/2.js
[root@localhost vhosts]# curl -x127.0.0.1:80 www.111.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 14 May 2015 22:11:00 GMT
Content-Type: application/javascript
Content-Length: 0
Last-Modified: Thu, 14 May 2015 22:10:53 GMT
Connection: keep-alive
ETag: "55551d6d-0"
Expires: Fri, 15 May 2015 10:11:00 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
5. Hotlink protection
Add the following inside the server section of the nginx default host default.conf:
// Only sites under taobao, baidu, google and soso may embed these files; for any referer outside the listed domains, return a 403 error, or alternatively redirect to a custom image.
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
    valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com;
    if ($invalid_referer) {
        return 403;
        #rewrite ^/ http://www.example.com/nophoto.gif;
    }
}
~* denotes a case-insensitive match;
If the same config file contains several ~ locations that match a request, only the topmost one takes effect; so put the image caching and access_log off directives into the same ~ location so that all of them apply:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
    expires 10d;
    # an nginx directive may continue over several lines until the ";" with no backslash needed
    valid_referers none blocked server_names *.1.com *.a.com *.b.com *.baidu.com
                   *.google.com *.google.cn *.soso.com;
    if ($invalid_referer) {
        return 403;
        #rewrite ^/ http://www.example.com/nophoto.gif;
    }
    access_log off;
}
Test with curl -e (the referer value must include http://): requesting the image with referer qq.com returns 403 Forbidden, while with 1.com it returns 200 OK, confirming the hotlink protection works:
[root@localhost vhosts]# curl -x127.0.0.1:80 -e "http://www.qq.com" 192.168.20.30/1.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: Fri, 15 May 2015 08:28:07 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost vhosts]# curl -x127.0.0.1:80 -e "http://www.1.com" 192.168.20.30/1.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 15 May 2015 08:28:16 GMT
Content-Type: image/jpeg
Content-Length: 0
Last-Modified: Fri, 15 May 2015 07:55:55 GMT
Connection: keep-alive
ETag: "5555a68b-0"
Accept-Ranges: bytes
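As an added example (not the post's own code), the following Python function emulates how nginx evaluates the valid_referers list above and sets $invalid_referer, which also shows why the curl -e test needs the http:// prefix: a scheme-less value counts as "blocked" and is allowed. It assumes the default host's server_name is localhost, as in the earlier config, and does not model the optional URI prefix nginx permits after a domain.

```python
from urllib.parse import urlsplit

# The list from the location block above, in nginx's order.
VALID_REFERERS = ["none", "blocked", "server_names", "*.1.com", "*.a.com", "*.b.com",
                  "*.baidu.com", "*.google.com", "*.google.cn", "*.soso.com"]
SERVER_NAMES = ["localhost"]   # assumption: server_name of the default host

def invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """Emulate $invalid_referer for one Referer header value (None = header absent).

    Follows the documented semantics: "none" covers a missing header, "blocked" a
    value without an http:// or https:// scheme (stripped by a proxy or firewall),
    "server_names" the host's own names, "*.x" any host under x and "x.*" any host
    starting with "x.". Hosts compare case-insensitively and the port is ignored.
    This is an emulation written for the example, not nginx's own code.
    """
    if referer is None:
        return "none" not in valid
    lower = referer.lower()
    if not lower.startswith(("http://", "https://")):
        return "blocked" not in valid        # why the curl -e test needs http://
    host = urlsplit(lower).hostname or ""
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if host in server_names:
                return False
        elif entry.startswith("*."):
            if host.endswith(entry[1:]):      # "*.1.com" -> any host ending ".1.com"
                return False
        elif entry.endswith(".*"):
            if host.startswith(entry[:-1]):   # "www.x.*" -> any host starting "www.x."
                return False
        elif host == entry:
            return False
    return True

def respond(referer):
    """HTTP status the location block above would return for an image request."""
    return 403 if invalid_referer(referer) else 200

if __name__ == "__main__":
    for ref in ["http://www.qq.com", "http://www.1.com", None, "www.qq.com"]:
        print(repr(ref), respond(ref))
```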