内容:

1、LNMP的搭建

2、搭建基于LNMP的discuz论坛(www.hill.com)

3、实现https

4、实现访问http时自动跳转至https以及防盗链设置、URL重写测试


一、LNMP的搭建

        我们知道,在apache与php的结合方式有三种,而nginx与php的结合目前只有一种是行之有效的:php-fpm

        1、yum直接安装快速搭建LNMP,官方下载nginx的预安装包(rpm包),当然也可以编译安装

#yum install -y prce-devel zlib-devel openssl-devel php-fpm php-mysql mariadb-server
  # yum install nginx-1.10.0-1.el7.ngx.x86_64.rpm

        

        2、添加ngixn虚拟主机

[root@localhost pma]# cat /etc/nginx/conf.d/hill.conf 
server {
listen 80;
server_name www.hill.com;
root /var/www/html/hill;
location  /  {
index index.php index.html;
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
}

      

          3、启动相关服务,添加host文件测试

[root@localhost hill]# curl -I www.hill.com
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Mon, 24 Oct 2016 22:17:52 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.16

LNMP的搭建及URL重写测试_第1张图片

        4、测试phpMyAdmin成功


LNMP的搭建及URL重写测试_第2张图片



        5安装论坛测试访问发帖成功:

LNMP的搭建及URL重写测试_第3张图片




二、nginx的https实现

        1、搭建根CA服务器(这里在同一台机子上)

[root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/)
certs/    crl/      newcerts/ private/  
[root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
..............................................................................+++
e is 65537 (0x10001)
[root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/
certs/    crl/      newcerts/ private/  
[root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:hill.com  
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.hill.com
Email Address []:
[root@localhost hill]#


        2、nginx申请证书签署

[root@localhost hill]# mkdir -p /etc/nginx/ssl
[root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
....+++
......................+++
e is 65537 (0x10001)
[root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJIN
Locality Name (eg, city) [Default City]:^C
[root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:hill.com
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.hill.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


    3、根CA签署证书

[root@localhost CA]# openssl ca -in /etc/nginx/ssl/nginx.csr -out /etc/nginx/ssl/nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 24 22:55:33 2016 GMT
            Not After : Oct 24 22:55:33 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = hill.com
            organizationalUnitName    = ops
            commonName                = www.hill.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                06:98:EC:97:95:A6:7A:29:D4:DE:F4:C7:98:ED:D1:01:F9:16:07:8A
            X509v3 Authority Key Identifier: 
                keyid:F4:2C:6B:72:C4:D0:B5:CF:6F:B8:4E:A5:E1:A6:73:27:6D:6E:88:D3
Certificate is to be certified until Oct 24 22:55:33 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# 
[root@localhost CA]# 
[root@localhost CA]# ll /etc/nginx/ssl/
total 16
-rw-r--r--. 1 root root 4457 Oct 25 06:55 nginx.crt
-rw-r--r--. 1 root root 1005 Oct 25 06:54 nginx.csr
-rw-------. 1 root root 1679 Oct 25 06:53 nginx.key


    4、编辑nginx虚拟主机的配置文件

[root@localhost CA]# cat /etc/nginx/conf.d/hill.conf 
server {
listen 443 ssl;
server_name www.hill.com;
root /var/www/html/hill;
location  /  {
index index.php index.html;
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
  ssl_certificate /etc/nginx/ssl/nginx.crt;  
    ssl_certificate_key /etc/nginx/ssl/nginx.key; 
    ssl_session_cache shared:sslcache:20m;
}
[root@localhost CA]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost CA]# nginx -s reload
[root@localhost CA]# ss -tanl
State       Recv-Q Send-Q               Local Address:Port                              Peer Address:Port              
LISTEN      0      128                      127.0.0.1:9000                                         *:*                  
LISTEN      0      128                              *:47112                                        *:*                  
LISTEN      0      50                               *:3306                                         *:*                  
LISTEN      0      128                              *:111                                          *:*                  
LISTEN      0      128                              *:22                                           *:*                  
LISTEN      0      100                      127.0.0.1:25                                           *:*                  
LISTEN      0      128                              *:443                                          *:*                  
LISTEN      0      128                             :::111                                         :::*                  
LISTEN      0      128                             :::22                                          :::*                  
LISTEN      0      100                            ::1:25                                          :::*                  
LISTEN      0      128                             :::56155                                       :::*


    5、浏览器打开测试成功 

    

LNMP的搭建及URL重写测试_第4张图片


更多文章请关注 我的博客

四、实现访问http时自动跳转至https以及防盗链设置、URL重写测试


        1、http自动跳转https测试:

[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf 
server {
listen 443 ssl ;
server_name www.hill.com;
location  /  {
index index.php index.html;
root /var/www/html/hill;
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
  ssl_certificate /etc/nginx/ssl/nginx.crt;  
    ssl_certificate_key /etc/nginx/ssl/nginx.key; 
    ssl_session_cache shared:sslcache:20m;
}
server{
listen 80;
server_name www.hill.com;
rewrite ^(.*)$  https://$host$1 permanent ;
}

   


        2、防盗链测试:

        添加配置:


valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}

     

        测试正常

[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf 
server {
listen 443 ssl ;
server_name www.hill.com;
location  /  {
index index.php index.html;
root /var/www/html/hill;
if ($http_user_agent ~* Edge )
{
rewrite ^(.*)$ /test1.html break;
}
if ($http_user_agent ~* Mathon )
{
rewrite ^(.*)$ /test2.html break;
}
if ($http_user_agent ~* firefox )
{
rewrite ^(.*)$ /test3.html break;
}
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
  ssl_certificate /etc/nginx/ssl/nginx.crt;  
    ssl_certificate_key /etc/nginx/ssl/nginx.key; 
    ssl_session_cache shared:sslcache:20m;
}
server{
listen 80;
server_name www.hill.com;
rewrite ^(.*)$  https://$host$1 permanent ;
}

[12:36 [email protected]~]# curl -I -k -e "www.baidu.com" https://www.hill.com
HTTP/1.1 111 
Server: nginx/1.10.0
Date: Tue, 25 Oct 2016 10:50:40 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive


        3、URL重写测试:不同的代理实现不同的效果

        添加配置:


if ($http_user_agent ~* Edge )
{
rewrite ^(.*)$ /test1.html break;
}
if ($http_user_agent ~* Mathon )
{
rewrite ^(.*)$ /test2.html break;
}
if ($http_user_agent ~* firefox )
{
rewrite ^(.*)$ /test3.html break;
}


         测试成功:


[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf 
server {
listen 443 ssl ;
server_name www.hill.com;
location  /  {
index index.php index.html;
root /var/www/html/hill;
if ($http_user_agent ~* Edge )
{
rewrite ^(.*)$ /test1.html break;
}
if ($http_user_agent ~* Mathon )
{
rewrite ^(.*)$ /test2.html break;
}
if ($http_user_agent ~* firefox )
{
rewrite ^(.*)$ /test3.html break;
}
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
  ssl_certificate /etc/nginx/ssl/nginx.crt;  
    ssl_certificate_key /etc/nginx/ssl/nginx.key; 
    ssl_session_cache shared:sslcache:20m;
}
server{
listen 80;
server_name www.hill.com;
rewrite ^(.*)$  https://$host$1 permanent ;
}

        

        测试效果有效

LNMP的搭建及URL重写测试_第5张图片

LNMP的搭建及URL重写测试_第6张图片




        附:http核心模块的内置变量

$uri: 当前请求的uri,不带参数;
$request_uri: 请求的uri,带完整参数;
$host: http请求报文中host首部;如果请求中没有host首部,则以处理此请求的虚拟主机的主机名代替;
$hostname: nginx服务运行在的主机的主机名;
$remote_addr: 客户端IP
$remote_port: 客户端Port
$remote_user: 使用用户认证时客户端用户输入的用户名;
$request_filename: 用户请求中的URI经过本地root或alias转换后映射的本地的文件路径;
$request_method: 请求方法
$server_addr: 服务器地址
$server_name: 服务器名称
$server_port: 服务器端口
$server_protocol: 服务器向客户端发送响应时的协议,如http/1.1, http/1.0
$scheme: 在请求中使用scheme, 如https://www.domain.com/中的https;
$http_HEADER: 匹配请求报文中指定的HEADER,$http_host匹配请求报文中的host首部
$sent_http_HEADER: 匹配响应报文中指定的HEADER,例如$http_content_type匹配响应报文中的content-type首部;
$document_root:当前请求映射到的root配置;

更多文章请关注 我的博客