状态码:

200:表示正常

301:表示域名跳转

401:表示需要输入用户名和密码

403:表示可能被禁止访问

302404:表示输入的路径可能有错

500:表示php脚本有问题

502:配置错误nginxsock或者IP+port,还有就是资源耗尽,nginx属主

 

写个nginx启动脚本

vim /etc/init.d/nginx

 

#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings

NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
NGINX_PID="/usr/local/nginx/logs/nginx.pid"
RETVAL=0
prog="Nginx"

start() {
        echo -n$"Starting $prog: "
        mkdir -p/dev/shm/nginx_temp
        daemon$NGINX_SBIN -c $NGINX_CONF
        RETVAL=$?
        echo
        return$RETVAL
}

stop() {
        echo -n$"Stopping $prog: "
        killproc-p $NGINX_PID $NGINX_SBIN -TERM
        rm -rf/dev/shm/nginx_temp
        RETVAL=$?
        echo
        return$RETVAL
}

reload(){
        echo -n$"Reloading $prog: "
        killproc-p $NGINX_PID $NGINX_SBIN -HUP
        RETVAL=$?
        echo
        return$RETVAL
}

restart(){
        stop
        start
}

configtest(){
    $NGINX_SBIN -c $NGINX_CONF -t
    return 0
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  reload)
        reload
        ;;
  restart)
        restart
        ;;
  configtest)
        configtest
        ;;
  *)
        echo$"Usage: $0 {start|stop|reload|restart|configtest}"
        RETVAL=1
esac
exit $RETVAL

 

 

 

chmod 755 /etc/init.d/nginx

chkconfig --add nginx

chkconfig nginx on

 

整理nginx配置文件

#清空原来的配置

vim /usr/local/nginx/conf/nginx.conf

user nobody nobody;

worker_processes 2;

error_log/usr/local/nginx/logs/nginx_error.log crit;

pid /usr/local/nginx/logs/nginx.pid;

worker_rlimit_nofile 51200;

events

{

   use epoll;

   worker_connections 6000;

}

http

 

{

   include mime.types;

   default_type application/octet-stream;

   server_names_hash_bucket_size 3526;

   server_names_hash_max_size 4096;

   log_format combined_realip '$remote_addr $http_x_forwarded_for[$time_local]'

    '$host "$request_uri" $status'

   '"$http_referer" "$http_user_agent"';

   sendfile on;

   tcp_nopush on;

   keepalive_timeout 30;

   client_header_timeout 3m;

   client_body_timeout 3m;

   send_timeout 3m;

   connection_pool_size 256;

    client_header_buffer_size1k;

   large_client_header_buffers 8 4k;

   request_pool_size 4k;

   output_buffers 4 32k;

   postpone_output 1460;

   client_max_body_size 10m;

   client_body_buffer_size 256k;

   client_body_temp_path /usr/local/nginx/client_body_temp;

   proxy_temp_path /usr/local/nginx/proxy_temp;

   fastcgi_temp_path /usr/local/nginx/fastcgi_temp;

   fastcgi_intercept_errors on;

   tcp_nodelay on;

   gzip on;

   gzip_min_length 1k;

   gzip_buffers 4 8k;

   gzip_comp_level 5;

    gzip_http_version 1.1;

   gzip_types text/plain application/x-javascript text/css text/htmapplication/xml;

   include vhosts/*.conf;    #虚拟主机

}

 

 

 

添加虚拟主机

#默认虚拟主机独立一个文件

mkdir /usr/local/nginx/conf/vhosts

vim/usr/local/nginx/conf/vhosts/default.conf                                    #默认虚拟主机多了个default

server

 

{

   listen 80 default;

   server_name localhost;

   index index.html index.htm index.php;

   root /data/abc;

 

   location ~ \.php$ {

       include fastcgi_params;

       fastcgi_pass unix:/tmp/php-fcgi.sock;

       fastcgi_index index.php;

       fastcgi_param SCRIPT_FILENAME /data/abc$fastcgi_script_name;

    }

}

#设置个空目录,让它403

 

#第二虚拟主机独立一个文件

vim /usr/local/nginx/conf/vhosts/123.conf              #第二个虚拟主机

server

 

{

   listen 80;

   server_name www.123.com;

   index index.html index.htm index.php;

   root /data/www;

 

   location ~ \.php$ {

       include fastcgi_params;

       #fastcgi_pass unix:/tmp/php-fcgi.sock;

       fastcgi_pass 127.0.0.1:9000;

       fastcgi_index index.php;

       fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

}

#只能用域名访问,nginx通过fastcgi的端口加IP的形式把php交给php-fpm处理,最后返回给nginx代理

#虚拟主机的根目录为/data/www

 

 

Nginx用户认证

#独立一段添加

#工具apachehtpasswd,限制后台admin.php

vim /usr/local/nginx/conf/vhosts/123.conf

 

location ~ .*admin\.php$ {

        auth_basic "tingshi";

       auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

       include fastcgi_params;

       fastcgi_pass unix:/tmp/php-fcgi.sock;

       fastcgi_index index.php;

       fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

}

 

touch /usr/local/nginx/conf/.htpasswd

htpasswd -c /usr/local/nginx/conf/.htpasswdaming                        #通过htpasswd工具创建用户

#每个动态网页都需要php解析

 

域名重定向

#外部添加

   listen 80;

   server_name www.123.com www.abc.com;

    if ($host != 'www.123.com')

    {

        rewrite ^/(.*)$http://www.123.com/$1 permanent;

    }

   index index.html index.htm index.php;

   root /data/www;

#支持多个域名重定向,在外层设置重定向

/usr/local/nginx/sbin/nginx -s reload

 

 

 

 

不记录指定文件类型日志/配置静态文件过期时间

#独立一段添加

access_log /tmp/access.log aming;                                    #这在全局设置

   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

       {

                expires      30d;

                access_log off;

       }

 

   location ~ .*\.(js|css)$

       {

                expires      12h;

                access_log off;

       }

#在设置access_log之前要打开mginx配置文件vim/usr/local/nginx/conf/nginx.conf

其中定好日志的格式log_format aming       aming就是格式,被access_log引用,其它两个location在外面定义

expires     30d                                        #配置静态文件的过期时间

日志切割

vim /usr/local/sbin/nginx_logroate.sh

 

#!/bin/bash

d=`date -d "-1 day" +%F`

[ -d /tmp/nginx_log ] || mkdir/tmp/nginx_log

mv /tmp/access.log /tmp/nginx_log/$d.log

/etc/init.d/nginx reload > /dev/null

cd /tmp/nginx_log

gzip -f $d.log

 

crontab –e                                    #加入到计划任务

0 0 * * * /bin/bash /usr/local/sbin/nginx_logroate.sh

#每天的0点执行

 

静态文件的过期时间

#内部添加

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

       {

                expires      30d;

                access_log off;

       }

expires     30d                                        #配置静态文件的过期时间

 

 

配置防盗链

#防止某张图片或者某些东西被另一个网站盗用,内部添加

   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|rar|zip|bz2)$

       {

                expires      30d;

                access_log off;

                valid_referersnone blocked *.123.com *.abc.com;

                if ($invalid_referer)

                {

                    return 403;

                }

       }

#测试

curl -e"http://www.baidu.com/123" -x127.0.0.1:80'http://www.123.com/static/p_w_picpath/common/titlebg.png' –I             #返回403

curl -e "http://www.123.com/123"-x127.0.0.1:80 'http://www.123.com/static/p_w_picpath/common/titlebg.png' –I                 #返回200

指定referer的时候就应该带上 http://

 

访问控制

#限制某些IP,外部添加限定整个根目录,内部添加限制某些文件,定义了匹配对象的时候优先匹配

server

 

{

   listen 80;

   server_name www.123.com www.abc.com;

   if ($host != 'www.123.com')

    {

       rewrite ^/(.*)$ http://www.123.com/$1 permanent;

    }

   index index.html index.htm index.php;

   root /data/www;

   access_log /tmp/access.log aming;

    deny 127.0.0.1;

 

   location ~ .*admin\.php$ {

       allow 127.0.0.1;

        deny all;

       #auth_basic "tingshi";

       #auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

       include fastcgi_params;

       fastcgi_pass unix:/tmp/php-fcgi.sock;

       fastcgi_index index.php;

       fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

}

 

curl -x127.0.0.1:80 www.123.com/admin.php-I

curl -x127.0.0.1:80 www.123.com/forum.php-I

curl -x192.168.134.132:80www.123.com/admin.php -I

当定义了匹配对象的时候优先匹配,也就是越精准越优先,当没有定义匹配对象的时候屎从上到下逐条匹配。

 

禁止指定user_agent

#禁止某些搜索引擎,在外部配置

if ($http_user_agent  ~* 'curl|baidu|youdao')

       {

           return 403;

        }

}

 

curl -A "qwewbaiduq"-x127.0.0.1:80 www.123.com/admin.php -I

curl -x 127.0.0.1:80 www.123.com/admin.php-I

 

nginx代理

#代理百度的IP,独立一个文件

upstream bbb

{

           server  14.215.177.38;

           server  14.215.177.38;

}

 

server {

       listen 80;

       server_name www.baidu.com;

 

       location / {

                proxy_pass      http://bbb/;

                proxy_set_header Host   $host;

                proxy_set_header X-Real-IP      $remote_addr;

                proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;

       }

           access_log /home/logs/bb_access.log combined;

}

curl -x127.0.0.1:80 www.baidu.com -I