12.6 Nginx installation
Download the latest stable release package from the official site.
[root@localhost: ~]# cd /usr/local/src/
[root@localhost: src]# rz
[root@localhost: src]# ls nginx-1.14.0.tar.gz
nginx-1.14.0.tar.gz
Unpack it under the src directory and install from source; only the installation prefix needs to be specified.
[root@localhost: nginx-1.14.0]# ./configure --prefix=/usr/local/nginx1.14/
No special configure options are used here; nginx will be rebuilt later as the course requires, so this is enough for now.
[root@localhost: nginx-1.14.0]# make && make install
conf/ holds the configuration files, html/ the default sample pages, logs/ the log files, and sbin/ the core server binary.
[root@localhost: nginx-1.14.0]# cd /usr/local/nginx1.14/
[root@localhost: nginx1.14]# ls
conf html logs sbin
[root@localhost: nginx1.14]# ls conf/
fastcgi.conf koi-utf nginx.conf uwsgi_params
fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default
fastcgi_params mime.types scgi_params win-utf
fastcgi_params.default mime.types.default scgi_params.default
[root@localhost: nginx1.14]# ls html/
50x.html index.html
[root@localhost: nginx1.14]# ls logs/
[root@localhost: nginx1.14]# ls sbin/
nginx
As before, the -t option checks the syntax of the configuration file.
[root@localhost: nginx1.14]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx1.14//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx1.14//conf/nginx.conf test is successful
Create the startup script:
[root@localhost: nginx1.14]# vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
NGINX_SBIN="/usr/local/nginx1.14/sbin/nginx"
NGINX_CONF="/usr/local/nginx1.14/conf/nginx.conf"
NGINX_PID="/usr/local/nginx1.14/logs/nginx.pid"
RETVAL=0
prog="Nginx"
start()
{
echo -n $"Starting $prog: "
mkdir -p /dev/shm/nginx_temp
daemon $NGINX_SBIN -c $NGINX_CONF
RETVAL=$?
echo
return $RETVAL
}
stop()
{
echo -n $"Stopping $prog: "
killproc -p $NGINX_PID $NGINX_SBIN -TERM
RETVAL=$?
# capture killproc's status before rm overwrites $?
rm -rf /dev/shm/nginx_temp
echo
return $RETVAL
}
reload()
{
echo -n $"Reloading $prog: "
killproc -p $NGINX_PID $NGINX_SBIN -HUP
RETVAL=$?
echo
return $RETVAL
}
restart()
{
stop
start
}
configtest()
{
$NGINX_SBIN -c $NGINX_CONF -t
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
restart
;;
configtest)
configtest
;;
*)
echo $"Usage: $0 {start|stop|reload|restart|configtest}"
RETVAL=1
esac
exit $RETVAL
[root@localhost: nginx1.14]# vim /etc/init.d/nginx
[root@localhost: nginx1.14]# chmod 755 /etc/init.d/nginx
[root@localhost: nginx1.14]# chkconfig --add nginx
[root@localhost: nginx1.14]# chkconfig nginx on
Note: change the paths to your own installation directory.
The nginx configuration file is under the conf directory. A template is installed by default, but we will not use it for now and will use the one from the book instead.
[root@localhost: nginx1.14]# ls conf/nginx.conf
conf/nginx.conf
[root@localhost: nginx1.14]# mv conf/nginx.conf conf/nginx.conf.bak
[root@localhost: nginx1.14]# vim conf/nginx.conf
[root@localhost: nginx1.14]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx1.14//conf/nginx.conf syntax is ok
nginx: [emerg] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx1.14//conf/nginx.conf test failed
The configuration file is as follows.
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 6000;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 8 4k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
client_max_body_size 10m;
client_body_buffer_size 256k;
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/proxy_temp;
fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
fastcgi_intercept_errors on;
tcp_nodelay on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm application/xml;
server
{
listen 80;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
}
The syntax check reported a directory error: the paths in the configuration file must be changed to your own paths.
[root@localhost: nginx1.14]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx1.14//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx1.14//conf/nginx.conf test is successful
user nobody nobody; files written by PHP code get this user and group as owner, because it is the process user
worker_processes 2; number of worker (child) processes
error_log /usr/local/nginx/logs/nginx_error.log crit; error log
pid /usr/local/nginx/logs/nginx.pid; pid file
worker_rlimit_nofile 51200; maximum number of files nginx may open
events
{
use epoll; use the epoll event model
worker_connections 6000; maximum connections per worker process
}
See the Extensions section for details.
The server block corresponds to an Apache virtual host.
Start the service with the script:
[root@localhost: nginx1.14]# /etc/init.d/nginx start
Starting nginx (via systemctl): [ OK ]
[root@localhost: nginx1.14]# ps aux | grep nginx
root 4350 0.0 0.0 20548 620 ? Ss 00:19 0:00 nginx: master process /usr/local/nginx1.14/sbin/nginx -c /usr/local/nginx1.14/conf/nginx.conf
nobody 4351 0.0 0.3 25076 3516 ? S 00:19 0:00 nginx: worker process
nobody 4352 0.0 0.3 25076 3260 ? S 00:19 0:00 nginx: worker process
root 4359 0.0 0.0 112704 972 pts/0 S+ 00:20 0:00 grep --color=auto nginx
Two worker processes are visible.
The server can now be accessed.
[root@localhost: nginx1.14]# curl localhost
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
[root@localhost: nginx1.14]# cat html/index.html
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
PHP is also parsed, as set up in the configuration file:
[root@localhost: nginx1.14]# curl localhost/1.php
this is nginx test page : 1.php
[root@localhost: nginx1.14]#
12.7 Default virtual host
The server block defined in the previous section is in fact the default virtual host; the default virtual host can also be written in a separate configuration file.
Below we comment out the server block in the main configuration file and add a single include line:
include vhost/*.conf;
# server
# {
# listen 80;
# server_name localhost;
# index index.html index.htm index.php;
# root /usr/local/nginx1.14/html;
# location ~ \.php$
# {
# include fastcgi_params;
# fastcgi_pass unix:/tmp/php-fcgi.sock;
# #fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /usr/local/nginx1.14/html$fastcgi_script_name;
# }
# }
The vhost directory must be created manually under the conf directory.
server
{
listen 80 default_server; # the block carrying this flag is the default virtual host
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
root must be set to your site's directory.
[root@localhost: nginx1.14]# ls /usr/local/nginx1.14/html/
1.php 50x.html index.html
[root@localhost: nginx1.14]# vim html/index.html
[root@localhost: nginx1.14]#
After checking the syntax, test whether it works.
[root@localhost: nginx1.14]# sbin/nginx -s reload
This reloads the configuration file without restarting the service.
[root@localhost: nginx1.14]# curl localhost
Nginx1.14 default site
[root@localhost: nginx1.14]# curl 127.0.0.1:80 aaa.com
Nginx1.14 default site
^C
[root@localhost: nginx1.14]# curl 127.0.0.1:80 bbb.com
Nginx1.14 default site
^C
[root@localhost: nginx1.14]#
This is the default virtual host.
Note that if no server block carries the default_server flag, the first one loaded via include *.conf becomes the default virtual host.
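The selection rule matters because any Host header that no server block claims (a scanner probing the IP, a stale DNS name, a typo) is answered by the default server. The following is an added example, not code from the course notes: a small Python model of the order nginx documents for picking a server block (exact name, longest leading-wildcard, longest trailing-wildcard, first matching regex, then the default_server block, else the first block). The two vhosts are the ones from this section; the labels and the extra wildcard/regex names in the test are constructed.

```python
"""Model of nginx's server block selection (added example, not from the course notes).

Given the server blocks on one listen port and a request's Host header, return the
block nginx would route to, following the documented order: exact name, longest
leading-wildcard name, longest trailing-wildcard name, first matching regex in
file order, and otherwise the default server (default_server flag, else the first
block). Labels are constructed for printing and asserting.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    names: List[str]               # the server_name values
    default_server: bool = False   # the default_server flag on the listen directive
    label: str = ""                # constructed name for printing/asserting


def select_server(servers: List[Server], host: Optional[str]) -> Server:
    """Return the Server that nginx would pick for this Host header value."""
    # nginx strips the port and lowercases the name before matching
    host = (host or "").split(":")[0].rstrip(".").lower()
    exact = None
    leading = (None, -1)    # (server, length of the matched wildcard name)
    trailing = (None, -1)
    regex = None
    for srv in servers:
        for name in srv.names:
            lname = name.lower()
            if lname.startswith("~"):
                # regex names are tried in file order; the first match wins
                if regex is None and host and re.search(name[1:], host):
                    regex = srv
            elif lname.startswith("*."):
                suffix = lname[1:]                     # "*.test.com" -> ".test.com"
                if host.endswith(suffix) and len(host) > len(suffix) and len(lname) > leading[1]:
                    leading = (srv, len(lname))
            elif lname.endswith(".*"):
                prefix = lname[:-1]                    # "mail.*" -> "mail."
                if host.startswith(prefix) and len(host) > len(prefix) and len(lname) > trailing[1]:
                    trailing = (srv, len(lname))
            elif lname == host and exact is None:
                exact = srv
    for candidate in (exact, leading[0], trailing[0], regex):
        if candidate is not None:
            return candidate
    # nothing claimed the name: the default server answers, whatever the Host header says
    for srv in servers:
        if srv.default_server:
            return srv
    return servers[0]


# The two vhosts from this section, as written in the notes (labels are constructed).
VHOSTS = [
    Server(["aaa.com"], default_server=True, label="default"),
    Server(["test.com", "test1.com", "test2.com"], label="test.com"),
]

if __name__ == "__main__":
    for h in ("test.com", "bbb.com", "", "TEST1.COM:80"):
        print(f"Host: {h!r:16} -> {select_server(VHOSTS, h).label}")
```

In production the default block is usually a catch-all that serves nothing of value (nginx's special `return 444;` simply closes the connection), so that a real site is never reached under a name it does not own.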
12.8 Nginx user authentication
First, create a virtual host.
[root@localhost: nginx1.14]# vim conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /usr/local/nginx1.14/html/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx1.14/conf/htpasswd;
}
}
auth_basic sets the name (realm) shown in the authentication prompt.
To generate the password file we use the htpasswd utility.
[root@localhost: nginx1.14]# /usr/local/apache2.4/bin/htpasswd -c conf/htpasswd lhy
New password:
Re-type new password:
Adding password for user lhy
When adding further users, omit the -c option, otherwise the file is overwritten.
[root@localhost: nginx1.14]# /usr/local/apache2.4/bin/htpasswd conf/htpasswd lhybak
New password:
Re-type new password:
Adding password for user lhybak
[root@localhost: nginx1.14]# cat conf/htpasswd
lhy:$apr1$7GpmTvLX$eizxWrgedEJA5I9ufBnr70
lhybak:$apr1$zHqdyztI$BeG7zIzu8Tos9hVMamfBD0
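To see what the file above actually stores, here is an added example (not part of the course notes) that re-implements Apache's apr1 scheme, the MD5-based format that htpasswd writes by default, and checks a user's password against the two lines shown. It assumes the password for lhy was 123, the value used with curl -u later in this section; the algorithm itself is the documented apr1/md5crypt construction.

```python
"""Verify a password against an htpasswd file using Apache's apr1 scheme.

Added example, not from the course notes: apr1 is the MD5-based scheme (magic "$apr1$",
8-character salt, 1000 rounds) that the htpasswd tool writes by default. Parsing the
file offline lets you audit which users exist and which hash scheme protects them.
"""
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first (crypt's to64)."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Compute $apr1$<salt>$<hash> as htpasswd and `openssl passwd -apr1` do."""
    magic = b"$apr1$"
    pw = password.encode()
    salt_b = salt.encode()[:8]              # apr1 uses at most 8 salt characters
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                    # mix in MD5(pw,salt,pw), one byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                              # for each bit of len(pw): a zero byte or pw[0]
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                   # the fixed 1000-round stretching loop
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def verify_htpasswd(htpasswd_text, user, password):
    """True if `user` exists in the htpasswd text with an apr1 hash matching `password`."""
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        if not stored.startswith("$apr1$"):
            return False                    # other schemes ({SHA}, crypt, bcrypt) are not handled here
        salt = stored.split("$")[2]
        # constant-time comparison, so a valid user name does not leak through timing
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    return False


# The conf/htpasswd content shown in this section.
HTPASSWD_FROM_NOTES = """\
lhy:$apr1$7GpmTvLX$eizxWrgedEJA5I9ufBnr70
lhybak:$apr1$zHqdyztI$BeG7zIzu8Tos9hVMamfBD0
"""

if __name__ == "__main__":
    print("lhy/123 ->", verify_htpasswd(HTPASSWD_FROM_NOTES, "lhy", "123"))
```

apr1 is a fixed 1000-round MD5 chain, so anyone who obtains the file can test guesses offline very quickly; the file belongs outside the document root (as conf/htpasswd is here), readable only by the nginx user, and nginx also accepts hashes produced by the system crypt() where stronger schemes are available.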
Try it out.
[root@localhost: nginx1.14]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx1.14//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx1.14//conf/nginx.conf test is successful
[root@localhost: nginx1.14]# sbin/nginx -s reload
[root@localhost: nginx1.14]# curl -x 127.0.0.1:80 test.com
401 Authorization Required
401 Authorization Required
nginx/1.14.0
[root@localhost: nginx1.14]# curl -x 127.0.0.1:80 -ulhy:123 test.com
404 Not Found
404 Not Found
nginx/1.14.0
[root@localhost: nginx1.14]#
The advantage of -s reload is that if your configuration file contains an error, the running service is not stopped.
[root@localhost: nginx1.14]# mkdir html/test.com
[root@localhost: nginx1.14]# cd !$
cd html/test.com
[root@localhost: test.com]# echo "test.com" > index.html
[root@localhost: test.com]# curl -x 127.0.0.1:80 -ulhy:123 test.com
test.com
Of course this requires authentication for the whole site; it is better to change the location so that only admin requires authentication:
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx1.14/conf/htpasswd;
}
[root@localhost: test.com]# mkdir admin
[root@localhost: test.com]# echo "admin test.com" > admin/admin.html
[root@localhost: test.com]# curl -x 127.0.0.1:80 test.com
test.com
[root@localhost: test.com]# curl -x 127.0.0.1:80 test.com/admin/admin.html
401 Authorization Required
401 Authorization Required
nginx/1.14.0
[root@localhost: test.com]# curl -x 127.0.0.1:80 -ulhy:123 test.com/admin/admin.html
admin test.com
[root@localhost: test.com]# curl -x 127.0.0.1:80 test.com/1/2/3/admin/admin.html
404 Not Found
404 Not Found
nginx/1.14.0
To require authentication for every path containing admin, use a regex match:
location ~ /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx1.14/conf/htpasswd;
}
[root@localhost: test.com]#
[root@localhost: test.com]# vim /usr/local/nginx1.14/conf/vhost/test.com.conf
[root@localhost: test.com]# /usr/local/nginx1.14/sbin/nginx -t
nginx: the configuration file /usr/local/nginx1.14//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx1.14//conf/nginx.conf test is successful
[root@localhost: test.com]# /usr/local/nginx1.14/sbin/nginx -s reload
[root@localhost: test.com]# curl -x 127.0.0.1:80 test.com/1/2/3/admin/admin.html
401 Authorization Required
401 Authorization Required
nginx/1.14.0
12.9 Nginx domain redirection
The need for domain redirection was covered earlier with Apache.
An nginx server_name can list several names; to concentrate the site's ranking weight, the other domains are redirected to the primary domain.
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /usr/local/nginx1.14/html/test.com;
if ($host != 'test.com' )
{
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~ /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx1.14/conf/htpasswd;
}
}
The syntax is similar to Apache's and also supports regular expressions.
We add a test1 entry and test it. Here permanent means a 301 redirect and redirect means a 302.
[root@localhost: test.com]# curl -x 127.0.0.1:80 test2.com/ -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 05:24:05 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/
[root@localhost: test.com]# curl -x 127.0.0.1:80 test2.com/asdgags -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 05:24:17 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/asdgags
Extensions
nginx.conf configuration explained
http://www.ha97.com/5194.html
http://my.oschina.net/duxuefeng/blog/34880
The four nginx rewrite flags
http://www.netingcn.com/nginx-rewrite-flag.html
http://unixman.blog.51cto.com/10163040/1711943
12.10 Nginx access log
nginx also defines a log format in the main configuration file.
[root@localhost: test.com]# cat ../../conf/nginx.conf | grep log_format -A2
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
Directives in the nginx configuration file are separated by semicolons.
Here log_format defines the log format; combined_realip is an alias for this format definition and can be changed to any name you like.
$remote_addr            client IP (public IP); here the egress IP
$http_x_forwarded_for   proxy server IP
$time_local             server local time
$host                   requested host name (domain)
$request_uri            requested URL
$status                 status code
$http_referer           referer
$http_user_agent        user agent
Next, add a line to the virtual host specifying the log path and format.
access_log /tmp/test.com.log combined_realip;
If the format is omitted, a default simple format is used.
Then access the site a few times with curl and look at the log.
[root@localhost: nginx1.14]# cat /tmp/test.com.log
127.0.0.1 - [16/Aug/2018:14:20:37 +0800] test2.com "/asdgags" 301 "-" "curl/7.29.0"
127.0.0.1 - [16/Aug/2018:14:20:48 +0800] test1.com "/asdgags" 301 "-" "curl/7.29.0"
127.0.0.1 - [16/Aug/2018:14:20:52 +0800] test.com "/asdgags" 404 "-" "curl/7.29.0"
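The format is easy to read but has one trap worth knowing when you come to parse it: $http_x_forwarded_for is unquoted, and a request that passed several proxies carries "a, b" in that field, so a naive split on spaces breaks. The following is an added example, not from the course notes: a parser for combined_realip that handles that case, summarises status codes per host and lists clients that were repeatedly refused (401/403). The sample lines are the ones shown in this chapter (here and in the access control section) plus two constructed lines, one with a multi-hop X-Forwarded-For value and one malformed.

```python
"""Parser and summary for the combined_realip log format (added example, not from the notes).

Format: '$remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status
"$http_referer" "$http_user_agent"'. $remote_addr is the TCP peer; X-Forwarded-For is
whatever the client or an upstream proxy sent, so it is recorded but never trusted.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# $http_x_forwarded_for is unquoted and may contain "a, b" for several proxies,
# so it is matched non-greedily up to the bracketed timestamp.
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<xff>.*?) \[(?P<time_local>[^\]]+)\] '
    r'(?P<host>\S+) "(?P<request_uri>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Lines 1-7 are from this chapter; the last two are constructed for the example.
SAMPLE_LOG = """\
127.0.0.1 - [16/Aug/2018:14:20:37 +0800] test2.com "/asdgags" 301 "-" "curl/7.29.0"
127.0.0.1 - [16/Aug/2018:14:20:48 +0800] test1.com "/asdgags" 301 "-" "curl/7.29.0"
127.0.0.1 - [16/Aug/2018:14:20:52 +0800] test.com "/asdgags" 404 "-" "curl/7.29.0"
192.168.244.128 - [16/Aug/2018:16:33:59 +0800] test.com "/admin/admin.html" 200 "-" "curl/7.29.0"
192.168.244.128 - [16/Aug/2018:16:34:22 +0800] test.com "/admin/admin.html" 403 "-" "curl/7.29.0"
192.168.16.100 - [16/Aug/2018:16:46:38 +0800] test.com "/admin/admin.html" 403 "-" "curl/7.29.0"
192.168.16.100 - [16/Aug/2018:16:47:16 +0800] test.com "/admin/admin.html" 403 "-" "curl/7.29.0"
203.0.113.9 10.0.0.5, 10.0.0.6 [16/Aug/2018:16:50:00 +0800] test.com "/" 200 "-" "Mozilla/5.0"
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of the fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every non-blank line; returns (records, number_of_unparsed_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def status_by_host(records):
    """{host: Counter({status: count})}"""
    out = defaultdict(Counter)
    for r in records:
        out[r["host"]][r["status"]] += 1
    return dict(out)


def denied_clients(records, threshold=2):
    """Clients (by $remote_addr) that received at least `threshold` 401/403 responses."""
    hits = Counter(r["remote_addr"] for r in records if r["status"] in (401, 403))
    return sorted(addr for addr, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} unparsed")
    for host, counts in status_by_host(recs).items():
        print(host, dict(counts))
    print("repeatedly denied:", denied_clients(recs))
```

Run it on a real file with `parse_log(open("/tmp/test.com.log").read())`; the unparsed count is worth watching, since a line that does not match is usually a request containing a quote or bracket in the URI or User-Agent.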
12.11 Nginx log rotation
Now that there are logs, log rotation naturally follows: splitting them by date makes them easy to search.
Here we use our own log rotation script.
#! /bin/bash
## assumes the nginx logs are stored under /data/logs/
d=$(date -d "-1 day" +%Y%m%d)
logdir="/data/logs"
nginx_pid="/usr/local/nginx1.14/logs/nginx.pid"
cd $logdir || exit 1
for log in *.log # glob all logs; the logs to be rotated must end in .log
do
[ -e "$log" ] || continue # when no .log file exists the pattern is left unexpanded; skip it
mv "$log" "$log-$d"
done
/bin/kill -HUP $(cat $nginx_pid)
[root@localhost: nginx1.14]# vim /usr/local/sbin/nginx_logrotate.sh
[root@localhost: nginx1.14]# mkdir -p /data/logs
写脚本的时候可以在bash里测试。
[root@localhost: nginx1.14]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180815
+ logdir=/data/logs
+ nginx_pid=/usr/local/nginx1.14/logs/nginx.pid
+ cd /data/logs
++ ls '*.log'
ls: cannot access *.log: No such file or directory
++ cat /usr/local/nginx1.14/logs/nginx.pid
+ /bin/kill -HUP 924
The -x option shows which step of the script is being executed; in this run the directory was still empty, which is exactly the case the existence test in the loop guards against.
Expired logs also need to be deleted.
The rotation also needs to run every day just after midnight.
All of this can be added to the scheduled tasks with crontab -e.
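The two items still open above (deleting expired logs, and running unattended every night) are shown in the following added example, which is not the course's script. It does what the shell script does, renaming every *.log to *.log-YYYYMMDD with yesterday's date, then removes rotated files older than keep_days and signals nginx to reopen its logs. USR1 is nginx's documented log-reopen signal; the script above uses HUP, a full reload, which also reopens them. The demo runs in a temporary directory on constructed files; the install path in the cron line below is an assumption.

```python
"""Log rotation with expiry (added example, not the course's script).

Renames *.log to *.log-YYYYMMDD, deletes rotated files older than keep_days by the
date in their suffix, then asks nginx (pid from its pid file) to reopen log files.
"""
import glob
import os
import signal
import tempfile
from datetime import date, datetime, timedelta


def reopen_logs(pid_file):
    """Send USR1 to the pid in pid_file; False if the file or process is missing."""
    try:
        with open(pid_file) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, signal.SIGUSR1)
    except (OSError, ValueError):
        return False
    return True


def rotate_logs(logdir, pid_file, keep_days=30, today=None):
    """Rotate *.log in logdir; returns {"rotated": [...], "deleted": [...], "reopened": bool}."""
    today = today or date.today()
    stamp = (today - timedelta(days=1)).strftime("%Y%m%d")
    rotated, deleted = [], []
    for path in sorted(glob.glob(os.path.join(logdir, "*.log"))):
        target = f"{path}-{stamp}"
        if os.path.exists(target):          # already rotated today: leave it alone
            continue
        os.rename(path, target)
        rotated.append(os.path.basename(target))
    cutoff = today - timedelta(days=keep_days)
    for path in sorted(glob.glob(os.path.join(logdir, "*.log-????????"))):
        try:
            when = datetime.strptime(path[-8:], "%Y%m%d").date()
        except ValueError:
            continue                        # suffix is not a date: not one of ours, skip
        if when < cutoff:
            os.remove(path)
            deleted.append(os.path.basename(path))
    return {"rotated": rotated, "deleted": deleted, "reopened": reopen_logs(pid_file)}


def run_demo():
    """Constructed fixture: two live logs and one rotated file from January."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("access.log", "test.com.log", "access.log-20180101"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("constructed\n")
        result = rotate_logs(tmp, os.path.join(tmp, "missing.pid"),
                             keep_days=30, today=date(2018, 8, 16))
        result["remaining"] = sorted(os.listdir(tmp))
        return result


if __name__ == "__main__":
    print(run_demo())
```

Installed as, for example, /usr/local/sbin/nginx_logrotate.py (an assumed path) with a main that calls rotate_logs("/data/logs", "/usr/local/nginx1.14/logs/nginx.pid"), a crontab -e entry of `0 0 * * * /usr/bin/python3 /usr/local/sbin/nginx_logrotate.py` runs it at midnight; the existence check on the target file makes a second run on the same day harmless.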
12.12 Static files: no logging and expiry time
Add the configuration directly to the virtual host configuration file:
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /usr/local/nginx1.14/html/test.com;
if ( $host != 'test.com' )
{
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~ /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx1.14/conf/htpasswd;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
access_log /data/logs/test.com.log combined_realip;
}
Note how the match patterns are written.
[root@localhost: nginx1.14]# /usr/local/nginx1.14/sbin/nginx -t
nginx: the configuration file /usr/local/nginx1.14//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx1.14//conf/nginx.conf test is successful
[root@localhost: nginx1.14]# /usr/local/nginx1.14/sbin/nginx -s reload
[root@localhost: nginx1.14]# echo "123" > html/test.com/1.gif
[root@localhost: nginx1.14]# echo "123" > html/test.com/2.js
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/1.gif
123
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/2.js
123
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/index.htm
404 Not Found
404 Not Found
nginx/1.14.0
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@localhost: nginx1.14]# cat /data/logs/test.com.log
127.0.0.1 - [16/Aug/2018:14:46:06 +0800] test.com "/index.htm" 404 "-" "curl/7.29.0"
127.0.0.1 - [16/Aug/2018:14:46:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
The test succeeded.
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 06:47:55 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Thu, 16 Aug 2018 04:45:51 GMT
Connection: keep-alive
ETag: "5b75017f-9"
Accept-Ranges: bytes
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 06:48:05 GMT
Content-Type: application/javascript
Content-Length: 4
Last-Modified: Thu, 16 Aug 2018 06:45:16 GMT
Connection: keep-alive
ETag: "5b751d7c-4"
Expires: Thu, 16 Aug 2018 18:48:05 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
The Expires header now appears.
12.13 Nginx hotlink protection
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 10d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
This configuration can be combined with the earlier one. The ~* after location makes the match case-insensitive.
Note that when several locations match, the more precise match takes effect, so watch the expiry times; the test results follow, see the Extensions for details.
[root@localhost: nginx1.14]# echo "123" > html/test.com/4.gif
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/4.gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 07:41:33 GMT
Content-Type: image/gif
Content-Length: 4
Last-Modified: Thu, 16 Aug 2018 07:41:27 GMT
Connection: keep-alive
ETag: "5b752aa7-4"
Expires: Thu, 23 Aug 2018 07:41:33 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost: nginx1.14]# fg
vim conf/vhost/test.com.conf
[1]+ Stopped vim conf/vhost/test.com.conf
[root@localhost: nginx1.14]# echo "123" > html/test.com/5.Gif
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/5.Gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 07:43:30 GMT
Content-Type: image/gif
Content-Length: 4
Last-Modified: Thu, 16 Aug 2018 07:43:21 GMT
Connection: keep-alive
ETag: "5b752b19-4"
Expires: Sun, 26 Aug 2018 07:43:30 GMT
Cache-Control: max-age=864000
Accept-Ranges: bytes
[root@localhost: nginx1.14]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/5.Gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 07:48:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost: nginx1.14]# curl -e "http://www.test.com" -x127.0.0.1:80 test.com/5.Gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 07:48:14 GMT
Content-Type: image/gif
Content-Length: 4
Last-Modified: Thu, 16 Aug 2018 07:43:21 GMT
Connection: keep-alive
ETag: "5b752b19-4"
Expires: Sun, 26 Aug 2018 07:48:14 GMT
Cache-Control: max-age=864000
Accept-Ranges: bytes
[root@localhost: nginx1.14]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/4.gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 07:48:32 GMT
Content-Type: image/gif
Content-Length: 4
Last-Modified: Thu, 16 Aug 2018 07:41:27 GMT
Connection: keep-alive
ETag: "5b752aa7-4"
Expires: Thu, 23 Aug 2018 07:48:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
return 403; can also be written as deny all;
Parameter description:
- none: the "Referer" header is absent
- blocked: the "Referer" header is present but its value was removed by a proxy or firewall; such values do not start with http:// or https://, but look like "Referer: XXXXXXX"
- server_names: the "Referer" header contains one of the current server_names (the current domain)
- arbitrary string: defines a server name and an optional URI prefix; the host name may start or end with *; the port in the referring host is ignored when the header is checked
- regular expression: the ~ prefix; the https:// or http:// at the start of the string is excluded from what is matched
Note
Hotlink protection based on Referer is quite basic and only prevents simple resource theft; a request with a constructed Referer is easy to make.
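To make the parameter list concrete, here is an added example (not from the course notes) that models how nginx evaluates valid_referers for the rule list used above, `none blocked server_names *.test.com`, and returns the 403 or 200 the location would produce. It also shows what the check does and does not look at: only the host part of the Referer is compared, so a name hidden in the query string or appended as a subdomain of another host does not pass. The referer values in the test are constructed.

```python
"""Model of nginx valid_referers / $invalid_referer (added example, not from the notes).

Rule semantics as nginx documents them: "none" accepts a missing Referer, "blocked"
accepts one whose scheme a proxy or firewall removed, "server_names" accepts the
server's own names, other strings are host patterns (leading or trailing *) with an
optional URI prefix, and a "~" entry is a regex applied to the text after the scheme.
"""
import re
from urllib.parse import urlsplit


def _host_matches(pattern, host):
    """Host pattern with optional leading/trailing *; a port in the pattern is ignored."""
    p = pattern.lower().split(":")[0]
    if p.startswith("*"):
        return host.endswith(p[1:])
    if p.endswith("*"):
        return host.startswith(p[:-1])
    return host == p


def invalid_referer(referer, rules, server_names):
    """True when nginx would set $invalid_referer, i.e. the request is refused."""
    if not referer:
        return "none" not in rules
    if not re.match(r"https?://", referer, re.I):
        return "blocked" not in rules
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()       # host only: port, path and query are not the host
    path = parts.path or "/"
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if any(_host_matches(n, host) for n in server_names):
                return False
        elif rule.startswith("~"):
            if re.search(rule[1:], re.sub(r"^https?://", "", referer, flags=re.I)):
                return False
        else:
            rule_host, _, rule_uri = rule.partition("/")
            if _host_matches(rule_host, host) and path.startswith("/" + rule_uri):
                return False
    return True


def serve_or_403(referer, rules, server_names):
    """The location above: 403 when $invalid_referer is set, otherwise 200."""
    return 403 if invalid_referer(referer, rules, server_names) else 200


# Configuration from this section.
RULES = ["none", "blocked", "server_names", "*.test.com"]
SERVER_NAMES = ["test.com", "test1.com", "test2.com"]

if __name__ == "__main__":
    for ref in (None, "http://www.baidu.com", "http://www.test.com", "http://www.test.com.evil.example/"):
        print(f"{ref!r:40} -> {serve_or_403(ref, RULES, SERVER_NAMES)}")
```

The first three cases reproduce the curl results above (no -e, -e with baidu, -e with www.test.com). Because the header is supplied by the client, this is a deterrent against casual embedding, not an access control; the note above says as much.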
12.14 Nginx access control
Requirement: requests for the /admin/ directory are to be allowed only from a few IPs. Configuration:
location ~ /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx1.14/conf/htpasswd;
# allow 192.168.244.128;
allow 127.0.0.1;
deny all;
}
Because the whole 127.0.0.0 range is the local machine, all of it can access, but 192.168.244.128 cannot.
[root@localhost: nginx1.14]# /usr/local/nginx1.14/sbin/nginx -s reload
[root@localhost: nginx1.14]# curl -x127.0.0.1:80 test.com/admin/admin.html -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:33:31 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@localhost: nginx1.14]# curl -ulhy:123 -x127.0.0.1:80 test.com/admin/admin.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:33:40 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 16 Aug 2018 04:49:21 GMT
Connection: keep-alive
ETag: "5b750251-f"
Accept-Ranges: bytes
[root@localhost: nginx1.14]# curl -ulhy:123 -x127.0.0.2:80 test.com/admin/admin.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:33:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 16 Aug 2018 04:49:21 GMT
Connection: keep-alive
ETag: "5b750251-f"
Accept-Ranges: bytes
[root@localhost: nginx1.14]# curl -ulhy:123 -x192.168.244.128:80 test.com/admin/admin.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:33:59 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 16 Aug 2018 04:49:21 GMT
Connection: keep-alive
ETag: "5b750251-f"
Accept-Ranges: bytes
[root@localhost: nginx1.14]# fg
vim conf/vhost/test.com.conf
[1]+ Stopped vim conf/vhost/test.com.conf
[root@localhost: nginx1.14]# /usr/local/nginx1.14/sbin/nginx -s reload
[root@localhost: nginx1.14]# curl -ulhy:123 -x192.168.244.128:80 test.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:34:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Add a new network interface and test again: set its IP to 192.168.16.100 and allow 192.168.244.128. The final result shows the configuration behaves as expected.
[root@localhost: ~]# ifconfig
ens33: flags=4163 mtu 1500
inet 192.168.244.128 netmask 255.255.255.0 broadcast 192.168.244.255
inet6 fe80::8672:7640:d3da:4d8b prefixlen 64 scopeid 0x20
ether 00:0c:29:7a:e1:b0 txqueuelen 1000 (Ethernet)
RX packets 20156 bytes 1696173 (1.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8738 bytes 1260816 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163 mtu 1500
inet 192.168.96.128 netmask 255.255.255.0 broadcast 192.168.96.255
inet6 fe80::4aab:12c8:1809:8a24 prefixlen 64 scopeid 0x20
ether 00:0c:29:7a:e1:ba txqueuelen 1000 (Ethernet)
RX packets 9 bytes 1780 (1.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 2406 (2.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 702 bytes 64716 (63.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 702 bytes 64716 (63.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost: ~]# ifup ens37
/usr/sbin/ifup: configuration for ens37 not found.
Usage: ifup
[root@localhost: ~]# echo $?
1
[root@localhost: ~]# ifconfig ens37 192.168.16.100/24
[root@localhost: ~]# ifconfig
ens33: flags=4163 mtu 1500
inet 192.168.244.128 netmask 255.255.255.0 broadcast 192.168.244.255
inet6 fe80::8672:7640:d3da:4d8b prefixlen 64 scopeid 0x20
ether 00:0c:29:7a:e1:b0 txqueuelen 1000 (Ethernet)
RX packets 20308 bytes 1708127 (1.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8812 bytes 1270158 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163 mtu 1500
inet 192.168.16.100 netmask 255.255.255.0 broadcast 192.168.16.255
inet6 fe80::4aab:12c8:1809:8a24 prefixlen 64 scopeid 0x20
ether 00:0c:29:7a:e1:ba txqueuelen 1000 (Ethernet)
RX packets 9 bytes 1780 (1.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 2406 (2.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 702 bytes 64716 (63.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 702 bytes 64716 (63.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost: ~]# curl -x127.0.0.1:80 www.baidu.com
Nginx1.14 default site
[root@localhost: ~]# curl -x192.168.244.128:80 www.baidu.com
Nginx1.14 default site
[root@localhost: ~]# curl -x192.168.16.100:80 www.baidu.com
Nginx1.14 default site
[root@localhost: ~]# curl -ulhy:123 -x192.168.16.100:80 test.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:46:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost: ~]# fg
-bash: fg: current: no such job
[root@localhost: ~]# vim /usr/local/nginx1.14/conf/vhost/test.com.conf
[1]+ Stopped vim /usr/local/nginx1.14/conf/vhost/test.com.conf
[root@localhost: ~]# /usr/local/nginx1.14/sbin/nginx -s reload
[root@localhost: ~]# curl -ulhy:123 -x192.168.16.100:80 test.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:47:16 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost: ~]# curl -ulhy:123 -x192.168.244.128:80 test.com/admin/admin.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 16 Aug 2018 08:47:28 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 16 Aug 2018 04:49:21 GMT
Connection: keep-alive
ETag: "5b750251-f"
Accept-Ranges: bytes
Look at the access log:
192.168.244.128 - [16/Aug/2018:16:33:59 +0800] test.com "/admin/admin.html" 200 "-" "curl/7.29.0"
192.168.244.128 - [16/Aug/2018:16:34:22 +0800] test.com "/admin/admin.html" 403 "-" "curl/7.29.0"
192.168.16.100 - [16/Aug/2018:16:46:38 +0800] test.com "/admin/admin.html" 403 "-" "curl/7.29.0"
192.168.16.100 - [16/Aug/2018:16:47:16 +0800] test.com "/admin/admin.html" 403 "-" "curl/7.29.0"
192.168.244.128 - [16/Aug/2018:16:47:28 +0800] test.com "/admin/admin.html" 200 "-" "curl/7.29.0"
Likewise, restrictions can be set per directory.
Regular expressions can be matched:
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
Restrict by user_agent:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Here deny and return 403 have the same effect.
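The three controls in this section (allow/deny by address, the user_agent test and the PHP-in-upload-directory location) follow rules that are easy to get subtly wrong, so here is an added example, not from the course notes, that models them: allow/deny pairs are evaluated in order, the first match wins and no match allows; the ~ operator is case-sensitive; a location regex is matched against the URI path without the query string. It also shows that allow 127.0.0.1 names a single address (nginx treats it as /32; the whole loopback range would be 127.0.0.0/8) and that the address check decides before basic auth, which is why a correct password still gets 403 from a denied address. The addresses are those from this section plus constructed ones.

```python
"""Model of nginx access controls from this section (added example, not from the notes):
allow/deny evaluation, the $http_user_agent test and the upload-directory PHP location.
"""
import ipaddress
import re


def ip_allowed(client_ip, rules):
    """Evaluate (action, target) pairs in order; the first match wins, no match allows.
    Targets may be an address, a CIDR block or "all"; "unix:" never matches a TCP client."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action == "allow"
        try:
            net = ipaddress.ip_network(target, strict=False)   # a bare address becomes /32
        except ValueError:
            continue
        if ip.version == net.version and ip in net:
            return action == "allow"
    return True


def admin_response(client_ip, credentials_ok, rules):
    """Response for /admin/: the address check decides first, then basic auth."""
    if not ip_allowed(client_ip, rules):
        return 403
    return 200 if credentials_ok else 401


# `if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')`: ~ is case-sensitive, ~* is not
BLOCKED_UA = re.compile(r"Spider/3.0|YoudaoBot|Tomato")


def ua_blocked(user_agent):
    return bool(BLOCKED_UA.search(user_agent or ""))


# `location ~ .*(abc|image)/.*\.php$`: matched against the URI path only (no query string)
PHP_UNDER_UPLOAD = re.compile(r".*(abc|image)/.*\.php$")


def php_in_upload_dir(uri):
    return bool(PHP_UNDER_UPLOAD.search(uri.split("?", 1)[0]))


# The two rule sets tried in this section.
RULES_LOCAL_ONLY = [("allow", "127.0.0.1"), ("deny", "all")]
RULES_WITH_LAN = [("allow", "192.168.244.128"), ("allow", "127.0.0.1"), ("deny", "all")]

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.244.128", "192.168.16.100"):
        print(ip, admin_response(ip, True, RULES_LOCAL_ONLY), admin_response(ip, True, RULES_WITH_LAN))
```

The misordered rule set in the test (`deny all` before `allow 127.0.0.1`) locks everyone out, which is the mistake a first-match rule makes easy; keep the specific allows first and `deny all` last, as the notes do.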
12.15 Nginx PHP parsing configuration
The configuration is as follows:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx1.14/html/test.com$fastcgi_script_name;
}
Without this block, PHP is not parsed.
[root@localhost: ~]# vim /usr/local/nginx1.14/html/test.com/3.php
[root@localhost: ~]# cat !$
cat /usr/local/nginx1.14/html/test.com/3.php
[root@localhost: ~]# curl -x127.0.0.1:80 test.com/3.php | head
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0