标签:nginx
1. 配置第二个虚拟主机
可以在nginx.conf 加一行
include conf/vhosts/*.conf;
这样,我们就可以在 conf/vhosts目录下创建虚拟主机配置文件了。
[root@localhost conf]# pwd
/usr/local/nginx/conf
[root@localhost conf]# mkdir vhosts
[root@localhost conf]# cd vhosts/
[root@localhost vhosts]# touch default.conf
[root@localhost vhosts]# cat default.conf
server
{
listen 80 default;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html/;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
[root@localhost vhosts]# cat discaz.conf
server
{
listen 80;
server_name www.123.com www.aaa.com www.bbb.com;
index index.html index.htm index.php;
root /data/www;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
}
2.用户认证
首先需要安装apache,可以使用yum install httpd 安装
生成密码文件,创建用户
[root@localhost log]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/.htpasswd aming // 添加aming用户,第一次添加时需要加-c参数,第二次添加时不需要-c参数
在nginx的配置文件中添加
location / {
root /data/www/uc_server;
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
3.域名重定向
if ($host != ‘www.123.com‘ ) {
rewrite ^/(.*)$ http://www.123.com/$1 permanent;
}
[root@localhost ~]# curl -x127.0.0.1:80 www.aaa.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Sun, 17 May 2015 18:59:07 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.123.com/
[root@localhost ~]# curl -x127.0.0.1:80 www.123.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Sun, 17 May 2015 18:59:19 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.37
location: forum.php
4.日志相关
日志切割:
编写脚本:
vim /usr/local/sbin/logrotate.sh //加入
#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`
/bin/mv /home/logs/discuz.log /home/logs/discuz_$d.log
/etc/init.d/nginx reload >/dev/null 2>/dev/null
[root@localhost vhosts]# vi /usr/local/nginx/conf/vhosts/discaz.conf //在虚拟机配置文件内添加一下内容
access_log /home/logs/discuz.log combined_realip;
[root@localhost vhosts]# cat /home/logs/discuz_20150517.log
127.0.0.1 - [18/May/2015:03:27:09 +0800]www.123.com "/uc_server/" 302"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
日志格式
[root@localhost conf]# vi /usr/local/nginx/conf/nginx.conf //在此文件内更改日志的格式
log_format main ‘$remote_addr - $remote_user [$time_local] $request ‘
‘"$status" $body_bytes_sent "$http_referer" ‘
‘"$http_user_agent" "$http_x_forwarded_for"‘;
log_format main1 ‘$proxy_add_x_forwarded_for - $remote_user [$time_local] ‘
‘"$request" $status $body_bytes_sent ‘
‘"$http_referer" "$http_user_agent"‘; //此日志格式为,ip不仅记录代理的ip还记录远程客户端真实IP。
错误日志error_log日志级别
error_log 级别分为 debug, info, notice, warn, error, crit 默认为crit, 该级别在日志名后边定义格式如下:
error_log /your/path/error.log crit;
crit 记录的日志最少,而debug记录的日志最多。如果你的nginx遇到一些问题,比如502比较频繁出现,但是看默认的error_log并没有看到有意义的信息,那么就可以调一下错误日志的级别,当你调成error级别时,错误日志记录的内容会更加丰富。
5.静态文件不记录日志,配置缓存
[root@localhost vhosts]# vi discaz.conf
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$
{
expires 12h;
access_log off;
}
[root@localhost ~]# curl -x127.0.0.1:80 ‘http://www.123.com/static/image/common/logo.png‘ -I
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sun, 17 May 2015 19:48:54 GMT
Content-Type: image/png
Content-Length: 4425
Last-Modified: Fri, 26 Dec 2014 01:49:42 GMT
Connection: keep-alive
ETag: "549cbeb6-1149"
Expires: Tue, 16 Jun 2015 19:48:54 GMT
Cache-Control: max-age=
Accept-Ranges: bytes2592000
6.防盗链
在 nginx.conf中的server部分中添加如下代码
[root@localhost vhosts]# vi discaz.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com *.123.com *.aaa.com *.bbb.com ; // 对这些域名的网站不进行盗链。
if ($invalid_referer) {
return 403;
rewrite ^/ http://www.example.com/nophoto.gif;
}
}
说明:如果前面配置中已经加了
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
access_log off;
}
那么会和这一部分重复,这时候上面的生效,所以,我们需要把两者合在一起。如下:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 30d;
valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com *.123.com *.aaa.com *.bbb.com; // 对这些域名的网站不进行盗链。
if ($invalid_referer) {
return 403;
rewrite ^/ http://www.example.com/nophoto.gif;
}
access_log off;
}
[root@localhost vhosts]# curl -x127.0.0.1:80 -e "http://dawe.com/sfawe" ‘http://www.123.com/static/image/common/logo.png‘ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: Sun, 17 May 2015 20:02:37 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
7.访问控制
限制只让某个ip访问
deny 127.0.0.1;
allow all;
[root@localhost ~]# curl -x127.0.0.1:80 www.123.com -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: Mon, 18 May 2015 18:57:30 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost ~]# vi /usr/local/nginx/conf/vhosts/discaz.conf //限制某个目录的访问
location /uc_server/ {
allow 192.168.1.119;
deny all;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
}
[root@localhost uc_server]# curl -x127.0.0.1:80 www.123.com/uc_server/ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: Mon, 18 May 2015 19:26:23 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
有时候会根据目录来限制php解析:
location ~ .*(diy|template|attachments|forumdata|attachment|image)/.*\.php$
{
deny all;
}
[root@localhost uc_server]# curl -x127.0.0.1:80 www.123.com/sfweagf/image/ssfas.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: Mon, 18 May 2015 19:43:59 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
在实验中我发现在虚拟主机配置文件中若将php解析文件的配置放在限制前会报错为404,可见今后在配置时需要多注意逻辑顺序
[root@localhost uc_server]# curl -x127.0.0.1:80 www.123.com/sfweagf/image/ssfas.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.6.2
Date: Mon, 18 May 2015 19:42:43 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.37
使用 user_agent 控制客户端访问
location /
{
if ($http_user_agent ~ ‘bingbot/2.0|MJ12bot/v1.4.2|Spider/3.0|YoudaoBot|Tomato|Gecko/20100315‘){
return 403;
}
}
8.伪静态
rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
rewrite ^([^\.]*)/(fid|tid)-([0-9]+)\.html$ $1/index.php?action=$2&value=$3 last;
9.nginx 代理
server {
listen 80;
server_name aaa.com;
location / {
proxy_pass http://2.2.2.2/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# access_log /home/logs/aaa_access.log combined;
}
如果后端的机器有多台
upstream bbb
{
server 1.2.3.1:80;
server 1.2.3.4:80;
}
server {
listen 80;
server_name bbb.com;
location / {
proxy_pass http://bbb/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# access_log /home/logs/bb_access.log combined;
}
扩展学习:
根据访问的目录来区分后端的web http://www.lishiming.net/thread-920-1-1.html
针对请求的uri来代理 http://www.lishiming.net/thread-1049-1-1.html
标签:nginx
原文地址:http://9950284.blog.51cto.com/9940284/1652604