Category: LINUX
2018-08-14 09:52:40
12.6 Nginx installation
12.7 Default virtual host
12.8 Nginx user authentication
12.9 Nginx domain redirect
Nginx default virtual host:
server {
    listen 80;
    server_name www.baotao.com;
    location / {
        root /data/wwwroot/default;
        index index.html;
    }
}
server {
    listen 80 default_server;   # designates the default virtual host; if none is designated, the first server block is the default
    server_name www.baidu.com;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root html;
        index index.html index.htm;
    }
}
Nginx user authentication:
Modify the main configuration file:
location / {
    root html;
    index index.html index.htm;
    auth_basic "Only vip";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
[root@localhost nginx]# yum -y install httpd
[root@localhost nginx]# htpasswd -c /usr/local/nginx/conf/.htpasswd zhangsan
New password:
Re-type new password:
Adding password for user zhangsan
[root@localhost nginx]# ./sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# ./sbin/nginx -s reload
Then access the site to test it.
Nginx domain redirect:
server {
    listen 80 default_server;
    server_name www.baidu.com www1.baidu.com www2.baidu.com;   # with several names listed the order carries no weight, so no primary domain can be identified; also used when a site has changed its domain but the old names still need to be promoted to the new one
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root html/abc;
        index index.html index.htm;
        # every host other than the primary domain is sent to www.baidu.com
        if ($host != 'www.baidu.com') {
            rewrite ^/(.*)$ http://www.baidu.com/$1 permanent;   # '^' means "starts with"; the first half can also be written http://$host/(.*)$; $1 is the (.*) capture; permanent gives a 301, redirect gives a 302
        }
    }
}
[root@localhost nginx]# curl -x127.0.0.1:80 www2.baidu.com/abc -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.0
Date: Thu, 24 May 2018 23:15:14 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.baidu.com/abc
[root@localhost nginx]# curl -x127.0.0.1:80 www6.baidu.com/abc -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.0
Date: Thu, 24 May 2018 23:16:27 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.baidu.com/   # still reachable here because the default virtual host is www.baidu.com; with a different default virtual host the result changes
After removing the default_server designation from that virtual host:
[root@localhost nginx]# curl -x127.0.0.1:80 www6.baidu.com/abc -I
HTTP/1.1 404 Not Found
Server: nginx/1.6.0
Date: Thu, 24 May 2018 23:18:20 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Nginx access log:
Define the log format:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
main is the name of the log format; it can be changed, and whatever name is used here is what later directives must reference.
The definition looks like it spans several lines, but for nginx a line ends only at the semicolon, so this is a single log format.
HTTP Referer is part of the request header: when a browser sends a request to the web server it normally includes Referer, telling the server which page the link came from, and the server can use this information for processing.
HTTP_USER_AGENT identifies the visitor's operating system (with version), browser (with version) and personal preferences.
time_local              local timestamp
host                    requested host
remote_addr             client (remote) address
request                 request URI
request_time            total time of the whole request
body_bytes_sent         size of the response body sent
status                  HTTP status
upstream_addr           address of the backend that served the request (the proxy target)
upstream_response_time  response time of the upstream
upstream_status         upstream status
http_referer            referring URL
http_user_agent         the client browser's User-Agent
Define our own log format:
Note: the log format definition must be placed inside the server{} block.
log_format main '$remote_addr $http_x_forwarded_for [$time_local]'
                ' $host "$request_uri" $status'
                ' "$http_referer" "$http_user_agent"';   # the variable needs the leading $; without it the literal text http_user_agent is written to the log
server {
    listen 80;
    server_name www.baotao.com;
    access_log /tmp/taobao.com.log main;
    location / {
        root /data/wwwroot/default;
        index index.html;
    }
}
Then access the site and look at the log:
[root@localhost nginx]# curl -x127.0.0.1:80 www.taobao.com -I
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 24 May 2018 23:34:53 GMT
Content-Type: text/html
Content-Length: 8
Last-Modified: Thu, 24 May 2018 15:58:14 GMT
Connection: keep-alive
ETag: "5b06e116-8"
Accept-Ranges: bytes
[root@localhost nginx]# vim /tmp/taobao.com.log
Nginx log rotation:
[root@localhost nginx]# vim /usr/local/sbin/nginx_logretate.sh
#!/bin/bash
#nginx_log_path=/tmp/
# yesterday's date as YYYYMMDD, appended to the rotated file name
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
# pid file, needed for the HUP at the end
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
# reopen the log files so nginx writes to fresh files instead of the renamed ones
/bin/kill -HUP `cat $nginx_pid`
Explanation: the log files are assumed to live under the path set in logdir.
date -d "-1 day" +%Y%m%d: produces yesterday's date as year, month and day.
nginx_pid="/usr/local/nginx/logs/nginx.pid": locates the pid file, needed for the HUP in the last step.
/bin/kill -HUP `cat $nginx_pid` is equivalent to nginx -s reload. The previous step moved or renamed the log; without this, nginx keeps writing to the file at its original location (now renamed), so it must be reloaded to start writing a new log file.
The for loop can also be written on a single line:
[root@localhost ~]# for f in `ls `; do ls -l $f; done
The for loop in the script moves each day's log into its own file with mv. Running it at 00:00 every day means each file holds exactly one day's log.
[root@localhost nginx]# sh -x /usr/local/sbin/nginx_logretate.sh
-x: show each command as the script executes
Test run of the script.
[root@localhost nginx]# sh -x /usr/local/sbin/nginx_logretate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20180524
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls taobao.com.log
+ for log in '`ls *.log`'
+ mv taobao.com.log taobao.com.log-20180524
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 29470
[root@localhost nginx]# ls /tmp/taobao.com.log*
/tmp/taobao.com.log /tmp/taobao.com.log-20180524
These rotated logs can also be cleaned up:
[root@localhost nginx]# find /tmp/ -name '*.log-*' -type f -mtime +30 | xargs rm
Select files older than 30 days and delete them.
More on xargs: http://man.linuxde.net/xargs
Once the script is written, schedule it with cron:
[root@localhost nginx]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_logretate.sh
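The rotation script above parses the output of ls and leaves the find pattern unquoted, which breaks on file names with spaces and lets the shell expand `*.log-*` in the wrong directory. The following is an added example, not the note's own script: the same rotate, reopen and purge steps written as functions with safe quoting. Paths, the date stamp and the 30-day retention are assumptions, and the HUP is skipped when no pid file exists so the functions can be exercised in a scratch directory.

```bash
#!/bin/bash
# Added example: rotation and purge in the spirit of nginx_logretate.sh,
# written as functions. Paths and retention period are assumptions.

# rotate_logs LOGDIR DATESTAMP
# Renames every *.log in LOGDIR to NAME.log-DATESTAMP. A glob replaces
# `ls *.log`, so names with spaces survive and an empty directory is a
# no-op instead of an error.
rotate_logs() {
    logdir="$1"
    d="$2"
    for log in "$logdir"/*.log; do
        [ -e "$log" ] || continue      # no *.log files: the glob stayed literal
        mv -- "$log" "$log-$d"
    done
}

# reopen_nginx PIDFILE
# Sends HUP so nginx reopens its logs under the original names; quietly
# skipped when there is no pid file (e.g. in a test directory).
reopen_nginx() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 0
    /bin/kill -HUP "$(cat "$pidfile")"
}

# purge_old LOGDIR DAYS
# Deletes rotated files (*.log-*) older than DAYS days. The pattern is
# quoted so find, not the shell, expands it; -print0/-0 keeps odd names
# intact and -r avoids running rm with no arguments.
purge_old() {
    find "$1" -name '*.log-*' -type f -mtime "+$2" -print0 | xargs -0 -r rm -f --
}

# stand-alone run, the same sequence the note schedules from cron at 00:00
if [ "${1:-}" = "run" ]; then
    rotate_logs /tmp "$(date -d '-1 day' +%Y%m%d)"
    reopen_nginx /usr/local/nginx/logs/nginx.pid
    purge_old /tmp 30
fi
```

Run it as `nginx_rotate.sh run` from the crontab entry; without the argument the file only defines the functions, so it can be sourced and tested against a temporary directory.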
Nginx: disable logging for static files and set an expiry time:
server {
    listen 80;
    server_name www.baotao.com;
    access_log /tmp/taobao.com.log main;
    location / {
        root /data/wwwroot/default;
        index index.html;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 7d;
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
}
The backslash escapes the dot in the regular-expression match.
expires: expiry time; the file is cached in the browser for that long.
Test:
[root@localhost nginx]# cd /data/wwwroot/default/
[root@localhost default]# ls
index.html
[root@localhost default]# vim 1.gif
[root@localhost default]# ls
1.gif index.html
[root@localhost default]# vim a.js
[root@localhost nginx]# curl -x127.0.0.1:80 www.taobao.com/1.gif
seaqefiajwoeiajf;ahi
[root@localhost nginx]# curl -x127.0.0.1:80 www.taobao.com/a.js
jsjsjsjsjsjsjsjsjsj
[root@localhost nginx]# curl -x127.0.0.1:80 www.taobao.com/index.html
kgc.com
[root@localhost nginx]# vim /tmp/taobao.com.log
[root@localhost nginx]# cat /tmp/taobao.com.log
127.0.0.1 - [25/May/2018:08:14:24 +0800] www.taobao.com "/index.html" 200 "-" "http_user_agent"
Accessing the .js file is not logged.
[root@localhost nginx]# curl -x127.0.0.1:80
404 Not Found
[root@localhost nginx]# cat /tmp/taobao.com.log
127.0.0.1 - [25/May/2018:08:14:24 +0800] www.taobao.com "/index.html" 200 "-" "http_user_agent"
127.0.0.1 - [25/May/2018:08:16:43 +0800] www.taobao.com "/a.jsaaaaaaa" 404 "-" "http_user_agent"
[root@localhost nginx]# curl -x127.0.0.1:80 www.taobao.com/a.js -I
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 25 May 2018 00:18:12 GMT
Content-Type: application/javascript
Content-Length: 20
Last-Modified: Fri, 25 May 2018 00:09:36 GMT
Connection: keep-alive
ETag: "5b075440-14"
Expires: Fri, 25 May 2018 12:18:12 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
max-age=43200: the cache lifetime in seconds. If no expiry is configured, this header is absent.
Nginx hotlink protection:
It can be combined with the no-logging and expiry settings:
server {
    listen 80;
    server_name www.taobao.com www1.taobao.com www2.taobao.com;
    root /data/wwwroot/default;
    location ~* ^.+\.(gif|jpg|jpeg|swf|flv|rar|zip|doc|pdf|gz|bz2|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.taobao.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
}
~*: case-insensitive match
[root@localhost nginx]# curl -x127.0.0.1:80 www.taobao.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 25 May 2018 00:30:27 GMT
Content-Type: image/gif
Content-Length: 21
Last-Modified: Fri, 25 May 2018 00:09:18 GMT
Connection: keep-alive
ETag: "5b07542e-15"
Expires: Fri, 01 Jun 2018 00:30:27 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost nginx]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.taobao.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.0
Date: Fri, 25 May 2018 00:30:46 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost nginx]# curl -e "http://www.taobao.com/1.txt" -x127.0.0.1:80 www.taobao.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 25 May 2018 00:30:59 GMT
Content-Type: image/gif
Content-Length: 21
Last-Modified: Fri, 25 May 2018 00:09:18 GMT
Connection: keep-alive
ETag: "5b07542e-15"
Expires: Fri, 01 Jun 2018 00:30:59 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
http://man.linuxde.net/curl   # -e sets the referring URL, i.e. the Referer
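The three curl calls above exercise only two of the cases that `valid_referers none blocked server_names *.taobao.com;` distinguishes. The shell function below is an added example, not nginx's code or the note's: it models that decision so every case (no header, header without a scheme, matching host, foreign host, port in the host) can be checked offline. The host list is assumed from the server_name line of the block above, and the sample Referer values are constructed.

```bash
#!/bin/sh
# Added example: models the decision nginx makes for
#   valid_referers none blocked server_names *.taobao.com;
# Not nginx's own code; host list and sample values are assumptions.

# The names the server block lists (server_names expands to them) plus the
# *.taobao.com wildcard entry.
VALID_REFERER_HOSTS="www.taobao.com www1.taobao.com www2.taobao.com *.taobao.com"

# referer_host URL: host part of an http(s) URL, lowercased, port dropped
referer_host() {
    h="${1#*://}"          # strip the scheme
    h="${h%%/*}"           # cut at the first slash (the path)
    h="${h%%:*}"           # drop :port; the port is ignored in the comparison
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# check_referer REFERER
# Prints "allow" or "deny". Pass "" for a request without a Referer header.
check_referer() {
    ref="$1"
    # none: the header is absent (direct visits, bookmarks, a plain curl)
    if [ -z "$ref" ]; then
        echo allow; return
    fi
    # blocked: header present but without an http:// or https:// scheme,
    # typically because a proxy or firewall rewrote it
    case "$ref" in
        http://*|https://*) ;;
        *) echo allow; return ;;
    esac
    host=$(referer_host "$ref")
    for pat in $VALID_REFERER_HOSTS; do
        # an unquoted entry in a case pattern keeps "*" active, which
        # gives the same prefix wildcard nginx applies to *.taobao.com
        case "$host" in
            $pat) echo allow; return ;;
        esac
    done
    echo deny              # $invalid_referer would be set: return 403
}

# stand-alone run: one line per sample value
if [ "${1:-}" = "demo" ]; then
    for r in "" "www.taobao.com" "http://www.taobao.com/1.txt" "http://www.baidu.com/1.txt"; do
        printf '%-32s %s\n' "[$r]" "$(check_referer "$r")"
    done
fi
```

Note that a bare `http://taobao.com/` is denied: the wildcard `*.taobao.com` requires a dot before the suffix, so the apex domain has to be listed separately if it should be allowed.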
Nginx access control:
Requirement: requests for the /admin/ directory are allowed only from a few IPs:
location /admin/ {
    allow 127.0.0.1;
    deny all;
}
[root@localhost nginx]# curl -I -x127.0.0.1:80 www.taobao.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 25 May 2018 00:40:25 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Fri, 25 May 2018 00:35:20 GMT
Connection: keep-alive
ETag: "5b075a48-6"
Accept-Ranges: bytes
[root@localhost nginx]# vim conf/nginx.conf
[root@localhost nginx]# ./sbin/nginx -s reload
[root@localhost nginx]# curl -I -x192.168.10.11:80 www.taobao.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.6.0
Date: Fri, 25 May 2018 00:40:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost nginx]# cat /tmp/taobao.com.log
127.0.0.1 - [25/May/2018:08:40:25 +0800] www.taobao.com "/admin/" 200 "-" "http_user_agent"
192.168.10.11 - [25/May/2018:08:40:54 +0800] www.taobao.com "/admin/" 403 "-" "http_user_agent"
Check the source IP in the log.
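Reading the source IP off two log lines is easy; with a day of traffic the same question (who was denied, how often, and by which rule) needs a script. The following is an added shell example, not part of the note, that works on the custom log format defined in the access-log section above. SAMPLE_LOG is constructed for the example, and its last field assumes the format variable is written as $http_user_agent.

```bash
#!/bin/sh
# Added example: summarise access-log lines written in the note's custom
# format  $remote_addr $http_x_forwarded_for [$time_local] $host
# "$request_uri" $status "$http_referer" "$http_user_agent".
# SAMPLE_LOG is constructed for this example, not captured from a server.

SAMPLE_LOG='127.0.0.1 - [25/May/2018:08:40:25 +0800] www.taobao.com "/admin/" 200 "-" "curl/7.29.0"
192.168.10.11 - [25/May/2018:08:40:54 +0800] www.taobao.com "/admin/" 403 "-" "curl/7.29.0"
192.168.10.11 - [25/May/2018:08:41:02 +0800] www.taobao.com "/admin/" 403 "-" "curl/7.29.0"
192.168.10.12 - [25/May/2018:08:41:30 +0800] www.taobao.com "/1.gif" 403 "http://www.baidu.com/1.txt" "Mozilla/5.0"
192.168.10.12 - [25/May/2018:08:41:31 +0800] www.taobao.com "/index.html" 200 "-" "Mozilla/5.0"'

# awk splits on blanks, so for this format the fields are:
#   $1 remote_addr  $2 x_forwarded_for  $3-$4 time_local  $5 host
#   $6 request_uri  $7 status  $8 http_referer  $9.. user agent

# status_by_ip STATUS  (reads the log on stdin)
# Prints "IP COUNT" for every client that received STATUS, busiest first;
# ties are broken by IP so the output is stable.
status_by_ip() {
    awk -v want="$1" '$7 == want { n[$1]++ }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# repeat_offenders THRESHOLD  (reads the log on stdin)
# IPs with at least THRESHOLD 403 responses: the first thing to look at
# when asking where the denied requests came from.
repeat_offenders() {
    status_by_ip 403 | awk -v t="$1" '$2 >= t { print $1 }'
}

# denied_paths  (reads the log on stdin)
# One line per 403: client, path and the Referer sent. A Referer of "-"
# points at the allow/deny rule, a foreign URL at the hotlink check.
denied_paths() {
    awk '$7 == 403 { gsub(/"/, "", $6); gsub(/"/, "", $8); print $1, $6, $8 }'
}

# stand-alone run: show the summary for the constructed sample
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | status_by_ip 403
    printf '%s\n' "$SAMPLE_LOG" | denied_paths
fi
```

On a real server replace the sample with `status_by_ip 403 < /tmp/taobao.com.log`; because `access_log off` is set for the static locations, hotlink denials on images only show up here if that `access_log off` line is removed from the protected location.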
Nginx proxy:
server {
    listen 80;
    server_name ;
    location / {
        proxy_pass ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
No local directory is accessed at all.
Requests to the local server are served by the remote server behind it.
Nginx with SSL
Generate an SSL key pair
First the openssl tool is required:
[root@localhost nginx]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64
[root@localhost nginx]# cd conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048    # the .key file is the private key
Generating RSA private key, 2048 bit long modulus
......................+++
......................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:    # enter the passphrase 123456
[root@localhost conf]# openssl rsa -in tmp.key -out kgc.key    # convert the key, removing the passphrase; -in: key to convert, -out: output file
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -rf tmp.key
[root@localhost conf]# openssl req -new -key kgc.key -out kgc.csr    # generate the certificate signing request; it is combined with the private key to produce the public certificate file
……
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:kgc
Organizational Unit Name (eg, section) []:kgc
Common Name (eg, your name or your server's hostname) []:ca.kgc.com
Email Address []:admin@kgc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
Getting Private key
crt is the public-key certificate, key is the private key, CSR is the certificate signing request, and X.509 is a certificate format. For an X.509 certificate the certifier is always a CA or someone designated by the CA; an X.509 certificate is a collection of standard fields that carry information about the user or device and its corresponding public key.
Configure SSL in Nginx
The ssl module must be added at compile time.
[root@localhost nginx-1.6.0]# ./configure --help | grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@localhost nginx-1.6.0]# yum -y install openssl-devel
cd /usr/src/nginx-1.6.0/
yum -y install openssl-devel
./configure --prefix=/usr/local/nginx --with-http_ssl_module --user=nginx --group=nginx --with-http_stub_status_module
make
make install
/usr/local/nginx/sbin/nginx -V
cd /usr/local/nginx/
[root@localhost nginx]# ./sbin/nginx restart
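The key-generation walkthrough above stops at the CSR; the "Signature ok / Getting Private key" lines come from the signing step that produces the .crt, and the server block that uses the pair is not shown. The script below is an added example, not the note's own commands: it builds the key, CSR and a self-signed certificate non-interactively, checks that the certificate really belongs to the key before nginx is pointed at it, and prints the server block. File names follow the note (kgc.key, kgc.csr, kgc.crt); the subject, the 365-day validity, the document root and the directory layout are assumptions.

```bash
#!/bin/sh
# Added example (not the note's own commands): non-interactive key, CSR and
# self-signed certificate, a key/cert consistency check, and the server
# block that would use the pair. Subject and paths are assumptions.

# make_selfsigned DIR: writes DIR/kgc.key, DIR/kgc.csr and DIR/kgc.crt
make_selfsigned() {
    dir="$1"
    # RSA key without a passphrase: nginx opens it at start-up with nobody
    # present to type a password, which is why the note strips the
    # passphrase with "openssl rsa" before using the key.
    openssl genrsa -out "$dir/kgc.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/kgc.key"      # the private key must not be world-readable
    # the CSR, with the subject given on the command line instead of the
    # interactive prompts shown in the note
    openssl req -new -key "$dir/kgc.key" -out "$dir/kgc.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=kgc/OU=kgc/CN=ca.kgc.com" || return 1
    # sign the request with the same key (self-signed, 365 days); this is
    # the step that prints "Signature ok" / "Getting Private key"
    openssl x509 -req -days 365 -in "$dir/kgc.csr" -signkey "$dir/kgc.key" \
        -out "$dir/kgc.crt" 2>/dev/null || return 1
}

# key_matches_cert KEY CRT: succeeds only when CRT's public key comes from
# KEY (same RSA modulus). A mismatched pair is what nginx -t reports as
# "key values mismatch", so check it before reloading.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject CRT: the subject line, to confirm the CN before deployment
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# nginx_ssl_snippet DIR: the server block that uses the pair (assumed
# layout; nginx must have been built with --with-http_ssl_module)
nginx_ssl_snippet() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name ca.kgc.com;
    ssl_certificate     $1/kgc.crt;
    ssl_certificate_key $1/kgc.key;
    location / {
        root /data/wwwroot/default;
        index index.html;
    }
}
EOF
}

# stand-alone run: build the pair in a scratch directory and verify it
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_selfsigned "$work" && key_matches_cert "$work/kgc.key" "$work/kgc.crt" \
        && cert_subject "$work/kgc.crt" && nginx_ssl_snippet "$work"
fi
```

A self-signed certificate is enough to test the ssl module; for a public site the kgc.csr would be sent to a CA instead of being signed with the same key, and the CA's .crt is what goes into ssl_certificate.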