
Default virtual host, Nginx user authentication, Nginx PHP parsing configuration, Nginx proxy

2018-07-05 22:58

Nginx default virtual host

First edit nginx.conf and delete the entire server block

vim /usr/local/nginx/conf/nginx.conf

*Delete the following*
server

{
listen 80;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}


Then add the line include vhost/*.conf; below

gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm
application/xml;
*Add this line*
include vhost/*.conf;

}


Create the vhost directory: mkdir /usr/local/nginx/conf/vhost

Then enter it and create aaa.com.conf

[root@aminglinux-01 conf]# cd vhost/
[root@aminglinux-01 vhost]# vim aaa.com.conf


Edit aaa.com.conf

server
{
listen 80 default_server;  # the server carrying this flag is the default virtual host
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}


Create /data/wwwroot/default and put some content in it

[root@aminglinux-01 vhost]# mkdir -p  /data/wwwroot/default
[root@aminglinux-01 vhost]# cd /data/wwwroot/default/


vim index.html and write: This is the default site.

Check for syntax errors: /usr/local/nginx/sbin/nginx -t

[root@aminglinux-01 default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-01 default]#


Reload: /usr/local/nginx/sbin/nginx -s reload

Test with curl localhost; the correct result is:

[root@aminglinux-01 conf]# curl localhost
This is the default site.


Nginx user authentication

vim /usr/local/nginx/conf/vhost/test.com.conf  # write the following content

server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;

location  /
{
auth_basic              "Auth";
auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
}
}


Then install the package that provides the password-file tool: yum install -y httpd

Generate the password

[root@aminglinux-01 vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd aming
New password:
Re-type new password:
Adding password for user aming
[root@aminglinux-01 vhost]#


Test with -t, then reload

Test

[root@aminglinux-01 vhost]# curl -x192.168.245.130:80 test.com
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@aminglinux-01 vhost]#


401 means access was denied; try again with the username and password: curl -uaming:123456 -x192.168.245.130:80 test.com

[root@aminglinux-01 vhost]# curl -uaming:123456 -x192.168.245.130:80 test.com
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@aminglinux-01 vhost]#


The 404 is because the document root for test.com has not been created yet

[root@aminglinux-01 vhost]# mkdir /data/wwwroot/test.com
[root@aminglinux-01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html
[root@aminglinux-01 vhost]# curl -uaming:123456 -x192.168.245.130:80 test.com
test.com
[root@aminglinux-01 vhost]#


To require authentication only for a particular file or directory, edit test.com.conf under vhost

location  /admin/      # put the file or directory you want to restrict right after location
{
auth_basic              "Auth";
auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
}

Nginx domain redirect

Modify test.com.conf

server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite  ^/(.*)$  http://test.com/$1  permanent;
}
}


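server_name accepts multiple domain names; compare this with how httpd does it

permanent is a permanent redirect with status code 301; writing redirect instead gives 302

^/(.*)$: the leading ^ stands for the domain name, and the /(.*)$ after it stands for whatever follows the domain name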

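Nginx access log

Log format

vim /usr/local/nginx/conf/nginx.conf  # search for log_format

$remote_addr                client IP (public IP)
$http_x_forwarded_for       IP of the proxy server
$time_local                 server local time
$host                       requested host name (domain)
$request_uri                requested URL
$status                     status code
$http_referer               referer
$http_user_agent            user_agent


Besides defining the log format in the main configuration file nginx.conf, you also need to add access_log /tmp/1.log combined_realip; to the virtual host configuration file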

server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;

location  /
{
auth_basic              "Auth";
auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
}
access_log /tmp/1.log combined_realip;

}


Here combined_realip is the name of the log format defined in nginx.conf

Check and reload: -t && -s reload

Test: curl -x192.168.245.130:80 test.com -I

cat /tmp/1.log

[root@aminglinux-01 vhost]# curl -x192.168.245.130:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Sat, 21 Oct 2017 01:25:36 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"

[root@aminglinux-01 vhost]# cat /tmp/1.log
192.168.245.130 - [21/Oct/2017:09:25:36 +0800] test.com "/" 401 "-" "curl/7.29.0"
[root@aminglinux-01 vhost]#
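
Added example, not part of the original post: a shell function that counts 401 responses per client in a log with the combined_realip layout, a quick check for password guessing against the auth_basic location configured earlier. The field order is assumed from the sample line above, and the log lines are constructed.

```shell
#!/bin/sh
# Field order assumed from the sample log line in the post:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri"
#   $status "$http_referer" "$http_user_agent"

# count_401 FILE [MIN]: print "<count> <remote_addr>" for every peer with at
# least MIN (default 3) responses of status 401, highest count first.
count_401() {
    awk -v min="${2:-3}" '
        # $http_x_forwarded_for is sent by the client and logged unquoted, so it
        # may contain spaces and shift every later column. Read the status from
        # the right-hand end instead: nginx writes a double quote inside a
        # logged value as \x22, so the two trailing quoted fields are unambiguous.
        match($0, /" [0-9][0-9][0-9] "[^"]*" "[^"]*"$/) {
            if (substr($0, RSTART + 2, 3) == "401") hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample lines (addresses from documentation ranges). The third
# line carries an X-Forwarded-For value with spaces and brackets in it.
sample_log() {
    cat <<'EOF'
203.0.113.7 - [21/Oct/2017:09:25:36 +0800] test.com "/" 401 "-" "curl/7.29.0"
203.0.113.7 - [21/Oct/2017:09:25:37 +0800] test.com "/" 401 "-" "curl/7.29.0"
203.0.113.7 1.2.3.4, 200 [x] [21/Oct/2017:09:25:38 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
198.51.100.9 - [21/Oct/2017:09:26:01 +0800] test.com "/" 401 "-" "Mozilla/5.0"
198.51.100.9 - [21/Oct/2017:09:26:05 +0800] test.com "/" 200 "-" "Mozilla/5.0"
EOF
}

demo_log=$(mktemp)
sample_log > "$demo_log"
count_401 "$demo_log" 3    # prints: 3 203.0.113.7
rm -f "$demo_log"
```

The count is keyed on $remote_addr, the address of the TCP peer, because the X-Forwarded-For column can be set to anything by the client.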


Nginx log rotation

nginx has no built-in rotation tool, so a shell script is needed

Write the following content: vim /usr/local/sbin/nginx_logrotate.sh

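#! /bin/bash
# Yesterday's date, used as the suffix of the rotated files
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# Stop if the log directory is missing, so nothing is renamed elsewhere
cd "$logdir" || exit 1
# Rename every *.log file in the log directory to <name>-<date>
for log in `ls *.log`
do
mv "$log" "$log-$d"
done
# Signal the nginx master process so that it reopens its log files
/bin/kill -HUP `cat $nginx_pid`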


Run it as a test

[root@aminglinux-01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20171020
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls 1.log
+ for log in '`ls *.log`'
+ mv 1.log 1.log-20171020
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 850
+ /root
/usr/local/sbin/nginx_logrotate.sh:行11: /root: 是一个目录

[root@aminglinux-01 vhost]# ls /tmp/
1.log  1.log-20171020  mysql.sock  pear  php-fcgi.sock  systemd-private-b9931a4a12de47bfa443a28713c6f410-vmtoolsd.service-Fu8IIH
[root@aminglinux-01 vhost]#
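
Added example, not the author's script: the same rotation written as two shell functions that skip symlinks and non-regular files, never overwrite an earlier rotation, and validate the pid before signalling. It uses USR1, the nginx signal for reopening log files, in place of HUP; the demo runs on a constructed temp directory, and for real use the log directory is assumed to be writable only by root, since in /tmp any local user can create names matching *.log.

```shell
#!/bin/sh
# rotate_logs DIR SUFFIX: rename each regular *.log file in DIR to NAME-SUFFIX
# and print how many files were renamed.
rotate_logs() {
    dir=$1; suffix=$2; n=0
    for f in "$dir"/*.log; do
        # Skip the literal pattern of an empty directory, symlinks and
        # anything that is not a regular file.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        # Never overwrite the result of an earlier rotation.
        if [ -e "$f-$suffix" ] || [ -L "$f-$suffix" ]; then continue; fi
        if mv -- "$f" "$f-$suffix"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# reopen_logs PIDFILE: tell the nginx master to reopen its log files.
# USR1 is the nginx signal for reopening logs; the post's script uses HUP.
reopen_logs() {
    [ -s "$1" ] || return 1
    pid=$(cat "$1")
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # refuse anything that is not a plain number
    esac
    kill -USR1 "$pid"
}

# Demo on a constructed temp directory.
demo=$(mktemp -d)
: > "$demo/1.log"; : > "$demo/real"; ln -s "$demo/real" "$demo/link.log"
rotate_logs "$demo" 20171020     # prints 1; link.log is not touched
rm -rf "$demo"
```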


Disabling logging and setting expiry for static files

Config file: [root@aminglinux-01 vhost]# vim test.com.conf, then add the following configuration

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires      7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires      12h;
access_log off;
}


Nginx hotlink protection

Edit: vi /usr/local/nginx/conf/vhost/test.com.conf

First comment out the earlier configuration

#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }


Add the hotlink-protection configuration

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names  *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}

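Nginx access control

Requirement: requests to the /admin/ directory are allowed only from a few specific IPs. The configuration is as follows:

Add the configuration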

location /admin/
{
allow 127.0.0.1;
allow 192.168.245.130;
deny all;
}


Only addresses listed with allow get through; everything else is denied.

[root@aminglinux-01 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@aminglinux-01 ~]# mkdir /data/wwwroot/test.com/admin/
[root@aminglinux-01 ~]# echo “test,test”>/data/wwwroot/test.com/admin/1.html
[root@aminglinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@aminglinux-01 ~]# curl -x192.168.245.130:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Oct 2017 04:21:33 GMT
Content-Type: text/html
Content-Length: 16
Last-Modified: Tue, 24 Oct 2017 04:19:08 GMT
Connection: keep-alive
ETag: "59eebf3c-10"
Accept-Ranges: bytes


Disable PHP parsing in directories that accept uploads.

Add this configuration

location ~ .*(abc|image)/.*\.php$
{
deny all;
}


Restricting user_agent

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{
return 403;
}


Nginx PHP parsing configuration

Configure PHP parsing as follows:

vi /usr/local/nginx/conf/vhost/test.com.conf and add

location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
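
Added example, not from the original post: a simplified shell model of nginx's documented location selection (exact match, longest prefix, ^~, then regex locations in file order), applied to the location blocks this post puts in test.com.conf. It shows that a request for a .php file under /admin/ is handled by the \.php$ block, so the allow/deny or auth_basic rules in location /admin/ do not apply to it, and that the upload-directory deny only takes effect when it is listed before \.php$. The final order of the blocks in the file is an assumption, and nested locations are not modelled.

```shell
#!/bin/sh
# pick_location URI 'MOD|PATTERN'...  prints the entry nginx would select.
# MOD: "" (plain prefix), "^~", "=", "~" or "~*". Simplified model.
pick_location() {
    uri=$1; shift
    best=""; best_len=-1
    # Pass 1: an exact match wins outright; otherwise keep the longest prefix.
    for e in "$@"; do
        mod=${e%%|*}; pat=${e#*|}
        case $mod in
            '=') if [ "$uri" = "$pat" ]; then printf '%s\n' "$e"; return 0; fi ;;
            ''|'^~')
                case $uri in "$pat"*)
                    if [ "${#pat}" -gt "$best_len" ]; then best=$e; best_len=${#pat}; fi ;;
                esac ;;
        esac
    done
    # A longest prefix marked ^~ ends the search: regex locations are skipped.
    case $best in '^~|'*) printf '%s\n' "$best"; return 0 ;; esac
    # Pass 2: regex locations in file order, first match wins.
    for e in "$@"; do
        mod=${e%%|*}; pat=${e#*|}
        case $mod in
            '~')  flag=-E ;;
            '~*') flag=-Ei ;;
            *)    continue ;;
        esac
        if printf '%s\n' "$uri" | grep -q "$flag" -e "$pat"; then
            printf '%s\n' "$e"; return 0
        fi
    done
    # No regex matched: fall back to the remembered prefix location.
    printf '%s\n' "$best"
}

# Locations of test.com.conf from the post (final file order is assumed).
page_conf() {
    pick_location "$1" '|/' '|/admin/' '~|.*(abc|image)/.*\.php$' '~|\.php$'
}
# Same list with /admin/ marked ^~.
fixed_conf() {
    pick_location "$1" '|/' '^~|/admin/' '~|.*(abc|image)/.*\.php$' '~|\.php$'
}

page_conf  /admin/1.html   # |/admin/
page_conf  /admin/1.php    # ~|\.php$   (access rules of /admin/ not applied)
fixed_conf /admin/1.php    # ^~|/admin/
page_conf  /image/a.php    # ~|.*(abc|image)/.*\.php$   (denied)
```

In the real configuration the corresponding change is to write location ^~ /admin/ and place the PHP handler for that directory inside it as a nested location.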


Nginx proxy

With the following configuration, ask.apelearn.com can be reached through this machine

server
{
listen 80;
server_name ask.apelearn.com;

location /
{
proxy_pass      http://121.201.9.155/;
proxy_set_header Host   $host;
proxy_set_header X-Real-IP      $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}