LNMP Architecture, Part 2
nginx default virtual host
Edit the main configuration file nginx.conf and add one line of configuration just above the closing }
[root@www conf]# cat nginx.conf | tail -n5
    gzip_types text/plain application/x-javascript text/css text/htm application/xml;
    include vhost/*.conf;
}
[root@www conf]#

include vhost/*.conf; is the line you need to add. It means that every file ending in .conf under /usr/local/nginx/conf/vhost/ is loaded, so virtual host configuration files can simply be placed in the vhost directory.
Create the vhost directory and the virtual host configuration file
[root@www conf]# mkdir vhost
[root@www conf]# cd vhost
[root@www vhost]# vim default.conf
[root@www vhost]# cat default.conf
server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/nginx/default;
}
[root@www vhost]#
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
Create the index page
[root@www default]# cat index.html
lantern.com
[root@www default]# curl -x127.0.0.1:80 aaa.com    # test the connection to aaa.com
lantern.com
[root@www default]# curl -x127.0.0.1:80 1212.com    # a domain that is not defined anywhere is also served by aaa.com
lantern.com
[root@www default]#
User authentication
Create a new virtual host for testing and give it the following configuration
[root@www default]# cd /usr/local/nginx/conf/vhost/
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/nginx/test;
    location /
    {
        auth_basic "Auth";    # turn on authentication
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;    # file holding the users and passwords
    }
}
[root@www vhost]#

Generating the password file requires the htpasswd tool from httpd; nginx does not ship with this tool.
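Create the nginx user and set its password
[root@www vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd nginx
New password:
Re-type new password:
Adding password for user nginx
[root@www vhost]#

The -c option creates the password file and overwrites an existing one, so leave it out when adding further users.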
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]#
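Test
[root@www vhost]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 19:56:06 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@www vhost]#

Status code 401 means that the site requires authentication. Basic authentication sends the user name and password base64-encoded, not encrypted, so outside a test setup like this one it belongs behind HTTPS.
You can also test in a browser: enter the URL, then the user name and password, and the page is served.
To require authentication for one directory only, change the path after location:
change location / to location /admin/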
Domain redirection
Using test.conf for the test, change the configuration file to the following
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test;
    if ($host != 'test.com' ){
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    #location /
    #{
    #    auth_basic "Auth";
    #    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    #}
}
[root@www vhost]#

server_name can be followed by several domain names. permanent makes the redirect permanent, which is equivalent to R=301 in httpd.
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]#
Test
[root@www vhost]# curl -x127.0.0.1:80 test1.com/123.txt -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 20:20:22 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/123.txt
[root@www vhost]#
nginx access log
View the nginx log format
[root@www vhost]# grep -A2 log_format /usr/local/nginx/conf/nginx.conf
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
[root@www vhost]#

As with httpd, the log format is defined in the main configuration file. combined_realip is the name of the log format, and other directives can refer to it by that name.
Change the configuration file
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test;
    if ($host != 'test.com' ){
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    access_log /root/1.log combined_realip;
    #location /
    #{
    #    auth_basic "Auth";
    #    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    #}
}
[root@www vhost]#
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
Generate an error entry in the log and view it
[root@www vhost]# curl -x127.0.0.1:80 test.com/111
404 Not Found
404 Not Found
nginx/1.8.0
[root@www vhost]# cat /root/1.log
127.0.0.1 - [03/Jul/2018:04:31:17 +0800] test.com "/111" 404 "-" "curl/7.29.0"
[root@www vhost]#
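Added example, not part of the original post: a sketch that reads lines in the combined_realip format shown above and counts 401/403/404 responses per client address. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: count denied or failed requests (401/403/404) per client from
# a log written in the combined_realip format defined in nginx.conf above:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri"
#   $status "$http_referer" "$http_user_agent"

# Constructed sample lines in that format (not taken from a real server).
sample_log() {
cat <<'EOF'
127.0.0.1 - [03/Jul/2018:04:31:17 +0800] test.com "/111" 404 "-" "curl/7.29.0"
127.0.0.1 - [03/Jul/2018:05:56:06 +0800] test.com "/1.jss" 200 "-" "curl/7.29.0"
203.0.113.9 - [03/Jul/2018:06:00:01 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
203.0.113.9 127.0.0.1 [03/Jul/2018:06:00:02 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
203.0.113.9 10.0.0.5, 127.0.0.1 [03/Jul/2018:06:00:03 +0800] test.com "/" 401 "-" "curl/7.29.0"
198.51.100.7 - [03/Jul/2018:06:01:00 +0800] test.com "/nope" 404 "-" "curl/7.29.0"
this line is not in the expected format
EOF
}

# flag_noisy_clients THRESHOLD   (log on stdin)
# Prints "<remote_addr> <count>" for every client with at least THRESHOLD
# responses of 401, 403 or 404, sorted by address.
flag_noisy_clients() {
    awk -F'"' -v min="$1" '
        # Splitting on the double quote keeps the parse independent of
        # $http_x_forwarded_for, which the client controls and which may
        # contain spaces: field 2 is the URI and field 3 is " status ".
        NF >= 6 {
            split($1, head, " ")   # head[1] is $remote_addr, the TCP peer
            status = $3 + 0
            if (status == 401 || status == 403 || status == 404)
                hits[head[1]]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print ip, hits[ip]
        }
    ' | LC_ALL=C sort
}

# Usage with the log file from this page:
#   flag_noisy_clients 3 < /root/1.log
```

Counting by $remote_addr rather than by the X-Forwarded-For column matters here: two of the sample lines claim 127.0.0.1 in that column while the connection came from 203.0.113.9.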
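Log rotation
nginx logging is fairly simple. Unlike httpd, it has no rotation tool of its own; to rotate nginx logs you have to use the system's log rotation tool or a custom script.
Custom shell script
[root@www vhost]# vim /usr/local/sbin/nginx_log_rotate.sh
[root@www vhost]# cat !$
cat /usr/local/sbin/nginx_log_rotate.sh
#!/bin/bash
# Yesterday's date as the archive suffix (this format gives e.g. 2018+07+02)
d=`date -d "-1 day" +%Y+%m+%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# Stop if the log directory is missing, so nothing is renamed elsewhere
cd "$logdir" || exit 1
for log in *.log
do
    # Skip the literal pattern when no .log file exists
    [ -f "$log" ] || continue
    mv "$log" "$log-$d"
done
# Signal the nginx master process so that it opens new log files
/bin/kill -HUP `cat $nginx_pid`
[root@www vhost]#

That completes the log rotation script. A scheduled task (cron job) can also be added for it: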
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
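Added example, not the author's script: the same rotation written as a function that copes with an empty log directory, never overwrites an existing archive and signals nginx only when files were actually moved. It uses USR1, nginx's signal for reopening log files, where the script above uses HUP; the function name and its arguments are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not the script from the page: the same rotation as a function
# with guards. rotate_logs and its arguments are names made up for this sketch.

# rotate_logs LOGDIR STAMP PIDFILE
# Renames LOGDIR/*.log to *.log-STAMP, prints the number of files renamed and
# then asks nginx to reopen its logs.
rotate_logs() {
    logdir=$1; stamp=$2; pidfile=$3; count=0
    if [ ! -d "$logdir" ]; then
        echo "log directory not found: $logdir" >&2
        return 1
    fi
    for log in "$logdir"/*.log; do
        # With no match the pattern stays literal, so test that the file exists.
        if [ ! -f "$log" ]; then continue; fi
        # Keep an archive that already carries this stamp (e.g. a second run).
        if [ -e "$log-$stamp" ]; then
            echo "skipped, archive exists: $log-$stamp" >&2
            continue
        fi
        if mv -- "$log" "$log-$stamp"; then count=$((count + 1)); fi
    done
    # Signal only when something moved and a pid file is there. USR1 makes the
    # nginx master reopen its log files without reloading the configuration.
    if [ "$count" -gt 0 ] && [ -s "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")" || echo "could not signal nginx" >&2
    fi
    echo "$count"
}

# From cron, with the paths used in the script above:
#   rotate_logs /data/logs "$(date -d '-1 day' +%Y%m%d)" /usr/local/nginx/logs/nginx.pid
```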
Skip logging for static files and set an expiry time
Change the configuration file as follows:
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test;
    if ($host != 'test.com' ){
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 7d;
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
    access_log /root/1.log combined_realip;
    #location /
    #{
    #    auth_basic "Auth";
    #    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    #}
}
[root@www vhost]#

location ~ selects the matching static files, expires sets the expiry time, and setting access_log to off stops those requests from being written to the access log.
Test the syntax and create the files
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# echo '11111' > /data/nginx/test/1.js
[root@www vhost]# echo '11111' > /data/nginx/test/2.jpg
[root@www vhost]# touch /data/nginx/test/1.jss
Test
[root@www vhost]# curl -x127.0.0.1:80 test.com/1.js -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 21:49:58 GMT
Content-Type: application/javascript
Content-Length: 6
Last-Modified: Mon, 02 Jul 2018 21:27:14 GMT
Connection: keep-alive
ETag: "5b3a98b2-6"
Expires: Tue, 03 Jul 2018 09:49:58 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
[root@www vhost]# curl -x127.0.0.1:80 test.com/2.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 21:55:56 GMT
Content-Type: image/jpeg
Content-Length: 6
Last-Modified: Mon, 02 Jul 2018 21:27:22 GMT
Connection: keep-alive
ETag: "5b3a98ba-6"
Expires: Mon, 09 Jul 2018 21:55:56 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@www vhost]# curl -x127.0.0.1:80 test.com/1.jss -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 21:56:06 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Mon, 02 Jul 2018 21:27:52 GMT
Connection: keep-alive
ETag: "5b3a98d8-0"
Accept-Ranges: bytes
[root@www vhost]#

The max-age value in Cache-Control is the corresponding expiry time, in seconds.
Access log
[root@www vhost]# cat /root/1.log
127.0.0.1 - [03/Jul/2018:05:01:17 +0800] test.com "/111" 404 "-" "curl/7.29.0"
127.0.0.1 - [03/Jul/2018:05:56:06 +0800] test.com "/1.jss" 200 "-" "curl/7.29.0"
[root@www vhost]#

The .js, .jpg and .jss files were all requested, but only the .jss request was left in the access log.
nginx hotlink protection
Change the configuration file as follows:
[root@www vhost]# cat test.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test;
    if ($host != 'test.com' ){
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    location ~* ^.+\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer){
            return 403;
        }
        access_log off;
    }
    access_log /root/1.log combined_realip;
    #location /
    #{
    #    auth_basic "Auth";
    #    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    #}
}
[root@www vhost]#

Because this overlaps with the expiry-time and no-logging settings, the two parts are merged into one location block.
Test the syntax
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]#
Test
[root@www vhost]# curl -x127.0.0.1:80 -I -e "http://aaa.com/1.txt" test.com/2.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 22:09:34 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@www vhost]# curl -x127.0.0.1:80 -I -e "http://test.com/1.txt" test.com/2.jpg
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 22:09:47 GMT
Content-Type: image/jpeg
Content-Length: 6
Last-Modified: Mon, 02 Jul 2018 21:27:22 GMT
Connection: keep-alive
ETag: "5b3a98ba-6"
Expires: Mon, 09 Jul 2018 22:09:47 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@www vhost]#

Hotlink protection is now in effect. As the -e option in the test shows, the Referer is whatever the client sends, so this check limits embedding by other sites and is not a substitute for access control.
Access control
Change the configuration file as follows
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/nginx/test;
    if ($host != 'test.com' ){
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    location /admin/
    {
        allow 192.168.1.180;
        allow 127.0.0.1;
        deny all;
    }
}

This allows requests for the admin directory only from the listed IPs. nginx checks the allow and deny rules one by one from top to bottom, and the first rule that matches decides.
Test
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]# mkdir /data/nginx/test/admin/
[root@www vhost]# echo '123' > /data/nginx/test/admin/1.html
[root@www vhost]# curl -x127.0.0.1:80 test.com/admin/1.html
123
[root@www vhost]# curl -x192.168.1.180:80 test.com/admin/1.html
123

These are the IPs currently allowed access.

[root@www vhost]# curl -x192.168.18.126:80 test.com/admin/1.html
403 Forbidden
403 Forbidden
nginx/1.8.0
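Parsing PHP with nginx
In LNMP, PHP runs as a service: the php-fpm service has to be started first, and nginx then communicates with php-fpm.
PHP-related configuration
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/nginx/test$fastcgi_script_name;
}

fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a TCP ip:port address, this line has to be changed as well, to fastcgi_pass 127.0.0.1:9000. The address must match the one php-fpm listens on, otherwise nginx reports a 502 error.
The path after fastcgi_param SCRIPT_FILENAME is the root directory of the site. It must stay the same as the root path defined earlier, otherwise requests for PHP pages return a 404 error.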
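nginx proxy
A company has many servers and, to save costs, cannot assign a public IP to every one of them. A server without a public IP that needs to provide a web service can do so through a proxy.
Create a new configuration file and enter the settings the nginx proxy needs
[root@www vhost]# cat proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass http://223.94.95.10/;
        proxy_set_header Host $host;
    }
}
[root@www vhost]#

proxy_pass specifies the IP of the server that hosts the domain being proxied; if you do not know the IP, ping the domain to get it. proxy_set_header defines a request header sent to the backend web server; here it keeps the domain name seen by the backend web server the same as the server_name in this configuration file.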
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
Test
[root@www vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 23:06:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=49u6oflcbcl2oi17ceopo95na3; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
myheader: web1
[root@www vhost]# curl apelearn.com -I
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jul 2018 17:40:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.10
[root@www vhost]#
[root@www vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@www vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@www vhost]#

As the output above shows, everything works and the proxy is functioning.
Further reading
nginx.conf configuration explained
The four nginx rewrite flags
Summary of 502 problems
location priority