配置Nginx全过程
状态码:
200:表示正常
301:表示域名跳转
401:表示需要输入用户名和密码
403:表示可能被禁止访问
302、404:表示输入的路径可能有错
500:表示php脚本有问题
502:可能是配置错误(nginx用sock还是IP+port),也可能是资源耗尽,或者是属主问题(nginx无权访问)
写个nginx启动脚本
vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
# Absolute paths to the nginx binary, its main configuration file and its pid
# file; the functions below hand them to daemon and killproc.
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
# Has to match the "pid" directive in nginx.conf, otherwise the pid file
# lookup in stop/reload cannot find the master process.
NGINX_PID="/usr/local/nginx/logs/nginx.pid"
# Status of the last action; the script finishes with "exit $RETVAL".
RETVAL=0
# Display name used in the status messages.
prog="Nginx"
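start() {
    # Start the nginx master process with the configured nginx.conf.
    # Globals:  prog, NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
    # Returns:  the exit status reported by daemon
    echo -n $"Starting $prog: "
    # NOTE(review): /dev/shm is world-writable, and "mkdir -p" silently accepts
    # a directory that another local user created first. The nginx.conf shown
    # on this page does not reference this directory; confirm it is needed.
    mkdir -p /dev/shm/nginx_temp
    daemon "$NGINX_SBIN" -c "$NGINX_CONF"
    RETVAL=$?
    echo
    return "$RETVAL"
}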
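stop() {
    # Stop nginx by signalling the process recorded in the pid file.
    # Globals:  prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
    # Returns:  the exit status of killproc
    echo -n $"Stopping $prog: "
    # TERM asks nginx for a fast shutdown.
    killproc -p "$NGINX_PID" "$NGINX_SBIN" -TERM
    # Capture the status right away: read after the cleanup below it would be
    # rm's status, so a failed stop would still be reported as success.
    RETVAL=$?
    rm -rf /dev/shm/nginx_temp
    echo
    return "$RETVAL"
}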
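reload() {
    # Ask the running master process to re-read its configuration.
    # Globals:  prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
    # Returns:  the exit status of killproc
    echo -n $"Reloading $prog: "
    # HUP makes nginx reload nginx.conf without dropping the listening sockets.
    # An invalid configuration is rejected by nginx itself and the old one
    # stays active, so run "configtest" first to see the error.
    killproc -p "$NGINX_PID" "$NGINX_SBIN" -HUP
    RETVAL=$?
    echo
    return "$RETVAL"
}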
restart() {
    # Full restart: shut nginx down, then bring it back up.
    # start runs even when stop reported a failure, and the status handed
    # back to the caller is the one from start.
    stop
    start
}
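configtest() {
    # Validate nginx.conf with "nginx -t" without touching the running server.
    # Globals:  NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
    # Returns:  the exit status of "nginx -t" (non-zero for an invalid config)
    "$NGINX_SBIN" -c "$NGINX_CONF" -t
    # Propagate the result instead of always returning 0, so that
    # "configtest && reload" really refuses to reload a broken configuration.
    RETVAL=$?
    return "$RETVAL"
}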
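# Dispatch on the action given as the first argument. Every action leaves its
# status in RETVAL, which becomes the exit code of the script.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    configtest)
        configtest
        ;;
    *)
        # Unknown or missing action: print the usage line and exit non-zero.
        echo $"Usage: $0 {start|stop|reload|restart|configtest}"
        RETVAL=1
        ;;
esac
exit "$RETVAL"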
# Make the init script executable; mode 755 keeps it writable by its owner only.
chmod 755 /etc/init.d/nginx
# Register the script with chkconfig, then enable the service at boot.
chkconfig --add nginx
chkconfig nginx on
整理nginx配置文件
#清空原来的配置
vim /usr/local/nginx/conf/nginx.conf
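# Worker processes run as the unprivileged user/group "nobody".
user nobody nobody;
worker_processes 2;
# NOTE(review): at level "crit" nginx drops ordinary "error"-level messages.
# Failed basic-auth attempts and allow/deny rejections are presumably logged at
# that level; confirm, and use "error" if they are needed for monitoring.
error_log /usr/local/nginx/logs/nginx_error.log crit;
# The init script reads the same pid file to stop and reload nginx.
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
    use epoll;
    worker_connections 6000;
}
http
{
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 3526;
    server_names_hash_max_size 4096;
    # $remote_addr is the address of the connecting peer. $http_x_forwarded_for
    # is copied from the request header, so it is client-supplied text unless a
    # trusted proxy in front of nginx sets it; never treat it as the verified
    # client address. Adjacent quoted strings are joined without a separator.
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    '$host "$request_uri" $status'
    '"$http_referer" "$http_user_agent"';
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 30;
    # Three-minute header/body timeouts let a slow client hold a connection
    # for a long time; shorten them if slow-request exhaustion is a concern.
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 8 4k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    # Upper bound for a request body (uploads); larger requests are rejected.
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    # Temp directories hold request/response data spooled to disk; keep them
    # accessible to the nginx user only.
    client_body_temp_path /usr/local/nginx/client_body_temp;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
    fastcgi_intercept_errors on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm application/xml;
    # Virtual hosts: one file per site. A log format that a vhost names in
    # access_log must be defined in this http block.
    include vhosts/*.conf;
}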
添加虚拟主机
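# Keep the default virtual host in a file of its own.
mkdir /usr/local/nginx/conf/vhosts
vim /usr/local/nginx/conf/vhosts/default.conf  # the default vhost carries the extra "default" on its listen line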
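server
{
    # Catch-all server: answers requests whose Host header matches no other
    # server_name, so unknown host names never reach a real site.
    listen 80 default;
    server_name localhost;
    index index.html index.htm index.php;
    root /data/abc;
    location ~ \.php$ {
        # Hand a request to PHP only when the file really exists under root.
        # Without this check a URI such as /upload/pic.jpg/x.php still reaches
        # php-fpm, which (depending on cgi.fix_pathinfo) may run pic.jpg as PHP.
        try_files $uri =404;
        include fastcgi_params;
        # NOTE(review): /tmp is world-writable. Prefer a socket in a directory
        # only php-fpm and nginx can access; the path must match php-fpm's
        # "listen" setting.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/abc$fastcgi_script_name;
    }
}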
#设置个空目录,让它403
#第二虚拟主机独立一个文件
vim /usr/local/nginx/conf/vhosts/123.conf #第二个虚拟主机
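server
{
    # Name-based virtual host: only requests with "Host: www.123.com" land here.
    listen 80;
    server_name www.123.com;
    index index.html index.htm index.php;
    root /data/www;
    location ~ \.php$ {
        # Hand a request to PHP only when the file really exists under root.
        # Without this check a URI such as /upload/pic.jpg/x.php still reaches
        # php-fpm, which (depending on cgi.fix_pathinfo) may run pic.jpg as PHP.
        try_files $uri =404;
        include fastcgi_params;
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        # TCP variant: php-fpm must listen on 127.0.0.1:9000. Keep it bound to
        # loopback; FastCGI has no authentication of its own.
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}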
#只能用域名访问,nginx通过fastcgi的端口加IP的形式把php交给php-fpm处理,最后返回给nginx代理
#虚拟主机的根目录为/data/www
Nginx用户认证
#独立一段添加
#工具apache的htpasswd,限制后台admin.php
vim /usr/local/nginx/conf/vhosts/123.conf
# Password-protect every URI that ends in "admin.php".
# Regex locations are tried in the order they appear and the first match wins,
# so this block has to come before the generic "location ~ \.php$" block;
# placed after it, admin.php would be served without authentication.
location ~ .*admin\.php$ {
# Realm text shown in the browser's login prompt.
auth_basic "tingshi";
# Basic auth sends the password with every request, only base64-encoded.
# This vhost listens on plain port 80, so the credentials cross the network
# in clear text; serve the admin page over TLS before relying on this.
auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
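# The password file lives in the conf directory, outside every web root, so it
# cannot be downloaded. It should be readable by the nginx worker user, not by
# everyone.
touch /usr/local/nginx/conf/.htpasswd
# Create user "aming" with Apache's htpasswd tool. -c creates the file and
# overwrites an existing one; leave -c out when adding further users.
htpasswd -c /usr/local/nginx/conf/.htpasswd aming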
#每个动态网页都需要php解析
域名重定向
#外部添加
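listen 80;
server_name www.123.com www.abc.com;
# Canonical-host redirect: any accepted host name other than www.123.com gets
# a 301 to the same path on www.123.com. The target host is a fixed literal,
# so the redirect cannot be steered elsewhere through the Host header.
if ($host != 'www.123.com')
{
    rewrite ^/(.*)$ http://www.123.com/$1 permanent;
}
index index.html index.htm index.php;
root /data/www;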
#支持多个域名重定向,在外层设置重定向
/usr/local/nginx/sbin/nginx -s reload
不记录指定文件类型日志/配置静态文件过期时间
#独立一段添加
# Access log for the whole server, written in the log format named "aming".
# NOTE(review): /tmp is world-writable; a log directory that only root and
# nginx can write to is the safer place for a file a root cron job rotates.
access_log /tmp/access.log aming; # set at the global (server) level
# Images and flash: cacheable for 30 days and not logged.
# Requests matched here leave no trace in the access log, which also removes
# them from any later traffic analysis or incident review.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
access_log off;
}
# Scripts and style sheets: cacheable for 12 hours and not logged.
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
#在设置access_log之前要打开nginx配置文件 vim /usr/local/nginx/conf/nginx.conf
其中定好日志的格式log_format aming,aming就是格式的名字,被access_log引用;其它两个location在外面定义
expires 30d #配置静态文件的过期时间
日志切割
vim /usr/local/sbin/nginx_logroate.sh
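#!/bin/bash
# Rotate the nginx access log once a day: move the live log to a file named
# after yesterday's date, make nginx reopen its log, then compress the archive.
#
# NOTE(review): this runs from cron and works entirely under /tmp, which every
# local user can write to. A pre-created /tmp/nginx_log or a planted symlink
# would make this job write where it was not meant to. A root-owned log
# directory (nginx.conf on this page already uses /usr/local/nginx/logs)
# avoids that; the access_log path has to be changed together with it.
d=$(date -d "-1 day" +%F)
[ -d /tmp/nginx_log ] || mkdir /tmp/nginx_log
# Nothing to rotate if the move fails, so skip the reload in that case.
mv /tmp/access.log "/tmp/nginx_log/$d.log" || exit 1
# nginx keeps writing to the moved file until it reopens its logs.
/etc/init.d/nginx reload > /dev/null
cd /tmp/nginx_log || exit 1
gzip -f "$d.log"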
crontab -e #加入到计划任务
0 0 * * * /bin/bash /usr/local/sbin/nginx_logroate.sh
#每天的0点执行
静态文件的过期时间
#内部添加
# Static images and flash: browsers may cache them for 30 days, and requests
# for them are not written to the access log.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
access_log off;
}
expires 30d #配置静态文件的过期时间
配置防盗链
#防止某张图片或者某些东西被另一个网站盗用,内部添加
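# Hotlink protection for images and archives.
# The Referer header is set by the client, so this only stops other sites from
# embedding the files in ordinary browsers; it is not access control. Files
# that must stay private need real authentication.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|rar|zip|bz2)$
{
    expires 30d;
    access_log off;
    # none    = request carries no Referer header at all
    # blocked = Referer present but stripped by a proxy or firewall
    # followed by the host names that may link to these files
    valid_referers none blocked *.123.com *.abc.com;
    if ($invalid_referer)
    {
        return 403;
    }
}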
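# Test: -e sets the Referer header, -x sends the request through the local
# nginx, -I asks for the response headers only.
curl -e "http://www.baidu.com/123" -x127.0.0.1:80 'http://www.123.com/static/image/common/titlebg.png' -I  # returns 403
curl -e "http://www.123.com/123" -x127.0.0.1:80 'http://www.123.com/static/image/common/titlebg.png' -I  # returns 200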
指定referer的时候就应该带上 http://
访问控制
#限制某些IP,外部添加限定整个根目录,内部添加限制某些文件,定义了匹配对象的时候优先匹配
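server
{
    listen 80;
    server_name www.123.com www.abc.com;
    if ($host != 'www.123.com')
    {
        rewrite ^/(.*)$ http://www.123.com/$1 permanent;
    }
    index index.html index.htm index.php;
    root /data/www;
    access_log /tmp/access.log aming;
    # Server-level rule: applies to every location that has no allow/deny
    # rules of its own.
    deny 127.0.0.1;
    location ~ .*admin\.php$ {
        # Rules are checked top to bottom and the first match decides. A
        # location with its own rules does not inherit the server-level ones,
        # so admin.php is reachable from 127.0.0.1 only.
        # NOTE(review): the rules compare against the connecting address. If
        # nginx sits behind another proxy, every request arrives from that
        # proxy's address; confirm the topology before relying on this.
        allow 127.0.0.1;
        deny all;
        #auth_basic "tingshi";
        #auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
    # The server block is closed further down the page, after the user-agent rule.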
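# Check the rules from both addresses (-I: response headers only).
# With the configuration above, admin.php should be served to 127.0.0.1,
# forum.php should be refused for 127.0.0.1 by the server-level deny, and
# admin.php should be refused when the request comes in via 192.168.134.132.
curl -x127.0.0.1:80 www.123.com/admin.php -I
curl -x127.0.0.1:80 www.123.com/forum.php -I
curl -x192.168.134.132:80 www.123.com/admin.php -I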
当定义了匹配对象的时候优先匹配,也就是越精准越优先;当没有定义匹配对象的时候,是从上到下逐条匹配。
禁止指定user_agent
#禁止某些搜索引擎,在外部配置
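# Refuse requests whose User-Agent contains curl, baidu or youdao
# (~* is a case-insensitive regex match anywhere in the header value).
# The User-Agent is whatever the client chooses to send, so this keeps out
# well-behaved crawlers and default tools only; it is not a security control.
if ($http_user_agent ~* 'curl|baidu|youdao')
{
    return 403;
}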
}
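# -A sets the User-Agent. The first request matches "baidu"; the second sends
# curl's default User-Agent, which contains "curl". Both should get 403.
curl -A "qwewbaiduq" -x127.0.0.1:80 www.123.com/admin.php -I
curl -x 127.0.0.1:80 www.123.com/admin.php -I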
nginx代理
#代理百度的IP,独立一个文件
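# Backend pool for the reverse proxy.
# NOTE(review): the same address is listed twice; presumably a stand-in for
# two different backends.
upstream bbb
{
    server 14.215.177.38;
    server 14.215.177.38;
}
server {
    listen 80;
    server_name www.baidu.com;
    location / {
        proxy_pass http://bbb/;
        # Forward the host name the client asked for.
        proxy_set_header Host $host;
        # Address of the peer that connected to this nginx.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends that address to any X-Forwarded-For value the client sent.
        # Everything before the last entry is client-supplied, so the backend
        # should trust only the entry added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log /home/logs/bb_access.log combined;
}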
curl -x127.0.0.1:80 www.baidu.com -I
本文出自 “11736718” 博客,请务必保留此出处http://11746718.blog.51cto.com/11736718/1876249
配置Nginx全过程