环境:
2台虚拟机:
server1:172.25.70.1
server2:172.25.70.2
物理机:
172.25.70.250
一、压缩网页内容
1.制作一个比较大的默认发布页网页(这里只是借 /etc/passwd 凑出一个足够大的文本文件;该文件包含本机全部账户名,只适合隔离的实验环境,对外提供服务的站点应换用其他大文本文件)
cp /etc/passwd .
mv passwd index.html
vim index.html
2.修改Nginx配置文件,使其可以压缩网页
vim /usr/local/nginx/conf/nginx.conf
======================================
33 gzip on;  # turn on gzip compression of responses
34 gzip_min_length 1;  # compress responses from 1 byte upwards, so even a tiny test page shows the effect
35 gzip_comp_level 2;  # compression level 2
36 gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd/php image/jpeg image/gif image/png;  # MIME types compressed in addition to text/html; NOTE(review): the image types are already-compressed formats — confirm they are meant to be listed
3.重新加载配置文件内容
./nginx -s reload
网页访问172.25.70.1,F12查看
4.将刚才的修改注释,再次重新加载配置文件内容
./nginx -s reload
网页访问172.25.70.1,F12查看,与开启压缩时的结果对比
二、制作Nginx的systemd服务快捷方式
1.下载安装httpd
yum install -y httpd
2.复制httpd的systemd服务快捷方式文件,并为Nginx重写
cd /usr/lib/systemd/system/
cp httpd.service /etc/systemd/system/nginx.service
vim nginx.service
====================================================
# systemd unit for the source-built nginx under /usr/local/nginx (adapted from httpd.service).
[Unit]
Description=The Nginx HTTP Server
# Order this unit after networking, remote filesystems and name lookup.
After=network.target remote-fs.target nss-lookup.target
[Service]
# Type=forking: ExecStart is expected to fork into the background and exit.
# NOTE(review): no PIDFile= is set, so systemd has to guess the main PID —
# consider pointing PIDFile= at nginx's pid file.
Type=forking
# Start, reload and stop all call the binary installed under /usr/local/nginx/sbin.
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
# Give the service its own private /tmp and /var/tmp.
PrivateTmp=true
[Install]
# "systemctl enable" hooks the unit into the multi-user target.
WantedBy=multi-user.target
3.测试
systemctl start nginx.service
systemctl status nginx.service
systemctl stop nginx.service
systemctl status nginx.service
三、限制客户端网页访问速度
1.修改Nginx的配置文件
cd /usr/local/nginx/
vim conf/nginx.conf
=====================================================================
37 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;  # 10 MB shared zone "one", keyed by client address, 1 request per second; NOTE(review): behind a reverse proxy this key is the proxy's address unless realip rewrites it — confirm for the deployment
52 location /search/ {
53 limit_req zone=one burst=5;  # enforce zone "one" under /search/; up to 5 excess requests are queued, further ones are rejected
54 }
2.新建目录
mkdir html/search
3.重新加载Nginx配置文件内容
systemctl reload nginx.service
4.测试
浏览器输入:http://172.25.70.1/search/vim.jpg
压力测试:
ab -c 1 -n 10 http://172.25.70.1/search/vim.jpg
vim conf/nginx.conf
===================
52 location /search/ {
53 limit_rate 50k;  # cap the response transfer speed at 50 KB/s; the cap applies per request, not per client
54 limit_req zone=one burst=5;  # request-rate limit from zone "one" with a queue of 5
55 }
重新加载配置文件
systemctl reload nginx.service
再次测试
ab -c 1 -n 10 http://172.25.70.1/search/vim.jpg
四、Nginx的模块使用:realip、image_filter、http_ssl
1.解决依赖性
yum install -y openssl-devel
yum install -y gd-devel-2.0.35-26.el7.x86_64.rpm
2.编译模块
./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-http_image_filter_module --with-http_ssl_module
=======================================================================================================================================
make
3.查看编译好的Nginx版本
[root@server1 nginx-1.15.9]# ls
auto CHANGES.ru configure html Makefile objs src
CHANGES conf contrib LICENSE man README
[root@server1 nginx-1.15.9]# cd objs/
[root@server1 objs]# ./nginx -V
nginx version: nginx/1.15.9
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module --with-http_image_filter_module --with-http_ssl_module
4.替换二进制执行文件
[root@server1 objs]# cp -f nginx /usr/local/nginx/sbin/
cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
[root@server1 objs]#
5.修改配置文件
vim /usr/local/nginx/conf/nginx.conf
===============================
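127 server {
128 listen 80;
129 server_name server1.example.org;
130 set_real_ip_from 172.25.13.1;  # the forwarded header is honoured only for connections from this address; NOTE(review): it is outside the 172.25.70.x lab addresses used elsewhere — confirm it is the proxy's address
131 real_ip_header X-Forwarded-For;  # header name corrected from "X-Forward-For", which proxies do not send
132 real_ip_recursive on;  # use the last address in the header that is not a trusted proxy
133 location / {
134 return 200 "client real ip: $remote_addr\n";  # echo the address nginx settled on; the terminating ";" was missing
135 }
136 }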
image_filter
1.修改配置文件
vim /usr/local/nginx/conf/nginx.conf
53 location /search/ {
54 #limit_rate 50k;
55 limit_req zone=one burst=5;  # request-rate limit from zone "one" stays in place
56 image_filter resize 150 100;  # proportionally shrink images served from /search/ to fit within 150x100 (needs the http_image_filter module built above)
57 }
2.测试
浏览器访问:http://172.25.70.1/search/vim.jpg
ssl加密
1.修改配置文件
vim /usr/local/nginx/conf/nginx.conf
======================================
110 server {
111 listen 443 ssl;  # HTTPS virtual host on port 443
112 server_name www.westos.org;
113
114 ssl_certificate cert.pem;  # relative path: the file is copied into the nginx conf directory later in this walkthrough
115 ssl_certificate_key cert.pem;  # same file as the certificate, so it holds the private key too; NOTE(review): keep it readable by root only
116
117 ssl_session_cache shared:SSL:1m;  # 1 MB TLS session cache shared between worker processes
118 ssl_session_timeout 5m;  # a cached session may be reused for 5 minutes
119
120 ssl_ciphers HIGH:!aNULL:!MD5;  # OpenSSL "HIGH" suites, minus unauthenticated and MD5-based ones
121 ssl_prefer_server_ciphers on;  # the server's cipher order wins over the client's
122  # NOTE(review): no ssl_protocols directive, so this build's default protocol list applies — confirm legacy TLS versions are not offered
123 location / {
124 root /web;  # document root for the HTTPS site
125 index index.html index.htm;
126 }
127 }
2.建立/web目录,编写网页发布文件
[root@server1 conf]# mkdir /web
[root@server1 conf]# vim /web/index.html
3.生成证书(自签名证书,仅用于测试;从下面的输出可以看到,生成的 cert.pem 同时包含未加密的私钥和证书)
[root@server1 conf]# cd /etc/pki/tls/certs/
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.+++
....................................+++
writing new private key to '/tmp/openssl.GT9GkG'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:linux
Organizational Unit Name (eg, section) []:westis
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@westos.org
[root@server1 certs]# ls
ca-bundle.crt cert.pem Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
4.将证书复制到nginx配置文件目录,重新加载nginx配置(cert.pem 内含私钥,复制后应确认文件权限仍然只允许root读取)
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf/
[root@server1 certs]# systemctl reload nginx.service
5.测试
浏览器输入:https://172.25.70.1/
realip
环境准备:在server2上安装nginx,用作反向代理(负载均衡)
#安装必要依赖
[root@server2 ~]# yum install -y gd-devel-2.0.35-26.el7.x86_64.rpm openssl-devel pcre-devel gc
#配置模块
[root@server2 nginx-1.15.9]# ./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
#编译安装
[root@server2 nginx-1.15.9]# make && make install
#制作软链接
[root@server2 nginx-1.15.9]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
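#建立nginx用户(注意:useradd nginx 创建的是带家目录和登录shell的普通账户;只用于运行服务的账户,通常用 useradd -r -s /sbin/nologin nginx 创建为不可登录的系统用户)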
[root@server2 nginx-1.15.9]# useradd nginx
[root@server2 nginx-1.15.9]# id nginx
uid=1000(nginx) gid=1000(nginx) groups=1000(nginx)
为server2快速配置systemd服务文件(直接复制server1上的nginx.service)
[root@server1 nginx]# cd /etc/systemd/system/
[root@server1 system]# ls | grep nginx
nginx.service
[root@server1 system]# scp nginx.service server2:/etc/systemd/system/
root@server2's password:
nginx.service 100% 251 0.3KB/s 00:00
[root@server1 system]#
1.修改作为web服务器(server1)的nginx配置文件(set_real_ip_from 只填写反向代理server2的地址:只有来自受信任代理的 X-Forwarded-For 才会被采用,否则客户端可以自行伪造这个请求头)
41 server {
42 listen 80;
43 server_name localhost;
44 set_real_ip_from 172.25.70.2;  # honour the forwarded header only on connections from the reverse proxy (server2)
45 real_ip_header X-Forwarded-For;  # take the client address from this request header
46 real_ip_recursive on;  # use the last address in the header that is not a trusted proxy
重新加载配置文件:
[root@server1 nginx]# systemctl reload nginx.service
2.修改用来做反代的nginx配置文件
vim /usr/local/nginx/conf/nginx.conf
===========================================
修改:
2 user nginx nginx;  # worker processes run as user and group "nginx" instead of the built-in default
3 worker_processes auto;  # let nginx choose the number of workers from the available CPU cores
=================================
17 http {
18 include mime.types;
19 default_type application/octet-stream;
20 upstream westos {  # backend group referenced by proxy_pass http://westos
21 server 172.25.70.1:80;  # single backend: the web server (server1), reached over plain HTTP
22 }
======================================================
98 server { # added virtual host
99 listen 80;
100 server_name www.westos.org;
101
102 location / {
103 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # append the connecting client's address to whatever X-Forwarded-For the client already sent; earlier entries are client-supplied, so the backend should trust only what its realip settings allow
104 proxy_pass http://westos;  # forward the request to the "westos" upstream group
105 }
106 }
3.测试
在客户端写入本地解析后执行 curl www.westos.org:客户端访问的是代理服务器,但获得的内容来自server1;这次请求可以在server1的访问日志中查看
[root@vits Desktop]# curl www.westos.org
在server1的nginx的日志里看到访问信息:
把web服务器的配置文件还原:
重新加载配置后,再用客户端访问,查看日志:
日志中记录的来源地址会变成反向代理服务器(server2),即这次GET请求显示为由代理发起
五、日志记录——对客户端访问本地资源进行监控
21 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
22 '$status $body_bytes_sent "$http_referer" '
23 '"$http_user_agent" "$http_x_forwarded_for"';  # format "main": client address, user, time, request line, status, bytes sent, Referer, User-Agent and the X-Forwarded-For header as received; the last three are client-supplied values
24
46 access_log logs/redhat.access.log main;  # write the access log to logs/redhat.access.log using format "main"
重启Nginx服务
[root@server1 conf]# vim nginx.conf
[root@server1 conf]# systemctl restart nginx.service
客户端访问服务器指定页面
[root@vits ~]# ab -c 1 -n 5 http://172.25.70.1/search/vim.jpg
查看服务器日志文件内容
六、重定向
在我们配置的web服务器(server1)上:
1.临时重定向
[root@server1 conf]# vim ../conf/nginx.conf
===============================================
112 server {
113 listen 443 ssl;  # HTTPS virtual host that the redirect below points to
114 server_name localhost;
115
116 ssl_certificate cert.pem;
117 ssl_certificate_key cert.pem;  # same file as the certificate, so it also holds the private key
118
119 ssl_session_cache shared:SSL:1m;
120 ssl_session_timeout 5m;
121
122 ssl_ciphers HIGH:!aNULL:!MD5;
123 ssl_prefer_server_ciphers on;
124
125 location / {
126 root /web;
127 index index.html index.htm;
128 }
129 }
130 server {
131 listen 80;  # plain-HTTP virtual host that only redirects
132 server_name www.westos.com;
133
134 rewrite ^/(.*) https://www.westos.com/$1;  # the replacement starts with https://, so nginx stops processing and answers with a temporary (302) redirect, keeping the request path
135 }
重新加载配置文件:
[root@server1 nginx]# systemctl reload nginx.service
客户端测试:
要保证客户端有www.westos.com的本地解析
[root@vits Desktop]# curl -I www.westos.org
[root@vits Desktop]# cat /etc/hosts
[root@vits Desktop]# curl -I www.westos.org/index.html
上面的配置可以实现将 www.westos.com 重定向到 https://www.westos.com 。
我们还可以在配置文件中加入一个虚拟主机,完成一台服务器部署两个web服务,对应一个IP地址,在实际生产环境中可以节约资源。
更改配置文件:
[root@server1 conf]# vim nginx.conf
========================================
131 server {
132 listen 80;
133 server_name www.westos.com;
134 rewrite ^/(.*) https://www.westos.com/$1;  # temporary (302) redirect of every request to the HTTPS site
135 # set_real_ip_from 172.25.70.1;
136 # real_ip_header X-Forward-For;
137 # real_ip_recursive on;
138 # location / {
139 # return 200 "client real ip: $remote_addr\n" ;
140 # }
141 }
142 server {
143 listen 80;  # second name-based virtual host on the same address and port
144 server_name bbs.westos.com;
145
146 location / {
147 root /bbs;  # served from its own document root
148 index index.html;
149 }
150 }
[root@server1 nginx]# mkdir /bbs
[root@server1 nginx]# vim /bbs/index.html
[root@server1 nginx]# cat /bbs/index.html
bbs.westos.com
[root@server1 nginx]# systemctl reload nginx.service
[root@server1 nginx]#
添加本地解析:
[root@vits Desktop]# vim /etc/hosts
测试:
[root@vits Desktop]# curl -I www.westos.com
[root@vits Desktop]# curl bbs.westos.com
2.永久重定向
修改配置文件:
[root@server1 conf]# vim nginx.conf
=========================================
130 server {
131 listen 80;
132 server_name www.westos.com;
133
134 rewrite ^/(.*) https://www.westos.com/$1 permanent;  # "permanent" turns the redirect into a 301, which clients may cache
135
136 }
137
138 server {
139 listen 80;
140 server_name bbs.westos.com;
141
142 location / {
143 root /bbs;  # bbs.westos.com keeps serving its own content over HTTP
144 index index.html;
145 }
146 }
重载配置文件
[root@server1 nginx]# systemctl reload nginx.service
客户端测试:
[root@vits Desktop]# curl -I www.westos.com
成功实现永久重定向。
3.设置不同域名的重定向
[root@server1 conf]# vim nginx.conf
====================================
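131 server {
132 listen 80;
133 server_name www.westos.com; #bbs.westos.com
134 #rewrite ^/(.*) https://www.westos.com/$1 permanent;
135 rewrite ^/bbs$ http://www.westos.com permanent;  # 301 for a request to exactly /bbs; with the ";" of line 133 inside the comment, this line was parsed as further server_name arguments and never took effect
136 #rewrite ^/bbs/(.*) http://www.westos.com/$1 permanent;
137 # set_real_ip_from 172.25.70.1;
138 # real_ip_header X-Forward-For;
139 # real_ip_recursive on;
140 # location / {
141 # return 200 "client real ip: $remote_addr\n" ;
142 # }
143 }
144 server {
145 listen 80;
146 server_name bbs.westos.com;
147
148 location / {
149 root /bbs;  # bbs.westos.com serves its own document root
150 index index.html;
151 }
152 }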
重新加载配置文件
[root@server1 nginx]# systemctl reload nginx.service
客户端测试:
curl -I www.westos.com/bbs/index.html
[root@vits Desktop]# curl bbs.westos.com
4.设置不同域名访问同一资源
[root@server1 conf]# vim nginx.conf
==========================================
130 server {
131 listen 80;
132 server_name www.westos.com bbs.westos.com;  # both names are answered by this one virtual host
133
134 #rewrite ^/(.*) https://www.westos.com/$1 permanent;
135 rewrite ^/bbs$ http://bbs.westos.com permanent;  # 301: /bbs on either name goes to the bbs host
136 rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;  # 301: /bbs/<path> goes to /<path> on the bbs host
137
138 if ($host = "bbs.westos.com") {  # requests that arrive under the bbs name ...
139 rewrite ^/(.*)$ http://www.westos.com/$1 permanent;  # ... are sent back to the same path on www.westos.com
140 }
141 location / {
142 root /web;  # so both names end up serving the content under /web
143 index index.html;
144 }
145 }
重新加载配置文件,客户端测试:
[root@vits Desktop]# curl -I bbs.westos.com
[root@vits Desktop]# curl -I bbs.westos.com/index.html
七、防盗链
- server1:172.25.70.1 被盗链的服务器
- server2:172.25.70.2 盗链服务器
1.模拟盗链
1.在server2上:
[root@server2 ~]# vim /usr/local/nginx/conf/nginx.conf
============================================================
118 server {
119 listen 80;
120 server_name daolian.westos.com;  # virtual host on server2 that plays the hotlinking site
121 charset utf-8;  # declare UTF-8 so the page's non-ASCII text renders correctly
122 location / {
123 root /web;  # holds the test page that embeds server1's image
124 index index.html;
125 }
126 }
创建资源:
[root@server2 ~]# mkdir /web
[root@server2 ~]# vim /web/index.html
=========================================
<!-- Test page on server2: embeds an image hosted on www.westos.com (server1) to simulate hotlinking. -->
<html>
<body>
<br>盗链图片</br>
<!-- The browser fetches this image from server1 with this page's URL as the Referer. -->
<img src="http://www.westos.com/vim.jpg">
</body>
</html>
2.在server1上创建被盗链的资源:
[root@server1 html]# vim ../conf/nginx.conf
# Virtual host on server1 that serves the image the other site embeds.
server {
listen 80;
server_name www.westos.com bbs.westos.com;
#rewrite ^/(.*) https://www.westos.com/$1 permanent;
# 301 redirects for /bbs and /bbs/<path> to the bbs host name.
rewrite ^/bbs$ http://bbs.westos.com permanent;
rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;
# Requests arriving under the bbs name are redirected back to www.westos.com.
if ($host = "bbs.westos.com") {
rewrite ^/(.*)$ http://www.westos.com/$1 permanent;
}
# Everything else, including vim.jpg, is served from /web with no Referer check yet.
location / {
root /web;
index index.html;
}
}
[root@server1 html]# ls
50x.html vim.jpg index.html search
[root@server1 html]# cp vim.jpg /web/
[root@server1 html]# cd /web
[root@server1 web]# ls
vim.jpg index.html
3.重新加载server1、server2上的nginx配置,在客户端增加本地解析并测试
- server1:
[root@server1 search]# systemctl reload nginx.service
- server2:
[root@server2 nginx]# systemctl reload nginx.service
客户端:
vim /etc/hosts
======================
172.25.70.1 server1 www.westos.com bbs.westos.com
172.25.70.2 server2 www.westos.org daolian.westos.com
测试:
盗链成功
2.防止盗链
1.在我们的server1上编辑配置文件:
[root@server1 html]# vim ../conf/nginx.conf
================================================
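131 server {
132 listen 80;
133 server_name www.westos.com; #bbs.westos.com
134 #rewrite ^/(.*) https://www.westos.com/$1 permanent;
135 rewrite ^/bbs$ http://bbs.westos.com permanent;  # with the ";" of line 133 inside the comment, this line was parsed as further server_name arguments and never took effect
136 rewrite ^/bbs/(.*)$ http://bbs.westos.com/$1 permanent;
137 # set_real_ip_from 172.25.70.1;
138 # real_ip_header X-Forward-For;
139 # real_ip_recursive on;
140 # location / {
141 # return 200 "client real ip: $remote_addr\n" ;
142 # }
143 if ($host = "bbs.westos.com") {
144 rewrite ^/(.*)$ http://www.westos.com/$1 permanent;
145 }
146 location / {
147 root /web;
148 index index.html;
149 }
150 location ~* \.(gif|jpg|png|jpeg)$ {  # case-insensitive match on image file extensions
151 root /web;
152 valid_referers none blocked www.westos.com;  # accept a request whose Referer is absent (none), stripped by a proxy or firewall (blocked), or from www.westos.com
153 if ($invalid_referer) {  # any other Referer marks the request as hotlinking
154 rewrite ^/ http://bbs.westos.com/daolian.jpg;  # temporary redirect to the placeholder image on the bbs host
155 }
156 }
157 }
158 server {
159 listen 80;
160 server_name bbs.westos.com;
161
162 location / {
163 root /bbs;  # holds daolian.jpg, the image returned for hotlinked requests
164 index index.html;
165 }
166 }
167
168 }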
2.创建检测到盗链后,重定向的资源:
[root@server1 ~]# cd /bbs/
[root@server1 bbs]# ls
daolian.jpg index.html
3.重新加载配置文件后,在客户端测试:
[root@server1 nginx]# systemctl reload nginx.service
测试:
daolian.westos.com
被盗链的服务器会把盗链请求重定向到 daolian.jpg。需要注意:Referer 由客户端发送,可以伪造或省略(配置中的 none 还放行了不带 Referer 的请求),这种检查只能阻止普通的页面盗链,不能当作访问控制。