LNMP Architecture, Part 2
nginx default virtual host
Edit the main configuration file nginx.conf and add one line of configuration above the closing }
[root@www conf]# cat nginx.conf | tail -n5
gzip_types text/plain application/x-javascript text/css text/htm
application/xml;
include vhost/*.conf;
}
[root@www conf]#
include vhost/*.conf; is the line you need to add. It means every file ending in .conf under /usr/local/nginx/conf/vhost/ is loaded, so virtual host configuration files can simply be placed in the vhost directory.
Create the vhost directory and write the virtual host configuration file
[root@www conf]# mkdir vhost
[root@www conf]# cd vhost
[root@www vhost]# vim default.conf
[root@www vhost]# cat default.conf
server
{
listen 80 default_server;
server_name aaa.com;
index index.html index.htm index.php;
root /data/nginx/default;
}
[root@www vhost]#
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
Create the index page
[root@www default]# cat index.html
lantern.com
[root@www default]# curl -x127.0.0.1:80 aaa.com    # test access to aaa.com
lantern.com
[root@www default]# curl -x127.0.0.1:80 1212.com    # a domain that is not defined anywhere is also served by aaa.com
lantern.com
[root@www default]#
User authentication
Create a new virtual host for testing and give it the following configuration
[root@www default]# cd /usr/local/nginx/conf/vhost/
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/nginx/test;
location /
{
auth_basic "Auth"; # enable authentication
auth_basic_user_file /usr/local/nginx/conf/htpasswd; # file holding the users and passwords
}
}
[root@www vhost]#
Generating the password file requires the htpasswd tool from httpd; nginx does not ship with it.
Create the user nginx and generate its password
[root@www vhost]# htpasswd -c /usr/local/nginx/conf/htpasswd nginx
New password:
Re-type new password:
Adding password for user nginx
[root@www vhost]#
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]#
Test
[root@www vhost]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 19:56:06 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@www vhost]#
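A 401 status code means the site requires authentication.
You can test by entering the URL in a browser; after entering the username and password the site is accessible.
To require authentication only for a particular directory, change the path after location:
change location / to location /admin/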
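The script below is an added example, not part of the original post. It audits an auth_basic_user_file such as /usr/local/nginx/conf/htpasswd for weak password storage schemes and for a world-readable file mode; the function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit an nginx auth_basic_user_file.
# Function names and sample entries are constructed for illustration.

# audit_htpasswd: read htpasswd lines on stdin, print "<user> <scheme> <verdict>".
audit_htpasswd() {
    awk -F: '
        function starts(s, p) { return substr(s, 1, length(p)) == p }
        /^[ \t]*#/ || NF < 2 { next }        # skip comments and malformed lines
        {
            h = $2
            if (starts(h, "$2a$") || starts(h, "$2b$") || starts(h, "$2y$")) { s = "bcrypt"; v = "ok" }
            else if (starts(h, "$5$") || starts(h, "$6$")) { s = "sha-crypt"; v = "ok" }
            else if (starts(h, "$apr1$"))  { s = "apr1-md5";    v = "legacy" }
            else if (starts(h, "{SSHA}"))  { s = "salted-sha1"; v = "legacy" }
            else if (starts(h, "{SHA}"))   { s = "sha1";        v = "weak" }
            else if (starts(h, "{PLAIN}")) { s = "plaintext";   v = "weak" }
            else if (length(h) == 13)      { s = "des-crypt";   v = "weak" }
            else                           { s = "unknown";     v = "review" }
            print $1, s, v
        }'
}

# world_readable FILE: succeed if "other" has read permission on FILE.
# Character 8 of the ls mode string (-rw-r--r--) is the read bit for "other".
world_readable() {
    case $(ls -ld -- "$1" | cut -c8) in r) return 0 ;; *) return 1 ;; esac
}

# Constructed entries, not real credentials.
sample_htpasswd() {
    cat <<'EOF'
nginx:$apr1$CONSTRUC$SAMPLEONLYSAMPLEONLY00
alice:$2y$10$CONSTRUCTEDSAMPLEONLYCONSTRUCTEDSAMPLEONLYCONSTRUCTED
bob:{SHA}CONSTRUCTEDSAMPLEONLY=
carol:{PLAIN}constructed
dave:CONSTRUCTED12
EOF
}

sample_htpasswd | audit_htpasswd
```

On a real host, run audit_htpasswd < /usr/local/nginx/conf/htpasswd and world_readable /usr/local/nginx/conf/htpasswd. bcrypt and sha-crypt entries only work in nginx where the system crypt() supports them.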
Domain redirection
Using test.conf for the test, change the configuration file to the following
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test;
if ($host != 'test.com' ){
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location /
#{
# auth_basic "Auth";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#}
}
[root@www vhost]#
server_name can be followed by several domain names. permanent makes the redirect permanent, equivalent to R=301 in httpd.
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]#
Test
[root@www vhost]# curl -x127.0.0.1:80 test1.com/123.txt -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 20:20:22 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://test.com/123.txt
[root@www vhost]#
nginx access log
View the nginx log format
[root@www vhost]# grep -A2 log_format /usr/local/nginx/conf/nginx.conf
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
[root@www vhost]#
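As with httpd, the log format is defined in the main configuration file.
combined_realip is the name of the log format and can be referenced by that name.
Edit the configuration file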
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test;
if ($host != 'test.com' ){
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
access_log /root/1.log combined_realip;
#location /
#{
# auth_basic "Auth";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#}
}
[root@www vhost]#
Check for syntax errors
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
Generate an error entry in the log and view it
[root@www vhost]# curl -x127.0.0.1:80 test.com/111
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
[root@www vhost]# cat /root/1.log
127.0.0.1 - [03/Jul/2018:04:31:17 +0800] test.com "/111" 404 "-" "curl/7.29.0"
[root@www vhost]#
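The script below is an added example, not part of the original post. It reads a log written in the combined_realip format above and counts 401, 403 and 404 responses per client, which is a quick way to spot a client probing paths or guessing basic-auth passwords; the function names are illustrative and every sample line after the first is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): count 401/403/404 responses per
# client in a log written with the combined_realip format shown above.
# Function names are illustrative; sample lines after the first are constructed.

# failed_by_client [MIN]: read log lines on stdin, print "<remote_addr> <count>"
# for every client with at least MIN (default 3) failed requests.
failed_by_client() {
    awk -F'"' -v min="${1:-3}" '
        NF < 7 { next }                  # fewer than three quoted fields: skip
        {
            # $1 holds: remote_addr x_forwarded_for [time_local] host
            # Key on remote_addr only: X-Forwarded-For is sent by the client.
            split($1, head, " ")
            status = $3 + 0              # text between "request_uri" and "referer"
            if (status == 401 || status == 403 || status == 404)
                hits[head[1]]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort
}

# First line is the entry from the post; the rest are constructed.
sample_log() {
    cat <<'EOF'
127.0.0.1 - [03/Jul/2018:04:31:17 +0800] test.com "/111" 404 "-" "curl/7.29.0"
203.0.113.9 - [03/Jul/2018:04:32:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.9 - [03/Jul/2018:04:32:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
203.0.113.9 10.0.0.1, 10.0.0.2 [03/Jul/2018:04:32:03 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
198.51.100.4 - [03/Jul/2018:04:33:00 +0800] test.com "/index.html" 200 "-" "Mozilla/5.0"
EOF
}

sample_log | failed_by_client 3
```

Splitting on the double quote stays reliable because nginx escapes quote characters inside logged variables, while the unquoted X-Forwarded-For value may contain spaces, as the fourth sample line shows.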
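Log rotation
nginx logging is fairly simple. Unlike httpd, it has no built-in rotation tool, so rotating nginx logs requires the system's rotation tool or a custom script.
Custom shell script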
[root@www vhost]# vim /usr/local/sbin/nginx_log_rotate.sh
[root@www vhost]# cat !$
cat /usr/local/sbin/nginx_log_rotate.sh
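#!/bin/bash
# Rename yesterday's nginx logs, then signal nginx so it starts new log files
d=`date -d "-1 day" +%Y%m%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# Stop if the log directory is missing, so mv never runs in the wrong directory
cd "$logdir" || exit 1
for log in `ls *.log`
do
mv "$log" "$log-$d"
done
/bin/kill -HUP `cat $nginx_pid`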
[root@www vhost]#
That completes the log rotation script. A scheduled task (cron job) can also be added:
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
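The script below is an added example, not part of the original post. It is a variant of the rotation script that handles the failure cases: no matching logs, an archive that already exists, and a missing or corrupt pid file. It sends USR1, the nginx signal for reopening log files, instead of the HUP used above, which reloads the whole configuration; the function names and argument order are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): rotation with failure handling.
# Function names and argument order are illustrative.

# rotate_logs LOGDIR STAMP: rename every *.log in LOGDIR to <name>-STAMP.
# Prints the number of files renamed and never overwrites an existing archive.
rotate_logs() (
    logdir=$1 stamp=$2 n=0
    cd "$logdir" || exit 1
    for log in *.log; do
        [ -f "$log" ] || continue          # glob matched nothing, or not a regular file
        [ -e "$log-$stamp" ] && continue   # already rotated with this stamp
        mv -- "$log" "$log-$stamp" && n=$((n + 1))
    done
    echo "$n"
)

# reopen_logs PIDFILE: ask the nginx master process to reopen its log files.
# Refuses to signal anything if the pid file is missing, empty or not numeric.
reopen_logs() (
    pidfile=$1
    [ -s "$pidfile" ] || { echo "no pid file: $pidfile" >&2; exit 1; }
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "bad pid in $pidfile" >&2; exit 1 ;;
    esac
    kill -USR1 "$pid"
)

# Run as: nginx_log_rotate.sh LOGDIR PIDFILE
if [ "$#" -eq 2 ]; then
    rotate_logs "$1" "$(date -d '-1 day' +%Y%m%d)" >/dev/null && reopen_logs "$2"
fi
```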
Excluding static files from the log and adding an expiry time
Change the configuration file as follows:
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test;
if ($host != 'test.com' ){
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
access_log /root/1.log combined_realip;
#location /
#{
# auth_basic "Auth";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#}
}
[root@www vhost]#
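location ~ selects the matching static files, expires sets the expiry time, and setting access_log to off stops those requests from being written to the access log.
Test the syntax and create the files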
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# echo '11111' > /data/nginx/test/1.js
[root@www vhost]# echo '11111' > /data/nginx/test/2.jpg
[root@www vhost]# touch /data/nginx/test/1.jss
Test
[root@www vhost]# curl -x127.0.0.1:80 test.com/1.js -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 21:49:58 GMT
Content-Type: application/javascript
Content-Length: 6
Last-Modified: Mon, 02 Jul 2018 21:27:14 GMT
Connection: keep-alive
ETag: "5b3a98b2-6"
Expires: Tue, 03 Jul 2018 09:49:58 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
[root@www vhost]# curl -x127.0.0.1:80 test.com/2.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 21:55:56 GMT
Content-Type: image/jpeg
Content-Length: 6
Last-Modified: Mon, 02 Jul 2018 21:27:22 GMT
Connection: keep-alive
ETag: "5b3a98ba-6"
Expires: Mon, 09 Jul 2018 21:55:56 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@www vhost]# curl -x127.0.0.1:80 test.com/1.jss -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 21:56:06 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Mon, 02 Jul 2018 21:27:52 GMT
Connection: keep-alive
ETag: "5b3a98d8-0"
Accept-Ranges: bytes
[root@www vhost]#
The Cache-Control max-age value is the corresponding expiry time, in seconds.
Access log
[root@www vhost]# cat /root/1.log
127.0.0.1 - [03/Jul/2018:05:01:17 +0800] test.com "/111" 404 "-" "curl/7.29.0"
127.0.0.1 - [03/Jul/2018:05:56:06 +0800] test.com "/1.jss" 200 "-" "curl/7.29.0"
[root@www vhost]#
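The .js, .jpg and .jss files were all requested, but only the .jss request was left in the access log.
nginx hotlink protection
Change the configuration file as follows: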
[root@www vhost]# cat test.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test;
if ($host != 'test.com' ){
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~* ^.+\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer){
return 403;
}
access_log off;
}
access_log /root/1.log combined_realip;
#location /
#{
# auth_basic "Auth";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#}
}
[root@www vhost]#
Because this partly overlaps with the expiry-time and no-logging settings, the two parts are merged into one.
Test the syntax
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]#
Test
[root@www vhost]# curl -x127.0.0.1:80 -I -e "http://aaa.com/1.txt" test.com/2.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 22:09:34 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@www vhost]# curl -x127.0.0.1:80 -I -e "http://test.com/1.txt" test.com/2.jpg
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 22:09:47 GMT
Content-Type: image/jpeg
Content-Length: 6
Last-Modified: Mon, 02 Jul 2018 21:27:22 GMT
Connection: keep-alive
ETag: "5b3a98ba-6"
Expires: Mon, 09 Jul 2018 22:09:47 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@www vhost]#
Hotlink protection is now in effect.
Access control
Change the configuration file as follows
[root@www vhost]# vim test.conf
[root@www vhost]# cat !$
cat test.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/nginx/test;
if ($host != 'test.com' ){
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location /admin/
{
allow 192.168.1.180;
allow 127.0.0.1;
deny all;
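}
}
Requests for the admin directory are allowed only from the configured IPs.
nginx checks the allow and deny rules from top to bottom and applies the first one that matches.
Test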
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@www vhost]# mkdir /data/nginx/test/admin/
[root@www vhost]# echo '123' > /data/nginx/test/admin/1.html
[root@www vhost]# curl -x127.0.0.1:80 test.com/admin/1.html
123
[root@www vhost]# curl -x192.168.1.180:80 test.com/admin/1.html
123
These are the IPs currently allowed access.
[root@www vhost]# curl -x192.168.18.126:80 test.com/admin/1.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="write">
<center><h1>403 Forbidden </h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
nginx and PHP
In LNMP, PHP runs as a separate service: php-fpm must be started first, and nginx then communicates with php-fpm.
PHP-related configuration
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/test$fastcgi_script_name;
}
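fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a TCP ip:port address, change this to fastcgi_pass 127.0.0.1:9000. The address must match the one php-fpm listens on, otherwise a 502 error is returned.
The path after fastcgi_param SCRIPT_FILENAME is the site's root directory and must be the same as the root defined earlier, otherwise requests for PHP pages return a 404 error.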
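nginx proxy
A company has many servers and, to save cost, cannot assign a public IP to every one of them. A server without a public IP that needs to provide a web service can do so through a proxy.
Create a new configuration file containing the settings the nginx proxy needs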
[root@www vhost]# cat proxy.conf
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://223.94.95.10/;
proxy_set_header Host $host;
}
}
[root@www vhost]#
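proxy_pass specifies the IP of the server that hosts the domain being proxied. If you do not know the IP, you can ping the domain to get it.
proxy_set_header defines a request header sent to the backend web server; here it sets the domain name the backend sees to match the server_name in this configuration file.
Check for syntax errors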
[root@www vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@www vhost]# /usr/local/nginx/sbin/nginx -s reload
Test
[root@www vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 02 Jul 2018 23:06:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=49u6oflcbcl2oi17ceopo95na3; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
myheader: web1
[root@www vhost]# curl apelearn.com -I
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jul 2018 17:40:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.10
[root@www vhost]#
[root@www vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@www vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@www vhost]#
All of the above shows no problems; the proxy is working.
Further reading
nginx.conf configuration explained: http://www.ha97.com/5194.html
http://my.oschina.net/duxuefeng/blog/34880
The four nginx rewrite flags: http://www.netingcn.com/nginx-rewrite-flag.html
http://unixman.blog.51cto.com/10163040/1711943
Summary of 502 problems: http://ask.apelearn.com/question/9109
location priority: http://blog.lishiming.net/?p=100