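For how to set up LNMP, see my other post: LNMP setup tutorial
The host used in the following experiments has the IP 192.168.10.206, with the LNMP stack already set up.
1. Virtual hosts
Like Apache, nginx has the concept of virtual hosts; an nginx virtual host is defined with a server{} block. A server{} block can be defined in the main nginx configuration file nginx.conf, or in one or more separate files that nginx.conf pulls in with include.
For example, a virtual host file named test1.conf: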
server
{
    listen 80;
    server_name test1.com;
    index index.html index.htm index.php;
    root /htdocs/test1;
}
server
{
    listen 80;
    server_name test2.com;
    index index.html index.htm index.php;
    root /htdocs/test2;
    location /
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf.d/htpasswd;
    }
}
The file above defines two virtual hosts whose site directories are /htdocs/test1 and /htdocs/test2. These are custom directories rather than the default one, so when SELinux is enabled they must be given a security context label. Set it as follows (the pattern "/htdocs(/.*)?" covers /htdocs and everything under it, including test1 and test2):
[root@test2 ~]# semanage fcontext -a -t httpd_sys_content_t "/htdocs(/.*)?"
[root@test2 ~]# restorecon -Rv /htdocs/
Create the test pages:
(1) test1 host
[root@test2 ~]# vim /htdocs/test1/index.html
<h1>Test1 page...</h1>
(2) test2 host
[root@test2 ~]# vim /htdocs/test2/index.html
<h1>Test2 page...</h1>
On Windows, add the following line to C:\Windows\System32\drivers\etc\hosts:
192.168.10.206 test1.com test2.com test.com
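Open test1.com in the browser on the Windows machine.
There can be more than one default virtual host, but each port can have only one default virtual host.
2. User authentication
The virtual host configuration for user authentication is the one already shown in the configuration file in section 1:
server
{
    listen 80;
    server_name test2.com;
    index index.html index.htm index.php;
    root /htdocs/test2;
    location /
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf.d/htpasswd;
    }
}
location /: requires authentication for the whole site directory. Authentication can also be limited to a single directory or URL, for example:
location /admin/: requires authentication for the admin directory
location ~ admin.php: requires authentication for a specific request URL
auth_basic_user_file: the user authentication file.
User authentication needs the htpasswd command, so install httpd or httpd-tools. Here httpd is installed with yum: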
[root@test2 ~]# yum install -y httpd
Once it is installed, generate the user authentication file with htpasswd:
[root@test2 ~]# htpasswd -c /usr/local/nginx/conf.d/htpasswd user1
New password:
Re-type new password:
Adding password for user user1
[root@test2 ~]#
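-c: creates the user authentication file; if the file already exists it is overwritten, so omit -c when adding further users.
Open test2.com in the browser on the Windows machine.
Username: user1
Password: 123456
Enter the correct username and password.
OK, user authentication is set up successfully.
3. Domain redirection
Modify the earlier virtual host file /usr/local/nginx/conf.d/test1.conf so that it reads as follows: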
[root@test2 ~]# vim /usr/local/nginx/conf.d/test1.conf
server
{
    listen 80;
    server_name test.com test1.com test3.com;
    index index.html index.htm index.php;
    root /htdocs/test1;
    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
}
permanent: permanent redirect, i.e. 301
redirect: temporary redirect, i.e. 302
After the change, reload the configuration:
[root@test2 ~]# /usr/local/nginx/sbin/nginx -s reload
Use curl to check whether the domains redirect:
[root@test2 ~]# curl -x127.0.0.1:80 test3.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0
Date: Sun, 20 May 2018 11:56:06 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@test2 ~]# curl -x127.0.0.1:80 test1.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0
Date: Sun, 20 May 2018 11:56:11 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@test2 ~]# curl -x127.0.0.1:80 test1.com/haha/hello/123/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0
Date: Sun, 20 May 2018 11:57:33 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/haha/hello/123/index.html
[root@test2 ~]#
The results show that the domain redirect works.
4. nginx logs
Variables available for the nginx log format:
- $remote_addr: client IP (public IP)
- $http_x_forwarded_for: IP of the proxy server
- $time_local: local time on the server
- $host: requested host name (domain)
- $request_uri: requested URL
- $status: status code
- $http_referer: referer
- $http_user_agent: user agent
The log format is defined in the main nginx configuration file; combined_realip is the name of the format:
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
Since the log format is defined in the main configuration file, a virtual host can use it:
server {
    listen 80;
    server_name localhost;
    access_log /tmp/phpinfo.log combined_realip;
    location / {
        root /usr/local/nginx/html;
        index index.php index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }
    location ~ \.php$ {
        root /usr/local/nginx/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        include fastcgi_params;
    }
}
Reload the configuration:
[root@test2 ~]# /usr/local/nginx/sbin/nginx -s reload
Open 192.168.10.206 in a browser, refresh a few times, then look at the log:
[root@test2 ~]# cat /tmp/phpinfo.log
192.168.10.1 - [20/May/2018:22:45:20 +0800] 192.168.10.206 "/" 200 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.10.1 - [20/May/2018:22:45:20 +0800] 192.168.10.206 "/favicon.ico" 404 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.10.1 - [20/May/2018:22:45:21 +0800] 192.168.10.206 "/" 200 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.10.1 - [20/May/2018:22:45:22 +0800] 192.168.10.206 "/" 200 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
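Added example (not part of the original post): a shell parser for the combined_realip format defined above. $http_x_forwarded_for is logged unquoted and can hold several addresses separated by a comma and a space, so splitting on spaces shifts the later fields; the parser anchors on the bracketed time and the quoted fields instead. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: parser for the page's combined_realip log format
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
TAB=$(printf '\t')

# parse_realip: log lines on stdin -> TSV: addr, xff, time, host, uri, status.
# Lines that do not fit the format are dropped.
parse_realip() {
    sed -n -E "s/^([^ ]+) (.*) \[([^]]+)\] ([^ ]+) \"([^\"]*)\" ([0-9]{3}) \"[^\"]*\" \".*\"\$/\1${TAB}\2${TAB}\3${TAB}\4${TAB}\5${TAB}\6/p"
}

# error_counts: "<count> <addr>" per client for responses with status >= 400,
# highest count first
error_counts() {
    parse_realip |
        awk -F '\t' '$6 >= 400 { n[$1]++ } END { for (a in n) print n[a], a }' |
        sort -k1,1nr -k2,2
}

# forwarded_claims: "<addr><TAB><xff>" for requests that carried X-Forwarded-For.
# The header is supplied by the client, so treat it as a claim, not a fact.
forwarded_claims() {
    parse_realip | awk -F '\t' '$2 != "-" { print $1 "\t" $2 }'
}

# Constructed sample lines (not taken from a real server)
sample_log() {
    cat <<'EOF'
192.168.10.1 - [20/May/2018:22:45:20 +0800] 192.168.10.206 "/" 200 "-" "Mozilla/5.0"
192.168.10.1 - [20/May/2018:22:45:20 +0800] 192.168.10.206 "/favicon.ico" 404 "-" "Mozilla/5.0"
192.168.10.7 10.0.0.5, 172.16.0.9 [20/May/2018:22:46:01 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
192.168.10.7 10.0.0.5, 172.16.0.9 [20/May/2018:22:46:02 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
EOF
}

sample_log | error_counts
```

On a real log, run `error_counts < /tmp/phpinfo.log`.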
Returning variable values in a response:
$uri $document_uri $request_uri $args $host
location / {
    return 200 "$uri $document_uri $request_uri $args $host";
}
5. Log rotation
(1) Write a custom log rotation script:
[root@test2 ~]# vim /usr/local/sbin/nginx_log_rotate.sh
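#!/bin/bash
## Assumes the nginx logs are stored under /tmp/
d=$(date -d "-1 day" +%Y%m%d)
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
# Stop if the log directory is missing, so nothing is renamed in the wrong place
cd "$logdir" || exit 1
for log in *.log
do
    # Skip the unexpanded pattern when there is no .log file
    [ -e "$log" ] || continue
    mv "$log" "$log-$d"
done
# HUP makes nginx reload, so it opens new log files
/bin/kill -HUP "$(cat "$nginx_pid")"
Make the script executable: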
[root@test2 ~]# chmod +x /usr/local/sbin/nginx_log_rotate.sh
(2) Create a cron job, for example to run the script every day at 00:00:
[root@test2 ~]# crontab -e
0 0 * * * /usr/local/sbin/nginx_log_rotate.sh
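6. Not logging static files, and expiry times
Configuration that turns off access logging for static files and sets their expiry time:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires 7d;
    access_log off;
}
location ~ .*\.(js|css)$ {
    expires 12h;
    access_log off;
}
Set this in the virtual host as follows: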
[root@test2 ~]# vim /usr/local/nginx/conf.d/test1.conf
server
{
    listen 80;
    server_name test.com test1.com test3.com;
    index index.html index.htm index.php;
    root /htdocs/test1;
    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 7d;
        access_log off;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
        access_log off;
    }
}
7. Anti-hotlinking
For example, to protect images, documents and similar files from hotlinking, use:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
Set up anti-hotlinking in the test1 virtual host:
[root@test2 ~]# vim /usr/local/nginx/conf.d/test1.conf
server
{
    listen 80;
    server_name test.com test1.com test3.com;
    index index.html index.htm index.php;
    root /htdocs/test1;
    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    #     expires 7d;
    #     access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
        access_log off;
    }
}
Save and exit, then reload the configuration:
[root@test2 nginx]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@test2 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Mon, 21 May 2018 23:07:55 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test2 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.jpg
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 21 May 2018 23:08:42 GMT
Content-Type: image/jpeg
Content-Length: 93004
Last-Modified: Sun, 20 May 2018 09:33:54 GMT
Connection: keep-alive
ETag: "5b014102-16b4c"
Expires: Mon, 28 May 2018 23:08:42 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
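OK, anti-hotlinking is configured successfully.
8. nginx access control
To make the admin directory of the test1 virtual host accessible only from certain IPs, configure it as follows: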
[root@test2 ~]# mkdir /htdocs/test1/admin/
[root@test2 ~]# echo "admin page" >/htdocs/test1/admin/index.html
[root@test2 ~]# vim /usr/local/nginx/conf.d/test1.conf
server
{
    listen 80;
    server_name test.com test1.com test3.com;
    index index.html index.htm index.php;
    root /htdocs/test1;
    if ($host != 'test.com') {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    #     expires 7d;
    #     access_log off;
    # }
    location /admin/ {
        allow 192.168.0.0/24;
        deny all;
    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
        access_log off;
    }
}
After saving and exiting, check the configuration and reload it:
[root@test2 ~]# /usr/local/nginx/sbin/nginx -t
[root@test2 ~]# /usr/local/nginx/sbin/nginx -s reload
Test:
[root@test2 ~]# curl -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Mon, 21 May 2018 23:24:47 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test2 ~]#
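Added example (not part of the original post): a shell model of how the allow/deny rules in location /admin/ are evaluated, in order with the first match deciding, which shows why the curl request through 127.0.0.1 above gets 403. The function names are illustrative, only IPv4 is handled, and this is a simplified model rather than nginx's own code.

```shell
#!/bin/sh
# Added example: first-match evaluation of nginx allow/deny rules (IPv4 only).

# ip_to_int A.B.C.D -> the address as a 32-bit integer on stdout
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX -> exit status 0 when IP lies inside the network
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32      # a bare address means /32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# access_decision IP RULE... -> prints "allow" or "deny"
# Each RULE is "allow:<cidr|all>" or "deny:<cidr|all>", in configuration order.
# As in nginx, the first matching rule decides; no match at all means allow.
access_decision() {
    ip=$1; shift
    for rule in "$@"; do
        action=${rule%%:*}; target=${rule#*:}
        if [ "$target" = all ] || in_cidr "$ip" "$target"; then
            echo "$action"
            return 0
        fi
    done
    echo allow
}

# The page's rules: allow 192.168.0.0/24; deny all;
# 127.0.0.1 is the address nginx sees for the page's curl -x127.0.0.1:80 test.
# 192.168.10.1 is the client seen in the page's access log; it is outside
# 192.168.0.0/24, so it is denied as well.
for addr in 192.168.0.5 127.0.0.1 192.168.10.1; do
    echo "$addr $(access_decision "$addr" allow:192.168.0.0/24 deny:all)"
done
```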
9. PHP handling in nginx
The configuration for nginx to handle PHP is:
location ~ \.php$ {
    root /usr/local/nginx/html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    include fastcgi_params;
}
The main nginx configuration file contains a sample of this block.
The complete virtual host that handles PHP is:
server {
    listen 80;
    server_name localhost;
    access_log /tmp/phpinfo.log combined_realip;
    location / {
        root /usr/local/nginx/html;
        index index.php index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }
    location ~ \.php$ {
        root /usr/local/nginx/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        include fastcgi_params;
    }
}
10. nginx proxy
The proxy configuration is:
proxy_pass http://172.96.16.245;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
In a virtual host it is set as follows:
server {
    listen 80;
    server_name localhost;
    access_log /tmp/phpinfo.log combined_realip;
    location / {
        # root /usr/local/nginx/html;
        # index index.php index.html index.htm;
        proxy_pass http://172.96.16.245;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }
    # location ~ \.php$ {
    #     root /usr/local/nginx/html;
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    #     include fastcgi_params;
    # }
}
Further reading:
https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md
nginx.conf configuration explained: http://www.ha97.com/5194.html
http://my.oschina.net/duxuefeng/blog/34880
The four nginx rewrite flags: http://www.netingcn.com/nginx-rewrite-flag.html
http://unixman.blog.51cto.com/10163040/1711943
Summary of 502 problems: http://ask.apelearn.com/question/9109
location priority: http://blog.lishiming.net/?p=100