LNMP

Original
2019/05/15 13:53
Reads: 116

Introduction to LNMP:

Unlike LAMP, the web service is provided by Nginx.
 PHP runs as a separate service, called php-fpm.
 Nginx serves static requests directly and forwards dynamic (PHP) requests to php-fpm.

MySQL installation: refer to the MySQL installation in the earlier LAMP notes.

[root@aming01 php-5.6.39]# ls /usr/local/php-fpm/etc/
pear.conf  php-fpm.conf.default
[root@aming01 php-5.6.39]# cp php.ini-production  /usr/local/php-fpm/etc/php.ini
[root@aming01 php-5.6.39]# cd /usr/local/php-fpm/etc/
[root@aming01 etc]# ls
pear.conf  php-fpm.conf.default  php.ini
[root@aming01 etc]# vim php-fpm.conf       //write in the following configuration

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

 

Nginx

Nginx website: nginx.org; latest version 1.13, latest stable version 1.12.
 Nginx use cases: web server, reverse proxy, load balancing.
 A well-known Nginx fork is Tengine, developed by Taobao on top of Nginx. It is used the same way as Nginx (same service name, same configuration file names); the main difference is that Tengine adds some custom modules, stands out for security and rate limiting, and also supports merging js and css files.
 The Nginx core plus Lua-related components and modules make up OpenResty, a high-performance web container that supports Lua; see http://jinnianshilongnian.iteye.com/blog/2280928

Installing nginx:

 cd /usr/local/src
 wget http://nginx.org/download/nginx-1.12.1.tar.gz
 tar zxf nginx-1.12.1.tar.gz
 cd nginx-1.12.1
 ./configure --prefix=/usr/local/nginx
 make &&  make install
 vim /etc/init.d/nginx //paste the following content (see https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/etc_init.d_nginx )

 chmod 755 /etc/init.d/nginx
 chkconfig --add nginx
 chkconfig nginx on
 cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
 vim nginx.conf //write in the following content (see https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/nginx.conf)
 /usr/local/nginx/sbin/nginx -t
 /etc/init.d/nginx  start
 netstat -lntp |grep 80

[root@aming01 nginx-1.15.5]# vim /etc/init.d/nginx
[root@aming01 nginx-1.15.5]# chmod 755 /etc/init.d/nginx
[root@aming01 nginx-1.15.5]# chkconfig --add nginx
[root@aming01 nginx-1.15.5]# chkconfig nginx on
[root@aming01 nginx-1.15.5]# cd /usr/local/nginx/conf/
[root@aming01 conf]# ls
fastcgi.conf            koi-utf             nginx.conf           uwsgi_params
fastcgi.conf.default    koi-win             nginx.conf.default   uwsgi_params.default
fastcgi_params          mime.types          scgi_params          win-utf
fastcgi_params.default  mime.types.default  scgi_params.default
[root@aming01 conf]# mv nginx.conf  nginx.conf.bak
[root@aming01 conf]# vim nginx.conf
[root@aming01 conf]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 conf]# /etc/init.d/nginx  start
Starting nginx (via systemctl):                            [  确定  ]
[root@aming01 conf]# ps aux|grep nginx
root       5697  0.0  0.0  20552   628 ?        Ss   10:15   0:00 nginx: master process /usr/local/ngin/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody     5701  0.0  0.3  23040  3212 ?        S    10:15   0:00 nginx: worker process
nobody     5702  0.0  0.3  23040  3212 ?        S    10:15   0:00 nginx: worker process
root       5708  0.0  0.0 112724   988 pts/0    S+   10:15   0:00 grep --color=auto nginx
[root@aming01 conf]#

Testing PHP parsing:

 vi /usr/local/nginx/html/1.php //add the following content
 <?php
    echo "test php scripts.";
 ?>
 curl localhost/1.php

Nginx default virtual host:

 vim /usr/local/nginx/conf/nginx.conf //add
 include vhost/*.conf;
 mkdir /usr/local/nginx/conf/vhost
 cd !$;  vim default.conf //add the following content
server
{
    listen 80 default_server;  # the server carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
 mkdir -p /data/wwwroot/default/
 echo "This is a default site.">/data/wwwroot/default/index.html
 /usr/local/nginx/sbin/nginx -t
 /usr/local/nginx/sbin/nginx -s reload
 curl localhost
 curl -x127.0.0.1:80 123.com

[root@aming01 conf]# vim nginx.conf
[root@aming01 conf]# pwd
/usr/local/nginx/conf
[root@aming01 conf]# mkdir vhost
[root@aming01 conf]# cd vhost/
[root@aming01 vhost]# vim aaa.conf
[root@aming01 vhost]# vim aaa.com.conf
[root@aming01 vhost]# cat aaa.com.conf
server
{
    listen 80 default_server;  
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
[root@aming01 vhost]# mkdir  /data/wwwroot/default/
[root@aming01 vhost]# cd /data/wwwroot/default/
[root@aming01 default]# vim index.html
[root@aming01 default]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 default]# /usr/local/nginx/sbin/nginx  -s reload
[root@aming01 default]# curl  localhost
This is default site
[root@aming01 default]# curl -x127.0.0.1:80 bbbb.com
This is default site
[root@aming01 default]# curl -x127.0.0.1:80 aaa.com
This is default site
[root@aming01 default]#

Nginx user authentication:

 vim /usr/local/nginx/conf/vhost/test.com.conf //write in the following content
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
}
 yum install -y httpd
 htpasswd -c /usr/local/nginx/conf/htpasswd aming
 -t && -s reload //test the configuration and reload (shorthand for nginx -t && nginx -s reload)

 mkdir /data/wwwroot/test.com
 echo "test.com">/data/wwwroot/test.com/index.html
 curl -x127.0.0.1:80 test.com -I //a 401 status code means authentication is required
 curl -uaming:passwd -x127.0.0.1:80 test.com -I //with credentials the status code becomes 200
 Edit the Windows hosts file, then open test.com in a browser: a username/password prompt pops up.
 Per-directory authentication:
location  /admin/
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
    }
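The `$apr1$salt$hash` entries that htpasswd writes (visible in the transcript that follows) are Apache's MD5-based crypt format, and OpenSSL can produce and verify them without installing httpd. The following is an added example, not part of the original post: it creates entries with `openssl passwd -apr1` and verifies a password the way nginx does on every request, by re-hashing with the stored salt. It assumes openssl is on PATH; the file is a temp file and the users and passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the post): manage auth_basic credentials with
# `openssl passwd -apr1`, which yields the same $apr1$salt$hash format as
# Apache's htpasswd. File paths are arguments so a test run never touches
# /usr/local/nginx/conf.

# Add or replace one user in an htpasswd file. The password is taken from $3
# only for testability; in real use read it with `stty -echo` or from a secret
# store rather than from a command line that `ps` can expose.
htpasswd_set() {
    file=$1; user=$2; pass=$3
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    [ -n "$hash" ] || return 1
    tmp=$(mktemp)
    # drop any existing entry for this user, then append the new one
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$tmp" || true
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    mv "$tmp" "$file"
    # world-readable credential files are a common audit finding; the nginx
    # workers only need read access, so restrict the file to owner and group
    chmod 640 "$file"
}

# Verify a password against the stored hash: extract the salt from the
# $apr1$salt$hash entry, re-hash the candidate with it and compare.
# Returns 0 on match, 1 on mismatch or unknown user.
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Demo with constructed credentials in a temp file.
HTPASSWD_FILE=$(mktemp)
if command -v openssl >/dev/null 2>&1; then
    htpasswd_set "$HTPASSWD_FILE" aming 'correct horse'
    htpasswd_set "$HTPASSWD_FILE" user1 'another one'
    htpasswd_set "$HTPASSWD_FILE" aming 'rotated'   # replaces aming's line
    cat "$HTPASSWD_FILE"
fi
```

Because the check is a plain hash comparison, anyone who can read the file can run the same loop offline against a wordlist; keep the file outside the document root (the post's /usr/local/nginx/conf is fine) and not world-readable, and prefer serving basic auth only over HTTPS, since the Authorization header is base64, not encryption.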

[root@aming01 vhost]# vim test.com.conf    //edit the config file and write the configuration into test.com.conf
[root@aming01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@aming01 vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd aming   //apache2.4 is already installed, so its htpasswd is used directly to create user aming and its password (entered interactively)
New password:
Re-type new password:
Adding password for user aming
[root@aming01 vhost]# cat /usr/local/nginx/conf/htpasswd   //look at the entry that was created
aming:$apr1$/3ELWASr$O9xJsqwDHbi7WX8ULFRyA1
[root@aming01 vhost]# /usr/local/apache2.4/bin/htpasswd   /usr/local/nginx/conf/htpasswd user1
New password:
Re-type new password:
Adding password for user user1
[root@aming01 vhost]# cat /usr/local/nginx/conf/htpasswd
aming:$apr1$/3ELWASr$O9xJsqwDHbi7WX8ULFRyA1
user1:$apr1$KvZYllHb$jTsDW4I7qdu4hSQjGfImC.
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t     //check the config file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -s reload    //reload nginx
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com         //401: user authentication required
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 vhost]# mkdir  /data/wwwroot/test.com    //create the test directory
[root@aming01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html  //write the test file index.html
[root@aming01 vhost]# curl -uaming:123456 -x127.0.0.1:80 test.com       //curl with username+password: authentication succeeds
test.com

[root@aming01 vhost]# vim test.com.conf            //authenticate the /admin/ directory

[root@aming01 vhost]# cat test.com.conf            //the config file is changed as follows:
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    
location  /admin/                                      # authenticate the /admin/ directory
    {
        auth_basic              "Auth";
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
}
}
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -s reload
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com      //test.com is now directly accessible, but the /admin/ directory below requires authentication
test.com
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com/admin/      //accessing the /admin/ directory requires user authentication
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>

[root@aming01 vhost]# mkdir /data/wwwroot/test.com/admin/                //create the test directory /data/wwwroot/test.com/admin/
[root@aming01 vhost]# echo "test.com admin directory" > /data/wwwroot/test.com/admin/index.html
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com/admin/        //test the /admin/ directory: 401, authentication required
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 vhost]# curl -uaming:123456 -x127.0.0.1:80 test.com/admin/  //add the username and password to curl and authentication succeeds
test.com admin directory
[root@aming01 vhost]#

Authenticating admin.php:

[root@aming03 vhost]# cat yanzheng.conf
server
{
    listen 80;
    server_name yanzheng.com;
    index index.html index.htm index.php;
    root /data/wwwroot/yanzheng;
    
   # location /admin/     ## authenticate the admin directory (401)
     location  ~ admin.php   ## authenticate admin.php (401)
        {
          auth_basic               "Auth";
          auth_basic_user_file     /usr/local/nginx/conf/htpasswd;

     }
}

[root@aming03 vhost]# cat  /data/wwwroot/yanzheng/admin.php
test_admin.php
[root@aming03 vhost]# curl  -x127.0.0.1:80 yanzheng.com/admin.php   // user authentication required
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming03 vhost]# curl -uaming:123456 -x127.0.0.1:80 yanzheng.com/admin.php
test_admin.php
[root@aming03 vhost]#

 

Nginx domain redirect:

 Edit test.com.conf
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
}
 server_name accepts several domain names; compare this with how httpd does it.
 permanent is a permanent redirect with status code 301; redirect gives a 302 instead.

[root@aming01 vhost]#
[root@aming01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@aming01 vhost]# ls
aaa.com.conf  test.com.conf
[root@aming01 vhost]# vim test.com.conf
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -s reload
[root@aming01 vhost]# curl -x127.0.0.1:80  test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 00:52:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/index.html

[root@aming01 vhost]# curl -x127.0.0.1:80  test3.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 00:52:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/admin/index.html/abcnhhdgdghd

[root@aming01 vhost]# curl -x127.0.0.1:80  test4.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 00:52:22 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@aming01 vhost]#

Nginx access log:

 Log format
 vim /usr/local/nginx/conf/nginx.conf //search for log_format

 $remote_addr           client IP (public IP)
 $http_x_forwarded_for  IP of the proxy server
 $time_local            server local time
 $host                  host name (domain) accessed
 $request_uri           URL accessed
 $status                status code
 $http_referer          referer
 $http_user_agent       user agent

Besides defining the log format in the main config file nginx.conf, the following has to be added to the virtual host config file (test.com.conf):
 access_log /tmp/1.log   combined_realip;     //combined_realip must match the format name defined after log_format in nginx.conf
 combined_realip here is the name of the log format defined in nginx.conf.
 -t && -s reload
 curl -x127.0.0.1:80 test.com -I
 cat /tmp/1.log
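To show what this log format is good for, here is an added example (not from the original post) that runs awk over constructed log lines in the combined_realip layout above and lists clients that repeatedly received 401 or 403, the signal worth watching once auth_basic, allow/deny and anti-hotlink rules are in place. It assumes $http_x_forwarded_for holds a single token (as in the post's lines); a comma-and-space separated list would shift the field numbers.

```shell
#!/bin/sh
# Added example (not from the post): summarise an nginx access log written in
# the post's combined_realip layout, i.e.
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
# and report clients that keep getting denied (401/403).
# Assumes $http_x_forwarded_for is a single token with no spaces.

# Print "ip count" for every client with at least $2 denied responses
# (default 3), highest count first. Reads the log file named in $1.
denied_by_ip() {
    logfile=$1
    threshold=${2:-3}
    awk -v min="$threshold" '
        # $1 = client IP, $7 = status code in this log format
        $7 == 401 || $7 == 403 { denied[$1]++ }
        END {
            for (ip in denied)
                if (denied[ip] >= min)
                    printf "%s %d\n", ip, denied[ip]
        }' "$logfile" | sort -k2,2nr -k1,1
}

# Constructed sample: one normal client, one client repeatedly failing basic
# auth on /admin/, and one hotlink attempt refused by valid_referers.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
10.0.0.5 - [12/Apr/2019:10:40:01 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
10.0.0.5 - [12/Apr/2019:10:40:02 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
10.0.0.5 - [12/Apr/2019:10:40:03 +0800] test.com "/admin/" 401 "-" "curl/7.29.0"
10.0.0.5 - [12/Apr/2019:10:40:04 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
10.0.0.9 - [12/Apr/2019:10:41:00 +0800] test.com "/1.gif" 403 "http://www.baidu.com/1.txt" "curl/7.29.0"
EOF

denied_by_ip "$sample_log" 3
# prints: 10.0.0.5 3
```

Three 401s followed by a 200 from the same address is the shape a password-guessing run leaves behind; the 403 from the other address is the anti-hotlink rule doing its job and is noise at this threshold. Note that when nginx sits behind a proxy, $remote_addr is the proxy's address and the real client has to be taken from $http_x_forwarded_for instead.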

[root@aming01 vhost]# vim  ../nginx.conf   //search for log_format and define the log format
[root@aming01 vhost]# vim test.com.conf        //in the vhost config, set where the log is stored: access_log /tmp/1.log <format name>;
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: [emerg] open() "/tm/test.com.log" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@aming01 vhost]# vim test.com.conf
[root@aming01 vhost]#
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -s reload
[root@aming01 vhost]# curl -x127.0.0.1:80  test4.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:01:35 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@aming01 vhost]# curl -x127.0.0.1:80  test3.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:01:52 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/admin/index.html/abcnhhdgdghd

[root@aming01 vhost]# curl -x127.0.0.1:80  test2.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:01:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/admin/index.html/abcnhhdgdghd

[root@aming01 vhost]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:01:52 +0800] test3.com "/admin/index.html/abcnhhdgdghd" 301 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:01:59 +0800] test2.com "/admin/index.html/abcnhhdgdghd" 301 "-" "curl/7.29.0"
[root@aming01 vhost]#

Nginx log rotation:

Custom shell script
 vim /usr/local/sbin/nginx_log_rotate.sh //write in the following content
#!/bin/bash
## assume nginx logs are stored under /data/logs/
d=$(date -d "-1 day" +%Y%m%d)
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd "$logdir" || exit 1
for log in *.log
do
    mv "$log" "$log-$d"
done
## tell the master process to reopen its log files
/bin/kill -HUP "$(cat "$nginx_pid")"
 Cron job
 0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
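As an added example, not the post's script, the same rotation written defensively as a function so it can be exercised on a throwaway directory. It assumes log files end in .log, that nginx's PID is in the file passed as the third argument, and that the caller supplies the date suffix (the cron job would pass `$(date -d "-1 day" +%Y%m%d)`).

```shell
#!/bin/sh
# Added example (not the post's script): nginx log rotation with the failure
# modes of the simple version handled.
#   - the glob *.log replaces `ls *.log`, so file names with spaces survive and
#     an empty directory does not produce a literal "*.log" name;
#   - a missing log directory is an error rather than a silent cd into $HOME
#     followed by renaming whatever .log files live there;
#   - an archive name that already exists is refused, so a second run on the
#     same day cannot clobber the previous archive;
#   - nginx is sent USR1 ("reopen log files") instead of HUP, which also
#     reloads the configuration; the signal is skipped when no PID file is
#     given, e.g. in a test run.
# Usage: rotate_nginx_logs <logdir> <suffix> [pidfile]; echoes each archive written.
rotate_nginx_logs() {
    logdir=$1
    suffix=$2
    pidfile=$3
    [ -d "$logdir" ] || { echo "no such log directory: $logdir" >&2; return 1; }
    for log in "$logdir"/*.log; do
        [ -f "$log" ] || continue            # glob matched nothing
        archive="$log-$suffix"
        if [ -e "$archive" ]; then
            echo "refusing to overwrite $archive" >&2
            return 1
        fi
        mv -- "$log" "$archive" || return 1
        echo "$archive"
    done
    # Workers keep writing to the renamed files until the master reopens them.
    if [ -n "$pidfile" ] && [ -f "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")"
    fi
    return 0
}

# Self-contained demo on a temp directory; no nginx needed.
demo_dir=$(mktemp -d)
: > "$demo_dir/test.com.log"
: > "$demo_dir/aaa.com.log"
rotate_nginx_logs "$demo_dir" 20190411 ""
```

For a production host the same job is usually handed to logrotate with `dateext`, `compress` and a `postrotate` stanza that sends USR1; the function above is the minimum a hand-written script should do, in particular the refusal to overwrite, since archived access logs are often the only record available during incident response.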

 


[root@aming01 vhost]# vim /usr/local/sbin/nginx_logrotate.sh  //edit the shell script
[root@aming01 vhost]# cat  /usr/local/sbin/nginx_logrotate.sh
#!/bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log  in `ls  *.log`
  do
     mv $log  $log-$d
  done
/bin/kill -HUP `cat  $nginx_pid`
[root@aming01 vhost]# sh -x  /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20190411
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls  *.log`'
+ mv test.com.log test.com.log-20190411
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 908
[root@aming01 vhost]#
[root@aming01 vhost]# crontab -e     //define the cron job

Nginx: no access logging and an expiry time for static files:

 Configuration:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
          expires      7d;
          access_log off;
    }
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }

[root@aming01 vhost]# ls
aaa.com.conf  test.com.conf
[root@aming01 vhost]# vim test.com.conf    //edit the config file and add the configuration above
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -s reload
[root@aming01 vhost]# cd /data/wwwroot/test.com/
[root@aming01 test.com]# ls
admin  index.html
[root@aming01 test.com]# touch 1.gif
[root@aming01 test.com]# vim 2.js
[root@aming01 test.com]# curl -x127.0.01:80 test.com/1.gif
[root@aming01 test.com]# curl -x127.0.01:80 test.com/2.js
aajajajhhhhh
[root@aming01 test.com]# curl -x127.0.01:80 test.com/index.html
test.com
[root@aming01 test.com]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@aming01 test.com]#

Nginx anti-hotlinking:

 Configuration as follows; it can be combined with the configuration above
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

Testing anti-hotlinking:

[root@aming01 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.01:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:54:15 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@aming01 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.01:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:54:33 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Fri, 12 Apr 2019 02:38:21 GMT
Connection: keep-alive
ETag: "5caffa1d-0"
Expires: Fri, 19 Apr 2019 02:54:33 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@aming01 vhost]# !cat
cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:40:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:41:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@aming01 vhost]#

Nginx access control:

 Requirement: requests for the /admin/ directory are allowed only from a few IPs. Configuration:
location /admin/
{
    allow 192.168.133.1;
    allow 127.0.0.1;
    deny all;
}
 mkdir /data/wwwroot/test.com/admin/
 echo "test,test">/data/wwwroot/test.com/admin/1.html
 -t && -s reload
 curl -x127.0.0.1:80 test.com/admin/1.html -I
 curl -x192.168.133.130:80 test.com/admin/1.html -I

 Regular expressions can be matched as well:
location ~ .*(abc|image)/.*\.php$
{
        deny all;
}
Restricting by user_agent:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
 deny all and return 403 have the same effect.

[root@aming01 vhost]# vim test.com.conf
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -s reload
[root@aming01 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 03:17:21 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Wed, 10 Apr 2019 15:12:58 GMT
Connection: keep-alive
ETag: "5cae07fa-19"
Accept-Ranges: bytes

[root@aming01 vhost]# curl -x192.168.88.128:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 03:18:09 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Wed, 10 Apr 2019 15:12:58 GMT
Connection: keep-alive
ETag: "5cae07fa-19"
Accept-Ranges: bytes

[root@aming01 vhost]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:40:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:41:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:11:14:53 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:11:17:21 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.88.128 - [12/Apr/2019:11:18:09 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@aming01 vhost]#

Regex access control test:

Denying access based on user_agent

 

Nginx configuration for parsing PHP:

 Configuration:
location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
 fastcgi_pass specifies the address or socket that php-fpm listens on.

If a 502 error appears, troubleshoot it by cross-checking the nginx configuration against the php-fpm configuration: the socket in fastcgi_pass must match the listen setting of the php-fpm pool.

 

Nginx proxying and load balancing:

 cd /usr/local/nginx/conf/vhost
 vim proxy.conf //add the following content
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

 

 vim /usr/local/nginx/conf/vhost/load.conf // write in the following content
upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
 upstream specifies several web servers

 

How SSL works:

 The browser sends an https request to the server;
 The server must have a set of digital certificates. You can make them yourself (the steps below use a certificate Aming made himself) or apply to an organisation for them. The difference is that a self-issued certificate has to be verified and accepted on the client side before access can continue, whereas a certificate obtained from a trusted company does not trigger a warning page. This set of certificates is really a public/private key pair;
 The server sends the public key to the client;
 The client (browser) receives the public key and checks whether it is valid. If it is invalid a warning is shown; if it is valid, the client generates a random string and encrypts it with the public key it received;
 The client sends the encrypted random string to the server;
 The server receives the encrypted random string and decrypts it with its private key (public-key encryption, private-key decryption). Having obtained the random string, it uses it to encrypt the data it transmits (this is symmetric encryption: the data and the secret key, i.e. this random string, are mixed together by some algorithm, so that without the key the data cannot be recovered);
 The server sends the encrypted data to the client;
 The client receives the data and decrypts it with its own secret key, i.e. that random string.

SSL key pair:

 cd /usr/local/nginx/conf
 openssl genrsa -des3 -out tmp.key 2048 //the key file is the private key
 openssl rsa -in tmp.key -out aminglinux.key //convert the key, removing the passphrase
 rm -f tmp.key
 openssl req -new -key aminglinux.key -out aminglinux.csr //generate the certificate request file; this file together with the private key is used to produce the public key (certificate) file
 openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
 aminglinux.crt here is the public key (certificate)
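Added example, not the post's commands: the same self-signed certificate produced in one non-interactive `openssl req -x509` call, with a subjectAltName so that curl and browsers can match the host name (a certificate with only a CN, as in the post, is rejected by current clients even when trusted), followed by the checks worth running before handing the files to nginx. It assumes openssl is on PATH; the host name aming.com and the DN fields come from the post, the output directory is a temp dir, and the DN is fixed in a config file so the "2 letter code" mistake from the interactive prompt cannot happen.

```shell
#!/bin/sh
# Added example (not from the post): self-signed server certificate with a SAN,
# generated non-interactively, plus pre-deployment sanity checks.

# Generate a private key and self-signed certificate for host $1 into
# directory $2, valid for $3 days (default 365). Prints the certificate path.
# The key is written without a passphrase (the post strips it too, so nginx
# can start unattended) and with mode 600 via umask.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    cfg="$outdir/openssl.cnf"
    # minimal request config; works with OpenSSL 1.0.2 as well as 1.1.1 and 3.x
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
C = CN
ST = Guangdong
L = guangzhou
O = test
CN = $host
[v3_ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    (umask 077 && openssl req -x509 -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
        -days "$days" -config "$cfg" >/dev/null 2>&1) || return 1
    echo "$outdir/$host.crt"
}

# Checks before deployment: the key matches the certificate, the certificate
# carries DNS:$2 in its SAN, and it does not expire within $3 seconds.
# Returns 0 when all three hold, 1 otherwise.
cert_sanity() {
    crt=$1; host=$2; min_seconds=${3:-0}
    key=${crt%.crt}.key
    [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ] || return 1
    openssl x509 -noout -text -in "$crt" | grep -q "DNS:$host" || return 1
    openssl x509 -noout -checkend "$min_seconds" -in "$crt" >/dev/null || return 1
    return 0
}

demo_dir=$(mktemp -d)
crt=""
if command -v openssl >/dev/null 2>&1; then
    crt=$(make_selfsigned aming.com "$demo_dir" 365)
    openssl x509 -noout -subject -dates -in "$crt"
fi
```

With a SAN in place, the curl test in the SSL section can use `curl --cacert /usr/local/nginx/conf/aminglinux.crt https://aming.com/` instead of `-k`: that verifies the chain and host name against the certificate you actually deployed, whereas `-k` switches verification off entirely and would accept any certificate a man-in-the-middle presents.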

[root@aming01 ~]# cd /usr/local/nginx/conf/
[root@aming01 conf]# rpm  -qf `which openssl`
openssl-1.0.2k-16.el7_6.1.x86_64
[root@aming01 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.........................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@aming01 conf]# openssl rsa -in tmp.key -out aminglinux.key  //generate the key file for the SSL certificate
Enter pass phrase for tmp.key:
writing RSA key
[root@aming01 conf]# rm -f tmp.key
[root@aming01 conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:Guangdong          
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:guangzhou
Organizational Unit Name (eg, section) []:gungzhou
Common Name (eg, your name or your server's hostname) []:aming
Email Address []:admin@ruichao.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:ruichao
[root@aming01 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt     ///aminglinux.crt here is the public key

Signature ok
subject=/C=11/ST=Guangdong/L=guangzhou/O=guangzhou/OU=gungzhou/CN=aming/emailAddress=admin@ruichao.com
Getting Private key
[root@aming01 conf]# ls  aminglinux.
aminglinux.crt  aminglinux.csr  aminglinux.key  

Configuring SSL in Nginx:

 vim /usr/local/nginx/conf/vhost/ssl.conf //add the following content
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;   # deprecated since nginx 1.15; the current form is "listen 443 ssl;"
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are obsolete; a hardened setup keeps only TLSv1.2 (and TLSv1.3)
}
 -t && -s reload //if it reports unknown directive "ssl", nginx has to be recompiled with --with-http_ssl_module
 mkdir /data/wwwroot/aming.com
 echo "ssl test page.">/data/wwwroot/aming.com/index.html
 Edit hosts and add 127.0.0.1 aming.com
 curl https://aming.com/

 

[root@aming01 conf]# ls  aminglinux.
aminglinux.crt  aminglinux.csr  aminglinux.key  
[root@aming01 conf]# cd vhost/
[root@aming01 vhost]# mkdir /data/wwwroot/aming.com
[root@aming01 vhost]# vim ssl.conf
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx  -V
nginx version: nginx/1.15.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
configure arguments: --prefix=/usr/local/nginx
[root@aming01 vhost]# cd /usr/local/src/nginx-1.15.5/
[root@aming01 nginx-1.15.5]# ./configure  --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[root@aming01 nginx-1.15.5]# ./configure  --prefix=/usr/local/nginx  --with-http_ssl_module 

[root@aming01 nginx-1.15.5]#   make  && make install 

[root@aming01 nginx-1.15.5]# /usr/local/nginx/sbin/nginx  -V
nginx version: nginx/1.15.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@aming01 nginx-1.15.5]# /usr/local/nginx/sbin/nginx  -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 nginx-1.15.5]# /etc/init.d/nginx  restart
Restarting nginx (via systemctl):                          [  确定  ]
[root@aming01 nginx-1.15.5]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4497/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      894/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      981/master          
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4497/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      894/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      981/master          

[root@aming01 nginx-1.15.5]# cd /data/wwwroot/aming.com/
[root@aming01 aming.com]# vim index.html
[root@aming01 aming.com]# vim /etc/hosts
[root@aming01 aming.com]# cat !$
cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1  aming.com
[root@aming01 aming.com]# curl https://aming.com/    //request over https
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@aming01 aming.com]#

php-fpm pools:

 vim /usr/local/php/etc/php-fpm.conf //add in the [global] section
 include = etc/php-fpm.d/*.conf
 mkdir /usr/local/php/etc/php-fpm.d/
 cd /usr/local/php/etc/php-fpm.d/
 vim www.conf //content as follows
[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

 

[root@aming01 ~]# cd /usr/local/php-fpm/etc/
[root@aming01 etc]# ls
pear.conf  php-fpm.conf  php-fpm.conf.default  php.ini
[root@aming01 etc]# cat php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@aming01 etc]#
[root@aming01 etc]# vim !$        //add a [xian.com] pool
vim php-fpm.conf
[root@aming01 etc]# /usr/local/php-fpm/sbin/php-fpm  -t
[24-Apr-2019 10:25:48] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@aming01 etc]# /etc/init.d/php-fpm   restart     //restart php-fpm
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@aming01 etc]# ps aux|grep php-fpm  //you will see 2 pools (the added xian pool appears)

[root@aming01 etc]#
[root@aming01 etc]# vim php-fpm.conf   //edit the config file
[root@aming01 etc]# cat  php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include=etc/php-fpm.d/*.conf
[root@aming01 etc]# mkdir php-fpm.d
[root@aming01 etc]# mv www.conf   xian.conf   php-fpm.d/
[root@aming01 etc]# ls
pear.conf  php-fpm.conf  php-fpm.conf.default  php-fpm.d  php.ini
[root@aming01 etc]# ls  php-fpm.d/
www.conf  xian.conf
[root@aming01 etc]#

php-fpm slow log

 vim /usr/local/php-fpm/etc/php-fpm.d/www.conf //add the following
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
 Configure the nginx virtual host test.com.conf, changing unix:/tmp/php-fcgi.sock to unix:/tmp/www.sock
 Reload the nginx service
 vim /data/wwwroot/test.com/sleep.php //write in the following content
 <?php echo "test slow log";sleep(2);echo "done";?>
 curl -x127.0.0.1:80 test.com/sleep.php
 cat /usr/local/php-fpm/var/log/www-slow.log

Steps:

[root@aming01 php-fpm.d]# pwd
/usr/local/php-fpm/etc/php-fpm.d
[root@aming01 php-fpm.d]# ls
www.conf  xian.conf
[root@aming01 php-fpm.d]# vim www.conf   //edit the config file; the last 2 lines are the new settings

[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout=1    //requests taking longer than 1 second are logged
slowlog=/usr/local/php-fpm/var/log/www-slow.log

[root@aming01 php-fpm.d]# vim www.conf
[root@aming01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm   -t   //check the config file
[25-Apr-2019 22:39:41] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@aming01 php-fpm.d]# /etc/init.d/php-fpm  reload
Reload service php-fpm  done
[root@aming01 php-fpm.d]# cat www.conf
[www]
listen = /tmp/php-fcgi.sock   //if this is wrong, a 502 gateway error follows
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout=1
slowlog=/usr/local/php-fpm/var/log/www-slow.log
[root@aming01 php-fpm.d]# ls  /usr/local/php-fpm/var/log/       //after the restart the slow log file has been created
php-fpm.log  www-slow.log

 

[root@aming01 vhost]# !curl   //during the test a gateway error was reported (the expected result is the output of sleep.php)
curl -x127.0.0.1:80  test.com/sleep.php  
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 php-fpm.d]# cat www.conf
[www]
listen = /tmp/php-fcgi.sock    //correct this line and it works
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
#php_admin_value[open_basedir] = /data/wwwroot/test.com:/tmp/

 

open_basedir: restrict PHP to a directory

 vim /usr/local/php-fpm/etc/php-fpm.d/aming.conf //add the following
php_admin_value[open_basedir]=/data/wwwroot/aming.com:/tmp/
 Create a test PHP script and test
 Change aming.conf again, modify the path, and test again
 Configure the error log
 Test again
 Check the error log

 

 pm = dynamic  //dynamic process management; can also be static
 pm.max_children = 50 //maximum number of child processes; check with ps aux
 pm.start_servers = 20 //number of processes started when the service starts
 pm.min_spare_servers = 5 //minimum number of idle child processes; when the count drops to this value php-fpm spawns new children
 pm.max_spare_servers = 35 //maximum number of idle child processes; above this value idle children are cleaned up
 pm.max_requests = 500  //maximum number of requests one child process handles; once a php-fpm child reaches this number it exits automatically

Extended reading

Detailed explanation of nginx.conf

https://coding.net/u/aminglinux/p/nginx/git/tree/master/3z

The four flags of nginx rewrite

http://unixman.blog.51cto.com/10163040/1711943

https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md

502 problem roundup: http://ask.apelearn.com/question/9109

location priority: https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md

SSL

https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ca.md

https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ssl.md

Load balancing

https://coding.net/u/aminglinux/p/nginx/git/blob/master/proxy/lb.md

Nginx algorithm analysis: https://blog.whsir.com/post-1482.html

root and alias

http://www.ttlsa.com/nginx/nginx-root_alias-file-path-configuration/
