LNMP的介绍:
和LAMP不同的是,提供web服务的是Nginx
并且php是作为一个独立服务存在的,这个服务叫做php-fpm
Nginx直接处理静态请求,动态请求会转发给php-fpm
Mysql的安装: 这里参考前面LAMP的mysql的安装
[root@aming01 php-5.6.39]# ls /usr/local/php-fpm/etc/
pear.conf php-fpm.conf.default
[root@aming01 php-5.6.39]# cp php.ini-production /usr/local/php-fpm/etc/php.ini
[root@aming01 php-5.6.39]# cd /usr/local/php-fpm/etc/
[root@aming01 etc]# ls
pear.conf php-fpm.conf.default php.ini
[root@aming01 etc]# vim php-fpm.conf //写入如下的配置文件内容
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
Nginx
Nginx官网 nginx.org,最新版1.13,最新稳定版1.12
Nginx应用场景:web服务、反向代理、负载均衡
Nginx著名分支,淘宝基于Nginx开发的Tengine,使用上和Nginx一致,服务名,配置文件名都一样,和Nginx的最大区别在于Tenging增加了一些定制化模块,在安全限速方面表现突出,另外它支持对js,css合并
Nginx核心+lua相关的组件和模块组成了一个支持lua的高性能web容器openresty,参考http://jinnianshilongnian.iteye.com/blog/2280928
nginx的安装:
cd /usr/local/src
wget http://nginx.org/download/nginx-1.12.1.tar.gz
tar zxf nginx-1.12.1.tar.gz
./configure --prefix=/usr/local/nginx
make && make install
vim /etc/init.d/nginx //复制如下内容(参考https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/etc_init.d_nginx )
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
vim nginx.conf //写入如下内容(参考https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/nginx.conf)
/usr/local/nginx/sbin/nginx -t
/etc/init.d/nginx start
netstat -lntp |grep 80
[root@aming01 nginx-1.15.5]# vim /etc/init.d/nginx
[root@aming01 nginx-1.15.5]# chmod 755 /etc/init.d/nginx
[root@aming01 nginx-1.15.5]# chkconfig --add nginx
[root@aming01 nginx-1.15.5]# chkconfig nginx on
[root@aming01 nginx-1.15.5]# cd /usr/local/nginx/conf/
[root@aming01 conf]# ls
fastcgi.conf koi-utf nginx.conf uwsgi_params
fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default
fastcgi_params mime.types scgi_params win-utf
fastcgi_params.default mime.types.default scgi_params.default
[root@aming01 conf]# mv nginx.conf nginx.conf.bak
[root@aming01 conf]# vim nginx.conf
[root@aming01 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 conf]# /etc/init.d/nginx start
Starting nginx (via systemctl): [ 确定 ]
[root@aming01 conf]# ps aux|grep nginx
root 5697 0.0 0.0 20552 628 ? Ss 10:15 0:00 nginx: master process /usr/local/ngin/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody 5701 0.0 0.3 23040 3212 ? S 10:15 0:00 nginx: worker process
nobody 5702 0.0 0.3 23040 3212 ? S 10:15 0:00 nginx: worker process
root 5708 0.0 0.0 112724 988 pts/0 S+ 10:15 0:00 grep --color=auto nginx
[root@aming01 conf]#
测试php的解释:
vi /usr/local/nginx/html/1.php //加入如下内容
<?php
echo "test php scripts.";
?>
curl localhost/1.php
Nginx的默认虚拟主机:
vim /usr/local/nginx/conf/nginx.conf //增加
include vhost/*.conf
mkdir /usr/local/nginx/conf/vhost
cd !$; vim default.conf //加入如下内容
server
{
listen 80 default_server; // 有这个标记的就是默认虚拟主机
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
mkdir -p /data/wwwroot/default/
echo “This is a default site.”>/data/wwwroot/default/index.html
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl localhost
curl -x127.0.0.1:80 123.com
[root@aming01 conf]# vim nginx.conf
[root@aming01 conf]# pwd
/usr/local/nginx/conf
[root@aming01 conf]# mkdir vhost
[root@aming01 conf]# cd vhost/
[root@aming01 vhost]# vim aaa.conf
[root@aming01 vhost]# vim aaa.com.conf
[root@aming01 vhost]# cat aaa.com.conf
server
{
listen 80 default_server;
server_name aaa.com;
index index.html index.htm index.php;
root /data/wwwroot/default;
}
[root@aming01 vhost]# mkdir /data/wwwroot/default/
[root@aming01 vhost]# cd /data/wwwroot/default/
[root@aming01 default]# vim index.html
[root@aming01 default]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 default]# /usr/local/nginx/sbin/nginx -s reload
[root@aming01 default]# curl localhost
This is default site
[root@aming01 default]# curl -x127.0.0.1:80 bbbb.com
This is default site
[root@aming01 default]# curl -x127.0.0.1:80 aaa.com
This is default site
[root@aming01 default]#
nginx的用户认证:
vim /usr/local/nginx/conf/vhost/test.com.conf//写入如下内容
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
yum install -y httpd
htpasswd -c /usr/local/nginx/conf/htpasswd aming
-t && -s reload //测试配置并重新加载
mkdir /data/wwwroot/test.com
echo “test.com”>/data/wwwroot/test.com/index.html
curl -x127.0.0.1:80 test.com -I//状态码为401说明需要验证
curl -uaming:passwd 访问状态码变为200
编辑windows的hosts文件,然后在浏览器中访问test.com会有输入用户、密码的弹窗
针对目录的用户认证
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
[root@aming01 vhost]# vim test.com.conf //编辑配置文件,把配置文件写入到test.com里面
[root@aming01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@aming01 vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd aming//已经安装有apache2.4,直接使用创建用户aming 和密码(密码用户输入)。
New password:
Re-type new password:
Adding password for user aming
[root@aming01 vhost]# cat /usr/local/nginx/conf/htpasswd //看下创建的密码
aming:$apr1$/3ELWASr$O9xJsqwDHbi7WX8ULFRyA1
[root@aming01 vhost]# /usr/local/apache2.4/bin/htpasswd /usr/local/nginx/conf/htpasswd user1
New password:
Re-type new password:
Adding password for user user1
[root@aming01 vhost]# cat /usr/local/nginx/conf/htpasswd
aming:$apr1$/3ELWASr$O9xJsqwDHbi7WX8ULFRyA1
user1:$apr1$KvZYllHb$jTsDW4I7qdu4hSQjGfImC.
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t //检查配置文件。
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -s reload //重新加载nginx
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com //提示401需要用户认证
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 vhost]# mkdir /data/wwwroot/test.com //创建测试目录
[root@aming01 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html //编辑测试文件index.html
[root@aming01 vhost]# curl -uaming:123456 -x127.0.0.1:80 test.com //用户认证curl 用户名+密码 提示认证成功。
test.com
[root@aming01 vhost]# vim test.com.conf //认证/admin/目录
[root@aming01 vhost]# cat test.com.conf //配置文件修改如下:
server
{
listen 80;
server_name test.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
location /admin/ //验证目录/admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com //test.com直接可以访问了,但是/admin/目录的如下提示需要用户认证
test.com
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com/admin/ //访问/admin/目录的时候需要用户认证。
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 vhost]# mkdir /data/wwwroot/test.com/admin/ //创建测试目录/data/wwwroot/test.com/admin/
[root@aming01 vhost]# echo "test.com admin directory" > /data/wwwroot/test.com/admin/index.html
[root@aming01 vhost]# curl -x127.0.0.1:80 test.com/admin/ //对/admin/目录进行测试。401需要用户认证
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 vhost]# curl -uaming:123456 -x127.0.0.1:80 test.com/admin/ //curl加上用户名和密码即可,用户认证成功
test.com admin directory
[root@aming01 vhost]#
对admin.php进行验证:
[root@aming03 vhost]# cat yanzheng.conf
server
{
listen 80;
server_name yanzheng.com;
index index.html index.htm index.php;
root /data/wwwroot/yanzheng;
# location /admin/ ##对目录admin进行用户验证(401)
location ~ admin.php ##对admin.php 进行验证 (401)
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
}
[root@aming03 vhost]# cat /data/wwwroot/yanzheng/admin.php
test_admin.php
[root@aming03 vhost]# curl -x127.0.0.1:80 yanzheng.com/admin.php // 需要用户验证
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming03 vhost]# curl -uaming:123456 -x127.0.0.1:80 yanzheng.com/admin.php
test_admin.php
[root@aming03 vhost]#
nginx域名重定向:
更改test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
}
server_name后面支持写多个域名,这里要和httpd的做一个对比
permanent为永久重定向,状态码为301,如果写redirect则为302
[root@aming01 vhost]#
[root@aming01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@aming01 vhost]# ls
aaa.com.conf test.com.conf
[root@aming01 vhost]# vim test.com.conf
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@aming01 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 00:52:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/index.html
[root@aming01 vhost]# curl -x127.0.0.1:80 test3.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 00:52:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/admin/index.html/abcnhhdgdghd
[root@aming01 vhost]# curl -x127.0.0.1:80 test4.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 00:52:22 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@aming01 vhost]#
nginx访问日志:
日志格式
vim /usr/local/nginx/conf/nginx.conf //搜索log_format
$remote_addr 客服端IP(公网IP)
$http_x_forwarded_for 代理服务器的IP
$time_local 服务器本地时间
$host 访问主机名(域名)
$request_uri 访问的url地址
$status 状态码
$http_referer referer
$http_user_agent user_agent
除了在主配置文件nginx.conf里定义日志格式外,还需要在虚拟主机配置文件(test.com.conf)中增加
access_log /tmp/1.log combined_realip; //combined_realip这里要与nginx.conf里面的log_format后面定义的日志格式一致
这里的combined_realip就是在nginx.conf中定义的日志格式名字
-t && -s reload
curl -x127.0.0.1:80 test.com -I
cat /tmp/1.log
[root@aming01 vhost]# vim ../nginx.conf //搜索log_format 定义日志格式
[root@aming01 vhost]# vim test.com.conf //虚拟主机配置文件中定义日志log的存放位置 access_log /tmp/1.log 日志格式的名字;
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: [emerg] open() "/tm/test.com.log" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@aming01 vhost]# vim test.com.conf
[root@aming01 vhost]#
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@aming01 vhost]# curl -x127.0.0.1:80 test4.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 404 Not Found
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:01:35 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@aming01 vhost]# curl -x127.0.0.1:80 test3.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:01:52 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/admin/index.html/abcnhhdgdghd
[root@aming01 vhost]# curl -x127.0.0.1:80 test2.com/admin/index.html/abcnhhdgdghd -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:01:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://test.com/admin/index.html/abcnhhdgdghd
[root@aming01 vhost]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:01:52 +0800] test3.com "/admin/index.html/abcnhhdgdghd" 301 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:01:59 +0800] test2.com "/admin/index.html/abcnhhdgdghd" 301 "-" "curl/7.29.0"
[root@aming01 vhost]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:01:52 +0800] test3.com "/admin/index.html/abcnhhdgdghd" 301 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:01:59 +0800] test2.com "/admin/index.html/abcnhhdgdghd" 301 "-" "curl/7.29.0"
[root@aming01 vhost]#
nginx日志切割:
自定义shell 脚本
vim /usr/local/sbin/nginx_log_rotate.sh//写入如下内容
#! /bin/bash
## 假设nginx的日志存放路径为/data/logs/
d=`date -d "-1 day" +%Y%m%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`
任务计划
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
[root@aming01 vhost]# vim /usr/local/sbin/nginx_logrotate.sh //编辑shell脚本
[root@aming01 vhost]# cat /usr/local/sbin/nginx_logrotate.sh
#!/bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`
[root@aming01 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20190411
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20190411
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 908
[root@aming01 vhost]#
[root@aming01 vhost]# crontab -e //定义任务计划
nginx静态文件不记录日志和过期时间:
配置如下
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 7d;
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
[root@aming01 vhost]# ls
aaa.com.conf test.com.conf
[root@aming01 vhost]# vim test.com.conf //修改配置文件。写入上面配置文件的信息。
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@aming01 vhost]# cd /data/wwwroot/test.com/
[root@aming01 test.com]# ls
admin index.html
[root@aming01 test.com]# touch 1.gif
[root@aming01 test.com]# vim 2.js
[root@aming01 test.com]# curl -x127.0.01:80 test.com/1.gif
[root@aming01 test.com]# curl -x127.0.01:80 test.com/2.js
aajajajhhhhh
[root@aming01 test.com]# curl -x127.0.01:80 test.com/index.html
test.com
[root@aming01 test.com]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@aming01 test.com]#
nginx的防盗链:
配置如下,可以和上面的配置结合起来
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
测试防盗链:
[root@aming01 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.01:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:54:15 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@aming01 vhost]# curl -e "http://www.test.com/1.txt" -x127.0.01:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 02:54:33 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Fri, 12 Apr 2019 02:38:21 GMT
Connection: keep-alive
ETag: "5caffa1d-0"
Expires: Fri, 19 Apr 2019 02:54:33 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@aming01 vhost]# !cat
cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:40:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:41:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@aming01 vhost]#
nginx的访问控制:
需求:访问/admin/目录的请求,只允许某几个IP访问,配置如下:
location /admin/
{
allow 192.168.133.1;
allow 127.0.0.1;
deny all;
}
mkdir /data/wwwroot/test.com/admin/
echo “test,test”>/data/wwwroot/test.com/admin/1.html
-t && -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.133.130:80 test.com/admin/1.html -I
可以匹配正则
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
根据user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
deny all和return 403效果一样
[root@aming01 vhost]# vim test.com.conf
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@aming01 vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 03:17:21 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Wed, 10 Apr 2019 15:12:58 GMT
Connection: keep-alive
ETag: "5cae07fa-19"
Accept-Ranges: bytes
[root@aming01 vhost]# curl -x192.168.88.128:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Fri, 12 Apr 2019 03:18:09 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Wed, 10 Apr 2019 15:12:58 GMT
Connection: keep-alive
ETag: "5cae07fa-19"
Accept-Ranges: bytes
[root@aming01 vhost]# cat /tmp/test.com.log
127.0.0.1 - [12/Apr/2019:10:39:23 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:40:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:10:41:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:11:14:53 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Apr/2019:11:17:21 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.88.128 - [12/Apr/2019:11:18:09 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@aming01 vhost]#
正则访问控制测试:
根据user_agetn禁止访问控制
nginx解释php的相关配置:
配置如下:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
fastcgi_pass 用来指定php-fpm监听的地址或者socket
如果出现502错误,要注意排查。nginx的配置文件和php-fpm的配置文件信息的核对排查。
Nginx的代理和负载均衡:
cd /usr/local/nginx/conf/vhost
vim proxy.conf //加入如下内容
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://121.201.9.155/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
vim /usr/local/nginx/conf/vhost/load.conf // 写入如下内容
upstream qq_com
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
upstream来指定多个web server
SSL的工作原理:
浏览器发送一个https的请求给服务器;
服务器要有一套数字证书,可以自己制作(后面的操作就是阿铭自己制作的证书),也可以向组织申请,区别就是自己颁发的证书需要客户端验证通过,才可以继续访问,而使用受信任的公司申请的证书则不会弹出>提示页面,这套证书其实就是一对公钥和私钥;
服务器会把公钥传输给客户端;
客户端(浏览器)收到公钥后,会验证其是否合法有效,无效会有警告提醒,有效则会生成一串随机数,并用收到的公钥加密;
客户端把加密后的随机字符串传输给服务器;
服务器收到加密随机字符串后,先用私钥解密(公钥加密,私钥解密),获取到这一串随机数后,再用这串随机字符串加密传输的数据(该加密为对称加密,所谓对称加密,就是将数据和私钥也就是这个随机字符串>通过某种算法混合在一起,这样除非知道私钥,否则无法获取数据内容);
服务器把加密后的数据传输给客户端;
客户端收到数据后,再用自己的私钥也就是那个随机字符串解密
SSL密钥对:
cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048//key文件为私钥
openssl rsa -in tmp.key -out aminglinux.key //转换key,取消密码
rm -f tmp.key
openssl req -new -key aminglinux.key -out aminglinux.csr//生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件
openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
这里的aminglinux.crt为公钥
[root@aming01 ~]# cd /usr/local/nginx/conf/
[root@aming01 conf]# rpm -qf `which openssl`
openssl-1.0.2k-16.el7_6.1.x86_64
[root@aming01 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.........................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@aming01 conf]# openssl rsa -in tmp.key -out aminglinux.key //生成ssl的证书文件
Enter pass phrase for tmp.key:
writing RSA key
[root@aming01 conf]# rm -f tmp.key
[root@aming01 conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:guangzhou
Organizational Unit Name (eg, section) []:gungzhou
Common Name (eg, your name or your server's hostname) []:aming
Email Address []:admin@ruichao.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:ruichao
[root@aming01 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt ///这里的aminglinux.crt为公钥
Signature ok
subject=/C=11/ST=Guangdong/L=guangzhou/O=guangzhou/OU=gungzhou/CN=aming/emailAddress=admin@ruichao.com
Getting Private key
[root@aming01 conf]# ls aminglinux.
aminglinux.crt aminglinux.csr aminglinux.key
Nginx配置SSL:
vim /usr/local/nginx/conf/vhost/ssl.conf//加入如下内容
server
{
listen 443;
server_name aming.com;
index index.html index.php;
root /data/wwwroot/aming.com;
ssl on;
ssl_certificate aminglinux.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
-t && -s reload //若报错unknown directive “ssl” ,需要重新编译nginx,加上--with-http_ssl_module
mkdir /data/wwwroot/aming.com
echo “ssl test page.”>/data/wwwroot/aming.com/index.html
编辑hosts,增加127.0.0.1 aming.com
curl https://aming.com/
[root@aming01 conf]# ls aminglinux.
aminglinux.crt aminglinux.csr aminglinux.key
[root@aming01 conf]# cd vhost/
[root@aming01 vhost]# mkdir /data/wwwroot/aming.com
[root@aming01 vhost]# vim ssl.conf
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@aming01 vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
configure arguments: --prefix=/usr/local/nginx
[root@aming01 vhost]# cd /usr/local/src/nginx-1.15.5/
[root@aming01 nginx-1.15.5]# ./configure --help |grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@aming01 nginx-1.15.5]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@aming01 nginx-1.15.5]# make && make install
[root@aming01 nginx-1.15.5]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@aming01 nginx-1.15.5]# /usr/local/nginx/sbin/nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aming01 nginx-1.15.5]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@aming01 nginx-1.15.5]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 894/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 981/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4497/nginx: master
tcp6 0 0 :::22 :::* LISTEN 894/sshd
tcp6 0 0 ::1:25 :::* LISTEN 981/master
[root@aming01 nginx-1.15.5]# cd /data/wwwroot/aming.com/
[root@aming01 aming.com]# vim index.html
[root@aming01 aming.com]# vim /etc/hosts
[root@aming01 aming.com]# cat !$
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 aming.com
[root@aming01 aming.com]# curl https://aming.com/ //访问证书
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@aming01 aming.com]#
php-fpm的pool池:
vim /usr/local/php/etc/php-fpm.conf//在[global]部分增加
include = etc/php-fpm.d/*.conf
mkdir /usr/local/php/etc/php-fpm.d/
cd /usr/local/php/etc/php-fpm.d/
vim www.conf //内容如下
[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@aming01 ~]# cd /usr/local/php-fpm/etc/
[root@aming01 etc]# ls
pear.conf php-fpm.conf php-fpm.conf.default php.ini
[root@aming01 etc]# cat php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@aming01 etc]#
[root@aming01 etc]# vim !$ //增加一个[xian.com]的pool
vim php-fpm.conf
[root@aming01 etc]# /usr/local/php-fpm/sbin/php-fpm -t
[24-Apr-2019 10:25:48] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@aming01 etc]# /etc/init.d/php-fpm restart //重新加载php-fpm
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@aming01 etc]# ps aux|grep php-fpm //将会看到2个pool(多了一个增加的xian pool池)
[root@aming01 etc]#
[root@aming01 etc]# vim php-fpm.conf 编辑配置文件
[root@aming01 etc]# cat php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include=etc/php-fpm.d/*.conf
[root@aming01 etc]# mkdir php-fpm.d
[root@aming01 etc]# mv www.conf xian.conf php-fpm.d/
[root@aming01 etc]# ls
pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini
[root@aming01 etc]# ls php-fpm.d/
www.conf xian.conf
[root@aming01 etc]#
php-fpm慢执行日志
vim /usr/local/php-fpm/etc/php-fpm.d/www.conf//加入如下内容
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
配置nginx的虚拟主机test.com.conf,把unix:/tmp/php-fcgi.sock改为unix:/tmp/www.sock
重新加载nginx服务
vim /data/wwwroot/test.com/sleep.php//写入如下内容
<?php echo “test slow log”;sleep(2);echo “done”;?>
curl -x127.0.0.1:80 test.com/sleep.php
cat /usr/local/php-fpm/var/log/www-slow.log
操作如下:
[root@aming01 php-fpm.d]# pwd
/usr/local/php-fpm/etc/php-fpm.d
[root@aming01 php-fpm.d]# ls
www.conf xian.conf
[root@aming01 php-fpm.d]# vim www.conf //编辑配置文件,增加最后2行是设置。
[www]
listen = /tmp/www.sock
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout=1 //超过1秒的语句将会被记录
slowlog=/usr/local/php-fpm/var/log/www-slow.log
[root@aming01 php-fpm.d]# vim www.conf
[root@aming01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t //检查配置文件
[25-Apr-2019 22:39:41] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@aming01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@aming01 php-fpm.d]# cat www.conf
[www]
listen = /tmp/php-fcgi.sock //此处如果写错了,后面就会报502网关错误
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout=1
slowlog=/usr/local/php-fpm/var/log/www-slow.log
[root@aming01 php-fpm.d]# ls /usr/local/php-fpm/var/log/ //重启后生成了慢查询日志。
php-fpm.log www-slow.log
[root@aming01 vhost]# !curl //实验测试的时候 报网关错误(实际结果是输出sleep.php的信息)
curl -x127.0.0.1:80 test.com/sleep.php
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>
[root@aming01 php-fpm.d]# cat www.conf
[www]
listen = /tmp/php-fcgi.sock //更正这里即可正常
listen.mode=666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
#php_admin_value[open_basedir] = /data/wwwroot/test.com:/tmp/
open_basedir 限定到某个目录
vim /usr/local/php-fpm/etc/php-fpm.d/aming.conf//加入如下内容
php_admin_value[open_basedir]=/data/wwwroot/aming.com:/tmp/
创建测试php脚本,进行测试
再次更改aming.conf,修改路径,再次测试
配置错误日志
再次测试
查看错误日志
pm = dynamic //动态进程管理,也可以是static
pm.max_children = 50 //最大子进程数,ps aux可以查看
pm.start_servers = 20 //启动服务时会启动的进程数
pm.min_spare_servers = 5 //定义在空闲时段,子进程数的最少数量,如果达到这个数值时,php-fpm服务会自动派生新的子进程。
pm.max_spare_servers = 35 //定义在空闲时段,子进程数的最大值,如果高于这个数值就开始清理空闲的子进程。
pm.max_requests = 500 //定义一个子进程最多处理的请求数,也就是说在一个php-fpm的子进程最多可以处理这么多请求,当达到这个数值时,它会自动退出。
扩展
nginx.conf 配置详解
https://coding.net/u/aminglinux/p/nginx/git/tree/master/3z
nginx rewrite四种flag
http://unixman.blog.51cto.com/10163040/1711943
https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md
502问题汇总 http://ask.apelearn.com/question/9109
location优先级https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md
ssl相关
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ca.md
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ssl.md
负载均衡
https://coding.net/u/aminglinux/p/nginx/git/blob/master/proxy/lb.md
nginx算法分析https://blog.whsir.com/post-1482.html
root和alias
http://www.ttlsa.com/nginx/nginx-root_alias-file-path-configuration/
