nginx常用配置-白红宇

nginx常用配置

阅读量：5994 次

发布时间：2019-06-20

本文共 7111 字，大约阅读时间需要 23 分钟。

1. 配置第二个虚拟主机

可以在nginx.conf 加一行

include conf/vhosts/*.conf;

这样，我们就可以在 conf/vhosts目录下创建虚拟主机配置文件了。

[ conf]# pwd

/usr/local/nginx/conf

[ conf]# mkdir vhosts

[ conf]# cd vhosts/

[ vhosts]# touch default.conf

[ vhosts]# cat default.conf

server

{

listen 80 default;

server_name localhost;

index index.html index.htm index.php;

root /usr/local/nginx/html/;

location ~ \.php$ {

include fastcgi_params;

fastcgi_pass 127.0.0.1:9000;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;

}

[ vhosts]# cat discaz.conf

server

{

listen 80;

server_name

index index.html index.htm index.php;

root /data/www;

location ~ \.php$ {

include fastcgi_params;

fastcgi_pass 127.0.0.1:9000;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

}

2.用户认证

首先需要安装apache，可以使用yum install httpd 安装

生成密码文件，创建用户

[ log]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/.htpasswd aming // 添加aming用户，第一次添加时需要加-c参数，第二次添加时不需要-c参数

在nginx的配置文件中添加

location / {

root /data/www/uc_server;

auth_basic "Auth";

auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

}

3.域名重定向

if ($host != 'www.123.com' ) {

rewrite ^/(.*)$ http://www.123.com/$1 permanent;

}

[ ~]# curl -x127.0.0.1:80 -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.6.2

Date: Sun, 17 May 2015 18:59:07 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location:

[ ~]# curl -x127.0.0.1:80 -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.6.2

Date: Sun, 17 May 2015 18:59:19 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.4.37

location: forum.php

4.日志相关

日志切割：

编写脚本：

vim /usr/local/sbin/logrotate.sh //加入

#! /bin/bash

d=`date -d "-1 day" +%Y%m%d`

/bin/mv /home/logs/discuz.log /home/logs/discuz_$d.log

/etc/init.d/nginx reload >/dev/null 2>/dev/null

[ vhosts]# vi /usr/local/nginx/conf/vhosts/discaz.conf //在虚拟机配置文件内添加一下内容

access_log /home/logs/discuz.log combined_realip;

[ vhosts]# cat /home/logs/discuz_20150517.log

127.0.0.1 - [18/May/2015:03:27:09 +0800]www.123.com "/uc_server/" 302"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

日志格式

[ conf]# vi /usr/local/nginx/conf/nginx.conf //在此文件内更改日志的格式

log_format main '$remote_addr - $remote_user [$time_local] $request '

'"$status" $body_bytes_sent "$http_referer" '

'"$http_user_agent" "$http_x_forwarded_for"';

log_format main1 '$proxy_add_x_forwarded_for - $remote_user [$time_local] '

'"$request" $status $body_bytes_sent '

'"$http_referer" "$http_user_agent"'; //此日志格式为，ip不仅记录代理的ip还记录远程客户端真实IP。

错误日志error_log日志级别

error_log 级别分为 debug, info, notice, warn, error, crit 默认为crit, 该级别在日志名后边定义格式如下：

error_log /your/path/error.log crit;

crit 记录的日志最少，而debug记录的日志最多。如果你的nginx遇到一些问题，比如502比较频繁出现，但是看默认的error_log并没有看到有意义的信息，那么就可以调一下错误日志的级别，当你调成error级别时，错误日志记录的内容会更加丰富。

5.静态文件不记录日志，配置缓存

[ vhosts]# vi discaz.conf

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

{

expires 30d;

access_log off;

}

location ~ .*\.(js|css)?$

{

expires 12h;

access_log off;

}

[ ~]# curl -x127.0.0.1:80 'http://www.123.com/static/p_w_picpath/common/logo.png' -I

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Sun, 17 May 2015 19:48:54 GMT

Content-Type: p_w_picpath/png

Content-Length: 4425

Last-Modified: Fri, 26 Dec 2014 01:49:42 GMT

Connection: keep-alive

ETag: "549cbeb6-1149"

Expires: Tue, 16 Jun 2015 19:48:54 GMT

Cache-Control: max-age=

Accept-Ranges: bytes2592000

6.防盗链

在 nginx.conf中的server部分中添加如下代码

[ vhosts]# vi discaz.conf

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {

valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com *.123.com *.aaa.com *.bbb.com ; // 对这些域名的网站不进行盗链。

if ($invalid_referer) {

return 403;

rewrite ^/ http://www.example.com/nophoto.gif;

}

说明：如果前面配置中已经加了

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

{

expires 30d;

access_log off;

}

那么会和这一部分重复，这时候上面的生效，所以，我们需要把两者合在一起。如下：

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

{

expires 30d;

valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com *.123.com *.aaa.com *.bbb.com; // 对这些域名的网站不进行盗链。

if ($invalid_referer) {

return 403;

rewrite ^/ http://www.example.com/nophoto.gif;

}

access_log off;

}

[root@localhost vhosts]# curl -x127.0.0.1:80 -e "http://dawe.com/sfawe" 'http://www.123.com/static/p_w_picpath/common/logo.png' -I

HTTP/1.1 403 Forbidden

Server: nginx/1.6.2

Date: Sun, 17 May 2015 20:02:37 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

7.访问控制

限制只让某个ip访问

deny 127.0.0.1;

allow all;

[ ~]# curl -x127.0.0.1:80 -I

HTTP/1.1 403 Forbidden

Server: nginx/1.6.2

Date: Mon, 18 May 2015 18:57:30 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

[ ~]# vi /usr/local/nginx/conf/vhosts/discaz.conf //限制某个目录的访问

location /uc_server/ {

allow 192.168.1.119;

deny all;

location ~ \.php$ {

include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/
}

}

[ uc_server]# curl -x127.0.0.1:80 -I

HTTP/1.1 403 Forbidden

Server: nginx/1.6.2

Date: Mon, 18 May 2015 19:26:23 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

有时候会根据目录来限制php解析：

{

deny all;

}

[ uc_server]# curl -x127.0.0.1:80 -I

HTTP/1.1 403 Forbidden

Server: nginx/1.6.2

Date: Mon, 18 May 2015 19:43:59 GMT

Content-Type: text/html

Content-Length: 168

Connection: keep-alive

在实验中我发现在虚拟主机配置文件中若将php解析文件的配置放在限制前会报错为404，可见今后在配置时需要多注意逻辑顺序

[ uc_server]# curl -x127.0.0.1:80 -I

HTTP/1.1 404 Not Found

Server: nginx/1.6.2

Date: Mon, 18 May 2015 19:42:43 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.4.37

使用 user_agent 控制客户端访问

location /

{

if ($http_user_agent ~ 'bingbot/2.0|MJ12bot/v1.4.2|Spider/3.0|YoudaoBot|Tomato|Gecko/20100315'){

return 403;

}

8.伪静态

rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;

rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;

rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;

rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;

rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;

rewrite ^([^\.]*)/(fid|tid)-([0-9]+)\.html$ $1/index.php?action=$2&value=$3 last;

9.nginx 代理

server {

listen 80;

server_name aaa.com;

location / {

proxy_pass

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

# access_log /home/logs/aaa_access.log combined;

}

如果后端的机器有多台

upstream bbb

{

server 1.2.3.1:80;

server 1.2.3.4:80;

}

server {

listen 80;

server_name bbb.com;

location / {

proxy_pass http://bbb/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

# access_log /home/logs/bb_access.log combined;

}

扩展学习：

根据访问的目录来区分后端的web

针对请求的uri来代理

转载于:https://blog.51cto.com/cuchadanfan/1652604

你可能感兴趣的文章

mkdir用法

查看>>

如何禁止远程桌面时使用本地administrator登录

《High Performance Django》阅读笔记

[20170628]11g修改用户名.txt

【Lv1-Lesson006】Basic Phone Language

查看>>

python 爬取<a>标签内href的方法及遇到的问题

查看>>

07.LoT.UI 前后台通用框架分解系列之——轻巧的文本编辑器

查看>>

VS中的快捷键（转载）

查看>>