nginx configuration introduction (part 2)

Virtual host definitions

1. Port-based virtual host

Back up the configuration first, then add a server block:

    cp nginx.conf{,.bak}
    vim /etc/sbin/nginx/nginx.conf

    server {
        listen 8080;
        server_name www.linuxea.com;
        root "/web/linuxea";
    }

    [root@www ~]# mkdir /web/linuxea -pv
    mkdir: created directory `/web'
    mkdir: created directory `/web/linuxea'
    [root@www ~]# vim /web/linuxea/index.html

Contents of index.html: web1

    /usr/local/nginx/sbin/nginx -s reload

[screenshot: nginx virtual host]

2. Defining locations

Create a few test files first:

    mkdir /web/{images,text}
    vim text/a.txt
    vim images/a.txt
    vim linuxea/a.txt

    server {
        listen 8080;
        server_name www.linuxea.com;
        location / {
            root "/web/linuxea";
        }
        location /images/ {
            root "/web/images";
        }
        # regular-expression match
        location ~* \.(txt|text)$ {
            root "/web/text";
        }
    }

Of the three locations above, a request for /images/a.txt is served by the third one: nginx remembers the longest matching prefix location, then tries the regex locations in the order written, and the first regex that matches wins (a prefix location declared with ^~ is the exception; it suppresses the regex check). location is central to nginx: every location can carry its own root, so a small difference in the request path can map the URL to a file in a completely different directory, even within one site. Keep in mind that root appends the full URI to the directory: with the block above, /images/a.jpg is looked up at /web/images/images/a.jpg and /images/a.txt at /web/text/images/a.txt, not at the a.txt files just created. To strip the prefix, use alias (section 3).

3. Alias (path mapping)

    alias path;

Used inside a location block to define a path alias.

    location /images/ {
        root "/vhosts/web1";
    }

is equivalent to http://www.linuxea.com/images/a.jpg <-- /vhosts/web1/images/a.jpg

    location /images/ {
        alias "/www/pictures/";
    }

is equivalent to http://www.linuxea.com/images/a.jpg <-- /www/pictures/a.jpg

Note: root means the directory named corresponds to the location's "/" URL, so the whole URI is appended to it; alias means a path mapping, i.e. the URL given after location is taken relative to the alias path, with the part matched by the location replaced literally. Keep the trailing slash on both the location and the alias: alias "/www/pictures"; would map /images/a.jpg to /www/picturesa.jpg, and a location /images without the slash lets a request for /images../ escape the aliased directory.

4. error_page (custom 404 page)

    error_page code [...] [=code] URI | @name

Names the error page to use for a given HTTP response status code.

    server {
        listen 8080;
        server_name www.linuxea.com;
        location / {
            root "/web/linuxea";
            error_page 404 =200 /404_customed.html;   # page for the 404 status, with the status sent to the client changed to 200
        }
    }

    [root@www web]# vim linuxea/404_customed.html    # create the 404 page

Contents of 404_customed.html: wrong,cuoleYaYa
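The location selection and the root/alias mapping from sections 2 and 3 above, as an added example that is not part of the original post and not nginx's own code: a small Python model in which match_location follows nginx's selection order and resolve_path builds the filesystem path. The configurations and URIs are the tutorial's; the function names and the "alias without trailing slash" variant are mine, and a regex location with alias (which needs captures) is deliberately not modelled.

```python
import re
from typing import List, Optional, Tuple

# (modifier, pattern, directive, path): modifier is None, "=", "^~", "~" or "~*";
# directive is "root" or "alias". This is a model of ngx_http_core_module's
# location selection and path mapping, not nginx's own code.
Location = Tuple[Optional[str], str, str, str]


def match_location(uri: str, locations: List[Location]) -> Location:
    """Pick the location nginx would use: an exact (=) match wins at once;
    otherwise the longest matching prefix is remembered and wins outright if it
    was declared with ^~; otherwise the first matching regex (~ or ~*) in
    configuration order wins; otherwise the remembered prefix is used."""
    best_prefix: Optional[Location] = None
    for loc in locations:
        mod, pat, _, _ = loc
        if mod == "=" and uri == pat:
            return loc
        if mod in (None, "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = loc
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix
    for loc in locations:
        mod, pat, _, _ = loc
        if mod in ("~", "~*") and re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
            return loc
    if best_prefix is None:
        raise LookupError("no location matches " + uri)
    return best_prefix


def resolve_path(uri: str, locations: List[Location]) -> Tuple[str, str]:
    """Return (pattern of the chosen location, filesystem path).
    root: the whole URI is appended to the directory.
    alias: the part of the URI matched by the location prefix is replaced by the
    alias value, literally, so alias and location must agree on the trailing slash."""
    mod, pat, directive, path = match_location(uri, locations)
    if directive == "root":
        return pat, path + uri
    if mod in ("~", "~*"):
        raise ValueError("alias in a regex location needs captures; not modelled here")
    return pat, path + uri[len(pat):]


# Section 2's server block: /images/a.txt is served by the regex location, and
# under root the lookup is /web/text/images/a.txt, not /web/text/a.txt.
SECTION2: List[Location] = [
    (None, "/", "root", "/web/linuxea"),
    (None, "/images/", "root", "/web/images"),
    ("~*", r"\.(txt|text)$", "root", "/web/text"),
]

# Section 3: the /images/ location with root, with a correct alias, and with the
# alias missing its trailing slash (my own variant, to show the failure mode).
ROOT_IMAGES: List[Location] = [(None, "/", "root", "/web/linuxea"),
                               (None, "/images/", "root", "/vhosts/web1")]
ALIAS_IMAGES: List[Location] = [(None, "/", "root", "/web/linuxea"),
                                (None, "/images/", "alias", "/www/pictures/")]
ALIAS_NO_SLASH: List[Location] = [(None, "/", "root", "/web/linuxea"),
                                  (None, "/images/", "alias", "/www/pictures")]

if __name__ == "__main__":
    for uri in ("/index.html", "/images/a.jpg", "/images/a.txt", "/a.TXT"):
        print(uri, "->", resolve_path(uri, SECTION2))
    for cfg in (ROOT_IMAGES, ALIAS_IMAGES, ALIAS_NO_SLASH):
        print("/images/a.jpg", "->", resolve_path("/images/a.jpg", cfg))
```

Running it shows the two traps in one place: the regex location captures /images/a.txt even though a longer prefix location exists, and the missing slash on the alias glues the directory to the file name.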

[=code]: respond with the given status code instead of the original error code; with = and no code, the status code returned by the new resource is used. Turning 404 into 200 hides "not found" from clients, monitoring and scanners alike, so do it only on purpose.

5. IP-based access control

Implemented by the standard access module:

    allow IP/Network;   # permit
    deny IP/Network;    # refuse

    server {
        listen 8080;
        server_name www.linuxea.com;
        location / {
            root "/web/linuxea";
            deny 172.16.0.1;    # refuse 172.16.0.1; allow permits
            # for example, permit only the 172.16.0.0/16 network and refuse everyone else:
            allow 172.16.0.1/16;   # nginx treats this as 172.16.0.0/16 and warns that the low address bits are meaningless
            deny all;
        }
    }

Rules are checked in the order written and the first rule matching the client address decides, so deny all has to come last: placed first, it would refuse everyone, including the permitted network.

6. User authentication

    auth_basic "realm";
    auth_basic_user_file "/PATH/TO/PASSWORD_FILE";

Create the account/password file with htpasswd. Schemes: basic, digest (stock nginx ships only HTTP Basic; digest needs a third-party module). For example:

    server {
        listen 8080;
        server_name www.linuxea.com;
        location / {
            root "/web/linuxea";
            auth_basic "Only for VIPs";                        # realm name
            auth_basic_user_file /etc/nginx/users/.htpasswd;   # file holding the users; a hidden file
        }
    }

User authentication:

    [root@www linuxea]# htpasswd -c -m /etc/nginx/users/.htpasswd mark
    New password:
    Re-type new password:
    Adding password for user mark
    [root@www linuxea]#

-c creates the file and overwrites one that already exists, so drop it when adding further users; -m selects the MD5 (apr1) hash. Basic authentication sends the credentials base64-encoded, not encrypted, with every request, so use it only on the HTTPS server from section 7, and keep the file readable by the nginx worker user alone.

[screenshot: nginx user authentication]

7. SSL / HTTPS

Build a private CA first:

    [root@www linuxea]# cd /etc/pki/CA/
    [root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ........................................................................+++
    ......................................................................................................................................................................+++
    e is 65537 (0x10001)
    [root@www CA]# ls -l private/
    total 4
    -rw-------. 1 root root 1675 May 10 18:49 cakey.pem
    [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HA
    Locality Name (eg, city) [Default City]:LinuxEA
    Organization Name (eg, company) [Default Company Ltd]:LinuxEA
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:ca.linuxea.com
    Email Address []:caadmin@linuxea.com
    [root@www CA]# touch serial index.txt
    [root@www CA]# echo 01 > serial
    [root@www CA]#

Prepare the key and certificate for nginx:

    [root@www CA]# cd /etc/nginx/
    [root@www nginx]# mkdir ssl
    [root@www nginx]# cd ssl/
    [root@www ssl]# (umask 077;openssl genrsa -out nginx.key 1024)
    Generating RSA private key, 1024 bit long modulus
    ..++++++
    ....++++++
    e is 65537 (0x10001)
    [root@www ssl]# openssl req -new -key nginx.key -out nginx.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HA
    Locality Name (eg, city) [Default City]:LinuxEA
    Organization Name (eg, company) [Default Company Ltd]:LinuxEA
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:www.linuxea.com
    Email Address []:webadmin@linuxea.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@www ssl]#

The CSR is ready. If the certificate is for someone else, send them the CSR; here we sign it ourselves. Two things to note from this session: the 1024-bit server key is too short by today's standards, so generate it with at least 2048 bits as was done for the CA key; and the Common Name must be the hostname clients will type, since browsers check it against the address bar.

    [root@www ssl]# ll
    total 8
    -rw-r--r-- 1 root root 700 May 10 18:57 nginx.csr
    -rw------- 1 root root 887 May 10 18:55 nginx.key
    [root@www ssl]#

Sign it:

    [root@www ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3655
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 10 10:59:59 2015 GMT
            Not After : May 12 10:59:59 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = LinuxEA
            organizationalUnitName    = Ops
            commonName                = www.linuxea.com
            emailAddress              = webadmin@linuxea.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                12:7A:07:CB:2B:5A:35:80:99:8B:62:27:12:04:63:0D:1E:D1:AE:9F
            X509v3 Authority Key Identifier:
                keyid:D5:3F:02:F3:B6:03:E9:87:9F:47:24:68:BD:8D:3D:8C:98:0B:9C:A4
    Certificate is to be certified until May 12 10:59:59 2025 GMT (3655 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit?
    [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@www ssl]# ll
    total 12
    -rw-r--r-- 1 root root 3857 May 10 19:00 nginx.crt
    -rw-r--r-- 1 root root 700 May 10 18:57 nginx.csr
    -rw------- 1 root root 887 May 10 18:55 nginx.key
    [root@www ssl]#

Enable it in the nginx configuration file:

    server {
        listen 443 ssl;
        server_name www.linuxea.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;        # certificate path: the file openssl ca wrote above
        ssl_certificate_key /etc/nginx/ssl/nginx.key;    # private key
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root /web/linuxea;    # site root
            index index.html index.htm;
        }
    }

Open https://172.16.249.117/ in a browser: it warns that the site is risky, because the certificate comes from our own CA (and was issued for www.linuxea.com while the address bar holds an IP). Install cacert.pem as a trusted CA and use the hostname to get a clean connection. The process in short: generate the private key, generate the certificate signing request, obtain the certificate.

[screenshot: ssl certificate]

8. Status page: stub_status {on|off}

Used in a location context. The page reveals connection counts, so restrict who may read it:

    server {
        listen 8080;
        server_name www.linuxea.com;
        location / {
            root "/web/linuxea";
            #error_page 404 =200 /404_customed.html;
            auth_basic "Only for VIPs";
            auth_basic_user_file /etc/nginx/users/.htpasswd;
        }
        location /images/ {
            root "/web/images";
        }
        # regular-expression match
        location ~* \.(txt|text)$ {
            root "/web/text";
        }
        location /status {
            stub_status on;
            allow 172.16.0.0/16;
            deny all;
        }
    }

Sample output:

    Active connections: 6
    server accepts handled requests
     113 113 159
    Reading: 0 Writing: 1 Waiting: 5

Active connections: all connections currently open.
The three numbers: connections accepted; connections handled (normally equal to accepted; a smaller value means connections were dropped for lack of resources); requests handled.
Reading: connections currently reading the request; Writing: connections whose request has been read and which are processing it or sending the response; Waiting: keep-alive connections that are idle, waiting for the next request.

9. rewrite regex replacement [flag]; (URL rewriting)

For example:

    rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;

http://www.linuxea.com/images/a/b/c/1.jpg --> http://www.linuxea.com/imgs/a/b/c/1.jpg

When /images/... is requested the rewrite rules are checked first; after the match the URI becomes /imgs/..., and with last nginx searches for a location for the new URI and checks that location's rewrite rules again. With enough rules this easily turns into a cycle, as here:

    rewrite ^/images/(.*\.jpg)$ /imgs/$1 last;
    rewrite ^/imgs/(.*\.jpg)$ /images/$1 last;

nginx stops such a cycle after ten internal rewrites and answers 500 ("rewrite or internal redirection cycle" in the error log). That is when you need break, which ends rewriting after the first match:

    rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;
    rewrite ^/imgs/(.*\.jpg)$ /images/$1 break;
    ....
http://www.linuxea.com/images/a/b/c/1.jpg --> http://www.linuxea.com/imgs/a/b/c/1.jpg (the first rule fires; break keeps the second from undoing it)

flag:
last: once this rule has rewritten the URI, the remaining rules of the current set are skipped and nginx internally searches for a location matching the new URI, starting the rewrite process over there; the client sees nothing of this.
break: once this rule has rewritten the URI, rewrite processing stops and the new URI is served from the current location; no new location search, no further rules.
redirect: return the new URL to the client with a 302 (temporary redirect).
permanent: return the new URL to the client with a 301 (permanent redirect).
Only redirect and permanent make the user agent issue a new request; a replacement that begins with http:// or https:// is always returned to the client as a redirect, whatever the flag.

For example, map everything under www.linuxea.com/bbs to the content under /forum:

    rewrite ^/bbs/(.*)$ /forum/$1 break;

Send everything under www.linuxea.com/bbs to https://www.linuxea.com/ instead:

    rewrite ^/bbs/(.*)$ https://www.linuxea.com/$1 redirect;

    server {
        listen 8080;
        server_name www.linuxea.com;
        location / {
            root "/web/linuxea";
            #error_page 404 =200 /404_customed.html;
            #auth_basic "Only for VIPs";
            #auth_basic_user_file /etc/nginx/users/.htpasswd;
            rewrite ^/bbs/(.*)$ /forum/$1 break;
        }
    }

There is no bbs directory at all:

    [root@www ~]# mkdir /web/linuxea/forum/
    [root@www ~]# vim /web/linuxea/forum/index.html

Contents of forum/index.html: New Url forum
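The flag semantics from section 9 above, modelled in an added Python example that is not part of the original post and not nginx's code. apply_rewrites treats one location's rewrite rules the way ngx_http_rewrite_module does: no flag continues with the next rule, break stops and serves, last re-enters location search (assumed here to land in the same location, which is the ping-pong case the text describes), redirect and permanent answer the client with 302 and 301. The limit of ten internal rewrites before a 500 is nginx's; the rule sets and URIs are the tutorial's, the function names are mine.

```python
import re
from typing import List, Optional, Tuple

# (regex, replacement, flag); flag is None, "last", "break", "redirect" or "permanent".
Rule = Tuple[str, str, Optional[str]]

MAX_URI_CHANGES = 10   # nginx aborts with 500 once the URI has been rewritten this often


def nginx_replacement(repl: str, m: "re.Match[str]") -> str:
    """Expand $1, $2 ... of an nginx replacement with the captures of m."""
    return m.expand(re.sub(r"\$(\d)", r"\\\1", repl))


def apply_rewrites(uri: str, rules: List[Rule]) -> Tuple[int, str]:
    """Run the rules of one location against uri.
    Returns (status, uri): 200 = serve uri from this location, 301/302 = send the
    client to uri, 500 = rewrite cycle aborted. A matching rule replaces the whole
    URI with its replacement, not just the matched part."""
    changes = 0
    i = 0
    while i < len(rules):
        regex, repl, flag = rules[i]
        m = re.search(regex, uri)
        if m is None:
            i += 1
            continue
        new_uri = nginx_replacement(repl, m)
        if flag == "permanent":
            return 301, new_uri
        if flag == "redirect" or new_uri.startswith(("http://", "https://")):
            return 302, new_uri          # absolute URL: always an external redirect
        uri = new_uri
        changes += 1
        if changes > MAX_URI_CHANGES:
            return 500, uri              # "rewrite or internal redirection cycle"
        if flag == "break":
            return 200, uri              # stop rewriting, serve from this location
        if flag == "last":
            i = 0                        # new location search; assumed to land here again
            continue
        i += 1                           # no flag: carry on with the next rule
    return 200, uri


# The tutorial's rule sets.
PING_PONG_LAST: List[Rule] = [
    (r"^/images/(.*\.jpg)$", "/imgs/$1", "last"),
    (r"^/imgs/(.*\.jpg)$", "/images/$1", "last"),
]
PING_PONG_BREAK: List[Rule] = [
    (r"^/images/(.*\.jpg)$", "/imgs/$1", "break"),
    (r"^/imgs/(.*\.jpg)$", "/images/$1", "break"),
]
BBS_INTERNAL: List[Rule] = [(r"^/bbs/(.*)$", "/forum/$1", "break")]
BBS_REDIRECT: List[Rule] = [(r"^/bbs/(.*)$", "https://www.linuxea.com/$1", "redirect")]

if __name__ == "__main__":
    for name, rules in (("last", PING_PONG_LAST), ("break", PING_PONG_BREAK),
                        ("bbs internal", BBS_INTERNAL), ("bbs redirect", BBS_REDIRECT)):
        print(name, apply_rewrites("/images/a/b/c/1.jpg", rules), apply_rewrites("/bbs/", rules))
```

The model makes the difference between the two flags concrete: with last the pair of image rules bounces the URI back and forth until the cycle guard fires, while with break the first match is final and /imgs/a/b/c/1.jpg is served.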

    [root@www ~]# /usr/local/nginx/sbin/nginx -s reload
    [root@www ~]# tail /var/log/nginx/access.log
    172.16.250.99 - - [10/May/2015:22:06:03 +0800] "GET /bbs/ HTTP/1.1" 304 0 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    172.16.250.99 - - [10/May/2015:22:06:03 +0800] "GET /bbs/ HTTP/1.1" 304 0 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    [root@www ~]#

The log still shows GET /bbs/ because break rewrites internally: the client never learns about /forum/.

[screenshot: url rewrite]

10. if

Syntax: if (condition) {...}
Contexts: server, location
condition:
(1) a variable name: an empty value or one beginning with "0" is false, anything else is true;
(2) a comparison expression with a variable as operand, using operators such as = and !=;
(3) regular-expression matching:
    ~: case-sensitive match
    ~*: case-insensitive match
    !~ and !~*: negations of the two above
(4) test whether a path is a file: -f, !-f
(5) test whether a path is a directory: -d, !-d
(6) test whether a file exists: -e, !-e
(7) test whether a file is executable: -x, !-x

For example, using a built-in variable: rewrite anything requested by an MSIE user agent to /msie/..., the same way one would detect a mobile browser and serve a mobile version of the site:

    if ($http_user_agent ~* MSIE) {
        rewrite ^/(.*)$ /msie/$1 break;
    }

if inside a location combines badly with many other directives; where try_files or map can express the same thing, prefer them.

11. Hotlink protection

For any request for a jpg, gif, jpeg or png resource, valid_referers declares www.linuxea.com a legitimate referrer (none covers requests without a Referer header, blocked those whose Referer a proxy or firewall stripped of its scheme); if ($invalid_referer) says that any request not referred from there is redirected to www.linuxea.com/403.html. Note that the site still serves one request for that redirect; return 403; is cheaper. The Referer header is whatever the client chooses to send, so this only stops casual hotlinking.

    location ~* \.(jpg|gif|jpeg|png)$ {
        valid_referers none blocked www.linuxea.com;
        if ($invalid_referer) {
            rewrite ^/ http://www.linuxea.com/403.html;
        }
    }

12. Custom access log format

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

Note: the variables usable here are the built-in variables of the nginx modules. $http_x_forwarded_for is copied straight from a request header, so log it but do not treat it as the client address unless your own proxy set it.

A few other configuration notes, likely to be needed when nginx acts as a reverse proxy:
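Two request-filtering checks from this page, modelled in one added Python example that is neither code from the original post nor nginx's own: access_allowed implements the first-match rule of the allow/deny directives in sections 5 and 8, and invalid_referer computes the $invalid_referer variable that section 11's hotlink protection tests. The rule sets are the tutorial's; the function names, the constructed client addresses and Referer values, and the "*.linuxea.com" wildcard case are mine. Ports in the Referer and the server_names keyword are not modelled.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

AccessRule = Tuple[str, str]   # ("allow" | "deny", "all" or an address / CIDR)


def access_allowed(client: str, rules: List[AccessRule]) -> bool:
    """ngx_http_access_module: rules are checked in the order written and the
    first one whose network contains the client decides; no match means allowed.
    ipaddress normalises 172.16.0.1/16 to 172.16.0.0/16, as nginx does."""
    addr = ipaddress.ip_address(client)
    for action, target in rules:
        if target == "all":
            hit = True
        else:
            net = ipaddress.ip_network(target, strict=False)
            hit = net.version == addr.version and addr in net
        if hit:
            return action == "allow"
    return True


def invalid_referer(referer: Optional[str], valid: List[str]) -> bool:
    """ngx_http_referer_module: True when nginx would set $invalid_referer.
    none    = the request carries no Referer header
    blocked = Referer present but without http:// or https:// (stripped by a proxy)
    names   = host, optionally followed by a URI prefix; a leading '*.' matches
              any subdomain, a trailing '.*' any suffix; scheme and case are ignored."""
    if referer is None:
        return "none" not in valid
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        name, _, prefix = entry.lower().partition("/")
        if name.startswith("*."):
            host_ok = host.endswith(name[1:])
        elif name.endswith(".*"):
            host_ok = host.startswith(name[:-1])
        else:
            host_ok = host == name
        if host_ok and path.startswith("/" + prefix):
            return False
    return True


# Section 5: deny one host; allow one network and deny the rest; and the same two
# rules in the wrong order. Section 11: the image location's referer list.
DENY_ONE: List[AccessRule] = [("deny", "172.16.0.1")]
NET_ONLY: List[AccessRule] = [("allow", "172.16.0.1/16"), ("deny", "all")]
WRONG_ORDER: List[AccessRule] = [("deny", "all"), ("allow", "172.16.0.1/16")]
IMAGE_REFERERS = ["none", "blocked", "www.linuxea.com"]

if __name__ == "__main__":
    for client in ("172.16.0.1", "172.16.5.9", "10.0.0.1"):   # constructed clients
        print(client, access_allowed(client, DENY_ONE), access_allowed(client, NET_ONLY),
              access_allowed(client, WRONG_ORDER))
    # constructed Referer values for a request to /logo.png
    for ref in (None, "http://www.linuxea.com/index.html", "www.linuxea.com",
                "https://evil.example/steal.html", "http://WWW.LINUXEA.COM/a"):
        print(repr(ref), "invalid" if invalid_referer(ref, IMAGE_REFERERS) else "ok")
```

WRONG_ORDER is the point of the first function: deny all placed first shuts out the very network the next line was meant to admit. The second function shows why the referer check is only a deterrent: the evil.example request is rejected purely because of a header value the hotlinker controls.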
Connection-related settings

When the front end occasionally times out fetching content from the back end while fetching locally works fine, the cause can be that tomcat's processing time and the time nginx allows do not line up; these directives set those limits.

1. keepalive_timeout #;  timeout for keep-alive connections; default 75s
2. keepalive_requests #;  maximum number of requests served over one keep-alive connection
3. keepalive_disable [msie6|safari|none];  disable keep-alive for the given User Agent types
4. tcp_nodelay on|off;  whether to set the TCP_NODELAY option on keep-alive connections (send small segments at once instead of letting Nagle's algorithm merge them)
5. client_header_timeout #;  timeout for reading the request header
6. client_body_timeout #;  timeout for reading the request body
7. send_timeout #;  timeout for sending the response

FastCGI settings

LNMP: when nginx is combined with php, php runs in the fpm model.

    location ~ \.php$ {
        root html;
        fastcgi_pass 127.0.0.1:9000;    # hand the request to php-fpm; on a separate host, use that host's address
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }

Two things to watch in this stock sample. /scripts is a placeholder; normally SCRIPT_FILENAME is $document_root$fastcgi_script_name so the script path follows root. And the regex forwards any URI ending in .php to php-fpm whether or not such a file exists, so add try_files $uri =404; before fastcgi_pass (and/or set cgi.fix_pathinfo=0 in php.ini, or rely on php-fpm's security.limit_extensions), otherwise a request like /uploads/x.jpg/a.php can make PHP execute the uploaded image. FastCGI has no authentication of its own, so never expose port 9000 beyond the hosts that need it.

    [root@www nginx]# vim fastcgi_params

This assigns the value of the $query_string variable to the FastCGI QUERY_STRING parameter, completing the mapping from nginx variable to FastCGI variable:

    fastcgi_param QUERY_STRING $query_string;