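Basic Nginx Configuration Examples
Author: 尹正杰
Copyright notice: original work, reproduction declined! Violators will be held legally liable.
I. Configuring virtual hosts in Nginx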
1. Operating system environment
[root@yinzhengjie ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@yinzhengjie ~]#
[root@yinzhengjie ~]# uname -r
2.6.32-504.el6.x86_64
[root@yinzhengjie ~]#
[root@yinzhengjie ~]# uname -m
x86_64
[root@yinzhengjie ~]#

2. The hosts file
[root@yinzhengjie ~]# more /etc/hosts | grep yinzhengjie
127.0.0.1 www.yinzhengjie.org.cn
127.0.0.1 www.yinzhengjie.com
[root@yinzhengjie ~]#

3. Nginx configuration
[root@yinzhengjie conf]# pwd
/yinzhengjie/application/Nginx/conf
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;

error_log /yinzhengjie/application/Nginx/log/error.log;
#error_log /yinzhengjie/application/Nginx/log/error.log notice;
#error_log /yinzhengjie/application/Nginx/log/error.log info;

pid /yinzhengjie/application/Nginx/nginx.pid;

events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 5;


    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location / {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
        }
    }

    server {
        listen 80 default_server;
        server_name www.yinzhengjie.com;
        root /yinzhengjie/application/Nginx/html/htdocs;
    }
}
[root@yinzhengjie conf]#

4. Check the directory contents
[root@yinzhengjie html]# pwd
/yinzhengjie/application/Nginx/html
[root@yinzhengjie html]# more index.html
This root Directory!
[root@yinzhengjie html]#
[root@yinzhengjie html]# more htdocs/index.html
This is htdocs directory
[root@yinzhengjie html]#

5. Restart the service and verify
[root@yinzhengjie ~]# nginx -t
nginx: the configuration file /yinzhengjie/application/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/application/Nginx/conf/nginx.conf test is successful
[root@yinzhengjie ~]#
[root@yinzhengjie ~]# curl www.yinzhengjie.org.cn
This root Directory!
[root@yinzhengjie ~]#
[root@yinzhengjie ~]# curl www.yinzhengjie.com
This is htdocs directory
[root@yinzhengjie ~]#
II. IP-based access control in Nginx (requires the access module)
1. Check the local IP
[root@yinzhengjie conf]# ip a | grep inet | grep brd | awk '{print $2}' | awk -F "/" '{print $1}'
172.16.96.211
[root@yinzhengjie conf]#

2. Check the hosts file
[root@yinzhengjie conf]# more /etc/hosts | grep yinzhengjie
127.0.0.1 www.yinzhengjie.org.cn
127.0.0.1 www.yinzhengjie.com
[root@yinzhengjie conf]#

3. Edit the configuration file
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;

error_log /yinzhengjie/application/Nginx/log/error.log;
#error_log /yinzhengjie/application/Nginx/log/error.log notice;
#error_log /yinzhengjie/application/Nginx/log/error.log info;

pid /yinzhengjie/application/Nginx/nginx.pid;

events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 5;


    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location / {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            deny 172.16.96.211;    # rules are checked from top to bottom; the default is to allow
            allow 172.16.0.0/16;
            deny all;
        }
    }

    server {
        listen 80 default_server;
        server_name www.yinzhengjie.com;
        root /yinzhengjie/application/Nginx/html/htdocs;
    }
}
[root@yinzhengjie conf]#

4. Restart the service and verify
[root@yinzhengjie ~]# nginx -t
nginx: the configuration file /yinzhengjie/application/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/application/Nginx/conf/nginx.conf test is successful
[root@yinzhengjie ~]#
[root@yinzhengjie ~]# service nginx restart
Stop Nginx... [OK]
Starting Nginx... [OK]
[root@yinzhengjie ~]#
[root@yinzhengjie ~]# curl -I www.yinzhengjie.org.cn
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Sun, 05 Nov 2017 10:22:56 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@yinzhengjie ~]# curl -I www.yinzhengjie.com
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sun, 05 Nov 2017 10:23:02 GMT
Content-Type: text/html
Content-Length: 34
Last-Modified: Sun, 05 Nov 2017 10:02:23 GMT
Connection: keep-alive
ETag: "59fee1af-22"
Accept-Ranges: bytes

[root@yinzhengjie ~]#
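The order of the deny/allow rules decides the result, and because /etc/hosts maps www.yinzhengjie.org.cn to 127.0.0.1, the curl test run on the server itself arrives from 127.0.0.1 and is rejected by `deny all`, not by the first `deny`. The Python sketch below is an added example (not from the original post and not nginx code); it models first-match evaluation for IPv4 only, and the names `decide`, `shadowed` and `REORDERED` are made up for illustration.

```python
import ipaddress

# Rules in the order they appear in the page's "location /" block.
PAGE_RULES = [
    ("deny", "172.16.96.211"),
    ("allow", "172.16.0.0/16"),
    ("deny", "all"),
]
# Same rules with the first two swapped (constructed, to show an ordering mistake).
REORDERED = [PAGE_RULES[1], PAGE_RULES[0], PAGE_RULES[2]]


def _net(target):
    # "all" is modelled as 0.0.0.0/0; this sketch covers IPv4 only.
    return ipaddress.ip_network("0.0.0.0/0" if target == "all" else target, strict=False)


def decide(client_ip, rules=PAGE_RULES):
    """Return (action, rule_text) for the first rule that matches client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if addr in _net(target):
            return action, f"{action} {target}"
    return "allow", "(no rule matched)"  # nothing matched: access is allowed


def shadowed(rules):
    """List rules that can never fire because an earlier rule covers their whole range."""
    dead = []
    for i, (action, target) in enumerate(rules):
        for prev_action, prev_target in rules[:i]:
            if _net(target).subnet_of(_net(prev_target)):
                dead.append((f"{action} {target}", f"{prev_action} {prev_target}"))
                break
    return dead


if __name__ == "__main__":
    # 127.0.0.1 is the source address of the page's curl test on the server itself.
    for ip in ("127.0.0.1", "172.16.96.211", "172.16.5.9"):
        print(ip, decide(ip))
    print("shadowed after reordering:", shadowed(REORDERED))
```

Running `shadowed` over a rule list before reloading nginx catches a specific deny that was placed below the broader allow covering it.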
III. User-based access control (requires the Auth_Basic module)
1. Edit the configuration file
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;
error_log /yinzhengjie/application/Nginx/log/error.log;
pid /yinzhengjie/application/Nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    keepalive_timeout 5;
    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;

        location /admin {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            auth_basic "admin Area";
            auth_basic_user_file /yinzhengjie/application/Nginx/etc/.nginxpasswd;
        }
    }
}
[root@yinzhengjie conf]#

2. Create the directory to be protected
[root@yinzhengjie ~]# mkdir -p /yinzhengjie/application/Nginx/html/admin && cd /yinzhengjie/application/Nginx/html/admin
[root@yinzhengjie admin]# ll
total 4
-rw-r--r--. 1 root root 29 Nov 5 05:13 index.html
[root@yinzhengjie admin]# more index.html
This is Admin page!
[root@yinzhengjie admin]#

3. Create the user names and passwords used for access control
[root@yinzhengjie etc]# htpasswd -c -m /yinzhengjie/application/Nginx/etc/.nginxpasswd yinzhengjie
New password:        ----> the "-c" option is needed the first time, to create the file (it overwrites an existing file).
Re-type new password:
Adding password for user yinzhengjie
[root@yinzhengjie etc]#
[root@yinzhengjie etc]# htpasswd -m /yinzhengjie/application/Nginx/etc/.nginxpasswd yzj
New password:        ----> from the second user on, the "-c" option is no longer needed.
Re-type new password:
Adding password for user yzj
[root@yinzhengjie etc]#
[root@yinzhengjie etc]# pwd
/yinzhengjie/application/Nginx/etc
[root@yinzhengjie etc]# ls -a
. .. .nginxpasswd
[root@yinzhengjie etc]# more .nginxpasswd
yinzhengjie:$apr1$CdTqAMYg$vat/BD3jDy7e/JA8XL/hr1
yzj:$apr1$rVOtthqk$dqwjZi4edb22nnZeSDFDw0
[root@yinzhengjie etc]#

4. Restart the Nginx service
[root@yinzhengjie etc]# nginx -t
nginx: the configuration file /yinzhengjie/application/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/application/Nginx/conf/nginx.conf test is successful
[root@yinzhengjie etc]#
[root@yinzhengjie etc]# service nginx restart
Stop Nginx... [OK]
Starting Nginx... [OK]
[root@yinzhengjie etc]#
[root@yinzhengjie etc]# ps -ef | grep nginx
root     12670     1  0 05:23 ?        00:00:00 nginx: master process /yinzhengjie/application/Nginx/sbin/nginx
nginx    12671 12670  0 05:23 ?        00:00:00 nginx: worker process
root     12673 12556  0 05:23 pts/3    00:00:00 grep nginx
[root@yinzhengjie etc]#
[root@yinzhengjie etc]# lsof -i :80
COMMAND     PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
clock-app  2772  root  22w IPv4  59382      0t0  TCP node3.yinzhengjie.com:46584->203-69-138-49.HINET-IP.hinet.net:http (ESTABLISHED)
nginx     12670  root   6u IPv4  62450      0t0  TCP *:http (LISTEN)
nginx     12671 nginx   6u IPv4  62450      0t0  TCP *:http (LISTEN)
[root@yinzhengjie etc]#

5. Check the server's IP
[root@yinzhengjie ~]# ip a | grep inet | grep brd | awk '{print $2}' | awk -F "/" '{print $1}'
192.168.1.115
[root@yinzhengjie ~]#
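6. Verify the service from a client
a>. There are two ways to reach the server. The first is to edit the "C:\Windows\System32\drivers\etc\HOSTS" file.
The second is to change nothing and enter the IP directly in the browser:
b>. Enter the user name and password in the browser
c>. The page shown after successful access
IV. Building a download site with an autoindex listing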
1. Check the server environment
[root@yinzhengjie ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@yinzhengjie ~]# uname -r
2.6.32-504.el6.x86_64
[root@yinzhengjie ~]# uname -m
x86_64
[root@yinzhengjie ~]# ip a | grep inet | grep brd | awk '{print $2}' | awk -F "/" '{print $1}'
192.168.1.115
[root@yinzhengjie ~]#

2. Edit the configuration file
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;
error_log /yinzhengjie/application/Nginx/log/error.log;
pid /yinzhengjie/application/Nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    keepalive_timeout 5;
    charset utf-8;    # note: this sets the character encoding of the site; utf-8 is recommended, other encodings may show garbled text
    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location /admin {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            auth_basic "admin Area";
            auth_basic_user_file /yinzhengjie/application/Nginx/etc/.nginxpasswd;
        }

        location /download/ {
            root /yinzhengjie/application/Nginx/html;
            autoindex on;
        }
    }
}
[root@yinzhengjie conf]#

3. Create the files to download
[root@yinzhengjie conf]# mkdir /yinzhengjie/application/Nginx/html/download
[root@yinzhengjie conf]# touch /yinzhengjie/application/Nginx/html/download/{1..5}.txt

4. Restart the service
[root@yinzhengjie conf]# nginx -t
nginx: the configuration file /yinzhengjie/application/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/application/Nginx/conf/nginx.conf test is successful
[root@yinzhengjie conf]#
[root@yinzhengjie conf]# service nginx restart
Stop Nginx... [OK]
Starting Nginx... [OK]
[root@yinzhengjie conf]#

5. Verify from a client
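V. Hotlink protection example
Have you run into this situation: almost nobody visits your web server, yet one image on your site is requested again and again, and those requests never open your home page. That is awkward, and it is what is known as hotlinking. How do you prevent it? In general, hotlink protection takes two steps.
First: define the valid referers
valid_referers none | blocked | server_names | string ...
none: the request comes directly from the browser; we allow it.
blocked: the "Referer" header has been cleared, possibly by a reverse proxy, firewall or similar device that stripped it from the request headers; such values usually do not start with "http://" or "https://". We allow this kind of access.
server_names: the host names allowed to access this site; several host names can follow.
string: a host name given with wildcards, for example "*.yinzhengjie.org.cn" or "~\.google\.";
Second: act on invalid referers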
if ($invalid_referer) {
    rewrite ^/.*$ http://www.yinzhengjie.org.cn/403.html;
}
Example:
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;
error_log /yinzhengjie/application/Nginx/log/error.log;
pid /yinzhengjie/application/Nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    keepalive_timeout 5;
    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location /admin {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            auth_basic "admin Area";
            auth_basic_user_file /yinzhengjie/application/Nginx/etc/.nginxpasswd;
        }

        location /download/ {
            root /yinzhengjie/application/Nginx/html;
            autoindex on;
        }

        location ~* \.(jpg|png|gif|jpeg)$ {    # requests that end in an image extension match this location
            root /yinzhengjie/application/Nginx/html/images;
            valid_referers none blocked www.yinzhengjie.gov.cn *.yinzhengjie.com;    # hosts that may link to this server
            if ($invalid_referer) {    # what to do for referers that are not allowed
                rewrite ^/ http://www.yinzhengjie.org.cn/403.html;    # whatever resource was requested, redirect it
            }
        }
    }
}
[root@yinzhengjie conf]#
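How the valid_referers list in the configuration above sorts incoming Referer values, as an added Python sketch (not from the original post; a simplified model of the referer module that ignores URI prefixes, with `server_names` modelled as the server block's own name). The function names and the sample Referer values are constructed. It shows that pages on www.yinzhengjie.org.cn itself are not on the list, and that a request without a Referer always passes, so the rule limits casual hotlinking and is not an access control.

```python
import re
from urllib.parse import urlsplit

# valid_referers arguments copied from the page's image location.
PAGE_RULES = ["none", "blocked", "www.yinzhengjie.gov.cn", "*.yinzhengjie.com"]
# server_name of the page's server block (consulted only for "server_names").
OWN_NAMES = ["www.yinzhengjie.org.cn"]
# Constructed sample Referer values; None means the header is absent.
SAMPLES = [None, "blocked-by-proxy", "http://www.yinzhengjie.gov.cn/news.html",
           "https://img.yinzhengjie.com:8443/gallery",
           "http://www.yinzhengjie.org.cn/index.html", "http://other.example/page.html"]


def invalid_referer(referer, rules=PAGE_RULES, own_names=OWN_NAMES):
    """True when this model would set $invalid_referer, i.e. the rewrite fires."""
    if referer is None:
        return "none" not in rules
    value = referer.lower()
    if not value.startswith(("http://", "https://")):
        return "blocked" not in rules        # header present, scheme stripped
    host = urlsplit(value).hostname or ""    # the port is ignored
    after_scheme = value.split("://", 1)[1]
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            ok = host in own_names
        elif rule.startswith("~"):           # regex, matched after the scheme
            ok = re.search(rule[1:], after_scheme, re.IGNORECASE) is not None
        elif rule.startswith("*."):          # leading wildcard
            ok = host.endswith(rule[1:].lower())
        elif rule.endswith(".*"):            # trailing wildcard
            ok = host.startswith(rule[:-1].lower())
        else:
            ok = host == rule.lower()
        if ok:
            return False
    return True


def classify(samples=SAMPLES, rules=PAGE_RULES):
    """Map each sample Referer to 'served' or 'redirected' (to 403.html)."""
    return {s: "redirected" if invalid_referer(s, rules) else "served" for s in samples}


if __name__ == "__main__":
    for referer, outcome in classify().items():
        print(repr(referer), "->", outcome)
```

Passing `PAGE_RULES + ["server_names"]` as the rule list makes the site's own pages valid referers again.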
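Further notes:
An if statement inside a location provides conditional logic. It usually contains a return statement, and is generally used together with rewrite rules that carry the last or break flag. It can also be used in many other scenarios as needed, but note that improper use can lead to unpredictable results.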
location / {
    # send PUT requests to a separate backend
    if ($request_method = "PUT") {
        proxy_pass https://www.yinzhengjie.org.cn:8080;
    }
    # send image requests to the image servers
    if ($request_uri ~ "\.(jpg|gif|jpeg|png)$") {
        proxy_pass https://imageservers;
        break;
    }
}
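Conditions in an if statement fall into regular-expression matching and file/directory tests:
Regular-expression matching:
=: equality comparison;
~: true when the value matches the given regular expression; the match is case-sensitive;
~*: true when the value matches the given regular expression; the match is case-insensitive;
!~: true when the value does not match the given regular expression; the match is case-sensitive;
!~*: true when the value does not match the given regular expression; the match is case-insensitive;
File and directory tests:
-f, ! -f: tests whether the given path exists and is a file;
-d, ! -d: tests whether the given path exists and is a directory;
-e, ! -e: tests whether the given path exists, whether file or directory;
-x, ! -x: tests whether the file at the given path exists and is executable;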
VI. URL rewrite (address redirection)
1>. Syntax:
rewrite regex replacement [flag];
Example:
location / {
    root /yinzhengjie/application/Nginx/html;
    rewrite ^/imgages/(.*)$ /imgs/$1;    # requests for files under "/imgages/" are rewritten to "/imgs/..."
}
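2>. flag: controls whether the rewritten URL starts a new request and goes through another round of rewrite checks.
last: once the current rule matches and rewrites the URL, stop checking the remaining rewrite rules, then start a new request with the rewritten URL
break: once the current rule matches and rewrites the URL, stop checking the remaining rewrite rules, then let nginx continue with the rest of the processing
redirect: returns a 302 temporary redirect
permanent: returns a 301 permanent redirect
Note: when rewrite is written inside a location, the break flag is generally used, or the rewrite is placed inside an if context; both are ways to avoid an endless loop. nginx loops at most 10 times and returns a 500 error beyond that.
3. A concrete configuration example: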
a>. Edit the configuration file
[root@yinzhengjie conf]# pwd
/yinzhengjie/application/Nginx/conf
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;
error_log /yinzhengjie/application/Nginx/log/error.log;
pid /yinzhengjie/application/Nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    keepalive_timeout 5;
    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location /admin {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            auth_basic "admin Area";
            auth_basic_user_file /yinzhengjie/application/Nginx/etc/.nginxpasswd;
        }

        location /download/ {
            root /yinzhengjie/application/Nginx/html;
            autoindex on;
            rewrite ^/download/(.*\.(jpg|gif|jpeg|png))$ /images/$1 last;
        }
    }
}
[root@yinzhengjie conf]#

b>. Create the test files
[root@yinzhengjie ~]# mkdir /yinzhengjie/application/Nginx/html/images -p
[root@yinzhengjie conf]# ll /yinzhengjie/application/Nginx/html/download/
total 0
-rw-r--r--. 1 root root 0 Nov 5 05:39 1.txt
-rw-r--r--. 1 root root 0 Nov 5 05:39 2.txt
-rw-r--r--. 1 root root 0 Nov 5 05:39 3.txt
-rw-r--r--. 1 root root 0 Nov 5 05:39 4.txt
-rw-r--r--. 1 root root 0 Nov 5 05:39 5.txt
[root@yinzhengjie conf]#
[root@yinzhengjie conf]# ll /yinzhengjie/application/Nginx/html/images/
total 160
-rw-r--r--. 1 root root 161659 Nov 5 06:48 dzq.jpg        -----> just download any image from the Internet to test with.
[root@yinzhengjie conf]#

c>. Restart the service
[root@yinzhengjie conf]# pwd
/yinzhengjie/application/Nginx/conf
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;
error_log /yinzhengjie/application/Nginx/log/error.log;
pid /yinzhengjie/application/Nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    keepalive_timeout 5;
    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location /admin {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            auth_basic "admin Area";
            auth_basic_user_file /yinzhengjie/application/Nginx/etc/.nginxpasswd;
        }

        location /download/ {
            root /yinzhengjie/application/Nginx/html;
            autoindex on;
            rewrite ^/download/(.*\.(jpg|gif|jpeg|png))$ /images/$1 last;
        }
    }
}
[root@yinzhengjie conf]# nginx -t
nginx: the configuration file /yinzhengjie/application/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/application/Nginx/conf/nginx.conf test is successful
You have new mail in /var/spool/mail/root
[root@yinzhengjie conf]#
[root@yinzhengjie conf]# service nginx restart
Stop Nginx... [OK]
Starting Nginx... [OK]
[root@yinzhengjie conf]#

d>. Verify from a client
4.rewrite_log on|off
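Controls whether the rewrite process is recorded in the error log, at the notice level. The default is off. Enabling it on a busy server is not recommended; it is normally used for debugging, and should be turned off again once debugging is finished. The configuration looks like this: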
a>. Edit the configuration file
[root@yinzhengjie conf]# more nginx.conf
#user nobody;
worker_processes 1;
error_log /yinzhengjie/application/Nginx/log/error.log notice;    # set the log level to notice
pid /yinzhengjie/application/Nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    keepalive_timeout 5;
    server {
        listen 80;
        server_name www.yinzhengjie.org.cn;
        location /admin {
            root /yinzhengjie/application/Nginx/html;
            index index.html index.htm;
            auth_basic "admin Area";
            auth_basic_user_file /yinzhengjie/application/Nginx/etc/.nginxpasswd;
        }

        location /download/ {
            root /yinzhengjie/application/Nginx/html;
            autoindex on;
            rewrite ^/download/(.*\.(jpg|gif|jpeg|png))$ /images/$1 last;
            rewrite_log on;
        }
    }
}
[root@yinzhengjie conf]#

b>. Restart the service
[root@yinzhengjie conf]# nginx -t
nginx: the configuration file /yinzhengjie/application/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/application/Nginx/conf/nginx.conf test is successful
[root@yinzhengjie conf]#
[root@yinzhengjie conf]#
[root@yinzhengjie conf]# service nginx restart
Stop Nginx... [OK]
Starting Nginx... [OK]
[root@yinzhengjie conf]#

c>. Watch the log
[root@yinzhengjie conf]# > /yinzhengjie/application/Nginx/log/error.log        ----> empty the log
5.return code:
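Ends rewrite processing and returns a status code to the client. Usable status codes include 204, 400, 402-406, 500-504, and so on.
VII. Configuring HTTPS in nginx
The nginx configuration file in fact already contains an example; we simply take the default configuration file and explain it.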
# HTTPS server
#
#server {
#    listen 443 ssl;    # port to listen on
#    server_name localhost;    # host name

#    ssl on;    # enable SSL
#    ssl_certificate cert.pem;    # this server's certificate file
#    ssl_certificate_key cert.key;    # private key file that matches the certificate

#    ssl_protocols SSLv2 SSLv3 TLSv1;    # supported SSL protocol versions (SSLv2 and SSLv3 are obsolete and insecure; on a real server enable only TLSv1.2 or later)
#    ssl_session_cache shared:SSL:1m;
#    ssl_session_timeout 5m;    # SSL session timeout, 5 minutes by default

#    ssl_ciphers HIGH:!aNULL:!MD5;    # cipher suites
#    ssl_prefer_server_ciphers on;    # let the server decide which cipher is used

#    location / {
#        root html;
#        index index.html index.htm;
#    }
#}
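VIII. Compression:
gzip
gzip on|off
gzip_buffers: size of the buffers used
gzip_comp_level: compression level
gzip_disable: types or browsers that are not compressed
gzip_min_length: minimum size to compress
gzip_http_version: HTTP version used to send the response after compression
gzip_types: the only formats that are compressed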