Linux基础(day51)

12.13 Nginx防盗链

Nginx防盗链目录概要

  • 配置如下,可以和上面的配置结合起来
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

Nginx防盗链

  • Nginx防盗链配置需要和不记录日志和过期时间结合在一起,因为都用到了“location”
  1. 打开配置文件 vim /usr/local/nginx/conf/vhost/test.com.conf
  • 注释掉一些配置
   #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #      expires      7d;
    #      access_log off;
    #}     

添加一些配置

location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;        //过期时间7天
    valid_referers none blocked server_names  *.test.com ;   //定义一个白名单,referer就是指一些域名
    if ($invalid_referer) {                                        //如果不是白名单里的
        return 403;                                                   //返回403
    }
    access_log off;
}

最后结果如下

[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

server
{
    listen 80;
    server_name test.com test1.com test2.com;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }   
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #      expires      7d;
    #      access_log off;
    #}     
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {   
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }   
    access_log off;
}   
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    access_log /tmp/test.com.log combined_realip;
}   
保存退出                               
  1. 添加的配置中的 ~* 表示不区分大小写,另外防盗链的配置里面server_names可以不写照样
  2. 检查配置文件语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 测试
[root@hf-01 ~]# curl -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 22:50:02 GMT
Content-Type: image/gif
Content-Length: 8
Last-Modified: Thu, 04 Jan 2018 21:50:34 GMT
Connection: keep-alive
ETag: "5a4ea1aa-8"
Expires: Thu, 11 Jan 2018 22:50:02 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@hf-01 ~]# 
  1. 测试防盗链,使用curl -e
[root@hf-01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 22:51:54 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 22:52:22 GMT
Content-Type: image/gif
Content-Length: 8
Last-Modified: Thu, 04 Jan 2018 21:50:34 GMT
Connection: keep-alive
ETag: "5a4ea1aa-8"
Expires: Thu, 11 Jan 2018 22:52:22 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@hf-01 ~]#  
  1. 再访问curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif显示403,而在访问curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif显示200,则表示防盗链配置成功

12.14 Nginx访问控制

Nginx访问控制目录概要

  • 需求:访问/admin/目录的请求,只允许某几个IP访问,配置如下:
location /admin/
{
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
}
  • mkdir /data/wwwroot/test.com/admin/
  • echo “test,test”>/data/wwwroot/test.com/admin/1.html
  • -t && -s reload
  • curl -x127.0.0.1:80 test.com/admin/1.html -I
  • curl -x192.168.133.130:80 test.com/admin/1.html -I
  • 可以匹配正则
location ~ .*(abc|image)/.*\.php$
{
        deny all;
}
  • 根据user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all和return 403效果一样

Nginx访问控制

  • Nginx访问控制,在平时运维网站的时候,经常会有一些请求不正常,或者故意的做一些限制,一些重要的内容禁止别人访问,就可以做一个白名单,只允许自己的公网IP或者自己公司内的公网IP去访问
  • 在做Nginx访问控制目录的时候,限制的这个目录下没有index.html文件或者index.php文件,就会默认403
  1. 编辑配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
  • 增加访问控制的代码
location /admin/
{
    allow 192.168.74.129;            //白名单
    allow 127.0.0.1;            //白名单
    deny all;        //全部deny
}

最后结果如下

[root@hanfeng ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

假设访问的目录是admin,做一个限制

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
     if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  # {     
  #      expires      7d;
  #      access_log off;
  #}
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                               
    
        return 403;
    }   
    access_log off;
}   
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    access_log /tmp/test.com.log combined_realip;
}   

然后保存退出
  1. 然后检查配置文件语法错误,然后重新加载配置文件
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanfeng ~]# 
  1. 测试
[root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:04:13 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT
Connection: keep-alive
ETag: "5a4d4e75-13"
Accept-Ranges: bytes

[root@hf-01 ~]# curl -x192.168.74.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:06:56 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT
Connection: keep-alive
ETag: "5a4d4e75-13"
Accept-Ranges: bytes

[root@hf-01 ~]# 
  1. 查看日志文件,会看到访问的192.168.74.150的来源IP也是192.168.74.129,因为它是被允许的,在白名单之内,所以显示状态码为200
[root@hf-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@hf-01 ~]# 
  1. 查看IP,然后给ens36网卡配置IP
  • 先查看ens36网卡是否连接,然后更改连接ens36网卡模式为仅主机连接模式
[root@hf-01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.74.129  netmask 255.255.255.0  broadcast 192.168.74.255
        inet6 fe80::20c:29ff:feff:fe93  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ff:fe:93  txqueuelen 1000  (Ethernet)
        RX packets 453  bytes 42359 (41.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 308  bytes 39999 (39.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.74.150  netmask 255.255.255.0  broadcast 192.168.74.255
        ether 00:0c:29:ff:fe:93  txqueuelen 1000  (Ethernet)

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::20c:29ff:feff:fe9d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ff:fe:9d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 2334 (2.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@hf-01 ~]# 
  1. 给ens36网卡自动获取IP,然后再来查看ens36的网卡IP地址为192.168.204.128
[root@hf-01 ~]# dhclient ens36
[root@hf-01 ~]# 
  1. 这时再来使用ens36网卡的IP来访问,会看到访问的admin目录为403
[root@hf-01 ~]# curl -x192.168.204.128:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:17:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# 
  1. 这时再来查看日志文件,会看到来源的IP为192.168.204.128,在配置文件中被没有被允许,所以为403
[root@hf-01 ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.204.128 - [08/Jan/2018:05:17:39 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
[root@hf-01 ~]# 

针对正则匹配

  • 例子
    • 网站被黑,数据库被盗窃,就是因为上传图片的目录没有做禁止解析php的操作,最终导致上传了一句话木马,php也能解析,所以网站就会被黑
  • 只要能上传的目录,都要禁掉,禁止解析PHP
  • 加以下代码,即可禁掉上传的目录解析PHP
location ~ .*(upload|image)/.*\.php$        //只要匹配upload,然后以php结尾的
{
        deny all;            //都禁掉
}
  1. 打开配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{         
    #      expires      7d;    
    #      access_log off;    #}      
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$   
    {   
    expires 7d;

    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
    }
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }
    access_log /tmp/test.com.log combined_realip;
} 
保存退出
  1. 检查配置文件语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 测试,首先是访问的那个目录,然后访问的php资源
  2. 创建一个upload目录,然后在创建一个php文件
[root@hf-01 ~]# mkdir /data/wwwroot/test.com/upload
[root@hf-01 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@hf-01 ~]# 
  1. 访问upload目录下的1.php文件,会看到是403状态码,被拒绝访问
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hf-01 ~]# 
  1. 这时再upload目录下创建1.txt,再来测试访问
[root@hf-01 ~]# echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
dasdasdas
[root@hf-01 ~]# 
  1. 查看访问日志cat /tmp/test.com.log
[root@hf-01 ~]# cat /tmp/test.com.log

根据user_agent限制

  • 如果你的网站被cc攻击,或者禁掉某些蜘蛛,如果你的网站想做一个被隐藏的网站,不想被别人搜索到,那么就可以将百度、谷歌、有道等这些蜘蛛封掉,没有任何蜘蛛爬到你的网站,也不将网址告诉任何人,那别人就无法知道你的站点,因为你的网站是被隐藏的。
  • 只需要根据user_agent限制,添加以下代码
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all和return 403效果一样
  1. 打开配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{         #      expires      7d;    #      access_log off;    #}      location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$   
{   
    expires 7d;

    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
    access_log /tmp/test.com.log combined_realip;
} 
保存退出
  1. 检查配置文件语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 模拟user_agent,访问测试,会看到显示403
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:04:06 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT
Connection: keep-alive
ETag: "5a529512-a"
Accept-Ranges: bytes

[root@hf-01 ~]# curl -A "Tomatoslfdfsdf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:05:21 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# 
  1. deny all和return 403效果一样
  2. 如果访问的时候,改成小写再访问,则状态码为200,因为这个是严格匹配的
[root@hf-01 ~]# curl -A "tomatoslfdfsdf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:09:10 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT
Connection: keep-alive
ETag: "5a529512-a"
Accept-Ranges: bytes

[root@hf-01 ~]# 
  1. 如果想忽略大小写,在配置文件中的匹配符号后加 * 号即可
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

  if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
  1. 在检查配置文件,并重新加载
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]#
  1. 再来测试,会显示403
[root@hf-01 ~]# curl -A "tomatoslfdfsdf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:11:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# 

12.15 Nginx解析php相关配置

Nginx解析php相关配置目录概要

  • 配置如下:
location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
  • fastcgi_pass 用来指定php-fpm监听的地址或者socket

Nginx解析php相关配置

  • 添加以下代码
location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;        //写错这个路径,就会显示502
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
  1. 打开虚拟主机配置文件,因为现在test.com.conf还不能解析php,加代码添加到配置文件中
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{         #      expires      7d;    #      access_log off;    #}      location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$   
{   
    expires 7d;

    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
     }
    access_log /tmp/test.com.log combined_realip;
} 
保存退出
  1. 生成做一个php文件,在/data/wwwroot/test.com/目录下生成3.php
[root@hf-01 ~]# vim /data/wwwroot/test.com/3.php

<?php
phpinfo();

保存退出
  1. 测试访问3.php,会看到无法解析3.php文件,显示出了源码
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
[root@hf-01 ~]# 
  1. 这时候检查配置文件语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 这时候再来访问3.php,会看到可以正常解析了
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php
  1. 若是解析php相关配置的 fastcgi_pass unix:/tmp/php-fcgi.sock; 这个路径被写错,会直接显示502,因为sock文件没有被找到
  2. 将配置文件改错后,重新加载后,再来访问3.php,会看到显示502状态码
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
[root@hf-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hf-01 ~]# 
  1. 查看访问日志cat /usr/local/nginx/logs/nginx_error.log,会看到日志文件中会说没有这样的文件或目录
[root@hf-01 ~]# cat /usr/local/nginx/logs/nginx_error.log
2018/01/08 06:42:21 [crit] 3392#0: *22 connect() to unix:/tmp/php-afcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-afcgi.sock:", host: "test.com"
[root@hf-01 ~]# 
  1. 在遇到502的问题时,需要查看你配置的地址是否正确,首先查看错误日志,然后根据错误日志中提示,查看这个文件是否存在,在查看cat /usr/local/php-fpm/etc/php-fpm.conf你定义的sock是什么,那么在nginx的配置文件中写什么
[root@hf-01 ~]# 
[root@hf-01 ~]# ls /tmp/php-afcgi.sock
ls: 无法访问/tmp/php-afcgi.sock: 没有那个文件或目录
[root@hf-01 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@hf-01 ~]# 
  1. 这时再去配置文件中更改回来即可,所以只要配置文件中的 fastcgi_pass unix:/tmp/php-fcgi.sock; 地址错误,就会显示502

502的另一种情况

  1. 假设这时不监听sock,而去监听IP端口
  2. 首先更改配置vim /usr/local/php-fpm/etc/php-fpm.conf
  • 将#listen = /tmp/php-fcgi.sock注释掉,增加listen = 127.0.0.1:9000
[root@hf-01 ~]# vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
保存退出
  1. 重启php 命令为/etc/init.d/php-fpm restart,php重启也支持reload
[root@hf-01 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@hf-01 ~]# 
  1. 检查php文件是否存在语法错误,重新加载下nginx的配置文件
[root@hf-01 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[08-Jan-2018 07:10:32] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 查看监听端口是否为127.0.0.1:9000
[root@hf-01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1539/master         
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      3528/php-fpm: maste 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1218/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1191/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1539/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1566/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1191/sshd           
[root@hf-01 ~]# 
  1. 这时在来访问3.php,会看到显示为502
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hf-01 ~]# 
  1. 查看配置文件会提示说文件不存在
  2. 这时候只需要在配置文件中做一个更改,在php配置那一块,注释掉unix,添加ip和端口
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

在php配置那一块,注释掉unix,添加ip和端口
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;
保存退出
  1. 检查语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 再来访问3.php文件,会看到正常访问
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 23:23:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@hf-01 ~]# 
  1. 若是出现502,要检查下配置文件中的fastcgi_pass 这块是否nginx与php-fpm中所配置的地址是相匹配的
  • PHP下的listen = /tmp/php-fcgi.sock这段配置很重要,决定了nginx是否能正确解析而不是502
    • 当PHP配置文件 listen 使用sock时,那么对应的nginx配置文件下就必须使用 fastcgi_pass unix:/tmp/php-fcgi.sock;
    • 当PHP配置文件listen 使用 IP加端口“127.0.0.1:9000”的时候,那么对应的nginx就要改成fastcgi_pass 127.0.0.1:9000;
  1. 配置文件中的 fastcgi_param SCRIPT_FILENAME 中的地址路径/data/wwwroot/test.com$fastcgi_script_name;与配置文件最上方的 root /data/wwwroot/test.com; 相对应起来

502的其他情况

  • 在php5.4及以后的其他版本,有一个特点
  • 更改监听为sock,取消监听IP和端口,注释掉listen.mode
  1. 更改php-fpm的配置文件,取消注释listen = /tmp/php-fcgi.sock,注释掉#listen = 127.0.0.1:9000和#listen.mode = 666
[root@hf-01 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
保存退出
  1. 重新加载php
[root@hf-01 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
  1. 查看sock文件的权限为660,属主和属组为root
[root@hf-01 ~]# ls -l /tmp/php-fcgi.sock 
srw-rw---- 1 root root 0 1月   8 07:47 /tmp/php-fcgi.sock
  1. 更改nginx虚拟主机配置文件,取消 fastcgi_pass unix:/tmp/php-fcgi.sock; 的注释,注释掉#fastcgi_pass 127.0.0.1:9000;
  • fastcgi_pass unix:/tmp/php-fcgi.sock;这一行的配置是为了nginx去读sock文件
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
  1. 重新加载nginx配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
  1. 这时候再来访问3.php,依然还是显示502
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 23:54:07 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
  1. 查看访问日志文件,显示访问文件,权限被拒绝
[root@hf-01 ~]# !tail
tail /usr/local/nginx/logs/nginx_error.log
2018/01/08 06:42:21 [crit] 3392#0: *22 connect() to unix:/tmp/php-afcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-afcgi.sock:", host: "test.com"
2018/01/08 07:13:39 [crit] 3518#0: *24 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
2018/01/08 07:54:07 [crit] 3790#0: *32 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
[root@hf-01 ~]# 
  1. sock文件默认权限使660,root用户可以读,root用户组也是可读的,唯独其他用户不能去读
  2. 看到是由nobody的身份去读nginx的
[root@hf-01 ~]# ps aux |grep nginx
root      1218  0.0  0.1  21784  1692 ?        Ss   00:11   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody    3929  0.0  0.3  23664  3692 ?        S    08:18   0:00 nginx: worker process
nobody    3930  0.0  0.3  23664  3692 ?        S    08:18   0:00 nginx: worker process
root      3932  0.0  0.0 112676   984 pts/0    R+   08:18   0:00 grep --color=auto nginx
[root@hf-01 ~]# 
  1. 这时临时改变权限为nobody
[root@hf-01 ~]# chown nobody /tmp/php-fcgi.sock 
[root@hf-01 ~]# 
  1. 这时再去访问3.php会看到正常访问
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 08 Jan 2018 00:22:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@hf-01 ~]# 
  1. 这就是因为nobody用户有读的权限,所以可以正常访问
  2. 在php-fpm的配置文件中定义listen.mode,就是为了让任何用户可以读
  3. 再去配置文件中取消listen.mode的注释
[root@hf-01 ~]# vi /usr/local/php-fpm/etc/php-fpm.conf

listen.mode = 666
  1. 然后重启php-fpm的配置文件
[root@hf-01 ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@hf-01 ~]# 
  1. 查看文件的权限
[root@hf-01 ~]# !ls
ls -l /tmp/php-fcgi.sock 
srw-rw-rw- 1 root root 0 1月   8 08:28 /tmp/php-fcgi.sock
[root@hf-01 ~]# 
  1. 访问3.php会看到正常访问
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 08 Jan 2018 00:30:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@hf-01 ~]# 

502的另外情况

  • 就是php-fpm服务,资源耗尽,也会显示502,这时候就需要去优化了

12.16 Nginx代理

Nginx代理目录概要

  • cd /usr/local/nginx/conf/vhost
  • vim proxy.conf //加入如下内容
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Nginx代理

  • 需求:
    • 用户需要访问web服务器,但用户因为各种原因没办法访问或者访问很慢(私网无访问、境内访问国外服务器),所以,就需要一个能访问web服务器的代理者,让用户通过代理服务器访问
  • 解决方法
    • 创建代理服务器
  1. 首先切换目录cd /usr/local/nginx/conf/vhost
[root@hanfeng ~]# cd /usr/local/nginx/conf/vhost
[root@hanfeng vhost]# 
  1. 新建一个配置文件vim proxy.conf
[root@hanfeng vhost]# vim proxy.conf

加入以下内容
server
{
    listen 80;
    server_name ask.apelearn.com;                       //定义域名,论坛的网站
    location /
    {
        proxy_pass      http://121.201.9.155/;         //定义域名,论坛的IP
        proxy_set_header Host   $host;                   //定义访问的域名 为 $host =server_name ask.apelearn.com
        proxy_set_header X-Real-IP      $remote_addr; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
保存退出
  1. 配置文件中,没有了root,因为这是一个代理服务器,它不需要访问本地服务器上的任何文件
  2. 在配置完成后,这台虚拟机就可以访问ask.apelearn.com论坛了
  3. 检查配置文件语法错误,并重新加载配置文件
[root@hanfeng vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanfeng vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hanfeng vhost]# 
  1. robots是针对蜘蛛的索引的一个列表,一般网站都会有robots
[root@hanfeng vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@hanfeng vhost]# 
[root@hanfeng vhost]# 
  1. 测试代理是否成功,指定本机的IP,也能去访问
[root@hanfeng vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@hanfeng vhost]# 
  1. 正常情况下,不去配置这个代理,是不可能通过本地访问到远程的站点的

扩展

  1. 502问题汇总
  2. location优先级

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏沈唁志

PHP中常用的header头

27830
来自专栏coding

win10下配置linux子系统

20870
来自专栏数据库新发现

Robots.txt指南

当搜索引擎访问一个网站时,它首先会检查该网站的根域下是否有一个叫做robots.txt的纯文本文件。Robots.txt文件用于限定搜索引擎对其网站的访问范围,...

21820
来自专栏Samego开发资源

让Nginx支持ThingPHP的rewrite路由模式

57150
来自专栏Laoqi's Linux运维专列

Apache访问日志+不记录静态文件

Apache访问日志 : 访问日志:顾名思义就是当有人访问咱们的站点,就会被记录些信息!其实这个还是蛮重要,尤其是站点受到攻击,直接命令的日志可以让我们迅速找到...

37550
来自专栏较真的前端

客户端会话级存储:session Storage与session Cookie的区别

24740
来自专栏开心的学习之路

Fedora27搭建GPU版TensorFlow

主机:华硕(ASUS)G11飞行堡垒 显卡:GeForce 1070 原操作系统为win10,准备安装Fedora 27,从零开始搭建GPU版TensorF...

37370
来自专栏微服务生态

好玩的Raft动画演示,原理秒懂

关于Raft原理,许多朋友也许不是很明白原理,下面的地址是一个好玩的Raft动画,看完后能够很快的掌握Raft原理:

26150
来自专栏数据之美

使用 django-blog-zinnia 搭建个人博客

django-blog-zinnia 虽然小巧,但是具备了个人博客应用的全部基础功能,且具有很高的拓展性,并且开箱即用。以下是官方列出的一些特性: 评论 站...

34090
来自专栏乐沙弥的世界

基于CentOS 7配置Nginx正向代理

Nginx是一款以轻量级、低内存开销、支持缓存、支持反向代理,负载均衡,电子邮件服务而著称。对于鲜为人知的是,它还可以作为一个简单易用的正向代理服务器。本文简要...

37750

扫码关注云+社区

领取腾讯云代金券