LNMP环境配置(2)

php-fpm配置,Nginx配置

Nginx配置

默认虚拟主机

修改主配置文件

# vi  /usr/local/nginx/conf/nginx.conf

 在最后 } 符号上面写入  include vhost/*.conf; 

 设置默认虚拟主机

# mkdir  /usr/local/nginx/conf/vhost

# cd  /usr/local/nginx/conf/vhost

# vi  default.conf

server
    {
        listen  80  default_server;   标记为默认虚拟主机
        server_name  aaa.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/default;
    }

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

创建索引页

# mkdir  -p  /data/nginx/default/

# echo  "default_server"  >  /data/nginx/default/index.html

测试

 

用户认证

创建一个新的虚拟主机

# cd  /usr/local/nginx/conf/vhost/

# vi  test.com.conf

server
{
        listen  80;
        server_name  test.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        location  /
        {
                auth_basic      "Auth";    打开认证
                auth_basic_user_file    /usr/local/nginx/conf/htpasswd;   指定用户密码文件
        }
}

安装httpd

# yum  install  -y  httpd

创建用户

# htpasswd  -c  /usr/local/nginx/conf/htpasswd  tuitui

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

测试

# mkdir  /data/nginx/test.com

# echo  "test.com"  >  /data/nginx/test.com/index.html

# curl  -I  -x127.0.0.1:80  test.com

出现状态码401表示该网站需要认证

# systemctl  stop  firewalld  关闭防火墙

编辑Windows的hosts文件,最后一行加入 192.168.89.128  test.com

浏览器访问

 

 如果要对某个目录做用户认证,修改location后面的路径

域名重定向

配置文件

# cd  /usr/local/nginx/conf/vhost/
# vi  test.com.conf
server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;  永久重定向
        }
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

# curl  -x127.0.0.1:80  test1.com/123.txt  -I

Nginx的访问日志

查看日志格式

# grep  -A2  log_format  /usr/local/nginx/conf/nginx.conf

指定访问日志的路径

# vi  test.com.conf
server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;
        }
        access_log  /tmp/1.log  combined_realip;
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

测试

# curl  -x127.0.0.1:80  test.com/111

# cat  /tmp/1.log

日志切割脚本

# vi  /usr/local/sbin/nginx_log_rotate.sh

写入以下内容

#!  /bin/bash
d=`date  -d  "-1 day"  +%Y%m%d`
logdir="/data/logs"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd  $logdir
for  log  in  `ls *.log`
do
        mv  $log  $log-$d
done
/bin/kill  -HUP  `cat $nginx_pid`
0  0  *  *  *  /bin/bash  /usr/local/sbin/nginx_log_rotate.sh

配置静态文件不记录日志并添加过期时间

配置文件

# vi  test.com.conf
server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;
        }
        location  ~  .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
                expires         7d;
                access_log  off;
        }
        location  ~  .*\.(js|css)$
        {
                expires         12h;
                access_log  off;
        }
        access_log  /tmp/1.log  combined_realip;
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

测试过程

创建js文件

# echo  "11111111"  >  /data/nginx/test.com/1.js

创建jpg文件

# echo  "22222222"  >  /data/nginx/test.com/2.jpg

创建一个对比的文件

# touch  /data/nginx/test.com/1.jss

访问js类型的文件,缓存过期时间为12小时

# curl  -I  -x127.0.0.1:80 test.com/1.js

访问jpg类型的文件,缓存过期时间为7小时

# curl  -I  -x127.0.0.1:80 test.com/2.jpg

对比Cache-control对应的时间大小

# curl  -I  -x127.0.0.1:80 test.com/1.jss

查看访问日志

# cat  /tmp/1.log

Nginx防盗链

和日志部分合在一起配置文件

# vi  test.com.conf

server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;
        }
        location  ~*  ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
        {
                expires         7d;
                valid_referers  none  blocked  server_names  *.test.com;
                if  ($invalid_referer)
                {
                        return  403;
                }
        }
        access_log  off;
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

测试

# curl  -x127.0.0.1:80  -I  -e  "http://aaa.com/1.txt"  test.com/2.jpg

# curl  -x127.0.0.1:80  -I  -e  "http://test.com/1.txt"  test.com/2.jpg

同时有过期时间和防盗链功能

访问控制

配置文件

(使能访问admin目录的请求只允许192.168.89.1和127.0.0.1访问)

# vi  test.com.conf

server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;
        }
        location  /admin/
        {
                allow  192.168.89.1;
                allow  127.0.0.1;
                deny  all;
        }
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

测试

# mkdir  /data/nginx/test.com/admin
# echo  "123"  >  /data/nginx/test.com/admin/1.html
# curl  -x127.0.0.1:80  test.com/admin/1.html

# curl  -x192.168.89.128:80  test.com/admin/1.html

 拒绝某几个IP

 

 限制解析PHP

 

限制user_agent

# vi  test.com.conf

server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;
        }

        if  ($http_user_agent  ~  'Spider/3.0|YoudaoBot|Tomato')
        {
                return  403;
        }
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

Nginx解析PHP

配置文件

# vi  test.com.conf

server
{
        listen  80;
        server_name  test.com  test1.com  test2.com;
        index  index.html  index.htm  index.php;
        root  /data/nginx/test.com;
        if  ($host  !=  'test.com'  )
        {
                rewrite  ^/(.*)$  http://test.com/$1  permanent;
        }

         location ~ \.php$
        {
                include  fastcgi_params;
                fastcgi_pass  unix:/tmp/php-fcgi.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /data/nginx/test.com$fastcgi_script_name;
        }
        access_log  /tmp/1.log  combined_realip;
}      

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

Nginx代理

配置文件

# cd  /usr/local/nginx/conf/vhost/

# ping ask.apelearn.com  获取proxy_pass

# vi  proxy.conf

server
{
        listen  80;     
        server_name  ask.apelearn.com;
        location  /
        {
                proxy_pass  http://47.104.7.242/;
                proxy_set_header  Host  $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}  

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

测试

# curl  -x127.0.0.1:80  ask.apelearn.com  -I

# curl  ask.apelearn.com  -I

负载均衡

# yum  install  -y  bind-utils  安装dig命令

# dig  www.baidu.com   查看域名对应的IP

测试

# curl  -x61.135.169.125:80  www.baidu.com  -I

# curl  -x61.135.169.121:80  www.baidu.com  -I

配置文件

# vi  /usr/local/nginx/conf/vhost/load.conf

upstream  baidu_com
{
        ip_hash;
        server  61.135.169.125:80;
        server  61.135.169.121:80;
}
server
{
        listen  80;
        server_name  www.baidu.com;
        location  /
        {
                proxy_pass   http://baidu_com;
                proxy_set_header  Host  $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

测试

# curl  -x127.0.0.1:80  www.baidu.com  -I

Nginx配置SSL

生成自定义的SSL证书

生成私钥

# openssl  genrsa  -des3  -out  tmp.key  2048

 

 

删除密码

# openssl  rsa  -in  tmp.key  -out  aminglinux.key

 

 

生成证书请求文件

# openssl  req  -new  -key  aminglinux.key  -out  aminglinux.csr

 

 

 生成GRT证书文件

# openssl  x509  -req  -days  365  -in  aminglinux.csr  -signkey  aminglinux.key  -out  aminglinux.crt

 

 

 

编译Nginx

# cd  /usr/local/src/nginx-1.10.3

# ./configure  --prefix=/usr/local/nginx/  --with-http_ssl_module

# make

# make install

配置文件

# vi  /usr/local/nginx/conf/vhost/ssl.conf

server
{
        listen  443;
        server_name  aming.com;
        index  index.html  index.php;
        root  /data/nginx/aming.com;
        ssl  on;
        ssl_certificate  aminglinux.crt;
        ssl_certificate_key  aminglinux.key;
        ssl_protocols  TLSv1  TLSv1.1  TLSv1.2;
        location  ~  \.php$
        {
                include  fastcgi_params;
                fastcgi_pass  unix:/tmp/php-fcgi.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /data/nginx/aming.com$fastcgi_script_name;
        }
        access_log  /tmp/1.log  combined_realip;
}

重新加载配置文件

# /usr/local/nginx/sbin/nginx  -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# /usr/local/nginx/sbin/nginx  -s  reload

创建对应的目录和测试文件

 

# mkdir  /data/nginx/aming.com

# echo  "<?php phpinfo();  ?>"  >  /data/nginx/aming.com/1.php

# /etc/init.d/nginx  restart

 

测试

到真实电脑上修改hosts,把网站域名指向Linux机器

在最下面增加一行 192.168.89.128 aming.com

用浏览器访问https://aming.com/1.php

php-fpm配置

php-fpm的pool

修改配置文件

# vi  /usr/local/php-fpm/etc/php-fpm.conf

创建配置文件目录和子配置文件

# mkdir  /usr/local/php-fpm/etc/php-fpm.d

# cd  /usr/local/php-fpm/etc/php-fpm.d

# vi  www.conf

[www]
listen=/tmp/www.sock
listen.mode=666
user=php-fpm
group=php-fpm
pm=dynamic     定义php-fpm的子进程启动模式,dynamic为动态模式
pm.max_children=50
pm.start_servers=20     定义php-fpm服务在启动服务时产生的子进程数量
pm.min_spare_servers=5    定义在空闲时段子进程数的最少数量
pm.max_spare_servers=35   定义在空闲时段子进程数的最大值
pm.max_requests=500    定义一个子进程最多处理的请求数
rlimit_files=1024

# vi  aming.conf

[aming]
listen=/tmp/aming.sock
listen.mode=666
user=php-fpm
group=php-fpm
pm=dynamic
pm.max_children=50
pm.start_servers=20
pm.min_spare_servers=5
pm.max_spare_servers=35
pm.max_requests=500
rlimit_files=1024

两个pool互不影响

检验配置

# /usr/local/php-fpm/sbin/php-fpm  -t
[20-Dec-2019 09:19:12] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful 

重启服务

# /etc/init.d/php-fpm  restart

查看sock文件

# ls  /tmp/*.sock

php-fpm的慢执行日志

编辑配置文件

# vi  /usr/local/php-fpm/etc/php-fpm.d/www.conf

在最后加

request_slowlog_timeout=1
slowlog=/usr/local/php-fpm/var/log/www-slow.log

检验配置

# /usr/local/php-fpm/sbin/php-fpm  -t
[20-Dec-2019 09:19:12] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful 

php-fpm定义open_basedir

编辑配置文件

# vi  /usr/local/php-fpm/etc/php-fpm.d/www.conf

在最后加

php_admin_value[open_basedir]=/data/www/:/tmp/

检验配置

# /usr/local/php-fpm/sbin/php-fpm  -t
[20-Dec-2019 09:19:12] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful 

posted @ 2020-01-07 08:13  腿腿腿长一米八  阅读(159)  评论(0编辑  收藏  举报