1.作http代理
root@server1 conf]# mkdir /www1
[root@server1 conf]# mkdir /www2
[root@server1 conf]# cd /www1
[root@server1 www1]# vim index.html
www.westos.org---server1
[root@server1 conf]# vim nginx.conf
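# Name-based virtual host that serves static files from /www1.
# The inline notes are written as comments and every directive ends with ';'
# so that the block passes `nginx -t` as-is.
server {
    listen 80;
    server_name www.westos.org;   # host name this block answers for
    location / {
        root /www1;               # document root
        index index.html;         # file served for a directory request
    }
}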
[root@server1 conf]# nginx -s reload
2.使用nginx创建一个集群
[root@server1 conf]# vim nginx.conf
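# HTTPS virtual host for www.westos.org.
server {
    listen 443 ssl;
    server_name www.westos.org;

    # cert.pem is the file built by `make cert.pem` later on this page. That
    # recipe writes the private key and the self-signed certificate into the
    # same file, which is why both directives point at it. The key is stored
    # without a passphrase (-nodes), so the file must stay readable by root
    # only (the listing on this page shows -rw-------).
    ssl_certificate     cert.pem;
    ssl_certificate_key cert.pem;
    # NOTE(review): the certificate on this page is created with Common Name
    # "server1", which does not match server_name; clients that verify the
    # host name will reject it. Fine for a lab, not for real traffic.

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    # nginx 1.10 (the version shown in the curl output on this page) still
    # offers TLSv1 and TLSv1.1 unless ssl_protocols is set explicitly.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Absolute path: a relative "www1" would be resolved against the
        # nginx prefix directory, not the /www1 directory created above.
        root /www1;
        index index.html index.htm;
    }
}

# Plain-HTTP virtual host for the same name, serving the same content.
server {
    listen 80;
    server_name www.westos.org;
    location / {
        root /www1;
        index index.html;
    }
}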
[root@server1 conf]# nginx -t
[root@server1 conf]# cd /etc/pki/
[root@server1 pki]# cd tls/certs/
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > cert.pem ; \
echo "" >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.............................................+++
..........................................................+++
writing new private key to '/tmp/openssl.VIDGfw'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shannxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@localhost
[root@server1 certs]# ll cret.pem
ls: cannot access cret.pem: No such file or directory
[root@server1 certs]# ls
ca-bundle.crt ca-bundle.trust.crt cert.pem make-dummy-cert Makefile renew-dummy-cert
[root@server1 certs]# ll cert.pem
-rw------- 1 root root 3088 Aug 7 16:17 cert.pem
[root@server1 certs]# cp cert.pem /usr/local/lnmp/nginx/conf/
[root@server1 certs]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx//conf/nginx.conf test is successful
3.重定向
第一个小实验:
[root@server1 conf]# vim nginx.conf
# Annotated sketch of the HTTP-to-HTTPS redirect; the block that was actually tested follows below.
server {
listen 80;
server_name www.westos.org westos.org; ## when either of these two host names is requested
rewrite ^(.*)$ https://www.westos.org/$1 ## ...send the client to this URL
# NOTE(review): as written, the rewrite line has no terminating ';' and the server block is not closed,
# so this is an illustration rather than loadable configuration.
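# Redirect every plain-HTTP request for these names to the HTTPS site root.
server {
    listen 80;
    server_name www.westos.org westos.org;
    # The target is a fixed URL with no capture appended, so the requested
    # path is dropped (the curl test below shows Location: https://www.westos.org/).
    # "permanent" makes nginx answer with 301.
    rewrite ^(.*)$ https://www.westos.org/ permanent;
}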
[root@server1 conf]# nginx -s reload
测试:
[root@foundation24 jar]# curl -I www.westos.org/index.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:09:57 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/
第二个小实验:
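# Redirect plain HTTP to HTTPS and keep the requested path.
server {
    listen 80;
    server_name www.westos.org westos.org;
    # $1 is the whole original URI including its leading '/', so it is
    # appended directly after the host name. The host in the target is a
    # fixed literal, so the client's Host header cannot steer the redirect
    # to another site.
    rewrite ^(.*)$ https://www.westos.org$1 permanent;
}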
测试:
oot@foundation24 jar]# curl -I westos.org/index.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:11:27 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/index.html
root@foundation24 jar]# curl -I westos.org/index.xx
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:11:32 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/index.xx
第三个小实验:
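# Map the bbs.westos.org host name onto the /bbs/ directory of www.westos.org.
server {
    listen 80;
    server_name www.westos.org westos.org;
    # NOTE(review): bbs.westos.org is not listed in server_name, so requests
    # for it only reach this block if it is the default server for port 80.
    # Confirm, or add the name to server_name.

    #rewrite ^(.*)$ https://www.westos.org$1 permanent;

    # $host comes from the client's request. It is only compared against a
    # fixed literal here and the redirect target uses a fixed host name.
    if ($host = "bbs.westos.org") {
        # Target is plain http:// because the HTTPS redirect above is
        # commented out for this experiment.
        rewrite ^/(.*)$ http://www.westos.org/bbs/$1 permanent;
    }
}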
root@server1 certs]# cd /www1/
[root@server1 www1]# mkdir bbs
[root@server1 www1]# cd bbs/
[root@server1 bbs]# vim index.html
[root@server1 bbs]# cat index.html
bbs.westos.org
[root@foundation24 jar]# curl -I bbs.westos.org
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:21:35 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://www.westos.org/bbs/
4.下载速度控制
[root@server1 conf]# vim nginx.conf
include
sendfile on; 开启文件的高效传输
tcp_nopush on; 防止磁盘和网络的阻塞
tcp_nodelay on; 这三个一起用。
keepalive_timeout 超时设置,使客户端和服务端更加高效地工作
limit_conn
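#gzip on;

# http context: shared-memory zones keyed by the client address.
# Clients behind the same NAT or proxy share one address and therefore one
# set of limits.
limit_conn_zone $binary_remote_addr zone=addr:10m;           # zone "addr": concurrent connections per address
limit_req_zone  $binary_remote_addr zone=one:10m rate=1r/s;  # zone "one": 1 request per second per address

# The directives below belong inside the server block.
#access_log logs/host.access.log main;

location / {
    root html;
    index index.php index.html index.htm;
}

location /download/ {
    limit_conn addr 1;            # zone name and limit are separate arguments: one connection per address
    limit_rate 50k;               # transfer rate cap, applied per connection
    limit_req zone=one burst=5;   # up to 5 requests above the rate are queued rather than rejected
}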
[root@server1 conf]# nginx -s reload
测试:
/usr/local/lnmp/nginx/html/download
[root@server1 download]# ls
apache-tomcat-7.0.90.tar.gz vim.jpg
[root@foundation24 ~]# time wget http://172.25.24.1/download/apache-tomcat-7.0.90.tar.gz
6.访问控制
# Restrict /admin/ to a single client address.
# NOTE(review): allow/deny look at the address of the connecting peer; if nginx sits behind a proxy or
# load balancer, that is the proxy's address. Confirm against the deployment.
location /admin/ {
allow 172.25.24.250; ## accept 172.25.24.250
deny all; ## reject everyone else; rules are checked in order and the first match decides, so the allowed address never reaches this line
}
root@server1 admin]# cat index.html
admin gogogo ~
[root@server1 admin]# pwd
/usr/local/lnmp/nginx/html/admin
7.有效期
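# /admin/ is limited to the 172.25.24.0/24 network.
# "^~" keeps requests such as /admin/vim.jpg inside this location. Without
# it, nginx prefers a matching regex location over a plain prefix location,
# so image files under /admin/ would be served by the top-level image rule
# below, which has no allow/deny, and the restriction would be skipped.
location ^~ /admin/ {
    allow 172.25.24.0/24;
    deny all;

    # Same 30-day lifetime for images under /admin/. allow/deny are
    # inherited from the enclosing location.
    location ~ \.(gif|jpg|png)$ {
        expires 30d;
    }
}

location ~ .*\.(gif|jpg|png)$ {   ## files ending in these extensions get a 30-day lifetime
    expires 30d;
}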
测试:
root@foundation24 ~]# curl -I 172.25.24.1/admin/vim.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Wed, 08 Aug 2018 03:43:11 GMT ##现在时间
Content-Type: image/jpeg
Content-Length: 453575
Last-Modified: Wed, 08 Aug 2018 02:20:18 GMT
Connection: keep-alive
ETag: "5b6a5362-6ebc7"
Expires: Fri, 07 Sep 2018 03:43:11 GMT ##到期时间
Cache-Control: max-age=2592000
Accept-Ranges: bytes
8.拒绝访问:
# Serve static files from the ROOT web application directory under /usr/local/tomcat.
location / {
#root html;
root /usr/local/tomcat/webapps/ROOT;
# NOTE(review): nginx serves this directory as plain files; if it contains WEB-INF/ or META-INF/,
# deny those paths here. Confirm against the deployed web application.
index index.html index.htm;
}
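# Catch-all virtual host: refuses requests whose Host header matches none of
# the configured server_name values.
# This only works if the block is the default server for port 80 (the first
# server defined for that port, or the one marked default_server on listen).
server {
    listen 80;
    server_name _;   ## placeholder name that matches no real host
    # Directive names are lowercase; "Return" is rejected as an unknown directive.
    return 500;      ## answer every such request with a 500 error
}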
测试:
9.防盗链
怎么盗链:
盗链的主机
[root@server2 ~]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 172.25.24.2 for ServerName
[ OK ]
root@server2 ~]# cd /var/www/html/
[root@server2 html]# ls
[root@server2 html]# vim index.html
[root@server2 html]# vim index.html
[root@server2 html]# cat index.html
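<!-- Test page on server2: it embeds an image that is hosted on www.westos.org. -->
<html>
<body>
<img src="http://www.westos.org/iso7.gif">
</body>
</html>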
被盗链的主机:
[root@server1 www1]# ls
bbs index.html
[root@server1 www1]# pwd
/www1
[root@server1 www1]# ls
bbs index.html iso7.gif
然后当你在客户端输入盗链主机的网址或者IP时,页面里的图片会自动从被盗链主机(www.westos.org)上获取
[root@server1 logs]# cat access.log ##查看nginx日志发现被盗链
172.25.24.250 - - [08/Aug/2018:15:06:01 +0800] "GET /iso7.gif HTTP/1.1" 200 225325 "http://172.25.24.2/" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
防盗链:
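location / {
    root /www1;
    index index.html;
}

# Hotlink protection for image files.
location ~ \.(gif|jpg|png)$ {          ## requests for files ending in these extensions
    # A regex location does not inherit "root" from "location /", only from
    # the server level, so it is set here as well (iso7.gif lives in /www1).
    root /www1;

    valid_referers www.westos.org;     ## only a Referer from www.westos.org counts as valid
    # Because "none" is not listed, requests that send no Referer header at
    # all (for example opening the image URL directly) are treated as
    # invalid too.
    # The Referer header is supplied by the client, so this discourages
    # embedding by other sites but is not an access control.
    if ($invalid_referer) {            ## every other request gets 403 (the image does not load)
        return 403;
    }
}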