Basic nginx configuration examples

1. Acting as an HTTP proxy

[root@server1 conf]# mkdir /www1
[root@server1 conf]# mkdir /www2
[root@server1 conf]# cd /www1
[root@server1 www1]# vim index.html
www.westos.org---server1
[root@server1 conf]# vim nginx.conf

server {
        listen 80;
        server_name www.westos.org;   # domain name

        location / {
                root /www1;           # document root
                index index.html;     # index file
        }
}

[root@server1 conf]# nginx -s reload


2. Creating a cluster with nginx
[root@server1 conf]# vim nginx.conf

    server {
        listen 443 ssl;
        server_name www.westos.org;
        ssl_certificate         cert.pem;
        ssl_certificate_key     cert.pem;

        ssl_session_cache       shared:SSL:1m;
        ssl_session_timeout     5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
                root /www1;
                index index.html index.htm;
        }
    }
server {
        listen 80;
        server_name www.westos.org;

        location / {
                root /www1;
                index index.html;
        }
}
[root@server1 conf]# nginx -t    
[root@server1 conf]# cd /etc/pki/
[root@server1 pki]# cd tls/certs/
[root@server1 certs]# make cert.pem
umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
    cat $PEM1 >  cert.pem ; \
    echo ""    >> cert.pem ; \
    cat $PEM2 >> cert.pem ; \
    rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.............................................+++
..........................................................+++
writing new private key to '/tmp/openssl.VIDGfw'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shannxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@localhost
[root@server1 certs]# ll cret.pem
ls: cannot access cret.pem: No such file or directory
[root@server1 certs]# ls
ca-bundle.crt  ca-bundle.trust.crt  cert.pem  make-dummy-cert  Makefile  renew-dummy-cert
[root@server1 certs]# ll cert.pem 
-rw------- 1 root root 3088 Aug  7 16:17 cert.pem
[root@server1 certs]# cp cert.pem /usr/local/lnmp/nginx/conf/
[root@server1 certs]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx//conf/nginx.conf test is successful


3. Redirection

First experiment:

[root@server1 conf]# vim nginx.conf
server {
        listen 80;
        server_name www.westos.org westos.org;     ## when either of these two names is requested

        rewrite ^(.*)$ https://www.westos.org/$1;     ## redirect to this URL
}

server {
        listen 80;
        server_name www.westos.org westos.org;

        rewrite ^(.*)$ https://www.westos.org/ permanent;
}
[root@server1 conf]# nginx -s reload

Test:
[root@foundation24 jar]# curl -I www.westos.org/index.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:09:57 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/

Second experiment:

server {
        listen 80;
        server_name www.westos.org westos.org;

        rewrite ^(.*)$ https://www.westos.org$1 permanent;
}

Test:

[root@foundation24 jar]# curl -I westos.org/index.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:11:27 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/index.html
[root@foundation24 jar]# curl -I westos.org/index.xx
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:11:32 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.westos.org/index.xx

Third experiment:

server {
        listen 80;
        server_name www.westos.org westos.org;

        #rewrite ^(.*)$ https://www.westos.org$1 permanent;
        if ($host = "bbs.westos.org") {
                rewrite ^/(.*)$ http://www.westos.org/bbs/$1 permanent;
        }
}
[root@server1 certs]# cd /www1/
[root@server1 www1]# mkdir bbs
[root@server1 www1]# cd bbs/
[root@server1 bbs]# vim index.html
[root@server1 bbs]# cat index.html 
bbs.westos.org
[root@foundation24 jar]# curl -I bbs.westos.org
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Tue, 07 Aug 2018 09:21:35 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://www.westos.org/bbs/
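
The three tests above differ only in the Location header, so a check on that header catches a redirect that drops the path or points back at plain http. The following is an added example, not part of the original post; check_redirect and resp are hypothetical helper names, and the responses are shortened copies of the curl output shown above.

```shell
#!/bin/sh
# Added example: verify that a port-80 redirect answers 301, targets https://
# and keeps the requested path.

# check_redirect EXPECTED_URL   (reads `curl -I` output on stdin)
# Prints "OK <url>" or "FAIL <reason> <value>"; exit status is 0 or 1.
check_redirect() {
    awk -v want="$1" '
    { sub(/\r$/, "") }                         # HTTP header lines end in CRLF
    NR == 1                    { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END {
        if (status != "301")             { print "FAIL status " status;    exit 1 }
        if (index(loc, "https://") != 1) { print "FAIL not-https " loc;    exit 1 }
        if (loc != want)                 { print "FAIL wrong-target " loc; exit 1 }
        print "OK " loc
    }'
}

# resp LOCATION: a response shortened from the curl output above.
resp() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.10.1\r\nLocation: %s\r\n\r\n' "$1"
}

# "|| true" keeps the script going after a failed check.
# First experiment: /index.html was requested, the path is lost.
resp "https://www.westos.org/"           | check_redirect "https://www.westos.org/index.html" || true
# Second experiment: path preserved.
resp "https://www.westos.org/index.html" | check_redirect "https://www.westos.org/index.html" || true
# Third experiment: the target is http://, not https://.
resp "http://www.westos.org/bbs/"        | check_redirect "https://www.westos.org/bbs/"       || true
```

Against a live server the input would be `curl -sI http://westos.org/index.html | check_redirect https://www.westos.org/index.html`.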
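
4. Download speed control
[root@server1 conf]# vim nginx.conf
include
sendfile on;          # enables efficient file transfer
tcp_nopush on;        # prevents blocking between disk and network
tcp_nodelay on;       # use these three together
keepalive_timeout     # timeout setting, so that client and server work more efficiently

limit_conn

#gzip on;
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

#access_log  logs/host.access.log  main;

        location / {
             root   html;
             index  index.php index.html index.htm;

        }
        location /download/ {
                limit_conn addr 1;              # one concurrent connection per client address
                limit_rate 50k;                 # 50 KB/s per connection
                limit_req zone=one burst=5;     # 1 request/s from zone "one", up to 5 queued
        }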
[root@server1 conf]# nginx -s reload

Test:

/usr/local/lnmp/nginx/html/download
[root@server1 download]# ls
apache-tomcat-7.0.90.tar.gz  vim.jpg

[root@foundation24 ~]# time wget http://172.25.24.1/download/apache-tomcat-7.0.90.tar.gz


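6. Access control
 location /admin/ {
                allow 172.25.24.250;    ## allow 172.25.24.250
                deny  all;              ## deny everyone else; rules are checked in order and the first match decides, so all other clients are rejected here
        }
[root@server1 admin]# cat index.html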
admin gogogo ~
[root@server1 admin]# pwd
/usr/local/lnmp/nginx/html/admin


7. Expiration time
location /admin/ {
                allow 172.25.24.0/24;
                deny  all;
        }
        location ~ .*\.(gif|jpg|png)$ {            ## files ending in these extensions expire after 30 days
                expires 30d;
        }

Test:

[root@foundation24 ~]# curl  -I 172.25.24.1/admin/vim.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Wed, 08 Aug 2018 03:43:11 GMT  ## current time
Content-Type: image/jpeg
Content-Length: 453575
Last-Modified: Wed, 08 Aug 2018 02:20:18 GMT
Connection: keep-alive
ETag: "5b6a5362-6ebc7"
Expires: Fri, 07 Sep 2018 03:43:11 GMT   ## expiry time
Cache-Control: max-age=2592000
Accept-Ranges: bytes
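
8. Denying access:
location / {
            #root   html;
            root /usr/local/tomcat/webapps/ROOT;
            index  index.html index.htm;
        }
server {
        listen       80;
        server_name  _;         ## block all access (applies to Hosts that match no other server when this is the default server)
        return 500;             ## return a 500 error
}

Test: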

9. Hotlink protection

How hotlinking works:
The hotlinking host:

[root@server2 ~]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 172.25.24.2 for ServerName
                                                           [  OK  ]


[root@server2 ~]# cd /var/www/html/
[root@server2 html]# ls
[root@server2 html]# vim index.html
[root@server2 html]# vim index.html 
[root@server2 html]# cat index.html 
<html>
<body>
<img src="http://www.westos.org/iso7.gif">
</body>
</html>

The host being hotlinked:

[root@server1 www1]# ls
bbs  index.html
[root@server1 www1]# pwd
/www1
[root@server1 www1]# ls
bbs  index.html  iso7.gif

Then, when a client opens the hotlinking host's URL or IP address, the request automatically goes to the hotlinked host.

[root@server1 logs]# cat access.log  ## the nginx log shows the hotlinking
172.25.24.250 - - [08/Aug/2018:15:06:01 +0800] "GET /iso7.gif HTTP/1.1" 200 225325 "http://172.25.24.2/" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"

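Hotlink protection:

 location / {
                root /www1;
                index index.html;
        }
        location ~ \.(gif|jpg|png)$ {           ## for requests for files ending in these extensions
                valid_referers www.westos.org;  ## except for www.westos.org
                if ($invalid_referer) {         ## everything else gets a 403 error (the image is not displayed)
                        return 403;
                }
        }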
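
The access.log entry above exposes hotlinking through its Referer field, and the same test that valid_referers applies can be run over the log to find which sites are embedding the images. The following is an added example, not part of the original post; find_hotlinks and sample_log are hypothetical names, the log is assumed to be in nginx's "combined" format, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list image requests whose Referer host is not on the allow list.

# find_hotlinks ALLOWED_HOSTS   (comma-separated; log lines on stdin)
# Prints one line per hit: client-ip uri referer-host
find_hotlinks() {
    awk -F'"' -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1 }
    {
        split($2, req, " ")                  # method, URI, protocol
        uri = req[2]
        sub("[?].*", "", uri)                # ignore the query string
        if (uri !~ /\.(gif|jpg|png)$/) next  # same pattern as the location block
        ref = $4
        if (ref == "-" || ref == "") next    # no Referer header: nothing to attribute
        host = tolower(ref)
        sub("^[a-z]+://", "", host)          # strip the scheme
        sub("[/:?#].*", "", host)            # strip port, path and query
        # exact host comparison, so a look-alike prefix does not pass
        if (!(host in ok)) { split($1, c, " "); print c[1], uri, host }
    }'
}

# Constructed sample lines; the first mirrors the entry shown above.
sample_log() {
cat <<'EOF'
172.25.24.250 - - [08/Aug/2018:15:06:01 +0800] "GET /iso7.gif HTTP/1.1" 200 225325 "http://172.25.24.2/" "Mozilla/5.0"
172.25.24.250 - - [08/Aug/2018:15:06:09 +0800] "GET /iso7.gif HTTP/1.1" 200 225325 "http://www.westos.org/index.html" "Mozilla/5.0"
172.25.24.251 - - [08/Aug/2018:15:07:12 +0800] "GET /index.html HTTP/1.1" 200 24 "http://172.25.24.2/" "Mozilla/5.0"
172.25.24.252 - - [08/Aug/2018:15:08:30 +0800] "GET /bbs/logo.png?v=2 HTTP/1.1" 200 1024 "https://www.westos.org.mirror.example/a" "curl/7.29.0"
172.25.24.253 - - [08/Aug/2018:15:09:44 +0800] "GET /iso7.gif HTTP/1.1" 200 225325 "-" "Mozilla/5.0"
EOF
}

sample_log | find_hotlinks "www.westos.org"
```

Requests with no Referer are skipped here because they cannot be attributed to a site; the valid_referers rule above does not list `none`, so nginx answers those with 403 as well.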


Reprinted from blog.csdn.net/a939029674/article/details/81634781