文章目录
前言
- nginx服务基础
- nginx访问控制
- nginx虚拟主机
防控制列表acl ,逐条匹配,一旦匹配上,就执行,下面不会再看了
一:关于nginx
1.1 一款高性能、轻量级web服务软件
- 稳定性高
- 系统资源消耗低
- 内存资源占用少
- 对http并发连接的处理能力高
- 单台物理服务器可支持30000-50000个并发请求
apache相当于重型坦克,功能多
nginx相当于轻型装甲车
二:nginx编译安装
[root@localhost ~]# mkdir /abc
[root@localhost abc]# mount.cifs //192.168.254.10/linuxs /abc
Password for root@//192.168.254.10/linuxs:
[root@localhost abc]# ls
[root@localhost abc]# cd ..
[root@localhost /]# cd -
/abc
[root@localhost abc]# ls
LNMP-C7
[root@localhost abc]# cd LNMP-C7/
[root@localhost LNMP-C7]# ls
LNMP-C7
[root@localhost LNMP-C7]# cd LNMP-C7/
[root@localhost LNMP-C7]# ls
Discuz_X3.4_SC_UTF8.zip php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz php-7.1.20.tar.bz2
ncurses-5.6.tar.gz php-7.1.20.tar.gz
nginx-1.12.2.tar.gz zend-loader-php5.6-linux-x86_64_update1.tar.gz
php-5.6.11.tar.bz2
[root@localhost LNMP-C7]# tar zxvf nginx-1.12.2.tar.gz -C /opt
2.1 安装支持软件
[root@localhost LNMP-C7]# yum install gcc gcc-c++ zlib-devel pcre* make perl expat-devel -y
作为依赖被安装:
cpp.x86_64 0:4.8.5-39.el7
glibc-devel.x86_64 0:2.17-292.el7
glibc-headers.x86_64 0:2.17-292.el7
kernel-headers.x86_64 0:3.10.0-1062.9.1.el7
libmpc.x86_64 0:1.0.1-3.el7
libstdc++-devel.x86_64 0:4.8.5-39.el7
更新完毕:
make.x86_64 1:3.82-24.el7 perl.x86_64 4:5.16.3-294.el7_6
作为依赖被升级:
glibc.x86_64 0:2.17-292.el7 glibc-common.x86_64 0:2.17-292.el7
libgcc.x86_64 0:4.8.5-39.el7 libgomp.x86_64 0:4.8.5-39.el7
libstdc++.x86_64 0:4.8.5-39.el7 perl-libs.x86_64 4:5.16.3-294.el7_6
zlib.x86_64 0:1.2.7-18.el7
完毕!
2.2 创建运行用户、组
[root@localhost LNMP-C7]# useradd -M -s /sbin/nologin nginx
[root@localhost LNMP-C7]# id nginx
uid=1001(nginx) gid=1001(nginx) 组=1001(nginx)
2.3 编译安装
[root@localhost LNMP-C7]# cd /opt
[root@localhost opt]# ls
nginx-1.12.2 rh
[root@localhost opt]# cd nginx-1.12.2/
[root@localhost nginx-1.12.2]# ls
auto CHANGES.ru configure html man src
CHANGES conf contrib LICENSE README
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
[root@localhost nginx-1.12.2]# make && make install
[root@localhost nginx-1.12.2]# cd /usr/local
[root@localhost local]# ls
bin etc games include lib lib64 libexec nginx sbin share src
[root@localhost local]# cd nginx/
[root@localhost nginx]# ls
conf html logs sbin
[root@localhost nginx]# cd html/
[root@localhost html]# ls
50x.html index.html
[root@localhost html]# vim 50x.html //查看里面的内容
[root@localhost html]# vim index.html //查看里面内容,了解一下
[root@localhost html]# cd ..
[root@localhost nginx]# ls
conf html logs sbin
[root@localhost nginx]# cd logs/
[root@localhost logs]# ls
//没有开启服务,日志没有开启
2.4 优化软件
2.4.1 将脚本软连接到/usr/local/sbin中
[root@localhost logs]# cd ..
[root@localhost nginx]# ls
conf html logs sbin
[root@localhost nginx]# cd sbin/
[root@localhost sbin]# ls
nginx
[root@localhost sbin]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost local]# which nginx
/usr/local/sbin/nginx
三: Nginx运行控制
3.1 检查配置文件
[root@localhost sbin]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
3.2 启动、重载配置、停止Nginx
3.2.1 启动服务
[root@localhost sbin]# nginx
//开启服务
[root@localhost sbin]# netstat -natp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 43150/nginx: master
tcp 0 0 192.168.247.180:43922 192.168.254.10:445 ESTABLISHED -
3.2.2 关闭防火墙
ot@localhost sbin]# systemctl stop firewalld.service
[root@localhost sbin]# setenforce 0
3.2.3 安装elinks
[root@localhost sbin]# rpm -q elinks
未安装软件包 elinks
[root@localhost sbin]# yum install elinks -y
已安装:
elinks.x86_64 0:0.12-0.37.pre6.el7.0.1
作为依赖被安装:
js.x86_64 1:1.8.5-20.el7 nss_compat_ossl.x86_64 0:0.9.6-8.el7
完毕!
3.2.4 测试网站
[root@localhost sbin]# elinks http://localhost
按q退出来
在客户端访问验证
3.2.5 停止服务 killall -s QUIT nginx
[root@localhost sbin]# killall -s QUIT nginx
//或者-3 也可以关闭服务
[root@localhost sbin]# killall -3 nginx
再次查看时记得清一下缓存,不然会显示之前的信息
此时查看80端口
[root@localhost sbin]# netstat -natp | grep 80
tcp 0 0 192.168.247.181:80 192.168.247.1:54282 TIME_WAIT -
[root@localhost sbin]# netstat -natp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 43456/nginx: master
[root@localhost sbin]#
3.2.6 重载服务 killall -s HUP nginx
[root@localhost sbin]# killall -s HUP nginx
//或者-1,可以重载服务
[root@localhost sbin]# killall -1 nginx
[root@localhost sbin]# netstat -natp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 43456/nginx: master
tcp 0 0 192.168.247.181:80 192.168.247.1:54344 ESTABLISHED 43458/nginx: worker
tcp 0 0 192.168.247.181:80 192.168.247.1:54343 FIN_WAIT2 -
3.2.7 Nginx添加为系统服务
[root@localhost sbin]# cd /usr/local/nginx/logs
[root@localhost logs]# ls
access.log error.log nginx.pid
[root@localhost logs]# cat nginx.pid
43569
[root@localhost logs]# netstat -natp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 43569/nginx: master
[root@localhost logs]#
3.2.7.1 将Nginx添加到service中
[root@localhost logs]# cd /etc/init.d/
[root@localhost init.d]# ls
functions netconsole network README
[root@localhost init.d]# vim nginx
[root@localhost init.d]# vim nginx
#!/bin/bash
# chkconfig: - 99 20
# description:Nginx Service Control Script
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start)
$PROG
;;
stop)
kill -s QUIT $(cat $PIDF)
;;
restart)
$0 stop
$0 start
;;
reload)
kill -s HUP $(cat $PIDF)
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0
3.2.7.2如果想要服务被system去管理,就需要把服务添加到/etc/systemd中
[root@localhost init.d]# ls
functions netconsole network nginx READM
[root@localhost init.d]# chmod +x nginx
[root@localhost init.d]# ls
functions netconsole network nginx README
[root@localhost init.d]# chkconfig --add nginx
[root@localhost init.d]# chkconfig --list nginx
注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。
要列出 systemd 服务,请执行 'systemctl list-unit-files'。
查看在具体 target 启用的服务请执行
'systemctl list-dependencies [target]'。
nginx 0:关 1:关 2:关 3:关 4:关 5:关 6:关
[root@localhost init.d]# chkconfig --level 35 nginx on
[root@localhost init.d]#
[root@localhost init.d]# service nginx stop
[root@localhost init.d]# netstat -natp | grep 80
[root@localhost init.d]# service nginx start
[root@localhost init.d]# netstat -natp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 44467/nginx: master
[root@localhost init.d]#
[root@localhost init.d]# cd /usr/local/nginx
[root@localhost nginx]# ls
client_body_temp conf fastcgi_temp html logs proxy_temp sbin scgi_temp uwsgi_temp
calhost html]# ls
50x.html index.html
[root@localhost html]#
[root@localhost html]# cd ..
[root@localhost nginx]# ls
client_body_temp conf fastcgi_temp html logs proxy_temp sbin scgi_temp uwsgi_temp
[root@localhost nginx]# cd conf/
[root@localhost conf]# ls
fastcgi.conf koi-utf nginx.conf uwsgi_params
fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default
fastcgi_params mime.types scgi_params win-utf
fastcgi_params.default mime.types.default scgi_params.default
[root@localhost conf]#
四:配置文件 /usr/local/nginx/conf/nginx.conf
[root@localhost nginx]# cp -p conf/nginx.conf conf/nginx.conf.bak
[root@localhost nginx]# grep -v "#" conf/nginx.conf.bak > conf/nginx.conf
把注释文字去掉,最省事,但是为了严谨,还是少这么做
[root@localhost conf]# vim nginx.conf
2 #user nobody;
//指定某个用户
3 worker_processes 1;
//指定开启进程
5 #error_log logs/error.log;
6 #error_log logs/error.log notice;
7 #error_log logs/error.log info;
//指定errorlog的路径
9 #pid logs/nginx.pid;
//指定pid文件路径
12 events {
13 worker_connections 1024;
//支持1024个连接数
14 }
17 http {
//指定类型,默认类型
18 include mime.types;
19 default_type application/octet-stream;
20
21 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
22 # '$status $body_bytes_sent "$http_referer" '
23 # '"$http_user_agent" "$http_x_forwarded_for"';
24
25 #access_log logs/access.log main;
26
27 sendfile on;
//允许进行下载
28 #tcp_nopush on;
29
30 #keepalive_timeout 0;
31 keepalive_timeout 65;
//保持超时
32
33 #gzip on;
//支持压缩
34
35 server {
36 listen 80;
37 server_name localhost;
//指定监听端口,即网站域名,localhost可以改为www.kgc.com
38
39 #charset koi8-r;
//字符集,中文字符集是utf-8
40
41 #access_log logs/host.access.log main;
//指定访问日志路径,后面的main可以删掉: access_log logs/host.access.log;
42
43 location / {
//此处的根代表站点
44 root html;
//站点目录为html
45 index index.html index.htm;
//站点支持的首页类型
46 }
47
52 error_page 500 502 503 504 /50x.html;
//根据错误的代码,输出指定的网页
53 location = /50x.html {
//页面来源的路径
54 root html;
55 }
五:Nginx的访问状态统计
5.1 启用HTTP_STUB_STATUS状态统计模块
- 配置编译参数时参加–with-http_stub_status_module
- nginx -V 查看已安装的Nginx是否包含HTTP_STUB_STATUS模块
[root@localhost kgc8080]# nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
5.2 修改nginx.conf配置文件
在/下添加功能模块,即在站点目录下添加根的状态
[root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
43 location / {
44 root html;
45 index index.html index.htm;
46 }
//新增以下内容
47 location ~ /status {
48 stub_status on;
//根站点的状态
49 access_log off;
//访问日志功能关闭
50 }
51 #error_page 404 /404.html;
备注:如果在/内把access_log 关闭,那么就把前面开启的参数给注释掉
41 #access_log logs/host.access.log;
然后就可以保存退出,安装dns域名解析
[root@localhost conf]# yum install bind -y
已安装:
bind.x86_64 32:9.11.4-9.P2.el7
作为依赖被安装:
bind-export-libs.x86_64 32:9.11.4-9.P2.el7
作为依赖被升级:
bind-libs.x86_64 32:9.11.4-9.P2.el7 bind-libs-lite.x86_64 32:9.11.4-9.P2.el7
bind-license.noarch 32:9.11.4-9.P2.el7 bind-utils.x86_64 32:9.11.4-9.P2.el7
dhclient.x86_64 12:4.2.5-77.el7.centos dhcp-common.x86_64 12:4.2.5-77.el7.centos
dhcp-libs.x86_64 12:4.2.5-77.el7.centos
完毕!
[root@localhost conf]# vim /etc/named.conf
[root@localhost conf]# vim /etc/named.rfc1912.zones
zone "kgc.com" IN {
type master;
file "kgc.com.zone";
allow-update { none; };
};
[root@localhost conf]# cd /var/named/
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# cp -p named.localhost kgc.com.zone
[root@localhost named]# vim kgc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
www IN A 192.168.247.181
[root@localhost named]# systemctl start named
然后开一台客户机
验证语法
[root@localhost named]# service nginx stop
[root@localhost named]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost named]# service nginx start
5.3 查看当前的状态统计信息
不断刷新,会自动统计
六:基于授权的访问控制
6.1 配置步骤与apache基本一致
6.1.1 生成用户密码认证文件
6.1.2 修改主配置文件对相应目录,添加认证配置项
6.1.3 重启服务,访问测试
6.2 在location / 中去设置
[root@localhost named]# vim /usr/local/nginx/conf/nginx.conf
43 location / {
44 auth_basic "secret";
//增加
45 auth_basic_user_file /usr/local/nginx/passwd.db;
//增加,这个数据库文件需要htpasswd 工具,这个工具是apache自带的工具,需要额外安装apache组件
46 root html;
47 index index.html index.htm;
[root@localhost named]# yum install httpd-tools -y
已安装:
httpd-tools.x86_64 0:2.4.6-90.el7.centos
作为依赖被安装:
apr.x86_64 0:1.4.8-5.el7 apr-util.x86_64 0:1.5.2-6.el7
完毕!
[root@localhost named]# htpasswd -c /usr/local/nginx/passwd.db gsy
New password:
Re-type new password:
Adding password for user gsy
[root@localhost named]# cat /usr/local/nginx/passwd.db
gsy:$apr1$VftgRPyk$RPLF.85dzGUXDCT4YRryJ/
6.3 修改主配置文件对相应目录,添加认证配置项
6.4 在客户机,清空缓存,去查看
[root@localhost named]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost named]# service nginx stop
[root@localhost named]# service nginx start
[root@localhost named]# netstat -natp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 46162/nginx: master
tcp 0 0 192.168.247.180:53 0.0.0.0:* LISTEN 45146/named
输入账号密码
这个是针对location生效的,看写的位置,把两条参数写在哪个location当中,就对哪个location生效,每个location相当于一个目录站点。目录页;
可以在一个目录站点包含多个目录页。多个子目录
可以定点对子目录进行管理控制
七:基于客户端的访问控制
7.1 通过客户端IP地址,决定是否允许对页面访问
7.2 配置规则
- deny IP/IP段:仅拒绝某个IP或IP段的客户端访问
- allow IP/IP段:仅允许某个IP或IP段的客户端访问
- 规则从上往下执行,如果匹配则停止,不再往下匹配
备注:deny和allow都是仅拒绝/允许的关系
7.3 配置步骤
7.3.1 修改主配置文件nginx.conf,添加相应配置项
- 除主机自身ip地址之外允许其他客户端访问
7.3.2 访问测试
八:nginx虚拟主机应用
8.1 nginx支持的虚拟主机有三种
- 基于域名的虚拟主机
- 基于IP的虚拟主机
- 基于端口的虚拟主机
8.1.1 通过“server{}”配置段实现
8.2 基于域名的虚拟主机创建
8.2.1 关闭防火墙
[root@localhost named]# systemctl stop firewalld.service
[root@localhost named]# setenforce 0
8.2.2 配置dns服务
[root@localhost named]# vim /etc/named.rfc1912.zones
//增加
zone "accp.com" IN {
type master;
file "accp.com.zone";
allow-update { none; };
};
[root@localhost named]# cp -p kgc.com.zone accp.com.zone
[root@localhost named]# systemctl restart named
8.2.3 创建域名的网站站点和首页
[root@localhost named]# mkdir -p /var/www/html/accp
[root@localhost named]# mkdir -p /var/www/html/kgc
[root@localhost named]# cd /var/www/html/
[root@localhost html]# ls
accp kgc
[root@localhost html]# echo "this is accp web" > accp/index.html
[root@localhost html]# echo "this is kgc web" > kgc/index.html
[root@localhost html]# ls accp/
index.html
[root@localhost html]# ls kgc/
index.html
[root@localhost html]# cd /usr/local/nginx
[root@localhost nginx]# ls
client_body_temp conf fastcgi_temp html logs passwd.db proxy_temp sbin scgi_temp uwsgi_temp
[root@localhost nginx]#
8.2.4 修改配置文件
服务器当中的配置
此时可以使用不同的域名去访问同一个默认的首页
[root@localhost nginx]# vim /etc/nginx.conf
35 server {
36 listen 80;
37 server_name www.kgc.com;
38
39 charset utf-8;
40
41 # access_log logs/host.access.log;
42
43 location / {
44 root /var/www/html/kgc;
45 index index.html index.htm;
46 }
47 }
把上面的14yy,然后后站点,设置另一个网站
48 server {
49 listen 80;
50 server_name www.accp.com;
51
52 charset utf-8;
53
54 # access_log logs/host.access.log;
55
56 location / {
57 root /var/www/html/accp;
58 index index.html index.htm;
59 }
60 }
8.2.5 验证语法
[root@localhost nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# service nginx restart
8.2.6 测试
8.2.7 改配置文件需要注意三个地方
监听端口、域名、网页站点
8.3 基于端口的虚拟主机创建
8.3.1 创建网站站点和首页
[root@localhost init.d]# cd /var/www/html/
[root@localhost html]# mkdir kgc8080
[root@localhost html]# echo "this is kgc8080 web" > kgc8080/index.html
[root@localhost html]# cd /usr/local/nginx/
[root@localhost nginx]# ls
client_body_temp fastcgi_temp logs sbin uwsgi_temp
conf html proxy_temp scgi_temp
[root@localhost nginx]# cd logs/
[root@localhost logs]# mkdir kgc8080
8.3.2 修改配置文件,验证语法
[root@localhost kgc8080]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 192.168.247.187:80;
server_name www.kgc.com;
location / {
root /var/www/html/kgc;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 192.168.247.187:8080;
server_name www.kgc.com:8080;
//域名后面不写:8080也可以
access_log logs/kgc8080/www.kgc8080.com.access.log;
location / {
root /var/www/html/kgc8080;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
[root@localhost kgc8080]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
8.3.3 重启服务
[root@localhost kgc8080]# service nginx restart
[root@localhost kgc8080]# netstat -natp | grep 80
tcp 0 0 192.168.247.187:8080 0.0.0.0:* LISTEN 7532/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7532/nginx: master
8.3.4 测试验证
最初的单独的80指的是任意网段的80端口启用
[root@localhost kgc8080]# ls
www.kgc8080.com.access.log
8.4 基于IP地址的虚拟主机创建
一个域名对应一个IP
8.4.1 添加网卡
[root@localhost kgc8080]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.247.187 netmask 255.255.255.0 broadcast 192.168.247.255
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.247.186 netmask 255.255.255.0 broadcast 192.168.247.255
8.4.2 修改bind
[root@localhost kgc8080]# vim /var/named/accp.com.zone
[root@localhost kgc8080]# cat /var/named/accp.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
www IN A 192.168.247.186
[root@localhost kgc8080]# systemctl restart named
8.4.3 修改配置文件
[root@localhost kgc8080]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 192.168.247.186:80;
server_name www.accp.com;
location / {
root /var/www/html/accp;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
[root@localhost kgc8080]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
8.4.4 测试