LNMP架构的优化

常见502问题解决:

    nginx-php fpm 502问题

[root@wangchao ~]# cd /usr/local/nginx/conf/vhosts/

[root@wangchao vhosts]# ls

111.conf  default.conf

[root@wangchao vhosts]# mv 111.conf test.conf

[root@wangchao vhosts]# vim test.conf

server

{

    listen 80;

    server_name www.test.com;

    index index.html index.htm index.php;

    root /data/www;

 

    location ~ \.php$ {

        include fastcgi_params;

        fastcgi_pass unix:/tmp/www.sock;

       # fastcgi_pass 127.0.0.1:9000;

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

}

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx  -s reload

客户端访问502错误

spacer.gif

[root@wangchao vhosts]# vim ../nginx.conf                     //查看错误日志路径

[root@wangchao vhosts]# cat /usr/local/nginx/logs/nginx_error.log

//查看错误,无权限读

[root@wangchao vhosts]# ls -l /tmp/www.sock

srw-rw----. 1 nobody nobody 0 Jul 20 10:26 /tmp/www.sock

 

[root@wangchao vhosts]# vim /usr/local/php/etc/php-fpm.conf

listen.owner = nobody

listen.group = nobody

[root@wangchao vhosts]# /usr/local/php/sbin/php-fpm -t

[root@wangchao vhosts]# /etc/init.d/php-fpm restart

 

客户端访问正常:

spacer.gif

 

 

 

 

 

 

 

nginx用户认证:

[root@wangchao vhosts]# cd /usr/local/nginx/conf/vhosts/

[root@wangchao vhosts]# ls

default.conf  test.conf

[root@wangchao vhosts]# vim test.conf

server

{

    listen 80;

    server_name www.test.com;

    index index.html index.htm index.php;

    root /data/www;

 

    location ~ .*admin\.php$ {

        auth_basic "AAA";

        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

        #include fastcgi_params;

        fastcgi_pass unix:/tmp/www.sock;

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

  

    location ~ \.php$ {

        include fastcgi_params;

        fastcgi_pass unix:/tmp/www.sock;

       # fastcgi_pass 127.0.0.1:9000;

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

}

[root@wangchao vhosts]# ls /usr/local/apache2/bin/htpasswd

/usr/local/apache2/bin/htpasswd

 

[root@wangchao vhosts]# htpasswd -c /usr/local/nginx/conf/.htpasswd wang

New password:

[root@wangchao vhosts]# cat  /usr/local/nginx/conf/.htpasswd

wang:nmJvT1FOMyjT6

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /etc/init.d/nginx reload

 

客户端访问www.test.com/admin.php需用户认证

spacer.gif

[root@wangchao vhosts]# curl -x127.0.0.1:80 www.test.com/admin.php

<head><title>401 Authorization Required</title></head>           //访问需认证

 

[root@wangchao vhosts]# curl -x127.0.0.1:80 -uwang:123 www.test.com/admin.php  -I

HTTP/1.1 200 OK

 

 

 

 

 

nginx域名跳转

server

{

    listen 80;

    server_name www.test.com www.aaa.com;

    if ($host != 'www.test.com' ) {

        rewrite  ^/(.*)$  http://www.test.com/$1  permanent;

    }

 

 

    index index.html index.htm index.php;

    root /data/www;

 

[root@wangchao vhosts]# curl -x127.0.0.1:80 www.aaa.com/fff -I

HTTP/1.1 301 Moved Permanently

Server: nginx/1.6.2

Date: Mon, 20 Jul 2015 03:23:22 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: http://www.test.com/fff                 //转到www.test.com/fff

 

 

 

nginx不记录指定文件类型日志

[root@wangchao vhosts]# vim ../nginx.conf               //查看日志格式

log_format wang  '$remote_addr $http_x_forwarded_for [$time_local]'

               日志名     远程IP        代理IP            时间

'$host "$request_uri" $status'   '"$http_referer" "$http_user_agent"';

  域名  访问地址  状态码

 

 

[root@wangchao vhosts]# vim test.conf

    index index.html index.htm index.php;

    root /data/www;

    access_log /tmp/access.log wang;

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

[root@wangchao vhosts]# !curl

curl -x127.0.0.1:80 www.aaa.com/fff -I

[root@wangchao vhosts]# !curl

[root@wangchao vhosts]# ls /tmp/access.log

/tmp/access.log

[root@wangchao vhosts]# cat /tmp/access.log

127.0.0.1 - [20/Jul/2015:12:32:28 +0800]www.aaa.com "/fff" 301"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

127.0.0.1 - [20/Jul/2015:12:32:37 +0800]www.aaa.com "/fff" 301"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

 

客户端访问后:

 

[root@wangchao vhosts]# cat /tmp/access.log         //产生很多日志

 

[root@wangchao vhosts]# vim test.conf

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$

      {

          access_log off;

       }

     location ~ (static|cache)

      {

          access_log off;

      }

[root@wangchao vhosts]# > /tmp/access.log              //清空日志

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

客户端访问网站,日志少了很多

[root@wangchao vhosts]# cat /tmp/access.log

192.168.137.1 - [20/Jul/2015:12:43:53 +0800]www.test.com "/forum.php" 200"-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"

 

 

nginx日志切割

[root@wangchao vhosts]# vim /usr/local/sbin/nginx_logrotate.sh

#!/bin/bash

d=`date -d "-1 day" +%F`

[-d /tmp/nginx_log] || mkdir /tmp/nginx_log

mv /tmp/access.log /tmp/nginx_log/$d.log

/etc/init.d/nginx reload > /dev/null

cd /tmp/nginx_log/

gzip -f $d.log

 

 

[root@wangchao vhosts]# sh -x  /usr/local/sbin/nginx_logrotate.sh

[root@wangchao vhosts]# ls /tmp/access.log

/tmp/access.log

[root@wangchao vhosts]# cd /tmp/nginx_log/

[root@wangchao nginx_log]# ls

2015-07-19.log.gz

 

//查看产生日志,将其写入任务计划,即可每日产生日志

 

 

 

 

 

nginx配置静态文件过期时间

[root@wangchao nginx_log]# cd /usr/local/nginx/conf/vhosts/

[root@wangchao vhosts]# vim test.conf

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$

      {

          access_log off;

          expires 15d;

       }

     location ~ \.(js|css)

      {

          access_log off;

          expires 2d;

      }

     location ~ (static|cache)

      {

 

          access_log off;

      }

 

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

[root@wangchao vhosts]# curl -x127.0.0.1:80 'http://www.test.com/static/p_w_picpath/common/logo_88_31.gif' -I

Cache-Control: max-age=1296000          //过期时间为1296000秒,静态缓存配置成功了

 

 

 

 

 

 

 

nginx配置防盗链

[root@wangchao vhosts]# vim test.conf

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$

      {

          access_log off;

          expires 15d;

          valid_referers none blocked *.test.com *.aaa.com;

          if ($invalid_referer)

          {

              return 403;

           }

       }

 

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

[root@wangchao vhosts]# curl -e "http://www.baidu.com/111" -I -x127.0.0.1:80 'http://www.test.com/static/p_w_picpath/common/logo_88_31.gif'

HTTP/1.1 403 Forbidden

 

//该条命令的意思是,http://www.baidu.com/111网站,使用127.0.0.1:80本网站的图片链接,以为配置了防盗链,只有*.test.com *.aaa.com两个网站可使用图片链接,所以返回403错误

 

[root@wangchao vhosts]# curl -I -x127.0.0.1:80  'http://www.test.com/static/p_w_picpath/common/logo_88_31.gif'

HTTP/1.1 200 OK

//可正常访问

[root@wangchao vhosts]# curl -e "http://www.test.com/111" -I -x127.0.0.1:80 'http://www.test.com/static/p_w_picpath/common/logo_88_31.gif'      

HTTP/1.1 200 OK

// www.test.com/111可正常使用图片

 

 

 

 

 

 

 

nginx访问控制:

 

[root@wangchao vhosts]# vim test.conf

location ~ .*admin\.php$ {

         allow 127.0.0.1;

         deny all;

      #  auth_basic "AAA";

      #  auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

      #  include fastcgi_params;

      #  fastcgi_pass unix:/tmp/www.sock;

      #  fastcgi_index index.php;

      #  fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

 

 

 

 

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

[root@wangchao vhosts]# curl -x127.0.0.1:80 www.test.com/admin.php -I

HTTP/1.1 200 OK

[root@wangchao vhosts]# curl -x192.168.137.22:80 www.test.com/admin.php -I

HTTP/1.1 403 Forbidden

//做了访问控制后,只有127.0.0.1可访问www.test.com/admin.php

[root@wangchao vhosts]# curl -x192.168.137.22:80 www.test.com -I

HTTP/1.1 301 Moved Permanently

//网站还是正常

 

 

 

server

{

         deny 127.0.0.1;

         deny 1.1.1.1;

                    deny 192.168.137.0/24     //拒绝一个网段写法不写在location中,为全局有效

}

 

 

 

nginx禁止指定user_agent

[root@wangchao vhosts]# vim test.conf

if ($http_user_agent ~ 'curl|baidu|11111')

         {

                 return 403;

         }

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

 

[root@wangchao vhosts]# curl -x192.168.137.22:80 www.test.com -I

HTTP/1.1 403 Forbidden

[root@wangchao vhosts]# curl -A "baidu"  -x192.168.137.22:80 www.test.com -I

HTTP/1.1 403 Forbidden

[root@wangchao vhosts]# curl -A "222"  -x192.168.137.22:80 www.test.com -I

HTTP/1.1 301 Moved Permanently

//只要user_agentcurlbaidu11111禁止其访问 -A指定user_agent

 

[root@wangchao vhosts]# tail /tmp/access.log         //查看日志

 

 

 

 

 

nginx代理

[root@wangchao vhosts]# ls

[root@wangchao vhosts]# ping www.baidu.com

PING www.a.shifen.com (115.239.211.112) 56(84) bytes of data.

64 bytes from 115.239.211.112: icmp_seq=1 ttl=57 time=4.73 ms

[root@wangchao vhosts]# vim proxy.conf

server {

            listen 80;

            server_name www.baidu.com;

            location / {

                proxy_pass      http://115.239.211.112/;

              #  proxy_set_header Host   $host;

            }

        }

 

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

[root@wangchao vhosts]# curl -x127.0.0.1:80 www.baidu.com

<!DOCTYPE html><!--STATUS OK--><html><head><meta http-equiv="content-type"

//表示代理成功,通过127.0.0.1访问百度

[root@wangchao vhosts]# yum install bind*

[root@wangchao vhosts]# dig www.baidu.com

www.baidu.com.          380     IN      CNAME   www.a.shifen.com.

www.a.shifen.com.       42      IN      A       115.239.211.112

www.a.shifen.com.       42      IN      A       115.239.210.27

//查看解析的百度解析的两个地址

 

 

如果一个域名,有多个IP,实现负载均衡

[root@wangchao vhosts]# vim proxy.conf

upstream wang

{

            server  115.239.211.112;

            server  115.239.210.27;

}

 

server {

            listen 80;

            server_name www.baidu.com;

 

            location / {

                proxy_pass      http://wang/;

                proxy_set_header Host   $host;

            }

        }

 

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t

[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload

 

 

 

 

 

 

nginx配置文件所有内容

[root@wangchao vhosts]# vim test.conf

server

 

{

    listen 80;

    server_name  www.test.com  www.aaa.com;

 

    if ($host != 'www.test.com' ) {

        rewrite  ^/(.*)$  http://www.test.com/$1  permanent;

    }

 

 

    index index.html index.htm index.php;

    root /data/www;

    access_log /tmp/access.log aming;

 

    #deny 127.0.0.1;

    #deny 1.1.1.1;

    #deny 192.168.137.0/24;

    if ($http_user_agent ~ 'curl|baidu|11111')

    {

          return 403;

    }

 

 

    location  ~ .*admin\.php$ {

    allow 127.0.0.1;

    deny all;

    # auth_basic              "Auth";

    # auth_basic_user_file   /usr/local/nginx/conf/htpasswd;

    # include fastcgi_params;

    # fastcgi_pass unix:/tmp/www.sock;

    # fastcgi_index index.php;

    # fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

 

 

     location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$

      {

          access_log off;

          expires      30d;

          valid_referers none blocked *.test.com *.aaa.com;

          if ($invalid_referer)

          {

              return 403;

           }

       }

     location ~ .*\.(js|css|static|cache)?$

      {

 

          access_log off;

          expires   12h;

      }

 

 

 

    location ~ \.php$ {

        include fastcgi_params;

       fastcgi_pass unix:/tmp/www.sock;

       # fastcgi_pass 127.0.0.1:9000;

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

}