LNMP架构的优化
常见502问题解决:
nginx-php fpm 502问题
[root@wangchao ~]# cd /usr/local/nginx/conf/vhosts/
[root@wangchao vhosts]# ls
111.conf default.conf
[root@wangchao vhosts]# mv 111.conf test.conf
[root@wangchao vhosts]# vim test.conf
# Virtual host for www.test.com: serves /data/www and hands *.php requests to PHP-FPM.
server
{
listen 80;
server_name www.test.com;
index index.html index.htm index.php;
root /data/www;
# NOTE(review): every URI ending in .php is forwarded to PHP-FPM without first
# checking that the script exists under root. Consider adding
# `try_files $uri =404;` in this location and keeping cgi.fix_pathinfo=0 in php.ini.
location ~ \.php$ {
include fastcgi_params;
# The nginx worker user must be able to open this unix socket; when it cannot,
# clients get the 502 that this section goes on to troubleshoot.
# NOTE(review): /tmp is world-writable; a socket inside a root-owned directory is a safer location.
fastcgi_pass unix:/tmp/www.sock;
# fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
}
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
客户端访问502错误
[root@wangchao vhosts]# vim ../nginx.conf //查看错误日志路径
[root@wangchao vhosts]# cat /usr/local/nginx/logs/nginx_error.log
//查看错误,无权限读
[root@wangchao vhosts]# ls -l /tmp/www.sock
srw-rw----. 1 nobody nobody 0 Jul 20 10:26 /tmp/www.sock
[root@wangchao vhosts]# vim /usr/local/php/etc/php-fpm.conf
; Owner and group of the PHP-FPM listening socket (/tmp/www.sock on this page).
; They must allow the nginx worker user to open the socket; otherwise nginx returns 502.
; NOTE(review): presumably the nginx workers run as nobody - confirm against the
; `user` directive in nginx.conf. Prefer matching owner/group here over widening
; listen.mode so that other local users cannot talk to PHP-FPM directly.
listen.owner = nobody
listen.group = nobody
[root@wangchao vhosts]# /usr/local/php/sbin/php-fpm -t
[root@wangchao vhosts]# /etc/init.d/php-fpm restart
客户端访问正常:
nginx用户认证:
[root@wangchao vhosts]# cd /usr/local/nginx/conf/vhosts/
[root@wangchao vhosts]# ls
default.conf test.conf
[root@wangchao vhosts]# vim test.conf
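# www.test.com with HTTP Basic authentication in front of admin.php.
server
{
    listen 80;
    server_name www.test.com;
    index index.html index.htm index.php;
    root /data/www;

    # Keep this block above the generic \.php$ block: nginx uses the first
    # regex location that matches, so admin.php must be caught here.
    location ~ .*admin\.php$ {
        # NOTE(review): this vhost listens on plain HTTP (port 80), so the Basic
        # credentials are sent unencrypted with every request. Serve the admin
        # path over TLS before relying on this.
        auth_basic "AAA";
        # Keep the password file outside the web root and readable only by root
        # and the nginx worker user.
        # NOTE(review): the entry shown on this page is a 13-character hash with
        # no scheme prefix, which looks like traditional crypt(); that format only
        # uses the first 8 characters of the password. Prefer a salted scheme,
        # e.g. `htpasswd -m`.
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        # Answer 404 from nginx when the script does not exist under root
        # instead of handing an arbitrary *.php path to PHP-FPM.
        try_files $uri =404;
        # Restored (was commented out): without it the script receives none of
        # the standard CGI variables defined in fastcgi_params.
        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }

    # All other PHP scripts: no authentication.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}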
[root@wangchao vhosts]# ls /usr/local/apache2/bin/htpasswd
/usr/local/apache2/bin/htpasswd
[root@wangchao vhosts]# htpasswd -c /usr/local/nginx/conf/.htpasswd wang
New password:
[root@wangchao vhosts]# cat /usr/local/nginx/conf/.htpasswd
wang:nmJvT1FOMyjT6
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /etc/init.d/nginx reload
客户端访问www.test.com/admin.php需用户认证
[root@wangchao vhosts]# curl -x127.0.0.1:80 www.test.com/admin.php
<head><title>401 Authorization Required</title></head> //访问需认证
[root@wangchao vhosts]# curl -x127.0.0.1:80 -uwang:123 www.test.com/admin.php -I
HTTP/1.1 200 OK
nginx域名跳转
# Fragment of the vhost: only the top of the server block is shown in this step.
server
{
listen 80;
server_name www.test.com www.aaa.com;
# Any request whose Host is not www.test.com gets a 301 to the same path on
# http://www.test.com. The target host is hard-coded, so the client-supplied
# Host header never ends up in the Location header.
if ($host != 'www.test.com' ) {
rewrite ^/(.*)$ http://www.test.com/$1 permanent;
}
index index.html index.htm index.php;
root /data/www;
[root@wangchao vhosts]# curl -x127.0.0.1:80 www.aaa.com/fff -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Mon, 20 Jul 2015 03:23:22 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.test.com/fff //转到www.test.com/fff下
nginx不记录指定文件类型日志
[root@wangchao vhosts]# vim ../nginx.conf //查看日志格式
log_format wang '$remote_addr $http_x_forwarded_for [$time_local]'
日志名 远程IP 代理IP 时间
'$host "$request_uri" $status' '"$http_referer" "$http_user_agent"';
域名 访问地址 状态码
[root@wangchao vhosts]# vim test.conf
index index.html index.htm index.php;
root /data/www;
# Write this vhost's access log to /tmp/access.log using the `wang` log_format.
# NOTE(review): /tmp is world-writable. Access logs hold client addresses and
# request URIs and are needed for incident review, so a root-owned directory
# such as /usr/local/nginx/logs/ is a better home for them.
access_log /tmp/access.log wang;
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
[root@wangchao vhosts]# !curl
curl -x127.0.0.1:80 www.aaa.com/fff -I
[root@wangchao vhosts]# !curl
[root@wangchao vhosts]# ls /tmp/access.log
/tmp/access.log
[root@wangchao vhosts]# cat /tmp/access.log
127.0.0.1 - [20/Jul/2015:12:32:28 +0800]www.aaa.com "/fff" 301"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
127.0.0.1 - [20/Jul/2015:12:32:37 +0800]www.aaa.com "/fff" 301"-" "curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
客户端访问后:
[root@wangchao vhosts]# cat /tmp/access.log //产生很多日志
[root@wangchao vhosts]# vim test.conf
# Do not log requests for common image, flash and archive file extensions.
# NOTE(review): archive downloads (rar|zip|gz|bz2) also disappear from the log;
# confirm that is acceptable before excluding them.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$
{
access_log off;
}
# NOTE(review): this regex is unanchored, so every URI that contains "static" or
# "cache" anywhere goes unlogged. Requests that are never logged cannot be
# reviewed later; keep the exclusion as narrow as possible.
location ~ (static|cache)
{
access_log off;
}
[root@wangchao vhosts]# > /tmp/access.log //清空日志
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
客户端访问网站,日志少了很多
[root@wangchao vhosts]# cat /tmp/access.log
192.168.137.1 - [20/Jul/2015:12:43:53 +0800]www.test.com "/forum.php" 200"-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
nginx日志切割
[root@wangchao vhosts]# vim /usr/local/sbin/nginx_logrotate.sh
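#!/bin/bash
# Rotate the nginx access log once a day (meant to be run from cron):
# move /tmp/access.log to /tmp/nginx_log/<yesterday>.log, make nginx reopen
# its log file, then compress the rotated file.
#
# NOTE(review): both paths live under world-writable /tmp while this script
# runs as root, so another local user can create /tmp/nginx_log before the
# first run. Keeping the log and the archive in a root-owned directory such as
# /usr/local/nginx/logs/ removes that exposure; the access_log directive of
# the vhost has to be changed to match.

log_file=/tmp/access.log
archive_dir=/tmp/nginx_log
d=$(date -d "-1 day" +%F)

# The test needs spaces inside the brackets: "[-d ...]" is parsed as a command
# named "[-d", which fails, so mkdir ran (and complained) on every execution.
[ -d "$archive_dir" ] || mkdir "$archive_dir" || exit 1

# Stop here if there is nothing to rotate or the move fails.
mv -- "$log_file" "$archive_dir/$d.log" || exit 1

# nginx keeps writing to the moved file until it reopens its logs.
/etc/init.d/nginx reload > /dev/null

gzip -f -- "$archive_dir/$d.log"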
[root@wangchao vhosts]# sh -x /usr/local/sbin/nginx_logrotate.sh
[root@wangchao vhosts]# ls /tmp/access.log
/tmp/access.log
[root@wangchao vhosts]# cd /tmp/nginx_log/
[root@wangchao nginx_log]# ls
2015-07-19.log.gz
//查看产生日志,将其写入任务计划,即可每日产生日志
nginx配置静态文件过期时间
[root@wangchao nginx_log]# cd /usr/local/nginx/conf/vhosts/
[root@wangchao vhosts]# vim test.conf
# Images, flash and archives: not logged, cacheable by clients for 15 days
# (sent as Cache-Control: max-age=1296000).
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$
{
access_log off;
expires 15d;
}
# Scripts and stylesheets: not logged, cacheable for 2 days.
# NOTE(review): the pattern has no trailing `$`, so it matches any URI that
# contains .js or .css, not only URIs ending in it; anchor it if that is not intended.
location ~ \.(js|css)
{
access_log off;
expires 2d;
}
# NOTE(review): unanchored match on "static" or "cache" anywhere in the URI;
# everything it matches is left out of the access log.
location ~ (static|cache)
{
access_log off;
}
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
[root@wangchao vhosts]# curl -x127.0.0.1:80 'http://www.test.com/static/image/common/logo_88_31.gif' -I
Cache-Control: max-age=1296000 //过期时间为1296000秒,静态缓存配置成功了
nginx配置防盗链
[root@wangchao vhosts]# vim test.conf
# Hot-link protection for images, flash and archives.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$
{
# With logging off in this location, the 403 responses below leave no access-log entry either.
access_log off;
expires 15d;
# Accepted: no Referer header at all (none), a Referer stripped by a proxy or
# firewall (blocked), or a Referer host under test.com / aaa.com.
# NOTE(review): the Referer header is supplied by the client, so this only
# discourages embedding from other sites. It is not access control and must
# not be used to protect files that need authorization.
valid_referers none blocked *.test.com *.aaa.com;
if ($invalid_referer)
{
return 403;
}
}
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
[root@wangchao vhosts]# curl -e "http://www.baidu.com/111" -I -x127.0.0.1:80 'http://www.test.com/static/image/common/logo_88_31.gif'
HTTP/1.1 403 Forbidden
//该条命令的意思是:以 http://www.baidu.com/111 作为 Referer,通过 127.0.0.1:80 请求本站的图片链接。因为配置了防盗链,只有 Referer 属于 *.test.com、*.aaa.com(或不带 Referer)的请求才可使用图片链接,所以返回403错误
[root@wangchao vhosts]# curl -I -x127.0.0.1:80 'http://www.test.com/static/image/common/logo_88_31.gif'
HTTP/1.1 200 OK
//可正常访问
[root@wangchao vhosts]# curl -e "http://www.test.com/111" -I -x127.0.0.1:80 'http://www.test.com/static/image/common/logo_88_31.gif'
HTTP/1.1 200 OK
// www.test.com/111可正常使用图片
nginx访问控制:
[root@wangchao vhosts]# vim test.conf
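# Restrict admin.php to requests that connect from the loopback address.
location ~ .*admin\.php$ {
    # allow/deny rules are checked in order against the connecting client
    # address; the first rule that matches decides.
    # NOTE(review): if this server is ever placed behind a reverse proxy or load
    # balancer, the connecting address is the proxy's, not the end user's -
    # confirm the deployment before relying on this rule.
    allow 127.0.0.1;
    deny all;
    # auth_basic "AAA";
    # auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
    # The FastCGI directives must stay enabled. When this location is listed
    # before the generic \.php$ location it handles the request itself, and
    # with no fastcgi_pass nginx would return admin.php as a plain file (its
    # source code) instead of executing it.
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_pass unix:/tmp/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}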
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
[root@wangchao vhosts]# curl -x127.0.0.1:80 www.test.com/admin.php -I
HTTP/1.1 200 OK
[root@wangchao vhosts]# curl -x192.168.137.22:80 www.test.com/admin.php -I
HTTP/1.1 403 Forbidden
//做了访问控制后,只有127.0.0.1可访问www.test.com/admin.php
[root@wangchao vhosts]# curl -x192.168.137.22:80 www.test.com -I
HTTP/1.1 301 Moved Permanently
//网站还是正常
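server
{
    # Written at server level (outside any location), these deny rules apply
    # to the whole virtual host.
    deny 127.0.0.1;
    deny 1.1.1.1;
    # A whole network is denied with CIDR notation. The directive needs its
    # terminating semicolon, and nginx comments start with '#', not '//'.
    deny 192.168.137.0/24;
}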
nginx禁止指定user_agent
[root@wangchao vhosts]# vim test.conf
# Return 403 when the User-Agent header contains curl, baidu or 11111.
# NOTE(review): `~` matches case-sensitively (use `~*` if case-insensitive
# matching is intended), and the header is chosen by the client. This filters
# well-behaved crawlers and default tool settings only; it is not a security
# control and should not replace authentication or rate limiting.
if ($http_user_agent ~ 'curl|baidu|11111')
{
return 403;
}
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
[root@wangchao vhosts]# curl -x192.168.137.22:80 www.test.com -I
HTTP/1.1 403 Forbidden
[root@wangchao vhosts]# curl -A "baidu" -x192.168.137.22:80 www.test.com -I
HTTP/1.1 403 Forbidden
[root@wangchao vhosts]# curl -A "222" -x192.168.137.22:80 www.test.com -I
HTTP/1.1 301 Moved Permanently
//只要user_agent含curl、baidu、11111禁止其访问 -A指定user_agent
[root@wangchao vhosts]# tail /tmp/access.log //查看日志
nginx代理
[root@wangchao vhosts]# ls
[root@wangchao vhosts]# ping www.baidu.com
PING www.a.shifen.com (115.239.211.112) 56(84) bytes of data.
64 bytes from 115.239.211.112: icmp_seq=1 ttl=57 time=4.73 ms
[root@wangchao vhosts]# vim proxy.conf
# Forward requests for www.baidu.com that reach this nginx to one fixed upstream address.
server {
listen 80;
server_name www.baidu.com;
location / {
# The upstream address was copied from a one-off ping and is hard-coded, so it
# goes stale when the DNS record changes.
# NOTE(review): the connection to the upstream is plain HTTP; nothing
# authenticates the upstream or protects the traffic in transit.
proxy_pass http://115.239.211.112/;
# With this line commented out the client's Host header is not forwarded to
# the upstream - TODO confirm which Host value the upstream expects.
# proxy_set_header Host $host;
}
}
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
[root@wangchao vhosts]# curl -x127.0.0.1:80 www.baidu.com
<!DOCTYPE html><!--STATUS OK--><html><head><meta http-equiv="content-type"
//表示代理成功,通过127.0.0.1访问百度
[root@wangchao vhosts]# yum install bind*
[root@wangchao vhosts]# dig www.baidu.com
www.baidu.com. 380 IN CNAME www.a.shifen.com.
www.a.shifen.com. 42 IN A 115.239.211.112
www.a.shifen.com. 42 IN A 115.239.210.27
//查看百度域名解析出的两个地址
如果一个域名,有多个IP,实现负载均衡
[root@wangchao vhosts]# vim proxy.conf
# Pool made of the two addresses dig returned for the domain. No balancing
# method is specified, so nginx's default method is used.
upstream wang
{
server 115.239.211.112;
server 115.239.210.27;
}
# Proxy requests for www.baidu.com to the pool above.
server {
listen 80;
server_name www.baidu.com;
location / {
proxy_pass http://wang/;
# Forward the requested host name so the upstream can select the right site.
# NOTE(review): the upstream hop is plain HTTP and the addresses are fixed
# copies of DNS answers; re-check them when the records change.
proxy_set_header Host $host;
}
}
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -t
[root@wangchao vhosts]# /usr/local/nginx/sbin/nginx -s reload
nginx配置文件所有内容
[root@wangchao vhosts]# vim test.conf
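# Complete www.test.com vhost combining the steps on this page: canonical-host
# redirect, access log, User-Agent filter, restricted admin.php, static-file
# caching with hot-link protection, and PHP-FPM hand-off.
server
{
    listen 80;
    server_name www.test.com www.aaa.com;

    # Redirect every other host name to www.test.com. The target host is
    # hard-coded, so the client-supplied Host header never reaches Location.
    if ($host != 'www.test.com' ) {
        rewrite ^/(.*)$ http://www.test.com/$1 permanent;
    }

    index index.html index.htm index.php;
    root /data/www;

    # The format name must exist as a log_format in nginx.conf; the one defined
    # on this page is `wang` (an undefined name makes `nginx -t` fail).
    # NOTE(review): /tmp is world-writable; a root-owned directory such as
    # /usr/local/nginx/logs/ is a better place for access logs.
    access_log /tmp/access.log wang;

    #deny 127.0.0.1;
    #deny 1.1.1.1;
    #deny 192.168.137.0/24;

    # User-Agent filter. The header is chosen by the client and `~` is
    # case-sensitive, so treat this as crawler hygiene, not as a security control.
    if ($http_user_agent ~ 'curl|baidu|11111')
    {
        return 403;
    }

    # admin.php: loopback only. Keep this block above the generic \.php$ block,
    # because nginx uses the first regex location that matches.
    location ~ .*admin\.php$ {
        allow 127.0.0.1;
        deny all;
        # auth_basic "Auth";
        # auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        # The FastCGI directives must stay enabled: without fastcgi_pass nginx
        # would return admin.php as a plain file (its source code) to allowed
        # clients instead of executing it.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }

    # Images, flash and archives: unlogged, cached for 30 days, hot-link protected.
    # NOTE(review): Referer is supplied by the client, so this discourages
    # embedding from other sites but is not access control. With logging off,
    # the 403 responses and archive downloads leave no access-log entry.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$
    {
        access_log off;
        expires 30d;
        valid_referers none blocked *.test.com *.aaa.com;
        if ($invalid_referer)
        {
            return 403;
        }
    }

    # NOTE(review): here "static" and "cache" are matched as file extensions,
    # not as directory names as in the earlier step, and the trailing `?` makes
    # the whole group optional, so a URI that simply ends in "." matches too.
    # Confirm which behaviour is intended.
    location ~ .*\.(js|css|static|cache)?$
    {
        access_log off;
        expires 12h;
    }

    # All remaining PHP scripts go to PHP-FPM over the unix socket.
    location ~ \.php$ {
        # Answer 404 from nginx when the script does not exist under root
        # instead of handing an arbitrary *.php path to PHP-FPM.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}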