1. nginx anti-hotlinking (referer check)
Edit the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf
Note: the anti-hotlinking configuration has to be combined with the "no access log" and "expires" settings, because all of them live in location blocks;
[root@localhost_001 vhost]# vim test.com.conf
[root@localhost_001 vhost]# cat !$
cat test.com.conf
server
{
listen 80;
server_name www.test.com bbs.test.com test1.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'www.test.com' ) {
rewrite ^/(.*)$ http://www.test.com/$1 permanent;
}
access_log /tmp/test.com.log combined_realip;
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # matches files ending in gif|jpg|jpeg|png|bmp|swf
#{
# expires 7d; # expire after 7 days
# access_log off; # do not log requests matching ".*.(gif|jpg|jpeg|png|bmp|swf)"
#}
# added configuration for anti-hotlinking -----------------------------------
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ; # define which referers are on the whitelist
if ($invalid_referer) { # not on the whitelist: return status code 403
return 403;
}
access_log off;
}
# anti-hotlinking configuration ends here --------------------------------------------
location ~ .*\.(js|css)$
{
expires 12h; # expire after 12 hours
access_log off; # do not log requests matching ".*.(js|css)"
# added configuration for anti-hotlinking -----------------------------------
valid_referers none blocked server_names *.test.com ; # define a whitelist; the referer is a set of domain names
if ($invalid_referer) { # not on the whitelist
return 403; # return 403
}
# anti-hotlinking configuration ends here --------------------------------------------
}
}
Note: the added configuration is really only three lines: first define a whitelist of referer domain names; if the domain a request was referred from is not on that whitelist, nginx answers with a 403 error;
(2): Check the configuration file for errors and reload it;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(3): Test with curl, using -e to set the referer;
[root@localhost_001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Tue, 16 Oct 2018 10:44:17 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost_001 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: image/jpeg
Content-Length: 780831
Last-Modified: Tue, 14 Jul 2009 05:32:31 GMT
Connection: keep-alive
ETag: "4a5c186f-bea1f"
Note: the request curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg returns 403 Forbidden;
while curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 www.test.com/kaola.jpg returns status 200 OK, which shows the anti-hotlinking configuration works;
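To make the valid_referers semantics above concrete, here is an added Python model (my example, not code from the post) of how nginx derives $invalid_referer from the Referer header: none, blocked, server_names and the *.test.com wildcard, with the server names taken from the vhost above. It omits nginx's minimum-length check on the header.

```python
import re

# Added example (not from the original post): a model of how nginx's
# valid_referers / $invalid_referer decide whether a request is hotlinked.
# "none" accepts a missing Referer, "blocked" accepts a Referer that a
# proxy/firewall stripped of its scheme, "server_names" accepts the vhost's
# own names, and "*.test.com" accepts subdomains of test.com (not the bare
# domain, the same rule server_name wildcards follow).

SERVER_NAMES = ["www.test.com", "bbs.test.com", "test1.com"]        # from the vhost
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]  # from the vhost


def referer_host(referer):
    """Lowercased host of a Referer URL, or None when it carries no http(s) scheme."""
    m = re.match(r"^(?:https?://)([^/:]+)", referer, re.IGNORECASE)
    return m.group(1).lower() if m else None


def invalid_referer(referer, server_names=SERVER_NAMES, rules=VALID_REFERERS):
    """True when nginx would set $invalid_referer to "1" for this request."""
    if referer is None or referer == "":
        return "none" not in rules
    host = referer_host(referer)
    if host is None:                       # Referer present but without http:// or https://
        return "blocked" not in rules
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in [n.lower() for n in server_names]:
                return False
        elif rule.startswith("*."):
            suffix = rule[1:].lower()      # "*.test.com" -> ".test.com"
            if host.endswith(suffix) and host != suffix[1:]:
                return False
        elif host == rule.lower():
            return False
    return True


def decide(referer):
    """Status the anti-hotlinking location would answer with: 403 or 200."""
    return 403 if invalid_referer(referer) else 200


if __name__ == "__main__":
    # The two curl checks from the post plus the edge cases the directive covers.
    for ref in ["http://www.baidu.com/1.txt", "http://www.test.com/1.txt", None, "www.test.com/x"]:
        print(repr(ref), "->", decide(ref))
```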
2. nginx access control
Requirement: only a few IP addresses may access the /admin/ directory;
(1): Edit the virtual host configuration file: /usr/local/nginx/conf/vhost/test.com.conf
The access control block to add:
location /admin/
{
allow 192.168.180.134; # whitelist
allow 127.0.0.1; # whitelist
deny all; # deny everyone else
}
After adding it, the configuration file looks like this:
[root@localhost_001 vhost]# cat test.com.conf
server
{
listen 80;
server_name www.test.com bbs.test.com test1.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'www.test.com' ) {
rewrite ^/(.*)$ http://www.test.com/$1 permanent;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # matches files ending in gif|jpg|jpeg|png|bmp|swf
{
expires 7d; # expire after 7 days
access_log off; # do not log requests matching ".*.(gif|jpg|jpeg|png|bmp|swf)"
valid_referers none blocked server_names *.test.com ; # define a whitelist; the referer is a set of domain names
if ($invalid_referer) { # not on the whitelist
return 403; # return 403
}
}
location ~ .*\.(js|css)$
{
expires 12h; # expire after 12 hours
access_log off; # do not log requests matching ".*.(js|css)"
valid_referers none blocked server_names *.test.com ; # define a whitelist; the referer is a set of domain names
if ($invalid_referer) { # not on the whitelist
return 403; # return 403
}
}
# added access control configuration --------------------------------------------
location /admin/
{
allow 192.168.149.130; # whitelist
allow 127.0.0.1; # whitelist
deny all; # deny everyone else
}
# access control configuration ends --------------------------------------------
access_log /tmp/test.com.log combined_realip;
}
(2): Check the configuration file syntax for errors and reload the configuration;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(3): Create the admin directory and a test file;
[root@localhost_001 vhost]# mkdir /data/wwwroot/test.com/admin
[root@localhost_001 vhost]# echo "test.test" > /data/wwwroot/test.com/admin/index.html
(4): Test with the curl command, adding a referer on the second request;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: text/html
[root@localhost_001 vhost]# curl -e "http://www.test.com/1.txt" -x192.168.149.129:80 www.test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: text/html
Content-Length: 10
(5): Check the log (/tmp/test.com.log): the visitor IP 192.168.149.129 appears with status 200 OK because it is allowed, being on the whitelist;
[root@localhost_001 vhost]# tail /tmp/test.com.log
127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"
Note: now access it from a browser; the browser's IP is 192.168.149.135;
Checking the log again shows the visitor IP 192.168.149.135 got 403 Forbidden;
[root@localhost_001 tmp]# tail test.com.log
127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.149.135 - [16/Oct/2018:19:08:59 +0800] www.test.com "/admin/index.html" 403 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
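As an added check that is not part of the post: the allow/deny rules from the /admin/ block above evaluated the way nginx's access module does (first match wins), plus a parser for the log lines shown so the recorded status can be compared against what the rules say; the log layout is inferred from the lines above, since combined_realip itself is defined in nginx.conf, which the post does not show.

```python
import ipaddress
import re

# Added example (not from the original post): evaluate nginx allow/deny rules
# the way ngx_http_access_module does (first matching rule wins) and compare
# the decision with what the vhost's access log actually recorded.
# The log layout is inferred from the post's log lines; "combined_realip" is
# defined in nginx.conf, which the post does not show.

ADMIN_RULES = [("allow", "192.168.149.130"), ("allow", "127.0.0.1"), ("deny", "all")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] (?P<host>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the three requests the post records for /admin/index.html.
SAMPLE_LOG = """\
127.0.0.1 - [16/Oct/2018:19:02:39 +0800] www.test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.149.129 - [16/Oct/2018:19:04:09 +0800] www.test.com "/admin/index.html" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.149.135 - [16/Oct/2018:19:08:59 +0800] www.test.com "/admin/index.html" 403 "-" "Mozilla/5.0"
"""


def acl_decision(client_ip, rules):
    """Return 'allow' or 'deny': nginx stops at the first rule matching the client."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"  # no rule matched: nginx does not restrict the request


def parse_log(text):
    """Parse combined_realip-style lines into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def audit(text, rules, prefix="/admin/"):
    """For each request under prefix, report (ip, acl says, log says, agree?):
    an allowed client must not see 403 and a denied one must see only 403."""
    findings = []
    for e in parse_log(text):
        if not e["uri"].startswith(prefix):
            continue
        want = acl_decision(e["ip"], rules)
        got = "deny" if e["status"] == "403" else "allow"
        findings.append((e["ip"], want, got, want == got))
    return findings
```

With the rules exactly as printed above, the 192.168.149.129 line is flagged: that address is not in the allow list of the block shown, although the post treats it as whitelisted, so either the list or the log is out of date. Running audit() over a real log is the quickest way to confirm an ACL does what the configuration claims.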
3. Restrictions based on regex matching
A website was compromised and its database stolen because the image-upload directory did not block PHP parsing, which ended in disaster;
Note: every directory that accepts uploads must have PHP parsing disabled;
(1): Open the vhost configuration file: /usr/local/nginx/conf/vhost/test.com.conf
Note: add the block above the line access_log /tmp/test.com.log combined_realip;
location ~ .*(upload|image)/.*\.php$ # matches anything under an upload or image directory that ends in .php
{
deny all; # deny everything
}
(2): Check the configuration file for errors and reload it;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(3): Create the upload directory and a PHP file in it for testing;
[root@localhost_001 vhost]# mkdir /data/wwwroot/test.com/upload
[root@localhost_001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@localhost_001 vhost]# echo "11111" > /data/wwwroot/test.com/upload/1.txt
(4): Test with curl;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/upload/1.txt
11111
Note: the PHP file under upload is blocked, while 1.txt can still be accessed;
The access log confirms it: the request for /upload/1.php was denied, while 1.txt was served normally;
[root@localhost_001 vhost]# tail /tmp/test.com.log
127.0.0.1 - [17/Oct/2018:10:42:15 +0800] www.test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [17/Oct/2018:10:42:19 +0800] www.test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
4. user_agent restrictions
If your site is under a CC attack, or you want to block certain spiders, or you want a hidden site that nobody can find through search, you can block the Baidu, Google, Youdao and other spiders; if no spider crawls your site and you tell nobody the URL, nobody can find your site, because it is hidden;
(1): Open the vhost configuration file: /usr/local/nginx/conf/vhost/test.com.conf
Note: add the block above the line access_log /tmp/test.com.log combined_realip;
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Note: return 403 and deny all have the same effect;
(2): Check the configuration file for errors and reload it;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(3): Test by simulating the user agent with curl -A "Tomato"; the status code will be 403;
[root@localhost_001 test.com]# curl -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:53:37 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Wed, 17 Oct 2018 02:41:33 GMT
Connection: keep-alive
ETag: "5bc6a15d-6"
Accept-Ranges: bytes
[root@localhost_001 test.com]# curl -A "Tomato" -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:53:51 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Note: the restriction is a case-sensitive match; if the user_agent is changed to lowercase, the status code is 200 again;
To ignore case, add * after the match operator in the vhost configuration file;
[root@localhost_001 vhost]# vim test.com.conf
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Check the configuration file and reload the service;
[root@localhost_001 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 test.com]# /usr/local/nginx/sbin/nginx -s reload
Test again; now it shows 403 Forbidden;
[root@localhost_001 vhost]# !curl
curl -A "tomato" -x127.0.0.1:80 www.test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 02:59:56 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
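Added example (mine, not from the post) covering the two earlier blocks, the upload/image deny location and the user_agent if-block: it models nginx picking the first matching regex location, which is why the deny location must appear before location ~ \.php$, and the difference between ~ and ~* for the User-Agent test. Prefix locations and ^~ are not modelled.

```python
import re

# Added example (not from the original post): a model of two nginx decisions the
# post relies on. (1) Among regex locations ("location ~"), nginx uses the FIRST
# one in the file that matches the URI, so the deny block for upload/image
# directories must come before "location ~ \.php$" or PHP in those directories
# would still be handed to FastCGI. (2) "if ($http_user_agent ~ ...)" is
# case-sensitive, "~*" is case-insensitive. Prefix locations are not modelled.

# Regex locations in the order the post ends up with (deny first, php second).
LOCATIONS_OK = [
    (r".*(upload|image)/.*\.php$", "deny"),
    (r"\.php$", "fastcgi"),
]
# The same two blocks in the wrong order.
LOCATIONS_BAD = list(reversed(LOCATIONS_OK))

UA_BLOCKLIST = r"Spider/3.0|YoudaoBot|Tomato"   # from the post's if-block


def pick_location(uri, locations):
    """Handler of the first regex location matching uri ('static' if none matches)."""
    for pattern, handler in locations:
        if re.search(pattern, uri):
            return handler
    return "static"


def ua_blocked(user_agent, pattern=UA_BLOCKLIST, ignore_case=False):
    """True when the if-block would return 403 for this User-Agent.
    ignore_case=False models "~", ignore_case=True models "~*"."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, user_agent, flags) is not None


def check_upload_coverage(locations, upload_dirs):
    """Defender's check: every directory that accepts uploads must hit the deny
    location. Returns the directories whose PHP files would NOT be denied."""
    return [d for d in upload_dirs if pick_location(f"/{d}/x.php", locations) != "deny"]
```

check_upload_coverage() is worth running against the real list of writable directories: the pattern above matches the names upload and image literally, so a directory called uploads or images is not covered.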
5. nginx configuration for parsing PHP
Note: test.com.conf cannot parse PHP yet, so add the following to the configuration file;
(1): Open the vhost configuration file: /usr/local/nginx/conf/vhost/test.com.conf
Note: add the block above the line access_log /tmp/test.com.log combined_realip;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock; #### if this path is wrong, nginx answers 502;
# the line above specifies the address fastcgi listens on; it can be a socket or 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; # path of the requested script file
}
(2): Create a PHP file to be parsed in the document root /data/wwwroot/test.com/;
[root@localhost_001 vhost]# vim /data/wwwroot/test.com/2.php
[root@localhost_001 vhost]# cat /data/wwwroot/test.com/2.php
<?php
phpinfo();
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<?php
phpinfo();
After the test request the source code comes back: PHP is not being parsed yet, because the configuration has not been reloaded;
(3): Now check the syntax and reload the service;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(4): Request 2.php in the document root again; it is now parsed correctly;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 03:09:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Note: if fastcgi_pass unix:/tmp/php-fcgi.sock; in the vhost's PHP configuration is wrong, nginx answers with status 502, meaning the socket was not found;
Change one letter in that path and request 2.php again: the status code is 502;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 03:18:54 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive
Check the nginx error log: it says there is no such file or directory;
[root@localhost_001 vhost]# cat /usr/local/nginx/logs/nginx_error.log
2018/10/17 11:18:54 [crit] 1522#0: *26 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "HEAD HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "www.test.com"
Note: when nginx reports 502, check whether the socket or IP address you configured is correct, then look at the error log and check whether the file it names exists;
Note: whatever listen method is defined in the php-fpm configuration file /usr/local/php-fpm/etc/php-fpm.conf is what must be written in the nginx configuration;
[root@localhost_001 vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock # must match the path in the nginx vhost;
listen.mode = 666
user = php-fpm
group = php-fpm
[root@localhost_001 vhost]# vim test.com.conf
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-cgi.sock; # must match the php-fpm configuration file; if this path is wrong, nginx answers 502;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
Note: these two places must be identical, otherwise a 502 error is reported;
Another 502 case: suppose the socket is not used and php-fpm listens on IP + port instead;
(1): Edit the php-fpm configuration file /usr/local/php-fpm/etc/php-fpm.conf
Comment out listen = /tmp/php-fcgi.sock and add listen = 127.0.0.1:9000
[root@localhost_001 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost_001 vhost]# cat !$
cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
(2): Check the php-fpm configuration and restart php-fpm (reload is also supported);
[root@localhost_001 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[17-Oct-2018 11:52:52] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost_001 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
(3): Check the listening ports: php-fpm now listens on IP + port;
[root@localhost_001 vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 831/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 780/sshd
tcp 0 0 0.0.0.0:56888 0.0.0.0:* LISTEN 780/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 962/master
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1599/php-fpm: maste
tcp6 0 0 :::22 :::* LISTEN 780/sshd
tcp6 0 0 :::56888 :::* LISTEN 780/sshd
tcp6 0 0 ::1:25 :::* LISTEN 962/master
tcp6 0 0 :::3306 :::* LISTEN 1028/mysqld
(4): Now request 2.php again; a 502 error is reported;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
(5): Check the error log; it still reports an error;
[root@localhost_001 vhost]# tail /usr/local/nginx/logs/nginx_error.log
2018/10/17 11:54:55 [crit] 1541#0: *28 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "GET HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "www.test.com"
(6): Now the vhost configuration file /usr/local/nginx/conf/vhost/test.com.conf must be changed: comment out the unix socket line and use 127.0.0.1:9000;
[root@localhost_001 vhost]# vim test.com.conf
In the PHP block, comment out the unix line and add the IP and port:
#fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000;
(7): Check the syntax and reload the configuration file;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(8): Request 2.php again; it is served normally now;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 04:00:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Note: if a 502 appears, check whether the fastcgi_pass in the nginx vhost configuration file matches the address configured in php-fpm;
Note: the path in fastcgi_param SCRIPT_FILENAME, /data/wwwroot/test.com$fastcgi_script_name;, must correspond to root /data/wwwroot/test.com; at the top of the configuration file;
Other 502 cases: php 5.4 and later versions have a particular behaviour;
The php-fpm configuration file (/usr/local/php-fpm/etc/php-fpm.conf) has a setting listen.mode = 666, which guarantees that every user has read and write permission on the socket file (/tmp/php-fcgi.sock);
nginx runs as the user nobody, and for nginx to work with php, nobody must be able to read and write the socket file. If this setting is commented out, the default permission is 440, which gives ordinary users no access, so nobody cannot read the file and a 502 error is shown; as follows:
(1): First comment out listen.mode = 666 in the php-fpm configuration file (/usr/local/php-fpm/etc/php-fpm.conf) (the socket at /tmp/php-fcgi.sock is in use);
[root@localhost_001 vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
(2): Check the configuration and restart php-fpm;
[root@localhost_001 vhost]# /usr/local/php-fpm/sbin/php-fpm -t
[17-Oct-2018 12:22:32] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost_001 vhost]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
(3): Look at php-fcgi.sock under /tmp: its owner and group are root and its permission is 660;
[root@localhost_001 vhost]# ls -la /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 10月 17 12:29 /tmp/php-fcgi.sock
(4): Requesting 2.php now gives status code 502;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
(5): Check the nginx error log; it reports Permission denied;
[root@localhost_001 vhost]# tail /usr/local/nginx/logs/nginx_error.log
2018/10/17 12:30:46 [crit] 1753#0: *40 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: www.test.com, request: "GET HTTP://www.test.com/2.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "www.test.com"
Note: the default permission of the sock file is 660: root can read it and members of root's group can read it, but ordinary users cannot;
Note: since nginx works with php through this socket, it is nginx's user that must read /tmp/php-fcgi.sock; let us see which user nginx runs as;
[root@localhost_001 vhost]# ps aux |grep nginx
root 831 0.0 0.0 25636 1824 ? Ss 10:23 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody 1752 0.0 0.1 27328 3588 ? S 12:28 0:00 nginx: worker process
nobody 1753 0.0 0.2 27328 3840 ? S 12:28 0:00 nginx: worker process
root 1799 0.0 0.0 112720 972 pts/0 R+ 12:33 0:00 grep --color=auto nginx
Note: as shown above, the nginx workers run as the user nobody, and nobody, as an ordinary user, has no permission on /tmp/php-fcgi.sock;
(6): Temporarily change the ownership of /tmp/php-fcgi.sock so that nobody has read and write permission;
[root@localhost_001 vhost]# chown nobody /tmp/php-fcgi.sock
[root@localhost_001 vhost]# ls -al /tmp/php-fcgi.sock
srw-rw---- 1 nobody root 0 10月 17 12:29 /tmp/php-fcgi.sock
(7): Test again; the status code is now 200 OK;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 www.test.com/2.php -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Wed, 17 Oct 2018 04:37:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Note: nobody now has read and write permission, so /tmp/php-fcgi.sock can be accessed;
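An added triage script (mine, not from the post) for the 502 cases above: it compares fastcgi_pass in the vhost with listen in php-fpm.conf, checks whether the worker user could open the socket given listen.mode, and classifies the connect() lines from the nginx error log. The two config texts are constructed to mirror the post's files.

```python
import re

# Added example (not from the original post): triage helpers for the 502 causes the
# post walks through: fastcgi_pass not matching php-fpm's "listen" (socket name typo,
# or php-fpm moved to 127.0.0.1:9000), and a socket the nginx worker (nobody) cannot
# open because listen.mode = 666 was commented out. Config texts are constructed.

VHOST_CONF = """\
location ~ \\.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-cgi.sock;
}
"""
PHP_FPM_CONF = """\
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
#listen.mode = 666
user = php-fpm
"""

def nginx_upstream(vhost_text):
    """Address nginx connects to, e.g. 'unix:/tmp/php-fcgi.sock' or '127.0.0.1:9000'."""
    m = re.search(r"^\s*fastcgi_pass\s+([^;\s]+);", vhost_text, re.MULTILINE)
    return m.group(1) if m else None

def fpm_listen(fpm_text):
    """php-fpm's active listen address in the same form; '#' comment lines never match."""
    m = re.search(r"^\s*listen\s*=\s*(\S+)", fpm_text, re.MULTILINE)
    if not m:
        return None
    return m.group(1) if ":" in m.group(1) else "unix:" + m.group(1)

def fpm_listen_mode(fpm_text):
    """Socket mode php-fpm will apply; 0660 is php-fpm's default when listen.mode is unset."""
    m = re.search(r"^\s*listen\.mode\s*=\s*(\d+)", fpm_text, re.MULTILINE)
    return int(m.group(1), 8) if m else 0o660

def classify_error(line):
    """(target, errno, hint) for the connect() failure in an nginx error-log line."""
    m = re.search(r"connect\(\) to (\S+) failed \((\d+): [^)]*\)", line)
    if not m:
        return None
    hints = {2: "no such socket: fastcgi_pass and php-fpm listen disagree",
             13: "permission denied: worker user cannot open the socket (check listen.mode)",
             111: "connection refused: nothing listening on that address"}
    return m.group(1), int(m.group(2)), hints.get(int(m.group(2)), "unknown")

def diagnose(vhost_text, fpm_text):
    """List the mismatches between the two files; an empty list means consistent."""
    problems = []
    up, li = nginx_upstream(vhost_text), fpm_listen(fpm_text)
    if up != li:
        problems.append(f"fastcgi_pass {up} != php-fpm listen {li}")
    # php-fpm creates the socket root:root (post's ls output) and the worker runs as
    # nobody, so only the "other" read+write bits decide whether it can be opened.
    if li and li.startswith("unix:") and fpm_listen_mode(fpm_text) & 0o006 != 0o006:
        problems.append(f"worker user cannot open {li} (mode {fpm_listen_mode(fpm_text):o})")
    return problems
```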
6. nginx proxy
Users need to reach a web server but cannot, or can only reach it slowly (private network or overseas access), so a proxy that can reach the web server is needed and the users go through that proxy;
(1): First create a file in the /usr/local/nginx/conf/vhost/ directory;
[root@localhost_001 vhost]# vim proxy.conf
server
{
listen 80;
server_name ask.apelearn.com; # the domain name of the forum site being proxied
location /
{
proxy_pass http://121.201.9.155/; # the IP address of the forum site
proxy_set_header Host $host; # the Host header sent upstream: $host = server_name ask.apelearn.com
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Note: this configuration has no root, because it is a proxy server and does not need to access any file on the local server;
Once configured, this machine can reach ask.apelearn.com;
(2): Check the configuration file for errors and reload it;
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost_001 vhost]# /usr/local/nginx/sbin/nginx -s reload
(3): To check whether the proxy works, send the request to the local IP address;
[root@localhost_001 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
User-agent: *
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Note: robots.txt is a list of what spiders may index; most sites have one;
Note: without this proxy configuration, the remote site could not be reached through the local machine;
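An added example (not from the post) of what the three proxy_set_header lines above send upstream and how the upstream should read them: $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent, so only entries added by proxies you trust can be believed. The trusted network is a constructed value.

```python
import ipaddress

# Added example (not from the original post): the headers the proxy.conf block
# emits upstream, and how the upstream should recover the client address.
# $proxy_add_x_forwarded_for APPENDS $remote_addr to the client's own
# X-Forwarded-For, so the leftmost value is client-controlled; only the entries
# appended by trusted proxies are reliable, hence the right-to-left walk below.

TRUSTED_PROXIES = ["192.168.149.0/24"]   # constructed: the network the proxy host sits in


def proxy_headers(remote_addr, client_headers, server_name="ask.apelearn.com"):
    """Headers nginx sends upstream for the proxy.conf block in the post."""
    xff = client_headers.get("X-Forwarded-For")
    return {
        "Host": server_name,                # proxy_set_header Host $host;
        "X-Real-IP": remote_addr,           # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        "X-Forwarded-For": f"{xff}, {remote_addr}" if xff else remote_addr,
    }


def client_ip(xff, peer_addr, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, skipping trusted proxies, and return
    the first untrusted address; peer_addr is the upstream's TCP peer."""
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    if not is_trusted(peer_addr):           # direct connection: header is not ours
        return peer_addr
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return peer_addr
```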
Source: oschina
Link: https://my.oschina.net/u/3711371/blog/2248012