这部分配置需要和不记录日志和过期时间结合在一起，因为都用到了“location”

location~*^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)${expires7d;valid_referersnoneblockedserver_names*.test.com;//定义一个白名单if($invalid_referer){//如果不是白名单里的return403;//返回403}access_logoff;}

~*表示不区分大小写

[root@aminglinux-02~]#curl-e"http://www.baidu.com/1.html"-x127.0.0.1:80test.com/1.gif-ihttp/1.1403forbiddenserver:nginx/1.12.1date:mon,14aug201715:34:55gmtcontent-type:text/htmlcontent-length:169connection:keep-alive[root@aminglinux-02~]#curl-e"http://www.test.com/1.html"-x127.0.0.1:80test.com/1.gif-ihttp/1.1200okserver:nginx/1.12.1date:mon,14aug201715:35:20gmtcontent-type:image/gifcontent-length:66last-modified:fri,11aug201717:51:27gmtconnection:keep-aliveetag:"598dee9f-42"expires:mon,21aug201715:35:20gmtcache-control:max-age=604800accept-ranges:bytes

使用www.baidu.com的referer访问，是403；更换为www.test.com，访问就200，便是防盗链设置成功

location/admin/{allow192.168.133.1;//白名单allow127.0.0.1;//白名单denyall;//全部deny}

执行顺序，是逐行匹配；匹配成功第一条，将不继续进行之后的匹配

[root@aminglinux-02~]#curl-x127.0.0.1:80test.com/admin/1.php-ihttp/1.1200okserver:nginx/1.12.1date:mon,14aug201715:54:51gmtcontent-type:application/octet-streamcontent-length:11last-modified:mon,14aug201715:54:48gmtconnection:keep-aliveetag:"5991c7c8-b"accept-ranges:bytes[root@aminglinux-02~]#curl-x127.0.0.2:80test.com/admin/1.php-ihttp/1.1200okserver:nginx/1.12.1date:mon,14aug201715:54:57gmtcontent-type:application/octet-streamcontent-length:11last-modified:mon,14aug201715:54:48gmtconnection:keep-aliveetag:"5991c7c8-b"accept-ranges:bytes[root@aminglinux-02~]#cat/tmp/test.com.log127.0.0.1-[12/aug/2017:01:48:01+0800]test.com"/"200"-""curl/7.29.0"127.0.0.1-[12/aug/2017:01:50:13+0800]test.com"/2.jsfsdfe"404"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:47:09+0800]test.com"/admin"301"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:51:10+0800]test.com"/admin"301"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:51:26+0800]test.com"/admin"301"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:52:59+0800]test.com"/admin"301"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:53:08+0800]test.com"/admin/1.php"404"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:54:51+0800]test.com"/admin/1.php"200"-""curl/7.29.0"127.0.0.1-[14/aug/2017:23:54:57+0800]test.com"/admin/1.php"200"-""curl/7.29.0"

因为跳转的地址都127.0.0.1，所以访问是正常的

为了准确测试，对ens34网卡新增一个ip使用这个ip访问，查看curl情况

[root@aminglinux-02~]#dhclientens34[root@aminglinux-02~]#ifconfigens32:flags=4163mtu1500inet192.168.133.131netmask255.255.255.0broadcast192.168.133.255inet6fe80::6e6a:61ff:f17c:5942prefixlen64scopeid0x20ether00:0c:29:c4:13:b8txqueuelen1000(ethernet)rxpackets19843bytes1420313(1.3mib)rxerrors0dropped0overruns0frame0txpackets4417bytes559642(546.5kib)txerrors0dropped0overruns0carrier0collisions0ens34:flags=4163mtu1500inet192.168.161.128netmask255.255.255.0broadcast192.168.161.255inet6fe80::44fe:e11f:f99c:4de1prefixlen64scopeid0x20ether00:0c:29:c4:13:c2txqueuelen1000(ethernet)rxpackets6bytes1490(1.4kib)rxerrors0dropped0overruns0frame0txpackets3412bytes606434(592.2kib)txerrors0dropped0overruns0carrier0collisions0lo:flags=73mtu65536inet127.0.0.1netmask255.0.0.0inet6::1prefixlen128scopeid0x10looptxqueuelen1(localloopback)rxpackets174bytes14813(14.4kib)rxerrors0dropped0overruns0frame0txpackets174bytes14813(14.4kib)txerrors0dropped0overruns0carrier0collisions0[root@aminglinux-02~]#curl-x192.168.161.128:80test.com/admin/1.php-ihttp/1.1403forbiddenserver:nginx/1.12.1date:mon,14aug201715:59:23gmtcontent-type:text/htmlcontent-length:169connection:keep-alive

证明配置成功，非第一和第二条的ip访问，无法打开

location~.*(upload|image)/.*.php${denyall;}

为了方便测试，创建所需文件和目录

[root@aminglinux-02~]#mkdir/data/wwwroot/test.com/upload[root@aminglinux-02~]#cd!$cd/data/wwwroot/test.com/upload[root@aminglinux-02upload]#vim1.php[root@aminglinux-02upload]#vim1.jpg[root@aminglinux-02test.com]#curl-x127.0.0.1:80test.com/upload/1.php

if($http_user_agent~'spider/3.0|youdaobot|tomato'){return403;}

return403和denyall效果是一样的

测试

[root@aminglinux-02test.com]#curl-a"tomato"-x127.0.0.1:80test.com/index.html-ihttp/1.1403forbiddenserver:nginx/1.12.1date:mon,14aug201716:23:57gmtcontent-type:text/htmlcontent-length:169connection:keep-alive

因为配置是严格匹配

[root@aminglinux-02test.com]#curl-a"tomato"-x127.0.0.1:80test.com/index.html-ihttp/1.1200okserver:nginx/1.12.1date:mon,14aug201716:24:04gmtcontent-type:text/htmlcontent-length:9last-modified:thu,10aug201717:35:22gmtconnection:keep-aliveetag:"598c995a-9"accept-ranges:bytes

更改为不区分大小写更改前

if($http_user_agent~'spider/3.0|youdaobot|tomato')

更改后

if($http_user_agent~*'spider/3.0|youdaobot|tomato')

测试

[root@aminglinux-02test.com]#curl-a"tomato"-x127.0.0.1:80test.com/index.html-ihttp/1.1403forbiddenserver:nginx/1.12.1date:mon,14aug201716:26:25gmtcontent-type:text/htmlcontent-length:169connection:keep-alive[root@aminglinux-02test.com]#curl-a"tomato"-x127.0.0.1:80test.com/index.html-ihttp/1.1403forbiddenserver:nginx/1.12.1date:mon,14aug201716:26:34gmtcontent-type:text/htmlcontent-length:169connection:keep-alive12.15nginx解析php相关配置解析php

创建phpinfo文件

[root@aminglinux-02test.com]#pwd/data/wwwroot/test.com[root@aminglinux-02test.com]#vim3.php[root@aminglinux-02test.com]#cat3.php

查看系统是否能解析php

[root@aminglinux-02test.com]#curl-x127.0.0.1:80test.com/3.php

直线显示源代码，不能解析

修改配置

[root@aminglinux-02test.com]#!vimvim/usr/local/nginx/conf/vhost/test.com.conflocation~.php${includefastcgi_params;fastcgi_passunix:/tmp/php-fcgi.sock;//写错这个路径，就会显示502fastcgi_indexindex.php;fastcgi_paramscript_filename/data/wwwroot/test.com$fastcgi_script_name;///data/wwwroot/这个路径对应的是配置文件里面设置的root对应路径}

配置完成后检查语法和重新加载服务

-t&&-sreload案例：一、

sock写错导致访问页面出现502

[root@aminglinux-02test.com]#curl-x127.0.0.1:80test.com/3.php

1、查看nginx的错误日志

如果不清楚错误日志的路径，可以在配置nginx.conf查看

[root@aminglinux-02test.com]#cat/usr/local/nginx/logs/nginx_error.log2017/08/1500:41:29[crit]5987#0:*26connect()tounix:/tmp/php-fci.sockfailed(2:nosuchfileordirectory)whileconnectingtoupstream,client:127.0.0.1,server:test.com,request:"gethttp://test.com/3.phphttp/1.1",upstream:"fastcgi://unix:/tmp/php-fci.sock:",host:"test.com"

2、根据这句语句nosuchfileordirectory可以了解到“没有这样的文件或目录”，可以尝试查找看看php-fci.sock这个文件

[root@aminglinux-02test.com]#ls/tmp/php-fci.sockls:无法访问/tmp/php-fci.sock:没有那个文件或目录

3、结果还是没有文件或者目录，这就需要查看一下，配置的地址是否正确

[root@aminglinux-02test.com]#cat/usr/local/php-fpm/etc/php-fpm.conf[global]pid=/usr/local/php-fpm/var/run/php-fpm.piderror_log=/usr/local/php-fpm/var/log/php-fpm.log[www]listen=/tmp/php-fcgi.sock//查看这一段，定义的文件和缺少的文件是否一样listen.mode=666user=php-fpmgroup=php-fpmpm=dynamicpm.max_children=50pm.start_servers=20pm.min_spare_servers=5pm.max_spare_servers=35pm.max_requests=500rlimit_files=1024

对比过后发现文件名出错，这时在去看nginx下的conf配置是否正确发现就是虚拟主机配置文件出错，修改回正确的sock名字就恢复正常

fastcgi_passunix:/tmp/php-fcgi.sock;

ps：php下的listen=/tmp/php-fcgi.sock这段配置很重要，决定了nginx是否能正确解析而不是502

php配置文件下的listen.mode=666这一项如果不做定义，默认用的是660，使用默认的权限，将会影响nginx访问产生502

[global]pid=/usr/local/php-fpm/var/run/php-fpm.piderror_log=/usr/local/php-fpm/var/log/php-fpm.log[www]listen=/tmp/php-fcgi.sock#listen.mode=666user=php-fpmgroup=php-fpmpm=dynamicpm.max_children=50pm.start_servers=20pm.min_spare_servers=5pm.max_spare_servers=35pm.max_requests=500rlimit_files=1024[root@aminglinux-02test.com]#/etc/init.d/php-fpmrestartgracefullyshuttingdownphp-fpm.donestartingphp-fpmdone

因为nginx默认访问php服务的用户的nobody，而且660权限,因为文件所属主、组是root，只能root用户访问，nobody用户去调用sock的时候，将出现错误，最终返回502

[root@aminglinux-02test.com]#!lsls-lhtr/tmp/php-fcgi.socksrw-rw----1rootroot08月1501:28/tmp/php-fcgi.sock[root@aminglinux-02test.com]#!curlcurl-x127.0.0.1:80test.com/3.php

所以在配置php-fpm的时候，默认将listen.mode=设置为666，为的就是让所有用户都可以访问和读

php-fpm资源耗尽的时候，也会502

需求：用户需要访问web服务器，但用户因为各种原因没办法访问或者访问很慢（私网无访问、境内访问国外服务器），所以，就需要一个能访问web服务器的代理者，让用户通过代理服务器访问

解决办法创建代理服务器

[root@aminglinux-02test.com]#cd/usr/local/nginx/conf/vhost[root@aminglinux-02vhost]#pwd/usr/local/nginx/conf/vhost[root@aminglinux-02vhost]#vimproxy.conf//加入以下内容server{listen80;server_nameask.apelearn.com;//定义域名location/{proxy_passhttp://121.201.9.155/;//定义域名proxy_set_headerhost$host;//定义访问的域名为$host=server_nameask.apelearn.comproxy_set_headerx-real-ip$remote_addr;proxy_set_headerx-forwarded-for$proxy_add_x_forwarded_for;}}

代理服务器配置，没有root，因为是代理服务器，所以不需要访问本地服务器上的任务文件

配置完成后检查语法和重新加载服务

-t&&-sreload

[root@aminglinux-02vhost]#/usr/local/nginx/sbin/nginx-tnginx:theconfigurationfile/usr/local/nginx/conf/nginx.confsyntaxisoknginx:configurationfile/usr/local/nginx/conf/nginx.conftestissuccessful[root@aminglinux-02vhost]#/usr/local/nginx/sbin/nginx-sreload

测试

[root@aminglinux-02vhost]#curl-x127.0.0.1:80ask.apelearn.com/robots.txt##robots.txtformiwen#user-agent:*disallow:/?/admin/disallow:/?/people/disallow:/?/question/disallow:/account/disallow:/app/disallow:/cache/disallow:/install/disallow:/models/disallow:/crond/run/disallow:/search/disallow:/static/disallow:/setting/disallow:/system/disallow:/tmp/disallow:/themes/disallow:/uploads/disallow:/url-*disallow:/views/disallow:/*/ajax/[root@aminglinux-02vhost]#