
nginx

TIPS

  • yandex/gixy nginx 配置检查,有什么卵用?
    • sudo htpasswd -c /etc/nginx/.htpasswd exampleuser
  • 通过 nginx 配置防机器人(通过nginx配置文件抵御攻击 | WooYun知识库),但可能误杀 spider
  • Module ngx_http_realip_module 可以将 http_x_forwarded_for 转为 remote_addr(只对 set_real_ip_from 列出的可信代理发来的请求生效; 否则该头可被客户端随意伪造, 不能当作真实来源地址)
  • Fail2ban 是一个自动防火墙的框架,里面有很多预设配置能用来封禁各类协议的恶意访问,也能按其框架编写自定义的封禁脚本(actionban/actionunban)。但我觉得还是太复杂了,且恐怕默认配置会产生副作用,所以没用。
  • 访问日志(access log)中 $upstream_addr 可能包含多个地址
    • 原因是:If several servers were contacted during request processing, their addresses are separated by commas, e.g. “192.168.1.1:80, 192.168.1.2:80, unix:/tmp/sock”.1)
    • 常见于百度搜索带来的流量
  • invalid number of arguments in “root” directive…: root /var/www; 是不是没写分号?
    • 不应使用 if, 慢
    • 可以用 try_files $uri $uri/ /index.php?q=$uri&$args;
  • 需要调试配置时, 在 server 级别 + error_log /var/log/nginx/error.log debug;, debug 日志很详细
  • client_max_body_size 200m; (http, server, location)
  • rewrite “没有 . 也没有 / 的地址”, 增加 trailing slash
    rewrite ^([^.]*[^/])$ $1/ permanent;
  • 维护页面
    • /etc/nginx/90-maintenance
      server {
              listen      80;
              root    /var/www/;
       
              location / {
                  # While /var/www/maintencance.html exists, every request is answered
                  # with 503 ("return" inside "if" is one of the safe uses of if).
                  # The odd spelling is used consistently here, in the rewrite below and
                  # in the file name on disk; all three must stay identical.
                  if (-f $document_root/maintencance.html) {
                      return 503;
                 }
               }
       
              # The 503 body comes from the named location; without "=code" on
              # error_page the response keeps the 503 status while the file is served.
              error_page 503 @maintenance;
              location @maintenance {
                      rewrite ^(.*)$ /maintencance.html break;
              }
      }
    • /var/www/maintencance.html
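      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
      <!-- Static body for the 503 maintenance response. The public identifier above
           was "-//W3C/DTD ..." (single slash), which is not the registered XHTML 1.0
           Strict identifier; fixed to "-//W3C//DTD ...". The file name must match the
           one tested and rewritten in the nginx maintenance server block. -->
      <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
          <title>系统正在维护中</title>
          <style>
            h1 {
            font-size: 20px;
            }
          </style>
        </head>
        <body>
          <div id="wrap">
            <h1>
            系统正在维护中
            </h1>
            <p>请您稍后再来. 对您造成的不便我们万分抱歉.</p>
            <!-- contact placeholders: fill in before deploying -->
            <p>如有问题, 请咨询 XXXX: XXX-XXX-XXXX</p>
          </div>
        </body>
      </html>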
  • http proxy
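    server {
           # Anchored, escaped regex: matches example.com and its subdomains only.
           # The original "~example.com$" had an unescaped "." and no "^", so a
           # Host such as "notexample.com" also matched and was proxied.
           server_name ~^(.+\.)?example\.com$;
           location / {
                   proxy_pass http://192.168.0.9:8888;
                   proxy_set_header  X-Real-IP  $remote_addr;
                   # full hop chain (client + any earlier proxies) for the upstream's own logs
                   proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
                   proxy_set_header Host $host;
           }
    }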
  • 白板页面
    # vi default.conf
    # Catch-all vhost: "default_server" makes it answer any request whose Host
    # matches no other server block, and 204 is an empty but successful reply.
    server {
    	listen 80 default_server;
    	listen [::]:80 default_server ipv6only=on;
    
    	server_name localhost;
    
    	return 204;
            # HTTP status code 204 No Content is meant to say 
            # "I've completed the request, but there is no body to return"
    }
  • 域名重定向
    # Redirect one host name to another; "permanent" sends a 301.
    server{
        listen       80;
        server_name  magic.xiaopei.li;
        # rewrite appends the original query string to the target unless the
        # replacement ends with "?"; newer nginx prefers
        # "return 301 http://mtg.xiaopei.li$request_uri;" for plain redirects.
        rewrite .* http://mtg.xiaopei.li permanent;
        # or keep the request path with a capture:
        # rewrite  ^(.*)    http://www.youdomain.com$1 permanent;
    }
  • 阻止访问 dotfiles
    # Regex locations are tried in the order written and the first match wins:
    # put this before other "~" locations (e.g. the \.php$ one) or a request for
    # /.hidden/x.php is handled by that location instead. "deny all" answers 403,
    # which still confirms the path exists; "return 404;" hides it. This also
    # blocks /.well-known/ (ACME challenges), so add an exception if you need it.
    location ~ /\. {
        deny all;
    }
  • 密码 http basic auth
    # ubuntu
    $ sudo apt-get install apache2-utils
    # centos
    $ sudo yum install -y httpd-tools
     
     
    # -c creates the file and overwrites one that already exists; drop -c when
    # adding further users. The default $apr1$ scheme is Apache's MD5 variant;
    # "htpasswd -B" (bcrypt) is stronger but needs an nginx/libcrypt that accepts
    # $2y$ hashes, so test it before relying on it.
    $ sudo htpasswd -c /etc/nginx/.htpasswd admin
    > 输入密码
     
    # keep the file outside the web root, readable only by root and the worker user
    $ cat /etc/nginx/.htpasswd
    admin:$apr1$ilgq7ZEO$OarDX15gjKAxuxzv0JTrO/
     
    $ sudo vi /etc/nginx/sites-available/default
    ...
    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
            # Basic auth only base64-encodes the password, so on a plain port-80
            # server (this page's default site listens on 80) it is sent in the
            # clear on every request; put these lines in a "listen 443 ssl" block.
    +        auth_basic "Private Property";
    +        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    ...

配置(v.0.7.67)

检查配置:

$ nginx -t

配置结构

 
/etc/nginx$ tree
.
├── conf.d
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── nginx.conf # 主配置
├── sites-available
│   ├── default
│   └── dokuwiki
├── sites-enabled
│   ├── default -> /etc/nginx/sites-available/default
│   └── dokuwiki -> ../sites-available/dokuwiki
└── win-utf

主配置示例

# user (and optionally group) the worker processes run as
user www-data;
 
# number of worker processes, usually 1x-2x the CPU core count
# (newer versions also accept "auto" = one per core)
worker_processes  1;
 
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
 
# linux uses epoll
# freebsd uses kqueue
events {
    # max simultaneous connections per worker process
    worker_connections  1024;
    # multi_accept on;
}
 
http {
    include       /etc/nginx/mime.types;
 
    access_log	/var/log/nginx/access.log;
 
    sendfile        on;
    #tcp_nopush     on;
 
    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;
 
    gzip  on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
 
    # hardening worth adding here: "server_tokens off;" hides the nginx version
    # in the Server header and on built-in error pages
 
    # the main config has no document-root
    # the default site is itself a server{}, in sites-enabled/default
 
    # pull in the other http-level configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
 
# note: nginx can also act as a mail proxy (pop3/imap); commented template below
# mail {
#     # See sample authentication script at:
#     # http://wiki.nginx.org/NginxImapAuthenticateWithApachePhpScript
# 
#     # auth_http localhost/auth.php;
#     # pop3_capabilities "TOP" "USER";
#     # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#     server {
#         listen     localhost:110;
#         protocol   pop3;
#         proxy      on;
#     }
# 
#     server {
#         listen     localhost:143;
#         protocol   imap;
#         proxy      on;
#     }
# }

server 配置

# You may add here your
# server {
#	...
# }
# statements for each of your virtual hosts
 
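server {
 
	listen   80; ## listen for ipv4
	## "default" is the older spelling of default_server
	listen   [::]:80 default ipv6only=on; ## listen for ipv6
 
	server_name  localhost;
 
	access_log  /var/log/nginx/localhost.access.log;
 
	location / {
		root   /var/www;
		index  index.html index.htm;
	}
 
	# /usr/share/doc with a directory listing, reachable from this host only
	location /doc {
		root   /usr/share;
		autoindex on;
		allow 127.0.0.1;
		deny all;
	}
 
	# /usr/share/images with a public directory listing (autoindex)
	location /images {
		root   /usr/share;
		autoindex on;
	}
 
	#error_page  404  /404.html;
 
	# redirect server error pages to the static page /50x.html
	#
	#error_page   500 502 503 504  /50x.html;
	#location = /50x.html {
	#	root   /var/www/nginx-default;
	#}
 
	# proxy the PHP scripts to Apache listening on 127.0.0.1:80
	#
	#location ~ \.php$ {
		#proxy_pass   http://127.0.0.1;
	#}
 
	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	location ~ \.php$ {
		# Scripts live under /scripts: http://localhost/info.php runs /scripts/info.php.
		# Setting root here (instead of hard-coding /scripts in SCRIPT_FILENAME)
		# lets try_files check the same directory PHP will read from.
		root /scripts;
 
		# Only hand over scripts that actually exist. Without this every URI
		# ending in .php -- including /pic.jpg/x.php style paths when PHP runs
		# with cgi.fix_pathinfo -- is forwarded to the FastCGI backend.
		try_files $uri =404;
 
		fastcgi_pass   127.0.0.1:9000;
		fastcgi_index  index.php;
 
		# $fastcgi_script_name already starts with a leading "/"
		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		# same result without root: fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
 
		include fastcgi_params;
	}
 
	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
		#deny  all;
	#}
}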
 
 
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#listen   8000;
#listen   somename:8080;
#server_name  somename  alias  another.alias;
 
#location / {
#root   html;
#index  index.html index.htm;
#}
#}
 
 
# HTTPS server
#
# NOTE(review): this template predates modern TLS. "ssl on" is superseded by
# "listen 443 ssl;", and SSLv3 plus the +LOW/+EXP cipher entries are broken
# and must not be enabled; use ssl_protocols TLSv1.2 (and TLSv1.3 where the
# build supports it) with a current cipher list instead.
#server {
#listen   443;
#server_name  localhost;
 
#ssl  on;
#ssl_certificate  cert.pem;
#ssl_certificate_key  cert.key;
 
#ssl_session_timeout  5m;
 
#ssl_protocols  SSLv3 TLSv1;
#ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
#ssl_prefer_server_ciphers   on;
 
#location / {
#root   html;
#index  index.html index.htm;
#}
#}