1. Modules built into nginx
[root@web01 ~]$ nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1g FIPS 21 Apr 2020 (running with OpenSSL 1.1.1k FIPS 25 Mar 2021)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
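2. autoindex directory index module
When users visit nginx they can download the files under the site root, much as they would with an FTP tool. With autoindex on, every file and subdirectory under root is listed to anyone who can reach the site, so keep only files meant for download there.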
Syntax | autoindex on | off |
Default | autoindex off |
Context | http , server , location |
Syntax | autoindex_format html | xml | json |jsonp |
Default | autoindex_format html |
Context | http , server , location |
Syntax | autoindex_localtime on | off |
Default | autoindex_localtime off |
Context | http , server , location |
Usage
Configuration file
[root@web01 ~]$ cat /etc/nginx/conf.d/auto.nginx.com.conf
server {
    listen 80;
    server_name auto.nginx.com;
    root /code/auto;
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
Override name resolution in the hosts file (hosts hijacking) so the site can be reached by its domain name
On Windows the hosts file is at C:\Windows\System32\drivers\etc\hosts
Test
3. nginx status module
ngx_http_stub_status_module displays the nginx status
stub_status
Syntax | stub_status |
Default | — |
Context | server, location |
Configuration file
[root@web01 ~]$ cat /etc/nginx/conf.d/dmxsp.qiang.com.conf
server {
    listen 80;
    server_name dmxsp.qiang.com;
    access_log /var/log/nginx/dmxsp.qiang.log main;
    location / {
        root /code/dmxsp;
        index index.html index.php;
    }
    location /favicon.ico {
        access_log off;
    }
    location /status {
        stub_status;
        access_log off;
    }
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
Test
[root@web01 ~]$ curl dmxsp.qiang.com/status
Active connections: 4
server accepts handled requests
82 82 583
Reading: 0 Writing: 1 Waiting: 3
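Meaning of the nginx status fields
Active connections: 4: currently active connections (connections already established)
server accepts: HTTP requests accepted so far (total)
handled: HTTP requests handled so far (total)
requests: how many requests have been sent to the server in all (total)
Reading: 0: number of client request headers currently being read (real time)
Writing: 1: number of responses currently being sent (real time)
Waiting: 3: number of client requests waiting on the server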
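4. Access restriction: allow and deny
ngx_http_access_module: the access restriction module
allow: permits access from an IP address or network segment
deny: refuses access
allow and deny together implement whitelists and blacklists
Whitelist: allow followed by deny, the common form; used to restrict core directories and files so that the outside world cannot reach them.
Blacklist: deny, used to block IP addresses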
Syntax | allow address | all |
Default | — |
Context | http, server, location, limit_except |
Syntax | deny address | all |
Default | — |
Context | http, server, location, limit_except |
Whitelist
Configuration file
[root@web01 ~]$ cat /etc/nginx/conf.d/dmxsp.qiang.com.conf
server {
    listen 80;
    server_name dmxsp.qiang.com;
    access_log /var/log/nginx/dmxsp.qiang.log main;
    location / {
        root /code/dmxsp;
        index index.html index.php;
    }
    location /favicon.ico {
        access_log off;
    }
    location /status {
        stub_status;
        access_log off;
        allow 172.16.1.0/24;
        allow 10.0.0.45;
        allow 127.0.0.1;
        deny all;
    }
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
Test
[root@web01 ~]$ curl dmxsp.qiang.com/status
Active connections: 1
server accepts handled requests
88 88 603
Reading: 0 Writing: 1 Waiting: 0
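Why the page cannot be opened in a browser while the command line can reach it
The rules are checked in order and the first one that matches decides; a client that matches none of the allow lines reaches deny all and is refused.
allow 172.16.1.0/24;: only clients in the 172 network segment are allowed
allow 10.0.0.45;: only the host whose IP ends in 45 is allowed
allow 127.0.0.1;: the local host
Blacklist
Used to block a particular IP address
Configuration file
server {
    listen 80;
    server_name dmxsp.qiang.com;
    access_log /var/log/nginx/dmxsp.qiang.log main;
    location / {
        root /code/dmxsp;
        index index.html index.php;
    }
    location /favicon.ico {
        access_log off;
    }
    location /status {
        stub_status;
        deny 10.0.0.1;
    }
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
Test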
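The whitelist and blacklist /status rules above, evaluated the way ngx_http_access_module does (rules in file order, first match decides, no match means allowed). This is an added example, not part of the original page; the function names and the client addresses other than those in the configs are constructed for illustration.

```python
import ipaddress

def parse_rules(block):
    """Parse 'allow X;' / 'deny X;' lines into (action, network or None) in file order."""
    rules = []
    for line in block.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
            rules.append((parts[0], net))
    return rules

def decide(rules, client):
    """Return (action, matching rule) for the first rule that matches the client."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or addr in net:
            return action, f"{action} {'all' if net is None else net}"
    return "allow", "no rule matched"   # the module only denies on an explicit match

# Rule lists copied from the two /status locations on this page.
WHITELIST = """
    allow 172.16.1.0/24;
    allow 10.0.0.45;
    allow 127.0.0.1;
    deny all;
"""
BLACKLIST = "deny 10.0.0.1;"

# Constructed client addresses, except 10.0.0.1 and 10.0.0.45 which the configs name.
CLIENTS = ["127.0.0.1", "10.0.0.45", "172.16.1.7", "10.0.0.1", "10.0.0.46"]

def table(block):
    """Decision for every sample client under one rule list."""
    rules = parse_rules(block)
    return {client: decide(rules, client) for client in CLIENTS}

if __name__ == "__main__":
    for name, block in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        print(name)
        for client, (action, why) in table(block).items():
            status = 200 if action == "allow" else 403
            print(f"  {client:<12} -> {status}  ({why})")
```

Under the whitelist, 10.0.0.1 and 10.0.0.46 fall through to deny all and get 403; under the blacklist only 10.0.0.1 is refused and every other address still reads the status page.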
5. auth_basic_user user authorization module
ngx_http_auth_basic_module
Restricts user access: a username and password must be entered when visiting
auth_basic: displays the login prompt | |
Syntax | auth_basic string | off |
Default | auth_basic off |
Context | http, server, location, limit_except |
auth_basic_user_file: specifies the password file | |
Syntax | auth_basic_user_file file |
Default | — |
Context | http, server, location, limit_except |
Create the password file that nginx auth_basic_user_file requires
[root@web01 ~]$ htpasswd -bc /etc/nginx/conf.d/status.pass dmxsp 123456
Adding password for user dmxsp
[root@web01 ~]$ cat /etc/nginx/conf.d/status.pass
dmxsp:$apr1$4qGrCtZx$MJMrXbbnpgxfXrAxqvpU4/
Change the file permissions
[root@web01 ~]$ chmod 600 /etc/nginx/conf.d/status.pass
[root@web01 ~]$ ll /etc/nginx/conf.d/status.pass
-rw------- 1 root root 44 Aug 6 20:07 /etc/nginx/conf.d/status.pass
Change the owner to nginx, so that the worker processes can still read the file with mode 600
[root@web01 ~]$ chown nginx /etc/nginx/conf.d/status.pass
Configuration file
[root@web01 ~]$ cat /etc/nginx/conf.d/dmxsp.qiang.com.conf
server {
    listen 80;
    server_name dmxsp.qiang.com;
    access_log /var/log/nginx/dmxsp.qiang.log main;
    location / {
        root /code/dmxsp;
        index index.html index.php;
    }
    location /status {
        stub_status;
        auth_basic "password:";
        auth_basic_user_file /etc/nginx/conf.d/status.pass;
    }
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
Test
[root@web01 ~]$ curl -u dmxsp:123456 dmxsp.qiang.com/status
Active connections: 1
server accepts handled requests
32 32 237
Reading: 0 Writing: 1 Waiting: 0
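6. Limit modules
limit_req module: limits requests (HTTP)
limit_conn module: limits connections (TCP)
limit_rate (core module): limits transfer speed
limit_req request limiting module
limit_req: applies the limit
limit_req_zone: creates the zone and sets the processing rate
limit_req limits the request processing rate per defined key, in particular the rate of requests coming from a single IP address. The limiting is done with the "leaky bucket" method.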
limit_req_zone | |
Syntax | limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; |
Default | —— |
Context | http |
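limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
$binary_remote_addr: the client IP address, in a form that takes less space
zone=one:10m: the zone name and its size
rate=1r/s: the request processing rate, here 1 request per second
The client IP address serves as the key. Note that $binary_remote_addr is used here rather than $remote_addr. The $binary_remote_addr variable is always 4 bytes for an IPv4 address and 16 bytes for an IPv6 address.
limit_req | |
Syntax | limit_req zone=one burst=5; or limit_req zone=one burst=5 nodelay; |
Default | —— |
Context | http , server , location |
limit_req zone=one burst=5
zone=one: the zone created by limit_req_zone
burst=5: a burst (concurrency) of 5
On average no more than 1 request per second is allowed, with bursts of no more than 5 requests
nodelay: not set by default; without it, requests beyond the concurrency limit are queued (delay)
nodelay: with it, requests beyond the concurrency limit get an error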
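How rate=1r/s, burst=5 and nodelay interact for one client key, as a small model of the leaky-bucket accounting nginx documents for limit_req. This is an added example, not nginx source and not part of the original page; the function name and the arrival times are constructed.

```python
def simulate(arrivals_ms, rate_per_s=1, burst=5, nodelay=False):
    """Model limit_req for a single key.

    arrivals_ms: sorted arrival times in milliseconds (constructed input).
    Returns (arrival_ms, status, delay_ms) per request; 503 means rejected.
    Excess is counted in thousandths of a request.
    """
    rate = rate_per_s * 1000          # thousandths of a request drained per second
    limit = burst * 1000
    excess, last = 0, None
    results = []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0            # first request seen for this key
        else:
            drained = rate * (now - last) // 1000
            new_excess = max(excess - drained + 1000, 0)
        if new_excess > limit:
            results.append((now, 503, 0))   # beyond burst: rejected, state unchanged
            continue
        excess, last = new_excess, now
        # Without nodelay an accepted request waits until the bucket has drained.
        delay = 0 if nodelay else new_excess * 1000 // rate
        results.append((now, 200, delay))
    return results

def summary(results):
    """(accepted, rejected, longest delay in ms) for one simulation run."""
    accepted = [r for r in results if r[1] == 200]
    return len(accepted), len(results) - len(accepted), max(r[2] for r in accepted)

if __name__ == "__main__":
    burst_of_8 = [0] * 8              # eight requests arriving in the same millisecond
    print("burst=5          ", summary(simulate(burst_of_8)))
    print("burst=5 nodelay  ", summary(simulate(burst_of_8, nodelay=True)))
    print("burst=100        ", summary(simulate(burst_of_8, burst=100)))
```

With burst=5, six of the eight simultaneous requests are accepted (one at the rate plus five of burst) and two get 503; nodelay changes only whether the accepted ones wait. A large burst without nodelay accepts everything and queues it, which ties up connections for as long as the delay lasts.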
Prepare the environment
From the Tsinghua mirror
rsync -avz mirrors.tuna.tsinghua.edu.cn::centos/7.9.2009/os/x86_64/Packages/ /code/auto
Or mount the installation disc and copy the packages on it to /code/auto
Configure limit_req
limit_req_zone
[root@web01 ~]$ cat /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
Configuration file
[root@web01 ~]$ cat /etc/nginx/conf.d/auto.nginx.com.conf
server {
    listen 80;
    server_name auto.nginx.com;
    root /code/auto;
    limit_req zone=one burst=100;
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
limit_conn connection limiting module
Limits the number of connections per IP address
The ngx_http_limit_conn module limits the number of connections per defined key, in particular the number of connections from a single IP address.
Not all connections are counted. A connection is counted only when it has a request being processed by the server and the whole request header has already been read.
limit_conn | |
Syntax | limit_conn zone number; (example: limit_conn addr 1;) |
Default | —— |
Context | http, server, location |
limit_conn_zone | |
Syntax | limit_conn_zone key zone=name:size; (example: limit_conn_zone $binary_remote_addr zone=addr:10m;) |
Default | —— |
Context | http |
Configure limit_conn_zone
[root@web01 ~]$ cat /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    limit_conn_zone $binary_remote_addr zone=addr:10m;
Configuration file
[root@web01 ~]$ cat /etc/nginx/conf.d/auto.nginx.com.conf
server {
    listen 80;
    server_name auto.nginx.com;
    root /code/auto;
    limit_conn addr 1;
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
limit_rate rate limiting
limit_rate: limits the transfer rate
limit_rate_after: start limiting only after this much of the file has been downloaded
limit_rate: rate limit | |
Syntax | limit_rate rate; (example: limit_rate 10k;) |
Default | limit_rate 0 (no limit) |
Context | http, server, location, if in location |
limit_rate_after | |
Syntax | limit_rate_after size |
Default | limit_rate_after 0 |
Context | http, server, location, if in location |
Configure limit_rate
[root@web01 ~]$ cat /etc/nginx/conf.d/auto.nginx.com.conf
server {
    listen 80;
    server_name auto.nginx.com;
    root /code/auto;
    limit_rate_after 50m;
    limit_rate 10k;
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
7. location
Matches the URI in the user's request
Syntax | location [ = | ~ | ~* | ^~ ] uri { … } location @name { … } |
Default | — |
Context | server, location |
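Special symbols available in location
location / {}
location = / {}
location ~ /name {}
location ~* /oldboy {}
location ^~ {}
Modifier | Matching rule | Priority |
= | exact match on the URI | 1 |
^~ | matches the URI without using regular expressions; high priority | 2 |
~ | case-sensitive regular expression match | 3 |
~* | case-insensitive regular expression match | 3 |
/ | general match: any request matches it; when the other locations fail to match, location / {} is used by default | 4 |
Regular expressions: symbols that match content following a pattern. ^ $ .* [] []+ | ()
Note: nginx location does not support the != !~ !~* forms; these can only be used inside if
Configuration file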
[root@web01 ~]$ cat /etc/nginx/conf.d/location.conf
server {
    listen 80;
    server_name location.dmxsp.com;
    location / {
        default_type text/html;
        return 200 "location /";
    }
    location =/ {
        default_type text/html;
        return 200 "location =/\n";
    }
    location ~ / {
        default_type text/html;
        return 200 "location ~/";
    }
    location ^~ / {
        default_type text/html;
        return 200 "location ^~";
    }
}
Check the syntax
[root@web01 ~]$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx
[root@web01 ~]$ systemctl reload nginx.service
Test
[root@web01 ~]$ curl -H Host:location.dmxsp.com 10.0.0.45
location =/