1.nginx日志

1.日志分离

[root@web02 ~]# vim /etc/nginx/nginx.conf
# Defines the access-log format named "main" that the server blocks reference.
http {
    ......
    # $remote_addr is the address of the TCP peer. $http_x_forwarded_for,
    # $http_referer and $http_user_agent are copied from request headers the
    # client controls, so treat those fields as untrusted text when reading logs.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    ......
}

[root@web02 ~]# vim /etc/nginx/conf.d/server1.conf
# Virtual host for www.server1.com with its own access log, so this site's
# requests are not mixed with those of other server blocks.
server {
    listen 80;
    server_name www.server1.com;
    # Per-site log file, written in the "main" log_format.
    access_log /var/log/nginx/www.server1.com.log main;

    location / {
        root /code;
        index index.html;
    }
}

[root@web02 ~]# vim /etc/nginx/conf.d/server2.conf
# Virtual host for www.server2.com; logs to a separate file and serves a
# separate document root (/code1).
server {
    listen 80;
    server_name www.server2.com;
    # Per-site log file, written in the "main" log_format.
    access_log /var/log/nginx/www.server2.com.log main;

    location / {
        root /code1;
        index index.html;
    }
}

2.日志切割

#epel源安装的日志切割脚本
[root@web02 modules]# cat /etc/logrotate.d/nginx 
# Rotation policy for every file in /var/log/nginx whose name ends in "log".
/var/log/nginx/*log {
    # Recreate the log as mode 0664, owner nginx, group root. 0664 leaves the
    # access log (client addresses, request lines, referers) readable by every
    # local user. NOTE(review): consider a tighter mode such as 0640.
    create 0664 nginx root
    # Rotate once a day and keep 10 rotated files.
    daily
    rotate 10
    # A missing log file is not an error; empty files are not rotated.
    missingok
    notifempty
    compress
    # Run the postrotate script once for all matched files, not once per file.
    sharedscripts
    # USR1 asks the running nginx to reopen its log files. Errors are discarded
    # and "|| true" keeps a missing pid file from failing the rotation.
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

#官方源安装的日志切割脚本
[root@nginx conf.d]# cat /etc/logrotate.d/nginx
# Rotation policy for /var/log/nginx/*.log.
/var/log/nginx/*.log {
        daily                   # rotate once a day
        missingok               # a missing log file is not an error
        rotate 52               # keep 52 rotated files (52 days at one rotation per day)
        compress                # compress rotated files
        delaycompress           # leave the newest rotated file uncompressed until the next cycle
        notifempty              # do not rotate empty files
        create 640 nginx adm    # new log: mode 640, owner nginx, group adm (not world-readable)
        sharedscripts
        postrotate      # command run after rotation
                # USR1 asks the running nginx to reopen its log files; skipped
                # when no pid file exists.
                if [ -f /var/run/nginx.pid ]; then
                        kill -USR1 `cat /var/run/nginx.pid`
                fi
        endscript
}

2.Nginx 模块

1.nginx目录索引模块 ngx_http_autoindex_module

1)模块语法

Syntax:    autoindex on | off;
Default:autoindex off;
Context:http, server, location

2)配置

# Serves /code as the site root and turns on directory listings for /download.
server {
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    # Character set announced in the Content-Type header
    charset 'utf-8';
    location / {
        root /code;
        index index.html;
    }
    location /download {
        root /code;
        # Enable the directory-index module. Every file placed under
        # /code/download becomes visible and fetchable by any client that can
        # reach this location, so keep only publishable files there.
        autoindex on;
        # Size display: off shows rounded K/M/G units, on shows exact bytes
        autoindex_exact_size off;
        # on shows modification times in the server's local time zone;
        # off shows UTC (8 hours behind on a UTC+8 server)
        autoindex_localtime on;
   }
}

2.nginx访问控制模块 ngx_http_access_module

1)模块语法

#允许访问语法
Syntax:    allow address | CIDR | unix: | all;
Default:    —
Context:    http, server, location, limit_except

#拒绝访问语法
Syntax:    deny address | CIDR | unix: | all;
Default:    —
Context:    http, server, location, limit_except

2)访问控制实例

#要求10.0.0.1可以访问我的/download 目录,其他网址不允许
# Allowlist example: only 10.0.0.1 may reach /download.
server {
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    charset 'utf-8';
    location / {
        root /code;
        index index.html;
    }
    location /download {
        root /code;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        # Rules are checked in order and the first match decides: 10.0.0.1 is
        # accepted, every other address falls through to "deny all" (403).
        # The check uses the connecting address; behind a reverse proxy that is
        # the proxy's address unless the real client address is restored first.
        allow 10.0.0.1;
        deny all;
   }
}

#要求10.0.0.1不可以访问我的/download 目录,其他网址允许
[root@web01 conf.d]# vim mario.conf 
# Denylist example: 10.0.0.1 is blocked from /download, everyone else passes.
server {
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    charset 'utf-8';
    location / {
        root /code;
        index index.html;
    }
    location /download {
        root /code;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        # First match decides: 10.0.0.1 is refused, all other addresses are
        # accepted. A denylist only stops the listed address; a client that
        # arrives from any other address is not affected.
        deny 10.0.0.1;
        allow all;
   }
}

#要求10.0.0.0网段可以访问我的/download 目录,其他网址不允许
[root@web01 conf.d]# vim mario.conf 
# Allowlist example for a whole subnet: only 10.0.0.0/24 may reach /download.
server {
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    charset 'utf-8';

    location / {
        root /code;
        index index.html;
    }

    location /download {
        root /code;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        # First match decides: addresses in 10.0.0.0/24 are accepted, every
        # other address is refused by "deny all".
        allow 10.0.0.0/24;
        deny all;
   }
}

3)一般使用场景

在公司里面,访问我们的后台,只允许在公司内部使用公司的网络访问
拒绝其他地址访问进来,如果需要在家使用其他地址访问,需要使用VPN拨号访问

3.nginx访问认证模块 ngx_http_auth_basic_module

1)模块语法

#注释(没什么卵用)
Syntax:    auth_basic string | off;
Default:    auth_basic off;
Context:    http, server, location, limit_except

#指定认证的文件
Syntax:    auth_basic_user_file file;
Default:    —
Context:    http, server, location, limit_except

2)配置密码认证模块

#创建密码文件需要 htpasswd
[root@web01 conf.d]# htpasswd -c /etc/nginx/conf.d/auth_basic linux
New password: 
Re-type new password: 
Adding password for user linux
[root@web01 conf.d]# 
#或者使用 -b 在命令行上直接给出密码(密码会留在 shell 历史和进程列表中,只适合测试环境;另外 -c 会覆盖已存在的密码文件)
[root@web01 conf.d]# htpasswd -c -b /etc/nginx/conf.d/auth_basic linux linux
Adding password for user linux
[root@web01 conf.d]# 

[root@web01 conf.d]# vim mario.conf 
# Adds HTTP Basic authentication on top of the address allowlist for /download.
server {
    # NOTE(review): Basic credentials are only base64-encoded, and this server
    # listens on plain HTTP, so the user name and password cross the network
    # in cleartext. Serve password-protected locations over TLS.
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    charset 'utf-8';
    location / {
        root /code;
        index index.html;
    }
    location /download {
        root /code;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        # With nginx's default "satisfy all", a request must pass both the
        # address rules and the password check below.
        allow 10.0.0.0/24;
        deny all;
        # The string is the realm shown in the browser's login prompt.
        auth_basic "please don't like me!";
        # File created with htpasswd; it holds user names and password hashes.
        # Keep it outside any document root and readable only by root and the
        # nginx worker user.
        auth_basic_user_file /etc/nginx/conf.d/auth_basic;
   }
}

4.nginx状态模块 ngx_http_stub_status_module

1)模块语法

Syntax:    stub_status;
Default:    —
Context:    server, location

2)配置

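    # Expose nginx's basic connection counters at /nginx_status.
    # Access is limited to the local host: the counters describe live traffic
    # and are meant for local monitoring, not for arbitrary clients.
    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        deny all;
    }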

3)nginx七种状态

Active connections: 2         
server accepts handled requests
         2         2         2 
Reading: 0 Writing: 1 Waiting: 1

Active connections         # 活跃的连接数
accepts                    # 当前的总连接数TCP
handled                    # 成功的TCP连接数
requests                # 总的http请求数

Reading                    # 读取请求头部
Writing                    # 返回给客户端的头部
Waiting                    # 等待的请求数,开启了keepalive

# 注意, 一次TCP的连接,可以发起多次http的请求, 如下参数可配置进行验证
keepalive_timeout  0;   # 类似于关闭长连接
keepalive_timeout  65;  # 65s没有活动则断开连接

5.nginx连接限制模块 ngx_http_limit_conn_module

1)模块语法

#设置限制的内存空间/条件
         #  调用模块      空间里面存的内容   空间=空间名字:空间大小
Syntax:     limit_conn_zone    key          zone=name:size;
Default: —
Context: http

#调用上面的内存空间
Syntax:    limit_conn zone number;
Default:    —
Context:    http, server, location

2)配置

# Per-client connection limit: the zone is declared in http{} and applied in
# server{}.
http{
    ......
    # Shared-memory zone "conn_zone" (10 MB) keyed by the client address.
    limit_conn_zone $remote_addr zone=conn_zone:10m;
    ......
}
server{
    ......
    # At most 1 simultaneous connection per key. Clients that share one public
    # address (NAT, forward proxy) also share this limit.
    limit_conn conn_zone 1;
    ......
}

6.nginx限制请求模块 ngx_http_limit_req_module

1)模块语法

##设置限制的内存空间/条件
        #   使用模块    空间保存内容  空间=空间名字:大小   速率=1r/s
Syntax:     limit_req_zone key zone=name:size rate=rate;
Default: —
Context: http

#调用上面的模块
Syntax:    limit_req zone=name [burst=number] [nodelay];
Default: —
Context: http, server, location

2)配置

[root@web01 conf.d]# cat /etc/nginx/conf.d/mario.conf 
# Request-rate limiting: zone "req_zone" (10 MB) keyed by the client address,
# allowing 1 request per second per key.
limit_req_zone $remote_addr zone=req_zone:10m rate=1r/s;

server {
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    charset 'utf-8';
    location / {
        root /code;
        index index.html;
    }
    location /download {
        root /code;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        # Address rules and password check must both pass (default "satisfy all").
        allow 10.0.0.0/24;
        deny all;
        auth_basic "please don't like me!";
        auth_basic_user_file /etc/nginx/conf.d/auth_basic;
        # Apply the rate limit here: up to 5 requests above the rate are served
        # immediately (nodelay); requests beyond that burst are rejected.
        limit_req zone=req_zone burst=5 nodelay;
    }  

    # Status counters, reachable from the local host only.
    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        deny all;    
    }
}

3)验证请求限制

#使用ab命令
[root@web01 conf.d]# ab -n 20 -c 2 http://www.mario.com/download/
Server Software:        nginx/1.16.1
Server Hostname:        www.mario.com
Server Port:            80
Document Path:          /download/
Document Length:        179 bytes
Concurrency Level:      2
Time taken for tests:   0.002 seconds
Complete requests:      20
Failed requests:        19
   (Connect: 0, Receive: 0, Length: 19, Exceptions: 0)

#配置延时请求之后
[root@web01 code]# ab -n 20 -c 2 http://www.mario.com/download/
Server Software:        nginx/1.16.1
Server Hostname:        www.mario.com
Server Port:            80
Document Path:          /download/
Document Length:        179 bytes
Concurrency Level:      2
Time taken for tests:   0.002 seconds
Complete requests:      20
Failed requests:        14
   (Connect: 0, Receive: 0, Length: 14, Exceptions: 0)

Nginx Location

1.location语法

Syntax:    location [ = | ~ | ~* | ^~ | / ] uri { ... }
        location @name { ... }
Default:    —
Context:    server, location

2.location验证

[root@Nginx conf.d]# cat testserver.conf 
# Test server: each location returns its own name, so the response body shows
# which location nginx selected for a request.
server {
    listen 80;
    server_name www.server.com;
    # Plain prefix match: matches every URI, but is used only when no regex
    # location matches.
    location / {
        default_type text/html;
        return 200 "location /";
    }

    # Exact match: selected only for the URI "/" itself, ahead of all others.
    location =/ {
        default_type text/html;
        return 200 "location =/";
    }

    # Case-sensitive regex: "/" occurs in every URI, so this takes every
    # request that the exact-match location did not.
    location ~ / {
        default_type text/html;
        return 200 "location ~/";
    }

    # Disabled variant using the "^~" prefix modifier.
    # location ^~ / {
    #   default_type text/html;
    #   return 200 "location ^~";
    # }
}

3.location 优先级

匹配符 匹配规则 优先级
= 精确匹配 1
^~ 以某个字符串开头 2
~ 区分大小写的正则匹配 3
~* 不区分大小写的正则匹配 4
/ 通用匹配,任何请求都会匹配到 5

4.验证

[root@web01 conf.d]# cat testserver.conf 
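# Routes requests to different document roots by file suffix. Regex locations
# are tested in the order they appear; the prefix location "/" is used only
# when none of them matches.
server {
    listen 80;
    server_name www.server.com;
    # Fallback for every URI not claimed by a regex location below.
    location / {
        root /code;
    }

    # URIs ending in ".php" (case-sensitive).
    location ~ \.php$ {
        root /php;
    }

    # URIs ending in ".jsp" (case-sensitive).
    location ~ \.jsp$ {
        root /jsp;
    }

    # Static assets, matched case-insensitively.
    location ~* .*\.(jpg|gif|png|js|css)$ {
        root /pic;
    }

    # Dumps, backups, archives and ".git" suffixes, matched case-insensitively.
    # The dot in "tar.gz" is escaped so it matches a literal dot only, and the
    # last alternative is "git" rather than ".git": the group already follows
    # "\.", so an extra unescaped "." would demand one more character and a
    # plain ".git" suffix would fall through to "location /".
    # NOTE(review): these file types often hold sensitive data; confirm that
    # /package contains only files intended for download.
    location ~* "\.(sql|bak|tgz|tar\.gz|git)$" {
        root /package;
    }

}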

5.location扩展

[root@web01 conf.d]# cat mario.conf 
# Full example: address allowlist, Basic authentication, rate limiting and a
# custom error page on /download, plus a loopback-only status endpoint.
# Zone "req_zone" (10 MB) is keyed by the client address: 1 request per second.
limit_req_zone $remote_addr zone=req_zone:10m rate=1r/s;

server {
    listen 80;
    server_name www.mario.com;
    access_log /var/log/nginx/www.mario.com.log main;
    charset 'utf-8';

    location / {
    root /code;
    index index.html;
    }

    location /download {
    root /code;
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
    # Address rules and password check must both pass (default "satisfy all").
    allow 10.0.0.0/24;
    deny all;
    auth_basic "please don't like me!";
    auth_basic_user_file /etc/nginx/conf.d/auth_basic;
    # No burst is configured, so a request above the rate is rejected at once.
    limit_req zone=req_zone;
    # Show /404.html as the body when a request is rejected with 503. The
    # response status stays 503 because no "=code" override is given.
    error_page 503 /404.html;
    }  

    # Status counters, reachable from the local host only.
    location /nginx_status {
    stub_status;
    allow 127.0.0.1;
    deny all;    
    }
}