web服务nginx的安装与常用配置 前言{callout color="#f0ad4e"}Nginx (engine x) 是一个高性能的HTTP和反向代理web服务器。其特点是占有内存少，并发能力强，事实上nginx的并发能力确实在同类型的网页服务器中表现较好，使用方面。{/callout}{card-default label="nginx作用" width="75%"}{/card-default}精彩文章: 万字总结，体系化带你全面认识 Nginx ！基本使用安装#安装 yum -y install nginx ## 日志目录 mkdir /data/log/nginx/ && chown -R nginx:nginx /data/log/nginx/ ## 缓存目录 mkdir -p /var/cache/nginx/ && chown -R nginx:nginx /var/cache/nginx/配置文件{message type="success" content="配置文件 /etc/nginx/nginx.conf"/}user nobody; worker_processes auto; #nginx对外提供web服务时的worker进程数 error_log /data/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; #设置可由一个worker进程同时打开的最大连接数 } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /data/log/nginx/access.log main buffer=32k flush=30s; server_tokens off; #关闭在错误页面中的nginx版本数字 client_max_body_size 100m; sendfile on; #可以让sendfile函数发挥作用。sendfile函数可以在磁盘和TCP socket之间互相拷贝数据(或任意两个文件描述符) tcp_nopush on; #告诉nginx在一个数据包里发送所有头文件，而不一个接一个的发送 tcp_nodelay on; #不缓存数据 keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; #ssl 配置 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=63072000; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; #nginx缓存 fastcgi_cache_path /var/cache/nginx/ levels=1:2 keys_zone=wordpress:10m inactive=30m use_temp_path=off; fastcgi_cache_key $request_method$scheme$host$request_uri; fastcgi_cache_use_stale error timeout invalid_header updating http_500; fastcgi_cache_valid 200 301 302 10h; fastcgi_cache_valid 404 10m; fastcgi_ignore_headers Expires Set-Cookie Vary; #启动gzip gzip on; gzip_min_length 1k; gzip_buffers 4 16k; gzip_comp_level 7; gzip_types text/css text/plain text/javascript application/javascript application/json application/x-javascript application/xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/rss+xml application/atom_xml image/jpeg image/gif image/png image/icon image/bmp image/jpg; gzip_vary on; # for more information. include /etc/nginx/conf.d/*.conf; } {card-describe title="配置说明"}main 全局配置，对全局生效；events 配置影响 Nginx 服务器与用户的网络连接；http 配置代理，缓存，日志定义等绝大多数功能和第三方模块的配置；server 配置虚拟主机的相关参数，一个 http 块中可以有多个 server 块；location 用于配置匹配的 uri ；upstream 配置后端服务器具体地址，负载均衡配置不可或缺的部分；{/card-describe}{card-default label="层级结构" width="50%"}{/card-default}启动服务systemctl enable --now nginx高级用法泛域名强制跳转{card-describe title="rewrite.conf"}server { listen 80; server_name *.chreagent.com; return 301 https://$http_host$request_uri; } {/card-describe}多级代理获取用户真实IP地址隐藏内容，请前往内页查看详情反向代理配置示例{message type="success" content="包括wss反代配置"/}server { listen 443 ssl http2; server_name mon.itbunan.xyz; server_tokens off; ssl_certificate /etc/nginx/cert/mon.itbunan.xyz_bundle.crt; ssl_certificate_key /etc/nginx/cert/mon.itbunan.xyz.key; ssl_protocols TLSv1.2 TLSv1.3; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; location /ws { proxy_redirect off; proxy_pass http://172.17.0.10:8008; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr:$remote_port; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; } location / { proxy_pass http://172.17.0.10:8008; proxy_set_header Host $host; proxy_set_header Cookie $http_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_cookie_path / "/; httponly; secure; SameSite=Lax"; proxy_redirect http:// https://; add_header Content-Security-Policy upgrade-insecure-requests; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET,POST,DELETE'; add_header 'Access-Control-Allow-Header' 'Content-Type,*'; } }基于客户端IP做并发访问控制在主配置文件内添加 # 针对原始用户 IP 地址做限制 ## 用户的 IP 地址 $binary_remote_addr 作为 Key，每个 IP 地址最多有 50 个并发连接 ## 你想开 几千个连接 刷死我？ 超过 50 个连接，直接返回 503 错误给你，根本不处理你的请求了 limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m ; limit_conn TotalConnLimitZone 50; limit_conn_log_level notice; ## 针对原始用户 IP 地址做限制 ## 用户的 IP 地址 $binary_remote_addr 作为 Key，每个 IP 地址每秒处理 10 个请求 ## 你想用程序每秒几百次的刷我，没戏，再快了就不处理了，直接返回 503 错误给你 limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m rate=10r/s; #limit_req zone=ConnLimitZone burst=10 nodelay; #如果开启此条规则，burst=10的限制将会在nginx全局生效 limit_req_log_level notice;配置需要限制访问频率的server## 具体服务器配置 server { listen 80; location ~ \.php$ { ## 最多 5 个排队， 由于每秒处理 10 个请求 + 5个排队，你一秒最多发送 15 个请求过来，再多就直接返回 503 错误给你了 limit_req zone=ConnLimitZone burst=5 nodelay; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; } 利用计划任务自动更新#每小时58分更新一次 58 * * * * /usr/bin/sh /opt/scripts/add_blackip_for_ddos.sh > /dev/null 2>&1 #没3分钟更新一次 */3 * * * * /usr/bin/sh /opt/scripts/add_blackip_for_ddos_per_min.sh > /dev/null 2>&1{card-describe title="add_blackip_for_ddos.sh"}#!/bin/bash h_time=`env LC_ALL=en_US.en date '+%e/%b/%G:%H'` zjlog='/data/log/nginx/itbunan_access.log' conf='/www/server/panel/vhost/nginx/blackip.conf' #筛选攻击IP tail -n 5000000 $zjlog | grep "$h_time" |awk '{print $1}'| sort -k 1 | uniq -c | sort -rnk 1 | grep -v '::' > /tmp/zj_blackip.txt cat /tmp/zj_blackip.txt | awk '{if($1>400)print "deny "$2";"}' > $conf{/card-describe}{card-describe title="add_blackip_for_ddos_per_min.sh"}#!/bin/bash h_time=`env LC_ALL=en_US.en date '+%e/%b/%G:%H'` zjlog='/data/log/nginx/itbunan_access.log' conf='/www/server/panel/vhost/nginx/blackip.conf' #筛选攻击IP tail -n 5000000 $zjlog | grep "$h_time" |awk '{print $1}'| sort -k 1 | uniq -c | sort -rnk 1 | grep -v '::' > /tmp/zj_blackip.txt cat /tmp/zj_blackip.txt | awk '{if($1>400)print "deny "$2";"}' > $conf{/card-describe}配置加载nginx -s reload查看当前生效配置nginx -T调试lua脚本{message type="success" content="修改nginx配置文件"/}#error_log /home/wwwlogs/nginx_error.log crit; error_log /home/wwwlogs/nginx_error.log debug;网关全站置灰# 修改配置文件nginx.conf http { sub_filter '</head>' '<style type="text/css">html {-webkit-filter: grayscale(.95);}</style></head>'; sub_filter_once on; ... }FAQ清除缓存rm -rf /var/cache/nginx/*隐藏nginx版本号# 修改配置文件,添加 server_tokens off;

采用flask制作web页面管理nginx配置的IP白名单 前言{callout color="#f0ad4e"}公司内部有一个平时用的测试系统，提供给客户做体验，只有简单的几个页面用来测试功能使用，也没有注册验证。最近发现有人滥用，因为调用的是正式的接口，造成了一定的混乱。于是通过nginx访问配置了IP访问白名单。问题又来了，业务那边每次找我添加白名单IP，更烦人了。于是写了web页面，用来控制nginx配置的白名单。让他们自己去添加，世界清静了...{/callout}{card-default label="添加IP页面" width="80%"}{/card-default}获取项目代码传送门启动tar xvf nginx-etcmanager.tgz -C /opt/nginx-proxy/ cd /opt/nginx-proxy/nginx-etcmanager/ screen python3 main.py设置计划任务每到整点，所有申请的白名单IP全部过期0 * * * * flock -xn /tmp/reset_nginx.lock -c 'cd /opt/nginx-proxy/ && sh reset_nginx.sh'{card-describe title="脚本内容"}#!/bin/bash cd /opt/nginx-proxy/conf/ && /bin/cp -f nginx.conf.bak nginx.conf cd /opt/nginx-proxy/ && /usr/local/bin/docker-compose restart{/card-describe}使用web浏览器访问http://ip:3002 {card-default label="使用" width="75%"}{/card-default}说明核心函数@app.route('/api/addip', methods=['GET']) def add_ip(): """ 更新节点IP函数 """ if request.method == 'GET': info = request.values newip = info.get('newip', False) customer = info.get('customer', False) if not is_ipv4(newip): return jsonify({'msg': '输入IP非法', 'code': 1001}) #获取IP地址列表 h_list = get_ip_history() expired ="{}:00".format((datetime.datetime.now() + datetime.timedelta(hours=+1)).strftime("%Y-%m-%d %H")) for item in h_list: jlist = item.split(",") if newip == item[0] and expired == item[1]: return jsonify({'msg': '当前IP可以直接访问，不用更新！', 'code': 1000}) newip_str = "{},{},{}\n".format(newip, expired, customer) #更新nginx配置 cmd = "sed -i '/allow 127.0.0.1;/i\ \ \ \ allow {};' ../conf/nginx.conf && cd /opt/nginx-proxy/ && docker-compose restart".format(newip) status = os.system(cmd) if status == 0: with open('./data/ip_list', 'a+') as fw: fw.write(newip_str) return jsonify({'msg': '更新成功', 'code': 1000}) return jsonify({'msg': '更新失败', 'code': 1001})

centos7系统下安装nginx+php服务 {card-default label="php测试" width="80%"} {/card-default}前言{callout color="#f0ad4e"}nginx + php 用于运行大部分php开发的网站。前几篇文章，都是是运行与docker下的。如果系统不方便使用docker，直接在系统内配置 nginx+php服务{/callout}安装软件yum install nginx yum install php php-xml php-mysql php-mongo php-redis php-memcache php-intl php-mbstring php-mcrypt php-pecl-swoole php-xcache php-pecl-xhprof php-fpm php-opcache配置php-fpm/etc/php.ini隐藏内容，请前往内页查看详情/etc/php-fpm.confinclude=/etc/php-fpm.d/*.conf [global] pid = /var/run/php-fpm/php-fpm.pid error_log = /var/log/php-fpm/php_error.log/etc/php-fpm.d/www.conf[www] listen = /var/run/php-fpm/php-fpm.sock listen.allowed_clients = 127.0.0.1 listen.owner = nginx listen.group = nginx listen.mode = 0660 listen.backlog = 16384 user = nginx group = nginx pm = static pm.max_children = 20 pm.start_servers = 10 pm.min_spare_servers = 10 pm.max_spare_servers = 35 pm.max_requests = 10000 request_terminate_timeout = 180 request_slowlog_timeout = 30 slowlog = /var/log/php-fpm/www-slow.log ;access.log = /opt/servicelogs/php-fpm/access.$pool.log ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{seconds}d %{megabytes}M %{user}C%%" ;ping.path = /php70fpm-ping ;pm.status_path = /phpfpm70-statusnginx/etc/nginx/nginx.conf隐藏内容，请前往内页查看详情/etc/nginx/conf.d/my-wordpress.com.confserver { listen 80 http2; server_name www.chreagent.com chreagent.com; # 请换成自己的域名 rewrite ^(.*) https://$server_name$1 permanent; } server { listen 80 http2; listen 443 ssl http2; server_name www.my-wordpress.com my-wordpress.com; charset utf-8; ssl_certificate "/etc/nginx/ssl/server.crt"; ssl_certificate_key "/etc/nginx/ssl/server.key"; set $host_path "/var/www/html/chreagent"; error_log /var/log/nginx/error_chreagent.log; access_log /var/log/nginx/acc_chreagent.log; root $host_path; # 缓存标记 set $skip_cache 0; if ($query_string != "") { set $skip_cache 1; } if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|sitemap(_index)?.xml") { set $skip_cache 1; } # 登录用户或发表评论者 if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; } location = / { index index.php index.html; try_files /index.php?$args /index.php?$args; } location / { index index.php index.html; try_files $uri $uri/ /index.php?$args; } location ~ ^/\.user\.ini { deny all; } location ~ \.php$ { try_files $uri =404; fastcgi_index index.php; fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_cache wordpress; fastcgi_cache_valid 200 301 302 30m; fastcgi_cache_valid 404 10m; fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; fastcgi_cache_lock on; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; #fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/"; include fastcgi_params; } location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar|jpeg)$ { expires max; access_log off; try_files $uri =404; } }启动systemctl enable --now php-fpm systemctl enable --now nginx

利用goaccess做web服务的访问日志分析 前言{callout color="#f0ad4e"}nginx是我比较常用的web服务器，网站架设成功后，某天访问量激增。将日志文件下载下来，分析访问来源等情况。记录分析过程。正在用caddy代替nginx。{/callout}{card-default label="goaccess" width="80%"}{/card-default}手动分析日志提取日志cat access.log | grep '29/Mar/2022' > /tmp/n.log总请求数cat /tmp/n.log | wc -l按IP请求分布cat /tmp/n.log | awk '{ print $1 }' | sort -k 1 | uniq -c | sort -rnk 1{card-default label="按IP请求分布" width="75%"}{/card-default}每小时访问情况分布cat /tmp/n.log | awk -F'[' '{print $2}' |awk -F':' '{print $1":"$2}'| sort -k 1 | uniq -c | sort -rnk 1{card-default label="每小时访问情况分布" width="75%"}{/card-default}按访问状态码统计cat /tmp/n.log | awk '{print $9}' | sort -k 1 | uniq -c | sort -rnk 1 {card-default label="按访问状态码统计" width="75%"}{/card-default}按接口请求分布cat /tmp/n.log | awk '{print $7}' | sort -k 1 | uniq -c | sort -rnk 1 {card-default label="按接口请求分布" width="75%"}{/card-default}goaccess分析安装# yum安装 yum install -y goaccess # 编译安装最新版 yum install ncurses-devel -y wget https://tar.goaccess.io/goaccess-1.7.tar.gz tar -xzvf goaccess-1.7.tar.gz cd goaccess-1.7/ ./configure --enable-utf8 make make install # 查看版本 /usr/local/bin/goaccess -V配置# 默认版本 vim /etc/goaccess/goaccess.conf # 编译版本 vim /usr/local/etc/goaccess/goaccess.conf{card-describe title="nginx"}log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u" date-format %d/%b/%Y time-format %H:%M:%S{/card-describe}{card-describe title="caddy"}time-format %s date-format %s log-format CADDY{/card-describe}终端分析# 编译版本 /usr/local/bin/goaccess -p /usr/local/etc/goaccess/goaccess.conf -f /var/log/vlive/caddy/n.log{card-default label="结果" width="80%"}{/card-default}web分析# 默认安装版本 goaccess -f /tmp/n.log -p /etc/goaccess/goaccess.conf -o /opt/project/myblog/app/typecho/log.html # 编译版本 /usr/local/bin/goaccess -p /usr/local/etc/goaccess/goaccess.conf -o /opt/vlive/app/v/log.html -f /var/log/vlive/caddy/n.log 访问结果https://v.webzhan.xyz/log.html {card-default label="结果" width="80%"}{/card-default}