内容:1、LNMP的搭建2、搭建基于LNMP的discuz论坛(www.hill.com)3、实现https4、实现访问http时自动跳转至https以及防盗链设置、URL重写测试一、LNMP的搭建我们知道,在apache与php的结合方式有三种,而nginx与php的结合目前只有一种是行之有效的:php-fpm
1、yum直接安装快速搭建LNMP,官方下载nginx的预安装包(rpm包),当然也可以编译安装#yum install -y prce-devel zlib-devel openssl-devel php-fpm php-mysql mariadb-server
# yum install nginx-1.10.0-1.el7.ngx.x86_64.rpm 2、添加ngixn虚拟主机[root@localhost pma]# cat /etc/nginx/conf.d/hill.conf server { listen 80; server_name www.hill.com; root /var/www/html/hill; location / { index index.php index.html; } location ~ .*\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name; include fastcgi_params; } }
3、启动相关服务,添加host文件测试[root@localhost hill]# curl -I www.hill.com HTTP/1.1 200 OK Server: nginx/1.10.0 Date: Mon, 24 Oct 2016 22:17:52 GMT Content-Type: text/html Connection: keep-alive X-Powered-By: PHP/5.4.16
4、测试phpMyAdmin成功
5、安装论坛测试访问发帖成功:
二、nginx的https实现1、搭建根CA服务器(这里在同一台机子上)[root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/) certs/ crl/ newcerts/ private/ [root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus …+++ ……………………………………………………………………+++ e is 65537 (0x10001) [root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/ certs/ crl/ newcerts/ private/ [root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. —– Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJING Locality Name (eg, city) [Default City]:BEIJING Organization Name (eg, company) [Default Company Ltd]:hill.com Organizational Unit Name (eg, section) []:ca Common Name (eg, your name or your servers hostname) []:ca.hill.com Email Address []: [root@localhost hill]#
2、nginx申请证书签署[root@localhost hill]# mkdir -p /etc/nginx/ssl [root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048) Generating RSA private key, 2048 bit long modulus ….+++ ………………….+++ e is 65537 (0x10001) [root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. —– Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJIN Locality Name (eg, city) [Default City]:^C [root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. —– Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJING Locality Name (eg, city) [Default City]:BEIJING Organization Name (eg, company) [Default Company Ltd]:hill.com Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your servers hostname) []:www.hill.com Email Address []: Please enter the following extra attributes to be sent with your certificate request A challenge password []: An optional company name []:
3、根CA签署证书[root@localhost CA]# openssl ca -in /etc/nginx/ssl/nginx.csr -out /etc/nginx/ssl/nginx.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 24 22:55:33 2016 GMT Not After : Oct 24 22:55:33 2017 GMT Subject: countryName = CN stateOrProvinceName = BEIJING organizationName = hill.com organizationalUnitName = ops commonName = www.hill.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 06:98:EC:97:95:A6:7A:29:D4:DE:F4:C7:98:ED:D1:01:F9:16:07:8A X509v3 Authority Key Identifier: keyid:F4:2C:6B:72:C4:D0:B5:CF:6F:B8:4E:A5:E1:A6:73:27:6D:6E:88:D3 Certificate is to be certified until Oct 24 22:55:33 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost CA]# [root@localhost CA]# [root@localhost CA]# ll /etc/nginx/ssl/ total 16 -rw-r–r–. 1 root root 4457 Oct 25 06:55 nginx.crt -rw-r–r–. 1 root root 1005 Oct 25 06:54 nginx.csr -rw——-. 1 root root 1679 Oct 25 06:53 nginx.key
4、编辑nginx虚拟主机的配置文件[root@localhost CA]# cat /etc/nginx/conf.d/hill.conf server { listen 443 ssl; server_name www.hill.com; root /var/www/html/hill; location / { index index.php index.html; } location ~ .*\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name; include fastcgi_params; } ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m; } [root@localhost CA]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@localhost CA]# nginx -s reload [root@localhost CA]# ss -tanl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:9000 *:* LISTEN 0 128 *:47112 *:* LISTEN 0 50 *:3306 *:* LISTEN 0 128 *:111 *:* LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 *:443 *:* LISTEN 0 128 :::111 :::* LISTEN 0 128 :::22 :::* LISTEN 0 100 ::1:25 :::* LISTEN 0 128 :::56155
5、浏览器打开测试成功
三、实现访问http时自动跳转至https以及防盗链设置、URL重写测试1、http自动跳转https测试:[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf server { listen 443 ssl ; server_name www.hill.com; location / { index index.php index.html; root /var/www/html/hill; valid_referers none block server_names ~hill\.com; if ($invalid_referer) { return 111; } } location ~ .*\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name; include fastcgi_params; } ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m; } server{ listen 80; server_name www.hill.com; rewrite ^(.*)$ https://$host$1 permanent ; }
2、防盗链测试: 添加配置:valid_referers none block server_names ~hill\.com; if ($invalid_referer) { return 111; }
测试正常[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf server { listen 443 ssl ; server_name www.hill.com; location / { index index.php index.html; root /var/www/html/hill; if ($http_user_agent ~* Edge ) { rewrite ^(.*)$ /test1.html break; } if ($http_user_agent ~* Mathon ) { rewrite ^(.*)$ /test2.html break; } if ($http_user_agent ~* firefox ) { rewrite ^(.*)$ /test3.html break; } valid_referers none block server_names ~hill\.com; if ($invalid_referer) { return 111; } } location ~ .*\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name; include fastcgi_params; } ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m; } server{ listen 80; server_name www.hill.com; rewrite ^(.*)$ https://$host$1 permanent ; } [12:36 root@centos6.8~]# curl -I -k -e “www.baidu.com” https://www.hill.com HTTP/1.1 111 Server: nginx/1.10.0 Date: Tue, 25 Oct 2016 10:50:40 GMT Content-Type: application/octet-stream Content-Length: 0 Connection: keep-alive
3、URL重写测试:不同的代理实现不同的效果 添加配置:if ($http_user_agent ~* Edge ) { rewrite ^(.*)$ /test1.html break; } if ($http_user_agent ~* Mathon ) { rewrite ^(.*)$ /test2.html break; } if ($http_user_agent ~* firefox ) { rewrite ^(.*)$ /test3.html break; }
测试成功:[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf server { listen 443 ssl ; server_name www.hill.com; location / { index index.php index.html; root /var/www/html/hill; if ($http_user_agent ~* Edge ) { rewrite ^(.*)$ /test1.html break; } if ($http_user_agent ~* Mathon ) { rewrite ^(.*)$ /test2.html break; } if ($http_user_agent ~* firefox ) { rewrite ^(.*)$ /test3.html break; } valid_referers none block server_names ~hill\.com; if ($invalid_referer) { return 111; } } location ~ .*\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name; include fastcgi_params; } ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:sslcache:20m; } server{ listen 80; server_name www.hill.com; rewrite ^(.*)$ https://$host$1 permanent ; }
测试效果有效
附:http核心模块的内置变量:$uri: 当前请求的uri,不带参数; $request_uri: 请求的uri,带完整参数; $host: http请求报文中host首部;如果请求中没有host首部,则以处理此请求的虚拟主机的主机名代替; $hostname: nginx服务运行在的主机的主机名; $remote_addr: 客户端IP $remote_port: 客户端Port $remote_user: 使用用户认证时客户端用户输入的用户名; $request_filename: 用户请求中的URI经过本地root或alias转换后映射的本地的文件路径; $request_method: 请求方法 $server_addr: 服务器地址 $server_name: 服务器名称 $server_port: 服务器端口 $server_protocol: 服务器向客户端发送响应时的协议,如http/1.1, http/1.0 $scheme: 在请求中使用scheme, 如https://www.domain.com/中的https; $http_HEADER: 匹配请求报文中指定的HEADER,$http_host匹配请求报文中的host首部 $sent_http_HEADER: 匹配响应报文中指定的HEADER,例如$http_content_type匹配响应报文中的content-type首部; $document_root:当前请求映射到的root配置;