一、配置虚拟主机

更改目录权限

[root@www ~]# chown php-fpm /data/www/data/ -R

配置

[root@www ~]# cd /etc/nginx/

[root@www nginx]# cd vhosts/
[root@www vhosts]# ls
default.conf  test.conf

[root@www vhosts]# vim default.conf     //默认拒绝所有访问

server
{
    listen 80 default;
    server_name localhost;
    index index.html index.htm index.php;
    root /tmp/1234;
    deny all;
}

二、php-fpm配置

[root@www ~]# ls /usr/local/php/etc/php-fpm.conf
/usr/local/php/etc/php-fpm.conf

[root@www ~]# vim /usr/local/php/etc/php-fpm.conf

[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /usr/local/php/var/log/php-fpm.log
[www]
listen = /tmp/www.sock
user = php-fpm
group = php-fpm
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

slowlog = /tmp/www_slow.log
request_slowlog_timeout = 1
php_admin_value[open_basedir]=/data/www/:/tmp/

[www1]
listen = /tmp/www1.sock
user = php-fpm
group = php-fpm
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

检查配置

[root@www ~]# /usr/local/php/sbin/php-fpm -t
[20-Dec-2015 14:05:37] NOTICE: configuration file /usr/local/php/etc/php-fpm.conf test is successful

重新加载php-fpm

[root@www ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

三、配置测试网站（discuz）

1、创建虚拟主机文件

[root@www vhosts]# vim test.conf

server
{
    listen 80;
    server_name www.test.com;     //网站域名
    index index.html index.htm index.php;
    root /data/www;       //网站目录

    location ~ \.php$ {
        include fastcgi_params;
       fastcgi_pass unix:/tmp/www.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}

2、测试访问

[root@sh ~]# curl -x192.168.1.21:80 www.test.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.6
Date: Sun, 20 Dec 2015 06:11:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.14
location: forum.php

四、Nginx用户认证

1、虚拟主机增加location配置

[root@www vhosts]# vim test.conf

server
{
    listen 80;
    server_name www.test.com;
    index index.html index.htm index.php;
    root /data/www;

   location ~ .*admin\.php$ {
        auth_basic "huangmingming auth";
        auth_basic_user_file /etc/nginx/conf/.htpasswd;

       include fastcgi_params;                       //php解析配置
        fastcgi_pass unix:/tmp/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

   }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}

[root@www vhosts]# nginx -t

[root@www vhosts]# nginx -s reload

2、创建用户认证文件

[root@www vhosts]# mkdir /etc/nginx/conf

[root@www vhosts]# htpasswd -c /etc/nginx/conf/.htpasswd harry   //创建第一个用户
New password:  
Re-type new password:  
Adding password for user harry
[root@www vhosts]# htpasswd /etc/nginx/conf/.htpasswd ming     //创建第二个用户
[root@www vhosts]# cat /etc/nginx/conf/.htpasswd
harry:$apr1$tLcd/Cpg$1cE3aiuJpmVsebxniuZzr.
ming:$apr1$Ckjy886O$NBiy1emHZmgnJQU6D4SZ01

3、测试访问

[root@www vhosts]# curl -x127.0.0.1:80  www.test.com/admin.php

401 Authorization Required

401 Authorization Required

---

nginx/1.9.6


[root@www vhosts]# curl -x127.0.0.1:80 -uharry:123 www.test.com/admin.php   //正常解析

五、Nginx域名跳转（域名重定向）

[root@www vhosts]# vim test.conf

server
{
    listen 80;
    server_name www.test.com www.aaa.com;
   if ($host != 'www.test.com')
    {
        rewrite ^/(.*)$ http://www.test.com/$1 permanent;
    }

    index index.html index.htm index.php;
    root /data/www;

    location ~ .*admin\.php$ {
        auth_basic "huangmingming auth";
        auth_basic_user_file /etc/nginx/conf/.htpasswd;

        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/www.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}

[root@www vhosts]# nginx -t
[root@www vhosts]# nginx -s reload

[root@www vhosts]# curl -x127.0.0.1:80 www.aaa.com -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.6
Date: Sun, 20 Dec 2015 06:50:46 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.test.com/

[root@www vhosts]# curl -x127.0.0.1:80 www.test.com/111 -I
HTTP/1.1 404 Not Found
Server: nginx/1.9.6
Date: Sun, 20 Dec 2015 06:53:12 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

百度搜索引擎站点统计

site:www.qq.com

六、Nginx不记录指定文件类型日志

1、日志的格式

log_format combined_realip（日志名称） '$remote_addr $http_x_forwarded_for [$time_local]'

[root@www vhosts]# vim test.conf

 1 server
  2 {
  3     listen 80;
  4     server_name www.test.com www.aaa.com www.bbb.com;
  5     if ($host != 'www.test.com')
  6     {
  7         rewrite ^/(.*)$ http://www.test.com/$1 permanent;
  8     }
  9
 10     index index.html index.htm index.php;
 11     root /data/www;
12     access_log /tmp/nginx_access.log combined_realip;     //指定日志类型及存储目录

[root@www vhosts]# cat /tmp/nginx
nginx/            nginx_access.log  
[root@www vhosts]# cat /tmp/nginx_access.log
127.0.0.1 - [20/Dec/2015:15:16:35 +0800]www.bbb.com "/" 301"-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
127.0.0.1 - [20/Dec/2015:15:16:40 +0800]www.test.com "/" 301"-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
127.0.0.1 - [20/Dec/2015:15:16:48 +0800]www.aaa.com "/111" 301"-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
192.168.1.103 - [20/Dec/2015:15:16:53 +0800]www.test.com "/forum.php" 200"-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.1.103 - [20/Dec/2015:15:16:53 +0800]www.test.com "/home.php?mod=misc&ac=sendmail&rand=1450595813" 200"http://www.test.com/forum.php" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
[root@www vhosts]#

2、配置不记录指定类型日志

14     location ~ .*admin\.php$ {
 15         auth_basic "huangmingming auth";
 16         auth_basic_user_file /etc/nginx/conf/.htpasswd;
 17
 18         include fastcgi_params;
 19         fastcgi_pass unix:/tmp/www.sock;
 20         fastcgi_index index.php;
 21         fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
 22     }
23     location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
 24     {
 25         access_log off;    //off，不记录
 26     }
27     location ~ (static|cache)
 28     {
 29         access_log off;
 30     }
31
 32     location ~ \.php$ {
 33         include fastcgi_params;
 34         fastcgi_pass unix:/tmp/www.sock;
 35         #fastcgi_pass 127.0.0.1:9000;
 36         fastcgi_index index.php;
 37         fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
 38     }
 39 }

验证

[root@www vhosts]# > /tmp/nginx_access.log

[root@www vhosts]# nginx -s reload
[root@www vhosts]# cat /tmp/nginx_access.log

七、Nginx日志切割

[root@www vhosts]# vim /usr/local/sbin/nginx_logrotate.sh    //指定日志脚本存储位置
#!/bin/bash
d=`date -d "-1 day" +%F`
[ -d /tmp/nginx_log ] || mkdir /tmp/nginx_log
mv /tmp/nginx_access.log /tmp/nginx_log/$d.log
/etc/init.d/nginx reload > /dev/null
cd /tmp/nginx_log/
gzip -f $d.log

[root@www nginx_log]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%F
+ d=2015-12-19
+ '[' -d /tmp/nginx_log ']'
+ mv /tmp/nginx_access.log /tmp/nginx_log/2015-12-19.log
+ /etc/init.d/nginx reload
+ cd /tmp/nginx_log/
+ gzip -f 2015-12-19.log

[root@www ~]# cd /tmp/nginx_log/
[root@www nginx_log]# ls
2015-12-19.log.gz
[root@www nginx_log]# cat /tmp/nginx_access.log

八、Nginx配置静态文件过期时间（静态缓存）

[root@www ~]# vim /etc/nginx/vhosts/test.conf

23     location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
 24     {
25         access_log off;
 26         expires 15d;    //15天过期
 27     }
 28     location ~ \.(js|css)
 29     {
30         access_log off;
 31         expires 2h;    //2小时过期
 32     }
 33
 34     location ~ (static|cache)
 35     {
 36         access_log off;
 37     }

九、Nginx防盗链配置

[root@www ~]# vim /etc/nginx/vhosts/test.conf

23     location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|gz|bz2)$
 24     {
 25         access_log off;
 26         expires 15d;
27         valid_referers none blocked *.test.com *.aaa.com *.bbb.com;
 28         if ($invalid_referer)
 29         {
 30            return 403;
 31         }
 32     }

[root@www ~]# nginx -t
[root@www ~]# nginx -s reload
测试
[root@www ~]# curl -e "http://www.baidu.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'

HTTP/1.1 403 Forbidden

[root@www ~]# curl -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
HTTP/1.1 200 OK
Server: nginx/1.9.6

[root@www ~]# curl -e "http://www.aaa.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
HTTP/1.1 200 OK

[root@www ~]# curl -e "http://www.bbb.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
HTTP/1.1 200 OK

[root@www ~]# curl -e "http://www.bbb1.com/111" -I -x127.0.0.1:80 'http://www.test.com/data/attachment/forum/201512/15/040601ei6r33uxki0gunlr.jpg'
HTTP/1.1 403 Forbidden

十、Nginx访问控制

1、针对某一个目录

[root@www ~]# vim /etc/nginx/vhosts/test.conf

15     location ~ .*admin\.php$ {
16         allow 127.0.0.1;
 17         deny all;
 18         include fastcgi_params;
 19         fastcgi_pass unix:/tmp/www.sock;
 20         fastcgi_index index.php;
 21         fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
 22     }

2、全局配置
[root@www ~]# vim /etc/nginx/vhosts/test.conf

 1 server
  2 {
  3     listen 80;
  4     server_name www.test.com www.aaa.com www.bbb.com;
  5     if ($host != 'www.test.com')
  6     {  
  7         rewrite ^/(.*)$ http://www.test.com/$1 permanent;
  8     }
  9
 10     index index.html index.htm index.php;
 11     root /data/www;
 12     access_log /tmp/nginx_access.log combined_realip;
13     deny 192.168.1.218;     //
14     deny 192.168.1.0/24;    //针对一个网段

3、测试

[root@www ~]# curl -x127.0.0.1:80 www.test.com/admin.php -I
HTTP/1.1 200 OK
[root@www ~]# curl -x192.168.1.21:80 www.test.com/admin.php -I
HTTP/1.1 403 Forbidden
[root@www ~]# curl -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 200 OK

十一、nginx禁止指定user_agent

 1 server
  2 {
  3     listen 80;
  4     server_name www.test.com www.aaa.com www.bbb.com;
  5     if ($host != 'www.test.com')
  6     {  
  7         rewrite ^/(.*)$ http://www.test.com/$1 permanent;
  8     }
  9
 10     index index.html index.htm index.php;
 11     root /data/www;
 12     access_log /tmp/nginx_access.log combined_realip;
 13     deny 192.168.1.218;
 14
15     if ($http_user_agent ~* 'curl|baidu|111111')   //  *表示不区分大小写
 16         {
 17                 return 403;
 18         }

[root@www ~]# curl -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 403 Forbidden

[root@www ~]# curl -A "2121" -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 200 OK

[root@www ~]# curl -A "baidu11" -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 403 Forbidden

[root@www ~]# curl -A "baid11" -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 200 OK

[root@www ~]# curl -A "111111" -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 403 Forbidden

[root@www ~]# curl -A "111" -x192.168.1.21:80 www.test.com/forum.php -I
HTTP/1.1 200 OK

十二、Nginx代理

1、代理指定域名

[root@www ~]# vim /etc/nginx/vhosts/proxy.conf

server {
    listen 80;
    server_name www.baidu.com;

    location / {
        proxy_pass http://14.215.177.38/;    //百度IP地址
        #proxy_set_header Host $host;
    }
}

测试

[root@www ~]# curl -x192.168.1.21:80 www.baidu.com

[root@www ~]# curl -x192.168.1.21:80 www.baidu.com -I
HTTP/1.1 200 OK

[root@www ~]# curl -x127.0.0.1:80 www.baidu.com -I
HTTP/1.1 200 OK

dig工具

[root@www ~]# dig www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37398
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.            IN    A

;; ANSWER SECTION:
www.baidu.com.        600    IN    CNAME    www.a.shifen.com.
www.a.shifen.com.    600    IN    A    14.215.177.37
www.a.shifen.com.    600    IN    A    14.215.177.38

;; Query time: 23 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Dec 20 18:51:24 2015
;; MSG SIZE  rcvd: 90

2、一个域名对应多个IP代理

[root@www ~]# vim /etc/nginx/vhosts/proxy.conf

upstream ming{      //指定名称
    server 14.215.177.37:80;
    server 14.215.177.38:80;
}
server {
    listen 80;
    server_name www.baidu.com;

    location / {
        proxy_pass http://ming/;
        proxy_set_header Host $host;
        #proxy_set_header X-Real-IP $remote-addr;
    }
}

[root@www ~]# nginx -t
[root@www ~]# nginx -s reload

[root@www ~]# curl -x192.168.1.21:80 www.baidu.com -I
HTTP/1.1 200 OK

本文转自 HMLinux 51CTO博客，原文链接:http://blog.51cto.com/7424593/1728434