内容:
1、LNMP的搭建
2、搭建基于LNMP的discuz论坛(www.hill.com)
3、实现https
4、实现访问http时自动跳转至https以及防盗链设置、URL重写测试
一、LNMP的搭建
我们知道,在apache与php的结合方式有三种,而nginx与php的结合目前只有一种是行之有效的:php-fpm
1、yum直接安装快速搭建LNMP,官方下载nginx的预安装包(rpm包),当然也可以编译安装
#yum install -y prce-devel zlib-devel openssl-devel php-fpm php-mysql mariadb-server
# yum install nginx-1.10.0-1.el7.ngx.x86_64.rpm
2、添加ngixn虚拟主机
[root@localhost pma]# cat /etc/nginx/conf.d/hill.conf
server {
listen 80;
server_name www.hill.com;
root /var/www/html/hill;
location / {
index index.php index.html;
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
}
3、启动相关服务,添加host文件测试
[root@localhost hill]# curl -I www.hill.com HTTP/1.1 200 OK Server: nginx/1.10.0 Date: Mon, 24 Oct 2016 22:17:52 GMT Content-Type: text/html Connection: keep-alive X-Powered-By: PHP/5.4.16
4、测试phpMyAdmin成功
5安装论坛测试访问发帖成功:
二、nginx的https实现
1、搭建根CA服务器(这里在同一台机子上)
[root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/) certs/ crl/ newcerts/ private/ [root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ...+++ ..............................................................................+++ e is 65537 (0x10001) [root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/ certs/ crl/ newcerts/ private/ [root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJING Locality Name (eg, city) [Default City]:BEIJING Organization Name (eg, company) [Default Company Ltd]:hill.com Organizational Unit Name (eg, section) []:ca Common Name (eg, your name or your server‘s hostname) []:ca.hill.com Email Address []: [root@localhost hill]#
2、nginx申请证书签署
[root@localhost hill]# mkdir -p /etc/nginx/ssl [root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048) Generating RSA private key, 2048 bit long modulus ....+++ ......................+++ e is 65537 (0x10001) [root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJIN Locality Name (eg, city) [Default City]:^C [root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJING Locality Name (eg, city) [Default City]:BEIJING Organization Name (eg, company) [Default Company Ltd]:hill.com Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server‘s hostname) []:www.hill.com Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
3、根CA签署证书
[root@localhost CA]# openssl ca -in /etc/nginx/ssl/nginx.csr -out /etc/nginx/ssl/nginx.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 24 22:55:33 2016 GMT Not After : Oct 24 22:55:33 2017 GMT Subject: countryName = CN stateOrProvinceName = BEIJING organizationName = hill.com organizationalUnitName = ops commonName = www.hill.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 06:98:EC:97:95:A6:7A:29:D4:DE:F4:C7:98:ED:D1:01:F9:16:07:8A X509v3 Authority Key Identifier: keyid:F4:2C:6B:72:C4:D0:B5:CF:6F:B8:4E:A5:E1:A6:73:27:6D:6E:88:D3 Certificate is to be certified until Oct 24 22:55:33 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost CA]# [root@localhost CA]# [root@localhost CA]# ll /etc/nginx/ssl/ total 16 -rw-r--r--. 1 root root 4457 Oct 25 06:55 nginx.crt -rw-r--r--. 1 root root 1005 Oct 25 06:54 nginx.csr -rw-------. 1 root root 1679 Oct 25 06:53 nginx.key
4、编辑nginx虚拟主机的配置文件
[root@localhost CA]# cat /etc/nginx/conf.d/hill.conf
server {
listen 443 ssl;
server_name www.hill.com;
root /var/www/html/hill;
location / {
index index.php index.html;
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:sslcache:20m;
}
[root@localhost CA]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost CA]# nginx -s reload
[root@localhost CA]# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:9000 *:*
LISTEN 0 128 *:47112 *:*
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::56155 :::*5、浏览器打开测试成功
四、实现访问http时自动跳转至https以及防盗链设置、URL重写测试
1、http自动跳转https测试:
[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf
server {
listen 443 ssl ;
server_name www.hill.com;
location / {
index index.php index.html;
root /var/www/html/hill;
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:sslcache:20m;
}
server{
listen 80;
server_name www.hill.com;
rewrite ^(.*)$ https://$host$1 permanent ;
}
2、防盗链测试:
添加配置:
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
测试正常
[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf
server {
listen 443 ssl ;
server_name www.hill.com;
location / {
index index.php index.html;
root /var/www/html/hill;
if ($http_user_agent ~* Edge )
{
rewrite ^(.*)$ /test1.html break;
}
if ($http_user_agent ~* Mathon )
{
rewrite ^(.*)$ /test2.html break;
}
if ($http_user_agent ~* firefox )
{
rewrite ^(.*)$ /test3.html break;
}
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:sslcache:20m;
}
server{
listen 80;
server_name www.hill.com;
rewrite ^(.*)$ https://$host$1 permanent ;
}
[12:36 root@centos6.8~]# curl -I -k -e "www.baidu.com" https://www.hill.com
HTTP/1.1 111
Server: nginx/1.10.0
Date: Tue, 25 Oct 2016 10:50:40 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive3、URL重写测试:不同的代理实现不同的效果
添加配置:
if ($http_user_agent ~* Edge )
{
rewrite ^(.*)$ /test1.html break;
}
if ($http_user_agent ~* Mathon )
{
rewrite ^(.*)$ /test2.html break;
}
if ($http_user_agent ~* firefox )
{
rewrite ^(.*)$ /test3.html break;
}测试成功:
[root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf
server {
listen 443 ssl ;
server_name www.hill.com;
location / {
index index.php index.html;
root /var/www/html/hill;
if ($http_user_agent ~* Edge )
{
rewrite ^(.*)$ /test1.html break;
}
if ($http_user_agent ~* Mathon )
{
rewrite ^(.*)$ /test2.html break;
}
if ($http_user_agent ~* firefox )
{
rewrite ^(.*)$ /test3.html break;
}
valid_referers none block server_names ~hill\.com;
if ($invalid_referer)
{
return 111;
}
}
location ~ .*\.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
include fastcgi_params;
}
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:sslcache:20m;
}
server{
listen 80;
server_name www.hill.com;
rewrite ^(.*)$ https://$host$1 permanent ;
}
测试效果有效
附:http核心模块的内置变量:
$uri: 当前请求的uri,不带参数; $request_uri: 请求的uri,带完整参数; $host: http请求报文中host首部;如果请求中没有host首部,则以处理此请求的虚拟主机的主机名代替; $hostname: nginx服务运行在的主机的主机名; $remote_addr: 客户端IP $remote_port: 客户端Port $remote_user: 使用用户认证时客户端用户输入的用户名; $request_filename: 用户请求中的URI经过本地root或alias转换后映射的本地的文件路径; $request_method: 请求方法 $server_addr: 服务器地址 $server_name: 服务器名称 $server_port: 服务器端口 $server_protocol: 服务器向客户端发送响应时的协议,如http/1.1, http/1.0 $scheme: 在请求中使用scheme, 如https://www.domain.com/中的https; $http_HEADER: 匹配请求报文中指定的HEADER,$http_host匹配请求报文中的host首部 $sent_http_HEADER: 匹配响应报文中指定的HEADER,例如$http_content_type匹配响应报文中的content-type首部; $document_root:当前请求映射到的root配置;
本文出自 “6638225” 博客,转载请与作者联系!
原文:http://6638225.blog.51cto.com/6628225/1865327