Configuring hotlink protection
Edit the configuration file
valid_referers defines a whitelist; a request whose Referer does not match it gets a 403
Instead of return 403, deny all can also be used
Nginx access control
Edit the configuration file. Rules are checked in order, and once one matches, no further rules are checked
location defines the directory
allow permits access
deny all
Test if link is ok
Not allowed 128
Matching with a regular expression
Edit the configuration file to match upload|image
Test access to PHP
Access to 1.txt is not restricted and succeeds
Access control by User-Agent
Edit the configuration file
Test access with a User-Agent
To make the match case-insensitive, add an asterisk (*)
Test again
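The hotlink, IP, directory and User-Agent rules described above, combined in one server block. This is an added example, not the original page's configuration; the domain test.com, the paths, the /admin/ directory, the network range and the agent names are assumptions.

```nginx
server {
    listen 80;
    server_name test.com;                  # assumed domain
    root /data/wwwroot/test.com;           # assumed document root

    # Hotlink protection: whitelist of acceptable Referer values.
    # none = no Referer header, blocked = Referer stripped by a proxy or firewall.
    location ~* \.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|doc|pdf)$ {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    # IP access control: rules are checked top to bottom, first match wins.
    location /admin/ {                     # assumed protected directory
        allow 127.0.0.1;
        allow 192.168.0.0/24;              # assumed internal network
        deny all;
    }

    # Files under upload/ or image/ must never run as PHP.
    # Other files there, such as 1.txt, are still served.
    location ~ .*(upload|image)/.*\.php$ {
        deny all;
    }

    # User-Agent filter; ~* makes the match case-insensitive.
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato') {   # assumed agent names
        return 403;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}
```

The Referer and User-Agent headers are chosen by the client, so those two rules deter casual hotlinking and crawlers rather than authenticate anyone; the allow/deny rules act on the connection's source address. After a reload, curl -e with a foreign referer against an image and curl -A with a listed agent should both return 403.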
Nginx PHP parsing configuration
After the configuration is added but before it is loaded, PHP cannot be parsed
After the configuration file is loaded
If the sock file path is wrong, a 502 error is returned
Accessing again after the reload returns 502
View the error log
The error message is as follows
The sock file cannot be accessed because the file does not exist
Check the file path defined in php-fpm.conf
Change php-fpm to listen on an IP and port
Check the syntax for errors
View the ports
Error log does not exist
Make the corresponding change in the configuration file test.conf: replace fastcgi_pass with the IP and port
location ~ \.php$
{
    # include copies all the text in the specified file into the file that uses the include statement
    include fastcgi_params;
    # fastcgi_pass specifies the address the FastCGI server listens on: a sock file, or an IP and port, which can be local or on another host
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    # fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # SCRIPT_FILENAME is the path of the requested script file
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/zlw.com$fastcgi_script_name;
}
When a 502 occurs, check that the php-fpm configuration and test.conf are written consistently
The root above must be consistent with the path in SCRIPT_FILENAME.
When listening on a sock file without defining listen.mode, the permissions become 440
The owner and the group become root
Reload
View the sock file permissions
In the configuration file test.com.conf, fastcgi_pass uses unix: to read the sock file
Test access to PHP: Permission denied
The nobody user needs to be able to read the sock file
After changing the file owner, access works again
Nginx proxy
Write a new configuration file
proxy_pass is the address of the real web server
Check the syntax and reload the configuration
Test
An Nginx proxy is a proxy server set up for a domain name. The domain name may point to more than one IP; the user's request passes through the proxy server, which forwards it to the web server at the specified IP. When the domain name points to multiple IPs, upstream is needed so that users can reach each IP properly through the proxy server; this is load balancing.
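A proxy configuration with upstream for the multiple-IP case just described. This is an added example, not the original page's configuration; the pool name, domain and backend addresses are placeholders.

```nginx
upstream web_pool {                        # assumed pool name
    # Two real web servers behind one domain name; addresses are placeholders.
    # After 3 failures within 30s a server is skipped for 30s.
    server 192.0.2.10:80 max_fails=3 fail_timeout=30s;
    server 192.0.2.11:80 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name www.example.com;           # assumed domain served through the proxy

    location / {
        proxy_pass http://web_pool;
        # Try the next server in the pool when this one errors, times out or returns 502.
        proxy_next_upstream error timeout http_502;
        # Pass the original Host header so the backend selects the right virtual host.
        proxy_set_header Host $host;
        # Pass the client address; backends should trust these headers only from the proxy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```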
Common 502 errors
1. Configuration errors
Nginx returns the error because it cannot find php-fpm. Usually the path configured after fastcgi_pass is wrong; what follows it may be a socket or ip:port.
2. Resource exhaustion
In the LNMP architecture, Nginx hands PHP requests directly to the back-end PHP-FPM service. If the Nginx request volume is high and php-fpm has not been given enough child processes, PHP-FPM runs out of resources; once they are exhausted, Nginx cannot reach PHP-FPM and a 502 error appears.
Solution
Increase the pm.max_children value in php-fpm.conf. It cannot be raised without limit, since resources are finite: in general, a machine with 4 GB of memory that runs PHP-FPM and Nginx but not MySQL can be set to 150, one with 8 GB to 300, and so on.
3. Causes other than the two above are rare. Use the Nginx error log to troubleshoot: vim /usr/local/nginx/logs/nginx_error.log. The log level can also be defined: vim /usr/local/nginx/conf/nginx.conf and find error_log. The default is crit, the strictest level, which is fine; it can be changed to debug to show the most complete information, but that can easily fill the disk.
First we need the site to be accessible from a browser
Modify the Nginx configuration file
# vim /usr/local/nginx/conf/vhosts/111.conf
server
{
    listen 80;
    # domain name
    server_name www.111.com;
    index index.html index.htm index.php;
    root /data/www/;
    location ~ \.php$ {
        include fastcgi_params;
        # changed to the sock file
        fastcgi_pass unix:/tmp/www.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}
Check that the syntax is correct
# /usr/local/nginx/sbin/nginx -t
Reload the configuration file
# /usr/local/nginx/sbin/nginx -s reload
# /etc/init.d/nginx reload
Check which user Nginx is running as
# ps aux | grep nginx
Edit the php-fpm file
In this php-fpm file, set the socket's owner and group to the user Nginx runs as, so that a 502 is not returned
# vim /usr/local/php/etc/php-fpm.conf
[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /usr/local/php/var/log/php-fpm.log
[www]
listen = /tmp/www.sock
user = php-fpm
group = php-fpm
; defines the owner of the socket
listen.owner = nobody
; defines the group of the socket
listen.group = nobody
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
Restart php-fpm after the configuration is complete
# /etc/init.d/php-fpm restart
PS: One more point, about a problem many students have run into recently.
In this example a socket is used. In version 5.4 and later, the default permission of the listening socket file is read-only for the owner, with no permissions for the group or other users. The user Nginx runs as (nobody in our configuration) therefore cannot read the socket file, which results in a 502; the problem can be found in the Nginx error log. The workaround is simple, and the configuration file above already contains settings that avoid this problem:
; defines the owner of the socket
listen.owner = nobody
; defines the group of the socket
listen.group = nobody
These two settings define the owner and group of the socket. There is also another way:
listen.mode = 777
This also gives the nobody user read access.
In the Nginx configuration file, location mainly takes these forms:
1. Regular-expression match: location ~ /abc {}
2. Case-insensitive regular-expression match: location ~* /abc {}
3. Path-prefix match that stops the search when found: location ^~ /abc {}
4. Exact match: location = /abc {}
5. Normal path-prefix match: location /abc {}
First, the priority:
4 > 3 > 2 > 1 > 5
Let's explain the various formats.
location = / {
    # Exact match for /; no string may follow the host name
    [Configuration A]
}
location / {
    # Every address begins with /, so this rule matches all requests, but regular-expression and longest-string matches are tried first
    [Configuration B]
}
location /documents/ {
    # Matches any address beginning with /documents/; after the match the search continues, and this block is used only if no later regular expression matches
    [Configuration C]
}
location ~ /documents/abc {
    # Matches any address beginning with /documents/; after the match the search continues, and this block is used only if no later regular expression matches
    [Configuration CC]
}
location ^~ /images/ {
    # Matches any address beginning with /images/; on a match, the regular-expression search stops and this block is used
    [Configuration D]
}
location ~* \.(gif|jpg|jpeg)$ {
    # Matches all requests ending in gif, jpg or jpeg. However, all requests under /images/ are handled by Configuration D, because ^~ keeps them from reaching this regular expression
    [Configuration E]
}
location /images/ {
    # Prefix match on /images/; the search continues and finds that ^~ exists
    [Configuration F]
}
location /images/abc {
    # The longest prefix match is /images/abc; the search continues and finds that ^~ exists. The placement order of F and G does not matter
    [Configuration G]
}
location ~ /images/abc/ {
    # Only effective if Configuration D is removed: the longest prefix match is the address in Configuration G, the search continues, this regular expression matches and is used
    [Configuration H]
}
Next, analyze the order in which the A-H configurations take effect.
- The following 2 configurations exist at the same time
location = / {
    [Configuration A]
}
location / {
    [Configuration B]
}
In this case A takes effect, because = / has higher priority than /
- The following 3 configurations exist at the same time
location /documents/ {
    [Configuration C]
}
location ~ /documents/ {
    [Configuration CB]
}
location ~ /documents/abc {
    [Configuration CC]
}
When the URL accessed is /documents/abc/1.html, CC takes effect: first, CB has higher priority than C, and CC takes precedence over CB
- The following 4 configurations exist at the same time
location ^~ /images/ {
    [Configuration D]
}
location /images/ {
    [Configuration F]
}
location /images/abc {
    [Configuration G]
}
location ~ /images/abc/ {
    [Configuration H]
}
When the link being accessed is /images/abc/123.jpg, D takes effect. Although all 4 rules match, ^~ has the highest priority.
If ^~ does not exist, H takes effect, because ~ /images/ > /images/
When /images/ and /images/abc both exist, /images/abc has higher priority because it is more precise
- The following 2 configurations exist at the same time
location ~* \.(gif|jpg|jpeg)$ {
    [Configuration E]
}
location ~ /images/abc/ {
    [Configuration H]
}
When the link visited is /images/abc/123.jpg, E takes effect, because the rule above is more precise.
Nginx hotlink protection, access control, PHP parsing configuration, proxy