
WebServer 基本配置文件

Apache 简单静态网页托管

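# Plain-HTTP virtual host serving static files from DocumentRoot.
# A VirtualHost takes exactly one ServerName; extra hostnames must be
# declared with ServerAlias. The original had two ServerName lines, and
# the second silently replaced the first, so requests for iitii.me were
# never matched by this host.
<VirtualHost *:80>
    ServerName iitii.me
    ServerAlias mail.iitii.me
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/v

    # APACHE_LOG_DIR is taken from Apache's environment (Debian/Ubuntu
    # export it from envvars).
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet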

Apache SSL

需要先激活对应 mod,如 ssl,rewrite。

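# HTTPS virtual host for chat.ccatk.tw. Needs mod_ssl and mod_rewrite
# (a2enmod ssl rewrite); the HSTS header additionally needs mod_headers.
#
# Changes from the original: the HTTP->HTTPS rewrite used to sit inside
# this *:443 host, where %{HTTPS} is always "on", so it never fired — it
# now lives in a companion *:80 host. SSLProtocol is pinned to TLS 1.2/1.3.
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName chat.ccatk.tw
    DocumentRoot /var/www/FileList

    SSLEngine On
    SSLOptions +StrictRequire
    # TLS 1.0/1.1 are deprecated. "+TLSv1.3" requires Apache 2.4.36+ built
    # against OpenSSL 1.1.1+; drop that token on older builds or httpd will
    # refuse the directive.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/ssl/chat.ccatk.tw/pub.crt
    SSLCertificateKeyFile /etc/ssl/chat.ccatk.tw/private.key
    # Point this at the issuing CA chain if pub.crt does not already
    # include it; clients without the intermediate will otherwise fail
    # certificate validation.
    # SSLCertificateChainFile /etc/ssl/chat.ccatk.tw/<chain-file>

    Options +FollowSymLinks
    # index.php is presumably handled by a PHP module configured elsewhere
    # (nothing in this host wires one up) — confirm.
    DirectoryIndex index.php

    <IfModule mod_headers.c>
        # HSTS, 63072000 s = 2 years; "always" also covers error responses.
        Header always set Strict-Transport-Security "max-age=63072000"
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# Plain-HTTP host for the same name that only redirects to HTTPS.
<VirtualHost *:80>
    ServerName chat.ccatk.tw
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R=301]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet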

nginx 简单静态网页托管

# Default plain-HTTP server that serves static files from the stock
# nginx html directory. Nothing here is TLS-protected; the HTTPS examples
# further down add the ssl_* directives.
server {
    listen 80 default_server;
    server_name www.example.com;

    location / {
        # "root" appends the request URI to this path; "alias" would
        # substitute the matched prefix instead — kept commented as a
        # reminder of the alternative.
        # alias /usr/share/nginx/html;
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

简单文件目录浏览

  • 中文乱码 -> charset utf-8;
  1. autoindex on; //开启目录浏览功能;
  2. autoindex_exact_size off; //关闭详细文件大小统计,让文件大小显示MB,GB单位,默认为b;
  3. autoindex_localtime on; //开启以服务器本地时区显示文件修改日期!
    # Default server that exposes /movie as a browsable directory listing.
    # autoindex publishes the whole tree under /movie to anyone who can
    # reach port 80 — there is no authentication in this block (the
    # password-protected variant further down adds auth_basic).
    server {
        listen 80 default_server;
        server_name _;
        # Without charset utf-8, non-ASCII file names render as mojibake
        # in the generated listing.
        charset utf-8;

        location / {
            # alias /usr/share/nginx/html;
            root /movie;
            index index.html index.htm;
            # Enable the listing; show sizes in KB/MB/GB instead of raw
            # bytes; render modification times in the server's local zone.
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;
        }
    }

    https静态页面托管

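# HTTPS static site (hexo output). Changes from the original: the
# deprecated "ssl on" directive is replaced by the ssl parameter on
# listen, and the 3DES suites (*-DES-CBC3-SHA) are removed from
# ssl_ciphers — "!DES" only excludes single DES, so they were still being
# offered; "!3DES" is added to keep them out of HIGH as well.
server {
    listen 443 ssl;
    server_name blog.nchu-cn.tw;
    root /www/hexo/;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/_.nchu-cn.tw.pem;
    ssl_certificate_key /etc/nginx/ssl/_.nchu-cn.tw.key;
    ssl_session_timeout 1h;
    ssl_session_cache shared:MozSSL:10m;
    # Tickets off: session resumption then relies on the server-side cache.
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "AES128+EECDH:AES128+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

    # HSTS (ngx_http_headers_module is required); 63072000 s = 2 years.
    # "always" adds the header on error responses too.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling. nginx needs a "resolver" directive (here or at http
    # level) to look up the OCSP responder's hostname — add one if it is
    # not already configured.
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/root_CA_cert_plus_intermediates;

    location / {
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }
}
# Plain-HTTP listener that only redirects to HTTPS (query string is kept).
server {
    listen 80;
    server_name blog.nchu-cn.tw;
    return 301 https://$host$request_uri;
}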

密码访问

# htpasswd ships with the Apache utilities package; install it on the
# distribution in use.
yum install httpd-tools # CentOS
sudo apt-get install apache2-utils # Ubuntu

  • 重点在于:auth_basic "movie:movie";auth_basic_user_file /movie/.htpasswd;

    用户&密码

    # Managing the credentials file with htpasswd.
    # -c (re)creates the file and discards every existing entry.
    # -b takes the password on the command line, so it ends up in the
    # shell history and is visible in the process list while running —
    # prefer the prompting form on shared hosts.
    $ htpasswd -c /var/www/html/.htpasswd user1  # prompts twice for the password; creates the file and wipes all existing users!
    $ htpasswd -bc /var/www/html/.htpasswd user1 password # no prompt: sets user1's password to "password" directly
    $ htpasswd -b /var/www/html/.htpasswd user2 password # adds a user; if the user already exists, changes the password
    $ htpasswd -D /var/www/html/.htpasswd user2 # deletes the user

    conf

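    # Password-protected HTTPS site. Two fixes over the original:
    #  - auth_basic / auth_basic_user_file are moved from "location /" up
    #    to server level. A regex location such as "~ \.php$" does not
    #    inherit them from a sibling prefix location, so every PHP script
    #    was reachable without credentials.
    #  - TLS 1.0/1.1 are dropped from ssl_protocols.
    # Basic auth sends the credentials (base64, not encrypted) with every
    # request, which is only acceptable because this host is TLS-only.
    server {
        listen 443 ssl;
        server_name movie.iitii.me;
        root /movie/;
        index index.php index.html index.htm index.nginx-debian.html movie.php;

        # Applies to every location below, including the PHP handler.
        # The credentials file lives under the document root; the
        # "~ /\.ht" location at the bottom keeps it from being served.
        auth_basic "movie:movie";
        auth_basic_user_file /movie/.htpasswd;

        ssl_certificate /etc/nginx/ssl/movie.iitii.me/pem.pem;
        ssl_certificate_key /etc/nginx/ssl/movie.iitii.me/key.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # "debug" is extremely verbose and records request details; lower
        # it (e.g. warn) once the site works.
        error_log /var/log/nginx/movie_error.log debug;
        access_log /var/log/nginx/movie_accss.log;

        location / {
            try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

        # Never serve .htpasswd / .htaccess.
        location ~ /\.ht {
            deny all;
        }
    }
    # Plain-HTTP listener that only redirects to HTTPS.
    server {
        listen 80;
        server_name movie.iitii.me;
        return 301 https://$host$request_uri;
    }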

    PHP 动态网页托管(无 SSL)

    sudo apt-get install php-fpm php-mysql
    vim /etc/php/7.0/fpm/php.ini
    设置 cgi.fix_pathinfo=0
    sudo systemctl restart php7.2-fpm

# Plain-HTTP PHP site (default server on IPv4 and IPv6). There is no TLS
# in this block, so anything typed into these pages crosses the network
# in clear text.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mail.iitii.me;

    root /var/www/FileList;
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Hand *.php to PHP-FPM over the unix socket. Pairs with the
    # cgi.fix_pathinfo=0 setting from the steps above, so FPM never falls
    # back to executing a file other than the one named in the URI.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    # Never expose .htaccess / .htpasswd files.
    location ~ /\.ht {
        deny all;
    }
}

PHP + SSL

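# PHP site over HTTPS. Changes from the original: the deprecated "ssl on"
# directive (deprecated since nginx 1.15) is replaced by the ssl parameter
# on listen, and TLS 1.0/1.1 are removed from ssl_protocols.
server {
    listen 443 ssl;
    server_name mail.iitii.me;
    root /var/www/FileList;
    index index.php index.html index.htm index.nginx-debian.html;

    ssl_certificate /etc/ssl/mail.iitii.me/pem.pem;
    ssl_certificate_key /etc/ssl/mail.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }

    # PHP-FPM handler; relies on cgi.fix_pathinfo=0 in php.ini (see the
    # PHP section above) so FPM only executes the file named in the URI.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    # Never expose .htaccess / .htpasswd files.
    location ~ /\.ht {
        deny all;
    }
}
# Plain-HTTP listener that only redirects to HTTPS.
server {
    listen 80;
    server_name mail.iitii.me;
    return 301 https://$host$request_uri;
}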
  • Another way
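# WordPress site answering on both 80 and 443 from a single server block.
# Fixes over the original:
#  - the "break" after "rewrite ... permanent" was unreachable (the
#    permanent flag returns the 301 immediately) and is dropped;
#  - the asset regex "\.(js|css)?$" had an optional extension group, which
#    made it match any URI ending in "."; it is now "\.(js|css)$".
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.realyoung.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.realyoung.cc/privkey.pem;
    server_name www.realyoung.cc;
    access_log /data/wwwlogs/www.realyoung.cc_nginx.log combined;
    index index.html index.htm index.php;

    root /data/wwwroot/www.realyoung.cc;

    include /usr/local/nginx/conf/rewrite/wordpress.conf;
    #error_page 404 /404.html;
    #error_page 502 /502.html;

    # $ssl_protocol is empty on plain-HTTP connections: force HTTPS.
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
    # Canonical hostname.
    if ($host != "www.realyoung.cc") {
        rewrite ^/(.*)$ https://www.realyoung.cc/$1 permanent;
    }

    # Matches /x.php and /x.php/path-info. There is no try_files guard
    # here, so this relies on cgi.fix_pathinfo=0 in php.ini (see the PHP
    # section above); without it FPM may execute an uploaded non-PHP
    # file when a "/file.ext/x.php" style URI is requested.
    location ~ [^/]\.php(/|$) {
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    # Static assets: long cache lifetime, no access logging.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)$ {
        expires 7d;
        access_log off;
    }
    # Never expose .htaccess / .htpasswd files.
    location ~ /\.ht {
        deny all;
    }
}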

nginx 反代 node.js (负载均衡)

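# Reverse proxy in front of a node.js app on 127.0.0.1:3000 (plain HTTP).
# Fixes over the original: the custom error pages were wired to
# "location = /xxx/xxx/40x.html" while error_page redirects to the URI
# "/404.html", so those locations were never hit and the error URI was
# proxied to node instead; X-Forwarded-Proto is added so the app can tell
# which scheme the client used.
upstream node {
    server 127.0.0.1:3000;
    # proxy_http_version 1.1 plus the empty Connection header below only
    # reuse connections once a pool exists — add "keepalive <n>;" here.
}
server {
    listen 80 default_server;
    server_name _;
    #root /xxx/xxx/hxxydexx/;

    #set $my_server_name $scheme://$server_name;

    #if ( $my_server_name != https://$server_name ) {
    # rewrite ^ https://$server_name$request_uri? permanent;
    #}

    error_log /var/log/nginx/hyde_error.log error;
    #access_log /var/log/nginx/hyde_accss.log main;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the
        # client supplied; the app should trust only the last (this
        # proxy's) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # upstream group defined above
        proxy_pass http://node;
    }

    # Custom error pages. error_page performs an internal redirect to the
    # URI, so the location must match that URI; "internal" keeps clients
    # from requesting the pages directly. Replace /xxx/xxx with the
    # directory that holds 404.html and 50x.html. Errors generated by
    # node itself are only replaced if proxy_intercept_errors is on.
    error_page 404 /404.html;
    location = /404.html {
        root /xxx/xxx;
        internal;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /xxx/xxx;
        internal;
    }
}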

nginx 反代 node.js (反代 HTTP 类型网站 + 负载均衡 + ssl)

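# TLS-terminating reverse proxy for the node.js app (plain HTTP on
# 127.0.0.1:3000). Changes from the original: TLS 1.0/1.1 removed from
# ssl_protocols; X-Forwarded-Proto added so the app knows the client
# arrived over HTTPS even though the proxied hop is http://.
upstream node {
    server 127.0.0.1:3000;
    # proxy_http_version 1.1 plus the empty Connection header below only
    # reuse connections once a pool exists — add "keepalive <n>;" here.
}
server {
    listen 443 ssl default_server;
    server_name dl.iitii.me;

    #set $my_server_name $scheme://$server_name;

    #if ( $my_server_name != https://$server_name ) {
    # rewrite ^ https://$server_name$request_uri? permanent;
    #}
    ssl_certificate /etc/nginx/ssl/dl.iitii.me/dl.pem;
    ssl_certificate_key /etc/nginx/ssl/dl.iitii.me/dl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    error_log /var/log/nginx/RemoteDl_error.log error;
    access_log /var/log/nginx/RemoteDl_accss.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the
        # client supplied; the app should trust only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # upstream group defined above
        proxy_pass http://node;
    }

    # error_page 404 /404.html;
    # location = /xxx/xxx/40x.html {
    # }

    # error_page 500 502 503 504 /50x.html;
    # location = /xxx/xxx/50x.html {
    # }
}
# Plain-HTTP listener that only redirects to HTTPS.
server {
    listen 80;
    server_name dl.iitii.me;
    return 301 https://$host$request_uri;
}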

HTTPS 反代 (反代 HTTPS 类型网站 + 负载均衡 + ssl)

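# TLS-terminating reverse proxy that re-encrypts to an HTTPS origin.
# Changes from the original:
#  - redundant, deprecated "ssl on" removed (listen already has "ssl");
#  - TLS 1.0/1.1 dropped from ssl_protocols;
#  - header name "X-Real_IP" corrected to "X-Real-IP", matching the other
#    examples on this page (an nginx-based origin would also drop the
#    underscore form by default, see underscores_in_headers);
#  - SNI is sent to the origin with proxy_ssl_server_name/proxy_ssl_name.
upstream iitii {
    server openwrt.iitii.me:443;
}
# Plain-HTTP catch-all that only redirects to HTTPS.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name china.iitii.me;
    ssl_certificate /etc/nginx/ssl/china.iitii.me/pem.pem;
    ssl_certificate_key /etc/nginx/ssl/china.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2 TLSv1.3;
    #error_log /var/log/nginx/RemoteDl_error.log error;
    #access_log /var/log/nginx/RemoteDl_accss.log;
    location / {
        proxy_pass https://iitii;
        # Send SNI for the real origin name; with an upstream group the
        # default ($proxy_host) would be the group name "iitii".
        proxy_ssl_server_name on;
        proxy_ssl_name openwrt.iitii.me;
        # nginx does not verify the origin's certificate by default, so
        # this hop is encrypted but not authenticated. To close that gap:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <path-to-CA-bundle>;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        # Ask the origin for uncompressed responses; paired with
        # proxy_buffering off to stream them through.
        proxy_set_header Accept-Encoding '';
        proxy_buffering off;
    }
}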

HTTP 负载均衡

# HTTP load balancing over two origins. With weight=2, app.example.com
# receives roughly twice as many requests as 10.10.12.45.
upstream backend {
    server 10.10.12.45:80 weight=1;
    server app.example.com:80 weight=2;
}
server {
    # No "listen" is given, so nginx uses its default port for this
    # server (80 when started as root, otherwise 8000).
    location / {
        proxy_pass http://backend;
    }
}

TCP负载平衡,如MySQL查询

# Layer-4 (stream) load balancing, e.g. MySQL read replicas. Connections
# are relayed byte-for-byte: nginx neither terminates nor adds TLS here,
# so whatever the client and server negotiate is the only protection.
# "listen 3306" binds every interface — restrict it with a firewall or an
# explicit address if the replicas must not be reachable from outside.
stream {
    upstream mysql_read {
        # weight=5: read1 gets five connections for each one sent to read2.
        server read1.example.com:3306 weight=5;
        server read2.example.com:3306;
        # backup: only used when the primaries are unavailable.
        server 10.10.12.34:3306 backup;
    }
    server {
        listen 3306;
        proxy_pass mysql_read;
    }
}

UDP负载平衡,如DNS查询

# UDP load balancing. Note that this example actually balances NTP
# (port 123), not DNS; a DNS variant would listen on 53 udp.
stream {
    upstream ntp {
        # weight=2: ntp1 receives twice the traffic of ntp2.
        server ntp1.example.com:123 weight=2;
        server ntp2.example.com:123;
    }
    server {
        listen 123 udp;
        proxy_pass ntp;
    }
}

通过geoIP来获取客户端的粗略地理位置

apt install nginx-module-geoip

# Load the dynamic GeoIP module (installed above as nginx-module-geoip),
# then point it at the country and city databases. The "..." stands for
# the rest of the http block and must be replaced in a real config.
# NOTE(review): these .dat files are the legacy GeoIP (v1) format —
# confirm they are still obtainable for your setup.
load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so"; 
http {
geoip_country /etc/nginx/geoip/GeoIP.dat;
geoip_city /etc/nginx/geoip/GeoLiteCity.dat;
...
}