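nginx's default virtual host lets users reach the server by IP address, or through a domain name that has not been configured (for example, if someone points their own domain at your IP).
By default, any domain that resolves to the server's IP can be used to access it.
To prevent this, edit nginx.conf and change the default virtual host to the following, which blocks access through unbound domain names:
server {
    listen 80 default;
    return 500;
}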
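If you would rather collect this traffic and steer it to your own site, a redirect like the following is all that is needed:
server {
    listen 80 default;
    rewrite ^(.*) http:// permanent;
}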
If you want to forbid access by IP address, write it like this:
server {
    listen 80 default;
    server_name _;
    return 500;
}
Running nginx kept reporting this error:
nginx: [warn] the "log_format" directive may be used only on "http" level in xxx/nginx.conf:95
Although it is only a warning, I decided to take a closer look at how the configuration is structured.
example:
log_format gzip '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" "$gzip_ratio"';
access_log /spool/logs/nginx-access.log gzip buffer=32k;
access_log
Syntax: access_log path [ format [ buffer = size ]]
        access_log off
Default: logs/access.log combined
Context: http, server, location, if in location, limit_except
Reference: access_log
The access_log directive sets the path, format and buffer size for the access log file. Using "off" as the only parameter clears all access_log directives for the current level. If the format is not indicated, it defaults to "combined". The size of buffer must not exceed the size of the atomic record for writing into the disk file. This size is not limited for FreeBSD 3.0-6.0.
The log file path can contain variables (version >=0.7.4) but such logs have some limitations:
worker user must have permission to create files in;
buffering does not work;
for each log entry, the file is opened and immediately closed after writing the record. However, descriptors of frequently used files may be stored in open_log_file_cache. Regarding log rotation, it must be kept in mind that over time (which is set by the parameter valid of directive open_log_file_cache), logging can still continue to the old file.
Nginx supports powerful access log separation per location. Accesses can also be output to more than one log at the same time. For more details, see the Multiple access_log directives in different contexts thread on the mailing list.
log_format
Syntax: log_format name string ...
Default: combined "..."
Context: http
Reference: log_format
The log_format directive describes the format of a log entry. You can use general variables in the format, as well as variables which exist only at the moment of writing into the log:
$body_bytes_sent, the number of bytes, transmitted to client minus the response headers. This variable is compatible with the %B parameter of Apache's mod_log_config (this was called $apache_bytes_sent, before version 0.3.10)
$bytes_sent, the number of bytes transmitted to client
$connection, the number of connection
$msec, the current time at the moment of writing the log entry (microsecond accuracy)
$pipe, "p" if request was pipelined
$request_length, the length of the body of the request
$request_time, the time it took nginx to work on the request, in seconds with millisecond precision (just seconds for versions older than 0.5.19)
$status, status of answer
$time_iso8601, time in ISO 8601 format, e. g. 2011-03-21T18:52:25+03:00 (added in 0.9.6)
$time_local, local time into common log format.
The headers, transmitted to client, begin from the prefix "sent_http_", for example, $sent_http_content_range.
Note that variables produced by other modules can also be logged. For example, you can log upstream response headers with the prefix "upstream_http_"; see upstream.
There is a predefined log format called "combined":
log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
Reference documentation: http://wiki.nginx.org/NginxHttpLogModule#open_log_file_cache
Solution:
In /usr/local/nginx/conf/nginx.conf, move the following code out of the server block and place it before that server block.
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
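If other virtual hosts have logging enabled, move their log_format out of the server block in the same way and place it before the server block.
Then run /usr/local/nginx/sbin/nginx -t to test the configuration; the warning no longer appears.
nginx's message is quite clear: the directive belongs at the http level, not inside a server block.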
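A small check for the mistake described above, as an added example (not code from the original page or from nginx): it walks an nginx configuration and reports every log_format directive that is not directly inside the http block. The tokenizer is simplified, and the sample configuration and the function name are constructed for illustration.

```python
import re

# Quoted strings, comments, braces, semicolons, then bare words.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|#[^\n]*|[{};]|[^\s{};'"#][^\s{};]*""")

def misplaced_log_formats(conf_text):
    """Return (line, context) for every log_format that is not directly in http."""
    findings, stack, words = [], [], []
    for m in TOKEN.finditer(conf_text):
        tok = m.group(0)
        if tok.startswith("#"):              # comment: ignore
            continue
        if tok == "{":                       # block opens: remember its name
            stack.append(words[0][0] if words else "")
            words = []
        elif tok == "}":                     # block closes
            if stack:
                stack.pop()
            words = []
        elif tok == ";":                     # end of a simple directive
            if words and words[0][0] == "log_format" and stack != ["http"]:
                findings.append((words[0][1], "/".join(stack) or "main"))
            words = []
        else:                                # directive name or argument
            line = conf_text.count("\n", 0, m.start()) + 1
            words.append((tok, line))
    return findings

# Constructed sample: one log_format at the http level, one inside a server block.
SAMPLE = """\
http {
    log_format gzip '$remote_addr [$time_local] "$request" $status "$gzip_ratio"';
    server {
        listen 80;
        # misplaced: this is the placement that produces the warning
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" $http_x_forwarded_for';
        access_log logs/access.log main;
    }
}
"""

if __name__ == "__main__":
    for line, ctx in misplaced_log_formats(SAMPLE):
        print(f"line {line}: log_format inside {ctx}; move it up to the http level")
```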
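An introduction to nginx's caching features, for study and reference.
1. Traditional cache, method one (404)
This approach sends nginx's 404 errors to the backend and then uses proxy_store to save the page the backend returns.
Configuration: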
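location / {
    root /home/html/;  # document root
    expires 1d;  # page expiry time
    error_page 404 =200 /fetch$request_uri;  # send 404s to the /fetch location
}
location /fetch/ {  # 404s are redirected here
    internal;  # this location cannot be requested directly from outside
    expires 1d;  # page expiry time
    alias /home/html/;  # file-system path of the virtual directory; must match location /, because proxy_store saves files under this directory
    proxy_pass <backend-url>;  # placeholder for the backend address
    proxy_set_header Accept-Encoding '';  # tell the backend not to return compressed (gzip or deflate) content; storing compressed content causes trouble
    proxy_store on;  # have nginx save the files returned by the proxy
    proxy_temp_path /home/tmp;  # temporary directory; must be on the same disk partition as /home/html
}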
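One more thing to watch when using this: nginx needs permission to write files under /home/tmp and /home/html. On Linux, nginx is usually configured to run as the nobody user, so these two directories should be chown'ed to nobody and dedicated to that user. chmod 777 would also work, but every experienced system administrator will advise against using 777 casually.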
2. Traditional cache, method two (!-e)
The principle is basically the same as the 404 redirect, but more concise:
root /home/html/;
proxy_store on;
proxy_set_header Accept-Encoding '';
proxy_temp_path /home/tmp;
if ( !-f $request_filename )
{
proxy_pass ?id=1
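, because nginx saves only the file name, so this link is stored on the file system just as read.php, and a user who requests read.php?id=2 gets an incorrect result. It also does not support -o size=2500M -o nr_inodes=480000 -o noatime,nodiratime -o remount /dev/shm
The command above is used on a machine with 3 GB of memory. Because the default maximum size of /dev/shm is half of system memory, i.e. 1500M, this command raises it to 2500M. The default number of inodes on the shm file system may also be insufficient, but interestingly it can be adjusted at will; 480000 here is a little conservative, but basically enough.
3. memcached-based cache
nginx has some support for memcached. The functionality is not especially powerful, but the performance is excellent.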
location /mem/ {
    if ( $uri ~ "^/mem/([0-9A-Za-z_]*)$" )
    {
        set $memcached_key "$1";  # the captured path segment becomes the memcached key
        memcached_pass 192.168.1.2:11211;
    }
    expires 70;
}
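This configuration will
/path/to/cache levels=1:2 keys_zone=NAME:10m inactive=5m max_size=2m clean_time=1m;
Note that this configuration goes outside the server block. levels specifies that the cache space has two levels of hash directories: the first-level directory name is 1 character and the second-level name is 2 characters, so a saved file name looks like /path/to/cache/c/29/b7f54b2df7773722d382f4809d65029c. keys_zone gives the space a name, and 10m means the zone size is 10 MB. The 5m of inactive is the default cache lifetime of 5 minutes. The 2m of max_size means that a single file larger than 2m is not cached. clean_time specifies that the cache is cleaned once a minute.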
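location / {
    proxy_pass <backend-url>;  # placeholder for the backend address
    proxy_cache NAME;  # use the keys_zone named NAME
    proxy_cache_valid 200 302 1h;  # keep 200 and 302 responses for 1 hour
    proxy_cache_valid 301 1d;  # keep 301 responses for one day
    proxy_cache_valid any 1m;  # keep everything else for one minute
}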
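How the levels=1:2 layout described above maps a cache key to a file, and how to check that a cache file really belongs to the key it claims, as an added example (not from the original page or from nginx). It assumes the file name is the MD5 of the cache key and that the file header records the key in a "KEY: " line, as current nginx versions do; the function names, sample key and sample file bytes are constructed.

```python
import hashlib
import re

def path_for_digest(cache_root, digest, levels=(1, 2)):
    """Build the on-disk path for an MD5 hex digest under the given levels."""
    parts, end = [], len(digest)
    for width in levels:                 # each level takes `width` hex chars from the end
        parts.append(digest[end - width:end])
        end -= width
    return "/".join([cache_root.rstrip("/")] + parts + [digest])

def cache_file_path(cache_root, key, levels=(1, 2)):
    """Path of the cache file for `key` (the expanded cache key string)."""
    return path_for_digest(cache_root, hashlib.md5(key.encode()).hexdigest(), levels)

def verify_cache_file(path, raw):
    """True if the KEY recorded in the file header hashes to the file's own name."""
    m = re.search(rb"\nKEY: ([^\n]*)\n", raw)
    if not m:
        return False
    return hashlib.md5(m.group(1)).hexdigest() == path.rsplit("/", 1)[-1]

# Constructed sample: a key that includes the query string, and a minimal fake
# cache file (binary header bytes, KEY line, then the stored response).
SAMPLE_KEY = "httpbackend.example/read.php?id=1"
SAMPLE_FILE = b"\x05\x00\x00\x00\nKEY: " + SAMPLE_KEY.encode() + b"\nHTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    # The page's own example digest lands in c/29/.
    print(path_for_digest("/path/to/cache", "b7f54b2df7773722d382f4809d65029c"))
    p1 = cache_file_path("/path/to/cache", SAMPLE_KEY)
    p2 = cache_file_path("/path/to/cache", SAMPLE_KEY.replace("id=1", "id=2"))
    # Unlike proxy_store, which keeps only the file name, keys that differ in the
    # query string map to different cache files.
    print(p1 != p2, verify_cache_file(p1, SAMPLE_FILE), verify_cache_file(p2, SAMPLE_FILE))
```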