nginx禁止ip访问

在server区直接写上

deny ip;

比如:

# Requests from this single address are refused with 403; place the rule in the server (or a location) block.
deny 192.168.0.3;

如果是deny all;就是禁止所有外部访问,一般是对某些目录的设置,比如放置配置文件、框架核心文件、保密文件等目录。

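# Block a whole subnet. The part after "/" is a CIDR prefix length (0-32 for
# IPv4); the original "/255" is not a valid prefix and nginx refuses to load
# the configuration. /24 is an example: use the prefix that covers the range
# you actually mean to block.
deny 192.168.0.0/24;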

测试了一下一个天天来抓我日志的博客ip,看看是否有效。。。

try_files和request_filename

之前nginx里判断是否要重写,都是这样写的:

# Legacy front-controller rewrite: when the requested path is neither an
# existing file nor an existing directory (-e), pass the original URI to
# /index.php as a path suffix.
if (!-e $request_filename ) {
 # $1 is the complete original URI, leading slash included.
 rewrite  ^(.*)$  /index.php/$1  last;
  # NOTE(review): "last" already ends rewrite processing here and ^(.*)$ always
  # matches, so this break looks unreachable - confirm before relying on it.
  break; 
}

现在有try_files,可以更简洁

# Check the URI as a file, then as a directory; if neither exists, redirect
# internally to the last argument.
# NOTE(review): $uri already starts with "/", so the fallback becomes /index.php//path - confirm the application accepts that.
try_files $uri $uri/ /index.php/$uri;

try_files后面的参数除最后一个外,其他都是要依次检查的文件和目录;如果这些文件和目录在服务器上都不存在,则内部跳转到最后一个参数指定的URI。最后一个参数也可以是一个命名location(以@开头):

# Same file/directory check, but the fallback is the named location @fallback
# (named locations are reachable only through internal redirects, never directly by a client).
try_files $uri $uri/ @fallback;

然后单独定义fallback区块

location @fallback {
.....
}

 

nginx反向代理设置

PURGE最新版下载:
http://labs.frickle.com/nginx_ngx_cache_purge/
Tcmalloc 优化Nginx性能
64位操作系统请先安装libunwind库,32位操作系统不要安装。libunwind库为基于64位CPU和操作系统的程序提供了基本的堆栈辗转开解功能,其中包括用于输出堆栈跟踪的API、用于以编程方式辗转开解堆栈的API以及支持C++异常处理机制的API。
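# Build and install libunwind as position-independent code (-fPIC).
# Check the tarball against the checksum published by its maintainers before
# unpacking: "make install" normally runs as root, so whatever is in the
# archive ends up installed system-wide.
tar zxvf libunwind-0.99.tar.gz
# Subshell: if cd fails nothing is built in the wrong directory, and the
# calling shell stays in the source directory for the next tarball.
(
  cd libunwind-0.99/ &&
    CFLAGS=-fPIC ./configure &&
    make CFLAGS=-fPIC &&
    make CFLAGS=-fPIC install
)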
安装google-perftools:

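# Build and install google-perftools (provides the tcmalloc library).
# Verify the tarball against a checksum from a trusted source before unpacking.
tar zxvf google-perftools-1.7.tar.gz
# Subshell keeps the caller in the source directory and stops at the first
# failing step.
(
  cd google-perftools-1.7/ &&
    ./configure &&
    make &&
    make install
)

# Register /usr/local/lib with the dynamic linker. The quotes must be plain
# ASCII quotes: typographic quotes are not shell syntax, so they would be
# written into the file as part of the path and the entry would not match
# any directory.
echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
/sbin/ldconfig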

查看是否好用,启动nginx

lsof -n|grep tcmalloc
如果出现下面的就表示成功了
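# Build and install PCRE, then fetch the ngx_cache_purge module source.
tar zxvf pcre-8.12.tar.gz
# Subshell: the caller stays in the source directory (replaces the "cd ../").
(
  cd pcre-8.12/ &&
    ./configure &&
    make &&
    make install
)

# The download is plain HTTP, so the archive can be altered in transit, and it
# is later compiled into a daemon that is started as root. Unpack it only after
# its SHA-256 matches a value obtained from a source you trust.
wget http://labs.frickle.com/files/ngx_cache_purge-1.3.tar.gz
purge_sha256='REPLACE_WITH_SHA256_FROM_A_TRUSTED_SOURCE'  # placeholder, not a real digest
echo "${purge_sha256}  ngx_cache_purge-1.3.tar.gz" | sha256sum -c - &&
  tar zxvf ngx_cache_purge-1.3.tar.gz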
上传 nginx-static-etags
http://nginx.localdomain.pl/wiki/UpstreamFair
加入负载均衡模块
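# Build nginx with three third-party modules (ngx_cache_purge, upstream-fair,
# nginx-static-etags). Third-party module code runs inside the nginx processes;
# review and verify each archive before compiling it in.
tar zxvf gnosek-nginx-upstream-fair-2131c73.tar.gz

# nginx 1.0.6 is the release this walkthrough was written for and is long out
# of support; on an exposed host build a currently maintained release instead.
# Fetch over HTTPS and unpack only after the SHA-256 matches a trusted value.
wget https://nginx.org/download/nginx-1.0.6.tar.gz
nginx_sha256='REPLACE_WITH_SHA256_FROM_A_TRUSTED_SOURCE'  # placeholder, not a real digest
echo "${nginx_sha256}  nginx-1.0.6.tar.gz" | sha256sum -c - &&
  tar zxvf nginx-1.0.6.tar.gz

# Unprivileged service account for the worker processes: no login shell (-s)
# and no home directory (-M), since nothing ever logs in as this user.
/usr/sbin/groupadd www
/usr/sbin/useradd -g www -s /sbin/nologin -M www

# Options must start with two ASCII hyphens ("--"); the typographic dashes in
# the pasted command are not recognised by ./configure.
# Subshell: a failed cd or configure stops the build, and the caller stays in
# the source directory.
(
  cd nginx-1.0.6/ &&
    ./configure \
      --user=www \
      --group=www \
      --prefix=/usr/local/webserver/nginx \
      --add-module=../ngx_cache_purge-1.3 \
      --add-module=../gnosek-nginx-upstream-fair-2131c73 \
      --add-module=/usr/local/src/nginx-static-etags \
      --with-http_stub_status_module \
      --with-http_ssl_module \
      --with-google_perftools_module &&
    make &&
    make install
)

# Log directory, writable by and owned by the service account.
mkdir -p /usr/local/webserver/nginx/logs
chmod +w /usr/local/webserver/nginx/logs
chown -R www:www /usr/local/webserver/nginx/logs

# Directories for proxy temp files and the on-disk cache; -p makes the step
# repeatable when /data already exists.
mkdir -p /data/proxy_temp /data/proxy_cache

# Raises the open-file limit for this shell and the processes it starts only.
ulimit -SHn 65535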
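# Cache zone "cache_one": 200 MB of shared memory for keys, entries not
# requested for 1 day are removed, at most 30 GB on disk.
# The path is /data/proxy_cache, the directory created by the mkdir step and
# used by the proxy_cache_path line in nginx.conf. A keys_zone name can be
# declared only once, so keep a single copy of this directive.
proxy_cache_path /data/proxy_cache levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=30g;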
############################################################################################

# Worker processes run as this unprivileged user and group.
user www www;

worker_processes 8;

# Only messages of severity "crit" or higher are written. Lower-severity
# entries (for example the "error"-level lines nginx writes when an allow/deny
# rule rejects a request) are not recorded, which leaves little to work with
# when investigating an incident.
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit;

pid /usr/local/webserver/nginx/nginx.pid;

# Directive of the google_perftools module: file-name prefix for profile output.
# NOTE(review): /var/tmp is normally world-writable - confirm the profiles go
# to a directory that only the nginx user can write to.
google_perftools_profiles /var/tmp/tcmalloc;

# Upper limit on the number of file descriptors a worker process may open.
worker_rlimit_nofile 65535;

events 
{
use epoll;
worker_connections 65535;
}

http 
{
include mime.types;
default_type application/octet-stream;

charset utf-8;

server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 8m;

sendfile on;
tcp_nopush on;

keepalive_timeout 60;

tcp_nodelay on;

fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on; #404 page

proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_buffer_size 32k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 1024m;
proxy_ignore_client_abort on;

gzip on;
gzip_proxied any;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 5;
gzip_types text/plain application/x-javascript text/css text/xml;
gzip_vary on;

#limit_zone crawler $binary_remote_addr 10m;

proxy_temp_path /data/proxy_temp;
proxy_cache_path /data/proxy_cache levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=30g;

upstream backend_server {
#重要,代理的服务器ip
server 122.122.122.122:80;
}

server
{
listen 80;
server_name img.doudou.com 192.168.2.200;
index index.htm index.html index.php;

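# Cache purge endpoint (ngx_cache_purge module). The pattern is anchored with ^
# so that only URIs beginning with /purge/ reach it; without the anchor any URI
# that merely contains "/purge/" was routed here.
location ~ ^/purge(/.*)
{
    # Purging is restricted by source address only. Anyone inside an allowed
    # range can evict cached objects and push the load back onto the backend,
    # so keep the ranges as narrow as possible.
    allow 127.0.0.1;
    allow 192.168.0.0/16;
    # NOTE(review): 124.90.0.0/16 is a public range of 65,536 addresses -
    # confirm it is really yours, or replace it with the exact admin address.
    allow 124.90.0.0/16;
    deny all;
    # Must build the same string as the proxy_cache_key of the caching
    # locations ($host$uri$is_args$args), otherwise nothing is found to purge.
    proxy_cache_purge cache_one $host$1$is_args$args;
}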

# Default location: everything not matched by a regex location is proxied to
# the backend without caching.
location /
{
# Pass the Host header value requested by the client on to the backend.
proxy_set_header Host $host;
# Replaces any X-Forwarded-For value sent by the client with the address nginx
# actually saw, so the backend cannot be fed a forged client address.
# NOTE(review): if another proxy sits in front of this server, $remote_addr is that proxy - confirm.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://backend_server;
# Tells clients to cache the response for 12 hours.
expires 12h;
}

# Image and media files: proxied to the backend and stored in the cache_one zone.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico|wav|mid)$
{
# Retry on another upstream server for these failures.
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_cache cache_one;
# Cache lifetime by response status.
proxy_cache_valid 200 304 12h;
proxy_cache_valid 301 302 1m;
proxy_cache_valid any 1m;
# The key is host + path + query string; the purge location must build the same string.
proxy_cache_key $host$uri$is_args$args;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
# Ask the backend for an uncompressed response.
proxy_set_header Accept-Encoding "";
# The backend's Cache-Control and Expires headers are not honoured when
# deciding whether to cache, so a response marked private or no-store is
# cached as well. Only route URLs here whose content is the same for every user.
proxy_ignore_headers "Cache-Control" "Expires";
proxy_pass http://backend_server;
expires 30d;
# NOTE(review): FileETag / etag_format are not core nginx directives; presumably
# they come from the nginx-static-etags module added at build time - confirm.
FileETag on;
etag_format "%X%X";

}

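# JavaScript and CSS: proxied to the backend and stored in the cache_one zone.
# The "?" after the extension group was removed: it made the extension
# optional, so any URI that simply ended in "." was cached by this block too.
location ~ .*\.(js|css)$
{
    # Retry on another upstream server for these failures.
    proxy_next_upstream http_502 http_504 error timeout invalid_header;
    proxy_cache cache_one;
    # Cache lifetime by response status.
    proxy_cache_valid 200 304 12h;
    proxy_cache_valid 301 302 1m;
    proxy_cache_valid any 1m;
    # Host + path + query string; the purge location builds the same string.
    proxy_cache_key $host$uri$is_args$args;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    # Ask the backend for an uncompressed response.
    proxy_set_header Accept-Encoding "";
    # Backend Cache-Control / Expires are not honoured for the caching
    # decision; only content identical for every user belongs here.
    proxy_ignore_headers "Cache-Control" "Expires";
    proxy_pass http://backend_server;
    expires 7d;
}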

# .htm pages: proxied to the backend and stored in the shared cache_one zone.
location ~ .*\.htm$
{
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_cache cache_one;
proxy_cache_valid 200 304 12h;
proxy_cache_valid 301 302 1m;
proxy_cache_valid any 1m;
# The key holds only host, path and query string - nothing that identifies the user.
proxy_cache_key $host$uri$is_args$args;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Accept-Encoding "";
# The backend's Cache-Control and Expires headers are not honoured for the
# caching decision, so a page the backend marks private or no-store is still
# cached and then served to every visitor for up to 12 hours.
# NOTE(review): confirm that no .htm page carries per-user content.
proxy_ignore_headers "Cache-Control" "Expires";
proxy_pass http://backend_server;
expires 5d;
}

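# PHP requests are always passed to the backend and never cached.
# The "?" after the extension group was removed: it made the extension
# optional, so the pattern also matched any URI that simply ended in ".".
location ~ .*\.(php|php5)$
{
    proxy_set_header Host $host;
    # Overwrites any client-supplied X-Forwarded-For with the address nginx saw.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://backend_server;
}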

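# Connection statistics page (stub_status module).
location /doudoustatus
{
    stub_status on;
    access_log off;
    # The counters describe the server's load to anyone who can fetch the
    # page, and the basic-auth lines below are commented out, so access is
    # limited by source address. Add an "allow" line for your monitoring host.
    allow 127.0.0.1;
    deny all;
    #auth_basic "nginx_status";
    #auth_basic_user_file conf/htpasswd;
}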

# NOTE(review): this turns off access logging for the whole server, so there is
# no request record (client address, URI, status) to use for detection or
# incident response - confirm that this is intended.
access_log off;
}

}

 

############################################################################################

 

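# Validate the configuration first (-t); start nginx only if the check passes.
/usr/local/webserver/nginx/sbin/nginx -t &&
  /usr/local/webserver/nginx/sbin/nginx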
十二、优化sysctl.conf
################################
# Add
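# Larger queues for half-open connections, incoming packets and listen backlogs.
# NOTE(review): net.ipv4.tcp_syncookies is not set in this file - confirm it is
# enabled, since a bigger SYN backlog alone does not stop a SYN flood.
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

# Default and maximum socket buffer sizes, in bytes.
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# NOTE(review): tcp_tw_reuse below relies on TCP timestamps, so with timestamps
# disabled it has no effect - confirm which of the two settings is wanted.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

# tcp_tw_recycle is left disabled: it drops connections from clients that
# share one address behind NAT, and the setting was removed in Linux 4.12,
# where "sysctl -p" reports it as an unknown key.
#net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1

# NOTE(review): tcp_mem is counted in memory pages and tcp_max_orphans in
# sockets; values this large mean the kernel effectively never limits TCP
# memory or orphaned sockets under a connection flood. Size both to the RAM
# of the host.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
# Range of local ports used for outgoing connections (here: to the backend).
net.ipv4.ip_local_port_range = 1024 65535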

################################
sysctl -p

新装nginx启动报 libpcre.so.1找不到

error while loading shared libraries: libpcre.so.1: cannot open shared object file: No such file or directory

64位centos,查看一下nginx依赖包

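# List the shared libraries the nginx binary needs. "which" is not needed for
# an absolute path. Run ldd only on binaries you trust: it may execute code
# from the file it inspects.
ldd /usr/local/webserver/nginx/sbin/nginx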

发现 libpcre.so.1 not found,还好就这一个找不到,因为是64位系统,

cd /lib64

# On a 32-bit system the library is in the /lib directory instead.

# NOTE(review): this makes the name libpcre.so.1 point at a library built with
# a different soname (libpcre.so.0). The loader error goes away, but an ABI
# mismatch between the two is hidden rather than fixed - confirm nginx runs
# correctly, or rebuild nginx against the PCRE version that is installed.
ln -s libpcre.so.0.0.1 libpcre.so.1

解决问题

nginx+php-fpm上传文件的大小限制

主要配置在php.ini里

file_uploads,默认应该是开启的,如果是off肯定是不能传了。

upload_max_filesize和post_max_size都是限制上传文件大小的。修改成适当的大小

还有一个很关键的配置,一般人我不告诉他:nginx.conf里还有个配置项client_max_body_size。如果上传的请求体大于这个值,nginx会直接返回413错误,请求根本到不了php那边。