LNMP Setup and URL Rewrite Testing - Linux Security Operations_跨零代码


Contents:

1. Setting up LNMP

2. Building a Discuz forum on LNMP (www.hill.com)

3. Enabling HTTPS

4. Automatic redirect from HTTP to HTTPS, hotlink protection, and URL rewrite testing

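I. Setting up LNMP

As we know, Apache can be combined with PHP in three ways, whereas for nginx only one approach currently works well: php-fpm.

1. Install directly with yum to set up LNMP quickly. Download the prebuilt nginx package (RPM) from the official site; compiling from source is also an option.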

    # yum install -y pcre-devel zlib-devel openssl-devel php-fpm php-mysql mariadb-server
    # yum install nginx-1.10.0-1.el7.ngx.x86_64.rpm

2. Add an nginx virtual host

    [root@localhost pma]# cat /etc/nginx/conf.d/hill.conf
    server {
        listen 80;
        server_name www.hill.com;
        root /var/www/html/hill;

        location / {
            index index.php index.html;
        }

        location ~ .*\.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
            include fastcgi_params;
        }
    }

3. Start the relevant services and add a hosts file entry to test

    [root@localhost hill]# curl -I www.hill.com
    HTTP/1.1 200 OK
    Server: nginx/1.10.0
    Date: Mon, 24 Oct 2016 22:17:52 GMT
    Content-Type: text/html
    Connection: keep-alive
    X-Powered-By: PHP/5.4.16

4. phpMyAdmin test succeeded
5. Installed the forum; browsing and posting tested successfully.
II. Implementing HTTPS in nginx

1. Set up the root CA server (here it is on the same machine)

    [root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ...+++
    ..............................................................................+++
    e is 65537 (0x10001)
    [root@localhost hill]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BEIJING
    Locality Name (eg, city) [Default City]:BEIJING
    Organization Name (eg, company) [Default Company Ltd]:hill.com
    Organizational Unit Name (eg, section) []:ca
    Common Name (eg, your name or your server's hostname) []:ca.hill.com
    Email Address []:
    [root@localhost hill]#

2. Create the certificate signing request for nginx

    [root@localhost hill]# mkdir -p /etc/nginx/ssl
    [root@localhost hill]# (umask 066 ; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ....+++
    ......................+++
    e is 65537 (0x10001)
    [root@localhost hill]# openssl req -new -days 365 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BEIJING
    Locality Name (eg, city) [Default City]:BEIJING
    Organization Name (eg, company) [Default Company Ltd]:hill.com
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:www.hill.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

3. Sign the certificate with the root CA

    [root@localhost CA]# openssl ca -in /etc/nginx/ssl/nginx.csr -out /etc/nginx/ssl/nginx.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Oct 24 22:55:33 2016 GMT
                Not After : Oct 24 22:55:33 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = BEIJING
                organizationName          = hill.com
                organizationalUnitName    = ops
                commonName                = www.hill.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    06:98:EC:97:95:A6:7A:29:D4:DE:F4:C7:98:ED:D1:01:F9:16:07:8A
                X509v3 Authority Key Identifier:
                    keyid:F4:2C:6B:72:C4:D0:B5:CF:6F:B8:4E:A5:E1:A6:73:27:6D:6E:88:D3
    Certificate is to be certified until Oct 24 22:55:33 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@localhost CA]# ll /etc/nginx/ssl/
    total 16
    -rw-r--r--. 1 root root 4457 Oct 25 06:55 nginx.crt
    -rw-r--r--. 1 root root 1005 Oct 25 06:54 nginx.csr
    -rw-------. 1 root root 1679 Oct 25 06:53 nginx.key

4. Edit the nginx virtual host configuration file

    [root@localhost CA]# cat /etc/nginx/conf.d/hill.conf
    server {
        listen 443 ssl;
        server_name www.hill.com;
        root /var/www/html/hill;

        location / {
            index index.php index.html;
        }

        location ~ .*\.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
            include fastcgi_params;
        }

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_cache shared:sslcache:20m;
    }
    [root@localhost CA]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@localhost CA]# nginx -s reload
    [root@localhost CA]# ss -tanl
    State    Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
    LISTEN   0       128     127.0.0.1:9000      *:*
    LISTEN   0       128     *:47112             *:*
    LISTEN   0       50      *:3306              *:*
    LISTEN   0       128     *:111               *:*
    LISTEN   0       128     *:22                *:*
    LISTEN   0       100     127.0.0.1:25        *:*
    LISTEN   0       128     *:443               *:*
    LISTEN   0       128     :::111              :::*
    LISTEN   0       128     :::22               :::*
    LISTEN   0       100     ::1:25              :::*
    LISTEN   0       128     :::56155

5. Opening the site in a browser succeeded
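Steps 1 to 3 above as one non-interactive run, written as an added example and not the original author's commands. It works in a temporary directory instead of /etc/pki/CA, signs with `openssl x509 -req` rather than `openssl ca`, and adds a subjectAltName, which the certificate issued above does not contain and which browsers such as Chrome require for host name matching. The helper names `issue_cert` and `check_cert` are assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA plus a server certificate carrying a
# subjectAltName, built non-interactively in a temporary directory.
# issue_cert and check_cert are hypothetical helper names.

issue_cert() {                     # $1 = host name; prints the work directory
    host="$1"
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && umask 077 &&
        # 1. root CA key and self-signed CA certificate
        openssl genrsa -out cakey.pem 2048 &&
        openssl req -new -x509 -days 365 -key cakey.pem -out cacert.pem \
            -subj "/C=CN/ST=BEIJING/O=hill.com/OU=ca/CN=ca.hill.com" &&
        # 2. server key and certificate signing request
        openssl genrsa -out nginx.key 2048 &&
        openssl req -new -key nginx.key -out nginx.csr \
            -subj "/C=CN/ST=BEIJING/O=hill.com/OU=ops/CN=$host" &&
        # 3. sign the request; the SAN is supplied at signing time
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
            > ext.cnf &&
        openssl x509 -req -in nginx.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 365 -sha256 -extfile ext.cnf -out nginx.crt
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

check_cert() {                     # $1 = work directory, $2 = expected host
    # chain: the server certificate must verify against the CA certificate
    openssl verify -CAfile "$1/cacert.pem" "$1/nginx.crt" >/dev/null 2>&1 || return 1
    # pairing: key and certificate must share the same RSA modulus
    key=$(openssl rsa  -in "$1/nginx.key" -noout -modulus 2>/dev/null)
    crt=$(openssl x509 -in "$1/nginx.crt" -noout -modulus 2>/dev/null)
    [ -n "$key" ] && [ "$key" = "$crt" ] || return 2
    # name: the host must appear as a DNS entry in subjectAltName
    openssl x509 -in "$1/nginx.crt" -noout -text 2>/dev/null |
        grep -qF "DNS:$2" || return 3
}

if dir=$(issue_cert www.hill.com) && check_cert "$dir" www.hill.com; then
    echo "chain, key pairing and SAN verified; files are in $dir"
else
    echo "certificate checks failed" >&2
fi
```

The same three checks can be pointed at /etc/nginx/ssl before `nginx -s reload` to catch a mismatched key or a missing name.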

III. Automatic redirect from HTTP to HTTPS, hotlink protection, and URL rewrite testing

1. HTTP-to-HTTPS automatic redirect test:

    [root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf
    server {
        listen 443 ssl;
        server_name www.hill.com;

        location / {
            index index.php index.html;
            root /var/www/html/hill;
            valid_referers none block server_names ~hill\.com;
            if ($invalid_referer) {
                return 111;
            }
        }

        location ~ .*\.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
            include fastcgi_params;
        }

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_cache shared:sslcache:20m;
    }

    server {
        listen 80;
        server_name www.hill.com;
        rewrite ^(.*)$ https://$host$1 permanent;
    }

2. Hotlink protection test:
Add the configuration:

    # Note: "block" is read as a host name here; the nginx keyword for Referer
    # values without a scheme is "blocked".
    valid_referers none block server_names ~hill\.com;
    if ($invalid_referer) {
        return 111;
    }

The test behaves as expected:

    [root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf
    server {
        listen 443 ssl;
        server_name www.hill.com;

        location / {
            index index.php index.html;
            root /var/www/html/hill;
            if ($http_user_agent ~* Edge) {
                rewrite ^(.*)$ /test1.html break;
            }
            if ($http_user_agent ~* Maxthon) {
                rewrite ^(.*)$ /test2.html break;
            }
            if ($http_user_agent ~* firefox) {
                rewrite ^(.*)$ /test3.html break;
            }
            valid_referers none block server_names ~hill\.com;
            if ($invalid_referer) {
                return 111;
            }
        }

        location ~ .*\.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
            include fastcgi_params;
        }

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_cache shared:sslcache:20m;
    }

    server {
        listen 80;
        server_name www.hill.com;
        rewrite ^(.*)$ https://$host$1 permanent;
    }

    [12:36 root@centos6.8~]# curl -I -k -e "www.baidu.com" https://www.hill.com
    HTTP/1.1 111
    Server: nginx/1.10.0
    Date: Tue, 25 Oct 2016 10:50:40 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: keep-alive
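To check what a referer rule accepts before deploying it, the following added example (not from the original post) approximates nginx's documented `valid_referers` matching in shell and compares the page's regex with a host-anchored one. `referer_valid`, `verdict`, `STRICT_RE` and the sample Referer values are constructed for illustration; the `blocked` behaviour is off by default because the rule above spells it `block`. Referer is a client-supplied header, so this rule limits casual hotlinking and is not an access control.

```shell
#!/bin/sh
# Added example: approximate the decision nginx's valid_referers makes, so a
# rule can be checked against sample Referer values before it is deployed.
# referer_valid, verdict and the sample values are constructed for illustration.

SERVER_NAME="www.hill.com"
PAGE_RE='hill\.com'                                    # regex used on this page
STRICT_RE='^([a-z0-9-]+\.)*hill\.com(:[0-9]+)?(/|$)'   # anchored to the host part

# referer_valid REFERER REGEX [blocked] -> status 0 = valid, 1 = $invalid_referer
referer_valid() {
    ref="$1"; re="$2"; blocked="${3:-}"
    [ -z "$ref" ] && return 0                  # "none": no Referer header
    case "$ref" in
        [Hh][Tt][Tt][Pp]://* | [Hh][Tt][Tt][Pp][Ss]://*)
            rest="${ref#*://}" ;;
        *)  # value without a scheme: valid only when "blocked" is configured
            [ "$blocked" = blocked ]; return ;;
    esac
    host="${rest%%[/:]*}"
    [ "$host" = "$SERVER_NAME" ] && return 0   # "server_names"
    # A "~regex" entry is matched against everything after the scheme,
    # path and query string included.
    printf '%s\n' "$rest" | grep -Eiq -- "$re"
}

verdict() { if referer_valid "$@"; then echo allow; else echo deny; fi; }

# Constructed sample Referer values
for ref in "" "www.baidu.com" "https://www.hill.com/forum.php" \
           "https://bbs.hill.com/thread-1.html" \
           "https://hill.com.example.net/" \
           "https://www.baidu.com/s?wd=hill.com"; do
    printf '%-40s page=%-5s anchored=%s\n' "${ref:-(none)}" \
        "$(verdict "$ref" "$PAGE_RE")" "$(verdict "$ref" "$STRICT_RE")"
done
```

The last two samples are accepted by the unanchored regex and rejected by the anchored one; in the nginx rule the anchored form would be written after the `~` in `valid_referers`.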

3. URL rewrite test: different user agents get different results
Add the configuration:

    if ($http_user_agent ~* Edge) {
        rewrite ^(.*)$ /test1.html break;
    }
    if ($http_user_agent ~* Maxthon) {
        rewrite ^(.*)$ /test2.html break;
    }
    if ($http_user_agent ~* firefox) {
        rewrite ^(.*)$ /test3.html break;
    }

Test succeeded:

    [root@MiWiFi-R3-srv hill]# cat /etc/nginx/conf.d/hill.conf
    server {
        listen 443 ssl;
        server_name www.hill.com;

        location / {
            index index.php index.html;
            root /var/www/html/hill;
            if ($http_user_agent ~* Edge) {
                rewrite ^(.*)$ /test1.html break;
            }
            if ($http_user_agent ~* Maxthon) {
                rewrite ^(.*)$ /test2.html break;
            }
            if ($http_user_agent ~* firefox) {
                rewrite ^(.*)$ /test3.html break;
            }
            valid_referers none block server_names ~hill\.com;
            if ($invalid_referer) {
                return 111;
            }
        }

        location ~ .*\.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/html/hill$fastcgi_script_name;
            include fastcgi_params;
        }

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_cache shared:sslcache:20m;
    }

    server {
        listen 80;
        server_name www.hill.com;
        rewrite ^(.*)$ https://$host$1 permanent;
    }

The rewrite takes effect.
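Appendix: built-in variables of the HTTP core module:

    $uri: the URI of the current request, without arguments;
    $request_uri: the request URI, with the complete arguments;
    $host: the Host header of the HTTP request; if the request has no Host header, the host name of the virtual host handling the request is used instead;
    $hostname: the host name of the machine the nginx service runs on;
    $remote_addr: client IP
    $remote_port: client port
    $remote_user: the user name entered by the client when user authentication is used;
    $request_filename: the local file path that the URI in the request maps to after translation by the local root or alias;
    $request_method: request method
    $server_addr: server address
    $server_name: server name
    $server_port: server port
    $server_protocol: the protocol used when the server sends the response to the client, e.g. http/1.1, http/1.0
    $scheme: the scheme used in the request, e.g. https in https://www.domain.com/;
    $http_HEADER: matches the given HEADER in the request message; $http_host matches the Host header of the request
    $sent_http_HEADER: matches the given HEADER in the response message; for example, $sent_http_content_type matches the Content-Type header of the response;
    $document_root: the root setting that the current request maps to;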





Permalink: http://kua0.com/2019/02/08/lnmp的搭建及url重写测试-linux安全运维_跨零代码/
