nginx 的php配置支持php-fpm和Apache,失败后自动切换

其中 error_page 502 = @apache; 是关键!!!

 location ~ .*\.php$
{
        error_page 502 = @apache;
        fastcgi_pass  127.0.0.1:9002;
        fastcgi_index index.php;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        # PHP only, required if PHP was built with --enable-force-cgi-redirect
        fastcgi_param REDIRECT_STATUS 200;
}

 location @apache {
        proxy_pass http://127.0.0.1:88;
        proxy_connect_timeout 30s;
        proxy_send_timeout   90;
        proxy_read_timeout   90;
        proxy_buffer_size    32k;
        proxy_buffers     4 32k;
        proxy_busy_buffers_size 64k;
        proxy_redirect     off;
        proxy_hide_header  Vary;
        proxy_set_header   Accept-Encoding '';
        proxy_set_header   Host   $host;
        proxy_set_header   Referer $http_referer;
        proxy_set_header   Cookie $http_cookie;
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
}

nginx的godaddy ssl 证书配置

openssl genrsa -des3 -out server.key 2048
生成server.key

openssl rsa -in server.key -out server.key
去除server.key 里面密码

openssl req -new -key server.key -out server.csr
生成server.csr

提交server.csr 内容到godaddy,审核后下载zip文件
把里面的非gd_bundled的文件和server.key 合并为pem

cat bf5d584ffa226fa6.crt server.key > /etc/nginx/server.pem
cp server.key /etc/nginx/server.key

nginx的配置里面这样写

ssl on;
ssl_certificate /etc/nginx/server.pem;
ssl_certificate_key /etc/nginx/server.key;

nginx location 指令匹配顺序

官方 http://nginx.org/en/docs/http/ngx_http_core_module.html#location
中文有人这样理解 http://www.php100.com/html/program/nginx/2013/0905/5535.html
还有这个 http://blog.sina.com.cn/s/blog_97688f8e0100zws5.html

下面这个理解的不错,
这个 http://blog.chinaunix.net/uid-25196855-id-108805.html

下面的那个 3 是 上尖号和波浪号

摘录如下

nginx-location

nginx 的 substitutions4nginx 在gzip的问题上的处理

nginx 的代理功能不错,但是有些类似小偷的程序,可以利用
substitutions4nginx 来改写目标页面的html代码,
subs_filter www.a.com www.b.com;
但是有时候居然无法匹配 www.a.com ,发现源文件里面是gzip的从而无法匹配
那么只需要修改proxy的指令,告知源,我这里不收取gzip的资料,请发我未压缩的版本
proxy_set_header Accept-Encoding “”;
可以解决
完整的如下

server
{
listen 80;
server_name www.a.com;
location / {
subs_filter www.a.com www.b.com ;
proxy_set_header Accept-Encoding “”;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://www.a.com;
index index.html index.htm;
}
}

 

有关apache的proxy时候碰到gzip,看 http://www.zjpro.com/apache-2-4-substitute.html

nginx 支持PATH_INFO 的配置文件

 location ~ \.php {
        fastcgi_pass   127.0.0.1:9000;
        set $path_info "";
        set $real_script_name $fastcgi_script_name;
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {                     
        set $real_script_name $1;
        set $path_info $2;
        }
        fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        fastcgi_param PATH_INFO $path_info;

        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        # PHP only, required if PHP was built with --enable-force-cgi-redirect
        #fastcgi_param REDIRECT_STATUS 200;
    }

针对对特定user-agent 的apahce,nginx攻击的防护

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} “^特征字符串正则表达式$”
RewriteRule ^(.*)$ http://127.0.0.1

 

nginx 的配置如下

if ( $http_user_agent = “特征串”) { return 444; };
或者
if ( $http_user_agent ~* “特征串”) { return 444; }

注意特征串如果这正则情况下  斜线 / 括号 () 都是要加斜线的

 

nginx的ecshop伪静态配置

nginx 配置 ecshop 伪静态
if (!-e $request_filename)
{
rewrite "^/index\.html" /index.php last;
rewrite "^/category$" /index.php last;
rewrite "^/feed-c([0-9]+)\.xml$" /feed.php?cat=$1 last;
rewrite "^/feed-b([0-9]+)\.xml$" /feed.php?brand=$1 last;
rewrite "^/feed\.xml$" /feed.php last;
rewrite "^/category-([0-9]+)-b([0-9]+)-min([0-9]+)-max([0-9]+)-attr([^-]*)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /category.php?id=$1&brand=$2&price_min=$3&price_max=$4&filter_attr=$5&page=$6&sort=$7&order=$8 last;
rewrite "^/category-([0-9]+)-b([0-9]+)-min([0-9]+)-max([0-9]+)-attr([^-]*)(.*)\.html$" /category.php?id=$1&brand=$2&price_min=$3&price_max=$4&filter_attr=$5 last;
rewrite "^/category-([0-9]+)-b([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /category.php?id=$1&brand=$2&page=$3&sort=$4&order=$5 last;
rewrite "^/category-([0-9]+)-b([0-9]+)-([0-9]+)(.*)\.html$" /category.php?id=$1&brand=$2&page=$3 last;
rewrite "^/category-([0-9]+)-b([0-9]+)(.*)\.html$" /category.php?id=$1&brand=$2 last;
rewrite "^/category-([0-9]+)(.*)\.html$" /category.php?id=$1 last;
rewrite "^/goods-([0-9]+)(.*)\.html" /goods.php?id=$1 last;
rewrite "^/article_cat-([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /article_cat.php?id=$1&page=$2&sort=$3&order=$4 last;
rewrite "^/article_cat-([0-9]+)-([0-9]+)(.*)\.html$" /article_cat.php?id=$1&page=$2 last;
rewrite "^/article_cat-([0-9]+)(.*)\.html$" /article_cat.php?id=$1 last;
rewrite "^/article-([0-9]+)(.*)\.html$" /article.php?id=$1 last;
rewrite "^/brand-([0-9]+)-c([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)\.html" /brand.php?id=$1&cat=$2&page=$3&sort=$4&order=$5 last;
rewrite "^/brand-([0-9]+)-c([0-9]+)-([0-9]+)(.*)\.html" /brand.php?id=$1&cat=$2&page=$3 last;
rewrite "^/brand-([0-9]+)-c([0-9]+)(.*)\.html" /brand.php?id=$1&cat=$2 last;
rewrite "^/brand-([0-9]+)(.*)\.html" /brand.php?id=$1 last;
rewrite "^/tag-(.*)\.html" /search.php?keywords=$1 last;
rewrite "^/snatch-([0-9]+)\.html$" /snatch.php?id=$1 last;
rewrite "^/group_buy-([0-9]+)\.html$" /group_buy.php?act=view&id=$1 last;
rewrite "^/auction-([0-9]+)\.html$" /auction.php?act=view&id=$1 last;
rewrite "^/exchange-id([0-9]+)(.*)\.html$" /exchange.php?id=$1&act=view last;
rewrite "^/exchange-([0-9]+)-min([0-9]+)-max([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /exchange.php?cat_id=$1&integral_min=$2&integral_max=$3&page=$4&sort=$5&order=$6 last;
rewrite ^/exchange-([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /exchange.php?cat_id=$1&page=$2&sort=$3&order=$4 last;
rewrite "^/exchange-([0-9]+)-([0-9]+)(.*)\.html$" /exchange.php?cat_id=$1&page=$2 last;
rewrite "^/exchange-([0-9]+)(.*)\.html$" /exchange.php?cat_id=$1 last;
}

ecshop 的nginx 伪静态配置

nginx 配置 ecshop 伪静态
if (!-e $request_filename)
{
rewrite "^/index\.html" /index.php last;
rewrite "^/category$" /index.php last;
rewrite "^/feed-c([0-9]+)\.xml$" /feed.php?cat=$1 last;
rewrite "^/feed-b([0-9]+)\.xml$" /feed.php?brand=$1 last;
rewrite "^/feed\.xml$" /feed.php last;
rewrite "^/category-([0-9]+)-b([0-9]+)-min([0-9]+)-max([0-9]+)-attr([^-]*)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /category.php?id=$1&brand=$2&price_min=$3&price_max=$4&filter_attr=$5&page=$6&sort=$7&order=$8 last;
rewrite "^/category-([0-9]+)-b([0-9]+)-min([0-9]+)-max([0-9]+)-attr([^-]*)(.*)\.html$" /category.php?id=$1&brand=$2&price_min=$3&price_max=$4&filter_attr=$5 last;
rewrite "^/category-([0-9]+)-b([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /category.php?id=$1&brand=$2&page=$3&sort=$4&order=$5 last;
rewrite "^/category-([0-9]+)-b([0-9]+)-([0-9]+)(.*)\.html$" /category.php?id=$1&brand=$2&page=$3 last;
rewrite "^/category-([0-9]+)-b([0-9]+)(.*)\.html$" /category.php?id=$1&brand=$2 last;
rewrite "^/category-([0-9]+)(.*)\.html$" /category.php?id=$1 last;
rewrite "^/goods-([0-9]+)(.*)\.html" /goods.php?id=$1 last;
rewrite "^/article_cat-([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /article_cat.php?id=$1&page=$2&sort=$3&order=$4 last;
rewrite "^/article_cat-([0-9]+)-([0-9]+)(.*)\.html$" /article_cat.php?id=$1&page=$2 last;
rewrite "^/article_cat-([0-9]+)(.*)\.html$" /article_cat.php?id=$1 last;
rewrite "^/article-([0-9]+)(.*)\.html$" /article.php?id=$1 last;
rewrite "^/brand-([0-9]+)-c([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)\.html" /brand.php?id=$1&cat=$2&page=$3&sort=$4&order=$5 last;
rewrite "^/brand-([0-9]+)-c([0-9]+)-([0-9]+)(.*)\.html" /brand.php?id=$1&cat=$2&page=$3 last;
rewrite "^/brand-([0-9]+)-c([0-9]+)(.*)\.html" /brand.php?id=$1&cat=$2 last;
rewrite "^/brand-([0-9]+)(.*)\.html" /brand.php?id=$1 last;
rewrite "^/tag-(.*)\.html" /search.php?keywords=$1 last;
rewrite "^/snatch-([0-9]+)\.html$" /snatch.php?id=$1 last;
rewrite "^/group_buy-([0-9]+)\.html$" /group_buy.php?act=view&id=$1 last;
rewrite "^/auction-([0-9]+)\.html$" /auction.php?act=view&id=$1 last;
rewrite "^/exchange-id([0-9]+)(.*)\.html$" /exchange.php?id=$1&act=view last;
rewrite "^/exchange-([0-9]+)-min([0-9]+)-max([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /exchange.php?cat_id=$1&integral_min=$2&integral_max=$3&page=$4&sort=$5&order=$6 last;
rewrite ^/exchange-([0-9]+)-([0-9]+)-(.+)-([a-zA-Z]+)(.*)\.html$" /exchange.php?cat_id=$1&page=$2&sort=$3&order=$4 last;
rewrite "^/exchange-([0-9]+)-([0-9]+)(.*)\.html$" /exchange.php?cat_id=$1&page=$2 last;
rewrite "^/exchange-([0-9]+)(.*)\.html$" /exchange.php?cat_id=$1 last;
}

shopex 在nginx 环境开启伪静态

core/admin/controller/sale/ctl.tools.php
搜索 test_fake_html 后面加两行如下

 $svinfo->test_fake_html(false,$msg);
 $this->system->setConf('system.seo.emuStatic','true');
 return true;

nginx 的配置文件里面

location / { 
if (!-e $request_filename) { 
rewrite ^/(.+\.(html|xml|json|htm|php|jsp|asp|shtml))$ /index.php?$1 last; 
# 下面这行也可以
#rewrite ^(.*)/(.+\.(html|xml|json|htm|php|jsp|asp|shtml))$ $1/index.php?$2 last;
         } 
} 
  

flv 自由拖动的几点注意事项,nginx 伪流服务器

编译 nginx 指出 flv module

参考 http://wiki.nginx.org/HttpFlvModule

./configure –with-http_flv_module  –其他参数

配置文件里面加入

location ~ \.flv$ {
  flv;
}

然后 如果是 jwplayer 的 播放器 ,注意参数

startparam: "start",

如果是 ckplayer 的播放器 ,注意参数

h:’0′,//播放http视频流时采用何种拖动方法,=0不使用任意拖动,=1是使用按关键帧,=2是按时间点,=3是自动判断按什么(如果视频格式是.mp4就按关键帧,.flv就按关键时间),=4也是自动判断(只要包含字符mp4就按mp4来,只要包含字符flv就按flv来)

q:”,//视频流拖动时参考函数,默认是start

 

参考资料

http://www.longtailvideo.com/support/jw-player/28855/pseudo-streaming-in-flash

 

nginx的discuzx伪静态

discuz X 的 nginx 伪静态规则

rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
rewrite ^([^\.]*)/article-([0-9]+)-([0-9]+)\.html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
rewrite ^([^\.]*)/blog-([0-9]+)-([0-9]+)\.html$ $1/home.php?mod=space&uid=$2&do=blog&id=$3 last;
rewrite ^([^\.]*)/(fid|tid)-([0-9]+)\.html$ $1/index.php?action=$2&value=$3 last;
rewrite ^([^\.]*)/([a-z]+[a-z0-9_]*)-([a-z0-9_\-]+)\.html$ $1/plugin.php?id=$2:$3 last;
if (!-e $request_filename) {
        return 404;
}

其他的建议去看
http://www.vpser.net/manage/nginx-rewrite.html

nginx 针对一类特定referer 屏蔽,可能对某些攻击有效

一个客户服务最近受到攻击,通过查看nginx的log发现规律是 referer地址来自相同的字符串
于是乎用下面的屏蔽代码

if ($http_referer ~* "来源字串里面包含的特定字串"){return 403;}

下面是一些资料  详细英文的解释在 http://wiki.nginx.org/HttpCoreModule#location

~ 匹配,区分大小写
~* 不区分大小写的匹配
!~ 不匹配
!~* 不匹配
^~ 常用于location 语法中,后边是一个字符串。它的意思是,在这个字符串匹配后停止进行正则表达式的匹配。
如: location ^~ /images/,你希望对/images/这个目录进行一些特别的操作,如增加expires头,防盗链等,但是你又想把除了这个目录的图片外的所有图片只进行增加expires头的操作,这个操作可能会用到另外一个location,例如:location ~* \.(gif|jpg|jpeg)$,这样,如果有请求/images/1.jpg,nginx如何决定去进行哪个location中的操作呢?结果取决于标识符^~,如果你这样写:location /images/,这样nginx会将1.jpg匹配到location ~* \.(gif|jpg|jpeg)$这个location中,这并不是你需要的结果,而增加了^~这个标识符后,它在匹配了/images/这个字符串后就停止搜索其它带正则的location。
= 表示精确的查找地址,如location = /它只会匹配uri为/的请求,如果请求为/index.html,将查找另外的location,而不会匹配这个,当然可以写两个location,location = /和location /,这样/index.html将匹配到后者,如果你的站点对/的请求量较大,可以使用这个方法来加快请求的响应速度。
@ 表示为一个location进行命名,即自定义一个location,这个location不能被外界所访问,只能用于Nginx产生的子请求,主要为error_page和try_files。

参考资料来源

http://hi.baidu.com/jidongxx/item/de0f7e519980eeddd48bac38
http://ourlinux.blog.51cto.com/274624/850470

QQ截图20130418090527

 

另外 参见 /?p=198

nginx php 在 daemontools 下运行, 永不当机配置

以下均为Linux 平台配置

1. 首先假设你已经可以使 nginx + php 在 fastcgi 模式下运行 (如果不会,请参考nginx 资料)
2. 安装djb daemontools
脚本如下

mkdir -p /package
chmod 1755 /package/
cd /package/
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
tar xzf daemontools-0.76.tar.gz
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/daemontools-0.76.errno.patch
cd admin/daemontools-0.76
patch -p1 < ../../daemontools-0.76.errno.patch
rm ../../daemontools-0.76.errno.patch ../../daemontools-0.76.tar.gz
./package/install

3. 配置 nginx在 daemontools下运行
脚本如下
修改nginx.conf  加入 daemon off; (在 worker_processes 前面!!)
mkdir -p /srv/nginx
vi /srv/nginx/run  内容为
#!/bin/sh
exec /usr/local/nginx/sbin/nginx
4. php fastcgi 在 daemontools 下运行 (最关键的 -n )
#! /bin/sh
exec /usr/local/lighttpd/bin/spawn-fcgi  -n -a 127.0.0.1 -p 9999 -C 30  -u nobody -g nobody  -f /usr/local/php/bin/php-cgi

5. 配置svscan 监控
ln -s /srv/nginx  /service
ln -s /srv/phpfcgi /service

手动停止 你的 nginx  和 php-cgi 进程看看,是不是  php-cgi  和 nginx 自动启动了。呵呵
6. 学习如何手动停止 nginx  和 php-cgi
svc -d /service/nginx  停止 nginx
svc -u /service/nginx  启动 nginx
svc -d /service/phpfcgi 停止phpfcgi
svc -u /service/phpfcgi 启动phpfcgi

That’s all !

补充,php 可以打 fpm补丁后不用此方法