NgInx: Difference between revisions
(The page was newly created: "Kategorie:ServerApplikation = Installation = <pre> sudo apt-get install php5-cli php5-fpm nginx mariadb-server mariadb-client </pre> = Konfiguration =")
m (→Konfiguration)
(17 intermediate revisions by 3 users not shown)
Zeile 1: | Zeile 1: | ||
[[Kategorie:ServerApplikation]] | [[Kategorie:ServerApplikation]] | ||
= Links = | |||
* https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms | |||
= Installation = | = Installation = | ||
<pre> | <pre> | ||
apt-get install php5-cli php5-fpm nginx-full mariadb-server mariadb-client php5-mysql | |||
</pre> | </pre> | ||
= Konfiguration = | = Konfiguration = | ||
<pre>server { | |||
listen 80; | |||
server_name emex; | |||
root /home/www/example.org; | |||
index index.php index.html; | |||
location /home/www/example.org { | |||
try_files $uri $uri/ /index.php?q=$uri&$args; | |||
} | |||
location ~ \.php$ { | |||
try_files $uri =404; | |||
#try_files $uri $uri/ /public/index.php?$args; | |||
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |||
fastcgi_pass unix:/var/run/php5.6-fpm.sock; | |||
fastcgi_index index.php; | |||
include fastcgi_params; | |||
} | |||
} | |||
</pre> | |||
* Document-Root nach /public verschieben: | |||
<pre> | |||
location / { | |||
try_files $uri $uri/ @public; | |||
} | |||
location @public { | |||
rewrite ^ /public$request_uri last; | |||
} | |||
location /public { | |||
try_files $uri $uri/ @rewrite; | |||
} | |||
location @rewrite { | |||
rewrite ^(.*)$ /public$1 last; | |||
} | |||
</pre> | |||
* Weiterleitung (reverse proxy): | |||
<pre>server { | |||
listen 443 ssl http2; | |||
# ssl_certificate /etc/ssl/certs/example.org.pem; | |||
# ssl_certificate_key /etc/ssl/private/example.org.key; | |||
server_name example.org www.rete-libera.org; | |||
root /srv/www/example; | |||
access_log /var/log/nginx/a_example.log; | |||
error_log /var/log/nginx/e_example.log; | |||
proxy_ssl_server_name on; | |||
location /.well-known { | |||
alias /srv/www/example/.well-known; | |||
allow all; | |||
} | |||
location / { | |||
proxy_pass https://10.10.10.204; | |||
proxy_set_header Host example.org; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
#proxy_http_version 1.1; | |||
client_body_in_file_only clean; | |||
client_body_buffer_size 512K; | |||
client_max_body_size 512M; | |||
sendfile on; | |||
send_timeout 600s; | |||
} | |||
} | |||
</pre> | |||
= Neueste Version unter Debian = | |||
<pre>cat <<EOS >/etc/apt/sources.list.d/nginx.list | |||
deb http://ftp.debian.org/debian/ testing main contrib non-free | |||
deb-src http://ftp.debian.org/debian/ testing main contrib non-free | |||
EOS | |||
cat <<EOS >> /etc/apt/preference | |||
Package: nginx | |||
Pin: release a=testing | |||
Pin-Priority: 900 | |||
EOS | |||
apt-get update | |||
# Info ueber verfuegbare Version: | |||
apt-cache policy nginx | |||
apt-get install nginx-full | |||
</pre> | |||
= Tipps = | |||
* Debugging einschalten: Reihenfolge ist entscheidend! | |||
** rewrite_log on; | |||
** error_log xxx debug; | |||
** oder error_log xxx notice; | |||
= Logauswertung = | |||
<pre>#! /bin/bash | |||
DATE=$1 | |||
if [ -z "$DATE" ] ; then | |||
echo "Usage: NgLogTimes <date> <file1> <file2>" | |||
echo "Example NgLogTimes 22/Nov/2017 *.gz" | |||
else | |||
shift | |||
while [ -n "$1" ] ; do | |||
FN=$1 | |||
shift | |||
X=$(file $FN | grep "gzip compressed data") | |||
if [ -n "$X" ] ; then | |||
CMD=zcat | |||
else | |||
CMD=cat | |||
fi | |||
#10.10.10.1 - - [27/Nov/2017:06:31:36 +0100] "GET /index.php?option=com_users&view=registration HTTP/1.0" 200 14652 "http://harmonicbrass.de/index.php?option=com_users&view=registration" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144" | |||
$CMD $FN | perl -n -e "print \"\$1 Status: \$2\n\" if m!($DATE[0-9:]+).*GET [^\"]+\" ([0-9]+) !;" | |||
done | |||
fi | |||
</pre> | |||
== Reale IP im Logging hinter Inverse Proxy == | |||
=== Auf dem Server mit inversem Proxy === | |||
<pre>#### Test, ob in NGINX freigeschaltet: | |||
nginx -V 2>&1 | grep --only-matching http_realip_module | |||
cat <<'EOS' >/etc/nginx/conf.d/real_ip.conf | |||
proxy_set_header Host $http_host; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header X-Forwarded-Proto $scheme; | |||
EOS | |||
systemctl nginx reload | |||
</pre> | |||
== Auf dem Server hinter dem Proxy == | |||
* in /etc/nginx/nginx.conf | |||
<pre> | |||
## | |||
# Logging Settings | |||
## | |||
log_format proxyLog '$remote_addr => $http_x_real_ip - $remote_user [$time_local] ' | |||
'"$request" $status $body_bytes_sent ' | |||
'"$http_referer" "$http_user_agent"'; | |||
</pre> | |||
= location-Block = | |||
Der location-Block bezieht sich immer auf ein Verzeichnis. '/' in regulären Ausdrücken ist also immer falsch. | |||
<pre> | |||
# Kein Flag : x is prefix of path | |||
location /abc {...} | |||
# Flag '=':' passt genau | |||
location = /abc {...} | |||
</pre> | |||
Flags: | |||
* = passt genau | |||
* ~ regulärer Ausdruck, case sensitive | |||
* ~* regulärer Ausdruck, case insensitive | |||
* ^~ inverser regulärer Ausdruck: gewählt, wenn Ausdruck nicht passt | |||
== Wie wertet NGINX die Regeln aus? == | |||
* Generell: Exakt vor längster Übereinstimmung | |||
* Bei reg. Ausdrücken: Reihenfolge: erster gewinnt. NOT-Regel (^~) gewinnt vor normalen | |||
* Prefix-Regel passt: merken stop | |||
* reg. Ausdruck passt '''innerhalb einer Prefix-Regel''': | |||
** Ja: fertig | |||
** nein: gemerkte Prefix-Regel gilt | |||
= Redirection = | |||
<pre> | |||
# Wenn automatisch nach Domain eingesetzt werden soll: | |||
try_files $uri $uri/index.html $uri.html =404; | |||
location / { return 301 https://target.com$uri; } | |||
location /abc { return 301 https://target.com/abc_succ; } | |||
</pre> | |||
= Eigene 404-Seite und eingebaute Seite = | |||
* Es muss folgende Fehlerseite existieren: /media/data/WebApps/monitor.infeos.eu/404.html | |||
<pre>server { | |||
listen 10116; | |||
server_name monitor.infeos.eu; | |||
root /media/data/WebApps/monitor.infeos.eu; | |||
location = /works { | |||
# Es wird nur der Text "works" zurückgegeben: | |||
return 200 "works"; | |||
} | |||
location / { | |||
error_page 404 /404.html; | |||
} | |||
location /404.html { | |||
# verhindert den direkten Aufruf: | |||
internal; | |||
} | |||
} | |||
</pre> |
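Review bot: In the first server block, "location /home/www/example.org {" uses the filesystem root as the location prefix, but nginx matches locations against the request URI, so this block is not selected for ordinary requests and its try_files fallback to /index.php never runs; it should be "location / {". In the flags list, "^~" is described as an inverse regular expression, whereas it marks a prefix location that suppresses the regex check when it is the longest matching prefix. In the real-IP section, "systemctl nginx reload" has verb and unit swapped (systemctl reload nginx), and the pin in the Debian section is appended to /etc/apt/preference, a file apt does not read (it reads /etc/apt/preferences).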
Current revision as of 21 June 2022, 04:17
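= Links =
* https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
= Installation =
<pre>
apt-get install php5-cli php5-fpm nginx-full mariadb-server mariadb-client php5-mysql
</pre>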
= Configuration =
<pre>server {
    listen 80;
    server_name emex;
    root /home/www/example.org;
    index index.php index.html;
    # location prefixes are matched against the request URI, not the filesystem path
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        #try_files $uri $uri/ /public/index.php?$args;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5.6-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
</pre>
* Move the document root to /public:
<pre>
location / {
    try_files $uri $uri/ @public;
}
location @public {
    rewrite ^ /public$request_uri last;
}
location /public {
    try_files $uri $uri/ @rewrite;
}
location @rewrite {
    rewrite ^(.*)$ /public$1 last;
}
</pre>
* Forwarding (reverse proxy):
<pre>server {
    listen 443 ssl http2;
    # ssl_certificate /etc/ssl/certs/example.org.pem;
    # ssl_certificate_key /etc/ssl/private/example.org.key;
    server_name example.org www.rete-libera.org;
    root /srv/www/example;
    access_log /var/log/nginx/a_example.log;
    error_log /var/log/nginx/e_example.log;
    proxy_ssl_server_name on;
    location /.well-known {
        alias /srv/www/example/.well-known;
        allow all;
    }
    location / {
        proxy_pass https://10.10.10.204;
        proxy_set_header Host example.org;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_http_version 1.1;
        client_body_in_file_only clean;
        client_body_buffer_size 512K;
        client_max_body_size 512M;
        sendfile on;
        send_timeout 600s;
    }
}
</pre>
= Latest version on Debian =
<pre>cat <<EOS >/etc/apt/sources.list.d/nginx.list
deb http://ftp.debian.org/debian/ testing main contrib non-free
deb-src http://ftp.debian.org/debian/ testing main contrib non-free
EOS
# apt reads /etc/apt/preferences (and files in /etc/apt/preferences.d/).
# Only the package named nginx is pinned here; everything else in testing
# keeps the default priority.
cat <<EOS >> /etc/apt/preferences
Package: nginx
Pin: release a=testing
Pin-Priority: 900
EOS
apt-get update
# Show the available version:
apt-cache policy nginx
apt-get install nginx-full
</pre>
= Tips =
* Enable debugging: the order matters!
** rewrite_log on;
** error_log xxx debug;
** or error_log xxx notice;
= Log analysis =
<pre>#! /bin/bash
DATE=$1
if [ -z "$DATE" ] ; then
    echo "Usage: NgLogTimes <date> <file1> <file2>"
    echo "Example NgLogTimes 22/Nov/2017 *.gz"
else
    shift
    while [ -n "$1" ] ; do
        FN=$1
        shift
        # Quote the file name so that paths containing spaces work
        X=$(file "$FN" | grep "gzip compressed data")
        if [ -n "$X" ] ; then
            CMD=zcat
        else
            CMD=cat
        fi
        #10.10.10.1 - - [27/Nov/2017:06:31:36 +0100] "GET /index.php?option=com_users&view=registration HTTP/1.0" 200 14652 "http://harmonicbrass.de/index.php?option=com_users&view=registration" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
        $CMD "$FN" | perl -n -e "print \"\$1 Status: \$2\n\" if m!($DATE[0-9:]+).*GET [^\"]+\" ([0-9]+) !;"
    done
fi
</pre>
== Real IP in logging behind a reverse proxy ==
=== On the server running the reverse proxy ===
<pre>#### Check whether the module is enabled in NGINX:
nginx -V 2>&1 | grep --only-matching http_realip_module
cat <<'EOS' >/etc/nginx/conf.d/real_ip.conf
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOS
systemctl reload nginx
</pre>
=== On the server behind the proxy ===
* in /etc/nginx/nginx.conf
<pre>
##
# Logging Settings
##
log_format proxyLog '$remote_addr => $http_x_real_ip - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
</pre>
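An added example, not part of the original page: a parser for the proxyLog format above that attributes each request to a client address and only believes X-Real-IP when the TCP peer is the reverse proxy. The proxy address 10.10.10.1, the function names and the sample lines are assumptions made for this illustration.

```python
import ipaddress
import re

# The proxyLog format from this page:
# $remote_addr => $http_x_real_ip - $remote_user [$time_local] "$request" $status ...
PROXY_LOG = re.compile(
    r'^(?P<peer>\S+) => (?P<real_ip>\S+) - \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \d+ "[^"]*" "[^"]*"$'
)
# Assumption: the reverse proxy connects to this backend from 10.10.10.1.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.1/32")]


def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # "-" (header absent) or not an address


def attribute(line, trusted=TRUSTED_PROXIES):
    """Return (client_ip, verdict) for one proxyLog line, None if unparsable."""
    m = PROXY_LOG.match(line)
    peer = _ip(m["peer"]) if m else None
    if peer is None:
        return None
    claimed = _ip(m["real_ip"])
    if any(peer in net for net in trusted):
        # Only a header set by our own proxy is evidence of the client address.
        if claimed is not None:
            return str(claimed), "via-proxy"
        return str(peer), "proxy-without-header"
    # Anyone else can send X-Real-IP: record it as suspicious, never believe it.
    if m["real_ip"] != "-":
        return str(peer), "untrusted-header"
    return str(peer), "direct"


# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '10.10.10.1 => 203.0.113.7 - - [27/Nov/2017:06:31:36 +0100] "GET /index.php HTTP/1.0" 200 14652 "-" "Mozilla/5.0"',
    '198.51.100.23 => 127.0.0.1 - - [27/Nov/2017:06:31:40 +0100] "GET /admin HTTP/1.1" 403 162 "-" "curl/8.0"',
    '198.51.100.23 => - - - [27/Nov/2017:06:31:41 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def report(lines=SAMPLE):
    return [attribute(line) for line in lines]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Lines with the verdict untrusted-header reached the backend without passing through the proxy, which usually means the backend port is reachable from networks it should not be.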
= location block =
The location block always refers to a directory. A '/' in regular expressions is therefore always wrong.
<pre>
# No flag: x is a prefix of the path
location /abc {...}
# Flag '=': matches exactly
location = /abc {...}
</pre>
Flags:
* = matches exactly
* ~ regular expression, case sensitive
* ~* regular expression, case insensitive
* ^~ inverse regular expression: chosen when the expression does not match
== How does NGINX evaluate the rules? ==
* In general: exact match before longest match
* For regular expressions: order matters, the first one wins. The NOT rule (^~) wins over normal ones
* Prefix rule matches: remember it, stop
* Regular expression matches '''within a prefix rule''':
** Yes: done
** No: the remembered prefix rule applies
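An added example, not part of the original page: a small model of the selection order documented for nginx (exact match, then longest prefix, where a ^~ prefix skips the regex check, then the first matching regex, then the remembered prefix). Python's re stands in for PCRE, nested and named locations are not modelled, and the location list is constructed from patterns used on this page, with ^~ on /.well-known added for illustration.

```python
import re


def select_location(locations, uri):
    """Return the (modifier, pattern) chosen for a normalized request URI.

    locations: (modifier, pattern) pairs in configuration order, modifier
    being "" (prefix), "=", "^~", "~" or "~*".
    """
    best = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)              # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)          # remember the longest prefix
    if best and best[0] == "^~":
        return best                        # regexes are not consulted at all
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)          # first regex in file order wins
    return best                            # remembered prefix, or None


# Constructed from the location patterns that appear on this page.
PAGE_LOCATIONS = [
    ("", "/"),
    ("=", "/works"),
    ("", "/public"),
    ("^~", "/.well-known"),
    ("~", r"\.php$"),
]


def demo(uris=("/works", "/works/x", "/public/style.css",
               "/public/index.php", "/.well-known/test.php")):
    return {u: select_location(PAGE_LOCATIONS, u) for u in uris}


if __name__ == "__main__":
    for uri, loc in demo().items():
        print(f"{uri:26} -> location {loc[0]} {loc[1]}")
```

The two .php requests show the practical difference: under the plain prefix /public the file is handed to the PHP regex location, while under the ^~ prefix it is served by the prefix location and never reaches PHP-FPM.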
= Redirection =
<pre>
# If the path should be inserted automatically after the domain:
try_files $uri $uri/index.html $uri.html =404;
location / { return 301 https://target.com$uri; }
location /abc { return 301 https://target.com/abc_succ; }
</pre>
= Custom 404 page and built-in page =
* The following error page must exist: /media/data/WebApps/monitor.infeos.eu/404.html
<pre>server {
    listen 10116;
    server_name monitor.infeos.eu;
    root /media/data/WebApps/monitor.infeos.eu;
    location = /works {
        # Only the text "works" is returned:
        return 200 "works";
    }
    location / {
        error_page 404 /404.html;
    }
    location /404.html {
        # prevents direct access:
        internal;
    }
}
</pre>