Common Nginx problems and their solutions
1. Forcing a redirect to the HTTPS domain
Every HTTP request should be redirected to HTTPS automatically; this only takes a matching server block in nginx. Once the redirect works, also have the HTTPS server send a Strict-Transport-Security header, so returning browsers never issue the plaintext request in the first place.
Using the rewrite method (reference: https://cloud.tencent.com/developer/article/1599542). A plain return 301 with $request_uri is the form nginx recommends for this: it avoids evaluating a regex on every request and keeps the path and query string intact.
server {
    listen 80;
    server_name www.mysite.com;
    # Force the redirect; $request_uri carries the full original path and query string
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.mysite.com;
    index index.html;
    access_log /var/log/nginx/yapi.log;
    error_log /var/log/nginx/yapi.error.log;
    # "ssl on;" is deprecated (removed in 1.25.1); the ssl parameter on listen is enough
    ssl_certificate /etc/nginx/conf.d/certs/www.mysite.com.pem;
    ssl_certificate_key /etc/nginx/conf.d/certs/www.mysite.com-key.pem;
    location / {
        proxy_pass http://localhost:3000/;
        index index.html;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Only allow this one source address (the original intent was "intranet only",
        # but 182.150.24.163 is a public address). An "allow" on its own changes nothing:
        # without the closing "deny all" every other client is still let through.
        allow 182.150.24.163;
        deny all;
    }
}
2. Caching static files
Reference: https://juejin.cn/post/7112826654291918855
The block below caches matching files for 7 days. It only instructs the browser to cache (nginx sends an Expires header plus Cache-Control: max-age); nothing is cached on the server side. Keep in mind that a regex location takes precedence over prefix locations, so this block also captures .js, .css and .html requests that a "location /" in the same server would otherwise hand to a proxied application; those are then looked up under root instead.
location ~ .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ {
    root /soft/nginx/static_resources;
    # Cache for 7 days
    expires 7d;
}
# Finally, a reading of that location rule:
# location ~ .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css)$
# ~ means a case-sensitive regex match (~* would make it case-insensitive)
# .* means any character may appear zero or more times, i.e. the resource name is unrestricted
# \. matches the literal extension separator .
# (html|...|css) matches any one of the listed static resource types
# $ anchors the extension to the end of the URI, so /x.css/y or /a.jpg.php no longer match
# In one sentence: this configuration matches every request whose URI ends in one of the suffixes from .html to .css.
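The same expires mechanism usually needs more than one lifetime: build artefacts whose file name carries a content hash can be cached for a year, while the HTML pages that reference them must be revalidated on every load or users keep requesting hashes that no longer exist. The server block below is an added example, not the original post's or the referenced article's configuration; the /assets/ layout, the host name and the document root are assumptions.

```nginx
# Added example (not the original post's config). Assumes a build that writes
# content-hashed file names (app.3f2a9c.js) under /assets/; all paths are placeholders.
server {
    listen 80;
    server_name static.example.com;
    root /soft/nginx/static_resources;

    # Hashed build artefacts never change under the same name: cache for a year and
    # tell the browser it need not even revalidate ("immutable").
    location ~* ^/assets/.+\.(js|css|woff2?|png|jpg|svg)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Entry pages reference those hashes, so they must be re-checked on every load:
    # expires -1 sends Cache-Control: no-cache (ETag/Last-Modified validation still works).
    location ~* \.html?$ {
        expires -1;
    }

    # Anything else gets the moderate lifetime from the section above.
    location / {
        expires 7d;
    }
}
```

Check the result with nginx -t and then a request such as curl -sI http://static.example.com/assets/app.3f2a9c.js, which should show both a Cache-Control: max-age=31536000 line from expires and the added public, immutable line. Remember that add_header inside a location replaces every add_header inherited from the server or http level, so security headers set further up must be repeated in each location that uses add_header.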
3. Reverse-proxied files too large, producing an error
A reverse proxy returned ERR_CONTENT_LENGTH_MISMATCH and some files could not be loaded. The log showed the culprits were large font files: a response that does not fit into proxy_buffers is spooled to a temporary file under proxy_temp_path (this is buffering, not a cache), and the worker had no permission to write into that directory, so the response was cut short.
Check the nginx log:
tail -f /usr/local/var/log/nginx/error.log
It showed that certain files could not be opened:
2020/10/30 10:29:26 [crit] 1949#0: *1582 open() "/usr/local/var/run/nginx/proxy_temp/5/00/0000000005" failed (13: Permission denied) while reading upstream, client: 127.0.0.1, server: 8084.mysite.com, request: "GET /static/media/YSHaoShenTi.43bfc4ce.woff HTTP/1.1", upstream: "http://127.0.0.1:8084/static/media/YSHaoShenTi.43bfc4ce.woff", host: "8084.mysite.com", referrer: "http://8084.mysite.com/"
2020/10/30 10:29:26 [crit] 1949#0: *1580 open() "/usr/local/var/run/nginx/proxy_temp/6/00/0000000006" failed (13: Permission denied) while reading upstream, client: 127.0.0.1, server: 8084.mysite.com, request: "GET /static/media/YSHaoShenTi.5c603163.ttf HTTP/1.1", upstream: "http://127.0.0.1:8084/static/media/YSHaoShenTi.5c603163.ttf", host: "8084.mysite.com", referrer: "http://8084.mysite.com/"
My fix was to change the directory permissions, using the path from the error above:
sudo chmod -R 777 /usr/local/var/run/nginx/proxy_temp/
# On an M1 Mac it may be this directory instead; go by the error message above
sudo chmod -R 777 /opt/homebrew/var/run/nginx/proxy_temp
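A world-writable temp directory lets every local account read the response bodies nginx spools there and plant files of its own. The fragment below is an added example and not the original post's fix: it points nginx at a directory owned by the worker account and enlarges the in-memory buffers so that files the size of a web font never reach disk at all. The path /var/cache/nginx/proxy_temp and the account name nginx are assumptions; take the real worker account from the user directive in nginx.conf, and merge the directives into your existing http block.

```nginx
# Added example, not the original post's fix: give the worker its own temp directory
# instead of chmod 777. The path and the user name "nginx" are assumptions; read the
# real worker account from the "user" directive (nginx -T | grep '^user') and create
# the directory once with:  install -d -o nginx -g nginx -m 0750 /var/cache/nginx/proxy_temp
http {
    # Spool responses that overflow the buffers here rather than under the default path
    proxy_temp_path /var/cache/nginx/proxy_temp 1 2;

    # Bigger in-memory buffers: a font of a few hundred kB then never touches disk.
    # These are allocated per connection, so size them against worker memory.
    proxy_buffer_size       64k;
    proxy_buffers           16 64k;
    proxy_busy_buffers_size 128k;

    # Cap on what may be spooled to disk; 0 disables temp files completely, at the
    # cost of the upstream being read at the client's pace for oversized responses.
    proxy_max_temp_file_size 64m;

    # ... the server blocks from the sections above go here
}
```

After a reload, repeat the request for the font and confirm that the error log stays free of "open() ... failed (13: Permission denied) while reading upstream"; if the buffers are large enough the proxy_temp directory stays empty.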
4. Proxying PHP reports "php-fpm: No pool defined"
Starting the php-fpm service:
[root@localhost etc]# service php-fpm start
Starting php-fpm [28-Nov-2016 17:13:23] WARNING: Nothing matches the include pattern ‘/usr/local/php/etc/php-fpm.d/*.conf’ from /usr/local/php/etc/php-fpm.conf at line 125.
[28-Nov-2016 17:13:23] ERROR: No pool defined. at least one pool section must be specified in config file
[28-Nov-2016 17:13:23] ERROR: failed to post process the configuration
[28-Nov-2016 17:13:23] ERROR: FPM initialization failed
Solution:
Go to <PHP install dir>/etc/php-fpm.d (here /usr/local/php/etc/php-fpm.d, the directory named in the warning) and restore the sample pool:
cp www.conf.default www.conf
Before starting, review listen, user and group in the copied file: the sample pool listens on 127.0.0.1:9000 and runs under its own account; keep it on loopback or a unix socket, and make sure fastcgi_pass in nginx points at the same address.
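Once the pool is running, nginx still has to be told which requests to pass to it, and this is where most PHP deployments go wrong. The server block below is an added example, not the original post's configuration: the try_files guard in the PHP location is the nginx-side defence against the well-known cgi.fix_pathinfo problem, where a request for an uploaded image with /x.php appended is executed as PHP. The host name, document root and upload path are placeholders.

```nginx
# Added example, not from the original post. Hands PHP requests to the pool restored
# from www.conf.default, which listens on 127.0.0.1:9000 unless you changed "listen".
# Host name, document root and the /uploads/ tree are placeholders.
server {
    listen 80;
    server_name php.example.com;
    root /var/www/app/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Only real files reach PHP. Without this guard a request for
        # /uploads/avatar.png/x.php is passed on with a SCRIPT_FILENAME that does not
        # exist, and php-fpm with cgi.fix_pathinfo=1 falls back to executing avatar.png
        # itself, turning an image upload into code execution.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Never expose dotfiles (.env, .git) and never let the upload tree run as code
    location ~ /\. { deny all; }
    location ^~ /uploads/ {
        location ~ \.php$ { deny all; }
    }
}
```

Verify with nginx -t, then request /uploads/avatar.png/x.php and a URL such as /.env: both must come back 404 or 403, never a PHP response. The php-fpm side of the same defence is security.limit_extensions in www.conf, which by default restricts execution to .php; keep both, since either one alone has been misconfigured away in practice.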
5. Allowing a directory's contents to be listed
By default nginx only looks for the file named by index; if that file does not exist the request fails with 403. Sometimes you want the directory contents shown instead when there is no index file, which the configuration below does. A listing exposes every file in the tree, including backups, dotfiles and anything uploaded by mistake, so enable it only for a location that is meant to be public, or pair it with allow/deny or auth_basic.
location / {
    # Directory listing
    autoindex on;
    # Avoid garbled non-ASCII file names. charset takes a single charset name;
    # a list such as "utf-8,gbk" is sent to the browser verbatim and not understood.
    charset utf-8;
    # ...
}
6. Adding Basic authentication to a path
Adding Basic auth in nginx prompts for a password when the site is visited, blocking unauthorised access (reference link). Basic auth only base64-encodes the credentials, so it must sit behind TLS: with the server also listening on port 80 as below, a plain-HTTP visitor sends the password in the clear, and port 80 should instead redirect to HTTPS as in section 1.
server {
    # Serving the password prompt over plain HTTP exposes the credentials; see the note above
    listen 80;
    listen 443 ssl;
    server_name sync.mysite.com;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    # TLSv1 and TLSv1.1 are deprecated; allow only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    access_log /var/log/nginx/https_syncthing_access.log;
    error_log /var/log/nginx/https_syncthing_error.log;
    root /var/www/html;
    location / {
        proxy_pass http://127.0.0.1:8384/;
        client_max_body_size 50m;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade needs HTTP/1.1 to the upstream (the proxy default is 1.0)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass_header Sec-Websocket-Extensions;
        index index.html index.htm;
        auth_basic "RESTRICTED ACCESS";            # enable the password prompt
        auth_basic_user_file /etc/nginx/.htpasswd;  # location of the credential file
    }
}
Adding a password (see https://www.openssl.org/docs/man3.0/man1/passwd.html); openssl prompts for the password on the terminal, so it never lands in shell history:
echo -n 'username:' >> /etc/nginx/.htpasswd
openssl passwd -apr1 >> /etc/nginx/.htpasswd
-apr1 is the MD5-based Apache scheme; openssl passwd -6 produces a SHA-512 crypt hash, which nginx also accepts on glibc systems through crypt(). Keep the file outside the web root and readable only by root and the worker's group (chmod 640, chown root:nginx, adjusting the group to the account in the user directive).
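In practice the password is rarely wanted on every path: monitoring needs an open health check, and the office network is easier to allow by address than by shared password. The server block below is an added example, not the original post's configuration; it combines auth_basic with an allow list through satisfy any, so a client passes if either condition holds, and exempts one exact path. The office address 203.0.113.10, the host name and the /healthz path are placeholders.

```nginx
# Added example, not the original post's config. Protects the proxied admin UI with a
# password but lets one allow-listed office address in without one (satisfy any), and
# leaves a health endpoint open for monitoring. Address, host and paths are placeholders.
server {
    listen 443 ssl http2;
    server_name sync.example.com;
    ssl_certificate     /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Uptime checks need no credentials; "=" keeps the match exact so nothing else rides along
    location = /healthz {
        auth_basic off;   # explicit, in case auth_basic is later moved to server level
        proxy_pass http://127.0.0.1:8384;
    }

    # Everything else: pass if the address is allow-listed OR the password is valid.
    # With "satisfy all" (the default) both conditions would have to hold.
    location / {
        satisfy any;
        allow 203.0.113.10;
        deny  all;
        auth_basic           "RESTRICTED ACCESS";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:8384;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

A client outside the allow list that sends no credentials receives 401 and the browser prompt; one inside it is never asked. The allow list compares $remote_addr, so if another proxy or load balancer sits in front of nginx that address is the proxy's, and the real client address has to be restored with the ngx_http_realip_module (set_real_ip_from and real_ip_header) before allow/deny mean anything.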
7. Blocking access by IP address, allowing only the domain name
Reference: http://nginx.org/en/docs/http/server_names.html
A catch-all default server answers every request whose Host header (or TLS server name) matches no real server_name, which includes requests addressed to the bare IP; the real sites must therefore list their names explicitly and must not be marked default_server. As originally written, the 443 listener had no certificate, which nginx rejects at config test; ssl_reject_handshake (nginx 1.19.4 and later) removes that requirement and also stops scanners from pulling the real site's certificate by connecting to the address directly.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # Refuse the TLS handshake for unknown names instead of presenting any certificate
    ssl_reject_handshake on;
    # Reached for plain HTTP only: 403 answers the client; return 444 would drop the connection silently
    return 403;
}