很多人都可以碰到一个陷阱。下面我们列出,我们经常看到的问题,以及解释如何解决这些问题。在Freenode上的#nginx IRC频道这些讨论很频繁。

1、权限

从来不要使用777权限,查看目录的权限

namei -om /path/to/check

2、root设置

BAD:

server {

    server_name www.example.com;

    location / {

        root /var/www/nginx-default/;

        # [...]

      }

    location /foo {

        root /var/www/nginx-default/;

        # [...]

    }

    location /bar {

        root /var/www/nginx-default/;

        # [...]

    }

}

GOOD:

server {

    server_name www.example.com;

    root /var/www/nginx-default/;

    location / {

        # [...]

    }

    location /foo {

        # [...]

    }

    location /bar {

        # [...]

    }

}

3、索引设置

BAD:

http {

    index index.php index.htm index.html;

    server {

        server_name www.example.com;

        location / {

            index index.php index.htm index.html;

            # [...]

        }

    }

    server {

        server_name example.com;

        location / {

            index index.php index.htm index.html;

            # [...]

        }

        location /foo {

            index index.php;

            # [...]

        }

    }

}

GOOD:

http {

    index index.php index.htm index.html;

    server {

        server_name www.example.com;

        location / {

            # [...]

        }

    }

    server {

        server_name example.com;

        location / {

            # [...]

        }

        location /foo {

            # [...]

        }

    }

}

4、Using If

if 是邪恶的 参见 If Is Evil

5、Server Name (If)

BAD:

server {

    server_name example.com *.example.com;

        if ($host ~* ^www\.(.+)) {

            set $raw_domain $1;

            rewrite ^/(.*)$ $raw_domain/$1 permanent;

        }

        # [...]

    }

}

每次都要检测主机头,这是低效的,你应该避免,推荐使用下面的

GOOD:

server {

    server_name www.example.com;

    return 301 $scheme://example.com$request_uri;

}

server {

    server_name example.com;

    # [...]

}

这样方式便于阅读,降低了nginx的处理要求,而且也避免了硬编码(http or https)

6、Check (If) File Exists

使用if来判断是可怕的,你应该使用 try_files

BAD:

server {

    root /var/www/example.com;

    location / {

        if (!-f $request_filename) {

            break;

        }

    }

}

GOOD:

server {

    root /var/www/example.com;

    location / {

        try_files $uri $uri/ /index.html;

    }

}

try_files 意味着你测试一个队列 $uri => $uri/ => index.html,这种方法简单,而且可以避免if

7、Web Apps中的控制器

Drupal, Joomla, etc. to work, just use this:

try_files $uri $uri/ /index.php?q=$uri&$args;

Note - the parameter names are different based on the package you’re using. For example:

  • “q” is the parameter used by Drupal, Joomla, WordPress
  • “page” is used by CMS Made Simple

一些软件不需要 query string, 可以读取 REQUEST_URI (例如,WordPress):

try_files $uri $uri/ /index.php;

如果你不关心目录是否存在,你可以移除 $uri/

8、Passing Uncontrolled Requests to PHP

很多PHP网站中,配置nginx的例子中建议使用 .php (to the PHP interpretet)作为uri的结尾,这例有一个严重的安全问题对于大多数PHP程序,因为它可能允许执行任何第三方代码

The problem section usually looks like this:

location ~* \.php$ {

    fastcgi_pass backend;

    # [...]

}

Here, every request ending in .php will be passed to the FastCGI backend. The issue with this is that the default PHP configuration tries to guess which file you want to execute if the full path does not lead to an actual file on the filesystem.

For instance, if a request is made for /forum/avatar/1232.jpg/file.php which does not exist but if/forum/avatar/1232.jpg does, the PHP interpreter will process /forum/avatar/1232.jpg instead. If this contains embedded PHP code, this code will be executed accordingly.

Options for avoiding this are:

  • Set cgi.fix_pathinfo=0 in php.ini. This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
  • Ensure that NGINX only passes specific PHP files for execution:
location ~* (file_a|file_b|file_c)\.php$ {

    fastcgi_pass backend;

    # [...]

}
  • 在上传目录禁止执行任何PHP代码
location /uploaddir {

    location ~ \.php$ {return 403;}

    # [...]

}
  • 使用try_files指令过滤
location ~* \.php$ {

    try_files $uri =404;

    fastcgi_pass backend;

    # [...]

}
  • 使用嵌套位置过滤
location ~* \.php$ {

    location ~ \..*/.*\.php$ {return 404;}

    fastcgi_pass backend;

    # [...]

}

9、FastCGI Path in Script Filename

尽量使用 include fastcgi_params 中的变量,不管什么语言都是一样

GOOD:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

BAD:

fastcgi_param  SCRIPT_FILENAME    /var/www/yoursite.com/$fastcgi_script_name;

10、Taxing Rewrites

我们应该努力让他们保持整洁。很简单,不添加冗余代码。

BAD:

rewrite ^/(.*)$ http://example.com/$1 permanent;

GOOD:

rewrite ^ http://example.com$request_uri? permanent;

BETTER:

return 301 http://example.com$request_uri;

通过使用内置的变量$ REQUEST_URI,我们可以有效地避免做任何捕获或匹配的。

11、Rewrite Missing http://

很简单,除非你告诉NGINX他们不是重写是相对的。一个重写绝对很简单。添加一个scheme

BAD:

rewrite ^ example.com permanent;

GOOD:

rewrite ^ http://example.com permanent;

添加 http:// 到重写规则内,简单,高效

12、Proxy Everything

BAD:

server {

    server_name _;

    root /var/www/site;

    location / {

        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_pass unix:/tmp/phpcgi.socket;

    }

}

Yucky. In this instance, you pass EVERYTHING to PHP. Why? Apache might do this, you don’t need to. Let me put it this way... The try_files directive exists for an amazing reason. It tries files in a specific order. This means that NGINX can first try to server the static content. If it can’t, then it moves on. This means PHP doesn’t get involved at all. MUCH faster. Especially if you’re serving a 1MB image over PHP a few thousand times versus serving it directly. Let’s take a look at how to do that.

GOOD:

server {

    server_name _;

    root /var/www/site;

    location / {

        try_files $uri $uri/ @proxy;

    }

    location @proxy {

        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_pass unix:/tmp/phpcgi.socket;

    }

}

Also GOOD:

server {

    server_name _;

    root /var/www/site;

    location / {

        try_files $uri $uri/ /index.php;

    }

    location ~ \.php$ {

        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_pass unix:/tmp/phpcgi.socket;

    }

}

It’s easy, right? You see if the requested URI exists and can be served by NGINX. If not, is it a directory that can be served. If not, then you pass it to your proxy. Only when NGINX can’t serve that requested URI directly does your proxy overhead get involved.

Now.. consider how much of your requests are static content, such as images, css, javascript, etc. That’s probably a lot of overhead you just saved.

12、Config Changes Not Reflected

Browser cache. Your configuration may be perfect but you’ll sit there and beat your head against a cement wall for a month. What’s wrong is your browser cache. When you download something, your browser stores it. It also stores how that file was served. If you are playing with a types{} block you’ll encounter this.

The fix:

  • In Firefox press Ctrl+Shift+Delete, check Cache, click Clear Now. In any other browser just ask your favorite search engine. Do this after every change (unless you know it’s not needed) and you’ll save yourself a lot of headaches.
  • Use curl.

13、VirtualBox

If this does not work, and you’re running NGINX on a virtual machine in VirtualBox, it may be sendfile() that is causing the trouble. Simply comment out the sendfile directive or set it to “off”. The directive is most likely found in your nginx.conf file.:

sendfile off;

13、Missing (disappearing) HTTP Headers

If you do not explicitly set underscores_in_headers on, NGINX will silently drop HTTP headers with underscores (which are perfectly valid according to the HTTP standard). This is done in order to prevent ambiguities when mapping headers to CGI variables as both dashes and underscores are mapped to underscores during that process.

14、Not Using Standard Document Root Locations

Some directories in any file system should never be used for hosting data from. Some of these include / androot. You should never use these as your document root.

Doing this leaves you open to a request outside of your expected area returning private data.

NEVER DO THIS!!! (yes, we have seen this)

server {

    root /;

    location / {

        try_files /web/$uri $uri @php;

    }

    location @php {

        [...]

    }

}

When a request is made for /foo, the request is passed to php because the file isn’t found. This can appear fine, until a request in made for /etc/passwd. Yup, you just gave us a list of all users on that server. In some cases, the NGINX server is even set up run workers as root. Yup, we now have your user list as well as password hashes and how they’ve been hashed. We now own your box.

The Filesystem Hierarchy Standard defines where data should exist. You should definitely read it. The short version is that you want your web content to exist in either /var/www//srv/usr/share/www.

15、Using the Default Document Root

NGINX packages that exist in Ubuntu, Debian, or other operating systems, as an easy-to-install package will often provide a ‘default’ configuration file as an example of configuration methods, and will often include a document root to hold a basic HTML file.

Most of these packaging systems do not check to see if files are modified or exist within the default document root, which can result in code loss when the packages are upgraded. Experienced system administrators know that there is no expectation of the data inside the default document root to remain untouched during upgrades.

You should not use the default document root for any site-critical files. There is no expectation that the default document root will be left untouched by the system and there is an extremely high possibility that your site-critical data may be lost upon updates and upgrades to the NGINX packages for your operating system.

16、Using a Hostname to Resolve Addresses

BAD:

upstream {

    server http://someserver;

}

server {

    listen myhostname:80;

    # [...]

}

You should never use a hostname in a listen directive. While this may work, it will come with a large number of issues. One such issue being that the hostname may not resolve at boot time or during a service restart. This can cause NGINX to be unable to bind to the desired TCP socket which will prevent NGINX from starting at all.

A safer practice is to know the IP address that needs to be bound to and use that address instead of the hostname. This prevents NGINX from needing to look up the address and removes dependencies on external and internal resolvers.

This same issue applies to upstream locations. While it may not always be possible to avoid using a hostname in an upstream block, it is bad practice and will require careful considerations to prevent issues.

GOOD:

upstream {

    server http://10.48.41.12;

}

server {

    listen 127.0.0.16:80;

    # [...]

}

17、Using SSLv3 with HTTPS

由于SSLv3的POODLE 漏洞,建议使用在SSL网站禁用,仅仅使用TLS协议代替

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

原文:https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/

【nginx】常见的陷阱和错误的更多相关文章

  1. nginx常见内部参数,错误总结

    1.日志简介 nginx日志主要有两种:访问日志和错误日志.访问日志主要记录客户端访问nginx的每一个请求,格式可以自定义:错误日志主要记录客户端访问nginx出错时的日志,格式不支持自定义.两种日 ...

  2. Nginx常见错误与问题之解决方法技术指南

      Nginx常见错误与问题之解决方法技术指南. 安装环境: 系统环境:redhat enterprise 6.5 64bit 1.Nginx 常见启动错误 有的时候初次安装nginx的时候会报这样的 ...

  3. Java 中最常见的 5 个错误

    在编程时,开发者经常会遭遇各式各样莫名错误.近日,Sushil Das 在 Geek On Java上列举了 Java 开发中常见的 5 个错误,与君共「免」. 原文链接:Top 5 Common M ...

  4. Nginx详解二十五:Nginx架构篇之Nginx常见的问题

    Nginx常见的问题 1.相同server_name多个虚拟主机优先级访问,是按读取文件的优先级来排序 在/opt/app/下准备3个code文件夹,下面放入3个html文件,里面的内容分别是code ...

  5. Nginx常见的安装方式

    Nginx常见的安装方式 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.Nginx概述 Nginx的安装版本分为开发版.稳定版和过期版, Nginx安装可以使用yum或源码安装 ...

  6. Nginx提示502和504错误的解决方案

    一.错误提示说明: Nginx 502 Bad Gateway的含义是请求的PHP-CGI已经执行,但是由于某种原因(一般是读取资源的问题)没有执行完毕而导致PHP-CGI进程终止. Nginx 50 ...

  7. mysql 常见的几个错误问题

    Mysql常见的几个错误问题及解决方法: 1.问题: mysql DNS反解:skip-name-resolve 错误日志有类似警告: 点击(此处)折叠或打开 120119 16:26:04 [War ...

  8. SEO中最常见的几个错误

    昨天答应给放点干活的,今天如约而来! SEO中最常见的几个错误: 1.关键词   人们往往想当然的选择自己喜欢的keyword,但用户在搜索时,根本不会使用它们.比方说,你选择"优化果酱&q ...

  9. Nginx的500,502,504错误解决方法

    Nginx的500,502,504错误解决方法 一.解决500错误: 1.500错误指的是服务器内部错误,也就是服务器遇到意外情况,而无法履行请求. 2.500错误一般有几种情况: (1)web脚本错 ...

随机推荐

  1. SQL实现分组查询取前几条记录

    我要实现的功能是统计订单日志表中每一个订单的前三条日志记录,表结构如下: 一个订单在定点杆日志表中有多条记录,要根据时间查询出每一个订单的前三条日志记录,sql如下: select b.OrderNu ...

  2. MySQL中自己不太常用的命令

    一 更改表的信息 alter table students add primary key (stunum); 为已经创建好的表添加主键. alter语句不仅可以添加主键,还可以对已经创建好的表修改一 ...

  3. 四则运算APP(BUG发掘)

    BUG: 1.有几率会出现一样的题目. 2.题目会出现两个一样的答案. 3.做题结束后不能返回主界面或者重新开始. 感想: 1.题目应该按年级分类出题. 2.主界面可以添加更多功能 如自己输入题目数, ...

  4. 前端自动化工具 -- Gulp 使用简介

    gulp是基于流的前端自动化构建工具. 之前也谈到了 grunt的用法,grunt其实就是配置+配置的形式. 而gulp呢,是基于stream流的形式,也就是前一个函数(工厂)制造出结果,提供后者使用 ...

  5. LeetCode - 31. Next Permutation

    31. Next Permutation Problem's Link ---------------------------------------------------------------- ...

  6. macbook装双系统多分区其实很简单,你只要把macbook当作一台普通pc就可以了!

    macbook装双系统多分区其实很简单,你只要把macbook当作一台普通pc就可以了! 不用理会苹果官网的警告,苹果官网警告你只能用bootcamp安装且不能多分区,把人吓得不轻.其实不用过多担心, ...

  7. ANT自动打包U3D安卓项目研究笔记

    概述 因项目使用Atlassian Stash作为项目源码管理端,且其支持Ant命令自动编译,可使其根据最新的代码自动打包,故产生该研究Ant打包的任务.在此将研究过程及一些相关知识整理记录在此. 本 ...

  8. WPF 实际国际化多语言界面

    前段时候写了一个WPF多语言界面处理,个人感觉还行,分享给大家.使用合并字典,静态绑定,动态绑定.样式等东西 效果图 定义一个实体类LanguageModel,实际INotifyPropertyCha ...

  9. 【OpenCV】OpenCV中GPU模块使用

    CUDA基本使用方法 在介绍OpenCV中GPU模块使用之前,先回顾下CUDA的一般使用方法,其基本步骤如下: 1.主机代码执行:2.传输数据到GPU:3.确定grid,block大小: 4.调用内核 ...

  10. 优化磁盘I/O

    管理I/O,避免过度地寻道可以让硬盘更快.顺序I/O和随机I/O之间的性能差异随便就可以达到40:1,可能更多.这在数据库服务器中尤其重要,因为数据库的日志是以顺序格式写的.选择合适的硬件,合理地配置 ...