403 status with nginx on FreeBSD

I am trying to switch from an Apache hosting solution to nginx with php-fpm on FreeBSD 9.2.

I am rewriting my script, which now creates the vHosts and the nginx configuration, and I get a 403 status when I try to access the vHost.

I have been struggling for several hours and cannot figure out which permissions to set. Do you have any idea?

Here is my createvhost.sh:

    #!/usr/local/bin/bash

    DOMAIN="example.com"
    PHP_USER="chris_www"
    PHP_GROUP="$PHP_USER"
    NGINX_USER="www"
    NGINX_GROUP="$NGINX_USER"
    ADMIN_EMAIL="[email protected]"
    NGINX_CONF_FOLER="/usr/local/etc/nginx"
    PHP_FPM_CONF_FOLDER="/usr/local/etc/php-fpm.d"
    WEBROOT="/www/vhosts"
    IP="10.0.0.4"
    VHOST_PORT=9000
    source $WEBROOT/config/vhost_port.conf

    ## Create user and add it to $NGINX_GROUP
    echo "Creating user and adding it to group $NGINX_GROUP"
    pw user add $PHP_USER -s /sbin/nologin
    pw group mod $PHP_GROUP -m $NGINX_GROUP

    echo "Creating neccessary folders"
    mkdir -p $WEBROOT/$DOMAIN/{conf,www,log,tmp,certs,sessions}
    chown root:$PHP_USER $WEBROOT/$DOMAIN
    chmod 750 $WEBROOT/$DOMAIN
    chown $PHP_USER:$PHP_USER $WEBROOT/$DOMAIN/*
    chown -R $PHP_USER:$PHP_USER $WEBROOT/$DOMAIN/www/*
    chmod 755 $WEBROOT/$DOMAIN/*
    chmod 550 $WEBROOT/$DOMAIN/conf

    ## Create template for ssl cert creation
    cat > $WEBROOT/$DOMAIN/conf/ssleay.cnf $NGINX_CONF_FOLER/sites-avaliable/$DOMAIN.conf $PHP_FPM_CONF_FOLDER/$DOMAIN.conf $WEBROOT/config/vhost_port.conf

    echo "Restarting nginx"
    /usr/local/etc/rc.d/nginx restart
    echo "Restarting php-fpm"
    /usr/local/etc/rc.d/php-fpm restart
    echo "Finished."

Here is my nginx.conf:

    user www www;
    worker_processes 8;
    pid /var/run/nginx.pid;
    worker_rlimit_nofile 8192;

    events {
        use kqueue;
        worker_connections 8192;
    }

    http {
        #set_real_ip_from xxx.xxx.xxx.xxx;
        real_ip_header 'X-Forwarded-For';

        # Logging
        log_format main '$remote_addr - $remote_user [$time_local] $status "$request" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
        access_log off;
        error_log /var/log/nginx-error.log crit;

        # MIME-Types
        include mime.types;
        default_type application/octet-stream;

        # General
        index index.php index.htm;
        server_tokens on;
        client_header_timeout 5;
        client_body_timeout 10;
        client_max_body_size 16m;
        ignore_invalid_headers on;
        send_timeout 10;

        # Performance tuning
        sendfile on;
        server_names_hash_bucket_size 128;
        tcp_nodelay on;
        tcp_nopush on;
        aio sendfile;
        keepalive_timeout 5;

        # DDoS mitigation
        limit_req_zone $binary_remote_addr zone=antiddos:10m rate=1r/s;

        # GZIP
        gzip on;
        gzip_min_length 1000;
        gzip_vary on;
        gzip_http_version 1.1;
        gzip_comp_level 6;
        gzip_proxied any;
        gzip_buffers 16 8k;
        gzip_types text/plain text/css application/x-javascript text/xml application/xml text/javascript;
        gzip_disable "MSIE [1-6]\.";

        # SSL
        ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:RC41RSA:1HIGH:!kEDH;

        # vHost configurations
        include /usr/local/etc/nginx/sites-enabled/*.conf;

        # Empty vHost (default)
        server {
            server_name _;
            listen 80 default;
            access_log off;
            error_log off;
            root /www/vhosts/defaulthost/www;

            # Error pages
            #include error_pages.conf;

            location / {
                index index.htm;
                rewrite ^ index.htm;
            }

            limit_req zone=antiddos burst=5 nodelay;
        }
    }

Here is the output of ls -ARl /www/:

    ls -ARl /www/
    total 2
    drwxr-xr-x  5 www  www  5 20 Dez 00:48 vhosts

    /www/vhosts:
    total 5
    drwxr-xr-x  2 root       wheel      3 20 Dez 00:10 config
    drwxr-x---  8 root       www        8 20 Dez 00:48 defaulthost
    drwxr-x---  8 chris_www  chris_www  8 20 Dez 00:09 example.com

    /www/vhosts/config:
    total 1
    -rw-r--r--  1 root  wheel  16 20 Dez 00:10 vhost_port.conf

    /www/vhosts/defaulthost:
    total 9
    drwxr-x---  2 root  www  2 20 Dez 00:50 certs
    drwxr-x---  2 root  www  2 20 Dez 00:48 conf
    drwxr-x---  2 root  www  2 20 Dez 00:50 log
    drwxr-x---  2 root  www  2 20 Dez 00:48 sessions
    drwxr-x---  2 root  www  2 20 Dez 00:48 tmp
    drwxr-x---  2 root  www  3 20 Dez 00:48 www

    /www/vhosts/defaulthost/certs:
    total 0

    /www/vhosts/defaulthost/conf:
    total 0

    /www/vhosts/defaulthost/log:
    total 0

    /www/vhosts/defaulthost/sessions:
    total 0

    /www/vhosts/defaulthost/tmp:
    total 0

    /www/vhosts/defaulthost/www:
    total 1
    -rwxr-x---  1 root  www  24 20 Dez 00:48 index.htm

    /www/vhosts/example.com:
    total 9
    drwxr-x---  2 chris_www  chris_www  5 20 Dez 00:10 certs
    drwxr-x---  2 chris_www  chris_www  2 20 Dez 00:09 conf
    drwxr-x---  2 chris_www  chris_www  5 20 Dez 00:10 log
    drwxr-x---  2 chris_www  chris_www  2 20 Dez 00:09 sessions
    drwxr-x---  2 chris_www  chris_www  2 20 Dez 00:09 tmp
    drwxr-x---  2 chris_www  chris_www  3 20 Dez 00:42 www

    /www/vhosts/example.com/certs:
    total 5
    -rwxr-x---  1 chris_www  chris_www  757 20 Dez 00:10 example.com.crt
    -rwxr-x---  1 chris_www  chris_www  603 20 Dez 00:10 example.com.csr
    -rwxr-x---  1 chris_www  chris_www  887 20 Dez 00:10 example.com.key

    /www/vhosts/example.com/conf:
    total 0

    /www/vhosts/example.com/log:
    total 65
    -rwxr-x---  1 chris_www  chris_www  23432 20 Dez 01:11 nginx.access.log
    -rwxr-x---  1 chris_www  chris_www  40968 20 Dez 01:11 nginx.error.log
    -rwxr-x---  1 chris_www  chris_www      0 20 Dez 00:10 php-fpmslow.log

    /www/vhosts/example.com/sessions:
    total 0

    /www/vhosts/example.com/tmp:
    total 0

    /www/vhosts/example.com/www:
    total 1
    -rwxr-x---  1 chris_www  chris_www  24 20 Dez 00:34 index.htm

This:

    user www www;
    worker_processes 8;

and this:

    /www/vhosts:
    total 5
    drwxr-xr-x  2 root       wheel      3 20 Dez 00:10 config
    drwxr-x---  8 root       www        8 20 Dez 00:48 defaulthost
    drwxr-x---  8 chris_www  chris_www  8 20 Dez 00:09 example.com

Without looking any further, I assume your intention is for nginx to serve example.com from /www/vhosts/example.com.

But how could it possibly do that without read/execute permission?

You must make sure that the user and/or group www can access every directory leading to the content it is supposed to serve.

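If you do not want to add the www user to the chris_www group, and assuming you also do not want to add the +x flag to example.com, you could consider using FreeBSD's access control list (ACL) support for UFS. I recently wrote a small article about it: http://pgib.me/blog/2014/01/06/freebsd-acls-ftw/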
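The check the answer describes, as an added example that is not part of the original thread: walk every component on the way to a file and report the first one that a given uid and group set cannot pass. The function names are hypothetical, only the classic mode bits are evaluated (ACLs and root's override are not), and the uid and gids to pass in are assumed to come from `id -u www` and `id -G www`.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Evaluates mode bits only:
# ACL entries and root's override are not taken into account.

# may_pass UID "GIDS" PATH: can this uid/gid set search PATH (directory)
# or read it (anything else)?
may_pass() {
    mp_ls=$(ls -ldnL "$3" 2>/dev/null) || return 1
    mp_mode=${mp_ls%% *}                          # e.g. drwxr-x---
    mp_owner=$(echo "$mp_ls" | awk '{print $3}')  # numeric uid
    mp_group=$(echo "$mp_ls" | awk '{print $4}')  # numeric gid
    mp_off=8                                      # "other" triplet
    if [ "$mp_owner" = "$1" ]; then
        mp_off=2                                  # owner triplet wins
    else
        for mp_g in $2; do
            if [ "$mp_g" = "$mp_group" ]; then mp_off=5; fi   # group triplet
        done
    fi
    case $mp_mode in
        d*) mp_bit=$(echo "$mp_mode" | cut -c"$((mp_off + 2))"); mp_want='[xst]' ;;
        *)  mp_bit=$(echo "$mp_mode" | cut -c"$mp_off"); mp_want='r' ;;
    esac
    case $mp_bit in $mp_want) return 0 ;; *) return 1 ;; esac
}

# first_blocked UID "GIDS" PATH [START]: print the first component below
# START (default: /) that blocks access and return 1; return 0 if none does.
first_blocked() {
    fb_uid=$1; fb_gids=$2; fb_cur=${4:-}
    fb_rest=${3#"$fb_cur"}
    fb_ifs=$IFS; IFS=/; set -f
    set -- $fb_rest                               # split the path on "/"
    set +f; IFS=$fb_ifs
    for fb_comp in "$@"; do
        if [ -z "$fb_comp" ]; then continue; fi
        fb_cur="$fb_cur/$fb_comp"
        if ! may_pass "$fb_uid" "$fb_gids" "$fb_cur"; then
            echo "$fb_cur"
            return 1
        fi
    done
    return 0
}

# Example call (the uid and gid values are assumptions, check them with id www):
#   first_blocked 80 "80" /www/vhosts/example.com/www/index.htm
```

A directory needs the search (x) bit for every component; only the final file needs the read bit, which is why a single 750 directory owned by another user and group is enough to produce the 403.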