2018-3-15 Week 12 Lesson 4: Nginx hotlink protection, access control, configuring PHP parsing, proxy
[root@localhost test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
~* means the match is case-insensitive
Whitelist *.test.com; if the Referer is not on the whitelist, return 403
[root@localhost test.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:07:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:08:44 GMT
Content-Type: image/gif
Content-Length: 20
Last-Modified: Wed, 14 Mar 2018 14:32:47 GMT
Connection: keep-alive
ETag: "5aa9328f-14"
Expires: Wed, 21 Mar 2018 15:08:44 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost test.com]# cat /tmp/test.com.log
127.0.0.1 - [14/Mar/2018:22:33:25 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:33:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:36:25 +0800] test.com "/2.jsdafafa" 404 "-" "curl/7.29.0"
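The hotlink-protection block itself was only shown as a screenshot in the course. As an added example (not the course's own vhost file), this is the form of test.com.conf that produces the two curl results above; the document root and the list of protected extensions are assumed:

```nginx
server {
    listen 80;
    server_name test.com www.test.com;
    root /data/wwwroot/test.com;   # assumed document root

    # ~* : case-insensitive regex, so 1.GIF is protected as well as 1.gif.
    # Only static assets are checked; index.html is still served to anyone.
    location ~* ^.+\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|js|css)$ {
        # none         : request carries no Referer at all (direct visit, curl without -e)
        # blocked      : Referer present but rewritten by a proxy/firewall (no http://)
        # server_names : any name listed in server_name above
        # *.test.com   : any sub-domain of test.com
        valid_referers none blocked server_names *.test.com;

        # $invalid_referer is "1" when the Referer matched none of the entries,
        # e.g. the http://www.baidu.com test above -> 403.
        if ($invalid_referer) {
            return 403;
        }

        expires 7d;   # matches the Expires/Cache-Control headers in the 200 reply
    }
}
```

Run /usr/local/nginx/sbin/nginx -t and -s reload, then repeat the two curl -e tests. Keep in mind what this does and does not protect: the Referer header is set by the client, so the rule stops casual embedding of your images on other sites and saves bandwidth, but anyone who sends a forged Referer (or none, because of the none entry) still gets the file; it is a bandwidth control, not an access control.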
12.14 Nginx access control
· Important or confidential content should not be reachable by outsiders; set up a whitelist that only allows your own public IP or the company's public IP to access it
· For a directory:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
allow and deny in the configuration file:
The allow and deny here do not follow the same rules as allow and deny under Order in apache
In apache, if allow comes before deny, the final result is deny;
In nginx, allow is a matching mechanism: once a rule matches, the rules below it are not evaluated. In this example, a request from 127.0.0.1 matches the first allow and the rules below it are not evaluated; a request from 127.0.0.2 matches neither of the first two rules, so matching continues to the third rule and the request is denied.
· Using regex matching
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload  ## create the upload directory
[root@localhost ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# cat !$  ## create 1.php and check whether it is parsed
cat /data/wwwroot/test.com/upload/1.php
23wewerwer
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@localhost ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.txt
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
23wewerwer
(1.php cannot be parsed, whereas 1.txt in the same directory is served normally)
[root@localhost ~]# cat /tmp/test.com.log
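Both restrictions above (allow/deny for a directory, and the regex block that keeps .php files under upload/ away from php-fpm) were shown as screenshots. Here they are written out as an added example, not the course's own file; the /admin/ path, the 192.168.100.0/24 office range and the php-fpm socket path are assumed:

```nginx
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;

    # Per-directory restriction by client address. Rules are checked from the
    # top and the first match wins, so "deny all" has to come last.
    location /admin/ {
        allow 127.0.0.1;          # local tests (curl -x127.0.0.1:80) match here and stop
        allow 192.168.100.0/24;   # assumed office network
        deny all;                 # everything else, e.g. 127.0.0.2 -> 403
    }

    # Regex restriction: a .php file under upload/ or image/ must never be
    # executed, whoever put it there. Regex locations are also tried in the
    # order they appear, so this block must sit ABOVE the generic \.php$
    # handler below; otherwise the handler matches first and runs the file.
    location ~ .*(upload|image)/.*\.php$ {
        deny all;                 # curl test.com/upload/1.php -> 403, 1.txt unaffected
    }

    # Generic PHP handler (socket path assumed, see the php-fpm section).
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After nginx -t and -s reload, a denied request is recorded with status 403 in /tmp/test.com.log; a burst of 403s against /upload/*.php is worth looking at, because it usually means an upload form was used to drop a script that this rule is now refusing to execute.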
· Restricting by user_agent:
Useful when the site is under a CC attack, when you want to block certain spiders, or when you want to hide the site so it cannot be found through search engines
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "Tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:26:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:27:15 GMT
Content-Type: text/plain
Content-Length: 11
Last-Modified: Thu, 15 Mar 2018 13:07:37 GMT
Connection: keep-alive
ETag: "5aaa7019-b"
Accept-Ranges: bytes
· Any User-Agent containing the keyword Tomato is blocked; because the match is exact (case-sensitive), tomato does not match
To match case-insensitively, add * after ~ in the configuration file, as shown in the figure below
After reloading, the lowercase variant is blocked as well
[root@localhost ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:31:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
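The user_agent rule was also only shown as a screenshot. The following is an added example, not the course's own file, that goes a step beyond the single if of the notes: the decision is taken in a map so that both the case-sensitive (~) and case-insensitive (~*) forms can be seen side by side. It assumes the vhost file is included inside the http {} block of nginx.conf (map is only allowed there), and "examplebot" is a constructed name, not a real crawler:

```nginx
# One evaluation per request: $block_ua becomes 1 for unwanted agents.
map $http_user_agent $block_ua {
    default 0;
    ~Tomato 1;        # "~"  : case-sensitive, matches "Tomatosdafdsf" but not "tomatosdafdsf"
    ~*examplebot 1;   # "~*" : case-insensitive, matches ExampleBot, EXAMPLEBOT, ...
}

server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;

    # Same effect as the inline form used in the notes,
    #   if ($http_user_agent ~* 'Tomato') { return 403; }
    # but the pattern list lives in the map above.
    if ($block_ua) {
        return 403;
    }
}
```

The User-Agent string is chosen by the client, so this turns away crawlers that announce themselves and a flood that keeps one fixed string, but not a client that simply changes the header; treat it as a coarse filter and watch the 403 count in the access log (the log format above already records the agent) to see whether the rule is actually firing.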
12.15 Nginx PHP parsing configuration
· Configuring PHP parsing:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
After saving, do not reload the configuration yet; first create a new PHP file with the following content
[root@localhost ~]# vi /data/wwwroot/test.com/3.php
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<?php phpinfo();
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
(the output is too long to list in full)
If the socket file path in the configuration is wrong:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
A 502 error is returned
[root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
The log shows that the .sock path is wrong; look in php-fpm.conf to find the real socket path
[root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
After correcting the PHP-parsing settings in the vhost configuration, the page is served normally again
· Listening on an IP and port
If php-fpm listens on a port instead of a socket, as shown in the figure below
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost ~]# /usr/local/php-fpm/sbin/php-fpm -t  ## check the configuration
[15-Mar-2018 22:13:07] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload  ## reload
[root@localhost ~]# netstat -lntp  ## port 9000 is now listening
[root@localhost ~]# !curl  ## still a 502 error
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@localhost ~]# !tail
tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/03/15 22:15:43 [crit] 1821#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
Comment out the original fastcgi_pass and add 127.0.0.1:9000
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/php-fpm/sbin/php-fpm -t
[15-Mar-2018 22:24:19] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
PHP is now parsed
(So the php-fpm configuration and the virtual host configuration must correspond one to one: socket to socket, port to port)
★ SCRIPT_FILENAME in the vhost configuration must use the same path as the root directive at the top of the configuration:
· In php-fpm.conf, listen.mode sets the permissions that let nginx read /tmp/php-fcgi.sock
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
· Without this setting, php-fcgi.sock is created with the default mode 440, owned by user and group root; nginx runs as nobody and cannot read it, so an error results. Let's test this below
Change the virtual host back to php-fcgi.sock, matching php-fpm.conf
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
(The 502 error is precisely due to the permission problem)
The error log shows a Permission denied error as well
[root@localhost ~]# cat /usr/local/nginx/logs/nginx_error.log
[root@localhost ~]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 3月 15 22:48 /tmp/php-fcgi.sock
[root@localhost ~]# ps aux |grep nginx
nginx runs as nobody and has no read permission on php-fcgi.sock, hence the 502; for requests to work it needs at least read and write access
Temporarily change the owner of /tmp/php-fcgi.sock to nobody; the 502 error then disappears
[root@localhost ~]# chown nobody /tmp/php-fcgi.sock
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:00:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Therefore, listen.mode in /usr/local/php-fpm/etc/php-fpm.conf must grant everyone read and write permission on /tmp/php-fcgi.sock
· php-fpm running out of resources also produces 502 errors; in that case php-fpm needs tuning
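Pulling the PHP section together, here is an added example of the PHP handler for test.com (not the course's own file; the socket path, document root and pool user are taken from the notes, the try_files guard is an addition). Each nginx value is annotated with the php-fpm.conf setting it has to agree with, since every 502 in this section came from one side not matching the other:

```nginx
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;     # SCRIPT_FILENAME below must point here
    index index.html index.php;

    location ~ \.php$ {
        # Only hand php-fpm scripts that really exist on disk; a request for a
        # path that does not exist gets a 404 here instead of a php-fpm error.
        try_files $uri =404;

        include fastcgi_params;

        # Socket form. Must equal "listen = /tmp/php-fcgi.sock" in the [www]
        # pool of php-fpm.conf; the typo php-cgi.sock produced the
        # "No such file or directory" 502 shown above.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # TCP form. Use this line instead when the pool has
        # "listen = 127.0.0.1:9000"; mixing socket and port also gives 502.
        # fastcgi_pass 127.0.0.1:9000;

        fastcgi_index index.php;
        # Same directory as root above. Referring to $document_root instead of
        # retyping /data/wwwroot/test.com makes the two unable to drift apart.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

On the php-fpm side the notes use listen.mode = 666 so that everyone can read and write the socket. A narrower setting that also clears the Permission denied 502 is listen.owner = nobody, listen.group = nobody, listen.mode = 0660, which lets only the nginx worker user (nobody here, as ps aux | grep nginx showed) talk to php-fpm; after reloading php-fpm, ll /tmp/php-fcgi.sock should show that owner and mode.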
12.16 Nginx proxy
1. Users cannot reach the Web server directly; the Web server has only a private IP
2. Users can reach the Web server, but access is too slow
The proxy can communicate with both the user and the Web server; acting as the intermediary, it fetches the content on the user's behalf and returns the result to the user
[root@localhost ~]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim proxy.conf
proxy_pass: the Web server's IP address
proxy_set_header Host: the hostname/domain being accessed ($host, i.e. the server_name)
proxy_set_header X-Real-IP: the client's real IP
[root@localhost vhost]# curl ask.apelearn.com/robots.txt
[root@localhost vhost]# curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt
Error summary:
When running curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt I got a 502 error. I checked the configuration file and found nothing wrong; then it occurred to me that the IP of ask.apelearn.com might be wrong, so I used the host command to look up the site's IP and found it had changed. I then updated the proxy_pass IP in proxy.conf.
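The proxy.conf from the course was only shown as a screenshot. As an added example (not the course's own file), this is the shape of that reverse-proxy vhost; the backend address is a deliberate placeholder, since the page does not state it, and the X-Forwarded-For line is an addition to the three directives listed above:

```nginx
# nginx resolves the proxy_pass address once at start/reload, so write the
# address that "host ask.apelearn.com" returns today and re-check it when a
# 502 appears (the error-summary case above). nginx -t fails until the
# placeholder is replaced.
server {
    listen 80;
    server_name ask.apelearn.com;   # only requests for this Host are proxied

    location / {
        proxy_pass http://UPSTREAM_IP_PLACEHOLDER/;

        # Forward the original Host so the backend's name-based vhost
        # selects the right site; $host is the incoming Host header.
        proxy_set_header Host $host;
        # Give the backend the real client address; without these headers
        # its access log only ever shows this proxy's IP.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Keep server_name fixed to the site being proxied: a catch-all server_name combined with a proxy_pass built from the request's own Host header would turn this box into an open proxy for arbitrary destinations. When a 502 shows up, /usr/local/nginx/logs/nginx_error.log names the upstream it failed to connect to, exactly as it did for the php-fpm socket above.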
Corrections are welcome; let's learn from each other and improve together!!!