14.Nginx防盜鏈&Nginx訪問控制&Nginx解析php相關配置&Nginx代理
一、Nginx防盜鏈:
1. 打開配置文件:
增加如下配置文件:
[root@xavi ~]# cd /usr/local/nginx/conf/vhost/ [root@xavi vhost]# vim test.com.conf } # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ # { # expires 7d; # access_log off; # } location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ { expires 7d; valid_referers none blocked server_names *.haha.com ; if ($invalid_referer) { return 403; } access_log off;
- 防盜鏈部分
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
如上配置文件中匹配以gif,jpg,png結尾的頁面,並且設置一個白名單的referer為*.test.com, 其它的($invalid_referer)均403 forbidden!
2. 測試+重載(-t && -s reload)
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
測試
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Thu, 15 Mar 2018 14:03:24 GMT Content-Type: application/javascript Content-Length: 14 Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT Connection: keep-alive ETag: "5aaa7030-e" Expires: Fri, 16 Mar 2018 02:03:24 GMT Cache-Control: max-age=43200 Accept-Ranges: bytes
使用本地主機訪問2.js 是沒有問題的,指定一個referer,再次測試:
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
二、Nginx訪問控制:
有時候在咱們運維一些網站的時候,發現一些訪問是不正常的。或者為了提高安全性,我們需要將某些頁面加密處理!
1 增加如下配置文件
vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
{
allow 127.0.0.1;
allow 192.168.72.130; //自己試驗虛擬機的網卡
deny all;
}
==匹配規則為,一旦匹配則後面的均不執行,也就是允許127.0.0.1和192.168.72.130 訪問;其它的均拒絕!==
2.測試語法並重載配置
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
3.匹配站點後臺登錄頁,進行訪問控制!
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
查看日誌:cat /tmp/test.com.log
4.針對某個可以上傳的目錄做指定文件(例如:php)不解析:
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
任何PHP文件都不解析,而txt文件可以訪問
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
5.根據user-agent限制:
如果站點被CC攻擊了,或者不想被蜘蛛爬自己的網站,我們完全可以根據user-agent去禁止掉:
vim /usr/local/nginx/conf/vhost/test.com.conf 打開添加一下語句
if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato‘)
{
return 403;
}
測試語法並重加載配置
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
加載1.txt測試
[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes
我們發現,當我們修改user-agent為小寫的時候,就不生效了。所以我們需要設置忽略大小寫:
重新在虛擬機配置文件 test.com.conf下修改配置
if ($http_user_agent ~* ‘Spider/3.0|YoudaoBot|Tomato‘)
{
return 403;
}
只需要在~添加一個 * 即可!
完成過程:
[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
三、Nginx解析php相關配置
1.增加以下配置:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
}
fastcgi_pass 用來指定php-fpm監聽的地址或者socket
完整以配置的內容:
vim /usr/local/nginx/conf/vhost/test.com.conf
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 127.0.0.1;
allow 192.168.72.130;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~* ‘Spider/3.0|YoudaoBot|Tomato‘)
{
return 403;
}
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
}
2.創建一個測試php文件
[root@xavi vhost]# vim /data/nginx/test.com/3.php
>?php
phpinfo();
無法解析,顯示源碼(編輯的conf文件未完成-t&-s reload配置)
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
這裏特別註意下配置文件中/data/nginx/test.com,而不是設置www.test.com
-t&-s reload配置後,可以正常解析phpinfo()
3.小結:其中fastcgi_pass用來指定php-fpm的地址,如果php-fpm監聽的是一個tcp:port的地址(比如127.0.0.1:9000),那麽也需要在這裏改成fastcgi_pass 127.0.0.1:9000。這個地址一定要和php-fpm服務監聽的地址匹配,否是會報502錯誤.還有一個地方要註意fastcgi_param SCRIPT_FILENAME 後面跟的路徑為該站點的根目錄,和前面定義的root那個路徑保持一致,如果這裏配置不對,訪問PHP頁面會出現404;還有一種502的現象,如果內存中出現大量的php-fpm進程占據了內存,也會同樣導致此問題!
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}
查看php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
無法查看錯誤日誌
四、Nginx代理
假如一個用戶需要訪問WEB服務器,但是用戶與WEB服務器之間是不通的,WEB服務器在內網,我們需要一個代理服務器來幫助用戶訪問web,他必須和用戶相通,也必須和web服務器相通,在中間起到搭橋的這就是代理服務器。
4.1 原理:
4.2 編輯配置文件
cd /usr/local/nginx/conf/vhost
vim proxy.conf
- 加入如下內容:
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://121.201.9.155/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
因為是代理服務器所以不需要訪問本地服務器的任何文件; ask.apelearn.com; 定義一個域名;
proxy_pass http://121.201.9.155/;真實WEB服務器的IP地址。
$host; 也就是咱們的server_name
沒有重啟nginx服務前,先測試一下:
重啟nginx之後再次測試
14.Nginx防盜鏈&Nginx訪問控制&Nginx解析php相關配置&Nginx代理