14. Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, and Nginx proxy
Views: 6898
Published: 2019-06-27

This article is 10522 characters long; estimated reading time 35 minutes.

[toc]

I. Nginx hotlink protection:

1. Open the configuration file:

Add the following configuration:

```
[root@xavi ~]# cd /usr/local/nginx/conf/vhost/
[root@xavi vhost]# vim test.com.conf
    }
  #  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  #  {
  #        expires      7d;
  #        access_log off;
  #  }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names  *.haha.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
```
  • Hotlink-protection part

```
valid_referers none blocked server_names  *.test.com ;
if ($invalid_referer) {
    return 403;
}
```

The configuration above matches requests for files ending in gif, jpg, png and the other listed extensions, and sets a referer whitelist of *.test.com; every other referer ($invalid_referer) gets a 403 Forbidden!

2. Test and reload (-t && -s reload)

```
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
```

Test

```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
```

Accessing 2.js from the local host works fine. Now specify a referer and test again:

```
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
```
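To make the three keywords and the wildcard concrete, here is a small Python model of how nginx evaluates `valid_referers none blocked server_names *.test.com` and sets `$invalid_referer`. It is an added example written for this page, not nginx code and not from the original post; it assumes server_name values of test.com and www.test.com and a simplified wildcard rule (any host ending in .test.com). It replays the post's two curl requests plus a few other Referer shapes a server actually sees.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed vhost settings mirroring the post's test.com configuration: the
# extension list from the "location ~*" block, the server_name values that the
# "server_names" keyword expands to, and the "valid_referers" rule list.
HOTLINK_EXT_RE = re.compile(
    r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.IGNORECASE
)
SERVER_NAMES = ["test.com", "www.test.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def referer_host(referer: str) -> Optional[str]:
    """Host part of an http(s) Referer (port and path dropped), or None when the
    value carries no scheme, which is the case nginx's "blocked" keyword covers."""
    if not re.match(r"^https?://", referer, re.IGNORECASE):
        return None
    return urlsplit(referer).hostname  # lower-cased, port removed


def is_invalid_referer(referer: Optional[str]) -> bool:
    """Model of the $invalid_referer variable: False as soon as one rule
    accepts the Referer, True if none does."""
    host = referer_host(referer) if referer is not None else None
    for rule in VALID_REFERERS:
        if rule == "none":
            accepted = referer is None                      # header absent
        elif rule == "blocked":
            accepted = referer is not None and host is None  # present but scheme stripped
        elif rule == "server_names":
            accepted = host in SERVER_NAMES
        elif rule.startswith("*."):
            # Assumption: "*.test.com" accepts any host under that suffix; the
            # bare domain is not included in this simplified model.
            accepted = host is not None and host.endswith(rule[1:])
        else:
            accepted = host == rule                          # plain host entry
        if accepted:
            return False
    return True


def decide(path: str, referer: Optional[str]) -> int:
    """HTTP status the location block produces for a request to a static file."""
    if HOTLINK_EXT_RE.match(path) and is_invalid_referer(referer):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed requests, including the two curl calls from the post.
    samples = [
        ("/2.js", None),                                 # not covered by the location at all
        ("/1.gif", None),                                # "none"
        ("/1.gif", "http://www.baidu.com/1.txt"),        # foreign site -> 403
        ("/1.gif", "http://img.test.com/gallery.html"),  # "*.test.com"
        ("/1.gif", "test.com/page"),                     # scheme stripped -> "blocked"
        ("/1.GIF", "https://test.com:8080/"),            # "server_names", port ignored
    ]
    for path, ref in samples:
        print(f"{decide(path, ref)}  {path:8} referer={ref!r}")
```

Referer checks are a bandwidth and abuse control, not authentication: the header is supplied by the client, and the `none` and `blocked` keywords exist precisely so that browsers and proxies that omit or strip it are not locked out of the site's own pages.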

II. Nginx access control:

Sometimes, while operating websites, we notice access that is not normal. Or, to improve security, we need to restrict access to certain pages!

1. Add the following configuration

vim /usr/local/nginx/conf/vhost/test.com.conf

```
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.72.130;   # the NIC address of my own test VM
    deny all;
}
```

==The matching rule: once a rule matches, the ones after it are not evaluated. So 127.0.0.1 and 192.168.72.130 are allowed and everything else is denied!==

2. Test the syntax and reload the configuration

```
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
```

3. Match the site's backend login page and apply access control!

```
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
```

Check the log: cat /tmp/test.com.log

4. For a directory that allows uploads, prevent specified file types (for example php) from being parsed:

```
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
```

```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
```

No PHP file is parsed there, while txt files remain accessible

```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
```

5. Restrict by user-agent:

If the site is under a CC attack, or you don't want spiders crawling your site, you can block them outright by user-agent:

Open vim /usr/local/nginx/conf/vhost/test.com.conf and add the following statement

```
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
```

Test the syntax and reload the configuration

```
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
```

Test by loading 1.txt

```
[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes
```

We find that when we change the user-agent to lowercase, the rule no longer takes effect. So we need to make the match ignore case:

Edit the configuration again in test.com.conf on the VM

```
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
```

Just add a * after the ~!

Full procedure:

```
[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
```
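The five rules of this section interact through nginx's location selection, which is where a practitioner is most often surprised. The Python model below is an added example, not code from the post or from nginx: it encodes the post's `/admin/` allow/deny list, the `upload|image` PHP deny, the `\.php$` handler from section III and the user-agent `if`, then evaluates constructed requests through them. The address 10.0.0.5 stands in for an arbitrary outside client, and the `LOCATIONS_HARDENED` variant using `^~` is my suggestion, not something the post configures.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Location:
    matcher: str   # prefix string, or regex source when kind == "regex"
    kind: str      # "prefix", "^~" (prefix that beats regexes) or "regex"
    acl: List[Tuple[str, str]] = field(default_factory=list)  # ordered allow/deny rules


# Locations as they appear in the post's test.com.conf, in file order (a root
# "location /" is assumed so that every request lands somewhere).
ADMIN_ACL = [("allow", "127.0.0.1"), ("allow", "192.168.72.130"), ("deny", "all")]
LOCATIONS = [
    Location("/", "prefix"),
    Location("/admin/", "prefix", ADMIN_ACL),
    Location(r".*(upload|image)/.*\.php$", "regex", [("deny", "all")]),
    Location(r"\.php$", "regex"),   # the php-fpm handler from section III
]

# Hardened variant (my suggestion): "location ^~ /admin/" stops nginx from
# consulting the regex locations for anything under /admin/.
LOCATIONS_HARDENED = [
    Location("/admin/", "^~", ADMIN_ACL) if loc.matcher == "/admin/" else loc
    for loc in LOCATIONS
]

UA_BLOCKLIST = r"Spider/3.0|YoudaoBot|Tomato"   # the post's $http_user_agent pattern


def select_location(path: str, locations: List[Location]) -> Optional[Location]:
    """nginx's order: longest matching prefix is remembered, then regex
    locations are tried in file order; a matching regex wins unless the
    prefix was declared with ^~."""
    best = None
    for loc in locations:
        if loc.kind in ("prefix", "^~") and path.startswith(loc.matcher):
            if best is None or len(loc.matcher) > len(best.matcher):
                best = loc
    if best is not None and best.kind == "^~":
        return best
    for loc in locations:
        if loc.kind == "regex" and re.search(loc.matcher, path):
            return loc
    return best


def acl_allows(acl: List[Tuple[str, str]], client_ip: str) -> bool:
    """First matching allow/deny rule wins; with no matching rule access is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, subject in acl:
        if subject == "all" or ip in ipaddress.ip_network(subject, strict=False):
            return action == "allow"
    return True


def decide(path: str, client_ip: str, user_agent: str,
           ua_case_insensitive: bool = True,
           locations: List[Location] = LOCATIONS) -> int:
    """Status for one request: the server-level user-agent "if" runs first,
    then the allow/deny rules of the selected location."""
    flags = re.IGNORECASE if ua_case_insensitive else 0   # "~*" versus "~"
    if re.search(UA_BLOCKLIST, user_agent, flags):
        return 403
    loc = select_location(path, locations)
    if loc is not None and not acl_allows(loc.acl, client_ip):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed requests replaying the post's curl tests and the pitfall case.
    for args in [("/admin/", "127.0.0.1", "curl"), ("/admin/", "10.0.0.5", "curl"),
                 ("/upload/1.php", "127.0.0.1", "curl"), ("/upload/1.txt", "127.0.0.1", "tomato"),
                 ("/admin/login.php", "10.0.0.5", "curl")]:
        print(decide(*args), args)
    print(decide("/admin/login.php", "10.0.0.5", "curl", locations=LOCATIONS_HARDENED), "hardened")
```

Two things the model makes visible. The `ua_case_insensitive` flag is exactly the `~` versus `~*` difference seen above with `Tomato` and `tomato`. And because a regex location such as `~ \.php$` takes precedence over a plain prefix location, a request for `/admin/login.php` is served by the PHP handler without the `/admin/` allow/deny list ever being consulted; declaring the prefix as `location ^~ /admin/`, or repeating the allow/deny rules inside the PHP location, closes that gap.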

III. Nginx PHP parsing configuration

1. Add the following configuration:

```
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
}
```

fastcgi_pass specifies the address or socket that php-fpm listens on

The complete configuration:

vim /usr/local/nginx/conf/vhost/test.com.conf

```
  #        expires      7d;
  #        access_log off;
  #  }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names  *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.72.130;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }
```

2. Create a test PHP file

```
[root@xavi vhost]# vim /data/nginx/test.com/3.php
<?php
phpinfo();
```

It cannot be parsed and the source is shown (the edited conf file has not yet been checked with -t and reloaded with -s reload)

```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php
```

Note in particular that the configuration file must use /data/nginx/test.com, not www.test.com

After -t and -s reload, phpinfo() is parsed normally

3. Summary: fastcgi_pass specifies php-fpm's address. If php-fpm listens on a TCP host:port address (for example 127.0.0.1:9000), then this line must be changed to fastcgi_pass 127.0.0.1:9000 as well. This address must match the address php-fpm listens on, otherwise a 502 error is returned. Another point to watch: the path after fastcgi_param SCRIPT_FILENAME is the site's root directory and must be the same as the root path defined earlier; if it is wrong, PHP pages return 404. There is one more cause of 502: if large numbers of php-fpm processes occupy memory, the same problem results!

```
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}
```

Check php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf

```
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
```
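The two failure modes in the summary (502 when fastcgi_pass and php-fpm's listen disagree, 404 when SCRIPT_FILENAME does not point at the site root) can be caught before a reload with a small consistency check. The Python below is an added example, not part of the post or of nginx/php-fpm; the configuration strings are constructed to mirror the post's snippets, with `root /data/nginx/test.com` assumed for the vhost, and the parsing is deliberately minimal (first occurrence of each directive). The memory-exhaustion cause of 502 that the summary also mentions is a runtime condition this check cannot see.

```python
import re
from typing import List, Optional

# Constructed configuration samples modelled on the post (not a live server).
# "Before": SCRIPT_FILENAME points at /data/nginx/www.test.com while the site
# root is /data/nginx/test.com, the mistake the post warns about.
NGINX_VHOST_BEFORE = r"""
server {
    listen 80;
    server_name test.com www.test.com;
    root /data/nginx/test.com;
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }
}
"""
NGINX_VHOST_AFTER = NGINX_VHOST_BEFORE.replace("/data/nginx/www.test.com$", "/data/nginx/test.com$")

PHP_FPM_SOCKET = """
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
[www]
listen = /tmp/php-fcgi.sock
;listen = 127.0.0.1:9000
listen.mode = 666
"""
PHP_FPM_TCP = PHP_FPM_SOCKET.replace("listen = /tmp/php-fcgi.sock", "listen = 127.0.0.1:9000")


def nginx_directive(text: str, name: str) -> Optional[str]:
    """Value of the first occurrence of an nginx directive (everything up to ';')."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;]+);", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def fpm_listen(text: str) -> Optional[str]:
    """Active 'listen =' value of php-fpm.conf; lines starting with ';' or '#' are comments."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith((";", "#")):
            continue
        m = re.match(r"listen\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def normalize_endpoint(value: str) -> str:
    """Bring 'unix:/path', '/path', '127.0.0.1:9000' and '9000' to one form."""
    value = value[len("unix:"):] if value.startswith("unix:") else value
    if value.startswith("/"):
        return "unix:" + value
    if ":" not in value:            # php-fpm 'listen = 9000' means every address
        return "tcp:*:" + value
    host, port = value.rsplit(":", 1)
    return f"tcp:{host}:{port}"


def endpoints_match(nginx_pass: str, fpm: str) -> bool:
    a, b = normalize_endpoint(nginx_pass), normalize_endpoint(fpm)
    if a == b:
        return True
    # php-fpm listening on every address satisfies any host with that port.
    return b.startswith("tcp:*:") and a.startswith("tcp:") and a.rsplit(":", 1)[1] == b.rsplit(":", 1)[1]


def check_php_handler(nginx_text: str, fpm_text: str) -> List[str]:
    """Findings that explain the 502 and 404 symptoms described in the post."""
    findings = []
    fastcgi_pass = nginx_directive(nginx_text, "fastcgi_pass")
    listen = fpm_listen(fpm_text)
    if fastcgi_pass is None or listen is None:
        findings.append("502 risk: fastcgi_pass or php-fpm listen is missing")
    elif not endpoints_match(fastcgi_pass, listen):
        findings.append(f"502 risk: fastcgi_pass {fastcgi_pass} does not match php-fpm listen = {listen}")
    root = nginx_directive(nginx_text, "root")
    script = nginx_directive(nginx_text, "fastcgi_param SCRIPT_FILENAME")
    if root and script:
        prefix = script.split("$fastcgi_script_name")[0]
        if prefix not in ("$document_root", root):
            findings.append(f"404 risk: SCRIPT_FILENAME prefix {prefix} differs from root {root}")
    return findings


if __name__ == "__main__":
    for label, vhost, fpm in [("before", NGINX_VHOST_BEFORE, PHP_FPM_SOCKET),
                              ("after", NGINX_VHOST_AFTER, PHP_FPM_SOCKET),
                              ("after, php-fpm on tcp", NGINX_VHOST_AFTER, PHP_FPM_TCP)]:
        print(label, check_php_handler(vhost, fpm) or ["ok"])
```

Run it against the two configuration files from the post (read from disk instead of the inline strings) before `nginx -s reload`; a `$document_root$fastcgi_script_name` SCRIPT_FILENAME is accepted as well, since it always follows the `root` directive.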

Unable to view the error log

Test: found the log file path and looked at error.log; it does have content, but I forgot whether I had set a dedicated log file for nginx

```
[root@xavi ~]# cd /usr/local/nginx/logs/
[root@xavi logs]# ls
access.log  error.log  nginx_error.log  nginx.pid
[root@xavi logs]# cat error.log
2018/03/14 00:05:58 [emerg] 124460#0: unknown directive "er" in /usr/local/nginx/conf/nginx.conf:1
2018/03/14 21:06:14 [notice] 5737#0: signal process started
2018/03/14 21:41:27 [notice] 6234#0: signal process started
2018/03/14 21:59:27 [notice] 6446#0: signal process started
2018/03/14 22:16:03 [notice] 6668#0: signal process started
2018/03/14 22:38:58 [emerg] 6947#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:40:17 [emerg] 6962#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:44:22 [emerg] 7015#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/test.com.conf:4
2018/03/14 22:55:13 [emerg] 7151#0: unknown directive "//有这个default_server标记的就是默认虚拟主机" in /usr/local/nginx/conf/vhost/aaa.com.conf:4
2018/03/14 22:56:55 [emerg] 7173#0: "location" directive is not allowed here in /usr/local/nginx/conf/vhost/atorreid.com.conf:12
2018/03/14 22:58:57 [emerg] 7197#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/bcd.com.conf:3
2018/03/14 23:01:46 [warn] 7251#0: conflicting server name "test.com" on 0.0.0.0:80, i
```

IV. Nginx proxy

Suppose a user needs to reach a web server, but there is no connectivity between the user and the web server because the web server sits on an internal network. We need a proxy server to help the user reach the web server: it must be reachable from the user and must itself reach the web server, bridging the two in the middle. That is a proxy server. In the same way, once you have downloaded an installation package, other colleagues on the internal network can share your download and save resources.

4.1 How it works:

Nginx proxying is a form of reverse proxy. A reverse proxy accepts connection requests from the Internet at the proxy server, forwards them to servers on the internal network, and returns the results obtained from those servers to the client on the Internet that made the request; to the outside world the proxy server then appears as a single server.

Suppose a company has many servers. To save costs, not every server can be assigned a public IP, yet a server without a public IP may still need to provide web services; this can be achieved through a proxy, and it is the reason Nginx keeps gaining popularity over httpd.

```mermaid
graph LR
User --> Proxy[Proxy server]
Proxy --> User
Proxy --> Web[Web server]
Web --> Proxy
```

4.2 Edit the configuration file

```
cd /usr/local/nginx/conf/vhost
vim proxy.conf
```
  • Add the following content:
```
server
{
    listen 80;
    server_name ask.apelearn.com;   # the domain name (usually the same as the domain of the proxied IP)
    location /
    {
        proxy_pass      http://47.91.145.78/;   # find this hostname's IP with ping from a Windows cmd
        # the IP of the proxied (accessed) host, i.e. the web server's IP
        proxy_set_header Host   $host;
        # $host is the proxy server's server_name (which is also the domain of the proxied IP)
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because this is a proxy server, it does not need to access any files on the local server; ask.apelearn.com defines the domain name;

proxy_pass.

$host: that is, our server_name
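What the three proxy_set_header lines actually hand to the web server, and how the web server should read X-Forwarded-For once it has been set, can be modelled in a few lines of Python. This is an added example, not code from the post or from nginx; the addresses 203.0.113.7, 198.51.100.9 and 10.0.0.2 are constructed, and `$host` is simplified to the Host header without its port, lower-cased, falling back to server_name.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def nginx_host(headers: Dict[str, str], server_name: str) -> str:
    """$host (simplified): the Host header without port, lower-cased; server_name otherwise."""
    host = headers.get("Host")
    if not host:
        return server_name
    return host.split(":", 1)[0].lower()


def proxy_add_x_forwarded_for(headers: Dict[str, str], remote_addr: str) -> str:
    """$proxy_add_x_forwarded_for: the incoming X-Forwarded-For with $remote_addr
    appended after a comma, or just $remote_addr when the header is absent."""
    incoming = headers.get("X-Forwarded-For")
    return f"{incoming}, {remote_addr}" if incoming else remote_addr


def upstream_headers(remote_addr: str, headers: Dict[str, str], server_name: str) -> Dict[str, str]:
    """Headers that the three proxy_set_header lines in proxy.conf send to the web server."""
    return {
        "Host": nginx_host(headers, server_name),
        "X-Real-IP": remote_addr,
        "X-Forwarded-For": proxy_add_x_forwarded_for(headers, remote_addr),
    }


def client_ip_behind_proxies(xff: Optional[str], remote_addr: str, trusted_proxies: Iterable[str]) -> str:
    """What the web server behind the proxy should do with X-Forwarded-For:
    walk the chain from the right and skip only addresses of proxies it
    trusts. The leftmost entry is whatever the original client chose to send,
    so it is never taken at face value."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    chain = [hop.strip() for hop in xff.split(",")] if xff else []
    chain.append(remote_addr)               # the TCP peer is the only verified hop
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr              # garbage in the header: fall back to the peer
        if not any(addr in net for net in trusted):
            return hop
    return chain[0]                         # every hop was one of our own proxies


if __name__ == "__main__":
    # Constructed exchange: client 203.0.113.7 -> proxy (ask.apelearn.com) -> web server.
    sent = upstream_headers("203.0.113.7", {"Host": "ask.apelearn.com"}, "ask.apelearn.com")
    print("proxy sends:", sent)
    # On the web server the TCP peer is the proxy itself, here assumed to be 10.0.0.2.
    print("web server sees client:",
          client_ip_behind_proxies(sent["X-Forwarded-For"], "10.0.0.2", ["10.0.0.2"]))
    # A client that already supplied its own X-Forwarded-For gets it appended to, not replaced.
    sent2 = upstream_headers("203.0.113.7", {"Host": "ask.apelearn.com",
                                             "X-Forwarded-For": "198.51.100.9"}, "ask.apelearn.com")
    print("proxy sends:", sent2)
    print("web server sees client:",
          client_ip_behind_proxies(sent2["X-Forwarded-For"], "10.0.0.2", ["10.0.0.2"]))
```

Because `$proxy_add_x_forwarded_for` appends rather than replaces, the web server's access log and any IP-based allow/deny rules on it should use the rightmost untrusted hop, as `client_ip_behind_proxies` does, rather than the first address in the header.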

After restarting nginx, test again; 127.0.0.1 is the proxy machine itself, and what is accessed is the forum

```
[root@xavi vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 18 Mar 2018 08:51:31 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=kgp331gk94i16pcv9jti0qgd65; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
```

Test the site's robots.txt

```
[root@xavi vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
```

Reposted from: https://blog.51cto.com/12995218/2087465
