专栏首页运维小白12.14 Nginx访问控制

12.14 Nginx访问控制

Nginx访问控制目录概要

  • 需求:访问/admin/目录的请求,只允许某几个IP访问,配置如下:
location /admin/
{
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
}
  • mkdir /data/wwwroot/test.com/admin/
  • echo “test,test”>/data/wwwroot/test.com/admin/1.html
  • -t && -s reload
  • curl -x127.0.0.1:80 test.com/admin/1.html -I
  • curl -x192.168.133.130:80 test.com/admin/1.html -I
  • 可以匹配正则
location ~ .*(abc|image)/.*\.php$
{
        deny all;
}
  • 根据user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all和return 403效果一样

Nginx访问控制

  • Nginx访问控制,在平时运维网站的时候,经常会有一些请求不正常,或者故意的做一些限制,一些重要的内容禁止别人访问,就可以做一个白名单,只允许自己的公网IP或者自己公司内的公网IP去访问
  1. 编辑配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
  • 增加访问控制的代码
location /admin/
{
    allow 192.168.74.129;            //白名单
    allow 127.0.0.1;            //白名单
    deny all;        //全部deny
}

最后结果如下

[root@hanfeng ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

假设访问的目录是admin,做一个限制

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
     if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  # {     
  #      expires      7d;
  #      access_log off;
  #}
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {                               
    
        return 403;
    }   
    access_log off;
}   
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }     
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    access_log /tmp/test.com.log combined_realip;
}   

然后保存退出
  1. 然后检查配置文件语法错误,然后重新加载配置文件
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanfeng ~]# 
  1. 测试
[root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:04:13 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT
Connection: keep-alive
ETag: "5a4d4e75-13"
Accept-Ranges: bytes

[root@hf-01 ~]# curl -x192.168.74.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:06:56 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT
Connection: keep-alive
ETag: "5a4d4e75-13"
Accept-Ranges: bytes

[root@hf-01 ~]# 
  1. 查看日志文件,会看到访问的192.168.74.150的来源IP也是192.168.74.129,因为它是被允许的,在白名单之内,所以显示状态码为200
[root@hf-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@hf-01 ~]# 
  1. 查看IP,然后给ens36网卡配置IP
  • 先查看ens36网卡是否连接,然后更改连接ens36网卡模式为仅主机连接模式
[root@hf-01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.74.129  netmask 255.255.255.0  broadcast 192.168.74.255
        inet6 fe80::20c:29ff:feff:fe93  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ff:fe:93  txqueuelen 1000  (Ethernet)
        RX packets 453  bytes 42359 (41.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 308  bytes 39999 (39.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.74.150  netmask 255.255.255.0  broadcast 192.168.74.255
        ether 00:0c:29:ff:fe:93  txqueuelen 1000  (Ethernet)

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::20c:29ff:feff:fe9d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ff:fe:9d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 2334 (2.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@hf-01 ~]# 
  1. 给ens36网卡自动获取IP,然后再来查看ens36的网卡IP地址为192.168.204.128
[root@hf-01 ~]# dhclient ens36
[root@hf-01 ~]# 
  1. 这时再来使用ens36网卡的IP来访问,会看到访问的admin目录为403
[root@hf-01 ~]# curl -x192.168.204.128:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:17:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# 
  1. 这时再来查看日志文件,会看到来源的IP为192.168.204.128,在配置文件中被没有被允许,所以为403
[root@hf-01 ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.204.128 - [08/Jan/2018:05:17:39 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
[root@hf-01 ~]# 

针对正则匹配

  • 例子
    • 网站被黑,数据库被盗窃,就是因为上传图片的目录没有做禁止解析php的操作,最终导致上传了一句话木马,php也能解析,所以网站就会被黑
  • 只要能上传的目录,都要禁掉,禁止解析PHP
  • 加以下代码,即可禁掉上传的目录解析PHP
location ~ .*(upload|image)/.*\.php$        //只要匹配upload,然后以php结尾的
{
        deny all;            //都禁掉
}
  1. 打开配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{         #      expires      7d;    #      access_log off;    #}      location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$   
{   
    expires 7d;

    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }
    access_log /tmp/test.com.log combined_realip;
} 
保存退出
  1. 检查配置文件语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 测试,首先是访问的那个目录,然后访问的php资源
  2. 创建一个upload目录,然后在创建一个php文件
[root@hf-01 ~]# mkdir /data/wwwroot/test.com/upload
[root@hf-01 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@hf-01 ~]# 
  1. 访问upload目录下的1.php文件,会看到是403状态码,被拒绝访问
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hf-01 ~]# 
  1. 这时再upload目录下创建1.txt,再来测试访问
[root@hf-01 ~]# echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
dasdasdas
[root@hf-01 ~]# 
  1. 查看访问日志cat /tmp/test.com.log
[root@hf-01 ~]# cat /tmp/test.com.log

根据user_agent限制

  • 如果你的网站被cc攻击,或者禁掉某些蜘蛛,如果你的网站想做一个被隐藏的网站,不想被别人搜索到,那么就可以将百度、谷歌、有道等这些蜘蛛封掉,没有任何蜘蛛爬到你的网站,也不将网址告诉任何人,那别人就无法知道你的站点,因为你的网站是被隐藏的。
  • 只需要根据user_agent限制,添加以下代码
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
  • deny all和return 403效果一样
  1. 打开配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{   
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{         #      expires      7d;    #      access_log off;    #}      location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$   
{   
    expires 7d;

    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {   
        deny all;
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
    access_log /tmp/test.com.log combined_realip;
} 
保存退出
  1. 检查配置文件语法错误,并重新加载配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]# 
  1. 模拟user_agent,访问测试,会看到显示403
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:04:06 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT
Connection: keep-alive
ETag: "5a529512-a"
Accept-Ranges: bytes

[root@hf-01 ~]# curl -A "Tomatoslfdfsdf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:05:21 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# 
  1. deny all和return 403效果一样
  2. 如果访问的时候,改成小写再访问,则状态码为200,因为这个是严格匹配的
[root@hf-01 ~]# curl -A "tomatoslfdfsdf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:09:10 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT
Connection: keep-alive
ETag: "5a529512-a"
Accept-Ranges: bytes

[root@hf-01 ~]# 
  1. 如果想忽略大小写,在配置文件中的匹配符号后加 * 号即可
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

  if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
  1. 在检查配置文件,并重新加载
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]#
  1. 再来测试,会显示403
[root@hf-01 ~]# curl -A "tomatoslfdfsdf"  -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:11:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@hf-01 ~]# 

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

我来说两句

0 条评论
登录 后参与评论

相关文章

  • Linux基础(day29)

    sed扩展 一. 打印某行到某行之间的内容 打印某一行到某一行之间的内容 需求: 例如:有个文件test的内容如下: ert fff ** [abcfd] 1...

    运维小白
  • 2.6 相对和绝对路径

    每一个文件都会有一个从根开始的文件 所有的文件都有一个自己的路径 从根开始的都是绝对路径,不管你是在哪个目录下,都可以通过路径找到文件的路径为绝对路径 不是由根...

    运维小白
  • 9.5 sed(下)

    sed工具 sed '1'd test.txt sed '1,3'd test.txt sed '/oot/'d test.txt sed '1,2s/ot/t...

    运维小白
  • nginx平滑升级

     随着网站并发访问量越来越高,nginx web 服务器也越来越流行,nginx 版本换代越来越频繁,1.16.2版本的nginx更新了许多新功能,生产环境中版...

    萧晚歌
  • 对Java代码进行简单的内存分析

    今天还是写Java啊,毕竟js不知道写什么,主要是最近没做什么项目,也没什么新的技术引进来,即使有新的技术引入,自己没学明白之前也不敢写博客,不是误人子弟吗,哈...

    何处锦绣不灰堆
  • python中resample函数实现重采样和降采样代码

    我们看看上面代码,就是先给出一个1-30号的series,l然后聚合成左闭右开的5个区间[1,8),[8,15),[15,22),[22-29),[29-5(下...

    砸漏
  • linux中权限管理命令详解(chmod/chown/chgrp/unmask)

    Linux操作系统对多用户的管理,是非常繁琐的,所以用组的概念来管理用户就变得简单,每个用户可以在一个独立的组,每个组也可以有零个用户或者多个用户。本文给大家介...

    砸漏
  • 借网站日记分析~普及一下Pandas基础

    对网站日记分析其实比较常见,今天模拟演示一下一些应用场景,也顺便说说Pandas,图示部分也简单分析了下

    逸鹏
  • 机房收费系统——用DateDiff函数计算两个日期之间的时间差

    版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/huyuyang6688/article/...

    DannyHoo
  • 中国地质大学继Nature撤稿后又遭Science撤稿!新冠竟成了“背锅侠”?

    昨日,Science正式发文,撤下中国地质大学(武汉)宋怀兵及东南大学朱斌共同发表在Science上的研究论文!

    百味科研芝士

扫码关注云+社区

领取腾讯云代金券