# Address-based allowlist for /admin/. Rules are checked in order and the first
# match decides, so the trailing "deny all" rejects every client not listed above it.
# NOTE(review): this is a plain prefix location. nginx still tests regex locations
# after selecting it, and a matching regex location (for example one keyed on
# .js/.css or image extensions) handles the request instead, so these rules do
# not cover such URIs under /admin/. Use "location ^~ /admin/" or nest the regex
# locations inside this block if the whole subtree must be restricted; ^~ also
# skips any regex location that hands .php to an interpreter, so check that first.
location /admin/ {
    allow 192.168.74.129;
    allow 127.0.0.1;
    deny all;
}
# Refuse any request whose path contains abc/ or image/ and ends in ".php", so a
# script dropped into those directories is answered with 403.
# "~" is a case-sensitive match: a path ending in ".PHP" does not match here.
# Regex locations are tried in the order they appear in the file and the first
# match wins, so keep this block above any regex location that passes .php
# requests to an interpreter.
# NOTE(review): only the exact ".php" suffix is covered; confirm which other
# extensions the PHP handler accepts.
location ~ .*(abc|image)/.*\.php$ {
    deny all;
}
# Answer 403 when the User-Agent header contains one of the listed crawler names.
# "~" matches case-sensitively, so "tomato" in lower case is not caught; "~*" is
# the case-insensitive operator.
# The header is chosen by the client, so this only filters crawlers that identify
# themselves; it is not an access control.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {
    return 403;
}
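# Address-based allowlist for /admin/; rules are checked top-down, first match wins.
# The inline notes use "#", the only comment marker nginx accepts ("//" would make
# "nginx -t" fail if the snippet were pasted as-is).
# allow/deny compare against the address of the connecting peer; behind a reverse
# proxy or load balancer that is the proxy's address unless the realip module is
# configured.
location /admin/
{
    allow 192.168.74.129;   # allowlist entry
    allow 127.0.0.1;        # allowlist entry (loopback: any local process or local proxy)
    deny all;               # deny everyone else
}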
最后结果如下
[root@hanfeng ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
假设访问的目录是admin,做一个限制
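# Virtual host for test.com. Requests arriving under test1.com / test2.com are
# redirected permanently to the canonical host name.
server {
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    # Any Host other than test.com gets a permanent redirect that keeps the path.
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #     expires 7d;
    #     access_log off;
    # }

    # Static files: cache for 7 days and refuse hot-linking.
    # The dot before the extension list is escaped so it matches a literal "."
    # (unescaped, it would match any character, e.g. a URI ending in "xgif").
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
        expires 7d;
        # "none" and "blocked" accept requests with a missing or stripped Referer,
        # and the header is client-supplied: this deters hot-linking, it does not
        # authenticate anyone.
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$ {
        expires 12h;
        access_log off;
    }

    # Address allowlist for /admin/; first matching rule wins, "deny all" is the default.
    # NOTE(review): the two regex locations above take precedence over this prefix
    # location, so /admin/ URIs ending in those extensions are served by them,
    # bypass allow/deny and, with access_log off, leave no log entry. Use
    # "location ^~ /admin/" or nested locations if the subtree must be fully covered.
    # allow/deny look at the connecting peer's address; behind a proxy that is the
    # proxy unless the realip module is set up.
    location /admin/ {
        allow 192.168.74.129;
        allow 127.0.0.1;
        deny all;
    }

    # The combined_realip log format is defined outside this file.
    access_log /tmp/test.com.log combined_realip;
}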
然后保存退出
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanfeng ~]#
[root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:04:13 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT
Connection: keep-alive
ETag: "5a4d4e75-13"
Accept-Ranges: bytes
[root@hf-01 ~]# curl -x192.168.74.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:06:56 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT
Connection: keep-alive
ETag: "5a4d4e75-13"
Accept-Ranges: bytes
[root@hf-01 ~]#
[root@hf-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@hf-01 ~]#
[root@hf-01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.74.129 netmask 255.255.255.0 broadcast 192.168.74.255
inet6 fe80::20c:29ff:feff:fe93 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ff:fe:93 txqueuelen 1000 (Ethernet)
RX packets 453 bytes 42359 (41.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 308 bytes 39999 (39.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.74.150 netmask 255.255.255.0 broadcast 192.168.74.255
ether 00:0c:29:ff:fe:93 txqueuelen 1000 (Ethernet)
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:feff:fe9d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ff:fe:9d txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 2334 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@hf-01 ~]#
[root@hf-01 ~]# dhclient ens36
[root@hf-01 ~]#
[root@hf-01 ~]# curl -x192.168.204.128:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 21:17:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hf-01 ~]#
[root@hf-01 ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0"
192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.204.128 - [08/Jan/2018:05:17:39 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
[root@hf-01 ~]#
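# Block execution of scripts placed in upload or image directories.
# The inline notes use "#", the only comment marker nginx accepts.
# "~" is case-sensitive, and regex locations are evaluated in file order with the
# first match winning, so this block has to appear before any regex location that
# forwards .php requests to an interpreter.
location ~ .*(upload|image)/.*\.php$   # any URI containing upload/ or image/ and ending in .php
{
    deny all;   # refuse all of them
}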
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
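# Virtual host for test.com with the upload/image PHP block added.
server {
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    # Any Host other than test.com gets a permanent redirect that keeps the path.
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    # The disabled block below and the live location header after it are on
    # separate lines; folded into one comment line, the header is lost and the
    # braces that follow are rejected by "nginx -t".
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #    expires 7d;
    #    access_log off;
    #}

    # Static files: cache for 7 days and refuse hot-linking (Referer is
    # client-supplied, so this is a deterrent, not authentication).
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$ {
        expires 12h;
        access_log off;
    }

    # Address allowlist for /admin/; first matching rule wins.
    # NOTE(review): regex locations in this server take precedence over this
    # prefix location, so /admin/ URIs that match one of them are not covered by
    # these rules.
    location /admin/ {
        allow 192.168.74.129;
        allow 127.0.0.1;
        deny all;
    }

    # Refuse .php under upload/ or image/ so an uploaded script cannot be requested.
    # Case-sensitive match; if a regex location handing .php to an interpreter is
    # added later, it must come after this block, because the first matching regex
    # location wins.
    location ~ .*(upload|image)/.*\.php$ {
        deny all;
    }

    # The combined_realip log format is defined outside this file.
    access_log /tmp/test.com.log combined_realip;
}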
保存退出
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]#
[root@hf-01 ~]# mkdir /data/wwwroot/test.com/upload
[root@hf-01 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@hf-01 ~]#
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hf-01 ~]#
[root@hf-01 ~]# echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
dasdasdas
[root@hf-01 ~]#
[root@hf-01 ~]# cat /tmp/test.com.log
# Reject requests whose User-Agent contains any of these crawler names.
# The "~" operator is case-sensitive; only the exact capitalisation listed here
# matches. User-Agent is set by the client, so treat this as crawler hygiene
# rather than a security boundary.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {
    return 403;
}
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
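# Virtual host for test.com with the User-Agent filter added.
server {
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    # Any Host other than test.com gets a permanent redirect that keeps the path.
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }

    # The disabled block below and the live location header after it are on
    # separate lines; folded into one comment line, the header is lost and the
    # braces that follow are rejected by "nginx -t".
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    #    expires 7d;
    #    access_log off;
    #}

    # Static files: cache for 7 days and refuse hot-linking (Referer is
    # client-supplied, so this is a deterrent, not authentication).
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

    location ~ .*\.(js|css)$ {
        expires 12h;
        access_log off;
    }

    # Address allowlist for /admin/; first matching rule wins.
    # NOTE(review): regex locations in this server take precedence over this
    # prefix location, so /admin/ URIs that match one of them are not covered by
    # these rules.
    location /admin/ {
        allow 192.168.74.129;
        allow 127.0.0.1;
        deny all;
    }

    # Refuse .php under upload/ or image/ so an uploaded script cannot be requested.
    # Case-sensitive match; keep this ahead of any regex location that hands .php
    # to an interpreter.
    location ~ .*(upload|image)/.*\.php$ {
        deny all;
    }

    # Reject self-identified crawlers. "~" is case-sensitive, so a lower-case
    # variant of a listed name is not caught at this step; "~*" matches regardless
    # of case. The header is client-controlled, so this is not an access control.
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {
        return 403;
    }

    # The combined_realip log format is defined outside this file.
    access_log /tmp/test.com.log combined_realip;
}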
保存退出
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hf-01 ~]#
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:04:06 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT
Connection: keep-alive
ETag: "5a529512-a"
Accept-Ranges: bytes
[root@hf-01 ~]# curl -A "Tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:05:21 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hf-01 ~]#
[root@hf-01 ~]# curl -A "tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:09:10 GMT
Content-Type: text/plain
Content-Length: 10
Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT
Connection: keep-alive
ETag: "5a529512-a"
Accept-Ranges: bytes
[root@hf-01 ~]#
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
# Same crawler filter with "~*", the case-insensitive regex operator, so
# "tomato", "Tomato" and "TOMATO" are all rejected.
# The change takes effect once nginx has reloaded its configuration.
# User-Agent remains a client-supplied value; anything that sends a different
# string passes this check.
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato') {
    return 403;
}
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 ~]#
[root@hf-01 ~]# curl -A "tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Sun, 07 Jan 2018 22:11:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hf-01 ~]#