
nginx anti-hotlinking, access control, PHP parsing configuration, and nginx proxying

nginx anti-hotlinking
  • Configuration as follows; it can be combined with the configuration that skips logging for static files
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
    expires 7d;
    valid_referers none blocked server_names  *.test.com ; #whitelist: no Referer, a Referer without a scheme, this server's own names, and any *.test.com host
    if ($invalid_referer) {
        return 403;          #any Referer outside the whitelist gets a 403
    }
    access_log off;
    }
  • Note that none accepts requests that carry no Referer header at all, and blocked accepts any Referer value that does not start with http:// or https://, so a client that simply omits or mangles the header is never refused; this stops casual hotlinking, it is not access control
  • Test
    [root@akuilinux01 test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:27:15 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    [root@akuilinux01 test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:27:23 GMT
    Content-Type: image/gif
    Content-Length: 9
    Last-Modified: Sat, 16 Jun 2018 03:04:17 GMT
    Connection: keep-alive
    ETag: "5b247e31-9"
    Expires: Sat, 23 Jun 2018 03:27:23 GMT
    Cache-Control: max-age=604800
    Accept-Ranges: bytes
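  • The decision nginx makes for the valid_referers line above, emulated in shell as an added example (not code from the original page). It assumes the vhost's server_name is test.com and uses constructed Referer values; the last loop iteration shows the bypass a hotlinker actually uses, sending no Referer at all, which the none keyword accepts
```shell
#!/bin/sh
# Added example (not from the original page): emulates the decision nginx makes for
#   valid_referers none blocked server_names *.test.com;
# in a server block whose server_name is test.com. Exit status 0 means the Referer
# would be accepted ($invalid_referer empty), 1 means nginx would return 403.
SERVER_NAME="test.com"   # assumed server_name of the vhost

# Host part of a Referer URL: drop the scheme, the path and any :port
# (nginx ignores the port when matching).
referer_host() {
  h="$1"
  h="${h#http://}"
  h="${h#https://}"
  h="${h%%/*}"
  h="${h%%:*}"
  printf '%s' "$h"
}

referer_is_valid() {
  ref="$1"
  # 'none': the request carried no Referer header at all -> accepted
  if [ -z "$ref" ]; then
    return 0
  fi
  # 'blocked': header present but not starting with http:// or https://
  # (treated as stripped by a proxy or firewall) -> accepted
  case "$ref" in
    http://*|https://*) ;;
    *) return 0 ;;
  esac
  host=$(referer_host "$ref")
  # 'server_names': host is one of this server block's names
  if [ "$host" = "$SERVER_NAME" ]; then
    return 0
  fi
  # '*.test.com': any host ending in .test.com (the bare domain is covered above)
  case "$host" in
    *.test.com) return 0 ;;
  esac
  return 1
}

# Demo with constructed Referer values, mirroring the curl -e tests above;
# the empty value is what curl sends when -e is omitted.
for ref in "http://www.baidu.com/1.txt" "http://www.test.com/1.txt" \
           "https://img.test.com:8443/gallery/" "www.test.com/1.txt" \
           "http://test.com.evil.example/" "http://eviltest.com/" ""; do
  if referer_is_valid "$ref"; then verdict="200 (allowed)"; else verdict="403 (blocked)"; fi
  printf '%-45s -> %s\n' "Referer: ${ref:-<none>}" "$verdict"
done
```
    A scheme-less Referer (www.test.com/1.txt) is accepted by blocked, and a look-alike domain (eviltest.com, test.com.evil.example) is correctly refused because the wildcard only matches hosts ending in .test.com.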
nginx access control
    1. Restrict the /admin/ directory so that only a few IPs may access it; configuration as follows
      location /admin/
      {
      allow 192.168.21.128;
      allow 127.0.0.1;
      deny all;
      }
      allow and deny are evaluated in the order they are written: the first rule that matches the client address decides and the rules after it are ignored, so deny all must come last (written first it would block everyone)
  • Test
    [root@akuilinux01 test.com]# mkdir /data/wwwroot/test.com/admin
    [root@akuilinux01 test.com]# echo "admin" >/data/wwwroot/test.com/admin/1.html
    [root@akuilinux01 test.com]# curl -x127.0.0.1:80 test.com/admin/1.html -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:59:22 GMT
    Content-Type: text/html
    Content-Length: 6
    Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT
    Connection: keep-alive
    ETag: "5b248af6-6"
    Accept-Ranges: bytes
    [root@akuilinux01 test.com]# curl -x192.168.21.128:80 test.com/admin/1.html -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 04:01:33 GMT
    Content-Type: text/html
    Content-Length: 6
    Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT
    Connection: keep-alive
    ETag: "5b248af6-6"
    Accept-Ranges: bytes
    [root@akuilinux01 test.com]# dhclient ens37
    [root@akuilinux01 test.com]# ifconfig 
    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.110.128  netmask 255.255.255.0  broadcast 192.168.110.255
        inet6 fe80::c559:4a92:72f1:b448  prefixlen 64  scopeid 0x20<link>
    [root@akuilinux01 test.com]# curl -x192.168.110.128:80 test.com/admin/1.html -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 04:05:10 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    2. Match a regex to stop PHP from being executed in upload directories
      location ~ .*(upload|image)/.*\.php$
      {
      deny all;
      }
      This block must come before the location ~ \.php$ block that hands requests to php-fpm: regex locations are tried in the order they appear in the configuration and the first match wins
  • Test
    [root@akuilinux01 test.com]# mkdir /data/wwwroot/test.com/upload
    [root@akuilinux01 test.com]# echo "11111" >/data/wwwroot/test.com/upload/1.php
    [root@akuilinux01 test.com]# echo "11111" >/data/wwwroot/test.com/upload/1.txt
    [root@akuilinux01 test.com]# curl -x127.0.0.1:80 test.com/upload/1.txt
    11111
    [root@akuilinux01 test.com]# curl -x127.0.0.1:80 test.com/upload/1.php
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.14.0</center>
    </body>
    </html>
    3. Restrict by User-Agent
      if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
      {
      return 403;
      }
      #return 403 produces the same response as deny all does in a location block (deny is not allowed inside if); ~ is case-sensitive, use ~* to match regardless of case
  • Test
    [root@akuilinux01 test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.14.0</center>
    </body>
    </html>
    [root@akuilinux01 test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt
    11111
PHP parsing configuration
  • The nginx configuration for parsing PHP is as follows
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        #this path must match the listen setting in php-fpm
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
        #this must match the root directive above; $document_root$fastcgi_script_name avoids having to keep the two in sync
    }
  • fastcgi_pass also has two modes (a unix socket or a TCP address) and must match what php-fpm listens on, otherwise nginx returns 502
    [root@akuilinux01 ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
    [global]
    pid = /usr/local/php-fpm/var/run/php-fpm.pid
    error_log = /usr/local/php-fpm/var/log/php-fpm.log
    [www]
    listen = /tmp/php-fcgi.sock
    ;listen = 127.0.0.1:9000
    ; the nginx worker must be able to read and write the socket file, otherwise you also get a 502.
    ; 666 achieves that, but it lets every local account talk to php-fpm and run PHP as the pool user;
    ; prefer listen.owner/listen.group set to the nginx worker user with listen.mode = 0660
    listen.mode = 666
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024
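  • The 502 described above comes from nginx and php-fpm disagreeing on the endpoint, or from the nginx worker lacking permission on the socket. The following shell check is an added example (not from the original page): it parses fastcgi_pass out of an nginx config and listen out of a php-fpm pool config, reports a mismatch, and flags a socket mode that grants write to everyone. The sample configs it writes are constructed, and the nginx worker user name in the hardened sample is an assumption
```shell
#!/bin/sh
# Added example (not from the original page): cross-check nginx's fastcgi_pass against
# php-fpm's listen, and flag a world-writable unix socket. Sample configs are constructed.

# fastcgi_pass target from an nginx config (active lines only), without the unix: prefix.
nginx_fastcgi_target() {
  sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\(unix:\)\{0,1\}\([^;[:space:]]*\);.*/\2/p' "$1" | head -n 1
}

# Active 'listen =' value from a php-fpm pool config (';' comment lines never match).
fpm_listen_target() {
  sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# Active 'listen.mode =' value, empty when the pool does not set one.
fpm_listen_mode() {
  sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | head -n 1
}

# 0 if both sides name the same socket path or host:port, 1 otherwise (the 502 case).
fpm_target_matches() {
  n=$(nginx_fastcgi_target "$1")
  f=$(fpm_listen_target "$2")
  if [ -n "$n" ] && [ "$n" = "$f" ]; then
    return 0
  fi
  return 1
}

# 0 if the socket mode grants write to 'other' (last octal digit 2, 3, 6 or 7),
# meaning any local account can send FastCGI requests and run code as the pool user.
fpm_socket_world_writable() {
  m=$(fpm_listen_mode "$1")
  case "$m" in
    *[2367]) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample files: the page's wiring, a TCP mismatch, and a hardened pool.
make_sample_configs() {
  cat > "$1/nginx-php.conf" <<'EOF'
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    #fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
EOF
  cat > "$1/www-weak.conf" <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
;listen = 127.0.0.1:9000
listen.mode = 666
EOF
  cat > "$1/www-mismatch.conf" <<'EOF'
[www]
listen = 127.0.0.1:9000
EOF
  cat > "$1/www-hardened.conf" <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
; 'nginx' is the assumed worker user of the web server
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
EOF
}

dir=$(mktemp -d)
make_sample_configs "$dir"
for pool in www-weak www-mismatch www-hardened; do
  if fpm_target_matches "$dir/nginx-php.conf" "$dir/$pool.conf"; then
    wiring="endpoint matches"
  else
    wiring="ENDPOINT MISMATCH (expect 502)"
  fi
  if fpm_socket_world_writable "$dir/$pool.conf"; then
    perms="socket world-writable"
  else
    perms="socket mode ok"
  fi
  echo "$pool: $wiring, $perms"
done
rm -rf "$dir"
```
    Point the two functions at the real /usr/local/nginx/conf/vhost/*.conf and php-fpm.conf to check a live host. The TCP variant (127.0.0.1:9000) has the same exposure as a 666 socket: every local account can connect to the port, so the unix socket with owner/group restricted to the worker is the tighter choice.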
nginx proxying
  • When a web server has only a private IP, a host that can reach it and also has a public IP can act as its proxy. Similarly, to speed up access to a server in the US, a proxy server can be placed in Hong Kong
  • Here a VM is set up as the proxy server; configuration as follows

    server
    {
    listen 80;
    server_name ask.apelearn.com;
    
    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    }
    #the server_name is normally the same domain that the proxied IP serves
    #121.201.9.155 is the known address of the apelearn web server
    #$host is the server_name defined above, so the backend receives the original Host header
  • Requesting the same URL before and after adding the proxy shows the effect
    [root@akuilinux01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.0
    Date: Mon, 18 Jun 2018 13:07:58 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: http://test.com/robots.txt
    [root@akuilinux01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I
    HTTP/1.1 302 Found
    Server: nginx/1.14.0
    Date: Mon, 18 Jun 2018 13:13:06 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Location: http://121.201.80.216:9000
    #the 302 seen after adding the proxy is a redirect configured on the backend web server itself
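  • The proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for line above appends $remote_addr to whatever X-Forwarded-For the client already sent, so the backend must not trust the first entry. The following shell example is an added illustration (not from the original page) with constructed addresses: it emulates what the variable produces and shows which end of the header the backend can rely on
```shell
#!/bin/sh
# Added example (not from the original page): what nginx's $proxy_add_x_forwarded_for
# produces, and how a backend should read it. Addresses below are constructed.

# $proxy_add_x_forwarded_for: the incoming X-Forwarded-For with $remote_addr appended
# after ", "; just $remote_addr when the client sent no such header.
proxy_add_x_forwarded_for() {
  incoming="$1"
  remote_addr="$2"
  if [ -z "$incoming" ]; then
    printf '%s' "$remote_addr"
  else
    printf '%s, %s' "$incoming" "$remote_addr"
  fi
}

# Unsafe backend logic: take the leftmost entry. The client controls it.
xff_leftmost() {
  printf '%s' "$1" | sed 's/[[:space:]]*,.*$//; s/^[[:space:]]*//'
}

# With exactly one trusted proxy in front, the rightmost entry is the address that
# proxy saw on the TCP connection, so it is the one the client cannot forge.
xff_rightmost() {
  printf '%s' "$1" | sed 's/^.*,[[:space:]]*//; s/[[:space:]]*$//'
}

# Demo: a client at 203.0.113.9 sends a forged header claiming to be 127.0.0.1,
# hoping to satisfy an allow 127.0.0.1 rule on the backend's /admin/ location.
forged="127.0.0.1"
real_client="203.0.113.9"
hdr=$(proxy_add_x_forwarded_for "$forged" "$real_client")
echo "X-Forwarded-For seen by backend: $hdr"
echo "leftmost  (trusts the client):   $(xff_leftmost "$hdr")"
echo "rightmost (trusts the proxy):    $(xff_rightmost "$hdr")"
echo "header when client sent none:    $(proxy_add_x_forwarded_for "" "$real_client")"
```
    X-Real-IP is set to plain $remote_addr, so when this proxy is the only hop in front of the backend it is the simplest trustworthy source of the client address; when several proxies are chained, the backend has to know how many trailing entries belong to its own proxies before picking one.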
Further reading
  • 502 troubleshooting roundup
  • location priority