14. Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, and Nginx proxying

Published: 2023-09-06 01:45    Editor: 苏小强    Keyword: configuration

I. Nginx hotlink protection (防盗链):

1. Open the vhost configuration file:

Add the following location to it:

[root@xavi ~]# cd /usr/local/nginx/conf/vhost/
[root@xavi vhost]# vim test.com.conf

#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#        expires      7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

(The listing as pasted on the page still carried the placeholder *.haha.com on the valid_referers line; the whitelist that is actually used and tested in this section is *.test.com, so it is shown that way here.)
  • The hotlink-protection part:

        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }

The location above matches requests whose path ends in gif, jpg, png or one of the other listed extensions (`~*` makes the match case-insensitive, so 1.GIF is covered too), whitelists Referers from *.test.com plus the site's own server_names, and answers everything else, that is, whenever $invalid_referer is set, with 403 Forbidden.

Two caveats before relying on this. `none` accepts requests that carry no Referer at all, so wget, curl and any download manager that simply omits the header are let through. And the Referer is set by the client, so it can be forged just as easily as the curl -e test below forges a baidu.com one. Referer checking deters casual embedding of your files on other sites; it is not an access control.

2. Check the syntax and reload (-t && -s reload)

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

Test

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

Fetching 2.js from the local host works. Note that .js is not in the protected extension list at all (it is served by the js/css location of this vhost, hence the 12-hour max-age above), so this request only confirms that nginx is up. Now send a Referer from another site and request a protected file:

[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
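To make the semantics of `valid_referers none blocked server_names *.test.com` concrete without a running nginx, here is an added Python model of how nginx evaluates that directive and sets $invalid_referer. It is example code written for this page, not nginx's own code; the rules and the server name test.com are taken from the vhost above, the sample Referer values are constructed, and the wildcard and `blocked` behaviour follow the nginx documentation for ngx_http_referer_module.

```python
import re
from urllib.parse import urlsplit

# Rules and server name as in the page's vhost; everything else here is a model.
RULES = ("none", "blocked", "server_names", "*.test.com")
SERVER_NAMES = ("test.com",)


def _host_matches(host, pattern):
    """Match a Referer host against a valid_referers name with an optional leading or trailing '*'."""
    if pattern.startswith("*."):
        # '*.test.com' covers sub-domains only; the bare 'test.com' is matched via server_names
        return host.endswith(pattern[1:]) and host != pattern[2:]
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer, rules=RULES, server_names=SERVER_NAMES):
    """Return nginx's $invalid_referer: '' when the Referer is acceptable, '1' otherwise.
    referer=None models a request without a Referer header."""
    if referer is None:
        return "" if "none" in rules else "1"
    value = referer.lower()                       # matching is case-insensitive
    if not value.startswith(("http://", "https://")):
        # present but not a URL: something stripped it, which is what 'blocked' accepts
        return "" if "blocked" in rules else "1"
    after_scheme = value.split("://", 1)[1]
    parts = urlsplit(value)
    host = parts.hostname or ""                   # the port in the Referer is ignored
    path = parts.path or "/"
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in (s.lower() for s in server_names):
                return ""
        elif rule.startswith("~"):
            # a regex rule is matched against the text after the scheme
            if re.search(rule[1:], after_scheme):
                return ""
        else:
            # 'host/prefix': host name (with optional '*') plus an optional URI prefix
            rule_host, _, prefix = rule.lower().partition("/")
            if _host_matches(host, rule_host) and path.startswith("/" + prefix):
                return ""
    return "1"


def hotlink_status(referer, rules=RULES, server_names=SERVER_NAMES):
    """Status the page's location would return: 403 when $invalid_referer is set, else 200."""
    return 403 if invalid_referer(referer, rules, server_names) else 200


if __name__ == "__main__":
    # Constructed sample Referer values; None means the header was absent.
    samples = [None, "http://www.baidu.com/1.txt", "https://IMG.test.com/gallery/",
               "http://test.com/", "http://evil.example/?u=www.test.com",
               "http://www.test.com.evil.example/", "www.test.com"]
    for ref in samples:
        print(f"{str(ref):45} -> {hotlink_status(ref)}")
```

The two cases worth noticing in the output are `None` (no Referer at all) and `www.test.com` without a scheme: both pass because of `none` and `blocked`, which is exactly what a scripted downloader sends. The host is taken from the parsed URL, so a Referer of `http://evil.example/?u=www.test.com` is rejected, but any client that simply sets `Referer: http://img.test.com/` is accepted.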

II. Nginx access control:

When operating websites you will sometimes notice traffic that is not legitimate, or you simply want to tighten security by restricting who can reach certain pages, such as the admin backend or upload directories. Nginx can do this by source address, by request path and by User-Agent.

1. Add the following to the configuration file

vim /usr/local/nginx/conf/vhost/test.com.conf

    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.72.130;   # the address of the test VM's own NIC
        deny all;
    }

(The page wrote the comment with `//`; nginx only knows `#` comments.)

==Rules are evaluated in order and the first match wins: 127.0.0.1 and 192.168.72.130 are allowed and everyone else is denied. The specific allow lines must come before deny all; with deny all first, nothing gets through.==

One caveat that applies to this vhost: `location /admin/` is a prefix location, and nginx tries regular-expression locations before falling back to the longest prefix match. Because the same server block also contains `location ~ \.php$` (section III), a request for /admin/index.php is handled by that PHP location and never sees this allow/deny list; only non-PHP paths under /admin/ are protected. To cover the scripts as well, put the same allow/deny lines in a regex location such as `location ~ ^/admin/.*\.php$` placed before the general `\.php$` one (and carrying the same fastcgi directives), or use `location ^~ /admin/` if nothing under /admin/ needs PHP at all.

2. Check the syntax and reload the configuration

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Request the site's backend login page to check the access control:

[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes

Both requests come from addresses on the allow list: -x127.0.0.1:80 makes the connection originate from 127.0.0.1 and -x192.168.72.130:80 from the VM's own address (the Referer on the first request plays no role for this location). A request arriving from any other address gets 403; that case is not shown on the page.

Check the log: cat /tmp/test.com.log

4. For a directory that accepts uploads, refuse to serve a given file type (e.g. PHP):

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

Because regex locations are tried in configuration order, this block has to appear before the general `location ~ \.php$`; otherwise the PHP location would win and the upload would be executed. The complete vhost in section III does keep this order.

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

No PHP file under upload/ or image/ is executed (the 403 is returned before anything is passed to php-fpm), while a txt file is still served:

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
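The interaction between the /admin/ allow/deny list, the upload deny and the `location ~ \.php$` block of this vhost is easy to get wrong, so here is an added Python model of nginx's location selection and of ngx_http_access_module's first-match rule, run over the page's three locations. This is example code written for this page, not nginx's own code; the request URIs and client addresses are constructed, and the "hardened" location list is an assumed variant, not something the page configures.

```python
import ipaddress
import re


def access_allowed(rules, client_ip):
    """Evaluate an ordered allow/deny list the way ngx_http_access_module does:
    the first rule whose address or CIDR contains client_ip decides, and a request
    that matches no rule at all is allowed (which is why 'deny all' goes last)."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True


def select_location(locations, uri):
    """Index of the location nginx would choose for uri (no nested or named locations).
    Order: an exact '=' match wins; else the longest prefix match, which is final if it
    is '^~'; else the first matching regex ('~' case-sensitive, '~*' case-insensitive)
    in configuration order; else the longest prefix; None if nothing matched."""
    best, best_len = None, -1
    for i, (mod, pattern, _acl) in enumerate(locations):
        if mod == "=" and uri == pattern:
            return i
        if mod in ("", "^~") and uri.startswith(pattern) and len(pattern) > best_len:
            best, best_len = i, len(pattern)
    if best is not None and locations[best][0] == "^~":
        return best
    for i, (mod, pattern, _acl) in enumerate(locations):
        if mod == "~" and re.search(pattern, uri):
            return i
        if mod == "~*" and re.search(pattern, uri, re.IGNORECASE):
            return i
    return best


def status_for(locations, uri, client_ip):
    """(pattern of the chosen location, status). 403 if that location's ACL rejects the
    client; pattern None means no location matched and the server block serves it."""
    idx = select_location(locations, uri)
    if idx is None:
        return None, 200
    _mod, pattern, acl = locations[idx]
    if acl is not None and not access_allowed(acl, client_ip):
        return pattern, 403
    return pattern, 200


ADMIN_ACL = [("allow", "127.0.0.1"), ("allow", "192.168.72.130"), ("deny", "all")]
DENY_ALL = [("deny", "all")]

# The page's vhost as written: a prefix /admin/ with the ACL, then two regex locations.
PAGE_LOCATIONS = [
    ("", "/admin/", ADMIN_ACL),
    ("~", r".*(upload|image)/.*\.php$", DENY_ALL),
    ("~", r"\.php$", None),                  # fastcgi_pass to php-fpm, no ACL
]

# Assumed hardened variant (not from the page): a regex location for PHP under /admin/,
# placed before the generic \.php$ one, so the ACL also covers the admin scripts.
HARDENED_LOCATIONS = [
    ("", "/admin/", ADMIN_ACL),
    ("~", r"^/admin/.*\.php$", ADMIN_ACL),   # would repeat the fastcgi_* directives
    ("~", r".*(upload|image)/.*\.php$", DENY_ALL),
    ("~", r"\.php$", None),
]

if __name__ == "__main__":
    for uri in ("/admin/", "/admin/index.php", "/upload/1.php", "/index.php"):
        print(uri, "page:", status_for(PAGE_LOCATIONS, uri, "10.0.0.5"),
              "hardened:", status_for(HARDENED_LOCATIONS, uri, "10.0.0.5"))
```

With the page's own layout, /admin/ from an outside address is refused but /admin/index.php is served, because the regex `\.php$` location takes the request away from the prefix location that holds the allow/deny list. The hardened list closes that gap while keeping PHP execution for the allowed addresses; reversing the order of the rules inside an ACL (deny all first) shows the first-match behaviour the page describes.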

5. Restricting by User-Agent:

If the site is under a CC (HTTP flood) attack, or you do not want certain spiders crawling it, you can refuse requests by User-Agent:

vim /usr/local/nginx/conf/vhost/test.com.conf and add the following statement (directly in the server block, so it applies to every location):

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

(The quotes on the page were rendered as curly ‘…‘; nginx expects plain single quotes.)

Check the syntax and reload the configuration

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

Request 1.txt to test

[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes

As soon as the User-Agent is sent in lowercase the rule no longer fires: `~` is a case-sensitive regex match. To ignore case, use the case-insensitive operator `~*`:

Edit the vhost configuration test.com.conf again:

    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

Adding a `*` after `~` is all that is needed. Keep in mind that the User-Agent is chosen by the client: this blocks crawlers that identify themselves honestly and nothing more. Against a CC attack the request-rate limiting of ngx_http_limit_req_module (limit_req) is the appropriate tool; a User-Agent blacklist alone will not hold.

The complete sequence:

[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

III. Nginx PHP parsing configuration

1. Add the following configuration:

    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }

fastcgi_pass specifies the address or Unix socket that php-fpm listens on.

The complete configuration:

vim /usr/local/nginx/conf/vhost/test.com.conf

The pasted listing starts inside the server block; the listen, server_name and root lines above it are not in the paste. The paste had also lost the body of the protected-extension location; it is restored here from step 1 of section I.

#        expires      7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires      12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.72.130;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }

2. Create a test PHP file

[root@xavi vhost]# vim /data/nginx/test.com/3.php
<?php
phpinfo();

The file is not parsed and its source is returned, because the edited conf had not yet been checked with -t and reloaded with -s reload, so the running nginx still served .php files as static content:

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

This is also how PHP source gets disclosed whenever the PHP location is missing or does not match: a request for a .php file falls through to static file handling and the raw source, including any credentials in it, is sent to the client.

Pay particular attention to the path in the config file: it must be /data/nginx/test.com (the site's root), not /data/nginx/www.test.com.

After -t and -s reload with the corrected path, phpinfo() is parsed normally.

3. Summary: fastcgi_pass gives the address of php-fpm. If php-fpm listens on a TCP address (for example 127.0.0.1:9000), this must be changed to fastcgi_pass 127.0.0.1:9000. The address must match what php-fpm actually listens on, otherwise nginx returns 502. The other thing to watch is fastcgi_param SCRIPT_FILENAME: the path in front of $fastcgi_script_name must be the site's root directory, the same as the root directive defined earlier; if it is wrong, PHP pages come back as 404 because php-fpm cannot find the script. Writing `$document_root$fastcgi_script_name` instead of a hard-coded path avoids that mismatch. A further cause of 502 is php-fpm itself: if a large number of php-fpm worker processes exhaust the memory, requests fail in the same way.

    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
    }

Check php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

listen.mode = 666 makes the socket world-writable: any local account on the machine can speak FastCGI to it directly and run PHP as the php-fpm user, bypassing every nginx rule in this article. Unless nginx and php-fpm run as the same user, set listen.owner and listen.group to the nginx worker user and listen.mode = 660, so that only the nginx worker can connect.

The error log could not be viewed.

IV. Nginx proxying

Suppose a user needs to reach a web server but there is no direct route between them: the web server sits on an internal network. A proxy server that can talk to the user and can also talk to the web server bridges the gap in the middle; that is what a proxy server does.

4.1 Principle:

4.2 Edit the configuration file

cd /usr/local/nginx/conf/vhost
vim proxy.conf
  • Add the following:

server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Because this is a proxy server it serves nothing from the local disk, so there is no root directive. server_name ask.apelearn.com defines the domain the proxy answers for.

proxy_pass http://121.201.9.155/; is the address of the real web server.

$host is the Host header of the incoming request, which is our server_name here, so the backend can select the right virtual host. X-Real-IP and X-Forwarded-For carry the client's address to the backend, which would otherwise only ever see the proxy's address in its logs and access rules. The backend should treat these two headers as trustworthy only when the request really arrived through this proxy: a client that can reach 121.201.9.155 directly can set them to any value it likes.

Test once before restarting nginx:

Restart nginx and test again
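What the three proxy_set_header lines above actually hand to the backend, and how the backend should read them back, is easiest to see on concrete headers. The following is an added Python model written for this page, not nginx code: proxy_headers() reproduces the Host, X-Real-IP and $proxy_add_x_forwarded_for behaviour of the location above, and client_ip() is the backend-side rule a practitioner should use instead of taking the first X-Forwarded-For entry. The proxy address range 10.0.0.0/8 and all request headers are constructed assumptions.

```python
import ipaddress

# Assumed: the address range the nginx proxy connects from, as seen by the backend.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def proxy_headers(client_headers, remote_addr, host):
    """Headers the page's 'location /' sends upstream: Host = $host,
    X-Real-IP = $remote_addr (a client-sent X-Real-IP is replaced, not kept), and
    X-Forwarded-For = $proxy_add_x_forwarded_for, i.e. the client's own X-Forwarded-For,
    if any, with $remote_addr appended after ', '. Other headers pass through unchanged."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in ("host", "x-real-ip", "x-forwarded-for")}
    out["Host"] = host
    out["X-Real-IP"] = remote_addr
    existing = _get(client_headers, "X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {remote_addr}" if existing else remote_addr
    return out


def leftmost_client_ip(headers):
    """The naive backend rule: first X-Forwarded-For entry. The client controls it."""
    xff = _get(headers, "X-Forwarded-For") or ""
    return xff.split(",")[0].strip() or None


def client_ip(headers, peer_addr, trusted=TRUSTED_PROXIES):
    """Rightmost-untrusted rule for the backend: start from the peer that connected to us,
    walk the X-Forwarded-For chain from right to left skipping our own proxies, and take
    the first address that is not ours. A malformed entry aborts rather than guessing."""
    xff = _get(headers, "X-Forwarded-For") or ""
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [peer_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_addr            # the whole chain is our own proxies


if __name__ == "__main__":
    # Constructed request: a client at 203.0.113.9 tries to pose as localhost via X-Forwarded-For.
    client_req = {"Host": "ask.apelearn.com", "X-Forwarded-For": "127.0.0.1",
                  "X-Real-IP": "127.0.0.1", "User-Agent": "curl"}
    upstream = proxy_headers(client_req, "203.0.113.9", "ask.apelearn.com")
    print(upstream)
    print("leftmost :", leftmost_client_ip(upstream))      # the forged 127.0.0.1
    print("rightmost:", client_ip(upstream, "10.0.0.2"))   # the real 203.0.113.9
```

Because $proxy_add_x_forwarded_for appends rather than replaces, the forged `127.0.0.1` survives in the header the backend receives; a backend that reads the leftmost entry, or that keeps an `allow 127.0.0.1` style rule on that value, is fooled. X-Real-IP is overwritten by the proxy and is safe to use on the backend exactly as long as nothing but this proxy can reach it.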


Original article: http://blog.51cto.com/12995218/2087465
