12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

-12.13Nginx防盗链-12.14Nginx访问控制-12.15Nginx解析php相关配置-12.16Nginx代理-扩展-502问题汇总http://ask.apelearn.com/question/9109-location优先级http://blog.lishiming.net/?p=100#12.13Nginx防盗链-打开配置文件，添加以下内容```[root@localhost~]#vi/usr/local/nginx/conf/vhost/test.com.confserver{listen80;server_nametest.comtest2.comtest3.com;indexindex.htmlindex.htmindex.php;root/data/wwwroot/test.com;if($host!=‘test.com‘){rewrite^/(.*)$http://test.com/$1permanent;}#location~.*\.(gif|jpg|jpeg|png|bmp|swf)$#{#expires7d;#access_logoff;#}location~*^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)${expires7d;valid_referersnoneblockedserver_names*.test.com;if($invalid_referer){return403;}access_logoff;}location~.*\.(js|css)${#expires12h;:wq[root@localhost~]#vi/usr/local/nginx/conf/vhost/test.com.conf[root@localhost~]#/usr/local/nginx/sbin/nginx-tnginx:theconfigurationfile/usr/local/nginx/conf/nginx.confsyntaxisoknginx:configurationfile/usr/local/nginx/conf/nginx.conftestissuccessful[root@localhost~]#/usr/local/nginx/sbin/nginx-sreload[root@localhost~]#```-下面来做一个测试```[root@localhost~]#curl-x127.0.0.1:80-Itest.com/2.gifHTTP/1.1404NotFoundServer:nginx/1.12.1Date:Thu,19Oct201714:27:24GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#ls/data/wwwroot/test.com/1.gif2.jsadminindex.html[root@localhost~]#curl-x127.0.0.1:80-Itest.com/1.gifHTTP/1.1200OKServer:nginx/1.12.1Date:Thu,19Oct201714:27:46GMTContent-Type:image/gifContent-Length:14Last-Modified:Thu,19Oct201714:02:00GMTConnection:keep-aliveETag:"59e8b058-e"Expires:Thu,26Oct201714:27:46GMTCache-Control:max-age=604800Accept-Ranges:bytes[root@localhost~]#curl-e"http://www.baidu.com/1.txt"-x127.0.0.1:80-Itest.com/1.gifHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Thu,19Oct201714:28:36GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#curl-e"http://www.test.com/1.txt"-x127.0.0.1:80-Itest.com/1.gifHTTP/1.1200OKServer:nginx/1.12.1Date:Thu,19Oct201714:28:45GMTContent-Type:image/gifContent-Length:14Last-Modified:Thu,19Oct201714:02:00GMTConnection:keep-aliveETag:"59e8b058-e"Expires:Thu,26Oct201714:28:45GMTCache-Control:max-age=604800Accept-Ranges:bytes[root@localhost~]#[root@localhost~]#!catcat/tmp/test.com.log127.0.0.1-[19/Oct/2017:22:02:53+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:03:58+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:06:06+0800]test.com"/2.jslasdflk"404"-""curl/7.29.0"[root@localhost~]#```-这个说明防盗链配置成功了#12.14Nginx访问控制-修改配置文件内容```[root@localhost~]#vi/usr/local/nginx/conf/vhost/test.com.confserver{listen80;server_nametest.comtest2.comtest3.com;indexindex.htmlindex.htmindex.php;root/data/wwwroot/test.com;if($host!=‘test.com‘){rewrite^/(.*)$http://test.com/$1permanent;}#location~.*\.(gif|jpg|jpeg|png|bmp|swf)$#{#expires7d;#access_logoff;#}location~*^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)${expires7d;valid_referersnoneblockedserver_names*.test.com;if($invalid_referer){return403;}access_logoff;}location~.*\.(js|css)${#expires12h;access_logoff;}location/admin/{allow127.0.0.1;allow192.168.202.131;denyall;}:wq```-这段配置就是关于访问配置的,这三个规则加起来，只允许前面俩个，一个是127.0.0.1，另一个是192.168.202.131其他全部deny```location/admin/{allow127.0.0.1;allow192.168.202.131;denyall;}```-检查语法，重新加载```[root@localhost~]#/usr/local/nginx/sbin/nginx-tnginx:theconfigurationfile/usr/local/nginx/conf/nginx.confsyntaxisoknginx:configurationfile/usr/local/nginx/conf/nginx.conftestissuccessful[root@localhost~]#/usr/local/nginx/sbin/nginx-sreload```-来测试下,/admin/没问题，其他不行```[root@localhost~]#curl-e"http://www.baidu.com/1.txt"-x127.0.0.1:80-Itest.com/1.GIFHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Sat,21Oct201712:23:43GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#curl-e"http://www.baidu.com/1.txt"-x127.0.0.1:80-Itest.com/admin/HTTP/1.1200OKServer:nginx/1.12.1Date:Sat,21Oct201712:23:57GMTContent-Type:text/htmlContent-Length:19Last-Modified:Tue,17Oct201714:08:26GMTConnection:keep-aliveETag:"59e60eda-13"Accept-Ranges:bytes[root@localhost~]#```-现在来换一个ip，重新测试下```[root@localhost~]#curl-x192.168.202.131:80-Itest.com/admin/HTTP/1.1200OKServer:nginx/1.12.1Date:Sat,21Oct201712:25:47GMTContent-Type:text/htmlContent-Length:19Last-Modified:Tue,17Oct201714:08:26GMTConnection:keep-aliveETag:"59e60eda-13"Accept-Ranges:bytes[root@localhost~]#```-看下日志文件，来源ip是192.168.202.131，因为它是被允许的，是白名单```[root@localhost~]#cat/tmp/test.com.log127.0.0.1-[19/Oct/2017:22:02:53+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:03:58+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:06:06+0800]test.com"/2.jslasdflk"404"-""curl/7.29.0"127.0.0.1-[21/Oct/2017:20:23:57+0800]test.com"/admin/"200"http://www.baidu.com/1.txt""curl/7.29.0"192.168.202.131-[21/Oct/2017:20:25:47+0800]test.com"/admin/"200"-""curl/7.29.0"[root@localhost~]#```-在这里我添加一个块网卡ens37```[root@localhost~]#ifconfigens33:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet192.168.202.131netmask255.255.255.0broadcast192.168.202.255inet6fe80::ecdd:28b7:612b:cb7prefixlen64scopeid0x20<link>ether00:0c:29:2e:28:f2txqueuelen1000(Ethernet)RXpackets959bytes90762(88.6KiB)RXerrors0dropped0overruns0frame0TXpackets722bytes90139(88.0KiB)TXerrors0dropped0overruns0carrier0collisions0ens33:0:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet192.168.202.151netmask255.255.255.0broadcast192.168.202.255ether00:0c:29:2e:28:f2txqueuelen1000(Ethernet)ens37:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet192.168.202.132netmask255.255.255.0broadcast192.168.202.255inet6fe80::707c:946e:3252:cf7fprefixlen64scopeid0x20<link>ether00:0c:29:2e:28:fctxqueuelen1000(Ethernet)RXpackets8bytes1048(1.0KiB)RXerrors0dropped0overruns0frame0TXpackets11bytes1650(1.6KiB)TXerrors0dropped0overruns0carrier0collisions0lo:flags=73<UP,LOOPBACK,RUNNING>mtu65536inet127.0.0.1netmask255.0.0.0inet6::1prefixlen128scopeid0x10<host>looptxqueuelen1(LocalLoopback)RXpackets117bytes10333(10.0KiB)RXerrors0dropped0overruns0frame0TXpackets117bytes10333(10.0KiB)TXerrors0dropped0overruns0carrier0collisions0[root@localhost~]#```-给ens37自动获取一个ip地址,地址为192.168.202.132```[root@localhost~]#dhclientens37[root@localhost~]#ifconfigens33:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet192.168.202.131netmask255.255.255.0broadcast192.168.202.255inet6fe80::ecdd:28b7:612b:cb7prefixlen64scopeid0x20<link>ether00:0c:29:2e:28:f2txqueuelen1000(Ethernet)RXpackets1029bytes97446(95.1KiB)RXerrors0dropped0overruns0frame0TXpackets772bytes97801(95.5KiB)TXerrors0dropped0overruns0carrier0collisions0ens33:0:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet192.168.202.151netmask255.255.255.0broadcast192.168.202.255ether00:0c:29:2e:28:f2txqueuelen1000(Ethernet)ens37:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet192.168.202.132netmask255.255.255.0broadcast192.168.202.255inet6fe80::707c:946e:3252:cf7fprefixlen64scopeid0x20<link>ether00:0c:29:2e:28:fctxqueuelen1000(Ethernet)RXpackets18bytes2216(2.1KiB)RXerrors0dropped0overruns0frame0TXpackets16bytes2796(2.7KiB)TXerrors0dropped0overruns0carrier0collisions0lo:flags=73<UP,LOOPBACK,RUNNING>mtu65536inet127.0.0.1netmask255.0.0.0inet6::1prefixlen128scopeid0x10<host>looptxqueuelen1(LocalLoopback)RXpackets117bytes10333(10.0KiB)RXerrors0dropped0overruns0frame0TXpackets117bytes10333(10.0KiB)TXerrors0dropped0overruns0carrier0collisions0[root@localhost~]#```-接下来用这个ip来实验下```[root@localhost~]#curl-x192.168.202.132:80test.com/admin/<html><head><title>403Forbidden</title></head><bodybgcolor="white"><center><h1>403Forbidden</h1></center><hr><center>nginx/1.12.1</center></body></html>[root@localhost~]#!catcat/tmp/test.com.log127.0.0.1-[19/Oct/2017:22:02:53+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:03:58+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:06:06+0800]test.com"/2.jslasdflk"404"-""curl/7.29.0"127.0.0.1-[21/Oct/2017:20:23:57+0800]test.com"/admin/"200"http://www.baidu.com/1.txt""curl/7.29.0"192.168.202.131-[21/Oct/2017:20:25:47+0800]test.com"/admin/"200"-""curl/7.29.0"192.168.202.132-[21/Oct/2017:20:34:03+0800]test.com"/admin/"403"-""curl/7.29.0"[root@localhost~]#```-来源ip192.168.202.132并没有被允许，所以报错误403-而这个是被允许的，127.0.0.1```[root@localhost~]#curl-e"http://www.baidu.com/1.txt"-x127.0.0.1:80-Itest.com/admin/HTTP/1.1200OKServer:nginx/1.12.1Date:Sat,21Oct201712:36:44GMTContent-Type:text/htmlContent-Length:19Last-Modified:Tue,17Oct201714:08:26GMTConnection:keep-aliveETag:"59e60eda-13"Accept-Ranges:bytes[root@localhost~]#```-进入配置文件/usr/local/nginx/conf/vhost/test.com.conf,只要是匹配upload的，然后以php结尾的，都给他屏蔽```[root@localhost~]#vi/usr/local/nginx/conf/vhost/test.com.conflocation~.*\.(js|css)${#expires12h;access_logoff;}location/admin/{allow127.0.0.1;allow192.168.202.131;denyall;}location~.*(upload|image)/.*\.php${denyall;}:wq[root@localhost~]#/usr/local/nginx/sbin/nginx-tnginx:theconfigurationfile/usr/local/nginx/conf/nginx.confsyntaxisoknginx:configurationfile/usr/local/nginx/conf/nginx.conftestissuccessful[root@localhost~]#/usr/local/nginx/sbin/nginx-sreload[root@localhost~]#```-创建一个目录upload,再再下面创建一个1.php在里面写入1111-再次访问下```[root@localhost~]#mkdir/data/wwwroot/test.com/upload[root@localhost~]#echo"1111">/data/wwwroot/test.com/upload/1.php[root@localhost~]#curl-x127.0.0.1:80test.com/upload/1.php<html><head><title>403Forbidden</title></head><bodybgcolor="white"><center><h1>403Forbidden</h1></center><hr><center>nginx/1.12.1</center></body></html>[root@localhost~]#```-再访问下txt不访问php,就可以访问```[root@localhost~]#echo"1111">/data/wwwroot/test.com/upload/1.txt[root@localhost~]#curl-x127.0.0.1:80test.com/upload/1.txt1111[root@localhost~]#[root@localhost~]#curl-x127.0.0.1:80test.com/upload/1.php-IHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Sat,21Oct201713:17:44GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#```-看下日志```[root@localhost~]#cat/tmp/test.com.log127.0.0.1-[19/Oct/2017:22:02:53+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:03:58+0800]test.com"/index.html"200"-""curl/7.29.0"127.0.0.1-[19/Oct/2017:22:06:06+0800]test.com"/2.jslasdflk"404"-""curl/7.29.0"127.0.0.1-[21/Oct/2017:20:23:57+0800]test.com"/admin/"200"http://www.baidu.com/1.txt""curl/7.29.0"192.168.202.131-[21/Oct/2017:20:25:47+0800]test.com"/admin/"200"-""curl/7.29.0"192.168.202.132-[21/Oct/2017:20:34:03+0800]test.com"/admin/"403"-""curl/7.29.0"127.0.0.1-[21/Oct/2017:20:36:44+0800]test.com"/admin/"200"http://www.baidu.com/1.txt""curl/7.29.0"127.0.0.1-[21/Oct/2017:21:14:52+0800]test.com"/upload/1.php"403"-""curl/7.29.0"127.0.0.1-[21/Oct/2017:21:17:13+0800]test.com"/upload/1.txt"200"-""curl/7.29.0"127.0.0.1-[21/Oct/2017:21:17:44+0800]test.com"/upload/1.php"403"-""curl/7.29.0"[root@localhost~]#```-针对user_agent限制if($http_user_agent~‘Spider/3.0|YoudaoBot|Tomato’){return403;}return403和denyall效果是一样的测试-打开配置文件```[root@localhost~]#vi/usr/local/nginx/conf/vhost/test.com.confserver{listen80;server_nametest.comtest2.comtest3.com;indexindex.htmlindex.htmindex.php;root/data/wwwroot/test.com;if($host!=‘test.com‘){rewrite^/(.*)$http://test.com/$1permanent;}#location~.*\.(gif|jpg|jpeg|png|bmp|swf)$#{#expires7d;#access_logoff;#}if($invalid_referer){return403;}access_logoff;}location~.*\.(js|css)${#expires12h;access_logoff;}location/admin/{allow127.0.0.1;allow192.168.202.131;denyall;}location~.*(upload|image)/.*\.php${denyall;}if($http_user_agent~‘Spider/3.0|YoudaoBot|Tomato‘){return403;}:wq[root@localhost~]#/usr/local/nginx/sbin/nginx-tnginx:theconfigurationfile/usr/local/nginx/conf/nginx.confsyntaxisoknginx:configurationfile/usr/local/nginx/conf/nginx.conftestissuccessful[root@localhost~]#/usr/local/nginx/sbin/nginx-sreload[root@localhost~]#!curlcurl-x127.0.0.1:80test.com/upload/1.php-IHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Sat,21Oct201713:22:47GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#curl-x127.0.0.1:80test.com/upload/1.txt-IHTTP/1.1200OKServer:nginx/1.12.1Date:Sat,21Oct201713:23:01GMTContent-Type:text/plainContent-Length:5Last-Modified:Sat,21Oct201713:17:00GMTConnection:keep-aliveETag:"59eb48cc-5"Accept-Ranges:bytes[root@localhost~]#```-现在要做一个模拟user_agent```[root@localhost~]#curl-A"Tomatoalsdkflsd"-x127.0.0.1:80test.com/upload/1.txt-IHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Sat,21Oct201713:24:10GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#```-如果是小写就可以```[root@localhost~]#curl-A"tomatoalsdkflsd"-x127.0.0.1:80test.com/upload/1.txt-IHTTP/1.1200OKServer:nginx/1.12.1Date:Sat,21Oct201713:24:42GMTContent-Type:text/plainContent-Length:5Last-Modified:Sat,21Oct201713:17:00GMTConnection:keep-aliveETag:"59eb48cc-5"Accept-Ranges:bytes[root@localhost~]#```-如果想要不区分大小写，去配置文件里，改下配置文件在~后面加个*```if($http_user_agent~*‘Spider/3.0|YoudaoBot|Tomato‘){return403;}access_log/tmp/test.com.logaming;}:wq[root@localhost~]#!curlcurl-A"tomatoalsdkflsd"-x127.0.0.1:80test.com/upload/1.txt-IHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Sat,21Oct201713:28:09GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#curl-A"tomatoalsdkflsd"-x127.0.0.1:80test.com/upload/1.txt-IHTTP/1.1403ForbiddenServer:nginx/1.12.1Date:Sat,21Oct201713:28:22GMTContent-Type:text/htmlContent-Length:169Connection:keep-alive[root@localhost~]#```-这样改成小写也是403错误，这就是访问控制#12.15Nginx解析php相关配置-配置如下：```location~\.php${includefastcgi_params;fastcgi_passunix:/tmp/php-fcgi.sock;fastcgi_indexindex.php;fastcgi_paramSCRIPT_FILENAME/data/wwwroot/test.com$fastcgi_script_name;}```-fastcgi_pass用来指定php-fpm监听的地址或者socket-先打开虚拟主机配置文件，把这段放到配置文件里去```#location~.*\.(gif|jpg|jpeg|png|bmp|swf)$#{#expires7d;#access_logoff;#}location~*^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)${expires7d;valid_referersnoneblockedserver_names*.test.com;if($invalid_referer){return403;}{#expires12h;access_logoff;}location/admin/{allow127.0.0.1;allow192.168.202.131;denyall;}location~.*(upload|image)/.*\.php${denyall;}if($http_user_agent~*‘Spider/3.0|YoudaoBot|Tomato‘){return403;}location~\.php${includefastcgi_params;fastcgi_passunix:/tmp/php-fcgi.sock;fastcgi_indexindex.php;fastcgi_paramSCRIPT_FILENAME/data/wwwroot/test.com$fastcgi_script_name;}:wq```-因为现在，这个虚拟主机配置文件，它还不能够去解析php，我们先不去重新加载，先来做一个php，```[root@localhost~]#vi/usr/local/nginx/conf/vhost/test.com.conf[root@localhost~]#vi/data/wwwroot/test.com/upload/1.1.php1.txt[root@localhost~]#vi/data/wwwroot/test.com/upload/1.1.php1.txt[root@localhost~]#vi/data/wwwroot/test.com/1.gif2.jsadmin/index.htmlupload/[root@localhost~]#vi/data/wwwroot/test.com/3.php<?phpphpinfo();~:wq[root@localhost~]#vi/data/wwwroot/test.com/3.php[root@localhost~]#curl-x127.0.0.1:80test.com/3.php<?phpphpinfo();[root@localhost~]#```-不能解析，直接把源码给显示出来了-现在重新加载下,再来看下，其实就可了，这既是php.info的页面，只不过在curl显示出来的是网页的源码，如果把它放到浏览器里面，它就会显示一个漂亮的表格```[root@localhost~]#/usr/local/nginx/sbin/nginx-sreload[root@localhost~]#</table><h2>PHPLicense</h2><table><tr><td><p>Thisprogramisfreesoftware;youcanredistributeitand/ormodifyitunderthetermsofthePHPLicenseaspublishedbythePHPGroupandincludedinthedistributioninthefile:LICENSE</p><p>Thisprogramisdistributedinthehopethatitwillbeuseful,butWITHOUTANYWARRANTY;withouteventheimpliedwarrantyofMERCHANTABILITYorFITNESSFORAPARTICULARPURPOSE.</p><p>Ifyou