Nginx hotlink protection, access control, PHP parsing, and server proxying
2018-01-04 00:00
12.13 Nginx hotlink protection
Because this configuration also lives in a location block, it can be set up in this section together with the log management settings (no logging, plus an expiry time):

[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com ;    # define the referer whitelist
    if ($invalid_referer) {
        return 403;    # the if block means: if the referer is not a whitelisted domain, return 403
    }
    access_log off;
}
Note: in "location ~* ^.+", the "*" makes the match that follows case-insensitive.
Checking and testing
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# ls /data/wwwroot/test.com/
1.gif  2.js  admin  index.html
[root@cham002 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 13:54:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@cham002 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 13:55:14 GMT
Content-Type: image/gif
Content-Length: 32
Last-Modified: Wed, 03 Jan 2018 13:34:18 GMT
Connection: keep-alive
ETag: "5a4cdbda-20"
Expires: Wed, 10 Jan 2018 13:55:14 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
That is, a request whose referer is not in the whitelist is refused!!!
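To make the whitelist semantics above concrete, here is an added example (not code from the original post or from nginx) that evaluates a Referer value the way the valid_referers line does: "none" is a missing header, "blocked" is a value without an http:// or https:// scheme, "server_names" covers the server_name entries, and "*.test.com" matches any subdomain. The server names and the whitelist are the ones on this page; the function names are chosen for the example.

```python
from urllib.parse import urlsplit

# Values taken from this page's server block (server_name and valid_referers).
SERVER_NAMES = ["test.com", "test2.com", "test3.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def referer_is_valid(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """Return True when nginx would leave $invalid_referer empty.

    none          -> the Referer header is absent
    blocked       -> present, but not starting with http:// or https://
                     (typically stripped or mangled by a firewall or proxy)
    server_names  -> the host matches one of the server_name values
    *.test.com    -> the host is any subdomain of test.com (not test.com itself)
    The comparison is case-insensitive and ignores the port.
    """
    if referer is None:
        return "none" in valid
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return "blocked" in valid
    host = urlsplit(low).hostname or ""
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        names = server_names if entry == "server_names" else [entry]
        for name in names:
            name = name.lower()
            if name.startswith("*."):
                if host.endswith(name[1:]):      # "*.test.com" -> endswith ".test.com"
                    return True
            elif host == name:
                return True
    return False


def hotlink_status(referer):
    """Mirror the if ($invalid_referer) { return 403; } block: 403 or 200."""
    return 200 if referer_is_valid(referer) else 403


if __name__ == "__main__":
    # Constructed sample referers, including the two values passed to curl -e above.
    for ref in [None, "http://www.baidu.com/1.txt", "http://www.test.com/1.txt",
                "HTTP://TEST2.COM/", "http://test.com.evil.example/", "not-a-url"]:
        print(repr(ref), "->", hotlink_status(ref))
```

Two things the evaluator makes visible: a bare domain such as http://test.com/ passes only because of server_names, not because of *.test.com, and a look-alike such as http://test.com.evil.example/ does not pass at all. Since the Referer header is supplied by the client, this rule deters casual hotlinking; it is not an access control, which is why the /admin/ rules in the next section use IP addresses instead.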
12.14 Nginx access control
Requirement: requests to the /admin/ directory are allowed only from a few specified IPs. The configuration is as follows:

[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#        expires 7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.230.135;
        deny all;    # set the IP whitelist
    }
    access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
Testing (directory-based)
[root@cham002 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 07:59:16 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# curl -x192.168.230.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:00 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# curl -x192.168.230.135:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:14 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@cham002 ~]# curl -x192.168.230.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:37 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@cham002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.135  netmask 255.255.255.0  broadcast 192.168.230.255
        inet6 fe80::6f15:52d3:ebeb:e193  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)
        RX packets 96831  bytes 41894507 (39.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60974  bytes 20136998 (19.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.150  netmask 255.255.255.0  broadcast 192.168.230.255
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::1801:cbbb:ebcc:89a3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:ed  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 746 (746.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 81  bytes 6462 (6.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 1363  bytes 1359483 (1.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1363  bytes 1359483 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@cham002 ~]# curl -x192.168.100.1:80 test.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"

Note what the log shows: the requests sent to 192.168.230.150 (the ens33:0 alias) are recorded with source address 192.168.230.135, the primary address of ens33, so they matched the allow list even though 192.168.230.150 is not listed. Only the request sent through 192.168.100.1 on ens37 arrived from an address outside the whitelist and received a 403. The allow/deny rules are evaluated against the source address of the connection, not the address the request was sent to.
Access control (regular-expression based)
[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#        expires 7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.230.135;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# mkdir /data/wwwroot/test.com/upload
[root@cham002 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php
Testing
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
11111

Check the log:

[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:15:46 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:16:46 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
Restricting by user_agent
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#        expires 7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.230.135;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {
        return 403;
    }
    access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:22:45 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 04 Jan 2018 08:16:39 GMT
Connection: keep-alive
ETag: "5a4de2e7-6"
Accept-Ranges: bytes
[root@cham002 ~]# curl -A "Tomatodsfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:23:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Note: deny all and return 403 have the same effect.
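The three access-control rules above (IP whitelist on /admin/, deny on PHP under upload/image, user-agent block) all surface in /tmp/test.com.log as 403 responses, so a defender's first question is "which rule fired, for whom, how often". The following added example (not part of the original post) parses lines in the custom "cham" log format shown on this page and summarises the denials. The sample log is constructed: it reuses lines from the page and adds two lines for the Tomato user agent. The rule classification reproduces the page's own patterns and is a best-effort guess from the URI and user agent, since nginx does not log which rule denied a request.

```python
import re
from collections import Counter

# Matches the custom "cham" log_format used on this page:
#   client - [time] host "uri" status "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) - \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: lines taken from the page plus two constructed entries
# for a blocked user agent (the "Tomatodsfsdf" string is the page's test value).
SAMPLE_LOG = """\
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:15:46 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:16:46 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
10.0.0.9 - [04/Jan/2018:16:23:37 +0800] test.com "/upload/1.txt" 403 "-" "Tomatodsfsdf"
10.0.0.9 - [04/Jan/2018:16:23:38 +0800] test.com "/upload/shell.php" 403 "-" "Tomatodsfsdf"
"""

# The three patterns from this page's server block.
BLOCKED_UA_RE = re.compile(r'Spider/3\.0|YoudaoBot|Tomato')
PHP_UNDER_UPLOAD_RE = re.compile(r'(upload|image)/.*\.php$')
ADMIN_PREFIX = "/admin/"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_denial(rec):
    """Guess which rule produced a 403 (hypothetical helper).

    The user-agent check is a server-level "if", evaluated before any location
    is chosen, so it is tested first; the two location rules follow.
    """
    if rec["status"] != 403:
        return None
    if BLOCKED_UA_RE.search(rec["ua"]):
        return "user_agent"
    if PHP_UNDER_UPLOAD_RE.search(rec["uri"]):
        return "php_in_upload"
    if rec["uri"].startswith(ADMIN_PREFIX):
        return "admin_ip_allowlist"
    return "other"


def denial_report(log_text):
    """Return (per_rule, per_client) Counters covering every 403 in the log."""
    per_rule, per_client = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 403:
            continue
        per_rule[classify_denial(rec)] += 1
        per_client[rec["client"]] += 1
    return per_rule, per_client


if __name__ == "__main__":
    rules, clients = denial_report(SAMPLE_LOG)
    print("403s by rule:  ", dict(rules))
    print("403s by client:", dict(clients))
```

One gap this report cannot close: the hotlink rule in section 12.13 sits in a location with access_log off, so its 403s never reach the log at all. If you want referer denials to be visible, give that location its own access_log instead of switching logging off.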
12.15 Nginx PHP parsing configuration
Core configuration:

[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
    include fastcgi_params;
    #fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_pass 127.0.0.1:9000;    ## fastcgi_pass has two listen formats, but Nginx and php-fpm must use the same one
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
[root@cham002 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@cham002 ~]# curl -x 127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 10:44:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Note: two points to watch here. fastcgi_pass has two formats, but whichever one is used, Nginx and php-fpm must use the same one, otherwise a 502 error results; and the path on the fastcgi_param SCRIPT_FILENAME line must match the root path!
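A third point matters for the deny rule from section 12.14 once the PHP location above is added: nginx tests regular-expression locations in the order they appear in the configuration and uses the first one that matches, so `location ~ .*(upload|image)/.*\.php$ { deny all; }` only protects uploaded .php files if it is written before `location ~ \.php$`. The following added example (not code from the original post or from nginx) implements nginx's documented location-selection order for the location set on this page and shows both orderings. The handler names are labels chosen for the example.

```python
import re

# Locations in the order they appear in this page's server block, plus the
# PHP handler from section 12.15 placed after the deny rule.
# Tuples are (modifier, pattern, handler label); labels are this example's, not nginx's.
LOCATIONS_DENY_BEFORE_PHP = [
    ("~*", r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", "static_referer_check"),
    ("~",  r".*\.(js|css)$",            "static_js_css"),
    ("",   "/admin/",                    "admin_ip_allowlist"),
    ("~",  r".*(upload|image)/.*\.php$", "deny_all"),
    ("~",  r"\.php$",                    "php_fpm"),
]

# The same locations with the PHP handler written before the deny rule.
LOCATIONS_PHP_BEFORE_DENY = (
    LOCATIONS_DENY_BEFORE_PHP[:3]
    + [LOCATIONS_DENY_BEFORE_PHP[4], LOCATIONS_DENY_BEFORE_PHP[3]]
)


def select_location(uri, locations):
    """Pick the location nginx would use for a request URI.

    Documented nginx order: an exact ("=") match wins immediately; otherwise
    the longest matching prefix is remembered, and if that prefix is "^~" the
    search stops there; otherwise regex locations ("~" case-sensitive, "~*"
    case-insensitive) are tried in order of appearance and the first match
    wins; if no regex matches, the remembered prefix is used.
    """
    best = None
    for mod, pat, handler in locations:
        if mod == "=" and uri == pat:
            return handler
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, handler)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pat, handler in locations:
        if mod == "~" and re.search(pat, uri):
            return handler
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return handler
    return best[2] if best is not None else "server_default"


if __name__ == "__main__":
    for uri in ["/upload/1.php", "/admin/", "/admin/index.php", "/1.GIF", "/index.html"]:
        print(f"{uri:18} deny-first: {select_location(uri, LOCATIONS_DENY_BEFORE_PHP):22}"
              f" php-first: {select_location(uri, LOCATIONS_PHP_BEFORE_DENY)}")
```

The simulation also exposes a second ordering effect worth checking in a real deployment: /admin/ is a plain prefix location, so a request for /admin/index.php is claimed by the `~ \.php$` regex and never passes through the allow/deny list. If the admin area contains PHP, protect it with a regex location (or a `^~ /admin/` prefix that nests its own PHP handling) rather than a bare prefix.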
12.16 Nginx proxy
The Nginx proxy is a reverse proxy. Reverse proxying (Reverse Proxy) means that a proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results obtained from those servers to the client on the Internet that made the request; to the outside, the proxy server appears to be a single server.

How it works
The Nginx proxy defines a domain name on a proxy server and points that domain name at an IP; the user's requests then pass through this proxy server to the web server at that IP. The request flow:

User --> Proxy server
Proxy server --> User
Proxy server --> Web server
Web server --> Proxy server
[root@cham002 ~]# cd /usr/local/nginx/conf/vhost
[root@cham002 vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;    # define the domain name (usually the same as the domain name of the proxied IP)
    location /
    {
        proxy_pass http://121.201.9.155/;    # specify the proxied (accessed) IP, i.e. the web server's IP
        proxy_set_header Host $host;    # $host is the proxy server's server_name (also the domain name of the proxied IP)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Note: because this virtual host is used only as a proxy server and does not need to access local files, no root directory needs to be set.
Before the proxy is configured:

[root@cham002 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 vhost]#
[root@cham002 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 vhost]# /usr/local/nginx/sbin/nginx -s reload

After the proxy is configured:

[root@cham002 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@cham002 vhost]#
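The two proxy_set_header lines for X-Real-IP and X-Forwarded-For decide what the backend learns about the original client, and $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent. The following added example (not code from the original post or from nginx) builds the headers the backend receives exactly as proxy.conf above would, and shows why a backend must read the chain from the right, skipping known proxies, rather than trusting the leftmost value. The trusted-proxy set, the client addresses and the forged header are constructed for the example.

```python
# Hypothetical trusted-proxy set: the nginx host used throughout this page.
TRUSTED_PROXIES = {"192.168.230.135"}


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Mimic nginx's $proxy_add_x_forwarded_for: the client's X-Forwarded-For
    value with $remote_addr appended after ", ", or $remote_addr alone when
    the client sent no such header."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def backend_headers(client_headers, remote_addr, host):
    """The three headers set by proxy.conf, as the backend receives them.
    remote_addr is the address that connected to the proxy ($remote_addr),
    host is the $host value (the proxy's server_name in this page's setup)."""
    return {
        "Host": host,
        "X-Real-IP": remote_addr,
        "X-Forwarded-For": proxy_add_x_forwarded_for(
            client_headers.get("X-Forwarded-For"), remote_addr),
    }


def client_ip_from_xff(xff, trusted_proxies):
    """Backend-side parsing: walk the chain from the right, skipping addresses
    that are known proxies; the first unknown hop is the best available client
    address. The leftmost entry is whatever the client chose to send."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return None


if __name__ == "__main__":
    # Constructed request: the client sent a forged X-Forwarded-For of 1.2.3.4
    # and actually connected from 203.0.113.5 (a documentation-range address).
    hdrs = backend_headers({"X-Forwarded-For": "1.2.3.4"}, "203.0.113.5", "ask.apelearn.com")
    print(hdrs)
    print("naive leftmost :", hdrs["X-Forwarded-For"].split(",")[0].strip())
    print("trusted walk   :", client_ip_from_xff(hdrs["X-Forwarded-For"], TRUSTED_PROXIES))
```

Because this proxy always overwrites X-Real-IP with $remote_addr, a backend that only ever sits behind this one nginx can simply use X-Real-IP; X-Forwarded-For becomes necessary once there is more than one proxy hop, and then the right-to-left walk over a known proxy list is what keeps client-controlled values from being mistaken for the source address in logs or allow lists.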