
Nginx anti-hotlinking configuration, Nginx access control, and Nginx PHP parsing configuration

2018-01-04 17:46  1136 views
Nginx anti-hotlinking configuration

#vim /usr/local/nginx/conf/vhost/test.com.conf                       //write the following into the file

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;   # referer whitelist
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

# /usr/local/nginx/sbin/nginx -t                  //check the syntax

#/usr/local/nginx/sbin/nginx -s reload           //reload

#echo "1223" > /data/wwwroot/test.com/1.gif                   //write 1223 into 1.gif as a test file

#curl -x127.0.0.1:80 -I test.com/1.gif                   //test the hotlink check without a Referer

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 09:11:57 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Thu, 04 Jan 2018 09:08:11 GMT
Connection: keep-alive
ETag: "5a4deefb-b"
Expires: Thu, 11 Jan 2018 09:11:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:32 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Wed, 03 Jan 2018 04:06:01 GMT
Connection: keep-alive
ETag: "5a4c56a9-b"
Expires: Wed, 10 Jan 2018 04:19:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

This shows the anti-hotlinking configuration works: a request with no Referer or with a Referer on test.com gets 200, while a Referer from another site gets 403.
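The whitelist semantics of valid_referers are easy to misread, so here is a small Python model of the decision nginx makes for the location above (an added example, not part of the original post and not nginx code; it assumes the vhost's server_name is test.com and handles only hostname patterns, not the path-prefix form nginx also accepts). It reproduces the three curl tests above and adds the "blocked" case of a Referer mangled by a proxy.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Model of the hotlink check configured above (added example, not nginx code).
# Assumption: the vhost's server_name is test.com.
SERVER_NAMES = ["test.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
HOTLINK_EXT = re.compile(r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.I)

def host_matches(pattern: str, host: str) -> bool:
    """Hostname patterns as nginx treats them: exact, '*.x.y' (any subdomain) or 'x.*'."""
    pattern = pattern.lower()
    if pattern.startswith("*."):             # *.test.com covers www.test.com, not test.com itself
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def invalid_referer(referer: Optional[str]) -> bool:
    """True when nginx would set $invalid_referer for this request."""
    if referer is None:                      # header absent: allowed only via 'none'
        return "none" not in VALID_REFERERS
    low = referer.lower()
    if not low.startswith(("http://", "https://")):   # present but not a URL: 'blocked'
        return "blocked" not in VALID_REFERERS
    try:
        host = urlsplit(low).hostname or ""
    except ValueError:
        return True
    for pat in VALID_REFERERS:
        if pat in ("none", "blocked"):
            continue
        names = SERVER_NAMES if pat == "server_names" else [pat]
        if any(host_matches(n, host) for n in names):
            return False
    return True

def decide(uri: str, referer: Optional[str]) -> int:
    """HTTP status the location above would produce for a given URI and Referer."""
    if HOTLINK_EXT.match(uri) and invalid_referer(referer):
        return 403
    return 200                               # URIs outside the location are not checked at all

if __name__ == "__main__":
    # The post's curl tests, plus a Referer stripped to a non-URL by a proxy.
    for ref in (None, "http://www.baidu.com/1.txt", "http://www.test.com/1.txt", "stripped"):
        print(repr(ref), "->", decide("/1.gif", ref))
```

As the curl -e test shows, the Referer header is whatever the client chooses to send, so this stops casual hotlinking rather than a deliberate client.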

Nginx access control

Requirement: requests for the /admin/ directory may only come from a few specific IPs. Configuration:

#vim /usr/local/nginx/conf/vhost/test.com.conf                        //write the following into the file

location /admin/
{
    allow 192.168.37.1;
    allow 127.0.0.1;
    deny all;
}

#mkdir /data/wwwroot/test.com/admin/                        //create the directory

#echo "test,test" > /data/wwwroot/test.com/admin/1.html             //write a test page

#/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload     //check the configuration and reload

#curl -x127.0.0.1:80 test.com/admin/1.html -I                  //test from 127.0.0.1, which is allowed

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:05:58 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Wed, 03 Jan 2018 05:05:20 GMT
Connection: keep-alive
ETag: "5a4c6490-6"
Accept-Ranges: bytes

#curl -x192.168.37.130:80 test.com/admin/1.html -I                 //test again via 192.168.37.130, which is not in the allow list

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:06:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Disable PHP parsing in directories that accept uploads, so that someone who uploads a PHP trojan file there cannot have it executed just because the directory can parse PHP.
Configuration:

location ~ .*(upload|image)/.*\.php$
{
    deny all;
}

#/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload     //check the configuration and reload

#mkdir /data/wwwroot/test.com/upload/                                //create the upload directory

#echo "123" > /data/wwwroot/test.com/upload/1.php             //create the test file 1.php

#curl -x127.0.0.1:80 test.com/upload/1.php -I             //test

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:27:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

# curl -x127.0.0.1:80 test.com/upload/1.txt -I

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:32:18 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 03 Jan 2018 05:32:11 GMT
Connection: keep-alive
ETag: "5a4c6adb-4"
Accept-Ranges: bytes
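Both the /admin/ allow/deny block and the upload deny block only take effect if nginx actually selects that location for the request, so here is a Python model of nginx's location selection applied to this vhost (an added example, not part of the original post and not nginx code; it covers prefix, ^~, = and regex locations in simplified form, and the location lists are constructed from the snippets in this post). It shows that the upload deny regex must stay ahead of the later `location ~ \.php$` block, and that a request such as /admin/1.php is handled by the PHP regex location rather than by the /admin/ allow/deny block.

```python
import re
from typing import List, Optional, Tuple

# One tuple per location block: (modifier, pattern, name of the block).
# Modifiers: "" prefix, "^~" prefix that stops the regex search, "=" exact, "~" / "~*" regex.
Location = Tuple[str, str, str]

def select_location(locations: List[Location], uri: str) -> str:
    """Simplified nginx algorithm: an exact match wins; otherwise remember the longest prefix;
    if it is ^~ use it; otherwise the first matching regex in file order; otherwise the prefix."""
    best: Optional[Location] = None
    for mod, pat, name in locations:
        if mod == "=" and uri == pat:
            return name
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, name)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pat, name in locations:
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return name
    return best[2] if best else "default"

# The vhost as built up in this post (constructed; order = order of appearance).
PAGE_ORDER: List[Location] = [
    ("~*", r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", "hotlink-check"),
    ("", "/admin/", "admin-allow-deny"),
    ("~", r".*(upload|image)/.*\.php$", "upload-deny"),
    ("~", r"\.php$", "php-fastcgi"),
]
# Same blocks with the PHP handler moved above the upload deny: the deny becomes unreachable.
SWAPPED_ORDER: List[Location] = [PAGE_ORDER[0], PAGE_ORDER[1], PAGE_ORDER[3], PAGE_ORDER[2]]
# /admin/ declared with ^~ so its allow/deny also covers .php files under it
# (at the price that this block no longer passes those files to FastCGI).
ADMIN_PINNED: List[Location] = [PAGE_ORDER[0], ("^~", "/admin/", "admin-allow-deny")] + PAGE_ORDER[2:]

if __name__ == "__main__":
    for uri in ("/upload/1.php", "/admin/1.html", "/admin/1.php", "/1.gif"):
        print(uri, select_location(PAGE_ORDER, uri), select_location(SWAPPED_ORDER, uri))
```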

Restricting by user_agent

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}

#/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload     //check the configuration and reload

#curl -A "Tomatoshshd" -x127.0.0.1:80 test.com/upload/1.txt -I            //test with a matching user_agent

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:49:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Checking the access log shows the blocked request:

127.0.0.1 - [03/Jan/2018:13:49:14 +0800] test.com "/upload/1.txt" 403 "-" "Tomatoshsh"

Nginx PHP parsing configuration

When nginx has no configuration for parsing PHP, a request for a .php file returns the PHP source code instead of executing it.

Now edit the vhost configuration:

#vim /usr/local/nginx/conf/vhost/test.com.conf                  //write the following into the file

Configuration:
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;     # a wrong listen address here produces 502
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

Then request the PHP file from before again:
#curl -x127.0.0.1:80 test.com/4.php                //now the file is parsed correctly

fastcgi_pass specifies the address or socket on which php-fpm listens. The listen address in /usr/local/php-fpm/etc/php-fpm.conf and the fastcgi_pass address in the nginx vhost configuration must be identical; otherwise nginx returns 502.

location ~ \.php$
{
    include fastcgi_params;
    # fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_pass 127.0.0.1:9000;        # must match the listen address in php-fpm.conf
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

Listen permissions in /usr/local/php-fpm/etc/php-fpm.conf: when php-fpm listens on a unix socket and no listen permissions are defined in its configuration, nginx also returns 502.

#vim /usr/local/php-fpm/etc/php-fpm.conf          //edit the php-fpm configuration
[global]                                          ; global settings
pid = /usr/local/php-fpm/var/run/php-fpm.pid      ; pid file
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]                                             ; pool name
listen = /tmp/php-fcgi.sock                       ; listen on a unix socket
;listen = 127.0.0.1:9000                          ; or on a local ip and port
listen.mode = 666                                 ; socket permissions; without this a socket listener gives 502
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

A 502 also occurs when PHP's resources are exhausted (php-fpm has no free worker to take the request).
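Two of the 502 causes described above are a fastcgi_pass target that differs from php-fpm's listen address and a unix socket with no permissions configured. The following Python script, an added example that is not part of the post or of nginx/php-fpm, reads both configurations and reports exactly those two conditions; the sample configurations embedded in it are constructed from the snippets above.

```python
import re

def nginx_fastcgi_pass(conf: str):
    """First active fastcgi_pass target in an nginx vhost ('#' starts a comment)."""
    for line in conf.splitlines():
        m = re.match(r"\s*fastcgi_pass\s+(\S+?)\s*;", line.split("#", 1)[0])
        if m:
            return m.group(1)
    return None

def fpm_pool_settings(conf: str, pool: str = "www") -> dict:
    """key -> value for one php-fpm pool section (';' or legacy '#' starts a comment)."""
    settings, section = {}, None
    for line in conf.splitlines():
        line = re.split(r"[;#]", line, 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == pool:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def same_endpoint(nginx_addr: str, fpm_listen: str) -> bool:
    """nginx writes 'unix:/path'; php-fpm writes '/path', 'ip:port' or a bare port (all interfaces)."""
    a = nginx_addr[5:] if nginx_addr.startswith("unix:") else nginx_addr
    if a.startswith("/") or fpm_listen.startswith("/"):
        return a == fpm_listen                          # socket paths must be identical
    b = fpm_listen if ":" in fpm_listen else "0.0.0.0:" + fpm_listen
    a_host, _, a_port = a.rpartition(":")
    b_host, _, b_port = b.rpartition(":")
    return a_port == b_port and (a_host == b_host or b_host == "0.0.0.0")

def diagnose(nginx_conf: str, fpm_conf: str) -> list:
    """Return the 502 causes visible in this configuration pair (empty list = consistent)."""
    target, pool = nginx_fastcgi_pass(nginx_conf), fpm_pool_settings(fpm_conf)
    listen = pool.get("listen")
    if target is None or listen is None:
        return ["fastcgi_pass or php-fpm listen is missing"]
    problems = []
    if not same_endpoint(target, listen):
        problems.append(f"address mismatch: nginx fastcgi_pass {target} vs php-fpm listen {listen}")
    if listen.startswith("/") and not {"listen.mode", "listen.owner", "listen.group"} & set(pool):
        problems.append("unix socket without listen.mode/owner/group: the nginx worker cannot connect")
    return problems

# Constructed samples built from the snippets in this post (not real files).
NGINX_SOCK = "location ~ \\.php$ {\n  fastcgi_pass unix:/tmp/php-fcgi.sock;\n}\n"
NGINX_TCP = "location ~ \\.php$ {\n  # fastcgi_pass unix:/tmp/php-fcgi.sock;\n  fastcgi_pass 127.0.0.1:9000;\n}\n"
FPM_SOCK = "[global]\npid = /usr/local/php-fpm/var/run/php-fpm.pid\n[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\nuser = php-fpm\n"
FPM_TCP = "[www]\nlisten = 127.0.0.1:9000\n;listen = /tmp/php-fcgi.sock\n"
```

listen.mode = 666 makes the socket connectable by every local user; setting listen.owner and listen.group to the nginx worker user with php-fpm's default 0660 mode fixes the 502 with less exposure.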