Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration and Nginx proxying on Linux
2018-01-05 20:32
Nginx hotlink protection
The approach is the same as with httpd, and the configuration is not hard, but it should be combined with an expiry time and with turning off logging for these requests.
1. Configuration file contents
[root@gary-tao test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following configuration:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
    expires 7d;
    # define the referer whitelist
    valid_referers none blocked server_names *.test.com ;
    # anything not on the whitelist gets a 403
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
2. Test the syntax and reload the configuration
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload
3. Test with curl
To test hotlink protection, a referer has to be supplied for the request to succeed; it is added with -e, and the value must start with http://
[root@gary-tao test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:17:05 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:16:43 GMT
Content-Type: image/gif
Content-Length: 15
Last-Modified: Thu, 04 Jan 2018 10:51:09 GMT
Connection: keep-alive
ETag: "5a4e071d-f"
Expires: Thu, 11 Jan 2018 11:16:43 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
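To make the valid_referers rule above concrete, here is an added Python emulation of how nginx decides $invalid_referer for exactly this configuration (example code written for this post, not nginx's own). It assumes the vhost's server_name is test.com, so that server_names expands to that single name, and models nginx's host comparison as case-insensitive with any port stripped.

```python
"""Emulation of:  valid_referers none blocked server_names *.test.com;
                 if ($invalid_referer) { return 403; }
Hypothetical helper, not nginx's code. Assumes server_name test.com."""
from typing import Optional

SERVER_NAMES = ["test.com"]        # what `server_names` expands to (assumed)
ALLOWED_PATTERNS = ["*.test.com"]  # explicit patterns from the config


def referer_host(referer: str) -> Optional[str]:
    """Host part of a Referer, or None when it has no http(s) scheme.
    nginx calls such values 'blocked' (stripped by a proxy or firewall)."""
    lower = referer.lower()
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            rest = lower[len(scheme):]
            return rest.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    return None


def host_allowed(host: str) -> bool:
    """server_names match exactly; *.test.com matches any proper subdomain."""
    if host in SERVER_NAMES:
        return True
    for pat in ALLOWED_PATTERNS:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".test.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pat:
            return True
    return False


def invalid_referer(referer: Optional[str]) -> bool:
    """True when nginx would set $invalid_referer for this rule."""
    if not referer:
        return False          # `none`: no Referer header at all
    host = referer_host(referer)
    if host is None:
        return False          # `blocked`: header present but scheme stripped
    return not host_allowed(host)


def status_for(referer: Optional[str]) -> int:
    """Status the if-block above would produce for a whitelisted file type."""
    return 403 if invalid_referer(referer) else 200
```

Note that the Referer is chosen by the client, as the curl -e tests show, so this rule stops casual embedding of your images on other sites rather than a client that deliberately sets the header.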
Nginx access control
1. Configuration file: restrict access by IP
[root@gary-tao test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following content:
location /admin/ {
    allow 127.0.0.1;
    allow 172.16.111.100;
    deny all;
}
2. Test the syntax and reload the configuration
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload
3. Test with curl
Explanation:
When configuring httpd there is also an order directive that defines whether allow or deny is evaluated first. Nginx has no such thing: evaluation stops at the first rule that matches. If the source IP is 172.16.111.129, the rules are checked one by one from top to bottom: the first IP (127.0.0.1) does not match, the second IP (172.16.111.100) does not match, and only the third line (all) matches. That rule is deny (access refused), so a 403 status code is returned in the end. Test as follows:
[root@gary-tao test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:35:17 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes
[root@gary-tao test.com]# curl -x172.16.111.100:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:36:25 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes
[root@gary-tao ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.111.100  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::1ffb:cde1:5f3e:5778  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:e5:58  txqueuelen 1000  (Ethernet)
        RX packets 40262  bytes 15749043 (15.0 MiB)
        RX errors 0  dropped 50  overruns 0  frame 0
        TX packets 28168  bytes 4961855 (4.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.111.129  netmask 255.255.255.0  broadcast 172.16.111.255
        inet6 fe80::888c:a1d7:871b:8971  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:e5:62  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 8623 (8.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 10741 (10.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 354  bytes 33223 (32.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 354  bytes 33223 (32.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@gary-tao ~]# curl -x172.16.111.129:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:46:03 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:53:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
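The first-match evaluation just described, as an added Python emulation of nginx's allow/deny handling for the /admin/ block (example code written for this post, not nginx's). It goes slightly beyond the post by accepting CIDR rules and by showing the two orderings that trip people up: deny all placed first, and an allow list with the deny all forgotten.

```python
"""Emulation of nginx allow/deny for:
   location /admin/ { allow 127.0.0.1; allow 172.16.111.100; deny all; }
Hypothetical helper, not nginx's code. Rules are checked top to bottom and
the first match decides; there is no httpd-style `order` directive."""
import ipaddress

ADMIN_RULES = [
    ("allow", "127.0.0.1"),
    ("allow", "172.16.111.100"),
    ("deny", "all"),
]


def matches(rule_addr: str, client_ip) -> bool:
    """`all` matches everything; otherwise the rule is a host or a CIDR."""
    if rule_addr == "all":
        return True
    # strict=False lets a plain host like 172.16.111.100 act as a /32
    return client_ip in ipaddress.ip_network(rule_addr, strict=False)


def trace(rules, client: str):
    """Rules consulted, in order, with whether each matched; stops at the
    first hit, as the post walks through for 172.16.111.129."""
    ip = ipaddress.ip_address(client)
    consulted = []
    for action, addr in rules:
        hit = matches(addr, ip)
        consulted.append((action, addr, hit))
        if hit:
            break
    return consulted


def decide(rules, client: str) -> int:
    """200 if the first matching rule is allow, 403 if it is deny.
    When no rule matches at all nginx permits the request, which is why a
    list of allows with no trailing `deny all` protects nothing."""
    consulted = trace(rules, client)
    if consulted and consulted[-1][2]:
        return 200 if consulted[-1][0] == "allow" else 403
    return 200
```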
4. Regular expressions can be used to restrict directories
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following content:
# match .php files under the upload or image directory
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload
Test with curl
A .php file under the upload directory cannot be accessed, but files with any other extension can.
[root@gary-tao ~]# mkdir /data/wwwroot/test.com/upload
[root@gary-tao ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.php
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@gary-tao ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.txt
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111111
[root@gary-tao ~]# cat /tmp/test.com.log
127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:53:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:09 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:48 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
5. Restrict by user_agent
If you do not want your site to be found by search engines, block the spiders such as Baidu and Google; then no site can crawl your data, which is roughly the same as hiding the site, unless you tell someone the address.
The configuration is as follows:
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following configuration:
# deny all and return 403 have the same effect
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload
-A simulates the user_agent; test with curl
Tomato is on the restricted user_agent list, so access is refused. Case is not ignored here; to make the match case-insensitive, add * after the ~ in the if statement, i.e. if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
[root@gary-tao ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:56:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:58:10 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 04 Jan 2018 12:48:43 GMT
Connection: keep-alive
ETag: "5a4e22ab-8"
Accept-Ranges: bytes
[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I   # after adding the *, this is 403 as well
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:58:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Nginx PHP parsing configuration
In LAMP, PHP appears as a module of httpd: as long as the PHP module is loaded, PHP scripts can be parsed. In LNMP, PHP exists as a service (php-fpm): the php-fpm service must be started first, and then Nginx communicates with php-fpm. In other words, the work of parsing PHP scripts is done by php-fpm, which hands the result to Nginx, and Nginx returns the result to the user.
1. Test
Before changing the configuration file to add PHP parsing, first create a PHP file and test whether PHP is parsed. The result is as follows:
[root@gary-tao ~]# vi /data/wwwroot/test.com/3.php
Add the following content:
<?php phpinfo(); ?>
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/3.php
<?php phpinfo(); ?>
2. Modify the configuration file
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following configuration:
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload
Explanation
Here fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a tcp:port address (for example 127.0.0.1:9000), this must be changed accordingly to fastcgi_pass 127.0.0.1:9000. This address must match the address the php-fpm service listens on; otherwise a 502 error is returned.
Another point to note: the path after fastcgi_param SCRIPT_FILENAME is the root directory of the site and must be the same as the root path defined earlier; if it is configured incorrectly, accessing a PHP page gives a 404.
[Figures: configuration screenshot; PHP parsed correctly]
Nginx proxy
A company has many servers. To save cost, not all of them can be given a public IP, and if a server without a public IP is to provide a web service, this can be achieved through a proxy.
Create a new configuration file
[root@gary-tao ~]# cd /usr/local/nginx/conf/vhost
[root@gary-tao vhost]# vim proxy.conf
Add the following content:
server {
    listen 80;
    server_name ask.apelearn.com;
    location / {
        # the IP of the server hosting the proxied domain, i.e. the web server's address
        proxy_pass http://121.201.9.155/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# there is no root here: this is a proxy server and does not need to access any file on the local machine
[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -s reload
robots.txt is the list that tells spiders what they may index; most sites have one
[root@gary-tao vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@gary-tao vhost]#
The remote site was reached through the local IP: the proxy server is our virtual machine, and the web server is ask.apelearn.com, the site we are accessing.
[root@gary-tao vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@gary-tao vhost]#
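The proxy.conf above forwards X-Real-IP and X-Forwarded-For so the web server behind it can still see who the client is; here is an added Python example of how that web server should read those headers (example code written for this post, not nginx's or the site's). It assumes the backend knows the address of its own proxy; TRUSTED_PROXIES is a constructed value using the lab VM from the post in that role.

```python
"""Backend-side handling of the headers proxy.conf sets:
   X-Real-IP $remote_addr and X-Forwarded-For $proxy_add_x_forwarded_for.
Hypothetical helper, not nginx's code. TRUSTED_PROXIES is constructed."""
import ipaddress
from typing import Optional

# constructed: the post's proxy VM stands in for the proxy in front of the backend
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.111.100/32")]


def is_trusted(addr: str) -> bool:
    """True if addr is one of our own proxies; raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Address to log, rate-limit or apply allow/deny rules against.

    $proxy_add_x_forwarded_for appends the proxy's own $remote_addr to any
    X-Forwarded-For the client already sent, so client-supplied entries sit on
    the left and the proxy-added hop on the right. Walk right to left, skip
    our own proxies, and take the first other address. If the TCP peer is not
    a trusted proxy the header came straight from the client and is ignored.
    """
    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
    return remote_addr          # only our proxies listed: peer is the best we have
```

The same rule applies to X-Real-IP: proxy_set_header overwrites whatever the client sent, so it is trustworthy only when the TCP peer is the proxy that set it.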