
Nginx on Linux: hotlink protection, access control, PHP handling configuration, and an introduction to Nginx proxying

2018-01-05 20:32

Nginx hotlink protection

The idea is the same as with httpd and the configuration is not difficult, but it should be combined with the expiry-time and no-logging settings.

1. Configuration file contents
[root@gary-tao test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following configuration:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;   # define the whitelist
    if ($invalid_referer) {
        return 403;                                        # not in the whitelist: return 403
    }
    access_log off;
}


2. Test the syntax and reload the configuration
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload

3. Test with curl
To test hotlink protection a Referer header has to be supplied for the request to succeed. curl's -e option sets the Referer, and the value must start with http://. Keep in mind that the Referer is chosen by the client and that the none keyword accepts requests without any Referer at all, so this blocks casual embedding by other sites rather than a determined downloader.

[root@gary-tao test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:17:05 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@gary-tao test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:16:43 GMT
Content-Type: image/gif
Content-Length: 15
Last-Modified: Thu, 04 Jan 2018 10:51:09 GMT
Connection: keep-alive
ETag: "5a4e071d-f"
Expires: Thu, 11 Jan 2018 11:16:43 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
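To make the decision rules concrete, here is an added example (not code from the page and not Nginx's own code) that models how valid_referers computes $invalid_referer for the forms used above: none, blocked, server_names and a name with a leading wildcard. It is a simplified model of the documented behaviour (the regex form and names with a URI part are left out), and SERVER_NAMES is an assumption because the page does not show the vhost's server_name.

```python
import re

# Assumed server_name of the vhost (the page does not show test.com.conf in full).
SERVER_NAMES = ["test.com", "www.test.com"]
# The valid_referers list copied from the page's location block.
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def _host_of(referer: str) -> str:
    """Strip scheme, port, path and query; Nginx compares the name case-insensitively."""
    m = re.match(r"^(?:https?://)?([^/:?#]+)", referer.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _name_matches(host: str, pattern: str) -> bool:
    """A plain name, or a name with a leading or trailing * as valid_referers allows."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.test.com" covers subdomains, not test.com itself
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES) -> bool:
    """Value of $invalid_referer: True means the request is rejected.
    referer=None models a request without a Referer header."""
    if referer is None:
        return "none" not in valid            # header absent: accepted only with "none"
    lowered = referer.strip().lower()
    if not lowered.startswith(("http://", "https://")):
        return "blocked" not in valid         # header present but scheme stripped by a proxy/firewall
    host = _host_of(referer)
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if any(_name_matches(host, name) for name in server_names):
                return False
        elif _name_matches(host, entry):
            return False
    return True


if __name__ == "__main__":
    # The first two cases reproduce the page's curl results (403 and 200).
    for ref in ["http://www.baidu.com/1.txt", "http://www.test.com/1.txt", None, "test.com/page"]:
        print(repr(ref), "->", "403" if invalid_referer(ref) else "200")
```

The None case is the practical limitation: with none in the list, a request that simply omits the Referer is served, and a client that sets Referer: http://www.test.com/ is served too. Dropping none breaks direct visits and many browsers' privacy settings, so most sites accept that trade-off knowingly.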

Nginx access control

1. Configuration file: restrict access by IP
[root@gary-tao test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following:

location /admin/
{
allow 127.0.0.1;
allow 172.16.111.100;
deny all;
}


2. Test the syntax and reload the configuration
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload

3. Test with curl
Explanation:

httpd has an order directive to decide whether allow or deny is evaluated first. Nginx has nothing of the kind: the rules are checked from top to bottom and evaluation stops at the first rule that matches (if no rule matches, the request is allowed, which is why the list ends with deny all). For a source IP of 172.16.111.129, the first rule (127.0.0.1) does not match, the second (172.16.111.100) does not match, and the third (all) does; that rule is deny, so the response is a 403. Tested as follows:

[root@gary-tao test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:35:17 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes

[root@gary-tao test.com]# curl -x172.16.111.100:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:36:25 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes
The host has both addresses (ifconfig below), so the address curl connects to via -x is also the source address Nginx sees and matches against the rules:
[root@gary-tao ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 172.16.111.100  netmask 255.255.0.0  broadcast 172.16.255.255
inet6 fe80::1ffb:cde1:5f3e:5778  prefixlen 64  scopeid 0x20<link>
ether 00:0c:29:09:e5:58  txqueuelen 1000  (Ethernet)
RX packets 40262  bytes 15749043 (15.0 MiB)
RX errors 0  dropped 50  overruns 0  frame 0
TX packets 28168  bytes 4961855 (4.7 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 172.16.111.129  netmask 255.255.255.0  broadcast 172.16.111.255
inet6 fe80::888c:a1d7:871b:8971  prefixlen 64  scopeid 0x20<link>
ether 00:0c:29:09:e5:62  txqueuelen 1000  (Ethernet)
RX packets 61  bytes 8623 (8.4 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 58  bytes 10741 (10.4 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10<host>
loop  txqueuelen 1  (Local Loopback)
RX packets 354  bytes 33223 (32.4 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 354  bytes 33223 (32.4 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@gary-tao ~]# curl -x172.16.111.129:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:46:03 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:53:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"

4. A regex can be used to restrict a directory
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following:

location ~ .*(upload|image)/.*\.php$   # matches .php files under an upload or image directory
{
    deny all;
}

[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload



Test with curl

.php files under the upload directory cannot be accessed, while files with any other extension still can. Note that regex locations are tried in the order they appear in the configuration and the first match wins, so this deny block must come before the location ~ \.php$ block that hands PHP to php-fpm (added later on this page); otherwise /upload/1.php would match that block first and be executed instead of denied.

[root@gary-tao ~]# mkdir /data/wwwroot/test.com/upload
[root@gary-tao ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.php
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@gary-tao ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.txt
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111111
[root@gary-tao ~]# cat /tmp/test.com.log
127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:53:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:09 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:48 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

5. Restrict by User-Agent

If you do not want the site to be indexed, block the crawlers (Baidu, Google and so on) by their User-Agent. Bear in mind that the User-Agent is set by the client: this keeps out crawlers that identify themselves honestly, and anyone who sends a different User-Agent gets through, so it hides the site from well-behaved bots rather than from everyone who does not know the URL.

The configuration is as follows:

[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following configuration:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
# return 403 produces the same response as deny all; deny is not permitted inside an if block, so return is used here

[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload


Simulate the User-Agent with -A and test with curl

Tomato is in the blocked list, so the request is refused. The match is case-sensitive as written; to ignore case, use ~* instead of ~ in the if statement: if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')

[root@gary-tao ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:56:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:58:10 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 04 Jan 2018 12:48:43 GMT
Connection: keep-alive
ETag: "5a4e22ab-8"
Accept-Ranges: bytes
After changing ~ to ~*, the lowercase variant is rejected as well:
[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:58:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
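The allow/deny walk explained in step 3, the upload/image regex block of step 4 and the User-Agent check of step 5 can all be modelled in a few lines. This added example (not Nginx's code and not from the page) implements the first-match rule of the access module, accepts CIDR blocks as nginx also does, and replays log lines in the page's log format against the model so that the recorded 403s can be checked against the configured policy. The sample log lines are taken from the page's /tmp/test.com.log plus one line constructed from the page's Tomato User-Agent test.

```python
import ipaddress
import re

# Rules copied from the page's test.com.conf. CIDR targets such as 10.0.0.0/8 are accepted too.
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "172.16.111.100"), ("deny", "all")]
DENY_PHP_UNDER = re.compile(r".*(upload|image)/.*\.php$")
UA_BLOCKLIST = r"Spider/3.0|YoudaoBot|Tomato"

# The page's access log format: ip - [time] host "uri" status "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) - \[[^\]]+\] (\S+) "([^"]*)" (\d{3}) "([^"]*)" "([^"]*)"$')

# Lines from the page's /tmp/test.com.log; the last one is constructed from the page's -A test.
SAMPLE_LOG = """\
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:09 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:48 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:56:14 +0800] test.com "/upload/1.txt" 403 "-" "Tomatoalsdkflsd"
"""


def access_allowed(remote_addr, rules):
    """ngx_http_access_module semantics: rules are tried top to bottom and the first
    one whose address or network contains the client decides. When no rule matches
    Nginx allows the request, so a list without a final 'deny all' is not a whitelist."""
    addr = ipaddress.ip_address(remote_addr)
    for action, target in rules:
        if target == "all":
            matched = True
        else:
            net = ipaddress.ip_network(target, strict=False)
            matched = addr.version == net.version and addr in net
        if matched:
            return action == "allow"
    return True


def ua_blocked(user_agent, ignore_case=False):
    """The page's if ($http_user_agent ~ ...) check; ignore_case=True is the ~* form."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(UA_BLOCKLIST, user_agent, flags) is not None


def denied(remote_addr, uri, user_agent, ignore_case_ua=False):
    """Decide a request the way the page's vhost does. The server-level `if` runs
    before location selection, and regex locations are checked before a plain
    prefix location such as /admin/ is used, hence the order of the checks."""
    if ua_blocked(user_agent, ignore_case_ua):
        return True
    if DENY_PHP_UNDER.match(uri):
        return True
    if uri.startswith("/admin/"):
        return not access_allowed(remote_addr, ADMIN_RULES)
    return False


def replay(log_text):
    """Return the log lines whose recorded outcome (403 or not) disagrees with the
    model; an empty list means the policy matches what Nginx actually did."""
    mismatches = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _host, uri, status, _referer, ua = m.groups()
        if denied(ip, uri, ua) != (status == "403"):
            mismatches.append(line)
    return mismatches


if __name__ == "__main__":
    print("lines disagreeing with the policy:", replay(SAMPLE_LOG))
```

Running replay over a real log after a configuration change is a cheap regression check: any line it returns is either a request the policy should have blocked but did not, or one that was blocked for a reason outside the modelled rules.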

Nginx PHP handling configuration

In LAMP, PHP runs as an httpd module: once the module is loaded, httpd can execute PHP scripts. In LNMP, PHP runs as a separate service (php-fpm): php-fpm must be started first, and Nginx then talks to it. In other words, php-fpm does the work of executing the PHP script and passes the result to Nginx, which returns it to the user.

1. Test
Before changing the configuration to add PHP handling, create a PHP file and check whether it is executed. The result:

[root@gary-tao ~]# vi /data/wwwroot/test.com/3.php

Add the following content:

<?php
phpinfo();
?>

[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
?>

Without a fastcgi location Nginx treats the file as static content and serves the raw source, so everything in it (database credentials in a real application, for example) is disclosed to the client.

2. Modify the configuration file
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following configuration:

location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload

Explanation

fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a TCP address (for example 127.0.0.1:9000), this line must become fastcgi_pass 127.0.0.1:9000. The address here has to match the address php-fpm listens on; otherwise Nginx returns a 502.
Another thing to watch: the path after fastcgi_param SCRIPT_FILENAME is the document root of the site and must agree with the root directive defined earlier; if it is wrong, PHP pages return 404. A common hardening addition in this location is try_files $uri =404; so that a request for a path that does not exist on disk is refused instead of being handed to php-fpm.
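The two failure modes just described (502 when fastcgi_pass and php-fpm's listen disagree, 404 when SCRIPT_FILENAME does not start with the site's root) are easy to check before reloading. This added example (not part of the page and not Nginx or php-fpm code) reads both files as text and reports any mismatch. The vhost and pool texts embedded here are constructed to mirror the page's configuration; the root directive and the pool file contents are assumptions, since the page does not show them.

```python
import re

# Constructed vhost mirroring the page's test.com.conf; the root line is assumed.
NGINX_VHOST = r"""
server
{
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}
"""

# Constructed php-fpm pool section (assumed; the page does not show php-fpm.conf).
PHP_FPM_POOL = """
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
"""


def _directive(conf, name):
    """Value of the first nginx directive called `name`, e.g. _directive(conf, "root")."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+?)\s*;", conf, re.MULTILINE)
    return m.group(1) if m else None


def _ini_value(conf, key):
    """Value of `key = value` in a php-fpm pool file."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(.+?)\s*$", conf, re.MULTILINE)
    return m.group(1) if m else None


def normalize_endpoint(value):
    """Map 'unix:/path', '/path', '127.0.0.1:9000' and a bare '9000' to one shape.
    php-fpm's bare-port form listens on all interfaces."""
    value = value.strip()
    if value.startswith("unix:"):
        value = value[len("unix:"):]
    if value.startswith("/"):
        return ("unix", value)
    if value.isdigit():
        return ("tcp", "0.0.0.0", int(value))
    host, _, port = value.rpartition(":")
    if not port.isdigit():
        raise ValueError(f"unrecognised endpoint: {value!r}")
    return ("tcp", host or "0.0.0.0", int(port))


def check_php_wiring(vhost, pool):
    """Return a list of problems; an empty list means nginx and php-fpm agree."""
    problems = []
    fpass, listen = _directive(vhost, "fastcgi_pass"), _ini_value(pool, "listen")
    if fpass is None or listen is None:
        return ["fastcgi_pass or php-fpm listen not found"]
    n, p = normalize_endpoint(fpass), normalize_endpoint(listen)
    same_transport = n[0] == p[0]
    same_unix = same_transport and n[0] == "unix" and n[1] == p[1]
    same_tcp = same_transport and n[0] == "tcp" and n[2] == p[2] and p[1] in ("0.0.0.0", n[1])
    if not (same_unix or same_tcp):
        problems.append(f"fastcgi_pass {fpass} does not match php-fpm listen = {listen}: expect 502")

    root = _directive(vhost, "root")
    script = _directive(vhost, "fastcgi_param SCRIPT_FILENAME")
    if root and script:
        prefix = script.replace("$document_root", root).replace("$fastcgi_script_name", "")
        if prefix.rstrip("/") != root.rstrip("/"):
            problems.append(f"SCRIPT_FILENAME prefix {prefix} differs from root {root}: expect 404")
    return problems


if __name__ == "__main__":
    print(check_php_wiring(NGINX_VHOST, PHP_FPM_POOL) or "nginx and php-fpm agree")
```

Using $document_root$fastcgi_script_name instead of a literal path passes this check automatically and avoids the 404 case when the site's root moves. Neither check covers which files php-fpm will execute: keep the upload/image deny block from the access-control section ahead of this location, and leave php-fpm's security.limit_extensions at its default of .php so that only files with that extension are run.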

[Figure: the configuration file]

[Figure: phpinfo() page rendering correctly]

Nginx proxy

A company with many servers will not, to save cost, give every one of them a public IP. A server without a public IP can still serve a website if requests reach it through a proxy.



Create a new configuration file
[root@gary-tao ~]# cd /usr/local/nginx/conf/vhost
[root@gary-tao vhost]# vim proxy.conf

Add the following:

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;   # IP of the server that actually hosts the proxied domain, i.e. the web server
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# There is no root here: this is a proxy server and does not need to serve any local files

[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -s reload

robots.txt is the index list aimed at crawlers; most sites have one. Fetched directly from the site:
[root@gary-tao vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@gary-tao vhost]#

Fetching through the local address reaches the remote site: the proxy server is our VM, and the web server is the one behind ask.apelearn.com.
[root@gary-tao vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@gary-tao vhost]#
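The three proxy_set_header lines in proxy.conf decide what the backend learns about the client, and they are worth understanding before the backend makes any access decision on them. This added example (not Nginx's code and not from the page) reproduces how $proxy_add_x_forwarded_for builds the X-Forwarded-For header and shows how a backend should read it. The addresses are constructed and the trusted-proxy set is an assumption.

```python
def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """What nginx's $proxy_add_x_forwarded_for evaluates to: the X-Forwarded-For the
    client already sent (if any) with the connecting address appended."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def client_ip(remote_addr, xff, trusted_proxies):
    """Backend-side reading of the chain. Walk it from the right and return the first
    address that is not one of our own proxies: everything to its left was written by
    a party we do not control. If the whole chain is trusted, the request started
    inside our proxy tier and the leftmost entry is returned."""
    chain = [a.strip() for a in xff.split(",") if a.strip()] if xff else []
    chain.append(remote_addr)                 # the hop that actually connected to us
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return chain[0]


def naive_client_ip(xff, remote_addr):
    """The common mistake: trust the leftmost X-Forwarded-For entry."""
    return xff.split(",")[0].strip() if xff else remote_addr


def demo():
    """Constructed scenario: a client forges X-Forwarded-For: 127.0.0.1 hoping to
    satisfy a rule like the page's allow 127.0.0.1 on the backend."""
    client, proxy, forged = "203.0.113.9", "10.0.0.5", "127.0.0.1"   # constructed addresses
    xff_at_backend = proxy_add_x_forwarded_for(forged, client)      # header as the backend receives it
    return (xff_at_backend,
            client_ip(proxy, xff_at_backend, {proxy}),
            naive_client_ip(xff_at_backend, proxy))


if __name__ == "__main__":
    header, correct, naive = demo()
    print("X-Forwarded-For at backend:", header)
    print("client according to right-to-left walk:", correct)
    print("client according to leftmost entry (spoofable):", naive)
```

Host, X-Real-IP and X-Forwarded-For are all written by the proxy, so the backend may trust them only if it is reachable solely through this proxy; if a client can connect to it directly it can send any values. Note also that on the backend $remote_addr is the proxy's own address, so allow/deny rules like those in the access-control section would see the VM's IP rather than the visitor's. Nginx's realip module (set_real_ip_from listing the proxy, real_ip_header X-Forwarded-For and real_ip_recursive on) performs the same right-to-left walk as client_ip here before the access rules run.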