Nginx防盗链、访问控制、解析php相关配置、代理

12.13 Nginx防盗链

配置

#编辑配置文件
[root@taoyuan ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

#内容如下
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires     7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer){
return 403;
}
access_log off;
}

截图如下：

检测 && 加载

[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -s reload

测试

[root@taoyuan ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 12:52:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@taoyuan ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 12:52:25 GMT
Content-Type: image/gif
Content-Length: 6
Last-Modified: Thu, 04 Jan 2018 14:03:12 GMT
Connection: keep-alive
ETag: "5a4e3420-6"
Expires: Fri, 12 Jan 2018 12:52:25 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

#表示配置成功了。

12.14 Nginx访问控制

需求：

访问/admin/目录的请求，只允许某几个IP访问，配置如下：

#编辑配置文件
[root@taoyuan ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

#配置内容
location /admin/
{
allow 127.0.0.1;
allow 192.168.0.10;
deny all;
}

截图如下：



测试

#检测 && 加载
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -s reload
#测试
[root@taoyuan ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 13:05:25 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 14:08:45 GMT
Connection: keep-alive
ETag: "5a4ce3ed-13"
Accept-Ranges: bytes

[root@taoyuan ~]# curl -x192.168.0.10:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 13:05:32 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 03 Jan 2018 14:08:45 GMT
Connection: keep-alive
ETag: "5a4ce3ed-13"
Accept-Ranges: bytes

[root@taoyun ~]# curl -x192.168.0.12:80 -I test.com/admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 10 Jan 2018 06:44:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
#192.168.0.12 需要增加一个网卡测试
#配置匹配 第三条规则 所以 返回403

可以匹配正则
适用于禁止解析PHP限制

#编辑配置文件
[root@taoyuan ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

#内容如下：
location ~.*(upload|image)/.*\.php$
{
deny all;
}

测试

#检测 && 加载
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -s reload
#创建测试文件
[root@taoyuan ~]# mkdir /data/wwwroot/test.com/upload

[root@taoyuan ~]# echo "upload/1.php" > /data/wwwroot/test.com/upload/1.php

#curl测试
[root@taoyuan ~]# curl -x127.0.0.1:80 -I test.com/upload/1.php
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 13:19:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
#状态码403 1.php后缀的将不能访问

#测试访问其他后缀的
[root@taoyuan ~]# echo "upload/1.php" > /data/wwwroot/test.com/upload/1.txt
[root@taoyuan ~]# curl -x127.0.0.1:80 -I test.com/upload/1.txt
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 13:20:57 GMT
Content-Type: text/plain
Content-Length: 13
Last-Modified: Fri, 05 Jan 2018 13:20:47 GMT
Connection: keep-alive
ETag: "5a4f7baf-d"
Accept-Ranges: bytes
#状态码200 说明配置生效

user_agent限制

#配置文件
[root@taoyuan ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

#内容如下
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}

-t && -s reload

检测

[root@taoyuan ~]# curl -A "Tomato1312411" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 13:34:49 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@taoyuan ~]# curl -A "tomato1312411" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 05 Jan 2018 13:36:27 GMT
Content-Type: text/plain
Content-Length: 13
Last-Modified: Fri, 05 Jan 2018 13:20:47 GMT
Connection: keep-alive
ETag: "5a4f7baf-d"
Accept-Ranges: bytes

#这个是精确匹配的，如果需要不区分大小写可以在 ~ 后面加个*号。

12.15 Nginx解析php相关配置

配置文件 /usr/local/nginx/conf/vhost/test.com.conf

#编辑配置文件，内容如下
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

不加载测试是否能解析PHP

[root@taoyuan ~]# curl -x127.0.0.1:80 test.com/1.php
<?php echo "<h1>test.com/1.php</h1>"; ?>
#显示源码

12.16 Nginx代理

用户不能直接访问web服务器，可以用代理服务器，作为中间者。

创建proxy.conf

[root@taoyuan ~]# cd /usr/local/nginx/conf/vhost/
[root@taoyuan vhost]# vim proxy.conf

#内容如下
server
{
listen 80;
server_name ask.apelearn.com;
#定义域名

location /
{
proxy_pass    http://121.201.9.155/; #远程web服务端
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-forwarded-For $proxy_add_x_forwarded_for;
}
}

测试

[root@taoyuan vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@taoyuan vhost]# curl ask.apelearn.com/robots.txt
#
#robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
……

扩展
502问题汇总 http://ask.apelearn.com/question/9109

location优先级 http://blog.lishiming.net/?p=100