180105 LNMP: configuring nginx hotlink protection (plus access control, PHP handling and proxying)
2018-01-09 19:38
nginx hotlink protection
Configuration:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
How it works: `~*` makes the extension match case-insensitive (1.GIF is covered as well). valid_referers leaves $invalid_referer empty when the Referer header matches one of the listed values and sets it to "1" otherwise, so the `if` answers 403 only for non-matching referers. `none` accepts requests that carry no Referer at all (curl, wget and most download tools send none by default, which is why the first curl test below gets 200); `blocked` accepts a Referer that is present but has had its http:// or https:// prefix stripped by a proxy or firewall; `server_names` accepts the vhost's own server_name values; `*.test.com` accepts any subdomain. The Referer is supplied by the client, so this only stops casual hotlinking from other sites' pages; any client can set it (compare the `-e` tests below). Dropping `none` would also block clients that send no Referer, including direct downloads. Note that `access_log off` in this block also suppresses logging of the 403s it produces.
[root@node15 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
access_log /tmp/test.com.log aming;
}
[root@node15 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@node15 ~]# curl -x 127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 10:39:00 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Sat, 06 Jan 2018 13:50:29 GMT
Connection: keep-alive
ETag: "5a50d425-b"
Expires: Tue, 16 Jan 2018 10:39:00 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@node15 ~]# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 10:39:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@node15 ~]# curl -e "http://www.test.com/1.txt" -x 127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 10:39:49 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Sat, 06 Jan 2018 13:50:29 GMT
Connection: keep-alive
ETag: "5a50d425-b"
Expires: Tue, 16 Jan 2018 10:39:49 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@node15 ~]# cat /tmp/test.com.log
127.0.0.1 - [06/Jan/2018:21:53:08 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
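To reason about the curl results above without a running nginx, here is an offline model of the `valid_referers none blocked server_names *.test.com;` decision. This is an added example, not code from the page; the semantics are taken from the nginx referer module documentation and the server_name/valid_referers values of the vhost above, and the extra Referer values in the test matrix are constructed. Regex (`~`) entries of valid_referers are not modelled.

```python
# Added example: offline model of nginx's valid_referers check for the page's vhost.
# Assumed semantics (ngx_http_referer_module documentation):
#   none         -> Referer header absent
#   blocked      -> Referer present but without an http:// or https:// prefix
#   server_names -> host part equals one of the vhost's server_name values
#   *.test.com   -> host part matches the wildcard (bare test.com is not a match)
# The host part is compared case-insensitively and the port is ignored.

SERVER_NAMES = ["test.com", "test2.com", "test3.com"]              # server_name line of the vhost
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]  # valid_referers line of the vhost


def referer_host(referer):
    """Host part of an http(s) Referer: scheme dropped, path and port cut off, lowercased."""
    rest = referer[referer.index("://") + 3:]
    host = ""
    for ch in rest:
        if ch in "/:":
            break
        host += ch.lower()
    return host


def is_valid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty, i.e. the request is allowed."""
    if not referer:
        return "none" in valid
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" in valid
    host = referer_host(referer)
    for entry in valid:
        if entry == "server_names":
            if host in server_names:
                return True
        elif entry in ("none", "blocked"):
            continue
        elif entry.startswith("*."):
            if host.endswith(entry[1:]):      # '*.test.com' -> host ends with '.test.com'
                return True
        elif entry.endswith(".*"):
            if host.startswith(entry[:-1]):   # 'test.*' -> host starts with 'test.'
                return True
        elif host == entry:
            return True
    return False


def status_for(referer):
    """HTTP status the location block above would answer for this Referer value."""
    return 200 if is_valid_referer(referer) else 403


# Constructed test matrix; the first three rows correspond to the curl runs above.
CASES = [
    (None, 200),                                  # curl without -e: no Referer at all
    ("http://www.baidu.com/1.txt", 403),          # hotlink from another site
    ("http://www.test.com/1.txt", 200),           # own subdomain
    ("HTTPS://WWW.TEST.COM:8443/page", 200),      # case and port are ignored
    ("test.com/page", 200),                       # scheme stripped -> 'blocked' applies
    ("http://test.com/page", 200),                # bare domain, via server_names
    ("http://eviltest.com/", 403),                # suffix trick does not satisfy '*.test.com'
    ("http://test.com.evil.org/", 403),           # prefix trick neither
]


def run_matrix(cases=CASES):
    """Rows (referer, expected, actual) where the model disagrees with the expectation."""
    return [(r, exp, status_for(r)) for r, exp in cases if status_for(r) != exp]


if __name__ == "__main__":
    for referer, expected in CASES:
        print(f"{str(referer):40} -> {status_for(referer)} (expected {expected})")
    print("mismatches:", run_matrix())
```

Running `run_matrix()` returns an empty list for the matrix above. Passing a `valid` list without `none` to `is_valid_referer` shows the trade-off mentioned earlier: the Referer-less request is then refused too.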
nginx access control
Requirement: requests for the /admin/ directory are allowed only from specified IPs. Configuration:
location /admin/
{
    allow 192.168.9.134;
    allow 127.0.0.1;
    deny all;
}
allow/deny rules are evaluated in order and the first match wins, so `deny all` must come last. They match $remote_addr, the address of the TCP peer; behind a reverse proxy every client would share the proxy's address. (The course outline uses 192.168.9.x addresses; on the host below the allowed LAN address is its own ens33 address, 192.168.88.15.)
Test steps:
mkdir /data/wwwroot/test.com/admin/
echo "test,test" > /data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
curl -x 127.0.0.1:80 test.com/admin/1.html -I
curl -x 192.168.9.233:80 test.com/admin/1.html -I
[root@node15 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.88.15;
allow 127.0.0.1;
deny all;
}
access_log /tmp/test.com.log aming;
}
[root@node15 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@node15 ~]# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 10:50:35 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Thu, 04 Jan 2018 01:38:23 GMT
Connection: keep-alive
ETag: "5a4d858f-13"
Accept-Ranges: bytes
[root@node15 ~]# curl -x 192.168.88.15:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 10:51:17 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Thu, 04 Jan 2018 01:38:23 GMT
Connection: keep-alive
ETag: "5a4d858f-13"
Accept-Ranges: bytes
[root@node15 ~]# cat /tmp/test.com.log
127.0.0.1 - [06/Jan/2018:21:53:08 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:18:50:35 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.88.15 - [09/Jan/2018:18:51:17 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
Add a second NIC (to test from an address that is not on the allow list; connecting through the new interface's address makes the request arrive from 192.168.73.128)
[root@node15 ~]# dhclient ens37
[root@node15 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.88.15 netmask 255.255.255.0 broadcast 192.168.88.255
inet6 fe80::7ad7:f9f6:7824:e6a prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4f:6c:8d txqueuelen 1000 (Ethernet)
RX packets 1086 bytes 96156 (93.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 687 bytes 83255 (81.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.73.128 netmask 255.255.255.0 broadcast 192.168.73.255
inet6 fe80::a15f:8aaa:fdf6:b2f2 prefixlen 64 scop
[root@node15 ~]# curl -x192.168.73.128:80 test.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@node15 ~]# cat /tmp/test.com.log
127.0.0.1 - [06/Jan/2018:21:53:08 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:18:50:35 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.88.15 - [09/Jan/2018:18:51:17 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.73.128 - [09/Jan/2018:18:55:45 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
Regex matching: deny PHP under upload/image directories
[root@node15 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.88.15;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
access_log /tmp/test.com.log aming;
}
[root@node15 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@node15 ~]# mkdir /data/wwwroot/test.com/upload
[root@node15 ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.php
[root@node15 ~]# curl -x 127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@node15 ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.txt
[root@node15 ~]# curl -x 127.0.0.1:80 test.com/upload/1.txt
1111111
[root@node15 ~]# cat /tmp/test.com.log
127.0.0.1 - [06/Jan/2018:21:53:08 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:18:50:35 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.88.15 - [09/Jan/2018:18:51:17 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.73.128 - [09/Jan/2018:18:55:45 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:19:00:31 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:19:02:14 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
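The log above is where the access-control and upload-deny decisions become visible (the hotlink 403s never reach it, because that location has `access_log off`; note that three 1.gif requests left no trace earlier). As an added example, not part of the page, here is a small parser for this custom log layout that summarises who is being refused, which referers come from outside the site's own domains, and which requests probed for PHP under upload/image. The field order is inferred from the lines above; the second field (always "-" here) is assumed to be $http_x_forwarded_for. The last two sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Added example: parser and summary for the custom 'aming' log_format seen in /tmp/test.com.log.
# Assumed field layout (inferred from the page's lines):
# remote_addr  x_forwarded_for  [time_local]  host  "request_uri"  status  "referer"  "user_agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<xff>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_HOSTS = {"test.com", "test2.com", "test3.com"}          # server_name values of the vhost
UPLOAD_PHP_RE = re.compile(r".*(upload|image)/.*\.php$")    # same regex as the deny location

# The page's six log lines plus two constructed ones (a scripted client and a PHP probe).
SAMPLE_LOG = """\
127.0.0.1 - [06/Jan/2018:21:53:08 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:18:50:35 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.88.15 - [09/Jan/2018:18:51:17 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.73.128 - [09/Jan/2018:18:55:45 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:19:00:31 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [09/Jan/2018:19:02:14 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
192.168.73.128 - [09/Jan/2018:19:05:02 +0800] test.com "/admin/" 403 "-" "python-requests/2.18.4"
192.168.73.128 - [09/Jan/2018:19:05:09 +0800] test.com "/image/shell.php" 403 "http://www.test.com/gallery" "Mozilla/5.0"
"""


def parse_line(line):
    """One log line -> dict of fields (status as int), or None if the line does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def referer_domain(referer):
    """Lowercased host of a logged Referer, or None for '-' / empty / unparsable values."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def summarize(log_text, own_hosts=OWN_HOSTS):
    """Counts of 403s per client, referers from outside own domains, and PHP-under-upload probes."""
    forbidden, foreign, probes, unparsed = Counter(), Counter(), [], 0
    own_suffixes = tuple("." + h for h in own_hosts)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] == 403:
            forbidden[rec["ip"]] += 1
        domain = referer_domain(rec["referer"])
        if domain and domain not in own_hosts and not domain.endswith(own_suffixes):
            foreign[domain] += 1
        if UPLOAD_PHP_RE.match(rec["uri"]):
            probes.append((rec["ip"], rec["uri"], rec["status"]))
    return {
        "unparsed": unparsed,
        "forbidden_by_ip": dict(forbidden),
        "foreign_referers": dict(foreign),
        "php_under_upload": probes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-zero `unparsed` count usually means the log_format was changed; fix the regex rather than silently dropping lines. If you want the hotlink refusals in the same picture, replace `access_log off` in the static location with a dedicated access_log file.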
Restrict by User-Agent:
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
`~*` matches case-insensitively. The configuration actually applied below uses `~`, which is case-sensitive, so a client sending "tomato" would get through it. The User-Agent is chosen by the client, so this only filters crawlers that identify themselves.
deny all and return 403 have the same effect (both answer 403 Forbidden).
[root@node15 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.88.15;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/test.com.log aming;
}
[root@node15 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@node15 ~]# !curl
curl -x192.168.73.128:80 test.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@node15 ~]# curl -A "Tomato" -x 127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 11:07:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
nginx configuration for handling PHP
Configuration:
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
fastcgi_pass specifies the address (host:port) or unix socket that php-fpm listens on; it has to match the listen setting of the php-fpm pool, otherwise nginx answers 502. SCRIPT_FILENAME is the document root plus the script path, so keep it consistent with root. Regex locations are tried in file order and the first match wins, which is why this block must come after the upload/image deny block above.
[root@node15 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.88.15;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.com.log aming;
}
[root@node15 ~]# vi /data/wwwroot/test.com/3.php
[root@node15 ~]# cat /data/wwwroot/test.com/3.php
<?php
phpinfo(0;
Before the reload the new location is not active yet, so nginx serves the .php file as a static file and returns its source verbatim. A missing or misconfigured PHP handler discloses source code, which is worth checking for on every vhost:
[root@node15 ~]# curl -x 127.0.0.1:80 test.com/3.php
<?php
phpinfo(0;
[root@node15 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@node15 ~]# curl -x 127.0.0.1:80 test.com/3.php
After the reload the request reaches php-fpm, but the body is empty: `phpinfo(0;` is a PHP syntax error (it should be `phpinfo();`), and with display_errors off a parse error typically yields an empty 500 response. Check the status with `curl -I` and the php-fpm error log; with the typo fixed, the phpinfo page is returned.
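With five location blocks in the vhost (static extensions, js/css, /admin/, the upload/image PHP deny, and the PHP handler), it is worth checking which block actually wins for a given URI. The following is an added example, not code from the page: a model of nginx's location selection rules run against a condensed copy of the vhost above (directives that do not affect matching are dropped). It shows why the deny block has to precede `location ~ \.php$`, and also that the prefix location `/admin/` with its allow/deny does not cover `/admin/anything.php`, because a matching regex location takes precedence over a prefix location.

```python
import re

# Added example: model of nginx location selection, run against the page's vhost.
# Rules modelled (nginx 'location' documentation):
#   1. an exact '=' match wins immediately;
#   2. the longest matching prefix location is remembered; if it is marked '^~' it is used;
#   3. otherwise regex locations ('~' case-sensitive, '~*' case-insensitive) are tried
#      in file order and the first match wins;
#   4. otherwise the remembered prefix is used; with no match at all, server-level config applies.
# Nested locations, try_files and rewrite are not modelled.

# Condensed copy of the vhost above; only the location lines matter for matching.
VHOST = r"""
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    { expires 7d; access_log off; }
    location ~ .*\.(js|css)$
    { expires 12h; access_log off; }
    location /admin/
    { allow 192.168.88.15; allow 127.0.0.1; deny all; }
    location ~ .*(upload|image)/.*\.php$
    { deny all; }
    location ~ \.php$
    { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; }
}
"""

LOCATION_RE = re.compile(r"^\s*location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{?", re.MULTILINE)


def parse_locations(config_text):
    """Ordered list of (modifier, pattern); commented-out location lines are skipped."""
    return [(m.group(1) or "", m.group(2)) for m in LOCATION_RE.finditer(config_text)]


def select_location(locations, uri):
    """(modifier, pattern) of the location nginx would use for uri, or None for server-level."""
    best = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat) and (best is None or len(pat) > len(best[1])):
            best = (mod, pat)
    if best is not None and best[0] == "^~":
        return best
    for mod, pat in locations:
        if mod == "~" and re.search(pat, uri):
            return (mod, pat)
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return (mod, pat)
    return best


LOCATIONS = parse_locations(VHOST)
# Same blocks with the PHP handler moved in front of the upload/image deny block.
WRONG_ORDER = LOCATIONS[:3] + [LOCATIONS[4], LOCATIONS[3]]


def handler(uri, locations=None):
    """Pattern string of the winning location for uri, or None."""
    sel = select_location(LOCATIONS if locations is None else locations, uri)
    return None if sel is None else sel[1]


if __name__ == "__main__":
    for uri in ["/1.gif", "/admin/", "/admin/index.php", "/upload/1.php", "/upload/1.txt"]:
        print(f"{uri:20} -> {handler(uri)}")
    print("wrong order, /upload/1.php ->", handler("/upload/1.php", WRONG_ORDER))
```

`handler("/admin/index.php")` returns the `\.php$` pattern, not `/admin/`, so the IP allow-list is not applied to PHP files under /admin/. The usual way to close that gap is a `location ^~ /admin/` block carrying the allow/deny, with a nested `location ~ \.php$` inside it that repeats the fastcgi directives; the `^~` stops the outer regex locations from being consulted.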
nginx proxy (reverse proxy)
The user sends the request to the proxy server; the proxy forwards it to the web server, the web server returns the response to the proxy, and the proxy passes it back to the user. In production the site's domain is resolved to the proxy server, so user requests land on the proxy, which fetches the content from the real server on the user's behalf and returns it. This is the same idea as reaching a server abroad through an intermediary, and it is the building block of load balancing.
The three proxy_set_header lines in the config below matter for the backend: Host carries the original host name so the backend's vhost matches; X-Real-IP carries the proxy's TCP peer address; X-Forwarded-For is built with $proxy_add_x_forwarded_for, i.e. the incoming X-Forwarded-For (which the client may have set to anything) with $remote_addr appended, so a backend must only trust the entries added by its own proxies. Because the backend now sees the proxy's address as $remote_addr, allow/deny rules there would apply to the proxy, not to the end user.
Configuration outline:
cd /usr/local/nginx/conf/vhost
vi proxy.conf
server { listen 80; server_name ask.apelearn.com;
[root@node15 ~]# cd /usr/local/nginx/conf/vhost/
[root@node15 vhost]# vi proxy.conf
[root@node15 vhost]# cat proxy.conf
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://121.201.9.155/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@node15 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@node15 vhost]# curl ask.apelearn.com/robots.txt
[root@node15 vhost]# curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@node15 vhost]#
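This example ties the access-control section (allow/deny on $remote_addr) to the proxy section. It is added here and is not code from the page: it shows what `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` produces at the backend, how a backend should recover the client address from that header (walk from the right, skipping its own trusted proxies), and why reading the first entry or relying on $remote_addr would let a client defeat the /admin/ allow-list. The proxy address (taken as this host's ens33 address) and the client addresses are assumptions for the example.

```python
import ipaddress

# Added example: X-Forwarded-For as built by nginx and as it should be consumed by a backend.
# Assumption: the nginx proxy reaches the backend from 192.168.88.15 (this host's ens33 address);
# client addresses are from the TEST-NET range and constructed for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.88.15/32")]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Value nginx sends upstream: incoming header plus ', ' plus $remote_addr, or just $remote_addr."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def real_client_ip(xff_header, remote_addr, trusted=TRUSTED_PROXIES):
    """Client address seen through trusted proxies.

    If the TCP peer is not a trusted proxy the header is untrusted and remote_addr is the client.
    Otherwise walk the header from the right; the first hop that is not a trusted proxy is the
    client. Entries left of that hop were supplied by the client and are ignored.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr


def admin_allowed(client_ip, allow=("192.168.88.15", "127.0.0.1")):
    """The page's 'allow 192.168.88.15; allow 127.0.0.1; deny all;' rule for /admin/, evaluated on an address."""
    return client_ip in allow


if __name__ == "__main__":
    client, proxy = "203.0.113.7", "192.168.88.15"
    # Client tries to look like localhost to the backend by sending its own X-Forwarded-For.
    forged = "127.0.0.1"
    at_backend = proxy_add_x_forwarded_for(forged, client)
    print("header at backend:", at_backend)
    print("naive first entry :", at_backend.split(",")[0].strip(), "-> allowed:",
          admin_allowed(at_backend.split(",")[0].strip()))
    print("rightmost untrusted:", real_client_ip(at_backend, proxy), "-> allowed:",
          admin_allowed(real_client_ip(at_backend, proxy)))
    print("$remote_addr at backend:", proxy, "-> allowed:", admin_allowed(proxy))
```

Three outcomes are worth noticing: the naive first-entry parse accepts the forged 127.0.0.1, the right-to-left walk yields the real client and refuses it, and a backend that keeps allow/deny on $remote_addr would accept every proxied user because they all arrive from the proxy address. On an nginx backend the same right-to-left logic is provided by the realip module (`set_real_ip_from`, `real_ip_header X-Forwarded-For`, `real_ip_recursive on`), which rewrites $remote_addr before allow/deny is evaluated.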