8.15 12.13-12.16
2018-08-18 08:10
12.13 nginx hotlink protection
Because hotlink protection, element expiry time and disabling the access log all use the same location block, they are written together.
Configuration:
…
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #     expires 7d;
    #     access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    # ~* makes the gif, jpg etc. keywords that follow case-insensitive; .+ matches any single character one or more times
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        # defines the whitelist of referer server names
        if ($invalid_referer) {
            return 403;
        }
        # $invalid_referer is set when the referer is not in the whitelist; when it matches, 403 is returned
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }
…
Test:
[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 -e "http://www.baidu.com" test.com/1.gif
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 -e "http://www.test.com" test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 13:55:38 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Tue, 14 Aug 2018 23:37:40 GMT
Connection: keep-alive
ETag: "5b7367c4-b"
Expires: Thu, 23 Aug 2018 13:55:38 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
With referer www.baidu.com the status code is 403; with referer www.test.com it is 200.
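As an added illustration (not code from the original post), the following Python models nginx's valid_referers decision for the rule above, covering the none, blocked, server_names and *.test.com cases; it assumes the vhost's server_name is test.com, which the page does not show. Because the client sets the Referer header itself (curl -e in the test above), this check deters casual hotlinking rather than enforcing anything.

```python
import re

# Assumed server_name of the vhost in test.com.conf (the page does not show the server block).
SERVER_NAMES = ["test.com"]
# The page's rule: valid_referers none blocked server_names *.test.com;
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def _referer_host(referer: str):
    """Host part of a Referer value, or None when it carries no http(s) scheme."""
    m = re.match(r"^https?://([^/?#]+)", referer, re.IGNORECASE)
    if not m:
        return None
    host = m.group(1).lower()
    if "@" in host:                 # drop userinfo
        host = host.rsplit("@", 1)[1]
    return host.split(":", 1)[0]    # drop port


def invalid_referer(referer, rules=VALID_REFERERS, server_names=SERVER_NAMES) -> bool:
    """Model of nginx's $invalid_referer: True means the request gets the 403 above."""
    if referer is None:
        return "none" not in rules        # no Referer header at all
    host = _referer_host(referer)
    if host is None:
        return "blocked" not in rules     # Referer present but its scheme was stripped/masked
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in [n.lower() for n in server_names]:
                return False
        elif rule.startswith("*."):       # "*.test.com" matches any subdomain, not test.com itself
            if host.endswith(rule[1:].lower()):
                return False
        elif rule.endswith(".*"):         # "test.*" matches any top-level domain
            if host.startswith(rule[:-1].lower()):
                return False
        elif host == rule.lower():
            return False
    return True


def status_for(referer) -> int:
    """Status the page's image location returns for a given Referer value."""
    return 403 if invalid_referer(referer) else 200
```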
12.14 nginx access control
Configuration for a directory:
[root@hyc-01-01 test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
…
    location ~ .*\.(js|css)$
    {
        # expires 12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.31.129;
        deny all;
    }
    # When the URL matches /admin/, the allow rules are checked in order and then everything else is denied.
    # Rules are evaluated sequentially; once one matches, the remaining rules are not consulted.
    location ~ admin.php
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
Test:
[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 admin]# curl -x127.0.0.1:80 http://test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 14:42:32 GMT
Content-Type: text/html
Content-Length: 23
Last-Modified: Mon, 13 Aug 2018 23:46:22 GMT
Connection: keep-alive
ETag: "5b72184e-17"
Accept-Ranges: bytes
[root@hyc-01-01 admin]# curl -x192.168.31.129:80 http://test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 14:42:35 GMT
Content-Type: text/html
Content-Length: 23
Last-Modified: Mon, 13 Aug 2018 23:46:22 GMT
Connection: keep-alive
ETag: "5b72184e-17"
Accept-Ranges: bytes
[root@hyc-01-01 admin]# tail -2 /tmp/test.com.log
127.0.0.1 - [16/Aug/2018:22:42:32 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.31.129 - [16/Aug/2018:22:42:35 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"
[root@hyc-01-01 admin]# curl -x192.168.100.1:80 http://test.com/admin/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 14:48:56 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hyc-01-01 admin]# tail -1 /tmp/test.com.log
192.168.100.1 - [16/Aug/2018:22:48:56 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
Configuration using a regular expression:
[root@hyc-01-01 admin]# vim /usr/local/nginx/conf/vhost/test.com.conf
…
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.31.129;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    # matches any URL with one or more characters, then upload or image, then /, then one or more characters, ending in .php
    {
        deny all;
    }
Test:
[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 admin]# curl -x127.0.0.1:80 http://test.com/upload/test.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:07:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hyc-01-01 upload]# curl -x127.0.0.1:80 http://test.com/upload/test.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:12:59 GMT
Content-Type: text/plain
Content-Length: 20
Last-Modified: Thu, 16 Aug 2018 15:12:36 GMT
Connection: keep-alive
ETag: "5b759464-14"
Accept-Ranges: bytes
[root@hyc-01-01 upload]# tail -1 /tmp/test.com.log
127.0.0.1 - [16/Aug/2018:23:14:33 +0800] test.com "/upload/test.txt" 200 "-" "curl/7.29.0"
Configuration based on user_agent:
[root@hyc-01-01 upload]# vim /usr/local/nginx/conf/vhost/test.com.conf
…
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    # if the ~ after $http_user_agent is followed by a * (~*), the patterns that follow are matched case-insensitively
    {
        return 403;
    }
…
Test:
[root@hyc-01-01 upload]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 upload]# curl -A "Spider/3.0" -x127.0.0.1:80 http://test.com/upload/test.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:26:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hyc-01-01 upload]# curl -A "Spidor/3.0" -x127.0.0.1:80 http://test.com/upload/test.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:26:50 GMT
Content-Type: text/plain
Content-Length: 20
Last-Modified: Thu, 16 Aug 2018 15:12:36 GMT
Connection: keep-alive
ETag: "5b759464-14"
Accept-Ranges: bytes
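As an added example, not part of the original post, the Python below models the three access-control rules above (first-match allow/deny for /admin/, the regex deny for upload/image PHP files is left out, and the case-sensitive ~ user-agent match versus ~*) and checks log lines in the page's log format against what the rules should have produced; the address 10.0.0.5 and the third log line, which deliberately disagrees with the rules, are constructed.

```python
import ipaddress
import re

# Model of the page's "location /admin/" rules, evaluated in order: first match wins.
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "192.168.31.129"), ("deny", "all")]
# The page's user-agent rule: if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
UA_BLOCK_PATTERN = "Spider/3.0|YoudaoBot|Tomato"

def access_decision(client_ip: str, rules=ADMIN_RULES) -> str:
    """Return the action of the first allow/deny rule matching client_ip (IP or CIDR)."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"  # nginx default when no rule matches

def ua_blocked(user_agent: str, case_insensitive: bool = False) -> bool:
    """~ compares case-sensitively; ~* (case_insensitive=True) does not."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(UA_BLOCK_PATTERN, user_agent, flags) is not None

def expected_status(client_ip: str, user_agent: str, uri: str) -> int:
    """Status the page's configuration should produce for a request."""
    if ua_blocked(user_agent):
        return 403
    if uri.startswith("/admin/") and access_decision(client_ip) == "deny":
        return 403
    return 200

# Constructed log lines in the page's format: ip - [time] host "uri" status "referer" "ua"
SAMPLE_LOG = """\
127.0.0.1 - [16/Aug/2018:22:42:32 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.100.1 - [16/Aug/2018:22:48:56 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
10.0.0.5 - [16/Aug/2018:23:01:00 +0800] test.com "/upload/test.txt" 200 "-" "Spider/3.0"
"""
LOG_RE = re.compile(r'^(\S+) - \[[^\]]+\] \S+ "([^"]*)" (\d{3}) "[^"]*" "([^"]*)"')

def audit_log(text: str) -> list:
    """Return the log lines whose recorded status differs from what the rules predict."""
    mismatches = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, uri, status, ua = m.groups()
            if int(status) != expected_status(ip, ua, uri):
                mismatches.append(line)
    return mismatches
```

A non-empty result from audit_log points at a rule that was not in effect when the line was logged (for example a reload that had not happened yet).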
12.15 nginx PHP parsing configuration
Configuration:
[root@hyc-01-01 vhost]# vim test.com.conf
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # location of the php-fpm socket file; specifying the wrong socket address may produce a 502 error.
        # The socket path (or ip+port) here must match the one php-fpm listens on.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
        # the path /data/wwwroot/test.com must match the root set in the server block
    }
Test:
[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo()
(not parsed: the PHP source is returned as-is)
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 test.com]# !curl
curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 23:57:48 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
php-fpm also supports -t and -s reload.
[root@hyc-01-01 etc]# vim php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
; gives every user read and write permission on the PHP socket file (/tmp/php-fcgi.sock); without read and write
; permission the nginx user cannot open the socket, so it cannot talk to php-fpm and PHP is not parsed correctly
; (listen.owner/listen.group set to the nginx user with listen.mode = 660 restricts the socket to that user instead)
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
…
12.16 nginx proxy
The web server has only a private IP address and cannot be reached directly;
The proxy server must be able to reach both the user and the web server (two network interfaces);
The proxy server accesses the web server on the user's behalf and returns the result to the user;
A user may be able to reach a remote web server directly but only slowly; a proxy server can then serve as a hop: the user reaches the proxy quickly and the proxy reaches the remote web server quickly, so accessing the web server through the proxy ends up faster than accessing it directly;
Configuration:
[root@hyc-01-01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@hyc-01-01 vhost]# vim proxy.conf
    server
    {
        listen 80;
        server_name ask.apelearn.com;   # the domain to be accessed
        location /
        {
            proxy_pass http://223.94.95.10/;   # tells the proxy server the real server's IP address
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Headers passed upstream: Host $host is the domain being accessed (the server_name);
            # X-Real-IP $remote_addr; X-Forwarded-For $proxy_add_x_forwarded_for
        }
    }
Test:
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 vhost]# curl ask.apelearn.com/robots.txt
[root@hyc-01-01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
Test successful.
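Added example, not from the original post: Python modelling how $proxy_add_x_forwarded_for builds the X-Forwarded-For header on the proxy above and how the real web server behind it should read that header, trusting only the proxy's own address. The proxy address 198.51.100.10 and the client addresses 203.0.113.7 and 192.0.2.9 are constructed, not the page's hosts.

```python
import ipaddress

# Constructed: the proxy's address as the upstream web server sees it (the page's real hosts differ).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.10/32")]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr: str) -> str:
    """Model of $proxy_add_x_forwarded_for on the proxy: append $remote_addr to whatever
    X-Forwarded-For value the client already sent, or start the list if there was none."""
    if not incoming_xff or not incoming_xff.strip():
        return remote_addr
    return f"{incoming_xff}, {remote_addr}"


def _trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff, remote_addr: str) -> str:
    """On the upstream server: only the right-most entries were appended by hops we trust.
    Walk the list from the right, skipping trusted proxies; the first other address is the
    client. Anything left of it arrived in the client's own request and is not trusted."""
    if not _trusted(remote_addr):
        return remote_addr        # request did not come through our proxy; ignore the header
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for hop in reversed(hops):
        if not _trusted(hop):
            return hop
    return remote_addr


def naive_client_ip(xff, remote_addr: str) -> str:
    """The common mistake: use the left-most entry, which is whatever the client wrote."""
    return xff.split(",")[0].strip() if xff else remote_addr
```

The same trust boundary applies to X-Real-IP: the upstream may rely on it only when the connection really comes from the proxy that set it.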