[toc]
Nginx防盗链&Nginx访问控制&Nginx解析php相关配置&Nginx代理
一、Nginx防盗链:
1. 打开配置文件:
增加如下配置文件:
[root@xavi ~]# cd /usr/local/nginx/conf/vhost/
[root@xavi vhost]# vim test.com.conf
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
- 防盗链部分
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
如上配置文件中匹配以gif,jpg,png结尾的页面,并且设置一个白名单的referer为*.test.com, 其它的($invalid_referer)均403 forbidden!
2. 测试+重载(-t && -s reload)
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
测试
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
使用本地主机访问2.js 是没有问题的,指定一个referer,再次测试:
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
二、Nginx访问控制:
有时候在咱们运维一些网站的时候,发现一些访问是不正常的。或者为了提高安全性,我们需要将某些页面加密处理!
1 增加配置文件,设置来源IP
vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
{
allow 127.0.0.1;
allow 192.168.72.130; //自己试验虚拟机的服务器
deny all;
}
==匹配规则为,一旦匹配则后面的均不执行,也就是允许127.0.0.1和192.168.72.130 访问;其它的均拒绝!==
2.测试语法并重载配置
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
3.匹配站点后台登录页,进行访问控制!
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
查看日志:cat /tmp/test.com.log
4.针对某个可以上传的目录做指定文件(例如:php)不解析:
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
任何PHP文件都不解析,而txt文件可以访问
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
5.根据user-agent限制:
如果站点被CC攻击了,或者不想被蜘蛛爬自己的网站,我们完全可以根据user-agent去禁止掉:
vim /usr/local/nginx/conf/vhost/test.com.conf 打开添加一下语句
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
测试语法并重加载配置
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
加载1.txt测试
[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes
我们发现,当我们修改user-agent为小写的时候,就不生效了。所以我们需要设置忽略大小写:
重新在虚拟机配置文件 test.com.conf下修改配置
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
只需要在~添加一个 * 即可!
完成过程:
[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
三、Nginx解析php相关配置
1.增加以下配置:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
}
fastcgi_pass 用来指定php-fpm监听的地址或者socket
完整以配置的内容:
vim /usr/local/nginx/conf/vhost/test.com.conf
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 127.0.0.1;
allow 192.168.72.130;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
}
2.创建一个测试php文件
[root@xavi vhost]# vim /data/nginx/test.com/3.php
>?php
phpinfo();
无法解析,显示源码(编辑的conf文件未完成-t&-s reload配置)
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
这里特别注意下配置文件中/data/nginx/test.com,而不是设置www.test.com
-t&-s reload配置后,可以正常解析phpinfo()
3.小结:其中fastcgi_pass用来指定php-fpm的地址,如果php-fpm监听的是一个tcp:port的地址(比如127.0.0.1:9000),那么也需要在这里改成fastcgi_pass 127.0.0.1:9000。这个地址一定要和php-fpm服务监听的地址匹配,否是会报502错误.还有一个地方要注意fastcgi_param SCRIPT_FILENAME 后面跟的路径为该站点的根目录,和前面定义的root那个路径保持一致,如果这里配置不对,访问PHP页面会出现404;还有一种502的现象,如果内存中出现大量的php-fpm进程占据了内存,也会同样导致此问题!
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}
查看php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
无法查看错误日志
测试:找到了日志文件路径,查看了error.log,里面是有内容的,但是忘了自己是否对nginx专门设定了日志文件
[root@xavi ~]# cd /usr/local/nginx/logs/
[root@xavi logs]# ls
access.log error.log nginx_error.log nginx.pid
[root@xavi logs]# cat error.log
2018/03/14 00:05:58 [emerg] 124460#0: unknown directive "er" in /usr/local/nginx/conf/nginx.conf:1
2018/03/14 21:06:14 [notice] 5737#0: signal process started
2018/03/14 21:41:27 [notice] 6234#0: signal process started
2018/03/14 21:59:27 [notice] 6446#0: signal process started
2018/03/14 22:16:03 [notice] 6668#0: signal process started
2018/03/14 22:38:58 [emerg] 6947#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:40:17 [emerg] 6962#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:44:22 [emerg] 7015#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/test.com.conf:4
2018/03/14 22:55:13 [emerg] 7151#0: unknown directive "//有这个default_server标记的就是默认虚拟主机" in /usr/local/nginx/conf/vhost/aaa.com.conf:4
2018/03/14 22:56:55 [emerg] 7173#0: "location" directive is not allowed here in /usr/local/nginx/conf/vhost/atorreid.com.conf:12
2018/03/14 22:58:57 [emerg] 7197#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/bcd.com.conf:3
2018/03/14 23:01:46 [warn] 7251#0: conflicting server name "test.com" on 0.0.0.0:80, i
四、Nginx代理
假如一个用户需要访问WEB服务器,但是用户与WEB服务器之间是不通的,WEB服务器在内网,我们需要一个代理服务器来帮助用户访问web,他必须和用户相通,也必须和web服务器相通,在中间起到搭桥的这就是代理服务器。这样当你下载好一个安装包后,别的同事也可以在内网里共享你的下载,节约资源.
4.1 原理:
Nginx代理是一种反向代理。反向代理(Reverse Proxy)方式是指以代理服务器来接受Internet上的连接请求,然后将请求转发给内部网络上的服务器;并将从服务器上得到的结果返回给Internet上请求连接的客户端,此时代理服务器对外就表现为一个服务器。
假如这家公司有很多台服务器,为了节省成本,不能为所有的服务器都分配公网IP,而如果一个没有公网的IP的复为其要提供web服务,就可以通过代理来实现,这就是 Nginx比httpd越来越受欢迎的原因
graph LR 用户–>代理服务器 代理服务器–>用户 代理服务器–>web服务器 web服务器–>代理服务器
4.2 编辑配置文件
cd /usr/local/nginx/conf/vhost
vim proxy.conf
- 加入如下内容:
server
{
listen 80;
server_name ask.apelearn.com;
# 定义域名(一般和被代理ip的域名保持一致)
location /
{
proxy_pass http://47.91.145.78/; //用window的cmd去ping这个网址的IP
# 指定被代理(被访问)的IP(web服务器IP)
proxy_set_header Host $host;
# $host指的是代理服务器的servername(也是被代理IP的域名)
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
因为是代理服务器所以不需要访问本地服务器的任何文件; ask.apelearn.com; 定义一个域名;
proxy_pass http://47.91.145.78/;真实WEB服务器的IP地址。
$host; 也就是咱们的server_name
重启nginx之后再次测试,127.0.0.1就是自己的代理机,访问的论坛
[root@xavi vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 18 Mar 2018 08:51:31 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=kgp331gk94i16pcv9jti0qgd65; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
测试网站的robots
[root@xavi vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
来源:oschina
链接:https://my.oschina.net/u/3960917/blog/2962972