12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

可莉
• 阅读 852

12.13 Nginx防盗链

因为该配置也使用location板块,所以本节可结合日志管理(不记录和过期时间)一起配置:

[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
#定义referer白名单
    if ($invalid_referer) {
        return 403;
#if函数的意思是:如果不是白名单内的域名,返回值:403
    }
    access_log off;
}

说明: “location ~* ^.+”在此0“ * ”的作用是后面匹配的内容不区分大小写。

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

检测及测试

[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# ls /data/wwwroot/test.com/
1.gif  2.js  admin  index.html
[root@cham002 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 13:54:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@cham002 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 13:55:14 GMT
Content-Type: image/gif
Content-Length: 32
Last-Modified: Wed, 03 Jan 2018 13:34:18 GMT
Connection: keep-alive
ETag: "5a4cdbda-20"
Expires: Wed, 10 Jan 2018 13:55:14 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

即,使用非白名单内的referer进行访问,被拒绝!!!

12.14 Nginx访问控制

需求:访问/admin/目录的请求,只允许几个指定IP通过,配置如下:

[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}


    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
       allow 127.0.0.1;
       allow 192.168.230.135;
       deny all;
#设置IP白名单
    }

    access_log /tmp/test.com.log cham;
}


[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

测试(针对目录的)

[root@cham002 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 07:59:16 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes

[root@cham002 ~]# curl -x192.168.230.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:00 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes

[root@cham002 ~]# curl -x192.168.230.135:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:14 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes

[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@cham002 ~]# curl -x192.168.230.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:37 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes

[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

[root@cham002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.135  netmask 255.255.255.0  broadcast 192.168.230.255
        inet6 fe80::6f15:52d3:ebeb:e193  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)
        RX packets 96831  bytes 41894507 (39.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60974  bytes 20136998 (19.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.150  netmask 255.255.255.0  broadcast 192.168.230.255
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::1801:cbbb:ebcc:89a3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:ed  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 746 (746.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 81  bytes 6462 (6.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 1363  bytes 1359483 (1.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1363  bytes 1359483 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@cham002 ~]# curl -x192.168.100.1:80 test.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0

访问控制(针对正则匹配)

[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}


    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
       allow 127.0.0.1;
       allow 192.168.230.135;
       deny all;
    }

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }


    access_log /tmp/test.com.log cham;
}

[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# mkdir /data/wwwroot/test.com/upload
[root@cham002 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

测试

[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>


[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
11111
看日志
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:15:46 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:16:46 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

针对user_agent限制

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

server
{
    listen 80;
    server_name test.com test2.com test3.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite  ^/(.*)$  http://test.com/$1  permanent;
    }
   # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
   # {
   #       expires      7d;
   #       access_log off;
   # }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}


    location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }
    location /admin/
    {
       allow 127.0.0.1;
       allow 192.168.230.135;
       deny all;
    }

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }



    access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:22:45 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 04 Jan 2018 08:16:39 GMT
Connection: keep-alive
ETag: "5a4de2e7-6"
Accept-Ranges: bytes

[root@cham002 ~]# curl -A "Tomatodsfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:23:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

说明: deny all和return 403效果一样

12.15 Nginx解析PHP相关配置

核心配置:
[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

 location ~ \.php$
    {
        include fastcgi_params;
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;
##fastcgi_pass两种监听格式,但是要保证Nginx和php-fpm中格式一致
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

[root@cham002 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

[root@cham002 ~]# curl -x 127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 10:44:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

注: 在此注意两点,fastcgi_pass有两种格式,但是无论使用哪种格式都有保证Nginx和php-fpm中格式一致,否则会报错502;fastcgi _param SCRIPT _FILENAME所在行的路径要和root路径一致!

12.16 Nginx代理

Nginx代理是一种反向代理。反向代理(Reverse Proxy)方式是指以代理服务器来接受Internet上的连接请求,然后将请求转发给内部网络上的服务器;并将从服务器上得到的结果返回给Internet上请求连接的客户端,此时代理服务器对外就表现为一个服务器。

 12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

工作原理

Nginx代理是在一台代理服务器中自定义一个域名,该域名指向一个IP,然后将用户的请求通过这台代理服务器访问指定的IP所对应的web服务器。

graph LR
用户-->代理服务器
代理服务器-->用户
代理服务器-->web服务器
web服务器-->代理服务器

[root@cham002 ~]# cd /usr/local/nginx/conf/vhost
[root@cham002 vhost]# vim proxy.conf 

server
{
    listen 80;
    server_name ask.apelearn.com;
 #定义域名(一般和被代理ip的域名保持一致)

    location /
    {
        proxy_pass      http://121.201.9.155/;
#指定被代理(被访问)的IP(web服务器IP)
        proxy_set_header Host   $host;
#$host指的是代理服务器的servername(也是被代理IP的域名)
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

说明: 因为该虚拟主机只用作代理服务器,不需要访问本地文件,所以不需要设置根目录。

没有设置代理前
[root@cham002 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 vhost]# 

[root@cham002 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@cham002 vhost]# /usr/local/nginx/sbin/nginx -s reload
设置代理后
[root@cham002 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@cham002 vhost]#
点赞
收藏
评论区
推荐文章
芝士年糕 芝士年糕
2年前
nginx 启动、停止、关闭
使用3A服务器搭建的centos系统安装nginx教程在我的往期博客中1,nginx指定配置文件/usr/local/nginx/sbin/nginxc/usr/local/nginx/conf/nginx.conf1c参数指定了要加载的nginx配置文件路径1,从容停止Nginx:killQUIT主进程号2,快速停止Nginx:kil
Stella981 Stella981
3年前
Nginx 配置静态文件 404 问题
使用Nginx做访问静态资源的时候,配置之后访问一直是 404。我的配置是location/dist{      root/usr/local/nginx/html/dist;      }原因:root配置的意思是,会在root配置的目录后跟上URL,组成对应的文件路径。即我的访问h
Stella981 Stella981
3年前
Nginx配置https
一、开启nginx的ssl模块1.未安装过nginx,编译安装配置参数如下:./configure\prefix/usr/local/nginx\withpcre\withhttp\_ssl\_modulessl模块\withhttp\_stub\_status\_module\wit
Wesley13 Wesley13
3年前
LNMP架构之虚拟主机配置、用户认证及域名重定向
本文索引:配置nginx虚拟主机nginx用户认证针对目录针对文件域名重定向配置nginx虚拟主机修改nginx主配置文件root@localhostnginx1.12.2vim/usr/local/nginx/conf/ngi
Wesley13 Wesley13
3年前
LNMP架构之访问日志、日志切割、静态文件不记录及过期时间设置
本文索引:Nginx访问日志Nginx日志切割静态文件不记录日志和过期时间Nginx访问日志修改nginx配置文件root@localhostvhostvim/usr/local/nginx/conf/nginx.conf搜索:/log_format
Stella981 Stella981
3年前
API网关【gateway 】
最近在公司进行API网关重写,公司内采用serverMesh进行服务注册,调用,这里结合之前学习对API网关服务进行简单的总结与分析。由于采用了大量的nginx相关的东西,所以在此记录一下:在nginx使用openresty加入nginx模块编辑nginx下conf配置文件nginx.confvinginx.c
Stella981 Stella981
3年前
Nginx SSL补充安装
在centos中,配置nginx的https时,出现如下错误。nginx:\emerg\unknowndirective"ssl"in/usr/local/nginx/conf/nginx.conf:102,说明编译是没有启用SSL。到解压的nginx目录下./configurewith
Stella981 Stella981
3年前
Nginx之使用nginx搭建简单的文件服务器
  使用nginx可以搭建简单文件服务器  安装nginx(不详述)    修改配置文件/usr/local/nginx/conf/nginx.confuserroot;worker_processes1;error_loglogs/error.log;pidlog
Wesley13 Wesley13
3年前
2018.9.20笔记
Nginx默认虚拟主机去掉usr/local/nginx/conf/nginx.conf中的内容Server{.....}vim/usr/local/nginx/conf/nginx.conf//增加includevhost/.conf;
Stella981 Stella981
3年前
LNMP架构之防盗链、访问控制、php解析、代理的设置
本文索引:Ningx防盗链Ningx访问控制针对目录的访问控制针对文件的访问控制针对user\_agentNginx解析php相关配置访问报502错误分析Nginx代理Nginx防盗链修改虚拟主机配置文件