LNMP架构——Nginx防盗链,访问控制

Nginx防盗链

盗链是指一个网站的资源(图片或附件)未经允许在其它网站提供浏览和下载，尤其热门资源的盗链，对网站带宽的消耗非常大；

修改配置文件

[root@dl-001 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
............
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
     //定义referer白名单
    if ($invalid_referer) {
        return 403;
    //if函数的意思是：如果不是白名单内的域名，返回值：403
    }
    access_log off;
}
..............

---

重新加载

[root@dl-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@dl-001 ~]# /usr/local/nginx/sbin/nginx -s reload

---

检测

[root@dl-001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.png
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 06:22:36 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

说明：使用非白名单内的referer进行访问会被限制！！！

---

Nginx访问控制

访问控制即限制指定的IP才能访问指定的目录

添加配置文件

[root@dl-001 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
……
location /admin/
    {
    allow 192.168.8.132;
    allow 127.0.0.1;
    deny all;
    //设置IP白名单
    }
……

---

重新加载

[root@dl-001 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@dl-001 ~]# /usr/local/nginx/sbin/nginx -s reload

---

创建所需目录

[root@dl-001 ~]# mkdir /data/wwwroot/test.com/admin

[root@dl-001 ~]#  echo “test,test”>/data/wwwroot/test.com/admin/1.html

---

测试

[root@dl-001 ~]# curl -x127.0.0.1:80  test.com/admin/1.html
“test,test”

[root@dl-001 ~]# curl -x192.168.6.128:80  test.com/admin/1.html
“test,test”

//完成！

---

访问控制——正则匹配

location ~ .*(abc|image)/.*\.php$
{
        deny all;
}

---

访问控制——user_agent限制

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

说明： deny all和return 403效果一样