学习linux第五十一天

nginx防盗链

[root@hanlin ~]# /etc/init.d/nginx start
Starting nginx (via systemctl): [ 确定 ]
[root@hanlin ~]# /etc/init.d/mysqld start
Starting MySQL SUCCESS! 
[root@hanlin ~]# 181127 16:15:56 mysqld_safe A mysqld process already exists
/etc/init.d/nginx start^C
[root@hanlin ~]# /etc/init.d/php-fpm start
[root@hanlin ~]# systemctl start php-fpm
[root@hanlin ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
 

server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}



location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ (当访问这些后缀的文件时,Referer不是test.com就会返回403)
{
expires 7d;
valid_referers none blocked server_names *.test.com ; (防盗链部分配置,定义Referer白名单:none 表示允许没有Referer头的请求,blocked 表示允许Referer被代理或防火墙清空的请求。Referer由客户端自行填写,这种方式只能防止普通盗链)
if ($invalid_referer) { (不符合条件给出处理结果)
return 403;
}
access_log off;


#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
#}

location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}

access_log /tmp/test.conf.log xy;


}

[root@hanlin ~]# curl -e http://baidu.com/1.txt -x127.0.0.1:80 test.com/1.gif
dgd
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin ~]# curl -e http://baidu.com/1.txt -x127.0.0.1:80 test.com/1.gif
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
 

 

 

nginx访问控制

 

 

curl用法

-A/--user-agent <string>              设置用户代理发送给服务器
-b/--cookie <name=string/file>    cookie字符串或文件读取位置
-c/--cookie-jar <file>                    操作结束后把cookie写入到这个文件中
-C/--continue-at <offset>            断点续转
-D/--dump-header <file>              把header信息写入到该文件中
-e/--referer                                  来源网址
-f/--fail                                          连接失败时不显示http错误
-o/--output                                  把输出写到该文件中
-O/--remote-name                      把输出写到该文件中,保留远程文件的文件名
-r/--range <range>                      检索来自HTTP/1.1或FTP服务器字节范围
-s/--silent                                    静音模式。不输出任何东西
-T/--upload-file <file>                  上传文件
-u/--user <user[:password]>      设置服务器的用户和密码
-w/--write-out [format]                什么输出完成后
-x/--proxy <host[:port]>              在给定的端口上使用HTTP代理
-#/--progress-bar                        进度条显示当前的传送状态

 

[root@hanlin ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

location /admin/ (访问控制白名单)
{
allow 127.0.0.1; (跟apache不一样,一旦匹配到,不受后面条件影响)
allow 192.168.0.12;
deny all;
}
access_log /tmp/test.conf.log xy;


}
 

 

[root@hanlin ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -s reload
 

[root@hanlin network-scripts]# !curl
curl -x192.168.0.12:80 test.com/admin/
444444444444444
[root@hanlin network-scripts]# curl -x127.0.0.1:80 test.com/admin/
444444444444444
[root@hanlin network-scripts]# curl -x192.168.0.13:80 test.com/admin/
curl: (7) Failed connect to 192.168.0.13:80; 没有到主机的路由
 

 

禁止解析某类型文件,可以匹配正则

 

[root@hanlin network-scripts]# vim /usr/local/nginx/conf/vhost/test.com.conf 
 

location ~ .*(upload|image)/.*\.php$ (只要是upload或image目录下的php文件就不允许解析;正则location按书写顺序匹配,先匹配到的生效,所以这段要放在 location ~ \.php$ 之前)

{

        deny all;

}

access_log /tmp/test.conf.log xy;


}
 

[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin network-scripts]# mkdir /data/wwwroot/test.com/upload
[root@hanlin network-scripts]# echo "123321" > /data/wwwroot/test.com/upload/1.php
[root@hanlin network-scripts]# curl -x192.168.0.12:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head> (访问被拒绝掉了)
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
 

根据user-agent来做访问控制(防止别人窃取你的信息,不让别人知道你这个站点,除非你告诉别人。注意User-Agent由客户端自行设置,这只能拦截如实标识自己的爬虫,不能替代真正的访问控制)

[root@hanlin network-scripts]# vim /usr/local/nginx/conf/vhost/test.com.conf

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{
return 403;
}
access_log /tmp/test.conf.log xy;
 

 

[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin network-scripts]# curl -x127.0.0.1:80 test.com/admin/index.html
444444444444444
[root@hanlin network-scripts]# curl -A "Tomato" -x127.0.0.1:80 test.com/admin/index.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hanlin network-scripts]# curl -A "tomato" -x127.0.0.1:80 test.com/admin/index.html (精确匹配,不忽略大小写的结果)
444444444444444
 

如果想要忽略大小写,在~符后面紧跟一个*号,写成 ~*(中间不能有空格)

if ($http_user_agent ~ *  

'Spider/3.0|YoudaoBot|Tomato')

{
return 403;
}

 

 

nginx解析php相关配置

 

[root@hanlin network-scripts]# vim /usr/local/nginx/conf/vhost/test.com.conf

location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock; (监听sock,或者写成监听ip加端口也可以;这个路径要和php-fpm.conf里的listen保持一致,写不对会报错502)
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.conf.log xy;


}

[root@hanlin /]# vim /usr/local/php-fpm/etc/php-fpm.conf 
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666 (nginx调用php时默认以nobody的身份访问sock,而sock默认属主是root、权限是440,所以必须让nginx有读写权限:可以改sock权限,或者改sock的属主/属组。666会让本机所有用户都能向php-fpm发请求,更稳妥的做法是只给nginx运行用户读写权限)
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
 


[root@hanlin /]# vim /data/wwwroot/test.com/test.php
[root@hanlin /]# curl -x127.0.0.1:80 test.com/test.php
<?php
echo phpinfo;
[root@hanlin /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin /]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin /]# curl -x127.0.0.1:80 test.com/test.php (一旦重启配置就可以正确解析php了)
</div></body></html>[root@hanlin /]# curl -x127.0.0.1:80 test.com/test.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 27 Nov 2018 18:14:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
 

 

nginx代理

 

 

 

[root@hanlin /]# cd /usr/local/nginx/conf/vhost/
[root@hanlin vhost]# vim proxy.conf
server
{
listen 80;
server_name ask.apelearn.com;

location /
{
proxy_pass http://223.94.95.10/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

 

 

[root@hanlin vhost]# curl -x127.0.0.1:80 ask.apelearn.com 
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
2018/11/28 02:46:18 [error] 10851#0: *38 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 127.0.0.1, server: ask.apelearn.com, request: "GET HTTP://ask.apelearn.com/ HTTP/1.1", upstream: "http://121.201.9.155:80/", host: "ask.apelearn.com"
2018/11/28 02:46:18 [info] 10851#0: *38 client 127.0.0.1 closed keepalive connection
上述错误是ppt上的代理ip错误导致的

 

[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -s reload
 

[root@hanlin vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
[root@hanlin vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt (如果删除掉proxy.conf就会报错404)
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
 

 

 

 

 

 

 

 

转载于:https://my.oschina.net/u/3867255/blog/2962757
