nginx防盗链
[root@hanlin ~]# /etc/init.d/nginx start
Starting nginx (via systemctl): [ 确定 ]
[root@hanlin ~]# /etc/init.d/mysqld start
Starting MySQL SUCCESS!
[root@hanlin ~]# 181127 16:15:56 mysqld_safe A mysqld process already exists
/etc/init.d/nginx start^C
[root@hanlin ~]# /etc/init.d/php-fpm start
[root@hanlin ~]# systemctl start php-fpm
[root@hanlin ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ (访问这些后缀的文件时,请求头里的Referer不在下面valid_referers白名单内就返回403)
{
expires 7d;
valid_referers none blocked server_names *.test.com ; (防盗链白名单: none表示没有Referer头的请求也放行, blocked表示Referer被代理或防火墙改掉的请求, server_names表示本server_name, 再加上*.test.com; 注意Referer是客户端自己填的,下面用curl -e就能伪造,所以这只能防普通网页盗链,不能当作真正的访问控制)
if ($invalid_referer) { (不符合条件给出处理结果)
return 403;
}
access_log off;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
#}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
access_log /tmp/test.conf.log xy;
}
[root@hanlin ~]# curl -e http://baidu.com/1.txt -x127.0.0.1:80 test.com/1.gif
dgd
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin ~]# curl -e http://baidu.com/1.txt -x127.0.0.1:80 test.com/1.gif
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
nginx访问控制
curl用法
-A/--user-agent <string> 设置用户代理发送给服务器 -b/--cookie <name=string/file> cookie字符串或文件读取位置 -c/--cookie-jar <file> 操作结束后把cookie写入到这个文件中 -C/--continue-at <offset> 断点续转 -D/--dump-header <file> 把header信息写入到该文件中 -e/--referer 来源网址 -f/--fail 连接失败时不显示http错误 -o/--output 把输出写到该文件中 -O/--remote-name 把输出写到该文件中,保留远程文件的文件名 -r/--range <range> 检索来自HTTP/1.1或FTP服务器字节范围 -s/--silent 静音模式。不输出任何东西 -T/--upload-file <file> 上传文件 -u/--user <user[:password]> 设置服务器的用户和密码 -w/--write-out [format] 什么输出完成后 -x/--proxy <host[:port]> 在给定的端口上使用HTTP代理 -#/--progress-bar 进度条显示当前的传送状态
[root@hanlin ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/ (访问控制白名单)
{
allow 127.0.0.1; (跟apache不一样,allow/deny按书写顺序逐条检查,一旦匹配到就生效,后面的规则不再看)
allow 192.168.0.12;
deny all;
}
access_log /tmp/test.conf.log xy;
}
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin network-scripts]# !curl
curl -x192.168.0.12:80 test.com/admin/
444444444444444
[root@hanlin network-scripts]# curl -x127.0.0.1:80 test.com/admin/
444444444444444
[root@hanlin network-scripts]# curl -x192.168.0.13:80 test.com/admin/
curl: (7) Failed connect to 192.168.0.13:80; 没有到主机的路由
禁止解析某类型文件,可以匹配正则
[root@hanlin network-scripts]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*(upload|image)/.*\.php$ (只要是upload或image目录下的php文件就不允许解析; 注意nginx按正则location在配置里出现的顺序取第一个匹配,所以这段必须写在后面的 location ~ \.php$ 之前,否则这些php文件会先被交给php-fpm解析)
{
deny all;
}
access_log /tmp/test.conf.log xy;
}
[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin network-scripts]# mkdir /data/wwwroot/test.com/upload
[root@hanlin network-scripts]# echo "123321" > /data/wwwroot/test.com/upload/1.php
[root@hanlin network-scripts]# curl -x192.168.0.12:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head> (访问被拒绝掉了)
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
根据user-agent来做访问控制(目的是不让爬虫随便抓取你的站点; 但UA是客户端自己设置的,下面用curl -A就能改,所以只能挡住老实上报UA的爬虫,挡不住故意改UA的人)
[root@hanlin network-scripts]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/test.conf.log xy;
[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin network-scripts]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin network-scripts]# curl -x127.0.0.1:80 test.com/admin/index.html
444444444444444
[root@hanlin network-scripts]# curl -A "Tomato" -x127.0.0.1:80 test.com/admin/index.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@hanlin network-scripts]# curl -A "tomato" -x127.0.0.1:80 test.com/admin/index.html (精确匹配,不忽略大小写的结果)
444444444444444
如果想要忽略大小写,把 ~ 改成 ~*(两个符号中间不能有空格)
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
nginx解析php相关配置
[root@hanlin network-scripts]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock; (监听sock,或者改成监听ip加端口也可以; 这个路径是在下面php-fpm.conf的listen里定义的,两边写不一致会报错502)
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
access_log /tmp/test.conf.log xy;
}
[root@hanlin /]# vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666 (nginx的worker默认以nobody身份去连这个sock,而sock默认属主是root、权限440,打不开就会502,所以必须让worker用户有读写权限; 改成666最简单,但本机任何用户都能连上这个sock,更稳妥的做法是用listen.owner/listen.group指定nginx的worker用户,mode用660)
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@hanlin /]# vim /data/wwwroot/test.com/test.php
[root@hanlin /]# curl -x127.0.0.1:80 test.com/test.php
<?php
phpinfo(); (测试完记得删掉test.php,phpinfo会把php版本、配置和路径等信息暴露给所有人)
[root@hanlin /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin /]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin /]# curl -x127.0.0.1:80 test.com/test.php (一旦重启配置就可以正确解析php了)
</div></body></html>
[root@hanlin /]# curl -x127.0.0.1:80 test.com/test.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 27 Nov 2018 18:14:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
nginx代理
[root@hanlin /]# cd /usr/local/nginx/conf/vhost/
[root@hanlin vhost]# vim proxy.conf
server
{
listen 80;
server_name ask.apelearn.com;
location /
{
proxy_pass http://223.94.95.10/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@hanlin vhost]# curl -x127.0.0.1:80 ask.apelearn.com
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
2018/11/28 02:46:18 [error] 10851#0: *38 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 127.0.0.1, server: ask.apelearn.com, request: "GET HTTP://ask.apelearn.com/ HTTP/1.1", upstream: "http://121.201.9.155:80/", host: "ask.apelearn.com"
2018/11/28 02:46:18 [info] 10851#0: *38 client 127.0.0.1 closed keepalive connection
上述错误是ppt上给的代理ip写错导致的
[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
[root@hanlin vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt (如果删除掉proxy.conf就会报错404)
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>