November 28 tasks

12.13 Nginx hotlink protection
server_names does not have to be written in the hotlink protection configuration.

The configuration is as follows; it can be combined with the configuration above.
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$   # ~* : regex match, case-insensitive; ^ : anchored at the start of the URI
{
     expires 7d;   # cache expiry of 7 days
     valid_referers none blocked server_names  *.test.com ;   # whitelist of referer domains
     if ($invalid_referer) {   # referer is not in the whitelist
         return 403;   # return 403
     }
     access_log off;   # do not log these requests
}
 
[root@test ~]# vim /usr/local/nginx/conf/vhost/2.com.conf
server
{
         listen 80;
         server_name 2.com 22.com 222.com;
         index index.html index.htm index.php;
         root /data/wwwroot/2.com;
         if ($host != '2.com' ) {
         rewrite  ^/(.*)$   http://2.com/$1   permanent;
         }
 
         location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
         {
         expires 7d;
         valid_referers none blocked server_names  *.2.com ;
         if ($invalid_referer) {
         return 403;
         }
         access_log off;
         }
           
        # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        # {
        #  expires      7d;
        #  access_log off;
         # }
         
          location ~ .*\.(js|css)$
         {
           expires      12h;
           access_log off;
         }
 
}
Check and reload
[root@test ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test ~]# /usr/local/nginx/sbin/nginx -s reload

Result
[root@test ~]# curl -e "http://www.baidu.com/1.gif" -x127.0.0.1:80 2.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:23:49 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
 
[root@test ~]# curl -e "http://www.2.com/1.gif" -x127.0.0.1:80 2.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:24:13 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 24 Dec 2018 04:23:12 GMT
Connection: keep-alive
ETag: "5c205f30-0"
Expires: Mon, 31 Dec 2018 04:24:13 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
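As an added illustration (not code from the original notes), the following Python model shows how the valid_referers line above decides $invalid_referer. It uses the server_name list of the 2.com vhost and the *.2.com entry; the scheme handling (none / blocked), the port being ignored and the suffix-only wildcard follow nginx's referer module, and every Referer value in the tests is a constructed input. Note what `none` implies: a request with no Referer header at all is accepted, so this rule stops other pages from embedding the files, not a client that simply omits the header.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the original notes): a model of how nginx's
# `valid_referers none blocked server_names *.2.com;` sets $invalid_referer.
# Server names are the ones of the vhost above; Referer values are constructed.

SERVER_NAMES = ["2.com", "22.com", "222.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.2.com"]


def referer_is_invalid(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """Return True when nginx would set $invalid_referer for this Referer header.

    referer is the raw header value, or None when the header is absent.
    """
    if referer is None:
        # `none`: requests without a Referer header are accepted
        return "none" not in valid
    if not re.match(r"https?://", referer, re.IGNORECASE):
        # `blocked`: a Referer that does not start with http:// or https://
        # (typically mangled by a proxy or firewall) is accepted
        return "blocked" not in valid

    # nginx compares only the host part; the port is ignored
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return True

    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if host in (s.lower() for s in server_names):
                return False
        elif entry.startswith("*."):
            # "*.2.com" matches hosts ending in ".2.com": www.2.com yes,
            # 2.com itself no, and www.2.com.evil.example no
            if host.endswith(entry[1:].lower()):
                return False
        elif entry.endswith(".*"):
            if host.startswith(entry[:-1].lower()):
                return False
        elif host == entry.lower():
            return False
    return True


def hotlink_decision(referer):
    """HTTP status the location block above would produce for a given Referer."""
    return 403 if referer_is_invalid(referer) else 200
```

The two curl checks from the notes map onto `hotlink_decision("http://www.baidu.com/1.gif")` (403) and `hotlink_decision("http://www.2.com/1.gif")` (200); `hotlink_decision(None)` returns 200 because of `none`.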
 
 
 
 
 
12.14 Nginx access control   (allow internal access, restrict everyone else)
Requirement: requests for the /admin/ directory are allowed only from a few IPs. The configuration is as follows:
location /admin/
{
     allow 192.168.133.1;   # for a whitelist, allow must come before deny: Nginx evaluates the rules in order and stops at the first one that matches, so the rules below it are not consulted
     allow 127.0.0.1;
     deny all;
}
mkdir -p /data/wwwroot/test.com/admin/
echo "test,test" > /data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.133.130:80 test.com/admin/1.html -I
 
Regular expressions can also be matched
location ~ .*(abc|image)/.*\.php$
{
         deny all;
}

Restrict by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
       return 403;
}
deny all and return 403 have the same effect
 
 
For a directory
[root@test ~]# vim /usr/local/nginx/conf/vhost/2.com.conf
server
{
         listen 80;
         server_name 2.com 22.com 222.com;
         index index.html index.htm index.php;
         root /data/wwwroot/2.com;
         if ($host != '2.com' ) {
         rewrite  ^/(.*)$   http://2.com/$1  permanent;
         }
 
          location /admin/
         {
         allow 127.0.0.1;
         deny all;
         }
 
         location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
         {
         expires 7d;
         valid_referers none blocked server_names  *.2.com ;
         if ($invalid_referer) {
         return 403;
         }
         access_log off;
         }
 
        # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        # {
        #  expires      7d;
        #  access_log off;
         # }
 
          location ~ .*\.(js|css)$
         {
           expires      12h;
           access_log off;
         }
 
}
 
Check and reload
[root@test ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test ~]# /usr/local/nginx/sbin/nginx -s reload
 
Results:
[root@test ~]# curl -x127.0.0.1:80 2.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:39:45 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Mon, 24 Dec 2018 04:39:27 GMT
Connection: keep-alive
ETag: "5c2062ff-0"
Accept-Ranges: bytes
 
[root@test ~]# curl -x192.168.1.1:80 2.com/admin/1.html -I
HTTP/1.1 404 Not Found
Content-Type:text/html
Pragma:no-cache
Cache-control:no-cache, no-store, max-age=0
Transfer-Encoding:chunked
X-Frame-Options:SAMEORIGIN
Connection:Keep-Alive
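The allow-before-deny rule from the /admin/ block is easy to see in a small model of nginx's access module. This is an added example, not code from the notes: it walks the rules in order and stops at the first match, exactly as described above. The addresses are the ones used in the notes; the /24 list is a constructed extra that shows the CIDR form, which nginx's allow/deny also accept.

```python
import ipaddress

# Added example (not from the original notes): a model of how nginx's access
# module walks allow/deny rules in order and stops at the first match.
# Addresses come from the notes; the /24 rule is a constructed extra.

ADMIN_RULES = [
    ("allow", "192.168.133.1"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

# Same lines in the wrong order: `deny all` matches every client first,
# so the allow rules below it are never reached.
WRONG_ORDER = [
    ("deny", "all"),
    ("allow", "192.168.133.1"),
    ("allow", "127.0.0.1"),
]

# CIDR form: one rule admits the whole 192.168.133.0/24 network (constructed)
SUBNET_RULES = [
    ("allow", "192.168.133.0/24"),
    ("deny", "all"),
]


def access_status(rules, client_ip):
    """Return 200 if nginx would admit client_ip under these rules, else 403."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            matched = True
        else:
            # A bare address is a /32 (or /128) network; CIDR works as-is
            matched = addr in ipaddress.ip_network(target, strict=False)
        if matched:
            return 200 if action == "allow" else 403
    # No rule matched: the access module lets the request through
    return 200
```

`access_status(ADMIN_RULES, "192.168.133.130")` gives 403, matching the second curl in the notes, while `access_status(WRONG_ORDER, "127.0.0.1")` gives 403 even for localhost, which is the mistake the comment on the allow line warns about.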
 
For regex matching (a site was hacked and its data stolen because php parsing had not been disabled in the image upload directory, so a one-line webshell that was uploaded there got executed)
Disable php parsing in every directory that accepts uploads
[root@test ~]# vim /usr/local/nginx/conf/vhost/2.com.conf
server
{
         listen 80;
         server_name 2.com 22.com 222.com;
         index index.html index.htm index.php;
         root /data/wwwroot/2.com;
         if ($host != '2.com' ) {
         rewrite  ^/(.*)$   http://2.com/$1  permanent;
         }
 
         location /admin/
         {
         allow 127.0.0.1;
         deny all;
         }
 
         location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
         {
         expires 7d;
         valid_referers none blocked server_names  *.2.com ;
         if ($invalid_referer) {
         return 403;
         }
         access_log off;
         }
 
         location ~ .*(upload|image)/.*\.php$   # matches a path containing upload or image and ending in .php
         {
         deny all;
         }
 
        # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        # {
        #  expires      7d;
        #  access_log off;
         # }
 
          location ~ .*\.(js|css)$
         {
           expires      12h;
           access_log off;
         }
 
}
 
Check and reload
[root@test ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test ~]# /usr/local/nginx/sbin/nginx -s reload
 
Result
[root@test ~]# curl -x127.0.0.1:80 2.com/upload/2.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:52:42 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
 
[root@test ~]# curl -x127.0.0.1:80 2.com/upload/2.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:52:48 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Mon, 24 Dec 2018 04:51:04 GMT
Connection: keep-alive
ETag: "5c2065b8-0"
Accept-Ranges: bytes
 
Restrict by user_agent (the site is under a CC attack, spiders are to be kept out, or the site is to be hidden so that no other site can scrape any of its data)
[root@test ~]# vim /usr/local/nginx/conf/vhost/2.com.conf
server
{
         listen 80;
         server_name 2.com 22.com 222.com;
         index index.html index.htm index.php;
         root /data/wwwroot/2.com;
         if ($host != '2.com' ) {
         rewrite  ^/(.*)$   http://2.com/$1  permanent;
         }
 
         location /admin/
         {
         allow 127.0.0.1;
         deny all;
         }
 
         location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
         {
         expires 7d;
         valid_referers none blocked server_names  *.2.com ;
         if ($invalid_referer) {
         return 403;
         }
         access_log off;
         }
 
         location ~ .*(upload|image)/.*\.php$
         {
         deny all;
         }
 
         if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')   # ~* : regex match, case-insensitive
         {
         return 403;
         }
 
        # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        # {
        #  expires      7d;
        #  access_log off;
         # }
 
          location ~ .*\.(js|css)$
         {
           expires      12h;
           access_log off;
         }
 
}
Check and reload
[root@test ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test ~]# /usr/local/nginx/sbin/nginx -s reload
 
Result
[root@test ~]# curl -A "Tomatopldajsldja" -x127.0.0.1:80 2.com/upload/2.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:59:08 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
 
[root@test ~]# curl -A "baidudlsajd" -x127.0.0.1:80 2.com/upload/2.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 24 Dec 2018 04:59:20 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Mon, 24 Dec 2018 04:51:04 GMT
Connection: keep-alive
ETag: "5c2065b8-0"
Accept-Ranges: bytes
 
 
12.15 Nginx PHP parsing configuration

The configuration is as follows:
location ~ \.php$
{
         include fastcgi_params;   # include pulls in all the text/code/directives of the named file, as if they had been written here
         fastcgi_pass unix:/tmp/php-fcgi.sock;   # address and port, or socket, that the FastCGI server listens on; it may be local or on another host
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;   # filesystem path of the requested script
}
fastcgi_pass specifies the address or socket that php-fpm listens on

Parsing PHP
[root@test ~]# vim /usr/local/nginx/conf/vhost/2.com.conf
server
{
         listen 80;
         server_name 2.com 22.com 222.com;
         index index.html index.htm index.php;
         root /data/wwwroot/2.com;
         if ($host != '2.com' ) {
         rewrite  ^/(.*)$   http://2.com/$1  permanent;
         }

         # Regex locations are tried in the order they appear and the first match wins,
         # so this deny has to stand before the ~ \.php$ location below; placed after
         # it, a request for /upload/2.php would be handed to php-fpm instead of denied.
         location ~ .*(upload|image)/.*\.php$
         {
         deny all;
         }

          location ~ \.php$
         {
         include fastcgi_params;
         fastcgi_pass unix:/tmp/php-fcgi.sock;   # defined in /usr/local/php-fpm/etc/php-fpm.conf; if php-fpm listens on a port instead, use fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME   /data/wwwroot/2.com$fastcgi_script_name;
         }
         
         location /admin/
         {
         allow 127.0.0.1;
         deny all;
         }

         location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
         {
         expires 7d;
         valid_referers none blocked server_names  *.2.com ;
         if ($invalid_referer) {
         return 403;
         }
         access_log off;
         }

         if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
         {
         return 403;
         }

        # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        # {
        #  expires      7d;
        #  access_log off;
        # }
         
          location ~ .*\.(js|css)$
         {
           expires      12h;
           access_log off;
         }
         
}
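Why the position of the upload/image deny relative to the `~ \.php$` location matters is easiest to see with a model of nginx's location selection. This is an added example, not code from the notes: it implements the documented order (exact `=` match, longest prefix, then regex locations in configuration order with the first match winning, else the remembered prefix) and runs the locations of the 2.com vhost through it in both orders. The labels such as "php-fpm" and "deny-upload-php" are names assigned here for readability, and the URIs are constructed.

```python
import re

# Added example (not from the original notes): a model of how nginx chooses a
# location for a request URI, applied to the locations of the 2.com vhost.
# Labels are names assigned here; the request URIs below are constructed.
#
# nginx's order of evaluation:
#   1. an exact `=` match wins immediately;
#   2. the longest matching prefix location is remembered; if it is `^~`, it wins;
#   3. regex locations (`~` case-sensitive, `~*` case-insensitive) are tried in the
#      order they appear in the configuration and the FIRST match wins;
#   4. otherwise the remembered prefix location is used.


def select_location(locations, uri):
    """Return the label of the location nginx would select for uri, or None."""
    best_prefix = None
    for modifier, pattern, label in locations:
        if modifier == "=" and uri == pattern:
            return label
        if modifier in ("", "^~") and uri.startswith(pattern):
            if best_prefix is None or len(pattern) > len(best_prefix[1]):
                best_prefix = (modifier, pattern, label)
    if best_prefix and best_prefix[0] == "^~":
        return best_prefix[2]
    for modifier, pattern, label in locations:
        if modifier == "~" and re.search(pattern, uri):
            return label
        if modifier == "~*" and re.search(pattern, uri, re.IGNORECASE):
            return label
    return best_prefix[2] if best_prefix else None


STATIC = r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$"

# Order with the php location at the top of the vhost
PHP_FIRST = [
    ("~",  r"\.php$",                     "php-fpm"),
    ("",   "/admin/",                     "admin"),
    ("~*", STATIC,                        "static-cache"),
    ("~",  r".*(upload|image)/.*\.php$",  "deny-upload-php"),
    ("~",  r".*\.(js|css)$",              "js-css"),
]

# Same locations with the deny rule moved ahead of the php location
DENY_FIRST = [
    ("~",  r".*(upload|image)/.*\.php$",  "deny-upload-php"),
    ("~",  r"\.php$",                     "php-fpm"),
    ("",   "/admin/",                     "admin"),
    ("~*", STATIC,                        "static-cache"),
    ("~",  r".*\.(js|css)$",              "js-css"),
]
```

With PHP_FIRST, `/upload/2.php` lands in "php-fpm" and is executed; with DENY_FIRST it lands in "deny-upload-php" and gets the 403 the notes expect. The same model shows a second consequence of step 3: `/admin/x.php` matches the `~ \.php$` regex before the `/admin/` prefix is considered, so the allow/deny lines in `location /admin/` only cover non-PHP files there. To apply them to PHP under /admin/ as well, add a regex location for `^/admin/.*\.php$` carrying the same allow/deny lines plus the fastcgi directives, placed ahead of the general `~ \.php$` location.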
 
Before the configuration (only the source code is shown)
[root@test ~]# curl -x127.0.0.1:80 2.com/1.php
<?php
echo "dhkashdkash";
 
After the configuration
Check and reload
[root@test ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test ~]# /usr/local/nginx/sbin/nginx -s reload 
[root@test ~]# curl -x127.0.0.1:80 2.com/1.php
dhkashdkash[root@test ~]#
 
Understanding: situations that produce a 502
php-fpm configuration file
[root@test ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen=127.0.0.1:9000
listen.mode = 666   # lets any user read the socket
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
 
[root@test ~]# ls -l /tmp/php-fcgi.sock
srw-rw-rw- 1 root root 0 11月 23 13:54 /tmp/php-fcgi.sock
 
The Nginx configuration file must point at the socket that php-fpm listens on
[root@test ~]# vim /usr/local/nginx/conf/vhost/2.com.conf
The user Nginx runs as must be able to read PHP's socket file
 
Another cause is php resource exhaustion
 
12.16 Nginx proxy
The web server has only a private IP; the proxy server can reach both the web server and the users.
Use case: users cannot reach the web server directly, or the site is hosted overseas and access is too slow, so a proxy server is set up in between.
cd /usr/local/nginx/conf/vhost
vim proxy.conf //add the following content
server
{
     listen 80;
     server_name ask.apelearn.com;
 
    location /   
    {
         proxy_pass       http://121.201.9.155/;
         proxy_set_header Host   $host;
         proxy_set_header X-Real-IP      $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
 }
 
New configuration
Proxy server
Run dig ask.apelearn.com to look up its current IP address before doing the experiment (dig comes with the bind packages):   [root@test ~]# yum install -y bind*
 
[root@test ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
server
{
     listen 80;
     server_name ask.apelearn.com;   # domain name to be accessed
    location /
    {
         proxy_pass       http://47.104.7.242/;   # address of the real web server
         proxy_set_header Host   $host;   # the requested domain; $host equals the server_name
         proxy_set_header X-Real-IP      $remote_addr;   # the client's IP
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
}
Check and reload
[root@test ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test ~]# /usr/local/nginx/sbin/nginx -s reload
 
[root@test ~]# curl ask.apelearn.com/robots.txt   (the spider index list)

Verify the proxy
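The three proxy_set_header lines decide what the backend learns about the original client, and the backend has to read them with care. The following Python model is an added example, not code from the notes or from nginx: it applies the Host, X-Real-IP and X-Forwarded-For rewrites the proxy performs ($proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent) and then shows how a backend should recover the client address. PROXY_IP and every client address are constructed values.

```python
# Added example (not from the original notes): a model of the headers the
# proxy in proxy.conf sends upstream and of how the backend should recover the
# client address from them. PROXY_IP and all client addresses are constructed.

PROXY_IP = "10.0.0.2"   # address of the proxy as the backend sees it (assumed)


def proxy_upstream_headers(client_headers, remote_addr, host):
    """Apply the three proxy_set_header lines to a request the proxy received.

    client_headers: headers as sent by the client (may already contain a
                    forged X-Forwarded-For);
    remote_addr:    the TCP peer the proxy accepted the connection from
                    ($remote_addr), which no header can forge;
    host:           $host, the server_name being proxied.
    """
    out = dict(client_headers)
    out["Host"] = host                       # proxy_set_header Host $host
    out["X-Real-IP"] = remote_addr           # proxy_set_header X-Real-IP $remote_addr
    # $proxy_add_x_forwarded_for = incoming X-Forwarded-For + ", " + $remote_addr,
    # or just $remote_addr when the client sent no such header
    xff = client_headers.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{xff}, {remote_addr}" if xff else remote_addr
    return out


def backend_client_ip(headers, peer_addr, trusted_proxies=(PROXY_IP,)):
    """Client address the backend should log or rate-limit on.

    X-Real-IP is honoured only when the connection comes from a known proxy;
    a request that reaches the backend directly keeps its own peer address,
    whatever headers it carries.
    """
    if peer_addr in trusted_proxies and headers.get("X-Real-IP"):
        return headers["X-Real-IP"]
    return peer_addr


def client_from_xff(xff, trusted_proxies=(PROXY_IP,)):
    """Read X-Forwarded-For from the right, skipping trusted proxies.

    Each trusted hop appends the address it saw, so the rightmost entry that is
    not itself a trusted proxy is the client as seen by the nearest trusted hop.
    Everything to the left of it arrived from the client and cannot be trusted.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return None
```

A client that sends `X-Forwarded-For: 1.2.3.4` reaches the backend as `1.2.3.4, 203.0.113.9`: the first entry is whatever the client claimed, the last one is what the proxy actually saw. Reading the header from the left, or honouring X-Real-IP from a connection that did not come through the proxy, would let a client choose the address the backend logs or rate-limits on.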

Reposted from: https://my.oschina.net/u/3803396/blog/2992462
