LNMP Architecture (4): Nginx hotlink protection, Nginx access control, PHP parsing configuration, Nginx proxy

Nginx hotlink protection
1. Edit the virtual host configuration file
Configure the referer rule
server
{
    listen 80 default_server;
    server_name www.test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        # ~* is a case-insensitive regex match: every file whose name matches the pattern
        expires 7d;                                            # cache validity 7 days
        valid_referers none blocked server_names *.test.com;   # referer whitelist: none = empty Referer, plus *.test.com
        if ($invalid_referer)                                  # set when the Referer is not in the whitelist
        {
            return 403;                                        # return 403 directly; deny all would work too
        }
        access_log off;                                        # don't log these requests
    }
    location ~ .*\.(js|css)$                                   # match by file type
    {
        expires 12h;                                           # cache validity 12 hours
        access_log off;                                        # don't log these requests
    }
    access_log /data/logs/test.log combined_realip;
}
2. Test access:
[root@aliyun logs]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aliyun logs]# /usr/local/nginx/sbin/nginx -s reload
[root@aliyun logs]# touch /data/wwwroot/test.com/1.jpeg
[root@aliyun logs]# curl -e "http://www.baidu.com"  -x127.0.0.1:80 test.com/1.jpeg -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 19:23:41 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@aliyun logs]# curl -e "http://www.test.com"  -x127.0.0.1:80 test.com/1.jpeg -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 19:31:57 GMT
Content-Type: image/jpeg
Content-Length: 0
Last-Modified: Mon, 11 Jun 2018 19:31:48 GMT
Connection: keep-alive
ETag: "5b1ece24-0"
Expires: Mon, 18 Jun 2018 19:31:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@aliyun logs]#
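To see exactly which Referer values the rule above lets through, here is an added Python re-implementation of the documented valid_referers semantics for this page's whitelist (none blocked server_names *.test.com). It is example code written for this article, not nginx's own code; the host lists are constructed, and note that "none" means a request that simply omits the Referer header is accepted, so this is a nuisance control, not an authorization boundary.

```python
import re
from urllib.parse import urlparse

# Constructed mirror of the page's rule: valid_referers none blocked server_names *.test.com;
SERVER_NAMES = ["www.test.com"]
REFERER_PATTERNS = ["*.test.com"]
ALLOW_NONE = True      # "none": requests with no Referer header pass
ALLOW_BLOCKED = True   # "blocked": Referer present but stripped of http:// or https:// passes

def _host_matches(host, pattern):
    """Leading '*.' matches any subdomain (not the bare domain); otherwise exact."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def invalid_referer(referer):
    """True when nginx would set $invalid_referer (hypothetical re-implementation
    of the documented semantics, not nginx's own code)."""
    if not referer:
        return not ALLOW_NONE
    if not re.match(r"^https?://", referer, re.IGNORECASE):
        return not ALLOW_BLOCKED
    host = urlparse(referer).hostname or ""
    if any(_host_matches(host, n) for n in SERVER_NAMES):
        return False
    return not any(_host_matches(host, p) for p in REFERER_PATTERNS)

def status_for(referer):
    """Status the image location returns for a given Referer, as in the page's curl tests."""
    return 403 if invalid_referer(referer) else 200

if __name__ == "__main__":
    for ref in [None, "http://www.baidu.com", "http://www.test.com",
                "https://img.test.com/gallery", "http://test.com.evil.example/"]:
        print(repr(ref), "->", status_for(ref))
```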

Nginx access control
1. Edit the virtual host configuration file
Configure the access rules
server
{
    listen 80 default_server;
    server_name www.test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        # ~* is a case-insensitive regex match: every file whose name matches the pattern
        expires 7d;                                            # cache validity 7 days
        valid_referers none blocked server_names *.test.com;   # referer whitelist: none = empty Referer, plus *.test.com
        if ($invalid_referer)                                  # set when the Referer is not in the whitelist
        {
            return 403;                                        # return 403 directly; deny all would work too
        }
        access_log off;                                        # don't log these requests
    }
    location /admin/                        # the directory to protect
    {
        allow 192.168.1.0/24;               # allow one subnet, e.g. the internal network
        allow 127.0.0.1;                    # allow localhost; unlike Apache, evaluation stops at the first matching rule
        deny all;                           # deny everyone else
    }

    location ~* .*(upload|image)/.*\.php$   # every .php file under any directory containing upload or image
    {                                       # the * in ~* makes the match case-insensitive
        deny all;                           # deny all, same effect as return 403
    }

    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        # case-insensitive check for a User-Agent containing Spider/3.0, YoudaoBot or Tomato
        return 403;                         # return 403, same effect as deny all
    }
    location ~ .*\.(js|css)$                # match by file type
    {
        expires 12h;                        # cache validity 12 hours
        access_log off;                     # don't log these requests
    }
    access_log /data/logs/test.log combined_realip;
}
2. Test access:
[root@aliyun logs]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aliyun logs]# /usr/local/nginx/sbin/nginx -s reload
[root@aliyun ~]# mkdir /data/wwwroot/test.com/admin/
[root@aliyun ~]# mkdir /data/wwwroot/test.com/upload/
[root@aliyun upload]# touch /data/wwwroot/test.com/admin/index.html
[root@aliyun upload]# touch /data/wwwroot/test.com/upload/test.php

Test access to the admin directory
[root@aliyun upload]# curl -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 07:30:03 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Tue, 12 Jun 2018 07:24:37 GMT
Connection: keep-alive
ETag: "5b1f7535-0"
Accept-Ranges: bytes

[root@aliyun upload]# curl -x12.19.23.43:80 test.com/admin/ -I
HTTP/1.1 403 Forbidden    (this IP is your network card's IP; it can be used for testing)
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 07:31:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Test access to the upload directory
[root@aliyun upload]# curl -x127.0.0.1:80 test.com/upload/test.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 07:50:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@aliyun upload]# curl -x127.0.0.1:80 test.com/upload/test.txt -I
HTTP/1.1 404 Not Found    (access is allowed, but the resource does not exist)
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 07:50:54 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@aliyun upload]# curl -x127.0.0.1:80 test.com/Image/test.php -I
HTTP/1.1 403 Forbidden    (the directory does not exist, but the rule matched)
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 07:54:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@aliyun upload]# curl -x127.0.0.1:80 test.com/Image/test.txt -I
HTTP/1.1 404 Not Found    (the directory does not exist and the rule did not match)
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 07:54:27 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Test user_agent matching
[root@aliyun upload]# curl -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 08:02:05 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Tue, 12 Jun 2018 07:24:37 GMT
Connection: keep-alive
ETag: "5b1f7535-0"
Accept-Ranges: bytes

[root@aliyun upload]# curl -x127.0.0.1:80 test.com/admin/ -I -A "YoudaoBot"
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 08:03:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@aliyun upload]# curl -x127.0.0.1:80 test.com/admin/ -I -A "youdaobot"
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 08:03:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

PHP parsing configuration
1. Edit the virtual host configuration file
Configure PHP parsing
server
{
    listen 80 default_server;
    server_name www.test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        # ~* is a case-insensitive regex match: every file whose name matches the pattern
        expires 7d;                                            # cache validity 7 days
        valid_referers none blocked server_names *.test.com;   # referer whitelist: none = empty Referer, plus *.test.com
        if ($invalid_referer)                                  # set when the Referer is not in the whitelist
        {
            return 403;                                        # return 403 directly; deny all would work too
        }
        access_log off;                                        # don't log these requests
    }
    location /admin/                        # the directory to protect
    {
        allow 192.168.1.0/24;               # allow one subnet, e.g. the internal network
        allow 127.0.0.1;                    # allow localhost; unlike Apache, evaluation stops at the first matching rule
        deny all;                           # deny everyone else
    }

    location ~* .*(upload|image)/.*\.php$   # every .php file under any directory containing upload or image
    {                                       # the * in ~* makes the match case-insensitive
        deny all;                           # deny all, same effect as return 403
    }

    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        # case-insensitive check for a User-Agent containing Spider/3.0, YoudaoBot or Tomato
        return 403;                         # return 403, same effect as deny all
    }
    location ~ .*\.(js|css)$                # match by file type
    {
        expires 12h;                        # cache validity 12 hours
        access_log off;                     # don't log these requests
    }
    location ~ \.php$
    {
        include fastcgi_params;
        # fastcgi_pass names the socket or port php-fpm listens on;
        # if php-fpm listens on an IP and port, write it as fastcgi_pass ip:port; instead
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
    access_log /data/logs/test.log combined_realip;
}
2. Test access:
[root@aliyun logs]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aliyun logs]# /usr/local/nginx/sbin/nginx -s reload
[root@aliyun upload]# service nginx restart
[root@aliyun upload]# vim /data/wwwroot/test.com/test.php
Write the following content:
<?php
echo "it's work!"
?>
[root@aliyun upload]# curl -x127.0.0.1:80 test.com/test.php -i
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Tue, 12 Jun 2018 10:42:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.36
it's work!



Nginx proxy
1. Create the proxy configuration file
[root@aliyun ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
Write the following content:

server
{
    listen 80;
    server_name baidu.com;

    location /
    {
        proxy_pass      http://123.125.115.110/;          # address of the backend web server
        proxy_set_header Host   $host;                     # host name = server_name baidu.com
        proxy_set_header X-Real-IP      $remote_addr;      # client IP (the real visitor IP)
        # X-Forwarded-For can hold several addresses, in the format client1, proxy1, proxy2...:
        # one entry per proxy server (CDN) the request passed through. It may also carry only the
        # client IP, when the CDN provider hides its proxy IPs and passes along just the client IP.
        # The X-Forwarded-For value can be read in a PHP program or exposed with Nginx's add_header.
        # Set the XFF request header: $proxy_add_x_forwarded_for = incoming X-Forwarded-For + $remote_addr.
        # If XFF holds several IPs, for compatibility use the $http_x_forwarded_for variable instead, or leave it unset.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Save and exit

2. Test whether the proxy works:
First test without reloading nginx:
[root@aliyun ~]# curl baidu.com/robots.txt    (read Baidu's robots.txt directly)
User-agent: Baiduspider
Disallow: /baidu
Disallow: /s?
Disallow: /ulink?
Disallow: /link?
[root@aliyun ~]# curl -x127.0.0.1:80 baidu.com/robots.txt    (read Baidu's robots.txt through the local server: not found)
<html>
<head><title> 404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
Reload nginx and test again:
[root@aliyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aliyun ~]# /usr/local/nginx/sbin/nginx -s reload
[root@aliyun ~]# curl -x127.0.0.1:80 baidu.com/robots.txt    (read Baidu's robots.txt through the local server again)
User-agent: Baiduspider
Disallow: /baidu
Disallow: /s?
Disallow: /ulink?
Disallow: /link?

User-agent: Googlebot
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: MSNBot
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Baiduspider-image
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: YoudaoBot
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sogou web spider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sogou inst spider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sogou spider2
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sogou blog
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sogou News Spider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sogou Orion spider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: JikeSpider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: Sosospider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: PangusoSpider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: yisouspider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: EasouSpider
Disallow: /baidu
Disallow: /s?
Disallow: /shifen/
Disallow: /homepage/
Disallow: /cpro
Disallow: /ulink?
Disallow: /link?

User-agent: *
Disallow: /
[root@aliyun ~]#
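The proxy configuration above forwards X-Forwarded-For with $proxy_add_x_forwarded_for, which appends the peer address nginx saw to whatever the request already carried. The added Python example below (written for this article, not nginx's or any project's code) shows what that expansion produces across a CDN plus this nginx proxy, and how a backend should pick the real client address from it: walk from the right past the proxies it trusts, because everything further left was supplied by the client and can be spoofed. The addresses and the trusted-proxy list are constructed assumptions.

```python
import ipaddress

# Constructed topology for the example (documentation address ranges, not from the page):
# client 192.0.2.7 -> CDN edge 203.0.113.10 -> our nginx proxy 198.51.100.5 -> backend.
# Which proxies to trust is an assumption the backend operator must make explicitly.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.5/32")]

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """What nginx's $proxy_add_x_forwarded_for expands to: the incoming
    X-Forwarded-For with $remote_addr appended, or just $remote_addr."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def _is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage in the header is never a trusted hop
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def real_client_ip(xff_header, remote_addr):
    """Backend-side view: walk the chain from the right (the hop nearest to us),
    skip the proxies we trust, and take the first address we did not add
    ourselves. Everything left of it came from the client and can say anything."""
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    chain = [h for h in hops if h] + [remote_addr]
    for hop in reversed(chain):
        if not _is_trusted(hop):
            return hop
    return chain[0]             # only trusted hops: the leftmost is the best we have

if __name__ == "__main__":
    # Client sent a forged "X-Forwarded-For: 10.0.0.1"; the CDN appended the client's
    # real address; our nginx (peer = the CDN edge) appends that edge address.
    at_backend = proxy_add_x_forwarded_for("10.0.0.1, 192.0.2.7", "203.0.113.10")
    print(at_backend)                                   # forged 10.0.0.1 stays in the chain
    print(real_client_ip(at_backend, "198.51.100.5"))   # but 192.0.2.7 is the real client
```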

