12.13 nginx防盗链
由于防盗链和元素过期时间、不记录日志同时用到了location,所以会被写在一起
配置:
…
12 # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
13 # {
14 # expires 7d;
15 # access_log off;
16 # }
17 location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
/~* 表示后面的gif、jpg等关键词不区分大小写
.+ 表示匹配任意单字符一次或多次
/
18 {
19 expires 7d;
20 valid_referers none blocked server_names *.test.com;
/定义referer白名单的servername/
21 if ($invalid_referer) {
22 return 403;
23 }
/$invalid referer表示无效的referer,若匹配到则返回403信息/
24 access_log off;
25 }
26 location ~ .*\.(js|css)$
27 {
28 # expires 12h;
29 access_log off;
30 }12.14 nginx访问控制
…
测试:
[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 -e "http://www.baidu.com" test.com/1.gif
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 -e "http://www.test.com" test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 13:55:38 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Tue, 14 Aug 2018 23:37:40 GMT
Connection: keep-alive
ETag: "5b7367c4-b"
Expires: Thu, 23 Aug 2018 13:55:38 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
www.baidu.com时状态码为403,www.test.com时状态码为200
12.14 nginx访问控制
针对目录的配置:
[root@hyc-01-01 test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
…
26 location ~ .*\.(js|css)$
27 {
28 # expires 12h;
29 access_log off;
30 }
31 location /admin/
32 {
33 allow 127.0.0.1;
34 allow 192.168.31.129;
35 deny all;
36 }
/url匹配/admin/时按顺序允许127.0.0.1/192.168.133.130,拒绝所有
顺序执行时一旦某一条被匹配,下面的规则不再轮询
/
37 location ~ admin.php
38 {
39 auth_basic "Auth";
40 auth_basic_user_file /usr/local/nginx/conf/htpasswd;
41 }
测试:
[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 admin]# curl -x127.0.0.1:80 http://test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 14:42:32 GMT
Content-Type: text/html
Content-Length: 23
Last-Modified: Mon, 13 Aug 2018 23:46:22 GMT
Connection: keep-alive
ETag: "5b72184e-17"
Accept-Ranges: bytes
[root@hyc-01-01 admin]# curl -x192.168.31.129:80 http://test.com/admin/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 14:42:35 GMT
Content-Type: text/html
Content-Length: 23
Last-Modified: Mon, 13 Aug 2018 23:46:22 GMT
Connection: keep-alive
ETag: "5b72184e-17"
Accept-Ranges: bytes
[root@hyc-01-01 admin]# tail -2 /tmp/test.com.log
127.0.0.1 - [16/Aug/2018:22:42:32 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"
192.168.31.129 - [16/Aug/2018:22:42:35 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"
[root@hyc-01-01 admin]# curl -x192.168.100.1:80 http://test.com/admin/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 14:48:56 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hyc-01-01 admin]# tail -1 /tmp/test.com.log
192.168.100.1 - [16/Aug/2018:22:48:56 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0
针对正则的配置:
[root@hyc-01-01 admin]# vim /usr/local/nginx/conf/vhost/test.com.conf
…
location /admin/
{
allow 127.0.0.1;
allow 192.168.31.129;
deny all;
}
location ~ .*(upload|image)/.*\.php$
/匹配任意一个或多个字符后跟upload或image后跟/后跟任意一个或多个字符并以.php结尾的url/
{
deny all;
}
测试:
[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 admin]# curl -x127.0.0.1:80 http://test.com/upload/test.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:07:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hyc-01-01 upload]# curl –x127.0.0.1:80 http://test.com/upload/test.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:12:59 GMT
Content-Type: text/plain
Content-Length: 20
Last-Modified: Thu, 16 Aug 2018 15:12:36 GMT
Connection: keep-alive
ETag: "5b759464-14"
Accept-Ranges: bytes
[root@hyc-01-01 upload]# tail -1 /tmp/test.com.log
127.0.0.1 - [16/Aug/2018:23:14:33 +0800] test.com "/upload/test.txt" 200 "-" "curl/7.29.0"
针对user_agent的配置:
[root@hyc-01-01 upload]# vim /usr/local/nginx/conf/vhost/test.com.conf
…
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
/此处user_agent后的~后跟一个*表示后面匹配的项不区分大小写/
{
return 403;
}
…
测试:
[root@hyc-01-01 upload]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 upload]# curl -A "Spider/3.0" -x127.0.0.1:80 http://test.com/upload/test.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:26:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@hyc-01-01 upload]# curl -A "Spidor/3.0" -x127.0.0.1:80 http://test.com/upload/test.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 15:26:50 GMT
Content-Type: text/plain
Content-Length: 20
Last-Modified: Thu, 16 Aug 2018 15:12:36 GMT
Connection: keep-alive
ETag: "5b759464-14"
Accept-Ranges: bytes
12.15 nginx解析php相关配置
配置:
[root@hyc-01-01 vhost]# vim test.com.conf
51 location ~ \.php$
52 {
53 include fastcgi_params;
54 fastcgi_pass unix:/tmp/php-fcgi.sock;
/指定php-fpm的socket文件位置,指定错误socket地址时可能报502错误,nginx配置文件中监听的socket地址或ip+端口必须与php-fpm中的socket地址或ip+端口保持一致/
55 fastcgi_index index.php;
56 fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
/ /data/wwwroot/test.com 的路径要和server中的root保持一致/
57 }
测试:
[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo() 无法解析
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 test.com]# !curl
curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 16 Aug 2018 23:57:48 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
php-fpm也支持-t和-s reload
[root@hyc-01-01 etc]# vim php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666 为了让所有文件对php的socket文件(/tmp/php-fcgi.sock)有读和写权限,无读和写权限则用户nginx无法读socket文件即无法与php-fpm通信导致php解析不正常等;
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
…
12.16 nginx代理
Web服务器只有一个私网ip,无法正常访问;
代理服务器要能同时与用户和web服务器互通(两块网卡);
代理服务器帮助用户访问web服务器,访问完成后向用户反馈结果;
用户可以正常访问远端web服务器,但直接从本地访问速度太慢,此时可以选择一台代理服务器作为跳板,用户访问代理服务器速度较快,代理服务器访问远端web服务器速度也较快,最终用户通过代理访问web服务器速度就会比直接访问web服务器快;
配置:
[root@hyc-01-01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@hyc-01-01 vhost]# vim proxy.conf
server
{
listen 80;
server_name ask.apelearn.com; 定义要访问的域名
location /
{
proxy_pass http:// 223.94.95.10 /; 告诉代理服务器真实服务器ip地址
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
/
header信息:
Host $host 要访问的域名是servername
X-Real-IP $remote_addr
X-Forwarded-For $proxy_add_x_forwarded_for
/
}
}
测试:
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 vhost]# curl ask.apelearn.com/robots.txt
[root@hyc-01-01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt测试成功
转载于:https://blog.51cto.com/12216458/2161380