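4.41 - Static file expiry caching
What is the expiry time of a static file?
Static files such as images are cached in the client's browser; until the cached copy expires, the browser does not need to request the image again.
The expiry time gives these cached files a limited lifetime.
Without it, when an image has been updated on the server, the client would still be seeing the old one.
How to configure:
Open the virtual host configuration file with vi and add or change: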
location ~* \.(png|jpeg|gif|js|css|bmp|flv)$
{
expires 1d;
access_log off;
}
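Additional notes:
curl -x sets the proxy to use; here it points the request at the IP and port of the target server, e.g.: curl -x127.0.0.1:80 -I www.aminglinux.cc
bc is a calculator for Linux systems: yum install -y bc
4.42 - Nginx hotlink protection
What is hotlink protection?
Take two sites, A and B. When site A references images hosted on site B, that is called hotlinking. Hotlink protection prevents A from referencing B's images.
Configuration: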
location ~ \.(png|gif|jpeg|bmp|mp3|mp4|flv)$
{
valid_referers none blocked server_names *.aming.com;
if ($invalid_referer) {
return 403;
}
}
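Additional notes:
rz uploads a file: yum install lrzsz
sz filename sends the file to the Windows machine
Test hotlink protection: curl -I -e "http://www.aaa.com/1.txt" http://www.aming.com/1.png
curl's -e option sets a custom Referer
4.43-4.45 Access control 1/2/3
Restrict access by IP:
1) Whitelist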
allow 127.0.0.1;
deny all;
2) Blacklist
deny 127.0.0.1;
deny 1.1.1.1;
Restrict a directory
location /admin/    # applies to requests under the admin directory
{
allow 127.0.0.1;
allow 192.168.112.136;
deny all;
}
Restrict a certain type of file under a directory
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
The worked commands follow below.
Static file expiry caching
Response for a site where no static file expiry has been configured:
[root@test01 logrotate.d]# curl -x127.0.0.1:80 -I http://bbs.champin.top/static/image/common/logo_88_31.gif
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 18 Feb 2019 18:18:55 GMT
Content-Type: image/gif
Content-Length: 2528
Last-Modified: Thu, 14 Feb 2019 17:25:04 GMT
Connection: keep-alive
ETag: "5c65a470-9e0"
Accept-Ranges: bytes
[root@test01 logrotate.d]# cd
[root@test01 ~]# vim /etc/nginx/conf.d/bbs.champin.top.conf
location ~* \.(png|jpeg|gif|js|css|bmp|flv)$
{
expires 1d;
access_log off;
}
[root@test01 ~]# curl -x127.0.0.1:80 -I http://bbs.champin.top/static/image/common/logo_88_31.gif
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 18 Feb 2019 18:23:13 GMT
Content-Type: image/gif
Content-Length: 2528
Last-Modified: Thu, 14 Feb 2019 17:25:04 GMT
Connection: keep-alive
ETag: "5c65a470-9e0"
Expires: Tue, 19 Feb 2019 18:23:13 GMT
Cache-Control: max-age=86400    (86400 divided by 3600 is 24, exactly one day)
Accept-Ranges: bytes
Nginx hotlink protection
[root@test01 ~]# cd /data/wwwroot/www.champin.top/
[root@test01 ~]# yum install -y lrzsz    # then use the rz command to upload an image to the Linux host
[root@test01 www.champin.top]# ls ChMkJ1bKyj2IY5I6AAKq8xGyChkAALIYgLJm6cAAqsL010.jpg 1.png
Test with a browser: open www.champin.top/1.png, copy the image URL http://blog.champin.top/1.png, then write a post on the forum and insert a network image by pasting http://blog.champin.top/1.png.
location ~ \.(png|gif|jpeg|bmp|mp3|mp4|flv)$
{
valid_referers none blocked server_names www.champin.*;
if ($invalid_referer) {
return 403;
}
}
[root@test01 www.champin.top]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 www.champin.top]# nginx -s reload
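With hotlink protection in place, the image no longer displays on the forum in the browser. Press F12 and refresh: the request for 1.png now returns 403, while the image can still be opened directly on the blog. If you get a 404 instead, make the root directive global rather than setting it inside a location block.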
[root@test01 www.champin.top]# curl -I -x127.0.0.1:80 -e "http://bbb.ccc.top/1.txt" "http://blog.champin.top/1.png"
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Mon, 18 Feb 2019 19:05:12 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 www.champin.top]# curl -I -x127.0.0.1:80 -e "http://www.champin.top/1.txt" "http://blog.champin.top/1.png"
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 18 Feb 2019 19:05:27 GMT
Content-Type: image/png
Content-Length: 142135
Last-Modified: Mon, 18 Feb 2019 05:57:24 GMT
Connection: keep-alive
ETag: "5c6a4944-22b37"
Expires: Tue, 19 Feb 2019 19:05:27 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
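The valid_referers check above, modelled in Python as an added example (not part of the original notes, and a simplified model rather than nginx's own code). The server name blog.champin.top and the Referer www.champin.example.net are assumptions; URI prefixes and regex entries in valid_referers are not modelled.

```python
from urllib.parse import urlsplit

# Assumption: server_name of the vhost that serves 1.png (not shown in the notes).
SERVER_NAMES = ["blog.champin.top"]
# Pattern taken from the valid_referers line in the notes.
PATTERNS = ["www.champin.*"]

def host_matches(host, pattern):
    """Hostname pattern with '*' only as a leading '*.' or a trailing '.*'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1]) and len(host) > len(pattern) - 1
    return host == pattern

def invalid_referer(referer, allow_none=True, allow_blocked=True):
    """True when the request would hit `return 403` in the location block."""
    if referer is None:                          # header absent: "none"
        return not allow_none
    if not referer.lower().startswith(("http://", "https://")):
        return not allow_blocked                 # masked value: "blocked"
    host = (urlsplit(referer).hostname or "").lower()   # port is ignored
    return not any(host_matches(host, p) for p in SERVER_NAMES + PATTERNS)

def status(referer, **kw):
    return 403 if invalid_referer(referer, **kw) else 200

if __name__ == "__main__":
    samples = [
        "http://bbb.ccc.top/1.txt",          # curl test from the notes: 403
        "http://www.champin.top/1.txt",      # curl test from the notes: 200
        None,                                # no Referer header (direct visit)
        "http://www.champin.example.net/",   # constructed: trailing * spans several labels
    ]
    for r in samples:
        print(f"{str(r):40} -> {status(r)}")
    # Dropping "none" makes requests without a Referer fail as well.
    print("no Referer, without 'none' ->", status(None, allow_none=False))
```

The Referer header is supplied by the client, so this check limits embedding on other sites; it is not an access control for the files themselves.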
Access control (restrict by IP)
[root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
server {
listen 80;
server_name bbs.champin.top;
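# Whitelist
allow 127.0.0.1;
allow 192.168.1.0/24;    # only these two entries are allowed; everything else is denied
deny all;
# ... rest of the server block unchanged ...
}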
[root@test01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 ~]# nginx -s reload
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top -I    # access allowed
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 19 Feb 2019 17:00:35 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=Ib9b9Mro; expires=Thu, 21-Mar-2019 17:00:35 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1550592035; expires=Thu, 21-Mar-2019 17:00:35 GMT; Max-Age=2592000; path=/
Set-Cookie: eCL1_2132_sid=IATCGj; expires=Wed, 20-Feb-2019 17:00:35 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_lastact=1550595635%09index.php%09; expires=Wed, 20-Feb-2019 17:00:35 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Tue, 19-Feb-2019 17:05:35 GMT; Max-Age=300; path=/
Set-Cookie: eCL1_2132_sid=IATCGj; expires=Wed, 20-Feb-2019 17:00:35 GMT; Max-Age=86400; path=/
[root@test01 ~]# curl -x192.168.28.107:80 bbs.champin.top
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
If the network is changed to 192.168.28.0/24:
[root@test01 ~]# curl -x192.168.28.107:80 bbs.champin.top -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 19 Feb 2019 18:26:27 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=W7z71obL; expires=Thu, 21-Mar-2019 18:26:27 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1550597187; expires=Thu, 21-Mar-2019 18:26:27 GMT; Max-Age=2592000; path=/
Set-Cookie: eCL1_2132_sid=l2ss2g; expires=Wed, 20-Feb-2019 18:26:27 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_lastact=1550600787%09index.php%09; expires=Wed, 20-Feb-2019 18:26:27 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Tue, 19-Feb-2019 18:31:27 GMT; Max-Age=300; path=/
Set-Cookie: eCL1_2132_sid=l2ss2g; expires=Wed, 20-Feb-2019 18:26:27 GMT; Max-Age=86400; path=/
[root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
# Blacklist (no allow rules need to be written)
deny 127.0.0.1;    # deny these two IPs; all others are allowed
deny 1.1.1.1;
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top -I    # denied
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Tue, 19 Feb 2019 18:35:35 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 ~]# curl -x192.168.28.107:80 bbs.champin.top -I    # allowed
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 19 Feb 2019 18:36:16 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=PShnZ6Ue; expires=Thu, 21-Mar-2019 18:36:16 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1550597776; expires=Thu, 21-Mar-2019 18:36:16 GMT; Max-Age=2592000; path=/
Set-Cookie: eCL1_2132_sid=Ql354h; expires=Wed, 20-Feb-2019 18:36:16 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_lastact=1550601376%09index.php%09; expires=Wed, 20-Feb-2019 18:36:16 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Tue, 19-Feb-2019 18:41:16 GMT; Max-Age=300; path=/
Set-Cookie: eCL1_2132_sid=Ql354h; expires=Wed, 20-Feb-2019 18:36:16 GMT; Max-Age=86400; p
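The whitelist and blacklist results above follow from how nginx evaluates allow and deny: the rules are checked in order and the first match decides. A small Python model of that, as an added example (not part of the original notes); the MISORDERED list is a constructed case showing why deny all has to come last.

```python
import ipaddress

def access(client_ip, rules):
    """First matching rule wins; with no match the request is allowed.
    "pass" means the request continues to normal processing (200, 404, ...)."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target):
            return "pass" if action == "allow" else "403"
    return "pass"

# Rule sets from the notes, in file order.
WHITELIST = [("allow", "127.0.0.1"), ("allow", "192.168.1.0/24"), ("deny", "all")]
WHITELIST_28 = [("allow", "127.0.0.1"), ("allow", "192.168.28.0/24"), ("deny", "all")]
BLACKLIST = [("deny", "127.0.0.1"), ("deny", "1.1.1.1")]
# Constructed: the same whitelist with deny all written first, so no allow is reached.
MISORDERED = [("deny", "all"), ("allow", "127.0.0.1"), ("allow", "192.168.1.0/24")]

RULE_SETS = {
    "whitelist": WHITELIST,
    "whitelist (192.168.28.0/24)": WHITELIST_28,
    "blacklist": BLACKLIST,
    "misordered": MISORDERED,
}

def table(clients=("127.0.0.1", "192.168.28.107")):
    """Decision for each client address under each rule set."""
    return {name: {c: access(c, rules) for c in clients}
            for name, rules in RULE_SETS.items()}

if __name__ == "__main__":
    for name, row in table().items():
        print(f"{name:30} {row}")
```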
Restrict a directory (for a particular internal IP; it works the same way for a directory or a file)
[root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
server {
listen 80;
server_name bbs.champin.top;
#charset koi8-r;
location ~* \.(png|jpeg|gif|js|css|bmp|flv)$
{
expires 1d;
access_log off;
}
location ~ /admin.php
{
allow 127.0.0.1;
allow 192.168.1.0/24;    # the access rules are added here
deny all;
root /data/wwwroot/bbs.champin.top;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.champin.top$fastcgi_script_name;
include fastcgi_params;
}
# ... rest of the server block unchanged ...
}
[root@test01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 ~]# nginx -s reload
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top/admin.php -I    # accessible
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:20:22 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=GqQTq3zq; expires=Tue, 26-Mar-2019 17:20:22 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1551025222; expires=Tue, 26-Mar-2019 17:20:22 GMT; Max-Age=2592000; path=/
Set-Cookie: eCL1_2132_sid=i0hT05; expires=Mon, 25-Feb-2019 17:20:22 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_lastact=1551028822%09admin.php%09; expires=Mon, 25-Feb-2019 17:20:22 GMT; Max-Age=86400; path=/
[root@test01 ~]# curl -x192.168.28.107:80 bbs.champin.top/admin.php -I    # access denied
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:21:12 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 ~]# curl -x192.168.28.107:80 bbs.champin.top/admin -I    # a different path returns 404, which shows access is not blocked
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:21:49 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
location /abc    # restrict a directory directly
{
allow 127.0.0.1;
allow 192.168.1.0/24;
deny all;
}
[root@test01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 ~]# nginx -s reload
[root@test01 ~]# curl -x192.168.28.107:80 bbs.champin.top/abc/123 -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:27:47 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top/abc/123 -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:28:11 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Restrict a certain type of file under a directory
[root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
location ~ .*(upload|image|attachment|cache)/.*\.php$
{
deny all;
}
[root@test01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 ~]# nginx -s reload
Access is denied:
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top/abc/attachment/adfsdfsdf/dfsd.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:36:55 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Change attachment to attachmenst and the request is no longer blocked:
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top/abc/attachmenst/adfsdfsdf/dfsd.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:37:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top/upload/adfsdfsdf/dfsd.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:39:40 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 ~]# curl -x127.0.0.1:80 bbs.champin.top/cache/adfsdfsdf/dfsd.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:39:56 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
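A Python model of how the deny rule above interacts with the PHP handler, as an added example (not part of the original notes). nginx tries regex locations in the order they appear in the file and uses the first one that matches; the PHP handler pattern and the action labels are assumptions, and prefix locations are left out.

```python
import re

# Pattern from the notes; "~" means case-sensitive matching.
DENY = ("~", r".*(upload|image|attachment|cache)/.*\.php$", "403")
# Assumption: the usual PHP handler block, not shown in full in the notes.
PHP = ("~", r"\.php$", "php-fpm")

def route(uri, locations):
    """Return the action of the first regex location that matches uri."""
    for modifier, pattern, action in locations:
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, uri, flags):
            return action
    return "static"   # no regex location matched; a prefix location would serve it

CORRECT = [DENY, PHP]     # deny block placed before the PHP handler
SHADOWED = [PHP, DENY]    # constructed: handler first, deny block never reached

URIS = [
    "/abc/attachment/adfsdfsdf/dfsd.php",    # from the notes: 403
    "/abc/attachmenst/adfsdfsdf/dfsd.php",   # from the notes: reaches PHP (404)
    "/upload/adfsdfsdf/dfsd.php",            # from the notes: 403
    "/cache/adfsdfsdf/dfsd.php",             # from the notes: 403
    "/abc/myimage/x.php",                    # constructed: "image/" matches inside "myimage/"
]

def compare():
    """Action for each URI with the deny block first and with it shadowed."""
    return {u: (route(u, CORRECT), route(u, SHADOWED)) for u in URIS}

if __name__ == "__main__":
    for uri, (deny_first, php_first) in compare().items():
        print(f"{uri:40} deny-first={deny_first:8} php-first={php_first}")
```

Keep the deny block above the PHP handler in the configuration file, and rerun the curl checks from the notes after every reload.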