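1 Preface
In production we sometimes need to use Nginx to restrict access by file type; this chapter collects the configurations we use for that requirement.
2 Best practice
2.1 Server environment
2.2 Allow access to only certain file types
2.2.1 Edit the configuration file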
vim /etc/nginx/conf.d/www.cmdschool.org_80.conf
Change the configuration as follows,
server {
    listen 80;
    server_name www.cmdschool.org;
    # Only requests ending in one of these extensions are served from the site root (case-insensitive match)
    location ~* \.(html|htm|php|gif|jpg|jpeg|bmp|png|ico|js|css)$ {
        root /var/www/www.cmdschool.org;
        index index.html index.htm index.php;
        expires 3d;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
2.2.2 Restart the service to apply the configuration
systemctl restart nginx.service
2.2.3 Create test pages
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.html
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.bat
2.2.4 Test access to an html file
curl http://www.cmdschool.org/index.html
The command displays the following,
www.cmdschool.org
2.2.5 Test access to a bat file
curl http://www.cmdschool.org/index.bat
The command displays the following,
404 Not Found
2.3 Deny access to only certain file types
2.3.1 Edit the configuration file
vim /etc/nginx/conf.d/www.cmdschool.org_80.conf
Change the configuration as follows,
server {
    listen 80;
    server_name www.cmdschool.org;
    location / {
        root /var/www/www.cmdschool.org;
        index index.html index.htm index.php;
    }
    # Requests ending in .exe or .bat get 410 Gone (case-sensitive match)
    location ~ \.(exe|bat)$ {
        root /var/www/www.cmdschool.org;
        return 410;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
2.3.2 Restart the service to apply the configuration
systemctl restart nginx.service
2.3.3 Create test pages
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.html
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.bat
2.3.4 Test access to an html file
curl http://www.cmdschool.org/index.html
The command displays the following,
www.cmdschool.org
2.3.5 Test access to a bat file
curl http://www.cmdschool.org/index.bat
The command displays the following,
410 Gone
2.4 Grant exceptions to denied file types
2.4.1 Edit the configuration file
vim /etc/nginx/conf.d/www.cmdschool.org_80.conf
Change the configuration as follows,
server {
    listen 80;
    server_name www.cmdschool.org;
    location / {
        root /var/www/www.cmdschool.org;
        index index.html index.htm index.php;
    }
    # Exception: anchored with ^ and dots escaped so only these two exact paths match
    location ~ ^/exception/(example\.exe|example\.bat)$ {
        root /var/www/www.cmdschool.org;
    }
    # All other .exe and .bat requests get 410 Gone (case-insensitive match)
    location ~* \.(exe|bat)$ {
        root /var/www/www.cmdschool.org;
        return 410;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
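The configuration above relies on the priority of the location match types. From highest to lowest priority they are,
"=" exact match
"^~" prefix match that skips regular-expression matching
"~" regular-expression match (case-sensitive)
"~*" regular-expression match (case-insensitive)
"" prefix match with no modifier
Regular-expression locations are checked in the order they appear in the configuration file and the first match is used, so the exception block must be placed before the block that returns 410.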
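The selection order described above can be checked offline with a small model. This is an added example, not code from the original page or from nginx: it is a simplified Python model of location selection (no nested or named locations, no URI normalization), the location tables are constructed from the 2.3.1 and 2.4.1 server blocks, and the exception regex is assumed to be written in an anchored, dot-escaped form.

```python
import re

# Constructed model of the 2.4.1 server block: (modifier, pattern, action),
# listed in configuration-file order. The exception regex is written in an
# anchored, dot-escaped form (an assumption of this example).
SERVER = [
    ("", "/", "serve"),
    ("~", r"^/exception/(example\.exe|example\.bat)$", "serve"),
    ("~*", r"\.(exe|bat)$", "410"),
    ("=", "/50x.html", "serve"),
]

def select_location(uri, locations):
    """Return the (modifier, pattern, action) nginx would pick (simplified model)."""
    # 1. "=" exact match wins immediately.
    for loc in locations:
        if loc[0] == "=" and uri == loc[1]:
            return loc
    # 2. Remember the longest matching prefix ("" or "^~").
    prefixes = [l for l in locations if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":
        return best  # "^~" skips the regex pass entirely
    # 3. Regex locations are tried in file order; the first match wins.
    for loc in locations:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    # 4. No regex matched: fall back to the remembered prefix.
    return best

def action(uri, locations=SERVER):
    loc = select_location(uri, locations)
    return loc[2] if loc else "404"

# Same blocks with the deny regex placed before the exception regex.
SWAPPED = [SERVER[0], SERVER[2], SERVER[1], SERVER[3]]
# The case-sensitive deny rule from section 2.3.1.
CASE_SENSITIVE = [("", "/", "serve"), ("~", r"\.(exe|bat)$", "410")]

if __name__ == "__main__":
    for uri in ["/index.html", "/index.bat", "/exception/example.bat",
                "/uploads/exception/example.exe", "/INDEX.BAT"]:
        print(f"{uri:34} 2.4.1={action(uri)} swapped={action(uri, SWAPPED)} "
              f"2.3.1={action(uri, CASE_SENSITIVE)}")
```

With the deny block listed first the exception never takes effect, and the case-sensitive rule from 2.3.1 lets /INDEX.BAT fall through to the plain prefix location.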
2.4.2 Restart the service to apply the configuration
systemctl restart nginx.service
2.4.3 Create test pages
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.html
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.bat
mkdir -p /var/www/www.cmdschool.org/exception
echo www.cmdschool.org > /var/www/www.cmdschool.org/exception/example.bat
echo www.cmdschool.org > /var/www/www.cmdschool.org/exception/example.exe
2.4.4 Test access to an html file
curl http://www.cmdschool.org/index.html
The command displays the following,
www.cmdschool.org
2.4.5 Test access to a bat file
curl http://www.cmdschool.org/index.bat
The command displays the following,
410 Gone
2.4.6 Test access to the excepted bat and exe files
curl http://www.cmdschool.org/exception/example.bat
curl http://www.cmdschool.org/exception/example.exe
The commands display the following,
www.cmdschool.org