Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, Nginx proxy

Network technology · updated 5 months ago · fdadmin

Contents

1. Nginx hotlink protection
2. Nginx access control
3. Nginx PHP parsing configuration
4. Nginx proxy

1. Nginx hotlink protection

  • Hotlink protection, expiry times and disabling access logging are all configured inside a location block, so the two parts can be written together, as shown below:

[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
    # ~* makes the pattern case-insensitive; the dot before the extension is escaped so it matches a literal "."
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
          expires      7d;
          valid_referers none blocked server_names *.test.com ;
          if ($invalid_referer) {   # $invalid_referer is set when the Referer is not covered by valid_referers
              return 403;
          }
          access_log off;
    }
···
  • Test
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl -x127.0.0.1:80 -e "http://www.baidu.com" test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 13:02:18 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@minglinux-01 ~] curl -x127.0.0.1:80 -e "http://www.test.com" test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 13:02:25 GMT
Content-Type: image/gif
Content-Length: 2
Last-Modified: Tue, 27 Nov 2018 15:00:53 GMT
Connection: keep-alive
ETag: "5bfd5c25-2"
Expires: Wed, 05 Dec 2018 13:02:25 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

Hotlink protection is configured successfully, and the block provides not only hotlink protection but also the expiry time (visible in the Expires and Cache-Control headers).
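As an added example (not from the original post), here is a small Python model of the valid_referers rule above, handy for checking which Referer values the block will accept before reloading nginx. It assumes server_names expands to test.com, the vhost seen in the log lines, and it makes the limitation visible: a request with no Referer, or one masked by a proxy, passes because of none and blocked, so this reduces casual hotlinking but is not an authorization control.

```python
from typing import Optional
from urllib.parse import urlsplit

# Added example (not from the original post): a model of how nginx evaluates
#   valid_referers none blocked server_names *.test.com ;
# server_names is assumed to expand to ["test.com"], the vhost seen in the curl tests.
SERVER_NAMES = ["test.com"]
VALID_PATTERNS = ["*.test.com"]


def host_matches(host: str, pattern: str) -> bool:
    """nginx-style name match: '*' is allowed only at the start or the end of a pattern."""
    pattern = pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])       # *.test.com matches www.test.com, not test.com
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer: Optional[str]) -> bool:
    """True when nginx would set $invalid_referer, i.e. the block above returns 403."""
    if not referer:
        return False                            # 'none': no Referer header at all
    lowered = referer.lower()
    if not lowered.startswith(("http://", "https://")):
        return False                            # 'blocked': Referer present but masked by a proxy/firewall
    host = urlsplit(lowered).hostname or ""     # nginx ignores the port in the Referer
    return not any(host_matches(host, p) for p in SERVER_NAMES + VALID_PATTERNS)


def status_for(referer: Optional[str]) -> int:
    """Status the location block above answers for a matching image request."""
    return 403 if invalid_referer(referer) else 200


if __name__ == "__main__":
    # The two curl tests from the post, plus the cases a Referer check lets through.
    for ref in ("http://www.baidu.com", "http://www.test.com", None, "XXXXX"):
        print(repr(ref), status_for(ref))
```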

2. Nginx access control

  • Access control for a directory
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
    location /admin/
    {
        allow 192.168.162.130;
        allow 127.0.0.1;
        deny all;      # rules are evaluated in order; once one matches, the remaining rules are not evaluated
    }
···

Effect: requests for the /admin/ directory are permitted only from the listed IPs.

When configuring httpd there is an order directive that decides whether allow or deny is evaluated first; Nginx has no such thing: evaluation stops at the first rule that matches.

  • Test
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] tail -2 /tmp/test.com.log
127.0.0.1 - [28/Nov/2018:21:19:08 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
192.168.162.130 - [28/Nov/2018:21:19:57 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
[root@minglinux-01 ~] curl -x192.168.162.135:80 test.com/admin/admin.php -I   # access via the host's other NIC address is refused
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 13:32:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@minglinux-01 ~] tail -3 /tmp/test.com.log
127.0.0.1 - [28/Nov/2018:21:19:08 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
192.168.162.130 - [28/Nov/2018:21:19:57 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
192.168.162.135 - [28/Nov/2018:21:32:26 +0800] test.com "/admin/admin.php" 403 "-" "curl/7.29.0"

  • Restricting access by regular-expression match
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
···

Effect: requests whose URL contains the string upload or image and that target a PHP file are denied.

  • Test
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] mkdir /data/wwwroot/test.com/upload/
[root@minglinux-01 ~] echo "123" >/data/wwwroot/test.com/upload/1.php
[root@minglinux-01 ~] curl -x127.0.0.1:80 test.com/upload/1.php
403 Forbidden
403 Forbidden
nginx/1.12.2
[root@minglinux-01 ~] echo "123" >/data/wwwroot/test.com/upload/1.txt
[root@minglinux-01 ~] curl -x127.0.0.1:80 test.com/upload/1.txt
123
[root@minglinux-01 ~] tail -2 /tmp/test.com.log
127.0.0.1 - [28/Nov/2018:21:52:02 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [28/Nov/2018:21:53:19 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

  • Access control by user_agent
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
      return 403;
    }
···

~ is the regex match operator (case-sensitive, which is why "tomato" still gets a 200 in the test): any user_agent containing the string Spider/3.0, YoudaoBot or Tomato is refused. return 403 returns the 403 status code directly; return 403 and deny all have the same effect.

  • Test
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl -x127.0.0.1:80 -A "Tomato" test.com/upload/1.txt -I 
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 14:02:41 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@minglinux-01 ~] curl -x127.0.0.1:80 -A "tomato" test.com/upload/1.txt -I 
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 14:02:56 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 28 Nov 2018 13:53:13 GMT
Connection: keep-alive
ETag: "5bfe9dc9-4"
Accept-Ranges: bytes
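The three rules of this section, as an added example that is not part of the original post: a Python model of the order in which nginx evaluates them (server-level if first, then location selection, then allow/deny), checked against the log lines above. It also models a caveat of this particular file: once the location ~ \.php$ block of the next section is appended, that regex location wins over the /admin/ prefix location for /admin/admin.php and the allow/deny list no longer applies; declaring the prefix as location ^~ /admin/ (the admin_priority flag here) restores it.

```python
import ipaddress
import re

# Added example (not from the original post): a model of this section's three rules,
# evaluated in the order nginx applies them, using the values from test.com.conf above.
ADMIN_RULES = [("allow", "192.168.162.130"), ("allow", "127.0.0.1"), ("deny", "all")]
BAD_AGENTS = re.compile(r"Spider/3.0|YoudaoBot|Tomato")          # '~' is case-sensitive
DENY_PHP_UNDER_UPLOADS = re.compile(r".*(upload|image)/.*\.php$")
PHP_FASTCGI = re.compile(r"\.php$")                              # the location added in section 3

SECTION_2 = [DENY_PHP_UNDER_UPLOADS]                 # regex locations present during the tests above
SECTION_3 = [DENY_PHP_UNDER_UPLOADS, PHP_FASTCGI]    # after the php location is appended


def allow_deny(client_ip: str, rules) -> bool:
    """First matching allow/deny rule wins; nginx has no httpd-style 'order'."""
    ip = ipaddress.ip_address(client_ip)
    for action, subject in rules:
        if subject == "all" or ip in ipaddress.ip_network(subject, strict=False):
            return action == "allow"
    return True                                      # nothing matched: access is allowed


def select_location(path: str, regex_locations, admin_priority: bool = False) -> str:
    """The longest prefix match is remembered, then regex locations are tried in file
    order and the first hit wins, unless the prefix was declared with '^~' (admin_priority)."""
    if admin_priority and path.startswith("/admin/"):
        return "admin"
    for rx in regex_locations:
        if rx.search(path):
            return "deny-php-under-uploads" if rx is DENY_PHP_UNDER_UPLOADS else "php"
    return "admin" if path.startswith("/admin/") else "root"


def decide(client_ip: str, path: str, user_agent: str,
           regex_locations=SECTION_2, admin_priority: bool = False) -> int:
    """Status code nginx would answer for the request under this section's rules."""
    if BAD_AGENTS.search(user_agent):                # server-level 'if' runs before location selection
        return 403
    loc = select_location(path, regex_locations, admin_priority)
    if loc == "deny-php-under-uploads":
        return 403
    if loc == "admin":
        return 200 if allow_deny(client_ip, ADMIN_RULES) else 403
    return 200                                       # 'php' or 'root': no access rules apply
```

With ^~ the PHP files under /admin/ are served by that prefix location, so a nested location ~ \.php$ carrying the same fastcgi settings is needed if they must still execute.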

3. Nginx PHP parsing configuration

[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
···

fastcgi_pass specifies the address of php-fpm; if a wrong address is given, requests may fail with a 502 error.
If php-fpm listens on a TCP address:port (for example 127.0.0.1:9000), this line must be changed accordingly to fastcgi_pass 127.0.0.1:9000.

The path following fastcgi_param SCRIPT_FILENAME is the site's document root and must match the root path in the server block. If it is configured incorrectly, PHP pages return 404.

  • Test
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] vim /data/wwwroot/test.com/3.php
[root@minglinux-01 ~] vim /usr/local/php-fpm/etc/php-fpm.conf
···
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock  ; php-fpm listen address
listen.mode = 666  ; mode 666 gives every user read and write access to the php-fpm socket file (/tmp/php-fcgi.sock); without read and write permission the nginx user cannot open the socket, so it cannot talk to php-fpm and PHP is not parsed
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
···
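As an added check (not part of the original post), this Python snippet cross-checks the php location against php-fpm.conf for the two failure modes named above: a fastcgi_pass that does not match php-fpm's listen (502) and a SCRIPT_FILENAME prefix that differs from the site root (404). The snippets inside it are constructed from the post, and the root line is an assumption because the server block itself is not shown.

```python
import re

# Added example (not from the original post): cross-check the php location against php-fpm.conf
# for the two failure modes the post names: fastcgi_pass not matching php-fpm's listen (502)
# and a SCRIPT_FILENAME prefix that differs from the site root (404). The snippets are
# constructed from the post; the 'root' line is assumed, since the server block is not shown.
NGINX_PHP_LOCATION = """
    root /data/wwwroot/test.com;
    location ~ \\.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
"""
PHP_FPM_CONF = """
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
"""


def _first(pattern: str, text: str, default: str = "") -> str:
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else default


def check_php_handoff(nginx_conf: str, fpm_conf: str) -> list:
    """Return the problems found; an empty list means nginx and php-fpm agree."""
    problems = []
    root = _first(r"^\s*root\s+([^;]+);", nginx_conf)
    fastcgi_pass = _first(r"^\s*fastcgi_pass\s+([^;]+);", nginx_conf)
    script_prefix = _first(r"SCRIPT_FILENAME\s+(.*?)\$fastcgi_script_name", nginx_conf)
    listen = _first(r"^\s*listen\s*=\s*(.+)$", fpm_conf)
    # php-fpm listens on a socket path or host:port; fastcgi_pass must name the same endpoint
    expected_pass = f"unix:{listen}" if listen.startswith("/") else listen
    if fastcgi_pass != expected_pass:
        problems.append(f"502 risk: fastcgi_pass {fastcgi_pass!r} but php-fpm listens on {listen!r}")
    if script_prefix.rstrip("/") != root.rstrip("/"):
        problems.append(f"404 risk: SCRIPT_FILENAME prefix {script_prefix!r} differs from root {root!r}")
    # the nginx worker must be able to open the socket: the post uses listen.mode = 666 for that
    mode = _first(r"^\s*listen\.mode\s*=\s*(\d+)", fpm_conf, "660")   # 0660 is php-fpm's default
    if listen.startswith("/") and (int(mode, 8) & 0o006) == 0 \
            and not _first(r"^\s*listen\.(owner|group)\s*=", fpm_conf):
        problems.append("502 risk: socket not world-accessible and no listen.owner/group set")
    return problems
```

Mode 666 lets any local account on the host submit requests to php-fpm; setting listen.owner and listen.group to the nginx worker user with listen.mode = 0660 gives the same working setup with a narrower audience, and the check above accepts that variant.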

4. Nginx proxy

Nginx's proxy function is very practical. For example, a server without a public IP needs to reach a remote web server but has no route to it; a proxy server that can reach the web server can then act as a jump host, so the first server reaches the remote web server through it.

[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/proxy.conf  # create a new proxy.conf file
···
server
{
    listen 80;
    server_name ask.apelearn.com;  # the domain to be accessed through the proxy

    location /
    {
        proxy_pass      http://121.201.9.155/;  # proxy_pass gives the IP of the server hosting the proxied domain
        proxy_set_header Host   $host;          # these three lines define the request headers sent to the backend web server
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
···
  • Test
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
[root@minglinux-01 ~] curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
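As an added example (not from the original post), here is what the three proxy_set_header lines produce and how the backend web server should read them; the proxy address 203.0.113.10 and the client addresses are constructed values. Because $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent, the backend must trust only the right-most entries added by its own proxy, otherwise a client chooses the address that ends up in logs and IP-based rules.

```python
import ipaddress
from typing import Optional

# Added example (not from the original post): the headers the proxy.conf block sends upstream,
# and a backend-side reader that trusts only addresses appended by our own proxy.
# 203.0.113.10 is a constructed address standing in for the proxy host.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def proxy_headers(remote_addr: str, host: str, incoming_xff: Optional[str] = None) -> dict:
    """Headers nginx sends for 'location /' in proxy.conf: Host, X-Real-IP and
    X-Forwarded-For, the last one built exactly like $proxy_add_x_forwarded_for."""
    xff = f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr
    return {"Host": host, "X-Real-IP": remote_addr, "X-Forwarded-For": xff}


def _is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)              # raises ValueError on garbage: fail closed
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff: str, peer: str) -> str:
    """Walk X-Forwarded-For from the right, skipping our own proxies; the first address
    that is not ours is the client. 'peer' is the TCP peer the backend actually sees.
    If the peer is not a trusted proxy the header is ignored entirely."""
    chain = [a.strip() for a in xff.split(",") if a.strip()] + [peer]
    for addr in reversed(chain):
        if not _is_trusted(addr):
            return addr
    return peer                                  # every hop was ours: report the proxy itself
```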
Further reading

Summary of 502 problems http://ask.apelearn.com/question/9109
location priority http://blog.lishiming.net/?p=100

Article source: Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, Nginx proxy
