目录
一、Nginx防盗链
二、Nginx访问控制
三、Nginx解析php相关配置
四、Nginx代理
一、Nginx防盗链
- 配置Nginx防盗链和配置过期时间、不记录日志都用到location,所以可以把两部分写在一起,如下所示:
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
12 location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
//~* 表示后面的关键词不区分大小写
13 {
14 expires 7d;
15 valid_referers none blocked server_names *.test.com ;
16 if ($invalid_referer) { //$invalid referer表示无效的referer
17 return 403;
18 }
19 access_log off;
20 }
···
- 测试
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl -x127.0.0.1:80 -e "http://www.baidu.com" test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 13:02:18 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@minglinux-01 ~] curl -x127.0.0.1:80 -e "http://www.test.com" test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 13:02:25 GMT
Content-Type: image/gif
Content-Length: 2
Last-Modified: Tue, 27 Nov 2018 15:00:53 GMT
Connection: keep-alive
ETag: "5bfd5c25-2"
Expires: Wed, 05 Dec 2018 13:02:25 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
防盗链配置成功,而且不仅仅有防盗链的功能,还有过期时间。
二、Nginx访问控制
- 针对目录的访问控制
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
33 location /admin/
34 {
35 allow 192.168.162.130;
36 allow 127.0.0.1;
37 deny all; // 顺序执行规则,某条规则执行后,后面的规则不在执行
38 }
39
···
作用:访问/admin/目录的请求,只允许某几个IP访问
配置httpd的时候,有一个order,来定义先allow还是先deny,在Nginx里并没有,只要匹配到规则就结束了。
- 测试
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] tail -2 /tmp/test.com.log
127.0.0.1 - [28/Nov/2018:21:19:08 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
192.168.162.130 - [28/Nov/2018:21:19:57 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
[root@minglinux-01 ~] curl -x192.168.162.135:80 test.com/admin/admin.php -I //用另一个网卡IP访问不了
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 13:32:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@minglinux-01 ~] tail -3 /tmp/test.com.log
127.0.0.1 - [28/Nov/2018:21:19:08 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
192.168.162.130 - [28/Nov/2018:21:19:57 +0800] test.com "/admin/admin.php" 200 "-" "curl/7.29.0"
192.168.162.135 - [28/Nov/2018:21:32:26 +0800] test.com "/admin/admin.php" 403 "-" "curl/7.29.0"
- 根据正则匹配来限制访问
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
40 location ~ .*(upload|image)/.*.php$
41 {
42 deny all;
43 }
作用:把访问的URL中带有upload或者image字符串,并且是PHP的请求拒绝访问。
- 测试
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] mkdir /data/wwwroot/test.com/upload/
[root@minglinux-01 ~] echo "123" >/data/wwwroot/test.com/upload/1.php
[root@minglinux-01 ~] curl -x127.0.0.1:80 test.com/upload/1.php
403 Forbidden
403 Forbidden
nginx/1.12.2
[root@minglinux-01 ~] echo "123" >/data/wwwroot/test.com/upload/1.txt
[root@minglinux-01 ~] curl -x127.0.0.1:80 test.com/upload/1.txt
123
root@minglinux-01 ~] tail -2 /tmp/test.com.log
127.0.0.1 - [28/Nov/2018:21:52:02 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [28/Nov/2018:21:53:19 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
- 针对user_agent访问控制
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
45 if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
46 {
47 return 403;
48 }
···
~为匹配符号,只要user_agent中含有Spider/3.0或者YoudaoBot或者Tomato字符串的,都会被拒绝,return 403为直接返回403的状态码,return 403和deny all效果一样。
- 测试
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl -x127.0.0.1:80 -A "Tomato" test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 14:02:41 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@minglinux-01 ~] curl -x127.0.0.1:80 -A "tomato" test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 28 Nov 2018 14:02:56 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 28 Nov 2018 13:53:13 GMT
Connection: keep-alive
ETag: "5bfe9dc9-4"
Accept-Ranges: bytes
三、Nginx解析php相关配置
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/test.com.conf
···
50 location ~ .php$
51 {
52 include fastcgi_params;
53 fastcgi_pass unix:/tmp/php-fcgi.sock;
54 fastcgi_index index.php;
55 fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
56 }
···
fastcgi_pass用来指定php-fpm的地址,指定错误地址时可能报502错误
。如果php-fpm监听的是一个tcp:port的地址( 比如127.0.0.1:9000),那么也需要在这里改成fastcgi_pass 127.0.0.1:9000
factcgi_param SCRIPT_FILENAME后面跟的路径为该站点的根目录,和server中的root路径保持一致。如果配置不对,访问PHP页面会出现404。
- 测试
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] vim /data/wwwroot/test.com/3.php
1
[root@minglinux-01 ~] vim /usr/local/php-fpm/etc/php-fpm.conf
1 [global]
2 pid = /usr/local/php-fpm/var/run/php-fpm.pid
3 error_log = /usr/local/php-fpm/var/log/php-fpm.log
4 [www]
5 listen = /tmp/php-fcgi.sock //php-fpm监听地址
6 listen.mode = 666 //权限666让所有文件对php的socket文件(/tmp/php-fcgi.sock)有读和写权限,无读和写权限则用户nginx无法读socket文件即无法与php-fpm通信导致php解析不正常。
7 user = php-fpm
8 group = php-fpm
9 pm = dynamic
10 pm.max_children = 50
11 pm.start_servers = 20
12 pm.min_spare_servers = 5
13 pm.max_spare_servers = 35
14 pm.max_requests = 500
15 rlimit_files = 1024
四、Nginx代理
Nginx的代理功能非常实用,例如一个没有公网IP的服务器想要访问远端web服务器,而它们并不相通,此时可以选择一台代理服务器作为跳板,代理服务器和web服务器相通,从而使服务器可以访问到远端web服务器。
[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/proxy.conf //新建proxy.conf文件
1 server
2 {
3 listen 80;
4 server_name ask.apelearn.com; //定义要访问的域名
5
6 location /
7 {
8 proxy_pass http://121.201.9.155/; //proxy_pass指定要代
理的域名所在的服务器IP
9 proxy_set_header Host $host; //后面的三行为定义发往后端Web服务器的请求头
10 proxy_set_header X-Real-IP $remote_addr;
11 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
12 }
13 }
- 测试
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
[root@minglinux-01 ~] curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
扩展
502问题汇总 http://ask.apelearn.com/question/9109
location优先级 http://blog.lishiming.net/?p=100
© 版权声明
文章版权归作者所有,未经允许请勿转载。
相关文章
暂无评论...