2018-3-15 Week 12, Lesson 4: Nginx hotlink protection, access control, PHP parsing configuration and proxying
12.13 Nginx hotlink protection
[[email protected] test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
~* means the match is case-insensitive
Whitelist *.test.com; a request whose Referer is not on the whitelist gets a 403
[[email protected] test.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:07:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[[email protected] test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:08:44 GMT
Content-Type: image/gif
Content-Length: 20
Last-Modified: Wed, 14 Mar 2018 14:32:47 GMT
Connection: keep-alive
ETag: "5aa9328f-14"
Expires: Wed, 21 Mar 2018 15:08:44 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[[email protected] test.com]# cat /tmp/test.com.log
127.0.0.1 - [14/Mar/2018:22:33:25 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:33:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:36:25 +0800] test.com "/2.jsdafafa" 404 "-" "curl/7.29.0"
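The hotlink-protection block that the two curl calls above exercise, written out as an added example (it is not the course's own vhost file); the file-extension list and the expires value are assumptions, the whitelist and the 403 follow the page.

```nginx
# Added example, not the page's own config: referer check for test.com.
server {
    listen 80;
    server_name test.com www.test.com;
    root /data/wwwroot/test.com;

    # Only static resources are referer-checked; HTML pages are left alone
    # (the log above shows /index.html answering 200 with an empty Referer).
    # The extension list is an assumption.
    location ~* \.(gif|jpg|png|bmp|ico|css|js|swf|flv)$ {
        # valid_referers sets $invalid_referer to 1 unless the Referer is:
        #   none       - absent (direct access, or "curl -I" without -e)
        #   blocked    - present but stripped to a bare value by a proxy
        #   *.test.com - any host under the whitelisted domain (case-insensitive)
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        # Assumed: 7 days, matching the max-age=604800 seen in the 200 reply.
        expires 7d;
    }
}
```

Because the Referer header is supplied by the client (the curl -e flag above sets it freely), this protects bandwidth against casual embedding but is not an authorization boundary; anything genuinely confidential needs the IP whitelist from 12.14 instead.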
12.14 Nginx access control
· Important or confidential content should not be reachable by others; set up a whitelist that only allows your own public IP or the company's public IP to access it.
· By directory:
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
allow and deny in the configuration file:
The allow and deny here do not follow the same rules as allow and deny under Apache's order directive.
In Apache, if allow comes first and then deny, the final result is deny;
In nginx, allow is a matching mechanism: once a request matches an allow rule, the rules below it are no longer evaluated. In this example, a request from 127.0.0.1 matches the first allow and nothing after it is evaluated; a request from 127.0.0.2 matches neither of the first two rules, so it naturally falls through to the third rule and is denied.
· By regular expression match
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# mkdir /data/wwwroot/test.com/upload    ## create the upload directory
[[email protected] ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.php
[[email protected] ~]# cat !$    ## create 1.php and check whether 1.php can be parsed
cat /data/wwwroot/test.com/upload/1.php
23wewerwer
[[email protected] ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[[email protected] ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.txt
[[email protected] ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
23wewerwer
(1.php cannot be parsed, while 1.txt in the same directory is served normally)
[[email protected] ~]# cat /tmp/test.com.log
· Restricting by user_agent:
Used when the site is under a CC attack, when you want to block certain spiders, or when you want to keep the site hidden so it cannot be found by search engines
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -A "Tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:26:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[[email protected] ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:27:15 GMT
Content-Type: text/plain
Content-Length: 11
Last-Modified: Thu, 15 Mar 2018 13:07:37 GMT
Connection: keep-alive
ETag: "5aaa7019-b"
Accept-Ranges: bytes
· Anything that matches the keyword Tomato is restricted; because the match is exact (case-sensitive), tomato does not match
To match regardless of case, add * after ~ in the configuration file, as shown in the figure
After reloading again, we can see that the lowercase variant is now blocked as well
[[email protected] ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:31:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
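The three access-control patterns of this section (by directory, by regex, by user agent) collected in one test.com vhost, as an added example that is not the course's own configuration; the /admin/ path and the 192.168.100.0/24 network are assumptions, while 127.0.0.1, upload/ and Tomato come from the page.

```nginx
# Added example, not the page's own config: access control for test.com.
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;

    # 1. By directory: rules are evaluated top to bottom and the first match
    #    wins. 127.0.0.1 matches the first allow and stops there; 127.0.0.2
    #    matches neither allow, falls through to "deny all" and gets a 403.
    location /admin/ {              # assumed path
        allow 127.0.0.1;
        allow 192.168.100.0/24;     # assumed office network
        deny all;
    }

    # 2. By regex: no .php under upload/ is ever served or handed to php-fpm,
    #    so an uploaded script is dead weight; 1.txt next to it is still served.
    #    nginx picks the FIRST matching regex location, so this block must
    #    appear before any "location ~ \.php$" fastcgi block in the same server.
    location ~ ^/upload/.*\.php$ {
        deny all;
    }

    # 3. By user agent: "~" is a case-sensitive regex, so 'Tomato' blocks
    #    Tomatosdafdsf but lets tomatosdafdsf through; "~*" ignores case,
    #    which is what the last curl above shows. Several keywords can be
    #    joined with "|".
    if ($http_user_agent ~* 'Tomato') {
        return 403;
    }
}
```

Run /usr/local/nginx/sbin/nginx -t before -s reload, as the page does; a 403 from the directory rule and from the regex rule look identical to the client, so use the access log's request path to tell them apart.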
12.15 Nginx PHP parsing configuration
· Configuring PHP parsing:
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
After saving, do not reload the configuration yet; first create a new PHP file with the following content
[[email protected] ~]# vi /data/wwwroot/test.com/3.php
[[email protected] ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 test.com/3.php
(the output is too long to list in full)
If the socket file path in the configuration file is wrong:
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 test.com/3.php
a 502 error is displayed
[[email protected] ~]# tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
We can see that the .sock file path is wrong; check the php-fpm.conf configuration file to find the actual .sock file path
[[email protected] ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
After correcting the PHP parsing settings in the vhost configuration file, the page can be accessed normally
· Listening on an IP and port
If php-fpm listens on a port instead of a socket, as shown in the figure
[[email protected] ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
[[email protected] ~]# /usr/local/php-fpm/sbin/php-fpm -t    ## check the configuration
[15-Mar-2018 22:13:07] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload    ## reload
[[email protected] ~]# netstat -lntp    ## port 9000 is listening
[[email protected] ~]# !curl    ## still a 502 error
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[[email protected] ~]# !tail
tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/03/15 22:15:43 [crit] 1821#0: *12 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
Comment out the original fastcgi_pass and add 127.0.0.1:9000
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/php-fpm/sbin/php-fpm -t
[15-Mar-2018 22:24:19] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[[email protected] ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
PHP is now parsed
(So the php-fpm configuration and the virtual host configuration must correspond one to one: socket to socket, port to port)
★ SCRIPT_FILENAME in the configuration file must match the root path declared at the top of the same configuration file:
· In php-fpm.conf, listen.mode sets the permission that lets nginx read /tmp/php-fcgi.sock
[[email protected] ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
· Without this permission, php-fcgi.sock defaults to mode 440 with owner and group root, while nginx runs as nobody and cannot read it, so an error results; let's try it below
Change the virtual host back to php-fcgi.sock so that it matches php-fpm.conf
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
(The 502 error is precisely because of the permission problem)
And the error log now shows a Permission denied error
[[email protected] ~]# cat /usr/local/nginx/logs/nginx_error.log
[[email protected] ~]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 3月 15 22:48 /tmp/php-fcgi.sock
[[email protected] ~]# ps aux |grep nginx
nginx runs as nobody and has no read permission on php-fcgi.sock, hence the 502 error; for normal access it needs at least read and write permission
Temporarily change the owner of /tmp/php-fcgi.sock to nobody; access then no longer returns 502
[[email protected] ~]# chown nobody /tmp/php-fcgi.sock
[[email protected] ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:00:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Therefore, listen.mode in /usr/local/php-fpm/etc/php-fpm.conf must grant everyone read and write permission on /tmp/php-fcgi.sock
· php-fpm running out of resources also produces 502 errors; in that case php-fpm needs tuning
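The PHP location of the test.com vhost with the three settings this section says must agree (fastcgi_pass against php-fpm's listen, SCRIPT_FILENAME against root, socket permissions against the nobody worker), as an added example that is not the course's own file; the fastcgi_params include is nginx's stock file and the 660 owner/group variant at the end is an assumption, everything else comes from the page.

```nginx
# Added example, not the page's own config: PHP parsing for test.com.
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;
    index index.html index.php;

    location ~ \.php$ {
        # Answer 404 ourselves for scripts that do not exist on disk instead
        # of asking php-fpm to resolve the path.
        try_files $uri =404;
        include fastcgi_params;
        # Must match "listen =" in php-fpm.conf: socket to socket, port to
        # port. A typo here (php-cgi.sock vs php-fcgi.sock) is the first 502
        # in the section; a socket nobody cannot read is the second.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # fastcgi_pass 127.0.0.1:9000;   # the port variant, if php-fpm listens on 9000
        fastcgi_index index.php;
        # $document_root is the root above, so SCRIPT_FILENAME cannot drift
        # from it the way a hard-coded /data/wwwroot/... path can.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# The matching [www] pool lines in /usr/local/php-fpm/etc/php-fpm.conf
# (ini syntax, shown here as comments):
#   listen = /tmp/php-fcgi.sock
#   listen.mode = 666        ; what the page uses: everyone may read and write
# Assumed tighter equivalent that still lets the nobody worker connect
# without opening the socket to every local user:
#   listen.owner = nobody
#   listen.group = nobody
#   listen.mode = 660
```

After editing both files, run /usr/local/nginx/sbin/nginx -t and /usr/local/php-fpm/sbin/php-fpm -t before reloading, and confirm with ll /tmp/php-fcgi.sock that the owner or mode actually changed; a "Permission denied" in nginx_error.log with a 502 means they did not.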
12.16 Nginx proxy
1. Users cannot reach the web server directly; the web server has only a private IP
2. Users can reach the web server, but access is too slow
The proxy can reach both the user and the web server; acting as the intermediary, it fetches content on the user's behalf and returns the result to the user
[[email protected] ~]# cd /usr/local/nginx/conf/vhost/
[[email protected] vhost]# vim proxy.conf
proxy_pass: the web server's IP address
proxy_set_header Host: the hostname/domain being accessed ($host, that is, the server_name)
proxy_set_header X-Real-IP: passes the client's IP address
[[email protected] vhost]# curl ask.apelearn.com/robots.txt
[[email protected] vhost]# curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt
Summary of errors:
When running curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt I got a 502; I checked the configuration file and found no errors. Then it occurred to me that the IP for ask.apelearn.com might be wrong, so I used the host command to look up the site's IP and found it had changed, so I updated the proxy_pass IP in proxy.conf
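The proxy.conf of 12.16 written out as an added example (not the course's own file): 192.0.2.10 is a placeholder for the backend's real address, which is exactly the value whose staleness produced the 502 in the error summary; the timeout line is an assumption.

```nginx
# Added example, not the page's own proxy.conf: reverse proxy for ask.apelearn.com.
server {
    listen 80;
    server_name ask.apelearn.com;

    location / {
        # Where nginx fetches the content from: the real web server's IP.
        # PLACEHOLDER: replace with the current address ("host ask.apelearn.com");
        # a stale IP here is what produced the 502 in the error summary.
        proxy_pass http://192.0.2.10/;
        # The backend selects its vhost by Host, so send the name the client
        # asked for ($host), not the proxy's own address.
        proxy_set_header Host $host;
        # Hand the client's address to the backend so its logs and any IP
        # whitelists see the visitor, not the proxy, on every request.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Assumed: fail fast on an unreachable upstream rather than hanging clients.
        proxy_connect_timeout 5s;
    }
}
```

The backend should trust X-Real-IP only when the connection comes from this proxy's address, since any client can put that header on a request that reaches it directly.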
Corrections are welcome; let's learn from each other and improve together!!!