14.Nginx防盗链&Nginx访问控制&Nginx解析php相关配置&Nginx代理

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了14.Nginx防盗链&Nginx访问控制&Nginx解析php相关配置&Nginx代理相关的知识,希望对你有一定的参考价值。

[toc]

一、nginx防盗链:

1. 打开配置文件:

增加如下配置文件:

[[email protected] ~]# cd /usr/local/nginx/conf/vhost/
[[email protected] vhost]# vim test.com.conf

    } 
  #  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  #  {
  #        expires      7d;
  #        access_log off;
  #  }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{   
    expires 7d; 
    valid_referers none blocked server_names  *.haha.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
  • 防盗链部分
valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }

如上配置文件中匹配以gif,jpg,png结尾的页面,并且设置一个白名单的referer为*.test.com, 其它的($invalid_referer)均403 forbidden!

2. 测试+重载(-t && -s reload)

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

使用本地主机访问2.js 是没有问题的,指定一个referer,再次测试:

[[email protected] vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

二、Nginx访问控制:

有时候在咱们运维一些网站的时候,发现一些访问是不正常的。或者为了提高安全性,我们需要将某些页面加密处理!

1 增加如下配置文件

vim /usr/local/nginx/conf/vhost/test.com.conf

location /admin/

{
    allow 127.0.0.1;
    allow 192.168.72.130; //自己试验虚拟机的网卡
    deny all;
}

技术分享图片

==匹配规则为,一旦匹配则后面的均不执行,也就是允许127.0.0.1和192.168.72.130 访问;其它的均拒绝!==

2.测试语法并重载配置

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

3.匹配站点后台登录页,进行访问控制!

[[email protected] vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
[[email protected] vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes

查看日志:cat /tmp/test.com.log

技术分享图片

4.针对某个可以上传的目录做指定文件(例如:php)不解析:

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

技术分享图片

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

任何PHP文件都不解析,而txt文件可以访问

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK

5.根据user-agent限制:

如果站点被CC攻击了,或者不想被蜘蛛爬自己的网站,我们完全可以根据user-agent去禁止掉:

vim /usr/local/nginx/conf/vhost/test.com.conf 打开添加一下语句

if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato‘)
{
      return 403;
}

测试语法并重加载配置

[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload

加载1.txt测试

[[email protected] vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[[email protected] vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes

我们发现,当我们修改user-agent为小写的时候,就不生效了。所以我们需要设置忽略大小写:

重新在虚拟机配置文件 test.com.conf下修改配置

if ($http_user_agent ~* ‘Spider/3.0|YoudaoBot|Tomato‘)
{
      return 403;
}

只需要在~添加一个 * 即可!

技术分享图片

完成过程:

[[email protected] vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf 
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

三、Nginx解析php相关配置

1.增加以下配置:

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
      }

fastcgi_pass 用来指定php-fpm监听的地址或者socket

完整以配置的内容:

vim /usr/local/nginx/conf/vhost/test.com.conf 

  #        expires      7d;
  #        access_log off;
  #  }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    }
    access_log off;
}   
location ~ .*\.(js|css)$
    {   
          expires      12h;
          access_log off;
    }
    location /admin/

{         
    allow 127.0.0.1; 
    allow 192.168.72.130;
    deny all;
}

location ~ .*(upload|image)/.*\.php$
{   
        deny all;
}
if ($http_user_agent ~* ‘Spider/3.0|YoudaoBot|Tomato‘)
{
      return 403;
}       
location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
      }

技术分享图片

技术分享图片

2.创建一个测试php文件

[[email protected] vhost]# vim /data/nginx/test.com/3.php
>?php
phpinfo();

无法解析,显示源码(编辑的conf文件未完成-t&-s reload配置)

[[email protected] vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

这里特别注意下配置文件中/data/nginx/test.com,而不是设置www.test.com

技术分享图片

-t&-s reload配置后,可以正常解析phpinfo()

技术分享图片

3.小结:其中fastcgi_pass用来指定php-fpm的地址,如果php-fpm监听的是一个tcp:port的地址(比如127.0.0.1:9000),那么也需要在这里改成fastcgi_pass 127.0.0.1:9000。这个地址一定要和php-fpm服务监听的地址匹配,否是会报502错误.还有一个地方要注意fastcgi_param SCRIPT_FILENAME 后面跟的路径为该站点的根目录,和前面定义的root那个路径保持一致,如果这里配置不对,访问PHP页面会出现404;还有一种502的现象,如果内存中出现大量的php-fpm进程占据了内存,也会同样导致此问题!

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
      }

查看php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

无法查看错误日志

技术分享图片

四、Nginx代理

假如一个用户需要访问WEB服务器,但是用户与WEB服务器之间是不通的,WEB服务器在内网,我们需要一个代理服务器来帮助用户访问web,他必须和用户相通,也必须和web服务器相通,在中间起到搭桥的这就是代理服务器。

4.1 原理:

技术分享图片

4.2 编辑配置文件

cd /usr/local/nginx/conf/vhost

vim proxy.conf
  • 加入如下内容:
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

因为是代理服务器所以不需要访问本地服务器的任何文件; ask.apelearn.com; 定义一个域名;

proxy_pass http://121.201.9.155/;真实WEB服务器的IP地址

$host; 也就是咱们的server_name

没有重启nginx服务前,先测试一下:

重启nginx之后再次测试

以上是关于14.Nginx防盗链&Nginx访问控制&Nginx解析php相关配置&Nginx代理的主要内容,如果未能解决你的问题,请参考以下文章

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配置 12.16 Nginx代理

12.13 Nginx防盗链 12.14 Nginx访问控制 12.15 Nginx解析php相关配

Nginx防盗链 Nginx访问控制 Nginx解析php相关配置 Nginx代理

12.13-12.16

2018-6-11

nginx:默认网站 访问控制 登录验证 日志管理 防盗链