nginx防盗链,访问控制,解析php相关配置,nginx代理
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了nginx防盗链,访问控制,解析php相关配置,nginx代理相关的知识,希望对你有一定的参考价值。
nginx防盗链
- 配置如下,可以和不记录静态文件配置结合起来
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ { expires 7d; valid_referers none blocked server_names *.test.com ; #设置白名单 if ($invalid_referer) { return 403; #不过不是白名单的refer就403 } access_log off; }
- 测试
[[email protected] test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I HTTP/1.1 403 Forbidden Server: nginx/1.14.0 Date: Sat, 16 Jun 2018 03:27:15 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [[email protected] test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Sat, 16 Jun 2018 03:27:23 GMT Content-Type: image/gif Content-Length: 9 Last-Modified: Sat, 16 Jun 2018 03:04:17 GMT Connection: keep-alive ETag: "5b247e31-9" Expires: Sat, 23 Jun 2018 03:27:23 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes
nginx的访问控制
- 控制访问目录/admin/,只允许某几个ip访问,配置如下
location /admin/ { allow 192.168.21.128; allow 127.0.0.1; deny all; } 这里的allow和deny没有先执行后执行的顺序,执行完allow匹配后,就不会执行下面的
- 控制访问目录/admin/,只允许某几个ip访问,配置如下
- 测试
[[email protected] test.com]# mkdir /data/wwwroot/test.com/admin [[email protected] test.com]# echo "admin" >/data/wwwroot/test.com/admin/1.html [[email protected] test.com]# curl -x127.0.0.1:80 test.com/admin/1.html -I HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Sat, 16 Jun 2018 03:59:22 GMT Content-Type: text/html Content-Length: 6 Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT Connection: keep-alive ETag: "5b248af6-6" Accept-Ranges: bytes [[email protected] test.com]# curl -x192.168.21.128:80 test.com/admin/1.html -I HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Sat, 16 Jun 2018 04:01:33 GMT Content-Type: text/html Content-Length: 6 Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT Connection: keep-alive ETag: "5b248af6-6" Accept-Ranges: bytes [[email protected] test.com]# dhclient ens37 [[email protected] test.com]# ifconfig ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.110.128 netmask 255.255.255.0 broadcast 192.168.110.255 inet6 fe80::c559:4a92:72f1:b448 prefixlen 64 scopeid 0x20<link> [[email protected] test.com]# curl -x192.168.110.128:80 test.com/admin/1.html -I HTTP/1.1 403 Forbidden Server: nginx/1.14.0 Date: Sat, 16 Jun 2018 04:05:10 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive
- 匹配正则,限制php解析
location ~ .*(upload|image)/.*.php$ { deny all; }
- 匹配正则,限制php解析
- 测试
[[email protected] test.com]# mkdir /data/wwwroot/test.com/upload [[email protected] test.com]# echo "11111" >/data/wwwroot/test.com/upload/1.php [[email protected] test.com]# echo "11111" >/data/wwwroot/test.com/upload/1.txt [[email protected] test.com]# curl -x127.0.0.1:80 test.com/upload/1.txt 11111 [[email protected] test.com]# curl -x127.0.0.1:80 test.com/upload/1.php <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.14.0</center> </body> </html>
- 根据user_agent限制
if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato‘) { return 403; } #deny all和return 403效果一样,~*匹配可以忽略大小写
- 根据user_agent限制
- 测试
[[email protected] test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.14.0</center> </body> </html> [[email protected] test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt 11111
解析php相关配置
- nginx解析php配置如下
location ~ .php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; #这个路径要与php里对应 #fastcgi_pass 127.0.0.1:9000 fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; #这里的要与上面的root对应 }
- 这里的fastcgi_pass也有两种模式要和php里面的对应,不然会导致502
[[email protected] ~]# vim /usr/local/php-fpm/etc/php-fpm.conf [global] pid = /usr/local/php-fpm/var/run/php-fpm.pid error_log = /usr/local/php-fpm/var/log/php-fpm.log [www] listen = /tmp/php-fcgi.sock #listen = 127.0.0.1:9000 listen.mode = 666 #这里的权限必须是666,不然socket文件不能读取写入也会导致502 user = php-fpm group = php-fpm pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 rlimit_files = 1024
nginx代理
- 当一个web服务器只有私网Ip时,和它想通的具有外网ip的服务器就可以是代理服务器。为了快速访问美国的服务器,可以在香港设置一个代理服务器
-
这里可以设置一个虚拟机为代理服务器,配置如下
server { listen 80; server_name ask.apelearn.com; location / { proxy_pass http://121.201.9.155/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } #定义的域名一般和被代理ip的域名保持一致 #这里已知的猿课的web服务器地址 #$host就是前面定义的域名
- 设置代理前后,可以看到效果
[[email protected] vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I HTTP/1.1 301 Moved Permanently Server: nginx/1.14.0 Date: Mon, 18 Jun 2018 13:07:58 GMT Content-Type: text/html Content-Length: 185 Connection: keep-alive Location: http://test.com/robots.txt [[email protected] vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I HTTP/1.1 302 Found Server: nginx/1.14.0 Date: Mon, 18 Jun 2018 13:13:06 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Location: http://121.201.80.216:9000 #后的302应该是web服务器设置的跳转
扩展
- 502问题汇总
- location优先级
以上是关于nginx防盗链,访问控制,解析php相关配置,nginx代理的主要内容,如果未能解决你的问题,请参考以下文章
nginx防盗链,访问控制,解析php相关配置,nginx代理
Nginx防盗链访问控制 解析php相关配置及Nginx代理
Nginx防盗链Nginx访问控制Nginx解析php相关配置Nginx代理