Linux: Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, and an introduction to the Nginx proxy

Nginx hotlink protection

> The idea is the same as with httpd and the configuration is not hard, but it has to be combined with the expiry-time and no-logging settings.

1. Configuration file contents
[root@gary-tao test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf 

Add the following configuration:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;  # define the referer whitelist
    if ($invalid_referer) {
        return 403;
    }  # any referer not on the whitelist gets a 403
    access_log off;
}
As shown in the figure:

2. Test the syntax and reload the configuration
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload
3. Test with curl

To test hotlink protection, a referer has to be supplied for the request to succeed. The referer is added with -e and must start with http://

[root@gary-tao test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:17:05 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@gary-tao test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:16:43 GMT
Content-Type: image/gif
Content-Length: 15
Last-Modified: Thu, 04 Jan 2018 10:51:09 GMT
Connection: keep-alive
ETag: "5a4e071d-f"
Expires: Thu, 11 Jan 2018 11:16:43 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
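The decision behind those two curl results can be reproduced outside nginx. The shell script below is an added example, not part of the original post and not nginx code: it emulates the four whitelist entries from the valid_referers line (none, blocked, server_names and *.test.com), with the vhost's server_name assumed to be test.com as in the post, and returns the status the location block would send. It goes beyond the two curl tests above by also covering a Referer with the scheme stripped (the "blocked" case, which is why the post says -e needs http://) and a look-alike host that merely contains test.com.

```shell
#!/bin/sh
# Added example: emulates nginx's evaluation of
#   valid_referers none blocked server_names *.test.com;
# Assumption: the vhost's server_name is test.com (as in the post). This is not nginx code.
set -f                          # no filename globbing anywhere in this script

SERVER_NAME="test.com"          # assumed server_name of the vhost ("server_names" entry)
WHITELIST="*.test.com"          # extra pattern(s) from the post's valid_referers line

# referer_host REFERER -> prints the lower-cased host of an absolute http(s) URL, nothing otherwise
referer_host() {
    case "$1" in
        http://*|https://*) ;;
        *) return 0 ;;                   # no scheme: nginx treats the header as "blocked"
    esac
    h=${1#*://}                          # drop the scheme
    h=${h%%/*}                           # drop the path
    h=${h%%:*}                           # drop the port
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# host_matches HOST PATTERN -> true when HOST equals PATTERN, or PATTERN is "*.suffix" and HOST ends in ".suffix"
host_matches() {
    case "$2" in
        \*.*) suffix=${2#\*}                      # "*.test.com" -> ".test.com"
              [ "$1" != "${1%$suffix}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# referer_allowed REFERER -> true when $invalid_referer would stay empty
referer_allowed() {
    [ -z "$1" ] && return 0                           # "none": no Referer header at all
    host=$(referer_host "$1")
    [ -z "$host" ] && return 0                        # "blocked": header present, scheme stripped
    host_matches "$host" "$SERVER_NAME" && return 0   # "server_names"
    for pat in $WHITELIST; do                         # explicit patterns
        host_matches "$host" "$pat" && return 0
    done
    return 1
}

# referer_status REFERER -> status code the post's location block would return
referer_status() {
    if referer_allowed "$1"; then echo 200; else echo 403; fi
}

# the two requests from the post, then edge cases the curl tests do not cover
for r in "http://www.baidu.com/1.txt" "http://www.test.com/1.txt" "" \
         "www.test.com/1.txt" "http://test.com.evil.example/" "http://Sub.Test.COM:8080/x"; do
    printf '%-34s -> %s\n' "'$r'" "$(referer_status "$r")"
done
```

The script only decides whether the request would be refused; it does not model expires or access_log off. Because "none" and "blocked" are both accepted, a client that simply omits the header, or sends one without a scheme, is let through, which is the trade-off the post's whitelist makes so that direct visits and privacy-filtered browsers still work.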

Nginx access control

1. Configuration file: restrict access by IP
[root@gary-tao test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf 

Add the following:

location /admin/
{
    allow 127.0.0.1;
    allow 172.16.111.100;
    deny all;
}
As shown in the figure:

2. Test the syntax and reload the configuration
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload
3. Test with curl
Explanation:

> When configuring httpd there is also an order directive that decides whether allow or deny is evaluated first. Nginx has nothing of the kind: evaluation stops at the first rule that matches. If the source IP is 172.16.111.129, it is compared with the rules from top to bottom: the first IP (127.0.0.1) does not match, the second IP (172.16.111.100) does not match, and only the third line (all) matches. That rule is deny (access refused), so the final result is a 403 status code. Tested as follows:

[root@gary-tao test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:35:17 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes

[root@gary-tao test.com]# curl -x172.16.111.100:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:36:25 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes
[root@gary-tao ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.111.100  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::1ffb:cde1:5f3e:5778  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:e5:58  txqueuelen 1000  (Ethernet)
        RX packets 40262  bytes 15749043 (15.0 MiB)
        RX errors 0  dropped 50  overruns 0  frame 0
        TX packets 28168  bytes 4961855 (4.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.111.129  netmask 255.255.255.0  broadcast 172.16.111.255
        inet6 fe80::888c:a1d7:871b:8971  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:e5:62  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 8623 (8.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 10741 (10.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 354  bytes 33223 (32.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 354  bytes 33223 (32.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@gary-tao ~]# curl -x172.16.111.129:80 -I test.com/admin/
HTTP/1.1 403 Forbidden  
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 11:46:03 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ~]# !cat
cat /tmp/test.com.log
127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:53:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
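The first-match behaviour described in the explanation above can be checked without touching the server. The shell script below is an added example and not part of the original post or of nginx: it takes the allow/deny lines exactly as they appear in the location block, evaluates them for a client address the way nginx does (top to bottom, stop at the first match, allow when no rule matches), and also accepts CIDR blocks, which the post does not use. The reversed rule list shows why the order of the lines matters.

```shell
#!/bin/sh
# Added example (not nginx code): evaluates allow/deny rules with nginx's first-match semantics.
# All inputs are constructed here; the first rule set is copied from the post's /admin/ location.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_block IP TARGET -> true when IP lies in TARGET, written as "A.B.C.D" or "A.B.C.D/bits"
in_block() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32                 # plain address: exact match only
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# nginx_access RULES CLIENT_IP -> prints "allow" or "deny".
# RULES holds one "allow X;" or "deny X;" per line, in configuration order.
nginx_access() {
    decision=$(printf '%s\n' "$1" | while read -r action target; do
        target=${target%;}
        [ -z "$action" ] && continue
        if [ "$target" = all ] || in_block "$2" "$target"; then
            printf '%s' "$action"                 # first match wins, nothing below is looked at
            break
        fi
    done)
    printf '%s\n' "${decision:-allow}"           # no matching rule: nginx allows the request
}

# rule set copied from the post's location /admin/ block
RULES_FROM_POST='allow 127.0.0.1;
allow 172.16.111.100;
deny all;'

# same rules with "deny all" moved to the top: the allow lines are never reached
RULES_REVERSED='deny all;
allow 127.0.0.1;
allow 172.16.111.100;'

# constructed variant using a network block instead of single hosts
RULES_CIDR='allow 172.16.111.0/24;
deny all;'

for ip in 127.0.0.1 172.16.111.100 172.16.111.129 10.0.0.1; do
    printf '%-16s post=%-5s reversed=%-5s cidr=%s\n' "$ip" \
        "$(nginx_access "$RULES_FROM_POST" "$ip")" \
        "$(nginx_access "$RULES_REVERSED" "$ip")" \
        "$(nginx_access "$RULES_CIDR" "$ip")"
done
```

The address compared is the one nginx sees as $remote_addr, which is the connecting peer; if this vhost ever sits behind another proxy, that peer is the proxy, not the end client, and the allow list has to be written with that in mind.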
4. Regular expressions can also be used to restrict directories
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf


Add the following:

location ~ .*(upload|image)/.*\.php$  # matches .php files under an upload or image directory
{
        deny all;
}


[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload
  • As shown in the figure:

  • Test with curl

.php files under the upload directory cannot be accessed, but files with any other extension still can.

[root@gary-tao ~]# mkdir /data/wwwroot/test.com/upload
[root@gary-tao ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.php
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@gary-tao ~]# echo "1111111" > /data/wwwroot/test.com/upload/1.txt
[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111111
[root@gary-tao ~]# cat /tmp/test.com.log
127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:53:53 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:09 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:48 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
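Because the refused requests land in the access log in the custom format shown above, the log is where you see who is hitting the restricted paths after these rules go live. The shell functions below are an added example, not part of the post: they read lines in that format (the sample is copied from the output above with one constructed line appended, marked as such) and summarise 403 responses per client and per path. Note that the hotlink location earlier in the post sets access_log off, so the 403s it produces never reach this log.

```shell
#!/bin/sh
# Added example (not part of the post): summarise denied (403) requests in the post's log format:
#   $remote_addr - [$time_local] $host "$uri" $status "$http_referer" "$http_user_agent"
# Field positions assume the URI contains no spaces, which holds for the sample below.

# Sample log: lines copied from the post's /tmp/test.com.log, plus one constructed final line
SAMPLE_LOG='127.0.0.1 - [04/Jan/2018:18:53:20 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:18:55:22 +0800] test.com "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:19:35:17 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/2018:19:36:25 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:45:58 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:19:46:03 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:09 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:20:48:48 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/2018:21:02:11 +0800] test.com "/upload/2.php" 403 "-" "constructed-agent/1.0"'

# denied_by_client LOG -> "client count" lines, most-denied client first
denied_by_client() {
    printf '%s\n' "$1" | awk '$7 == 403 { n[$1]++ }
        END { for (ip in n) printf "%s %d\n", ip, n[ip] }' | sort -k2,2nr -k1,1
}

# denied_paths LOG -> "client path" for every 403, in log order (what each client was probing)
denied_paths() {
    printf '%s\n' "$1" | awk '$7 == 403 { gsub(/"/, "", $6); print $1, $6 }'
}

# denied_ratio LOG -> percentage of all requests that were refused, rounded down
denied_ratio() {
    printf '%s\n' "$1" | awk '{ t++ } $7 == 403 { d++ }
        END { printf "%d\n", (t ? 100 * d / t : 0) }'
}

echo "403s per client:";  denied_by_client "$SAMPLE_LOG"
echo "denied paths:";     denied_paths "$SAMPLE_LOG"
echo "denied ratio (%):"; denied_ratio "$SAMPLE_LOG"
```

Run against the real file with denied_by_client "$(cat /tmp/test.com.log)"; a client that shows up repeatedly under /admin/ or /upload/*.php is worth a closer look, and a sudden jump in the denied ratio after a reload usually means a rule is broader than intended.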
5. Restrict by user_agent

> If you do not want your site to be found by search engines, block the spiders, such as Baidu and Google. Then no site can crawl your data, which is roughly the same as hiding the site, unless you tell someone the URL.

  • The configuration file is as follows:
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf


Add the following configuration:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
# deny all and return 403 have the same effect

[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload
  • Simulate the user_agent with -A and test with curl

> Tomato is on the restricted user_agent list, so the request is refused. Case is not ignored here; to ignore case, add * after the ~ in the if statement, e.g. if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')

[root@gary-tao ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:56:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:58:10 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 04 Jan 2018 12:48:43 GMT
Connection: keep-alive
ETag: "5a4e22ab-8"
Accept-Ranges: bytes
[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I   # with the * added, this is now 403 as well
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 12:58:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
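A quick way to see what the if ($http_user_agent ~ ...) test will do with a given User-Agent string, as an added example that is not part of the post: the function below applies the post's pattern with grep -E, once case-sensitively (the ~ operator) and once case-insensitively (~*), and returns the status the server would send. Two caveats worth keeping in mind: the User-Agent header is chosen by the client, so this only keeps out crawlers that identify themselves honestly; and nginx does not permit allow/deny inside an if block, so return 403 is the form to use there.

```shell
#!/bin/sh
# Added example (not nginx code): reproduces the post's user-agent test outside nginx.
UA_PATTERN='Spider/3.0|YoudaoBot|Tomato'     # pattern copied from the post's if statement

# ua_blocked USER_AGENT OPERATOR -> true when "if ($http_user_agent OPERATOR pattern)" would match.
# OPERATOR is "~" (case-sensitive, the post's first version) or "~*" (case-insensitive).
ua_blocked() {
    case "$2" in
        '~')  printf '%s\n' "$1" | grep -Eq  -- "$UA_PATTERN" ;;
        '~*') printf '%s\n' "$1" | grep -Eiq -- "$UA_PATTERN" ;;
        *)    echo "ua_blocked: unknown operator '$2'" >&2; return 2 ;;
    esac
}

# ua_status USER_AGENT OPERATOR -> status the server would return for that request
ua_status() {
    if ua_blocked "$1" "$2"; then echo 403; else echo 200; fi
}

# the two strings from the post's curl tests, plus a normal client and a bot-style string
for ua in "Tomatoalsdkflsd" "tomatoalsdkflsd" "curl/7.29.0" "Mozilla/5.0 (compatible; YoudaoBot/1.0)"; do
    printf '%-42s ~ -> %s   ~* -> %s\n' "$ua" "$(ua_status "$ua" '~')" "$(ua_status "$ua" '~*')"
done
```

Because the match is a substring match, any agent string that merely contains Tomato is refused, exactly as the curl output above shows for Tomatoalsdkflsd.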

Nginx PHP parsing configuration

> In LAMP, PHP appears as a module of httpd: as long as the PHP module is loaded, PHP scripts can be parsed. In LNMP, PHP exists as a service (php-fpm): the php-fpm service has to be started first, and Nginx then talks to php-fpm. In other words, parsing the PHP script is done by php-fpm, which passes the result to Nginx, and Nginx returns the result to the user.

1. Test

Before changing the configuration file to add PHP parsing, first create a PHP file and test whether PHP is parsed at all. The result is as follows:

[root@gary-tao ~]# vi /data/wwwroot/test.com/3.php

Add the following:

<?php
phpinfo();
?>

[root@gary-tao ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
?>
2. Modify the configuration file
[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following configuration:

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}


[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload
Explanation

> fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a tcp:port address (for example 127.0.0.1:9000), this line must be changed to fastcgi_pass 127.0.0.1:9000 as well. The address must match the one php-fpm is listening on, otherwise a 502 error is returned.
>
> Another thing to watch: the path after fastcgi_param SCRIPT_FILENAME is the root directory of the site and must be the same as the path defined earlier with root. If it is wrong, accessing a PHP page gives a 404.

As shown in the figure

Configuration screenshot: PHP is parsed normally
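Both failure modes from the explanation (502 when fastcgi_pass does not match what php-fpm listens on, 404 when the SCRIPT_FILENAME prefix differs from root) can be caught by comparing the two configuration files before reloading. The shell script below is an added example and not part of the post, nginx or php-fpm: it pulls the relevant values out of a vhost file and a php-fpm pool file and reports which of the two problems would occur. The sample files are constructed here, modelled on the post's configuration; the pool file layout (a "listen = ..." line) is an assumption about php-fpm's pool file. It also accepts $document_root as the SCRIPT_FILENAME prefix, the nginx variable that already reflects root, which avoids writing the same path twice.

```shell
#!/bin/sh
# Added example (not part of the post, nginx or php-fpm): check the vhost's fastcgi settings
# against the php-fpm pool before reloading, to catch the 502 and 404 cases described above.

# Constructed sample files. The vhosts are modelled on the post; the pool files assume
# php-fpm's usual "listen = ..." line.
VHOST_SOCKET='server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}'
VHOST_WRONG_ROOT='server {
    root /data/wwwroot/other.com;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}'
VHOST_DOCROOT='server {
    root /data/wwwroot/test.com;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}'
POOL_SOCKET='[www]
listen = /tmp/php-fcgi.sock'
POOL_TCP='[www]
listen = 127.0.0.1:9000'

# conf_value TEXT DIRECTIVE -> the first value of "DIRECTIVE value;" in nginx syntax
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" | head -n 1
}

# fpm_listen TEXT -> the value of the pool's "listen = ..." line
fpm_listen() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# norm_addr ADDR -> "unix:/path" or "host:port" so both sides can be compared textually
norm_addr() {
    case "$1" in
        unix:*) printf '%s\n' "$1" ;;
        /*)     printf 'unix:%s\n' "$1" ;;      # php-fpm writes socket paths without "unix:"
        *)      printf '%s\n' "$1" ;;
    esac
}

# check_fastcgi VHOST_TEXT POOL_TEXT -> prints "ok" or one line per problem; returns 1 on any problem
check_fastcgi() {
    pass=$(conf_value "$1" fastcgi_pass)
    listen=$(fpm_listen "$2")
    root=$(conf_value "$1" root)
    script=$(conf_value "$1" 'fastcgi_param SCRIPT_FILENAME')
    prefix=${script%\$fastcgi_script_name}
    [ "$prefix" = '$document_root' ] && prefix=$root    # nginx fills $document_root from root
    problems=0
    if [ "$(norm_addr "$pass")" != "$(norm_addr "$listen")" ]; then
        echo "502 risk: fastcgi_pass '$pass' does not match php-fpm listen '$listen'"
        problems=1
    fi
    if [ "$prefix" != "$root" ]; then
        echo "404 risk: SCRIPT_FILENAME prefix '$prefix' does not match root '$root'"
        problems=1
    fi
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

check_fastcgi "$VHOST_SOCKET" "$POOL_SOCKET"     || true
check_fastcgi "$VHOST_SOCKET" "$POOL_TCP"        || true
check_fastcgi "$VHOST_WRONG_ROOT" "$POOL_TCP"    || true
check_fastcgi "$VHOST_DOCROOT" "$POOL_TCP"       || true
```

On a real host the two arguments would be "$(cat /usr/local/nginx/conf/vhost/test.com.conf)" and the contents of the php-fpm pool file; the check is deliberately textual, so a pool that listens on a bare port number (which php-fpm accepts) is reported as a mismatch and should be written out as host:port on both sides.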

Nginx proxy

> A company has many servers, and to save cost not all of them can be given a public IP. If a server without a public IP needs to provide a web service, that can be done through a proxy.

Create a new configuration file
[root@gary-tao ~]# cd /usr/local/nginx/conf/vhost
[root@gary-tao vhost]# vim proxy.conf


Add the following:

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;  # IP of the server hosting the proxied domain, i.e. the web server's address
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# no root here: this is a proxy server and does not need to read any file on the local machine


[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -s reload
This is the index list for spiders; most websites have one
[root@gary-tao vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@gary-tao vhost]#
The remote site has been reached through the local IP: the proxy server is our virtual machine, and the web server is ask.apelearn.com, the site we accessed
[root@gary-tao vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@gary-tao vhost]#