Nginx防盗链
因为改配置也是用location板块,所以本节可结合日志管理一起配置。
[root@localhost vhost]
……
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
access_log off;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
……
检测并重载配置:
[root@localhost vhost]
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]
-
测试
不匹配白名单不能访问:
[root@localhost vhost]# curl -utest:159820 -e "http://www.baidu.com/1.png" -x127.0.0.1:80 test.com/1.png -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Sat, 06 Jan 2018 03:27:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
匹配白名单能访问:
[root@localhost vhost]# curl -utest:159820 -e "http://www.test.com/1.png" -x127.0.0.1:80 test.com/1.png -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 06 Jan 2018 03:28:04 GMT
Content-Type: image/png
Content-Length: 412758
Last-Modified: Sat, 06 Jan 2018 03:18:57 GMT
Connection: keep-alive
ETag: "5a504021-64c56"
Expires: Sat, 13 Jan 2018 03:28:04 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
注意: 添加规则时需注意每个中括号中的内容。
Nginx访问控制
需求:允许指定ip访问/admin/目录。
-
配置虚拟主机配置文件
[root@localhost vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
......
location /admin/
{
allow 192.168.159.128;
allow 127.0.0.1;
deny all;
#设置IP白名单,allow为允许,deny为拒绝。匹配到之后就不继续往下匹配。
}
......
测试并重载配置文件:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
-
测试
[root@localhost vhost]# curl -x127.0.0.1:80 test.com/admin/1.txt
test abc 123
[root@localhost vhost]# curl -x192.168.159.128:80 test.com/admin/1.txt
test abc 123
白名单ip正常访问
[root@localhost vhost]# curl -x192.168.100.1:80 test.com/admin/1.txt
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
不在白名单ip的主机访问,返回代码403
- 针对正则匹配
-
上传图片的目录没有做禁止就系php的操作,导致上传的一句话木马被php解析,导致数据库被盗。按理说我们应该让能上传的目录禁止解析php的操作。
[root@localhost vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
......
location ~ .(upload|image)/..php$
{
deny all;
}
......
测试并重载配置:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
-
测试
[root@localhost vhost]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
#不能访问php文件,返回代码403
[root@localhost vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt
test111
#可以访问txt文件。
-
user_agent限制
想禁止蜘蛛,防止被其它网站爬数据。
-
编辑虚拟主机配置文件
[root@localhost vhost]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
#user_agent 匹配Spider/3.0|YoudaoBot|Tomato
{
return 403;
}
测试并重载配置:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
-
测试
[root@localhost vhost]# curl -A"YoudaoBot" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Sat, 06 Jan 2018 07:14:19 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
#user_agent 在限制范围内时,不能访问。
[root@localhost vhost]# curl -A"baidu" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 06 Jan 2018 07:18:42 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Sat, 06 Jan 2018 06:45:41 GMT
Connection: keep-alive
ETag: "5a507095-8"
Accept-Ranges: bytes
#user_agent 不在限制范围内时,可以正常访问。
注意: user_agent是严格匹配的,如果要忽略大小写,则在~后加个星号。 if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
Nginx解析php相关配置
vim /usr/local/nginx/conf/vhost/test.com.conf
……
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
……
在此注意两点:
1、fastcgi_pass有两种格式,但是无论使用哪种格式都有保证nginx虚拟主机中的fastcgi_pass指定的路径和/usr/local/php-fpm/etc/php-fpm.conf中listen路径格式一致,否则会报错502;(要么同为.sock,么同为地址端口)
2、fastcgi _param SCRIPT _FILENAME所在行的路径要和root路径一致!
Nginx代理
Nginx代理是一种反向代理。反向代理(Reverse Proxy)方式是指以代理服务器来接受Internet上的连接请求,然后将请求转发给内部网络上的服务器;并将从服务器上得到的结果返回给Internet上请求连接的客户端,此时代理服务器对外就表现为一个服务器。
Nginx代理是在一台代理服务器中自定义一个域名,该域名指向一个IP,然后将用户的请求通过这台代理服务器访问指定的IP所对应的web服务器。
-
在/usr/local/nginx/conf/vhost/目录下新建一个proxy.conf文件。
切换目录并创建文件:
[root@localhost ~]# cd /usr/local/nginx/conf/vhost
[root@localhost vhost]# vim proxy.conf
......
server
{
listen 80;
server_name ask.apelearn.com;
#定义域名(一般和被代理ip的域名保持一致)
location /
{
proxy_pass http://121.201.9.155/;
#指定被代理(被访问)的IP(web服务器IP)
proxy_set_header Host $host;
#$host指的是代理服务器的servername(也是被代理IP的域名)
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
......
检测并重载配置:
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
-
测试
修改配置之前:
[root@localhost vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
无法访问ask.apelearn.com
修改配置后:
[root@localhost vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-
Disallow: /views/
Disallow: //ajax/
#可以访问
本文转自 豆渣锅 51CTO博客,原文链接:http://blog.51cto.com/754599082/2058143
