防盜鏈
在web02模擬 惡意盜鏈web01 的內容 配置
主配置文件nginx.conf
[root@web02 conf]# cat /application/nginx/conf/nginx.conf
worker_processes 2;
worker_cpu_affinity 0101 1010;
error_log logs/error.log;
#配置Nginx worker進程最大打開文件數
worker_rlimit_nofile 65535;
user www www;
events {
#單個進程允許的客戶端最大連接數
worker_connections 20480;
#事件處理模型優化
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
#sendfile on;
#keepalive_timeout 65;
#訪問日誌配置
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#虛擬主機
include /application/nginx/conf/extra/www.conf;
include /application/nginx/conf/extra/blog.conf;
include /application/nginx/conf/extra/bbs.conf;
include /application/nginx/conf/extra/edu.conf;
include /application/nginx/conf/extra/phpmyadmin.conf;
include /application/nginx/conf/extra/status.conf;
#nginx優化----------------------
#隱藏版本號
server_tokens off;
#優化服務器域名的散列表大小
server_names_hash_bucket_size 64;
server_names_hash_max_size 2048;
#開啓高效文件傳輸模式
sendfile on;
#減少網絡報文段數量
#tcp_nopush on;
#提高I/O性能
tcp_nodelay on;
#連接超時 時間定義 默認秒 默認65秒
keepalive_timeout 60;
#讀取客戶端請求頭數據的超時時間 默認秒 默認60秒
client_header_timeout 15;
#讀取客戶端請求主體的超時時間 默認秒 默認60秒
client_body_timeout 15;
#響應客戶端的超時時間 默認秒 默認60秒
send_timeout 25;
#上傳文件的大小限制 默認1m
client_max_body_size 8m;
#nginx與php之間FastCGI 相關參數調優
#時間超時設定
fastcgi_connect_timeout 240;
fastcgi_send_timeout 240;
fastcgi_read_timeout 240;
#緩衝/緩存設置
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_temp_path /data/ngx_fcgi_tmp;
fastcgi_cache_path /data/ngx_fcgi_cache levels=2:2 keys_zone=ngx_fcgi_cache:512m inactive=1d max_size=40g;
#使用gzip壓縮
gzip on;
gzip_min_length 1k;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/css text/xml application/javascript text/plain application/x-javascript application/xml;
gzip_vary on;
#禁止使用IP訪問web服務器
server {
listen 80 default;
server_name _;
return 501;
}
#控制nginx併發連接數量
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn_zone $server_name zone=perserver:10m;
#控制客戶端請求nginx的速率
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}
虛擬主機配置文件
[root@web02 conf]# cat /application/nginx/conf/extra/www.conf
#server {
# listen 80;
# server_name www.daolian.com;
# rewrite ^(.*)$ https://$host$1 permanent;
#}
server {
listen 80;
server_name www.daolian.com;
root html/www;
index index.php index.html index.htm;
##https證書 # https對防盜鏈配置測試有巨大影響,需要關閉
#ssl on;
#ssl_certificate /application/nginx/conf/key/server.crt;
#ssl_certificate_key /application/nginx/conf/key/server.key;
#訪問日誌
access_log logs/access_www.log main buffer=32k flush=5s;
location / {
#控制nginx併發連接數量
limit_conn addr 1;
limit_conn perserver 2;
#控制客戶端請求nginx的速率
limit_req zone=one burst=5;
}
##客戶端對靜態內容緩存
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 30y;
root html/www;
}
location ~ .*\.(js|css)?$ {
expires 30d;
root html/www;
}
#php解析
location ~ .*\.(php|php5)?$ {
root html/www;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
#FastCGI 相關參數調優
#fastcgi_cache ngx_fcgi_cache;
fastcgi_cache_valid 200 302 1h;
fastcgi_cache_valid 301 1d;
fastcgi_cache_valid any 1m;
fastcgi_cache_min_uses 1;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_cache_key http://$host$request_uri;
}
}
編輯盜鏈文件
[root@web02 conf]# cat /application/nginx/html/www/index.html <html> <head> <title>cjh </title> </head> <body bgcolor=green> wo de bo ke! <br>wo de bo ke shi <a href="http://blog.51cto.com/13673885" target="_blank">cjh bo ke di zhi </a> <img src="http://www.abc.com/daolian.jpg" #盜鏈web01的www.abc.com域名下的daolian.jpg圖片 </body> </html>
web01上傳在站點目錄上傳daolian.jpg圖片
瀏覽器訪問測試盜鏈能否成功
在windows中注意配置hosts 注意:配置的地址是web02 惡意盜鏈的服務器地址
10.0.0.8 www.daolian.com
web01模擬被盜鏈的服務器配置
主配置文件nginx.conf
[root@web01 conf]# cat /application/nginx/conf/nginx.conf
worker_processes 2;
worker_cpu_affinity 0101 1010;
error_log logs/error.log;
#配置Nginx worker進程最大打開文件數
worker_rlimit_nofile 65535;
user www www;
events {
#單個進程允許的客戶端最大連接數
worker_connections 20480;
#使用epoll模型
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
#sendfile on;
#keepalive_timeout 65;
#訪問日誌配置
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#虛擬主機
include /application/nginx/conf/extra/www.conf;
include /application/nginx/conf/extra/blog.conf;
include /application/nginx/conf/extra/bbs.conf;
include /application/nginx/conf/extra/edu.conf;
include /application/nginx/conf/extra/phpmyadmin.conf;
include /application/nginx/conf/extra/status.conf;
#nginx優化----------------------
#隱藏版本號
server_tokens on;
#優化服務器域名的散列表大小
server_names_hash_bucket_size 64;
server_names_hash_max_size 2048;
#開啓高效文件傳輸模式
sendfile on;
#減少網絡報文段數量
#tcp_nopush on;
#提高I/O性能
tcp_nodelay on;
#連接超時 時間定義 默認秒 默認65秒
keepalive_timeout 60;
#讀取客戶端請求頭數據的超時時間 默認秒 默認60秒
client_header_timeout 15;
#讀取客戶端請求主體的超時時間 默認秒 默認60秒
client_body_timeout 15;
#響應客戶端的超時時間 默認秒 默認60秒
send_timeout 25;
#上傳文件的大小限制 默認1m
client_max_body_size 8m;
#nginx與php之間FastCGI 相關參數調優
#時間超時設定
fastcgi_connect_timeout 240;
fastcgi_send_timeout 240;
fastcgi_read_timeout 240;
#緩衝/緩存設置
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_temp_path /data/ngx_fcgi_tmp;
fastcgi_cache_path /data/ngx_fcgi_cache levels=2:2 keys_zone=ngx_fcgi_cache:512m inactive=1d max_size=40g;
#使用gzip壓縮
gzip on;
gzip_min_length 1k;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/css text/xml application/javascript text/plain application/x-javascript application/xml;
gzip_vary on;
#禁止使用IP訪問web服務器
server {
listen 80 default;
server_name _;
return 501;
}
}
虛擬主機配置文件
[root@web01 conf]# cat /application/nginx/conf/extra/www.conf
server {
listen 80;
server_name www.abc.com;
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
listen 443;
server_name www.abc.com;
root html/www;
index index.php index.html index.htm;
#https證書
ssl on;
ssl_certificate /application/nginx/conf/key/server.crt;
ssl_certificate_key /application/nginx/conf/key/server.key;
#訪問日誌
access_log logs/access_www.log main;
#隱藏版本號
server_tokens on;
location ~* .*\.(jpg|gif|swf|flv|wma|wmv|asf|mp3|mmf|zip|rar)$ { #小括號中不能包含要跳轉的圖片結尾格式.png,-->否則會進入死循環跳轉
valid_referers none blocked *.abc.com abc.com www.abc.com;
if ($invalid_referer) {
#return 403;
rewrite ^/ https://www.abc.com/fangdaolian.png;
expires 365d; #說明: 可以添加緩存expire配置, 讓禁止盜鏈的圖片在用戶本地緩存,就不用讓用戶再向被盜鏈端的服務器請求該fangdaolian.png圖片了,在一定程度上即防止盜鏈了,也避免了服務器的流量損失
}
}
#客戶端對靜態內容緩存
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 30y;
root html/www;
}
location ~ .*\.(js|css)?$ {
expires 30d;
root html/www;
}
##php解析
location ~ .*\.(php|php5)?$ {
root html/www;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
#FastCGI 相關參數調優
#fastcgi_cache ngx_fcgi_cache;
fastcgi_cache_valid 200 302 1h;
fastcgi_cache_valid 301 1d;
fastcgi_cache_valid any 1m;
fastcgi_cache_min_uses 1;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_cache_key http://$host$request_uri;
}
}
瀏覽器訪問盜鏈端-觀察能否防止盜鏈
在windows中注意配置hosts 注意:配置的地址是web02 惡意盜鏈的服務器地址
10.0.0.8 www.daolian.com
讓開發人員根據cookie進行防盜鏈
通過加密變換訪問路徑實現防盜鏈--不斷改變圖片地址進行防盜鏈
