Nginx Anti-Hotlinking, Nginx Access Control, and Nginx PHP Parsing Configuration

                                                Nginx anti-hotlinking configuration
# vim /usr/local/nginx/conf/vhost/test.com.conf                       # add the following
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
     expires 7d;
     valid_referers none blocked server_names  *.test.com ;        # referer whitelist; "none" also admits requests with no Referer header
     if ($invalid_referer) {
          return 403;
     }
     access_log off;
}
# /usr/local/nginx/sbin/nginx  -t                  # check the syntax
# /usr/local/nginx/sbin/nginx  -s reload           # reload
# echo "1223" > /data/wwwroot/test.com/1.gif                   # write 1223 into 1.gif
# curl -x127.0.0.1:80 -I test.com/1.gif                   # test the anti-hotlinking rule
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 09:11:57 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Thu, 04 Jan 2018 09:08:11 GMT
Connection: keep-alive
ETag: "5a4deefb-b"
Expires: Thu, 11 Jan 2018 09:11:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:32 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Wed, 03 Jan 2018 04:06:01 GMT
Connection: keep-alive
ETag: "5a4c56a9-b"
Expires: Wed, 10 Jan 2018 04:19:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

This shows that the anti-hotlinking configuration works.

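                                                  Nginx access control

Requirement: requests to the /admin/ directory are allowed only from a few specific IP addresses. The configuration is as follows:

# vim /usr/local/nginx/conf/vhost/test.com.conf                        # add the following
location /admin/
{
        allow 192.168.37.1;
        allow 127.0.0.1;
        deny all;
}
# mkdir /data/wwwroot/test.com/admin/                        # create the directory
# echo "test,test" > /data/wwwroot/test.com/admin/1.html             # write a test string
# /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload                  # check the config file and reload
# curl -x127.0.0.1:80 test.com/admin/1.html -I                  # test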
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:05:58 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Wed, 03 Jan 2018 05:05:20 GMT
Connection: keep-alive
ETag: "5a4c6490-6"
Accept-Ranges: bytes
# curl -x192.168.37.130:80 test.com/admin/1.html -I                 # test whether access is allowed
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:06:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

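Disable PHP parsing in directories that accept uploads, so that nobody can upload a *** file and have it executed because PHP code is parsed in that directory.
The configuration is as follows:

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}
# /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload                  # check the config file and reload
# mkdir /data/wwwroot/test.com/upload/                                # create the upload directory
# echo "123" > /data/wwwroot/test.com/upload/1.php             # create the 1.php file
# curl -x127.0.0.1:80 test.com/upload/1.php -I             # test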
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:27:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:32:18 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 03 Jan 2018 05:32:11 GMT
Connection: keep-alive
ETag: "5a4c6adb-4"
Accept-Ranges: bytes
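
Nginx evaluates regex locations in the order they appear in the file and uses the first match, so this deny rule only takes effect when it is placed before the location ~ \.php$ block configured later on this page. The following script is an added example, not part of the original post, that checks that ordering; the sample vhosts are constructed and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that the upload deny
# rule precedes the generic "\.php$" handler in a vhost file.

# Line number of the first "location" line in file $1 containing the fixed
# string $2 (passed via the environment so awk leaves backslashes alone).
first_location_line() {
    PAT="$2" awk '$1 == "location" && index($0, ENVIRON["PAT"]) { print NR; exit }' "$1"
}

# 0: deny rule comes first; 1: PHP handler comes first (upload/*.php would
# reach php-fpm); 2: one of the two blocks is missing.
check_upload_deny_order() {
    local deny php
    deny=$(first_location_line "$1" '(upload|image)/')
    php=$(first_location_line "$1" '~ \.php$')
    [ -n "$deny" ] && [ -n "$php" ] || return 2
    [ "$deny" -lt "$php" ]
}

# Constructed sample vhosts built from the page's two location blocks.
write_sample() {   # $1 = good|bad, $2 = output file
    local deny='location ~ .*(upload|image)/.*\.php$ { deny all; }'
    local php='location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; }'
    if [ "$1" = good ]; then
        printf 'server {\n    %s\n    %s\n}\n' "$deny" "$php" > "$2"
    else
        printf 'server {\n    %s\n    %s\n}\n' "$php" "$deny" > "$2"
    fi
}

tmp=$(mktemp -d)
for kind in good bad; do
    write_sample "$kind" "$tmp/$kind.conf"
    if check_upload_deny_order "$tmp/$kind.conf"; then
        echo "$kind.conf: deny rule precedes the PHP handler"
    else
        echo "$kind.conf: PHP handler matches first, uploaded .php files would be parsed"
    fi
done
rm -rf "$tmp"
```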

Restricting by User-Agent

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
         return 403;
}
# /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload                  # check the config file and reload
# curl -A "Tomatoshshd" -x127.0.0.1:80 test.com/upload/1.txt -I            # test with a User-Agent set
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:49:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

The request can be seen in the access log:

127.0.0.1 - [03/Jan/2018:13:49:14 +0800] test.com "/upload/1.txt" 403 "-" "Tomatoshsh"
                                        Nginx PHP parsing configuration

If Nginx has not been configured to parse PHP, requesting a PHP file returns its source code directly.

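Now change the configuration file.

# vim /usr/local/nginx/conf/vhost/test.com.conf                  # edit the config file
The configuration is as follows:
location ~ \.php$
{
      include fastcgi_params;
      fastcgi_pass unix:/tmp/php-fcgi.sock;          # a wrong listen address causes a 502
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
Then request the same PHP file again:
# curl -x127.0.0.1:80 test.com/4.php                # now it is parsed correctly
fastcgi_pass specifies the address or socket that php-fpm listens on. The listen address in /usr/local/php-fpm/etc/php-fpm.conf and the one in the Nginx virtual host configuration file must be the same, otherwise a 502 error occurs.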
location ~ \.php$    
{        
      include fastcgi_params;        
     # fastcgi_pass unix:/tmp/php-fcgi.sock;          
       fastcgi_pass 127.0.0.1:9000;                               # must match the listen address in the php-fpm config file
      fastcgi_index index.php;        
      fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;    
   } 
The listen permission in /usr/local/php-fpm/etc/php-fpm.conf: when the listen permission is not defined in the php-fpm configuration file, a 502 error occurs.
# vim /usr/local/php-fpm/etc/php-fpm.conf          # edit the php-fpm service configuration file
[global]                                                    ; global parameters
pid = /usr/local/php-fpm/var/run/php-fpm.pid                         ; its pid file
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]                                                          ; pool name
listen = /tmp/php-fcgi.sock                       ; listen on a socket
;listen = 127.0.0.1:9000                            ; listen on a local IP and port
listen.mode = 666                              ; listen permission; when listening on a socket, leaving it undefined causes a 502
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

A 502 error also occurs when PHP's resources are exhausted.
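
The match between fastcgi_pass and php-fpm's listen value described above can be checked before reloading, together with the socket mode. The script below is an added example, not part of the original post; the sample files are constructed, the function names are hypothetical, and it assumes listen is written exactly as it appears in fastcgi_pass (minus the unix: prefix).

```shell
#!/usr/bin/env bash
# Added example: cross-check fastcgi_pass against php-fpm's listen setting.

# Active (uncommented) fastcgi_pass target in vhost file $1.
nginx_fastcgi_target() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Value of key $2 in php-fpm.conf $1; lines commented out with ";" are skipped.
fpm_value() {
    KEY="$2" awk -F= '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == ENVIRON["KEY"] { v = $2; sub(/;.*/, "", v); gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# Print one finding per line; print nothing when both checks pass.
audit_fpm_pair() {   # $1 = nginx vhost, $2 = php-fpm.conf
    local target listen mode
    target=$(nginx_fastcgi_target "$1")
    target=${target#unix:}
    listen=$(fpm_value "$2" listen)
    mode=$(fpm_value "$2" listen.mode)
    [ "$target" = "$listen" ] || echo "MISMATCH nginx=$target php-fpm=$listen (expect 502)"
    case "$listen" in
        /*) case "$mode" in *[2367]) echo "WORLD-WRITABLE socket mode $mode" ;; esac ;;
    esac
}

# Constructed sample files modelled on the two configs shown on this page.
write_samples() {   # $1 = directory
    printf '%s\n' 'location ~ \.php$ {' '    # fastcgi_pass unix:/tmp/php-fcgi.sock;' \
        '    fastcgi_pass 127.0.0.1:9000;' '}' > "$1/vhost.conf"
    printf '%s\n' '[www]' 'listen = /tmp/php-fcgi.sock' ';listen = 127.0.0.1:9000' \
        'listen.mode = 666' > "$1/php-fpm.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_fpm_pair "$tmp/vhost.conf" "$tmp/php-fpm.conf"
rm -rf "$tmp"
```

Mode 666 lets every local account connect to php-fpm; setting listen.owner and listen.group to the account the Nginx workers run as allows listen.mode = 0660 instead.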
