nginx hotlink protection, access control, PHP parsing configuration, nginx proxy

nginx hotlink protection

  • The configuration is as follows; it can be combined with the "do not log static files" configuration
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
    expires 7d;
    valid_referers none blocked server_names  *.test.com ; #set the whitelist
    if ($invalid_referer) {
        return 403;          #a Referer that is not on the whitelist gets a 403
    }
    access_log off;
    }
  • Test
    [root@akuilinux01 test.com]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:27:15 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    [root@akuilinux01 test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:27:23 GMT
    Content-Type: image/gif
    Content-Length: 9
    Last-Modified: Sat, 16 Jun 2018 03:04:17 GMT
    Connection: keep-alive
    ETag: "5b247e31-9"
    Expires: Sat, 23 Jun 2018 03:27:23 GMT
    Cache-Control: max-age=604800
    Accept-Ranges: bytes
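
An added example (not code from the original post) that reimplements the valid_referers decision above in Python, so the whitelist can be checked against sample Referer values offline. It assumes the vhost's server_name is test.com and goes beyond the page's two curl runs by covering a missing Referer, a non-URL Referer, a port in the Referer and a look-alike domain.

```python
import re
from urllib.parse import urlsplit

# From the page's config; the vhost's server_name is assumed to be test.com
SERVER_NAMES = ["test.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def _host_matches(host, pattern):
    # nginx allows one '*' at the start or end of a valid_referers hostname
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, host) is not None


def referer_is_valid(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when the Referer passes the whitelist, i.e. $invalid_referer is empty.

    Rules as in ngx_http_referer_module: 'none' = header absent; 'blocked' =
    present but not starting with http:// or https:// (stripped by a proxy);
    'server_names' = this vhost's names; anything else = hostname with optional
    '*' wildcard and URI prefix. Scheme and port are ignored, case is ignored.
    """
    if not referer:
        return "none" in valid
    low = referer.lower()
    if not low.startswith(("http://", "https://")):
        return "blocked" in valid
    parts = urlsplit(low)
    host, path = parts.hostname or "", parts.path or "/"
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        for pat in (server_names if entry == "server_names" else [entry]):
            pat_host, _, pat_path = pat.lower().partition("/")
            if _host_matches(host, pat_host) and path.startswith("/" + pat_path):
                return True
    return False


def decide(referer):
    """Status the location block on the page would return for this Referer."""
    return 200 if referer_is_valid(referer) else 403


if __name__ == "__main__":
    # Constructed requests, including the two curl -e cases shown on the page.
    # The check trusts a client-supplied header: a missing Referer ('none') or
    # a non-URL value ('blocked') is allowed by this whitelist.
    for ref in ["http://www.baidu.com/1.txt", "http://www.test.com/1.txt", None,
                "garbage", "https://test.com:8080/x", "http://evil-test.com/"]:
        print(repr(ref), "->", decide(ref))
```

Note that `*.test.com` does not match the bare `test.com`; that case is only allowed because `server_names` is also listed.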

nginx access control

    1. Restrict access to the directory /admin/ so that only a few IPs are allowed; the configuration is as follows
      location /admin/
      {
      allow 192.168.21.128;
      allow 127.0.0.1;
      deny all;
      }
      allow and deny have no precedence over each other: the rules are evaluated top to bottom and the first one that matches decides, so once an allow line matches, the deny all below it is never reached
  • Test
    [root@akuilinux01 test.com]# mkdir /data/wwwroot/test.com/admin
    [root@akuilinux01 test.com]# echo "admin" >/data/wwwroot/test.com/admin/1.html
    [root@akuilinux01 test.com]# curl -x127.0.0.1:80 test.com/admin/1.html -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:59:22 GMT
    Content-Type: text/html
    Content-Length: 6
    Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT
    Connection: keep-alive
    ETag: "5b248af6-6"
    Accept-Ranges: bytes
    [root@akuilinux01 test.com]# curl -x192.168.21.128:80 test.com/admin/1.html -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 04:01:33 GMT
    Content-Type: text/html
    Content-Length: 6
    Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT
    Connection: keep-alive
    ETag: "5b248af6-6"
    Accept-Ranges: bytes
    [root@akuilinux01 test.com]# dhclient ens37
    [root@akuilinux01 test.com]# ifconfig 
    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.110.128  netmask 255.255.255.0  broadcast 192.168.110.255
        inet6 fe80::c559:4a92:72f1:b448  prefixlen 64  scopeid 0x20<link>
    [root@akuilinux01 test.com]# curl -x192.168.110.128:80 test.com/admin/1.html -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 04:05:10 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    2. Match a regular expression to restrict PHP parsing
      location ~ .*(upload|image)/.*\.php$
      {
      deny all;
      }
  • Test
    [root@akuilinux01 test.com]# mkdir /data/wwwroot/test.com/upload
    [root@akuilinux01 test.com]# echo "11111" >/data/wwwroot/test.com/upload/1.php
    [root@akuilinux01 test.com]# echo "11111" >/data/wwwroot/test.com/upload/1.txt
    [root@akuilinux01 test.com]# curl -x127.0.0.1:80 test.com/upload/1.txt
    11111
    [root@akuilinux01 test.com]# curl -x127.0.0.1:80 test.com/upload/1.php
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.14.0</center>
    </body>
    </html>
    3. Restrict by user_agent
      if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
      {
      return 403;
      }
      #deny all and return 403 have the same effect; a ~* match ignores case
  • Test
    [root@akuilinux01 test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.14.0</center>
    </body>
    </html>
    [root@akuilinux01 test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt
    11111
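
An added example (not code from the original post) that models the three access-control rules above (the allow/deny list for /admin/, the upload|image PHP regex and the user_agent check) as one Python decision function, so their effect on a request can be checked offline. It also shows the two points the text makes in passing: allow/deny order decides, and `~` versus `~*` changes whether "tomato" is blocked.

```python
import ipaddress
import re

# Rules copied from the three blocks on the page
ADMIN_RULES = [("allow", "192.168.21.128"), ("allow", "127.0.0.1"), ("deny", "all")]
UPLOAD_PHP_RE = re.compile(r".*(upload|image)/.*\.php$")   # location ~ ... (case-sensitive)
BAD_UA_PATTERN = r"Spider/3.0|YoudaoBot|Tomato"            # if ($http_user_agent ~ ...)


def allow_deny(client_ip, rules=ADMIN_RULES):
    """Evaluate allow/deny the way ngx_http_access_module does: top to bottom,
    first matching rule decides; later rules are never consulted."""
    ip = ipaddress.ip_address(client_ip)
    for action, subject in rules:
        if subject == "all" or ip in ipaddress.ip_network(subject, strict=False):
            return action == "allow"
    return True  # no rule matched: nginx allows


def decide(client_ip, uri, user_agent="", ignore_case=False):
    """Status the page's rules give a request. Each rule can only deny, so the
    order in which they are checked here does not change the outcome."""
    flags = re.IGNORECASE if ignore_case else 0        # ~* instead of ~
    if re.search(BAD_UA_PATTERN, user_agent, flags):
        return 403
    if UPLOAD_PHP_RE.search(uri):                      # regex location wins over the /admin/ prefix
        return 403
    if uri.startswith("/admin/") and not allow_deny(client_ip):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed requests reproducing the curl tests on the page
    print(decide("127.0.0.1", "/admin/1.html"))            # 200
    print(decide("192.168.110.128", "/admin/1.html"))      # 403
    print(decide("127.0.0.1", "/upload/1.php"))            # 403
    print(decide("127.0.0.1", "/upload/1.txt", "Tomato"))  # 403
    print(decide("127.0.0.1", "/upload/1.txt", "tomato"))  # 200 with ~, 403 with ~*
    # Order matters: with 'deny all' first, even the listed addresses are denied
    print(allow_deny("127.0.0.1", list(reversed(ADMIN_RULES))))  # False
```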

PHP parsing configuration

  • The nginx configuration for parsing PHP is as follows
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        #this path must match the one in php-fpm
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
        #this must match the root defined above
    }
  • fastcgi_pass also has two modes here (unix socket or TCP) and must match the one in php-fpm, otherwise the result is a 502
    [root@akuilinux01 ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
    [global]
    pid = /usr/local/php-fpm/var/run/php-fpm.pid
    error_log = /usr/local/php-fpm/var/log/php-fpm.log
    [www]
    listen = /tmp/php-fcgi.sock
    ;listen = 127.0.0.1:9000
    ;the mode here must be 666, otherwise the socket file cannot be read or written and that also causes a 502
    listen.mode = 666
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024
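
An added example (not from the original post): a small POSIX shell check for the two 502 causes named above, a fastcgi_pass that does not match php-fpm's listen and a unix socket whose listen.mode is not 666. The config paths are arguments; the sample nginx and php-fpm files are constructed in a temporary directory to mirror the page's snippets.

```shell
# fcgi_target: the active fastcgi_pass in an nginx conf, "unix:" prefix removed
fcgi_target() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^; ]*\)[[:space:]]*;.*/\1/p' "$1" | sed 's/^unix://' | head -n 1
}
# fpm_listen / fpm_mode: the active "listen =" and "listen.mode =" in php-fpm.conf
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^;#[:space:]]*\).*/\1/p' "$1" | head -n 1
}
fpm_mode() {
    sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | head -n 1
}

# check_fcgi NGINX_CONF PHP_FPM_CONF: prints "ok" or a one-line diagnosis (status 1)
check_fcgi() {
    target=$(fcgi_target "$1"); listen=$(fpm_listen "$2"); mode=$(fpm_mode "$2")
    if [ -z "$target" ] || [ "$target" != "$listen" ]; then
        echo "mismatch: nginx fastcgi_pass='$target' but php-fpm listen='$listen' (502)"
        return 1
    fi
    case "$listen" in
        /*) # unix socket: the page requires listen.mode = 666; a 660 socket only works
            # when listen.owner/listen.group are set to the user nginx runs as
            if [ "$mode" != "666" ]; then
                echo "socket $listen has listen.mode=${mode:-unset}; nginx may be unable to open it (502)"
                return 1
            fi ;;
    esac
    echo ok
}

# Constructed sample configs mirroring the page's two snippets
DEMO=$(mktemp -d)
cat >"$DEMO/nginx.conf" <<'EOF'
    location ~ \.php$ {
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        #fastcgi_pass 127.0.0.1:9000;
    }
EOF
cat >"$DEMO/php-fpm.conf" <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
;listen = 127.0.0.1:9000
listen.mode = 666
EOF
sed 's/^listen.mode = 666/listen.mode = 660/' "$DEMO/php-fpm.conf" >"$DEMO/php-fpm-660.conf"
sed 's/^listen = .*/listen = 127.0.0.1:9000/' "$DEMO/php-fpm.conf" >"$DEMO/php-fpm-tcp.conf"
for f in php-fpm.conf php-fpm-660.conf php-fpm-tcp.conf; do
    check_fcgi "$DEMO/nginx.conf" "$DEMO/$f" || :
done
```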

nginx proxy

  • When a web server has only a private IP, a server that is connected to it and has a public IP can act as its proxy server. To reach a server in the US quickly, a proxy server can be set up in Hong Kong
  • Here a virtual machine can be set up as the proxy server; the configuration is as follows

    server
    {
    listen 80;
    server_name ask.apelearn.com;
    
    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    }
    #the domain defined here normally matches the domain of the proxied IP
    #this is the known address of the 猿課 (apelearn) web server
    #$host is the domain defined above
  • The effect can be seen by comparing before and after the proxy is set up
    [root@akuilinux01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.0
    Date: Mon, 18 Jun 2018 13:07:58 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: http://test.com/robots.txt
    [root@akuilinux01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I
    HTTP/1.1 302 Found
    Server: nginx/1.14.0
    Date: Mon, 18 Jun 2018 13:13:06 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Location: http://121.201.80.216:9000
    #the 302 afterwards should be a redirect configured on the web server itself
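
An added example (not code from the original post) showing what the `X-Forwarded-For` line in the proxy config above produces, and how the proxied web server should read it: `$proxy_add_x_forwarded_for` appends the connecting address to whatever the client already sent, so the backend must walk the list from the right and trust only its own proxy. The proxy address 192.0.2.10 and the client addresses are constructed for the demo.

```python
import ipaddress

# Constructed for the demo (not from the page): the proxy is the only hop the
# backend should trust; 192.0.2.10 stands in for the proxy's address.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def proxy_add_x_forwarded_for(incoming_headers, remote_addr):
    """What nginx's $proxy_add_x_forwarded_for expands to on the proxy: the
    connecting address appended to any X-Forwarded-For the client sent."""
    prior = incoming_headers.get("X-Forwarded-For")
    return f"{prior}, {remote_addr}" if prior else remote_addr


def client_ip(xff, peer_addr, trusted=TRUSTED_PROXIES):
    """Backend side: recover the real client from X-Forwarded-For by walking it
    from the right and skipping trusted proxies. Everything to the left of the
    first untrusted hop was supplied by the client and must not be believed."""
    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in net for net in trusted)
        except ValueError:        # not an IP address at all: treat as untrusted
            return False
    if not is_trusted(peer_addr):           # connection bypassed the proxy
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return peer_addr


if __name__ == "__main__":
    # Client 203.0.113.7 sends its own X-Forwarded-For; the proxy appends the
    # real address, and the backend still resolves the client correctly.
    xff = proxy_add_x_forwarded_for({"X-Forwarded-For": "10.0.0.1"}, "203.0.113.7")
    print(xff, "->", client_ip(xff, "192.0.2.10"))            # 203.0.113.7
    print(client_ip("10.0.0.1", "203.0.113.7"))               # 203.0.113.7 (direct connection)
```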

Further topics

  • Summary of 502 problems
  • location priority