4.46-4.47 Access control 4/5

Restrict by user-agent

```nginx
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
```

Restrict by URI

```nginx
if ($request_uri ~ (abc|123)) { return 404; }
```

Supplement:

curl command usage:

```shell
curl -v -A 'aaaaaspider/3.0' -e "1111" -x127.0.0.1:80 bbs.aminglinux.cc -I
```

-A specifies the user-agent
-e specifies the referer
-x specifies the IP and port of the target server to access
-I shows only the header information, not the page content itself
-v shows the detailed communication process
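The two `if` rules above, evaluated in Python as an added illustration that is not part of the course notes: it emulates Nginx's case-sensitive `~` and case-insensitive `~*` operators, which explains why the log later shows `aaaaaaSpider/3.0` getting 403 while `aaaaaaspider/3.0` gets 200, and shows that `$request_uri` includes the query string, so a `mod=viewthread` URL matches the URI rule. The inputs are constructed to mirror the page's curl tests, and the URI pattern is the `viewthread` variant used later in the notes.

```python
import re

# Patterns taken from the page's Nginx config; the evaluation below is an
# added emulation of how Nginx tests them, not Nginx itself.
UA_PATTERN = r"Spider/3.0|YoudaoBot|Tomato"
URI_PATTERN = r"viewthread|abc|123"


def nginx_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """Emulate `~` (case-sensitive) and `~*` (case-insensitive).

    Both operators are unanchored searches, so any substring match fires,
    exactly like re.search.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, value, flags) is not None


def decide(user_agent: str, request_uri: str, case_insensitive: bool = False) -> int:
    """Return the status the two `if` blocks would produce (200 = neither fired).

    The user-agent rule is evaluated first, as it appears first in the config.
    $request_uri is the original request line URI *including* the query string,
    which is why `forum.php?mod=viewthread` is caught by the URI rule.
    """
    if nginx_match(UA_PATTERN, user_agent, case_insensitive):
        return 403
    if nginx_match(URI_PATTERN, request_uri, case_insensitive):
        return 404
    return 200


if __name__ == "__main__":
    # Constructed inputs mirroring the curl tests in the notes.
    print(decide("aaaaaaSpider/3.0", "/"))        # 403, as in the log
    print(decide("aaaaaaspider/3.0", "/"))        # 200: `~` is case-sensitive
    print(decide("aaaaaaspider/3.0", "/", True))  # 403 once the rule uses `~*`
    print(decide("curl/7.29.0", "/forum.php?mod=viewthread&tid=1232&extra=page%3D1"))  # 404
```

Switching the rule to `~*` closes the trivial case-change bypass that the page's second curl test demonstrates.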
4.48-4.49 Nginx reverse proxy

What is a reverse proxy?

A (user) --> B (in the same server room as C, and has a public IP) --> C (machine without a public IP)

In which scenarios is a reverse proxy used?

1) Reaching an internal machine that has no public IP
2) Working around a communication obstacle between two machines

Scenario setup:

1) Two machines, A and B; A has only an internal network address, B has both an internal and an external address
2) A's internal IP is 192.168.28.107
3) B's internal IP is 192.168.28.108; B's external IP is 192.168.149.129
4) C is the client; C can only reach B's external IP and cannot reach A's or B's internal IPs

Goal:

C needs to reach the website on A's internal network.

Configuration:

```nginx
location /
{
    proxy_pass http://ip;   # replace "ip" with the IP of the backend web server
    proxy_set_header Host $host;   # sets the Host header so that curl can see the domain / server_name (the Host header when proxying)
    proxy_set_header X-Real-IP $remote_addr;   # these two lines make the true source IP show up in the access log
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # both are reflected in the access log
}
```

Copy the following block:

```nginx
location /
{
    proxy_pass http://ip;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```
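As an added example that is not from the course notes, here is how the backend (A) should recover the real client address from the X-Forwarded-For chain that B builds with `$proxy_add_x_forwarded_for`. Only B's internal IP 192.168.28.108 from the scenario is treated as a trusted proxy; the client address 192.168.149.200 and the forged entries are constructed for the example.

```python
import ipaddress
from typing import List, Optional

# Addresses the backend may trust as reverse proxies: machine B's internal IP
# from the scenario. Any other peer is treated as an ordinary client.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.28.108")}


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For header into its comma-separated hops."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def real_client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Resolve the originating client as seen from the backend.

    $proxy_add_x_forwarded_for appends the proxy's own $remote_addr to whatever
    X-Forwarded-For the client sent, so the rightmost hops were written by our
    proxies while the leftmost ones are client-controlled. Walk from the right,
    skipping trusted proxies; the first untrusted hop is the client. If the TCP
    peer itself is not a trusted proxy, the header is ignored entirely.
    """
    hops = parse_xff(xff_header) + [remote_addr]
    while hops:
        hop = hops.pop()
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For hop: {hop!r}")
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    # Every hop was one of our proxies (e.g. a health check): use the TCP peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed cases: C reaches A through B, with and without a forged header,
    # and a host on A's subnet that bypasses B while forging the header.
    print(real_client_ip("192.168.28.108", "192.168.149.200"))            # 192.168.149.200
    print(real_client_ip("192.168.28.108", "1.2.3.4, 192.168.149.200"))   # 192.168.149.200
    print(real_client_ip("192.168.28.50", "1.2.3.4"))                      # 192.168.28.50
```

The same trust decision applies to `X-Real-IP`: B overwrites it with its own `$remote_addr`, so it is reliable only when the request actually arrived via B.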
Supplement (added after editing the configuration)

Restrict user-agent (this refers to the browser's identifier)

```shell
[root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
[root@test01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 ~]# nginx -s reload
[root@test01 ~]# curl -A 'aaaaaaSpider/3.0' -x127.0.0.1:80 bbs.champin.top -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 17:58:44 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@test01 ~]# curl -A 'aaaaaaspider/3.0' -x127.0.0.1:80 bbs.champin.top -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 24 Feb 2019 18:02:07 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=QCqN3bq3; expires=Tue, 26-Mar-2019 18:02:07 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1551027727; expires=Tue, 26-Mar-2019 18:02:07 GMT; Max-Age=2592000; path=/
Set-Cookie: eCL1_2132_sid=Qb48Q4; expires=Mon, 25-Feb-2019 18:02:07 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_lastact=1551031327%09index.php%09; expires=Mon, 25-Feb-2019 18:02:07 GMT; Max-Age=86400; path=/
Set-Cookie: eCL1_2132_sid=Qb48Q4; expires=Mon, 25-Feb-2019 18:02:07 GMT; Max-Age=86400; path=/
[root@test01 ~]# curl -v -A 'aaaaaaSpider/3.0' -x127.0.0.1:80 bbs.champin.top -I
* About to connect() to proxy 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> HEAD HTTP://bbs.champin.top/ HTTP/1.1
> User-Agent: aaaaaaSpider/3.0
> Host: bbs.champin.top
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
Server: nginx/1.14.2
< Date: Sun, 24 Feb 2019 18:04:38 GMT
Date: Sun, 24 Feb 2019 18:04:38 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host 127.0.0.1 left intact
[root@test01 ~]# curl -v -A 'aaaaaaSpider/3.0' -e "1111" -x127.0.0.1:80 bbs.champin.top -I
* About to connect() to proxy 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> HEAD HTTP://bbs.champin.top/ HTTP/1.1
> User-Agent: aaaaaaSpider/3.0
> Host: bbs.champin.top
> Accept: */*
> Referer: 1111
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
Server: nginx/1.14.2
< Date: Sun, 24 Feb 2019 18:06:42 GMT
Date: Sun, 24 Feb 2019 18:06:42 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host 127.0.0.1 left intact
```

Restrict URI

```nginx
if ($request_uri ~ (viewthread|abc|123)) { return 404; }
```

Visiting the newly created test thread in a browser: the thread's URI contains viewthread, so even though the thread exists, the page returns 404 not found.

Writing it the following way does not work:

```nginx
if ($request_uri ~ (viewthread|abc|123))
{
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    deny all;
}
```

Accessed this way, a page such as http://bbs.champin.top/forum.php?mod=viewthread&tid=1232&extra=page%3D1 would also turn into a 403.

Nginx reverse proxy

Simulated with virtual machines: add a host-only network adapter to machine 108, enable it, and connect to 108.

On 108:

```shell
[root@test02 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.28.108  netmask 255.255.252.0  broadcast 192.168.31.255
        inet6 fe80::98ef:5fb6:2c54:d563  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::8eb9:eeb2:ea98:c999  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:20:ad:bc  txqueuelen 1000  (Ethernet)
        RX packets 2492  bytes 3197805 (3.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 883  bytes 77855 (76.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.229.128  netmask 255.255.255.0  broadcast 192.168.229.255
        inet6 fe80::ee2d:59da:a6ba:e82  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:20:ad:c6  txqueuelen 1000  (Ethernet)
        RX packets 4  bytes 989 (989.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 1308 (1.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 68  bytes 5524 (5.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 68  bytes 5524 (5.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

There is no configuration file for ens37; to give it a static IP, copy the existing configuration file:

```shell
[root@test02 ~]# ls /etc/sysconfig/network-scripts/ifcfg-
ifcfg-ens33  ifcfg-lo
[root@test02 ~]# cd /etc/sysconfig/network-scripts/
[root@test02 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@test02 network-scripts]# vi ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=bfc98778-197a-423a-aec7-acdb02e60879
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.229.129
NETMASK=255.255.255.0
```

systemctl restart network (restarts the network service)

```shell
[root@test02 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.28.108  netmask 255.255.252.0  broadcast 192.168.31.255
        inet6 fe80::98ef:5fb6:2c54:d563  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::8eb9:eeb2:ea98:c999  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:20:ad:bc  txqueuelen 1000  (Ethernet)
        RX packets 3590  bytes 3292584 (3.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1547  bytes 161035 (157.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.229.129  netmask 255.255.255.0  broadcast 192.168.229.255
        inet6 fe80::20c:29ff:fe20:adc6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:20:ad:c6  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 1331 (1.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 48  bytes 4364 (4.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 92  bytes 7564 (7.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 92  bytes 7564 (7.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

On 107:

```shell
[root@test01 ~]# scp /etc/yum.repos.d/nginx.repo 192.168.28.108:/etc/yum.repos.d/
```

On 108:

```shell
yum install -y nginx
[root@test02 ~]# cd /etc/nginx/conf.d/
[root@test02 conf.d]# ls
default.conf
[root@test02 conf.d]# vi default.conf
```

Put deny all; into default.conf to disable the default site, then create the proxy virtual host:

```shell
[root@test02 conf.d]# vi bbs.champin.top.conf
server
{
    listen 80;
    server_name bbs.champin.top;
    location /
    {
        proxy_pass http://192.168.28.107;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[root@test02 conf.d]# systemctl start nginx
[root@test02 conf.d]# ps aux |grep nginx
root      4440  0.0  0.0  46352   984 ?        Ss   03:20   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx     4441  0.0  0.1  46864  1680 ?        S    03:20   0:00 nginx: worker process
root      4444  0.0  0.0 112664   972 pts/0    S+   03:22   0:00 grep --color=auto nginx
[root@test02 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test02 conf.d]# nginx -s reload
```

Because this is simulated with virtual machines, the hosts entry also has to be bound: 192.168.229.129 bbs.champin.top

```shell
[root@test02 conf.d]# firewall-cmd --add-port=80/tcp --permanent
success
[root@test02 conf.d]# firewall-cmd --reload
success
[root@test02 conf.d]# iptables -nvL |grep 80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
```