Nginx防盗链&Nginx访问控制&Nginx解析php相关配置&Nginx代理

时间 2019-11-13

标签 nginx 防盗访问控制解析 php 相关配置代理栏目 Nginx 繁體版

原文原文链接

[toc]javascript

Nginx防盗链&Nginx访问控制&Nginx解析php相关配置&Nginx代理

1、Nginx防盗链：

1. 打开配置文件：

增长以下配置文件：php

[root@xavi ~]# cd /usr/local/nginx/conf/vhost/
[root@xavi vhost]# vim test.com.conf

    } 
  #  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  #  {
  #        expires      7d;
  #        access_log off;
  #  }
    
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{   
    expires 7d; 
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;

防盗链部分

valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }

如上配置文件中匹配以gif,jpg,png结尾的页面，而且设置一个白名单的referer为*.test.com, 其它的（$invalid_referer）均403 forbidden！css

2. 测试+重载（-t && -s reload）

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

使用本地主机访问2.js 是没有问题的,指定一个referer，再次测试：

[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

2、Nginx访问控制：

有时候在我们运维一些网站的时候，发现一些访问是不正常的。或者为了提升安全性，咱们须要将某些页面加密处理！html

1 增长配置文件，设置来源IP

vim /usr/local/nginx/conf/vhost/test.com.confjava

location /admin/

{
    allow 127.0.0.1;
    allow 192.168.72.130; //本身试验虚拟机的服务器
    deny all;
}

==匹配规则为，一旦匹配则后面的均不执行，也就是容许127.0.0.1和192.168.72.130 访问；其它的均拒绝！==nginx

2.测试语法并重载配置

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

3.匹配站点后台登陆页，进行访问控制！

[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes

[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes

查看日志:cat /tmp/test.com.log

4.针对某个能够上传的目录作指定文件（例如：php）不解析：

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

任何PHP文件都不解析，而txt文件能够访问

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK

5.根据user-agent限制：

若是站点被CC攻击了，或者不想被蜘蛛爬本身的网站，咱们彻底能够根据user-agent去禁止掉：web

vim /usr/local/nginx/conf/vhost/test.com.conf 打开添加一下语句

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

测试语法并重加载配置

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

加载1.txt测试

[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes

咱们发现，当咱们修改user-agent为小写的时候，就不生效了。因此咱们须要设置忽略大小写：ajax

从新在虚拟机配置文件 test.com.conf下修改配置vim

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

只须要在~添加一个 * 便可！

完成过程：安全

[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf 
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

3、Nginx解析php相关配置

1.增长如下配置：

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
      }

fastcgi_pass 用来指定php-fpm监听的地址或者socket

完整以配置的内容：

vim /usr/local/nginx/conf/vhost/test.com.conf 

  #        expires      7d;
  #        access_log off;
  #  }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    }
    access_log off;
}   
location ~ .*\.(js|css)$
    {   
          expires      12h;
          access_log off;
    }
    location /admin/
    
{         
    allow 127.0.0.1; 
    allow 192.168.72.130;
    deny all;
}

location ~ .*(upload|image)/.*\.php$
{   
        deny all;
}
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}       
location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
      }

2.建立一个测试php文件

[root@xavi vhost]# vim /data/nginx/test.com/3.php
>?php
phpinfo();

没法解析，显示源码（编辑的conf文件未完成-t&-s reload配置）

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

这里特别注意下配置文件中/data/nginx/test.com,而不是设置www.test.com

-t&-s reload配置后，能够正常解析phpinfo（）

3.小结：其中fastcgi_pass用来指定php-fpm的地址，若是php-fpm监听的是一个tcp:port的地址(好比127.0.0.1：9000),那么也须要在这里改为fastcgi_pass 127.0.0.1：9000。这个地址必定要和php-fpm服务监听的地址匹配，否是会报502错误.还有一个地方要注意fastcgi_param SCRIPT_FILENAME 后面跟的路径为该站点的根目录，和前面定义的root那个路径保持一致，若是这里配置不对，访问PHP页面会出现404;还有一种502的现象，若是内存中出现大量的php-fpm进程占据了内存，也会一样致使此问题！

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
      }

查看php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

没法查看错误日志

测试：找到了日志文件路径，查看了error.log,里面是有内容的，可是忘了本身是否对nginx专门设定了日志文件

[root@xavi ~]# cd /usr/local/nginx/logs/
[root@xavi logs]# ls
access.log  error.log  nginx_error.log  nginx.pid

[root@xavi logs]# cat error.log
2018/03/14 00:05:58 [emerg] 124460#0: unknown directive "er" in /usr/local/nginx/conf/nginx.conf:1
2018/03/14 21:06:14 [notice] 5737#0: signal process started
2018/03/14 21:41:27 [notice] 6234#0: signal process started
2018/03/14 21:59:27 [notice] 6446#0: signal process started
2018/03/14 22:16:03 [notice] 6668#0: signal process started
2018/03/14 22:38:58 [emerg] 6947#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:40:17 [emerg] 6962#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:44:22 [emerg] 7015#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/test.com.conf:4
2018/03/14 22:55:13 [emerg] 7151#0: unknown directive "//有这个default_server标记的就是默认虚拟主机" in /usr/local/nginx/conf/vhost/aaa.com.conf:4
2018/03/14 22:56:55 [emerg] 7173#0: "location" directive is not allowed here in /usr/local/nginx/conf/vhost/atorreid.com.conf:12
2018/03/14 22:58:57 [emerg] 7197#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/bcd.com.conf:3
2018/03/14 23:01:46 [warn] 7251#0: conflicting server name "test.com" on 0.0.0.0:80, i

4、Nginx代理

假如一个用户须要访问WEB服务器，可是用户与WEB服务器之间是不通的，WEB服务器在内网，咱们须要一个代理服务器来帮助用户访问web，他必须和用户相通，也必须和web服务器相通，在中间起到搭桥的这就是代理服务器。这样当你下载好一个安装包后，别的同事也能够在内网里共享你的下载，节约资源.

4.1 原理：

Nginx代理是一种反向代理。反向代理（Reverse Proxy）方式是指以代理服务器来接受Internet上的链接请求，而后将请求转发给内部网络上的服务器；并将从服务器上获得的结果返回给Internet上请求链接的客户端，此时代理服务器对外就表现为一个服务器。

假如这家公司有不少台服务器，为了节省成本，不能为全部的服务器都分配公网IP，而若是一个没有公网的IP的复为其要提供web服务，就能够经过代理来实现，这就是 Nginx比httpd愈来愈受欢迎的缘由

graph LR 用户–>代理服务器代理服务器–>用户代理服务器–>web服务器 web服务器–>代理服务器

4.2 编辑配置文件

cd /usr/local/nginx/conf/vhost
 
vim proxy.conf

加入以下内容：

server
{
    listen 80;
    server_name ask.apelearn.com;
#   定义域名（通常和被代理ip的域名保持一致）
    location /
    {
        proxy_pass      http://47.91.145.78/;  //用window的cmd去ping这个网址的IP
#       指定被代理（被访问）的IP（web服务器IP）
        proxy_set_header Host   $host;
#       $host指的是代理服务器的servername（也是被代理IP的域名）
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

由于是代理服务器因此不须要访问本地服务器的任何文件； ask.apelearn.com; 定义一个域名；

proxy_pass http://47.91.145.78/；真实WEB服务器的IP地址。

$host; 也就是我们的server_name

重启nginx以后再次测试，127.0.0.1就是本身的代理机，访问的论坛

[root@xavi vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 18 Mar 2018 08:51:31 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=kgp331gk94i16pcv9jti0qgd65; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

测试网站的robots

[root@xavi vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/