
Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, and an introduction to Nginx proxying on Linux

Date: 2019-02-23 11:57:40


Nginx hotlink protection

The idea is the same as with httpd and the configuration is not hard, but it should be combined with the expires setting and with switching off access logging.

1. Configuration file contents

[root@gary-tao ]# vim /usr/local/nginx/conf/vhost/.conf
Add the following configuration:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *. ;   # define the whitelist
    if ($invalid_referer) {
        return 403;                                  # anything not on the whitelist gets 403
    }
    access_log off;
}

As shown in the figure:

2. Test the syntax and reload the configuration

[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload

3. Test with curl

To test hotlink protection, a Referer has to be supplied before the request succeeds; add it with -e, and the value has to start with http://.

[root@gary-tao ]# curl -e "/1.txt" -x127.0.0.1:80 -I /1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 11:17:05 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ]# curl -e "/1.txt" -x127.0.0.1:80 -I /1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 11:16:43 GMT
Content-Type: image/gif
Content-Length: 15
Last-Modified: Thu, 04 Jan 10:51:09 GMT
Connection: keep-alive
ETag: "5a4e071d-f"
Expires: Thu, 11 Jan 11:16:43 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
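The decision nginx makes for the location above, as an added Python model that is not code from the original post: it evaluates a valid_referers list with the same four kinds of entry the post uses (none, blocked, server_names and a leading-wildcard name) and returns the status the location would answer. The post's domain is not shown, so example.com and its server names are assumptions; the semantics (header absent, scheme-less value, port ignored, wildcard covering subdomains only) follow the valid_referers directive.

```python
import re
from urllib.parse import urlsplit

# Assumed site names for this example; the post does not show the real domain.
SERVER_NAMES = ["example.com", "www.example.com"]
# Mirrors "valid_referers none blocked server_names *.example.com;"
VALID_REFERERS = ["none", "blocked", "server_names", "*.example.com"]
# Mirrors the location regex (the ~* modifier makes it case-insensitive)
PROTECTED = re.compile(
    r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.I)


def _name_matches(host, pattern):
    """Match a Referer host against one valid_referers entry.
    A leading or trailing '*' is a wildcard; '*.example.com' covers
    subdomains only, the bare name is covered by server_names."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer):
    """True when nginx would set $invalid_referer for this Referer value."""
    if referer is None:
        return "none" not in VALID_REFERERS          # header absent
    ref = referer.strip().lower()
    if not (ref.startswith("http://") or ref.startswith("https://")):
        return "blocked" not in VALID_REFERERS       # present but scheme stripped
    host = urlsplit(ref).hostname or ""              # the port is ignored
    for entry in VALID_REFERERS:
        if entry in ("none", "blocked"):
            continue
        names = SERVER_NAMES if entry == "server_names" else [entry]
        if any(_name_matches(host, n) for n in names):
            return False
    return True


def respond(uri, referer=None):
    """Status the protected location returns for a request."""
    if not PROTECTED.match(uri):
        return 200                 # the location does not apply to this URI
    return 403 if invalid_referer(referer) else 200


if __name__ == "__main__":
    for uri, ref in [("/1.gif", None), ("/1.gif", "http://other.org/"),
                     ("/1.gif", "http://img.example.com/page")]:
        print(uri, ref, "->", respond(uri, ref))
```

Note that `blocked` accepts any Referer value that lacks a scheme, and `none` accepts a missing header, so this check only stops the casual embedding the post is concerned with; a client that sets its own Referer, as the curl test does, is let through.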

Nginx access control

1. Configuration file: restrict access by IP

[root@gary-tao ]# vim /usr/local/nginx/conf/vhost/.conf
Add the following:

location /admin/
{
    allow 127.0.0.1;
    allow 172.16.111.100;
    deny all;
}

As shown in the figure:

2. Test the syntax and reload the configuration

[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload

3. Test with curl

Explanation:

When configuring httpd there is also an order directive that defines whether allow or deny is evaluated first. Nginx has nothing like it: evaluation stops at the first rule that matches. If the source IP is 172.16.111.129, the rules are tried from top to bottom: the first IP (127.0.0.1) does not match, the second (172.16.111.100) does not match, and only the third line (all) matches. That rule is deny, so access is refused and a 403 status code is returned. The test is as follows:

[root@gary-tao ]# curl -e "/1.txt" -x127.0.0.1:80 -I /admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 11:35:17 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes
[root@gary-tao ]# curl -x172.16.111.100:80 -I /admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 11:36:25 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 13:12:03 GMT
Connection: keep-alive
ETag: "5a4cd6a3-14"
Accept-Ranges: bytes
[root@gary-tao ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.111.100  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::1ffb:cde1:5f3e:5778  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:e5:58  txqueuelen 1000  (Ethernet)
        RX packets 40262  bytes 15749043 (15.0 MiB)
        RX errors 0  dropped 50  overruns 0  frame 0
        TX packets 28168  bytes 4961855 (4.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.111.129  netmask 255.255.255.0  broadcast 172.16.111.255
        inet6 fe80::888c:a1d7:871b:8971  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:e5:62  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 8623 (8.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 10741 (10.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 354  bytes 33223 (32.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 354  bytes 33223 (32.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@gary-tao ~]# curl -x172.16.111.129:80 -I /admin/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 11:46:03 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ~]# !cat
cat /tmp/.log
127.0.0.1 - [04/Jan/:18:53:20 +0800] "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:18:53:53 +0800] "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:18:55:22 +0800] "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:19:35:17 +0800] "/admin/" 200 "/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/:19:36:25 +0800] "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/:19:45:58 +0800] "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/:19:46:03 +0800] "/admin/" 403 "-" "curl/7.29.0"

4. A regular expression can be used to restrict a directory

[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/.conf
Add the following:

location ~ .*(upload|image)/.*\.php$    # matches .php files under the upload or image directory
{
    deny all;
}

[root@gary-tao src]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao src]# /usr/local/nginx/sbin/nginx -s reload

As shown in the figure. Test with curl:

The .php files under the upload directory cannot be accessed, but files with any other extension can.

[root@gary-tao ~]# mkdir /data/wwwroot//upload
[root@gary-tao ~]# echo "1111111" > /data/wwwroot//upload/1.php
[root@gary-tao ~]# curl -x127.0.0.1:80 /upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@gary-tao ~]# echo "1111111" > /data/wwwroot//upload/1.txt
[root@gary-tao ~]# curl -x127.0.0.1:80 /upload/1.txt
1111111
[root@gary-tao ~]# cat /tmp/.log
127.0.0.1 - [04/Jan/:18:53:20 +0800] "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:18:53:53 +0800] "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:18:55:22 +0800] "/2.jsagdaga" 404 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:19:35:17 +0800] "/admin/" 200 "/1.txt" "curl/7.29.0"
172.16.111.100 - [04/Jan/:19:36:25 +0800] "/admin/" 200 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/:19:45:58 +0800] "/admin/index.html" 403 "-" "curl/7.29.0"
172.16.111.129 - [04/Jan/:19:46:03 +0800] "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:20:48:09 +0800] "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/:20:48:48 +0800] "/upload/1.txt" 200 "-" "curl/7.29.0"

5. Restrict by user_agent

If you do not want your site to turn up in searches, block the spiders, such as Baidu and Google. Then no site can crawl your data, which is much like hiding the site, unless you tell someone the URL.

The configuration is as follows:

[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/.conf
Add the following configuration:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;    # deny all and return 403 have the same effect
}

[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload

Use -A to simulate a user_agent and test with curl

Tomato is on the restricted user_agent list, so it cannot access the site. The match here is case-sensitive; to ignore case, add * after the ~ in the if statement, i.e. if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')

[root@gary-tao ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 /upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 12:56:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 /upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 12:58:10 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 04 Jan 12:48:43 GMT
Connection: keep-alive
ETag: "5a4e22ab-8"
Accept-Ranges: bytes
[root@gary-tao ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 /upload/1.txt -I    # after adding the *, the lowercase agent is 403 as well
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 12:58:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
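The three access-control rules of this section (the allow/deny list for /admin/ in item 1, the regex location for .php under upload/ or image/ in item 4, and the user_agent if in item 5), as one added Python model; this is not code from the original post. It reproduces first-match evaluation of allow/deny with no order directive, the difference between ~ and ~* for the user_agent regex, and then replays log lines in the post's custom log format through the policy so that a logged status that contradicts the policy stands out. Assumptions: the user_agent if sits at server level (its return runs in the rewrite phase, before the access phase that handles allow/deny), and the log lines are constructed samples with a year added; the fourth line is a deliberately planted anomaly.

```python
import ipaddress
import re

# Policy transcribed from the post's vhost (assumed: the user_agent "if" is at
# server level, so it applies to every URI on the site).
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "172.16.111.100"), ("deny", "all")]
PHP_UNDER_UPLOAD = re.compile(r".*(upload|image)/.*\.php$")
BLOCKED_AGENTS = "Spider/3.0|YoudaoBot|Tomato"

# Constructed log lines in the post's format (year added; the fourth line is a
# planted anomaly: a denied address that was nevertheless answered with 200).
SAMPLE_LOG = [
    '127.0.0.1 - [04/Jan/2018:19:35:17 +0800] "/admin/" 200 "/1.txt" "curl/7.29.0"',
    '172.16.111.100 - [04/Jan/2018:19:36:25 +0800] "/admin/" 200 "-" "curl/7.29.0"',
    '172.16.111.129 - [04/Jan/2018:19:46:03 +0800] "/admin/" 403 "-" "curl/7.29.0"',
    '172.16.111.129 - [04/Jan/2018:20:01:00 +0800] "/admin/" 200 "-" "curl/7.29.0"',
    '127.0.0.1 - [04/Jan/2018:20:48:09 +0800] "/upload/1.php" 403 "-" "curl/7.29.0"',
    '127.0.0.1 - [04/Jan/2018:20:48:48 +0800] "/upload/1.txt" 200 "-" "curl/7.29.0"',
]
LOG_RE = re.compile(r'^(\S+) - \[[^\]]+\] "([^"]*)" (\d{3}) "[^"]*" "([^"]*)"$')


def ip_rule_status(rules, client_ip):
    """allow/deny as nginx evaluates them: top to bottom, the first matching
    rule decides, and there is no 'order' directive. No match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        hit = target == "all" or ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return 200 if action == "allow" else 403
    return 200


def decide(client_ip, uri, user_agent="", ua_ignore_case=False):
    """Status and the rule that produced it, in nginx phase order."""
    flags = re.I if ua_ignore_case else 0           # ua_ignore_case=True models '~*'
    if re.search(BLOCKED_AGENTS, user_agent or "", flags):
        return 403, "user_agent"                    # rewrite phase: if ... return 403
    if PHP_UNDER_UPLOAD.match(uri):                 # regex location: deny all
        return 403, "php-under-upload"
    if uri.startswith("/admin/"):                   # prefix location /admin/
        return ip_rule_status(ADMIN_RULES, client_ip), "admin"
    return 200, "default"


def audit(lines, ua_ignore_case=False):
    """Replay log lines through the policy; a mismatch between the logged and
    the expected status points at a rule that is missing or out of order."""
    mismatches = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, status, ua = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        expected, rule = decide(ip, uri, ua, ua_ignore_case)
        if expected != status:
            mismatches.append((ip, uri, status, expected, rule))
    return mismatches


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("policy mismatch:", finding)
```

Reversing ADMIN_RULES so that deny all comes first shuts out every address, including 127.0.0.1, which is the point the post makes about the absence of order: in nginx, rule position is the policy.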

Nginx PHP parsing configuration

In LAMP, PHP is a module of httpd: as long as the PHP module is loaded, PHP scripts can be parsed. In LNMP, PHP exists as a service (php-fpm): the php-fpm service is started first, and Nginx then talks to php-fpm. In other words, the PHP script is processed by php-fpm, which passes the result to Nginx, and Nginx returns the result to the user.

1. Test

Before changing the configuration file to add PHP parsing, create a PHP file and test whether PHP is parsed. The result is as follows:

[root@gary-tao ~]# vi /data/wwwroot//3.php
Add the following:

<?php
phpinfo();
?>

[root@gary-tao ~]# curl -x127.0.0.1:80 /3.php
<?php
phpinfo();
?>

2. Modify the configuration file

[root@gary-tao ~]# vim /usr/local/nginx/conf/vhost/.conf
Add the following configuration:

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/$fastcgi_script_name;
}

[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao ~]# /usr/local/nginx/sbin/nginx -s reload

Explanation

fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a tcp:port address (for example 127.0.0.1:9000), this line must be changed accordingly to fastcgi_pass 127.0.0.1:9000. The address must match the one the php-fpm service listens on, otherwise a 502 error is returned.

Another point to note: the path after fastcgi_param SCRIPT_FILENAME is the site's document root and must be the same as the root path defined earlier; if it is configured wrongly, PHP pages return 404.
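A check for the two mismatches the explanation above warns about, as an added Python example that is not code from the original post. It reads a vhost fragment and a php-fpm pool fragment, compares fastcgi_pass with the pool's listen address (unix socket or TCP), and compares SCRIPT_FILENAME with root. Both fragments are constructed samples; example.com stands in for the site name the post leaves blank, and the pool file name is not taken from the post.

```python
import re

# Constructed sample fragments (not the post's files); "example.com" is assumed.
NGINX_VHOST = r"""
server {
    listen 80;
    root /data/wwwroot/example.com;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/example.com$fastcgi_script_name;
    }
}
"""
PHP_FPM_POOL = """
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
"""


def _fpm_listen(value):
    """php-fpm 'listen': a path is a unix socket, 'host:port' or bare 'port' is TCP."""
    if value.startswith("/"):
        return ("unix", value)
    host, _, port = value.rpartition(":")
    return ("tcp", host or "*", port)       # bare port means every interface


def _fastcgi_pass(value):
    """nginx 'fastcgi_pass': 'unix:/path' or 'host:port'."""
    if value.startswith("unix:"):
        return ("unix", value[len("unix:"):])
    host, _, port = value.rpartition(":")
    return ("tcp", host, port)


def _endpoints_match(fpm, nginx):
    if fpm[0] != nginx[0]:
        return False
    if fpm[0] == "unix":
        return fpm[1] == nginx[1]
    return fpm[2] == nginx[2] and fpm[1] in ("*", "0.0.0.0", nginx[1])


def check_php_handoff(nginx_conf, fpm_conf):
    """Return the problems that would surface as 502 or 404 on a PHP request."""
    problems = []
    listen = re.search(r"^\s*listen\s*=\s*(\S+)", fpm_conf, re.M).group(1)
    fpass = re.search(r"\bfastcgi_pass\s+(\S+?);", nginx_conf).group(1)
    if not _endpoints_match(_fpm_listen(listen), _fastcgi_pass(fpass)):
        problems.append(f"502: fastcgi_pass {fpass} does not match php-fpm listen {listen}")
    root = re.search(r"^\s*root\s+(\S+?);", nginx_conf, re.M).group(1)
    script = re.search(r"\bSCRIPT_FILENAME\s+(\S+?);", nginx_conf).group(1)
    if script != root + "$fastcgi_script_name":
        problems.append(f"404: SCRIPT_FILENAME {script} is not root ({root}) + $fastcgi_script_name")
    return problems


if __name__ == "__main__":
    print(check_php_handoff(NGINX_VHOST, PHP_FPM_POOL) or "php hand-off looks consistent")
```

Run it against the real files by reading them into the two arguments; the regexes expect one directive per line, as in the post's configuration.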

Figures (in the original post): the configuration, and the PHP page parsing correctly.

Nginx proxying

A company has many servers, and to save cost it cannot give every server a public IP. If a server without a public IP is to provide a web service, this can be achieved through a proxy.

Create a new configuration file

[root@gary-tao ~]# cd /usr/local/nginx/conf/vhost
[root@gary-tao vhost]# vim proxy.conf
Add the following:

server
{
    listen 80;
    server_name ;
    location /
    {
        proxy_pass http://121.201.9.155/;    # IP of the server that hosts the proxied domain, i.e. the web server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# There is no root here: this is a proxy server and does not need to access any file on the local machine

[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -s reload

The index list for spiders; most sites have one

[root@gary-tao vhost]# curl /robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@gary-tao vhost]#

The remote site was reached through the local IP: the proxy server is our virtual machine, and the web server is the site we accessed.

[root@gary-tao vhost]# curl -x127.0.0.1:80 /robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@gary-tao vhost]#
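What the three proxy_set_header lines in proxy.conf produce, as an added Python model that is not code from the original post. The proxy is the web server's TCP peer, so the web server learns the real client only from X-Real-IP and X-Forwarded-For, and an allow/deny list like the one in the access-control section would see the proxy's address instead of the client's. The block builds the forwarded headers ($host without port, $remote_addr, $proxy_add_x_forwarded_for appending to any existing value) and then shows how the web server should read the client address back, trusting only the hops it knows. The upstream IP is the post's proxy_pass target; the server name, the proxy's own address and the request values are constructed.

```python
UPSTREAM = "121.201.9.155"           # proxy_pass target from the post
SERVER_NAME = "example.com"          # assumed; the post's server_name is blank


def upstream_headers(client_addr, request_headers, server_name=SERVER_NAME):
    """Headers the proxy sends to the web server for one client request."""
    incoming = {k.lower(): v for k, v in request_headers.items()}
    # $host: the Host header without port, lowercased, else the matched server_name
    host = incoming.get("host", server_name).split(":")[0].lower()
    # $proxy_add_x_forwarded_for: existing X-Forwarded-For plus ", $remote_addr"
    prior = incoming.get("x-forwarded-for")
    xff = f"{prior}, {client_addr}" if prior else client_addr
    # every other header passes through unchanged
    out = {k: v for k, v in request_headers.items()
           if k.lower() not in ("host", "x-real-ip", "x-forwarded-for")}
    out.update({"Host": host, "X-Real-IP": client_addr, "X-Forwarded-For": xff})
    return out


def client_ip_behind_proxy(peer_addr, headers, trusted_proxies):
    """Address the web server should treat as the client: the TCP peer is the
    proxy, so walk X-Forwarded-For from the right and skip only trusted hops.
    A value the client put in the header itself sits further left and is ignored."""
    if peer_addr not in trusted_proxies:
        return peer_addr                     # direct connection: header is untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    while hops and hops[-1] in trusted_proxies:
        hops.pop()
    return hops[-1] if hops else peer_addr


if __name__ == "__main__":
    proxy = "10.0.0.2"                   # constructed address of the proxy VM
    sent = upstream_headers("203.0.113.7", {"Host": "Example.com:80",
                                            "X-Forwarded-For": "127.0.0.1"})
    print(sent)
    print("client as seen by", UPSTREAM, "->", client_ip_behind_proxy(proxy, sent, {proxy}))
```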
