Nginx防盗链
- 防盗链通俗的叫就是不让别人盗用你网站上的资源。比如:图片、视频、歌曲、文档等。
- referer的概念:假如通过A网站的一个页面http://a.com/a.html里面的链接去访问B网站的一个页面http://b.com/b.html,那么这个B网站页面的referer就是http://a.com/a.htm。也就是说是一个网址。
- 该部分配置内容与过期时间、不记录日志有部分重合,可以把2部分结合在一起。在test.com.conf中修改为如下
添加的内容
添加的内容
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ //匹配*表示后面关键词不区分大小写
{
expires 7d; //过期时间
valid_referers none blocked server_names *.test.com ;//定义白名单的域名
if ($invalid_referer) { //这段表示不是白名单访问,那么会提示403
return 403;
}
access_log off; //访问日志不记录
}添加完成后如下:
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
# expires 12h;
access_log off;
}
location ~ admin.php
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
access_log /tmp/test.com.log lufei;
- 检查并加载配置文件
[root@chunt vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@chunt vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@chunt vhost]#- 测试
[root@chunt vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:33:42 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@chunt vhost]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:34:03 GMT
Content-Type: image/gif
Content-Length: 16
Last-Modified: Wed, 14 Mar 2018 18:33:29 GMT
Connection: keep-alive
ETag: "5aa96af9-10"
Expires: Thu, 22 Mar 2018 15:34:03 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@chunt vhost]#
这样就说明防盗链已配置成功。
Nginx访问控制
- 需求背景
例:访问/admin/目录的请求,只允许某几个IP访问。 - 编辑test.com.conf文件
增加以下内容
location /admin/ //指定目录
{
allow 127.0.0.1;
allow 192.168.244.132;
deny all;
}在配置httpd的时候,还有一个order,来定义先allow还是先deny,在Nginx中并没有,只要匹配规则就结束了,假如来源IP为192.168.244.150,它会从上到下逐一去匹配,前2个IP都不匹配,直到第3行(all)的时候才匹配到,匹配的这条规则就是deny(拒绝访问),最终会返回一个403的状态码
配置文件中的IP也可以写成IP段,比如:192.168.244.0/24
- 检查并加载配置文件
[root@chunt vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@chunt vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@chunt vhost]#- 测试
[root@chunt vhost]# curl -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 16:01:19 GMT
Content-Type: text/html
Content-Length: 14
Last-Modified: Wed, 14 Mar 2018 16:50:45 GMT
Connection: keep-alive
ETag: "5aa952e5-e"
Accept-Ranges: bytes
[root@chunt vhost]# curl -x192.168.244.132:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 16:01:29 GMT
Content-Type: text/html
Content-Length: 14
Last-Modified: Wed, 14 Mar 2018 16:50:45 GMT
Connection: keep-alive
ETag: "5aa952e5-e"
Accept-Ranges: bytes
[root@chunt vhost]# curl -x192.168.202.128:80 test.com/admin/ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 16:01:35 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@chunt vhost]# !cat
cat /tmp/test.com.log
127.0.0.1 - [16/Mar/2018:00:01:19 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.244.132 - [16/Mar/2018:00:01:29 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.202.128 - [16/Mar/2018:00:01:35 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
[root@chunt vhost]#
说明配置成功
- 针对正则匹配,要把可以上传文件的目录禁止解析PHP,目的是为了保证安全。在配置文件中增加以下内容
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
小括号中的|为分隔符,表示“或者”的意思,这样就可以把访问的URL中带有upload或者image字符串,并且是php的请求拒绝访问
- 检查并加载配置文件
/usr/local/nginx/conf/nginx.conf -t
/usr/local/nginx/conf/nginx.conf -s reload
- 创建upload目录,创建1.php与1.txt,用来进行比较
[root@chunt vhost]# mkdir /data/wwwroot/test.com/upload
[root@chunt vhost]# echo "yaoming" > /data/wwwroot/test.com/upload/1.php
[root@chunt vhost]# echo "yaoming" > /data/wwwroot/test.com/upload/1.txt- 测试
[root@chunt vhost]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@chunt vhost]#
[root@chunt vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt
yaoming
[root@chunt vhost]# !cat
cat /tmp/test.com.log
127.0.0.1 - [16/Mar/2018:00:01:19 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.244.132 - [16/Mar/2018:00:01:29 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.202.128 - [16/Mar/2018:00:01:35 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:00:31:41 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:00:31:53 +0800] test.com "/upload/" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:00:32:01 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:00:35:40 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:00:35:45 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
[root@chunt vhost]#
设置成功
如果网站被cc攻击,或者禁掉某些蜘蛛,想网站设置为隐藏的,不想被其他网站搜到,那么可以封掉这些蜘蛛,比如百度、goole等,这些网站是不能爬到你的数据,也不告诉网址,那别人是不可能知道你有这个站点的,这时可以根据user_agent限制,
- 在配置文件中增加以下内容
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}检查并加载配置文件
测试
[root@chunt vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 16:56:26 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 15 Mar 2018 16:34:52 GMT
Connection: keep-alive
ETag: "5aaaa0ac-8"
Accept-Ranges: bytes
[root@chunt vhost]# curl -A "Tomatoxfgdff" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 16:56:32 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@chunt vhost]#
[root@chunt vhost]# curl -A "tomatoxfgdff" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 16:56:41 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 15 Mar 2018 16:34:52 GMT
Connection: keep-alive
ETag: "5aaaa0ac-8"
Accept-Ranges: bytes
这里是严格匹配,所以下面这个tomatoxfgdff访问时是200,如果想忽略大小写,可以在匹配符号后加上一个*即可。例if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
Nginx解析php相关配置
- 在LAMP中,php是作为httpd的一个模块出现,只要php模块被加载,那么就能解析PHP脚本了。而在LNMP中,PHP是以一个服务的形式存在的。首先要启动php-fpm服务,然后Nginx再和php-fpm通信。也就是说处理php脚本解析的工作是由php-fpm来完成的,Nginx只是在将用户的请求传递给php-fpm,然后将处理完的结果返回给用户。
- 配置过程
1.在配置文件中增加以下内容
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}2.先不进行加载配置文件,创建一个3.php
<?php
phpinfo();
~ 这时候是不能解析的,会显示源代码
[root@chunt vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
[root@chunt vhost]#
3 .再进行加载配置文件后,那么这个3.phpj就能被正常解析了。 
4.如果在配置文件中` fastcgi_pass unix:/tmp/php-fcgi.sock;这里出现错误,那么显示502 .
例:这里路径不正确
fastcgi_pass unix:/tmp/php-fcg.sock;
[root@chunt vhost]# vi test.conf
[root@chunt vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@chunt vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@chunt vhost]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@chunt vhost]#
提示502是因为它找不到这个sock。
5.这里查看错误日志
[root@chunt vhost]# tail /usr/local/nginx/logs/nginx_error.log
2018/03/16 01:58:56 [notice] 7057#0: signal 15 (SIGTERM) received, exiting
2018/03/16 01:58:56 [notice] 7058#0: exiting
2018/03/16 01:58:56 [notice] 7058#0: exit
2018/03/16 01:58:56 [notice] 7059#0: exiting
2018/03/16 01:58:56 [notice] 7059#0: exit
2018/03/16 01:58:56 [notice] 7057#0: signal 17 (SIGCHLD) received
2018/03/16 01:58:56 [notice] 7057#0: worker process 7058 exited with code 0
2018/03/16 01:58:56 [notice] 7057#0: worker process 7059 exited with code 0
2018/03/16 01:58:56 [notice] 7057#0: exit
2018/03/16 01:59:04 [crit] 7117#0: *1 connect() to unix:/tmp/php-fcg.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcg.sock:", host: "test.com" //提示找不到文件或目录unix:/tmp/php-fcg.sock
[root@chunt vhost]#
出现502问题排查
(1先查看错误日志,确定地址是否存在。在查看/usr/lcoal/php-fpm/etc/php-fpm.conf中listen定义的是什么,检查它们是否是一样的。 
test.com.conf中定义的路径 
(2 在test.com.conf中fastcgi_pass用来指定php-fpm的地址,如果php-fpm监听是一个tcp:port的地址(比如:127.0.0.1:9000),那么fastcgi_pass也要为127.0.0.1:9000。不然也会出现502错误。
(3.在test.com.conf中
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
root /data/wwwroot/test.com;
fastcgi_param 的路径要与root路径一致
(4.在php5,4以及以后的版本都有一个特点。如果监听的是listen = /tmp/php-fcgi.sock,如果不去定义listen.mode 那么/tmp/php-fcig.sock的权限会变为660.再去访问还是会报错(权限被拒绝)。nignx去读取sock文件是以noboby的用户身份去执行的,将sock文件临时拥有可读权限,那么就可以正常访问了。或者在配置文件中去定义它的权限。
(5还有一种502的情况,就是php-fpm的资源耗尽了。也会出现502问题,这时就需要去优化。
Nginx代理
- Nginx的代理功能非常实用,这也是nginx比apache更流行的原因。。如果一公司有很多台服务器,为了节约成本,不能为所用服务器分配公网IP,而如果没有公网IP的服务器要提供web服务,就可以通过代理来实现
- 在新创建的proxy.conf中配置
server
{
listen 80;
server_name ask.apelearn.com; /域名
location /
{
proxy_pass http://121.201.9.155/; /服务器IP
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
- 检查并加载配置文件
-测试
curl -x127.0.0.1:80 ask.apelearn.com/robots.txt