4.46-4.47 Access control 4/5

Restricting by user-agent

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

Restricting by URI

    if ($request_uri ~ (abc|123))
    {
        return 404;
    }

Supplement:

curl usage:

    curl -v -A 'aaaaaspider/3.0' -e "1111" -x127.0.0.1:80 bbs.aminglinux.cc -I

-A  specify the user-agent
-e  specify the referer
-x  specify the ip and port of the server the request is sent to
-I  show only the header information, not the page body
-v  show the detailed communication with the server
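The rules above match case-sensitively and return a fixed status. The following is an added example (not from the course notes) that generalizes them: the user-agent and URI tests are moved into map blocks with case-insensitive (~*) matching, and a geo block supplies the allowed-client check, so that a restricted URI can be limited to trusted addresses without putting allow/deny inside if {}, which nginx does not permit. The document root and the 192.168.1.0/24 range are placeholders.

```nginx
# http {} context: classify each request once, then act on the flags in server {}.
# ~* matches case-insensitively, so "spider/3.0" is caught as well as "Spider/3.0".
map $http_user_agent $bad_ua {
    default           0;
    "~*spider/3\.0"   1;
    "~*youdaobot"     1;
    "~*tomato"        1;
}

# $request_uri includes the query string, so "mod=viewthread" in
# /forum.php?mod=viewthread&tid=1232 is matched here. A regex location
# only sees the path (/forum.php) and would miss it.
map $request_uri $restricted_uri {
    default          0;
    "~viewthread"    1;
    "~(abc|123)"     1;
}

# Clients allowed to reach restricted URIs (placeholder addresses).
geo $remote_addr $trusted_client {
    default          0;
    127.0.0.1        1;
    192.168.1.0/24   1;
}

server {
    listen 80;
    server_name bbs.champin.top;

    if ($bad_ua) {
        return 403;
    }

    # allow/deny are only valid in http, server, location and limit_except,
    # not inside if {}. Concatenating the two flags and comparing the string
    # gives the same effect: "10" means restricted URI AND untrusted client.
    if ($restricted_uri$trusted_client = "10") {
        return 403;
    }

    location / {
        root  /data/wwwroot/bbs.champin.top;   # placeholder document root
        index index.php index.html;
    }
}
```

Check with nginx -t before reloading; a request such as curl -A 'aaaaaaspider/3.0' -x127.0.0.1:80 bbs.champin.top -I then returns 403 instead of the 200 the case-sensitive rule lets through.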
4.48-4.49 Nginx reverse proxy

What is a reverse proxy?

    A (user) --> B (in the same server room as C, and has a public IP) --> C (machine without a public IP)

When is a reverse proxy used?

1) To reach an internal machine that has no public IP
2) To work around a communication obstacle between two machines

Scenario setup:

1) Two machines, A and B; A has only an internal network, B has both an internal and an external network
2) A's internal ip is 192.168.28.107
3) B's internal ip is 192.168.28.108; B's external IP is 192.168.149.129
4) C is the client; C can only reach B's external IP and cannot reach A's or B's internal IP

Goal:

C has to reach the website on A's internal network.

Configuration:

    location /
    {
        proxy_pass http://ip;                                         # replace "ip" with the backend web server's ip
        proxy_set_header Host $host;                                  # sets the Host header that curl can see: the domain name / server_name (the header used when proxying)
        proxy_set_header X-Real-IP $remote_addr;                      # these two lines make the real source ip appear in the log
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # both are reflected in the access log
    }

Copy the following block:

    location /
    {
        proxy_pass http://ip;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Supplement, added after the configuration was edited:
Restricting by user-agent (the user-agent is the browser's identifier)

    [root@test01 ~]# vi /etc/nginx/conf.d/bbs.champin.top.conf
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    [root@test01 ~]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@test01 ~]# nginx -s reload
    [root@test01 ~]# curl -A 'aaaaaaSpider/3.0' -x127.0.0.1:80 bbs.champin.top -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.2
    Date: Sun, 24 Feb 2019 17:58:44 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    [root@test01 ~]# curl -A 'aaaaaaspider/3.0' -x127.0.0.1:80 bbs.champin.top -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Sun, 24 Feb 2019 18:02:07 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Powered-By: PHP/7.3.1
    Set-Cookie: eCL1_2132_saltkey=QCqN3bq3; expires=Tue, 26-Mar-2019 18:02:07 GMT; Max-Age=2592000; path=/; HttpOnly
    Set-Cookie: eCL1_2132_lastvisit=1551027727; expires=Tue, 26-Mar-2019 18:02:07 GMT; Max-Age=2592000; path=/
    Set-Cookie: eCL1_2132_sid=Qb48Q4; expires=Mon, 25-Feb-2019 18:02:07 GMT; Max-Age=86400; path=/
    Set-Cookie: eCL1_2132_lastact=1551031327%09index.php%09; expires=Mon, 25-Feb-2019 18:02:07 GMT; Max-Age=86400; path=/
    Set-Cookie: eCL1_2132_sid=Qb48Q4; expires=Mon, 25-Feb-2019 18:02:07 GMT; Max-Age=86400; path=/

The lowercase 'aaaaaaspider/3.0' gets 200 because `~` matches case-sensitively; `~*` would match regardless of case.

    [root@test01 ~]# curl -v -A 'aaaaaaSpider/3.0' -x127.0.0.1:80 bbs.champin.top -I
    * About to connect() to proxy 127.0.0.1 port 80 (#0)
    *   Trying 127.0.0.1...
    * Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
    > HEAD HTTP://bbs.champin.top/ HTTP/1.1
    > User-Agent: aaaaaaSpider/3.0
    > Host: bbs.champin.top
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    < Server: nginx/1.14.2
    Server: nginx/1.14.2
    < Date: Sun, 24 Feb 2019 18:04:38 GMT
    Date: Sun, 24 Feb 2019 18:04:38 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 169
    Content-Length: 169
    < Connection: keep-alive
    Connection: keep-alive
    <
    * Connection #0 to host 127.0.0.1 left intact
    [root@test01 ~]# curl -v -A 'aaaaaaSpider/3.0' -e "1111" -x127.0.0.1:80 bbs.champin.top -I
    * About to connect() to proxy 127.0.0.1 port 80 (#0)
    *   Trying 127.0.0.1...
    * Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
    > HEAD HTTP://bbs.champin.top/ HTTP/1.1
    > User-Agent: aaaaaaSpider/3.0
    > Host: bbs.champin.top
    > Accept: */*
    > Referer: 1111
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    < Server: nginx/1.14.2
    Server: nginx/1.14.2
    < Date: Sun, 24 Feb 2019 18:06:42 GMT
    Date: Sun, 24 Feb 2019 18:06:42 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 169
    Content-Length: 169
    < Connection: keep-alive
    Connection: keep-alive
    <
    * Connection #0 to host 127.0.0.1 left intact

Restricting by URI

    if ($request_uri ~ (viewthread|abc|123))
    {
        return 404;
    }

Open the newly posted "test" thread in a browser: its URI contains viewthread, so even though the thread exists the page comes back as 404 not found.

Writing it like this does not work (allow and deny are only valid in the http, server, location and limit_except contexts, not inside if):

    if ($request_uri ~ (viewthread|abc|123))
    {
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
    }

A page such as http://bbs.champin.top/forum.php?mod=viewthread&tid=1232&extra=page%3D1 would then also turn into a 403 when opened in the browser.

Nginx reverse proxy

Simulated with virtual machines: add a host-only network adapter to machine 108, bring it up, and connect to 108.

On 108:

    [root@test02 ~]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.28.108  netmask 255.255.252.0  broadcast 192.168.31.255
            inet6 fe80::98ef:5fb6:2c54:d563  prefixlen 64  scopeid 0x20<link>
            inet6 fe80::8eb9:eeb2:ea98:c999  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:20:ad:bc  txqueuelen 1000  (Ethernet)
            RX packets 2492  bytes 3197805 (3.0 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 883  bytes 77855 (76.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.229.128  netmask 255.255.255.0  broadcast 192.168.229.255
            inet6 fe80::ee2d:59da:a6ba:e82  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:20:ad:c6  txqueuelen 1000  (Ethernet)
            RX packets 4  bytes 989 (989.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 10  bytes 1308 (1.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 68  bytes 5524 (5.3 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 68  bytes 5524 (5.3 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There is no configuration file for ens37 yet; to give it a static ip, copy the existing one:

    [root@test02 ~]# ls /etc/sysconfig/network-scripts/ifcfg-*
    ifcfg-ens33  ifcfg-lo
    [root@test02 ~]# cd /etc/sysconfig/network-scripts/
    [root@test02 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
    [root@test02 network-scripts]# vi ifcfg-ens37
    TYPE=Ethernet
    BOOTPROTO=static
    DEFROUTE=yes
    PEERDNS=yes
    PEERROUTES=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=ens33
    UUID=bfc98778-197a-423a-aec7-acdb02e60879
    DEVICE=ens37
    ONBOOT=yes
    IPADDR=192.168.229.129
    NETMASK=255.255.255.0

Restart the network service with systemctl restart network:

    [root@test02 network-scripts]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.28.108  netmask 255.255.252.0  broadcast 192.168.31.255
            inet6 fe80::98ef:5fb6:2c54:d563  prefixlen 64  scopeid 0x20<link>
            inet6 fe80::8eb9:eeb2:ea98:c999  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:20:ad:bc  txqueuelen 1000  (Ethernet)
            RX packets 3590  bytes 3292584 (3.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1547  bytes 161035 (157.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.229.129  netmask 255.255.255.0  broadcast 192.168.229.255
            inet6 fe80::20c:29ff:fe20:adc6  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:20:ad:c6  txqueuelen 1000  (Ethernet)
            RX packets 5  bytes 1331 (1.2 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 48  bytes 4364 (4.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 92  bytes 7564 (7.3 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 92  bytes 7564 (7.3 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On 107:

    [root@test01 ~]# scp /etc/yum.repos.d/nginx.repo 192.168.28.108:/etc/yum.repos.d/

On 108:

    yum install -y nginx
    [root@test02 ~]# cd /etc/nginx/conf.d/
    [root@test02 conf.d]# ls
    default.conf
    [root@test02 conf.d]# vi default.conf

Put deny all; into default.conf to switch the default site off, then create the proxy site:

    [root@test02 conf.d]# vi bbs.champin.top.conf
    server
    {
        listen 80;
        server_name bbs.champin.top;
        location /
        {
            proxy_pass http://192.168.28.107;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    [root@test02 conf.d]# systemctl start nginx
    [root@test02 conf.d]# ps aux |grep nginx
    root      4440  0.0  0.0  46352   984 ?        Ss   03:20   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
    nginx     4441  0.0  0.1  46864  1680 ?        S    03:20   0:00 nginx: worker process
    root      4444  0.0  0.0 112664   972 pts/0    S+   03:22   0:00 grep --color=auto nginx
    [root@test02 conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@test02 conf.d]# nginx -s reload

Because this is a virtual-machine simulation, the hostname also has to be bound in the hosts file:

    192.168.229.129 bbs.champin.top

Open port 80 on the firewall:

    [root@test02 conf.d]# firewall-cmd --add-port=80/tcp --permanent
    success
    [root@test02 conf.d]# firewall-cmd --reload
    success
    [root@test02 conf.d]# iptables -nvL |grep 80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
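The proxy on B sets X-Real-IP and X-Forwarded-For, but the notes do not show the matching configuration on the backend A that turns those headers into the client address in its log. The following is an added example (not from the course notes) for A (192.168.28.107), using ngx_http_realip_module so that the header is only trusted when the request arrives from B's internal ip; the log path and document root are placeholders.

```nginx
# http {} context on A, the backend web server behind proxy B.
# $remote_addr is rewritten by the realip module below; $realip_remote_addr
# keeps the address of the TCP peer (B), and $http_x_forwarded_for the full chain.
log_format proxied '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" xff="$http_x_forwarded_for" '
                   'via=$realip_remote_addr';

server {
    listen 80;
    server_name bbs.champin.top;

    # Replace $remote_addr with the value of X-Real-IP, but only for
    # connections coming from B (192.168.28.108). Any other peer that sends
    # an X-Real-IP header is logged with its own address, so the header
    # cannot be used to spoof the client ip in A's logs.
    set_real_ip_from  192.168.28.108;
    real_ip_header    X-Real-IP;
    real_ip_recursive off;

    access_log /var/log/nginx/bbs.champin.top.access.log proxied;   # placeholder path

    location / {
        root  /data/wwwroot/bbs.champin.top;   # placeholder document root
        index index.php index.html;
    }
}
```

After nginx -t and nginx -s reload on A, a request from C through B is logged with C's address first and via=192.168.28.108 at the end of the line.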