Nginx防盜鏈的配置能夠和日誌記錄的相關配置結合起來,由於都用到了location進行匹配php
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ { expires 7d; valid_referers none blocked server_names *.test.com ; //定義白名單 if ($invalid_referer) { //若是不是白名單的域名 return 403; //返回403 } access_log off; }
[root@linux-10 ~]# curl -e "http://www.baidu.com" -x 127.0.0.1:80 test.com/123.png -I HTTP/1.1 403 Forbidden Server: nginx/1.14.0 Date: Mon, 11 Jun 2018 13:16:31 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@linux-10 ~]# curl -e "http://test.com" -x 127.0.0.1:80 test.com/123.png -I HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Mon, 11 Jun 2018 13:16:42 GMT Content-Type: image/png Content-Length: 19 Last-Modified: Sat, 09 Jun 2018 03:40:35 GMT Connection: keep-alive ETag: "5b1b4c33-13" Expires: Mon, 18 Jun 2018 13:16:42 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes
需求:訪問/admin/目錄的請求,只容許某幾個IP訪問html
修改虛擬主機配置文件linux
location /admin/ { allow 192.168.88.10; allow 127.0.0.1; deny all; }
Nginx的匹配機制與防火牆相似,從上到下依次匹配,匹配到相應規則即停止繼續向下匹配。nginx
結果測試web
[root@linux-10 ~]# curl -x127.0.0.1:80 test.com/admin/1.txt -I HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Mon, 11 Jun 2018 17:24:11 GMT Content-Type: text/plain Content-Length: 5 Last-Modified: Mon, 11 Jun 2018 16:35:39 GMT Connection: keep-alive ETag: "5b1ea4db-5" Accept-Ranges: bytes [root@linux-10 ~]# curl -x192.168.47.128:80 test.com/admin/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.14.0 Date: Mon, 11 Jun 2018 17:24:15 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive
注:直接訪問/admin/目錄自己會產生403,由於虛擬主機配置文件中定義了index 因此,若是隻寫目錄,它會去找index.php index.html index.htm 若是沒有這些名字的文件,就會返回403,這個和deny配置沒有關係。服務器
location能夠匹配正則,進而能夠限制訪問的文件類型dom
location ~ .*(upload|image)/.*\.php$ { deny all; }
根據user_agent限制curl
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
注:deny all和return 403的效果相同ide
location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/tmp/php-fcgi.sock; //要與其餘服務中的配置文件的配置保持一致 fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name; }
[root@linux-10 ~]# curl -x127.0.0.1:80 test.com/test.php fsdfsdfsdfsd
問題緣由:post
一、查看Nginx的錯誤日誌,看一下配置文件裏面是否正確對應(尤爲是各文件中監聽的是端口仍是sock)
二、PHP-fpm服務進程資源耗盡
用戶不能直接訪問WEB服務器,而代理服務器既能夠與用戶互通,也能夠和WEB服務器互通,所以用戶經過訪問代理服務器的方式來訪問WEB服務器。
server { listen 80; server_name ask.apelearn.com; location / { proxy_pass http://223.94.95.10/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
注:代理服務器自己起代理做用,所以server_name要填寫被代理的WEB服務器的域名,代理服務器自己不存在域名。
[root@linux-10 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robot.txt <html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>nginx/1.14.0</center> </body> </html> [root@linux-10 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robot.txt -I HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Tue, 12 Jun 2018 02:12:51 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.3.3 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ape__Session=g4j6kgen2rjm59fhdni6ohv0d4; path=/; domain=.apelearn.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache myheader: web1
從測試結果能夠看出,配置完成Nginx代理後,可經過訪問本機迴環地址127.0.0.1:80,直接訪問到猿課論壇,本次實驗中,用戶是代理服務器自己,用戶訪問代理服務器,最終訪問到WEB服務器(猿課論壇)。