12.14 Nginx訪問控制
Nginx訪問控制目錄概要
- 需求:訪問/admin/目錄的請求,只容許某幾個IP訪問,配置以下:
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
- mkdir /data/wwwroot/test.com/admin/
- echo 「test,test」>/data/wwwroot/test.com/admin/1.html
- -t && -s reload
- curl -x127.0.0.1:80 test.com/admin/1.html -I
- curl -x192.168.133.130:80 test.com/admin/1.html -I
- 能夠匹配正則
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
- 根據user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all和return 403效果同樣
Nginx訪問控制
- Nginx訪問控制,在平時運維網站的時候,常常會有一些請求不正常,或者故意的作一些限制,一些重要的內容禁止別人訪問,就能夠作一個白名單,只容許本身的公網IP或者本身公司內的公網IP去訪問
- 編輯配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
- 增長訪問控制的代碼
location /admin/
{
allow 192.168.74.129; //白名單
allow 127.0.0.1; //白名單
deny all; //所有deny
}
最後結果以下php
[root@hanfeng ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
假設訪問的目錄是admin,作一個限制
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
#}
location ~* ^.+.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
access_log /tmp/test.com.log combined_realip;
}
而後保存退出
- 而後檢查配置文件語法錯誤,而後從新加載配置文件
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hanfeng ~]# /usr/local/nginx/sbin/nginx -s reload [root@hanfeng ~]#
- 測試
[root@hf-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 21:04:13 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT Connection: keep-alive ETag: "5a4d4e75-13" Accept-Ranges: bytes [root@hf-01 ~]# curl -x192.168.74.150:80 -I test.com/admin/ HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 21:06:56 GMT Content-Type: text/html Content-Length: 19 Last-Modified: Wed, 03 Jan 2018 21:43:17 GMT Connection: keep-alive ETag: "5a4d4e75-13" Accept-Ranges: bytes [root@hf-01 ~]#
- 查看日誌文件,會看到訪問的192.168.74.150的來源IP也是192.168.74.129,由於它是被容許的,在白名單以內,因此顯示狀態碼爲200
[root@hf-01 ~]# cat /tmp/test.com.log 127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0" 192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" [root@hf-01 ~]#
- 查看IP,而後給ens36網卡配置IP
- 先查看ens36網卡是否鏈接,而後更改鏈接ens36網卡模式爲僅主機鏈接模式
[root@hf-01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.74.129 netmask 255.255.255.0 broadcast 192.168.74.255
inet6 fe80::20c:29ff:feff:fe93 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ff:fe:93 txqueuelen 1000 (Ethernet)
RX packets 453 bytes 42359 (41.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 308 bytes 39999 (39.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.74.150 netmask 255.255.255.0 broadcast 192.168.74.255
ether 00:0c:29:ff:fe:93 txqueuelen 1000 (Ethernet)
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:feff:fe9d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ff:fe:9d txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 2334 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@hf-01 ~]#
- 給ens36網卡自動獲取IP,而後再來查看ens36的網卡IP地址爲192.168.204.128
[root@hf-01 ~]# dhclient ens36 [root@hf-01 ~]#
- 這時再來使用ens36網卡的IP來訪問,會看到訪問的admin目錄爲403
[root@hf-01 ~]# curl -x192.168.204.128:80 -I test.com/admin/ HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 21:17:39 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]#
- 這時再來查看日誌文件,會看到來源的IP爲192.168.204.128,在配置文件中被沒有被容許,因此爲403
[root@hf-01 ~]# !cat cat /tmp/test.com.log 127.0.0.1 - [05/Jan/2018:05:51:37 +0800] test.com "/index.html" 200 "-" "curl/7.29.0" 127.0.0.1 - [08/Jan/2018:05:04:13 +0800] test.com "/admin/" 200 "http://www.test.com/1.txt" "curl/7.29.0" 192.168.74.129 - [08/Jan/2018:05:06:56 +0800] test.com "/admin/" 200 "-" "curl/7.29.0" 192.168.204.128 - [08/Jan/2018:05:17:39 +0800] test.com "/admin/" 403 "-" "curl/7.29.0" [root@hf-01 ~]#
針對正則匹配
- 例子
- 網站被黑,數據庫被盜竊,就是由於上傳圖片的目錄沒有作禁止解析php的操做,最終致使上傳了一句話木馬,php也能解析,因此網站就會被黑
- 只要能上傳的目錄,都要禁掉,禁止解析PHP
- 加如下代碼,便可禁掉上傳的目錄解析PHP
location ~ .*(upload|image)/.*\.php$ //只要匹配upload,而後以php結尾的
{
deny all; //都禁掉
}
- 打開配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{ # expires 7d; # access_log off; #} location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
access_log /tmp/test.com.log combined_realip;
}
保存退出
- 檢查配置文件語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 測試,首先是訪問的那個目錄,而後訪問的php資源
- 建立一個upload目錄,而後在建立一個php文件
[root@hf-01 ~]# mkdir /data/wwwroot/test.com/upload [root@hf-01 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php [root@hf-01 ~]#
- 訪問upload目錄下的1.php文件,會看到是403狀態碼,被拒絕訪問
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.12.1</center> </body> </html> [root@hf-01 ~]#
- 這時再upload目錄下建立1.txt,再來測試訪問
[root@hf-01 ~]# echo "dasdasdas" >/data/wwwroot/test.com/upload/1.txt [root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt dasdasdas [root@hf-01 ~]#
- 查看訪問日誌cat /tmp/test.com.log
[root@hf-01 ~]# cat /tmp/test.com.log
根據user_agent限制
- 若是你的網站被cc攻擊,或者禁掉某些蜘蛛,若是你的網站想作一個被隱藏的網站,不想被別人搜索到,那麼就能夠將百度、谷歌、有道等這些蜘蛛封掉,沒有任何蜘蛛爬到你的網站,也不將網址告訴任何人,那別人就沒法知道你的站點,由於你的網站是被隱藏的。
- 只須要根據user_agent限制,添加如下代碼
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- deny all和return 403效果同樣
- 打開配置文件vim /usr/local/nginx/conf/vhost/test.com.conf
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test1.com test2.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#{ # expires 7d; # access_log off; #} location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 192.168.74.129;
allow 127.0.0.1;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/test.com.log combined_realip;
}
保存退出
- 檢查配置文件語法錯誤,並從新加載配置文件
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]# /usr/local/nginx/sbin/nginx -s reload [root@hf-01 ~]#
- 模擬user_agent,訪問測試,會看到顯示403
[root@hf-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:04:06 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT Connection: keep-alive ETag: "5a529512-a" Accept-Ranges: bytes [root@hf-01 ~]# curl -A "Tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:05:21 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]#
- deny all和return 403效果同樣
- 若是訪問的時候,改爲小寫再訪問,則狀態碼爲200,由於這個是嚴格匹配的
[root@hf-01 ~]# curl -A "tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 200 OK Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:09:10 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Sun, 07 Jan 2018 21:45:54 GMT Connection: keep-alive ETag: "5a529512-a" Accept-Ranges: bytes [root@hf-01 ~]#
- 若是想忽略大小寫,在配置文件中的匹配符號後加 * 號便可
[root@hf-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
- 在檢查配置文件,並從新加載
[root@hf-01 ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@hf-01 ~]#
- 再來測試,會顯示403
[root@hf-01 ~]# curl -A "tomatoslfdfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I HTTP/1.1 403 Forbidden Server: nginx/1.12.1 Date: Sun, 07 Jan 2018 22:11:06 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive [root@hf-01 ~]#
相關文章
- 1. 12.13 Nginx防盜鏈12.14 Nginx訪問控制12.15 Nginx解析php相關配置
- 2. nginx訪問控制
- 3. Nginx--訪問控制
- 4. Nginx-訪問控制
- 5. Nginx訪問控制
- 6. nginx---訪問控制
- 7. 12.13 Nginx防盜鏈 12.14 Nginx訪問控制 12.15 Nginx解析php相關配置 12.16 Nginx代理
- 8. nginx 訪問頻率控制
- 9. nginx location 訪問控制
- 10. nginx的訪問控制
- 更多相關文章...
- • Swift 訪問控制 - Swift 教程
- • Lua 數據庫訪問 - Lua 教程
- • 漫談MySQL的鎖機制
- • Docker容器實戰(六) - 容器的隔離與限制
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
