Nginx配置防盜鏈、Nginx訪問控制、Nginx解析php相關配置

Nginx配置防盜鏈

#vim /usr/local/nginx/conf/vhost/test.com.conf                       //寫入以下內容

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{    
     expires 7d;    
     valid_referers none blocked server_names  *.test.com ;        //定義referer白名單
     if ($invalid_referer) {        
          return 403;    
     }    
access_log off;
}

# /usr/local/nginx/sbin/nginx  -t                  //檢測語法

#/usr/local/nginx/sbin/nginx  -s reload           //從新加載

#echo "1223" > /data/wwwroot/test.com/1.gif                   //將1223寫入1.gif中

#curl -x127.0.0.1:80 -I test.com/1.gif                   //測試防盜鏈

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 09:11:57 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Thu, 04 Jan 2018 09:08:11 GMT
Connection: keep-alive
ETag: "5a4deefb-b"
Expires: Thu, 11 Jan 2018 09:11:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:32 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Wed, 03 Jan 2018 04:06:01 GMT
Connection: keep-alive
ETag: "5a4c56a9-b"
Expires: Wed, 10 Jan 2018 04:19:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

說明防盜鏈配置成功了

Nginx訪問控制

需求：訪問/admin/目錄的請求，只容許某幾個IP訪問，配置以下：

#vim /usr/local/nginx/conf/vhost/test.com.conf                        //寫入以下內容

location /admin/
{    
        allow 192.168.37.1;     
        allow 127.0.0.1;    
        deny all;
}

#mkdir /data/wwwroot/test.com/admin/                        //建立目錄

#echo 「test,test」>/data/wwwroot/test.com/admin/1.html             //寫入測試語句

#/usr/local/nginx/sbin/nginx  -t && -s reload                  //檢測配置文件和從新加載

#curl -x127.0.0.1:80 test.com/admin/1.html -I                  //測試

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:05:58 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Wed, 03 Jan 2018 05:05:20 GMT
Connection: keep-alive
ETag: "5a4c6490-6"
Accept-Ranges: bytes

#curl -x192.168.37.130:80 test.com/admin/1.html -I                 //測試可否訪問

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:06:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

將能上傳的目錄禁止解析php，防止發生別人根據目錄能解析php代碼上傳***文件
配置以下：

location ~ .*(upload|image)/.*\.php$
{        
deny all;
}

#/usr/local/nginx/sbin/nginx  -t && -s reload                  //檢測配置文件和從新加載

#mkdir /data/wwwroot/test.com/upload/                                //建立upload目錄

#echo "123" > /data/wwwroot/test.com/upload/1.php             //編輯1.php文件

#curl -x127.0.0.1:80 test.com/upload/1.php -I             //測試

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:27:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

# curl -x127.0.0.1:80 test.com/upload/1.txt -I

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:32:18 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 03 Jan 2018 05:32:11 GMT
Connection: keep-alive
ETag: "5a4c6adb-4"
Accept-Ranges: bytes

根據user_agent限制

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{      
         return 403;
}

#/usr/local/nginx/sbin/nginx  -t && -s reload                  //檢測配置文件和從新加載

#curl -A "Tomatoshshd" -x127.0.0.1:80 test.com/upload/1.txt -I            //加上user_agent來進行測試

HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:49:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

查案日誌就能夠看到信息

127.0.0.1 - [03/Jan/2018:13:49:14 +0800] test.com "/upload/1.txt" 403 "-" "Tomatoshsh"

Nginx解析php相關配置

nginx沒有作配置來解析php,當解析php的代碼時，會直接將代碼顯示出來

此時更改配置文件

#vim /usr/local/nginx/conf/vhost/test.com.conf                  //寫入配置文件

配置以下：
location ~ \.php$    
{        
      include fastcgi_params;        
      fastcgi_pass unix:/tmp/php-fcgi.sock;          //監聽地址寫錯會出現502
      fastcgi_index index.php;        
      fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;    
   }

而後再來訪問剛剛的php文件
#curl -x127.0.0.1:80 test.com/4.php                //此時能正常解析

#fastcgi_pass 用來指定php-fpm監聽的地址或者socket，在/usr/local/php-fpm/etc/php-fpm.conf中的配置文件的監聽地址和nginx的虛擬主機配置文件監聽地址必須是同樣的，不然會出現502問題

location ~ \.php$    
{        
      include fastcgi_params;        
     # fastcgi_pass unix:/tmp/php-fcgi.sock;          
       fastcgi_pass 127.0.0.1:9000;                               //此處要和php-fpm配置文件裏的監聽地址同樣
      fastcgi_index index.php;        
      fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;    
   }

/usr/local/php-fpm/etc/php-fpm.conf中的監聽權限，當php-fpm的配置文件中的監聽權限不定義時，會出現502的問題

#vim /usr/local/php-fpm/etc/php-fpm.conf          //編輯php-fpm服務的配置文件內容
[global]                                                    //定義全局參數
pid = /usr/local/php-fpm/var/run/php-fpm.pid                         //定義它的pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]                                                          //模塊名
listen = /tmp/php-fcgi.sock                       //監聽
#listen = 127.0.0.1:9000                            //監聽本機ip和端口
listen.mode = 666                              //監聽權限，監聽socket時不定義會出現502
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
   rlimit_files = 1024

當php的資源耗盡時也會出現訪問502的問題