Add the following to the configuration file:
```
[root@xavi ~]# cd /usr/local/nginx/conf/vhost/
[root@xavi vhost]# vim test.com.conf
```

```nginx
#    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#        expires 7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
```
```nginx
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
    return 403;
}
```
The configuration above matches requests ending in gif, jpg, png and the other listed extensions, and sets a referer whitelist of *.test.com; everything else ($invalid_referer) gets 403 Forbidden.
```
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
```
```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
```
```
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
```
Sometimes, while operating websites, we notice access that is not normal. Or, to improve security, we need to protect certain pages.
```
vim /usr/local/nginx/conf/vhost/test.com.conf
```
```nginx
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.72.130;    # the server IP of my own test VM (nginx comments use #, not //)
    deny all;
}
```
==The matching rule: once a directive matches, the ones after it are not evaluated. That is, 127.0.0.1 and 192.168.72.130 are allowed to access; everything else is denied!==
```
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
```
```
[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
```
```
[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
```
```nginx
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
```
```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
```
```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
```
If the site is under a CC attack, or you do not want spiders crawling your site, you can block them outright based on the user-agent:
```nginx
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
```
```
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
```
```
[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes
```
We find that when the user-agent is changed to lowercase, the rule no longer takes effect. So we need to make the match ignore case:
Edit the configuration in the VM's test.com.conf again:
```nginx
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
```

All that is needed is to add a * after the ~.
The complete process:
```
[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
```
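As an added example that is not part of the original page or of nginx, here is an offline Python model of the three rules above (the referer whitelist, the /admin/ allow/deny list, and the user-agent match with ~ versus ~*), assuming the vhost's server_name is test.com. It makes the two behaviours the curl tests show explicit: `none` accepts a request that carries no Referer at all, and a plain `~` match misses `tomato`.

```python
"""Offline model of the access rules in test.com.conf (added example, not nginx code).
Assumption: the vhost's server_name is test.com; the rules themselves are the page's own."""
import re
from urllib.parse import urlsplit

SERVER_NAMES = {"test.com"}                       # assumed server_name of the vhost
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
ADMIN_ACL = [("allow", "127.0.0.1"), ("allow", "192.168.72.130"), ("deny", "all")]
BAD_AGENTS = r"Spider/3.0|YoudaoBot|Tomato"
STATIC_RE = r"\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$"

def referer_is_valid(referer, rules=VALID_REFERERS, names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty, i.e. no 403."""
    if not referer:
        return "none" in rules                    # 'none': a request with no Referer header passes
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" in rules                 # 'blocked': Referer present but its scheme was stripped
    host = (urlsplit(referer).hostname or "").lower()
    for rule in rules:
        if rule == "server_names" and host in names:
            return True
        if rule.startswith("*.") and host.endswith(rule[1:]):
            return True                           # *.test.com matches any sub-domain of test.com
    return False

def admin_allowed(client_ip, acl=ADMIN_ACL):
    """allow/deny are checked in order; the first match decides and the rest are skipped."""
    for action, subject in acl:
        if subject == "all" or subject == client_ip:
            return action == "allow"
    return True                                   # nothing matched: nginx allows

def agent_blocked(user_agent, case_insensitive):
    """'~' is a case-sensitive regex match; '~*' ignores case (Tomato vs tomato)."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(BAD_AGENTS, user_agent or "", flags) is not None

def status_for(path, client_ip, referer=None, user_agent="curl/7.29.0"):
    """Status the final test.com.conf (with ~*) returns for one request."""
    if agent_blocked(user_agent, case_insensitive=True):
        return 403
    if path.startswith("/admin/") and not admin_allowed(client_ip):
        return 403
    if re.search(STATIC_RE, path, re.IGNORECASE) and not referer_is_valid(referer):
        return 403
    return 200
```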
```nginx
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
}
```
fastcgi_pass specifies the address or socket that php-fpm listens on.
The complete configuration:
```
vim /usr/local/nginx/conf/vhost/test.com.conf
```

```nginx
#        expires 7d;
#        access_log off;
#    }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.72.130;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }
```
```
[root@xavi vhost]# vim /data/nginx/test.com/3.php
```

```php
<?php
phpinfo();
```
PHP is not parsed and the source is displayed (the edited conf file had not yet been checked with -t and applied with -s reload).
```
[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
```
Note in particular that the configuration file must use /data/nginx/test.com, not www.test.com.
After applying the configuration with -t and -s reload, phpinfo() is parsed normally.
```nginx
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}
```
```ini
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
```
Test: I found the log file path and looked at error.log, which does have content, but I forgot whether I had set a dedicated log file for nginx.
```
[root@xavi ~]# cd /usr/local/nginx/logs/
[root@xavi logs]# ls
access.log  error.log  nginx_error.log  nginx.pid
```
```
[root@xavi logs]# cat error.log
2018/03/14 00:05:58 [emerg] 124460#0: unknown directive "er" in /usr/local/nginx/conf/nginx.conf:1
2018/03/14 21:06:14 [notice] 5737#0: signal process started
2018/03/14 21:41:27 [notice] 6234#0: signal process started
2018/03/14 21:59:27 [notice] 6446#0: signal process started
2018/03/14 22:16:03 [notice] 6668#0: signal process started
2018/03/14 22:38:58 [emerg] 6947#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:40:17 [emerg] 6962#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:44:22 [emerg] 7015#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/test.com.conf:4
2018/03/14 22:55:13 [emerg] 7151#0: unknown directive "//有這個default_server標記的就是默認虛擬主機" in /usr/local/nginx/conf/vhost/aaa.com.conf:4
2018/03/14 22:56:55 [emerg] 7173#0: "location" directive is not allowed here in /usr/local/nginx/conf/vhost/atorreid.com.conf:12
2018/03/14 22:58:57 [emerg] 7197#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/bcd.com.conf:3
2018/03/14 23:01:46 [warn] 7251#0: conflicting server name "test.com" on 0.0.0.0:80, i
```
Suppose a user needs to reach a web server but has no connectivity to it, because the web server sits on an internal network. We need a proxy server to help the user reach the web server: it must be reachable from the user and must itself be able to reach the web server, bridging the two. That is what a proxy server is. In the same way, once you have downloaded an installation package, colleagues on the internal network can share your download, saving resources.
Nginx proxying is a form of reverse proxy. A reverse proxy accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results obtained from those servers to the requesting client on the Internet; to the outside, the proxy server appears to be the server itself.
Suppose a company has many servers. To save cost, not every server can be assigned a public IP, yet a server without a public IP may still need to provide a web service; this can be achieved through a proxy. That is one reason Nginx has become more and more popular compared with httpd.
```mermaid
graph LR
    User --> ProxyServer
    ProxyServer --> User
    ProxyServer --> WebServer
    WebServer --> ProxyServer
```
```
cd /usr/local/nginx/conf/vhost
vim proxy.conf
```
```nginx
server
{
    listen 80;
    server_name ask.apelearn.com;           # the domain name (usually the same as the domain of the proxied IP)
    location /
    {
        proxy_pass http://47.91.145.78/;    # the proxied (backend) web server IP; found by pinging the site from a Windows cmd
        proxy_set_header Host $host;        # $host is the proxy server's server_name (also the domain of the proxied IP)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Because this is a proxy server, it does not need to access any files on the local server; ask.apelearn.com defines a domain name;
proxy_pass http://47.91.145.78/; is the IP address of the real web server.
$host is our server_name.
```
[root@xavi vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 18 Mar 2018 08:51:31 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=kgp331gk94i16pcv9jti0qgd65; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
```
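The three proxy_set_header lines in proxy.conf decide what the backend learns about the client. As an added example (not from the page or from nginx), this Python model shows what $proxy_add_x_forwarded_for produces, which is the value the backend receives, and how a backend should read the chain: only the rightmost entry was written by our proxy, anything to its left came from the client. The trusted proxy ranges and sample addresses are constructed.

```python
"""Model of the headers proxy.conf forwards and of safe client-IP recovery on the
backend (added example, not nginx code). Trusted ranges and sample IPs are constructed."""
import ipaddress

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for: append $remote_addr to any
    X-Forwarded-For the client already sent, else start the chain with it."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr

def headers_sent_to_backend(client_headers, remote_addr, host="ask.apelearn.com"):
    """Headers that the 'location /' block forwards to the proxied web server."""
    out = dict(client_headers)
    out["Host"] = host                               # proxy_set_header Host $host
    out["X-Real-IP"] = remote_addr                   # proxy_set_header X-Real-IP $remote_addr
    out["X-Forwarded-For"] = proxy_add_x_forwarded_for(
        client_headers.get("X-Forwarded-For"), remote_addr)
    return out

def client_ip_from_xff(xff, trusted_proxies):
    """Walk the chain from the right, skipping hops our own proxies added; the first
    address not owned by a trusted proxy is the client. Returns None for a malformed
    chain. The backend must also confirm the TCP peer is one of trusted_proxies,
    otherwise the whole header is client-supplied."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                              # do not trust a chain with garbage in it
        if not any(addr in n for n in nets):
            return str(addr)
    return None                                      # every hop was one of our proxies
```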
Test the site's robots.txt:
```
[root@xavi vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
```