[2018.06.11 Study Notes] [Linux Advanced Knowledge 12.13-12.16]

12.13 Nginx hotlink protection

Hotlink protection can be configured in the same block that disables access logging and sets the expiry time:

[root@nginx ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test1.com test2.com;
   index index.html index.php;
   root /data/wwwroot/test.com;
  # location /
  # {
  #   auth_basic "Auth";
  #   auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  # }

   location ~* ^(.+)\.(gif|jpg|jpeg|png|bmp|swf)$   # match image and flash URLs
   {
     expires 7d;
     access_log off;
     valid_referers none blocked server_names *.test.com;  # referer whitelist
     if ($invalid_referer)   # the referer is not on the whitelist
     {
         return 403;   # deny with 403
     }
   }
}
[root@nginx ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# /usr/local/nginx/sbin/nginx -s reload

Verify the hotlink protection:

[root@nginx ~]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.txt
echo "this is test page!"
[root@nginx ~]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
[root@nginx ~]# curl -e "http://test.com" -x127.0.0.1:80 test.com/1.gif
"this is a gif file"
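The test above shows one denied and one accepted Referer. The following model of the valid_referers check is an added example (not part of the original notes); it follows the behaviour of ngx_http_referer_module for the server_name and valid_referers values in the config above, and lets you try any Referer offline.

```python
"""Model of the valid_referers check in the image location above (an added
example, not part of the original notes). It follows ngx_http_referer_module:
the Referer host is compared case-insensitively, port and path are ignored,
and $invalid_referer becomes "1" when no rule matches."""
import re
from typing import Optional

SERVER_NAMES = ["test.com", "test1.com", "test2.com"]          # server_name
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
IMAGE_LOCATION = re.compile(r"^(.+)\.(gif|jpg|jpeg|png|bmp|swf)$", re.IGNORECASE)


def referer_host(referer: str) -> Optional[str]:
    """Lowercased host of an http(s):// Referer, or None when the scheme is
    missing (nginx then treats the value as 'blocked', i.e. mangled by a proxy)."""
    m = re.match(r"(?i)https?://([^/:]*)", referer)
    return m.group(1).lower() if m else None


def host_matches(host: str, pattern: str) -> bool:
    if pattern.startswith("*."):               # *.test.com: subdomains only
        return host.endswith(pattern[1:])
    return host == pattern.lower()             # exact name (or a server_names entry)


def invalid_referer(referer: Optional[str]) -> str:
    """Value nginx would give $invalid_referer: '' when valid, '1' otherwise."""
    if referer is None:                        # no Referer header at all
        return "" if "none" in VALID_REFERERS else "1"
    host = referer_host(referer)
    if host is None:
        return "" if "blocked" in VALID_REFERERS else "1"
    for rule in VALID_REFERERS:
        if rule in ("none", "blocked"):
            continue
        names = SERVER_NAMES if rule == "server_names" else [rule]
        if any(host_matches(host, n) for n in names):
            return ""
    return "1"


def status(uri: str, referer: Optional[str]) -> int:
    """Status for a request: the check only runs inside the image location,
    which is why 1.txt is served regardless of Referer."""
    if IMAGE_LOCATION.match(uri) and invalid_referer(referer):
        return 403
    return 200
```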

12.14 Nginx access control

Restrict access to a site directory by source IP:

[root@nginx ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test1.com test2.com;
   index index.html index.php;
   root /data/wwwroot/test.com;
  # location /
  # {
  #   auth_basic "Auth";
  #   auth_basic_user_file /usr/local/nginx/conf/htpasswd;
  # }

    location /admin/
    {
        allow 127.0.0.1;  # allow the local host
        allow 192.168.87.150;  # unlike Apache, nginx has no "order" concept: the first rule matching an IP is applied and later rules are not evaluated for that IP
        deny all;  # deny every other IP
    }
}

Verify access to the admin directory:

[root@nginx ~]# curl -x127.0.0.1:80 test.com/admin/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 09:07:54 GMT
Content-Type: text/plain
Content-Length: 0
Last-Modified: Mon, 11 Jun 2018 09:07:06 GMT
Connection: keep-alive
ETag: "5b1e3bba-0"
Accept-Ranges: bytes
[root@nginx ~]# curl -x192.168.87.128:80 test.com/admin/1.txt -I  # 192.168.87.128 is not allowed, hence 403
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 09:15:21 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Access can also be controlled per file or per URL, using a regular-expression match:

server
{
   server_name test.com test1.com test2.com;
   index index.html index.php;
   root /data/wwwroot/test.com;
    location ~ .*(abc|image)/.*\.php$  # deny php files under the abc or image directories
    {
        deny all;
    }
}

Verify the URL access control:

[root@nginx ~]# curl -x127.0.0.1:80 test.com/abc/2.php -I  # a php file under abc: 403
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 09:28:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@nginx ~]# curl -x127.0.0.1:80 test.com/abc/1.txt -I  # a txt file under abc: 200
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 09:28:37 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Mon, 11 Jun 2018 09:28:13 GMT
Connection: keep-alive
ETag: "5b1e40ad-12"
Accept-Ranges: bytes

Access control by user_agent:

[root@nginx ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 

server
{
   listen 80;
   server_name test.com test1.com test2.com;
   index index.html index.php;
   root /data/wwwroot/test.com;
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.87.128;
        deny all;
    }
    location ~ .*(abc|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'spider/3.0|YoudaoBot|Tomato')  # user_agent blacklist: matching agents are denied
    {
        return 403;
    }
}

[root@nginx ~]# curl -A "tomato" -x127.0.0.1:80 test.com/1.txt -I  # tomato: 403
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 09:34:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@nginx ~]# curl -A "IE" -x127.0.0.1:80 test.com/1.txt -I  # IE: 200
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 09:35:14 GMT
Content-Type: text/plain
Content-Length: 26
Last-Modified: Sun, 10 Jun 2018 06:15:24 GMT
Connection: keep-alive
ETag: "5b1cc1fc-1a"
Accept-Ranges: bytes
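The three controls in this section (IP allow/deny, regex location, user_agent blacklist) are evaluated in a fixed order by nginx. The model below is an added example (not from the original notes) of the final server block above, the one with the 192.168.87.128 allow entry; it reproduces the curl results and also shows why rule order matters when there is no Apache-style Order directive.

```python
"""Model of the access rules in the final server block above (an added
example, not part of the original notes), with the 192.168.87.128 allow entry.
Evaluation order in nginx: the server-level user-agent 'if' runs first, then
the location chosen for the URI; inside a location the first allow/deny rule
matching the client IP wins, which is the 'no order directive' point above."""
import ipaddress
import re

UA_BLACKLIST = re.compile(r"spider/3.0|YoudaoBot|Tomato", re.IGNORECASE)   # ~* is case-insensitive
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "192.168.87.128"), ("deny", "all")]
PHP_UNDER_ABC_IMAGE = re.compile(r".*(abc|image)/.*\.php$")   # location ~ ...


def first_match(rules, client_ip: str) -> str:
    """'allow' or 'deny' from the first rule matching client_ip.
    A rule target is a single IP, a CIDR network or 'all'; later rules for the
    same address are never reached, unlike Apache's Order directive."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"                             # nothing matched: access is allowed


def status(client_ip: str, uri: str, user_agent: str) -> int:
    """HTTP status nginx would return for a constructed request."""
    if UA_BLACKLIST.search(user_agent):        # if ($http_user_agent ~* ...) { return 403; }
        return 403
    if PHP_UNDER_ABC_IMAGE.match(uri):         # a matching regex location beats the prefix one
        return 403                             # deny all
    if uri.startswith("/admin/"):              # location /admin/
        return 403 if first_match(ADMIN_RULES, client_ip) == "deny" else 200
    return 200
```

Reversing ADMIN_RULES so that `deny all` comes first denies even 127.0.0.1, which is the behaviour the note on ordering warns about.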

12.15 Nginx configuration for parsing PHP

A configuration block has to be added before PHP can be parsed:

[root@nginx ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
server
{
   listen 80;
   server_name test.com test1.com test2.com;
   index index.html index.php;
   root /data/wwwroot/test.com;

    location ~ \.php$
    {
        include fastcgi_params;
        # php-fpm listening socket; if php-fpm.conf listens on 127.0.0.1:9000 instead,
        # change this to fastcgi_pass 127.0.0.1:9000
        # a wrong socket path produces a 502
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;  # index page
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}
# php-fpm configuration file
[root@nginx test.com]# vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
; the listener above is a Unix socket, so the mode must be set to 666 here, otherwise nginx returns 502:
; the nginx worker runs as user nobody and errors out if it has no permission to read the socket
listen.mode = 666
user = php-fpm
group = php-fpm
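The two 502 causes named above (a socket path php-fpm does not create, and a socket the nobody worker cannot open) can be caught before reloading. The checker below is an added example, not part of the original notes; the nginx and php-fpm config texts it reads are constructed inline, and it also flags the exposure that comes with fixing the permission problem through a world-writable mode.

```python
"""Consistency check for the nginx location and php-fpm pool above (an added
example, not from the original notes; both config texts are constructed inline).
It reports the two 502 causes the notes mention, a socket path php-fpm does not
create and a socket the nginx worker (user nobody) cannot open, plus the
exposure of fixing the latter with a world-writable mode."""
import re

NGINX_CONF = """
location ~ \\.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
}
"""
FPM_CONF = """
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
"""


def fastcgi_pass(nginx_conf: str) -> str:
    """Target of the fastcgi_pass directive ('unix:/path' or 'host:port')."""
    m = re.search(r"fastcgi_pass\s+(\S+?);", nginx_conf)
    return m.group(1) if m else ""


def fpm_listen(fpm_conf: str) -> dict:
    """The pool's listen* settings, e.g. {'listen': ..., 'listen.mode': ...}."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^(listen(?:\.\w+)?)\s*=\s*(.+?)\s*$", fpm_conf, re.M)}


def check(nginx_conf: str, fpm_conf: str) -> list:
    """Problems that would show up as a 502, or as needless exposure."""
    problems, target, fpm = [], fastcgi_pass(nginx_conf), fpm_listen(fpm_conf)
    listen = fpm.get("listen")
    if not target.startswith("unix:"):                  # TCP: only the address must agree
        return [] if listen == target else [f"address mismatch: nginx {target}, php-fpm {listen}"]
    if listen != target[5:]:
        problems.append(f"socket mismatch: nginx {target[5:]}, php-fpm {listen}")
    mode = fpm.get("listen.mode")
    if mode is None and "listen.owner" not in fpm:      # php-fpm default is 0660, pool user only
        problems.append("nginx's nobody user cannot open the socket: set listen.owner or listen.mode")
    elif mode and int(mode, 8) & 0o002:                 # 666 works, but any local user may connect
        problems.append(f"listen.mode {mode} is world-writable; prefer listen.owner = nobody, mode 660")
    return problems
```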

Verify a PHP page:

[root@nginx test.com]# vim 1.php
<?php
phpinfo();  // prints PHP configuration information

[root@nginx test.com]# curl -x127.0.0.1:80 test.com/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 11 Jun 2018 10:14:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
[root@nginx test.com]# curl -x127.0.0.1:80 test.com/1.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>

To verify from a browser, open port 80 on the server and make sure a telnet to port 80 succeeds:

[root@nginx test.com]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@nginx test.com]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  肯定  ]
[root@nginx test.com]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   172 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

12.16 Nginx proxy

When the website a user wants to reach sits on a private network that external users cannot access, it can be reached indirectly through a proxy server that does have access to that private network.

A proxy server can also speed up access to a site; for example, a user in mainland China reaching a US website through a proxy server in Hong Kong.

Install Nginx on the proxy server and configure it: create a new proxy.conf under vhost

[root@nginx vhost]# vim proxy.conf

server
{
   listen 80;  # listen on port 80
   server_name ask.apelearn.com;  # domain being proxied

   location /
   {
     proxy_pass http://223.94.95.10;   # IP of the proxied web server
     proxy_set_header Host $host;   # host name
     proxy_set_header X-Real-IP $remote_addr;   # client IP
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # client IP appended to any X-Forwarded-For already present
   }
}
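The three proxy_set_header lines decide what the upstream learns about the client. The model below is an added example (not from the original notes; the addresses are constructed) of the headers this location builds and of how an upstream should read them, since the left part of X-Forwarded-For is whatever the client sent.

```python
"""What the proxy_set_header lines above put on the request nginx sends to
the upstream, and how the upstream should read them (an added example, not
part of the original notes; addresses are constructed). $host carries the
site name so the upstream picks the right virtual host, $remote_addr is the
TCP peer nginx saw, and $proxy_add_x_forwarded_for appends that peer to any
X-Forwarded-For the client already sent, so the left part is client-supplied."""
from typing import Dict

PROXY_IP = "192.168.87.128"        # constructed: address the upstream sees as its TCP peer


def proxied_headers(client_headers: Dict[str, str], remote_addr: str,
                    server_name: str = "ask.apelearn.com") -> Dict[str, str]:
    """Headers for the upstream request, built as the location / block above does."""
    out = dict(client_headers)
    host = client_headers.get("Host", server_name)         # $host: request Host header,
    out["Host"] = host.split(":")[0].lower()               # lowercased, port removed
    out["X-Real-IP"] = remote_addr                         # $remote_addr
    prior = client_headers.get("X-Forwarded-For")          # $proxy_add_x_forwarded_for
    out["X-Forwarded-For"] = f"{prior}, {remote_addr}" if prior else remote_addr
    return out


def client_ip(peer: str, upstream_headers: Dict[str, str],
              trusted_proxies=(PROXY_IP,)) -> str:
    """Upstream view of the real client. Only a connection from one of our own
    proxies may carry a believable X-Forwarded-For; then walk it from the right,
    skipping our proxies, and take the first other address. Reading the left-most
    entry instead would trust whatever the client wrote into the header."""
    if peer not in trusted_proxies:                        # direct hit: headers are untrusted
        return peer
    hops = [h.strip() for h in upstream_headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop and hop not in trusted_proxies:
            return hop
    return peer
```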

Test the proxy against the apelearn.com site

[root@nginx vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt   # through the local proxy, the contents of apelearn's robots.txt are returned
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@nginx vhost]#