12.13 Nginx防盗链
vim /usr/local/nginx/conf/vhost/test.com.conf
加入
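# Hotlink protection for static assets.
# The dot before the extension list is escaped so it matches a literal "."
# rather than any character.
location ~ ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    # none    = the request carries no Referer header (direct visit, curl without -e)
    # blocked = a Referer is present but its value was stripped by a proxy or firewall
    # The Referer header is chosen by the client, so this rule only discourages
    # hotlinking from ordinary browsers; it is not an access control and must not
    # be the only protection for files that need to stay private.
    valid_referers none blocked server_names .test.com ;
    if ($invalid_referer) {
        return 403;
    }
    # Logging is off for this location, so the 403 responses produced above
    # leave no trace in the access log.
    access_log off;
}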
并保存退出。
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected]n001 vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# curl -x127.0.0.1:80 -I -e "http://aaa.com/1.txt" test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Fri, 16 Mar 2018 06:24:30 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[[email protected] vhost]# curl -I -e "http://test.com/1.txt" test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 16 Mar 2018 06:28:50 GMT
Content-Type: image/gif
Content-Length: 16
Last-Modified: Wed, 14 Mar 2018 16:17:46 GMT
Connection: keep-alive
ETag: "5aa94b2a-10"
Expires: Fri, 23 Mar 2018 06:28:50 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[[email protected] vhost]# curl -I -e "http://test.com/1.txt" lgx168.com/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 16 Mar 2018 06:33:03 GMT
Content-Type: text/html
Content-Length: 26
Last-Modified: Tue, 13 Mar 2018 15:52:31 GMT
Connection: keep-alive
ETag: "5aa7f3bf-1a"
Accept-Ranges: bytes
12.14 Nginx访问控制
[[email protected] vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
# Restrict /admin/ by client address. allow/deny rules are checked from top to
# bottom and the first match decides, so "deny all" has to stay last.
# The address compared is the TCP peer; behind another proxy every client
# would appear as that proxy's address.
# This is a plain prefix location: a request that also matches a regex location
# in this server (for example /admin/x.php against a "\.php$" location) is
# handled by the regex location and skips these rules unless the restriction
# is repeated there or this location is declared with "^~".
location /admin/ {
    allow 127.0.0.1;
    allow 192.168.133.1;
    # NOTE(review): the curl test that follows gets 200 from 192.168.15.132,
    # so the configuration that was actually tested presumably allowed that
    # address as well - confirm the list against your real admin hosts.
    deny all;
}
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# mkdir /data/wwwroot/test.com/admin
[[email protected] vhost]# echo "123" > /data/wwwroot/test.com/admin/1.html
[[email protected] vhost]# curl -x192.168.15.132:80 test.com/admin/1.html
123
[[email protected] vhost]# curl -x127.0.0.1:80 test.com/admin/1.html
123
[[email protected] vhost]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.132 netmask 255.255.255.0 broadcast 192.168.15.255
inet6 fe80::996a:3fe7:cdd7:2bd3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:56:59:af txqueuelen 1000 (Ethernet)
RX packets 2768 bytes 264282 (258.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2060 bytes 267554 (261.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.136 netmask 255.255.255.0 broadcast 192.168.15.255
ether 00:0c:29:56:59:af txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.98 netmask 255.255.255.255 broadcast 192.168.1.98
inet6 fe80::93d:8d08:a36c:e0c3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:56:59:b9 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 744 (744.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 60 bytes 5481 (5.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 60 bytes 5481 (5.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] vhost]# curl -x192.168.1.98:80 test.com/admin/1.html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[[email protected] vhost]# tail /tmp/test.com.log
127.0.0.1 - [15/Mar/2018:00:19:27 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [15/Mar/2018:00:20:51 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [15/Mar/2018:00:21:03 +0800] test.com "/2.jsghfgfh" 404 "-" "curl/7.29.0"
192.168.15.132 - [16/Mar/2018:14:50:12 +0800] test.com "/admin/1.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:14:50:30 +0800] test.com "/admin/1.html" 200 "-" "curl/7.29.0"
192.168.1.98 - [16/Mar/2018:14:51:20 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
vim /usr/local/nginx/conf/vhost/test.com.conf
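# Never hand PHP files inside user-writable directories to the interpreter, so
# an uploaded script cannot be executed through the web server.
# The pattern is restored to ".*(dir)/.*\.php$": as published it had lost its
# "*" and "\" characters and only matched one-character file names.
# "upload" is listed because the test request /upload/1.php is answered with 403.
# Regex locations are tried in the order they appear in the file, so this block
# must come before the generic "\.php$" handler.
location ~ .*(upload|abc|image)/.*\.php$
{
    deny all;
}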
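# Reject requests whose User-Agent contains one of the listed strings.
# The pattern is quoted with plain ASCII quotes; typographic quotes would be
# taken as part of the regex and the first and last alternatives would never match.
# "~" is case-sensitive: in the test "Tomatodsfsd" gets 403 while "tomatodsfsd"
# gets 200. Use "~*" if case should be ignored.
# The User-Agent is set by the client, so this only filters crawlers that
# identify themselves honestly.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}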
[[email protected] vhost]# curl -x192.168.15.132:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[[email protected] vhost]# curl -x192.168.15.132:80 test.com/upload/1.txt
123
[[email protected] vhost]# curl -A "Tomatodsfsd" -x127.0.0.1:80 test.com/upload/1.txt
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[[email protected] vhost]# curl -A "tomatodsfsd" -x127.0.0.1:80 test.com/upload/1.txt
123
[[email protected] vhost]# !tail
tail /tmp/test.com.log
127.0.0.1 - [15/Mar/2018:00:20:51 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [15/Mar/2018:00:21:03 +0800] test.com "/2.jsghfgfh" 404 "-" "curl/7.29.0"
192.168.15.132 - [16/Mar/2018:14:50:12 +0800] test.com "/admin/1.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:14:50:30 +0800] test.com "/admin/1.html" 200 "-" "curl/7.29.0"
192.168.1.98 - [16/Mar/2018:14:51:20 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
192.168.1.98 - [16/Mar/2018:15:10:35 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
192.168.15.132 - [16/Mar/2018:15:11:20 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
192.168.15.132 - [16/Mar/2018:15:11:29 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/Mar/2018:15:13:48 +0800] test.com "/upload/1.txt" 403 "-" "Tomatodsfsd"
127.0.0.1 - [16/Mar/2018:15:14:08 +0800] test.com "/upload/1.txt" 200 "-" "tomatodsfsd"
12.15 Nginx解析php相关配置
vim /usr/local/nginx/conf/vhost/test.com.conf
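# Pass requests for PHP scripts to php-fpm.
# The dot is escaped so that only URIs ending in a literal ".php" match.
location ~ \.php$
{
    # Answer 404 unless the requested script exists under the site root. This
    # keeps URIs such as /uploads/a.jpg/x.php from reaching php-fpm, where
    # path-info handling could otherwise run the non-PHP file as a script.
    try_files $uri =404;
    include fastcgi_params;
    # Must match the address php-fpm listens on, otherwise nginx returns 502.
    # NOTE(review): the socket lives in /tmp - check that php-fpm's
    # listen.owner / listen.mode limit it to the nginx worker user.
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    # The path prefix must be the same directory as the server's "root".
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}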
其中fastcgi_pass用来指定php-fpm的地址。如果php-fpm监听的是一个tcp:port的地址(127.0.0.1:9000),那么也需要在这里改成fastcgi_pass 127.0.0.1:9000。这个地址一定要和php-fpm服务监听的地址匹配,否则报502错误。
fastcgi_param SCRIPT_FILENAME 后面跟的路径为该站点的根目录,和前面定义的root那个路径保持一致。如果不一致,访问PHP页面会出现404。
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/3.php
12.16 Nginx代理
[[email protected] vhost]# vim proxy.conf
[[email protected] vhost]# cat !$
cat proxy.conf
# Reverse proxy: requests for ask.apelearn.com arriving on port 80 are relayed
# to the backend at 121.201.9.155.
server {
    listen 80;
    server_name ask.apelearn.com;

    location / {
        # The hop to the backend is plain HTTP, so it is neither encrypted nor
        # authenticated.
        proxy_pass http://121.201.9.155/;

        # Keep the host name the client asked for.
        proxy_set_header Host $host;
        # Address of the TCP peer that connected to this proxy.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client sent;
        # earlier entries are client-supplied, so the backend should trust only
        # the value added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[[email protected] vhost]# ping ask.apelearn.com
PING ask.apelearn.com (47.91.145.78) 56(84) bytes of data.
64 bytes from 47.91.145.78 (47.91.145.78): icmp_seq=1 ttl=128 time=14.5 ms
64 bytes from 47.91.145.78 (47.91.145.78): icmp_seq=2 ttl=128 time=13.9 ms
64 bytes from 47.91.145.78 (47.91.145.78): icmp_seq=3 ttl=128 time=15.2 ms
64 bytes from 47.91.145.78 (47.91.145.78): icmp_seq=4 ttl=128 time=13.9 ms
64 bytes from 47.91.145.78 (47.91.145.78): icmp_seq=5 ttl=128 time=15.1 ms
^C
--- ask.apelearn.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4009ms
rtt min/avg/max/mdev = 13.949/14.582/15.239/0.568 ms
[[email protected] vhost]# !vim
vim proxy.conf
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 16 Mar 2018 08:04:17 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=jjbvdum6rk71rrofnn4lbjiap5; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
[[email protected] vhost]# curl 127.0.0.1:80 ask.apelearn.com/robots.txt
This is the default site.
#
robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
原文地址:http://blog.51cto.com/12058686/2087674