
Nginx hotlink protection and access control, Nginx PHP parsing configuration, and proxying

Date: 2018-03-16 10:34:15

Tags: Nginx

Nginx hotlink protection


1. Edit the configuration file:

[root@weixing01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

2. Test the configuration and reload:

[root@weixing01 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 ~]# /usr/local/nginx/sbin/nginx -s reload

3. Verify:

[root@weixing01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1 -I test.com/1.gif
curl: (7) Failed connect to 127.0.0.1:1080; 拒绝连接
[root@weixing01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 14:25:23 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@weixing01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 14:25:35 GMT
Content-Type: image/gif
Content-Length: 14
Last-Modified: Wed, 14 Mar 2018 17:20:46 GMT
Connection: keep-alive
ETag: "5aa959ee-e"
Expires: Thu, 22 Mar 2018 14:25:35 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

Nginx access control

By directory
1. Edit the configuration file:

[root@weixing01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
 location /admin/
    {
         allow 127.0.0.1;
         allow 192.168.188.130;
         deny all;
    }

2. Test the configuration and reload:

[root@weixing01 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 ~]# /usr/local/nginx/sbin/nginx -s reload

3. Verify:

[root@weixing01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 14:52:12 GMT
Content-Type: application/octet-stream
Content-Length: 10
Last-Modified: Thu, 15 Mar 2018 14:52:04 GMT
Connection: keep-alive
ETag: "5aaa8894-a"
Accept-Ranges: bytes

By regular expression:


4. Modify the configuration file:

[root@weixing01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
location ~ .*(upload|image)/.*\.php$
{   
        deny all;
}

5. Test the configuration and reload:

[root@weixing01 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 ~]# /usr/local/nginx/sbin/nginx -s reload

6. Verify:

[root@weixing01 ~]# mkdir /data/wwwroot/test.com/upload
[root@weixing01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@weixing01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@weixing01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt
[root@weixing01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111
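
Added example, not part of the original article: nginx tries regex locations in the order they appear in the file and stops at the first match, so the deny rule above only takes effect if it sits above any general PHP handler (location ~ \.php$, configured later on this page) in the same server block. The check below runs on two constructed fragments; the function name and sample files are assumptions, and grep -E stands in for nginx's PCRE matching.

```sh
#!/bin/sh
# Print the regex of the first "location ~" / "location ~*" block in CONF that
# matches URI. nginx tries regex locations in file order and stops at the first
# match. Not modelled: "=" and "^~" locations, which are chosen before any regex.
# Assumption: the patterns are ERE-compatible, so grep -E stands in for PCRE.
first_regex_location() {
    conf=$1 uri=$2
    sed -nE 's/^[[:space:]]*location[[:space:]]+(~\*?)[[:space:]]+([^[:space:]{]+).*/\1 \2/p' "$conf" |
    while read -r mod re; do
        case $mod in
            '~*') flag=-i ;;   # "~*" matches case-insensitively
            *)    flag= ;;     # "~" is case-sensitive
        esac
        if printf '%s\n' "$uri" | grep -Eq $flag -- "$re"; then
            printf '%s\n' "$re"
            break
        fi
    done
}

# Constructed sample fragments: the two locations from this page in both orders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/handler_first.conf" <<'EOF'
location ~ \.php$
{
    fastcgi_pass unix:/tmp/php-fcgi.sock;
}
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
EOF
cat > "$demo_dir/deny_first.conf" <<'EOF'
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
location ~ \.php$
{
    fastcgi_pass unix:/tmp/php-fcgi.sock;
}
EOF
for f in handler_first deny_first; do
    printf '%s: /upload/1.php -> %s\n' "$f" \
        "$(first_regex_location "$demo_dir/$f.conf" /upload/1.php)"
done
```

With handler_first.conf the request is handed to the PHP handler and the deny block is never reached; with deny_first.conf it is refused.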

7. To restrict by user_agent, modify the configuration file:

[root@weixing01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}     

8. Test the configuration and reload:

[root@weixing01 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 ~]# /usr/local/nginx/sbin/nginx -s reload

9. Verify:

[root@weixing01 ~]# curl -A Tomatosjklajg -x127.0.0.1:80 test.com/upload/1.txt  -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:05:33 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@weixing01 ~]# curl -A Tmatosjklajg -x127.0.0.1:80 test.com/upload/1.txt  -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:05:47 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Thu, 15 Mar 2018 15:01:29 GMT
Connection: keep-alive
ETag: "5aaa8ac9-5"
Accept-Ranges: bytes

Nginx PHP parsing configuration


1. Modify the configuration file:

[root@weixing01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

2. Test:

[root@weixing01 ~]# vi /data/wwwroot/test.com/3.php
[root@weixing01 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

The PHP is not parsed; reload the configuration:

[root@weixing01 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 ~]# /usr/local/nginx/sbin/nginx -s reload

Check the result again:
The file is now parsed correctly.
3. If you get a 502 error:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fgi.sock;                      # Whether this is a socket or an IP address depends on the main configuration file; the two must match
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

    access_log /tmp/test.com.log weixing;

}
[root@weixing01 ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>

This is what happens when the two do not match.
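
Added example, not from the original article: a check that the fastcgi_pass target in the vhost equals the listen value in the php-fpm configuration, the mismatch that produces the 502 above. The file contents are constructed samples and the function names are assumptions; point check_fastcgi_match at your real vhost and php-fpm configuration files.

```sh
#!/bin/sh
# First fastcgi_pass target in an nginx config file (trailing ";" and comments dropped).
nginx_fastcgi_target() {
    sed -nE 's/^[[:space:]]*fastcgi_pass[[:space:]]+([^;[:space:]]+).*/\1/p' "$1" | head -n 1
}

# First "listen = ..." value in a php-fpm config file.
# "listen.mode", "listen.owner" and ";" comment lines are skipped by the pattern.
fpm_listen_target() {
    sed -nE 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*([^;[:space:]]+).*/\1/p' "$1" | head -n 1
}

# Return 0 when both sides name the same socket path or ip:port, 1 otherwise.
# Limitation: a port-only php-fpm value such as "listen = 9000" is compared as a string.
check_fastcgi_match() {
    n=$(nginx_fastcgi_target "$1")
    n=${n#unix:}                       # nginx prefixes socket paths with "unix:"
    f=$(fpm_listen_target "$2")
    if [ -n "$n" ] && [ "$n" = "$f" ]; then
        echo "OK: nginx and php-fpm both use $f"
        return 0
    fi
    echo "MISMATCH: nginx -> ${n:-<none>}, php-fpm -> ${f:-<none>}"
    return 1
}

# Constructed samples: the mistyped socket from the 502 case, the working one,
# and a php-fpm pool listening on the working socket.
fcgi_dir=$(mktemp -d)
cat > "$fcgi_dir/vhost_bad.conf" <<'EOF'
location ~ \.php$
{
    fastcgi_pass unix:/tmp/php-fgi.sock;   # mistyped socket name
}
EOF
sed 's/php-fgi/php-fcgi/' "$fcgi_dir/vhost_bad.conf" > "$fcgi_dir/vhost_ok.conf"
cat > "$fcgi_dir/php-fpm.conf" <<'EOF'
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
EOF
check_fastcgi_match "$fcgi_dir/vhost_bad.conf" "$fcgi_dir/php-fpm.conf" || true
check_fastcgi_match "$fcgi_dir/vhost_ok.conf"  "$fcgi_dir/php-fpm.conf"
```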

Nginx proxy


1. Write a configuration file:

[root@weixing01 ~]# cd /usr/local/
apache2.4/ bin/       include/   libexec/   nginx/     php-fpm/   src/       
apr/       etc/       lib/       mariadb/   php/       sbin/      
apr-util/  games/     lib64/     mysql/     php7/      share/     
[root@weixing01 ~]# cd /usr/local/nginx/conf
[root@weixing01 conf]# cd vhost/
[root@weixing01 vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://47.91.145.78/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

2. Validate the configuration and reload:

[root@weixing01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 vhost]# /usr/local/nginx/sbin/nginx -s reload

3. Test:

[root@weixing01 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/


Original article: http://blog.51cto.com/13517254/2087402
