20180611

Tasks for June 11
12.13 Nginx anti-hotlinking
12.14 Nginx access control
12.15 Nginx configuration for parsing PHP
12.16 Nginx proxy

Further reading
Summary of 502 problems http://ask.apelearn.com/question/9109
location priority http://blog.lishiming.net/?p=100

1. Nginx anti-hotlinking

Anti-hotlinking can be combined with not logging static files

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

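none: the Referer is empty
blocked: a Referer is present but was removed by a firewall or proxy; the value does not start with http:// or https://
server_names: the Referer header contains one of the current server_names (the current domain)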

valid_referers none blocked domain.com *.domain.com server_names ~\.google\. ~\.baidu\.;
if ($invalid_referer) {
    return 403;
    #rewrite ^/ http://www.domain.com/403.jpg;
}

Example from http://nginx.org/en/docs/http/ngx_http_referer_module.html

valid_referers none blocked server_names
              *.example.com example.* www.example.org/galleries/
              ~\.google\.;

if ($invalid_referer) {
    return 403;
}
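The matching rules described above can be checked offline with a small model. This is an added example, not part of the original notes or of nginx itself; it handles only the entry forms used on this page (none, blocked, server_names, leading-wildcard names, exact names, ~regex), and the SERVER_NAMES value, the ANCHORED policy and the sample Referer values are assumptions.

```python
import re

def referer_valid(referer, policy, server_names=()):
    """Simplified model of valid_referers: True means $invalid_referer stays empty."""
    if referer is None:                        # no Referer header at all
        return "none" in policy
    scheme = re.match(r"https?://", referer, re.I)
    if scheme is None:                         # value lacks http:// or https://
        return "blocked" in policy
    rest = referer[scheme.end():]              # nginx matches from here on
    host = re.split(r"[/:]", rest, maxsplit=1)[0].lower()
    for item in policy:
        if item in ("none", "blocked"):
            continue
        if item == "server_names":
            ok = host in server_names
        elif item.startswith("~"):             # regex sees host AND path
            ok = re.search(item[1:], rest, re.I) is not None
        elif item.startswith("*."):            # *.test.com: subdomains only
            ok = host.endswith(item[1:].lower())
        else:
            ok = host == item.lower()
        if ok:
            return True
    return False

# Policies copied from the page; the server_names value is assumed.
SERVER_NAMES = ("test.com",)
STATIC_POLICY = ["none", "blocked", "server_names", "*.test.com"]
SEARCH_POLICY = ["none", "blocked", "domain.com", "*.domain.com",
                 "server_names", r"~\.google\.", r"~\.baidu\."]
# Hypothetical tightened entry: anchored to the host part only.
ANCHORED = ["none", "blocked", r"~^([^/:]+\.)?google\.com(/|:|$)"]

def audit(policy, referers):
    """Return {referer: 200 or 403} for constructed sample Referer values."""
    return {r: 200 if referer_valid(r, policy, SERVER_NAMES) else 403
            for r in referers}

if __name__ == "__main__":
    samples = [None, "http://www.test.com/1.html", "http://www.baidu.com/1.txt"]
    for ref, code in audit(STATIC_POLICY, samples).items():
        print(code, ref)
```

Because a ~regex entry is matched against everything after the scheme, a pattern such as ~\.google\. also accepts a Referer that carries that text in its path; anchoring the pattern to the host part, as in ANCHORED, avoids that.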

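2. Nginx access control

By directory

Requirement: requests for the /admin/ directory are allowed only from a few specific IPs. The configuration is as follows: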

location /admin/
{
    allow 192.168.133.1;
    allow 127.0.0.1;
    deny all;
}

Create a test directory and write a file into it
mkdir /data/wwwroot/test.com/admin/
echo "test,test">/data/wwwroot/test.com/admin/1.html

Check the configuration and reload nginx
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

Test with curl
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.133.130:80 test.com/admin/1.html -I

A regular expression can also be matched

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

Restrict by user_agent

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

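Test with curl
curl -A "tomato123123" -x127.0.0.1:80 test.com/upload/1.txt
curl -A: sets the User-Agent sent with the request. The ~ operator is case-sensitive, so this lowercase value does not match 'Tomato'; use ~* for a case-insensitive match.

deny all and return 403 have the same effect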

3. Nginx configuration for parsing PHP

The configuration is as follows:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

fastcgi_pass specifies the address or socket that php-fpm listens on

4. Nginx proxy

Edit the proxy.conf file
vim /usr/local/nginx/conf/vhost/proxy.conf

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host  $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

HTTPS proxying is not supported

Do not reproduce without permission: 外贸SOHO笔记 » 20180611
