Nginx配置防盗链
#vim /usr/local/nginx/conf/vhost/test.com.conf //写入如下内容
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ; //定义referer白名单
if ($invalid_referer) {
return 403;
}
access_log off;
}
# /usr/local/nginx/sbin/nginx -t //检测语法
#/usr/local/nginx/sbin/nginx -s reload //重新加载
#echo "1223" > /data/wwwroot/test.com/1.gif //将1223写入1.gif中
#curl -x127.0.0.1:80 -I test.com/1.gif //测试防盗链
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 09:11:57 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Thu, 04 Jan 2018 09:08:11 GMT
Connection: keep-alive
ETag: "5a4deefb-b"
Expires: Thu, 11 Jan 2018 09:11:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 04:19:32 GMT
Content-Type: image/gif
Content-Length: 11
Last-Modified: Wed, 03 Jan 2018 04:06:01 GMT
Connection: keep-alive
ETag: "5a4c56a9-b"
Expires: Wed, 10 Jan 2018 04:19:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
说明防盗链配置成功了
Nginx访问控制
需求:访问/admin/目录的请求,只允许某几个IP访问,配置如下:
#vim /usr/local/nginx/conf/vhost/test.com.conf //写入如下内容
location /admin/
{
allow 192.168.37.1;
allow 127.0.0.1;
deny all;
}
#mkdir /data/wwwroot/test.com/admin/ //创建目录
#echo “test,test”>/data/wwwroot/test.com/admin/1.html //写入测试语句
#/usr/local/nginx/sbin/nginx -t && -s reload //检测配置文件和重新加载
#curl -x127.0.0.1:80 test.com/admin/1.html -I //测试
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:05:58 GMT
Content-Type: text/html
Content-Length: 6
Last-Modified: Wed, 03 Jan 2018 05:05:20 GMT
Connection: keep-alive
ETag: "5a4c6490-6"
Accept-Ranges: bytes
#curl -x192.168.37.130:80 test.com/admin/1.html -I //测试能否访问
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:06:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
将能上传的目录禁止解析php,防止发生别人根据目录能解析php代码上传***文件
配置如下:
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
#/usr/local/nginx/sbin/nginx -t && -s reload //检测配置文件和重新加载
#mkdir /data/wwwroot/test.com/upload/ //创建upload目录
#echo "123" > /data/wwwroot/test.com/upload/1.php //编辑1.php文件
#curl -x127.0.0.1:80 test.com/upload/1.php -I //测试
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:27:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:32:18 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 03 Jan 2018 05:32:11 GMT
Connection: keep-alive
ETag: "5a4c6adb-4"
Accept-Ranges: bytes
根据user_agent限制
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
#/usr/local/nginx/sbin/nginx -t && -s reload //检测配置文件和重新加载
#curl -A "Tomatoshshd" -x127.0.0.1:80 test.com/upload/1.txt -I //加上user_agent来进行测试
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 05:49:14 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
查案日志就可以看到信息
127.0.0.1 - [03/Jan/2018:13:49:14 +0800] test.com "/upload/1.txt" 403 "-" "Tomatoshsh"
Nginx解析php相关配置
nginx没有做配置来解析php,当解析php的代码时,会直接将代码显示出来
此时更改配置文件
#vim /usr/local/nginx/conf/vhost/test.com.conf //写入配置文件
配置如下:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock; //监听地址写错会出现502
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
然后再来访问刚刚的php文件
#curl -x127.0.0.1:80 test.com/4.php //此时能正常解析
#fastcgi_pass 用来指定php-fpm监听的地址或者socket,在/usr/local/php-fpm/etc/php-fpm.conf中的配置文件的监听地址和nginx的虚拟主机配置文件监听地址必须是一样的,否则会出现502问题
location ~ \.php$
{
include fastcgi_params;
# fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000; //此处要和php-fpm配置文件里的监听地址一样
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
/usr/local/php-fpm/etc/php-fpm.conf中的监听权限,当php-fpm的配置文件中的监听权限不定义时,会出现502的问题
#vim /usr/local/php-fpm/etc/php-fpm.conf //编辑php-fpm服务的配置文件内容
[global] //定义全局参数
pid = /usr/local/php-fpm/var/run/php-fpm.pid //定义它的pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www] //模块名
listen = /tmp/php-fcgi.sock //监听
#listen = 127.0.0.1:9000 //监听本机ip和端口
listen.mode = 666 //监听权限,监听socket时不定义会出现502
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
当php的资源耗尽时也会出现访问502的问题