[toc]

一、Nginx防盗链:

1. 打开配置文件:

增加如下配置文件:

[root@xavi ~]# cd /usr/local/nginx/conf/vhost/
[root@xavi vhost]# vim test.com.conf

    } 
  #  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  #  {
  #        expires      7d;
  #        access_log off;
  #  }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{   
    expires 7d; 
    valid_referers none blocked server_names  *.haha.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
  • 防盗链部分
valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }

如上配置文件中匹配以gif,jpg,png结尾的页面,并且设置一个白名单的referer为*.test.com, 其它的($invalid_referer)均403 forbidden!

2. 测试+重载(-t && -s reload)

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

使用本地主机访问2.js 是没有问题的,指定一个referer,再次测试:

[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

二、Nginx访问控制:

有时候在咱们运维一些网站的时候,发现一些访问是不正常的。或者为了提高安全性,我们需要将某些页面加密处理!

1 增加如下配置文件

vim /usr/local/nginx/conf/vhost/test.com.conf

location /admin/

{
    allow 127.0.0.1;
    allow 192.168.72.130; //自己试验虚拟机的网卡
    deny all;
}

==匹配规则为,一旦匹配则后面的均不执行,也就是允许127.0.0.1和192.168.72.130 访问;其它的均拒绝!==

2.测试语法并重载配置

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

3.匹配站点后台登录页,进行访问控制!

[root@xavi vhost]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
[root@xavi vhost]# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes

查看日志:cat /tmp/test.com.log

4.针对某个可以上传的目录做指定文件(例如:php)不解析:

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

任何PHP文件都不解析,而txt文件可以访问

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK

5.根据user-agent限制:

如果站点被CC***了,或者不想被蜘蛛爬自己的网站,我们完全可以根据user-agent去禁止掉:

vim /usr/local/nginx/conf/vhost/test.com.conf 打开添加一下语句

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

测试语法并重加载配置

[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload

加载1.txt测试

[root@xavi vhost]# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes

我们发现,当我们修改user-agent为小写的时候,就不生效了。所以我们需要设置忽略大小写:

重新在虚拟机配置文件 test.com.conf下修改配置

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

只需要在~添加一个 * 即可!

完成过程:

[root@xavi vhost]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf 
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xavi vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@xavi vhost]# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

三、Nginx解析php相关配置

1.增加以下配置:

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
      }

fastcgi_pass 用来指定php-fpm监听的地址或者socket

完整以配置的内容:

vim /usr/local/nginx/conf/vhost/test.com.conf 

  #        expires      7d;
  #        access_log off;
  #  }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    }
    access_log off;
}   
location ~ .*\.(js|css)$
    {   
          expires      12h;
          access_log off;
    }
    location /admin/

{         
    allow 127.0.0.1; 
    allow 192.168.72.130;
    deny all;
}

location ~ .*(upload|image)/.*\.php$
{   
        deny all;
}
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}       
location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
      }

2.创建一个测试php文件

[root@xavi vhost]# vim /data/nginx/test.com/3.php
>?php
phpinfo();

无法解析,显示源码(编辑的conf文件未完成-t&-s reload配置)

[root@xavi vhost]# curl -x127.0.0.1:80 test.com/3.php

这里特别注意下配置文件中/data/nginx/test.com,而不是设置www.test.com

-t&-s reload配置后,可以正常解析phpinfo()

3.小结:其中fastcgi_pass用来指定php-fpm的地址,如果php-fpm监听的是一个tcp:port的地址(比如127.0.0.1:9000),那么也需要在这里改成fastcgi_pass 127.0.0.1:9000。这个地址一定要和php-fpm服务监听的地址匹配,否是会报502错误.还有一个地方要注意fastcgi_param SCRIPT_FILENAME 后面跟的路径为该站点的根目录,和前面定义的root那个路径保持一致,如果这里配置不对,访问PHP页面会出现404;还有一种502的现象,如果内存中出现大量的php-fpm进程占据了内存,也会同样导致此问题!

location ~ \.php$
      {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
      }

查看php-fpm: vim /usr/local/php-fpm/etc/php-fpm.conf

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen =127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

无法查看错误日志


测试:找到了日志文件路径,查看了error.log,里面是有内容的,但是忘了自己是否对nginx专门设定了日志文件

[root@xavi ~]# cd /usr/local/nginx/logs/
[root@xavi logs]# ls
access.log  error.log  nginx_error.log  nginx.pid
[root@xavi logs]# cat error.log
2018/03/14 00:05:58 [emerg] 124460#0: unknown directive "er" in /usr/local/nginx/conf/nginx.conf:1
2018/03/14 21:06:14 [notice] 5737#0: signal process started
2018/03/14 21:41:27 [notice] 6234#0: signal process started
2018/03/14 21:59:27 [notice] 6446#0: signal process started
2018/03/14 22:16:03 [notice] 6668#0: signal process started
2018/03/14 22:38:58 [emerg] 6947#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:40:17 [emerg] 6962#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/torreid.com.conf:3
2018/03/14 22:44:22 [emerg] 7015#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/test.com.conf:4
2018/03/14 22:55:13 [emerg] 7151#0: unknown directive "//有这个default_server标记的就是默认虚拟主机" in /usr/local/nginx/conf/vhost/aaa.com.conf:4
2018/03/14 22:56:55 [emerg] 7173#0: "location" directive is not allowed here in /usr/local/nginx/conf/vhost/atorreid.com.conf:12
2018/03/14 22:58:57 [emerg] 7197#0: a duplicate default server for 0.0.0.0:80 in /usr/local/nginx/conf/vhost/bcd.com.conf:3
2018/03/14 23:01:46 [warn] 7251#0: conflicting server name "test.com" on 0.0.0.0:80, i

四、Nginx代理

假如一个用户需要访问WEB服务器,但是用户与WEB服务器之间是不通的,WEB服务器在内网,我们需要一个代理服务器来帮助用户访问web,他必须和用户相通,也必须和web服务器相通,在中间起到搭桥的这就是代理服务器。这样当你下载好一个安装包后,别的同事也可以在内网里共享你的下载,节约资源.

4.1 原理:

Nginx代理是一种反向代理。反向代理(Reverse Proxy)方式是指以代理服务器来接受Internet上的连接请求,然后将请求转发给内部网络上的服务器;并将从服务器上得到的结果返回给Internet上请求连接的客户端,此时代理服务器对外就表现为一个服务器。

假如这家公司有很多台服务器,为了节省成本,不能为所有的服务器都分配公网IP,而如果一个没有公网的IP的复为其要提供web服务,就可以通过代理来实现,这就是 Nginx比httpd越来越受欢迎的原因

graph LR
用户–>代理服务器
代理服务器–>用户
代理服务器–>web服务器
web服务器–>代理服务器

4.2 编辑配置文件

cd /usr/local/nginx/conf/vhost

vim proxy.conf
  • 加入如下内容:
server
{
    listen 80;
    server_name ask.apelearn.com;
#   定义域名(一般和被代理ip的域名保持一致)
    location /
    {
        proxy_pass      http://47.91.145.78/;  //用window的cmd去ping这个网址的IP
#       指定被代理(被访问)的IP(web服务器IP)
        proxy_set_header Host   $host;
#       $host指的是代理服务器的servername(也是被代理IP的域名)
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

因为是代理服务器所以不需要访问本地服务器的任何文件; ask.apelearn.com; 定义一个域名;

proxy_pass http://47.91.145.78/;真实WEB服务器的IP地址。

$host; 也就是咱们的server_name

重启nginx之后再次测试,127.0.0.1就是自己的代理机,访问的论坛

[root@xavi vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 18 Mar 2018 08:51:31 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=kgp331gk94i16pcv9jti0qgd65; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

测试网站的robots

[root@xavi vhost]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/