Nginx防盗链、Nginx访问控制、Nginx解析php相关配置、Nginx代理

image.png

[root@iZbp1e0xboek6oow616aoiZ ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
      expires 7d;
      valid_referers none blocked server_names  *.test.com ;
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
    }

[root@iZbp1e0xboek6oow616aoiZ ~]# /usr/local/nginx/sbin/nginx -s reload
[root@iZbp1e0xboek6oow616aoiZ ~]# curl -e "http://www.baidu.com" -x 127.0.0.1:80 -I test.com/1.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Wed, 25 Apr 2018 13:54:43 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Nginx访问控制

Nginx访问控制

Nginx访问控制

目录访问控制

[root@iZbp1e0xboek6oow616aoiZ ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
#做白名单需要先allow再deny，黑名单反之，每条信息进来只匹配一次，匹配到就不执行下面

location /admin/
    {
      allow 192.168.133.1;
      allow 127.0.0.1;
      deny all;
    }

[root@iZbp1e0xboek6oow616aoiZ ~]# mkdir /data/wwwroot/test.com/admin/
[root@iZbp1e0xboek6oow616aoiZ ~]# echo “test,test”>/data/wwwroot/test.com/admin/1.html
[root@iZbp1e0xboek6oow616aoiZ ~]# /usr/local/nginx/sbin/nginx -s reload
[root@iZbp1e0xboek6oow616aoiZ ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@iZbp1e0xboek6oow616aoiZ ~]# /usr/local/nginx/sbin/nginx -s reload
[root@iZbp1e0xboek6oow616aoiZ ~]# curl -x127.0.0.1:80 test.com/admin/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 25 Apr 2018 14:04:30 GMT
Content-Type: text/html
Content-Length: 16
Last-Modified: Wed, 25 Apr 2018 13:59:24 GMT
Connection: keep-alive
ETag: "5ae089bc-10"
Accept-Ranges: bytes

[root@iZbp1e0xboek6oow616aoiZ ~]# curl -x172.16.240.247:80 test.com/admin/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Wed, 25 Apr 2018 14:02:15 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

正则匹配文件访问控制

#可以匹配正则，拒绝解析upload和image目录中的php文件
location ~ .*(upload|image)/.*\.php$
{
        deny all;
}
#测试
curl  -x127.0.0.1:80 test.com/upload/1.php

#根据user_agent限制，~*表示匹配不区分大小写
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
 deny all和return 403效果一样
#测试
curl -A "tomatodsagsdfdfasdsew" -x127.0.0.1:80 test.com/upload/1.txt

curl: 增加refer：-e
增加userAgent：-A
只显示http response：-I 同时显示代码： -i
指定代理服务器：-x
-u 可以完成HTTP或者FTP的认证
curl -u user:pwd http://man.linuxde.net
curl扩展链接：http://man.linuxde.net/curl

Nginx解析php相关配置

Nginx解析php相关配置

php解析不了或者出现502需要检查下面两项,还有listen.mode权限问题和Nginx的资源问题（卡死情况）

[root@iZbp1e0xboek6oow616aoiZ ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

[root@iZbp1e0xboek6oow616aoiZ ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
#加入下面的配置，注意fastcgi_pass要和上面的配置一样，fastcgi_param目录要和root目录一致

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

Nginx代理

Nginx代理

[root@iZbp1e0xboek6oow616aoiZ vhost]# vim /usr/local/nginx/conf/vhost/proxy.conf

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://121.201.9.155/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

扩展
502问题汇总 http://ask.apelearn.com/question/9109
location优先级 http://blog.lishiming.net/?p=100