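Nginx proxy, Nginx anti-hotlinking, Nginx access control, and Nginx PHP parsing configuration

1. Nginx anti-hotlinking

Anti-hotlinking, expiry times and disabling access logging are all configured in a location block, so the settings can be written together, as shown below.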

server {
    listen 80;
    server_name test.com;
    if ($host = "test.com") {
        rewrite ^/(.*)$ http://127.0.0.1/test/$1 permanent;
    }

    # ~* makes the pattern that follows case-insensitive
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
        expires 1d;
        valid_referers none blocked server_names *.test.com;
        # $invalid_referer indicates an invalid Referer
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
}

Test:

[root@nginx ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~] /usr/local/nginx/sbin/nginx -s reload
[root@nginx ~] curl -x127.0.0.1:80 -e "http://www.baidu.com" test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Fri, 17 Jul 2020 11:55:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@nginx ~] curl -x127.0.0.1:80 -e "http://www.test.com" test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Fri, 17 Jul 2020 11:55:09 GMT
Content-Type: image/gif
Content-Length: 2
Last-Modified: Fri, 17 Jul 2020 11:55:09 GMT
Connection: keep-alive
Expires: Fri, 17 Jul 2020 23:59:59 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

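The anti-hotlinking configuration works, and besides hotlink protection the response also carries an expiry time.

2. Nginx access control

Access control for a directory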
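The decision made by the valid_referers line above, modelled in Python for a few constructed Referer values. This is an added example, not code from the original post or from nginx: a simplified model of the documented matching rules that covers only the none, blocked, server_names and *.test.com parameters used here.

```python
# Simplified model of nginx's valid_referers check (assumption: not nginx source).
# Rule from the page: valid_referers none blocked server_names *.test.com;
SERVER_NAMES = ["test.com"]   # server_name from the page's server block
PATTERNS = ["*.test.com"]     # wildcard from the page's valid_referers line
ALLOW_NONE = True             # "none": the request has no Referer header
ALLOW_BLOCKED = True          # "blocked": Referer lacks an http:// or https:// prefix


def referer_host(referer):
    """Return the lowercased host of an http(s) Referer, or None without a scheme."""
    lowered = referer.lower()
    for scheme in ("http://", "https://"):
        if lowered.startswith(scheme):
            rest = lowered[len(scheme):]
            # The host ends at the first '/' or ':', so the port is ignored.
            for i, ch in enumerate(rest):
                if ch in "/:":
                    return rest[:i]
            return rest
    return None


def host_allowed(host):
    if host in SERVER_NAMES:
        return True
    for pattern in PATTERNS:
        suffix = pattern[1:]  # "*.test.com" -> ".test.com"
        # A leading "*." matches any subdomain but not the bare domain.
        if pattern.startswith("*.") and host.endswith(suffix) and len(host) > len(suffix):
            return True
    return False


def invalid_referer(referer):
    """True when $invalid_referer would be set (the page's config then returns 403)."""
    if referer is None:
        return not ALLOW_NONE
    host = referer_host(referer)
    if host is None:
        return not ALLOW_BLOCKED
    return not host_allowed(host)


# Constructed sample values; None means the Referer header is absent.
SAMPLES = [None, "http://www.test.com", "http://www.baidu.com",
           "https://img.test.com:8443/a.html", "http://test.com.example.net/", "about:blank"]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):36} -> {403 if invalid_referer(ref) else 200}")
```

Requests with no Referer, or with one that lacks an http(s) scheme, pass because of none and blocked, and the header is chosen by the client (as curl -e shows), so this rule limits embedding by other sites rather than acting as access control.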

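location ~ ^/test/index.html {
    root   /opt/app/code;
    deny 192.168.145.132;   # deny host 132, allow all other IPs
    allow all;
    index  index.html index.htm;
}

Purpose: requests under the /test/ directory are restricted by client IP, so that only permitted IPs can access them.

Test: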

[root@nginx ~] /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~] curl http://192.168.145.132:80/test/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Fri, 17 Jul 2020 12:30:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Restricting access with a regular expression

location ~ .*(image)/.*\.php$
{
    deny all;
}

Purpose: deny any request whose URL contains the string image and is for a PHP file.

Test:

[root@nginx ~] curl -x127.0.0.1:80 test/image/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

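3. Nginx PHP parsing configuration

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    # Path of the script file being requested. When 127.0.0.1/index.php is
    # requested, index.php has to be read from the site root. Without this
    # directive nginx does not look for the .php file under the site root
    # and a blank page is returned, so this directive is required.
    fastcgi_param SCRIPT_FILENAME /data/www/test$fastcgi_script_name;
}

What fastcgi does

  • Nginx communicates with php-fpm through nginx's fastcgi module: the module forwards client requests for php files to php-fpm for processing. Because requests are being forwarded, a protocol has to be followed, namely the one specified in fastcgi.conf.

Test: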

[root@nginx1 ~] curl -x127.0.0.1:80 test/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Fri, 17 Jul 2020 12:50:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30  

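The complete flow of nginx working with php-fpm

 test.com
        |
        |
  request for a php file reaches Nginx
        |
        |
routed to test/today.php
        |
        |
nginx's fast-cgi module is loaded
        |
        |
fast-cgi listens on 127.0.0.1:9000
        |
        |
the test/index.php request arrives at 127.0.0.1:9000
        |
        |
php-fpm listens on 127.0.0.1:9000
        |
        |
php-fpm receives the request and starts a worker process to handle it
        |
        |
php-fpm finishes the request and returns the result to nginx
        |
        |
nginx returns the result to the browser over http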
