LNMP第四节(6月11日)

12.13 Nginx防盗链
12.14 Nginx访问控制
12.15 Nginx解析php相关配置
12.16 Nginx代理

12.13 Nginx防盗链

Nginx防盗链的核心语句是可以嵌套在静态文件不记录日志和过期时间的语句中一起使用的,这样Nginx的配置就更加清晰明了。

步骤

1.配置文件

1
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test2.com.conf
1
2
3
4
5
6
7
8
9
10
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
   {
      expires 7d;
      valid_referers none blocked server_names  *.test2.com ;
      if ($invalid_referer)
           {
           return 403;
           }
      access_log off;
   }

~*表示不区分大小写的匹配 valid_referers none blocked server_names 定义白名单的referer none blocked表示空referer server_names可以忽略不写 invalid_referer表示非白名单
Nginx的正则表达式匹配 https://blog.csdn.net/a519640026/article/details/9138487

2.检查语法并加载配置文件

1
2
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@localhost ~]# curl -e "http://www.baidu.com" -x 192.168.80.102:80 test2.com/1.png -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 03:50:29 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@localhost ~]# curl -e "http://test2.com" -x 192.168.80.102:80 test2.com/1.png -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 03:51:56 GMT
Content-Type: image/png
Content-Length: 3
Last-Modified: Fri, 08 Jun 2018 14:36:28 GMT
Connection: keep-alive
ETag: "5b1a946c-3"
Expires: Sat, 16 Jun 2018 03:51:56 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

-e指定referer
这里referer不是test2.com的都会禁止访问png

12.14 Nginx访问控制

为了让公司内部的IP访问指定的目录,其他IP都拒绝掉

步骤

1.配置文件

1
2
3
4
5
6
location ~ /admin/
       {
       allow 127.0.0.1;
       allow 192.168.80.102;
       deny all;
       }

Nginx的访问控制和Apache的不同 他的顺序是从上至下匹配,只要匹配到要求就会停止匹配。127.0.0.1匹配到到allow后就会停止匹配

2.检查语法并加载配置文件

1
2
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

1
2
[root@localhost ~]# mkdir /var/www/test2/admin/
[root@localhost ~]# echo "1111" > /var/www/test2/admin/1.php
1
2
3
4
5
6
7
8
9
10
[root@localhost ~]# curl -x 127.0.0.1:80 test2.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 04:27:49 GMT
Content-Type: application/octet-stream
Content-Length: 5
Last-Modified: Sat, 09 Jun 2018 04:26:55 GMT
Connection: keep-alive
ETag: "5b1b570f-5"
Accept-Ranges: bytes

我们新建一块网卡并动态配置IP给他在访问admin目录

1
2
3
4
5
6
7
8
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.218.128  netmask 255.255.255.0  broadcast 192.168.218.255
        inet6 fe80::1e59:e2e4:8f43:12e8  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:06:17:15  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 746 (746.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 1308 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1
2
3
4
5
6
7
[root@localhost ~]# curl -x 192.168.218.128:80 test2.com/admin/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 04:32:33 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

可以发现网卡ens37的IP被拒绝访问admin目录

对文件或者链接进行访问控制

步骤

1.配置文件

1
2
3
4
location ~ .*(upload|image)/.*\.php$
   {
   deny all;
   }

(upload|image)/表示uplocad或者image目录 这里就是禁止访问该目录下的php文件,以达到禁止解析PHP的目的

2.检查语法并加载配置文件

1
2
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

1
2
3
[root@localhost ~]# mkdir /var/www/test2/upload/ /var/www/test2/image
[root@localhost ~]# echo "111" > /var/www/test2/image/1.php
[root@localhost ~]# echo "111" > /var/www/test2/image/1.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[root@localhost ~]# curl -x 192.168.218.128:80 test2.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 04:45:37 GMT
Content-Type: application/octet-stream
Content-Length: 5
Last-Modified: Sat, 09 Jun 2018 04:26:55 GMT
Connection: keep-alive
ETag: "5b1b570f-5"
Accept-Ranges: bytes

[root@localhost ~]# curl -x 192.168.218.128:80 test2.com/image/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 04:45:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

[root@localhost ~]# curl -x 192.168.218.128:80 test2.com/image/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 04:48:49 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Sat, 09 Jun 2018 04:48:17 GMT
Connection: keep-alive
ETag: "5b1b5c11-4"
Accept-Ranges: bytes

新网卡IP192.168.218.128访问image目录下的php文件被拒绝了

对user_agent进行访问控制

步骤

1.配置文件

1
2
3
4
5
6
7
location ~ /
    {
    if ($http_user_agent ~* 'chrome')
            {
            return 403;
            }
    }

return 403deny all效果一样 if和()之间有空格 否则报错 这里是禁止Chrome浏览器访问

2.检查语法并加载配置文件

1
2
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

使用ie浏览器访问test2

使用Chrome访问test2

12.15 Nginx解析php相关配置

步骤

1.配置文件

1
2
3
4
5
6
7
location ~ \.php$
    {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /var/www/test2$fastcgi_script_name;
    }

fastcgi_pass必须和php-fpm.conf的监听方式一致,否则报错502 fastcgi_pass 127.0.0.1:9000; 使用ip端口方式监听 fastcgi_param SCRIPT_FILENAME 中的路径要和root的路径一致

2.检查语法并加载配置文件

1
2
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

1
2
3
4
[root@localhost ~]# vim /var/www/test2/test.php
<?php
phpinfo();
?>

成功解析PHP

注意事项:出现502页面

1
2
3
4
5
6
7
[root@localhost ~]# curl -x 127.0.0.1:80 test2.com/test.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 06:36:04 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive

1.fastcgi_pass中sock写错

1
fastcgi_pass unix:/tmp/php-fcgi1.sock;

这里/tmp/php-fcgi1.sock是没有的

1
2
[root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log
2018/06/09 14:36:04 [crit] 1705#0: *40 connect() to unix:/tmp/php-fcgi1.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test2.com, request: "HEAD HTTP://test2.com/test.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi1.sock:", host: "test2.com"

日志显示找到该sock

2.fastcgi_pass中的监听方式和php-fpm.conf中的监听方式不一致

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
;listen = /tmp/php-fcgi.sock
;listen.mode = 666
listen = 127.0.0.1:9000
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

这里php-fpm.conf监听方式是IP+端口

/usr/local/php-fpm/sbin/php-fpm -t 检查语句
service php-fpm restart 重启php-fpm服务

1
2018/06/09 14:52:48 [crit] 1768#0: *44 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test2.com, request: "HEAD HTTP://test2.com/test.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test2.com"

日志显示没找到该sock

3./tmp/php-fcgi.sock的权限不够

由于Nginx的用户是nobody 而php-fcgi.sock的用户是root 因此要想Nginx和php-fcgi.sock通讯,就必须要让php-fcgi.sock的其他用户拥有6的权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
;listen.mode = 666
;listen = 127.0.0.1:9000
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

这里把sock的权限给注释了

1
2018/06/09 15:08:18 [crit] 1963#0: *54 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test2.com, request: "HEAD HTTP://test2.com/test.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test2.com"

日志显示sock的权限不够 禁止访问

12.16 Nginx代理

Nginx可以做代理服务器。代理服务器可以让外网的用户访问到处在内网中的服务器,也可以通过代理服务器来加快访问速度。

步骤

1.配置文件

1
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/proxy.conf

新建个proxy.conf的配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://223.94.95.10/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server_name指要访问的web服务器的域名 proxy_pass指要访问的web服务器的IP地址 proxy_set_header Host 代理头的主机名,指server_name

2.检查语法并加载配置文件

1
2
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload

测试

使用本地IP来访问ask.apelearn.com 说明代理成功

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@localhost ~]# curl -x 127.0.0.1:80 ask.apelearn.com -I
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 09 Jun 2018 07:43:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ape__Session=5dj4jumegivdbfk609hbfedka7; path=/; domain=.apelearn.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
myheader: web1

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

欢迎光临<br><br>本博客是用来记录学习Linux Python Shell和Perl<br>谢谢大家