12.13 Nginx hotlink protection
This configuration has to be combined with the "do not log" and expiry-time settings, because all three are set in the same "location" block.
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;   # define a whitelist
    if ($invalid_referer) {   # if the referer is not in the whitelist
        return 403;           # return 403
    }
    access_log off;
}
~* means the match is case-insensitive
[root@aminglinux-02 ~]# curl -e "http://www.baidu.com/1.html" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:34:55 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@aminglinux-02 ~]# curl -e "http://www.test.com/1.html" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:35:20 GMT
Content-Type: image/gif
Content-Length: 66
Last-Modified: Fri, 11 Aug 2017 17:51:27 GMT
Connection: keep-alive
ETag: "598dee9f-42"
Expires: Mon, 21 Aug 2017 15:35:20 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Requesting with a www.baidu.com Referer returns 403; switching the Referer to www.test.com returns 200, which shows the hotlink protection is working.
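The decision nginx makes above can be modelled to see exactly which Referer values the four valid_referers entries accept. The script below is an added example, not part of the original notes and not nginx code; it assumes the vhost's server_name is test.com (the host used in the curl tests) and reimplements the documented semantics of none (header absent), blocked (header present but not starting with http:// or https://), server_names and the *.test.com wildcard, with scheme, port and path ignored as nginx does.

```python
import re
from urllib.parse import urlsplit

# Constructed mirror of the page's location block: protected extensions (~* = case-insensitive)
HOTLINK_RE = re.compile(
    r'^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$', re.I)
SERVER_NAMES = ['test.com']                                   # assumed server_name of the vhost
VALID_REFERERS = ['none', 'blocked', 'server_names', '*.test.com']


def _host_matches(host, pattern):
    """nginx wildcard rules: a leading '*.' or trailing '.*' is allowed in valid_referers."""
    if pattern.startswith('*.'):
        return host.endswith(pattern[1:])      # '*.test.com' matches 'www.test.com', not 'test.com'
    if pattern.endswith('.*'):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer):
    """True when nginx would set $invalid_referer for this Referer header value."""
    if not referer:                            # header absent: covered by 'none'
        return 'none' not in VALID_REFERERS
    low = referer.lower()
    if not low.startswith(('http://', 'https://')):   # mangled by a proxy/firewall: 'blocked'
        return 'blocked' not in VALID_REFERERS
    host = urlsplit(low).hostname or ''        # scheme, port and path are ignored by nginx
    for pat in VALID_REFERERS:
        if pat in ('none', 'blocked'):
            continue
        names = SERVER_NAMES if pat == 'server_names' else [pat]
        if any(_host_matches(host, n) for n in names):
            return False
    return True


def decide(uri, referer):
    """Status the page's block returns for a request URI carrying this Referer."""
    if not HOTLINK_RE.match(uri):
        return 200                             # not a protected file type, block not entered
    return 403 if invalid_referer(referer) else 200


if __name__ == '__main__':
    for uri, ref in [('/1.gif', 'http://www.baidu.com/1.html'),
                     ('/1.gif', 'http://www.test.com/1.html'),
                     ('/1.gif', None),
                     ('/1.gif', 'http://www.test.com.evil.example/')]:
        print(uri, ref, '->', decide(uri, ref))
```

Two points worth noticing when running it: a request with no Referer at all (plain curl without -e, a user typing the URL) is allowed because of none, and the wildcard is anchored at the end, so a host such as www.test.com.evil.example does not pass. The Referer header is entirely client-controlled, so this protects against casual embedding of images on other sites, not against a deliberate downloader.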
12.14 Nginx access control
By directory
location /admin/
{
    allow 192.168.133.1;   # whitelist
    allow 127.0.0.1;       # whitelist
    deny all;              # deny everything else
}
Rules are evaluated in order, line by line; as soon as one rule matches, the rest are not checked.
[root@aminglinux-02 ~]# curl -x127.0.0.1:80 test.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:54:51 GMT
Content-Type: application/octet-stream
Content-Length: 11
Last-Modified: Mon, 14 Aug 2017 15:54:48 GMT
Connection: keep-alive
ETag: "5991c7c8-b"
Accept-Ranges: bytes
[root@aminglinux-02 ~]# curl -x127.0.0.2:80 test.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:54:57 GMT
Content-Type: application/octet-stream
Content-Length: 11
Last-Modified: Mon, 14 Aug 2017 15:54:48 GMT
Connection: keep-alive
ETag: "5991c7c8-b"
Accept-Ranges: bytes
[root@aminglinux-02 ~]# cat /tmp/test.com.log
127.0.0.1 - [12/Aug/2017:01:48:01 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Aug/2017:01:50:13 +0800] test.com "/2.jsfsdfe" 404 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:47:09 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:51:10 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:51:26 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:52:59 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:53:08 +0800] test.com "/admin/1.php" 404 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:54:51 +0800] test.com "/admin/1.php" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:54:57 +0800] test.com "/admin/1.php" 200 "-" "curl/7.29.0"
Because both requests arrive at nginx from 127.0.0.1 (the log shows 127.0.0.1 for the -x127.0.0.2 request as well), access is allowed.
To test properly, add another IP to the ens34 interface, send the request through that IP, and look at the curl result.
[root@aminglinux-02 ~]# dhclient ens34
[root@aminglinux-02 ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.131  netmask 255.255.255.0  broadcast 192.168.133.255
        inet6 fe80::6e6a:61ff:f17c:5942  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c4:13:b8  txqueuelen 1000  (Ethernet)
        RX packets 19843  bytes 1420313 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4417  bytes 559642 (546.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.161.128  netmask 255.255.255.0  broadcast 192.168.161.255
        inet6 fe80::44fe:e11f:f99c:4de1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c4:13:c2  txqueuelen 1000  (Ethernet)
        RX packets 6  bytes 1490 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3412  bytes 606434 (592.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 174  bytes 14813 (14.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 14813 (14.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@aminglinux-02 ~]# curl -x192.168.161.128:80 test.com/admin/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:59:23 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
This proves the configuration works: a client IP that matches neither of the first two rules cannot open the page.
By specific URL
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
To make testing easier, create the required directory and files
[root@aminglinux-02 ~]# mkdir /data/wwwroot/test.com/upload
[root@aminglinux-02 ~]# cd !$
cd /data/wwwroot/test.com/upload
[root@aminglinux-02 upload]# vim 1.php
[root@aminglinux-02 upload]# vim 1.jpg
[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/upload/1.php
403 Forbidden
403 Forbidden
nginx/1.12.1
[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/upload/1.jpg
1.jpg
1.jpg
1.jpg
1.jpg
1.jpg
1.jpg
Restricting by user_agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
return 403 and deny all have the same effect
Test
[root@aminglinux-02 test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:23:57 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Because the match as configured is case-sensitive, a lower-case user agent is not caught:
[root@aminglinux-02 test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:24:04 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Thu, 10 Aug 2017 17:35:22 GMT
Connection: keep-alive
ETag: "598c995a-9"
Accept-Ranges: bytes
Change the match to case-insensitive
Before: if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
After:
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
Test
[root@aminglinux-02 test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:26:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@aminglinux-02 test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:26:34 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
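The three access-control snippets in this section (allow/deny by directory, deny by URL pattern, and the user_agent check with ~ versus ~*) can be evaluated together for a single request to see which rule fires. The following is an added example written for these notes, not nginx code: it models first-match allow/deny evaluation, and goes slightly beyond the page's config by accepting CIDR ranges in the rule list, which nginx also supports. The rule values and sample requests are constructed from the ones used above.

```python
import ipaddress
import re

# Constructed rule set mirroring the page's three access-control snippets.
ADMIN_RULES = [                      # location /admin/ { allow ...; allow ...; deny all; }
    ('allow', '192.168.133.1'),
    ('allow', '127.0.0.1'),
    ('deny', 'all'),
]
UPLOAD_PHP_RE = re.compile(r'.*(upload|image)/.*\.php$')   # location ~ ... { deny all; }
UA_PATTERN = 'Spider/3.0|YoudaoBot|Tomato'                  # if ($http_user_agent ~ '...')


def ip_allowed(client_ip, rules):
    """First matching allow/deny wins, exactly as nginx walks the list top to bottom.
    Rule values may be single addresses or CIDR ranges (generalisation of the page's config)."""
    addr = ipaddress.ip_address(client_ip)
    for action, spec in rules:
        if spec == 'all' or addr in ipaddress.ip_network(spec, strict=False):
            return action == 'allow'
    return True                      # nothing matched: nginx allows the request


def ua_blocked(user_agent, case_insensitive=False):
    """Model of `if ($http_user_agent ~ '...')` (~) or `~*` (case-insensitive).
    nginx regexes are unanchored, so 'Tomato' also matches 'TomatoBot/1.0', and the
    unescaped '.' in 'Spider/3.0' matches any character, not only a literal dot."""
    flags = re.I if case_insensitive else 0
    return re.search(UA_PATTERN, user_agent or '', flags) is not None


def decide(uri, client_ip, user_agent, ua_case_insensitive=False):
    """HTTP status the page's combined rules produce for one request."""
    if ua_blocked(user_agent, ua_case_insensitive):
        return 403
    if UPLOAD_PHP_RE.search(uri):
        return 403
    if uri.startswith('/admin/') and not ip_allowed(client_ip, ADMIN_RULES):
        return 403
    return 200


if __name__ == '__main__':
    # Constructed requests reproducing the curl tests from the notes.
    for req in [('/admin/1.php', '127.0.0.1', 'curl/7.29.0'),
                ('/admin/1.php', '192.168.161.128', 'curl/7.29.0'),
                ('/upload/1.php', '127.0.0.1', 'curl/7.29.0'),
                ('/index.html', '127.0.0.1', 'tomato')]:
        print(req, '->', decide(*req), 'or', decide(*req, ua_case_insensitive=True), 'with ~*')
```

The model also explains the 127.0.0.2 result seen earlier: the rules are matched against the source address of the TCP connection, and a connection to any 127.0.0.0/8 destination on the same host is sent from 127.0.0.1, so the first allow line matched both proxy addresses; only the extra address on ens34 exercised the deny line.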
12.15 Nginx PHP parsing configuration
Parsing PHP
Create a phpinfo file
[root@aminglinux-02 test.com]# pwd
/data/wwwroot/test.com
[root@aminglinux-02 test.com]# vim 3.php
[root@aminglinux-02 test.com]# cat 3.php
Check whether the server can parse PHP
[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/3.php
The PHP source code is returned as-is, so PHP is not being parsed
Modify the configuration
[root@aminglinux-02 test.com]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;   # if this path is wrong, the page shows 502
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;   # /data/wwwroot/test.com must match the root set in this configuration file
}
After changing the configuration, check the syntax and reload the service
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
Case studies:
1.
A wrong sock path makes the page return 502
[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/3.php
502 Bad Gateway
502 Bad Gateway
nginx/1.12.1
1. Check the nginx error log
If you are not sure where the error log is, look it up in nginx.conf
[root@aminglinux-02 test.com]# cat /usr/local/nginx/logs/nginx_error.log
2017/08/15 00:41:29 [crit] 5987#0: *26 connect() to unix:/tmp/php-fci.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fci.sock:", host: "test.com"
2. The message "No such file or directory" tells you the file or directory does not exist, so try looking for the php-fci.sock file
[root@aminglinux-02 test.com]# ls /tmp/php-fci.sock
ls: 无法访问/tmp/php-fci.sock: 没有那个文件或目录
3. Still no such file or directory, so the next step is to check whether the configured address is correct
[root@aminglinux-02 test.com]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock   ; compare this line: is the defined file the same as the missing one?
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
After comparing, the file names differ; now go back and check whether the nginx conf is correct
It turns out the virtual host configuration file is wrong; changing it back to the correct sock name restores service: fastcgi_pass unix:/tmp/php-fcgi.sock;
PS:
The listen = /tmp/php-fcgi.sock line in the PHP configuration is important: it decides whether nginx can parse PHP or returns 502.
- When the PHP configuration's listen uses a sock, the matching nginx configuration must use fastcgi_pass unix:/tmp/php-fcgi.sock;
- When the PHP configuration's listen uses IP plus port, "127.0.0.1:9000", the matching nginx configuration must be changed to fastcgi_pass 127.0.0.1:9000;
2.
If listen.mode = 666 in the php-fpm configuration is not set, the default 660 is used; with that default permission nginx cannot access the socket and produces 502
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
# listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@aminglinux-02 test.com]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
nginx accesses the PHP service as the nobody user by default. With 660 permissions and the socket owned by root:root, only root can use it, so when the nobody user tries to connect to the sock it fails and the result is a 502
[root@aminglinux-02 test.com]# !ls
ls -lhtr /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 8月 15 01:28 /tmp/php-fcgi.sock
[root@aminglinux-02 test.com]# !curl
curl -x127.0.0.1:80 test.com/3.php
502 Bad Gateway
502 Bad Gateway
nginx/1.12.1
That is why, when configuring php-fpm, listen.mode = 666 is set by default: it lets every user access and read the socket
3.
When php-fpm runs out of resources, it also returns 502
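The first two 502 cases above come down to two checks: does nginx's fastcgi_pass name the same backend as php-fpm's listen, and if it is a unix socket, can the nginx worker user reach it. The script below is an added example written for these notes (not part of nginx or php-fpm); it parses the relevant directives out of the two configuration texts and reports the mismatches the case studies describe. The configuration snippets inside it are constructed copies of the ones shown on the page; the php-fpm default of 0660 for an unset listen.mode is the documented default.

```python
import re

# Directives compared in the two case studies: nginx fastcgi_pass and php-fpm listen / listen.mode.
NGINX_PASS_RE = re.compile(r'^\s*fastcgi_pass\s+(\S+?)\s*;', re.M)
FPM_LISTEN_RE = re.compile(r'^\s*listen\s*=\s*(\S+)', re.M)
FPM_MODE_RE = re.compile(r'^\s*listen\.mode\s*=\s*(\d+)', re.M)


def fastcgi_target(nginx_conf):
    """Backend nginx connects to: a socket path (unix: prefix stripped) or host:port."""
    m = NGINX_PASS_RE.search(nginx_conf)
    if not m:
        return None
    target = m.group(1)
    return target[len('unix:'):] if target.startswith('unix:') else target


def fpm_listen(fpm_conf):
    """Value of `listen =` in the pool section: socket path or host:port."""
    m = FPM_LISTEN_RE.search(fpm_conf)
    return m.group(1) if m else None


def fpm_listen_mode(fpm_conf):
    """listen.mode as an int; php-fpm uses 0660 when the line is absent or commented out."""
    m = FPM_MODE_RE.search(fpm_conf)
    return int(m.group(1), 8) if m else 0o660


def diagnose(nginx_conf, fpm_conf):
    """Findings that explain a 502 between nginx and php-fpm (empty list = consistent)."""
    findings = []
    target = fastcgi_target(nginx_conf)
    listen = fpm_listen(fpm_conf)
    if target != listen:
        findings.append(f'backend mismatch: nginx fastcgi_pass {target!r} vs php-fpm listen {listen!r}')
    if listen and listen.startswith('/'):          # unix socket: file permissions decide access
        mode = fpm_listen_mode(fpm_conf)
        if mode & 0o006 != 0o006:
            findings.append(f'socket mode {mode:04o} blocks the nginx worker user (nobody) '
                            'unless listen.owner/listen.group are set to that user')
    return findings


# Constructed inputs reproducing case 1 (wrong socket name) and case 2 (listen.mode unset).
NGINX_BAD = r'''
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fci.sock;
    fastcgi_index index.php;
}
'''
NGINX_OK = NGINX_BAD.replace('php-fci.sock', 'php-fcgi.sock')
FPM_OK = '[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\nuser = php-fpm\n'
FPM_DEFAULT_MODE = '[www]\nlisten = /tmp/php-fcgi.sock\n# listen.mode = 666\nuser = php-fpm\n'

if __name__ == '__main__':
    for label, ng, fpm in [('case 1', NGINX_BAD, FPM_OK), ('case 2', NGINX_OK, FPM_DEFAULT_MODE),
                           ('fixed', NGINX_OK, FPM_OK)]:
        print(label, diagnose(ng, fpm) or ['no problem found'])
```

On the permissions point, 666 is the simplest fix and the one the notes use; php-fpm's listen.owner and listen.group settings let the socket stay 0660 while still being reachable by nginx's worker user, which keeps other local accounts from talking to php-fpm directly.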
12.16 Nginx proxy
Requirement:
Users need to reach a web server but, for various reasons, cannot reach it or reach it only very slowly (no route from a private network, access from inside China to a server abroad). So a proxy that can reach the web server is needed, and users go through that proxy server.
Solution:
Create the proxy server
[root@aminglinux-02 test.com]# cd /usr/local/nginx/conf/vhost
[root@aminglinux-02 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@aminglinux-02 vhost]# vim proxy.conf   # add the following content
server
{
    listen 80;
    server_name ask.apelearn.com;   # define the domain name
    location /
    {
        proxy_pass http://121.201.9.155/;   # address of the web server to proxy to
        proxy_set_header Host $host;   # the Host sent upstream is $host, i.e. server_name ask.apelearn.com
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The proxy server configuration has no root, because it is a proxy and does not need to access any files on the local server
After changing the configuration, check the syntax and reload the service
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -s reload
Test
[root@aminglinux-02 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@aminglinux-02 vhost]#
Connected successfully through the proxy
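The three proxy_set_header lines decide what the backend learns about the original client. The code below is an added example, not part of these notes or of nginx: it models what $host, $remote_addr and $proxy_add_x_forwarded_for produce for one request (including the case where the client already sends its own X-Forwarded-For, which nginx appends to rather than replaces), and shows the corresponding backend-side rule for recovering the client address. All header values and addresses in it are constructed.

```python
# Headers rewritten by the page's proxy.conf; anything the client sent under these names is replaced.
FORWARDED = ('host', 'x-real-ip', 'x-forwarded-for')


def upstream_headers(client_headers, remote_addr, server_name):
    """Headers the proxy sends to the backend for one request.
    $host is the request's Host header without port (falling back to server_name);
    $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the client sent."""
    incoming = {k.lower(): v for k, v in client_headers.items()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in FORWARDED}
    out['Host'] = incoming.get('host', server_name).split(':')[0].lower()
    out['X-Real-IP'] = remote_addr
    xff = incoming.get('x-forwarded-for')
    out['X-Forwarded-For'] = f'{xff}, {remote_addr}' if xff else remote_addr
    return out


def client_ip(xff_value, trusted_proxies):
    """Backend side: the real client is the rightmost X-Forwarded-For entry that is not
    one of our own proxies. Entries further left were supplied by the client itself and
    must not be used for access control or logging."""
    hops = [h.strip() for h in xff_value.split(',') if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return None


if __name__ == '__main__':
    # Constructed request: a client at 192.168.133.1 that also sends a forged X-Forwarded-For.
    sent = upstream_headers({'Host': 'ask.apelearn.com', 'X-Forwarded-For': '1.1.1.1'},
                            '192.168.133.1', 'ask.apelearn.com')
    print(sent)
    print('backend sees client as', client_ip(sent['X-Forwarded-For'], {'10.0.0.2'}))
```

X-Real-IP always carries the address of the hop that connected to this proxy, so a backend that sits directly behind it can rely on that header; X-Forwarded-For is a comma-separated chain in which only the entries added by proxies you control are trustworthy.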