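Tags: access control, hotlink protection, restricting PHP per directory, PHP support, restricting user agent
Purpose of nginx hotlink protection: stop other websites from referencing this site's image and video resources, which inflates our traffic and causes unnecessary cost.
For example, our site test.com hosts the image 1.gif, and site B references it as test.com/1.gif. Requests for our images go up and bandwidth use grows, but the number of users visiting test.com does not, so only the egress bandwidth cost increases.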
vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ; # whitelist is *.test.com; referers outside it are rejected. none and blocked also accept a missing or stripped Referer
if ($invalid_referer) {
return 403;
}
access_log off;
}
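Note: if the vhost already has a block that sets the static-file expiry time and turns off access logging, comment it out or delete it first, because this block duplicates it.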
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/2.doc -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:13:16 GMT
Content-Type: application/msword
Content-Length: 0
Last-Modified: Thu, 15 Mar 2018 10:12:05 GMT
Connection: keep-alive
ETag: "5aaa46f5-0"
Expires: Thu, 22 Mar 2018 10:13:16 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/2.doc -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:15:42 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Requirement: requests to the /admin/ directory are allowed only from a few specific IPs.
vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following:
location /admin/ # access rules for the /admin/ directory
{
allow 127.0.0.1; # allow 127.0.0.1
allow 192.168.188.1; # allow 192.168.188.1
deny all; # deny everyone else; the allow rules must come before deny all
}
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/admin/admin.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:38:25 GMT
Content-Type: text/html
Content-Length: 34
Last-Modified: Tue, 13 Mar 2018 12:25:30 GMT
Connection: keep-alive
ETag: "5aa7c33a-22"
Accept-Ranges: bytes
curl -x192.168.188.2:80 test.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:38:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*(abc|image)/.*\.php$
{
deny all;
}
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Requesting a PHP file under the restricted abc directory with curl returns 403 Forbidden:
curl -x127.0.0.1:80 test.com/abc/a.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 12:42:20 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
vim /usr/local/nginx/conf/vhost/test.com.conf
Code:
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Note: ~* means a case-insensitive match; ~ means match.
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Send a request with the user agent set to Tomato123; access is denied with 403:
curl -A "Tomato123" -x127.0.0.1:80 test.com/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 12:47:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
vim /usr/local/nginx/conf/vhost/test.com.conf
Code:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
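Note: fastcgi_pass unix:/tmp/php-fcgi.sock;
This socket path must be identical to the listen = /tmp/php-fcgi.sock setting in /usr/local/php-fpm/etc/php-fpm.conf;
otherwise nginx returns a 502 error.
If php-fpm.conf listens on an IP address and port instead of a socket, for example listen = 127.0.0.1:9000,
then test.com.conf must be changed to fastcgi_pass 127.0.0.1:9000;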
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
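nginx evaluates regex locations after prefix locations and lets a matching regex win, so with the blocks above a request such as /admin/admin.php is handled by the \.php$ block, where the allow/deny rules do not apply. The added example below (not from the original article) is a simplified Python model of nginx's documented location selection, run over the page's four location blocks in the order shown; the labels, the assumed file order and the ^~ variant are assumptions for illustration.

```python
import re

# The page's location blocks, in the order they appear on the page (assumed
# to be their order in test.com.conf). Tuple: (modifier, pattern, label).
PAGE_LOCATIONS = [
    ("~*", r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", "hotlink"),
    ("", "/admin/", "admin-allowlist"),
    ("~", r".*(abc|image)/.*\.php$", "php-deny"),
    ("~", r"\.php$", "php-fastcgi"),
]

def select_location(uri, locations):
    """Simplified model of nginx location selection for one request URI."""
    best = None  # longest matching prefix location seen so far
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label  # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best and best[0] == "^~":
        return best[2]  # ^~ suppresses the regex pass
    for mod, pat, label in locations:  # regexes: first match in file order wins
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return label
    return best[2] if best else None

def with_admin_prefix_priority(locations):
    """Hypothetical variant: /admin/ declared as 'location ^~ /admin/'."""
    return [("^~", p, l) if p == "/admin/" else (m, p, l) for m, p, l in locations]

if __name__ == "__main__":
    hardened = with_admin_prefix_priority(PAGE_LOCATIONS)
    for uri in ["/admin/admin.html", "/admin/admin.php", "/admin/logo.png",
                "/abc/a.php", "/1.html"]:
        print(f"{uri:20} page: {select_location(uri, PAGE_LOCATIONS)!s:16} "
              f"^~: {select_location(uri, hardened)}")
```

With the hypothetical ^~ variant, .php files under /admin/ no longer reach the \.php$ block, so a PHP location nested inside /admin/ would be needed for them to be executed rather than served as plain files.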
nginx hotlink protection + access control + restricting PHP execution in specified directories + PHP parsing support + restricting user_agent
Original article: http://blog.51cto.com/shuzonglu/2087374