
2018-04-26 Linux Study

Time: 2018-04-27 12:26:09

Tags: Linux study

12.13 Nginx hotlink protection

The configuration is as follows; it can be combined with the configuration above.

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

Procedure

[root@linux01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}

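# Superseded by the hotlink-protection location below: nginx uses the first
# matching regex location in file order, so leaving this block active would
# keep the referer check from ever running for these extensions.
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
#     expires 7d;
#     access_log off;
# }

location ~ .*\.(js|css)$
{
    expires 12h;
    access_log off;
}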

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

access_log /tmp/test.com.log combined_realip;

}

[root@linux01 ~]# touch /data/wwwroot/test.com/1.txt
[root@linux01 ~]# vim /data/wwwroot/test.com/1.txt
test fangdaolian

Test before reloading Nginx

[root@linux01 ~]# curl -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 10:37:00 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Fri, 20 Apr 2018 09:54:31 GMT
Connection: keep-alive
ETag: "5ad9b8d7-0"
Expires: Fri, 27 Apr 2018 10:37:00 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@linux01 ~]# curl -e "http://www.baidu.com/1.txt"  -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 10:37:40 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Fri, 20 Apr 2018 09:54:31 GMT
Connection: keep-alive
ETag: "5ad9b8d7-0"
Expires: Fri, 27 Apr 2018 10:37:40 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

Reload Nginx

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

Test after reloading Nginx

[root@linux01 ~]# curl -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 10:39:25 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Fri, 20 Apr 2018 09:54:31 GMT
Connection: keep-alive
ETag: "5ad9b8d7-0"
Expires: Fri, 27 Apr 2018 10:39:25 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[root@linux01 ~]# curl -e "http://www.baidu.com/1.txt"  -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 10:39:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@linux01 ~]# curl -e "http://www.test.com/1.txt"  -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 10:40:14 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Fri, 20 Apr 2018 09:54:31 GMT
Connection: keep-alive
ETag: "5ad9b8d7-0"
Expires: Fri, 27 Apr 2018 10:40:14 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

The two tests above show that hotlink protection is working.
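Added example, not part of the original post: a simplified Python model of the decision made by "valid_referers none blocked server_names *.test.com" for this vhost. It shows that the check compares the whole Referer host, and that requests with no Referer or a non-URL Referer pass, so the rule limits hotlinking but is not access control. Sample Referer values other than the two from the curl tests are constructed.

```python
from urllib.parse import urlsplit

# Values from the page's vhost: server_name line and the valid_referers wildcard.
SERVER_NAMES = {"test.com", "test2.com", "test3.com"}
WILDCARDS = ["*.test.com"]

def wildcard_match(host, pattern):
    """nginx-style name wildcard: '*.test.com' covers subdomains only."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def invalid_referer(referer):
    """True where this model expects $invalid_referer to be set (-> 403)."""
    if referer is None:
        return False        # "none": no Referer header at all
    if not referer.lower().startswith(("http://", "https://")):
        return False        # "blocked": value does not look like a URL
    host = (urlsplit(referer).hostname or "").lower()   # port is ignored
    if host in SERVER_NAMES:
        return False        # "server_names"
    return not any(wildcard_match(host, p) for p in WILDCARDS)

# Constructed Referer values, plus the two used in the curl tests above.
SAMPLES = [
    None,
    "http://www.baidu.com/1.txt",
    "http://www.test.com/1.txt",
    "https://test2.com:8443/page",
    "http://test.com.cdn.example/1.txt",
    "http://cdn.example/?u=http://www.test.com/",
    "-",
]

def evaluate(samples=SAMPLES):
    """Return (referer, expected HTTP status) for each sample."""
    return [(r, 403 if invalid_referer(r) else 200) for r in samples]

if __name__ == "__main__":
    for referer, status in evaluate():
        print(status, repr(referer))
```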

12.14 Nginx access control

Requirement: requests to the /admin/ directory are allowed only from a few specific IPs. The configuration is as follows:
location /admin/
{
allow 192.168.133.1;
allow 127.0.0.1;
deny all;
}

mkdir /data/wwwroot/test.com/admin/
echo "test,test" > /data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.133.130:80 test.com/admin/1.html -I

Procedure

[root@linux-01 test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}

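# Superseded by the hotlink-protection location below: nginx uses the first
# matching regex location in file order, so leaving this block active would
# keep the referer check from ever running for these extensions.
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
#     expires 7d;
#     access_log off;
# }

location ~ .*\.(js|css)$
{
    expires 12h;
    access_log off;
}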

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}   
location /admin/
{
    allow 127.0.0.1;
    allow 192.168.106.160;
    deny all;
}   

access_log /tmp/test.com.log combined_realip;

}

[root@linux-01 test.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-01 test.com]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-01 test.com]# curl -e "http://www.baidu.com/1.txt"  -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 27 Mar 2018 19:32:41 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Mon, 26 Mar 2018 21:02:38 GMT
Connection: keep-alive
ETag: "5ab95fee-13"
Accept-Ranges: bytes

[root@linux-01 test.com]# curl -x192.168.106.160:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 27 Mar 2018 19:34:01 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Mon, 26 Mar 2018 21:02:38 GMT
Connection: keep-alive
ETag: "5ab95fee-13"
Accept-Ranges: bytes

Regular expressions can also be matched:
location ~ .*(abc|image)/.*\.php$
{
    deny all;
}
Restricting by user_agent:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
deny all and return 403 have the same effect.

[root@linux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Continue adding to the configuration:
location ~ .*(upload|image)/.*\.php$
{
deny all;
}

[root@linux-01 ~]# mkdir /data/wwwroot/test.com/upload
[root@linux-01 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php

[root@linux01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
11111

[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>

[root@linux-01 ~]# echo "121212" > /data/wwwroot/test.com/upload/1.txt
[root@linux-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
121212

[root@linux-01 ~]# cat /tmp/test.com.log 
...............................................
127.0.0.1 - [20/Apr/2018:19:04:00 +0800] test.com "/upload/1.php" 200 "-" "curl/7.29.0"
127.0.0.1 - [20/Apr/2018:19:04:26 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [20/Apr/2018:19:06:34 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
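Added example, not part of the original post: a Python check over access-log lines in the layout shown above that reports .php requests under upload/image directories answered with a 2xx status, which means the deny rule was not in effect for that request. The first three log lines are the page's own output (the 200 at 19:04:00 is the request made before the reload); the fourth line is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Field layout as seen in /tmp/test.com.log on this page; the meaning of the
# second field is not defined on the page, so it is captured but not used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<f2>.*?) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Same pattern as the deny rule, applied case-insensitively to the decoded path.
SCRIPT_IN_UPLOAD = re.compile(r'.*(upload|image)/.*\.php$', re.I)

# First three lines are the page's log output; the last one is constructed.
LOG = '''\
127.0.0.1 - [20/Apr/2018:19:04:00 +0800] test.com "/upload/1.php" 200 "-" "curl/7.29.0"
127.0.0.1 - [20/Apr/2018:19:04:26 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [20/Apr/2018:19:06:34 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
192.168.106.1 - [20/Apr/2018:19:10:12 +0800] test.com "/image/2018/a.php?x=1" 200 "-" "Mozilla/5.0"
'''

def served_scripts(log_text):
    """Return (time, ip, uri, status) for .php requests under upload/image
    directories that were answered with a 2xx status instead of 403."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                      # not in the expected format
        path = unquote(urlsplit(m["uri"]).path)   # drop query, decode %xx
        if SCRIPT_IN_UPLOAD.match(path) and m["status"].startswith("2"):
            findings.append((m["time"], m["ip"], m["uri"], int(m["status"])))
    return findings

if __name__ == "__main__":
    for finding in served_scripts(LOG):
        print(*finding)
```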

Once added, the match is case-sensitive.

[root@linux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Continuing from above, add the following:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}

[root@linux01 ~]# curl -A "Tomatosljlas" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 13:51:44 GMT
Content-Type: text/plain
Content-Length: 7
Last-Modified: Fri, 20 Apr 2018 11:06:09 GMT
Connection: keep-alive
ETag: "5ad9c9a1-7"
Accept-Ranges: bytes

[root@linux01 ~]# curl -A "tomatosljlas" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 13:52:18 GMT
Content-Type: text/plain
Content-Length: 7
Last-Modified: Fri, 20 Apr 2018 11:06:09 GMT
Connection: keep-alive
ETag: "5ad9c9a1-7"
Accept-Ranges: bytes

[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -s reload

[root@linux01 ~]# curl -A "Tomatosljlas" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 13:53:02 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@linux01 ~]# curl -A "tomatosljlas" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 13:53:06 GMT
Content-Type: text/plain
Content-Length: 7
Last-Modified: Fri, 20 Apr 2018 11:06:09 GMT
Connection: keep-alive
ETag: "5ad9c9a1-7"
Accept-Ranges: bytes

Modify the if line, adding a * so that both upper and lower case are matched.

[root@linux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}

[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-01 ~]# curl -A "tomatosljlas" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Fri, 20 Apr 2018 13:58:17 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

12.15 Nginx configuration for parsing PHP

The configuration is as follows:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

fastcgi_pass specifies the address or socket that php-fpm listens on (check this when a 502 error occurs).

Procedure

[root@linux-01 ~]# vim /data/wwwroot/test.com/3.php
<?php
phpinfo();
[root@linux-01 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();

[root@linux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf

Continue adding the following to the configuration file:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-01 ~]# curl -x127.0.0.1:80 test.com/3.php   # displays the phpinfo output
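Added example, not part of the original post: a simplified Python model of nginx location selection (longest prefix first, then regex locations in file order; exact-match "=" locations are left out) applied to the locations this page adds to test.com.conf in 12.13 to 12.15. It shows why the upload deny block has to stay above the \.php$ block, and that /admin/*.php is handled by the \.php$ block rather than by the /admin/ allow/deny block. PHP_FIRST and ADMIN_CARET are hypothetical variants, not configurations from the page.

```python
import re

# (modifier, pattern, label) in file order, as the page builds test.com.conf.
PAGE_ORDER = [
    ("~*", r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$",
     "hotlink: valid_referers"),
    ("",   "/admin/", "admin: allow/deny"),
    ("~",  r".*(upload|image)/.*\.php$", "upload: deny all"),
    ("~",  r"\.php$", "php: fastcgi_pass"),
]

def select_location(uri, locations):
    """Label of the location this model expects nginx to use for uri."""
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":
        return best[2]                  # ^~ stops the regex search
    for mod, pattern, label in locations:
        if mod in ("~", "~*") and re.search(pattern, uri,
                                            re.I if mod == "~*" else 0):
            return label                # first regex in file order wins
    return best[2] if best else "server root"

# Hypothetical variants: \.php$ block moved to the top, and /admin/ as ^~.
PHP_FIRST = sorted(PAGE_ORDER, key=lambda l: l[2] != "php: fastcgi_pass")
ADMIN_CARET = [("^~",) + l[1:] if l[1] == "/admin/" else l for l in PAGE_ORDER]

PROBES = ["/upload/1.php", "/admin/1.php", "/admin/1.html", "/1.gif"]

def audit(locations, probes=PROBES):
    """Map each probe URI to the location that would handle it."""
    return {uri: select_location(uri, locations) for uri in probes}

if __name__ == "__main__":
    for name, conf in [("page order", PAGE_ORDER), ("php first", PHP_FIRST),
                       ("^~ /admin/", ADMIN_CARET)]:
        print(name, audit(conf))
```

With "^~ /admin/" the IP restriction applies to every URI under /admin/, but PHP files there are then served by that location, so a \.php$ block has to be nested inside it if scripts in /admin/ must execute.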

12.16 Nginx proxy

cd /usr/local/nginx/conf/vhost
vim proxy.conf    # add the following content
server
{
listen 80;
server_name ask.apelearn.com;

location /
{
    proxy_pass      http://121.201.9.155/;
    proxy_set_header Host   $host;
    proxy_set_header X-Real-IP      $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

}

Procedure

[root@linux-01 ~]# vim /usr/local/nginx/conf/vhost/proxy.conf

Write the following content:
server
{
listen 80;
server_name ask.apelearn.com;

location /
{
    proxy_pass      http://47.91.145.78/;
    proxy_set_header Host   $host;
    proxy_set_header X-Real-IP      $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

}

[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -s reload

The following two commands return the same result, so the proxy is configured successfully.
[root@linux-01 ~]# curl ask.apelearn.com/robots.txt
[root@linux-01 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt


Original article: http://blog.51cto.com/9298822/2108355
