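12.13 nginx hotlink protection

Hotlink protection, asset expiry times and disabling access logging all use the same location block, so they are written together.

Configuration: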

    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #       expires      7d;
    #       access_log off;
    # }
    # ~* makes the match case-insensitive for the keywords that follow (gif, jpg, ...)
    # .+ matches any single character one or more times
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        # Defines the referer whitelist: none allows requests without a Referer header,
        # blocked allows a Referer whose value was stripped by a proxy or firewall,
        # followed by the allowed server names
        valid_referers none blocked server_names *.test.com;
        # $invalid_referer means the referer is not valid; when it matches, return 403
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
    #      expires     12h;
        access_log off;
    }

Test:

[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 -e "http://www.baidu.com" test.com/1.gif

<html>

<head><title>403 Forbidden</title></head>

<body bgcolor="white">

<center><h1>403 Forbidden</h1></center>

<hr><center>nginx/1.12.2</center>

</body>

</html>

[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 -e "http://www.test.com" test.com/1.gif -I

HTTP/1.1 200 OK

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 13:55:38 GMT

Content-Type: image/gif

Content-Length: 11

Last-Modified: Tue, 14 Aug 2018 23:37:40 GMT

Connection: keep-alive

ETag: "5b7367c4-b"

Expires: Thu, 23 Aug 2018 13:55:38 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

With the referer www.baidu.com the status code is 403; with www.test.com it is 200.

12.14 nginx access control

Per-directory configuration:

[root@hyc-01-01 test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf

    location ~ .*\.(js|css)$
    {
    #      expires     12h;
        access_log off;
    }
    location /admin/
    {
        # For URLs matching /admin/ the rules are applied in order: the allow entries first, then deny all.
        # Once one rule matches, the rules below it are not checked.
        allow 127.0.0.1;
        allow 192.168.31.129;
        deny all;
    }
    location  ~ admin.php
    {
        auth_basic          "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }

Test:

[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -s reload

[root@hyc-01-01 admin]# curl -x127.0.0.1:80 http://test.com/admin/index.html -I

HTTP/1.1 200 OK

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 14:42:32 GMT

Content-Type: text/html

Content-Length: 23

Last-Modified: Mon, 13 Aug 2018 23:46:22 GMT

Connection: keep-alive

ETag: "5b72184e-17"

Accept-Ranges: bytes

[root@hyc-01-01 admin]# curl -x192.168.31.129:80 http://test.com/admin/index.html -I

HTTP/1.1 200 OK

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 14:42:35 GMT

Content-Type: text/html

Content-Length: 23

Last-Modified: Mon, 13 Aug 2018 23:46:22 GMT

Connection: keep-alive

ETag: "5b72184e-17"

Accept-Ranges: bytes

[root@hyc-01-01 admin]# tail -2 /tmp/test.com.log

127.0.0.1 - [16/Aug/2018:22:42:32 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"

192.168.31.129 - [16/Aug/2018:22:42:35 +0800] test.com "/admin/index.html" 200 "-" "curl/7.29.0"

[root@hyc-01-01 admin]# curl -x192.168.100.1:80 http://test.com/admin/index.html -I

HTTP/1.1 403 Forbidden

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 14:48:56 GMT

Content-Type: text/html

Content-Length: 169

Connection: keep-alive

[root@hyc-01-01 admin]# tail -1 /tmp/test.com.log

192.168.100.1 - [16/Aug/2018:22:48:56 +0800] test.com "/admin/index.html" 403 "-" "curl/7.29.0

Regex-based configuration:

[root@hyc-01-01 admin]# vim /usr/local/nginx/conf/vhost/test.com.conf

    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.31.129;
        deny all;
    }
    # Matches URLs made of any characters, then upload or image, then /, then any characters, ending in .php
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

Test:

[root@hyc-01-01 admin]# /usr/local/nginx/sbin/nginx -s reload

[root@hyc-01-01 admin]# curl -x127.0.0.1:80 http://test.com/upload/test.php -I

HTTP/1.1 403 Forbidden

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 15:07:06 GMT

Content-Type: text/html

Content-Length: 169

Connection: keep-alive

[root@hyc-01-01 upload]# curl -x127.0.0.1:80 http://test.com/upload/test.txt -I

HTTP/1.1 200 OK

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 15:12:59 GMT

Content-Type: text/plain

Content-Length: 20

Last-Modified: Thu, 16 Aug 2018 15:12:36 GMT

Connection: keep-alive

ETag: "5b759464-14"

Accept-Ranges: bytes

[root@hyc-01-01 upload]# tail -1 /tmp/test.com.log

127.0.0.1 - [16/Aug/2018:23:14:33 +0800] test.com "/upload/test.txt" 200 "-" "curl/7.29.0"
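nginx tests regex locations in the order they appear in the file and uses the first one that matches, so the deny rule above only protects the upload directories if it sits before the `location ~ \.php$` handler configured in 12.15. The following is an added example, not part of the original post; it reuses the page's paths and socket and shows both orderings.

```nginx
# Added example, not from the original post. Paths and the socket are the page's values.
# Both fragments belong inside the test.com server block; use one or the other.

# --- Ordering that defeats the deny rule ---
# /upload/test.php ends in .php, so the first regex location matches, the
# request is handed to php-fpm, and the deny block below is never reached.
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}

# --- Ordering that enforces it ---
# The deny block comes first, so /upload/test.php returns 403 before the
# generic PHP handler is considered. All other .php URLs fall through to it.
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
```

Once the PHP handler from 12.15 is in place, repeat the check `curl -x127.0.0.1:80 http://test.com/upload/test.php -I` and confirm it still returns 403.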

user_agent-based configuration:

[root@hyc-01-01 upload]# vim /usr/local/nginx/conf/vhost/test.com.conf

    # Writing ~* instead of ~ after $http_user_agent makes the match case-insensitive
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

Test:

[root@hyc-01-01 upload]# /usr/local/nginx/sbin/nginx -s reload

[root@hyc-01-01 upload]# curl -A "Spider/3.0" -x127.0.0.1:80 http://test.com/upload/test.txt -I

HTTP/1.1 403 Forbidden

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 15:26:28 GMT

Content-Type: text/html

Content-Length: 169

Connection: keep-alive

[root@hyc-01-01 upload]# curl -A "Spidor/3.0" -x127.0.0.1:80 http://test.com/upload/test.txt -I

HTTP/1.1 200 OK

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 15:26:50 GMT

Content-Type: text/plain

Content-Length: 20

Last-Modified: Thu, 16 Aug 2018 15:12:36 GMT

Connection: keep-alive

ETag: "5b759464-14"

Accept-Ranges: bytes

12.15 nginx configuration for parsing PHP

Configuration:

[root@hyc-01-01 vhost]# vim test.com.conf

    location ~ \.php$
    {
        include fastcgi_params;
        # Location of the php-fpm socket file. A wrong socket address can produce a 502 error;
        # the socket path or ip:port given here must match the one php-fpm listens on.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        # The /data/wwwroot/test.com path must be the same as root in the server block
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

Test:

[root@hyc-01-01 test.com]# curl -x127.0.0.1:80 test.com/3.php

<?php

phpinfo()    (the PHP file is not parsed)

[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@hyc-01-01 test.com]# !curl

curl -x127.0.0.1:80 test.com/3.php -I

HTTP/1.1 200 OK

Server: nginx/1.12.2

Date: Thu, 16 Aug 2018 23:57:48 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

X-Powered-By: PHP/5.6.30

php-fpm also supports -t and -s reload

[root@hyc-01-01 etc]# vim php-fpm.conf

[global]

pid = /usr/local/php-fpm/var/run/php-fpm.pid

error_log = /usr/local/php-fpm/var/log/php-fpm.log

[www]

listen = /tmp/php-fcgi.sock

#listen = 127.0.0.1:9000

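listen.mode = 666    ; gives all users read and write permission on the php socket file (/tmp/php-fcgi.sock); without read and write permission the nginx user cannot read the socket, so it cannot communicate with php-fpm and PHP is not parsed correctly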

user = php-fpm

group = php-fpm

pm = dynamic

pm.max_children = 50

pm.start_servers = 20

12.16 nginx代理

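The web server has only a private IP address and cannot be reached directly;

The proxy server must be able to reach both the users and the web server (two network interfaces);

The proxy server accesses the web server on the user's behalf and returns the result to the user once the request completes;

Users may be able to reach the remote web server, but direct access from their location is too slow. In that case a proxy server can be used as a relay: users reach the proxy quickly and the proxy reaches the remote web server quickly, so access through the proxy ends up faster than direct access;

Configuration: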

[root@hyc-01-01 vhost]# pwd

/usr/local/nginx/conf/vhost

[root@hyc-01-01 vhost]# vim proxy.conf

    server
    {
        listen 80;
        # The domain to be accessed
        server_name ask.apelearn.com;
        location /
        {
            # Tells the proxy server the real server's IP address
            proxy_pass http://223.94.95.10/;
            # Header information:
            #   Host $host: the domain being accessed is the server_name
            #   X-Real-IP $remote_addr
            #   X-Forwarded-For $proxy_add_x_forwarded_for
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Test:

[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@hyc-01-01 vhost]# curl ask.apelearn.com/robots.txt

[root@hyc-01-01 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt

The test succeeds.
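With this proxy in front of it, a backend sees every request as coming from the proxy's address, so `allow`/`deny` rules like those in 12.14 would be checked against the proxy instead of the client. The following added example (not from the original post) restores the client address on the backend from the X-Real-IP header set above. It assumes nginx was built with `--with-http_realip_module`, and 192.0.2.10 is a placeholder for the proxy's address.

```nginx
# Added example, not from the original post: server block on the backend.
# Assumptions: nginx built with --with-http_realip_module; 192.0.2.10 is a
# placeholder for the proxy's address as seen by the backend.
server
{
    listen 80;
    server_name ask.apelearn.com;

    # Accept X-Real-IP only when the connection comes from the proxy.
    # Requests from any other address keep their real connection address,
    # so a client cannot choose its own source IP by sending the header.
    set_real_ip_from 192.0.2.10;
    real_ip_header X-Real-IP;

    location /admin/
    {
        # Evaluated against the client address restored above,
        # not against the proxy's address.
        allow 192.168.31.129;
        deny all;
    }
}
```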

Reposted from: https://blog.51cto.com/12216458/2161380
