LNMP architecture (Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, Nginx proxy)

Keywords: Nginx PHP curl Windows

Nginx hotlink protection (anti-leech)

1. Edit the virtual host file /usr/local/nginx/conf/vhost/test.com.conf and add the following code

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ; #Here the server_names configuration can be omitted
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

2. Check the configuration file and reload it

/usr/local/nginx/sbin/nginx -t #Check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload #Reload configuration file

3. Testing the hotlink protection

Referer test with curl (-e sets the Referer header; -x sends the request through 127.0.0.1:80 so the name test.com does not need to resolve):

curl -e "http://www.baidu.com/123.txt" -x127.0.0.1:80 -I test.com/test.jpg

Result: a 403 means the request was refused because the Referer is not on the valid_referers list. Keep in mind what this does and does not protect: the Referer header is supplied by the client, so a request that carries no Referer passes (that is what none allows), and a client that sets Referer to a test.com URL passes as well. It stops other sites from embedding your files; it is not an access control against a deliberate attacker.

[root@yolks2 ~]# curl -e "http://www.baidu.com/123.txt" -x127.0.0.1:80 -I test.com/test.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.6.3
Date: Thu, 16 Aug 2018 12:42:14 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
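To see which Referer values the valid_referers line above accepts, here is a small Python model of nginx's referer check, added for this page (it is not nginx's code, and it ignores the optional URI prefix a pattern may carry). The server_name values test.com and www.test.com are an assumption, because the vhost's server_name line is not shown on the page; the Referer samples are constructed.

```python
import re

# Simplified model of nginx's valid_referers check (ngx_http_referer_module),
# added as an example for this page; it is not nginx code.
# Assumed server_name entries of the vhost (not shown on the page).
SERVER_NAMES = ("test.com", "www.test.com")
# The directive from the vhost: valid_referers none blocked server_names *.test.com;
VALID_REFERERS = ("none", "blocked", "server_names", "*.test.com")


def _host_matches(host, pattern):
    """Match a lower-cased host against one valid_referers name pattern."""
    pattern = pattern.lower()
    if pattern.startswith("*."):          # *.test.com: subdomains only
        return host.endswith(pattern[1:])
    if pattern.startswith("."):           # .test.com: the domain and its subdomains
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.endswith(".*"):            # www.test.*: any top-level domain
        return host.startswith(pattern[:-1])
    return host == pattern                # exact host (URI prefixes are ignored here)


def invalid_referer(referer, patterns=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would set $invalid_referer, i.e. the location returns 403."""
    if not referer:                       # header absent (empty treated the same)
        return "none" not in patterns
    low = referer.lower()
    if low.startswith("http://"):
        rest = low[len("http://"):]
    elif low.startswith("https://"):
        rest = low[len("https://"):]
    else:                                 # no scheme: stripped by a proxy or firewall
        return "blocked" not in patterns
    host = re.split(r"[/:]", rest, maxsplit=1)[0]   # host part only, like nginx
    names = [p for p in patterns if p not in ("none", "blocked", "server_names")]
    if "server_names" in patterns:
        names.extend(server_names)
    return not any(_host_matches(host, p) for p in names)


def decide(referer):
    """HTTP status the location block would answer with for this Referer."""
    return 403 if invalid_referer(referer) else 200


if __name__ == "__main__":
    # Constructed Referer values, including the curl test from the page.
    samples = [
        None,                                 # no Referer: direct visit, plain curl -I
        "http://www.baidu.com/123.txt",       # the page's curl -e test
        "http://www.test.com/gallery.html",   # our own site
        "http://TEST.COM/",                   # accepted via server_names, case-insensitive
        "www.test.com/page",                  # scheme removed: accepted via blocked
        "http://test.com.evil.example/",      # host is not ours despite the substring
        "http://evil.example/?u=http://www.test.com/",
    ]
    for r in samples:
        print(f"{decide(r)}  Referer: {r!r}")
```

Running it prints 403 for the baidu Referer from the curl test and 200 for a missing Referer, a scheme-less Referer (blocked) and any host under test.com; the last two samples show why nginx compares the host part of the URL rather than searching the whole string.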

Nginx access control

Requirement: only a few IP addresses may access the /admin/ directory, so that a one-line PHP webshell (the "one-sentence Trojan" of the original) placed there cannot be reached from anywhere else

1. Edit the virtual host file /usr/local/nginx/conf/vhost/test.com.conf and add the following code

location /admin/
{
    allow 192.168.248.129; #Host ip
    allow 127.0.0.1; #Local host
    deny all;
}

nginx checks the rules in the order they are written and the first rule that matches the client address decides, so the allow lines must come before deny all; written the other way round, deny all matches first and nobody gets in. The address compared is $remote_addr, the TCP peer, which has two consequences worth knowing. Behind a reverse proxy the peer is the proxy, so all requests would be allowed or denied together unless the realip module tells nginx which header carries the client address. And this is a prefix location: once the location ~ \.php$ block from the PHP parsing section exists, a request such as /admin/index.php is matched by that regex location instead (a matching regex location takes precedence over a plain prefix match) and these rules do not apply to it. If the admin directory contains PHP, declare it as location ^~ /admin/ and nest the PHP handler inside it.

2. Check the configuration file and reload it

/usr/local/nginx/sbin/nginx -t #Check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload #Reload configuration file

3. Testing

Add test.com to the hosts file on the Windows machine and open port 80 in the Linux firewall:

Add the rule

iptables  -I  INPUT  -p  tcp  --dport  80  -j  ACCEPT

Access from a Windows browser:

Then view the log on Linux with cat /tmp/test.com.log: because the IP of the Windows machine is not on the whitelist, the request is denied and logged with status 403.
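The following Python model of allow/deny evaluation, added here as an example rather than taken from nginx, shows the first-match rule and includes a small lint that reports rules shadowed by an earlier one (the mistake of writing deny all first). It uses the two addresses from the configuration above; the CIDR case goes beyond the page's example and is constructed.

```python
import ipaddress

# Model of nginx's allow/deny evaluation (ngx_http_access_module) for the
# /admin/ location above. Added example for this page, not nginx code.
# Rules are (action, network) pairs in the order they appear in the config.
ADMIN_RULES = [
    ("allow", "192.168.248.129"),  # host ip from the page
    ("allow", "127.0.0.1"),        # local host
    ("deny", "all"),
]


def _network(spec):
    """'all' covers every address; otherwise an IP or CIDR, as nginx accepts."""
    if spec == "all":
        return None
    return ipaddress.ip_network(spec, strict=False)


def _matches(net, addr):
    return net is None or (addr.version == net.version and addr in net)


def access_allowed(remote_addr, rules):
    """First matching rule wins; when nothing matches nginx allows the request.

    nginx compares $remote_addr, the TCP peer, so behind a reverse proxy this
    is the proxy's address unless the realip module has been configured.
    """
    addr = ipaddress.ip_address(remote_addr)
    for action, spec in rules:
        if _matches(_network(spec), addr):
            return action == "allow"
    return True


def status_for(remote_addr, rules=ADMIN_RULES):
    """403 is what nginx returns for a denied request."""
    return 200 if access_allowed(remote_addr, rules) else 403


def shadowed_rules(rules):
    """Lint: indexes of rules that can never match because an earlier rule
    already covers their whole network (for example anything after deny all)."""
    out = []
    for i, (_, spec) in enumerate(rules):
        net = _network(spec)
        for _, earlier in rules[:i]:
            enet = _network(earlier)
            if enet is None or (net is not None and net.version == enet.version
                                and net.subnet_of(enet)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    for ip in ("192.168.248.129", "127.0.0.1", "192.168.248.130"):
        print(ip, status_for(ip))
    # The same rules with deny all written first: everything is refused and
    # the two allow lines are dead, which the lint reports as indexes 1 and 2.
    wrong_order = [ADMIN_RULES[2], ADMIN_RULES[0], ADMIN_RULES[1]]
    print(status_for("192.168.248.129", wrong_order), shadowed_rules(wrong_order))
```

The whitelisted host and localhost get 200 and any other address gets 403; with deny all moved to the top even the whitelisted host gets 403, and the lint flags both allow lines as unreachable.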

4. Forbid PHP parsing in a specific directory (such as upload). The key code is as follows:

1) File: /usr/local/nginx/conf/vhost/test.com.conf

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

2) Check the configuration file and reload it

/usr/local/nginx/sbin/nginx -t #Check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload #Reload configuration file
3) Create the upload/ directory under /data/wwwroot/test.com/ and a test PHP file in it
[root@yolks2 ~]# mkdir /data/wwwroot/test.com/upload #Create the corresponding directory
[root@yolks2 ~]# echo "test upload php" >> /data/wwwroot/test.com/upload/testphp.php #Create test files

4) Test

If this location is commented out, the PHP file is still not executed at this point; a browser would download the file instead, because the configuration that hands PHP to php-fpm has not been added yet (see the Nginx PHP parsing configuration section). Once that location ~ \.php$ block exists, the deny block above must be placed before it in the file: regex locations are tried in the order they appear and the first match wins, so with the order reversed a PHP file in upload/ would be executed. The deny regex also covers path-info style URIs such as /upload/pic.jpg/x.php, which end in .php and would otherwise reach the PHP handler.

Create a txt file and test again (the request for it should still return 200, since only .php under the directory is denied):

echo "test123" >> /data/wwwroot/test.com/upload/test123.txt
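Which location block answers a request is the whole question for this deny rule, so here is an added Python model (not nginx code) of nginx's location selection, loaded with the four blocks this vhost ends up with in file order: the hotlink regex, the /admin/ prefix, the deny rule above, and the location ~ \.php$ block from the PHP parsing section. Exact (=) locations are not modelled, and the URIs are constructed.

```python
import re

# Added example for this page (not nginx code): a model of how nginx picks
# the location for a URI, using the four blocks this vhost ends up with.
# Each entry: (modifier, pattern, label). Order is the order in the file.
VHOST_LOCATIONS = [
    ("~*", r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", "hotlink-check"),
    ("", "/admin/", "admin-whitelist"),
    ("~", r".*(upload|image)/.*\.php$", "deny-php-in-upload"),
    ("~", r"\.php$", "php-fpm"),   # added in the PHP parsing section
]


def select_location(uri, locations):
    """Label of the location nginx would use for this URI.

    Prefix locations: the longest matching prefix is remembered, and ^~ stops
    the search there. Otherwise regex locations are tried in file order and
    the first match wins; only if none matches is the remembered prefix used.
    """
    best = None            # (label, modifier) of the longest matching prefix
    best_len = -1
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat) and len(pat) > best_len:
            best, best_len = (label, mod), len(pat)
    if best and best[1] == "^~":
        return best[0]
    for mod, pat, label in locations:
        if mod == "~" and re.search(pat, uri):
            return label
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return label
    return best[0] if best else "default"   # default: served as a static file


if __name__ == "__main__":
    for uri in ("/upload/testphp.php", "/upload/pic.jpg/x.php", "/upload/test123.txt",
                "/test.jpg", "/admin/", "/admin/index.php"):
        print(f"{uri:24} -> {select_location(uri, VHOST_LOCATIONS)}")
    # Same blocks with the deny rule written after the php handler: the
    # webshell in upload/ is now handed to php-fpm.
    swapped = VHOST_LOCATIONS[:2] + [VHOST_LOCATIONS[3], VHOST_LOCATIONS[2]]
    print("deny after php:", select_location("/upload/testphp.php", swapped))
    # ^~ on the admin prefix keeps /admin/*.php under the IP whitelist (the
    # php handler then has to be nested inside that block to run PHP there).
    fixed = [("^~", "/admin/", "admin-whitelist")] + \
            [loc for loc in VHOST_LOCATIONS if loc[2] != "admin-whitelist"]
    print("^~ /admin/:", select_location("/admin/index.php", fixed))
```

Three things it shows: the upload/ webshell and a path-info URI like /upload/pic.jpg/x.php both land in the deny block; moving the deny block behind the PHP block hands the webshell to php-fpm; and /admin/index.php is routed to php-fpm rather than to the whitelisted /admin/ prefix unless the prefix is declared with ^~.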

5. Restricting by User-Agent

1) Add the following configuration (an if block like this may sit in the server or in a location context)

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}
2) Check the configuration file and reload it
/usr/local/nginx/sbin/nginx -t #Check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload #Reload configuration file

3) Test

[root@yolks2 ~]# curl -x127.0.0.1:80 test.com/upload/test123.txt -I
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Thu, 16 Aug 2018 14:37:31 GMT
Content-Type: text/plain
Content-Length: 8
Last-Modified: Thu, 16 Aug 2018 14:29:50 GMT
Connection: keep-alive
ETag: "5b758a5e-8"
Accept-Ranges: bytes

[root@yolks2 ~]# curl -A "Tomatoshksjskskj" -x127.0.0.1:80 test.com/upload/test123.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.6.3
Date: Thu, 16 Aug 2018 14:38:05 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

The match above is case-sensitive (the curl test passes only because the string begins with Tomato exactly as written). For a case-insensitive match, change the operator from ~ to ~*:

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato') #~* makes the regex case-insensitive
{
      return 403;
}

As with the Referer, the User-Agent is whatever the client chooses to send, so this keeps out crawlers that identify themselves and nothing more.

Nginx PHP parsing configuration

At this point, because the parsing configuration has not been added yet, PHP files are not executed. Create a file in the /data/wwwroot/test.com/ directory for testing:

Create test0816.php with the following content:

<?php
echo "this is test php page!";
?>

PHP returns 502: cause and solution

1. Edit the virtual host file /usr/local/nginx/conf/vhost/test.com.conf and add the following code

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock; #A missing or wrong address here gives 502 Bad Gateway, because nginx cannot reach php-fpm.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

The /tmp/php-fcgi.sock in the above configuration has to be the very socket that php-fpm is configured to listen on (the listen directive of the pool in the php-fpm configuration file); if the two differ, nginx has nobody to pass the request to.

/data/wwwroot/test.com$fastcgi_script_name is the document root followed by the requested script path; it is the file php-fpm will execute, so the directory must be the real site root. Writing $document_root$fastcgi_script_name instead avoids repeating the path from the server block.

2. Check the configuration file and reload it

/usr/local/nginx/sbin/nginx -t #Check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload #Reload configuration file

3. Test: 502

[root@yolks2 ~]# curl -x127.0.0.1:80 test.com/test0816.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.6.3</center>
</body>
</html>

Check the nginx error log for the reason the connection to php-fpm failed.

Solution: change fastcgi_pass to the IP address and port that php-fpm is actually listening on (the value of its listen directive, for example 127.0.0.1:9000 if that is what the pool uses) instead of the unix socket, then check and reload as above.

Access from Windows:
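The 502 above is what you get when fastcgi_pass names a socket nobody is listening on. The following Python check, an added example and not part of the LNMP setup, parses a constructed nginx vhost fragment and a constructed php-fpm pool configuration and reports fastcgi_pass targets that have no matching listen line; the pool values are assumed for the example.

```python
import re

# Added example for this page (not part of the original LNMP setup): check
# that fastcgi_pass in the nginx vhost points at what php-fpm's pool really
# listens on, which is the usual cause of the 502 shown above.
# Both configuration texts are constructed samples.
NGINX_VHOST = r"""
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
"""

PHP_FPM_POOL = """
[www]
user = php-fpm
group = php-fpm
listen = 127.0.0.1:9000
listen.mode = 0666
pm = dynamic
"""


def normalise_target(spec):
    """Bring nginx and php-fpm address spellings to one comparable form:
    ('unix', path) or ('tcp', host, port)."""
    if spec.startswith("unix:"):
        return ("unix", spec[len("unix:"):])
    if spec.startswith("/"):                  # php-fpm accepts a bare socket path
        return ("unix", spec)
    if spec.isdigit():                        # php-fpm: port only, all interfaces
        return ("tcp", "0.0.0.0", int(spec))
    host, _, port = spec.rpartition(":")
    if host == "localhost":                   # nginx resolves the name at start-up
        host = "127.0.0.1"
    return ("tcp", host, int(port))


def nginx_fastcgi_targets(text):
    """Every fastcgi_pass target in an nginx config."""
    return [normalise_target(m.group(1))
            for m in re.finditer(r"^\s*fastcgi_pass\s+([^;\s]+)\s*;", text, re.M)]


def php_fpm_listen(text):
    """The listen value of each php-fpm pool (listen.mode etc. are skipped)."""
    return [normalise_target(m.group(1))
            for m in re.finditer(r"^\s*listen\s*=\s*(\S+)", text, re.M)]


def upstream_mismatches(nginx_text, pool_text):
    """fastcgi_pass targets with no php-fpm pool listening on them;
    an empty list means every upstream has a listener."""
    listening = set(php_fpm_listen(pool_text))
    return [t for t in nginx_fastcgi_targets(nginx_text) if t not in listening]


if __name__ == "__main__":
    for target in upstream_mismatches(NGINX_VHOST, PHP_FPM_POOL):
        print("502 candidate: nginx passes to", target,
              "but php-fpm listens on", php_fpm_listen(PHP_FPM_POOL))
    # After pointing fastcgi_pass at the pool's address the check is clean.
    fixed = NGINX_VHOST.replace("unix:/tmp/php-fcgi.sock", "127.0.0.1:9000")
    print("mismatches after fix:", upstream_mismatches(fixed, PHP_FPM_POOL))
```

The check is static: php-fpm not running at all, or a unix socket created with a listen.mode that the nginx worker user cannot open, produces the same 502, and those cases only show up in the nginx error log.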

Nginx proxy

Enter the /usr/local/nginx/conf/vhost directory and create the new file proxy.conf

cd /usr/local/nginx/conf/vhost/ #Entering directory
vim proxy.conf #Edit file

1. The configuration:

server
{
    listen 80;
    server_name ask.apelearn.com; #The domain name this proxy answers for

    location /
    {
        proxy_pass      http://223.94.95.10/; #The backend that really serves the site
        proxy_set_header Host   $host; #$host is the Host header of the request, i.e. the server_name above, so the backend can select the right virtual host
        proxy_set_header X-Real-IP      $remote_addr; #Client address as seen by this nginx
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Incoming X-Forwarded-For, if any, with $remote_addr appended
    }
}
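Because the proxy above forwards the client address in X-Real-IP and X-Forwarded-For, the backend has to decide how far to trust those headers: a client can put anything into X-Forwarded-For before the request reaches nginx, and $proxy_add_x_forwarded_for only appends to it. This added Python example (not nginx code) builds the header the way that directive does and then picks the client address the way ngx_http_realip_module does with real_ip_recursive on, skipping only proxies on a trusted list. The addresses and the trusted networks are assumptions for the example.

```python
import ipaddress

# Added example for this page, not nginx code. Models what the proxy block
# does to X-Forwarded-For and how a backend should pick the client address.
# The trusted proxy networks are an assumption for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.1/32")]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """What nginx sends upstream for $proxy_add_x_forwarded_for: the
    X-Forwarded-For header it received, if any, with $remote_addr appended."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def _trusted(addr, trusted):
    return any(addr in net for net in trusted if net.version == addr.version)


def naive_client_ip(xff):
    """The common mistake: believe the leftmost X-Forwarded-For entry."""
    return xff.split(",")[0].strip()


def real_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Client address as ngx_http_realip_module derives it with
    real_ip_header X-Forwarded-For and real_ip_recursive on: walk the hop
    chain from the right (the TCP peer), skip hops that are trusted proxies
    and stop at the first hop that is not; everything left of it was written
    by that hop and is unverified. If every hop is trusted the leftmost entry
    is used; a malformed entry ends the walk at the previous good hop."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(remote_addr)
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break
        candidate = hop
        if not _trusted(addr, trusted):
            break
    return candidate


if __name__ == "__main__":
    proxy, client, admin_ip = "10.0.0.2", "203.0.113.7", "192.168.248.129"
    # Honest client: nginx appends the peer address, the backend recovers it.
    xff = proxy_add_x_forwarded_for("", client)
    print(xff, "->", real_client_ip(proxy, xff))
    # Spoofing client pre-fills the header with the whitelisted admin address.
    xff = proxy_add_x_forwarded_for(admin_ip, client)
    print(xff, "-> naive:", naive_client_ip(xff), " realip:", real_client_ip(proxy, xff))
```

With the proxy at 10.0.0.2 trusted, a client that sends X-Forwarded-For: 192.168.248.129 (the whitelisted admin address from the access-control section) still resolves to its real address; reading the leftmost entry is what lets such spoofing succeed, and trusting the header from every peer (set_real_ip_from 0.0.0.0/0) has the same effect.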

2. Check the configuration file and reload it

/usr/local/nginx/sbin/nginx -t #Check the configuration file for errors
/usr/local/nginx/sbin/nginx -s reload #Reload configuration file

3. Testing

[root@yolks2 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/

Further reading

Summary of 502 problems: http://ask.apelearn.com/question/9109
location priority: http://blog.lishiming.net/?p=100

Posted by Drebin on Tue, 11 Dec 2018 05:21:07 -0800