12.13 Nginx Hotlink Protection, 12.14 Nginx Access Control, 12.15 Nginx PHP Parsing Configuration, 12.16 Nginx Proxy

Keywords: Nginx PHP curl Web Server

12.13 Nginx Hotlink Protection

The configuration is as follows; it can be combined with the configuration above.

The * in ~* makes the expression in the parentheses that follow case-insensitive.

^ marks the beginning of the match.

server_names can be omitted.

location ~* ^.+\.(ico|gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;   # define the whitelist first
    if ($invalid_referer) {
        return 403;    # can also be written as deny all
    }
    access_log off;
}

/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload

curl -e "http://www.baidu.com/123" -x127.0.0.1:80 -I www.test.com/images/123.png   # -e sets the Referer; returns 403

curl -e "http://test2.com/123" -x127.0.0.1:80 -I test.com/images/123.png   # returns 200
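
The following added example (not part of the original post) models how the valid_referers line above decides $invalid_referer, following the documented meaning of none, blocked, server_names and a leading-wildcard name. The server_name list is an assumption built from the hosts used in the curl tests; the vhost's real list is not shown on this page.

```python
from urllib.parse import urlsplit

# Assumption: server_name of the vhost (not shown on the page).
SERVER_NAMES = ["test.com", "test2.com"]
# Extra name listed in the valid_referers directive above.
EXTRA_NAMES = ["*.test.com"]


def name_matches(pattern, host):
    """Exact name, or a leading-wildcard name such as *.test.com."""
    if pattern.startswith("*."):
        # *.test.com covers www.test.com and a.b.test.com, not test.com itself
        return host.endswith(pattern[1:])
    return host == pattern


def invalid_referer(referer, allow_none=True, allow_blocked=True):
    """Return True where nginx would set $invalid_referer (the 403 branch)."""
    if referer is None:
        # "none": the Referer header is missing
        return not allow_none
    if not referer.lower().startswith(("http://", "https://")):
        # "blocked": header present but its value was stripped or rewritten
        return not allow_blocked
    # The port in the Referer is ignored when comparing names
    host = (urlsplit(referer).hostname or "").lower()
    return not any(name_matches(p, host) for p in SERVER_NAMES + EXTRA_NAMES)


if __name__ == "__main__":
    # Constructed sample Referer values
    samples = [None, "-", "http://www.baidu.com/123", "http://test2.com/123",
               "http://img.test.com:8080/a.png", "http://nottest.com/"]
    for ref in samples:
        print(repr(ref), "->", 403 if invalid_referer(ref) else 200)
```

Because none and blocked are in the whitelist, requests with no usable Referer are served, so this rule limits embedding by other sites rather than acting as access control.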

12.14 Nginx Access Control

Requirement: requests to the /admin/ directory are allowed from only a few IPs. The configuration is as follows:

location /admin/
{
    allow 192.168.192.134;
    allow 127.0.0.1;
    deny all;
}

I think location /admin/ only matches access to the /admin/ directory, and /admin/xx.php does not (other IPs can still access it).

To apply the rules to all files in the admin directory, you need to use location ~ /admin/.*

In addition, this block must be placed before the PHP-parsing block.

Nginx does not apply location blocks one after another; once a rule is matched, no further rules are matched.

mkdir /data/wwwroot/test.com/admin/
echo "test,test">/data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.192.134:80 test.com/admin/1.html -I

You can also match with a regular expression. Any PHP file under upload or images is denied. Directories that accept uploads should be forbidden from parsing PHP. This block must be placed before the PHP-parsing block.

location ~ .*(upload|images)/.*\.php$
{
        deny all;
}

Test:

/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
mkdir /data/wwwroot/test.com/upload
echo "1111" > /data/wwwroot/test.com/upload/1.php
curl -x127.0.0.1:80 www.test.com/upload/1.php -I   # returns 403

Restricting by user_agent:

# Requests whose User-Agent contains any of these three strings are rejected.
# The match is case-sensitive, so "tomato" is not matched. To ignore case, write ~*
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}

deny all and return 403 have the same effect

/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload

curl -A "Tomato" -x127.0.0.1:80 www.test.com/upload/1.html -I   # returns 403

12.15 Nginx PHP Parsing Configuration

vim /data/wwwroot/test.com/1.php   # add the following; testing the page at this point shows that PHP is not parsed yet
<?php
phpinfo();
?>

The configuration that lets Nginx parse PHP is as follows:

location ~ \.php$
    {
        # include pulls the contents of the specified file into the configuration at this point
        include fastcgi_params;
        # fastcgi_pass specifies the address or socket that php-fpm listens on, local or remote.
        # A wrong value here causes 502 errors. Check what listen is set to in /usr/local/php-fpm/etc/php-fpm.conf; it can also be changed to listen on an IP and port
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        # Path of the requested script file. The path must be correct; /data/wwwroot/test.com is the root from the configuration file
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

12.16 Nginx proxy

cd /usr/local/nginx/conf/vhost
vim proxy.conf   # add the following
server
{
    listen 80;
    server_name ask.apelearn.com;   # the domain name that users access
    location /
    {
        proxy_pass     http://121.201.9.155/;   # tells nginx where the real server is (web server IP)
        proxy_set_header Host   $host;               # $host equals the server_name above
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Test: /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload

curl ask.apelearn.com/robots.txt   # test without the proxy: access succeeds

curl -x127.0.0.1:80 ask.apelearn.com/robots.txt   # specify the local machine: access also succeeds

Normally, without the proxy configured, the remote site cannot be reached through the local machine. Here the proxy server is the virtual machine on which the proxy is configured, and the web server is the forum.

An Nginx proxy defines a domain name on the proxy server that points to one or more IPs, and then forwards the user's request through the proxy server to the web server at the specified IP.

When the domain name points to more than one IP, upstream is needed so that users can reach each IP through the proxy server normally, that is, load balancing.

Posted by JimmyD on Tue, 25 Dec 2018 09:33:06 -0800