Nginx as a static resource web server: controlling browser caching and implementing an anti-theft chain (hotlink protection)

Source: Internet
Author: User
This article describes how Nginx, serving static resources, controls the browser cache and implements an anti-theft chain (hotlink protection). It may be a useful reference for anyone who needs to set this up.

I. Controlling the browser cache

1. Introduction to Browser caching

The browser cache follows the caching mechanism defined by the HTTP protocol (for example, Expires and Cache-Control).

[Figure: request/response process when the browser has no cache]

[Figure: request/response process when the browser has a cache]

Browser cache expiration check mechanisms

Expiration check: Cache-Control (max-age), Expires
ETag header validation in the protocol: ETag
Last-Modified header validation: Last-Modified

[Figure: browser request process]

2. Nginx Control Browser Cache configuration

Nginx controls the browser cache by adding the Cache-Control (max-age) and Expires header fields to the response.

ngx_http_headers_module

Syntax

    Syntax:  expires [modified] time;
             expires epoch | max | off;
    Default: expires off;
    Context: http, server, location, if in location

This directive controls the "Expires" and "Cache-Control" header fields in the HTTP response, and through them how the page is cached.

The expiration time in the "Expires" header is the current system time plus the time value you set. If the modified parameter is specified, the expiration time is the file's last modified time plus the time value you set.
The content of the "Cache-Control" header depends on the sign of the specified time. The time value can be positive or negative.
When time is negative: "Cache-Control: no-cache";
When time is positive or 0: "Cache-Control: max-age=time", where time is in seconds.

The epoch parameter sets "Expires" to 1 January, 1970, 00:00:01 GMT.
The max parameter sets "Expires" to "Thu, 31 Dec 2037 23:55:55 GMT" and "Cache-Control" to a value of 10 years.
The off parameter disables adding or modifying the "Expires" and "Cache-Control" response header fields.

3. Application examples

1. vim /etc/nginx/conf.d/static.conf

    server {
        location ~ .*\.(txt|xml)$ {
            # Set the expiration time to 1 day
            expires 1d;
            root /vagrant/doc;
        }
    }

2. Run nginx -s reload to reload the Nginx configuration file

3. Create a /vagrant/doc/hello.txt file

4. Access 192.168.33.88/hello.txt with curl to view the HTTP response headers

    [root/etc/nginx]# curl -I 192.168.33.88/hello.txt
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Tue, Jul 2018 07:12:11 GMT
    Content-Type: text/plain
    Content-Length: 12
    Last-Modified: Tue, 2018 07:07:22 GMT
    Connection: keep-alive
    ETag: "5b4d95aa-c"
    Expires: Wed, Jul 2018 07:12:11 GMT
    Cache-Control: max-age=86400
    Accept-Ranges: bytes

Looking at the Expires and Cache-Control fields, you can see that hello.txt is cached for 1 day.
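The header rules described in this section can be modelled in a few lines. This is an added example, not code from the original article or from Nginx: `parse_time` and `expires_headers` are hypothetical names, only the s/m/h/d units are handled, and the request and modification times are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}  # subset of Nginx time units

def parse_time(value):
    """'1d', '30m', '-1' -> signed seconds (a bare number is seconds)."""
    m = re.fullmatch(r"(-?)(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    sign, number, unit = m.groups()
    return (-1 if sign else 1) * int(number) * UNITS[unit]

def expires_headers(args, now, mtime=None):
    """Header fields a response gets from `expires <args>;` (hypothetical model)."""
    words = args.split()
    if words == ["off"]:
        return {}                                   # nothing added or modified
    if words == ["epoch"]:
        return {"Expires": "Thu, 01 Jan 1970 00:00:01 GMT",
                "Cache-Control": "no-cache"}
    if words == ["max"]:
        return {"Expires": "Thu, 31 Dec 2037 23:55:55 GMT",
                "Cache-Control": "max-age=315360000"}   # 10 years
    seconds = parse_time(words[-1])
    use_mtime = words[0] == "modified" and mtime is not None
    expiry = (mtime if use_mtime else now) + timedelta(seconds=seconds)
    # Assumption, not stated on the page: with `modified`, max-age is the
    # lifetime that remains at request time.
    max_age = int((expiry - now).total_seconds())
    cache_control = "no-cache" if seconds < 0 or max_age < 0 else f"max-age={max_age}"
    return {"Expires": format_datetime(expiry, usegmt=True),
            "Cache-Control": cache_control}

if __name__ == "__main__":
    # Constructed sample times (UTC), not taken from the page's output.
    now = datetime(2018, 7, 17, 7, 12, 11, tzinfo=timezone.utc)
    mtime = datetime(2018, 7, 17, 7, 7, 22, tzinfo=timezone.utc)
    for args in ("1d", "-1", "modified 1h", "epoch", "max", "off"):
        print(f"expires {args};", expires_headers(args, now, mtime))
```
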

II. Anti-theft chain (hotlink protection)

Purpose: to prevent resources from being misappropriated
Idea: distinguish which requests are not normal user requests

1. Anti-theft chain configuration module based on http_referer

ngx_http_referer_module

Syntax

    Syntax:  valid_referers none | blocked | server_names | string ...;
    Default: -
    Context: server, location

none: the "Referer" field is not present in the request header
blocked: the "Referer" field is present in the request header, but its value has been removed by a firewall or proxy server; such a value is a string that does not start with "http://" or "https://"
server_names: the "Referer" request header field contains one of the server names
Arbitrary string: defines a server name and an optional URI prefix. The server name can have a "*" at the beginning or end. During the check, the server port in the "Referer" field is ignored.
Regular expression: the string must begin with "~". Note that the expression is matched against the text after "http://" or "https://".

Example

    valid_referers none blocked server_names *.example.com example.* www.example.org/galleries/ ~\.google\.;

2. Application examples

1. vim conf.d/static.conf

    server {
        location ~ .*\.(txt|xml)$ {
            # Configure the anti-theft chain rules
            valid_referers none blocked 192.168.1.110 *.example.com example.* ~\.google\.;
            # If the anti-theft chain rules are not met, return 403
            if ($invalid_referer) {
                return 403;
            }
            root /vagrant/doc;
        }
    }

2. Run nginx -s reload to reload the Nginx configuration file

3. Create a /vagrant/doc/hello.txt file

    • vim /vagrant/a/a.txt

    Hello world!

4. Test access with curl

    • Without a Referer: can be accessed normally

    [root~]# curl -I http://127.0.0.1/hello.txt
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Fri, Geneva 2018 01:34:12 GMT
    Content-Type: text/plain
    Content-Length: 12
    Last-Modified: Tue, 2018 07:07:22 GMT
    Connection: keep-alive
    ETag: "5b4d95aa-c"
    Accept-Ranges: bytes

    • Referer http://www.baidu.com: returns 403

    [root~]# curl -e "http://www.baidu.com" -I http://127.0.0.1/hello.txt
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Fri, 2018 01:34:34 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive

    • Referer http://192.168.1.110: can be accessed normally

    [root~]# curl -e "http://192.168.1.110" -I http://127.0.0.1/hello.txt
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Thu, Geneva 2018 11:31:51 GMT
    Content-Type: text/plain
    Content-Length: 12
    Last-Modified: Tue, Jul 2018 07:07:22 GMT
    Connection: keep-alive
    ETag: "5b4d95aa-c"
    Accept-Ranges: bytes

    • Referer starting with example. or ending with .example.com: can be accessed normally

    [root~]# curl -e "http://www.example.com" -I http://127.0.0.1/hello.txt
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Thu, Aug 2018 11:33:47 GMT
    Content-Type: text/plain
    Content-Length: 12
    Last-Modified: Tue, Jul 2018 07:07:22 GMT
    Connection: keep-alive
    ETag: "5b4d95aa-c"
    Accept-Ranges: bytes

    [root~]# curl -e "http://example.baidu.com" -I http://127.0.0.1/hello.txt
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Thu, 2018 11:33:53 GMT
    Content-Type: text/plain
    Content-Length: 12
    Last-Modified: Tue, 2018 07:07:22 GMT
    Connection: keep-alive
    ETag: "5b4d95aa-c"
    Accept-Ranges: bytes
    • Referer http://google.com: returns 403

    [root~]# curl -e "http://google.com" -I http://127.0.0.1/hello.txt
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Thu, 2018 11:37:43 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive

    • Referer http://www.google.com: can be accessed normally

    [root~]# curl -e "http://www.google.com" -I http://127.0.0.1/hello.txt
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Thu, 2018 11:37:50 GMT
    Content-Type: text/plain
    Content-Length: 12
    Last-Modified: Tue, 2018 07:07:22 GMT
    Connection: keep-alive
    ETag: "5b4d95aa-c"
    Accept-Ranges: bytes
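
The matching rules and the curl results in this section can be reproduced with a small model of valid_referers. This is an added example, not code from the original article or from Nginx: `host_matches` and `referer_allowed` are hypothetical names, and `server_names` and IPv6 hosts are not modelled.

```python
import re

# Rule list copied from the page's valid_referers line.
RULES = ["none", "blocked", "192.168.1.110", "*.example.com", "example.*", r"~\.google\."]

def host_matches(host, name):
    """Exact name, or a wildcard with '*' as the first or last label."""
    if name.startswith("*."):
        return host.endswith(name[1:]) and len(host) > len(name) - 1
    if name.endswith(".*"):
        return host.startswith(name[:-1]) and len(host) > len(name) - 1
    return host == name

def referer_allowed(referer, rules=RULES):
    """Simplified model: True means Nginx would leave $invalid_referer empty."""
    if referer is None:                       # header absent -> "none"
        return "none" in rules
    scheme = re.match(r"https?://", referer, re.I)
    if not scheme:                            # present, but no http(s):// -> "blocked"
        return "blocked" in rules
    rest = referer[scheme.end():]             # regexes see everything after the scheme
    hostport, _, path = rest.partition("/")
    host = hostport.split(":")[0].lower()     # the port is ignored
    for rule in rules:
        if rule in ("none", "blocked", "server_names"):
            continue                          # server_names is not modelled here
        if rule.startswith("~"):
            if re.search(rule[1:], rest, re.I):
                return True
            continue
        name, slash, prefix = rule.partition("/")
        if host_matches(host, name.lower()) and ("/" + path).startswith(slash + prefix):
            return True
    return False

if __name__ == "__main__":
    # Referer values used in the curl tests on this page; None means no header sent.
    for ref in [None, "http://www.baidu.com", "http://192.168.1.110",
                "http://www.example.com", "http://example.baidu.com",
                "http://google.com", "http://www.google.com"]:
        print(ref, "->", 200 if referer_allowed(ref) else 403)
```

The Referer value is whatever the client sends, as `curl -e` shows, and `none` lets requests without the header through, so this check filters casual hotlinking rather than authenticating the requester. The `~\.google\.` pattern is unanchored and is tested against the path as well as the host; a pattern anchored to the host part is stricter.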