[TOC]
One, nginx anti-hotlinking (Referer check)
1. Open the configuration file and add the following:
# cd /usr/local/nginx/conf/vhost/
# vim test.com.conf

    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #     expires 7d;
    #     access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }

In this configuration, every request whose URI ends in one of the listed extensions (gif, jpg, png, swf, flv, rar, zip, doc, pdf, gz, bz2, jpeg, bmp, xls; the ~* makes the match case-insensitive) is checked against a Referer whitelist: none allows requests that carry no Referer header at all, blocked allows a Referer that a firewall or proxy has stripped (a value that does not start with http:// or https://), server_names allows this server's own server_name values, and *.test.com allows any subdomain of test.com. Any other Referer sets $invalid_referer to 1 and the request is answered with 403 Forbidden. Keep in mind that the Referer header is supplied by the client: this stops other sites from embedding your files in their pages, but not a client that sets the header itself, or omits it, which none allows.
2. Test the syntax and reload (-t && -s reload)
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
3. Test
# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:03:24 GMT
Content-Type: application/javascript
Content-Length: 14
Last-Modified: Thu, 15 Mar 2018 13:08:00 GMT
Connection: keep-alive
ETag: "5aaa7030-e"
Expires: Fri, 16 Mar 2018 02:03:24 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes

Requesting 2.js from the local host with no Referer works (note that .js is not in the protected extension list at all; the 12-hour Expires comes from the separate js|css location). Now send a Referer from another site and request an image:
# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:06:07 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
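To make the whitelist semantics concrete, here is an added Python model of the check above. It is example code written for this page, not part of nginx or of the original post. It emulates the valid_referers entry types the page uses (none, blocked, server_names, and host patterns with a leading or trailing *); the URI-prefix and ~regex entry forms are not modelled. The vhost's server_name is assumed to be test.com, which the page does not show.

```python
import re
from urllib.parse import urlsplit

# The protected extensions from the page's location (~* makes it case-insensitive).
PROTECTED = re.compile(
    r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.IGNORECASE)
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
SERVER_NAMES = ["test.com"]   # assumed server_name of the vhost; the page does not show it


def referer_is_valid(referer, valid, server_names=()):
    """Model of ngx_http_referer_module for the entry types used on the page.
    Returns True when nginx would leave $invalid_referer empty."""
    if referer is None:
        return "none" in valid                      # header absent
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return "blocked" in valid                   # scheme stripped by a proxy/firewall
    host = urlsplit(low).hostname or ""             # nginx ignores the port
    names = [v.lower() for v in valid if v not in ("none", "blocked", "server_names")]
    if "server_names" in valid:
        names += [n.lower() for n in server_names]
    for pat in names:
        if pat.startswith("*.") and host.endswith(pat[1:]):
            return True                             # *.test.com: any subdomain, not test.com itself
        if pat.endswith(".*") and host.startswith(pat[:-1]):
            return True                             # test.*: any top-level domain
        if host == pat:
            return True                             # exact server name
    return False


def hotlink_status(uri, referer):
    """Status the page's location would produce for a request (URI without query string)."""
    if not PROTECTED.search(uri):
        return 200                                  # e.g. /2.js: not covered by this location
    return 200 if referer_is_valid(referer, VALID_REFERERS, SERVER_NAMES) else 403


if __name__ == "__main__":
    # Constructed requests, not taken from the page's log.
    for uri, ref in [("/1.gif", None),
                     ("/1.gif", "http://www.baidu.com/1.txt"),
                     ("/1.gif", "https://img.test.com:8443/gallery"),
                     ("/1.gif", "http://test.com.evil.example/"),
                     ("/1.gif", "www.test.com/page"),
                     ("/2.js", "http://www.baidu.com/1.txt")]:
        print(f"{uri:8} Referer={ref!r:42} -> {hotlink_status(uri, ref)}")
```

The "www.test.com/page" case is worth noticing: because it lacks a scheme it counts as blocked and is accepted, so a client can pass the check with a scheme-less Referer just as easily as with no Referer at all. That is the limit of a Referer-based control.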
Second, nginx access control:
Sometimes while running a site we notice abnormal traffic, or we simply want to raise security by restricting who can reach certain pages (the backend login page, for example).
1. Add the following to the configuration file
# vim /usr/local/nginx/conf/vhost/test.com.conf

    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.72.130;   # the NIC address of the virtual machine used for this test
        deny all;
    }

Matching rule: the allow/deny directives are checked in order and the first one that matches the client address decides, so 127.0.0.1 and 192.168.72.130 are allowed and the final deny all rejects everyone else. Two caveats: without deny all at the end, addresses that match no rule are allowed; and these directives only apply when this location is the one selected for the request. A regex location such as location ~ \.php$ takes precedence over the /admin/ prefix match, so /admin/login.php would be handed to php-fpm without the allow/deny check unless the prefix is declared as location ^~ /admin/ (with the PHP handler nested inside it).
2. Test the syntax and reload the configuration
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
3. Test access control on the site's backend login page:
# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:24:58 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes
# curl -x192.168.72.130:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:30:46 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Wed, 14 Mar 2018 14:07:17 GMT
Connection: keep-alive
ETag: "5aa92c95-f"
Accept-Ranges: bytes

Both requests arrive from an allowed address (127.0.0.1 and 192.168.72.130; the Referer on the first one plays no part in the IP rules), so both get 200. A request from any other address is rejected with 403.
View the log: # cat /tmp/test.com.log
4. Do not parse a given file type (PHP here) under directories that accept uploads:

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

Regex locations are tried in the order they appear in the file and the first match wins, so this block must be placed before location ~ \.php$; otherwise a script uploaded under upload/ or image/ would be passed to php-fpm.
# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:46:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
PHP files under upload/ are no longer parsed (403), while a txt file in the same directory is still served:
# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
5. Restrict by User-Agent:
If the site is under a CC (HTTP flood) attack, or you do not want certain crawlers indexing it, requests can be refused based on the User-Agent:
# vim /usr/local/nginx/conf/vhost/test.com.conf   and add:

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
Test the syntax and reload the configuration
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
Request 1.txt to test
# curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:51 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 14:58:59 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 15 Mar 2018 14:47:36 GMT
Connection: keep-alive
ETag: "5aaa8788-6"
Accept-Ranges: bytes
With the User-Agent changed to lowercase the rule no longer matches: ~ is a case-sensitive regex match. To ignore case, edit test.com.conf again and use ~* instead:

    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

Only a * after the ~ needs to be added. As with the Referer, the User-Agent is whatever the client chooses to send, so this keeps out well-behaved crawlers and unsophisticated flood tools, not an attacker who changes the string.
The complete process:
# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -s reload
# curl -A "tomato" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 15 Mar 2018 15:03:22 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
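The three controls in this section interact through nginx's request processing order, which is easy to get wrong. The following Python model is an added example written for this page (not nginx code and not from the original post): it transcribes the rules above, applies them the way nginx does (the server-level if in the rewrite phase first, then location selection where the first matching regex location overrides the /admin/ prefix, then that location's allow/deny), and includes an admin_is_caret_tilde switch that models the hardened location ^~ /admin/ form, which is a suggestion, not something the page configures.

```python
import ipaddress
import re

# Rules transcribed from the page's test.com.conf; ordering matters for all three.
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "192.168.72.130"), ("deny", "all")]
BAD_UA = re.compile(r"Spider/3.0|YoudaoBot|Tomato", re.IGNORECASE)   # the ~* form
REGEX_LOCATIONS = [                      # regex locations in file order; first match wins
    ("upload_php", re.compile(r".*(upload|image)/.*\.php$")),
    ("php", re.compile(r"\.php$")),
]


def access_check(rules, client_ip):
    """ngx_http_access_module: walk allow/deny in order; the first matching
    address or CIDR decides, 'all' matches anything, and no match means allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, addr in rules:
        if addr == "all" or ip in ipaddress.ip_network(addr, strict=False):
            return action == "allow"
    return True


def select_location(uri, admin_is_caret_tilde=False):
    """nginx location selection for this config: the /admin/ prefix match is
    remembered, then regex locations are tried in order and the first match
    overrides the prefix, unless the prefix was declared with ^~."""
    prefix = "admin" if uri.startswith("/admin/") else None
    if prefix and admin_is_caret_tilde:
        return prefix
    for name, pattern in REGEX_LOCATIONS:
        if pattern.search(uri):
            return name
    return prefix or "default"


def decide(client_ip, uri, user_agent, admin_is_caret_tilde=False):
    """Status nginx would return: the server-level 'if' runs in the rewrite
    phase before any location is picked, then the chosen location's rules."""
    if BAD_UA.search(user_agent):
        return 403
    location = select_location(uri, admin_is_caret_tilde)
    if location == "upload_php":
        return 403
    if location == "admin":
        return 200 if access_check(ADMIN_RULES, client_ip) else 403
    return 200          # "php" and "default" carry no access rules


if __name__ == "__main__":
    # Constructed requests, not from the page's log; 10.0.0.9 is an arbitrary outside address.
    print(decide("10.0.0.9", "/upload/1.txt", "tomato"))           # 403: blocked User-Agent
    print(decide("10.0.0.9", "/upload/1.php", "curl/7.64"))        # 403: PHP under upload/
    print(decide("192.168.72.130", "/admin/", "curl/7.64"))        # 200: allowed address
    print(decide("10.0.0.9", "/admin/", "curl/7.64"))              # 403: deny all
    print(decide("10.0.0.9", "/admin/login.php", "curl/7.64"))     # 200: ~ \.php$ wins over /admin/
    print(decide("10.0.0.9", "/admin/login.php", "curl/7.64", admin_is_caret_tilde=True))  # 403
```

The last two lines are the point: with the configuration exactly as on the page, a PHP file inside /admin/ is served by the regex location and bypasses the IP whitelist; only the ^~ prefix form keeps the whole directory behind allow/deny.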
Third, nginx configuration for parsing PHP
1. Add the following configuration:

    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }

fastcgi_pass specifies the address or the Unix socket on which php-fpm listens.
The location blocks of the configuration file now read as follows:
# vim /usr/local/nginx/conf/vhost/test.com.conf

    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    # {
    #     expires 7d;
    #     access_log off;
    # }
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }
    location /admin/
    {
        allow 127.0.0.1;
        allow 192.168.72.130;
        deny all;
    }
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
    if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/www.test.com$fastcgi_script_name;
    }
2. Create a test PHP file
# vim /data/nginx/test.com/3.php
<?php
phpinfo();

Not parsed: the request returns the source code, because the edited conf file had not yet been checked with -t and reloaded with -s reload:
# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
Pay special attention to the root path in the configuration file: the site lives in /data/nginx/test.com, not /data/nginx/www.test.com as written above.
After correcting the path and running -t and -s reload, phpinfo() is parsed normally.
3. Summary: fastcgi_pass specifies the address of php-fpm. If php-fpm listens on a TCP address (such as 127.0.0.1:9000), change the directive to fastcgi_pass 127.0.0.1:9000. The value must match php-fpm's listen address exactly, otherwise nginx answers with a 502 error. The other thing to check is the path in fastcgi_param SCRIPT_FILENAME: it is the site root and must agree with the root defined earlier in the server block; if it is wrong, PHP pages return 404. A 502 can also appear when php-fpm has spawned so many processes that they exhaust the machine's memory.

    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
    }
Check php-fpm: # vim /usr/local/php-fpm/etc/php-fpm.conf

    [global]
    pid = /usr/local/php-fpm/var/run/php-fpm.pid
    error_log = /usr/local/php-fpm/var/log/php-fpm.log
    [www]
    listen = /tmp/php-fcgi.sock
    #listen = 127.0.0.1:9000
    listen.mode = 666
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024

The listen value matches fastcgi_pass in the vhost. Note that listen.mode = 666 makes the socket world-writable: any local user can then connect to it and submit FastCGI requests with an arbitrary SCRIPT_FILENAME, that is, run PHP code as the php-fpm user. A tighter setting is listen.mode = 660 together with listen.owner and listen.group set to the user the nginx workers run as.
The error log could not be viewed.
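The two mismatches discussed here (fastcgi_pass versus php-fpm's listen, and a too-open listen.mode) are easy to catch before reloading. The script below is an added example written for this page, not part of nginx or php-fpm; the two configuration snippets are constructed from the page's files, and the '#' comment style is accepted only because the page's php-fpm.conf uses it (';' is php-fpm's own comment character).

```python
import re

# Snippets transcribed from the page's vhost and php-fpm.conf (constructed input).
NGINX_VHOST = r"""
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/nginx/test.com$fastcgi_script_name;
}
"""
PHP_FPM_CONF = """
[global]
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
"""


def nginx_upstream(conf):
    """Target of fastcgi_pass, with the 'unix:' prefix dropped so that a socket
    path compares directly with php-fpm's listen value."""
    m = re.search(r"fastcgi_pass\s+([^;\s]+)\s*;", conf)
    if not m:
        return None
    target = m.group(1)
    return target[len("unix:"):] if target.startswith("unix:") else target


def fpm_value(conf, key, pool="www"):
    """Value of `key` inside the [pool] section of php-fpm.conf.
    ';' is php-fpm's comment character; '#' is accepted because the page's file uses it."""
    in_pool = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_pool = line == f"[{pool}]"
            continue
        if in_pool:
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def check(nginx_conf, fpm_conf, pool="www"):
    """Findings for the 502 case the page describes (upstream/listen mismatch)
    and for a world-writable Unix socket (listen.mode with the 'other' write bit)."""
    findings = []
    upstream = nginx_upstream(nginx_conf)
    listen = fpm_value(fpm_conf, "listen", pool)
    if upstream != listen:
        findings.append(f"fastcgi_pass {upstream!r} does not match php-fpm listen {listen!r}: expect 502")
    mode = fpm_value(fpm_conf, "listen.mode", pool)
    if listen and listen.startswith("/") and mode and int(mode, 8) & 0o002:
        findings.append(f"listen.mode = {mode}: socket is world-writable, any local user can "
                        "submit FastCGI requests and run PHP as the pool user")
    return findings


if __name__ == "__main__":
    for finding in check(NGINX_VHOST, PHP_FPM_CONF):
        print("WARN:", finding)
```

Run against the page's own settings it reports only the socket permission; switching either side (but not both) to 127.0.0.1:9000 reproduces the 502 mismatch.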
Four, nginx proxy
When a user needs to reach a Web server but has no direct connectivity to it (the user and the Web server are not on the same network), a proxy server in between is required: it talks to the user on one side and to the Web server on the other, bridging the two.
4.1 Principle:
4.2 Editing the configuration file
# cd /usr/local/nginx/conf/vhost
# vim proxy.conf
- Add the following content:

    server
    {
        listen 80;
        server_name ask.apelearn.com;
        location /
        {
            proxy_pass http://121.201.9.155/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Because this is a proxy server, no files on the local machine are served, so there is no root directive. server_name ask.apelearn.com; defines the domain name the proxy answers for.
proxy_pass http://121.201.9.155/; is the IP address of the real (backend) Web server.
proxy_set_header Host $host; passes our server_name on to the backend, so the backend's own virtual host for ask.apelearn.com is selected instead of its default. X-Real-IP is set to $remote_addr, the address nginx actually accepted the connection from, and X-Forwarded-For is the client's own X-Forwarded-For header (if it sent one) with $remote_addr appended; without these headers the backend only ever sees the proxy's address. Because the client controls the original X-Forwarded-For value, the backend should take the client IP from the right-hand end of that chain (or from X-Real-IP), and only when the request really arrived via this proxy.
Before restarting nginx, test the configuration with -t first; then restart nginx and test again.
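The X-Forwarded-For handling deserves a worked example, because the backend behind this proxy has to decide which address to believe. The Python below is an added example written for this page (not nginx code and not from the original post): it reproduces what $proxy_add_x_forwarded_for does, shows the naive "take the first entry" mistake, and implements the usual trusted-proxy walk from the right. The proxy's address 192.0.2.10, the client 203.0.113.5 and the forged entry 1.2.3.4 are constructed values, not from the page.

```python
import ipaddress


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """What nginx's $proxy_add_x_forwarded_for expands to: the client's own
    X-Forwarded-For header, if present, with $remote_addr appended after ', '."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def naive_client_ip(xff):
    """The common mistake: trusting the leftmost entry, which the client wrote."""
    return xff.split(",")[0].strip()


def client_ip(remote_addr, xff, trusted_proxies):
    """Walk X-Forwarded-For from the right, skipping addresses that belong to our
    own proxies; the first address that is not a trusted proxy is the client.
    If the connection did not come from a trusted proxy, the header is ignored."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False                       # garbage in the header is never a proxy
        return any(ip in n for n in nets)

    if not trusted(remote_addr):
        return remote_addr                     # direct connection: header is untrusted
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return hops[-1] if hops else remote_addr   # whole chain is our own proxies


if __name__ == "__main__":
    # Constructed scenario: the proxy from the page is assumed to sit at 192.0.2.10;
    # a client at 203.0.113.5 sends a forged X-Forwarded-For of 1.2.3.4.
    xff_at_backend = proxy_add_x_forwarded_for("1.2.3.4", "203.0.113.5")
    print("backend sees X-Forwarded-For:", xff_at_backend)
    print("naive  :", naive_client_ip(xff_at_backend))
    print("correct:", client_ip("192.0.2.10", xff_at_backend, ["192.0.2.10"]))
```

The backend's remote_addr is the proxy (192.0.2.10), which is why the trusted-proxy list is needed at all: the same code, facing the internet directly, must ignore the header entirely, which client_ip does when remote_addr is not a trusted proxy.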
14. Nginx anti-hotlinking & nginx access control & nginx PHP parsing configuration & nginx proxy