12.13 Nginx anti-hotlinking (Referer check)
- Edit a virtual host configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf
- The configuration is as follows:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
- /usr/local/nginx/sbin/nginx -t
- /usr/local/nginx/sbin/nginx -s reload
- Test results:
curl -x127.0.0.1:80 -i test.com/1.gif
curl -e "http://www.baidu.com" -x127.0.0.1:80 -i test.com/1.gif
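To see which Referer values the valid_referers line above accepts, here is an added Python model of how nginx decides $invalid_referer (example code written for these notes, not from the original page or from nginx itself). It assumes a constructed server_name list for test.com and covers only the none, blocked, server_names and wildcard-name forms, not URI prefixes or regex entries.

```python
import re

# Assumed server_name list of the test.com vhost (constructed; the notes do not show it).
SERVER_NAMES = ["test.com", "www.test.com"]
# Tokens of the directive in the notes: valid_referers none blocked server_names *.test.com;
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def referer_host(referer):
    """Host as ngx_http_referer_module extracts it: skip the http:// or https://
    prefix, cut at the first '/' or ':' (port ignored), compare in lower case.
    None when the value has no scheme, which nginx classes as 'blocked'."""
    lower = referer.lower()
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            return re.split(r"[/:]", lower[len(scheme):], maxsplit=1)[0]
    return None


def name_matches(host, pattern):
    """Exact name, or '*' at the start or end of the name. As in nginx,
    '*.test.com' matches img.test.com but not test.com itself."""
    pattern = pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer, valid_referers=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would set $invalid_referer (the if-block then returns 403).
    referer is the raw header value, or None when the header is absent."""
    if referer is None:
        return "none" not in valid_referers
    host = referer_host(referer)
    if host is None:
        return "blocked" not in valid_referers
    for token in valid_referers:
        if token in ("none", "blocked"):
            continue
        names = server_names if token == "server_names" else [token]
        if any(name_matches(host, n) for n in names):
            return False
    return True


def status_for(referer):
    """Status the location block gives /1.gif for this Referer: 403 or 200."""
    return 403 if invalid_referer(referer) else 200
```

Because $invalid_referer only looks at a header the client chooses to send (the second curl -e test above sets it by hand), this stops casual hotlinking and bandwidth abuse; it is not an access control.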
12.14 Nginx access control (important)
- 1. Access control by directory match
- Requirement: only a few IP addresses may access the /admin/ directory.
- Edit a virtual host configuration file
- vim /usr/local/nginx/conf/vhost/test.com.conf
- The configuration is as follows:
location /admin/
{
    allow 127.0.0.1;
    deny all;
}
- mkdir /data/wwwroot/test.com/admin/
- echo "Access control test" > /data/wwwroot/test.com/admin/1.html
- /usr/local/nginx/sbin/nginx -t
- /usr/local/nginx/sbin/nginx -s reload
Test results:
curl -x127.0.0.1:80 test.com/admin/1.html -i
curl -x192.168.206.135:80 test.com/admin/1.html -i
- 2. Access control by regular expression match
location ~ .*(upload|image)/.*\.php$    # deny every .php file under an upload or image directory
{
    deny all;
}
Test results:
- 3. Access control by User-Agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
Note: deny all has the same effect as return 403. The ~ match is case-sensitive; use ~* for a case-insensitive match.
Test results:
12.15 Nginx PHP parsing configuration
- So far the virtual host test.com cannot parse PHP; the following configuration enables it.
- Edit a virtual host configuration file
- vim /usr/local/nginx/conf/vhost/test.com.conf
- The configuration is as follows:
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
- Note: fastcgi_pass specifies the address or Unix socket on which PHP-FPM listens.
Test results:
- Summary (very important):
- (1) Suppose the PHP-parsing statement above contains a typo; requests for PHP pages then fail with a 502 error similar to the following.
- In this case, we can check the Nginx error log first.
cat /usr/local/nginx/logs/nginx_error.log
- And see what sock is configured in the PHP configuration file.
cat /usr/local/php-fpm/etc/php-fpm.conf
- Comparing the two shows the cause: /tmp/php-fcgi.sock was mistakenly written as /tmp/php-cgi.sock in the configuration. Changing it back restores normal operation.
- (2) The PHP configuration file defines listen = /tmp/php-fcgi.sock and adds listen.mode = 666 so that other users can read and write php-fcgi.sock and PHP can be parsed. Nginx's default user is nobody; if php-fcgi.sock is not given 666 permissions, Nginx cannot access it and returns a 502 error. (A tighter alternative is to set listen.owner and listen.group to the Nginx user with listen.mode = 660, so that only that user can reach the socket.)
- cat /usr/local/php-fpm/etc/php-fpm.conf
12.16 Nginx proxy
- Nginx proxy:
Configure the Nginx proxy (here proxy.conf acts as the proxy server):
cd /usr/local/nginx/conf/vhost
vim proxy.conf  // add the following:
server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass http://47.91.145.78/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
- Test results:
- Before configuration:
curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
- After configuration:
curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
- Precautions:
The IP address in the configuration may change from time to time; run dig ask.apelearn.com to look up the current IP of ask.apelearn.com (otherwise other errors may occur). If the dig command is not installed, install it with:
yum install -y bind*
Extended Learning:
502 Summary of issues
http://ask.apelearn.com/question/9109
Location-Priority
http://blog.lishiming.net/?p=100
2018-3-15 Linux Learning Notes