2018-3-15, week 12, session 4: Nginx hotlink protection (anti-theft chain), access control, PHP parsing configuration, proxy

Source: Internet
Author: User

12.13 Nginx hotlink protection (anti-theft chain)

    # vim /usr/local/nginx/conf/vhost/test.com.conf

~* indicates a case-insensitive match.


The whitelist is *.test.com; a request whose Referer is not on the whitelist gets a 403.


    # curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.12.2
    Date: Wed, 14 Mar 2018 15:07:25 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive

    # curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 200 OK
    Server: nginx/1.12.2
    Date: Wed, 14 Mar 2018 15:08:44 GMT
    Content-Type: image/gif
    Content-Length: 20
    Last-Modified: Wed, 14 Mar 2018 14:32:47 GMT
    Connection: keep-alive
    ETag: "5aa9328f-14"
    Expires: Wed, 21 Mar 2018 15:08:44 GMT
    Cache-Control: max-age=604800
    Accept-Ranges: bytes

    # cat /tmp/test.com.log
    127.0.0.1 - [14/Mar/2018:22:33:25 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
    127.0.0.1 - [14/Mar/2018:22:33:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
    127.0.0.1 - [14/Mar/2018:22:36:25 +0800] test.com "/2.jsdafafa" 404 "-" "curl/7.29.0"
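
The vhost file edited above is not shown on the page. A hotlink-protection block that produces the 403 and 200 responses in this transcript could look like the following; this is an added example, not the author's file, and the extension list and the `expires 7d` value (chosen to agree with `max-age=604800` in the output) are assumptions.

```nginx
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;

    # ~* makes the extension match case-insensitive (1.gif and 1.GIF both match).
    # The extension list is an assumption.
    location ~* \.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|doc|pdf|gz|bz2|xls)$ {
        expires 7d;

        # Whitelist: the server's own names plus *.test.com.
        # "none" also accepts requests that carry no Referer header at all
        # (address-bar visits, some privacy proxies); drop it to require a
        # whitelisted Referer on every request.
        # "blocked" accepts a Referer whose value was stripped by a firewall
        # or proxy and no longer starts with http:// or https://.
        valid_referers none blocked server_names *.test.com;

        # $invalid_referer is "1" when the Referer matches nothing above.
        if ($invalid_referer) {
            return 403;
        }
    }
}
```

The Referer header is set by the client, as the `curl -e` calls above show, so this check limits casual embedding and bandwidth use by other sites; it does not protect confidential files.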


12.14 Nginx Access Control


• Important or confidential content that should not be accessible to others can be protected with a whitelist that allows only your own public IP or the corporate intranet IP.


• By directory:

    # vim /usr/local/nginx/conf/vhost/test.com.conf

Allow and deny in the configuration file:

The allow and deny directives here do not work like the allow and deny rules under Apache's Order directive.

In Apache, if deny comes first, the end result is deny;

In Nginx, the rules are matched in order, and once a rule matches, the rules after it are not evaluated. In this case, a request from 127.0.0.1 matches the first allow, and nothing after it is evaluated. A request from 127.0.0.2 matches neither of the first two rules, so it falls through to the third rule and is denied.


• By regular-expression match:

    # vim /usr/local/nginx/conf/vhost/test.com.conf

    # /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    # /usr/local/nginx/sbin/nginx -s reload
    # mkdir /data/wwwroot/test.com/upload    ## create the upload folder
    # echo "23wewerwer" > /data/wwwroot/test.com/upload/1.php
    # cat !$    ## create 1.php to see whether 1.php can be parsed
    cat /data/wwwroot/test.com/upload/1.php
    23wewerwer
    # curl -x127.0.0.1:80 test.com/upload/1.php

(1.php cannot be parsed, while 1.txt in the same folder can be accessed)

    # cat /tmp/test.com.log


• Restricting by user_agent:

Use this when the website is under a CC attack, when you want to ban certain spiders, or when you run a hidden site that should not be found through search.

    # vim /usr/local/nginx/conf/vhost/test.com.conf

    # /usr/local/nginx/sbin/nginx -s reload
    # curl -A "TOMATOSDAFDSF" -x127.0.0.1:80 test.com/upload/1.txt -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.12.2
    Date: Thu, Mar 2018 13:26:46 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive

    # curl -A "TOMATOSDAFDSF" -x127.0.0.1:80 test.com/upload/1.txt -I
    HTTP/1.1 200 OK
    Server: nginx/1.12.2
    Date: Thu, Mar 2018 13:27:15 GMT
    Content-Type: text/plain
    Content-Length: 11
    Last-Modified: Thu, 2018 13:07:37 GMT
    Connection: keep-alive
    ETag: "5aaa7019-b"
    Accept-Ranges: bytes


• A User-Agent is blocked as long as it matches the Tomato keyword; because the match is exact (case-sensitive), lowercase tomato does not match.

To match regardless of case, add * after the ~ in the configuration file (that is, use ~*).

After reloading, the User-Agent that starts with a lowercase letter is denied as well:


    # curl -A "TOMATOSDAFDSF" -x127.0.0.1:80 test.com/upload/1.txt -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.12.2
    Date: Thu, 2018 13:31:26 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
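
The three restrictions of this section, put together in one vhost as an added example (not the author's configuration file, which the page does not show). The `/admin/` directory and the `192.0.2.10` address are hypothetical placeholders; the upload directory, the Tomato keyword and the document root come from the transcripts above.

```nginx
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;

    # By user_agent. "~" is case-sensitive, so 'Tomato' would not match a
    # User-Agent starting with "tomato"; "~*" matches regardless of case.
    if ($http_user_agent ~* 'Tomato') {
        return 403;
    }

    # By directory. allow/deny are checked top to bottom and the first
    # match decides: 127.0.0.1 stops at the first allow, 127.0.0.2 matches
    # neither allow and is caught by "deny all".
    location /admin/ {                # hypothetical directory
        allow 127.0.0.1;
        allow 192.0.2.10;             # placeholder for your own IP
        deny all;
    }

    # By regular expression: .php files under upload/ are refused (403)
    # and never reach PHP. Regex locations are tried in the order they
    # appear in the file, so this block has to be placed before any
    # generic "location ~ \.php$" block that passes requests to PHP-FPM.
    location ~ /upload/.*\.php$ {
        deny all;
    }
}
```

Both `allow`/`deny` and the log line's client address use the peer address Nginx sees; behind another proxy or load balancer that is the proxy's address, so the whitelist has to be written with that in mind.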


12.15 Nginx configuration for parsing PHP


• Configuring PHP parsing:

    # vim /usr/local/nginx/conf/vhost/test.com.conf

After saving, do not reload the configuration yet; first create a new PHP file with the following content:

    # vi /data/wwwroot/test.com/3.php

    # curl -x127.0.0.1:80 test.com/3.php
    <?php
    phpinfo();
    # /usr/local/nginx/sbin/nginx -s reload
    # curl -x127.0.0.1:80 test.com/3.php

(Too much content, not listed in detail)


If the socket file location in the configuration file is written incorrectly:

    # vim /usr/local/nginx/conf/vhost/test.com.conf

    # /usr/local/nginx/sbin/nginx -s reload
    # curl -x127.0.0.1:80 test.com/3.php

A 502 error is displayed

    # tail /usr/local/nginx/logs/nginx_error.log
    2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"


The log shows that the .sock file is not at the configured location, so we look in the php-fpm.conf configuration file for the actual .sock file path.

    # cat /usr/local/php-fpm/etc/php-fpm.conf

After correcting the PHP parsing configuration in the vhost configuration file, access works.


• Listening on an IP and port

If php-fpm listens on a port instead of a socket, for example:

    # vim /usr/local/php-fpm/etc/php-fpm.conf

    # /usr/local/php-fpm/sbin/php-fpm -t    ## check
    [15-Mar-2018 22:13:07] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
    # /usr/local/nginx/sbin/nginx -s reload    ## reload
    # netstat -lntp    ## listening on port 9000

    # !curl    ## still a 502 error
    curl -x127.0.0.1:80 test.com/3.php


Comment out the original fastcgi_pass and add 127.0.0.1:9000

    # vim /usr/local/nginx/conf/vhost/test.com.conf

    # /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    # /usr/local/php-fpm/sbin/php-fpm -t
    [15-Mar-2018 22:24:19] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
    # /usr/local/nginx/sbin/nginx -s reload
    # /etc/init.d/php-fpm reload
    Reload service php-fpm done
    # !curl
    curl -x127.0.0.1:80 test.com/3.php

PHP can now be parsed.

(So the php-fpm configuration and the virtual host configuration must correspond: a socket on one side needs the same socket on the other, and a port needs the same port.)


★ The SCRIPT_FILENAME in the configuration file must match the path of the root at the top of the configuration file:

In php-fpm.conf, listen.mode sets the permissions of the socket so that Nginx can read /tmp/php-fcgi.sock

    # vim /usr/local/php-fpm/etc/php-fpm.conf


• Without this setting, the default permission of php-fcgi.sock is 440, its owner and group are both root, and Nginx runs as nobody and cannot read it, so an error occurs. We test this below.


Change the virtual host back to php-fcgi.sock, to correspond with php-fpm.conf

    # vim /usr/local/nginx/conf/vhost/test.com.conf

    # /usr/local/nginx/sbin/nginx -s reload
    # curl -x127.0.0.1:80 test.com/3.php

(A 502 error, precisely because of the permission problem)


And the error log shows a permission denied error.

    # cat /usr/local/nginx/logs/nginx_error.log
    # ll /tmp/php-fcgi.sock
    srw-rw---- 1 root root 0 March 22:48 /tmp/php-fcgi.sock
    # ps aux | grep nginx

Nginx runs as nobody, which has no read permission on php-fcgi.sock, hence the 502 error. For normal access, it needs at least read and write permission.


Temporarily change the owner of /tmp/php-fcgi.sock to nobody, and access no longer returns a 502 error

    # chown nobody /tmp/php-fcgi.sock
    # curl -x127.0.0.1:80 test.com/3.php -I
    HTTP/1.1 200 OK
    Server: nginx/1.12.2
    Date: Thu, 2018 15:00:42 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30


Therefore, the listen.mode permission that we set in /usr/local/php-fpm/etc/php-fpm.conf makes the /tmp/php-fcgi.sock file readable and writable by everyone.
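
For reference, the Nginx side of the PHP setup described in this section, as an added example rather than the author's vhost file (which the page does not show). The `try_files` line and the narrower socket ownership in the trailing comments are additions; the paths and socket names are the ones from the transcripts.

```nginx
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;
    index index.html index.php;

    location ~ \.php$ {
        # Addition: answer 404 from Nginx when the requested .php file is
        # not on disk, instead of passing an arbitrary path to PHP-FPM.
        try_files $uri =404;

        include fastcgi_params;

        # Must equal "listen" in php-fpm.conf: socket to socket, port to
        # port. A wrong path (/tmp/php-cgi.sock) gives "No such file or
        # directory" in nginx_error.log and a 502 to the client.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # fastcgi_pass 127.0.0.1:9000;   # when php-fpm has listen = 127.0.0.1:9000

        fastcgi_index index.php;
        # The directory part must be the same path as "root" above.
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}

# php-fpm.conf side, shown as comments because it is a different file:
#   listen = /tmp/php-fcgi.sock
#   listen.mode = 666      (read/write for every local user, as described above)
# Narrower alternative (addition, not from the page): give the socket to
# the account the Nginx workers run as and keep it owner/group only:
#   listen.owner = nobody
#   listen.group = nobody
#   listen.mode = 0660
```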


A 502 error also occurs when PHP-FPM resources are exhausted; in that case PHP-FPM needs to be tuned.


12.16 Nginx proxy


1. The user cannot access the web server directly; the web server has only a private network IP.

2. The user can access the web server, but access is too slow.

The proxy can reach both the user and the web server, so it acts as an intermediary: it makes the request on the user's behalf and returns the result to the user when the request finishes.


    # cd /usr/local/nginx/conf/vhost/
    # vim proxy.conf

proxy_pass: the web server's IP address

proxy_set_header Host: the host name/domain name being accessed ($host, that is, server_name)

proxy_set_header X-Real-IP: specifies the IP

    # curl ask.apelearn.com/robots.txt

    # curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt
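
A proxy.conf matching the three directives described above, as an added example and not the author's file. `192.0.2.10` is a placeholder for the web server's IP, and the `$remote_addr` value and the X-Forwarded-For line are assumptions not stated on the page.

```nginx
server {
    listen 80;
    server_name ask.apelearn.com;

    location / {
        # IP of the real web server (placeholder). A hard-coded IP has to
        # be updated here, followed by a reload, whenever the site moves
        # to another address.
        proxy_pass http://192.0.2.10/;

        # Forward the requested host name so the backend selects the
        # right virtual host.
        proxy_set_header Host $host;

        # Overwrite, rather than pass through, any X-Real-IP the client
        # sent, so the backend sees the peer address Nginx accepted.
        proxy_set_header X-Real-IP $remote_addr;

        # Assumption: append the client address to any existing chain.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The backend should trust X-Real-IP and X-Forwarded-For only on connections that come from this proxy's address, since a client connecting to the backend directly can set both headers itself.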


Error summary:

Running curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt returned a 502 error. I checked the configuration file and found no errors, then thought the IP of ask.apelearn.com might be wrong, so I used the host command to look up the IP address and found that it had been updated. I then changed the proxy_pass IP in the proxy.conf configuration file again.



If there are any errors, please point them out, so that we can learn from each other and progress together!!!
