Nginx anti-hotlinking (Referer check)
Edit the virtual host configuration file
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following to the configuration
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
Explanation of the added configuration: the location matches requests for the listed file extensions (~* makes the match case-insensitive). valid_referers declares which Referer values are acceptable: none (no Referer header at all), blocked (a Referer whose scheme was stripped by a proxy or firewall), server_names (the hosts listed in server_name) and any host under *.test.com. For any other Referer nginx sets $invalid_referer to 1 and the if block returns 403. expires 7d sets the cache headers for these files and access_log off stops logging them.
Check the configuration and reload it
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
Test
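The Referer check above, modelled as an added Python example (not code from the page) so you can see which Referer values the location block rejects. It assumes the vhost's server_name is test.com, which the page does not show.

```python
import re
from typing import Optional

# Hostnames from the vhost's server_name; assumed to be test.com (the page does not show it).
SERVER_NAMES = ["test.com"]
# The location regex from the page: only these extensions are protected (~* is case-insensitive).
PROTECTED = re.compile(r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.I)
# valid_referers none blocked server_names *.test.com;
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]

def referer_host(referer: str) -> Optional[str]:
    """Lowercased host of an http(s) Referer, or None when the scheme is missing."""
    low = referer.lower()
    for scheme in ("http://", "https://"):
        if low.startswith(scheme):
            # nginx stops at the first '/' or ':', so paths and ports are dropped
            return re.split(r"[/:]", low[len(scheme):], maxsplit=1)[0]
    return None

def invalid_referer(referer: Optional[str]) -> bool:
    """The value nginx gives $invalid_referer for the directive above."""
    if not referer:
        return "none" not in VALID_REFERERS        # header absent
    host = referer_host(referer)
    if host is None:
        return "blocked" not in VALID_REFERERS     # header present but scheme stripped
    for pat in VALID_REFERERS:
        if pat == "server_names" and host in SERVER_NAMES:
            return False
        if pat.startswith("*.") and host.endswith(pat[1:]):   # *.test.com: subdomains only
            return False
        if pat == host:                                         # a literal host entry
            return False
    return True

def status(uri: str, referer: Optional[str]) -> int:
    """200 or 403, as the location block on the page would answer the request."""
    if PROTECTED.match(uri) and invalid_referer(referer):
        return 403
    return 200
```

Note that a host such as www.test.com.evil.example is rejected: the wildcard only matches a real suffix, and the page's curl test against test.com/admin/ is unaffected because /admin/ is not one of the protected extensions.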
Nginx access control
Edit the virtual host configuration to allow or deny access to a directory by IP address
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location /admin/
{
    allow 192.168.133.1;
    allow 127.0.0.1;
    deny all;
}
Rules and their explanation: allow and deny are evaluated in order and the first rule that matches the client address wins, so the two allow lines admit those addresses and deny all rejects everyone else.
Check the configuration and reload
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
Test
[[email protected] ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/    ## an IP in the whitelist can access it
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 15 Aug 2018 09:08:28 GMT
Content-Type: text/html
Content-Length: 18
Last-Modified: Tue, 14 Aug 2018 03:25:24 GMT
Connection: keep-alive
ETag: "5b724ba4-12"
Accept-Ranges: bytes
[[email protected] ~]# curl -x192.168.63.100:80 -I test.com/admin/    ## an IP in the whitelist can access it
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 15 Aug 2018 09:09:38 GMT
Content-Type: text/html
Content-Length: 18
Last-Modified: Tue, 14 Aug 2018 03:25:24 GMT
Connection: keep-alive
ETag: "5b724ba4-12"
Accept-Ranges: bytes
[[email protected] ~]# curl -x192.168.0.110:80 -I test.com/admin/    ## an IP not in the whitelist cannot access it
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Wed, 15 Aug 2018 09:23:08 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Edit the virtual host configuration: this rule matches by regular expression
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*(abc|image)/.*\.php$
{
    deny all;
}
Check the configuration and reload
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
Test
[[email protected] ~]# mkdir /data/wwwroot/test.com/upload    ## simulate this by creating an upload directory
[[email protected] ~]# echo "111" > /data/wwwroot/test.com/upload/1.php    ## create a PHP file inside upload
[[email protected] ~]# curl -x127.0.0.1:80 test.com/upload/1.php    ## test that access to upload/1.php is denied
(Note: the pattern above names the abc and image directories, so it only applies to upload/ if upload is added to the pattern.)
Restricting access by user_agent in the virtual host configuration
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
Check the configuration and reload
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
Simulation test
[[email protected] ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Wed, 15 Aug 2018 10:12:25 GMT
Content-Type: text/plain
Content-Length: 4
Last-Modified: Wed, 15 Aug 2018 10:12:22 GMT
Connection: keep-alive
ETag: "5b73fc86-4"
Accept-Ranges: bytes
[[email protected] ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I    ## simulate a user_agent
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Wed, 15 Aug 2018 10:14:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
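The IP allow/deny rules, the regex location and the user_agent check from the access-control sections above, modelled together as an added Python example (not code from the page). It goes slightly beyond the page in that the rule list also accepts CIDR blocks, and it uses the page's patterns exactly as written: the directory pattern lists abc|image (so /upload/1.php passes it) and the user_agent match is case-sensitive because the page uses ~ rather than ~*.

```python
import ipaddress
import re

# The page's /admin/ rules: first matching entry wins, like nginx's access module.
ADMIN_RULES = [("allow", "192.168.133.1"), ("allow", "127.0.0.1"), ("deny", "all")]
# if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') -- '~' is case-sensitive,
# so 'tomato' passes; '~*' would be needed to catch it.
BAD_UA = re.compile(r"Spider/3.0|YoudaoBot|Tomato")
# location ~ .*(abc|image)/.*\.php$ { deny all; } -- note: upload/ is not in this pattern.
PHP_IN_DIRS = re.compile(r".*(abc|image)/.*\.php$")

def ip_allowed(rules, client_ip: str) -> bool:
    """Evaluate allow/deny rules in order; entries may be single IPs or CIDR blocks
    (the page uses single IPs). With no matching rule nginx allows the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True

def status(uri: str, client_ip: str, user_agent: str) -> int:
    """403 or 200 for a request, applying each of the page's three rules in turn.
    (nginx itself selects one location per request; this model just applies each rule.)"""
    if BAD_UA.search(user_agent):
        return 403
    if uri.startswith("/admin/") and not ip_allowed(ADMIN_RULES, client_ip):
        return 403
    if PHP_IN_DIRS.match(uri):
        return 403
    return 200
```

Swapping the rule order (deny all first) blocks the whitelisted addresses too, which is why the deny all line must come last.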
Nginx PHP parsing configuration
The virtual host configuration cannot parse PHP yet, so add the following configuration
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
What needs to be added
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
Create a PHP file
[[email protected] ~]# vim /data/wwwroot/test.com/3.php    ## put the following into 3.php
<?php
phpinfo();
Test it
[[email protected] ~]# curl -x127.0.0.1:80 test.com/3.php    ## not parsed: the source is returned as-is
<?php
phpinfo();
The configuration above was not reloaded yet, which is why the PHP was not parsed. Check and reload:
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
After reloading, the test shows that PHP is parsed.
Explanation of the 502 error configuration: nginx returns 502 Bad Gateway when the fastcgi_pass target does not match what php-fpm is listening on (for example a Unix socket on one side and an IP:port on the other), or when php-fpm is not running at all.
Next, change php-fpm.conf so that it listens on an IP:port instead.
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload    ## reload nginx
[[email protected] ~]# /etc/init.d/php-fpm reload    ## restart php-fpm
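A check for the 502 cause described above, written as an added Python example (not code from the page): it reads the fastcgi_pass targets out of an nginx vhost fragment and the listen values out of php-fpm.conf and reports any target nothing listens on. The two config strings are constructed samples, not the page's files.

```python
import re

# Constructed sample inputs, not the page's own files: a vhost fragment like the one
# on the page, and a php-fpm pool that was switched to an IP:port listener.
NGINX_VHOST = r"""
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
}
"""
PHP_FPM_CONF = """
[www]
listen = 127.0.0.1:9000
listen.mode = 0666
"""

def normalise(target: str) -> str:
    """Bring nginx and php-fpm address spellings to one form for comparison."""
    t = target.strip()
    if t.startswith("unix:"):
        return t
    if t.startswith("/"):             # php-fpm writes socket paths without 'unix:'
        return "unix:" + t
    if re.fullmatch(r"\d+", t):       # 'listen = 9000' binds all addresses; reachable via loopback
        return "127.0.0.1:" + t
    return t.replace("localhost", "127.0.0.1")

def nginx_fastcgi_targets(conf: str):
    """Every fastcgi_pass target in an nginx config fragment."""
    return [normalise(t) for t in re.findall(r"fastcgi_pass\s+([^;\s]+)\s*;", conf)]

def phpfpm_listeners(conf: str):
    """The 'listen =' value of each php-fpm pool ('listen.mode' etc. are skipped)."""
    return [normalise(v) for v in re.findall(r"^\s*listen\s*=\s*(\S+)", conf, re.M)]

def backend_mismatch(nginx_conf: str, fpm_conf: str):
    """fastcgi_pass targets with no php-fpm pool listening on them: each one yields a 502."""
    listening = set(phpfpm_listeners(fpm_conf))
    return [t for t in nginx_fastcgi_targets(nginx_conf) if t not in listening]
```

Run it against the real files after editing php-fpm.conf: an empty list means the two sides agree, which is the state the reload above should leave you in.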
Nginx proxy
Write a new configuration file
[[email protected] ~]# cd /usr/local/nginx/conf/vhost/    ## go into vhost
[[email protected] vhost]# vim proxy.conf    ## edit it and add the content below
Add the following:
server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass http://121.201.9.155/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Check the configuration and reload
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
Test
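The proxy block above forwards the client address in X-Real-IP and X-Forwarded-For. This added Python example (not code from the page or the backend) shows what $proxy_add_x_forwarded_for produces and how the backend should read the client address back out of it without trusting values the client put in the header itself. It assumes the nginx host is 192.168.63.100, the address seen earlier on the page.

```python
import ipaddress
from typing import Optional

# Addresses the backend trusts to have set X-Forwarded-For honestly; assumed to be the
# nginx host seen on the page (192.168.63.100). The page itself does not state this.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.63.100/32")]

def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """What nginx substitutes for $proxy_add_x_forwarded_for: the header the proxy received
    (which the client controls), with the connecting address appended after ', '."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def client_ip(xff: str, remote_addr: str) -> Optional[str]:
    """Client address as the backend should derive it: walk the chain from the TCP peer
    leftwards and stop at the first hop that is not a trusted proxy. Everything left of
    that hop was supplied by the client and must not be believed."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None              # malformed entry: refuse to guess
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return remote_addr               # only trusted proxies in the chain
```

A request that reaches the backend directly (not via the proxy) gets its TCP peer address back, whatever X-Forwarded-For claims.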
48 Lessons (Nginx Anti-theft chain, nginx access control, Nginx parsing PHP-related configuration, Nginx proxy)