49. Nginx anti-hotlinking (referer check), nginx access control, Nginx configuration for parsing PHP, nginx proxy

Source: Internet
Author: User
Tags: fpm


1. Nginx anti-hotlinking (referer check)

The referer check goes into the same location block as the access_log off and expires settings for static files, because all three apply to the same requests.

# vim /usr/local/nginx/conf/vhost/test.com.conf

location ~* ^.+\.(gif|jpg|png|bmp|swf|jpeg|flv|rar|zip|doc|pdf|gz|bz2|xls)$
{
    expires 7d;    # cache expiry time sent to the client
    valid_referers none blocked server_names *.test.com;
    # The referer whitelist: none = the request has no Referer header at all; blocked = a Referer is
    # present but was mangled by a firewall or proxy (it does not start with http:// or https://);
    # server_names = the server_name values of this vhost; *.test.com = any subdomain of test.com.
    if ($invalid_referer) {
        # anyone not on the whitelist gets a 403
        return 403;
    }
    access_log off;    # do not log requests for these static files
}

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

Test:

# curl -x 127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK

# curl -x 127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK

# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 403 Forbidden

# curl -e "http://www.test.com/1.txt" -x 127.0.0.1:80 test.com/1.jpg -I
HTTP/1.1 200 OK


A request whose Referer is www.baidu.com is refused with 403, while a Referer of www.test.com is served (as is a request with no Referer at all, because of none), so the anti-hotlinking configuration works.

Two caveats. The Referer header is supplied by the client, so anyone who sets it to a test.com URL (exactly what the last curl -e does) gets through; this stops casual hotlinking from other sites, not a deliberate attacker. And none has to stay in the list so that visitors who type the URL directly, or whose browser sends no Referer, still receive the file; removing it would break them.

The core configuration is these three lines:

valid_referers none blocked server_names *.test.com;
if ($invalid_referer) {
    return 403;    # deny all; gives the client the same 403, but only in a location block; inside an if use return 403
}
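To see how the whitelist is evaluated, here is an added example that is not part of the lesson: a Python model of nginx's valid_referers decision for the directive above, run over constructed Referer values, including the spoofed one from the curl -e test. SERVER_NAMES is an assumed list of this vhost's server_name values; URI-prefix patterns and ~ regex rules are not modelled.

```python
# Added example (not part of the original lesson): a model of how nginx evaluates
# `valid_referers none blocked server_names *.test.com;` and sets $invalid_referer.
# Simplifications: only host-name patterns with a leading/trailing '*' are handled
# (no URI prefixes, no '~' regex rules). SERVER_NAMES is an assumption.
from urllib.parse import urlsplit

SERVER_NAMES = ["test.com", "www.test.com"]          # assumed server_name values
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]


def _host_matches(host, pattern):
    """nginx allows a single '*' at the start or the end of a referer pattern."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def referer_is_invalid(referer, rules=VALID_REFERERS, server_names=SERVER_NAMES):
    """Return True when nginx would set $invalid_referer (and the `if` returns 403).

    referer is the raw Referer header value, or None when the header is absent.
    """
    if not referer:
        # no Referer at all: allowed only if the list contains `none`
        return "none" not in rules
    lowered = referer.strip().lower()
    if not lowered.startswith(("http://", "https://")):
        # header present but mangled (e.g. stripped by a firewall): the `blocked` case
        return "blocked" not in rules
    host = urlsplit(lowered).hostname or ""
    names = {s.lower() for s in server_names}
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in names:
                return False
        elif _host_matches(host, rule.lower()):
            return False
    return True


def status_for(referer):
    """Status the location block above would produce for a matching image request."""
    return 403 if referer_is_invalid(referer) else 200


if __name__ == "__main__":
    # constructed requests mirroring the curl tests in the lesson, plus edge cases
    for ref in (None, "http://www.baidu.com/1.txt", "http://www.test.com/1.txt",
                "https://test.com.evil.example/", "http://evil.example/test.com/",
                "x-stripped-by-firewall"):
        print(f"{str(ref):40} -> {status_for(ref)}")
```

The two look-alike hosts in the loop (test.com.evil.example, and test.com appearing only in the path) show that the wildcard is matched against the host name suffix only, which is why both are refused while a forged Referer of https://www.test.com/ is accepted.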


2. Nginx access control

Requirement: requests under the /admin/ directory should be served only to a few IP addresses. Configuration:

# vim /usr/local/nginx/conf/vhost/test.com.conf

location /admin/
{
    allow 192.168.93.130;
    allow 127.0.0.1;
    deny all;
}

Unlike Apache, there is no separate "order allow,deny" directive. Nginx evaluates the allow/deny rules in the order they are written and stops at the first rule whose address matches the client; the rules after it are not consulted. Of the three rules above, exactly one takes effect for any given source IP: 192.168.93.130 and 127.0.0.1 hit an allow rule and are admitted, and every other address falls through to deny all. Because order decides, writing deny all first would block every client, including the two allowed addresses. Note that the comparison is against the TCP peer address ($remote_addr): if nginx sits behind a load balancer or another proxy, every request appears to come from that proxy and these rules no longer tell real clients apart.


Matching with a regular expression:

# vim /usr/local/nginx/conf/vhost/test.com.conf

location ~ .*(upload|image)/.*\.php$
{
    deny all;
}

This refuses any .php file under an upload/ or image/ directory. It is a standard hardening step for directories users can write to: if someone manages to upload a .php file there, this rule keeps it from executing as a web shell. Because nginx uses the first regex location that matches, in configuration order, this block must appear before the location ~ \.php$ block that hands PHP to php-fpm; otherwise the fastcgi location wins and the uploaded script runs.

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

Test:

# mkdir /data/wwwroot/test.com/upload
# echo "11111" > /data/wwwroot/test.com/upload/1.php
# echo "11111" > /data/wwwroot/test.com/upload/1.txt

# curl -x 127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden      (rejected directly)

# curl -x 127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK

# cat /tmp/test.com.log
127.0.0.1 - [27/Apr/2018:04:59:16 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [27/Apr/2018:05:03:43 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"

The .txt file is served; the .php file under upload/ is refused.


Restricting by User-Agent:

# vim /usr/local/nginx/conf/vhost/test.com.conf

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;    # the client sees the same 403 as a deny all; in a location block would give
}

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

$http_user_agent ~* : the * after the match operator ~ makes the regular expression case-insensitive; ~ alone is case-sensitive.

# curl -A "Tomato" -x 127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden

# curl -A "tomato" -x 127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden      (lower-case is blocked too, because of ~*)

Like the Referer, the User-Agent string is chosen by the client, so this only filters bots and crawlers that identify themselves honestly.
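The three decisions in this section (the ordered allow/deny rules for /admin/, the regex location that denies .php under upload/ and image/, and the case-insensitive User-Agent check) can be exercised without a running nginx. The following is an added example, not code from the lesson: a Python model of how nginx picks a location and applies the rules, run over constructed requests. The client addresses and the extra CIDR rule are assumptions.

```python
# Added example (not from the lesson): a model of the access decisions configured in
# this section. ngx_http_access_module takes the FIRST allow/deny rule that matches
# the client address and stops; regex locations are tried in file order after prefix
# locations, and the first regex match wins. The UA `if` sits at server level, so it
# runs before any location's allow/deny. Addresses and the CIDR example are assumptions.
import ipaddress
import re

ADMIN_RULES = [("allow", "192.168.93.130"), ("allow", "127.0.0.1"), ("deny", "all")]

LOCATIONS = [
    ("prefix", "/admin/", ADMIN_RULES),
    ("regex", re.compile(r".*(upload|image)/.*\.php$"), [("deny", "all")]),
]

# `~*` in nginx: case-insensitive regex match on $http_user_agent
UA_BLOCK = re.compile(r"Spider/3\.0|YoudaoBot|Tomato", re.IGNORECASE)


def rule_matches(addr, client_ip):
    """`all` matches everything; otherwise accept a single address or a CIDR block."""
    if addr == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(addr, strict=False)


def evaluate_access(rules, client_ip):
    """First matching rule decides; with no match nginx allows the request."""
    for action, addr in rules:
        if rule_matches(addr, client_ip):
            return action
    return "allow"


def select_location(path, locations=LOCATIONS):
    """Longest matching prefix is remembered, but the first matching regex overrides it."""
    best = None
    for kind, pattern, rules in locations:
        if kind == "prefix" and path.startswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, rules)
    for kind, pattern, rules in locations:
        if kind == "regex" and pattern.search(path):
            return (pattern.pattern, rules)
    return best


def decide(path, client_ip, user_agent=""):
    """HTTP status the configuration in this section would return."""
    if UA_BLOCK.search(user_agent):
        return 403                        # server-level `if ($http_user_agent ~* ...)`
    loc = select_location(path)
    if loc is None:
        return 200                        # no access rules apply to this path
    return 403 if evaluate_access(loc[1], client_ip) == "deny" else 200


if __name__ == "__main__":
    # constructed requests: the lesson's curl tests plus order and precedence checks
    print(decide("/upload/1.php", "127.0.0.1"))             # 403: regex location
    print(decide("/upload/1.txt", "127.0.0.1"))             # 200
    print(decide("/upload/1.txt", "127.0.0.1", "tomato"))   # 403: UA, case-insensitive
    print(decide("/admin/", "192.168.93.130"))              # 200: allow hit first
    print(decide("/admin/", "10.0.0.5"))                    # 403: fell through to deny all
    print(decide("/admin/upload/shell.php", "127.0.0.1"))   # 403: regex beats the /admin/ prefix
    print(evaluate_access(list(reversed(ADMIN_RULES)), "127.0.0.1"))  # deny: order matters
```

The last two cases are the ones worth remembering: a regex location overrides a prefix location even when the prefix would have allowed the client, and putting deny all first silently locks out the addresses you meant to allow.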


3. Nginx configuration for parsing PHP

# vim /usr/local/nginx/conf/vhost/test.com.conf

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    # This must be the socket php-fpm actually listens on; if the path is wrong, nginx cannot connect and returns 502.
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

# vim /data/wwwroot/test.com/2.php
<?php
phpinfo();

# curl -x 127.0.0.1:80 test.com/2.php

Before the configuration is reloaded, this request returns the raw PHP source, because nginx still serves .php files as static text; after the reload the script is executed by php-fpm and the phpinfo() output comes back. Serving source this way discloses code and any credentials embedded in it, so check that every vhost that contains PHP has a working fastcgi location.


When status code 502 appears, check that the address nginx uses in fastcgi_pass matches the one php-fpm listens on (fastcgi_pass unix:/tmp/php-fcgi.sock; in this example).

(a) First read the nginx error log, then check whether the socket file (/tmp/php-fcgi.sock) exists. If it does not, look at the listen = line in php-fpm.conf to see which socket php-fpm uses and make the nginx fastcgi_pass match it; otherwise the result is 502.

(b) If php-fpm listens on a TCP port instead, take the IP and port from its listen = line and change the nginx side accordingly:

fastcgi_pass unix:/tmp/php-fcgi.sock;

becomes

fastcgi_pass 127.0.0.1:9000;

Otherwise the result is 502.

A socket that exists but that the nginx worker user cannot read or write also produces 502 (the error log shows connect() ... failed (13: Permission denied)). The fix used in this lesson is to open the socket up:

# vim /usr/local/php-fpm/etc/php-fpm.conf
listen.mode = 666    ; read and write permission for everyone

That works, but 666 lets every local user connect to php-fpm and run PHP as the pool user. The tighter setting is to hand the socket to the nginx worker user with listen.owner and listen.group and keep listen.mode = 660.
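As an added example (not from the lesson), the following Python script mechanises the 502 checks above: it pulls listen = and listen.mode = out of php-fpm.conf text and every fastcgi_pass out of nginx config text, reports when the two endpoints do not agree, and flags listen.mode = 666. The configs embedded in it are constructed samples using the lesson's paths; the socket-existence check is optional because it needs the real filesystem.

```python
# Added example (not part of the lesson): a small checker for the 502 causes the text
# describes. It reads `listen =` / `listen.mode =` from a php-fpm pool config and every
# `fastcgi_pass` from an nginx config, then reports an endpoint mismatch or a
# world-writable socket. The sample configs below are constructed for the demo.
import re
from pathlib import Path


def fpm_listen(conf_text):
    """Return (listen, listen.mode) from php-fpm.conf text, ignoring ';' / '#' comments."""
    listen = mode = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"listen\s*=\s*(\S+)", line)
        if m and listen is None:
            listen = m.group(1)
        m = re.match(r"listen\.mode\s*=\s*(\S+)", line)
        if m:
            mode = m.group(1)
    return listen, mode


def nginx_fastcgi_pass(conf_text):
    """Return every fastcgi_pass target in nginx config text (comments stripped)."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]
        m = re.search(r"fastcgi_pass\s+([^;\s]+)\s*;", line)
        if m:
            targets.append(m.group(1))
    return targets


def _endpoint(value):
    """Normalise 'unix:/path', '/path', '9000', 'localhost:9000' to a comparable tuple."""
    v = value.strip()
    if v.startswith("unix:"):
        v = v[len("unix:"):]
    if v.startswith("/"):
        return ("unix", v, None)
    if v.isdigit():                       # php-fpm `listen = 9000` binds every address
        return ("tcp", "0.0.0.0", v)
    host, _, port = v.rpartition(":")
    if host in ("localhost", ""):
        host = "127.0.0.1"
    return ("tcp", host, port)


def endpoints_match(fpm_value, nginx_value):
    """True when nginx's fastcgi_pass would reach php-fpm's listen address."""
    a, b = _endpoint(fpm_value), _endpoint(nginx_value)
    if a[0] == "unix" or b[0] == "unix":
        return a == b
    return a[2] == b[2] and (a[1] == "0.0.0.0" or a[1] == b[1])


def diagnose(fpm_conf, nginx_conf, check_fs=False):
    """List the findings a 502 investigation would turn up for these two configs."""
    findings = []
    listen, mode = fpm_listen(fpm_conf)
    if listen is None:
        return ["php-fpm config has no listen = line"]
    for target in nginx_fastcgi_pass(nginx_conf):
        if not endpoints_match(listen, target):
            findings.append(f"mismatch: nginx fastcgi_pass {target} but php-fpm listens on {listen} (502)")
    if check_fs and listen.startswith("/") and not Path(listen).exists():
        findings.append(f"socket {listen} does not exist: is php-fpm running?")
    if listen.startswith("/") and mode == "666":
        findings.append("listen.mode = 666 lets any local user talk to php-fpm; "
                        "prefer listen.owner/listen.group = nginx worker user and listen.mode = 660")
    return findings


# constructed sample configs (the lesson's paths, not real files)
FPM_SOCKET = "[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\n"
FPM_TCP = "[www]\nlisten = 127.0.0.1:9000\n"
NGINX_SOCKET = ("location ~ \\.php$ {\n    include fastcgi_params;\n"
                "    fastcgi_pass unix:/tmp/php-fcgi.sock;  # must match php-fpm\n"
                "    fastcgi_index index.php;\n}\n")
NGINX_TCP = NGINX_SOCKET.replace("unix:/tmp/php-fcgi.sock", "127.0.0.1:9000")

if __name__ == "__main__":
    for name, fpm, ngx in (("socket/socket", FPM_SOCKET, NGINX_SOCKET),
                           ("tcp/socket", FPM_TCP, NGINX_SOCKET),
                           ("tcp/tcp", FPM_TCP, NGINX_TCP)):
        print(name, diagnose(fpm, ngx) or ["ok"])
```

Run it against real files with diagnose(Path(fpm_path).read_text(), Path(nginx_path).read_text(), check_fs=True) to also confirm the socket exists on disk.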


4. Nginx proxy (reverse proxy)

# cd /usr/local/nginx/conf/vhost/
# vim proxy.conf

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass http://121.201.9.155/;    # address of the real web server
        proxy_set_header Host $host;    # $host carries the requested host name (here the server_name) so the backend serves the right site
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

# curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt

Here the proxy server is my virtual machine and the web server is the ask.apelearn.com forum: the request goes to the local nginx, which fetches the page from 121.201.9.155 and hands it back. X-Real-IP tells the backend which client address the proxy saw, while X-Forwarded-For appends that address to whatever X-Forwarded-For the client already sent, so the backend should trust these headers only on connections that really come from this proxy.
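The following is an added example, not code from the lesson: a Python model of the headers the three proxy_set_header lines produce and of how a backend should, and should not, derive the client address from them. The proxy address 10.0.0.2 and the client addresses are assumptions; the requests are constructed.

```python
# Added example (not from the lesson): what the proxy.conf above sends upstream, and how
# the backend should read it. $proxy_add_x_forwarded_for APPENDS $remote_addr to any
# X-Forwarded-For the client already sent, so the left-most entry is attacker-controlled;
# X-Real-IP is simply set to $remote_addr. The proxy address 10.0.0.2 and the client
# addresses are assumptions; the requests are constructed.
TRUSTED_PROXIES = {"10.0.0.2"}    # our nginx proxy, as the backend sees its TCP peer


def proxy_headers(client_headers, remote_addr, host):
    """Headers produced by the three proxy_set_header lines in proxy.conf."""
    incoming = client_headers.get("X-Forwarded-For")
    xff = f"{incoming}, {remote_addr}" if incoming else remote_addr
    return {"Host": host, "X-Real-IP": remote_addr, "X-Forwarded-For": xff}


def naive_client_ip(headers, peer_addr):
    """Common mistake: take the first X-Forwarded-For entry, from anyone."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr


def safe_client_ip(headers, peer_addr, trusted=TRUSTED_PROXIES):
    """Believe forwarding headers only when the TCP peer is our proxy, and walk
    X-Forwarded-For from the right, skipping trusted hops, so the client cannot
    choose the answer by pre-seeding the header."""
    if peer_addr not in trusted:
        return peer_addr              # headers came straight from an untrusted source
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return headers.get("X-Real-IP", peer_addr)


if __name__ == "__main__":
    # attacker at 203.0.113.7 tries to look like localhost to an IP-based allow rule
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    upstream = proxy_headers(spoofed, "203.0.113.7", "ask.apelearn.com")
    print(upstream)
    print("naive backend:", naive_client_ip(upstream, "10.0.0.2"))   # 127.0.0.1 (fooled)
    print("safe backend: ", safe_client_ip(upstream, "10.0.0.2"))    # 203.0.113.7
    print("direct hit, bypassing the proxy:", safe_client_ip(spoofed, "203.0.113.7"))
```

This is why an allow 127.0.0.1 rule on the backend must be evaluated against the real client address the proxy recorded, never against a header the client could have written itself; nginx's realip module does this properly when given set_real_ip_from for the proxy's address.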

