First, nginx hotlink protection (anti-theft chain)
Hotlinking is when other sites display or download a site's resources (pictures or attachments) without permission. Hotlinking of popular resources in particular consumes a great deal of the site's bandwidth, so hotlink protection (an "anti-theft chain") is set up to save resources.
1. Modify the virtual host configuration file
[[email protected] vhost]# vim linuxtest.conf
server
{
    listen 80;
    server_name linuxtest.com;
    index index.html index.htm index.php;
    root /data/wwwroot/linuxtest;
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.linuxtest.com;    # define the referer whitelist
        if ($invalid_referer) {
            return 403;    # if the referer is not a whitelisted domain, return 403
        }
    }
    # location /
    # {
    #     auth_basic "Auth";
    #     auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    # }
    access_log /tmp/linuxtest.log combined_realip;    # access_log sets the log path and the name of the log format to use
}
2. Testing
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# echo "This is the anti-theft chain JPG test! " > /data/wwwroot/linuxtest/test.jpg
[[email protected] vhost]# curl -x127.0.0.1:80 linuxtest.com/test.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, Mar 2018 14:33:07 GMT
Content-Type: image/jpeg
Content-Length: 28
Last-Modified: Thu, 2018 14:32:45 GMT
Connection: keep-alive
ETag: "5aaa840d-1c"
Expires: Thu, April Mar 2018 14:33:07 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[[email protected] vhost]# curl -x127.0.0.1:80 -e "http://www.com" linuxtest.com/test.jpg -I    # the -e option sets a custom referer
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, Mar 2018 14:33:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
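The two results above (no Referer allowed, http://www.com refused) follow from how each word of the whitelist is evaluated. The following is an added example, not part of the original page and not nginx's own code: a simplified Python model of valid_referers for this vhost, run over constructed Referer values. The names invalid_referer, expected_status and SAMPLES are hypothetical.

```python
from urllib.parse import urlsplit

# The whitelist from the vhost above: none blocked server_names *.linuxtest.com
SERVER_NAMES = {"linuxtest.com"}          # what "server_names" expands to here
WILDCARD_SUFFIXES = (".linuxtest.com",)   # "*.linuxtest.com"


def invalid_referer(referer):
    """Simplified model: True where nginx would set $invalid_referer."""
    if referer is None:
        return False    # "none": the request has no Referer header at all
    if not referer.lower().startswith(("http://", "https://")):
        return False    # "blocked": header present but without http(s)://
    host = (urlsplit(referer).hostname or "").lower()
    if host in SERVER_NAMES:
        return False    # "server_names"
    # The wildcard is compared with the whole host name, not as a substring.
    return not host.endswith(WILDCARD_SUFFIXES)


def expected_status(referer):
    """Status the image location above should answer with."""
    return 403 if invalid_referer(referer) else 200


# Constructed sample Referer values (None means the header is not sent).
SAMPLES = [
    None,
    "http://linuxtest.com/index.html",
    "https://img.linuxtest.com/gallery",
    "http://www.com",
    "http://linuxtest.com.example.net/page",
    "http://notlinuxtest.com/",
    "about:blank",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(expected_status(ref), ref)
```

Because none and blocked are on the whitelist, this rule limits embedding by ordinary browsers and saves bandwidth; it is not a substitute for the allow/deny or auth_basic controls when a file must be restricted.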
Second, access control
Access control restricts which IP addresses may access a specified directory.
1. Modify the virtual host configuration file
[[email protected] vhost]# vim linuxtest.conf    # add the following:
location /admin/
{
    allow 192.168.242.128;
    allow 127.0.0.1;
    deny all;    # set the IP whitelist
}
2. Testing
[[email protected] vhost]# mkdir /data/wwwroot/linuxtest/admin
[[email protected] vhost]# echo "Test,test" > /data/wwwroot/linuxtest/admin/1.html
[[email protected] vhost]# curl -x127.0.0.1:80 linuxtest.com/admin/1.html
"Test,test"
[[email protected] vhost]# curl -x192.168.242.128:80 linuxtest.com/admin/1.html
"Test,test"
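3. Access control by regular expression
location ~ .*(abc|image)/.*\.php$
{
    deny all;    # refuse any .php request under a path containing abc/ or image/
}
4. Access control by User-Agent
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')    # ~ is case-sensitive; ~* ignores case
{
    return 403;
}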
Third, nginx parsing PHP
Modify the virtual host configuration file
[[email protected] vhost]# vim linuxtest.conf
location ~ \.php$
{
    include fastcgi_params;
    # fastcgi_pass 127.0.0.1:9000;
    fastcgi_pass unix:/tmp/php-fcgi.sock;    # fastcgi_pass accepts two address formats (TCP ip:port or unix socket); use only one, and it must match what PHP-FPM listens on
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
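nginx tests regex locations in the order they appear in the file and uses the first one that matches, so the deny rule for .php under abc/ or image/ only takes effect if it is placed before location ~ \.php$. The following added example (not from the original page) models that selection in Python, with the re module standing in for nginx's PCRE; select_location and the sample URIs are hypothetical and constructed.

```python
import re

# Regex locations in file order: (pattern, action). Patterns are from this page.
DENY_FIRST = [
    (r".*(abc|image)/.*\.php$", "deny"),
    (r"\.php$", "fastcgi"),
]
PHP_FIRST = list(reversed(DENY_FIRST))    # same blocks, PHP handler written first


def select_location(uri, regex_locations):
    """Model of regex-location selection: first match in file order wins."""
    for pattern, action in regex_locations:
        if re.search(pattern, uri):    # "~" is an unanchored, case-sensitive match
            return action
    return "other"                     # neither of these two blocks applies


# Constructed request URIs.
SAMPLE_URIS = [
    "/image/upload.php",
    "/static/abc/info.php",
    "/index.php",
    "/image/logo.png",
    "/image/readme.php.txt",
]


def report(regex_locations):
    """Map each sample URI to the block that would handle it."""
    return {uri: select_location(uri, regex_locations) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for name, order in (("deny block first", DENY_FIRST), ("php block first", PHP_FIRST)):
        print(name)
        for uri, action in report(order).items():
            print("  %-24s %s" % (uri, action))
```

With the PHP block first, /image/upload.php and /static/abc/info.php are handed to PHP-FPM and the deny block is never reached.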
Fourth, nginx proxy
The nginx proxy here is a reverse proxy. A reverse proxy is a proxy server that accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the servers' results to the clients on the Internet that made the requests. To the outside, the proxy server appears to be the server itself.
Request flow: User -> Proxy server -> Web server; the response returns Web server -> Proxy server -> User.
1. Change the configuration file
[[email protected] vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;    # the domain name (normally the domain served by the proxied IP)
    location /
    {
        proxy_pass http://47.91.145.78/;    # the IP of the web server being proxied
        proxy_set_header Host $host;    # $host is the host name of the request, here the server_name above (also the domain of the proxied IP)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
2. Testing
[[email protected] vhost]# vim proxy.conf
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I    # through the proxy
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 2018 15:44:25 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: APE__SESSION=K44G3EKLSERT1FGBJHL061L4F4; path=/; Domain=.apelearn.com
Expires: Thu, 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
[[email protected] vhost]# curl ask.apelearn.com -I    # direct connection
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, Mar 2018 15:46:06 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: APE__SESSION=IUM8S3HSRJH4ULF6QBRJPDCME2; path=/; Domain=.apelearn.com
Expires: Thu, 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
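In proxy.conf, X-Real-IP is overwritten with $remote_addr, while $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For list arrived with the request, so the web server behind the proxy can rely only on entries added by proxies it trusts. The following added example (not from the original page) shows one way the backend can pick the client address for logging or allow/deny decisions; client_ip, is_trusted and the trusted-proxy list are assumptions built from the proxy addresses used on this page.

```python
import ipaddress

# Assumption: the only proxies allowed to set the header are the nginx proxy
# addresses used on this page.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.242.128/32")
]


def is_trusted(addr):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for):
    """Return the address to log or to apply allow/deny rules to.

    peer_addr is the TCP peer seen by the web server; x_forwarded_for is the
    raw header value, or None when the header is absent.
    """
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return peer_addr          # header was not set by our proxy: ignore it
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # The proxy appends on the right, so read right to left and stop at the
    # first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr      # malformed entry: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer_addr              # every hop was a trusted proxy


if __name__ == "__main__":
    # Constructed case: the request arrived with "127.0.0.1" already in the
    # header and the proxy appended the real peer, 203.0.113.7.
    print(client_ip("192.168.242.128", "127.0.0.1, 203.0.113.7"))
```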
92. Nginx configuration: anti-theft chain, access control, parsing PHP and proxy