92. Nginx configuration: hotlink protection (anti-theft chain), access control, parsing PHP and proxy

Source: Internet
Author: User

First, Nginx hotlink protection (anti-theft chain)

Hotlinking is when other sites link to and serve a site's resources (pictures or attachments) without permission. Hotlinking of popular resources in particular consumes a great deal of the site's bandwidth, so hotlink protection is set up to save those resources.

1. Modify the virtual host configuration file
[[email protected] vhost]# vim linuxtest.conf
server
{
    listen 80;
    server_name linuxtest.com;
    index index.html index.htm index.php;
    root /data/wwwroot/linuxtest;
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.linuxtest.com;   # define the referer whitelist
        if ($invalid_referer) {
            return 403;   # if the referer is not a whitelisted domain, return 403
        }
    }
#   location /
#   {
#       auth_basic "Auth";
#       auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#   }
    access_log /tmp/linuxtest.log combined_realip;
}
# access_log specifies where the log is stored and the name of the log format to use
2. Testing
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# echo "This is the anti-theft chain JPG test!" > /data/wwwroot/linuxtest/test.jpg
[[email protected] vhost]# curl -x127.0.0.1:80 linuxtest.com/test.jpg -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, Mar 2018 14:33:07 GMT
Content-Type: image/jpeg
Content-Length: 28
Last-Modified: Thu, 2018 14:32:45 GMT
Connection: keep-alive
ETag: "5aaa840d-1c"
Expires: Thu, April Mar 2018 14:33:07 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

[[email protected] vhost]# curl -x127.0.0.1:80 -e "http://www.com" linuxtest.com/test.jpg -I    # the -e option sets a custom referer
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, Mar 2018 14:33:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Second, access control

Access control restricts access to a specified directory to specified IP addresses.

1. Modify the virtual host configuration file

[[email protected] vhost]# vim linuxtest.conf    # add the following:

location /admin/
{
    allow 192.168.242.128;
    allow 127.0.0.1;
    deny all;    # set the IP whitelist
}

2. Testing

[[email protected] vhost]# mkdir /data/wwwroot/linuxtest/admin
[[email protected] vhost]# echo "Test,test" > /data/wwwroot/linuxtest/admin/1.html
[[email protected] vhost]# curl -x127.0.0.1:80 linuxtest.com/admin/1.html
"Test,test"
[[email protected] vhost]# curl -x192.168.242.128:80 linuxtest.com/admin/1.html
"Test,test"

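3. Access control with a regular expression

location ~ .*(abc|image)/.*\.php$
{
    deny all;    # deny any .php request whose path contains abc/ or image/
}

4. Access control by User-Agent

# "~" is a case-sensitive match; use "~*" for a case-insensitive one
if ($http_user_agent ~ 'spider/3.0|Youdaobot|Tomato')
{
    return 403;
}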

Third, Nginx parsing PHP

Modify the virtual host configuration file
[[email protected] vhost]# vim linuxtest.conf

location ~ \.php$
{
    include fastcgi_params;
    # fastcgi_pass accepts two address formats (TCP address or Unix socket).
    # Use only one of them, and it must match what PHP-FPM listens on.
    # fastcgi_pass 127.0.0.1:9000;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
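
The IP whitelist, the .php deny rule and the PHP handler above interact through nginx's location matching order, shown here as an added example that is not from the original page: a plain prefix location such as /admin/ loses to any matching regex location, so the whitelist alone would not cover /admin/*.php or /admin/*.jpg. The try_files line and the use of $document_root in SCRIPT_FILENAME are choices made for this example.

```nginx
# Added example; not the original author's configuration.
server
{
    listen 80;
    server_name linuxtest.com;
    root /data/wwwroot/linuxtest;
    index index.html index.htm index.php;

    # "^~" makes nginx skip regex locations once this prefix matches.
    # With a plain "location /admin/", /admin/1.php and /admin/a.jpg would be
    # served by the regex locations and never reach allow/deny.
    location ^~ /admin/
    {
        allow 192.168.242.128;
        allow 127.0.0.1;
        deny all;

        # The outer PHP handler is no longer consulted for this prefix, so
        # /admin/ needs its own; it inherits the allow/deny rules above.
        location ~ \.php$
        {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Regex locations are tested in file order and the first match wins,
    # so this deny rule must appear before the general PHP handler.
    location ~ .*(abc|image)/.*\.php$
    {
        deny all;
    }

    location ~ \.php$
    {
        try_files $uri =404;   # return 404 instead of passing a missing script to PHP-FPM
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```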

Fourth, Nginx proxy

The Nginx proxy is a reverse proxy. With a reverse proxy, a proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results from those servers to the clients on the Internet that requested the connection. To the outside, the proxy server appears to be the server itself.
graph LR
User --> Proxy server
Proxy server --> User
Proxy server --> Web server
Web server --> Proxy server

1. Change the configuration file

[[email protected] vhost]# vim proxy.conf

server
{
    listen 80;
    server_name ask.apelearn.com;    # define the domain name (usually the same as the domain name of the proxied server)
    location /
    {
        proxy_pass http://47.91.145.78/;    # the IP of the web server being proxied
        proxy_set_header Host $host;    # $host is the server_name of the proxy server (also the domain name of the proxied IP)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

2. Testing

[[email protected] vhost]# vim proxy.conf
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# curl -x127.0.0.1:80 ask.apelearn.com -I    # through the proxy
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 2018 15:44:25 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: APE__SESSION=K44G3EKLSERT1FGBJHL061L4F4; path=/; domain=.apelearn.com
Expires: Thu, 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

[[email protected] vhost]# curl ask.apelearn.com -I    # direct connection
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, Mar 2018 15:46:06 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: APE__SESSION=IUM8S3HSRJH4ULF6QBRJPDCME2; path=/; domain=.apelearn.com
Expires: Thu, 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
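
What the backend can trust from the headers set in proxy.conf, as an added example that is not part of the original page: the two fragments belong to two different machines. 192.0.2.10 is a constructed placeholder for the proxy's address as the backend sees it, the /admin/ rule reuses the whitelist from the access control section, and the realip directives assume nginx was built with ngx_http_realip_module.

```nginx
# Added example; not the original author's configuration.

# --- Proxy server (the page's proxy.conf) ---
server
{
    listen 80;
    server_name ask.apelearn.com;
    location /
    {
        proxy_pass http://47.91.145.78/;
        proxy_set_header Host $host;
        # Replaces any X-Real-IP sent by the client with the TCP peer address.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client sent:
        # only the last entry is written by this proxy, earlier ones are
        # client-supplied and must not be used for access decisions.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- Backend web server (a different host) ---
server
{
    listen 80;
    server_name ask.apelearn.com;

    # Honour X-Real-IP only when the connection comes from the proxy.
    # For any other peer the socket address is kept as $remote_addr.
    set_real_ip_from 192.0.2.10;    # placeholder: the proxy's address
    real_ip_header X-Real-IP;

    # Without the two lines above, every proxied request arrives with the
    # proxy's address, so allow/deny would be evaluated against the proxy
    # rather than the client.
    location ^~ /admin/
    {
        allow 192.168.242.128;
        deny all;
    }
}
```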
