Linux Learning Summary (42) LNMP access Control Chapter


1 Nginx hotlink protection (anti-leech) configuration

The principle behind hotlink protection was already covered in the LAMP chapter and is not repeated here; we go straight to the configuration.
The core statement is

  valid_referers none blocked server_names *.test.com;
  if ($invalid_referer) {
      return 403;
  }

This has to sit inside a location block. Combined with the cache-expiry configuration from earlier, the result looks like this (nginx comments start with #):

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
  {
      expires      7d;        # cache the files matched above for 7 days
      valid_referers none blocked server_names *.test.com;   # the referers considered valid
      if ($invalid_referer) {
          return 403;         # an invalid referer is refused with 403
      }
      access_log off;         # do not log requests for the files matched by this location
  }

  /usr/local/nginx/sbin/nginx -t
  /usr/local/nginx/sbin/nginx -s reload
  curl -x127.0.0.1:80 -I -e "http://www.baidu.com/1.txt" test.com/2.jpg

  curl -x127.0.0.1:80 -I -e "http://test.com/1.txt" test.com/2.jpg

The -e option sets the Referer header. The first request carries a Referer outside test.com and should be answered with 403; the second, whose Referer is test.com, should return 200.
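To see how that valid_referers line decides, here is an added Python emulation (not code from the original post, and not nginx's own implementation) of the subset of valid_referers syntax used above: none, blocked, server_names, plain hostnames with an optional path prefix, and *.host / host.* wildcards. The server_name list and the sample Referer values are constructed for the example.

```python
"""Emulation of the nginx valid_referers / $invalid_referer decision.

Added example; this is a simplified re-implementation for illustration,
not nginx source. Supported entries: none, blocked, server_names,
plain hostnames (optionally with a path prefix), and "*." / ".*"
wildcards. Regex (~) entries are not handled.
"""

# Constructed to match the configuration in the post.
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
SERVER_NAMES = ["test.com"]


def _split_referer(referer):
    """Return (host, path) from a Referer value; None if it has no http(s) scheme."""
    low = referer.lower()
    if low.startswith("http://"):
        rest = low[len("http://"):]
    elif low.startswith("https://"):
        rest = low[len("https://"):]
    else:
        return None
    host, _, path = rest.partition("/")
    host = host.split(":", 1)[0]          # drop an explicit port (simplification)
    return host, "/" + path


def _host_matches(host, path, pattern):
    """Match one hostname pattern; a pattern may carry a path prefix, e.g. www.x.org/galleries/."""
    pattern = pattern.lower()
    host_pat, _, path_pat = pattern.partition("/")
    if path_pat and not path.startswith("/" + path_pat):
        return False
    if host_pat.startswith("*."):
        # *.test.com matches img.test.com but not test.com itself (server_names covers that)
        return host.endswith(host_pat[1:])
    if host_pat.endswith(".*"):
        return host.startswith(host_pat[:-1])
    return host == host_pat


def referer_is_valid(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty for this Referer."""
    if not referer:
        return "none" in valid              # no Referer header at all
    parts = _split_referer(referer)
    if parts is None:
        return "blocked" in valid           # header present but stripped/masked by a proxy or firewall
    host, path = parts
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        patterns = server_names if entry == "server_names" else [entry]
        if any(_host_matches(host, path, p) for p in patterns):
            return True
    return False


def status_for(referer):
    """The status the location block above would return for a hotlink-checked file."""
    return 200 if referer_is_valid(referer) else 403


if __name__ == "__main__":
    # Constructed sample Referer values, including the two curl tests from the post.
    for ref in [None, "http://www.baidu.com/1.txt", "http://test.com/1.txt",
                "https://IMG.test.com/a.html", "http://test.com.evil.example/", "masked"]:
        print(repr(ref), "->", status_for(ref))
```

Two points the emulation makes visible: a host that merely contains test.com (test.com.evil.example) is still rejected because the wildcard is anchored at the end of the hostname, and "blocked" admits any Referer value that lacks an http:// or https:// scheme, so it is a deliberate concession to clients behind filtering proxies rather than a strict check.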

2 Access Control

Requirement one: restrict access to the admin directory so that only the local host 127.0.0.1 is allowed and every other IP is denied. The configuration is:

  location /admin/
  {
      allow 127.0.0.1;
      deny all;
  }

Let's look at the logic. In Apache, the Order directive defines the sequence in which Deny and Allow are evaluated, and every rule is evaluated. For the current requirement the Apache configuration would be

  <Directory /data/wwwroot/www.123.com/admin/>
      Order deny,allow
      Deny from all
      Allow from 127.0.0.1
  </Directory>

If you change this to Order allow,deny, then Deny from all wins and the Allow statement has no effect. Nginx instead evaluates the rules from the top down and stops at the first match: the first rule is checked first, and the second rule is only consulted when the first one does not match.

  curl -x127.0.0.1:80 test.com/admin/index.html
  curl -x192.168.226.130:80 test.com/admin/index.html


Here 192.168.226.130 is the IP of the local ens33 NIC.
To block individual IPs, write

  location /admin/
  {
      deny 192.168.226.130;
  }

The default is to allow everything, so there is no need to write allow all.
You can also restrict by regular expression:

  location ~ .*(upload|image)/.*\.php$
  {
      deny all;
  }

This denies requests for PHP files under an upload or image directory.
Note: this block must be placed before the PHP parsing location (the location ~ \.php$ block in the next section). Regular-expression locations are matched in file order and the first match wins, so if the deny block comes after the PHP location, the PHP location handles the request first and the restriction never applies.
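The difference between Apache's Order and nginx's first-match evaluation, together with the file-order caveat for regex locations, is easy to check with a small emulation. The Python below is an added example (not nginx or Apache code, and not from the original post): it evaluates the post's allow/deny rules for a client IP under both models and shows which regex location captures a request such as /upload/a.php depending on the order of the two location blocks. The rule lists, location names and request URIs are constructed for the example.

```python
"""Emulation of nginx allow/deny, Apache Order, and nginx regex-location order.

Added example for illustration; a simplified re-implementation, not the
servers' own code.
"""
import ipaddress
import re


def _matches(client_ip, rule_addr):
    """True if client_ip falls under rule_addr ("all", a single IP, or a CIDR block)."""
    if rule_addr == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule_addr, strict=False)


def nginx_allowed(client_ip, rules):
    """nginx: rules are checked top-down in file order and the FIRST match decides.
    rules is a list of (action, address) tuples; with no match, access is allowed."""
    for action, addr in rules:
        if _matches(client_ip, addr):
            return action == "allow"
    return True


def apache_allowed(client_ip, order, deny_from, allow_from):
    """Apache 2.2 Order semantics: every rule is evaluated, not just the first.
    Order deny,allow -> denied only if a Deny matches and no Allow matches (default allow).
    Order allow,deny -> allowed only if an Allow matches and no Deny matches (default deny)."""
    denied = any(_matches(client_ip, a) for a in deny_from)
    allowed = any(_matches(client_ip, a) for a in allow_from)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def matching_regex_location(uri, locations):
    """nginx checks regex (~) locations in file order; the first one that matches wins.
    locations is a list of (regex, name) tuples."""
    for pattern, name in locations:
        if re.search(pattern, uri):
            return name
    return None


# Constructed rule sets mirroring the post's configuration.
ADMIN_RULES = [("allow", "127.0.0.1"), ("deny", "all")]
SINGLE_DENY = [("deny", "192.168.226.130")]

# The two regex locations from the post, once in the correct order and once reversed.
DENY_UPLOAD_PHP = (r".*(upload|image)/.*\.php$", "deny_php_in_upload")
PHP_FASTCGI = (r"\.php$", "php_fastcgi")
CORRECT_ORDER = [DENY_UPLOAD_PHP, PHP_FASTCGI]
WRONG_ORDER = [PHP_FASTCGI, DENY_UPLOAD_PHP]


if __name__ == "__main__":
    for ip in ["127.0.0.1", "192.168.226.130"]:
        print(ip, "nginx admin:", nginx_allowed(ip, ADMIN_RULES),
              "apache deny,allow:", apache_allowed(ip, "deny,allow", ["all"], ["127.0.0.1"]),
              "apache allow,deny:", apache_allowed(ip, "allow,deny", ["all"], ["127.0.0.1"]))
    print("/upload/a.php correct order ->", matching_regex_location("/upload/a.php", CORRECT_ORDER))
    print("/upload/a.php wrong order   ->", matching_regex_location("/upload/a.php", WRONG_ORDER))
```

Running it shows the post's claim directly: under Order allow,deny the loopback address is refused even though an Allow names it, and with the PHP location listed first a request for /upload/a.php is handed to PHP-FPM instead of being denied.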

Restricting access by user agent: the * after match ~ makes the match case-insensitive.

  if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato') {
      return 403;
  }

  curl -x127.0.0.1:80 test.com -A "spider/3.0"


This blocks certain crawlers (Spider/3.0, YoudaoBot) and anything identifying itself with Tomato; it is a way of selectively restricting particular kinds of access.

3 Parsing PHP Configuration
  location ~ \.php$
  {
      include fastcgi_params;
      fastcgi_pass unix:/tmp/php-fcgi.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
  }

The line fastcgi_pass unix:/tmp/php-fcgi.sock; specifies the socket on which PHP-FPM listens. It can also be an IP plus port, but it must agree with the PHP-FPM configuration, where the corresponding line is listen = /tmp/php-fcgi.sock. That configuration file is /usr/local/php-fpm/etc/php-fpm.conf; we chose the configuration path when we installed PHP.
In the line fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;, the
/data/wwwroot/test.com part must match the root of the virtual host.
  vim /data/wwwroot/test.com/2.php

Write a little content:

  <?php
  echo "a really php script";
  ?>

Run nginx -s reload, then test with curl:

  curl -x127.0.0.1:80 test.com/2.php

4 Nginx Proxy

Proxy servers:
What is usually called a proxy is a forward proxy. A forward proxy hides the real client: the server does not know who the real client is (XXX servers are an example of this). A reverse proxy stands in for the server side and hides the real server.
In a forward proxy, the proxy and the client are in the same LAN.
In a reverse proxy, the proxy and the server are in the same LAN.

Create a new virtual host by editing

  vim /usr/local/nginx/conf/vhost/proxy.conf

  server
  {
      listen 80;
      server_name proxybaidu.com;     # domain name of the local proxy server
      location /
      {
          proxy_pass       http://61.135.169.125/;   # IP of the server being proxied
          proxy_set_header Host www.baidu.com;       # domain name of the server being proxied
          proxy_set_header X-Real-IP       $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
  }

  curl -x127.0.0.1:80 proxybaidu.com


We found that through the local intranet we could reach the Baidu home page. To make the proxy easier to understand, the proxy server was deliberately given a different domain name; normally the proxy is given the same domain name as the server that actually provides the site's resources, so that clients cannot tell the difference, which saves a lot of trouble. Baidu's IP was obtained with ping www.baidu.com.
Summary: the experiment above is a reverse proxy. How should we understand that a reverse proxy hides the server side, and that the proxy server and the real server are in the same subnet? In the experiment I changed proxybaidu.com to baidu.com, set the local DNS on the Windows host accordingly, and then visited Baidu; I could not tell that the data came from my virtual machine's web server, so the server was hidden. As for why my virtual machine's web server and Baidu count as being in the same subnet: the key point is that server and client, LAN and public network, or same subnet are relative concepts and make no sense discussed in isolation. -x127.0.0.1:80 specifies the local private network, i.e. the loopback address; because our virtual machine is NATed through the host onto the public network, seen as a whole our virtual machine's web server and Baidu are on the same subnet.

