Nginx hotlink protection + access control + restricting PHP execution in specified directories + PHP parsing support + restricting user_agent

Source: Internet
Author: User

Nginx hotlink protection

Purpose: prevent other websites from embedding this site's image and video resources, which would drive up traffic and cause unnecessary bandwidth costs.
For example: this website test.com hosts the image file 1.gif. If website B embeds it as test.com/1.gif, the number of requests for this image rises and bandwidth use grows, but the number of users actually visiting test.com does not increase, so the outbound bandwidth cost rises for nothing.

Edit the virtual host configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf

Add code

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;    # whitelist is *.test.com; any other referer is refused
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}

Note: if this file already contains a location block that sets the expiry time for static files and turns off logging, comment it out or delete it first, because it would duplicate this one.

Check the configuration and apply it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test normal access
curl -x127.0.0.1:80 test.com/2.doc -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:13:16 GMT
Content-Type: application/msword
Content-Length: 0
Last-Modified: Thu, 15 Mar 2018 10:12:05 GMT
Connection: keep-alive
ETag: "5aaa46f5-0"
Expires: Thu, 22 Mar 2018 10:13:16 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Simulate hotlinking by sending another site's Referer
curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/2.doc -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:15:42 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Nginx access control

Requirement: requests to the /admin/ directory are allowed only from a few IP addresses.

Edit the virtual host configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf

Add code

location /admin/    # rule for access to the /admin/ directory
{
    allow 127.0.0.1;        # allow 127.0.0.1
    allow 192.168.188.1;    # allow 192.168.188.1
    deny all;               # deny everyone else; the allow rules must come before deny all
}
Check the configuration and apply it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test access from a whitelisted IP
curl -x127.0.0.1:80 test.com/admin/admin.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:38:25 GMT
Content-Type: text/html
Content-Length: 34
Last-Modified: Tue, 13 Mar 2018 12:25:30 GMT
Connection: keep-alive
ETag: "5aa7c33a-22"
Accept-Ranges: bytes
Test access from a non-whitelisted IP
curl -x192.168.188.2:80 test.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 10:38:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Restrict PHP execution in specified directories

Edit the virtual host configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf

Add code

location ~ .*(abc|image)/.*\.php$
{
    deny all;
}
Check the configuration and apply it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test

Use curl to request a PHP file in the restricted abc directory; the request is refused with 403 Forbidden.

curl -x127.0.0.1:80 test.com/abc/a.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 12:42:20 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Restrict user_agent (refuse clients whose user agent matches a masquerading name used in DDoS-style access attacks)

Edit the virtual host configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf

Code:

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}

Note: in ~* the ~ means a regular expression match and the * makes the match case-insensitive.

Check the configuration and apply it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test

Send a request with the user_agent set to Tomato123; access is refused with 403.

curl -A "Tomato123" -x127.0.0.1:80 test.com/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 12:47:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
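To show how the three rules configured so far (valid_referers in the static-file location, allow/deny in /admin/, and the user_agent if) decide a request, here is an added Python model of their evaluation; it is not part of the original page and not nginx code. It assumes server_name is test.com and that the wildcard *.test.com matches subdomains only, with the apex covered by server_names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed model of the three rules in test.com.conf (assumptions: server_name is
# test.com; *.test.com matches subdomains only, the apex is covered by server_names).
SERVER_NAMES = {"test.com"}
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
STATIC_RE = re.compile(r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.I)
ADMIN_RULES = [("allow", "127.0.0.1"), ("allow", "192.168.188.1"), ("deny", "all")]
UA_BLOCK = re.compile(r"Spider/3.0|YoudaoBot|Tomato", re.I)  # ~* is case-insensitive

def referer_valid(referer):
    """True when $invalid_referer would be empty for this Referer header value."""
    if not referer:                                # header absent: 'none'
        return "none" in VALID_REFERERS
    if not re.match(r"https?://", referer, re.I):  # present, scheme stripped: 'blocked'
        return "blocked" in VALID_REFERERS
    host = (urlsplit(referer).hostname or "").lower()
    for rule in VALID_REFERERS:
        if rule == "server_names" and host in SERVER_NAMES:
            return True
        if rule.startswith("*.") and host.endswith(rule[1:]):
            return True
    return False

def acl_allows(client_ip, rules=ADMIN_RULES):
    """allow/deny rules are checked in order; the first one that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net == "all" or ip in ipaddress.ip_network(net, strict=False):
            return action == "allow"
    return True                                    # nothing matched: nginx allows

def decide(uri, client_ip, referer=None, user_agent=""):
    """Status nginx would return for a request, considering only these three rules."""
    if UA_BLOCK.search(user_agent):                # if ($http_user_agent ~* ...) return 403
        return 403
    if STATIC_RE.search(uri) and not referer_valid(referer):
        return 403
    if uri.startswith("/admin/") and not acl_allows(client_ip):
        return 403
    return 200

if __name__ == "__main__":
    # The page's curl tests, replayed against the model
    print(decide("/2.doc", "127.0.0.1", referer="http://www.baidu.com"))  # 403
    print(decide("/admin/admin.html", "192.168.188.2"))                    # 403
    print(decide("/1.html", "127.0.0.1", user_agent="Tomato123"))          # 403
```

Note what the blocked keyword does: a Referer that is present but carries no http:// or https:// scheme (the case of a proxy stripping it) is accepted, so the whitelist is only enforced on referers that still carry a scheme.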
Nginx PHP parsing support

Edit the virtual host configuration file
vim /usr/local/nginx/conf/vhost/test.com.conf

Code

location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}

Note: the socket in fastcgi_pass unix:/tmp/php-fcgi.sock; must match the listen = /tmp/php-fcgi.sock setting in /usr/local/php-fpm/etc/php-fpm.conf, otherwise nginx returns a 502 error.
If php-fpm.conf listens on an IP address and port instead of a socket, for example listen = 127.0.0.1:9000,
then test.com.conf must use fastcgi_pass 127.0.0.1:9000; instead.

Check the configuration and apply it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
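Because nginx tries regex locations in file order and lets the first regex match override a plain prefix location, the order in which the blocks from this page appear in test.com.conf decides which one handles a PHP request. Here is an added Python model of that selection (not the page's code and not nginx itself) with the four locations in one assumed file order:

```python
import re

# Constructed model of the four location blocks on this page, in one assumed file
# order (the page does not show the whole vhost, so the order is an assumption).
LOCATIONS = [
    ("prefix", "/admin/", "admin-acl"),
    ("regex", re.compile(r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", re.I), "static"),
    ("regex", re.compile(r".*(abc|image)/.*\.php$"), "deny-php"),
    ("regex", re.compile(r"\.php$"), "php-fpm"),
]

def select_location(uri, locations=LOCATIONS):
    """Block nginx would use: the longest matching plain prefix is remembered, then regex
    locations are tried in file order and the first match wins over the prefix."""
    best_prefix = None
    for kind, pat, name in locations:
        if kind == "prefix" and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[0]):
                best_prefix = (pat, name)
    for kind, pat, name in locations:
        if kind == "regex" and pat.search(uri):
            return name
    return best_prefix[1] if best_prefix else "server-default"

def php_before_deny():
    """Same blocks with the generic PHP handler written above the deny rule."""
    return LOCATIONS[:2] + [LOCATIONS[3], LOCATIONS[2]]

if __name__ == "__main__":
    for uri in ("/admin/admin.html", "/admin/secret.php", "/abc/a.php", "/1.gif"):
        print(uri, "->", select_location(uri),
              "| with php block first ->", select_location(uri, php_before_deny()))
```

Two things the model makes visible: with location ~ \.php$ written above the deny rule, /abc/a.php is handed to php-fpm and the restriction is silently void, and a .php file under /admin/ is handled by the regex PHP block in either order, so the /admin/ IP whitelist does not cover it unless the allow/deny rules are also applied in a location that matches PHP files there.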
