Nginx hotlink protection (referer whitelist)
- Configured as follows; it can be combined with the static-file block that turns access logging off. Note that the Referer header is supplied by the client, so this stops other sites from embedding your files, not a deliberate downloader who sets his own Referer (as the curl -e test below does).
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com;   # the referer whitelist
        if ($invalid_referer) {
            return 403;   # any referer that is not on the whitelist gets a 403
        }
        access_log off;
    }
- Test
    # curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:27:15 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive

    # curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:27:23 GMT
    Content-Type: image/gif
    Content-Length: 9
    Last-Modified: Sat, 16 Jun 2018 03:04:17 GMT
    Connection: keep-alive
    ETag: "5b247e31-9"
    Expires: Sat, 23 Jun 2018 03:27:23 GMT
    Cache-Control: max-age=604800
    Accept-Ranges: bytes
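To make the whitelist semantics concrete, here is an added Python model of the decision that valid_referers and $invalid_referer make under the block above. It is not nginx code and not part of the course notes; it assumes the vhost's server_name is test.com (so that server_names expands to it) and all Referer values are constructed test inputs. Besides the two curl cases above it covers what they do not show: a missing Referer (none), a value without an http:// or https:// scheme (blocked), case and port handling, look-alike domains, and the optional URI prefix a valid_referers entry may carry. A forged Referer such as the one curl -e sends is accepted exactly like a genuine one.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example: a model of nginx's valid_referers / $invalid_referer decision
# for the page's hotlink configuration. Not nginx code; written for this page.

SERVER_NAMES: List[str] = ["test.com"]   # assumption: the vhost's server_name
RULES: List[str] = ["none", "blocked", "server_names", "*.test.com"]   # from the page


def split_referer(referer: str) -> Tuple[Optional[str], str]:
    """Return (lowercased host, uri) for an http(s) Referer, or (None, "") when
    the value has no http:// or https:// scheme (nginx then treats it as a
    value mangled by a proxy or firewall, i.e. the 'blocked' case)."""
    low = referer.lower()
    if low.startswith("http://"):
        rest = referer[len("http://"):]
    elif low.startswith("https://"):
        rest = referer[len("https://"):]
    else:
        return None, ""
    host = re.match(r"[^/:]*", rest).group(0)     # host ends at the first '/' or ':'
    uri = rest[len(host):]
    if uri.startswith(":"):                        # drop a port, keep the path
        uri = uri[uri.find("/"):] if "/" in uri else ""
    return host.lower(), uri or "/"


def pattern_matches(pattern: str, host: str, uri: str) -> bool:
    """One valid_referers entry: exact name, '*.suffix', 'prefix.*', '~regex',
    each optionally followed by a URI prefix (e.g. '*.test.com/img/')."""
    if pattern.startswith("~"):                    # regex is applied to host + uri
        return re.search(pattern[1:], host + uri) is not None
    host_pat, slash, uri_pat = pattern.lower().partition("/")
    if slash and not uri.startswith("/" + uri_pat):
        return False
    if host_pat.startswith("*."):
        suffix = host_pat[1:]                      # ".test.com": needs a label in front
        return host.endswith(suffix) and len(host) > len(suffix)
    if host_pat.endswith(".*"):
        prefix = host_pat[:-1]                     # "www.test.": needs a label after
        return host.startswith(prefix) and len(host) > len(prefix)
    return host == host_pat


def referer_is_valid(referer: Optional[str], rules: Iterable[str] = RULES,
                     server_names: Iterable[str] = SERVER_NAMES) -> bool:
    """True when $invalid_referer would be empty for this Referer header."""
    rules = list(rules)
    if referer is None:                            # header absent
        return "none" in rules
    host, uri = split_referer(referer)
    if host is None:                               # present but not http(s)://...
        return "blocked" in rules
    patterns = [r for r in rules if r not in ("none", "blocked", "server_names")]
    if "server_names" in rules:
        patterns.extend(server_names)
    return any(pattern_matches(p, host, uri) for p in patterns)


def status_for(referer: Optional[str]) -> int:
    """Status the page's block returns for GET /1.gif with this Referer:
    200 when the referer is valid, otherwise the 403 from the if block."""
    return 200 if referer_is_valid(referer) else 403


if __name__ == "__main__":
    # Constructed Referer values; the first two are the curl -e tests above.
    for ref in ["http://www.baidu.com/1.txt", "http://www.test.com/1.txt", None,
                "xyz", "HTTPS://Img.TEST.com:8080/x", "http://eviltest.com/",
                "http://test.com.evil.org/"]:
        print(f"{ref!r:40} -> {status_for(ref)}")
```

Two things worth noticing when running it: server_names alone does not cover www.test.com, which is why the course adds *.test.com, and the "blocked" entry deliberately lets through any Referer that is not a URL, so a client can also bypass the check by sending a junk Referer rather than a forged one.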
Nginx access control
- Restrict access to the /admin/ directory so that only a few IP addresses may reach it, configured as follows
    location /admin/
    {
        allow 192.168.21.128;
        allow 127.0.0.1;
        deny all;
    }
  allow and deny rules are checked in the order they are written; the first rule that matches the client address decides, and the rules after it are not evaluated. deny all therefore has to be the last rule, and an address that matches no rule at all is allowed.
- Test
    # mkdir /data/wwwroot/test.com/admin
    # echo "admin" > /data/wwwroot/test.com/admin/1.html
    # curl -x127.0.0.1:80 test.com/admin/1.html -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 03:59:22 GMT
    Content-Type: text/html
    Content-Length: 6
    Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT
    Connection: keep-alive
    ETag: "5b248af6-6"
    Accept-Ranges: bytes

    # curl -x192.168.21.128:80 test.com/admin/1.html -I
    HTTP/1.1 200 OK
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 04:01:33 GMT
    Content-Type: text/html
    Content-Length: 6
    Last-Modified: Sat, 16 Jun 2018 03:58:46 GMT
    Connection: keep-alive
    ETag: "5b248af6-6"
    Accept-Ranges: bytes

    # dhclient ens37
    # ifconfig
    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>
            inet 192.168.110.128  netmask 255.255.255.0  broadcast 192.168.110.255
            inet6 fe80::c559:4a92:72f1:b448  prefixlen 64  scopeid 0x20<link>

    # curl -x192.168.110.128:80 test.com/admin/1.html -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0
    Date: Sat, 16 Jun 2018 04:05:10 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
  Connecting to one of the server's own addresses makes that address the client address nginx sees: 127.0.0.1 and 192.168.21.128 are on the allow list, while 192.168.110.128, the address ens37 obtained from dhclient, is not and gets a 403.
- Match by regular expression to stop PHP from being parsed under upload and image directories. Regex locations are tried in the order they appear in the configuration and the first match wins, so this block must be placed before the generic location ~ \.php$ block, otherwise the PHP block handles the request first.
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
- Test
    # mkdir /data/wwwroot/test.com/upload
    # echo "11111" > /data/wwwroot/test.com/upload/1.php
    # echo "11111" > /data/wwwroot/test.com/upload/1.txt
    # curl -x127.0.0.1:80 test.com/upload/1.txt
    11111
    # curl -x127.0.0.1:80 test.com/upload/1.php
- Restricting by User-Agent
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
  ~ is a case-sensitive regex match; use ~* to ignore case. return 403 produces the same response as deny all does in a location block, but deny is not accepted inside an if block, so return is used here. The User-Agent string is chosen by the client, so this only turns away crawlers that identify themselves honestly.
- Test
    # curl -A "Tomato" -x127.0.0.1:80 test.com/upload/1.txt
PHP parsing configuration
- The Nginx configuration for handing .php requests to php-fpm is as follows
    location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;   # must match the listen setting in php-fpm.conf
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;   # must match the root set above
    }
- fastcgi_pass accepts two forms, a Unix socket or a TCP address, and whichever is used has to match the listen directive on the php-fpm side; a mismatch makes Nginx answer 502.
    # vim /usr/local/php-fpm/etc/php-fpm.conf
    [global]
    pid = /usr/local/php-fpm/var/run/php-fpm.pid
    error_log = /usr/local/php-fpm/var/log/php-fpm.log
    [www]
    listen = /tmp/php-fcgi.sock
    ;listen = 127.0.0.1:9000
    listen.mode = 666
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024
  listen.mode = 666 is what the course uses so that the Nginx worker can open the socket; if Nginx cannot read and write the socket file the result is again a 502. A mode of 666 makes the socket world-writable, so any local user can submit FastCGI requests to php-fpm. The tighter setting is listen.owner and listen.group set to the user the Nginx workers run as, with listen.mode = 0660.
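The three sections above (the IP allow list on /admin/, the deny block for PHP under upload and image directories, and the generic PHP block) interact through nginx's location-selection order, and the outcome is not what the /admin/ block suggests. The following added Python model of that order (exact match, then longest prefix, then regex locations in order of appearance with the first match winning) is not nginx code and not from the course; the location bodies are summarised as labels, and the HARDENED list is a suggested fix that the page itself does not configure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: a model of how nginx picks the location block for a URI,
# used to see which of the page's blocks really handles a request.
# Not nginx code; location bodies are summarised as labels.

IP_ALLOWLIST = "allow/deny list of location /admin/"
DENY = "deny all"
PHP = "fastcgi_pass to php-fpm"
STATIC = "static file: referer check, expires 7d, access_log off"
IP_ALLOWLIST_PHP = "allow/deny list, then fastcgi_pass to php-fpm"
NO_LOCATION = "no location matched: handled by the server-level configuration"


@dataclass(frozen=True)
class Location:
    modifier: str   # "" prefix, "=" exact, "^~" prefix that beats regexes, "~" regex, "~*" case-insensitive regex
    pattern: str
    effect: str


def select_location(uri: str, locations: List[Location]) -> Optional[Location]:
    """nginx's selection order: an exact '=' match wins outright; otherwise the
    longest matching prefix is remembered (and wins at once if it is '^~');
    then regex locations are tried in order of appearance and the first match
    wins; only if no regex matches is the remembered prefix used."""
    best_prefix: Optional[Location] = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best_prefix


# The page's blocks, in the order they appear on the page.
PAGE_LOCATIONS = [
    Location("", "/admin/", IP_ALLOWLIST),
    Location("~", r".*(upload|image)/.*\.php$", DENY),
    Location("~", r"\.php$", PHP),
    Location("~*", r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$", STATIC),
]

# Same blocks with the generic PHP location written before the upload/image deny.
REORDERED = [PAGE_LOCATIONS[0], PAGE_LOCATIONS[2], PAGE_LOCATIONS[1], PAGE_LOCATIONS[3]]

# Suggested fix (an assumption, not from the page): a regex location for PHP files
# under /admin/ that repeats the allow/deny list, placed before the generic PHP block.
HARDENED = [
    PAGE_LOCATIONS[0],
    Location("~", r"^/admin/.*\.php$", IP_ALLOWLIST_PHP),
    PAGE_LOCATIONS[1],
    PAGE_LOCATIONS[2],
    PAGE_LOCATIONS[3],
]


def effect_for(uri: str, locations: List[Location] = PAGE_LOCATIONS) -> str:
    loc = select_location(uri, locations)
    return loc.effect if loc is not None else NO_LOCATION


if __name__ == "__main__":
    for uri in ["/admin/1.html", "/admin/1.php", "/admin/logo.PNG", "/upload/1.php", "/upload/1.txt"]:
        print(f"{uri:18} page: {effect_for(uri)}")
    print("reordered /upload/1.php ->", effect_for("/upload/1.php", REORDERED))
    print("hardened  /admin/1.php  ->", effect_for("/admin/1.php", HARDENED))
```

The point the model makes: the IP restriction in location /admin/ only covers URIs that no regex location claims. /admin/1.html is protected, but /admin/1.php is handled by location ~ \.php$ and /admin/logo.PNG by the case-insensitive static block, so neither sees the allow/deny list. Putting the two regex PHP blocks in the wrong order likewise hands /upload/1.php to php-fpm. A fuller fix than the HARDENED list is a location ^~ /admin/ block carrying the allow/deny list with a nested location ~ \.php$ inside it, since ^~ stops the top-level regex locations from being consulted at all.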
Nginx proxy
- When a web server has only a private IP, a server that does have a public IP can be placed in front of it as a proxy. The same idea is used for latency: to reach servers in the United States faster, you can set up a proxy server in Hong Kong.
- Here a virtual machine is set up as the proxy server, configured as follows
    server
    {
        listen 80;
        server_name ask.apelearn.com;   # the server_name is normally the same domain the proxied server serves
        location /
        {
            proxy_pass http://121.201.9.155/;   # the known address of the apelearn web server
            proxy_set_header Host $host;        # $host is the domain defined above
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
- The effect is visible by comparing the same request made before and after the proxy vhost is added
    # curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.0
    Date: Mon, 18 Jun 2018 13:07:58 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: http://test.com/robots.txt

    # curl -x127.0.0.1:80 ask.apelearn.com/robots.txt -I
    HTTP/1.1 302 Found
    Server: nginx/1.14.0
    Date: Mon, 18 Jun 2018 13:13:06 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Location: http://121.201.80.216:9000
  Before the proxy vhost exists, the request is answered by the existing test.com configuration, which redirects it to http://test.com/robots.txt (301). Afterwards the response comes back through the proxy from the apelearn server, and the 302 is a redirect configured on that web server, not on the proxy.
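The proxy configuration above and the /admin/ allow/deny list from the access-control section do not combine well, because once a proxy is in front of the backend, $remote_addr on the backend is always the proxy's address and the only trace of the real client is in the headers the proxy sets. The following added Python example, not from the course and not nginx code, models the proxy hop exactly as the three proxy_set_header lines define it and then applies the page's allow/deny list on the backend in three ways. The proxy address 10.0.0.5 and the attacker address 203.0.113.9 are constructed; 192.168.21.128 and 127.0.0.1 are the page's allow list.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example: the /admin/ allow/deny list evaluated behind the proxy
# configured above. Not nginx code; addresses other than the page's are constructed.

Rule = Tuple[str, str]                       # ("allow" | "deny", ip, cidr or "all")
ADMIN_RULES: List[Rule] = [("allow", "192.168.21.128"), ("allow", "127.0.0.1"), ("deny", "all")]

PROXY_IP = "10.0.0.5"        # assumption: address of the proxy VM
ADMIN_IP = "192.168.21.128"  # on the page's allow list
ATTACKER_IP = "203.0.113.9"  # constructed (RFC 5737 documentation range)


def access_decision(client_ip: str, rules: List[Rule]) -> str:
    """ngx_http_access_module: rules are checked in order, the first match wins;
    if nothing matches the request is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"


def proxy_hop(client_headers: Dict[str, str], remote_addr: str, host: str) -> Dict[str, str]:
    """Headers the page's proxy sends upstream:
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
    the client already sent, so the client controls every entry but the last."""
    upstream = dict(client_headers)
    incoming = client_headers.get("X-Forwarded-For")
    upstream["Host"] = host
    upstream["X-Real-IP"] = remote_addr
    upstream["X-Forwarded-For"] = f"{incoming}, {remote_addr}" if incoming else remote_addr
    return upstream


def client_address(headers: Dict[str, str], remote_addr: str,
                   trusted_proxies: List[str], strategy: str) -> str:
    """How the backend decides which address to feed into allow/deny."""
    if strategy == "remote_addr":            # TCP peer: always the proxy once it is in front
        return remote_addr
    chain = [h.strip() for h in headers["X-Forwarded-For"].split(",")]
    if strategy == "xff_first":              # leftmost entry: written by the client
        return chain[0]
    if strategy == "xff_trusted":            # walk from the right, skip our own proxies
        for hop in reversed(chain + [remote_addr]):
            if not any(ipaddress.ip_address(hop) in ipaddress.ip_network(p, strict=False)
                       for p in trusted_proxies):
                return hop
        return remote_addr
    raise ValueError(strategy)


def run_scenarios(strategy: str) -> Dict[str, str]:
    """Admin with an honest request and an attacker who pre-seeds X-Forwarded-For
    with an allow-listed address, both arriving at the backend via the proxy."""
    admin = proxy_hop({}, ADMIN_IP, "ask.apelearn.com")
    attacker = proxy_hop({"X-Forwarded-For": "127.0.0.1"}, ATTACKER_IP, "ask.apelearn.com")
    return {
        "admin": access_decision(client_address(admin, PROXY_IP, [PROXY_IP], strategy), ADMIN_RULES),
        "attacker": access_decision(client_address(attacker, PROXY_IP, [PROXY_IP], strategy), ADMIN_RULES),
    }


if __name__ == "__main__":
    for strategy in ("remote_addr", "xff_first", "xff_trusted"):
        print(f"{strategy:12} {run_scenarios(strategy)}")
```

With remote_addr the backend denies everyone, the admin included, because it only ever sees the proxy. With the first X-Forwarded-For entry the attacker walks in by sending X-Forwarded-For: 127.0.0.1. Only walking the chain from the right and skipping known proxy addresses gives the right answer for both; that is what nginx's realip module does on the backend with set_real_ip_from for the proxy address, real_ip_header X-Forwarded-For and real_ip_recursive on.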
Further reading: a summary of 502 problems
- Location priority