Nginx hotlink protection, access control, PHP parsing, and proxying

Source: Internet
Author: User
Tags fpm

12.13 Nginx hotlink protection

Because this configuration also uses a location block, it can be configured together with the log management settings:

[root@host ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
......
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    # Define the referer whitelist
    if ($invalid_referer) {
        return 403;
        # The if means: when the referer is not on the whitelist, return 403
    }
    access_log off;
}
......

[root@host ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host ~]# /usr/local/nginx/sbin/nginx -s reload

Description: the "*" in "location ~* ^.+" makes the match that follows it case-insensitive.

Test

[root@host ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.png
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 06:22:36 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

That is, a request that carries a non-whitelisted referer is denied.
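
The whitelist decision behind the 403 above, as a simplified Python model. This is an added example, not code from the original page or from nginx. It assumes the vhost's server_name is test.com; the function names and sample Referer values are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the vhost's server_name is test.com, so "server_names" expands to it.
SERVER_NAMES = ["test.com"]
# Whitelist from the page's valid_referers directive.
WHITELIST = ["none", "blocked", "server_names", "*.test.com"]

def host_matches(host, pattern):
    """Exact host name, or a leading wildcard such as *.test.com."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # host must end in ".test.com"
    return host == pattern

def invalid_referer(referer, whitelist=WHITELIST):
    """Simplified model: True when nginx would set $invalid_referer."""
    if referer is None:                      # Referer header absent
        return "none" not in whitelist
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in whitelist    # header present, scheme stripped
    host = (urlsplit(referer).hostname or "").lower()   # port is ignored
    names = []
    for entry in whitelist:
        if entry == "server_names":
            names.extend(SERVER_NAMES)
        elif entry not in ("none", "blocked"):
            names.append(entry)
    return not any(host_matches(host, n) for n in names)

def status_for(referer):
    """HTTP status the location block would return for a static file."""
    return 403 if invalid_referer(referer) else 200

# Constructed sample requests: (Referer header or None, note)
SAMPLES = [
    ("http://www.baidu.com/1.txt", "foreign site, as in the curl test"),
    ("http://test.com/index.html", "the site itself"),
    ("https://img.test.com:8080/gallery", "subdomain, port ignored"),
    (None, "no Referer header at all"),
    ("removed-by-proxy", "value without http:// or https://"),
]

if __name__ == "__main__":
    for referer, note in SAMPLES:
        print(status_for(referer), repr(referer), "-", note)
```

Because "none" and "blocked" are on the whitelist, requests with no Referer header or with a scheme-less value are served. The block limits embedding by third-party pages and is not an authentication control.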

12.14 Nginx Access Control

Requirement: requests to the /admin/ directory are allowed only from a few specified IPs. Configure it as follows:

[root@host ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
......
location /admin/
{
    allow 192.168.8.132;
    allow 127.0.0.1;
    deny all;
    # Set the IP whitelist
}
......

[root@host ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host ~]# /usr/local/nginx/sbin/nginx -s reload

Create the directory specified above:

[root@host ~]# mkdir /data/wwwroot/test.com/admin

[root@host ~]# echo "Test,test" > /data/wwwroot/test.com/admin/1.html

Test

[root@host ~]# curl -x127.0.0.1:80 test.com/admin/1.html
"Test,test"

[root@host ~]# curl -x192.168.8.132:80 test.com/admin/1.html
"Test,test"

Access control: regular-expression match

location ~ .*(abc|image)/.*\.php$
{
    deny all;
}

Access control: user_agent restrictions

if ($http_user_agent ~ 'spider/3.0|Youdaobot|Tomato')
{
    return 403;
}

Description: "deny all" has the same effect as "return 403".
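
How the three controls in this section combine for one request, as a simplified Python model. This is an added example, not code from the original page or from nginx. It assumes that the location blocks from sections 12.13 to 12.15 sit in one server block in page order and that the user_agent "if" is at server level; the handler names are hypothetical labels.

```python
import ipaddress
import re

# Prefix location from the page, mapped to a hypothetical handler label.
PREFIX = {"/admin/": "ip_whitelist"}
# Regex locations from the page; nginx tests them top to bottom (order assumed).
REGEX = [
    (re.compile(r"^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$",
                re.I), "static"),
    (re.compile(r".*(abc|image)/.*\.php$"), "deny_all"),
    (re.compile(r"\.php$"), "php"),
]
ADMIN_RULES = [("allow", "192.168.8.132"), ("allow", "127.0.0.1"), ("deny", "all")]
UA_DENY = re.compile(r"spider/3.0|Youdaobot|Tomato")  # case-sensitive, like "~"

def select_location(uri):
    """A matching regex location wins over a plain prefix location."""
    for pattern, handler in REGEX:
        if pattern.search(uri):
            return handler
    best = max((p for p in PREFIX if uri.startswith(p)), key=len, default=None)
    return PREFIX.get(best, "default")

def ip_allowed(client_ip, rules=ADMIN_RULES):
    """allow/deny rules are checked in order; the first match decides."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target):
            return action == "allow"
    return True  # no rule matched: access is not restricted

def status(client_ip, uri, user_agent=""):
    """403 when one of the page's access rules rejects the request, else 200."""
    if UA_DENY.search(user_agent):
        return 403
    handler = select_location(uri)
    if handler == "deny_all":
        return 403
    if handler == "ip_whitelist" and not ip_allowed(client_ip):
        return 403
    return 200

if __name__ == "__main__":
    # Constructed requests: client IP and URI
    for ip, uri in [("127.0.0.1", "/admin/1.html"), ("192.168.8.1", "/admin/1.html"),
                    ("127.0.0.1", "/data/image/a.php"), ("192.168.8.1", "/admin/index.php")]:
        print(ip, uri, select_location(uri), status(ip, uri))
```

In this model /admin/index.php is handled by the \.php$ regex location, not by location /admin/, so the allow/deny list is not evaluated for it. PHP pages under /admin/ need the same allow/deny rules in the location that actually serves them.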

12.15 Nginx configuration for parsing PHP

Core configuration:

vim /usr/local/nginx/conf/vhost/test.com.conf
......
location ~ \.php$
{
    include fastcgi_params;
    #fastcgi_pass 127.0.0.1:9000;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    # fastcgi_pass has two listen formats, but make sure the format is the same in Nginx and PHP-FPM
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
......

Note two points here: fastcgi_pass has two formats, but whichever one is used, Nginx and php-fpm must use the same format, otherwise the result is a 502 error; and the path in fastcgi_param SCRIPT_FILENAME must be the same as the root path.
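
A check for the two points in the note, comparing an nginx vhost with a php-fpm pool file. This is an added example, not code from the original page. The location block mirrors the page; the root directive, the pool file contents and the function names are assumptions.

```python
import re

# Constructed samples. The location block mirrors the page; the root directive
# and the php-fpm pool file contents are assumptions for illustration.
NGINX_VHOST = r"""
server {
    root /data/wwwroot/test.com;
    location ~ \.php$ {
        include fastcgi_params;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}
"""
FPM_POOL = """
[www]
listen = /tmp/php-fcgi.sock
"""

def nginx_value(conf, directive):
    """Value of the first uncommented occurrence of a directive."""
    m = re.search(r"^[ \t]*" + directive + r"\s+([^;#]+);", conf, re.M)
    return m.group(1).strip() if m else None

def fpm_listen(pool):
    """Value of the pool's listen setting (socket path or address:port)."""
    m = re.search(r"^[ \t]*listen\s*=\s*(\S+)", pool, re.M)
    return m.group(1) if m else None

def check(vhost, pool):
    """Return a list of mismatches between the nginx vhost and php-fpm."""
    problems = []
    upstream = nginx_value(vhost, "fastcgi_pass") or ""
    target = upstream[5:] if upstream.startswith("unix:") else upstream
    if target != fpm_listen(pool):
        problems.append("fastcgi_pass and php-fpm listen differ (502)")
    root = nginx_value(vhost, "root")
    script = nginx_value(vhost, r"fastcgi_param\s+SCRIPT_FILENAME")
    if script != f"{root}$fastcgi_script_name":
        problems.append("SCRIPT_FILENAME does not start at root")
    return problems

if __name__ == "__main__":
    print(check(NGINX_VHOST, FPM_POOL) or "consistent")
```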

12.16 Nginx proxy

The Nginx proxy is a reverse proxy. In a reverse proxy setup, a proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the servers' results to the clients on the Internet that made the requests. To the outside, the proxy server appears to be the server.

Working principle

A domain name is defined on the Nginx proxy server and pointed at an IP; users' requests then go through this proxy server to the web server at that IP.

graph LR
User --> Proxy server
Proxy server --> User
Proxy server --> Web server
Web server --> Proxy server

Go to the virtual host directory:

[root@host ~]# cd /usr/local/nginx/conf/vhost/

Create the proxy server:

[root@host vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;
    # Define the domain name (generally the same as the domain name of the proxied IP)
    location /
    {
        proxy_pass http://121.201.9.155/;
        # Specify the proxied (accessed) IP (the web server's IP)
        proxy_set_header Host $host;
        # $host refers to the proxy server's server_name (also the domain name of the proxied IP)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Description: Because this virtual host is used only as a proxy server and does not need to serve local files, no root directory needs to be set.

Test

Before setting up the proxy

[root@host vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<body bgcolor= "White" >
<center></body>

After setting up the proxy

[root@host vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host vhost]# /usr/local/nginx/sbin/nginx -s reload

[root@host vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# Robots.txt for Miwen
#
User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
