One: Nginx hotlink protection
Add the following code to the server section of nginx.conf:
location ~ ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ {
    # Requests referred from these domains are not treated as hotlinking.
    valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com;
    if ($invalid_referer) {
        #return 403;
        rewrite ^/ http://www.example.com/nophoto.gif;
    }
}
Note: if the configuration already contains a location like this:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    expires 30d;
    access_log off;
}
then it overlaps with the block above, and only the regex location that matches first takes effect, so the two need to be merged, as follows:
location ~ ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 30d;
    # Requests referred from these domains are not treated as hotlinking.
    valid_referers none blocked server_names *.taobao.com *.baidu.com *.google.com *.google.cn *.soso.com;
    if ($invalid_referer) {
        #return 403;
        rewrite ^/ http://www.example.com/nophoto.gif;
    }
    access_log off;
}
Description: when someone hotlinks our images, requests for those images are redirected to the replacement image above. It is also possible to answer with 403 directly, that is, return 403, which saves resources.
Two: Nginx access control
To restrict access to only one IP, add the following configuration:
allow 192.168.1.101;
deny all;
To deny one IP or IP range access to the site, first create the following configuration file in the Nginx conf directory, named deny.ip:
# cat deny.ip
deny 192.168.1.11;
deny 192.168.1.123;
deny 10.0.1.0/24;
In the corresponding virtual host configuration file, add:
include deny.ip;
Reload the Nginx service:
# /usr/local/nginx/sbin/nginx -s reload
The deny.ip file can also use deny all;
For example, to reject everyone except a few IPs, write this in deny.ip:
allow 1.1.1.1;
allow 1.1.1.2;
deny all;
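The first-match evaluation that these deny.ip files rely on, as an added example in Python (not part of the original article and not Nginx code): it parses allow/deny lines, decides a client IP in rule order, and flags rules that an earlier rule makes unreachable. The function names are hypothetical, the sample rules are the ones shown above, and only IP addresses, CIDR ranges and all are handled.

```python
import ipaddress

# Constructed samples: the two deny.ip variants shown above.
DENYLIST = "deny 192.168.1.11;\ndeny 192.168.1.123;\ndeny 10.0.1.0/24;\n"
ALLOWLIST = "allow 1.1.1.1;\nallow 1.1.1.2;\ndeny all;\n"


def parse_rules(text):
    """Return [(action, network)] in file order; network is None for 'all'."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stmt = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not stmt:
            continue
        parts = stmt.rstrip(";").split()
        if not stmt.endswith(";") or len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: not an allow/deny rule: {line!r}")
        action, target = parts
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(rules, client_ip):
    """Rules are checked in order and the first match wins; no match means allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return "allow"


def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, (_, net) in enumerate(rules):
        for _, prev in rules[:i]:
            covered = prev is None or (
                net is not None and net.version == prev.version and net.subnet_of(prev)
            )
            if covered:
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for name, text in (("denylist", DENYLIST), ("allowlist", ALLOWLIST)):
        rules = parse_rules(text)
        for ip in ("192.168.1.11", "10.0.1.77", "1.1.1.1", "8.8.8.8"):
            print(name, ip, decide(rules, ip))
        print(name, "unreachable rules:", shadowed(rules))
```

Running shadowed() on a file where deny all; comes before the allow lines reports every allow rule as unreachable, which is the ordering mistake to look for before reloading.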
Sometimes PHP parsing needs to be restricted by directory:
# Place this before the general \.php$ location: the first matching regex location wins.
location ~ .*(diy|template|attachments|forumdata|attachment|image)/.*\.php$
{
    deny all;
}
Three: Nginx parsing PHP related configuration
Configure the Nginx configuration file to enable PHP support.
# vim /usr/local/nginx/conf/nginx.conf
Find:
location = /50x.html {
    root html;
}
After that, add the following configuration:
location ~ \.php$ {
    root html;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    include fastcgi_params;
}
Reload:
# /usr/local/nginx/sbin/nginx -s reload
Create a test file:
# vim /usr/local/nginx/html/2.php
The contents are as follows:
<?php
echo "Test PHP scripts.";
?>
Test:
# curl localhost/2.php
Test PHP scripts.
This indicates that PHP parsing is working.
Four: Nginx proxy
# vim /usr/local/nginx/conf/vhosts/proxy.conf
Add the following content:
server {
    listen 80;
    server_name aaa.com;
    location / {
        proxy_pass http://2.2.2.2/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # access_log /home/logs/aaa_access.log combined;
}
Description: the IP after proxy_pass is the IP of the machine being proxied. If there is more than one back-end machine, you can also use upstream to achieve load balancing. This is described in detail later; the configuration is as follows:
upstream bbb
{
    server 1.2.3.1:80;
    server 1.2.3.4:80;
}
server {
    listen 80;
    server_name bbb.com;
    location / {
        proxy_pass http://bbb/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # access_log /home/logs/bb_access.log combined;
}
Proxy all domain names on a server
First, two files need to be created in the vhosts directory: one is the servername list file, the other is a virtual host configuration file.
The contents of the two files are:
(1) servername
# A single simple line; more names can be appended to this server_name.
server_name www.123.net.cn www.alsdjfl.com www.asdfa1.com;
(2) Virtual host configuration file
server {
    listen 80;
    # The file included here is the servername list file above.
    include vhosts/servername;
    location / {
        # This is the IP address of the server being proxied.
        proxy_pass http://1.2.1.2/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log /dev/null;
}