Nginx anti-theft chain, nginx access control, Nginx parsing PHP-related configuration, nginx Agent

Nginx anti-theft chain first into the/usr/local/nginx/conf/vhost/directory, edit the configuration file vim Test.com.confvim test.com.conf then the contents of the following location ~ ^.+. (Gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls) ${expires 7d; valid_referers None blocked Server_names . test.com; if ($invalid _referer) {return 403;} Access_log off;} Valid_referers none blocked Server_names *.test.com; if ($invalid _referer) {return 403; At this point the core of the anti-theft chain, the meaning of the first line is to define the white list, the second line is if it does not match, the third line is the status code. Save after input, check syntax, reload. Nginx access control and httpd, Nginx also need to restrict some IP can not access or only allow certain IP access, the configuration method and httpd very similar. But it's more concise. It doesn't have to be like httpd all over the calendar.
Configure access control or edit the configuration file for a virtual host
/usr/local/nginx/conf/vhost/
And then add the access control configuration to the back.
location/admin/
{
Allow 192.168.1.107;
Allow 127.0.0.1;
Deny all;
}
When we make a white list, we must first allow and then deny. Allow is the permissible meaning, and deny is the meaning of the refusal. Be sure to end with ";" at the end of each statement.
Then we do an experiment to create a directory mkdir/data/wwwroot/test.com/admin/
Then write the content inside
echo "Test,test" >/data/wwwroot/test.com/admin/1.html
And then we do the tests.
Curl-x 127.0.0.1:80-i test.com/admin/1.html
http/1.1 OK
Curl-x 192.168.1.107:80-i test.com/admin/1.html
http/1.1 OK
The input of other IP access is unsuccessful, which is to restrict IP access. This is for the directory.

We can also restrict its access by regular means.
Location ~. (upload|image)/. php$
{
Deny all;
}
Delimiter in parentheses "|" Yes or no, this makes it possible to access the URL with the keyword string, and the PHP request is forbidden. The purpose of this is to disable the parsing of PHP in the directory where the files are uploaded to ensure security.
Then we do an experiment.
First create a upload directory, write a PHP file in it, and then access
Curl-x192.168.1.107:80-i test.com/upload/1.php
http/1.1 403 Forbidden
The results were inaccessible and our purpose was reached.

If we don't want people to know about our site, we can restrict it according to User_agent, just as our website is hidden.
if ($http _user_agent ~ ' spider/3.0| Youdaobot| Tomato ')
{
return 403;
}
where ~ followed by "" is ignoring case.

Nginx parsing PHP related configuration
In Lamp, PHP is as a module of httpd, as long as the module is loaded, you can parse the PHP script. In Lnmp, PHP is as a service (PHP-FPM) in the form of the first to start the PHP-FPM service, and then Nginx and PHP communication, that is, the processing of PHP script parsing is done by PHP-FPM.
Location ~. php$
{
Include Fastcgi_params;
Fastcgi_pass Unix:/tmp/php-fcgi.sock;
Fastcgi_index index.php;
Fastcgi_param Script_filename/data/wwwroot/test.com$fastcgi_script_name;
}
This is the Nginx parsing PHP configuration file.
Here we need to pay attention to is Fastcgi_pass Unix:/tmp/php-fcgi.sock, easy to write wrong, if write wrong, will show 502.
We set up an experiment to deliberately write the/tmp/php-fcgi.sock wrong and then visit.
Curl-x192.168.1.107:80 test.com/3.php
Because we wrote the wrong configuration file, we showed 502, and then we looked at the error log Nginx_error.log
2018/04/26 23:22:39 [Crit] 2076#0: *49 connect () to Unix:/tmp/php-fgi.sock failed (2:no such file or directory) while con Necting to Upstream, client:192.168.1.107, server:test.com, Request: "GET HTTP://test.com/3.php http/1.1", upstream: "FA Stcgi://unix:/tmp/php-fgi.sock: ", Host:" Test.com "
It means to Unix:/tmp/php-fgi.sock failure (2: No such file or directory).
When we encounter such a problem, we have to think about it is not the address we configured it? First we look at the error log, first of all, the file does not exist. If it doesn't exist, we're going to look at the PHP-FPM configuration file and see what we define as sock. We must keep the sock in php-fpm consistent with the sock in the configuration file for the virtual host. Otherwise, the error will be 502.

If PHP-FPM is listening on a port, such as 127.0.0.1:9000, then we also need to make a change in the configuration file of the virtual host.
First find the Fastcgi_pass, and then change it to the listening port form. For example Fastcgi_pass 127.0.0.1:9000; then check the syntax for errors and reload. After this series of operations, we have the ability to parse PHP. Therefore, the Fastcgi_pass in the virtual host must be consistent with the IP that is monitored in the php-fpm, otherwise it will be reported 502.
In the future if we appear to parse PHP 502, we must check the configuration of php-fpm in the IP and sock is consistent, if inconsistent will be reported 502.
And there's the path behind the script_filename. Be sure to write the right, he is the same as the configuration file root behind the path is consistent, they must correspond together. If the configuration is not correct, the visit will be reported 404.
There is also a situation reported 502 is because our PHP-FPM configuration file has a row listen.mode=666 this line of configuration is logged out or not, so that all users can execute this file, if there is no line configuration, only the root user can execute permissions.

Nginx Agent
When the user does not have direct access to the server, then we can make a proxy server.
First Enter/usr/local/nginx/cnof/vhost
Then edit a new configuration file
Vim proxy.conf
Add content as follows
Server
{
Listen 80;
server_name ask.apelearn.com;

location /{    proxy_pass      http://121.201.9.155/;    proxy_set_header Host   $host;    proxy_set_header X-Real-IP      $remote_addr;    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}

}
Where Proxy_pass is the IP that defines the Web server you want to access
server_name is the domain name defined
Then we check the syntax to reload.
If we do not know the IP of the Web server to be visited when we are acting, we can obtain IP using dig + domain name method.
Install dig command: Yum install-y bind*

Nginx anti-theft chain, nginx access control, Nginx parsing PHP-related configuration, nginx Agent