12.13 Nginx防盜鍊
[root@localhost test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf 
~* 表示不區分大小寫
白名單 *.test.com,如果不是白名單,則傳回403
[root@localhost test.com]# curl -e "http://www.baidu.com"-x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:07:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:08:44 GMT
Content-Type: image/gif
Content-Length: 20
Last-Modified: Wed, 14 Mar 2018 14:32:47 GMT
Connection: keep-alive
ETag: "5aa9328f-14"
Expires: Wed, 21 Mar 2018 15:08:44 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost test.com]# cat /tmp/test.com.log
127.0.0.1 - [14/Mar/2018:22:33:25 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:33:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:36:25 +0800] test.com "/2.jsdafafa" 404 "-" "curl/7.29.0" 12.14 Nginx通路控制
·重要的機密的内容不希望被别人通路,可以做一個白名單,隻允許自己公網ip或公司内部公網ip通路
·針對目錄:
[root@localhost ~]# /usr/local/nginx/conf/vhost/test.com.conf 配置檔案中的allow和deny:
這裡的allow和deny與apache中的order中的allow和deny規則不一樣
在apache中,如果先allow後deny,那麼最終結果是deny;
在nginx中,這裡allow是比對機制,如果在allow中有能比對的,那麼将不再執行下面的規則,
本例中,如果是127.0.0.1通路,那麼比對第一條allow之後,将不會再執行下面的;如果是127.0.0.2,
那麼前兩條都沒有比對到,那麼會自然往下比對第三條,會被deny。
·針對正則比對
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload ##建立upload檔案夾
[root@localhost ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# cat !$ ##建立1.php,看1.php是否能被解析
cat /data/wwwroot/test.com/upload/1.php
23wewerwer
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@localhost ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.txt
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
23wewerwer (1.php無法被解析,而通一個檔案夾下1.txt就可以被解析)
[root@localhost ~]# cat /tmp/test.com.log ·根據user_agent限制:
網站被CC攻擊,或想禁掉某些蜘蛛,或想做隐藏網站不想被人搜到
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "Tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:26:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:27:15 GMT
Content-Type: text/plain
Content-Length: 11
Last-Modified: Thu, 15 Mar 2018 13:07:37 GMT
Connection: keep-alive
ETag: "5aaa7019-b"
Accept-Ranges: bytes ·隻要是能比對到Tomato關鍵字就會限制,因為是精準比對,是以tomato無法比對
如果想要忽略大小寫進行比對,那麼可以在配置檔案中 ~ 後加 * ,如下圖
再重新加載後,我們看,小寫開頭已經被限制通路了
[root@localhost ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:31:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive 12.15 Nginx解析php相關配置
·配置解析php:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 儲存後,暫時不重新加載配置,先建立一個新的php檔案,内容如下
[root@localhost ~]# vi /data/wwwroot/test.com/3.php [root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php (内容太多,不詳細列出)
如果配置檔案中socket檔案位置寫錯的話:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php 會顯示502的錯誤
[root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed
(2: No such file or directory) while connecting to upstream, client: 127.0.0.1,
server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream:
"fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com" 可以看出是 .sock 檔案位置不正确,我們去檢視php-fpm.conf的配置檔案來檢視.sock檔案位址
[root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.conf 将vhost配置檔案裡解析php相關配置更改後,就可以正常通路了
·監聽ip端口
如果php-fpm的監聽,不去監聽socket,而是去監聽端口,如下圖
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.conf [root@localhost ~]# /usr/local/php-fpm/sbin/php-fpm -t ##檢查
[15-Mar-2018 22:13:07] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload ##重新加載
[root@localhost ~]# netstat -lntp ##監聽端口9000 [root@localhost ~]# !curl ##依然是502錯誤
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@localhost ~]# !tail
tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed
(2: No such file or directory) while connecting to upstream, client: 127.0.0.1,
server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream:
"fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/03/15 22:15:43 [crit] 1821#0: *12 connect() to unix:/tmp/php-fcgi.sock failed
(2: No such file or directory) while connecting to upstream, client: 127.0.0.1,
server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream:
"fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com" 把原先fastcgi_pass注釋掉,添加127.0.0.1:9000
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/php-fpm/sbin/php-fpm -t
[15-Mar-2018 22:24:19] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php 已經可以解析php了
(是以php-fpm中配置裡,和虛拟主機配置裡要一一對應,sock對應sock,端口對應端口)
★配置檔案中的SCRIPT_FILENAME一定要和配置檔案最上方的 root 對應的路徑一緻:
·php-fpm.conf的配置中,listen.mode為nginx的執行權限,讓nginx去讀/tmp/php-fcgi.sock
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.conf ·如果沒有這個權限,那麼php-fcgi.sock的預設權限為440,屬主和屬組都是root,而nginx屬主是nobody,無法讀取,是以會報錯,我們下面來試驗一下
虛拟主機改回php-fcgi.sock,對應php-fpm.conf
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html> (502錯誤,正式因為權限問題)
而錯誤日志中,也是Permission denied的錯誤了
[root@localhost ~]# cat /usr/local/nginx/logs/nginx_error.log [root@localhost ~]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 3月 15 22:48 /tmp/php-fcgi.sock
[root@localhost ~]# ps aux |grep nginx nginx屬主為nobody,對php-fcgi.sock沒有讀權限,是以會502錯誤,如果想正常通路,那麼至少需要可讀可寫
臨時将/tmp/php-fcgi.sock屬主改為nobody,此時通路不會出現502錯誤
[root@localhost ~]# chown nobody /tmp/php-fcgi.sock
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:00:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30 是以,我們在/usr/local/php-fpm/etc/php-fpm.conf配置中的listen.mode要的權限要讓所有人對檔案/tmp/php-fcgi.sock可讀可寫
·php-fpm資源耗盡也會出現502錯誤,此時需要去優化
12.16 Nginx代理
1,使用者不能直接通路Web伺服器,Web伺服器隻有私網ip
2,雖然使用者可以通路Web伺服器,但是通路速度太慢
和使用者、web伺服器互通都可以互通,作為中間代理者,幫助使用者通路,通路完之後把結果傳回使用者
[root@localhost ~]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim proxy.conf proxy_pass Web伺服器IP位址
proxy_set_header Host 通路的主機名/域名 ($HOST也就是server_name)
proxy_set_header X-Real-IP 指定IP的
[root@localhost vhost]# curl ask.apelearn.com/robots.txt [root@localhost vhost]# curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt 成功連接配接
錯誤總結: