12.13 Nginx anti-hotlinking (Referer check)
[root@localhost test.com]# vim /usr/local/nginx/conf/vhost/test.com.conf

~* means a case-insensitive regex match on the request URI, so 1.gif and 1.GIF are both caught.
The whitelist is *.test.com: a request whose Referer is not on the whitelist is answered with 403. Keep in mind that Referer is supplied by the client and is trivially forged (the second curl below fakes one with -e), so this only discourages casual hotlinking; it is not a control against a deliberate attacker.
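The vhost configuration that the two curl tests below exercise, as an added example (it is not the page's own test.com.conf, which is not reproduced on the page): the *.test.com whitelist, the 403 and the root path come from the text, while the extension list and the 7-day expiry (which matches the Cache-Control: max-age=604800 seen in the test) are assumptions.

```nginx
# Added example, not the page's own config.
server {
    listen 80;
    server_name test.com www.test.com;
    root /data/wwwroot/test.com;

    # ~* : case-insensitive regex, so 1.gif and 1.GIF both land here
    location ~* ^.+\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip|doc|pdf|gz|bz2|xls)$ {
        # none         : request carries no Referer at all (direct visit, bookmark, plain curl)
        # blocked      : Referer present but mangled to a non-URL by a proxy or firewall
        # server_names : any name listed in server_name above
        # *.test.com   : the whitelist from the text
        valid_referers none blocked server_names *.test.com;

        # $invalid_referer is "1" when the Referer matched none of the entries above
        if ($invalid_referer) {
            return 403;
        }

        expires 7d;   # assumption: gives the Expires / Cache-Control headers seen in the 200 test
    }
}
```

Because `none` is on the list, a request with no Referer header is still served; drop it only if every legitimate client is known to send one, otherwise direct visitors and some privacy-oriented browsers lose access to the images as well.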
[root@localhost test.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:07:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost test.com]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 14 Mar 2018 15:08:44 GMT
Content-Type: image/gif
Content-Length: 20
Last-Modified: Wed, 14 Mar 2018 14:32:47 GMT
Connection: keep-alive
ETag: "5aa9328f-14"
Expires: Wed, 21 Mar 2018 15:08:44 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
[root@localhost test.com]# cat /tmp/test.com.log
127.0.0.1 - [14/Mar/2018:22:33:25 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:33:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Mar/2018:22:36:25 +0800] test.com "/2.jsdafafa" 404 "-" "curl/7.29.0"
12.14 Nginx access control
· Important or confidential content that should not be reachable by others can be protected with a whitelist that allows only your own public IP or the company's public IPs.
· Per directory:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
allow and deny in the configuration file:
nginx's allow and deny do not follow the same rules as Apache's Order allow,deny.
In Apache, with Order allow,deny, a client that is matched by both an allow and a deny rule ends up denied;
in nginx the rules are evaluated top to bottom and the first one that matches the client address wins; nothing after it is consulted.
In this example a request from 127.0.0.1 matches the first allow rule and the remaining rules are skipped; a request from 127.0.0.2
matches neither of the two allow rules, falls through to the third rule, and is denied.
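The three-rule location the text describes, as an added example (the page's own figure is not reproduced): the /admin/ path and the 192.168.188.0/24 range are assumptions; 127.0.0.1 and the final deny are from the text.

```nginx
# Added example, not the page's own config. Rules are checked in order; the first match wins.
location /admin/ {
    allow 127.0.0.1;          # 1st rule: a request from 127.0.0.1 matches here and stops
    allow 192.168.188.0/24;   # 2nd rule (assumed office range)
    deny  all;                # 3rd rule: everything else, e.g. 127.0.0.2 in the text, is refused with 403
}
```

The address compared is $remote_addr, the TCP peer. If nginx sits behind a load balancer or CDN, every request arrives from that device's address and the whitelist either blocks everyone or lets everyone in; in that deployment the realip module (set_real_ip_from plus real_ip_header) must be configured first, and only for the trusted proxy addresses, since the forwarded header is otherwise client-controlled.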
· Per regex match:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload ##create the upload directory
[root@localhost ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# cat !$ ##create 1.php and check whether it can be executed
cat /data/wwwroot/test.com/upload/1.php
23wewerwer
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@localhost ~]# echo "23wewerwer" > /data/wwwroot/test.com/upload/1.txt
[root@localhost ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
23wewerwer
(1.php is refused with 403 and never reaches PHP, while 1.txt in the same directory is served normally)
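The regex location behind the test above, as an added example (not the page's own config): it refuses any .php under an upload or image directory, so a file that an attacker manages to upload there is never handed to php-fpm. The "image" directory name is an assumption; "upload" is from the text.

```nginx
# Added example, not the page's own config.
# Regex locations are tried in the order they appear and the first match is used,
# so this block must come BEFORE the general "location ~ \.php$" that passes scripts
# to php-fpm; placed after it, /upload/1.php would match the php location first
# and be executed.
location ~ .*(upload|image)/.*\.php$ {
    deny all;   # 403, whatever the client address; 1.txt in the same directory still falls through to the static handler
}
```

This is defence in depth for directories the application writes to: the upload handler should already reject executable file names, but this rule holds even if that check is bypassed.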
[root@localhost ~]# cat /tmp/test.com.log
· Restricting by User-Agent:
Useful when the site is under an HTTP flood (CC attack), when certain crawlers should be kept out, or when a site is meant to stay hidden from search engines.
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "Tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:26:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@localhost ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:27:15 GMT
Content-Type: text/plain
Content-Length: 11
Last-Modified: Thu, 15 Mar 2018 13:07:37 GMT
Connection: keep-alive
ETag: "5aaa7019-b"
Accept-Ranges: bytes
· Anything containing the keyword Tomato is blocked; because ~ is a case-sensitive match, tomato does not match.
To match regardless of case, add * after ~ in the configuration (~*), as in the figure.
After reloading, the lowercase variant is blocked as well:
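The User-Agent rule in its case-insensitive form, as an added example (not the page's own config); the bot names other than Tomato are assumptions.

```nginx
# Added example, not the page's own config. Goes in the server block.
# ~  : case-sensitive   -> "Tomatosdafdsf" gets 403, "tomatosdafdsf" gets 200 (the first two tests above)
# ~* : case-insensitive -> both get 403 (the test that follows)
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato') {
    return 403;
}
```

An `if` that only does `return` is safe at server level. The header itself costs the client nothing to change (curl -A does it), so this cuts noise from lazy scrapers and naive floods; a determined client simply picks a browser string, which is why the text lists it beside IP and Referer rules rather than as the sole control.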
[root@localhost ~]# curl -A "tomatosdafdsf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 13:31:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
12.15 Nginx PHP parsing configuration
· Configuring PHP parsing:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
After saving, do not reload the configuration yet; first create a new PHP file with the following content. Until the reload, the new location is not active and nginx treats 3.php as an ordinary static file, so curl gets the PHP source back verbatim. On a real site that is a source-code disclosure (including any database credentials in the file), which is why PHP handling must be in place before scripts are deployed.
[root@localhost ~]# vi /data/wwwroot/test.com/3.php
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo();
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
(output too long to list)
If the socket path in the configuration file is wrong:
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
a 502 error is returned
[root@localhost ~]# tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed
(2: No such file or directory) while connecting to upstream, client: 127.0.0.1,
server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream:
"fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
The log shows that the .sock path is wrong; check the listen line in php-fpm.conf for the actual socket address
[root@localhost ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
After correcting the PHP section of the vhost configuration, the page is served normally
· Listening on an IP and port
If php-fpm is configured to listen on a TCP port instead of a socket, as in the figure:
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
[root@localhost ~]# /usr/local/php-fpm/sbin/php-fpm -t ##check the configuration
[15-Mar-2018 22:13:07] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload ##reload
[root@localhost ~]# netstat -lntp ##php-fpm now listens on port 9000
[root@localhost ~]# !curl ##still a 502 error
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@localhost ~]# !tail
tail /usr/local/nginx/logs/nginx_error.log
2018/03/15 21:59:34 [crit] 1627#0: *10 connect() to unix:/tmp/php-cgi.sock failed
(2: No such file or directory) while connecting to upstream, client: 127.0.0.1,
server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream:
"fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2018/03/15 22:15:43 [crit] 1821#0: *12 connect() to unix:/tmp/php-fcgi.sock failed
(2: No such file or directory) while connecting to upstream, client: 127.0.0.1,
server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream:
"fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
Comment out the old fastcgi_pass and add 127.0.0.1:9000
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/php-fpm/sbin/php-fpm -t
[15-Mar-2018 22:24:19] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@localhost ~]# !curl
curl -x127.0.0.1:80 test.com/3.php
PHP is now parsed
(so the php-fpm configuration and the vhost configuration must correspond one to one: socket to socket, port to port)
★ The SCRIPT_FILENAME path in the PHP section must match the root directive at the top of the configuration file, otherwise php-fpm cannot find the script:
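The PHP location that the three failure modes above (wrong socket path, socket versus port mismatch, SCRIPT_FILENAME drifting from root) converge on, as an added example (not the page's own config). The socket path, port and root are the ones in the transcript; the php-fpm pool lines quoted in the comments are assumptions about its configuration, and the listen.owner/listen.group lines address the permission failure examined in the next subsection.

```nginx
# Added example, not the page's own config.
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;

    location ~ \.php$ {
        # Only pass scripts that exist; /upload/1.txt/x.php otherwise reaches php-fpm
        # as PATH_INFO and, with cgi.fix_pathinfo=1, executes 1.txt as PHP.
        try_files $uri =404;

        include fastcgi_params;

        # Must agree exactly with "listen" in /usr/local/php-fpm/etc/php-fpm.conf:
        #   listen = /tmp/php-fcgi.sock   <->  fastcgi_pass unix:/tmp/php-fcgi.sock;
        #   listen = 127.0.0.1:9000       <->  fastcgi_pass 127.0.0.1:9000;
        # Any mismatch is the "connect() ... failed (2: No such file or directory)" 502 above.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;

        # $document_root is the root directive above, so the path cannot drift from it.
        # A hard-coded prefix that differs from root makes php-fpm answer 404 "File not found."
        # and log "Primary script unknown".
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Drop the "X-Powered-By: PHP/5.6.30" banner seen in the transcript
        # (equivalently expose_php = Off in php.ini).
        fastcgi_hide_header X-Powered-By;
    }
}

# php-fpm side (ini syntax, assumed pool settings), so the nginx worker, which runs as
# nobody, can open the socket without making it world-writable:
#   listen       = /tmp/php-fcgi.sock
#   listen.owner = nobody
#   listen.group = nobody
#   listen.mode  = 0660
```

Run `/usr/local/nginx/sbin/nginx -t` and `/usr/local/php-fpm/sbin/php-fpm -t` after every change to either side, as the transcript does; a syntax error is cheap to catch there and expensive as a 502 in production.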
· In php-fpm.conf, listen.mode sets the permission bits of the socket file; the nginx worker must be able to read and write /tmp/php-fcgi.sock
[root@localhost ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
· Without that setting the socket is created with the default mode 660 (srw-rw----), owned by root:root; the nginx workers run as nobody and cannot open it, so requests fail. Let's reproduce this:
Change the vhost back to php-fcgi.sock to match php-fpm.conf
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
(a 502 error again, this time caused by the permission problem)
and the error log now reports Permission denied
[root@localhost ~]# cat /usr/local/nginx/logs/nginx_error.log
[root@localhost ~]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 Mar 15 22:48 /tmp/php-fcgi.sock
[root@localhost ~]# ps aux |grep nginx
The nginx workers run as nobody and have no access to php-fcgi.sock, hence the 502; normal access needs at least read and write on the socket.
Temporarily changing the owner of /tmp/php-fcgi.sock to nobody makes the 502 go away:
[root@localhost ~]# chown nobody /tmp/php-fcgi.sock
[root@localhost ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 15 Mar 2018 15:00:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
So listen.mode in /usr/local/php-fpm/etc/php-fpm.conf must give the nginx worker read and write access to /tmp/php-fcgi.sock. listen.mode = 666 (world read/write) works, but the tighter fix is listen.owner = nobody and listen.group = nobody with listen.mode = 660, so that only the nginx user can talk to php-fpm. A manual chown on the socket is lost as soon as php-fpm restarts and recreates it, which is why the fix belongs in php-fpm.conf.
· Exhausting php-fpm's worker pool (pm.max_children) also produces 502 errors; that is a tuning problem rather than a configuration mistake.
12.16 Nginx proxying
1. Users cannot reach the web server directly because it only has a private IP
2. Users can reach the web server, but access is too slow
The proxy can reach both the users and the web server; acting as the intermediary, it fetches the content on the user's behalf and returns the result to the user.
[root@localhost ~]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim proxy.conf
proxy_pass  the web server's address (scheme://IP)
proxy_set_header Host  the host name/domain being requested ($host: the request's Host header, falling back to server_name)
proxy_set_header X-Real-IP  passes the client's own IP to the backend ($remote_addr)
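A proxy.conf matching the three directives above, as an added example (not the page's own proxy.conf, whose contents are not reproduced): the backend address 10.0.0.10 is an assumption standing in for the web server's private IP; ask.apelearn.com is the name the tests below use.

```nginx
# Added example, not the page's own config.
server {
    listen 80;
    server_name ask.apelearn.com;

    location / {
        # Backend only reachable from this proxy (assumed private address)
        proxy_pass http://10.0.0.10/;

        # $host = Host header of the incoming request (or server_name if absent),
        # so the backend's own virtual host selection still works
        proxy_set_header Host $host;

        # Client's real address; without this the backend only ever sees the proxy's IP
        proxy_set_header X-Real-IP $remote_addr;

        # Appends $remote_addr to any existing X-Forwarded-For chain
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

proxy_set_header replaces whatever X-Real-IP a client sent, so the backend can trust the value only if requests cannot bypass the proxy; if the backend is reachable directly, or a client-supplied X-Forwarded-For is honoured without restricting it to this proxy's address, IP-based whitelists and logs on the backend are spoofable.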
[root@localhost vhost]# curl ask.apelearn.com/robots.txt
[root@localhost vhost]# curl -x 127.0.0.1:80 ask.apelearn.com/robots.txt
Connected successfully: the same robots.txt comes back through the proxy
Error summary: