Linux study notes: lesson 51



1 nginx hotlink protection

The configuration is as follows; it can be combined with the static-file configuration from the previous lesson.

Edit the configuration file:

[root@linux01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # ~* makes the regex case-insensitive, so .JPG matches as well as .jpg
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        # none: request has no Referer header; blocked: Referer present but its
        # scheme was stripped by a proxy/firewall; server_names: the names from
        # server_name; *.test.com: any subdomain of test.com
        valid_referers none blocked server_names *.test.com;
        # $invalid_referer is set when the Referer matches none of the entries above
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }
}

Check the syntax and reload the configuration:

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

curl test (-e sets the Referer to www.baidu.com):

[root@linux01 ~]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.png -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.5
Date: Sat, 24 Nov 2018 10:29:29 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

The status code is 403: access denied.

curl test (Referer set to www.test.com):

[root@linux01 ~]# curl -e "http://www.test.com" -x127.0.0.1:80 test.com/1.png -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Sat, 24 Nov 2018 10:29:36 GMT
Content-Type: image/png
Content-Length: 211090
Last-Modified: Sat, 24 Nov 2018 10:16:52 GMT
Connection: keep-alive
ETag: "5bf92514-33892"
Expires: Sat, 01 Dec 2018 10:29:36 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

The status code is 200: access allowed. Note that the Referer header is chosen by the client, as this very test shows, so the rule stops casual hotlinking from other sites' pages but not a client that sets the header deliberately. Because `none` is listed, requests without any Referer (direct downloads, curl without -e) are also allowed.
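The decision logic behind `valid_referers` and `$invalid_referer` above, as an added example that is not part of the original notes: a small Python model of the documented semantics (`none`, `blocked`, `server_names` and a leading-wildcard name), useful for reasoning about a rule set before deploying it. It is a simplification of nginx's behaviour, not nginx's own code; the server name `test.com` and the pattern `*.test.com` are taken from the configuration above, and the sample Referer values at the bottom are constructed.

```python
# Added example (not from the original notes): a simplified model of how nginx's
# valid_referers directive sets $invalid_referer for the configuration above.
# It follows the documented semantics but is not nginx's own code.
import re
from typing import Iterable, Optional

SERVER_NAMES = ["test.com"]        # from the server_name directive above
REFERER_PATTERNS = ["*.test.com"]  # the extra names listed in valid_referers


def referer_host(referer: str) -> Optional[str]:
    """Lower-cased host part of a Referer value, or None when the value carries
    no http:// or https:// scheme (nginx classifies such values as 'blocked',
    typically a Referer mangled by a proxy or firewall)."""
    m = re.match(r"https?://([^/:?#]+)", referer, re.IGNORECASE)
    return m.group(1).lower() if m else None


def name_matches(host: str, pattern: str) -> bool:
    """A leading '*.' wildcard matches any subdomain but not the bare name,
    the same rule nginx applies to wildcard server names; other patterns
    must match the whole host."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def invalid_referer(referer: Optional[str],
                    allow_none: bool = True,
                    allow_blocked: bool = True,
                    use_server_names: bool = True,
                    patterns: Iterable[str] = REFERER_PATTERNS) -> bool:
    """True when nginx would set $invalid_referer, i.e. the `if` block above
    would return 403.  The keyword flags mirror the none / blocked /
    server_names keywords of valid_referers."""
    if not referer:
        return not allow_none          # 'none': no Referer header at all
    host = referer_host(referer)
    if host is None:
        return not allow_blocked       # 'blocked': Referer present, scheme stripped
    names = list(patterns)
    if use_server_names:
        names.extend(SERVER_NAMES)
    return not any(name_matches(host, p) for p in names)


def decide(referer: Optional[str]) -> int:
    """HTTP status the configuration above produces for a request to 1.png."""
    return 403 if invalid_referer(referer) else 200


if __name__ == "__main__":
    # Constructed sample Referer values, including the two curl -e tests above.
    for ref in [None, "http://www.baidu.com", "http://www.test.com",
                "https://TEST.com/page", "test.com/1.png",
                "http://www.test.com.evil.com/"]:
        print(f"{ref!r:40} -> {decide(ref)}")
```

The last sample shows why the wildcard is anchored at the left only: `www.test.com.evil.com` does not end in `.test.com` and is rejected, whereas a naive substring check would have accepted it.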


2 nginx access control

Requirement: only a few IP addresses may access the /admin/ directory. Configuration as follows:
Edit the configuration file:

server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /admin/
    {
        # the first rule that matches decides and evaluation stops there
        # (unlike Apache), so the order of allow/deny lines matters
        allow 192.168.133.112;
        allow 127.0.0.1;
        deny all;
    }
}

Check the syntax and reload the configuration:

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

Create the directory and a test file:

[root@linux01 ~]# mkdir /data/wwwroot/test.com/admin/
[root@linux01 ~]# echo "test,test" > /data/wwwroot/test.com/admin/1.html

curl test (connect via 192.168.139.111, which is not in the allow list):

[root@linux01 ~]# curl -x192.168.139.111:80 test.com/admin/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.5
Date: Sat, 24 Nov 2018 10:43:31 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

The status code is 403: access denied, as intended.

curl test (connect via 127.0.0.1, which is allowed):

[root@linux01 ~]# curl -x127.0.0.1:80 test.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Sat, 24 Nov 2018 10:44:11 GMT
Content-Type: application/octet-stream
Content-Length: 21
Last-Modified: Sat, 24 Nov 2018 10:36:21 GMT
Connection: keep-alive
ETag: "5bf929a5-15"
Accept-Ranges: bytes

The status code is 200: access allowed. (No PHP handler is configured in this vhost yet, which is why nginx serves the raw file as application/octet-stream; see section 3.)

Requirement: prevent PHP files under image or upload directories from being executed; otherwise anyone who can upload a file there can plant a web shell (trojan).
A regex location can match these paths.
Edit the configuration file:

server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # Deny any .php under an upload/ or image/ path component. nginx tries regex
    # locations in file order and uses the first match, so this block must come
    # before the `location ~ \.php$` block that hands requests to php-fpm
    # (section 3); otherwise an uploaded shell would still be executed.
    # The alternation matches the literal names upload/ and image/ only; a
    # directory named images/ or uploads/ is not covered unless added here.
    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }
}

Check the syntax and reload the configuration:

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

Create the directory and files:

[root@linux01 test.com]# mkdir upload
[root@linux01 test.com]# vim upload/1.php
<?php
echo 123;
?>
[root@linux01 test.com]# vim upload/1.txt
hello

curl test:

[root@linux01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.15.5</center>
</body>
</html>

The status code is 403: access denied.

[root@linux01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
hello

Served successfully: only .php files under the directory are blocked, other files are still served.

Restricting by User-Agent

Edit the configuration file:

[root@linux01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # refuse clients whose User-Agent matches Spider/3.0, YoudaoBot or Tomato;
    # `~` is a case-sensitive regex match, use `~*` to also catch "tomato"
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }
}

Check the syntax and reload the configuration:

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

curl test (-A sets the User-Agent to Tomato):

[root@linux01 ~]# curl -A "Tomato" -x127.0.0.1:80 test.com/1.png -I
HTTP/1.1 403 Forbidden
Server: nginx/1.15.5
Date: Sat, 24 Nov 2018 10:59:40 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

The status code is 403: access denied.

[root@linux01 ~]# curl -A "baidu" -x127.0.0.1:80 test.com/1.png -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Sat, 24 Nov 2018 11:01:18 GMT
Content-Type: image/png
Content-Length: 211090
Last-Modified: Sat, 24 Nov 2018 10:16:52 GMT
Connection: keep-alive
ETag: "5bf92514-33892"
Expires: Sat, 01 Dec 2018 11:01:18 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

The status code is 200: access allowed. The User-Agent is supplied by the client, so this only filters bots that identify themselves honestly; anything can bypass it by sending a different string, exactly as this second test does.
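The three access-control rules in this section (the IP allow list for /admin/, the regex location that denies .php under upload/ and image/, and the User-Agent block) all depend on evaluation order or match flags. The following Python model, added here and not part of the original notes, reproduces the documented nginx semantics so those ordering effects can be checked offline: allow/deny rules stop at the first match, regex locations are tried in file order and the first match wins, and `~` is case-sensitive while `~*` is not. It models only regex locations (not prefix or exact ones), it is not nginx's own code, and the sample URIs and addresses are constructed.

```python
# Added example (not from the original notes): a model of the three nginx
# access-control mechanisms configured in this section, reproducing the
# documented evaluation order so the configuration can be checked offline.
# Not nginx's own code; only regex locations are modelled.
import ipaddress
import re
from typing import List, Tuple

# allow/deny rules of `location /admin/`, in file order.
ADMIN_RULES: List[Tuple[str, str]] = [
    ("allow", "192.168.133.112"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]


def ip_allowed(client_ip: str, rules: List[Tuple[str, str]]) -> bool:
    """First matching rule decides and evaluation stops there (nginx semantics,
    unlike Apache's Order directive).  'all' matches any address; an address
    without a mask is a single host.  With no matching rule nginx allows."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True


# Regex locations in the order they appear in the vhost file.  nginx tries
# regex locations in file order and uses the first one that matches.
LOCATIONS_SAFE = [
    (r".*(upload|image)/.*\.php$", "deny"),     # section 2 rule, placed first
    (r"\.php$", "php-fpm"),                     # section 3 fastcgi block
]
LOCATIONS_UNSAFE = [                            # same rules, wrong order
    (r"\.php$", "php-fpm"),
    (r".*(upload|image)/.*\.php$", "deny"),
]


def pick_location(uri: str, locations) -> str:
    """Handler of the first regex location matching the URI ('static' if none)."""
    for pattern, handler in locations:
        if re.search(pattern, uri):
            return handler
    return "static"


BLOCKED_UA = r"Spider/3.0|YoudaoBot|Tomato"    # from the `if` above


def ua_blocked(user_agent: str, case_insensitive: bool = False) -> bool:
    """`~` is a case-sensitive PCRE match; `~*` (case_insensitive=True) is not.
    The header is client-supplied, so this only stops bots that name themselves."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(BLOCKED_UA, user_agent, flags) is not None


if __name__ == "__main__":
    print(ip_allowed("127.0.0.1", ADMIN_RULES), ip_allowed("192.168.139.111", ADMIN_RULES))
    print(pick_location("/upload/1.php", LOCATIONS_SAFE),
          pick_location("/upload/1.php", LOCATIONS_UNSAFE))
    print(ua_blocked("Tomato"), ua_blocked("tomato"), ua_blocked("tomato", True))
```

Two results are worth trying by hand: with the php-fpm location listed first, `/upload/1.php` is handed to php-fpm despite the deny rule, and `/images/a.php` is never caught because the pattern names `image/` literally; both are configuration mistakes that `nginx -t` will not report.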


3 nginx PHP parsing configuration

Modify the configuration file:

[root@linux01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location ~ \.php$
    {
        include fastcgi_params;
        # must be the same socket that php-fpm's `listen =` names; if the two
        # differ, nginx cannot reach php-fpm and every .php request returns 502
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}

curl test before the configuration is reloaded (nginx still serves the PHP source as a static file):

[root@linux01 ~]# curl -x127.0.0.1:80 test.com/1.php
<?php
echo  "hello";
?>

Check the syntax and reload the configuration:

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

curl test after the reload (php-fpm now executes the script):

[root@linux01 ~]# curl -x127.0.0.1:80 test.com/1.php
hello

fastcgi_pass specifies the address (host:port) or unix socket that php-fpm listens on. A hardening note for this block: with PHP's default cgi.fix_pathinfo=1, a request such as /x/1.jpg/a.php still matches `location ~ \.php$`, and php-fpm may fall back to executing 1.jpg as PHP. Adding `try_files $uri =404;` inside this location (or setting cgi.fix_pathinfo=0 in php.ini) makes nginx reject such paths before they reach php-fpm, complementing the upload/image deny rule from section 2.

Troubleshooting a 502 Bad Gateway

Check the nginx error log and the configuration files for mistakes.

Check that the socket path in php-fpm.conf and in conf/vhost/test.com.conf are identical:

[root@linux01 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
listen = /tmp/php-fcgi.sock

[root@linux01 ~]# cat /usr/local/nginx/conf/vhost/test.com.conf
fastcgi_pass unix:/tmp/php-cgi.sock;

In this example the two paths differ (php-fcgi.sock versus php-cgi.sock), so nginx cannot connect to php-fpm and every .php request returns 502; the nginx error log will record a connect() failure for unix:/tmp/php-cgi.sock with "No such file or directory". Make the `listen =` line in php-fpm and the `fastcgi_pass` line in nginx agree.

If the paths match but the error log reports "Permission denied" on the socket, the nginx worker user cannot open it: set listen.owner, listen.group and listen.mode in the php-fpm pool configuration so that the nginx user can read and write the socket.

Another possibility is that php-fpm has exhausted its worker processes (pm.max_children reached); the php-fpm log reports this, and raising pm.max_children or fixing the slow scripts resolves it.
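The first check in the list above, comparing php-fpm's `listen` with nginx's `fastcgi_pass`, as an added example that is not part of the original notes: a Python helper that parses both files and reports a mismatch, plus a check of the socket file itself that maps onto the two error-log messages a practitioner usually sees. The configuration snippets embedded in it are constructed from the values shown above, and the file paths are the ones used in these notes.

```python
# Added example (not from the original notes): parse php-fpm's `listen =` and
# nginx's `fastcgi_pass`, report a mismatch, and classify the socket file.
import os
import re
import stat
from typing import Optional

# Constructed snippets mirroring the two files shown above.
PHP_FPM_CONF = """
[www]
; the pool's listen address (in some layouts it lives in php-fpm.d/www.conf)
listen = /tmp/php-fcgi.sock
"""
VHOST_MISMATCH = """
location ~ \\.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-cgi.sock;   # typo: php-cgi instead of php-fcgi
}
"""
VHOST_OK = VHOST_MISMATCH.replace("php-cgi.sock", "php-fcgi.sock")


def fpm_listen(conf: str) -> Optional[str]:
    """Value of the first `listen =` line, ignoring ';' comments."""
    for line in conf.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"listen\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def nginx_fastcgi_pass(conf: str) -> Optional[str]:
    """Argument of the first `fastcgi_pass` directive, ignoring '#' comments."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"fastcgi_pass\s+(\S+?)\s*;", line)
        if m:
            return m.group(1)
    return None


def normalise(addr: str) -> str:
    """nginx writes unix sockets as unix:/path; php-fpm writes the bare path."""
    return addr[len("unix:"):] if addr.startswith("unix:") else addr


def socket_mismatch(php_fpm_conf: str, vhost_conf: str) -> Optional[str]:
    """Description of the mismatch, or None when both sides agree."""
    fpm = fpm_listen(php_fpm_conf)
    ngx = nginx_fastcgi_pass(vhost_conf)
    if fpm is None or ngx is None:
        return "listen= or fastcgi_pass not found"
    if normalise(fpm) != normalise(ngx):
        return f"php-fpm listens on {fpm} but nginx passes to {ngx}"
    return None


def socket_state(path: str) -> str:
    """'missing' (error log: No such file or directory), 'not-a-socket',
    'no-access' (error log: Permission denied; fix listen.owner/listen.group/
    listen.mode in the php-fpm pool) or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "no-access"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return "no-access"
    return "ok"


if __name__ == "__main__":
    print(socket_mismatch(PHP_FPM_CONF, VHOST_MISMATCH))
    print(socket_mismatch(PHP_FPM_CONF, VHOST_OK))
    print(socket_state(normalise(nginx_fastcgi_pass(VHOST_OK))))
```

Run `socket_state` as the user nginx's workers run as (not root), otherwise the permission check is meaningless: root can open a socket that the worker cannot.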

4 nginx proxy

Modify the configuration file:

[root@linux01 ~]# cd /usr/local/nginx/conf/vhost
[root@linux01 vhost]# vim proxy.conf   # add the following
server
{
    listen 80;
    server_name www.baidu.com;   # the domain clients request from this nginx

    location /
    {
        proxy_pass http://163.177.151.110/;   # address of the upstream server that really serves the site
        # forward the requested host name so the upstream vhost matches
        # ($host is the Host header of the request, or server_name if absent)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;                      # client address as seen by this proxy
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # incoming X-Forwarded-For, if any, with $remote_addr appended
    }
}

Get Baidu's IP address (dig comes from the bind-utils package: yum install -y bind-utils):

[root@linux01 ~]# dig www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59086
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.            IN    A

;; ANSWER SECTION:
www.baidu.com.        837    IN    CNAME    www.a.shifen.com.
www.a.shifen.com.    127    IN    A    163.177.151.110
www.a.shifen.com.    127    IN    A    163.177.151.109

;; Query time: 13 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Sat Nov 24 23:40:01 CST 2018
;; MSG SIZE  rcvd: 101

Check the syntax and reload the configuration:

[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload

curl test:
Access Baidu directly:

[root@linux01 ~]# curl  www.baidu.com/robots.txt
User-agent: Baiduspider
Disallow: /baidu
Disallow: /s?
Disallow: /ulink?
Disallow: /link?
Disallow: /home/news/data/
(remaining lines omitted)

Access Baidu through the local proxy:

[root@linux01 ~]# curl -x127.0.0.1:80  www.baidu.com/robots.txt
User-agent: Baiduspider
Disallow: /baidu
Disallow: /s?
Disallow: /ulink?
Disallow: /link?
Disallow: /home/news/data/
(remaining lines omitted)

The proxy works: the same robots.txt comes back through 127.0.0.1, which forwarded the request to 163.177.151.110 with the Host header preserved.
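The headers set by `proxy_set_header` above decide what the upstream learns about the real client. As an added example (not part of the original notes), the Python below models `$proxy_add_x_forwarded_for` and shows how a backend behind such a proxy should read X-Forwarded-For: walk the chain from the right and skip only addresses of proxies it trusts, so a value the client put in the header itself is never mistaken for the client address. The trusted-proxy list and all sample addresses (`1.2.3.4`, `203.0.113.10`, the 10.0.0.0/8 hops) are constructed for the demonstration.

```python
# Added example (not from the original notes): what the two forwarding headers
# set by the proxy above carry, and how an upstream should read them.
import ipaddress
from typing import Iterable, Optional


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Value of nginx's $proxy_add_x_forwarded_for: the client's X-Forwarded-For
    (if it sent one) with $remote_addr appended, otherwise just $remote_addr."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def client_ip(xff: Optional[str], peer_addr: str, trusted_proxies: Iterable[str]) -> str:
    """Upstream-side: the TCP peer is the last, unforgeable hop.  Walk the chain
    from the right, skipping only addresses that belong to trusted proxies; the
    first other address is the client.  Anything further left was supplied by
    an untrusted party and is ignored.  A malformed entry ends the walk and the
    nearest verified hop is returned, so garbage never becomes a 'client IP'."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    chain = [h.strip() for h in xff.split(",")] if xff else []
    chain.append(peer_addr)
    last_good = peer_addr
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return last_good
        if not any(ip in n for n in nets):
            return addr
        last_good = addr
    return last_good   # every hop was a trusted proxy (internal request)


if __name__ == "__main__":
    # A client at 203.0.113.10 sends a forged X-Forwarded-For: 1.2.3.4 through
    # the nginx proxy above (constructed addresses); nginx appends 203.0.113.10.
    forwarded = proxy_add_x_forwarded_for("1.2.3.4", "203.0.113.10")
    print(forwarded)                                         # 1.2.3.4, 203.0.113.10
    print(client_ip(forwarded, "127.0.0.1", ["127.0.0.1"]))  # 203.0.113.10
```

X-Real-IP needs no parsing because the configuration above overwrites it with `$remote_addr` on every request; the upstream may use it directly, but only if it accepts connections from this nginx alone, since a client that can reach the upstream directly could set X-Real-IP itself.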


Further reading
502 troubleshooting summary: http://ask.apelearn.com/question/9109
location priority: http://blog.lishiming.net/?p=100


Reposted from blog.csdn.net/InfiniteIdea_Go/article/details/84575611