nginx anti-leech, access control, PHP parsing, server proxy

12.13 Nginx anti-leech

Because anti-leech (hotlink protection) is also configured in a location block, it can be combined with the log-management settings in the same block:

[root@1 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
……
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    # define the referer whitelist
    if ($invalid_referer) {
        # if the referer is not a whitelisted domain, return 403
        return 403;
    }
    access_log off;
}
……

[root@1 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@1 ~]# /usr/local/nginx/sbin/nginx -s reload

Description: The "*" in "location ~* ^.+" makes the match case-insensitive.

Test

[root@1 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/baidu.png
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 06:22:36 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

That is, a request whose referer is not in the whitelist is denied!

12.14 Nginx Access Control

Requirements: For requests to access the /admin/ directory, only a few specified IPs are allowed to pass through. The configuration is as follows:

[root@1 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf 
……
location /admin/
    {
    allow 192.168.8.132;
    allow 127.0.0.1;
    deny all;
    # set the IP whitelist
    }
……

[root@1 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@1 ~]# /usr/local/nginx/sbin/nginx -s reload

Create the directory specified above:

[root@1 ~]# mkdir /data/wwwroot/test.com/admin

[root@1 ~]#  echo “test,test”>/data/wwwroot/test.com/admin/1.html

Test

[root@1 ~]# curl -x127.0.0.1:80  test.com/admin/1.html
“test,test”

[root@1 ~]# curl -x192.168.8.132:80  test.com/admin/1.html
“test,test”

Access Control - Regular Matching

location ~ .*(abc|image)/.*\.php$
{
        deny all;
}

Access Control - user_agent restrictions

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

Description:  deny all has the same effect as return 403

12.15 Nginx configuration for parsing PHP

Core configuration:

vim /usr/local/nginx/conf/vhost/test.com.conf
……
location ~ \.php$
    {
        include fastcgi_params;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # fastcgi_pass has two listen formats (TCP address or unix socket); the one used here must match php-fpm's
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
……

Note: Pay attention to two points here. fastcgi_pass has two formats, but whichever one is used, it must be the same format that php-fpm is configured with, otherwise a 502 error is reported. The path on the fastcgi_param SCRIPT_FILENAME line must be consistent with the root path!
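The location blocks from 12.14 and 12.15 interact: nginx prefers a matching regex location over a plain prefix match, so with `location /admin/` and `location ~ \.php$` side by side, a .php file under /admin/ is served by the PHP block without the allow/deny list being applied. The following is an added example, not part of the original notes, that keeps the whitelist in force for PHP and only passes existing scripts to php-fpm; the IPs, socket and paths are the ones used on this page, while the server block layout is an assumption.

```nginx
server {
    listen 80;
    server_name test.com;
    root /data/wwwroot/test.com;
    index index.html index.php;

    # "^~" tells nginx not to check top-level regex locations once this
    # prefix matches, so the whitelist also covers /admin/*.php.
    location ^~ /admin/ {
        allow 192.168.8.132;
        allow 127.0.0.1;
        deny all;

        # Nested PHP handler: inherits the allow/deny rules above.
        location ~ \.php$ {
            try_files $uri =404;    # only hand existing scripts to php-fpm
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Regex locations are tried in file order, so this deny rule must come
    # before the generic PHP block or it would never be reached.
    location ~ .*(abc|image)/.*\.php$ {
        deny all;
    }

    # PHP everywhere else.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        # $document_root follows the "root" directive, so SCRIPT_FILENAME
        # cannot drift away from the root path.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```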

12.16 Nginx proxy

The Nginx proxy is a reverse proxy. A reverse proxy accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result obtained from that server to the client that requested the connection. To the outside world, the proxy server appears to be the server.

Working principle

To use Nginx as a proxy, define a domain name on the proxy server and point it at an IP; the proxy server then forwards the user's requests to the web server at that IP.

graph LR
User-->ProxyServer
ProxyServer-->User
ProxyServer-->WebServer
WebServer-->ProxyServer

Enter the virtual host directory:

[root@1 ~]# cd /usr/local/nginx/conf/vhost/

Create a proxy server

[root@1 vhost]# vim proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;
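    # define the domain name (usually the same as the domain name of the proxied IP)
    location /
    {
        proxy_pass      http://121.201.9.155/;
        # the IP being proxied (the web server's IP)
        proxy_set_header Host   $host;
        # $host is the proxy server's server_name (also the domain name of the proxied IP)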
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Note:  Because the virtual host is only used as a proxy server and does not need to access local files, it is not necessary to set the root directory.
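`$proxy_add_x_forwarded_for` appends the client address to whatever X-Forwarded-For header the client sent, so a backend should accept these headers only when the request comes from the proxy itself. The following is an added example, not part of the original notes, for a backend nginx you control, using the realip module; the proxy address 192.0.2.10 and the log file name are placeholders.

```nginx
# Backend (web server) side, inside the http context of nginx.conf.
# Requires nginx built with --with-http_realip_module.

set_real_ip_from  192.0.2.10;        # placeholder: the proxy's address; trust headers only from it
real_ip_header    X-Forwarded-For;
real_ip_recursive on;                # take the last address that is not a trusted proxy

# Log both the restored client address and the peer that actually connected.
log_format proxied '$remote_addr via $realip_remote_addr '
                   '"$request" $status "$http_x_forwarded_for"';

server {
    listen 80;
    server_name ask.apelearn.com;
    access_log logs/proxied.log proxied;   # hypothetical log file name

    location /admin/ {
        # $remote_addr is now the client address restored by realip, so
        # allow/deny match the real client instead of the proxy.
        allow 192.168.8.132;
        deny all;
    }
}
```

Requests that reach the backend from any address other than the trusted proxy keep their TCP peer address as `$remote_addr`, whatever headers they carry.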

Test

Before setting up the proxy

[root@1 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

After setting up the proxy

[root@1 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@adailinux vhost]# /usr/local/nginx/sbin/nginx -s reload


[root@1 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
