One Nginx anti-theft chain

1. Modify the virtual host configuration file

# vim /usr/local/nginx/conf/vhost/test.com.conf

Add the following content to the configuration file. The content here is combined with the expiration time of static elements and no logging:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ //^ means starting with...,

{

expires 7d;

valid_referers none blocked server_names *.test.com ; //referer白名单

if ($invalid_referer) { //If it is not a referer in the whitelist, return 403

return 403;

}

access_log off;

}

2. Test for syntax errors and reload the configuration file

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

3. Test verification

When the referer is a link outside the whitelist, it will be blocked

# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I

When the referer is a link on the whitelist, the access will be successful

# curl -e "http://test.com" -x127.0.0.1:80 test.com/1.gif -I

Two Nginx access control

1. Configure IP whitelist

Edit the virtual host configuration file /usr/local/nginx/conf/vhost/test.com.conf and add the following:

locaton /admin/ //Access control for directories
{
allow 192.168.31.157; //Note that the whitelist needs to be allowed first, then deny
allow 127.0.0.1;
deny all;

}
Unlike the order in apache, all access is denied first, then the whitelist is turned on, and all codes are executed sequentially; in nginx, there is no order. When executing a statement, as long as it matches the accessed IP, it will not be executed. The latter statement, so you need to write allow in front and deny in the back

2. Check for syntax errors and reload the configuration file

# /usr/local/nginx/sbin/nginx -t

# /usr/local/nginx/sbin/nginx -s reload

3. Test verification

# curl -x192.168.31.157:80 -I test.com/admin/1.php

# curl -x127.0.0.1:80 -I test.com/admin/1.php

If the source IP is not in the whitelist, 403 Forbidden will appear

4. Access Control - Regular Matching

Access control by matching regular expressions to allow or deny access

For example, you can add the following content to the virtual host configuration file, indicating that it is forbidden to upload files or pictures to parse php

location ~ .*(upload|image)/.*\.php$ //Match files ending with php in the upload or image directory
{
deny all; // deny access
}

After checking the syntax and loading the configuration file, let's access the php file test.com/upload/1.php under upload and prompt access is prohibited

Next, visit the txt file test.com/upload/1.txt under upload and visit OK

5. Restrict access according to user_agent

Add the following code to the virtual host configuration file:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') //Indicates that if the user_agent contains any one of Spider/3.0|YoudaoBot|Tomato, access will be denied

{

return 403; //deny all has the same effect as return 403

}

Now it is possible to visit test.com/upload/1.txt successfully

Next, simulate the user agent Tomatodsewre, because it matches Tomato, all servers deny access

# curl -A "Tomatodsewre" -x127.0.0.1:80 -I test.com/upload/1.txt

But in the following figure, when we simulate the user agent tomatodsewre, after the first letter is changed from size to lowercase, the access is successful, which shows that our current configuration is size-sensitive

# curl -A "tomatodsewre" -x127.0.0.1:80 -I test.com/upload/1.txt

At this point, we only need to add a * sign after the matching symbol ~ to indicate that case is ignored, as follows

After adding *, if we visit test.com/upload/1.txt again, it will prompt that access is forbidden

Three Nginx parsing php related configuration

1. Edit the virtual host configuration file

Add the following to the virtual host configuration file:

location ~ \.php$

{

include fastcgi_params;

fastcgi_pass unix:/tmp/php-fcgi.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

}

Before reloading the configuration file, let's test access to a page 3.php, the content of the file is as follows

Next, let's visit this page. The result of the visit is the content of the 3.php file, but the php file is not parsed.

# curl -x127.0.0.1:80 test.com/3.php

2. Check the syntax and reload the configuration file

# /usr/local/nginx/sbin/nginx -t

# /usr/local/nginx/sbin/nginx -s reload

3. Test verification

Now let's visit the 3.php page again, the php statement in the file is parsed

# curl -x127.0.0.1:80 test.com/3.php

4. 502 status code

When fastcgi_pass unix:/tmp/php-fcgi.sock in the configuration file; the path /tmp/php-fcgi.sock configured in this line is wrong, a 502 error will appear. Let’s change the path to the following error path

Then come to test access # curl -x127.0.0.1:80 test.com/3.php and the following 502 will appear

When we encounter a 502 error, we can analyze it from several aspects:

1) Let's look at the error log # tail /usr/local/nginx/logs/nginx_error.log

The prompt says that there is no directory or file /tmp/php-cgi.sock, we # ls /tmp/php-cgi.sock found that there is no such file

At this time, we need to go to the php-fpm configuration file to check the path of the socket monitored by php-fpm and compare it with the path in the nginx configuration file above, and find that the path in the nginx configuration file is wrong.

This is summed up as follows: what is the listening socket path in the php-fpm configuration file, and what should be written in the fastcgi_pass path in the nginx configuration file

2) Experiment: First, the php-fpm configuration file configures the listening IP and port, as follows

Then restart php-fpm

# /etc/init.d/php-fpm reload

At this point we can see that 127.0.0.1:9000 has been monitored

Let's visit again # curl -x127.0.0.1:80 test.com/3.php

Look at the error log again # tail /usr/local/nginx/logs/nginx_error.log

The reason for this error is that the configuration file of nginx has not been modified to the form of IP + port, it needs to be modified to the following figure

After reloading the configuration file, let's check the access results again, and the result is that we have successfully accessed

Summary: In summary, if the php-fpm configuration file uses the form of IP+port, then the same form should be used in the nginx configuration file

3) Another place to check when a 502 error occurs is the path in the figure below the nginx configuration file

It should correspond to the path of the following figure

4) In php5.4 and later versions, there is a feature that if we listen to socket in the php-fpm configuration file and do not define listen.mode, then the /tmp/php-fcgi.sock file permissions will become 440

We modify the configuration file to the following form:

After reloading the configuration file, check the file permissions of /tmp/php-fcgi.sock. You can see that its permissions are 440, and the group and owner are both root users.

Then configure the nginx configuration file as socket,

Then visit # curl -x127.0.0.1:80 test.com/3.php The result is still 502 error

By looking at the error log, we can see that the reason for the 502 error is because of permission denied,

We mentioned above that the file permission of /tmp/php-fcgi.sock is 440, and the group and owner are both root users, but the following figure shows that the owner and group of the nginx process are both nobody

Let's test temporarily change the owner and group of /tmp/php-fcgi.sock to nobody

# chown nobody /tmp/php-fcgi.sock

Then visit # curl -x127.0.0.1:80 test.com/3.php, the result is successful, this is because the nobody user has read and write permissions at this time

5) Another 502 error situation is that the resources of the php-fpm service are exhausted. For example, a mysql query is stuck and the resources of php-fpm are exhausted. At this time, it is necessary to optimize

After modifying the php-fpm configuration file above, you need to restart the php-fpm service

Four Nginx proxies

Usage scenarios: a. Users cannot directly access the network of the web server

b. Although the user can directly access the web server, the network is too slow

Proxy server features: can communicate with both the user and the web server

Here we try to configure our virtual server as a proxy server, and then use the internal loopback IP127.0.0.1 of the virtual server to access the external website www.cxkchina.com/robots.txt. The internal loopback IP127.0.0.1 was originally cannot access the Internet

1. Change directory

# cd /usr/local/nginx/conf/vhost/

2. New virtual host configuration file

Write the following in the new virtual host configuration file proxy.conf:

server

{

listen 80;

server_name www.cxkchina.com; //The domain name for the proxy server

// There is no root written here, the reason is because this server is a proxy server, it does not need to access any files on the local server

location /

{

proxy_pass http://121.201.9.155/; //Tell nginx the IP of the real WEB server here

proxy_set_header Host $host; //Tell nginx that the domain name Host it wants to access is the domain name $host set above, and $host is server_name

proxy_set_header X-Real-IP $remote_addr; // Define the value of the variable X-Real-IP is $remote_addr

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; // Define the value of the variable X-Forwarded-For is $proxy_add_x_forwarded_for

}

2. Detect syntax errors and reload configuration files

# /usr/local/nginx/sbin/nginx -t

# /usr/local/nginx/sbin/nginx -s reload

3. Test verification

Under normal circumstances, visit the page www.cxkchina.com/robots.txt

Use the loopback IP127.0.0.1 inside the virtual server to access the external website www.cxkchina.com/robots.txt

LNMP Architecture (4)

One Nginx anti-theft chain

Two Nginx access control

Three Nginx parsing php related configuration

Four Nginx proxies

Guess you like