One Nginx anti-theft chain
1. Modify the virtual host configuration file
# vim /usr/local/nginx/conf/vhost/test.com.conf
Add the following content to the configuration file. The content here is combined with the expiration time of static elements and no logging:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$ //^ means starting with...,
{
expires 7d;
valid_referers none blocked server_names *.test.com ; //referer白名单
if ($invalid_referer) { //If it is not a referer in the whitelist, return 403
return 403;
}
access_log off;
}
2. Test for syntax errors and reload the configuration file
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload
3. Test verification
When the referer is a link outside the whitelist, it will be blocked
# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I
When the referer is a link on the whitelist, the access will be successful
# curl -e "http://test.com" -x127.0.0.1:80 test.com/1.gif -I
Two Nginx access control
1. Configure IP whitelist
Edit the virtual host configuration file /usr/local/nginx/conf/vhost/test.com.conf and add the following:
locaton /admin/ //Access control for directories
{
allow 192.168.31.157; //Note that the whitelist needs to be allowed first, then deny
allow 127.0.0.1;
deny all;
}
Unlike the order in apache, all access is denied first, then the whitelist is turned on, and all codes are executed sequentially; in nginx, there is no order. When executing a statement, as long as it matches the accessed IP, it will not be executed. The latter statement, so you need to write allow in front and deny in the back
2. Check for syntax errors and reload the configuration file
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload
3. Test verification
# curl -x192.168.31.157:80 -I test.com/admin/1.php
# curl -x127.0.0.1:80 -I test.com/admin/1.php
If the source IP is not in the whitelist, 403 Forbidden will appear
4. Access Control - Regular Matching
Access control by matching regular expressions to allow or deny access
For example, you can add the following content to the virtual host configuration file, indicating that it is forbidden to upload files or pictures to parse php
location ~ .*(upload|image)/.*\.php$ //Match files ending with php in the upload or image directory
{
deny all; // deny access
}
After checking the syntax and loading the configuration file, let's access the php file test.com/upload/1.php under upload and prompt access is prohibited
Next, visit the txt file test.com/upload/1.txt under upload and visit OK
5. Restrict access according to user_agent
Add the following code to the virtual host configuration file:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') //Indicates that if the user_agent contains any one of Spider/3.0|YoudaoBot|Tomato, access will be denied
{
return 403; //deny all has the same effect as return 403
}
Now it is possible to visit test.com/upload/1.txt successfully
Next, simulate the user agent Tomatodsewre, because it matches Tomato, all servers deny access
# curl -A "Tomatodsewre" -x127.0.0.1:80 -I test.com/upload/1.txt
But in the following figure, when we simulate the user agent tomatodsewre, after the first letter is changed from size to lowercase, the access is successful, which shows that our current configuration is size-sensitive
# curl -A "tomatodsewre" -x127.0.0.1:80 -I test.com/upload/1.txt
At this point, we only need to add a * sign after the matching symbol ~ to indicate that case is ignored, as follows
After adding *, if we visit test.com/upload/1.txt again, it will prompt that access is forbidden
Three Nginx parsing php related configuration
1. Edit the virtual host configuration file
Add the following to the virtual host configuration file:
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
Before reloading the configuration file, let's test access to a page 3.php, the content of the file is as follows
Next, let's visit this page. The result of the visit is the content of the 3.php file, but the php file is not parsed.
# curl -x127.0.0.1:80 test.com/3.php
2. Check the syntax and reload the configuration file
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload
3. Test verification
Now let's visit the 3.php page again, the php statement in the file is parsed
# curl -x127.0.0.1:80 test.com/3.php
4. 502 status code
When fastcgi_pass unix:/tmp/php-fcgi.sock in the configuration file; the path /tmp/php-fcgi.sock configured in this line is wrong, a 502 error will appear. Let’s change the path to the following error path
Then come to test access # curl -x127.0.0.1:80 test.com/3.php and the following 502 will appear
When we encounter a 502 error, we can analyze it from several aspects:
1) Let's look at the error log # tail /usr/local/nginx/logs/nginx_error.log
The prompt says that there is no directory or file /tmp/php-cgi.sock, we # ls /tmp/php-cgi.sock found that there is no such file
At this time, we need to go to the php-fpm configuration file to check the path of the socket monitored by php-fpm and compare it with the path in the nginx configuration file above, and find that the path in the nginx configuration file is wrong.
This is summed up as follows: what is the listening socket path in the php-fpm configuration file, and what should be written in the fastcgi_pass path in the nginx configuration file
2) Experiment: First, the php-fpm configuration file configures the listening IP and port, as follows
Then restart php-fpm
# /etc/init.d/php-fpm reload
At this point we can see that 127.0.0.1:9000 has been monitored
Let's visit again # curl -x127.0.0.1:80 test.com/3.php
Look at the error log again # tail /usr/local/nginx/logs/nginx_error.log
The reason for this error is that the configuration file of nginx has not been modified to the form of IP + port, it needs to be modified to the following figure
After reloading the configuration file, let's check the access results again, and the result is that we have successfully accessed
Summary: In summary, if the php-fpm configuration file uses the form of IP+port, then the same form should be used in the nginx configuration file
3) Another place to check when a 502 error occurs is the path in the figure below the nginx configuration file
It should correspond to the path of the following figure
4) In php5.4 and later versions, there is a feature that if we listen to socket in the php-fpm configuration file and do not define listen.mode, then the /tmp/php-fcgi.sock file permissions will become 440
We modify the configuration file to the following form:
After reloading the configuration file, check the file permissions of /tmp/php-fcgi.sock. You can see that its permissions are 440, and the group and owner are both root users.
Then configure the nginx configuration file as socket,
Then visit # curl -x127.0.0.1:80 test.com/3.php The result is still 502 error
By looking at the error log, we can see that the reason for the 502 error is because of permission denied,
We mentioned above that the file permission of /tmp/php-fcgi.sock is 440, and the group and owner are both root users, but the following figure shows that the owner and group of the nginx process are both nobody
Let's test temporarily change the owner and group of /tmp/php-fcgi.sock to nobody
# chown nobody /tmp/php-fcgi.sock
Then visit # curl -x127.0.0.1:80 test.com/3.php, the result is successful, this is because the nobody user has read and write permissions at this time
5) Another 502 error situation is that the resources of the php-fpm service are exhausted. For example, a mysql query is stuck and the resources of php-fpm are exhausted. At this time, it is necessary to optimize
After modifying the php-fpm configuration file above, you need to restart the php-fpm service
Four Nginx proxies
Usage scenarios: a. Users cannot directly access the network of the web server
b. Although the user can directly access the web server, the network is too slow
Proxy server features: can communicate with both the user and the web server
Here we try to configure our virtual server as a proxy server, and then use the internal loopback IP127.0.0.1 of the virtual server to access the external website www.cxkchina.com/robots.txt. The internal loopback IP127.0.0.1 was originally cannot access the Internet
1. Change directory
# cd /usr/local/nginx/conf/vhost/
2. New virtual host configuration file
Write the following in the new virtual host configuration file proxy.conf:
server
{
listen 80;
server_name www.cxkchina.com; //The domain name for the proxy server
// There is no root written here, the reason is because this server is a proxy server, it does not need to access any files on the local server
location /
{
proxy_pass http://121.201.9.155/; //Tell nginx the IP of the real WEB server here
proxy_set_header Host $host; //Tell nginx that the domain name Host it wants to access is the domain name $host set above, and $host is server_name
proxy_set_header X-Real-IP $remote_addr; // Define the value of the variable X-Real-IP is $remote_addr
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; // Define the value of the variable X-Forwarded-For is $proxy_add_x_forwarded_for
}
}
2. Detect syntax errors and reload configuration files
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload
3. Test verification
Under normal circumstances, visit the page www.cxkchina.com/robots.txt
Use the loopback IP127.0.0.1 inside the virtual server to access the external website www.cxkchina.com/robots.txt
Related recommended links:
502 Question Summary http://ask.apelearn.com/question/9109
location priority http://blog.lishiming.net/?p=100