Nginx anti-leech, Nginx access control, Nginx parsing php related configuration, Nginx proxy

Nginx anti-leech
First enter the /usr/local/nginx/conf/vhost/ directory and edit the virtual host configuration file
vim test.com.conf
then add the following content
location ~ ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
The core part of anti-leech is these lines:
valid_referers none blocked server_names *.test.com;
if ($invalid_referer) {
    return 403;
}
The first line defines the whitelist of allowed referers (none = no Referer header at all, blocked = a Referer masked by a proxy or firewall, server_names = this host's own names, plus any *.test.com subdomain); the second line tests whether the request's Referer failed to match that list; the third line is the status code returned when it did not. Save the file, check the syntax and reload.
Nginx access control
Just like httpd, Nginx also needs to restrict certain IPs from accessing, or only allow certain IPs to access. The configuration method is very similar to httpd, but more concise; there is no need to go through the whole sequence as in httpd.
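Before moving on to access control, here is how the valid_referers line in the anti-leech block above decides between 200 and 403, as an added Python emulation written for this page (it is not nginx code and not from the original post); the server_name list and the wildcard-matching rule are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed emulation of how nginx evaluates the valid_referers line in the
# anti-leech block on this page; it is not nginx code. Keyword semantics:
#   none         -> the request carries no Referer header at all
#   blocked      -> a Referer is present but was masked by a proxy/firewall,
#                   i.e. it does not start with "http://" or "https://"
#   server_names -> any name from the vhost's server_name directive
# Any other entry is a hostname, optionally with a leading "*." wildcard
# (assumed to behave like a server_name wildcard: "*.test.com" matches
# "img.test.com" but not "test.com" itself).

SERVER_NAMES = ["test.com", "www.test.com"]            # assumed vhost names
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]  # from the page

def host_matches(host, pattern):
    """Match a Referer host against one valid_referers entry."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # "*.test.com" -> ".test.com"
        return host.endswith(suffix)
    return host == pattern

def invalid_referer(headers, valid=VALID_REFERERS):
    """Return True when nginx would set $invalid_referer to 1."""
    ref = headers.get("Referer")
    if ref is None:
        return "none" not in valid
    if not re.match(r"^https?://", ref, re.IGNORECASE):
        return "blocked" not in valid
    host = urlsplit(ref).hostname or ""          # strips scheme, port and path
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        names = SERVER_NAMES if entry == "server_names" else [entry]
        if any(host_matches(host, n) for n in names):
            return False
    return True

def status_for(referer):
    """HTTP status the location block returns for a Referer value (None = absent)."""
    headers = {} if referer is None else {"Referer": referer}
    return 403 if invalid_referer(headers) else 200

if __name__ == "__main__":
    for r in (None, "XXXXX", "http://test.com/page.html",
              "https://img.test.com/", "http://evil.com/steal.html"):
        print(repr(r), "->", status_for(r))
```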
To configure access control, you still need to edit the virtual host configuration file under /usr/local/nginx/conf/vhost/ and then add the access control configuration
location /admin/
{
allow 192.168.1.107;
allow 127.0.0.1;
deny all;
}
When we build a whitelist, the allow rules must come first and deny all last: Nginx checks the rules in order and stops at the first match. allow permits the address, deny rejects it. Be sure to end each statement with ";".
Then we do an experiment, create a directory mkdir /data/wwwroot/test.com/admin/
and write the content in it
echo "test,test">/data/wwwroot/test.com/admin/1.html
Then we test
curl -x 127.0.0.1:80 -I test.com/admin/1.html
HTTP/1.1 200 OK
curl -x 192.168.1.107:80 -I test.com/admin/1.html
HTTP/1.1 200 OK
Access from any other IP is refused; this is how IP access is restricted, here for a directory.

We can also restrict access by matching the request URL
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
The "|" inside the parentheses means "or", so any request whose URL contains the keyword upload or image and ends in .php is matched and denied. The purpose is to prevent php from being parsed in the directory that holds uploaded files, as a security measure.
Then we do an experiment.
First create an upload directory, write a php file in it, and then access
curl -x192.168.1.107:80 -I test.com/upload/1.php
HTTP/1.1 403 Forbidden
The request is refused, so our goal is achieved.

If we do not want certain clients, such as crawlers, to find our site, we can restrict by user agent, so the site stays hidden from them.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Adding "*" after "~" (i.e. "~*") makes the match case-insensitive.

Nginx parses php related configuration
In LAMP, php runs as a module of httpd: once the module is loaded, httpd can parse php scripts itself. In LNMP, php runs as a separate service (php-fpm). We first start the php-fpm service, then Nginx talks to php-fpm, which means the work of parsing php scripts is handed to php-fpm.
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
This is the configuration file for Nginx to parse php.
What needs attention here is fastcgi_pass unix:/tmp/php-fcgi.sock; it is easy to get wrong, and if it is wrong a 502 will be displayed.
We set up an experiment, deliberately wrote /tmp/php-fcgi.sock wrong, and then accessed.
curl -x192.168.1.107:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
Since we wrote the configuration file wrong, it shows 502. Let's check the error log nginx_error.log:
2018/04/26 23:22:39 [crit] 2076#0: *49 connect() to unix:/tmp/php-fgi.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.1.107, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fgi.sock:", host: "test.com"
The key part is connect() to unix:/tmp/php-fgi.sock failed (2: No such file or directory): nginx tried a socket path that does not exist.
When we run into such a problem, we have to think carefully about whether the address we configured is wrong. First look at the error log and check whether the socket file it names exists. If it does not, check the php-fpm configuration file to see which sock is defined there. The sock in php-fpm must be consistent with the sock in the virtual host's configuration file, otherwise a 502 error is reported.

If php-fpm is listening on a port, say 127.0.0.1:9000, then we also need to make a change in the virtual host configuration file.
First find fastcgi_pass and change it to the listening-port form, for example fastcgi_pass 127.0.0.1:9000; then check for syntax errors and reload. After this series of operations, php can be parsed again. So the fastcgi_pass in the virtual host must match the address php-fpm listens on, otherwise a 502 is reported.
In the future, if 502 appears when parsing php, the first thing to check is whether the listening IP or sock configured in php-fpm matches the one in the virtual host. If they differ, 502 is reported.
In addition, the path in front of $fastcgi_script_name in SCRIPT_FILENAME must be written correctly. It must be the same as the path after root in the configuration file; the two must correspond. If it is wrong, a 404 is reported on access.
There is one more case in which 502 is reported: whether the line listen.mode=666 in the php-fpm configuration file is commented out. This setting lets every user read and write the socket file; without it only the root user has that permission, so the Nginx worker cannot connect.
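The 502 troubleshooting described above can be scripted. The following added Python example, which is not part of the original post, pulls the upstream address out of the error-log line quoted above and compares it with the listen value of a php-fpm pool config; the pool config text is constructed for the example, and it assumes listen is either a socket path or host:port.

```python
import re

# Constructed sample input, not taken from a live server: the nginx error-log
# line quoted on this page and a php-fpm pool config shaped like www.conf.
ERROR_LOG_LINE = (
    '2018/04/26 23:22:39 [crit] 2076#0: *49 connect() to unix:/tmp/php-fgi.sock '
    'failed (2: No such file or directory) while connecting to upstream, '
    'client: 192.168.1.107, server: test.com, request: "GET HTTP://test.com/3.php '
    'HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fgi.sock:", host: "test.com"'
)
PHP_FPM_POOL_CONF = """[www]
user = php-fpm
group = php-fpm
listen = /tmp/php-fcgi.sock
listen.mode = 666
"""
# Matches a socket ("unix:/path") or TCP ("127.0.0.1:9000") upstream in the log.
UPSTREAM_RE = re.compile(
    r"connect\(\) to (?P<addr>unix:\S+?|[\d.]+:\d+) failed \((?P<err>[^)]*)\)")

def upstream_from_log(line):
    """Return (address nginx tried, OS error text), or None without a connect() failure."""
    m = UPSTREAM_RE.search(line)
    return (m.group("addr"), m.group("err")) if m else None

def listen_from_pool(conf):
    """Return php-fpm's listen value in the form fastcgi_pass expects."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":          # comment, blank or [pool] header
            continue
        key, _, value = line.partition("=")
        if key.strip() == "listen":
            value = value.strip()                   # assumed: socket path or host:port
            return value if ":" in value else "unix:" + value
    return None

def diagnose(log_line, pool_conf):
    """Compare the socket nginx tried against the one php-fpm listens on."""
    found = upstream_from_log(log_line)
    if found is None:
        return "no upstream connect() failure in this log line"
    nginx_target, err = found
    fpm_target = listen_from_pool(pool_conf)
    if nginx_target == fpm_target:
        return f"fastcgi_pass {nginx_target} matches php-fpm; error was: {err}"
    return (f"mismatch: nginx fastcgi_pass uses {nginx_target} but php-fpm "
            f"listens on {fpm_target}; make the two agree, then reload")

print(diagnose(ERROR_LOG_LINE, PHP_FPM_POOL_CONF))
```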

Nginx proxy
When users cannot reach the server directly, we can set up a proxy server.
First enter /usr/local/nginx/conf/vhost
and then create a new configuration file
vim proxy.conf
and add the following content
server
{
listen 80;
server_name ask.apelearn.com;

location /
{
    proxy_pass      http://121.201.9.155/;
    proxy_set_header Host   $host;
    proxy_set_header X-Real-IP      $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

}
where proxy_pass defines the address of the web server the proxy forwards to,
server_name defines the domain name the proxy answers for,
and then we check the syntax and reload.
If we do not know the IP of the web server we are proxying for, we can use dig + domain name to look it up.
Install the dig command: yum install -y bind*
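To show what the proxy_set_header lines above actually carry, this added Python example (not nginx code and not from the original post) emulates $proxy_add_x_forwarded_for and the backend-side check that recovers the real client address; the 192.168.1.0/24 trusted-proxy subnet and the client addresses are assumptions.

```python
import ipaddress

# Constructed emulation of what the proxy_set_header lines on this page put on
# the upstream request, plus how the backend should read them back; it is not
# nginx code. $proxy_add_x_forwarded_for is the client's X-Forwarded-For with
# $remote_addr appended, or just $remote_addr when the client sent none.

# Assumed: our own nginx proxies live in this subnet (not stated on the page).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]

def forward_headers(client_headers, remote_addr, host):
    """Headers the proxy block sends to proxy_pass for one incoming request."""
    xff = client_headers.get("X-Forwarded-For")
    combined = f"{xff}, {remote_addr}" if xff else remote_addr
    return {"Host": host,
            "X-Real-IP": remote_addr,         # overwritten at every proxy hop
            "X-Forwarded-For": combined}

def real_client_ip(xff):
    """Backend side: walk X-Forwarded-For right to left, skipping our own
    proxies; the first address that is not one of them is the real client.
    The leftmost values are client-supplied and can be forged."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None                       # non-IP junk in a forged header
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return hops[0] if hops else None          # every hop was one of our proxies

if __name__ == "__main__":
    # Constructed request: a client at 203.0.113.9 forges X-Forwarded-For to
    # claim 1.2.3.4, reaches one proxy, which forwards through a second proxy
    # at 192.168.1.107 before the backend sees it.
    hop1 = forward_headers({"X-Forwarded-For": "1.2.3.4"}, "203.0.113.9", "ask.apelearn.com")
    hop2 = forward_headers(hop1, "192.168.1.107", "ask.apelearn.com")
    print(hop2["X-Forwarded-For"])            # 1.2.3.4, 203.0.113.9, 192.168.1.107
    print(real_client_ip(hop2["X-Forwarded-For"]))  # 203.0.113.9
```

X-Real-IP only ever names the last hop, so on a chain of proxies the backend has to walk X-Forwarded-For as shown rather than trusting either the leftmost entry or X-Real-IP.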

Origin http://43.154.161.224:23101/article/api/json?id=324931836&siteId=291194637