12.13-12.16 Nginx's anti-leech, access control, parsing php-related configuration, and proxy

12.13 Nginx anti-leech

12.14 Nginx Access Control

12.15 Nginx parses php related configuration

12.16 Nginx proxy



12.13 Nginx anti-leech


outline


Nginx uses the same anti-leech (hotlink protection) idea as httpd: static files are served only when the request's Referer is on a whitelist. The configuration is not difficult.

Preparation:

Comment out the directives in the virtual host that the new location will replace. These are the static-file blocks that set an expiry time and turn off logging:

#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#    {
#          expires      7d;
#          access_log off;
#    }
#location ~ .*\.(js|css)$
#    {
#          expires      12h;
#          access_log off;
#    }


Topics of this section

1 The Nginx anti-leech configuration is as follows. It merges the expires and access_log settings commented out above with the referer check:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}


2 Parameter explanation

~* means the match against (gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls) is case-insensitive, using regular-expression syntax.

In ^.+\. the ^ anchors the start of the URI, .+ matches any characters, and \. is a literal dot before the extension.

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

The whole pattern therefore matches any URI that ends with one of the extensions in parentheses.

  valid_referers none blocked server_names  *.test.com ;

valid_referers defines the whitelist. Here it accepts requests with no Referer header (none), a Referer whose scheme was stripped by a proxy or firewall (blocked), the virtual host's own server names (server_names), and any sub-domain of test.com (*.test.com).

valid_referers none blocked server_names  *.test.com ;
    if ($invalid_referer) {
        return 403;
    }

3 When the Referer is not on the whitelist, nginx sets $invalid_referer and the if block returns 403.


4 Check syntax and reload

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload


5 curl to test anti-leech

First test a normal curl access with no Referer; the status code is 200.

[root@AliKvn test.com]# curl -x127.0.0.1:80 test.com/1.gif -I

curl -e sets the Referer. With a foreign referer the status code is 403, so the experiment succeeds: the configuration is meant to produce exactly this 403.

[root@AliKvn test.com]# curl -e "http://www.baidu.com" -x127.0.0.1:80 test.com/1.gif -I
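To make the whitelist rules concrete, here is an added example (not code from the original post) that models how valid_referers decides $invalid_referer for the anti-leech location above, and replays the two curl tests plus the none, blocked and server_names cases. It assumes the virtual host's server_name is test.com, that *.test.com matches sub-domains only, and it compares hosts only (nginx can also compare a URI prefix).

```python
import re
from urllib.parse import urlsplit

# Assumption: the vhost is named test.com (the curl tests use that host).
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]
SERVER_NAMES = ["test.com"]

def referer_host(referer):
    """Host part of a Referer URL, port dropped (nginx ignores the port)."""
    host = urlsplit(referer).hostname
    return host.lower() if host else ""

def host_matches(pattern, host):
    """nginx-style host patterns: exact name, '*.suffix' or 'prefix.*'."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # "*.test.com" -> ends with ".test.com"
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def is_invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would set $invalid_referer (and the location returns 403)."""
    if referer is None:                        # header absent: covered by "none"
        return "none" not in valid
    if not re.match(r"https?://", referer, re.IGNORECASE):
        return "blocked" not in valid          # scheme stripped by a proxy/firewall
    host = referer_host(referer)
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if any(host_matches(name, host) for name in server_names):
                return False
        elif host_matches(entry, host):
            return False
    return True                                # no whitelist entry matched

def respond(referer):
    """Status the anti-leech location returns for a request to test.com/1.gif."""
    return 403 if is_invalid_referer(referer) else 200
```

Note that a Referer such as http://evil.com/test.com is still rejected, because only the host part is compared against the whitelist.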


12.14 Nginx Access Control

Access control matters because it is directly security-related.

The principle is the same as in httpd: Nginx can deny certain IPs, or allow only certain IPs.

The configuration is very similar to httpd's, but it is more concise, and nginx does not work through every rule the way httpd does.

For example, suppose the requirement is: "requests to the admin directory are allowed only from 127.0.0.1".


1 The access control configuration is as follows:

location /admin/
{
    allow 127.0.0.1;
    deny all;
}

Parameter explanation

In httpd, the order directive decides whether allow or deny rules are evaluated first.

In nginx, rules are checked in the order written, and evaluation stops at the first rule that matches the client IP (127.0.0.1 here).

No order directive is needed. If 127.0.0.2 connects, allow 127.0.0.1 does not match but deny all does, so the access is denied directly and evaluation ends there.


2 Check syntax and reload

[root@AliKvn test.com]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn test.com]# /usr/local/nginx/sbin/nginx -s reload

Preparation before the access test:

[root@AliKvn test.com]# mkdir -p /data/wwwroot/test.com/admin/

[root@AliKvn test.com]# cd /data/wwwroot/test.com/admin/

[root@AliKvn admin]# echo "admin test" > index.html



3 curl access test

Testing from 127.0.0.1, the status code is 200 and the access is normal.

Testing from 172.18.171.157, the status code is 403 and access is denied,

because 172.18.171.157 is not on the whitelist.
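The first-match behaviour explained above is easy to get wrong when rules are reordered, so here is an added example (not part of the original post) that evaluates an nginx allow/deny list the way the text describes: first matching rule wins, "all" matches everything, and with no matching rule the request is allowed. It also accepts CIDR ranges, which the post's config does not use.

```python
import ipaddress

def parse_rules(config_text):
    """Turn lines like 'allow 127.0.0.1;' / 'deny all;' into (action, net) tuples."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue                          # skip location lines and braces
        action, target = parts
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """'allow' or 'deny' for client_ip; the first matching rule ends evaluation."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return "allow"                            # nothing matched: nginx allows

# The /admin/ location from the post.
ADMIN_LOCATION = """
location /admin/
{
allow 127.0.0.1;
deny all;
}
"""

# Same two rules reversed: "deny all" matches first, so even 127.0.0.1 is refused.
REVERSED = """
deny all;
allow 127.0.0.1;
"""

def status_for(config_text, client_ip):
    """HTTP status the location produces: 200 when allowed, 403 when denied."""
    return 200 if decide(parse_rules(config_text), client_ip) == "allow" else 403
```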


Access control can also match with regular expressions

1 Write the following parameters

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

Parameter explanation:

location ~ .*(upload|image)/.*\.php$

Any URL whose path contains upload/ or image/ and ends with .php is denied.

After writing the parameters, check the syntax and reload.

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload


Demonstration

2 Preparation

Create the upload directory, create a 1.php file in it, and echo any content into 1.php.

[root@AliKvn vhost]# mkdir /data/wwwroot/test.com/upload/

[root@AliKvn vhost]# cd !$

cd /data/wwwroot/test.com/upload/

[root@AliKvn upload]# echo "1111" > 1.php


3 curl test

[root@AliKvn upload]# curl -x127.0.0.1:80 test.com/upload/1.php -I

As expected, 1.php cannot be accessed, so the rule has taken effect.

Now try a .txt file, which the rule does not cover.

[root@AliKvn upload]# curl -x127.0.0.1:80 test.com/upload/1.txt -I

The access passes because .txt is not matched by the rule, so it is not restricted.

The access log has the detailed records.


Limit based on user_agent

1 Write the following parameters

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}

Parameter explanation

$http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato'
return 403;

~ is the regular-expression match operator: whenever the User-Agent contains the string Spider/3.0, YoudaoBot or Tomato,

access is denied and a 403 status code is returned.

return 403 here has the same effect as deny all.

2 Check syntax and reload

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload

3 curl test

curl -A sets the User-Agent:

[root@AliKvn vhost]# curl -A "Tomato1111" -x127.0.0.1:80  test.com/upload/1.txt -I

Once the string matches, whatever follows it (here 1111) makes no difference; the rule still takes effect.

To match case-insensitively, add * after ~ (~*) in the parameter:

$http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato'

Test again with curl -A.


12.15 Nginx parses php-related configuration

outline


In LAMP, PHP appears as a module of httpd. As long as the PHP module is loaded, PHP scripts can be parsed.

In LNMP, PHP exists in the form of a service (php-fpm). First, start the php-fpm service, and then Nginx communicates with php-fpm.

In other words, php-fpm does the actual PHP parsing; Nginx is only a "porter" that passes the user's request to php-fpm,

and after php-fpm has processed it, the result goes back to Nginx, which passes it on to the user.

Before PHP parsing is configured in Nginx, requesting a PHP script returns its source code.

The following is the test description,

1 First create a PHP script under test.com/ whose content is PHP's own information page.

[root@AliKvn test.com]# vim /data/wwwroot/test.com/jxphp.php

<?php
phpinfo();

2 curl test

[root@AliKvn test.com]# curl -x127.0.0.1:80 test.com/jxphp.php
<?php
phpinfo();

This script outputs PHP's own information page; if parsing were working, the phpinfo output would appear here.

Instead the source code is displayed, which proves that PHP parsing is failing.


The configuration is as follows:

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

Parameter explanation:

fastcgi_pass specifies the socket or address:port on which php-fpm listens. If it does not match php-fpm's listen setting, a 502 error occurs.

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

The path after fastcgi_param SCRIPT_FILENAME must be the site's root directory (the document root) followed by $fastcgi_script_name. If this does not match, a 440 error appears.


After the configuration is complete

3 Check the configuration and reload: nginx -t && nginx -s reload

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn test.com]# /usr/local/nginx/sbin/nginx -s reload

4 curl test

This is the result of correct parsing: the output is the rendered page (HTML), not the PHP source code.

[root@AliKvn test.com]# curl -x127.0.0.1:80 test.com/jxphp.php

5 curl -I returns status code 200: the access is normal and PHP parsing works.

[root@AliKvn test.com]# curl -x127.0.0.1:80 test.com/jxphp.php -I

HTTP/1.1 200 OK


fastcgi_pass specifies the socket or address that php-fpm listens on.

If curl returns a 502 error, in most cases the fastcgi_pass address does not match and the socket cannot be found.

When a 502 error occurs, check the error log first.

Below, the fastcgi_pass address is changed on purpose to demonstrate the failure.

1 Remove the characters fc from the socket path, so that it reads

fastcgi_pass unix:/tmp/php-gi.sock;

2 Check syntax and reload,

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload

3 curl test, 502 status code appears because the socket could not be found

curl -x127.0.0.1:80 test.com/jxphp.php -I

HTTP/1.1 502 Bad Gateway

4 Now look at the error log, nginx_error.log

[root@AliKvn vhost]# tail -1 /usr/local/nginx/logs/nginx_error.log

2018/04/28 20:38:49 [crit] 24338#0: *310 connect() to unix:/tmp/php-gi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/jxphp.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-gi.sock:", host: "test.com"

The key part is: connect() to unix:/tmp/php-gi.sock failed.

It means the connection to php-fpm's socket failed because the socket path is wrong (an ls of that path would show the file does not exist; even if a file did exist there, it might still be the wrong socket).

5 The fastcgi_pass address must match the listen setting in /usr/local/php-fpm/etc/php-fpm.conf, otherwise the above situation occurs.

So change fastcgi_pass in the virtual host configuration file test.com.conf back.
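As an added example (not from the original post), the following parser pulls the upstream target and the errno out of error-log lines like the one above and maps them to the configuration item to check first. The sample line is constructed from the post's log output; errno-to-cause mapping follows standard Linux errno values.

```python
import re

# Generic nginx upstream-error line, followed by the connect() detail inside it.
LOG_RE = re.compile(
    r"^(?P<time>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ "
    r"(?P<msg>.*?) while connecting to upstream, "
    r"client: (?P<client>[^,]+), server: (?P<server>[^,]+), "
    r'request: "(?P<request>[^"]*)", upstream: "(?P<upstream>[^"]*)"'
)
FAIL_RE = re.compile(
    r"connect\(\) to (?P<target>\S+) failed \((?P<errno>\d+): (?P<reason>[^)]+)\)"
)

def parse_upstream_error(line):
    """Describe a failed upstream connect, or return None for any other log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    return {
        "level": m.group("level"),
        "target": f.group("target"),          # e.g. unix:/tmp/php-gi.sock
        "errno": int(f.group("errno")),
        "reason": f.group("reason"),
        "server": m.group("server"),
        "request": m.group("request"),
    }

def diagnose(entry):
    """Map the connect() failure onto the configuration mistake to check first."""
    if entry is None:
        return "not an upstream connect failure"
    if entry["errno"] == 2:      # ENOENT: the socket file does not exist
        return f"fastcgi_pass {entry['target']} does not match php-fpm's listen path"
    if entry["errno"] == 111:    # ECONNREFUSED: nothing listening on that TCP port
        return f"nothing is listening at {entry['target']}; check php-fpm's listen port"
    if entry["errno"] == 13:     # EACCES: socket exists but nginx's user may not open it
        return f"nginx cannot open {entry['target']}; check listen.mode and owner in php-fpm.conf"
    return f"connect() to {entry['target']} failed: {entry['reason']}"

# Constructed sample, copied from the log line shown in the post.
SAMPLE = ('2018/04/28 20:38:49 [crit] 24338#0: *310 connect() to unix:/tmp/php-gi.sock failed '
          '(2: No such file or directory) while connecting to upstream, client: 127.0.0.1, '
          'server: test.com, request: "GET HTTP://test.com/jxphp.php HTTP/1.1", '
          'upstream: "fastcgi://unix:/tmp/php-gi.sock:", host: "test.com"')
```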

[root@AliKvn vhost]# cat /usr/local/php-fpm/etc/php-fpm.conf



As shown above, if php-fpm listens on an IP and port instead of a socket, fastcgi_pass must also be set to that address and port, as follows:

1 Set listen in php-fpm.conf to 127.0.0.1:9000


2 Check the syntax of php-fpm and reload php-fpm (note that the check and reload here are for php-fpm, so the commands differ from nginx -t and -s reload; after modifying php-fpm.conf, php-fpm must be reloaded or restarted)

[root@AliKvn ~]# /usr/local/php-fpm/sbin/php-fpm -t

[28-Apr-2018 21:04:01] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf

[root@AliKvn ~]# /etc/init.d/php-fpm reload

Reload service php-fpm  done


3 Check the listening port

[root@AliKvn ~]# netstat -lntp |grep 9000

tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      24697/php-fpm: mast 

4 Now that php-fpm listens on an IP and port, modify the virtual host configuration file test.com.conf accordingly

[root@AliKvn vhost]# vim test.com.conf

fastcgi_pass 127.0.0.1:9000;

Check syntax and reload

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload

5 curl test: parsing succeeds


Summary of the status codes above

502 error:

The fastcgi_pass path is wrong, so the socket is not found.

If php-fpm's listen setting differs from fastcgi_pass, the connection to php-fpm fails, resulting in a 502 error.


440 error:

If php-fpm listens on a socket but listen mode=666 is not defined, the result is 440.


404 error:

If the fastcgi_param SCRIPT_FILENAME path does not match the site directory, a 404 error occurs.


12.16 Nginx proxy

outline


A company has many servers, and to save costs it cannot assign a public IP to every one of them. If a server without a public IP needs to provide a web service, this can be achieved through a proxy.

Proxy principle:

Users want to reach the web server but have no direct connection to it. To connect the two, a proxy server is needed. The proxy server can reach both the user and the web server: it acts as an intermediary between them and relays information in both directions.

For example:

Suppose mainland China wants to access a US website, but access from the mainland is very slow while access from Hong Kong to the US is very fast. To access the US site from the mainland as fast as Hong Kong does, the mainland can use Hong Kong as a proxy and reach the US website through it, which greatly improves the speed.

The relationship between the three corresponds to the user, the proxy server and the web server.

The configuration operation is as follows:

1 cd /usr/local/nginx/conf/vhost

2 vim proxy.conf 

The parameter configuration is as follows

server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass      http://47.91.145.78/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Parameter explanation:

No root is needed, because the proxy server does not serve any files from its local disk.

proxy_pass http://47.91.145.78/;

Specifies the IP of the server hosting the domain to be proxied. This IP can be obtained by pinging ask.apelearn.com.

proxy_set_header Host   $host;

Tells the backend web server which domain name was requested; it is the same as the server_name in this configuration file, i.e. $host = server_name.
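To show what the three proxy_set_header lines actually send to the backend, here is an added example (not from the original post) that builds the upstream headers for the proxy.conf above from a client's request headers and its peer address ($remote_addr). It assumes canonical header names in the input and models $host as the client's Host header, lowercased with any port removed.

```python
# proxy_pass target from the post's proxy.conf.
UPSTREAM = "http://47.91.145.78/"

def nginx_host(client_headers, server_name="ask.apelearn.com"):
    """$host: the request's Host header without port, else the matched server_name."""
    host = client_headers.get("Host", server_name)
    return host.split(":")[0].lower()

def upstream_headers(client_headers, remote_addr):
    """Headers nginx forwards to 47.91.145.78 for the 'location /' block."""
    headers = dict(client_headers)
    # proxy_set_header Host $host: the domain the client asked for (ask.apelearn.com)
    headers["Host"] = nginx_host(client_headers)
    # proxy_set_header X-Real-IP $remote_addr: always the peer nginx really talked to,
    # never a value the client supplied
    headers["X-Real-IP"] = remote_addr
    # $proxy_add_x_forwarded_for: append $remote_addr to any X-Forwarded-For the
    # client sent, so earlier entries are client-controlled and only the last is ours
    prior = client_headers.get("X-Forwarded-For")
    headers["X-Forwarded-For"] = f"{prior}, {remote_addr}" if prior else remote_addr
    return headers

def client_ip_seen_by_backend(headers):
    """The address the backend should treat as the client: the last XFF hop."""
    return headers["X-Forwarded-For"].split(",")[-1].strip()
```

The backend behind 47.91.145.78 should take the client address from X-Real-IP or the last X-Forwarded-For entry, since any earlier entries arrived from the client unchanged.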


3 After the configuration is complete, check the syntax and reload

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload

4 curl test: request ask.apelearn.com locally, so that Host $host is forwarded

Summary:

The purpose of the test is to reach ask.apelearn.com through 47.91.145.78.

The proxy server is this machine,

the web server is ask.apelearn.com.

