Nginx reverse proxy configuration (1)

  Earlier we discussed Nginx as a web server: the HTTPS configuration, the common log module, and the rewrite module that rewrites the URLs users request; for a review refer to https://www.cnblogs.com/qiuhom-1874/p/12398242.html. Today we talk about how Nginx does reverse proxying and how anti-hotlinking works. At the end of the previous post we mentioned anti-hotlinking; what exactly is it? Most of us have run into this situation: we open a web page and see many broken images, or images that say "this picture may only be used on certain sites" and the like; that is anti-hotlinking. We know that the resources inside a web page do not necessarily all come from one server: images may well come from an image server, while JS and CSS probably come from another static resource server. So someone who knows a little about this can link the images or JS files on someone else's site into their own website; this behaviour is called stealing other people's resources, or hotlinking for short. We will not elaborate further here; let's talk about nginx's referer module.

  I. ngx_http_referer_module: used to block access to the site by requests whose "Referer" request header field contains invalid values;

  An HTTP transaction is normally the client sending a request to the server and the server responding to the client. When the client requests the server it adds some information to the request header: the method used to request the resource from the server side, the path of the resource, the HTTP protocol version in use, the requested host, and so on. If the client reaches the web server by entering the domain name directly in the browser, its header carries no referer. So what is the referer? The referer records where the client came from to visit us: if the client reached our server by clicking a link on some website, the request it sends carries that website's domain name in the header. Anti-hotlinking uses the referer header information to do access control;

  1. valid_referers none | blocked | server_names | string ...; defines which referer values are legal. Explained here: none means the request has no referer header field; a missing referer field usually means the client entered the domain in the browser (web client) directly. blocked means the request has a referer header field but it has no value; since we cannot tell where such a client is coming from, we usually allow such requests. server_names means the request has a referer header field whose value is one of our own host names. When defining legal referers we can also use strings with wildcards, or regular expressions, to match the host name;

  Example:

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;

  Note: the configuration above defines the following as legal referers: request messages with no referer field, request messages with a referer field but no value, referers whose host name is one of our server names, any host name ending with .example.com or beginning with example., the referer www.example.org/galleries/, and any referer containing google. In other words, if the referer information in the client's request message matches our definition of legal referers, we say the user's request is legitimate and should of course be allowed. Conversely, if the referer in the client's request message does not match the legal referers we defined, we say the client's referer is illegal and not allowed, and it should of course be handled in some other way. This is nginx's internal mechanism: a referer that is not matched by the legal referer definition is an illegal referer, and nginx records these illegal referers in $invalid_referer. Put another way, request messages whose referer is not matched as legal are matched by $invalid_referer. With this mechanism we can clearly define which requests are legal and which are not, and handle the illegal ones; as follows

   Note: the configuration above means that if the referer in the client's request message does not end with .ilinux.com, does not begin with www.ilinux, is not www.ilinux.io, and does not contain .baidu or .google, we respond to the client's request with response code 403;
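   The anti-hotlinking policy the note above describes, written out as an added example (not the post's own configuration): www.ilinux.io is the host name used in this post, while the root path, the image extensions, and the choice to also allow none and blocked are this example's assumptions.

```nginx
# Added example, not the post's own configuration: refuse image requests
# whose Referer does not match the sites the note above lists.
server {
    listen 80;
    server_name www.ilinux.io;
    root /usr/share/nginx/html;            # assumed document root

    location ~* \.(jpg|jpeg|png|gif)$ {
        # Legal referers: none (no Referer header, e.g. URL typed into the
        # browser), blocked (header present but its value was removed),
        # our own server names, the host patterns and the two regexes.
        valid_referers none blocked server_names
                       *.ilinux.com www.ilinux.* www.ilinux.io
                       ~\.baidu\. ~\.google\.;

        # $invalid_referer is "1" when the Referer matched none of the
        # entries above and empty otherwise; refuse those requests.
        if ($invalid_referer) {
            return 403;
        }
    }
}
```

The Referer header is set by the client, so this deters casual hotlinking rather than authenticating anyone; because none and blocked are allowed, a request that simply omits the header still gets the image.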

  II. ngx_http_proxy_module: this module allows passing requests to another server.

  1. proxy_pass URL; the main role of this directive is to set the address of the proxied server, which can be given as a host name or as an IP address plus port. The URL gives the address of the proxied server, including the protocol, the host name or IP plus port, the URI and so on. The transport protocol is usually "http" or "https"; if the proxied target is a local unix-domain socket, the form http:// or https:// plus the unix socket path is also supported; if the target is a group of servers, we can use the upstream directive to merge that group of servers under one server group name, which is something we discuss later when configuring nginx for load balancing. What needs particular attention here is whether the URL includes a URI. A URL without a URI means the proxied URL contains only the protocol plus an IP address, domain name or host name; a URL with a URI means that, besides the protocol and the host name, domain name or IP address, there is also a URI. Nginx's processing logic for the two cases is not the same: if the URL does not contain a URI, the nginx server does not change the URI of the original request; if the URL contains a URI, the nginx server replaces the original URI with the new URI;

  Example:

   Note: the configuration above is the case where the URL does not contain a URI. A user request for www.test.com/en/docs/ matches the location, and the visit to www.test.com/en/docs/ is proxied to http://nginx.org/en/docs/. We can understand this as: when the proxied URL does not contain a URI, the Nginx server takes the URI requested by the user as the URI on the proxied server; so the configuration above means a user visiting www.test.com/en/docs/ is proxied to http://nginx.org/en/docs/

  Tip: for the experiment above, www.test.com needs to resolve on Windows; add a record to the file C:\Windows\System32\drivers\etc\hosts on Windows, with the same syntax as the Linux hosts file: 192.168.0.30 www.ilinux.io www.test.com;

   Tip: the configuration above is the case where the URL contains a URI; in this case the Nginx server replaces the URI the user requested with the proxied URI. With the configuration example above, if a user requests www.test.com/test/, when the request reaches the nginx server, nginx replaces the user's original URI /test/ with /en/docs/, so a request for www.test.com/test/ is proxied to http://nginx.org/en/docs/;

  Tip: from the demonstration above we can summarize: if we do not want to change the URI of the original request, we proxy to the backend without a URI; if we want to change the URI of the original request, we include the URI when proxying to the backend

  Once we understand whether the URL includes a URI or not, as discussed above, the following example is easy to understand

  Example: whether the proxy_pass URL ends with "/"

   Tip: the configuration above differs from our first example by only one "/". To us an extra "/" seems unimportant, but to nginx the meaning changes: as said above, this is the case where the URL contains a URI; nginx treats the trailing "/" as the URI, and in fact it is a URI. When a client requests www.test.com/en/docs/, nginx proxies the request to http://nginx.org/. The result of this is of course completely different from our earlier result; http://nginx.org/ means requesting the home page of nginx.org;

  Tip: for the same URL as in the first example, the proxied response differs depending on whether the proxy_pass URL has a trailing "/" or not;

  Besides the question of whether the URL contains a URI, which needs our special attention, we must also note: if the location URI is defined with a regular expression, or the proxy_pass directive is used inside an if statement or a limit_except block, then no URI may follow proxy_pass; the URI passed in the user's request is appended directly after the proxied server address. In other words, a URL containing a URI cannot be used in a location that matches the URL with a regex, nor inside an if statement or a limit_except block

  Example:

   Tip: this configuration does not even pass the syntax check; to make it pass we simply remove the URI after the proxy_pass directive

   Tip: in summary, when the location matches the URL with a regex, the proxy_pass behind it cannot have a URI, otherwise it is a syntax error;

   2. proxy_set_header field value; sets the value of a request header in the request message sent to the backend host; usable in the http, server and location configuration sections

proxy_set_header X-Real-IP  $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  Tip: the configuration above means that when a user request is sent through the proxy to the backend host, the X-Real-IP field is added to its request header with the value $remote_addr (the client IP address), together with the X-Forwarded-For field with the value $proxy_add_x_forwarded_for. The $proxy_add_x_forwarded_for variable also records IP addresses; the difference is that it records both the client IP and the proxy server IP, separated by a comma. In a scenario with no proxy server, this variable means the same as $remote_addr: both record the client IP
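  The proxy_pass cases explained above and the two proxy_set_header lines, collected into one server as an added example (not the post's own configuration). www.test.com, nginx.org and 192.168.0.30 are values from this post; the /old/, /app/ and image locations are this example's own, since one location prefix cannot be defined twice.

```nginx
# Added example, not the post's own configuration: how nginx builds the
# upstream URI for each proxy_pass form, and which forwarded-address
# header values a backend may trust.
server {
    listen 80;
    server_name www.test.com;

    # Case 1: no URI after the host; the client's URI is passed unchanged:
    #   GET /en/docs/       ->  http://nginx.org/en/docs/
    location /en/docs/ {
        proxy_pass http://nginx.org;
    }

    # Case 2: the URL carries a URI, so the part matched by the location
    # is replaced by it:
    #   GET /test/          ->  http://nginx.org/en/docs/
    #   GET /test/faq.html  ->  http://nginx.org/en/docs/faq.html
    location /test/ {
        proxy_pass http://nginx.org/en/docs/;
    }

    # Case 3: a lone trailing "/" is itself a URI, so the matched /old/
    # is replaced by "/" (the post shows this with /en/docs/):
    #   GET /old/           ->  http://nginx.org/
    location /old/ {
        proxy_pass http://nginx.org/;
    }

    # Case 4: regex location, so proxy_pass may not carry a URI (nginx -t
    # rejects "http://192.168.0.30/"); the client's URI is appended as-is:
    #   GET /img/a.png      ->  http://192.168.0.30/img/a.png
    location ~* \.(png|jpg)$ {
        proxy_pass http://192.168.0.30;
    }

    # Forwarding the client address to the backend (the post's directives).
    location /app/ {
        proxy_pass http://192.168.0.30;
        proxy_set_header X-Real-IP       $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client sent;
        # only the last element was set by this proxy, the earlier ones
        # are client-supplied and must not be trusted by the backend.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```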

  3. proxy_cache_path: defines a cache that the proxy feature can use; this directive may only be configured in the http section;

  Syntax:

    proxy_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time];

    path: sets the directory where cache data is stored; the path must exist beforehand;

    levels: sets the directory levels under which cache data is stored, the same as the nginx cache directory discussed earlier. levels=1:2 means two levels of directories: the first level is a one-character hash directory and the second a two-character hash directory; the directory names are obtained from the hash of the URL;

    keys_zone=name:size: sets the name and size of the memory zone holding the cache index;

    inactive=time: sets the inactive time; if a cache item is not hit within the given time, nginx forcibly removes it from disk, and it is cached again the next time someone accesses it, and so on; the default is 10 minutes;

    max_size=size: sets the size limit for cache data on disk; when the cache data exceeds the size we set, the LRU algorithm is used to remove cache entries;

    loader_files=number: sets the upper limit on the number of items the cache index rebuild process loads per iteration;

    loader_sleep=time: sets the pause between the end of one iteration and the start of the next for the cache index rebuild process; the default is 50ms

    loader_threshold=time: sets the upper limit on the time of one iteration over the on-disk cache metadata; the default is 200ms

  Usually we do not need to set so many options; setting the first three is enough, and without special requirements we can use the defaults for the remaining options

  Example:

   Tip: the configuration above defines the proxy cache path /cache/proxy/nginx, directory levels 1:2:1, a memory zone for the cache index rebuild process named proxy_cache of size 10M, and a maximum cache space of 2g for the /cache/proxy/nginx/ directory on disk; after setting this up, we can reference this cache definition in each server or location

  4. proxy_cache zone | off; specifies the cache to use, or turns the caching mechanism off; this directive may be used in the http, server and location configuration sections;

  Example

   Tip: referencing the cache zone this way alone cannot cache anything, because using a cache zone has conditions: for which request methods should requests be cached? How long should resources with different response codes be cached? When the backend server errors, should we keep responding from the cache? So although we have configured a reference to the cache zone, our server still does not know how to cache the content clients access; so it simply does not cache;

  Example: we only referenced the cache zone without any other configuration; will the data users access be cached?

  Tip: as we can see, only configuring a cache zone and then referencing it does not work; we also need to specify what the cache key is, which client methods are cached, and how long resources with different response codes are cached; these are the necessary settings when using a cache zone, and we must add them;

  5. proxy_cache_key: defines the cache key; the default is $scheme$proxy_host$request_uri, i.e. by default the cache key is the protocol plus the proxied host address (host name or FQDN) plus the URI the user requested; in other words, the key definition determines how the server looks up a cache entry;

  6. proxy_cache_methods METHODS: defines which user request methods are cached, i.e. resources requested with which methods we cache; the default is GET HEAD;

  7. proxy_cache_valid code: defines the cache duration for resources with different response codes;

  8. proxy_cache_use_stale error | timeout | ...: defines under which backend server states the cache is used; by default the cache is not used based on backend state. For example, when the backend server errors, should we respond to the client with cached content? If we define proxy_cache_use_stale http_403, then when the backend server responds 403 to the proxy server, the proxy server responds to the client with the previously cached content;

  Example:

   Tip: the configuration above uses the proxy_cache cache zone with the user's requested URI as the cache key; resources requested with the GET and HEAD methods are cached; resources with response code 200 or 302 are cached for 15 minutes and resources with response code 404 for 1 minute; when the backend server returns a 500 or 502 error, the proxy server responds to the client from the previous cache;

   Tip: the browser requested two URIs, and two cache items exist in the corresponding cache directory; each cache item corresponds to one URI a user requested. Normally, with Nginx proxy caching enabled, the first access is slow, but once the data is cached, later users accessing the same URI see a noticeable speedup;

   Summary: for nginx caching, we first define a cache zone in the http section, then reference the cache zone we defined in each server or location and state explicitly how long resources with each response code are cached; proxy_cache_key and proxy_cache_methods may be left unspecified, which means the defaults are used. In the configuration above we actually only defined how long resources with certain response codes are cached and left the rest at the defaults, and it can still cache;
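   The cache definition and cache use described in the notes above, written out as an added example (not the post's own configuration). The path, levels, zone name and size, validity times and stale states are the post's values; the backend address 192.168.0.30, the events block and the X-Cache-Status header are this example's additions.

```nginx
# Added example, not the post's own configuration: a complete nginx.conf
# that defines one proxy cache and uses it in a location.
events {}                                  # required in a full nginx.conf

http {
    # Only allowed in the http context; /cache/proxy/nginx must already
    # exist. inactive=10m is the default, stated explicitly.
    proxy_cache_path /cache/proxy/nginx levels=1:2:1
                     keys_zone=proxy_cache:10m inactive=10m max_size=2g;

    server {
        listen 80;
        server_name www.test.com;

        location / {
            proxy_pass http://192.168.0.30;

            proxy_cache proxy_cache;           # the zone defined above
            # Key on the requested URI only (the default would also
            # include $scheme and $proxy_host).
            proxy_cache_key $request_uri;
            proxy_cache_methods GET HEAD;      # the default, stated explicitly
            proxy_cache_valid 200 302 15m;
            proxy_cache_valid 404 1m;
            # Serve the stale copy when the backend errors, times out,
            # or answers 500 or 502.
            proxy_cache_use_stale error timeout http_500 http_502;

            # Reports MISS, HIT, STALE or EXPIRED per response (visible
            # with curl -I), so caching can be checked without reading
            # the cache directory.
            add_header X-Cache-Status $upstream_cache_status;
        }
    }
}
```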


Origin www.cnblogs.com/qiuhom-1874/p/12417130.html