状态码:

200:表示正常

301:表示域名跳转

401:表示需要输入用户名和密码

403:表示可能被禁止访问

302、404:表示输入的路径可能有错

500:表示php脚本有问题

502:配置错误(nginx 使用 sock 或 IP+port 的方式与后端不一致)、资源耗尽,或者 sock 文件的属主与 nginx 运行用户不符

 

写个nginx启动脚本

vim /etc/init.d/nginx
 
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# NOTE: the two header lines above are read by chkconfig when the service is
# registered ("chkconfig --add nginx"), so their wording is left untouched.
# Source Function Library
# The daemon and killproc helpers called below are expected to come from
# this file.
. /etc/init.d/functions
# Nginx Settings

# Path of the nginx binary that is started and signalled.
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
# Main configuration file passed to nginx with -c.
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
# Pid file handed to killproc -p; it matches the "pid" directive in nginx.conf.
NGINX_PID="/usr/local/nginx/logs/nginx.pid"
# Status of the last action; the script finishes with "exit $RETVAL".
RETVAL=0
# Display name used in the status messages.
prog="Nginx"

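# Start nginx with the configured binary and configuration file.
# Globals:  prog, NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
# Outputs:  progress message on stdout
# Returns:  exit status of the daemon helper
start() {
        echo -n $"Starting $prog: "
        # NOTE(review): /dev/shm is world-writable, so any local user can
        # create this fixed path before the service first starts. A root-owned
        # directory outside /dev/shm and /tmp is the safer place for temp data.
        mkdir -p /dev/shm/nginx_temp
        daemon "$NGINX_SBIN" -c "$NGINX_CONF"
        RETVAL=$?
        echo
        return "$RETVAL"
}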

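# Stop nginx by sending TERM to the process named in the pid file.
# Globals:  prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
# Outputs:  progress message on stdout
# Returns:  exit status of killproc
stop() {
        echo -n $"Stopping $prog: "
        killproc -p "$NGINX_PID" "$NGINX_SBIN" -TERM
        # Record killproc's status before the cleanup below overwrites $?;
        # otherwise a failed stop is reported as success whenever rm succeeds.
        RETVAL=$?
        rm -rf /dev/shm/nginx_temp
        echo
        return "$RETVAL"
}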

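# Ask the running nginx to reload by sending HUP to the process named in the
# pid file.
# Globals:  prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
# Outputs:  progress message on stdout
# Returns:  exit status of killproc
reload(){
        echo -n $"Reloading $prog: "
        killproc -p "$NGINX_PID" "$NGINX_SBIN" -HUP
        RETVAL=$?
        echo
        return "$RETVAL"
}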

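# Restart nginx: stop the running instance, then start a new one.
# Globals:  NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
# Returns:  non-zero without stopping anything when the configuration does not
#           pass "nginx -t"; otherwise the status of start
restart(){
        # Validate first: stopping and then failing to start on a broken
        # configuration would leave the service down.
        if ! "$NGINX_SBIN" -c "$NGINX_CONF" -t; then
                RETVAL=1
                return "$RETVAL"
        fi
        stop
        start
}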

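# Check the configuration file with "nginx -t".
# Globals:  NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
# Returns:  exit status of nginx -t, so a broken configuration is reported
#           to the caller instead of being masked by a fixed "return 0"
configtest(){
    "$NGINX_SBIN" -c "$NGINX_CONF" -t
    RETVAL=$?
    return "$RETVAL"
}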

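# Dispatch on the action given as the first argument. Any other value prints
# the usage line and makes the script exit with status 1.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  reload)
        reload
        ;;
  restart)
        restart
        ;;
  configtest)
        configtest
        ;;
  *)
        echo $"Usage: $0 {start|stop|reload|restart|configtest}"
        RETVAL=1
        ;;
esac
# RETVAL is the global that the action functions set.
exit "$RETVAL"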
 
 
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on

整理nginx配置文件

#清空原来的配置
vim /usr/local/nginx/conf/nginx.conf
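# Worker processes run as the unprivileged user and group "nobody".
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
# Same pid file the init script passes to killproc -p.
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
   use epoll;
   worker_connections 6000;
}
http
{
   include mime.types;
   default_type application/octet-stream;
   server_names_hash_bucket_size 3526;
   server_names_hash_max_size 4096;
   # $http_x_forwarded_for is the X-Forwarded-For header exactly as the client
   # sent it. It is logged for reference only; $remote_addr is the address
   # nginx actually saw.
   # NOTE(review): access_log lines later on this page reference a format
   # named "aming"; the name used there must match a log_format defined here.
   log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    '$host "$request_uri" $status'
   '"$http_referer" "$http_user_agent"';
   sendfile on;
   tcp_nopush on;
   keepalive_timeout 30;
   # Three-minute header/body/send timeouts let a slow client hold a
   # connection open for a long time; shorten them if slow-request resource
   # exhaustion is a concern.
   client_header_timeout 3m;
   client_body_timeout 3m;
   send_timeout 3m;
   connection_pool_size 256;
   client_header_buffer_size 1k;
   large_client_header_buffers 8 4k;
   request_pool_size 4k;
   output_buffers 4 32k;
   postpone_output 1460;
   # Upper bound on an accepted request body.
   client_max_body_size 10m;
   client_body_buffer_size 256k;
   client_body_temp_path /usr/local/nginx/client_body_temp;
   proxy_temp_path /usr/local/nginx/proxy_temp;
   fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
   fastcgi_intercept_errors on;
   tcp_nodelay on;
   gzip on;
   gzip_min_length 1k;
   gzip_buffers 4 8k;
   gzip_comp_level 5;
   gzip_http_version 1.1;
   gzip_types text/plain application/x-javascript text/css text/htm application/xml;
   # Virtual hosts go here. The vhost files created under conf/vhosts/ later
   # on this page are only loaded if they are included, for example:
   #   include vhosts/*.conf;
}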

 

 

 

添加虚拟主机

#默认虚拟主机独立一个文件
mkdir /usr/local/nginx/conf/vhosts
vim /usr/local/nginx/conf/vhosts/default.conf                                    #默认虚拟主机多了个default
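# Default (catch-all) virtual host: requests whose Host header matches no
# other server_name are answered here.
server
{
   # NOTE(review): the page shows only "default;" on this line; "listen 80
   # default;" is the presumed original, matching the other vhosts' "listen 80;".
   listen 80 default;
   server_name localhost;
   index index.html index.htm index.php;
   # Kept as an empty directory so that unknown hosts get a 403.
   root /data/abc;

   location ~ \.php$ {
       # Refuse requests whose URI does not map to an existing file, so a path
       # that merely ends in .php is never passed to the PHP interpreter.
       try_files $uri =404;
       include fastcgi_params;
       fastcgi_pass unix:/tmp/php-fcgi.sock;
       fastcgi_index index.php;
       fastcgi_param SCRIPT_FILENAME /data/abc$fastcgi_script_name;
    }
}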
#设置个空目录,让它403

#第二虚拟主机独立一个文件

vim /usr/local/nginx/conf/vhosts/123.conf              #第二个虚拟主机
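# Virtual host for www.123.com, served from /data/www.
server
{
   listen 80;
   server_name www.123.com;
   index index.html index.htm index.php;
   root /data/www;

   location ~ \.php$ {
       # Refuse requests whose URI does not map to an existing file, so a path
       # that merely ends in .php is never passed to the PHP interpreter.
       try_files $uri =404;
       include fastcgi_params;
       #fastcgi_pass unix:/tmp/php-fcgi.sock;
       # php-fpm listens on loopback only; keep it bound to 127.0.0.1 so the
       # FastCGI port is not reachable from other hosts.
       fastcgi_pass 127.0.0.1:9000;
       fastcgi_index index.php;
       fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}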
#只能用域名访问,nginx通过fastcgi的端口加IP的形式把php交给php-fpm处理,最后返回给nginx代理
#虚拟主机的根目录为/data/www

 

Nginx用户认证

#独立一段添加
#工具apache的htpasswd,限制后台admin.php
vim /usr/local/nginx/conf/vhosts/123.conf
 
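# Password-protect admin.php with HTTP basic authentication.
# This block must come BEFORE the generic "location ~ \.php$" block in the
# same server: nginx uses the first regex location that matches, so if the
# generic block is listed first, admin.php is served without any login.
location ~ .*admin\.php$ {
        # Basic auth only base64-encodes the password. On plain port 80 it can
        # be read on the wire, so serve this location over TLS in real use.
        auth_basic "tingshi";
        # Keep this file readable by the nginx worker user only, and outside
        # the web root.
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        # Refuse requests whose URI does not map to an existing file.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}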
 
touch /usr/local/nginx/conf/.htpasswd
htpasswd -c /usr/local/nginx/conf/.htpasswd aming                        #通过htpasswd工具创建用户
#每个动态网页都需要php解析

 

域名重定向

#外部添加
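   listen 80;
   # Both names are served by this vhost; www.123.com is the canonical one.
   server_name www.123.com www.abc.com;
   # Any other Host value is sent to the canonical name with a permanent (301)
   # redirect that keeps the requested path.
   if ($host != 'www.123.com')
    {
        rewrite ^/(.*)$ http://www.123.com/$1 permanent;
    }
   index index.html index.htm index.php;
   root /data/www;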
#支持多个域名重定向,在外层设置重定向
/usr/local/nginx/sbin/nginx -s reload

 

 

 

 

不记录指定文件类型日志/配置静态文件过期时间

#独立一段添加

# NOTE(review): /tmp is world-writable. An access log kept there can be
# pre-created or replaced by any local user; a directory owned by root or the
# nginx user is the safer location.
access_log /tmp/access.log aming;                                    # set at the server (global) level
   # Images and flash files: cached by clients for 30 days, not logged.
   location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
       {
                expires      30d;
                access_log off;
       }
 
   # Scripts and stylesheets: cached for 12 hours, not logged.
   location ~ .*\.(js|css)$
       {
                expires      12h;
                access_log off;
       }
#在设置access_log之前要打开nginx配置文件 vim /usr/local/nginx/conf/nginx.conf
其中定好日志的格式log_format aming,aming就是格式名,被access_log引用;其它两个location在外面定义
expires     30d                                        #配置静态文件的过期时间

日志切割

vim /usr/local/sbin/nginx_logroate.sh
 
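#!/bin/bash
# Rotate the nginx access log: move the current log aside under yesterday's
# date, make nginx open a fresh log file, then compress the rotated copy.
#
# NOTE(review): both the log and the archive directory live in /tmp, which is
# world-writable. If this runs from root's crontab, a local user who creates
# /tmp/nginx_log (or a link with that name) first decides where root writes.
# Moving the log and the archive to a root-owned directory avoids that; the
# access_log path in the nginx configuration has to change with it.
log_dir=/tmp/nginx_log
d=$(date -d "-1 day" +%F)
[ -d "$log_dir" ] || mkdir "$log_dir" || exit 1
# Stop here if there is nothing to rotate, rather than reloading for nothing.
mv /tmp/access.log "$log_dir/$d.log" || exit 1
# nginx keeps writing to the moved file until it is told to reopen its logs.
/etc/init.d/nginx reload > /dev/null
cd "$log_dir" || exit 1
gzip -f "$d.log"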
 
crontab -e                                    #加入到计划任务
0 0 * * * /bin/bash /usr/local/sbin/nginx_logroate.sh
#每天的0点执行

 

静态文件的过期时间

#内部添加
# Image and flash files: tell clients to cache them for 30 days and keep
# these requests out of the access log.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
       {
                expires      30d;
                access_log off;
       }
expires     30d                                        #配置静态文件的过期时间

 

配置防盗链

#防止某张图片或者某些东西被另一个网站盗用,内部添加
|rar|zip|bz2)$
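       {
                expires      30d;
                access_log off;
                # Anti-hotlinking only, not access control: the Referer header
                # is chosen by the client (the curl -e tests below set it
                # freely), and "none" also admits requests that send no
                # Referer at all.
                valid_referers none blocked *.123.com *.abc.com;
                if ($invalid_referer)
                {
                    return 403;
                }
       }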
#测试
curl -e "http://www.baidu.com/123" -x127.0.0.1:80 'http://www.123.com/static/p_w_picpath/common/titlebg.png' -I             #返回403
curl -e "http://www.123.com/123" -x127.0.0.1:80 'http://www.123.com/static/p_w_picpath/common/titlebg.png' -I                 #返回200
指定referer的时候就应该带上

访问控制

#限制某些IP,外部添加限定整个根目录,内部添加限制某些文件,定义了匹配对象的时候优先匹配
server
 
{
   listen 80;
   server_name www.123.com www.abc.com;
   if ($host != 'www.123.com')
    {
       rewrite ^/(.*)$ http://www.123.com/$1 permanent;
    }
   index index.html index.htm index.php;
   root /data/www;
   access_log /tmp/access.log aming;
deny 127.0.0.1;
 
   # Restrict admin.php by client address. allow/deny rules are checked in
   # order and the first match decides: 127.0.0.1 is let through, every other
   # address gets 403.
   # Because this location declares its own allow/deny rules, the server-level
   # "deny 127.0.0.1;" above is not inherited here.
   # NOTE(review): the check uses the address of the connecting peer. Behind a
   # reverse proxy that would be the proxy's address - confirm the deployment.
   location ~ .*admin\.php$ {
allow 127.0.0.1;
        deny all;
       #auth_basic "tingshi";
       #auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
       include fastcgi_params;
       fastcgi_pass unix:/tmp/php-fcgi.sock;
       fastcgi_index index.php;
       fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
 
curl -x127.0.0.1:80 www.123.com/admin.php -I
curl -x127.0.0.1:80 www.123.com/forum.php -I
curl -x192.168.134.132:80 www.123.com/admin.php -I
当定义了匹配对象的时候优先匹配,也就是越精准越优先;当没有定义匹配对象的时候,是从上到下逐条匹配。

禁止指定user_agent

#禁止某些搜索引擎,在外部配置
# Answer 403 when the User-Agent contains "curl", "baidu" or "youdao"
# (case-insensitive substring match).
# The header is chosen by the client, so this keeps out well-behaved crawlers
# only; it is not a security boundary.
if ($http_user_agent  ~* 'curl|baidu|youdao')
       {
           return 403;
        }
}
 
curl -A "qwewbaiduq" -x127.0.0.1:80 www.123.com/admin.php -I
curl -x 127.0.0.1:80 www.123.com/admin.php -I

 

nginx代理

#代理百度的IP,独立一个文件
# Backend pool used by proxy_pass below. Both entries are the same address,
# so there is effectively a single backend.
upstream bbb
{
           server  14.215.177.38;
           server  14.215.177.38;
}
 
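# Reverse proxy: requests for www.baidu.com are forwarded to the "bbb"
# upstream.
server {
       listen 80;
       server_name www.baidu.com;

       location / {
                proxy_pass      http://bbb/;
                # Pass the original Host so the backend selects the right site.
                proxy_set_header Host   $host;
                # Address of the peer that connected to this nginx.
                proxy_set_header X-Real-IP      $remote_addr;
                # Appends that address to whatever X-Forwarded-For the client
                # sent. The earlier entries are client-supplied, so the backend
                # should trust only the last hop (or X-Real-IP).
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       }
           access_log /home/logs/bb_access.log combined;
}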
curl -x127.0.0.1:80 www.baidu.com -I

 

 

 

 

 



转载于:https://blog.51cto.com/11746718/1876249