【CentOS 7架构29】,设置nginx访问控制#180106
发布时间:2019-06-20



hellopasswd


nginx访问控制

  • 需求:访问/admin/目录的请求,只允许指定IP访问,配置如下 location ^~ /admin/ { allow 192.168.9.134; allow 127.0.0.1; deny all; }
    说明:建议写成 ^~ /admin/ 而不是原文的 /admin/。nginx 里正则 location(~、~*)的优先级高于普通前缀 location,而本文的配置中就有 location ~ .*\.(js|css)$ 这类正则块,请求 /admin/x.js 会先命中正则块,根本不会经过这里的 allow/deny;加上 ^~ 后命中该前缀就不再检查正则。另外 allow/deny 比较的是 $remote_addr(TCP 对端地址),如果 nginx 前面还有反向代理或负载均衡,看到的只会是代理的地址,需要配合 real_ip 相关配置或者在代理层做限制;把 127.0.0.1 放进白名单也意味着本机上的任何进程都能访问 /admin/。
  • mkdir /data/wwwroot/test.com/admin/
  • echo "test,test" > /data/wwwroot/test.com/admin/1.html
  • /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload(先检查语法,-t 失败时不会执行 reload)
  • curl -x 127.0.0.1:80 test.com/admin/1.html -I
  • curl -x 192.168.9.233:80 test.com/admin/1.html -I
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
     25         location ~ .*\.(js|css)$
     26         {
     27 #               expires 12h;
     28                 access_log off;
     29         }
     30         location /admin/
     31         {
     32                 allow 192.168.9.134;
     33                 allow 127.0.0.1;
     34                 deny all;
     35         }
     36 
     37         access_log /tmp/test.com.log;
     38 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/admin -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:46:30 GMT
Content-Type: text/html
Content-Length: 184
Location: http://test.com/admin/
Connection: keep-alive
[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:47:23 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Thu, 04 Jan 2018 03:28:58 GMT
Connection: keep-alive
ETag: "5a4d9f7a-19"
Accept-Ranges: bytes
[root@localhost ~]# curl -x 192.168.9.134:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:49:59 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Thu, 04 Jan 2018 03:28:58 GMT
Connection: keep-alive
ETag: "5a4d9f7a-19"
Accept-Ranges: bytes
说明:第一次请求的是 /admin(没有结尾的斜杠),它并不匹配 location /admin/,所以返回的 301 来自默认的目录重定向,而不是经过了 allow/deny;白名单只对以 /admin/ 开头的路径生效。这里两次请求都来自白名单内的地址(127.0.0.1 和 192.168.9.134),所以都是 200,下面还需要验证 deny 分支。
[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - - [04/Jan/2018:16:51:53 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:52:08 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:53:57 +0800] "GET HTTP://test.com/3.php HTTP/1.1" 404 168 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:46:30 +0800] "HEAD HTTP://test.com/admin HTTP/1.1" 301 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:47:23 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:49:59 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "-" "curl/7.29.0"

为了验证 deny 分支,再添加一张网卡:用 -x 把新网卡的地址 192.168.23.128 当作代理地址去连本机 nginx,请求的源地址就是这张网卡的地址,它不在白名单内,预期返回 403。

[root@localhost ~]# dhclient ens37
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.9.134  netmask 255.255.255.0  broadcast 192.168.9.255
        inet6 fe80::20c:29ff:fe0a:e7fc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:0a:e7:fc  txqueuelen 1000  (Ethernet)
        RX packets 39035  bytes 3660208 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11109  bytes 1576541 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.9.139  netmask 255.255.255.0  broadcast 192.168.9.255
        ether 00:0c:29:0a:e7:fc  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.23.128  netmask 255.255.255.0  broadcast 192.168.23.255
        inet6 fe80::20c:29ff:fe0a:e706  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:0a:e7:06  txqueuelen 1000  (Ethernet)
        RX packets 9  bytes 1780 (1.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51  bytes 8571 (8.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 511  bytes 48445 (47.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 511  bytes 48445 (47.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# curl -x 192.168.23.128:80 test.com/admin/ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:55:58 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - - [04/Jan/2018:16:51:53 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:52:08 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:53:57 +0800] "GET HTTP://test.com/3.php HTTP/1.1" 404 168 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:46:30 +0800] "HEAD HTTP://test.com/admin HTTP/1.1" 301 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:47:23 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:49:59 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
192.168.23.128 - - [04/Jan/2018:23:55:58 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 403 0 "-" "curl/7.29.0"
说明:访问日志最后一行确认源地址是 192.168.23.128,命中了 deny all,返回 403。

限制指定路径(正则 location)

  • 匹配正则 location ~ .*(upload|image)/.*\.php$ { deny all; }(原文此处显示为 "~.(abc|image)/..php$ { deny 304; }",是转载时丢失了反斜杠和星号,下面的实际配置用的是 upload|image 和 deny all)。目的是禁止执行用户上传目录下的 .php 文件。两点注意:nginx 对正则 location 按书写顺序取第一个匹配到的,所以这个 deny 块必须写在 location ~ \.php$ 之类的 PHP 处理块之前,否则 /upload/1.php 会先被 PHP 块拿走(本文配置里没有出现 PHP 处理块,按自己的配置核对);~ 是区分大小写的,如果 PHP 处理块用的是 ~*,这里也要改成 ~*,否则 /upload/1.PHP 会漏过。
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
     30         location /admin/
     31         {
     32                 allow 192.168.9.134;
     33                 allow 127.0.0.1;
     34                 deny all;
     35         }
     36 
     37         location ~ .*(upload|image)/.*\.php$
     38         {
     39                 deny all;
     40         }
     41 
     42         access_log /tmp/test.com.log;
     43 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload
[root@localhost ~]# echo "hello upload" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# curl -x 127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
说明:这是 nginx 默认的 403 页面(168 字节,和上面响应头里的 Content-Length 一致),页脚会暴露 nginx 版本号;生产环境建议在 http 块加 server_tokens off;,或者用 error_page 换成自定义页面。
[root@localhost ~]# echo "hello upload" > /data/wwwroot/test.com/upload/1.html
[root@localhost ~]# curl -x 127.0.0.1:80 test.com/upload/1.html
hello upload
[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - - [04/Jan/2018:16:51:53 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:52:08 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:53:57 +0800] "GET HTTP://test.com/3.php HTTP/1.1" 404 168 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:46:30 +0800] "HEAD HTTP://test.com/admin HTTP/1.1" 301 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:47:23 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:48:33 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 403 0 "-" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:49:59 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
192.168.23.128 - - [04/Jan/2018:23:55:58 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 403 0 "-" "curl/7.29.0"
127.0.0.1 - - [05/Jan/2018:00:04:54 +0800] "GET HTTP://test.com/upload/1.php HTTP/1.1" 403 168 "-" "curl/7.29.0"
127.0.0.1 - - [05/Jan/2018:00:05:38 +0800] "GET HTTP://test.com/upload/1.html HTTP/1.1" 200 13 "-" "curl/7.29.0"
  • 根据user_agent限制 if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
    注意:User-Agent 完全由客户端自己填写(下面的测试就是用 curl -A 随意指定的),这种过滤只能挡住如实上报 UA 的爬虫,不能当作访问控制来用;~ 区分大小写,要忽略大小写应改用 ~*(见文末)。这个 if 写在 server 级,对该虚拟主机的所有请求都生效。
  • deny all和return 403效果一样:客户端收到的都是 403。区别在于 deny 属于 ngx_http_access_module,在 access 阶段按 location 生效;return 属于 rewrite 模块,在更早的 rewrite 阶段执行,可以写在 server 级的 if 里。

防止被爬虫(按 User-Agent 过滤,只对如实上报 UA 的爬虫有效)

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
     30         location /admin/
     31         {
     32                 allow 192.168.9.134;
     33                 allow 127.0.0.1;
     34                 deny all;
     35         }
     36 
     37         location ~ .*(upload|image)/.*\.php$
     38         {
     39                 deny all;
     40         }
     41 
     42         if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
     43         {
     44                 return 403;
     45         }
     46 
     47         access_log /tmp/test.com.log;
     48 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "Tomato" -x 127.0.0.1:80 test.com/upload/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 16:11:58 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Thu, 04 Jan 2018 16:05:31 GMT
Connection: keep-alive
ETag: "5a4e50cb-d"
Accept-Ranges: bytes
[root@localhost ~]# curl -A "Tomato" -x 127.0.0.1:80 test.com/upload/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 16:12:50 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
说明:同一条命令第一次返回 200、第二次返回 403,推测第一次请求发生在 reload 生效之前(两次相隔约一分钟);以第二次为准,伪造的 UA "Tomato" 被拒绝。

这里 deny all 和 return 403 对客户端的效果一样,都是 403;不同的是 deny 只能限定在它所在的 location 内,且是基于来源 IP 的 access 阶段检查,而 return 403 可以放在任何 if 条件里(这里是按 User-Agent),在 rewrite 阶段就结束请求。

忽略大小写(正则用 ~* 代替 ~)

[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
      1 server
      2 {
      3     listen 80;
      4     server_name test.com test2.com test3.com;
      5     index index.html index.htm index.php;
      6     root /data/wwwroot/test.com;
      7 
      8     if ( $host != 'test.com' ) {
      9         rewrite ^/(.*)$ http://test.com/$1 permanent;
     10     }
     11 
     12     location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
     13     {
     14         expires 7d;
     15         valid_referers none blocked server_names *.test.com;
     16         if ($invalid_referer) {
     17             return 403;
     18         }
     19         access_log off;
     20     }
     21 
     22     location ~ .*\.(js|css)$
     23     {
     24         expires 12h;
     25         access_log off;
     26     }
     27 
     28     location /admin/
     29     {
     30         allow 127.0.0.1;
     31         allow 192.168.81.133;
     32         deny all;
     33     }
     34 
     35     location ~ .*(upload|image)/.*\.php$
     36     {
     37         deny all;
     38     }
     39 
     40     if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
     41     {
     42         return 0;
     43     }
     44 
     45     access_log /tmp/test.com.log user;
     46 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "tomato" -x 127.0.0.1:80 test.com/upload/1.index -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Fri, 02 Mar 2018 16:40:30 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
说明:
1. 第 42 行显示为 return 0;,应为前文的 return 403;(大概率是抄录错误);测试请求 /upload/1.index 不匹配任何 deny 规则,返回的 403 只能来自这个 UA 判断,与 return 403 的行为一致。小写的 "tomato" 被拒绝,说明 ~* 的忽略大小写生效。
2. 这份完整配置把前面提到的优先级问题摆在了一起:第 12 行和第 22 行都是正则 location,优先级高于第 28 行的前缀 location /admin/,所以 /admin/x.pdf、/admin/x.js 这类请求会被正则块直接当静态文件返回,不经过 allow/deny。要让白名单覆盖整个目录,第 28 行应写成 location ^~ /admin/。
3. 这段记录的 nginx 版本(1.8.0)、时间(2018-03-02)和白名单地址(192.168.81.133)都与前文不同,应是在另一台机器上补做的,对照时注意。

修改于180106

转载于:https://my.oschina.net/hellopasswd/blog/1603238
