shallow丿ove
nginx访问控制
- 需求:访问/admin/目录的请求,只允许指定IP访问,配置如下 location /admin/ { allow 192.168.9.134; allow 127.0.0.1; deny all; }
- mkdir /data/wwwroot/test.com/admin/
- echo "test,test" > /data/wwwroot/test.com/admin/1.html
- /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
- curl -x 127.0.0.1:80 test.com/admin/1.html -I
- curl -x 192.168.9.233:80 test.com/admin/1.html -I
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
25 location ~ .*\.(js|css)$
26 {
27 # expires 12h;
28 access_log off;
29 }
30 location /admin/
31 {
32 allow 192.168.9.134;
33 allow 127.0.0.1;
34 deny all;
35 }
36
37 access_log /tmp/test.com.log;
38 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/admin -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:46:30 GMT
Content-Type: text/html
Content-Length: 184
Location: http://test.com/admin/
Connection: keep-alive
[root@localhost ~]# curl -e "http://www.baidu.com/1.txt" -x 127.0.0.1:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:47:23 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Thu, 04 Jan 2018 03:28:58 GMT
Connection: keep-alive
ETag: "5a4d9f7a-19"
Accept-Ranges: bytes
[root@localhost ~]# curl -x 192.168.9.134:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:49:59 GMT
Content-Type: text/html
Content-Length: 25
Last-Modified: Thu, 04 Jan 2018 03:28:58 GMT
Connection: keep-alive
ETag: "5a4d9f7a-19"
Accept-Ranges: bytes
[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - - [04/Jan/2018:16:51:53 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:52:08 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:53:57 +0800] "GET HTTP://test.com/3.php HTTP/1.1" 404 168 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:46:30 +0800] "HEAD HTTP://test.com/admin HTTP/1.1" 301 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:47:23 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:49:59 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
再添加一张网卡,用另一个来源 IP 验证 deny all 是否生效
[root@localhost ~]# dhclient ens37
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.9.134 netmask 255.255.255.0 broadcast 192.168.9.255
inet6 fe80::20c:29ff:fe0a:e7fc prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:0a:e7:fc txqueuelen 1000 (Ethernet)
RX packets 39035 bytes 3660208 (3.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11109 bytes 1576541 (1.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.9.139 netmask 255.255.255.0 broadcast 192.168.9.255
ether 00:0c:29:0a:e7:fc txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.23.128 netmask 255.255.255.0 broadcast 192.168.23.255
inet6 fe80::20c:29ff:fe0a:e706 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:0a:e7:06 txqueuelen 1000 (Ethernet)
RX packets 9 bytes 1780 (1.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 51 bytes 8571 (8.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 511 bytes 48445 (47.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 511 bytes 48445 (47.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# curl -x 192.168.23.128:80 test.com/admin/ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 15:55:58 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - - [04/Jan/2018:16:51:53 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:52:08 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:53:57 +0800] "GET HTTP://test.com/3.php HTTP/1.1" 404 168 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:46:30 +0800] "HEAD HTTP://test.com/admin HTTP/1.1" 301 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:47:23 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:49:59 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
192.168.23.128 - - [04/Jan/2018:23:55:58 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 403 0 "-" "curl/7.29.0"
指定页面
- 匹配正则 location ~ .*(upload|image)/.*\.php$ { deny all; }
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
30 location /admin/
31 {
32 allow 192.168.9.134;
33 allow 127.0.0.1;
34 deny all;
35 }
36
37 location ~ .*(upload|image)/.*\.php$
38 {
39 deny all;
40 }
41
42 access_log /tmp/test.com.log;
43 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# mkdir /data/wwwroot/test.com/upload
[root@localhost ~]# echo "hello upload" > /data/wwwroot/test.com/upload/1.php
[root@localhost ~]# curl -x 127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
[root@localhost ~]# echo "hello upload" > /data/wwwroot/test.com/upload/1.html
[root@localhost ~]# curl -x 127.0.0.1:80 test.com/upload/1.html
hello upload
[root@localhost ~]# cat /tmp/test.com.log
127.0.0.1 - - [04/Jan/2018:16:51:53 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:52:08 +0800] "GET HTTP://test.com/index.html HTTP/1.1" 200 9 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:16:53:57 +0800] "GET HTTP://test.com/3.php HTTP/1.1" 404 168 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:46:30 +0800] "HEAD HTTP://test.com/admin HTTP/1.1" 301 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
127.0.0.1 - - [04/Jan/2018:23:47:23 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:48:33 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 403 0 "-" "curl/7.29.0"
192.168.9.134 - - [04/Jan/2018:23:49:59 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 200 0 "-" "curl/7.29.0"
192.168.23.128 - - [04/Jan/2018:23:55:58 +0800] "HEAD HTTP://test.com/admin/ HTTP/1.1" 403 0 "-" "curl/7.29.0"
127.0.0.1 - - [05/Jan/2018:00:04:54 +0800] "GET HTTP://test.com/upload/1.php HTTP/1.1" 403 168 "-" "curl/7.29.0"
127.0.0.1 - - [05/Jan/2018:00:05:38 +0800] "GET HTTP://test.com/upload/1.html HTTP/1.1" 200 13 "-" "curl/7.29.0"
- 根据user_agent限制 if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
- deny all和return 403效果一样
防止被爬虫,暗网?
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
30 location /admin/
31 {
32 allow 192.168.9.134;
33 allow 127.0.0.1;
34 deny all;
35 }
36
37 location ~ .*(upload|image)/.*\.php$
38 {
39 deny all;
40 }
41
42 if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
43 {
44 return 403;
45 }
46
47 access_log /tmp/test.com.log;
48 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "Tomato" -x 127.0.0.1:80 test.com/upload/1.html -I
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 16:11:58 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Thu, 04 Jan 2018 16:05:31 GMT
Connection: keep-alive
ETag: "5a4e50cb-d"
Accept-Ranges: bytes
[root@localhost ~]# curl -A "Tomato" -x 127.0.0.1:80 test.com/upload/1.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.4.7
Date: Thu, 04 Jan 2018 16:12:50 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
这里deny all和return 403效果一样
忽略大小写(location 和 if 的正则匹配用 ~* 代替 ~)
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/test.com.conf
1 server
2 {
3 listen 80;
4 server_name test.com test2.com test3.com;
5 index index.html index.htm index.php;
6 root /data/wwwroot/test.com;
7
8 if ( $host != 'test.com' ) {
9 rewrite ^/(.*)$ http://test.com/$1 permanent;
10 }
11
12 location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
13 {
14 expires 7d;
15 valid_referers none blocked server_names *.test.com;
16 if ($invalid_referer) {
17 return 403;
18 }
19 access_log off;
20 }
21
22 location ~ .*\.(js|css)$
23 {
24 expires 12h;
25 access_log off;
26 }
27
28 location /admin/
29 {
30 allow 127.0.0.1;
31 allow 192.168.81.133;
32 deny all;
33 }
34
35 location ~ .*(upload|image)/.*\.php$
36 {
37 deny all;
38 }
39
40 if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
41 {
42 return 0;
43 }
44
45 access_log /tmp/test.com.log user;
46 }
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -A "tomato" -x 127.0.0.1:80 test.com/upload/1.index -I
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Fri, 02 Mar 2018 16:40:30 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive