@[TOC](Nginx: hotlinking, anti-hotlinking, reverse proxy and static/dynamic separation, Section 9)
Hotlinking
nginx
[root@nginx ~]# cp /usr/share/pixmaps/faces/legacy/sunflower.jpg /data/site2/flower.jpg
[root@nginx certs]# nginx -s reload
# site1 hotlinks the image 'a.org/flower.jpg' that belongs to site2
[root@nginx ~]# vim /data/site1/daolian.html
daolian
<img src=http://www.a.org/flower.jpg>
[root@nginx certs]# nginx -s reload
[root@nginx ~]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
  listen 80;
  listen 443 ssl;
  server_name www.a.net;
  root /data/site1/;
  ssl_certificate /etc/nginx/ssl/a.net.crt;
  ssl_certificate_key /etc/nginx/ssl/a.net.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  access_log /var/log/nginx/a_net.access.log access_json;
  location / {
    if ( !-e $request_filename ) {
      rewrite ^/(.*)$ https://www.a.net/ redirect;
    }
  }
}
server {
  listen 80;
  listen 443 ssl;
  server_name www.a.org;
  root /data/site2/;
  ssl_certificate /etc/nginx/ssl/a.org.crt;
  ssl_certificate_key /etc/nginx/ssl/a.org.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  access_log /var/log/nginx/a_org.access.log main;   <-- log format changed to main so the Referer shows up in the log
}
[root@nginx certs]# nginx -s reload
ngx_http_referer_module
- ngx_http_referer_module:
  blocks requests whose Referer header has no valid value, which can be used to prevent hotlinking
- valid_referers none|blocked|server_names|string ...;
  defines the values of the Referer header that are considered legal; any value that does not match is treated as invalid
  none: the request has no Referer header at all
  blocked: the request has a Referer header, but its value is unusable (for example stripped or rewritten by a firewall or proxy so that it no longer starts with http:// or https://)
  server_names: the Referer header contains one of this server's names
  arbitrary_string: any string, where * can be used as a wildcard at the beginning or end
  regular expression: strings matched by the given regular expression; the value must start with ~, e.g. ~.*.a.com
- Production anti-hotlinking example:
  # the keyword is 'blocked'; 'block' would be read as a literal host name
  valid_referers none blocked server_names *.a.com a.* *.a1.com a1.* ~\.a\. ~\.google\. ~\.baidu\.;
  if ($invalid_referer) {
    return 403 "Forbidden Access";
  }
Experiment: referer-based anti-hotlinking
[root@nginx ~]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
  listen 80;
  listen 443 ssl;
  server_name www.a.net;
  root /data/site1/;
  ssl_certificate /etc/nginx/ssl/a.net.crt;
  ssl_certificate_key /etc/nginx/ssl/a.net.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  access_log /var/log/nginx/a_net.access.log access_json;
  location / {
    if ( !-e $request_filename ) {
      rewrite ^/(.*)$ https://www.a.net/ redirect;
    }
  }
}
server {
  listen 80;
  listen 443 ssl;
  server_name www.a.org;
  root /data/site2/;
  ssl_certificate /etc/nginx/ssl/a.org.crt;
  ssl_certificate_key /etc/nginx/ssl/a.org.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  access_log /var/log/nginx/a_org.access.log main;
  # the keyword is 'blocked'; 'block' would be read as a literal host name
  valid_referers none blocked server_names          <-- added
                 *.a.org ~\.google\. ~\.baidu\.;    <-- added
  if ($invalid_referer) {                           <-- added
    return 403 "Forbidden Access";                  <-- added
  }                                                 <-- added
}
[root@nginx ~]# nginx -s reload
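To make clear what the valid_referers line in the www.a.org block accepts and rejects, here is an added Python model of ngx_http_referer_module's matching rules (my own example, not nginx code and not part of the post): it strips the scheme, ignores the port, applies none/blocked/server_names, the *.a.org wildcard and the ~ regexes, and shows why the keyword has to be spelled blocked. The server name and rule list are taken from the config above; the Referer values checked in the test are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed to mirror the directive in the www.a.org server block:
#   valid_referers none blocked server_names *.a.org ~\.google\. ~\.baidu\.;
SERVER_NAMES = ["www.a.org"]
RULES = ["none", "blocked", "server_names", "*.a.org", r"~\.google\.", r"~\.baidu\."]


def _host_matches(pattern, host):
    """String rule: a server name with an optional leading or trailing '*'."""
    pattern = pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def referer_is_valid(referer, rules=RULES, server_names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty for this Referer value
    (None = header absent). Models ngx_http_referer_module: scheme stripped,
    port ignored, case-insensitive. The client sets Referer, so this is a
    hotlink deterrent, not access control."""
    if referer is None:
        return "none" in rules
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        # Present but not a URL (stripped by a proxy or firewall): only the
        # keyword 'blocked' accepts it; the typo 'block' is just a host literal
        return "blocked" in rules
    rest = referer.split("://", 1)[1]          # text after the scheme, used by ~ rules
    host = urlsplit(referer).hostname or ""     # host name only, port dropped
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if any(_host_matches(n, host) for n in server_names):
                return True
        elif rule.startswith("~"):
            if re.search(rule[1:], rest, re.IGNORECASE):
                return True
        elif _host_matches(rule, host):
            return True
    return False
```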
nginx reverse proxy
- Reverse proxy: proxies requests from external users to a designated internal web server and returns the response to the user
- Besides serving high-performance web content for the enterprise, nginx can forward requests it cannot handle itself to other servers over a predefined protocol; each protocol is a convention for how nginx communicates with that other server
- The following modules are used in different scenarios to provide different functions:
  - ngx_http_proxy_module: forwards client requests to backend servers over HTTP
  - ngx_http_fastcgi_module: forwards client PHP requests to the backend over FastCGI
  - ngx_http_uwsgi_module: forwards client Python requests to the backend over uwsgi
  - ngx_stream_proxy_module: forwards client requests to backend servers over TCP
httpd1: 192.168.37.20, gateway 192.168.37.2
[root@httpd1 ~]# yum install httpd -y
[root@httpd1 ~]# echo 192.168.37.20 > /var/www/html/index.html
[root@httpd1 ~]# systemctl start httpd
nginx
[root@nginx ~]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
  listen 80;
  server_name www.a.net;
  root /data/site1/;
  # ssl_certificate /etc/nginx/ssl/a.net.crt;
  # ssl_certificate_key /etc/nginx/ssl/a.net.key;
  # ssl_session_cache shared:sslcache:20m;
  # ssl_session_timeout 10m;
  access_log /var/log/nginx/a_net.access.log access_json;
  location / {                          <-- added
    proxy_pass http://192.168.37.20;    <-- forwards the request to the backend
  }                                     <-- added
}
server {
  listen 80;
  server_name www.a.org;
  root /data/site2/;
  ssl_certificate /etc/nginx/ssl/a.org.crt;
  ssl_certificate_key /etc/nginx/ssl/a.org.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  access_log /var/log/nginx/a_org.access.log main;
  valid_referers none blocked server_names
                 *.a.org ~\.google\. ~\.baidu\.;
  if ($invalid_referer) {
    return 403 "Forbidden Access";
  }
}
[root@nginx ~]# nginx -s reload
ngx_http_proxy_module
ngx_http_proxy_module:
- Forwards requests to another host: proxy_pass URL;
- Note: when proxy_pass has no URI after the host, the URI matched by the location is passed on (appended) to the backend host:
    server {
      ...
      server_name HOSTNAME;
      location /uri/ {
        proxy_pass http://host[:port];   # note: no trailing /
      }
      ...
    }
  In this example http://HOSTNAME/uri --> http://host/uri, which behaves like root.
- If the proxy_pass in the example ends with /, i.e. http://host[:port]/ (a form that is rarely used), then http://HOSTNAME/uri --> http://host/, i.e. the matched prefix is replaced, which behaves like alias.
nginx
[root@nginx ~]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
  listen 80;
  server_name www.a.net;
  root /data/site1/;
  # ssl_certificate /etc/nginx/ssl/a.net.crt;
  # ssl_certificate_key /etc/nginx/ssl/a.net.key;
  # ssl_session_cache shared:sslcache:20m;
  # ssl_session_timeout 10m;
  access_log /var/log/nginx/a_net.access.log access_json;
  location ~* ^.*\.(gif|jpg|bmp|jpeg)$ {   <-- requests for images
    proxy_pass http://192.168.37.20;       <-- are forwarded to this backend
  }                                        <-- added
  location /api {                          <-- requests for pages under /api
    proxy_pass http://192.168.37.30;       <-- are forwarded to this backend
  }                                        <-- added
}
server {
  listen 80;
  server_name www.a.org;
  root /data/site2/;
  ssl_certificate /etc/nginx/ssl/a.org.crt;
  ssl_certificate_key /etc/nginx/ssl/a.org.key;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  access_log /var/log/nginx/a_org.access.log main;
  valid_referers none blocked server_names
                 *.a.org ~\.google\. ~\.baidu\.;
  if ($invalid_referer) {
    return 403 "Forbidden Access";
  }
}
[root@nginx ~]# nginx -s reload
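As an added example (not from the post and not nginx code), this Python model of the routing in the www.a.net server block above shows how nginx chooses a location (a matching regex location overrides a prefix match) and how proxy_pass with and without a URI part rewrites the request, which covers both the ngx_http_proxy_module note and the image/api split. The routing table mirrors the config; the request URIs and the alternative location in the test are constructed.

```python
import re

# Constructed routing table mirroring the www.a.net server block above: a
# case-insensitive regex location for images and a prefix location for /api,
# each with a proxy_pass that has no URI part; everything else is served locally.
LOCATIONS = [
    ("regex_ci", r"^.*\.(gif|jpg|bmp|jpeg)$", "http://192.168.37.20"),
    ("prefix", "/api", "http://192.168.37.30"),
    ("prefix", "/", None),  # no proxy_pass: file comes from root /data/site1/
]


def select_location(uri, locations=LOCATIONS):
    """nginx remembers the longest matching prefix, but the first matching
    regex (in file order) overrides it; '=' and '^~' modifiers are not modelled."""
    best_prefix = None
    for loc in locations:
        kind, pat, _ = loc
        if kind == "prefix" and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = loc
    for loc in locations:
        kind, pat, _ = loc
        if kind == "regex_ci" and re.search(pat, uri, re.IGNORECASE):
            return loc
    return best_prefix


def upstream_url(uri, locations=LOCATIONS):
    """URL nginx would send to the backend, or None when served locally.
    proxy_pass without a URI forwards the request URI unchanged (root-like);
    proxy_pass with a URI replaces the matched prefix with it (alias-like)."""
    loc = select_location(uri, locations)
    if loc is None or loc[2] is None:
        return None
    kind, pat, target = loc
    m = re.match(r"^(https?://[^/]+)(/.*)?$", target)
    base, pass_uri = m.group(1), m.group(2)
    if pass_uri is None:
        return base + uri
    if kind != "prefix":
        # nginx refuses such a config: a proxy_pass with a URI part is not
        # allowed inside a location given by a regular expression
        raise ValueError("proxy_pass with a URI part needs a prefix location")
    return base + pass_uri + uri[len(pat):]
```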
httpd2: 192.168.37.30, gateway 192.168.37.2
[root@httpd2 ~]# yum install httpd -y
[root@httpd2 ~]# systemctl start httpd
[root@httpd2 ~]# echo 192.168.37.30 > /var/www/html/index.html
# the directory must exist, because the proxied requests ask for the api directory under the site root
[root@httpd2 ~]# mkdir /var/www/html/api
[root@httpd2 ~]# echo "192.168.37.30 /api" > /var/www/html/api/index.html