linux 学习笔记-049-Nginx 的防盗链,访问控制,解析 php 和代理功能

发布于 2018-03-15  672 次阅读


Nginx 防盗链

Nginx 的防盗链设置和 Apache 的类似,可以和之前提到的不记录静态文件日志信息的配置配合起来

这里的实验先把之前做的不记录静态文件的配置注释掉

[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

    listen 80;

    server_name test.com test2.com test3.com;

    index index.html index.htm index.php;

    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {

        rewrite  ^/(.*)$  http://test.com/$1  permanent;

    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

    {

    expires 7d;

    valid_referers none blocked server_names  *.test.com ;

    if ($invalid_referer) {

        return 403;

    }

    access_log off;

    }

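#这里包含了访问日志不记录静态文件的配置。valid_referers 定义白名单:none 表示请求不带 Referer,blocked 表示 Referer 被防火墙或代理抹掉(不以 http:// 或 https:// 开头),server_names 表示 Referer 的主机名是本 server 的 server_name 之一;if 语句让不在白名单的请求都返回 403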

    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

    #{

    #      expires      7d;

    #      access_log off;

    #}    

    location ~ .*\.(js|css)$

    {

          expires      12h;

          access_log off;

    }

    access_log /tmp/1.log combined_realip;

}

#注释掉之前的不记录静态文件日志信息的配置,新的 location 配置将包含不记录静态文件日志信息的配置
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

[root@am-01:~#] curl -e "http://www.test.com/index.txt" -x127.0.0.1:80 test.com/1.jpg -I

HTTP/1.1 200 OK

Server: nginx/1.12.1

Date: Thu, 15 Mar 2018 16:00:23 GMT

Content-Type: image/jpeg

Content-Length: 8

Last-Modified: Wed, 14 Mar 2018 22:20:56 GMT

Connection: keep-alive

ETag: "5aa9a048-8"

Expires: Thu, 22 Mar 2018 16:00:23 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

[root@am-01:~#] curl -e "http://www.baidu.com/index.txt" -x127.0.0.1:80 test.com/1.jpg -I

HTTP/1.1 403 Forbidden

Server: nginx/1.12.1

Date: Thu, 15 Mar 2018 16:00:19 GMT

Content-Type: text/html

Content-Length: 169

Connection: keep-alive

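#可见防盗链已经设置成功。注意 Referer 是客户端自己填写的请求头(上面的 curl -e 就是在手工指定它),而且白名单里的 none 允许不带 Referer 的请求,所以防盗链只能减少其他站点的盗链流量,不能当作访问控制;真正需要保护的文件应使用登录鉴权或带签名、有时效的链接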

Nginx 访问控制

设置访问控制,只允许某些 IP 能访问某些目录或者文件

Nginx 的访问控制不像 Apache 那样另有 Order 指令规定 allow 和 deny 的处理顺序,而是按书写顺序从上到下一条一条规则匹配,当匹配上了就会停止匹配;而 Apache 会把所有规则都匹配一遍。因此在 Nginx 中规则的先后顺序直接决定结果:要放行的 allow 写在前面,deny all 放在最后,如果顺序有错,将会导致出问题

例子:只允许某几个 IP 访问/admin/目录

[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

    listen 80;

    server_name test.com test2.com test3.com;

    index index.html index.htm index.php;

    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {

        rewrite  ^/(.*)$  http://test.com/$1  permanent;

    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

    {

    expires 7d;

    valid_referers none blocked server_names  *.test.com ;

    if ($invalid_referer) {

        return 403;

    }

    access_log off;

    }

    location /admin/

    {

    allow 172.17.1.240;

    allow 127.0.0.1;

    deny all;

    }

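#这段 location 配置决定了哪些 IP 能访问 admin 目录;allow/deny 按书写顺序匹配,所以 deny all 必须放在最后
#注意 location /admin/ 是普通前缀匹配,而正则 location 的优先级更高:/admin/ 下能匹配到正则 location 的请求(例如 .jpg、.js,以及后文加入 location ~ \.php$ 之后的 .php)会由对应的正则 location 处理,不受这里的 allow/deny 限制;需要整个目录都受限时,可写成 location ^~ /admin/,并在其中嵌套解析 php 的 location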

    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

    #{

    #      expires      7d;

    #      access_log off;

    #}    

    location ~ .*\.(js|css)$

    {

          expires      12h;

          access_log off;

    }

    access_log /tmp/1.log combined_realip;

}

#新增一段 location 配置
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

[root@am-01:~#] curl -x127.0.0.1:80 test.com/admin/ -I

HTTP/1.1 200 OK

Server: nginx/1.12.1

Date: Thu, 15 Mar 2018 16:18:46 GMT

Content-Type: text/html

Content-Length: 4

Last-Modified: Tue, 13 Mar 2018 16:55:57 GMT

Connection: keep-alive

ETag: "5aa8029d-4"

Accept-Ranges: bytes

[root@am-01:~#] curl -x172.17.1.240:80 test.com/admin/ -I

HTTP/1.1 200 OK

Server: nginx/1.12.1

Date: Thu, 15 Mar 2018 16:18:49 GMT

Content-Type: text/html

Content-Length: 4

Last-Modified: Tue, 13 Mar 2018 16:55:57 GMT

Connection: keep-alive

ETag: "5aa8029d-4"

Accept-Ranges: bytes

[root@am-01:~#] cat /tmp/1.log

127.0.0.1 - [16/Mar/2018:00:18:46 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

172.17.1.240 - [16/Mar/2018:00:18:49 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

#使用白名单的 IP 可以访问 admin 目录
[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

    listen 80;

    server_name test.com test2.com test3.com;

    index index.html index.htm index.php;

    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {

        rewrite  ^/(.*)$  http://test.com/$1  permanent;

    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

    {

    expires 7d;

    valid_referers none blocked server_names  *.test.com ;

    if ($invalid_referer) {

        return 403;

    }

    access_log off;

    }

    location /admin/

    {

    #allow 172.17.1.240;

    allow 127.0.0.1;

    deny all;

    }

    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

    #{

    #      expires      7d;

    #      access_log off;

    #}    

    location ~ .*\.(js|css)$

    {

          expires      12h;

          access_log off;

    }

    access_log /tmp/1.log combined_realip;

}

#把白名单中的"allow 172.17.1.240;"注释掉,继续测试
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

[root@am-01:~#] curl -x172.17.1.240:80 test.com/admin/ -I

HTTP/1.1 403 Forbidden

Server: nginx/1.12.1

Date: Thu, 15 Mar 2018 16:22:15 GMT

Content-Type: text/html

Content-Length: 169

Connection: keep-alive

[root@am-01:~#] cat /tmp/1.log

127.0.0.1 - [16/Mar/2018:00:18:46 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

172.17.1.240 - [16/Mar/2018:00:18:49 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

172.17.1.240 - [16/Mar/2018:00:22:15 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"

#可以见到,这次返回的是 403 状态码了

Nginx 的 location 还可以用正则匹配,利用正则禁止某些目录(例如可以上传文件的目录)解析 php,访问这些目录下的 php 文件时直接返回 403 状态码,防止被上传的木马脚本被执行

[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

    listen 80;

    server_name test.com test2.com test3.com;

    index index.html index.htm index.php;

    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {

        rewrite  ^/(.*)$  http://test.com/$1  permanent;

    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

    {

    expires 7d;

    valid_referers none blocked server_names  *.test.com ;

    if ($invalid_referer) {

        return 403;

    }

    access_log off;

    }

    location /admin/

    {

    #allow 172.17.1.240;

    allow 127.0.0.1;

    deny all;

    }

    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

    #{

    #      expires      7d;

    #      access_log off;

    #}    

    location ~ .*\.(js|css)$

    {

          expires      12h;

          access_log off;

    }

    location ~ .*(abc|image)/.*\.php$

    {

        deny all;

    }

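#禁止 abc 和 image 目录解析 php。这个正则区分大小写,而且路径中只要出现 abc/ 或 image/ 就会命中(如 /myimage/1.php);正则 location 按书写顺序匹配,所以这一段必须写在解析 php 的 location ~ \.php$ 之前才有效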

    access_log /tmp/1.log combined_realip;

}

#新增一段 location 配置
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

[root@am-01:~#] mkdir /data/wwwroot/test.com/image

[root@am-01:~#] echo "111" > /data/wwwroot/test.com/image/1.php

[root@am-01:~#] curl -x127.0.0.1:80 test.com/image/1.php

<html>

<head><title>403 Forbidden</title></head>

<body bgcolor="white">

<center><h1>403 Forbidden</h1></center>

<hr><center>nginx/1.12.1</center>

</body>

</html>

#可见设置了不能解析 php 的目录后,访问这个目录下的 php 文件会返回 403 状态码

Nginx 也可以根据 user_agent 做限制,例如你的站点不想让搜索引擎等蜘蛛爬取到,则可以通过设置 user_agent 来做一些限制

[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

    listen 80;

    server_name test.com test2.com test3.com;

    index index.html index.htm index.php;

    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {

        rewrite  ^/(.*)$  http://test.com/$1  permanent;

    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

    {

    expires 7d;

    valid_referers none blocked server_names  *.test.com ;

    if ($invalid_referer) {

        return 403;

    }

    access_log off;

    }

    location /admin/

    {

    #allow 172.17.1.240;

    allow 127.0.0.1;

    deny all;

    }

    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

    #{

    #      expires      7d;

    #      access_log off;

    #}    

    location ~ .*\.(js|css)$

    {

          expires      12h;

          access_log off;

    }

    location ~ .*(abc|image)/.*\.php$

    {

        deny all;

    }

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

   {

      return 403;

   }

#设置针对 user_agent 的限制

    access_log /tmp/1.log combined_realip;

}

#新增一段 location 配置
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

[root@am-01:~#] echo "1111" > /data/wwwroot/test.com/1.txt

[root@am-01:~#] curl -x127.0.0.1:80 test.com/1.txt

1111

[root@am-01:~#] curl -A "YoudaoBot" -x127.0.0.1:80 test.com/1.txt

<html>

<head><title>403 Forbidden</title></head>

<body bgcolor="white">

<center><h1>403 Forbidden</h1></center>

<hr><center>nginx/1.12.1</center>

</body>

</html>

#可以见到,"YoudaoBot"这个 user_agent 已经被限制访问站点。User-Agent 同样由客户端自行填写(上面用 curl -A 就能随意指定),这种限制只对如实标识自己的爬虫有效,不能阻止伪装 User-Agent 的客户端

#这里的 ~ 是区分大小写的正则匹配,如果想 user_agent 大小写都能匹配,可以如下操作,在~后面加一个*号即可

#      if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')

#   {

#      return 403;

#   }

Nginx 解析 php 相关配置

当前并没有在 test.com.conf 设置解析 php 的语句,所以目前是解析不了 php 的。此时请求 .php 文件,Nginx 会把它当作普通静态文件,把源码原样返回给客户端(见下面的 curl 输出);在线上环境中这就意味着源码泄露

案例 01:

[root@am-01:~#] vim /data/wwwroot/test.com/index.php

<?php

phpinfo();

?>

[root@am-01:~#] curl -x127.0.0.1:80 test.com/index.php

<?php

phpinfo();

?>
[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

    listen 80;

    server_name test.com test2.com test3.com;

    index index.html index.htm index.php;

    root /data/wwwroot/test.com;

    if ($host != 'test.com' ) {

        rewrite  ^/(.*)$  http://test.com/$1  permanent;

    }

    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

    {

    expires 7d;

    valid_referers none blocked server_names  *.test.com ;

    if ($invalid_referer) {

        return 403;

    }

    access_log off;

    }

    location /admin/

    {

    #allow 172.17.1.240;

    allow 127.0.0.1;

    deny all;

    }

    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

    #{

    #      expires      7d;

    #      access_log off;

    #}    

    location ~ .*\.(js|css)$

    {

          expires      12h;

          access_log off;

    }

    location ~ .*(abc|image)/.*\.php$

    {

        deny all;

    }

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

   {

      return 403;

   }

    location ~ \.php$

    {

        include fastcgi_params;

        fastcgi_pass unix:/tmp/php-fcgi.sock;

#这个/tmp/php-fcgi.sock 是重点,不能错,必须和/usr/local/php-fpm/etc/php-fpm.conf 配置文件中 listen 的值一致

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

    } 

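#添加解析 php 的语句。这段配置会把所有以 .php 结尾的 URI 都交给 php-fpm,不检查对应文件是否真实存在;建议在这个 location 内加一行 try_files $uri =404;,只转发磁盘上确实存在的 .php 文件,避免 php 开启 cgi.fix_pathinfo 时把其他类型的文件当作 php 执行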

    access_log /tmp/1.log combined_realip;

}

#新增一段 location 配置
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

#测试配置文件正确性并重载配置文件

在客户端浏览器测试,可以见到,解析 php 的设置已经生效。测试完成后应删除这个 phpinfo() 页面,它会暴露 php 版本、文件路径、环境变量等信息


案例 02:

[root@am-01:~#] vim /usr/local/php-fpm/etc/php-fpm.conf

  [global]

  pid = /usr/local/php-fpm/var/run/php-fpm.pid

  error_log = /usr/local/php-fpm/var/log/php-fpm.log

  [www]

  #listen = /tmp/php-fcgi.sock

  listen = 127.0.0.1:9000

  listen.mode = 666

  user = php-fpm

  group = php-fpm

  pm = dynamic

  pm.max_children = 50

  pm.start_servers = 20

  pm.min_spare_servers = 5

  pm.max_spare_servers = 35

  pm.max_requests = 500

  rlimit_files = 1024

[root@am-01:~#] /usr/local/php-fpm/sbin/php-fpm -t

[16-Mar-2018 06:05:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@am-01:~#] /etc/init.d/php-fpm reload

Reload service php-fpm  done

#把 php-fpm 的配置文件中的"listen = /tmp/php-fcgi.sock"改为"listen = 127.0.0.1:9000",并测试 php-fpm 配置文件的正确性和重新加载一下(listen.mode 只对 unix socket 生效,监听 TCP 端口时这一行不起作用)
[root@am-01:~#] netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   

tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      92883/php-fpm: mast

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      88450/nginx: master

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1111/sshd          

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1837/master        

tcp6       0      0 :::3306                 :::*                    LISTEN      97359/mysqld       

tcp6       0      0 :::22                   :::*                    LISTEN      1111/sshd          

tcp6       0      0 ::1:25                  :::*                    LISTEN      1837/master        

#可以见到 php-fpm 的监听已经变为 127.0.0.1:9000
[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

server

{

listen 80;

server_name test.com test2.com test3.com;

index index.html index.htm index.php;

root /data/wwwroot/test.com;

if ($host != 'test.com' ) {

rewrite  ^/(.*)$  http://test.com/$1  permanent;

}

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$

{

expires 7d;

valid_referers none blocked server_names  *.test.com ;

if ($invalid_referer) {

return 403;

}

access_log off;

}

location /admin/

{

#allow 172.17.1.240;

allow 127.0.0.1;

deny all;

}

#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

#{

#      expires      7d;

#      access_log off;

#}

location ~ .*\.(js|css)$

{

expires      12h;

access_log off;

}

location ~ .*(abc|image)/.*\.php$

{

deny all;

}

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

{

return 403;

}

location ~ \.php$

{

include fastcgi_params;

#fastcgi_pass unix:/tmp/php-fcgi.sock;

fastcgi_pass 127.0.0.1:9000;

#这里把"fastcgi_pass unix:/tmp/php-fcgi.sock;"注释掉,使用 php-fpm.conf 中指定的监听端口的信息

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;

}

#添加解析 php 的语句

access_log /tmp/1.log combined_realip;

}

#新增一段 location 配置
[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

#测试 nginx 配置文件正确性并重载配置文件

在客户端浏览器测试,可以见到,解析 php 的设置已经生效


案例 03

[root@am-01:~#] vim /usr/local/php-fpm/etc/php-fpm.conf

[global]

pid = /usr/local/php-fpm/var/run/php-fpm.pid

error_log = /usr/local/php-fpm/var/log/php-fpm.log

[www]

listen = /tmp/php-fcgi.sock

#listen = 127.0.0.1:9000

#listen.mode = 666

user = php-fpm

group = php-fpm

pm = dynamic

pm.max_children = 50

pm.start_servers = 20

pm.min_spare_servers = 5

pm.max_spare_servers = 35

pm.max_requests = 500

rlimit_files = 1024

#这里修改 php-fpm.conf 文件,启用"listen = /tmp/php-fcgi.sock",同时注释"listen.mode = 666"
[root@am-01:~#] vim /usr/local/nginx/conf/vhost/test.com.conf

fastcgi_pass unix:/tmp/php-fcgi.sock;

#fastcgi_pass 127.0.0.1:9000;

[root@am-01:~#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:~#] /usr/local/nginx/sbin/nginx -s reload

#把"fastcgi_pass 127.0.0.1:9000;"注释,启用"fastcgi_pass unix:/tmp/php-fcgi.sock;",测试 nginx 配置文件正确性并重载配置文件
[root@am-01:~#] /etc/init.d/php-fpm restart

Gracefully shutting down php-fpm . done

Starting php-fpm  done

[root@am-01:~#] ls -l /tmp/php-fcgi.sock

srw-rw---- 1 root root 0 3 月  16 06:24 /tmp/php-fcgi.sock

[root@am-01:~#] ps -aux | grep nginx

root      88450  0.0  0.1  21292  1696 ?        Ss   3 月 14   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

nobody    92917  0.0  0.4  23468  4164 ?        S    06:12   0:00 nginx: worker process

nobody    92918  0.0  0.4  23468  4164 ?        S    06:12   0:00 nginx: worker process

root      92965  0.0  0.0 112680   980 pts/1    S+   06:25   0:00 grep --color=auto nginx

[root@am-01:~#] curl -x127.0.0.1:80 test.com/index.php

<html>

<head><title>502 Bad Gateway</title></head>

<body bgcolor="white">

<center><h1>502 Bad Gateway</h1></center>

<hr><center>nginx/1.12.1</center>

</body>

</html>

[root@am-01:~#] cat /usr/local/nginx/logs/nginx_error.log

2018/03/14 00:00:24 [emerg] 88352#0: bind() to 0.0.0.0:80 failed (98: Address already in use)

2018/03/14 00:00:24 [emerg] 88352#0: bind() to 0.0.0.0:80 failed (98: Address already in use)

2018/03/14 00:00:24 [emerg] 88352#0: bind() to 0.0.0.0:80 failed (98: Address already in use)

2018/03/14 00:00:24 [emerg] 88352#0: bind() to 0.0.0.0:80 failed (98: Address already in use)

2018/03/14 00:00:24 [emerg] 88352#0: bind() to 0.0.0.0:80 failed (98: Address already in use)

2018/03/14 00:00:24 [emerg] 88352#0: still could not bind()

2018/03/16 06:29:36 [crit] 93027#0: *85 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/index.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"

#可见"php-fcgi.sock"的权限变为了 660,并且所有者和所属组均为 root,而 nginx 是以 nobody 用户启动的,也以这个用户去访问 php-fcgi.sock 的,所以没有权限访问 php-fcgi.sock,就导致 502 了

注意事项

当访问网站出现 502 的时候

01:需关注 nginx 虚拟主机配置文件中的"fastcgi_pass"所定义的参数是不是 php-fpm 配置文件中的"listen"所定义的参数

02:需确认 nginx 虚拟主机配置文件中的“SCRIPT_FILENAME”后面跟着的站点路径是否正确

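03:使用 unix socket 时,php-fpm.conf 文件中的"listen.mode = 666"参数不能少,否则以 nobody 用户运行的 nginx worker 无权访问 socket。不过 666 会让本机所有用户都能连接 php-fpm;更稳妥的做法是用 listen.owner 和 listen.group 把 socket 的属主或属组设为 nginx worker 的运行用户,并保持 660 权限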

04:php-fpm 资源耗尽,也会出现 502

Nginx 代理

用到的场所:用户不能直接访问网站服务器,需要代理服务器才能访问;或者用户直接访问服务器很慢,需要通过代理服务器访问网站服务器


[root@am-01:~#] cd /usr/local/nginx/conf/vhost/

[root@am-01:/usr/local/nginx/conf/vhost#] vim proxy.conf

server

{

listen 80;

server_name www.itwordsweb.com;

#定义域名

location /

{

proxy_pass      http://113.207.76.122/;

#定义 web 服务器的 IP 地址

proxy_set_header Host   $host;

proxy_set_header X-Real-IP      $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

}

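#新建一个代理配置文件,填写相关设置。X-Real-IP 和 X-Forwarded-For 用来把客户端 IP 传给后端;X-Forwarded-For 中客户端自带的部分可以伪造,后端只应信任由代理服务器发来的这些请求头
#这里代理到后端用的是明文 http,代理和后端之间跨公网时应考虑改用 https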
[root@am-01:/usr/local/nginx/conf/vhost#] /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@am-01:/usr/local/nginx/conf/vhost#] /usr/local/nginx/sbin/nginx -s reload

#测试 nginx 配置文件正确性并重载配置文件
[root@am-01:/usr/local/nginx/conf/vhost#] curl www.itwordsweb.com/robots.txt

User-agent: *

Disallow: /wp-admin/

Disallow: /wp-content/

Disallow: /wp-includes/

Disallow: /*/comment-page-*

Disallow: /*?replytocom=*

Disallow: /category/*/page/

Disallow: /tag/*/page/

Disallow: /*/trackback

Disallow: /feed

Disallow: /*/feed

Disallow: /comments/feed

Disallow: /?s=*

Disallow: /*/?s=*\

Disallow: /*?*

Disallow: /attachment/



Sitemap: https://www.itwordsweb.com/sitemap.xml

#直接访问 www.itwordsweb.com/robots.txt 是可以访问的
[root@am-01:/usr/local/nginx/conf/vhost#] curl -x127.0.0.1:80 www.itwordsweb.com/robots.txt

User-agent: *

Disallow: /wp-admin/

Disallow: /wp-content/

Disallow: /wp-includes/

Disallow: /*/comment-page-*

Disallow: /*?replytocom=*

Disallow: /category/*/page/

Disallow: /tag/*/page/

Disallow: /*/trackback

Disallow: /feed

Disallow: /*/feed

Disallow: /comments/feed

Disallow: /?s=*

Disallow: /*/?s=*\

Disallow: /*?*

Disallow: /attachment/



Sitemap: https://www.itwordsweb.com/sitemap.xml

#可见,这时使用本机作为代理访问 www.itwordsweb.com/robots.txt 也是可以正常访问的

注意事项

01:不管是代理服务器上,还是被代理的机器上,域名保持一致

02:线上环境是需要把网站域名解析到代理服务器上,这样用户的请求到了代理上,然后代理去帮用户到真实服务器获取数据,然后代理再把数据反馈给用户

扩展

502 问题汇总:

http://ask.apelearn.com/question/9109

location 优先级:

http://blog.lishiming.net/?p=100