
                  Nginx security-related configuration: hotlink protection

                                           Author: 尹正杰

    Copyright notice: original work, reproduction is refused! Violators will be held legally responsible.

    I. Overview of hotlinking and hotlink protection in Nginx

    1>.Hotlinking and hotlink protection

      Hotlink protection is based on the Referer header carried by the client. The Referer is a marker that records which page the user navigated from before opening the current page. If someone else links only to an image or some other individual resource on your site, instead of opening the whole page of your site, that is hotlinking.

    2>.Values of the referer

      The Referer is simply the domain of the site the visitor came from. Valid Referer information comes in the following kinds:
        none:
          The request header carries no Referer field at all, for example when the user types the domain into the browser directly to reach the web site; such a request has no Referer information.
        blocked:
          The request has a Referer field but no valid value, for example an empty one.
        server_names:
          The Referer field contains this host's name, i.e. a server_name that nginx listens on.
        arbitrary_string:
          A custom string; * may be used as a wildcard.
        regular expression:
          Strings matched by the given regular expression pattern; the pattern must start with ~, for example: "~.*.yinzhengjie.org.cn"

    3>.Search for "node101.yinzhengjie.org.cn" on Baidu and click the link; it opens our self-hosted web server. Observe the Referer information in the log, as shown in the figure below.

    II. Setting up a web server for normal access

    1>.Edit the main configuration file

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
    worker_processes  4;
    worker_cpu_affinity 00000001 00000010 00000100 00001000;

    events {
        worker_connections  100000;
        use epoll;
        accept_mutex on;
        multi_accept on;
    }

    http {
        include       mime.types;

        default_type  text/html;

        server_tokens off;

        charset utf-8;

        log_format my_access_json '{"@timestamp":"$time_iso8601",'
                                  '"host":"$server_addr",'
                                  '"clientip":"$remote_addr",'
                                  '"size":$body_bytes_sent,'
                                  '"responsetime":$request_time,'
                                  '"upstreamtime":"$upstream_response_time",'
                                  '"upstreamhost":"$upstream_addr",'
                                  '"http_host":"$host",'
                                  '"uri":"$uri",'
                                  '"domain":"$host",'
                                  '"xff":"$http_x_forwarded_for",'
                                  '"referer":"$http_referer",'
                                  '"tcp_xff":"$proxy_protocol_addr",'
                                  '"http_user_agent":"$http_user_agent",'
                                  '"status":"$status"}';
        access_log logs/access_json.log my_access_json;

        ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
        ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;

        include /yinzhengjie/softwares/nginx/conf.d/*.conf;
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    2>.Edit the sub-configuration file

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
    server {
        listen 80;
        listen 443 ssl;
        server_name node101.yinzhengjie.org.cn;
     
        access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
        error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;
    
        location / {
           root /yinzhengjie/data/web/nginx/static/cn;
           index index.html;
        }
    
        location = /favicon.ico {
           root /yinzhengjie/data/web/nginx/images/jd;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.Prepare test data

    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/{static,images}
    mkdir: created directory ‘/yinzhengjie/data/web/nginx’
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static’
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/images’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/cn/css
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn’
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn/css’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/images/jd
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/images/jd’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /yinzhengjie/data/web/nginx/static/cn/css/
    total 1004
    -rw-r--r-- 1 root root 1025154 Dec 24 18:29 01.png
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/cn/index.html 
    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8">
            <title>node101.yinzhengjie.org.cn</title>
            <style type="text/css">
            
                /* reset the default styles of all elements */
                *{
                    padding: 0;
                    margin: 0;
                }
                .box1{
                    width: 1215px;
                    height: 700px;
                    background-image: url(css/01.png);
                }
                
                p{
                    color: red;
                    font-size: 32px;
                    font-weight: bold;
                    font-family: "arial","华文彩云","微软雅黑",serif;
                }
            </style>
        </head>
        <body>
            <p>这是"node101.yinzhengjie.org.cn"的首页</p>
            <div class="box1"></div>
        </body>
    </html>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# wget https://www.jd.com/favicon.ico -O /yinzhengjie/data/web/nginx/images/jd/favicon.ico                  #here we download an image from the internet to use as the tab logo
    --2019-12-24 18:51:03--  https://www.jd.com/favicon.ico
    Resolving www.jd.com (www.jd.com)... 220.194.105.131, 2408:8710:20:1140:8000::3
    Connecting to www.jd.com (www.jd.com)|220.194.105.131|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 25214 (25K) [image/x-icon]
    Saving to: ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’
    
    100%[==================================================================================================================================>] 25,214      --.-K/s   in 0s      
    
    2019-12-24 18:51:09 (404 MB/s) - ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’ saved [25214/25214]
    
    [root@node101.yinzhengjie.org.cn ~]# 

    4>.Start the nginx service

    [root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24954/nginx: master 
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24954/nginx: master 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    5>.Visit "https://node101.yinzhengjie.org.cn/" in a browser, as shown in the figure below

    6>.View the nginx log information

    III. Simulating web hotlinking (for convenience of the experiment, I deploy node101.yinzhengjie.org.cn and node101.yinzhengjie.com in the same nginx instance)

    1>.Edit the sub-configuration file of the site that simulates the hotlinking

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_com.conf 
    server {
        listen 80;
        listen 443 ssl;
        server_name node101.yinzhengjie.com;
     
        access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_com_access.log my_access_json;
        error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_com_error.log;
    
        location / {
           root /yinzhengjie/data/web/nginx/static/com;
           index index.html;
        }
    
        location = /favicon.ico {
           root /yinzhengjie/data/web/nginx/images/jd;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    2>.Create test data

    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/com
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/com’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/web/nginx/static/com/index.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/com/index.html
    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8">
            <title>node101.yinzhengjie.com</title>
            <style type="text/css">
            
                /* reset the default styles of all elements */
                *{
                    padding: 0;
                    margin: 0;
                }
                .box1{
                    width: 1215px;
                    height: 700px;
                }
                
                p{
                    color: deeppink;
                    font-size: 50px;
                    font-weight: bold;
                    font-family: "curlz mt","微软雅黑",serif;
                }
            </style>
        </head>
        <body>
            <p>这是"node101.yinzhengjie.com"的首页</p>
            <div class="box1">
                <img src="https://node101.yinzhengjie.org.cn/css/01.png"  alt="运维工程师"/>
            </div>
        </body>
    </html>
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.Reload the nginx configuration file

    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    24955 24954  0 18:44 ?        00:00:00 nginx: worker process
    nginx    24956 24954  0 18:44 ?        00:00:00 nginx: worker process
    nginx    24957 24954  0 18:44 ?        00:00:00 nginx: worker process
    nginx    24958 24954  0 18:44 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -s reload
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    25418 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25419 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25420 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25421 24954  0 19:14 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    4>.Visit "http://node101.yinzhengjie.com/" in a browser; we find that it loads normally

    5>.Observe the logs of node101.yinzhengjie.org.cn: this site is not serving any user of its own, yet it is serving another site and wasting its bandwidth on it, as shown in the figure below.

    6>.Observe the logs of node101.yinzhengjie.org.cn, as shown in the figure below.

    IV. Simulating hotlink protection

    1>.Implement hotlink protection on the site that is being hotlinked
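The hotlinking shown in the logs above can be measured rather than eyeballed. The following script is an added example, not part of the original post: it reads lines in the my_access_json format defined in nginx.conf above, treats a request as foreign when its Referer host differs from the Host header the request was sent to, and sums how many requests and bytes were served to each foreign site (and how many were refused with 403 once protection is on). The sample log lines, IP addresses and sizes are constructed for the demonstration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the my_access_json log_format from the page.
# Values are made up; one line is deliberately corrupt to exercise error handling.
SAMPLE_LOG = """\
{"@timestamp":"2019-12-24T19:20:01+08:00","host":"172.30.1.101","clientip":"172.30.1.254","size":1186,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"node101.yinzhengjie.org.cn","uri":"/index.html","domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2019-12-24T19:20:01+08:00","host":"172.30.1.101","clientip":"172.30.1.254","size":1025154,"responsetime":0.004,"upstreamtime":"-","upstreamhost":"-","http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"https://node101.yinzhengjie.org.cn/","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2019-12-24T19:21:10+08:00","host":"172.30.1.101","clientip":"172.30.1.254","size":1025154,"responsetime":0.005,"upstreamtime":"-","upstreamhost":"-","http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"https://node101.yinzhengjie.com/","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2019-12-24T19:21:12+08:00","host":"172.30.1.101","clientip":"172.30.1.200","size":1025154,"responsetime":0.005,"upstreamtime":"-","upstreamhost":"-","http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"https://node101.yinzhengjie.com/","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"200"}
this line was corrupted by a log rotation and is not JSON
{"@timestamp":"2019-12-24T19:40:03+08:00","host":"172.30.1.101","clientip":"172.30.1.254","size":153,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"http://node101.yinzhengjie.com/","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"403"}
{"@timestamp":"2019-12-24T19:40:04+08:00","host":"172.30.1.101","clientip":"172.30.1.254","size":25214,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"node101.yinzhengjie.org.cn","uri":"/favicon.ico","domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"200"}
"""


def referer_host(referer):
    """Hostname of a logged Referer value; '' for a direct request (nginx logs '-')."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def hotlink_report(lines):
    """Per foreign Referer host: requests served with 200 (and their bytes) and requests refused with 403.

    A request is foreign when its Referer host differs from the Host the request
    was sent to. Same-site requests and direct requests (no Referer) are ignored.
    Lines that are not valid JSON are skipped instead of aborting the run.
    """
    report = defaultdict(lambda: {"served": 0, "bytes": 0, "blocked": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt or truncated line: skip it
        ref_host = referer_host(rec.get("referer", ""))
        own_host = str(rec.get("http_host", "")).lower()
        if not ref_host or ref_host == own_host:
            continue
        entry = report[ref_host]
        if rec.get("status") == "200":
            entry["served"] += 1
            entry["bytes"] += int(rec.get("size", 0))
        elif rec.get("status") == "403":
            entry["blocked"] += 1
    return dict(report)


if __name__ == "__main__":
    # Run on the real log instead with:
    # hotlink_report(open("/yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log"))
    for host, stats in hotlink_report(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: served {stats['served']} requests / {stats['bytes']} bytes, refused {stats['blocked']}")
```

On the sample data the report attributes two full copies of 01.png (2,050,308 bytes) to node101.yinzhengjie.com and one refused request after protection was enabled. The Referer is whatever the client chose to send, so the numbers describe what browsers reported, which is enough to spot which sites are embedding your resources and how much traffic that costs.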

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
    server {
        listen 80;
        listen 443 ssl;
        server_name node101.yinzhengjie.org.cn;
     
        access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
        error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;
    
        location / {
           root /yinzhengjie/data/web/nginx/static/cn;
           index index.html;
           #define the valid request referers, separated by spaces
           valid_referers none blocked server_names *.baidu.com example.*  ~.google.;
           #any referer not listed among the valid ones above is treated as an invalid request referer
           if ($invalid_referer) {
               return 403;
           }
        }
    
        location = /favicon.ico {
           root /yinzhengjie/data/web/nginx/images/jd;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
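To make the five kinds of Referer from section I.2 and the valid_referers line above concrete, here is an added example (not nginx's code and not from the original post) that re-implements the documented matching rules of ngx_http_referer_module in Python: none, blocked, server_names, a plain name with a leading or trailing *, and a ~regex applied to the Referer with its scheme stripped. It is fed the exact rule string and server_name from the configuration above and reports the status the `location /` block would return; the Referer strings in the test cases are constructed.

```python
import re
from urllib.parse import urlsplit

# The valid_referers line and the server_name from the node101.yinzhengjie.org.cn config above.
VALID_REFERERS = "none blocked server_names *.baidu.com example.* ~.google."
SERVER_NAMES = ["node101.yinzhengjie.org.cn"]


def referer_is_valid(referer, rule_string=VALID_REFERERS, server_names=SERVER_NAMES):
    """Return True when `referer` would NOT set $invalid_referer.

    `referer` is None when the request carries no Referer header, otherwise the
    header value as received. This follows the nginx documentation for
    ngx_http_referer_module; it is a study re-implementation, not nginx itself.
    """
    rules = rule_string.split()
    names = {n.lower() for n in server_names}

    # "none": no Referer header at all (typed URL, bookmark, privacy settings)
    if referer is None:
        return "none" in rules

    # "blocked": header present but stripped by a proxy/firewall, i.e. its value
    # does not start with http:// or https://
    if not re.match(r"https?://", referer, re.I):
        return "blocked" in rules

    text = re.sub(r"^https?://", "", referer, flags=re.I)  # what regex rules see
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"

    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in names:
                return True
            continue
        if rule.startswith("~"):
            # regular expression, matched (case-insensitively) against the scheme-less text
            if re.search(rule[1:], text, re.I):
                return True
            continue
        # arbitrary string: host with optional * at one end and an optional URI prefix
        name, _, prefix = rule.lower().partition("/")
        if name.startswith("*"):
            matched = host.endswith(name[1:])
        elif name.endswith("*"):
            matched = host.startswith(name[:-1])
        else:
            matched = host == name
        if matched and (not prefix or path.startswith("/" + prefix)):
            return True
    return False


def response_status(referer, **kw):
    """Status the `location /` block above would answer with for this Referer."""
    return 200 if referer_is_valid(referer, **kw) else 403


if __name__ == "__main__":
    # Constructed Referer values covering each rule kind plus the hotlinking site.
    cases = [None, "", "https://node101.yinzhengjie.org.cn/", "https://www.baidu.com/s?wd=node101",
             "http://example.org/", "https://www.google.com/search?q=x",
             "https://node101.yinzhengjie.com/", "https://google.com/"]
    for ref in cases:
        print(f"{str(ref)!s:45} -> {response_status(ref)}")
```

Two things the run makes visible. First, `~.google.` as written needs a character before "google", so a Referer of `https://google.com/` is refused while `https://www.google.com/` is accepted; escaping the dots (`~\.google\.`) or anchoring the host is how to make that intent explicit. Second, the header is supplied by the client, so any non-browser client can send a Referer naming your own site and pass the check: valid_referers stops browsers from rendering your images on other pages and saves bandwidth, but it is not an access control for the files themselves. Sending the same cases to the live server with curl's `--referer` option is the quickest way to confirm the configuration behaves like the table.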

    2>.Reload the configuration file

    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    25418 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25419 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25420 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25421 24954  0 19:14 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -s reload
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    25710 24954  1 19:37 ?        00:00:00 nginx: worker process
    nginx    25711 24954  1 19:37 ?        00:00:00 nginx: worker process
    nginx    25712 24954  1 19:37 ?        00:00:00 nginx: worker process
    nginx    25713 24954  0 19:37 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.Visit "http://node101.yinzhengjie.com/" in a browser; we find that it no longer loads normally, as shown in the figure below

    4>.Check the log information of the "node101.yinzhengjie.org.cn" site, as shown in the figure below

    5>.Check the log information of node101.yinzhengjie.org.cn

    Original article: https://www.cnblogs.com/yinzhengjie/p/12079540.html