

                  Nginx安全相关配置-防盗链

                                           作者:尹正杰

    版权声明:原创作品,谢绝转载!否则将追究法律责任。

    一.Nginx盗链与防盗链概述

    1>.盗链与防盗链

      防盗链基于客户端请求中携带的 Referer 首部实现。Referer 记录的是用户打开当前资源之前所在页面的地址,即"从哪个页面跳转过来"。如果别的站点只是直接引用了本站的图片或某个单独的资源,而不是让用户打开本站的整个页面,这就是盗链。需要注意:Referer 完全由客户端填写,可以被随意伪造或省略(例如 curl/wget 默认不带 Referer),因此基于 Referer 的防盗链只能挡住普通浏览器页面里的盗链引用,不能防御有意伪造请求的攻击者,也不应被当作访问控制手段。

    2>.referer的值

      referer就是之前的那个网站域名,valid_referers 指令可以接受以下几种取值(可同时写多个,用空格隔开):
        none:
          请求报文首部没有Referer首部,比如用户直接在浏览器输入域名访问web网站,就没有Referer信息;脚本工具(curl/wget)默认也不带Referer,所以放行none意味着这类工具同样可以直接下载资源。
        blocked:
          请求报文有Referer首部,但其值已被防火墙或代理服务器删除/改写,不以"http://"或"https://"开头。
        server_names:
          Referer首部中的主机名是本server块中server_name指令配置的某个名字。
        arbitrary_string:
          自定义指定字符串,可在开头或结尾使用*作通配符,例如"*.baidu.com"、"example.*"。
        regular expression:
          以~开头的正则表达式,匹配的是Referer中"http://"或"https://"之后的部分。正则中的点号要转义,否则"."会匹配任意字符,例如应写成:"~\.yinzhengjie\.org\.cn"

    3>.百度搜索“node101.yinzhengjie.org.cn”并点击链接会访问咱们本地自建的web服务器,观察日志中的referer信息,如下图所示。

    二.搭建web服务器提供正常访问

    1>.编辑主配置文件

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
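    worker_processes  4;
    worker_cpu_affinity 00000001 00000010 00000100 00001000;

    events {
       worker_connections  100000;
       use epoll;
       accept_mutex on;
       multi_accept on;
    }

    http {
        include       mime.types;

        default_type  text/html;

        # Do not advertise the nginx version in the Server header and error pages.
        server_tokens off;

        charset utf-8;

        # JSON access log shared by the per-site server blocks in conf.d/.
        # escape=json (nginx >= 1.11.8) escapes quotes, backslashes and control
        # characters in variables that are copied straight from the request,
        # such as $http_referer, $http_user_agent and $http_x_forwarded_for.
        # Without it a client can send a header containing '"' and break the
        # JSON structure of the log line (log injection), which is exactly what
        # this page later relies on to inspect the referer field.
        log_format my_access_json escape=json
            '{"@timestamp":"$time_iso8601",'
            '"host":"$server_addr",'
            '"clientip":"$remote_addr",'
            '"size":$body_bytes_sent,'
            '"responsetime":$request_time,'
            '"upstreamtime":"$upstream_response_time",'
            '"upstreamhost":"$upstream_addr",'
            '"http_host":"$host",'
            '"uri":"$uri",'
            '"domain":"$host",'
            '"xff":"$http_x_forwarded_for",'
            '"referer":"$http_referer",'
            '"tcp_xff":"$proxy_protocol_addr",'
            '"http_user_agent":"$http_user_agent",'
            '"status":"$status"}';
        access_log logs/access_json.log my_access_json;

        # One certificate for all virtual hosts below (they share the key pair).
        ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
        ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
        # nginx's default ssl_protocols still includes TLSv1 and TLSv1.1, both
        # deprecated (RFC 8996); restrict to modern versions. The TLSv1.3 token
        # needs nginx >= 1.13.0 built against OpenSSL 1.1.1 - drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;

        # Per-site server blocks (node101.yinzhengjie.org.cn, node101.yinzhengjie.com).
        include /yinzhengjie/softwares/nginx/conf.d/*.conf;
    }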
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    2>.编辑子配置文件

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
    server {
        # Plain HTTP and HTTPS in one server block; certificate and key come from
        # the http-level ssl_certificate* directives in nginx.conf.
        listen 80;
        listen 443 ssl;
        server_name node101.yinzhengjie.org.cn;
     
        # Per-site logs; my_access_json is the JSON log_format defined in nginx.conf.
        access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
        error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;
    
        # Site content. No Referer check yet, so css/01.png under this root can be
        # embedded from any other site (this is the baseline the hotlink demo exploits).
        location / {
           root /yinzhengjie/data/web/nginx/static/cn;
           index index.html;
        }
    
        # favicon is served from its own directory, outside the site root.
        location = /favicon.ico {
           root /yinzhengjie/data/web/nginx/images/jd;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.准备测试数据

    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/{static,images}
    mkdir: created directory ‘/yinzhengjie/data/web/nginx’
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static’
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/images’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/cn/css
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn’
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn/css’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/images/jd
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/images/jd’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /yinzhengjie/data/web/nginx/static/cn/css/
    total 1004
    -rw-r--r-- 1 root root 1025154 Dec 24 18:29 01.png
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/cn/index.html 
    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8">
            <title>node101.yinzhengjie.org.cn</title>
            <style type="text/css">
            
                /* Reset the default padding/margin of every element. */
                *{
                    padding: 0;
                    margin: 0;
                }
                .box1{
                    width: 1215px;
                    height: 700px;
                    /* Same-origin image (served from the site root); this is the
                       file the other site hotlinks later in the page. */
                    background-image: url(css/01.png);
                }
                
                p{
                    color: red;
                    font-size: 32px;
                    font-weight: bold;
                    font-family: "arial","华文彩云","微软雅黑",serif;
                }
            </style>
        </head>
        <body>
            <p>这是"node101.yinzhengjie.org.cn"的首页</p>
            <div class="box1"></div>
        </body>
    </html>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# wget https://www.jd.com/favicon.ico -O /yinzhengjie/data/web/nginx/images/jd/favicon.ico                  #此处我们从网上下载一张图片作为标签的logo
    --2019-12-24 18:51:03--  https://www.jd.com/favicon.ico
    Resolving www.jd.com (www.jd.com)... 220.194.105.131, 2408:8710:20:1140:8000::3
    Connecting to www.jd.com (www.jd.com)|220.194.105.131|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 25214 (25K) [image/x-icon]
    Saving to: ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’
    
    100%[==================================================================================================================================>] 25,214      --.-K/s   in 0s      
    
    2019-12-24 18:51:09 (404 MB/s) - ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’ saved [25214/25214]
    
    [root@node101.yinzhengjie.org.cn ~]# 

    4>.启动nginx服务

    [root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24954/nginx: master 
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24954/nginx: master 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    5>.浏览器访问"https://node101.yinzhengjie.org.cn/",如下图所示

    6>.查看nginx的日志信息

    三.模拟web盗链(为了试验方便,我将node101.yinzhengjie.org.cn和node101.yinzhengjie.org.com部署在同一个nginx实例里)

    1>.编辑模拟盗链网址的子配置文件

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_com.conf 
    server {
        # The "hotlinking" site. It lives in the same nginx instance only for
        # convenience of the demo; TLS material is inherited from nginx.conf.
        listen 80;
        listen 443 ssl;
        server_name node101.yinzhengjie.com;
     
        # Separate log files so this site's traffic can be compared with the
        # victim site's log (node101_yinzhengjie_org_cn_access.log).
        access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_com_access.log my_access_json;
        error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_com_error.log;
    
        # Its index.html embeds an image by absolute URL from node101.yinzhengjie.org.cn.
        location / {
           root /yinzhengjie/data/web/nginx/static/com;
           index index.html;
        }
    
        # Same favicon directory as the other site.
        location = /favicon.ico {
           root /yinzhengjie/data/web/nginx/images/jd;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    2>.创建测试数据

    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/com
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/com’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/web/nginx/static/com/index.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/com/index.html
    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8">
            <title>node101.yinzhengjie.com</title>
            <style type="text/css">
            
                /* Reset the default padding/margin of every element. */
                *{
                    padding: 0;
                    margin: 0;
                }
                .box1{
                    width: 1215px;
                    height: 700px;
                }
                
                p{
                    color: deeppink;
                    font-size: 50px;
                    font-weight: bold;
                    font-family: "curlz mt","微软雅黑",serif;
                }
            </style>
        </head>
        <body>
            <p>这是"node101.yinzhengjie.com"的首页</p>
            <div class="box1">
                <!-- Hotlink: the image is fetched from the other site's origin. The
                     browser sends this page's URL as Referer, which is what the
                     valid_referers check on node101.yinzhengjie.org.cn later rejects with 403. -->
                <img src="https://node101.yinzhengjie.org.cn/css/01.png"  alt="运维工程师"/>
            </div>
        </body>
    </html>
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.重新加载nginx的配置文件

    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    24955 24954  0 18:44 ?        00:00:00 nginx: worker process
    nginx    24956 24954  0 18:44 ?        00:00:00 nginx: worker process
    nginx    24957 24954  0 18:44 ?        00:00:00 nginx: worker process
    nginx    24958 24954  0 18:44 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -s reload
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    25418 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25419 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25420 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25421 24954  0 19:14 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    4>.浏览器访问"http://node101.yinzhengjie.com/",我们发现可以正常访问,来自node101.yinzhengjie.org.cn的图片也正常显示

    5>.观察node101.yinzhengjie.org.cn的日志,该站点并没有对用户提供服务,却为别的站点服务而正浪费着带宽呢,如下图所示。

    6>.观察盗链方node101.yinzhengjie.com的日志,如下图所示。

    四.模拟防盗链

    1>.在被盗链的站点上实现防盗链

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
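    server {
        listen 80;
        listen 443 ssl;
        server_name node101.yinzhengjie.org.cn;
     
        access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
        error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;
    
        location / {
           root /yinzhengjie/data/web/nginx/static/cn;
           index index.html;
           # Referers allowed to load resources under this location (space separated):
           #   none         - no Referer header at all: typed-in URLs and bookmarks, but
           #                  also curl/wget or any client that simply omits the header.
           #                  Keeping "none" is needed for direct visits, but it means this
           #                  check only stops other web pages from embedding our files,
           #                  not deliberate scripted downloads.
           #   blocked      - Referer present but stripped/rewritten by a proxy or firewall
           #                  (value does not start with http:// or https://).
           #   server_names - the names configured by server_name above.
           #   *.baidu.com  - leading wildcard.
           #   example.*    - trailing wildcard.
           #   ~\.google\.  - regex, matched against the part after http:// or https://.
           #                  The dots must be escaped: the original "~.google." let "."
           #                  match any character, so hosts like "xgoogle.net" or
           #                  "evilgoogle.com" would have been accepted.
           valid_referers none blocked server_names *.baidu.com example.* ~\.google\.;
           # Any Referer not matched above sets $invalid_referer to "1"; reject it.
           # "return" is one of the directives that is safe to use inside "if".
           if ($invalid_referer) {
               return 403;
           }
        }
    
        # Served outside the protected location, so the favicon has no Referer check.
        location = /favicon.ico {
           root /yinzhengjie/data/web/nginx/images/jd;
        }
    }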
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 

    2>.重新加载配置文件

    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    25418 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25419 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25420 24954  0 19:14 ?        00:00:00 nginx: worker process
    nginx    25421 24954  0 19:14 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -s reload
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
    nginx    25710 24954  1 19:37 ?        00:00:00 nginx: worker process
    nginx    25711 24954  1 19:37 ?        00:00:00 nginx: worker process
    nginx    25712 24954  1 19:37 ?        00:00:00 nginx: worker process
    nginx    25713 24954  0 19:37 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.浏览器访问"http://node101.yinzhengjie.com/",页面本身仍能打开,但盗链自node101.yinzhengjie.org.cn的图片被拒绝(返回403),无法正常显示,如下图所示

    4>.查看"node101.yinzhengjie.org.cn"站点日志信息,如下图所示

    5>.查看盗链方node101.yinzhengjie.com的日志信息
