To speed up request processing for a website, dynamic pages and static pages can be handled by different servers, which reduces the load on what was originally a single server. Put simply, requests are matched and filtered with regular expressions and then handed to different servers.
1. Dynamic and static separation
Prepare one nginx proxy in front of two HTTP servers, which handle dynamic and static content separately.
Configure the nginx reverse proxy upstreams:
upstream static {
    server 192.168.49.140:80;
}
upstream phpserver {
    server 192.168.49.143:80;
}
server {
    listen 80;
    server_name localhost;
    # Load dynamic resources
    location ~ \.(php|jsp)$ {
        proxy_pass http://phpserver;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Load static resources
    location ~ .*\.(html|jpg|png|css|js)$ {
        proxy_pass http://static;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Static resource configuration:
server {
    listen 80;
    server_name localhost;
    location ~ \.(html|jpg|png|js|css) {
        root /home/www/nginx;
    }
}
Dynamic resource configuration:
Install PHP 7.1 with yum:
[root@nginx-server ~]#rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
[root@nginx-server ~]#rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
[root@nginx-server ~]#yum install php71w-xsl php71w php71w-ldap php71w-cli php71w-common php71w-devel php71w-gd php71w-pdo php71w-mysql php71w-mbstring php71w-bcmath php71w-mcrypt -y
[root@nginx-server ~]#yum install -y php71w-fpm
[root@nginx-server ~]#systemctl start php-fpm
[root@nginx-server ~]#systemctl enable php-fpm
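Edit the nginx configuration file:
server {
    listen 80;
    server_name localhost;
    location ~ \.php$ {
        root /home/nginx/html; # site directory; note the access permissions (755)
        fastcgi_pass 127.0.0.1:9000; # address the request is passed to
        fastcgi_index index.php; # default file
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # script path under the site root; depends on the root directive
        include fastcgi_params; # include nginx's FastCGI parameter definitions
    }
}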
When a static page is accessed, the location that matches (html|jpg|png|js|css) forwards the request to the static server, and the static server handles it through the regex match in its own location. When a dynamic page is accessed, requests whose path ends in .php are matched by the location and forwarded to the back-end PHP service for processing.
Enter the proxy server's ip/index.php in the browser: the request first goes to the dynamic server; when a static picture is found during the visit, the static server is visited in turn, the picture is found and sent to the proxy server, and the proxy returns it to the browser for display.
Pay attention to the issue of permissions.
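The routing described above can be checked offline with a small model of the proxy's two regex locations. This is an added example, not part of the original page; the request URIs in the test calls are constructed, and the model leaves out nginx's URI normalization.

```python
import re
from urllib.parse import urlsplit

# Regex locations from the proxy's server block, in configuration order.
# nginx tests regex locations in the order they appear; the first match wins.
PROXY_LOCATIONS = [
    (re.compile(r"\.(php|jsp)$"), "phpserver"),
    (re.compile(r".*\.(html|jpg|png|css|js)$"), "static"),
]

# The static server's own location as written on the page (no trailing "$").
STATIC_SERVER_LOCATION = re.compile(r"\.(html|jpg|png|js|css)")


def route(request_target):
    """Return the upstream the proxy picks, or None when no location matches."""
    # Locations are matched against the path only, never the query string.
    path = urlsplit(request_target).path
    for pattern, upstream in PROXY_LOCATIONS:
        # "~" is a case-sensitive regex search over the path.
        if pattern.search(path):
            return upstream
    # No location matched: the proxy serves the request itself and
    # forwards it to neither back end.
    return None


def static_server_accepts(path):
    """True when the static server's (unanchored) location matches the path."""
    return STATIC_SERVER_LOCATION.search(path) is not None
```

Paths with upper-case extensions and paths without an extension match neither location on the proxy, and the static server's pattern is looser than the proxy's because it lacks the trailing `$`.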
2. nginx anti-leech problem
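Take two websites, A and B. If site B references pictures hosted on site A, this behaviour is called hotlinking (leeching). Anti-leech protection means preventing B from referencing A's pictures.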
1. nginx module to prevent website resources from being stolen
ngx_http_referer_module
How to distinguish abnormal users?
The HTTP Referer is part of the request header. When the browser sends a request to the web server, it usually includes the Referer, which tells the server which page the request was linked from. The server can use this information for processing, for example to prevent unauthorized hotlinking of the pictures, files, etc. on your website. However, the HTTP Referer header can be forged and generated by a program, so Referer-based anti-leeching is not 100% reliable, but it can limit most hotlinking.
2. Anti-leech configuration
Configuration points:
[root@nginx-server ~]# vim /etc/nginx/nginx.conf
# Add "$http_referer" to the log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# valid_referers usage
Syntax: valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location
- none: allow requests that carry no Referer header to access resources;
- blocked: allow requests whose Referer does not start with http:// (no protocol, i.e. the value was filtered by a firewall) to access resources;
- server_names: only allow requests whose Referer is one of the specified IPs/domain names to access resources (whitelist);
Prepare two machines and one picture.
Image website server (192.168.1.9): upload the picture
[root@nginx-server ~]# cp test.jpg /usr/share/nginx/html/
[root@nginx-server ~]# cd /etc/nginx/conf.d/
[root@nginx-server conf.d]# cp default.conf default.conf.bak
[root@nginx-server conf.d]# mv default.conf nginx.conf
[root@nginx-server conf.d]# vim nginx.conf
server {
    listen 80;
    server_name localhost;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
[root@nginx-server conf.d]# nginx -t
[root@nginx-server conf.d]# systemctl restart nginx
Access the picture:
Referer: for this request the matched value is empty, "-".
Hotlinking machine configuration (192.168.1.10):
[root@nginx-client ~]# cd /usr/share/nginx/html/
[root@nginx-client html]# cp index.html index.html.bak
[root@nginx-client html]# vim index.html
<html>
<head>
    <meta charset="utf-8">
    <title>qf.com</title>
</head>
<body style="background-color:red;">
    <img src="http://192.168.1.9/test.jpg"/>
</body>
</html>
[root@nginx-client html]# systemctl restart nginx
View the server logs:
The Referer is recorded: the request was linked from the 192.168.1.10 machine.
On the image server:
[root@nginx-server conf.d]# vim nginx.conf
server {
    listen 80;
    server_name localhost;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
        valid_referers none blocked www.jd.com; # allow these referers
        if ($invalid_referer) {
            return 403;
        }
    }
}
[root@nginx-server conf.d]# systemctl restart nginx
Test the visit:
View the log on the picture server:
With the above configuration, access from the machine 192.168.1.10 is not allowed.
Example 2: continue on the image server
[root@nginx-server html]# vim /etc/nginx/conf.d/nginx.conf # delete the original content
server {
    listen 80;
    server_name localhost;
    location ~ .*\.(gif|jpg|png|jpeg)$ {
        root /usr/share/nginx/html;
        valid_referers none blocked *.qf.com 192.168.1.10;
        if ($invalid_referer) {
            return 403;
        }
    }
}
Reload the nginx service:
[root@nginx-server ~]# nginx -s reload
Test from one of the machines:
Test without a Referer:
[root@nginx-server conf.d]# curl -I "http://192.168.1.9/test.jpg"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:02:56 GMT
Content-Type: image/jpeg
Content-Length: 27961
Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
Connection: keep-alive
ETag: "5d6d17c0-6d39"
Accept-Ranges: bytes
Test with an invalid Referer:
[root@nginx-server conf.d]# curl -e http://www.baidu.com -I "http://192.168.1.9/test.jpg"
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:03:48 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
Test with a valid Referer:
[root@nginx-server conf.d]# curl -e http://www.qf.com -I "http://192.168.1.9/test.jpg"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:04:52 GMT
Content-Type: image/jpeg
Content-Length: 27961
Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
Connection: keep-alive
ETag: "5d6d17c0-6d39"
Accept-Ranges: bytes
[root@ansible-server conf.d]# curl -e http://192.168.1.10 -I "http://192.168.1.9/test.jpg"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:05:36 GMT
Content-Type: image/jpeg
Content-Length: 27961
Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
Connection: keep-alive
ETag: "5d6d17c0-6d39"
Accept-Ranges: bytes
If the user directly enters your picture address in the browser, the picture is displayed normally because it conforms to the none rule.
View the log on the image server:
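One way to review that log for hotlinking is to parse the "main" log format configured earlier and classify each Referer against the rule `valid_referers none blocked *.qf.com 192.168.1.10`. This is an added example, not part of the original page: the sample log lines and the host `qf.com.example.net` are constructed, and the matching is a simplified model of nginx's behaviour.

```python
import re
from collections import Counter

# Mirrors the page's rule: valid_referers none blocked *.qf.com 192.168.1.10;
ALLOWED_HOSTS = ("*.qf.com", "192.168.1.10")

# The fields of the page's "main" log_format that are needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" '
)

def referer_host(referer):
    """Host part of an http(s) Referer, lower-cased; the port is dropped."""
    m = re.match(r"https?://([^/:?#]+)", referer, re.I)
    return m.group(1).lower() if m else None

def classify_referer(referer):
    """Return 'none', 'blocked', 'allowed' or 'invalid' for a logged Referer."""
    if referer in ("", "-"):            # header absent: nginx logs "-"
        return "none"
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked"                # header present, scheme missing
    host = referer_host(referer) or ""
    for pattern in ALLOWED_HOSTS:
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return "allowed"            # "*.qf.com": subdomains of qf.com
        if host == pattern:
            return "allowed"
    return "invalid"                    # nginx would set $invalid_referer

def hotlink_report(lines):
    """Count (referer host, status) for requests whose Referer is invalid."""
    report = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and classify_referer(m["referer"]) == "invalid":
            report[(referer_host(m["referer"]), int(m["status"]))] += 1
    return report

# Constructed sample lines in the "main" format (not taken from the page).
SAMPLE = [
    '192.168.1.50 - - [02/Sep/2019:14:02:56 +0800] "GET /test.jpg HTTP/1.1" 200 27961 "-" "curl/7.29.0" "-"',
    '192.168.1.50 - - [02/Sep/2019:14:03:48 +0800] "GET /test.jpg HTTP/1.1" 403 153 "http://www.baidu.com" "curl/7.29.0" "-"',
    '192.168.1.51 - - [02/Sep/2019:14:04:52 +0800] "GET /test.jpg HTTP/1.1" 200 27961 "http://www.qf.com/index.html" "Mozilla/5.0" "-"',
    '192.168.1.52 - - [02/Sep/2019:14:05:36 +0800] "GET /test.jpg HTTP/1.1" 200 27961 "http://192.168.1.10/" "Mozilla/5.0" "-"',
    '192.168.1.53 - - [02/Sep/2019:14:06:10 +0800] "GET /test.jpg HTTP/1.1" 403 153 "http://qf.com.example.net/gallery" "Mozilla/5.0" "-"',
    '192.168.1.54 - - [02/Sep/2019:14:06:30 +0800] "GET /test.jpg HTTP/1.1" 403 153 "http://www.baidu.com/s?wd=test" "Mozilla/5.0" "-"',
]
```

A `(host, 200)` entry in the report means a request with a Referer outside the whitelist was still served, which points at a location the rule does not cover.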