Nginx: dynamic/static separation and hotlink protection

To speed up page delivery, dynamic pages and static files can be served by different servers, which also takes load off a single origin server. In short, nginx matches the request URI with a regular expression and forwards it to the appropriate backend.

1. Dynamic and static separation

Prepare one nginx reverse proxy in front of two HTTP backends, one handling dynamic content and one handling static content.

Configure the nginx reverse proxy with two upstreams:
upstream static {
    server 192.168.49.140:80;
}
upstream phpserver {
    server 192.168.49.143:80;
}
server {
    listen      80;
    server_name localhost;
    #dynamic resources
    location ~ \.(php|jsp)$ {
        proxy_pass http://phpserver;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    #static resources
    location ~ .*\.(html|jpg|png|css|js)$ {
        proxy_pass http://static;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Static resource server configuration:
server {
    listen      80;
    server_name localhost;

    location ~ \.(html|jpg|png|js|css)$ {   #anchored at the end of the URI, like the proxy rule
        root /home/www/nginx;
    }
}
Dynamic resource server configuration:
Install PHP 7.1 with yum:
[root@nginx-server ~]#rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
[root@nginx-server ~]#rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
[root@nginx-server ~]#yum install php71w-xsl php71w php71w-ldap php71w-cli php71w-common php71w-devel php71w-gd php71w-pdo php71w-mysql php71w-mbstring php71w-bcmath php71w-mcrypt -y
[root@nginx-server ~]#yum install -y php71w-fpm
[root@nginx-server ~]#systemctl start php-fpm
[root@nginx-server ~]#systemctl enable php-fpm
Edit the nginx configuration file:
server {
    listen      80;
    server_name localhost;
    location ~ \.php$ {
        root           /home/nginx/html;  #site directory; it must be readable (mode 755)
        fastcgi_pass   127.0.0.1:9000;    #php-fpm address
        fastcgi_index  index.php;         #default file
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name; #script path under the site root, i.e. the root directive above
        include        fastcgi_params;    #nginx's standard fastcgi variable definitions
    }
}

When a static page is requested, the proxy location matching \.(html|jpg|png|js|css)$ forwards the request to the static server, whose own regex location then serves the file.

When a dynamic page is requested, the location matching a URI ending in .php forwards it to the back-end PHP service, which processes the request.

Enter the proxy server's ip/index.php in the browser. The request first goes to the dynamic server; when the returned page references a static image, the browser requests that image, the proxy forwards the request to the static server, fetches the image, and returns it to the browser for display.

Pay attention to file permissions on the site directories.

2. Nginx hotlink protection

Given two websites A and B, when B embeds images hosted on A, that is called hotlinking. Hotlink protection means preventing B from referencing A's images.

1. The nginx module that prevents site resources from being hotlinked

ngx_http_referer_module

How do we distinguish abnormal requests?

HTTP Referer is part of the request header. When a browser sends a request to a web server, it usually includes the Referer, which tells the server which page the request was linked from; the server can use that information, for example to prevent unauthorized hotlinking of images and files on your site. However, the HTTP Referer header can be forged by a program, so Referer-based hotlink protection is not 100% reliable, though it does stop most hotlinking.

2. Hotlink protection configuration

Configuration points:

[root@nginx-server ~]# vim /etc/nginx/nginx.conf
# add "$http_referer" to the log format
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
# how valid_referers is used
Syntax:  valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location
  • none: allow requests that carry no Referer header;

  • blocked: allow requests whose Referer header is present but has been stripped or altered (for example by a firewall or proxy) so that its value does not start with http:// or https://;

  • server_names: allow requests whose Referer host matches one of the server_name values (whitelist);

  • string: an explicit host name or IP address, optionally with a leading or trailing * wildcard (e.g. *.qf.com), as used in the examples below.
    Prepare two machines and one image.

    Image server: upload the image, 192.168.1.9
    [root@nginx-server ~]# cp test.jpg /usr/share/nginx/html/
    [root@nginx-server ~]# cd /etc/nginx/conf.d/
    [root@nginx-server conf.d]# cp default.conf default.conf.bak
    [root@nginx-server conf.d]# mv default.conf nginx.conf
    [root@nginx-server conf.d]# vim nginx.conf
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
    [root@nginx-server conf.d]# nginx -t
    [root@nginx-server conf.d]# systemctl restart nginx


    Access the image directly in a browser, then check the access log: the Referer recorded for this request is empty, "-".

    Hotlinking machine configuration: 192.168.1.10
    [root@nginx-client ~]# cd /usr/share/nginx/html/
    [root@nginx-client html]# cp index.html index.html.bak
    [root@nginx-client html]# vim index.html
    <html>
    <head>
        <meta charset="utf-8">
        <title>qf.com</title>
    </head>
    <body style="background-color:red;">
        <img src="http://192.168.1.9/test.jpg"/>
    </body>
    </html>
    [root@nginx-client html]# systemctl restart nginx


    Open the hotlinking machine's page in a browser, then view the image server's log: the Referer recorded is 192.168.1.10, the hotlinking machine.

    On the image server:
    [root@nginx-server conf.d]# vim nginx.conf
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;

            valid_referers none blocked www.jd.com;  #allow these referers
            if ($invalid_referer) {
                return 403;
            }
        }
    }
    [root@nginx-server conf.d]# systemctl restart nginx


    Repeat the visit from the hotlinking machine and view the log on the image server: with the configuration above, requests referred from 192.168.1.10 are denied.

    Example two, again on the image server:
    [root@nginx-server html]# vim /etc/nginx/conf.d/nginx.conf  #replace the previous content
    server {
        listen       80;
        server_name  localhost;
        location ~  .*\.(gif|jpg|png|jpeg)$ {
            root  /usr/share/nginx/html;

            valid_referers none blocked *.qf.com 192.168.1.10;
            if ($invalid_referer) {
                return 403;
            }
        }
    }
    Reload the nginx service:
    [root@nginx-server ~]# nginx -s reload

    Test from one of the machines:
    Without a Referer:
    [root@nginx-server conf.d]# curl -I "http://192.168.1.9/test.jpg"
    HTTP/1.1 200 OK
    Server: nginx/1.16.1
    Date: Mon, 02 Sep 2019 14:02:56 GMT
    Content-Type: image/jpeg
    Content-Length: 27961
    Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
    Connection: keep-alive
    ETag: "5d6d17c0-6d39"
    Accept-Ranges: bytes

    With an illegitimate Referer:
    [root@nginx-server conf.d]# curl -e http://www.baidu.com -I "http://192.168.1.9/test.jpg"
    HTTP/1.1 403 Forbidden
    Server: nginx/1.16.1
    Date: Mon, 02 Sep 2019 14:03:48 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive

    With a legitimate Referer:
    [root@nginx-server conf.d]# curl -e http://www.qf.com -I "http://192.168.1.9/test.jpg"
    HTTP/1.1 200 OK
    Server: nginx/1.16.1
    Date: Mon, 02 Sep 2019 14:04:52 GMT
    Content-Type: image/jpeg
    Content-Length: 27961
    Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
    Connection: keep-alive
    ETag: "5d6d17c0-6d39"
    Accept-Ranges: bytes

    [root@ansible-server conf.d]# curl -e http://192.168.1.10 -I "http://192.168.1.9/test.jpg"
    HTTP/1.1 200 OK
    Server: nginx/1.16.1
    Date: Mon, 02 Sep 2019 14:05:36 GMT
    Content-Type: image/jpeg
    Content-Length: 27961
    Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
    Connection: keep-alive
    ETag: "5d6d17c0-6d39"
    Accept-Ranges: bytes


    If a user enters the image URL directly in the browser, the image is displayed normally because the request matches the none rule; this can be checked in the access log on the image server.
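As an added example (not from the original post), the following Python script emulates the `valid_referers` matching that the configurations above rely on and runs it over constructed access-log lines in the `main` log_format shown earlier, so that hotlinked requests can be picked out of an existing log before or after the 403 rule is deployed. The log lines, the rule list and the function names `referer_allowed` and `find_hotlinks` are constructed for this example; `server_names` and URI prefixes are not emulated. Note that `*.qf.com` matches subdomains only, not the bare `qf.com`.

```python
import re

# Constructed access-log lines in the page's "main" log_format (the 7th field is "$http_referer").
SAMPLE_LOG = """\
192.168.1.10 - - [02/Sep/2019:14:02:56 +0000] "GET /test.jpg HTTP/1.1" 200 27961 "-" "curl/7.29.0" "-"
192.168.1.10 - - [02/Sep/2019:14:03:48 +0000] "GET /test.jpg HTTP/1.1" 403 153 "http://www.baidu.com" "curl/7.29.0" "-"
192.168.1.10 - - [02/Sep/2019:14:04:52 +0000] "GET /test.jpg HTTP/1.1" 200 27961 "http://www.qf.com" "curl/7.29.0" "-"
192.168.1.10 - - [02/Sep/2019:14:05:36 +0000] "GET /test.jpg HTTP/1.1" 200 27961 "http://192.168.1.10:80/index.html" "Mozilla/5.0" "-"
192.168.1.10 - - [02/Sep/2019:14:06:30 +0000] "GET /test.jpg HTTP/1.1" 200 27961 "blocked" "Mozilla/5.0" "-"
192.168.1.10 - - [02/Sep/2019:14:07:12 +0000] "GET /test.jpg HTTP/1.1" 200 27961 "https://qf.com/" "Mozilla/5.0" "-"
"""
# The rule list from the page's second example: valid_referers none blocked *.qf.com 192.168.1.10;
RULES = ["none", "blocked", "*.qf.com", "192.168.1.10"]

LOG_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')


def referer_allowed(referer, rules):
    """Emulate valid_referers for one logged Referer value ("-" means the header was absent)."""
    if referer == "-":
        return "none" in rules
    lower = referer.lower()                     # nginx compares case-insensitively
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            rest = lower[len(scheme):]
            break
    else:
        return "blocked" in rules               # header present but scheme stripped or altered
    host = re.split(r"[/:]", rest, maxsplit=1)[0]   # host ends at the first '/' or ':' (port)
    for rule in rules:
        if rule in ("none", "blocked", "server_names"):   # server_names needs the server_name
            continue                                      # list and is not emulated (assumption)
        rule = rule.lower()
        if rule.startswith("*.") and host.endswith(rule[1:]):   # *.qf.com: subdomains only
            return True
        if rule.endswith(".*") and host.startswith(rule[:-1]):  # www.qf.*: any suffix
            return True
        if host == rule:
            return True
    return False


def find_hotlinks(log_text, rules):
    """Return (client_ip, request, referer) for every log line whose Referer the rules reject."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not referer_allowed(m.group(7), rules):
            hits.append((m.group(1), m.group(4), m.group(7)))
    return hits
```

Running `find_hotlinks(SAMPLE_LOG, RULES)` flags only the `www.baidu.com` and bare `qf.com` referers; the direct visit, the stripped ("blocked") Referer, the `www.qf.com` page and the whitelisted 192.168.1.10 host all pass.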

Origin blog.csdn.net/weixin_49844466/article/details/108327635