Nginx security configuration: hotlink protection


                                       Author: 尹正杰

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

I. Overview of hotlinking and hotlink protection in Nginx

1>. Hotlinking and hotlink protection

  Hotlink protection is based on the Referer header sent by the client. The Referer records which page the user was on before the current page was opened. When another site links only to an image or some other individual resource of your website, instead of opening your whole page, that is hotlinking.

2>. Values of the Referer

  The Referer is the domain of the previous site. The categories of Referer that nginx can treat as valid are:
    none:
      The request has no Referer header, e.g. the user typed the domain directly into the browser, so no Referer is sent.
    blocked:
      The request has a Referer header but it carries no valid value, e.g. it is empty.
    server_names:
      The Referer contains this host's own name, i.e. a server_name that nginx listens on.
    arbitrary_string:
      A user-specified string; * can be used as a wildcard.
    regular expression:
      A string matched by the specified regular expression; the pattern must start with ~, for example: "~.*.yinzhengjie.org.cn"

3>. Search Baidu for "node101.yinzhengjie.org.cn" and click the result; it reaches the web server we host locally. Observe the Referer recorded in the log, as shown in the figure below.


II. Setting up a web server for normal access

1>. Edit the main configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes  4;
worker_cpu_affinity 00000001 00000010 00000100 00001000; 
 
events {
   worker_connections  100000;
   use epoll;
   accept_mutex on;
   multi_accept on; 
}
   
   http {
     include       mime.types;
       
     default_type  text/html;
    
     server_tokens off; 
      
     charset utf-8;
   
     log_format my_access_json '{"@timestamp":"$time_iso8601",' '"host":"$server_addr",' '"clientip":"$remote_addr",' '"size":$body_bytes_sent,' '"responsetime":$request_time,' '"upstreamtime":"$upstream_response_time",' '"upstreamhost":"$upstream_addr",' '"http_host":"$host",' '"uri":"$uri",' '"domain":"$host",' '"xff":"$http_x_forwarded_for",' '"referer":"$http_referer",' '"tcp_xff":"$proxy_protocol_addr",' '"http_user_agent":"$http_user_agent",' '"status":"$status"}';
    access_log logs/access_json.log my_access_json;
 
    ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
    ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
  
    include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

2>. Edit the per-site configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.org.cn;
 
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
    error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;

    location / {
       root /yinzhengjie/data/web/nginx/static/cn;
       index index.html;
    }

    location = /favicon.ico {
       root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 

3>. Prepare test data

[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/{static,images}
mkdir: created directory ‘/yinzhengjie/data/web/nginx’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/images’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/cn/css
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn/css’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/images/jd
mkdir: created directory ‘/yinzhengjie/data/web/nginx/images/jd’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /yinzhengjie/data/web/nginx/static/cn/css/
total 1004
-rw-r--r-- 1 root root 1025154 Dec 24 18:29 01.png
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/cn/index.html 
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>node101.yinzhengjie.org.cn</title>
        <style type="text/css">
        
            /* Reset the default styles of all elements */
            *{
                padding: 0;
                margin: 0;
            }
            .box1{
                width: 1215px;
                height: 700px;
                background-image: url(css/01.png);
            }
            
            p{
                color: red;
                font-size: 32px;
                font-weight: bold;
                font-family: "arial","华文彩云","微软雅黑",serif;
            }
        </style>
    </head>
    <body>
        <p>这是"node101.yinzhengjie.org.cn"的首页</p>
        <div class="box1"></div>
    </body>
</html>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# wget https://www.jd.com/favicon.ico -O /yinzhengjie/data/web/nginx/images/jd/favicon.ico                  # Here we download an icon from the internet to use as the tab logo
--2019-12-24 18:51:03--  https://www.jd.com/favicon.ico
Resolving www.jd.com (www.jd.com)... 220.194.105.131, 2408:8710:20:1140:8000::3
Connecting to www.jd.com (www.jd.com)|220.194.105.131|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25214 (25K) [image/x-icon]
Saving to: ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’

100%[==================================================================================================================================>] 25,214      --.-K/s   in 0s      

2019-12-24 18:51:09 (404 MB/s) - ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’ saved [25214/25214]

[root@node101.yinzhengjie.org.cn ~]# 

4>. Start the nginx service

[root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24954/nginx: master 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24954/nginx: master 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

5>. Open "https://node101.yinzhengjie.org.cn/" in a browser, as shown in the figure below


6>. Check the nginx log


III. Simulating web hotlinking (for convenience of the experiment, node101.yinzhengjie.org.cn and node101.yinzhengjie.com are deployed in the same nginx instance)

1>. Edit the per-site configuration file for the simulated hotlinking site

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_com.conf 
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.com;
 
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_com_access.log my_access_json;
    error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_com_error.log;

    location / {
       root /yinzhengjie/data/web/nginx/static/com;
       index index.html;
    }

    location = /favicon.ico {
       root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

2>. Create test data

[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/com
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/com’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/web/nginx/static/com/index.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/com/index.html
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>node101.yinzhengjie.com</title>
        <style type="text/css">
        
            /* Reset the default styles of all elements */
            *{
                padding: 0;
                margin: 0;
            }
            .box1{
                width: 1215px;
                height: 700px;
            }
            
            p{
                color: deeppink;
                font-size: 50px;
                font-weight: bold;
                font-family: "curlz mt","微软雅黑",serif;
            }
        </style>
    </head>
    <body>
        <p>这是"node101.yinzhengjie.com"的首页</p>
        <div class="box1">
            <img src="https://node101.yinzhengjie.org.cn/css/01.png"  alt="运维工程师"/>
        </div>
    </body>
</html>
[root@node101.yinzhengjie.org.cn ~]# 

3>. Reload the nginx configuration

[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
nginx    24955 24954  0 18:44 ?        00:00:00 nginx: worker process
nginx    24956 24954  0 18:44 ?        00:00:00 nginx: worker process
nginx    24957 24954  0 18:44 ?        00:00:00 nginx: worker process
nginx    24958 24954  0 18:44 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
nginx    25418 24954  0 19:14 ?        00:00:00 nginx: worker process
nginx    25419 24954  0 19:14 ?        00:00:00 nginx: worker process
nginx    25420 24954  0 19:14 ?        00:00:00 nginx: worker process
nginx    25421 24954  0 19:14 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

4>. Open "http://node101.yinzhengjie.com/" in a browser; we find that it loads normally


5>. Observe the log of node101.yinzhengjie.org.cn: this site served no user of its own, yet it is spending its bandwidth serving another site, as shown in the figure below.

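Rather than spotting this by eye, the hotlinking can be pulled out of the JSON access log. The script below is an added example, not part of the original post: it parses lines in the page's my_access_json format and reports asset requests whose Referer host differs from the Host that served them, separating responses that were actually served (bandwidth spent) from those answered 403. The log lines are constructed samples using a subset of the page's fields.

```python
import json
from urllib.parse import urlsplit

# Constructed sample lines using a subset of the page's my_access_json fields
# (not real log data). nginx writes '-' for $http_referer when no header was sent.
SAMPLE_LOG = """\
{"@timestamp":"2019-12-24T19:15:01+08:00","clientip":"172.30.1.254","size":1025154,"http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","referer":"https://node101.yinzhengjie.org.cn/","status":"200"}
{"@timestamp":"2019-12-24T19:15:07+08:00","clientip":"172.30.1.254","size":1025154,"http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","referer":"http://node101.yinzhengjie.com/","status":"200"}
{"@timestamp":"2019-12-24T19:38:02+08:00","clientip":"172.30.1.254","size":0,"http_host":"node101.yinzhengjie.org.cn","uri":"/css/01.png","referer":"http://node101.yinzhengjie.com/","status":"403"}
{"@timestamp":"2019-12-24T19:40:10+08:00","clientip":"172.30.1.254","size":612,"http_host":"node101.yinzhengjie.org.cn","uri":"/","referer":"-","status":"200"}
"""

ASSET_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".js")


def hotlink_report(log_text, asset_suffixes=ASSET_SUFFIXES):
    """Group asset requests whose Referer host differs from the Host that served them.

    Returns {(referer_host, uri): {"served": n, "blocked": n, "bytes": n}}, where
    'served' counts non-403 responses (bandwidth really spent) and 'bytes' their size.
    """
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not rec["uri"].lower().endswith(asset_suffixes):
            continue
        ref = rec["referer"]
        if ref == "-":                       # no Referer at all: direct access, not hotlinking
            continue
        try:
            ref_host = urlsplit(ref).hostname
        except ValueError:                   # malformed URL in the header
            ref_host = None
        if ref_host is None or ref_host == rec["http_host"].lower():
            continue                         # same-site or unparsable: not hotlinking
        entry = report.setdefault((ref_host, rec["uri"]),
                                  {"served": 0, "blocked": 0, "bytes": 0})
        if rec["status"] == "403":
            entry["blocked"] += 1
        else:
            entry["served"] += 1
            entry["bytes"] += int(rec["size"])
    return report


if __name__ == "__main__":
    for (host, uri), c in hotlink_report(SAMPLE_LOG).items():
        print(f"{host} embeds {uri}: served={c['served']} blocked={c['blocked']} bytes={c['bytes']}")
```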

6>. Observe the log of node101.yinzhengjie.org.cn, as shown in the figure below.


IV. Simulating hotlink protection

1>. Implement hotlink protection on the site being hotlinked

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.org.cn;
 
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
    error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;

    location / {
       root /yinzhengjie/data/web/nginx/static/cn;
       index index.html;
       # Define the valid request Referers, separated by spaces
       valid_referers none blocked server_names *.baidu.com example.*  ~.google.;
       # Any Referer not listed above as valid is treated as an invalid request Referer
       if ($invalid_referer) {
           return 403;
       }
    }

    location = /favicon.ico {
       root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
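The Python below is an added example, not part of the original post: it re-implements in plain code the decision nginx makes from the valid_referers list above (the Referer categories from section I) so that the rule can be dry-run against sample Referer values before the configuration is reloaded. It assumes the page's server_name and rule string, and models host patterns only (URI prefixes in arbitrary strings are not handled).

```python
import re
from urllib.parse import urlsplit

# Re-implementation of the decision behind nginx's $invalid_referer, for dry-running
# the rule from this page offline. Assumptions: SERVER_NAMES holds the page's
# server_name; RULE is the page's valid_referers argument list; hosts only, no URI prefixes.
SERVER_NAMES = {"node101.yinzhengjie.org.cn"}
RULE = "none blocked server_names *.baidu.com example.* ~.google."


def parse_rule(rule):
    """Split a valid_referers argument list into flags, host patterns and regexes."""
    flags, hosts, regexes = set(), [], []
    for tok in rule.split():
        if tok in ("none", "blocked", "server_names"):
            flags.add(tok)
        elif tok.startswith("~"):
            # nginx matches these case-insensitively against the text after the scheme
            regexes.append(re.compile(tok[1:], re.IGNORECASE))
        else:
            hosts.append(tok.lower())
    return flags, hosts, regexes


def host_matches(host, pattern):
    """'*' is only meaningful at the start or the end of a pattern (nginx semantics)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def is_invalid_referer(referer, rule=RULE, server_names=SERVER_NAMES):
    """True when nginx would set $invalid_referer; referer=None means no header at all."""
    flags, hosts, regexes = parse_rule(rule)
    if referer is None:                        # the 'none' case
        return "none" not in flags
    low = referer.lower()
    if not low.startswith(("http://", "https://")):
        return "blocked" not in flags          # present but unusable: the 'blocked' case
    try:
        host = urlsplit(low).hostname or ""    # the port is ignored, as in nginx
    except ValueError:                         # malformed URL in the header
        return True
    if "server_names" in flags and host in server_names:
        return False
    if any(host_matches(host, p) for p in hosts):
        return False
    after_scheme = low.split("://", 1)[1]
    return not any(rx.search(after_scheme) for rx in regexes)
```

Keep in mind that the Referer is supplied by the client, so this check deters casual embedding but cannot stop a client that omits or forges the header.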

2>. Reload the configuration file

[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
nginx    25418 24954  0 19:14 ?        00:00:00 nginx: worker process
nginx    25419 24954  0 19:14 ?        00:00:00 nginx: worker process
nginx    25420 24954  0 19:14 ?        00:00:00 nginx: worker process
nginx    25421 24954  0 19:14 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
nginx    25710 24954  1 19:37 ?        00:00:00 nginx: worker process
nginx    25711 24954  1 19:37 ?        00:00:00 nginx: worker process
nginx    25712 24954  1 19:37 ?        00:00:00 nginx: worker process
nginx    25713 24954  0 19:37 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

3>. Open "http://node101.yinzhengjie.com/" in a browser; we find that it no longer loads properly, as shown in the figure below


4>. Check the log of the "node101.yinzhengjie.org.cn" site, as shown in the figure below


5>. Check the log of node101.yinzhengjie.org.cn
