nginx配置
ssl的配置
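# "ssl on;" is deprecated since nginx 1.15.0 (and removed in 1.25.1); the supported form is
# "listen 443 ssl;". It is kept here only because the listen directive is outside this fragment.
ssl on;
ssl_certificate /usr/local/nginx/ssl.crt;
ssl_certificate_key /usr/local/nginx/ssl.key;
# ssl_session_timeout only has an effect together with a session cache.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# TLS 1.0 / 1.1 are deprecated (RFC 8996). TLSv1.3 is accepted by nginx >= 1.13.0 and used when
# the OpenSSL it was built against supports it.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only. The original list let "HIGH" in (static-RSA key exchange and
# CBC suites) while explicitly disabling DHE, i.e. no forward secrecy for non-ECDHE clients.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;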
配置thinkphp專案的過濾
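# File: ./conf/filter_thinkphp  (included at server{} level)
#
# Coarse request filter for ThinkPHP front controllers. Every check runs against the RAW query
# string: nginx does not percent-decode $query_string, while PHP decodes it before ThinkPHP sees
# it, so each pattern must also cover the encoded spelling an attacker would send. This is a
# stopgap in front of the application, not a substitute for patching ThinkPHP/ThinkCMF.

# Prefix with '&' so the first parameter is matched the same way as the others ("&name=").
set $str &$query_string;

# Module / controller / action names (g=, m=, a=) may only contain [A-Za-z0-9_].
# Any other byte is rejected -- including the '%' of a percent-encoded sequence.
if ($str ~* "&(g|m|a)=[^&]*[^a-zA-Z0-9_&]") {
    return 403;
}
# ... and may not exceed 30 characters.
if ($str ~* "&(g|m|a)=[^&]{30,}") {
    return 403;
}

# No ".." anywhere in the query string, literal or percent-encoded (%2e%2e, .%2e, %2e.).
# The original matched only the literal form, which "%2e%2e" (decoded by PHP) bypassed.
if ($str ~* "(\.|%2e)(\.|%2e)") {
    return 403;
}
# No "./." or ".\." -- and the same with the separator percent-encoded (%2f, %5c).
if ($str ~* "(\./\.|\.\\\.)") {
    return 403;
}
if ($str ~* "\.(%2f|%5c)\.") {
    return 403;
}

# ThinkCMF template-file vulnerability: refuse the templateFile parameter.
# https://xz.aliyun.com/t/6626
# NOTE(review): PHP percent-decodes parameter *names* too, so "&%74emplateFile=" slips past this
# check and nginx cannot decode $query_string for us -- upgrade ThinkCMF rather than rely on it.
if ($str ~* "&templateFile=") {
    return 403;
}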
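# Main configuration ./conf/nginx.conf -- layout as follows
http {
    server {
        listen 80;
        # One document root for the whole vhost (the original repeated it in every location).
        root "E:/wamp/www";
        index index.php;
        include conf/filter_thinkphp;

        # Never serve VCS metadata or dot-files (/.git/config, .gitignore, .htaccess, ...).
        # The original put this test inside the .php location, where $request_filename always
        # ends in ".php", so the pattern could never match and nothing was actually blocked.
        location ~ /\.(git|svn|ht) {
            return 403;
        }
        # Archives and database dumps are not downloadable either.
        location ~* \.(zip|gz|rar|sql)$ {
            return 403;
        }

        location ~ \.php$ {
            # Path-info trick: a request such as /uploads/pic.jpg/index.php makes php-cgi
            # (cgi.fix_pathinfo=1; common on Windows, where php-fpm's security.limit_extensions
            # does not apply) walk the path and execute pic.jpg as PHP. Refusing scripts that
            # do not exist on disk closes that hole ("try_files $uri =404;" is the equivalent
            # idiom without "if").
            if (!-e $request_filename) {
                return 403;
            }
            # Only the two real entry points may execute; a script dropped into a plugin or
            # upload directory (e.g. /public/abc.php) is refused even though it exists.
            if ($fastcgi_script_name !~* "^/(index\.php|admin\.php)$") {
                return 403;
            }
            # Looser alternative (any single .php file directly in the web root) -- use ONE:
            # if ($fastcgi_script_name !~* "^/[a-zA-Z0-9_-]+\.php$") {
            #     return 403;
            # }

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include conf/fastcgi_params;
            # httpoxy (CVE-2016-5385): CGI turns a client "Proxy:" header into HTTP_PROXY.
            fastcgi_param HTTP_PROXY "";
            fastcgi_connect_timeout 75;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 600;
            fastcgi_buffer_size 64k;
            fastcgi_buffers 8 64k;
        }

        location / {
            # ThinkPHP without PATH_INFO support: anything that is not a real file or directory
            # is routed through the front controller with the path passed as the query string
            # (which conf/filter_thinkphp then inspects).
            if (!-e $request_filename) {
                rewrite ^/(.*)$ /index.php?$1 last;
            }
            location ~ \.(gif|jpg|jpeg|png|bmp|swf)$ {
                expires 30d;
            }
            location ~ \.(js|css)$ {
                expires 10d;
            }
        }
    }
}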
配置二級目錄的laravel專案
http {
server {
listen 80;
# Redirect the bare prefix to the trailing-slash form so relative links resolve under /kf2/.
location = /kf2 {
rewrite ^/kf2$ /kf2/ redirect;
}
location /kf2/ {
# Enter the project: the document root is the Laravel public/ directory
# (the "laravle" spelling must match the directory name on disk).
root "E:\wamp\www\laravle\public";
set $web_pre /kf2;
index index.php;
# Path relative to public/, i.e. $uri with the /kf2/ prefix stripped. nginx normalizes $uri
# (percent-decoding, collapsing "." and "..") before this runs, so the capture cannot escape root.
set $real_uri $uri;
if ( $uri ~ /kf2/(.*)$ ) {
set $real_uri $1;
}
# Static assets are served straight from disk, never handed to PHP.
# "break" ends rewrite processing and keeps the request in this location.
if ( $real_uri ~ \.(gif|jpg|jpeg|png|bmp|swf|js|css|wmv|ogg|woff2|woff|ttf|html|eot|mp4|ico)$ ) {
rewrite .* /$real_uri break;
expires 30d;
break;
}
# Everything else goes to the single Laravel front controller, whatever the URL was,
# so no user-controlled value reaches SCRIPT_FILENAME.
fastcgi_index index.php;
set $real_uri index.php;
include conf/fastcgi_params;
set $fastcgi_script_name_real /$real_uri;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name_real;
# SCRIPT_NAME / DOCUMENT_URI carry the /kf2 prefix so Laravel generates URLs under the sub-directory.
fastcgi_param SCRIPT_NAME $web_pre/$real_uri;
fastcgi_param DOCUMENT_URI $web_pre/$real_uri;
fastcgi_connect_timeout 75;
fastcgi_send_timeout 300;
fastcgi_read_timeout 100;
fastcgi_buffer_size 64k;
fastcgi_buffers 8 64k;
# $real_uri was just set to "index.php", so this condition is always true and the
# "return 404" below is unreachable; it only acts as a safety net.
if ( $real_uri ) {
fastcgi_pass 127.0.0.1:9000;
break;
}
return 404;
}
}
}
配置二級目錄的 thinkphp 專案
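http {
    server {
        # TLS only takes effect with "ssl" on the listen socket. The original configured the
        # certificate and cipher directives on a plain-HTTP listen, so they were silently unused.
        listen 8290 ssl;
        ssl_certificate conf/ssl/ssl.crt;
        ssl_certificate_key conf/ssl/ssl.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # Forward-secret AEAD suites only; TLS 1.0/1.1 are deprecated (RFC 8996).
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        server_name _;
        client_max_body_size 100M;
        client_body_timeout 1m;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        # NOTE(review): the document root is a whole GIT checkout, so every project under it
        # (and its .git metadata) is web-reachable. conf/denied.files.ys is not shown here --
        # confirm it blocks /.git/ and similar paths.
        root "E:/YS/wamp/www/GIT";
        index index.html index.htm index.php;
        error_log logs/error.8290.log info;
        location = /50x.html {
            root html;
        }
        # 8290: one PHP handler shared by all projects under the root
        include conf/denied.files.ys;
        include conf/filter.thinkphp.ys;
        location ~ \.php$ {
            # Same path-info hole as in the single-project config: php-cgi with
            # cgi.fix_pathinfo would execute /king/uploads/x.jpg/a.php as PHP. This server
            # block originally had no existence check at all.
            if (!-e $request_filename) {
                return 403;
            }
            # Script names are limited to [A-Za-z0-9_/-].php. NOTE(review): unlike the
            # single-project config this still executes ANY .php anywhere under the root,
            # including files dropped into upload directories; tighten it to the real entry
            # points (e.g. "^/[a-zA-Z0-9_-]+/(index|admin)\.php$") once they are known.
            if ($fastcgi_script_name !~* "^/[\/a-zA-Z0-9_-]+\.php$") {
                return 403;
            }
            fastcgi_pass 127.0.0.1:9003;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include conf/fastcgi_params;
            # httpoxy (CVE-2016-5385): never let a client "Proxy:" header become HTTP_PROXY.
            fastcgi_param HTTP_PROXY "";
            fastcgi_connect_timeout 75;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 600;
            fastcgi_buffer_size 64k;
            fastcgi_buffers 8 64k;
        }
        # king project on 8290
        location /king/ {
            # ThinkPHP front controller: anything that is not a real file/dir becomes
            # /king/index.php?s=<path>. The first matching rewrite wins because of "last".
            if (!-e $request_filename) {
                rewrite ^/king/index.php(.*)$ /king/index.php?s=$1 last;
                rewrite ^/king/(.*)$ /king/index.php?s=$1 last;
            }
        }
    }
}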
laravel 過濾url的配置
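# File: ./conf/filter.laravel.ys
# The directives below belong inside server{}.

# Static assets: served directly by nginx, never handed to PHP.
location ~ \.(gif|jpg|jpeg|png|bmp|swf|js|css|wmv|ogg|woff2|woff|ttf|html|eot|mp4|ico|otf)$ {
    expires 30d;
    break;
}

# URL filter: the path may contain only 0-9 a-z A-Z . / - _ and never "..".
# Both rules answer 403; the original used 401 (which requires a WWW-Authenticate header)
# and 402 Payment Required, both misleading to clients and in logs.
# nginx collapses ".." while normalizing $uri before location matching, so this first rule
# is belt-and-braces only.
location ~ \.\. {
    return 403;
}
# The original class "[^0-9z-zA-Z\./-_]" had "z-z" (typo for "a-z") and the accidental range
# "/-_" (0x2F-0x5F); the net effect was to reject any path containing a lowercase letter other
# than "z". "-" is placed last so it is literal. $uri is percent-decoded before matching, so
# encoded bypasses are not possible (and non-ASCII paths are rejected, as intended).
location ~ [^0-9a-zA-Z./_-] {
    return 403;
}

# PHP is executed from this server directly, so there is no further proxy hop.
# The realip module (--with-http_realip_module, check with "nginx -V") would rewrite
# $remote_addr from X-Forwarded-For; Laravel's TrustProxies already does that, so it stays
# commented out. If enabled, list ONLY the proxy immediately in front of this server.
# if proxied by server 127.0.0.1:8306;
#set_real_ip_from 127.0.0.1;
# if proxied by server 192.168.83.180:8306;
#set_real_ip_from 192.168.83.180;
#real_ip_header X-Forwarded-For;
#real_ip_recursive on;

# Hand everything else to the Laravel front controller.
location / {
    index index.php;
    fastcgi_index index.php;
    # Every request executes /index.php regardless of the path, so no user-controlled value
    # reaches SCRIPT_FILENAME.
    set $real_uri index.php;
    # Inlined copy of conf/fastcgi_params. The original also sent SCRIPT_NAME and DOCUMENT_URI
    # twice (here and overridden below); the duplicates are dropped so the value is unambiguous.
    #include conf/fastcgi_params;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REQUEST_SCHEME $scheme;
    fastcgi_param HTTPS $https if_not_empty;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
    # Behind demo.ys.conf this is the proxy's address; Laravel's TrustProxies recovers the
    # real client from X-Forwarded-For.
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param REDIRECT_STATUS 200;
    # httpoxy (CVE-2016-5385): CGI exports a client "Proxy:" header as HTTP_PROXY.
    fastcgi_param HTTP_PROXY "";
    set $fastcgi_script_name_real /$real_uri;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name_real;
    fastcgi_param SCRIPT_NAME /$real_uri;
    fastcgi_param DOCUMENT_URI /$real_uri;
    fastcgi_connect_timeout 75;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 100;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 8 64k;
    fastcgi_pass 127.0.0.1:9004;
    break;
}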
# File: ./conf/demo.ys.conf
# The nginx proxy tier in front of the application servers
# Backend pool (nginx balances across the members; round-robin unless configured otherwise)
upstream demo{
server 127.0.0.1:8306;
server 127.0.0.1:8307;
}
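server {
    listen 8305;
    # NOTE(review): "_" is a catch-all, so $host below is whatever Host header the client sent.
    # To pin the host the app sees, use the real hostname here and add a default server that
    # returns 444.
    server_name _;
    client_max_body_size 100M;
    client_body_timeout 1m;
    error_log logs/error.8305.log info;
    location / {
        proxy_pass http://demo;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        # This is the outermost proxy, so X-Forwarded-For is SET to the real client address,
        # never appended with proxy_add_x_forwarded_for (that would keep a client-forged
        # value). Inner proxies may append themselves with proxy_add_x_forwarded_for.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix /;
        # The backend's TrustProxies also honours X-Forwarded-Host / X-Forwarded-Port. nginx
        # passes any client header it does not explicitly set straight through, so they are
        # overwritten here; otherwise a client could inject them through the proxy and control
        # the host Laravel uses in generated URLs (password-reset links etc.).
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        # Laravel's TrustProxies relies on X-Forwarded-For | X-Forwarded-Proto | X-Forwarded-Prefix
    }
    location /test/ {
        # Sub-path mount: proxy_pass with a trailing "/" strips the /test/ prefix, and
        # X-Forwarded-Prefix tells Laravel to put it back when generating URLs.
        proxy_pass http://demo/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        # Outermost proxy: overwrite, do not append (see above).
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix /test/;
        # Overwrite the remaining trusted X-Forwarded-* headers so clients cannot supply them.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        # Laravel's TrustProxies relies on X-Forwarded-For | X-Forwarded-Proto | X-Forwarded-Prefix
    }
}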
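# web-01 application server
server {
    # Bind to loopback only: the upstream pool addresses 127.0.0.1:8306, and a backend that is
    # also reachable on every interface lets clients skip the proxy tier entirely. If the proxy
    # runs on another host (the 192.168.83.180 case mentioned in filter.laravel.ys), bind to
    # that interface and firewall the port instead.
    listen 127.0.0.1:8306;
    server_name _;
    client_max_body_size 100M;
    client_body_timeout 1m;
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    root "E:\YS\wamp\www\GIT\demo\public";
    error_log logs/error.8306.log info;
    location = /50x.html {
        root html;
    }
    include conf/filter.laravel.ys;
}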
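# web-02 application server (identical to web-01 apart from port and log file)
server {
    # Loopback only: the proxy's upstream pool addresses 127.0.0.1:8307; exposing the backend
    # on all interfaces would let clients bypass the proxy. Bind to the proxy-facing interface
    # and firewall the port instead when the proxy runs on another host.
    listen 127.0.0.1:8307;
    server_name _;
    client_max_body_size 100M;
    client_body_timeout 1m;
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    root "E:\YS\wamp\www\GIT\demo\public";
    error_log logs/error.8307.log info;
    location = /50x.html {
        root html;
    }
    include conf/filter.laravel.ys;
}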
<?php
namespace App\Http\Middleware;
use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Request;
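class TrustProxies extends Middleware
{
    /**
     * Proxies whose forwarding headers are trusted.
     *
     * Only the nginx proxy tier on this host (demo.ys.conf listens on 8305 and forwards to
     * 127.0.0.1:8306/8307). Never widen this to '*' or '**': any client that reaches the
     * backend directly could then set X-Forwarded-* and spoof its address, scheme or host.
     *
     * @var array|string|null
     */
    protected $proxies = [
        '127.0.0.1',
    ];

    /**
     * Forwarded headers honoured when the request comes from a trusted proxy.
     *
     * Restricted to the three headers the nginx proxy actually sets (X-Forwarded-For,
     * X-Forwarded-Proto, X-Forwarded-Prefix). The original also enabled X-Forwarded-Host,
     * X-Forwarded-Port and the AWS ELB header; nginx forwards client headers it does not
     * overwrite, so a client could push its own X-Forwarded-Host through the proxy and control
     * the host Laravel uses in generated URLs. Re-add HEADER_X_FORWARDED_HOST /
     * HEADER_X_FORWARDED_PORT only if the proxy is changed to set those headers itself.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PREFIX;
}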
本作品採用《CC 協議》,轉載必須註明作者和本文連結