Home > Operation and Maintenance > Nginx > How to ban access to php in nginx

How to ban access to php in nginx

WBOY
Release: 2023-05-17 21:19:04
forward
1258 people have browsed it

nginx禁止访问php的方法:1、配置nginx,禁止解析指定目录下的指定程序;2、将“location ~^/images/.*\.(php|php5|sh|pl|py)${deny all...}”语句放置在server标签内即可。

nginx站点目录及文件URL访问控制

一、根据扩展名限制程序和文件访问

利用nginx配置禁止访问上传资源目录下的PHP、Shell、Perl、Python程序文件。

配置nginx,禁止解析指定目录下的指定程序。

location ~ ^/images/.*\.(php|php5|sh|pl|py)$
        {
            deny all;
        }
         
location ~ ^/static/.*\.(php|php5|sh|pl|py)$
        {
            deny all;
        }
         
location ~ ^/data/(attachment|avatar).*\.(php|php5)$
        {
            deny all;
        }
Copy after login

对上述目录的限制必须写在nginx处理PHP服务配置的前面,如下:

放置在server标签内:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false"> server { listen 80; server_name www.dmtest.com; location / { root html; index index.php index.html index.htm; } location ~ ^/images/.*\.(php|php5|sh|pl|py)$ { deny all; } location ~ ^/static/.*\.(php|php5|sh|pl|py)$ { deny all; } location ~ ^/data/(attachment|avatar).*\.(php|php5)$ { deny all; } ...... ...... }</pre><div class="contentsignin">Copy after login</div></div><p>nginx下配置禁止访问*.txt和*.doc文件 </p>

配置如下:

放置在server标签内:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false"> location ~* \.(txt|doc)$ { if (-f $request_filename) { root /data/www/www; #rewrite ... #可以重定向到某个URL; break; } } location ~* \.(txt|doc)$ { root /data/www/www; deny all; }</pre><div class="contentsignin">Copy after login</div></div><p>二、禁止访问指定目录下的所有文件和目录 </p>

配置禁止党文指定的单个或多个目录。

禁止访问单个目录的命令如下:

放置在server标签内:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false"> location ~ ^/(static)/ { deny all; } location ~ ^/static { deny all; }</pre><div class="contentsignin">Copy after login</div></div><p>禁止访问多个目录的配置如下: </p><div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">location ~ ^/(static|js) { deny all; }</pre><div class="contentsignin">Copy after login</div></div><p>禁止访问目录并返回指定的http状态码,配置如下: </p>

放置在server标签内:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:js;toolbar:false"> server { listen 80; server_name www.dmtest.com; location / { root html; index index.php index.html index.htm; } location /admin/ { return 404; }    #访问admin目录返回404; location /templates/ { return 403; }  #访问templates目录返回403 location ~ ^/images/.*\.(php|php5|sh|pl|py)$ { deny all; }</pre><div class="contentsignin">Copy after login</div></div><p>作用:禁止访问目录下的指定文件或者禁止访问指定目录下的所有内容。 </p>

三、限制网站来源IP访问

禁止目录让外界访问,但允许某IP访问该目录且支持PHP解析,配置如下:

在server标签内配置如下:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false"> location ~ ^/mysql_loging/ { allow 192.168.0.4; deny all; } location ~ .*\.(php|php5)?$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; }</pre><div class="contentsignin">Copy after login</div></div><p>说明:该配置只允许192.168.0.4IP访问mysql_loging目录</p><p>限制IP或IP段访问,配置如下:</p><p>添加在server标签内:</p><div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false"> location / { deny 192.168.0.4; allow 192.168.1.0/16; allow 10.0.0.0/24; deny all; }</pre><div class="contentsignin">Copy after login</div></div><p>说明:此限制是对某些IP做整个网站的限制访问。 </p>

nginx做反向代理的时候也可以限制客户端IP,具体如下:

方法1:使用if来控制,配置如下:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">if ( $remoteaddr = 10.0.0.7 ) { return 403; } if ( $remoteaddr = 218.247.17.130 ) { set $allow_access_root &amp;#39;ture&amp;#39;; }</pre><div class="contentsignin">Copy after login</div></div><p>方法2:利用deny和allow只允许IP访问,配置如下: </p><div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">location / { root html/blog; index index.php index.html index.htm; allow 10.0.0.7; deny all; }</pre><div class="contentsignin">Copy after login</div></div><p>登录后复制</p>

方法3:只拒绝某些IP访问,配置如下:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">location / { root html/blog; index indx.php index.html index.htm; deny 10.0.0.7; allow all; }</pre><div class="contentsignin">Copy after login</div></div><p>注意事项: </p>

deny一定要加一个IP,否者会直接跳转到403,不在往下执行了,如果403默认页在同一域名下,会造成死循环访问。

对于allow的IP段,从允许访问的段位从小到大排列,如127.0.0.0/24的下面才能是10.10.0.0/16,其中:

  24表示子网掩码:255.255.255.0

  16表示子网掩码:255.255.0.0

  8表示子网掩码:255.0.0.0

以deny all; 结尾,表示除了上面允许的,其他的都禁止。如:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">deny 192.168.1.1; allow 127.0.0.0/24; allow 192.168.0.0/16; allow 10.10.0.0/8; deny all;</pre><div class="contentsignin">Copy after login</div></div><p>四、配置nginx,禁止非法域名解析访问企业网站 </p>

方法1:让使用IP访问网站的用户,或恶意接卸域名的用户,收到501错误,配置如下:

<div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">server { listen 80 default_server; server_name _; return 501; }</pre><div class="contentsignin">Copy after login</div></div><p>方法2:通过301跳转主页,配置如下: </p><div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">server { listen 80 default_server; server_name _; rewrite ^(.*) http://www.dmtest.com/$1 permanent; }</pre><div class="contentsignin">Copy after login</div></div><p>方法3:发现某域名恶意解析到公司的服务器IP,在server标签里添加以下代码即可,若有多个server要多处添加。 </p>

if ($host !~ ^www/.dmtest/.com$) {
        rewrite ^(.*) http://www.dmtest.com.com$1 permanent;
}
Copy after login

The above is the detailed content of How to ban access to php in nginx. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template