nginx配置 laravel 支持

Laravel框架
2022-04-11

nginx配置

源地址 note.youdao.com/share/?id=cb2806d2...

ssl的配置
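# Shared TLS settings. The listen directive lives outside this snippet, in the
# server{} that includes these lines.
# "ssl on;" has been deprecated since nginx 1.15.0 and is dropped in newer
# releases; the supported form is "listen <port> ssl;". Keep this line only
# until the listen directive carries the ssl parameter.
ssl on;
ssl_certificate /usr/local/nginx/ssl.crt;
ssl_certificate_key /usr/local/nginx/ssl.key;
ssl_session_timeout 5m;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were offered before; only 1.2 and
# 1.3 remain. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
ssl_protocols TLSv1.2 TLSv1.3;
# The cipher list only governs TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;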
配置thinkphp项目的过滤
# File location: ./conf/filter_thinkphp (included inside server{}).
# Coarse query-string filter for ThinkPHP. It inspects $query_string only, which
# is the raw, still percent-encoded query string: the request path is not checked
# here and encoded variants are not decoded. Treat it as a first line of defence,
# not as a replacement for input validation in the application.
# "Anti-injection": prepend "&" so every parameter, including the first one,
# can be matched as "&name=".
set $str &$query_string;
# ThinkPHP module (g), controller (m) and action (a) names may only contain
# [a-zA-Z0-9_]. The second rule rejects values of 30 characters or more, i.e.
# at most 29 characters pass.
if ($str ~* "&(g|m|a)=[^&]{0,}[^a-zA-Z0-9_&]") {
    return 403;
}
if ($str ~* "&(g|m|a)=[^&]{30,}") {
    return 403;
}
# The query string must not contain a literal ".."
if ($str ~* "\.\.") {
    return 403;
}
# ... nor "./." or ".\." (nginx turns "\\" inside the double-quoted string into
# a single backslash, so the regex seen by PCRE is \./\.|\.\\. )
if ($str ~* "(\./\.|\.\\\.)") {
    return 403;
}
# Vulnerability block (present in ThinkCMF) https://xz.aliyun.com/t/6626?spm=a2c4g.11174386.n2.4.9cc31051EvLkaF
# A templateFile parameter is refused outright.
if ($str ~* "&templateFile=") {
    return 403;
}
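# Main config file ./conf/nginx.conf, laid out as follows
http {
    server {
        listen          80;

        include conf/filter_thinkphp;

        # Some file types must never be served. This rule used to sit inside
        # "location ~ \.php$", where $request_filename always ends in ".php", so
        # it could never match; at server level it is evaluated for every request.
        # It only looks at the trailing extension: paths inside a dot-directory
        # (e.g. /.git/config) are not covered and need a separate location.
        if ($uri ~* "\.(zip|gz|rar|sql|gitignore|git|htaccess)$") {return 403;}

        location ~ \.php$ {
            root   "E:/wamp/www";
            # Requests such as http://***/tupian.jpg/index.php: php-fpm has had
            # "security.limit_extensions" since 5.3.9 and by default only executes
            # ".php" files, but Windows servers run php-cgi, which lacks that guard.
            # PHP walks the path from the left, finds that the .jpg exists and runs it
            # as a script although the requested script is index.php, so refuse any
            # request whose target file does not exist.
            # ("try_files $uri =404;" is the usual way to express the same check.)
            if (!-e $request_filename) {return 403;}
            # Plugins may drop their own scripts under http://***/public/abc.php; this
            # framework has one entry file plus a hand-added admin.php, so every other
            # script name is refused.
            if ($fastcgi_script_name !~* "^/(index\.php|admin\.php)$") {return 403;}
            # Alternatively use the regex below; pick one of the two
#            if ($fastcgi_script_name !~* "^/[a-zA-Z0-9_-]+\.php$") {
#                return 403;
#            }
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        conf/fastcgi_params;
            fastcgi_connect_timeout 75;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 600;
            fastcgi_buffer_size 64k;
            fastcgi_buffers 8 64k;}

        location / {
            root    "E:/wamp/www";
            index   index.php;

            # Anything that is not an existing file or directory goes to the front
            # controller, with the original path handed over as the query string
            if (!-e $request_filename) {
                rewrite ^/(.*)$ /index.php?$1 last;}
            location ~ \.(gif|jpg|jpeg|png|bmp|swf)$ {
                expires 30d;}
            location ~ \.(js|css)$ {
                expires 10d;}}}
}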
配置二级目录的laravel项目
http {
    server {
        listen          80;

        # /kf2 without a trailing slash is redirected to /kf2/ so relative links resolve
        location = /kf2 {
            rewrite ^/kf2$ /kf2/ redirect;}
        # Laravel project mounted under the /kf2 sub-directory
        location /kf2/ {
            # Enter the project: the root is Laravel's public/ directory, $web_pre the mount prefix.
            # nginx interprets \t, \n and \r inside double-quoted strings; forward slashes
            # ("E:/wamp/www/...") avoid that trap should a segment ever start with one of them.
            root    "E:\wamp\www\laravle\public";set $web_pre /kf2;
            index   index.php;
            # Derive the project-relative uri: strip the /kf2/ prefix into $real_uri
            set $real_uri $uri;if ( $uri ~ /kf2/(.*)$ ) {set $real_uri $1;}
            # Static assets first: rewrite to the stripped path and stop rewriting here.
            # NOTE(review): this if-block has no fastcgi_pass, so the asset is presumably served
            # as a plain file from the root above - confirm with a request for a real asset.
            if ( $real_uri ~ \.(gif|jpg|jpeg|png|bmp|swf|js|css|wmv|ogg|woff2|woff|ttf|html|eot|mp4|ico)$ ) {
                rewrite .* /$real_uri break;
                expires 30d;break;}
            # PHP script: everything else is routed to Laravel's front controller.
            # SCRIPT_FILENAME is always <root>/index.php, so no other script can be executed here.
            fastcgi_index  index.php;set $real_uri index.php;
            include        conf/fastcgi_params;set $fastcgi_script_name_real /$real_uri;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name_real;
            fastcgi_param  SCRIPT_NAME        $web_pre/$real_uri;
            fastcgi_param  DOCUMENT_URI       $web_pre/$real_uri;
            fastcgi_connect_timeout 75;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 100;
            fastcgi_buffer_size 64k;
            # $real_uri was just set to "index.php", so this if is always true and the
            # trailing "return 404" only serves as a safety net
            fastcgi_buffers 8 64k;if ( $real_uri ) {
                fastcgi_pass   127.0.0.1:9000;break;}return 404;}}
}
配置二级目录的 thinkphp 项目
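http {
    server {
        # The certificate directives below only take effect when the listen socket
        # speaks TLS; the "ssl" parameter on the listen line does that. Without it
        # (and without an "ssl on;" inherited from outside this snippet) port 8290
        # would answer in plain HTTP despite the certificates configured here.
        listen          8290 ssl;
        ssl_certificate   conf/ssl/ssl.crt;
        ssl_certificate_key  conf/ssl/ssl.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx >= 1.13.0 with OpenSSL >= 1.1.1
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        server_name     _;
        client_max_body_size 100M;
        client_body_timeout 1m;
        error_page  404              /404.html;
        error_page   500 502 503 504  /50x.html;

        root   "E:/YS/wamp/www/GIT";
        index  index.html index.htm index.php;

        error_log  logs/error.8290.log  info;

        location = /50x.html {
            root   html;}

        # 8290: every PHP file is handled by the single location below
        include conf/denied.files.ys;
        include conf/filter.thinkphp.ys;

        location ~ \.php$ {
            # Only plain script paths ([/a-zA-Z0-9_-] plus the .php suffix) are allowed;
            # a dot anywhere else in the path is refused, which also covers the php-cgi
            # path-info case described for nginx.conf. "try_files $uri =404;" would add
            # an existence check on top.
            if ($fastcgi_script_name !~* "^/[\/a-zA-Z0-9_-]+\.php$") {return 403;}
            fastcgi_pass   127.0.0.1:9003;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        conf/fastcgi_params;
            fastcgi_connect_timeout 75;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 600;
            fastcgi_buffer_size 64k;
            fastcgi_buffers 8 64k;}

        # king 8290: ThinkPHP project mounted under /king/
        location /king/ {
            # Enter the project: anything that is not an existing file is routed through
            # index.php with the remaining path in ThinkPHP's "s" parameter
            if (!-e $request_filename) {
                rewrite ^/king/index.php(.*)$ /king/index.php?s=$1 last;
                rewrite ^/king/(.*)$ /king/index.php?s=$1 last;}}}
}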
laravel 过滤url的配置
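# File location: ./conf/filter.laravel.ys
# The directives below go inside server{}.
# Regex locations are tried in the order written, so the asset location wins for
# matching extensions before the two filter locations are consulted.

# Static assets: served straight from the server's root, PHP is not involved
location ~ \.(gif|jpg|jpeg|png|bmp|swf|js|css|wmv|ogg|woff2|woff|ttf|html|eot|mp4|ico|otf)$ {
    expires 30d;break;
}

# URI filter: only 0-9 a-z A-Z . / - _ are allowed and ".." is refused.
# nginx already resolves "/../" segments while normalising $uri, so the first
# rule only catches a literal ".." inside a segment.
# Both rules answer 403, as conf/filter_thinkphp does; the earlier 401 would
# require a WWW-Authenticate header and 402 is a reserved status.
location ~ \.\. {return 403;
}
# The earlier class "[^0-9a-zA-Z\./-_]" contained the range "/-_", which also
# admitted : ; < = > ? @ [ \ ] ^ . With the hyphen last it is a literal "-".
location ~ [^0-9a-zA-Z./_-] {return 403;
}

# PHP is reached directly here, so nothing is proxied onward.
# nginx's realip module needs nginx built with --with-http_realip_module; it would only
# be used to make remote_addr equal the upstream layer's remote_addr.
# Laravel has TrustProxies, so everything below stays commented out.
# Check the build with: nginx -V (capital V)
# If proxied by "server 127.0.0.1:8306;"
#set_real_ip_from   127.0.0.1;
# If proxied by "server 192.168.83.180:8306;"
#set_real_ip_from   192.168.83.180;
#real_ip_header    X-Forwarded-For;
#real_ip_recursive on;

# Hand everything else to PHP
location / {
    # Enter the project
    index   index.php;
    # PHP script: every request is routed to Laravel's front controller, whatever the uri
    fastcgi_index  index.php;
    set $real_uri index.php;

    # Inlined copy of conf/fastcgi_params; REQUEST_URI keeps the original path for
    # Laravel's router
    #include        conf/fastcgi_params;
    fastcgi_param  QUERY_STRING       $query_string;
    fastcgi_param  REQUEST_METHOD     $request_method;
    fastcgi_param  CONTENT_TYPE       $content_type;
    fastcgi_param  CONTENT_LENGTH     $content_length;

    fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
    fastcgi_param  REQUEST_URI        $request_uri;
    fastcgi_param  DOCUMENT_URI       $document_uri;
    fastcgi_param  DOCUMENT_ROOT      $document_root;
    fastcgi_param  SERVER_PROTOCOL    $server_protocol;
    fastcgi_param  REQUEST_SCHEME     $scheme;
    fastcgi_param  HTTPS              $https if_not_empty;

    fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
    fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

    fastcgi_param  REMOTE_ADDR        $remote_addr;
    fastcgi_param  REMOTE_PORT        $remote_port;
    fastcgi_param  SERVER_ADDR        $server_addr;
    fastcgi_param  SERVER_PORT        $server_port;
    fastcgi_param  SERVER_NAME        $server_name;

    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param  REDIRECT_STATUS    200;

    # SCRIPT_FILENAME is always <root>/index.php, so no other .php file under the
    # root can be executed through this location. SCRIPT_NAME and DOCUMENT_URI are
    # re-declared with the fixed front-controller value.
    set $fastcgi_script_name_real /$real_uri;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name_real;
    fastcgi_param  SCRIPT_NAME        /$real_uri;
    fastcgi_param  DOCUMENT_URI       /$real_uri;
    fastcgi_connect_timeout 75;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 100;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 8 64k;
    fastcgi_pass   127.0.0.1:9004;
    break;
}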
# File location: ./conf/demo.ys.conf
# The nginx layer acting as reverse proxy: listens on 8305 and fans out to the
# two web servers on 8306/8307 defined further down

# Define the backend pool
upstream demo{
    server 127.0.0.1:8306;
    server 127.0.0.1:8307;
}
server {
    listen          8305;
    server_name     _;
    client_max_body_size 100M;
    client_body_timeout 1m;
    error_log  logs/error.8305.log  info;

    # Root mount: forwarded as-is to the pool, with the proxy headers Laravel's
    # TrustProxies evaluates
    location / {
        proxy_pass http://demo;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        # This is the outermost layer, so X-Forwarded-For is set to the real client ip
        # (overwriting whatever the client sent); an inner proxy can use
        # proxy_add_x_forwarded_for to append its own ip
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix /;
        # Once Laravel's TrustProxies is configured it needs X-Forwarded-For|X-Forwarded-Proto|X-Forwarded-Prefix
    }

    # /test/ mount: the trailing slash on proxy_pass strips the /test/ prefix, and
    # X-Forwarded-Prefix tells Laravel which prefix to put back when building URLs
    location /test/ {
        proxy_pass http://demo/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        # This is the outermost layer, so X-Forwarded-For is set to the real client ip
        # (overwriting whatever the client sent); an inner proxy can use
        # proxy_add_x_forwarded_for to append its own ip
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix /test/;
        # Once Laravel's TrustProxies is configured it needs X-Forwarded-For|X-Forwarded-Proto|X-Forwarded-Prefix
    }
}

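#web-01 web project (backend behind the 8305 proxy)
server {
    # Bound to loopback: the only consumer is the "demo" upstream, which dials
    # 127.0.0.1, and the forwarded headers are only meaningful coming from that
    # hop. The previous "listen 8306;" bound every interface, letting clients
    # reach the backend without passing the proxy layer. Drop the address if
    # other hosts must reach this server directly.
    listen          127.0.0.1:8306;
    server_name     _;
    client_max_body_size 100M;
    client_body_timeout 1m;
    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    # Laravel's public/ directory. nginx interprets \t, \n and \r inside
    # double-quoted strings; forward slashes avoid that trap.
    root   "E:\YS\wamp\www\GIT\demo\public";
    error_log  logs/error.8306.log  info;
    location = /50x.html {
        root   html;}
    # Shared Laravel filter and front-controller rules (conf/filter.laravel.ys)
    include conf/filter.laravel.ys;
}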
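#web-02 web project (second backend behind the 8305 proxy)
server {
    # Bound to loopback for the same reason as web-01: the "demo" upstream dials
    # 127.0.0.1, and "listen 8307;" would expose the backend on every interface,
    # bypassing the proxy layer. Drop the address if other hosts must reach it.
    listen          127.0.0.1:8307;
    server_name     _;
    client_max_body_size 100M;
    client_body_timeout 1m;
    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    # Laravel's public/ directory. nginx interprets \t, \n and \r inside
    # double-quoted strings; forward slashes avoid that trap.
    root   "E:\YS\wamp\www\GIT\demo\public";
    error_log  logs/error.8307.log  info;
    location = /50x.html {
        root   html;}
    # Shared Laravel filter and front-controller rules (conf/filter.laravel.ys)
    include conf/filter.laravel.ys;
}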
// laravel 项目配置文件
// App\Http\Middleware\TrustProxies.php
<?php

namespace App\Http\Middleware;

use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Request;

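class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * Only requests whose REMOTE_ADDR is listed here have their
     * X-Forwarded-* headers honoured; every other request keeps its own
     * connection data. In the accompanying nginx setup the hop in front of
     * the app is the "demo" upstream on 127.0.0.1 (8305 -> 8306/8307), so
     * the loopback address is the one to trust. '*' would trust every
     * client and is only safe when nothing but the proxy can reach the app.
     *
     * NOTE(review): the page shows this array collapsed onto a single line
     * ("[// 这里配置 ???'127.0.0.1',];"), which leaves the closing bracket
     * inside the line comment and does not parse; reconstructed as below.
     * Confirm against the deployed file whether '127.0.0.1' was active.
     *
     * @var array|string|null
     */
    protected $proxies = [
        // configure here (原: 这里配置 ???)
        '127.0.0.1',
    ];

    /**
     * The headers that should be used to detect proxies.
     *
     * Bit mask of Request::HEADER_X_FORWARDED_* flags; HEADER_X_FORWARDED_PREFIX
     * picks up the X-Forwarded-Prefix header the nginx proxy sets for the "/"
     * and "/test/" mounts. The mask is only consulted for proxies listed above.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_FOR
        | Request::HEADER_X_FORWARDED_HOST
        | Request::HEADER_X_FORWARDED_PORT
        | Request::HEADER_X_FORWARDED_PROTO
        | Request::HEADER_X_FORWARDED_AWS_ELB
        | Request::HEADER_X_FORWARDED_PREFIX;
}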