nginx查看php-fpm状态信息

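  # php-fpm side: enable the pool status page in php-fpm.conf (pool section).
  # php-fpm serves this page itself once the request's SCRIPT_NAME equals
  # pm.status_path; the stock fastcgi_params sets SCRIPT_NAME from the URI.
  pm.status_path = /php-status

  # nginx side (nginx.conf): expose the pool status to one address only.
  server {
      listen       $IP:$Port;
      server_name  _;

      # Exact match, the same form as the /nginx-status block below, so
      # /php-status.php or /php-status/x never reach this location.
      # The original had "stub_status on;" here as well -- stub_status is
      # nginx's own counters handler and does not belong in a location that
      # is proxied to php-fpm; only one content handler applies per location.
      location = /php-status {
          access_log off;          # re-enable if denied probes should be auditable
          #allow all;
          allow $IP;               # allow rules must precede "deny all"
          deny all;
          include fastcgi_params;
          fastcgi_pass 127.0.0.1:9000;   # must match the pool's "listen" in php-fpm.conf
          # No script is executed for the status page, so SCRIPT_FILENAME
          # only needs a value, not a real path.
          fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
      }
  }

  # Usage: http://$IP/php-status
  # full list (one entry per worker process): http://$IP/php-status?full

  # Output formats: html, json, xml
  #http://$IP/php-status?html   # default
  ##http://$IP/php-status?full&html

  #http://$IP/php-status?json   # json
  ##http://$IP/php-status?full&json

  #http://$IP/php-status?xml    # xml
  ##http://$IP/php-status?full&xml


  # nginx's own status counters (requires the stub_status module).
  server {
      listen       $IP:$Port;
      server_name  _;
      location = /nginx-status {
          stub_status on;
          access_log off;          # re-enable if denied probes should be auditable
          allow $IP;               # allow rules must precede "deny all"
          deny all;
      }
  }
  # Usage: http://$IP/nginx-status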

nginx防SQL注入与文件注入的相关安全设置

下面的配置可以在一定程度上拦截SQL注入与文件注入形式的请求，放在配置文件的server块里面。

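  server {
  [...]

      # NOTE: these are pattern filters on the raw request, not input validation.
      # $query_string is the still percent-encoded query, so only literal forms
      # are matched; treat the block as log/noise reduction and keep the real
      # controls (parameterized queries, path validation) in the application.
      # The original matched with "~" (case-sensitive), which let a different
      # letter case through; "~*" matches case-insensitively.
      # "if" at server level that only does set/return is the safe subset of if.

      ## Block SQL injections
      set $block_sql_injections 0;
      if ($query_string ~* "union.*select.*\(") {
          set $block_sql_injections 1;
      }
      if ($query_string ~* "union.*all.*select.*") {
          set $block_sql_injections 1;
      }
      if ($query_string ~* "concat.*\(") {
          set $block_sql_injections 1;
      }
      if ($block_sql_injections = 1) {
          return 403;
      }

      ## Block file injections
      set $block_file_injections 0;
      if ($query_string ~* "[a-zA-Z0-9_]=http://") {
          set $block_file_injections 1;
      }
      if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
          set $block_file_injections 1;
      }
      if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
          set $block_file_injections 1;
      }
      if ($block_file_injections = 1) {
          return 403;
      }

      ## Block common exploits
      set $block_common_exploits 0;
      if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "proc/self/environ") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "base64_(en|de)code\(.*\)") {
          set $block_common_exploits 1;
      }
      if ($block_common_exploits = 1) {
          return 403;
      }

      ## Block spam
      # Word-list filter; expect false positives on legitimate search queries
      # that happen to contain one of these words.
      set $block_spam 0;
      if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
          set $block_spam 1;
      }
      if ($block_spam = 1) {
          return 403;
      }

      ## Block user agents
      # User-Agent is chosen by the client, so this only filters tools that
      # announce themselves; it is a nuisance filter, not an access control.
      set $block_user_agents 0;

      # Don't disable wget if you need it to run cron jobs!
      #if ($http_user_agent ~* "Wget") {
      #    set $block_user_agents 1;
      #}

      # Disable Akeeba Remote Control 2.5 and earlier
      if ($http_user_agent ~* "Indy Library") {
          set $block_user_agents 1;
      }

      # Common bandwidth hoggers and hacking tools.
      if ($http_user_agent ~* "libwww-perl") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GetRight") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GetWeb!") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Go!Zilla") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Download Demon") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Go-Ahead-Got-It") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "TurnitinBot") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GrabNet") {
          set $block_user_agents 1;
      }

      if ($block_user_agents = 1) {
          return 403;
      }
  }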

upstream timed out (110: Connection timed out) while reading response header from upstream

Nginx错误日志为:upstream timed out (110: Connection timed out) while reading response header from upstream
解决办法为在server块里修改proxy_read_timeout的值，具体参考下面的配置：

  # Upstream timeouts, in seconds. proxy_read_timeout is the one behind the
  # "upstream timed out ... while reading response header" error: it bounds
  # the wait between two successive reads of the upstream response.
  proxy_read_timeout    300s;
  # bound between two successive writes of the request to the upstream
  proxy_send_timeout    300s;
  # bound for establishing the upstream connection; per the nginx docs this
  # value usually cannot exceed 75s, so the rest of this budget is not used
  proxy_connect_timeout 300s;

Nginx upstream sent too big header while reading response header from upstream

upstream sent too big header while reading response header from upstream
在http字段里添加

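  http {
      ...
      # proxy_buffer_size must hold the whole response header from the
      # upstream; "upstream sent too big header" means it did not fit.
      proxy_buffer_size 32k;
      # buffers for the rest of the response, allocated per connection,
      # so raise with care on busy servers
      proxy_buffers 8 16k;
  }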

如果是fastcgi的话

  http {
      ...
      # the FastCGI response header must fit in this single buffer
      fastcgi_buffer_size 32k;
      # number and size of the per-connection buffers for the rest of the response
      fastcgi_buffers     8 16k;
  }

Nginx无法上传文件或者time out的解决办法

nginx上传附件都失败,并且页面偶尔提示timeout或者413 Request Entity Too Large
错误日志为:

  1. [error] 24225#0: *44 client intended to send too large body: 3005474 bytes, client: x.x.x.x, server: _, request: "POST /phpmyadmin/import.php HTTP/1.1", host: "baiqiuyi.com", referrer: "http://baiqiuyi.com/xxxxxxxxxxxxxxxxxx
  1. 打开nginx.conf并在http{}字段里添加
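  # 413 threshold. Set it to the largest upload you actually need to accept,
  # and prefer setting it in the upload location rather than globally, so
  # the rest of the site keeps the smaller default.
  client_max_body_size 64M; # size in MB, fill in according to your situation
  # The original note pointed at keepalive_timeout, which only governs idle
  # keep-alive connections. A POST that stalls mid-upload is bounded by
  # client_body_timeout (time between two successive reads of the body), and
  # phpMyAdmin's processing time by fastcgi_read_timeout; PHP's own
  # upload_max_filesize / post_max_size must be raised as well.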

