Nginx拒绝不适用于文件夹文件

时间:2013-10-16 15:26:26

标签: nginx

我正在尝试限制对我的网站的访问以仅允许特定的IP并且我遇到以下问题:当我访问www.example.com时,deny工作正常,但是当我尝试访问www.example.com时/index.php它返回“拒绝访问”页面并且php文件直接在浏览器中下载而不进行处理。 我确实想要拒绝访问网站上所有IP的所有文件,但我的。我该怎么做?

这是我的配置:

server {
listen 80;
server_name example.com; 
root /var/www/example;

location / {
    index index.html index.php; ## Allow a static html file to be shown first
    try_files $uri $uri/ @handler; ## If missing pass the URI to front handler
    expires 30d; ## Assume all files are cachable
 allow my.public.ip;
 deny all;
}

location @handler { ## Common front handler
    rewrite / /index.php;
}
location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
    rewrite ^(.*.php)/ $1 last;
}

location ~ .php$ { ## Execute PHP scripts
    if (!-e $request_filename) { rewrite / /index.php last; } ## Catch 404s that try_files miss

    expires        off; ## Do not cache dynamic content
    fastcgi_pass   127.0.0.1:9001;
    fastcgi_param  HTTPS $fastcgi_https;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include        fastcgi_params; ## See /etc/nginx/fastcgi_params
    }
}

2 个答案:

答案 0 :(得分:0)

这是因为您的拒绝/允许规则仅适用于一个位置。

删除它并尝试:

server {
    listen 80;
    server_name example.com; 
    root /var/www/example;
    if ($remote_addr != "YOUR.PUBLIC.IP") {return 403;}
    ...
}

由于测试不在任何特定的位置区块内,因此适用于所有情况。

另请注意,IF在这里并不邪恶,因为它只是“返回”。

答案 1 :(得分:0)

好的,所以我找到了解决方案。 Nginx处理最精确的正则表达式,在这种情况下是php文件的正则表达式。要使配置工作,必须在/ location规则中定义所有其他位置,除了@handler(您不能置于任何规则下 - 仅作为root)

server {
listen 80;
server_name example.com; 
root /var/www/example;

    location / {
    index index.html index.php; ## Allow a static html file to be shown first
    try_files $uri $uri/ @handler; ## If missing pass the URI to front handler
    expires 30d; ## Assume all files are cachable
    allow my.public.ip;
    deny all;

    location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*.php)/ $1 last;
    }

    location ~ .php$ { ## Execute PHP scripts
        if (!-e $request_filename) { rewrite / /index.php last; } ## Catch 404s that try_files miss

        expires        off; ## Do not cache dynamic content
        fastcgi_pass   127.0.0.1:9001;
        fastcgi_param  HTTPS $fastcgi_https;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params; ## See /etc/nginx/fastcgi_params
        }
}

    location @handler { ## Common front handler
        rewrite / /index.php;
    }

}