nginx: avoid the PHP "catch-all" location on a path


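First of all, sorry for my English.

I'm trying to create a location in my nginx config file so that all requests to that location are sent through a proxy to another port. All other requests should go to the local server, so I use a "catch-all" location for that.

My config is as follows: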

server {
  server_name example.com;
  listen *:80; 

  root /web/;

  index index.php index.html;
  autoindex off; 

  # Logs
  access_log /var/log/nginx/web.log;
  error_log /var/log/nginx/web_err.log;

 # WordPress multisite by path
  if (!-e $request_filename) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;
    rewrite ^(/[^/]+)?(/.*\.php) $2 last;
  }

  # Blocking sensitive areas
  if ($request_uri ~* /(readme.html|license.txt|install.php|wp-config.php|fantastico_fileslist.txt|fantversion.php).*) {
    return 444;
  }


  # Behind proxy

  set_real_ip_from    0.0.0.0/16;
  real_ip_header      X-Forwarded-For;


  # Cache (to be reviewed)
  open_file_cache          max=2000 inactive=20s;
  open_file_cache_valid    60s;
  open_file_cache_min_uses 5;
  open_file_cache_errors   off;


  # Compression
  # Enable Gzip compressed.
  gzip on;

  # Enable compression both for HTTP/1.0 and HTTP/1.1.
  gzip_http_version  1.1;
  gzip_disable        "msie6";

  # Don't compress anything that's already small and unlikely to shrink much
  # if at all (the default is 20 bytes, which is bad as that usually leads to
  # larger files after gzipping).
  gzip_min_length    256;

  # Compress data even for clients that are connecting to us via proxies,
  # identified by the "Via" header (required for CloudFront).
  gzip_proxied       any;

  # Tell proxies to cache both the gzipped and regular version of a resource
  # whenever the client's Accept-Encoding capabilities header varies;
  # Avoids the issue where a non-gzip capable client (which is extremely rare
  # today) would display gibberish if their proxy gave them the gzipped version.
  gzip_vary          on;

  # Compress all output labeled with one of the following MIME-types.
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/svg+xml
    image/x-icon
    text/css
    text/plain
    text/x-component;

  # Compression level (1-9).
  # 5 is a perfect compromise between size and cpu usage, offering about
  # 75% reduction for most ascii files (almost identical to level 9).
  gzip_comp_level    5;

  # Hide the nginx server version
  server_tokens off;

  # DOS
  limit_conn conn_limit_per_ip 10;
  limit_req zone=req_limit_per_ip burst=25 nodelay;
  limit_conn_status 499;

  ## Block download agents
  if ($http_user_agent ~* LWP::Simple|wget|libwww-perl) {
    return 403;
  }

  ## Block some nasty robots
  if ($http_user_agent ~ Abonti|aboutthedomain|AhrefsBot|Baidu|betaBot|Baiduspider|BLEXBot|email|FatBot|Havij|htmlparser|httrack|iisbot|Lipperhey|LoadImpactPageAnalyzer|LoadImpactRload|ltx71|LWP::simple|Mail.Ru|MetaURI|MJ12bot|Purebot|safebot|scan|scrapboti|semanticbot|SeznamBot|ShopWiki|Skrapebot|Sogou|spider|Stratagems|Twengabot|Twitterbot|Typhoeus|UnisterBot|WebCollector|WebCopier|WebCopy|webcraw|WinHTTrack|Wotbox|YandexBot|Zeus) {
    return 403;
  }

  location ~ .(gif|png|jpe?g)$ {
    valid_referers none blocked www.example.com;
    if ($invalid_referer) {
      return   403;
    }
  }


  # deny scripts inside writable directories
  location ~* /(var|images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ {
    return 403;
  }

  ## Only allow these request methods ##
  if ($request_method !~ ^(GET|POST|HEAD)$ ) {
    return 403;
  }

  # Protect other sensitive files
  location ~ (/(.git/|backup-db/|.htaccess|.*sql)|/\.+) {
    return 403;
  }

## Start: Size Limits & Buffer Overflows ##
  client_body_buffer_size  12K;
  client_header_buffer_size 12K;
  # 413 (Request Entity Too Large)
  client_max_body_size 25M;
  # 414 (Request-URI Too Large)
  # 400 (Bad Request)
  large_client_header_buffers 2 12K;
  ## END: Size Limits & Buffer Overflows ##

  ## Start: Timeouts ##
  # 408 (Request Time-out)
  client_body_timeout   10s;
  # 408 (Request Time-out)
  client_header_timeout 10s;
  keepalive_timeout     5s 5;
  send_timeout          10s;
  ## End: Timeouts ##

  location / {
    try_files $uri $uri/ /index.php?$args;  # make index.php handle requests for /
    access_log off;       # do not log access to static files
    expires max;        # cache static files aggressively
  }

  location ~* \.(eot|ttf|woff|woff2)$ {
    add_header Access-Control-Allow-Origin *;
  }

  location ~*\.(jpeg|jpg|gif|png|css|js|ico|swf|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|zip)$ {
    try_files $uri $uri/ @proxy;    # look for static files in root directory and ask backend if not successful
    expires max;
    #add_header Access-Control-Allow-Origin "*";
    sendfile           on;
    sendfile_max_chunk 1m;
    access_log off;
  }

  # Extra locations
  location ^~ /annualreport/ {
    proxy_pass http://127.0.0.1:8080/;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host $host:$server_port;
  }

  location @proxy {
    fastcgi_pass php_backend_pool1;      # proxy everything from this location to backend
  }


  location ~\.php$ {
    try_files $uri =404;      # if reference to php executable is invalid return 404

    expires off;              # no need to cache php executable files

    fastcgi_read_timeout 600;
    fastcgi_send_timeout 600;
    fastcgi_buffers 8 8k;
    fastcgi_buffer_size 8k;


    fastcgi_intercept_errors on; 
    fastcgi_keep_conn on;       # use persistent connects to backend

    include fastcgi_params;


    fastcgi_param  HTTPS on;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;


    fastcgi_pass php_backend_pool1;
  }

}

My problem is that when I try to use the location, it only works if the file is not a php file:

For example, these work:

/otherlocation/
/otherlocation/file.html
/otherlocation/myimage.jpg

But these are handled by the local server instead of going through the proxy pass:

/otherlocation/index.php
/otherlocation/somefile.php

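Is there a way to force every location starting with /otherlocation to go through proxy_pass, even if the file is php?

Thanks!!

Edit: I have posted the whole config file.

I've been thinking about this, and maybe the best option is to create two virtual hosts listening on localhost, and then create a main proxy to choose between them.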
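
The following is an added example, not part of the original post: a small Python model of how the posted config routes a request, tracing the server-level `if (!-e $request_filename)` rewrites before a location is chosen. It assumes that `/otherlocation/` in the question is the `/annualreport/` prefix in the config and that the requested `.php` file does not exist under the local root `/web/`; the function names are hypothetical and only the two locations in question are modelled.

```python
import re

PROXY_PREFIX = "/annualreport/"   # the `location ^~` prefix in the posted config

def server_rewrite(uri, exists_locally=False):
    """Apply the `if (!-e $request_filename)` rewrites; return (kind, uri)."""
    if exists_locally:                       # -e is true, so the if block is skipped
        return "unchanged", uri
    if re.search(r"/wp-admin$", uri):        # `permanent`: 301 sent to the client
        return "redirect", uri + "/"
    for pattern in (r"^(/[^/]+)?(/wp-.*)", r"^(/[^/]+)?(/.*\.php)"):
        m = re.search(pattern, uri)
        if m:                                # replacement is $2; `last` stops here
            return "rewritten", m.group(2)
    return "unchanged", uri

def pick_location(uri):
    """Simplified selection: only the two locations the question is about."""
    if uri.startswith(PROXY_PREFIX):         # ^~ match: regex locations are skipped
        return "proxy_pass 127.0.0.1:8080"
    if re.search(r"\.php$", uri):            # location ~\.php$
        return "fastcgi php_backend_pool1"
    return "other local location"

def route(uri, exists_locally=False):
    """Return (uri after server rewrites, handler that serves it)."""
    kind, new_uri = server_rewrite(uri, exists_locally)
    if kind == "redirect":
        return new_uri, "301 redirect"
    return new_uri, pick_location(new_uri)

if __name__ == "__main__":
    # Constructed sample requests mirroring the ones listed in the question.
    for u in ("/annualreport/", "/annualreport/file.html",
              "/annualreport/myimage.jpg", "/annualreport/index.php",
              "/annualreport/somefile.php"):
        print(f"{u:30} -> {route(u)}")
```

In this model the `.php` requests never reach the `^~` location: the third rewrite strips the first path segment while the request is still at server level, so the URI is already `/index.php` when nginx picks a location.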
