了防止一些可能出现存在漏洞的后台脚本暴露,使用验证的方式保护这些文件所在的目录
使用apache的htpasswd工具生成密码
yingouqlj@yingouqlj-laptop:~$ htpasswd -b -c filename username passwd
Adding password for user ******
nginx可以为网站或目录甚至特定的文件设置密码认证。密码必须是crypt加密的。可以用apache的htpasswd来创建密码。
格式为:htpasswd -b -c site_pass username password
site_pass为密码文件。放在同nginx配置文件同一目录下,当然你也可以放在其它目录下,那在nginx的配置文件中就要写明绝对地址或相对当前目录的地址。
如果你输入htpasswd命令提示没有找到命令时,你需要安装httpd.如centos是yum install httpd
如果是为了给网站加上认证,可以直接将认证语句写在nginx的配置server段中。
如果是为了给目录加上认证,就需要写成目录形式了。同时,还要在目录中加上php的执行,否则php就会被下载而不执行了。
例如:基于整个网站的认证,auth_basic在php解释之前。
| 代码如下 | 复制代码 |
| server { listen 80; server_name www.akii.org akii.org; root /www/akii; index index.html index.htm index.php; auth_basic "input you user name and password"; auth_basic_user_file /usr/local/nginx/conf/vhost/nginx_passwd; location ~ .php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; } location ~ /.ht { deny all; } access_log /logs/akii.org_access.log main; } |
|
针对目录的认证,在一个单独的location中,并且在该location中嵌套一个解释php的location,否则php文件不会执行并且会被下载。auth_basic在嵌套的location之后。
| 代码如下 | 复制代码 |
|
1server { listen 80; server_name www.akii.org akii.org; root /www/akii; index index.html index.htm index.php; location ~ ^/admin/.* { location ~ .php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; } auth_basic "auth"; auth_basic_user_file /usr/local/nginx/conf/vhost/auth/admin.pass; } location ~ .php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; } location ~ /.ht { deny all; } access_log /logs/akii.org_access.log main; } |
|
这里有一个细节,就是location ~ ^/admin/.* {…} 保护admin目录下的所有文件。如果你只设了/admin/ 那么直接输入/admin/index.php还是可以访问并且运行的。 ^/admin/.* 意为保护该目录下所有文件。当然,只需要一次认证。并不会每次请求或每请求一个文件都要认证一下。
附一个可用的bash脚本 用于创建密码
| 代码如下 | 复制代码 |
| #!/bin/bash PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin export PATH #set UserName username="" read -p "Please input UserName:" username if [ "$username" = "" ]; then echo "Error:UserName can't be NULL!" exit 1 fi echo "===========================" echo "UserName was: $username" echo "===========================" #set password unpassword="" read -p "Please input the Password:" unpassword if [ "$unpassword" = "" ]; then echo "Error:Password can't be NULL!" exit 1 fi echo "===========================" echo "Password was: $unpassword" echo "===========================" password=$(perl -e 'print crypt($ARGV[0], "pwdsalt")' $unpassword) #set htpasswd file htfile="" read -p "Please input Auth filename:" htfile if [ "$htfile" = "" ]; then echo "Error:Auth filename can't be NULL!" exit 1 fi echo "===========================" echo "Auth File:$htfile" echo "===========================" get_char() { SAVEDSTTY=`stty -g` stty -echo stty cbreak dd if=/dev/tty bs=1 count=1 2> /dev/null stty -raw stty echo stty $SAVEDSTTY } echo "" echo "Press any key to Creat...or Press Ctrl+c to cancel" char=`get_char` if [ ! -f $htfile ]; then echo "Create Auth file......" cat >$htfile<<eof $username:$password eof echo "Create Auth file successful,auth file path:$htfile" else echo "File already exists,please run this script again." exit 1 fi |
|
命令参数注释:
Usage:
htpasswd [-cmdpsD] passwordfile username
htpasswd -b[cmdpsD] passwordfile username password
htpasswd -n[mdps] username
htpasswd -nb[mdps] username password
-c Create a new file.
-n Don’t update file; display results on stdout.
-m Force MD5 encryption of the password (default).
-d Force CRYPT encryption of the password.
-p Do not encrypt the password (plaintext).
-s Force SHA encryption of the password.
-b Use the password from the command line rather than prompting for it.
-D Delete the specified user.
-b 使用命令行处理