The Referer field in the Nginx log is an HTTP request header that indicates the page a request came from. By analysing the Referer field you can learn where visitors arrive from and use that information for access control, hotlink protection and similar measures.
How to use the Referer field
- Hotlink protection: with Nginx's `valid_referers` directive you can restrict access to certain resources to requests that come from specific sources. For example, the following configuration allows requests from example.com to access the /secure/ path and rejects requests from every other source:

```nginx
# Hotlink protection for /secure/: accept requests with no Referer ("none"), with a Referer
# that a proxy reduced to a non-http(s) value ("blocked"), from this server's own names,
# and from example.com or any of its subdomains.
# nginx matches the regex against the Referer with "http://" / "https://" removed, so the
# host comes first and a path may follow; anchoring on "(/|$)" instead of a bare "$" keeps
# referers that carry a path working and stops hosts such as example.com.evil.test.
location /secure/ {
    valid_referers none blocked server_names ~^([a-z0-9-]+\.)*example\.com(/|$);
    if ($invalid_referer) {
        return 403;
    }
}
```
- Access control: when using the Nginx Ingress in a Kubernetes environment, Referer filtering can be configured through annotations. For example, the following configuration allows requests from a specific IP address range to access the /secure/ path:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: referer-ingress
  annotations:
    # Filters on the client source IP, not on the Referer header
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Key as given on the page; it is not part of the documented ingress-nginx annotation set,
    # so verify it against your controller version before relying on it
    nginx.ingress.kubernetes.io/regex-match: '^https?://(www\.)?example\.com'
spec:
  rules:
    - http:
        paths:
          - path: /secure/
            pathType: ImplementationSpecific
            backend:
              service:
                name: secure-service   # placeholder backend service name
                port:
                  number: 80
```
- Log analysis: the Nginx log contains the Referer field, and analysing it shows where users come from. For example, the following is an optimised Nginx log format, written as a `log_format` directive, that includes the Referer field:

```nginx
# escape=json makes the values valid JSON (needs nginx 1.11.8 or later).
# The format name json_combined and the access_log path are placeholders.
log_format json_combined escape=json
  '{'
    '"time_local":"$time_iso8601",'
    '"msec":"$msec",'
    '"remote_addr":"$remote_addr",'
    '"remote_user":"$remote_user",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"content_length":"$content_length",'
    '"upstream_response_length":"$upstream_response_length",'
    '"upstream_addr":"$upstream_addr",'
    '"upstream_connect_time":"$upstream_connect_time",'
    '"bytes_sent":"$bytes_sent",'
    '"request_length":"$request_length",'
    '"connection_requests":"$connection_requests",'
    '"http_status":"$status",'
    '"schema":"$scheme",'
    '"uri":"$uri",'
    # $http_cookie writes session cookies into the log; restrict log access or drop this field
    '"http_cookie":"$http_cookie",'
    '"request_uri":"$request_uri",'
    '"query_string":"$query_string",'
    '"method":"$request_method",'
    '"request_time":"$request_time",'
    '"upstream_response_time":"$upstream_response_time",'
    '"upstream_status":"$upstream_status",'
    '"http_host":"$http_host",'
    '"http_referrer":"$http_referer",'
    '"http_x_forwarded_for":"$http_x_forwarded_for",'
    '"sla_appname":"$cookie_sla_appname",'
    '"http_user_agent":"$http_user_agent",'
    '"host":"$host",'
    '"request":"$request",'
    '"server_addr":"$server_addr",'
    '"request_id":"$http_x_request_id"'
  '}';

access_log /var/log/nginx/access.json json_combined;
```
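As an added example (not code from the original page), the following Python script reads log lines in the JSON format above, applies the same Referer allow-list logic as the `valid_referers` rule for /secure/, and counts per client address how many /secure/ requests carried a Referer the rule would reject. The log lines are constructed and contain only the fields the script uses; the allow-list regex and the `allow_none` switch are this example's assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the JSON log_format above (only the fields used here).
SAMPLE_LOG = """
{"time_local":"2024-05-01T10:00:00+00:00","remote_addr":"203.0.113.5","uri":"/secure/report.pdf","http_status":"200","http_referrer":"https://www.example.com/downloads","http_host":"example.com"}
{"time_local":"2024-05-01T10:00:01+00:00","remote_addr":"198.51.100.7","uri":"/secure/report.pdf","http_status":"200","http_referrer":"https://evil.test/example.com/","http_host":"example.com"}
{"time_local":"2024-05-01T10:00:02+00:00","remote_addr":"198.51.100.7","uri":"/secure/report.pdf","http_status":"200","http_referrer":"","http_host":"example.com"}
{"time_local":"2024-05-01T10:00:03+00:00","remote_addr":"192.0.2.9","uri":"/index.html","http_status":"200","http_referrer":"https://other.test/","http_host":"example.com"}
{"time_local":"2024-05-01T10:00:04+00:00","remote_addr":"198.51.100.7","uri":"/secure/a.zip","http_status":"200","http_referrer":"https://example.com.evil.test/","http_host":"example.com"}
"""

# Applied the way nginx's valid_referers applies a regex: to the Referer with "http://" or
# "https://" removed, so the host is at the start and a path may follow. A regex ending in a
# bare "$" right after the host would reject every referer that carries a path; anchoring on
# the host boundary "(/|$)" keeps those and still rejects hosts like example.com.evil.test.
ALLOWED_REFERER = re.compile(r"^([a-z0-9-]+\.)*example\.com(/|$)", re.IGNORECASE)


def referer_allowed(referer: str, allow_none: bool = True) -> bool:
    """Mirror of 'valid_referers none ~<regex>': an empty Referer passes when allow_none is
    True (like 'none'); anything else must match after the scheme is stripped."""
    if not referer:
        return allow_none
    stripped = re.sub(r"^https?://", "", referer, flags=re.IGNORECASE)
    return ALLOWED_REFERER.match(stripped) is not None


def suspicious_secure_hits(log_text: str, prefix: str = "/secure/",
                           allow_none: bool = True) -> Counter:
    """Count requests under `prefix` whose Referer the allow-list rejects, keyed by client."""
    hits = Counter()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["uri"].startswith(prefix) and not referer_allowed(rec["http_referrer"], allow_none):
            hits[rec["remote_addr"]] += 1
    return hits


if __name__ == "__main__":
    for addr, n in suspicious_secure_hits(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} request(s) to /secure/ with a Referer outside the allow-list")
```

Because the Referer header is set by the client, this check is useful for spotting hotlinking and for log triage, not as an authentication boundary; pass `allow_none=False` to also count requests that arrive with no Referer at all.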
With the configuration and analysis methods above, the Referer field in the Nginx log can be put to effective use to strengthen the server's security and access control.