1 前言

生产环境中，我们有时候需用使用Nginx限制文件类型的访问，由此需求我们整理出本章节的内容。

2 最佳实践

2.1 服务器环境

如果你尚未配置Nginx服务器环境，请按如下配置准备，
https://www.cmdschool.org/archives/7415

2.2 只允许某类型的文件访问

2.2.1 修改配置文件

vim /etc/nginx/conf.d/www.cmdschool.org_80.conf

将配置修改如下，

server {
    listen       80;
    server_name  www.cmdschool.org;

    location ~* \.(html|htm|php|gif|jpg|jpeg|bmp|png|ico|js|css)$ {
        root   /var/www/www.cmdschool.org;
        index  index.html index.htm  index.php;
        expires 3d;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

2.2.2 重启服务使配置生效

systemctl restart nginx.service

2.2.3 创建测试页

echo www.cmdschool.org > /var/www/www.cmdschool.org/index.html
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.bat

2.2.4 测试html类型的文件访问

curl http://www.cmdschool.org/index.html

命令显示如下，

www.cmdschool.org

2.2.5 测试bat类型的文件访问

curl http://www.cmdschool.org/index.bat

命令显示如下，

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

2.3 只拒绝访问某类型的文件

2.3.1 修改配置文件

vim /etc/nginx/conf.d/www.cmdschool.org_80.conf

将配置修改如下，

server {
    listen       80;
    server_name  www.cmdschool.org;

    location / {
        root   /var/www/www.cmdschool.org;
        index  index.html index.htm  index.php;
    }

    location ~ \.(exe|bat)$ {
        root   /var/www/www.cmdschool.org;
        return 410;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

2.3.2 重启服务使配置生效

systemctl restart nginx.service

2.3.3 创建测试页

echo www.cmdschool.org > /var/www/www.cmdschool.org/index.html
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.bat

2.3.4 测试html类型的文件访问

curl http://www.cmdschool.org/index.html

命令显示如下，

www.cmdschool.org

2.3.5 测试bat类型的文件访问

curl http://www.cmdschool.org/index.bat

命令显示如下，

<html>
<head><title>410 Gone</title></head>
<body>
<center><h1>410 Gone</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

2.4 为拒绝访问某类型设置特许

2.4.1 修改配置文件

vim /etc/nginx/conf.d/www.cmdschool.org_80.conf

将配置修改如下，

server {
    listen       80;
    server_name  www.cmdschool.org;

    location / {
        root   /var/www/www.cmdschool.org;
        index  index.html index.htm  index.php;
    }

    location ~ /exception/(example.exe|example.bat)$ {
        root   /var/www/www.cmdschool.org;
    }

    location ~* \.(exe|bat)$ {
        root   /var/www/www.cmdschool.org;
        return 410;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

以上利用匹配模式的优先级别实现，优先级别从高到底排列如下，

“=”精确匹配
“^~”不做模式匹配
“~”正则表达式的模式匹配
“~*”正则表达式的模式匹配
“” 无符号匹配模式

2.4.2 重启服务使配置生效

systemctl restart nginx.service

2.4.3 创建测试页

echo www.cmdschool.org > /var/www/www.cmdschool.org/index.html
echo www.cmdschool.org > /var/www/www.cmdschool.org/index.bat
echo www.cmdschool.org > /var/www/www.cmdschool.org/exception/example.bat
echo www.cmdschool.org > /var/www/www.cmdschool.org/exception/example.exe

2.4.4 测试html类型的文件访问

curl http://www.cmdschool.org/index.html

命令显示如下，

www.cmdschool.org

2.4.5 测试bat类型的文件访问

curl http://www.cmdschool.org/index.bat

命令显示如下，

<html>
<head><title>410 Gone</title></head>
<body>
<center><h1>410 Gone</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

2.4.5 测试特许的bat文件访问

curl http://www.cmdschool.org/exception/example.bat
curl http://www.cmdschool.org/exception/example.ext

命令显示如下，

www.cmdschool.org