Tag-Archive for » nginx «

Saturday, October 25th, 2008 | Author: Joshua

Method 1:

location ~* \.(js|css|jpg|png|gif|others)$ {
valid_referers none blocked *.sasacity.com sasacity.com;
if ($invalid_referer) {
rewrite ^/ http://www.sasacity.com/logo.gif;
#return 404;
}
}

Method 2:
Use the ngx_http_accesskey_module module

Configuration example:

location /download {
accesskey on;
accesskey_hashmethod md5;
accesskey_arg "key";
accesskey_signature "mypass$remote_addr";
}

The client then accesses the path: http://example.com/download/file.zip?key=09093abeac094.

For details see: http://wiki.codemongers.com/NginxHttpAccessKeyModule
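The following is an added example, not code from the post or from the accesskey module itself. It shows the server side of method 2: how an application derives the key that matches the configuration above (accesskey_hashmethod md5, accesskey_signature "mypass$remote_addr"), and how the same derivation verifies a presented key. It assumes the module hashes the signature string with $remote_addr substituted by the client's IP; the secret, IP addresses and URLs are constructed sample values.

```python
import hashlib
import hmac

# Constructed secret (the page's config uses the literal "mypass" in the signature).
SECRET = "mypass"


def accesskey_signature(secret, remote_addr):
    """Plain signature string for a client, matching accesskey_signature "mypass$remote_addr".

    Assumption: nginx substitutes $remote_addr with the connecting IP and hashes
    the resulting string as-is.
    """
    return f"{secret}{remote_addr}"


def make_accesskey(secret, remote_addr, hashmethod="md5"):
    """Compute the value the client must send as ?key=... for its address."""
    sig = accesskey_signature(secret, remote_addr).encode()
    if hashmethod == "md5":
        return hashlib.md5(sig).hexdigest()
    if hashmethod == "sha1":
        return hashlib.sha1(sig).hexdigest()
    raise ValueError(f"unsupported accesskey_hashmethod: {hashmethod}")


def build_download_url(base, path, remote_addr, secret=SECRET):
    """Link an application hands to a client; it only works from that client's IP."""
    return f"{base}{path}?key={make_accesskey(secret, remote_addr)}"


def verify_accesskey(secret, remote_addr, presented_key, hashmethod="md5"):
    """Server-side check mirroring the module: recompute and compare in constant time."""
    expected = make_accesskey(secret, remote_addr, hashmethod)
    return hmac.compare_digest(expected, presented_key)


if __name__ == "__main__":
    # Constructed sample client address.
    client_ip = "203.0.113.5"
    url = build_download_url("http://example.com", "/download/file.zip", client_ip)
    print(url)
    key = url.split("key=")[1]
    print("same client:", verify_accesskey(SECRET, client_ip, key))
    print("other client:", verify_accesskey(SECRET, "198.51.100.9", key))
```

Because the client address is part of the hashed string, a key copied out of one user's link stops working when replayed from another address; the secret itself never leaves the server and the nginx configuration.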

Category: Server Technology
Wednesday, August 13th, 2008 | Author: Joshua

First, the Rewrite rules of Nginx and Apache do not differ much, but Nginx's rewrite rules are much simpler and more flexible than Apache's.
Nginx can use if for conditional matching; the syntax resembles C.


if ($http_user_agent ~ MSIE) {
rewrite ^(.*)$ /msie/$1 break;
}

Click here for the official documentation
Rewrite Flags

Flags can be any of the following:
* last - completes processing of rewrite directives, after which it searches for the corresponding URI and location
* break - completes processing of rewrite directives
* redirect - returns a temporary redirect with code 302; it is used if the substituting line begins with http://
* permanent - returns a permanent redirect with code 301

last - after the rewrite directives finish, search for the matching URI and location. Equivalent to Apache's [L] flag: the rewrite is complete and later rules are no longer matched.
break - stops Rewrite processing; no further rules are matched.
redirect - returns a temporary redirect with HTTP status 302.
permanent - returns a permanent redirect with HTTP status 301.

Rewrite rules for the ZEND Framework:
Case 1:
Redirect everything to /index.php
rewrite ^/(.*) /index.php?$1&;
Case 2:
If the file or directory does not exist, redirect to index.php
if (!-e $request_filename) {
rewrite ^/(.*) /index.php?$1&;
}

Rewrite rules for WordPress:
Case 1:
http://www.wemvc.com/12 redirects to http://www.wemvc.com/index.php?p=12
if (!-e $request_filename) {
rewrite ^/(.+)$ /index.php?p=$1 last;
}

Case 2:
Very similar to the Zend Framework configuration
if (!-e $request_filename) {
rewrite ^/(.*) /index.php?$1&;
}

Below are the complete Discuz Rewrite rules for Nginx
if (!-f $request_filename) {
rewrite ^/archiver/((fid|tid)-[\w\-]+\.html)$ /archiver/index.php?$1 last;
rewrite ^/forum-([0-9]+)-([0-9]+)\.html$ /forumdisplay.php?fid=$1&page=$2 last;
rewrite ^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ /viewthread.php?tid=$1&extra=page%3D$3&page=$2 last;
rewrite ^/space-(username|uid)-(.+)\.html$ /space.php?$1=$2 last;
rewrite ^/tag-(.+)\.html$ /tag.php?name=$1 last;
}

File and directory tests, where:
-f and !-f test whether a file exists
-d and !-d test whether a directory exists
-e and !-e test whether a file or directory exists
-x and !-x test whether a file is executable

Explanation of all the regular-expression symbols
~ case-sensitive match
~* case-insensitive match
!~ and !~* case-sensitive non-match and case-insensitive non-match, respectively
(pattern) matches pattern and captures the match. The captured match can be retrieved from the resulting Matches collection; in VBScript use the SubMatches collection, in JScript use the $0…$9 properties. To match parenthesis characters, use '\(' or '\)'.
^ matches the start of the input string.
$ matches the end of the input string.
To learn more about regular expressions, see here: Regular Expressions
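Below is an added example, not from the post or from Discuz, WordPress or nginx: a small simulator for an ordered list of rewrite rules, used to check which internal URI the Discuz rules above and the WordPress rule (/12 to /index.php?p=12) produce for a given request. It models the rules in order, the $1..$9 captures, the !-f guard, and that a matching rule with the last or break flag ends processing of the list; the difference that last re-runs location matching is not modeled, and the sample URIs and the file_exists callback are constructed.

```python
import re

# Rules transcribed from the page's Discuz block: (regex, replacement, flag).
DISCUZ_RULES = [
    (r"^/archiver/((fid|tid)-[\w\-]+\.html)$", "/archiver/index.php?$1", "last"),
    (r"^/forum-([0-9]+)-([0-9]+)\.html$", "/forumdisplay.php?fid=$1&page=$2", "last"),
    (r"^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$",
     "/viewthread.php?tid=$1&extra=page%3D$3&page=$2", "last"),
    (r"^/space-(username|uid)-(.+)\.html$", "/space.php?$1=$2", "last"),
    (r"^/tag-(.+)\.html$", "/tag.php?name=$1", "last"),
]

# The WordPress case 1 rule from the page.
WORDPRESS_RULES = [(r"^/(.+)$", "/index.php?p=$1", "last")]


def substitute(replacement, match):
    """Replace $1..$9 in an nginx replacement string with the PCRE captures."""
    def repl(m):
        group = int(m.group(1))
        return match.group(group) or ""
    return re.sub(r"\$([1-9])", repl, replacement)


def apply_rewrites(uri, rules, file_exists=lambda path: False):
    """Return the URI nginx would end up with for `uri` after the rule list.

    file_exists models the `if (!-f $request_filename)` guard around the rules:
    when the requested file exists on disk, the whole block is skipped.
    Assumption of this simulator: `last` and `break` both simply stop the list.
    """
    if file_exists(uri):
        return uri
    for pattern, replacement, flag in rules:
        m = re.search(pattern, uri)
        if not m:
            continue
        uri = substitute(replacement, m)
        if flag in ("last", "break"):
            return uri
    return uri


if __name__ == "__main__":
    # Constructed sample requests.
    for path in ["/thread-12-3-4.html", "/forum-7-2.html", "/space-uid-5.html",
                 "/tag-nginx.html", "/static/logo.gif"]:
        print(path, "->", apply_rewrites(path, DISCUZ_RULES))
    print("/12 ->", apply_rewrites("/12", WORDPRESS_RULES))
```

Running the thread rule through the simulator makes the capture reordering visible: the second number becomes page and the third becomes the extra parameter, which is easy to get backwards when reading the rule by eye.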

Tuesday, August 12th, 2008 | Author: Joshua

In this short post the point is how to protect your files and part of your web site with a username and password. Nginx offers many options for protecting a site with usernames and passwords, and its solution is no less attractive than Apache's.

In the configuration file, specify the folder to protect; beyond that it is only necessary to load the file with the passwords.
Here are two examples of protecting a folder of files:
location ^~ /files/ {
root   /path/to/server;
autoindex    on;
autoindex_exact_size  off;
auth_basic "Hello, please login";
auth_basic_user_file /usr/nginx/passwords;
access_log   /usr/nginx/logs/files.log   download;
}
and for protecting the admin folder, with an additional restriction on IP:
location ^~ /admin/ {
fastcgi_pass unix:/home/project/server.sock;
include  conf/fastcgi.conf;
allow 11.11.0.0/16;
allow 22.22.22.22;
deny all;
auth_basic "Hello, Admin, please login";
auth_basic_user_file /usr/nginx/adminpassword;
access_log   /usr/nginx/logs/admin.log  main;
}
Apache's htpasswd utility can be used to create and update usernames and passwords:
htpasswd -b passwords NewUser NewPassword
The resulting line in the file, with the encoded password, looks like:
NewUser:P47ghZ4kloG78: You Can Comment Here
Protection against password cracking can be organized with two methods that both rely on iptables:
Blocking an IP temporarily if the number of requests per second exceeds a reasonable amount.
Writing failed attempts to a log, checking it with a script every minute, and then feeding the offending IP addresses into iptables.
For the first variant it is enough to create the rules:
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW \
    -m recent --name bhttp --set
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW \
    -m recent --name bhttp --update --seconds 120 --hitcount 360 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -j ACCEPT
It is possible to use TARPIT instead of DROP to complicate the life of the crackers.

For the second variant it is necessary to add to the config:
location /401.html {
root   /usr/nginx;
access_log   /usr/nginx/logs/denied.log  error401;
}
For example, my error401 log format looks like this:
log_format error401 '$remote_addr - $remote_user [$time_local] '
'$status "$request"';
Now all failed logins are saved in a separate log file, which is checked by a cron job:
*/1 * * * * root /usr/nginx/parser401.pl >/dev/null 2>&1
For example, this script: parser401.pl. The script checks the log file and, if it finds more than 4 attempts with a wrong password, blocks that IP address.
Are there any ideas?
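As an added example (not the post's parser401.pl, whose source is not on the page), here is the checking step of the second variant in Python: parse lines written in the error401 log format above, count 401 responses per client address, and render the iptables rules for every address with more than 4 failures. The log lines, addresses and the exact rule form are constructed; the block only renders the commands and does not run them.

```python
import re
from collections import Counter

# Constructed sample lines in the page's format:
#   '$remote_addr - $remote_user [$time_local] $status "$request"'
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2008:10:01:02 +0000] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - - [12/Aug/2008:10:01:03 +0000] 401 "GET /admin/ HTTP/1.1"
198.51.100.4 - bob [12/Aug/2008:10:01:05 +0000] 401 "GET /files/ HTTP/1.1"
203.0.113.7 - - [12/Aug/2008:10:01:06 +0000] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - - [12/Aug/2008:10:01:07 +0000] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - - [12/Aug/2008:10:01:08 +0000] 401 "GET /admin/ HTTP/1.1"
198.51.100.4 - bob [12/Aug/2008:10:02:00 +0000] 200 "GET /files/ HTTP/1.1"
"""

# One regex per field of the error401 format; $remote_user is "-" when absent.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<status>\d{3}) "(?P<request>[^"]*)"$'
)

THRESHOLD = 4  # the post blocks after more than 4 wrong-password attempts


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_failures(log_text):
    """Count 401 responses per client address, ignoring unparsable lines."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "401":
            failures[rec["addr"]] += 1
    return failures


def addresses_to_block(log_text, threshold=THRESHOLD):
    """Addresses with more than `threshold` failed logins, sorted for stable output."""
    return sorted(a for a, n in count_failures(log_text).items() if n > threshold)


def iptables_rules(addresses):
    """Render the DROP rules the cron job would install (constructed form, not executed)."""
    return [f"iptables -I INPUT -s {a} -p tcp --dport 80 -j DROP" for a in addresses]


if __name__ == "__main__":
    blocked = addresses_to_block(SAMPLE_LOG)
    for rule in iptables_rules(blocked):
        print(rule)
```

Counting only lines whose status is 401 keeps the script correct even if the same log format is later attached to other locations, and parsing with an anchored regex means a malformed or truncated line is skipped rather than producing a bogus address in the firewall.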

Category: Server Technology | One Comment