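Blocking foreign IP access in Nginx
Overview: this article installs the nginx module used to block access from foreign IPs and uses it to block visitors from outside China.
Module: ngx_http_geoip2_module
References: https://www.cnblogs.com/yakniu/p/16407953.html
https://blog.csdn.net/qq_43652666/article/details/134493884
Steps
1. Prerequisites
# 1. Download the module with git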
git clone https://github.com/leev/ngx_http_geoip2_module.git
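# 2. nginx must already be installed
nginx -V    # copy the existing modules / configure arguments and pass them again when compiling
2. Check the existing modules and version first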
[root@P006-HB2C ~]# /usr/local/openresty/nginx/sbin/nginx -V
nginx version: openresty/1.21.4.2
built by gcc 9.1.1 20190605 (Red Hat 9.1.1-2) (GCC)
built with OpenSSL 1.1.1s 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
# Original location: --prefix=/usr/local/openresty/nginx
3. Compile the new build (adding the module)
# Add the module (--add-module=/usr/local/ngx_http_geoip2_module)
./configure --prefix=/usr/local/openresty/nginx --add-module=/usr/local/ngx_http_geoip2_module --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
# New location: --prefix=/usr/local/openresty/nginx
# Compile
make
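# Back up the previous binary (the prefix is a directory; the binary is sbin/nginx, as in step 2)
cp /usr/local/openresty/nginx/sbin/nginx /usr/local/openresty/nginx/sbin/nginx-bak
# Overwrite the old binary with the new one (make leaves the new binary at objs/nginx in the build directory; /data/nginx is the path used in this article)
# -f removes and recreates the destination if it cannot be opened because nginx is still running
cp -f /data/nginx /usr/local/openresty/nginx/sbin/nginx
# Kill nginx (-f matches against the full command line, which contains the binary path)
[root@fxkj nginx-1.18.0]# pkill -f /usr/local/openresty/nginx/sbin/nginx
# Start Nginx again
/usr/local/openresty/nginx/sbin/nginx
4. Edit the nginx configuration file (in the http block, add the configuration rules for the IP-blocking module)
# /usr/local/openresty/nginx/conf/nginx.conf
# load_module is only needed when the module was built as a dynamic module (--add-dynamic-module);
# with --add-module as in step 3 the module is compiled into the binary and this line must be omitted.
load_module /opt/nginx/nginx-1.24.0/objs/ngx_http_geoip2_module.so;
# The following goes inside the http block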
server_tokens off;
charset utf-8;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                '"$geoip2_country_code" $geoip2_country_name_cn'; # Log the visitor's country code and country name; Chinese display must be configured for the log for the name to be readable.
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
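# real_ip_header only takes effect for peers listed with set_real_ip_from; none are configured here.
real_ip_header X-Forwarded-For;
# $realip: the first IPv4 address in X-Forwarded-For, otherwise the TCP peer address.
# X-Forwarded-For is a request header, so it is only reliable when a trusted proxy in front of nginx sets it.
map $http_x_forwarded_for $realip {
    ~^(\d+\.\d+\.\d+\.\d+) $1;
    default $remote_addr;
}
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb { # Load the database and define the lookup variables
    $geoip2_country_code source=$realip country iso_code;
    $geoip2_country_name_en source=$realip country names en;
    $geoip2_country_name_cn source=$realip country names zh-CN;
}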
#### Next, add a location rule inside the server block
location / {
    if ($geoip2_country_code != CN) {
        return 404;
    }
}
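
The configuration above geolocates the first X-Forwarded-For entry of every request, whoever sent it. The following variant is an added example, not part of the original post: it accepts that header only from a trusted proxy and otherwise geolocates the TCP peer address. The range 10.0.0.0/8 is a placeholder for your own proxy or load balancer addresses, and $allow_country is a variable name introduced here.

```nginx
# Added example, not the original post's configuration.
# Assumption: 10.0.0.0/8 stands in for your own proxy / load balancer range.
http {
    # X-Forwarded-For is honoured only when the connection comes from a
    # trusted proxy; for any other peer $remote_addr stays the TCP source.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;   # take the last address in the header that is not a trusted proxy

    # Look up $remote_addr, which the realip module has already replaced
    # with the validated client address for proxied requests.
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        $geoip2_country_code    source=$remote_addr country iso_code;
        $geoip2_country_name_en source=$remote_addr country names en;
        $geoip2_country_name_cn source=$remote_addr country names zh-CN;
    }

    # One place for the allow decision. An empty country code (address not
    # in the database, e.g. private or loopback ranges) falls to "default"
    # and is denied, which matches the behaviour of the `!= CN` test.
    map $geoip2_country_code $allow_country {
        default 0;
        CN      1;
    }

    server {
        listen 80;

        location / {
            if ($allow_country = 0) {
                return 404;
            }
        }
    }
}
```

Run `nginx -t` against the edited file before restarting, and add your monitoring or health-check source ranges to the decision if they resolve to an empty country code.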
