Nginx whitelist configuration
1. Restricting access to the nginx port with iptables
[root@china ~]# vim /etc/sysconfig/iptables
......
-A INPUT -s 100.110.15.16 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 100.110.15.17 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 100.110.15.18 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
2. Restricting access with the nginx built-in variable $remote_addr
server {
    listen 80;
    server_name testwww.yangjianbo.com;
    root /var/www/vhosts/testwww.yangjianbo.com/httpdocs/main;
    access_log /var/www/vhosts/testwww.yangjianbo.com/logs/access.log main;
    error_log /var/www/vhosts/testwww.yangjianbo.com/logs/error.log;
    ## Whitelist: only clients from the three source IPs below and localhost may access this site. The next three lines do the work.
    ## The dots are escaped and the pattern is anchored with $, otherwise an address such as 100.110.15.160 would also pass.
    if ($remote_addr !~ "^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$") {
        rewrite ^.*$ /maintence.php last;
    }
    location / {
        try_files $uri $uri/ @router;
        index index.php;
    }
    error_page 500 502 503 504 /50x.html;
    location @router {
        rewrite ^.*$ /index.php last;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_read_timeout 30;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #include fastcgi_params;
        include fastcgi.conf;
    }
}
3. Access control with the $http_x_forwarded_for variable
server {
    listen 80;
    server_name testwww.yangjianbo.com;
    root /var/www/vhosts/testwww.yangjianbo.com/httpdocs/main;
    access_log /var/www/vhosts/testwww.yangjianbo.com/logs/access.log main;
    error_log /var/www/vhosts/testwww.yangjianbo.com/logs/error.log;
    ## Whitelist: only clients from the three source IPs below and localhost may access this site. The next three lines do the work.
    ## X-Forwarded-For is a request header, so this check only means something behind a trusted proxy that sets it;
    ## the header may hold a comma-separated chain, so the first (client) entry must match exactly.
    if ($http_x_forwarded_for !~ "^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)(,|$)") {
        rewrite ^.*$ /maintence.php last;
    }
    location / {
        try_files $uri $uri/ @router;
        index index.php;
    }
    error_page 500 502 503 504 /50x.html;
    location @router {
        rewrite ^.*$ /index.php last;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_read_timeout 30;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #include fastcgi_params;
        include fastcgi.conf;
    }
}
4. Access control with the nginx allow and deny directives
server {
    listen 80;
    server_name testwww.yangjianbo.com;
    root /var/www/vhosts/testwww.yangjianbo.com/httpdocs/main;
    access_log /var/www/vhosts/testwww.yangjianbo.com/logs/access.log main;
    error_log /var/www/vhosts/testwww.yangjianbo.com/logs/error.log;
    ## Whitelist: only clients from the three source IPs below and localhost may access this site.
    allow 100.110.15.16;
    allow 100.110.15.17;
    allow 100.110.15.18;
    allow 127.0.0.1;
    deny all;
    location / {
        try_files $uri $uri/ @router;
        index index.php;
    }
    error_page 500 502 503 504 /50x.html;
    location @router {
        rewrite ^.*$ /index.php last;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_read_timeout 30;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #include fastcgi_params;
        include fastcgi.conf;
    }
}
5. Using the geo module (ngx_http_geo_module)
1. The geo directive
Syntax: geo [$address] $variable { ... }
Default: —
Context: http
Defines the variable from which the client IP address is taken. By default nginx takes the client address from $remote_addr, but it can also be taken from another variable.
Example:
geo $remote_addr $geo {
    default 0;
    127.0.0.1 1;
}
geo $arg_ttlsa_com $geo {
    default 0;
    127.0.0.1 1;
}
2. Using the geo module for a rate-limit whitelist in nginx
[root@localhost ~]# cat /usr/local/nginx/conf/vhosts/wangshibo.conf
geo $whiteiplist {
    default 1;
    127.0.0.1 0;
    192.168.0.0/16 0;
    58.68.230.0/24 0;
}
map $whiteiplist $limit {
    1 $binary_remote_addr;
    0 "";
}
limit_conn_zone $limit zone=limit:10m;
server {
    listen 80;
    server_name dev.yangjianbo.com yangjianbo.com *.yangjianbo.com;
    access_log /usr/local/nginx/logs/8080-access.log main;
    error_log /usr/local/nginx/logs/8080-error.log;
    location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
    }
    location ^~ /download/ {
        limit_conn limit 4;   # maximum number of concurrent connections
        limit_rate 200k;      # bandwidth per connection
        alias /data/wangshibo/download/;
    }
}
1) The geo directive defines a whitelist variable $whiteiplist with default value 1, so every client is restricted by default. If the client IP matches one of the listed addresses or networks, $whiteiplist becomes 0, i.e. that client is not restricted.
2) The map directive maps clients whose $whiteiplist is 1 (the restricted ones) to their client address, and clients whose $whiteiplist is 0 (the whitelisted ones) to an empty string.
3) limit_conn_zone and limit_req_zone ignore requests whose key is empty, so the listed IPs are not limited.
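The matching logic of sections 2, 3 and 5, modelled in Python as an added example (not code from the original post): the unescaped, unanchored regex from sections 2 and 3 admits addresses outside the list, the escaped and anchored form does not, and the geo/map pair from section 5 yields an empty limit key for whitelisted networks. The function names and table layout are my own; the addresses and networks are the ones used in the post.

```python
import ipaddress
import re

# Whitelist from sections 2 and 3, written the way the post originally matched it
RAW_RE = r"^(100.110.15.16|100.110.15.17|100.110.15.18|127.0.0.1)"
# The same list with escaped dots and an end anchor
FIXED_RE = r"^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$"


def regex_allows(pattern, addr):
    """Mirror nginx `if ($var !~ pattern)`: the client is allowed iff the pattern matches."""
    return re.search(pattern, addr) is not None


# geo block from section 5 (a bare address in geo is a /32); default applies when nothing matches
GEO_WHITELIST = {
    "127.0.0.1/32": 0,
    "192.168.0.0/16": 0,
    "58.68.230.0/24": 0,
}
GEO_DEFAULT = 1


def geo_lookup(addr, table=GEO_WHITELIST, default=GEO_DEFAULT):
    """Emulate ngx_http_geo_module: the most specific matching network wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net_str, value in table.items():
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else default


def limit_key(addr):
    """Emulate the map block: restricted clients are keyed by address, whitelisted ones get ''."""
    return addr if geo_lookup(addr) == 1 else ""


if __name__ == "__main__":
    # Constructed sample clients: one listed, one that only shares a prefix, one outside
    for client in ("100.110.15.16", "100.110.15.160", "8.8.8.8"):
        print(client, regex_allows(RAW_RE, client), regex_allows(FIXED_RE, client))
    for client in ("192.168.5.7", "58.68.230.9", "8.8.8.8"):
        print(client, "limit key:", repr(limit_key(client)))
```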