Access control
Allow some network ranges to reach the site while denying others.
Restricting access by IP:
1) Whitelist:
allow 127.0.0.1;
deny all;
2) Blacklist:
deny 127.0.0.1;
deny 1.1.1.1;
nginx checks these rules in order and the first match wins; a client that matches no rule is allowed, which is why a whitelist must end with deny all while a blacklist does not need it.
Restricting access to a directory
location /admin/  # applies to requests under the admin directory
{
allow 127.0.0.1;
allow 192.168.112.136;
deny all;
}
Example:
# vim /etc/nginx/conf.d/bbs.wangzb.cc.conf
server {
listen 80;
server_name bbs.wangzb.cc;
allow 127.0.0.1;       # allow 127.0.0.1
allow 192.168.1.0/24;  # /24 means the 255.255.255.0 range
deny all;              # deny every other address
}
Testing the IP restriction
Requesting through 127.0.0.1:80 returns status 200:
# curl -x127.0.0.1:80 -I bbs.wangzb.com
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 17 Feb 2019 04:29:35 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
Set-Cookie: DjaQ_2132_saltkey=s61mW6eU; expires=Tue, 19-Mar-2019 04:29:35 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: DjaQ_2132_lastvisit=1550374175; expires=Tue, 19-Mar-2019 04:29:35 GMT; Max-Age=2592000; path=/
Set-Cookie: DjaQ_2132_sid=tmbMTm; expires=Mon, 18-Feb-2019 04:29:35 GMT; Max-Age=86400; path=/
Set-Cookie: DjaQ_2132_lastact=1550377775%09index.php%09; expires=Mon, 18-Feb-2019 04:29:35 GMT; Max-Age=86400; path=/
Set-Cookie: DjaQ_2132_onlineusernum=3; expires=Sun, 17-Feb-2019 04:34:35 GMT; Max-Age=300; path=/
Set-Cookie: DjaQ_2132_sid=tmbMTm; expires=Mon, 18-Feb-2019 04:29:35 GMT; Max-Age=86400; path=/
Requesting through 192.168.222.11:80 (outside the allowed range) returns status 403.
Access control 2:
Restricting which IPs may access a particular file
# vim /etc/nginx/conf.d/admin.php
location ~ /admin.php
{
allow 127.0.0.1;
allow 192.168.1.0/24;
deny all;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.wangzb.cc$fastcgi_script_name;
include fastcgi_params;
}
Testing file access
# curl -x192.168.1.34:80 -I bbs.wangzb.cc/admin.php
Access control 3
Restricting a class of files under certain directories
Edit the configuration file and add the following:
location ~ .*(upload|image|attachment|cache)/.*\.php$
{
deny all;
}
Test:
# curl -x127.0.0.1:80 -I bbs.wangzb.cc/attachment/sdwefad.php
The result is a 403 error:
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 17 Feb 2019 06:07:02 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Requesting a file outside the restricted set returns 404 instead:
# curl -x127.0.0.1:80 -I bbs.wangzb.cc/cache.txt
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Sun, 17 Feb 2019 06:09:23 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Access control 4
Restricting by user-agent (the ~ match below is case-sensitive; use ~* to match regardless of case)
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
Simulated test
# curl -A 'aaaaaSpider/3.0' -x127.0.0.1 bbs.wangzb.cc -I
curl: (7) Failed connect to 127.0.0.1:1080; 拒绝连接
[root@wangzb01 conf.d]# curl -A 'aaaaaSpider/3.0' -x127.0.0.1:80 bbs.wangzb.cc -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Sun, 17 Feb 2019 06:19:19 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Supplement:
curl usage
curl -A 'aaaaaSpider/3.0' -x127.0.0.1:80 bbs.wangzb.cc -I
-A sets the user-agent
-e sets the referer
-x sets the ip and port of the target server (curl's proxy option, used here to direct the request at a given server)
-I shows only the response headers, not the page body
-v shows the communication in detail
Access control 5
Restricting by URI
if ($request_uri ~ (viewthread|abc|123))
{
return 403;
}
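To make the decision rules concrete, here is an added Python model (not nginx code and not from the original post) of how nginx evaluates the allow/deny lists, the deny-all location for upload/image/attachment/cache, and the user-agent and URI `if` blocks shown on this page. It assumes both `if` blocks sit in the server block and that the deny-all location is listed before any generic PHP location; the sample requests are constructed.

```python
import ipaddress
import re

# Rules transcribed from the page's nginx snippets. The evaluation below is a
# constructed model of nginx's behaviour (not nginx code) used to show which
# requests each rule blocks and why rule order matters.
SERVER_RULES = [("allow", "127.0.0.1"), ("allow", "192.168.1.0/24"), ("deny", "all")]
ADMIN_RULES = SERVER_RULES  # location ~ /admin.php repeats the same three lines
BLACKLIST = [("deny", "127.0.0.1"), ("deny", "1.1.1.1")]  # no trailing deny all
UPLOAD_PHP = re.compile(r".*(upload|image|attachment|cache)/.*\.php$")
BAD_AGENTS = re.compile(r"Spider/3.0|YoudaoBot|Tomato")
BAD_URIS = re.compile(r"viewthread|abc|123")


def ip_allowed(rules, client_ip):
    """allow/deny semantics: rules are checked top to bottom, the first whose
    source contains the client wins, and a client matching no rule is allowed.
    A blacklist without a closing 'deny all' therefore lets everyone else in
    (intended); a whitelist without it would admit everyone (a bug)."""
    ip = ipaddress.ip_address(client_ip)
    for action, source in rules:
        if source == "all" or ip in ipaddress.ip_network(source, strict=False):
            return action == "allow"
    return True


def decide(client_ip, uri, user_agent):
    """Return 403 if the page's rules block the request, else 200 meaning
    'passed access control' (a missing file would still give 404 later)."""
    # Assumed placement: both `if` blocks sit in the server block, so they run
    # in the rewrite phase before any location is selected.
    if BAD_AGENTS.search(user_agent) or BAD_URIS.search(uri):
        return 403
    # Regex locations are tried in the order written and the first match wins,
    # so the deny-all block for upload/image/attachment/cache must be listed
    # before any generic PHP location (assumed here) or it never fires.
    if UPLOAD_PHP.match(uri):
        return 403
    # The page's `location ~ /admin.php` leaves the dot unescaped; kept as written.
    rules = ADMIN_RULES if re.search(r"/admin.php", uri) else SERVER_RULES
    return 200 if ip_allowed(rules, client_ip) else 403


if __name__ == "__main__":
    for args in [("127.0.0.1", "/", "curl/7.29.0"),
                 ("192.168.222.11", "/", "curl/7.29.0"),
                 ("127.0.0.1", "/attachment/sdwefad.php", "curl/7.29.0"),
                 ("127.0.0.1", "/", "aaaaaSpider/3.0")]:
        print(args, "->", decide(*args))
```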