1. allow / deny
The deny and allow directives belong to ngx_http_access_module, which nginx loads by default, so they can be used without any extra build step. This is the simplest and most direct method; it works like a firewall rule in iptables and is written straight into the configuration file. Rules are evaluated in the order they appear, and the first one whose address or network matches the client decides.
Whitelist: deny all; must be added at the end, meaning every address other than those allowed above is rejected.
http {
    upstream mynew {
        server 127.0.0.1:8080;
    }
    server {
        location / {
            allow 218.193.159.197;
            allow 218.193.0.0/16;   # IP range
            deny all;
            proxy_pass http://mynew;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }
}
Blacklist: there is no need to add allow all, because a client that matches no rule is allowed by default.
http {
    upstream mynew {
        server 127.0.0.1:8080;
    }
    server {
        location / {
            deny 218.193.159.197;
            deny 218.193.0.0/16;   # IP range
            proxy_pass http://mynew;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }
}
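The two configurations above differ only in whether the list ends with deny all. The following added Python example (not part of the original post, and not nginx's own code) models how ngx_http_access_module evaluates an ordered rule list: first match wins, and a client that matches nothing is allowed. The rule lists are the ones from the two configurations; the third list is the whitelist with its final deny all left out, to show what that omission does.

```python
import ipaddress
from typing import List, Tuple

# One rule in file order: (action, target), where target is a single IP,
# a CIDR network, or the literal "all" (as in "allow all" / "deny all").
Rule = Tuple[str, str]


def access_decision(rules: List[Rule], client_ip: str) -> str:
    """Return "allow" or "deny" for client_ip under the given rule list,
    using the access module's semantics: the first matching rule decides,
    and a client matching no rule is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        net = ipaddress.ip_network(target, strict=False)
        if addr.version == net.version and addr in net:
            return action
    return "allow"  # implicit default when nothing matched


# Rule lists copied from the two nginx configurations above.
WHITELIST: List[Rule] = [
    ("allow", "218.193.159.197"),
    ("allow", "218.193.0.0/16"),
    ("deny", "all"),
]
BLACKLIST: List[Rule] = [
    ("deny", "218.193.159.197"),
    ("deny", "218.193.0.0/16"),
]
# Constructed variant: the whitelist without its closing "deny all".
WHITELIST_WITHOUT_DENY_ALL: List[Rule] = WHITELIST[:-1]


if __name__ == "__main__":
    # Constructed sample client addresses: one exact match, one inside
    # the /16, one outside both.
    for ip in ("218.193.159.197", "218.193.10.10", "8.8.8.8"):
        print(
            f"{ip:16} whitelist={access_decision(WHITELIST, ip):5} "
            f"blacklist={access_decision(BLACKLIST, ip):5} "
            f"whitelist-without-deny-all={access_decision(WHITELIST_WITHOUT_DENY_ALL, ip)}"
        )
```

Running it shows that without deny all the "whitelist" lets 8.8.8.8 through, which is exactly why the closing rule is mandatory in the whitelist form and an explicit allow all is redundant in the blacklist form.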
Whitelist for a specific path: only 218.193.159.197 and 218.193.159.198 may access /_web/login.jsp; all other paths are left unrestricted.
http {
    upstream mynew {
        server 127.0.0.1:8080;
    }
    server {
        listen 80;
        server_name www.aaa.com;
        proxy_next_upstream error timeout http_502 http_503 http_504;
        location / {
            proxy_pass http://mynew;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
        location = /_web/login.jsp {
            allow 218.193.159.197;
            allow 218.193.159.198;
            deny all;
            proxy_pass http://mynew;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }
}
The address that allow compares against is $remote_addr. Very often requests first pass through a WAF or a similar device, and then every $remote_addr is the same IP (that of the device), so filtering on $remote_addr no longer works and the check has to be made on $http_x_forwarded_for instead. Bear in mind that X-Forwarded-For is a header the client can send itself; only the entry appended by the trusted device in front of nginx is reliable, and the regex below matches the address anywhere in the header value.
http {
    upstream mynew {
        server 127.0.0.1:8080;
    }
    server {
        listen 80;
        server_name www.aaa.com;
        proxy_next_upstream error timeout http_502 http_503 http_504;
        location / {
            proxy_pass http://mynew;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
        location = /_web/login.jsp {
            # Dots are escaped so that "." matches a literal dot rather than any character.
            if ($http_x_forwarded_for !~ (218\.193\.159\.197|218\.193\.159\.198)) {
                return 403;
            }
            proxy_pass http://mynew;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }
}
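To make the X-Forwarded-For caveat concrete, here is an added Python example (not from the original post and not nginx code) that contrasts the substring check performed by the if directive above with the way ngx_http_realip_module recovers the client address when set_real_ip_from and real_ip_recursive on are configured: walk the chain from the right, skip every hop that is a trusted proxy, and take the first address that is not. The trusted-proxy network 10.0.0.0/8 and the sample header values are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List

# The two addresses allowed to reach /_web/login.jsp in the configuration above.
ALLOWED = {"218.193.159.197", "218.193.159.198"}

# Same pattern as the nginx "if": unanchored, so it is satisfied whenever one
# of the addresses appears anywhere in the header value.
NAIVE_PATTERN = re.compile(r"(218\.193\.159\.197|218\.193\.159\.198)")


def naive_check(xff: str) -> bool:
    """What the if ($http_x_forwarded_for !~ ...) test actually evaluates."""
    return NAIVE_PATTERN.search(xff) is not None


def client_ip_from_xff(xff: str, remote_addr: str, trusted_proxies: Iterable[str]) -> str:
    """Recover the client address the way the realip module does with
    real_ip_recursive on: the connecting peer (remote_addr) is the last hop;
    hops are discarded from the right while they belong to a trusted proxy,
    and the first untrusted hop is the client. Entries further left were
    written before the request reached any device we trust."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # malformed entry: never treat it as a trusted hop
        return any(addr in net for net in trusted)

    chain: List[str] = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops = chain + [remote_addr]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop was a trusted proxy; the leftmost one originated the request


def strict_check(xff: str, remote_addr: str, trusted_proxies: Iterable[str]) -> bool:
    """Allow only if the recovered client address is in ALLOWED."""
    return client_ip_from_xff(xff, remote_addr, trusted_proxies) in ALLOWED


if __name__ == "__main__":
    WAF = "10.0.0.5"            # constructed: the device in front of nginx
    TRUSTED = ["10.0.0.0/8"]    # constructed: networks whose XFF entries we trust
    # Constructed header values: one appended only by the WAF, one that already
    # carried an allowed address when it reached the WAF.
    for xff in ("218.193.159.197", "218.193.159.197, 1.2.3.4"):
        print(f"{xff!r:32} naive={naive_check(xff)} "
              f"client={client_ip_from_xff(xff, WAF, TRUSTED)} strict={strict_check(xff, WAF, TRUSTED)}")
```

In the second sample the substring test passes while the recovered client is 1.2.3.4, so the decision should be based on the hop appended by the WAF rather than on a match anywhere in the header.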
Blacklist in ingress-nginx. Note that ingress-nginx does not accept a CIDR range such as 10.80.0.0/24 in this snippet; the range has to be written as a regular expression on $remote_addr.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      set $test '';
      if ( $request_uri ~* (/login\.jsp|/dfxylapp/react/index\.html) ) {
        set $test 1;
      }
      # Matches 10.80.0.1 through 10.80.0.254 only; "[1-254]" would be a character
      # class of the digits 1, 2, 5 and 4, not a numeric range. Quoted because the
      # regex contains braces.
      if ( $remote_addr !~ "^10\.80\.0\.([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])$" ) {
        set $test "${test}2";
      }
      if ( $test = 12 ) {
        return 403;
      }
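Because a CIDR cannot be used in that snippet, the range must be encoded as a regex, and "[1-254]" is an easy mistake to make. The following added Python example (not from the original post, and not part of ingress-nginx) shows what the broken character class actually matches and builds an anchored regex for an IPv4 /24 host range; cidr24_regex is a helper written for this example and handles only /24 networks.

```python
import ipaddress
import re

# The character class "[1-254]" matches ONE character from the set {1, 2, 5, 4}
# (the range 1-2 plus the literals 5 and 4); unescaped dots match any character.
BROKEN = re.compile(r"(10.80.0.[1-254])")

# Last octet 1..254 as an explicit alternation: 1-9, 10-99, 100-199, 200-249, 250-254.
HOST_OCTET = r"([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])"


def cidr24_regex(cidr: str) -> str:
    """Return an anchored regex matching the usable hosts of an IPv4 /24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 networks are supported by this helper")
    a, b, c, _ = str(net.network_address).split(".")
    return rf"^{a}\.{b}\.{c}\.{HOST_OCTET}$"


def in_range(regex: str, addr: str) -> bool:
    """Evaluate the regex the way nginx's "~" operator does (a search, not a full match)."""
    return re.search(regex, addr) is not None


if __name__ == "__main__":
    pattern = cidr24_regex("10.80.0.0/24")
    print("generated:", pattern)
    # Constructed sample addresses: inside the range, at its edges, and outside it.
    for ip in ("10.80.0.1", "10.80.0.3", "10.80.0.254", "10.80.0.255", "10.80.1.7", "10x80y0z1"):
        print(f"{ip:12} broken={BROKEN.search(ip) is not None!s:5} fixed={in_range(pattern, ip)}")
```

The broken pattern rejects 10.80.0.3 (3 is not in the class) yet accepts the string 10x80y0z1, while the generated pattern accepts exactly .1 to .254 of the network.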
Istio. Official reference: https://istio.io/latest/zh/docs/reference/config/security/authorization-policy/
$ cd /opt/sudytech/deploy/istio
Whitelist (an ALLOW policy: once an ALLOW policy selects the ingress gateway, any request that matches none of its rules is denied)
cat > mypolicy.yaml <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["192.168.51.29","241.255.0.218","192.168.52.0/24"]
    to:
    - operation:
        hosts: ["test.sudytech.edu.cn"]
        #paths: ["/get"]
EOF
Blacklist (a DENY policy: requests matching a rule are rejected; DENY policies are evaluated before ALLOW policies)
cat > mypolicy.yaml <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["192.168.51.29","241.255.0.218","192.168.52.0/24"]
    to:
    - operation:
        hosts: ["test.sudytech.edu.cn"]
        #paths: ["/get"]
EOF
$ kubectl apply -f mypolicy.yaml
If a curl to the address reports access denied, the policy is in effect:
$ curl test.sudytech.edu.cn
RBAC: access denied
The addresses for ipBlocks can be read from the log of the istio-ingressgateway-947ld pod in the istio-system namespace. Note that ipBlocks matches the peer address of the connection as seen by the gateway; if a load balancer or WAF sits in front of it, the same $remote_addr problem described above applies (Istio provides source.remoteIpBlocks for addresses taken from X-Forwarded-For or the PROXY protocol).
$ kubectl logs -f istio-ingressgateway-947ld -n istio-system | cut -d ' ' -f 14