nginx-access-control-8

nginx access control module

1. IP-based access control: http_access_module

2. User-based trust login: http_auth_basic_module

IP-based access control

IP-based access control covers four situations: allow everyone, deny everyone, deny one address and allow everyone else, and allow one address and deny everyone else. Note: the rules are matched in order and the first match wins, so do not write "allow all" before a "deny" for one address (the deny is never reached and becomes ineffective), and do not write "deny all" before an "allow" for one address (the allow is never reached and becomes ineffective).

Configuration syntax:

Syntax: allow address|CIDR|unix:|all;
Default: none
Context: http, server, location, limit_except

Syntax: deny address|CIDR|unix:|all;
Default: none
Context: http, server, location, limit_except

Configure test:

Allow everyone to access
[root@localhost ~]# vim /etc/nginx/conf.d/rewrite.conf
server {
        listen 80;
        server_name www.hjf777.com;
        location / {
        root /html;
        index index.html;
        allow all;
        }
}
[root@localhost ~]# 
[root@localhost ~]# tree /html/
/html/
└── index.html
Access from the 192.168.242.134 machine
[root@localhost ~]# curl 192.168.242.138
123
Access from the 192.168.242.140 machine
[root@localhost ~]# curl 192.168.242.138
123

Deny everyone access
[root@localhost ~]# vim /etc/nginx/conf.d/rewrite.conf
server {
        listen 80;
        server_name www.hjf777.com;
        location / {
        root /html;
        index index.html;
        deny all;
        }
}
[root@localhost ~]# tree /html/
/html/
└── index.html
Access from the 192.168.242.134 machine
[root@localhost ~]# curl 192.168.242.138
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>
Access from the 192.168.242.140 machine
[root@localhost ~]# curl 192.168.242.138
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>

Allow one address, deny everyone else
[root@localhost ~]# vim /etc/nginx/conf.d/rewrite.conf 
server {
        listen 80;
        server_name www.hjf777.com;
        location / {
        root /html;
        index index.html;
        allow 192.168.242.134;
        deny all;
        }
}
[root@localhost ~]# tree /html/
/html/
└── index.html
Access from the 192.168.242.134 machine
[root@localhost ~]# curl 192.168.242.138
123
Access from the 192.168.242.140 machine
[root@localhost ~]# curl 192.168.242.138
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>

Deny one address, allow everyone else
[root@localhost ~]# vim /etc/nginx/conf.d/rewrite.conf 
server {
        listen 80;
        server_name www.hjf777.com;
        location / {
        root /html;
        index index.html;
        deny 192.168.242.134;
        allow all;
        }
}
[root@localhost ~]# tree /html/
/html/
└── index.html
Access from the 192.168.242.134 machine
[root@localhost ~]# curl 192.168.242.138
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>
Access from the 192.168.242.140 machine
[root@localhost ~]# curl 192.168.242.138
123
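The four cases above, plus the mis-ordered "allow all" before "deny one" that the note warns about, as an added example that is not part of the original post: a small Python model of how ngx_http_access_module walks allow/deny rules top to bottom and stops at the first match. The location bodies and client addresses are constructed to mirror the tests above; unix: sockets are not modelled.

```python
import ipaddress

# Constructed location bodies: the post's four cases plus the ordering
# mistake it warns about ("allow all" first makes the later deny unreachable).
CONFIGS = {
    "allow_all": "allow all;",
    "deny_all": "deny all;",
    "allow_one_deny_all": "allow 192.168.242.134;\ndeny all;",
    "deny_one_allow_all": "deny 192.168.242.134;\nallow all;",
    "wrong_order": "allow all;\ndeny 192.168.242.134;",  # deny never reached
}

def parse_rules(body):
    """Extract allow/deny directives (address, CIDR or 'all') from a location
    body in order; other directives such as root/index are skipped."""
    rules = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            target = parts[1]
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            rules.append((parts[0], net))
    return rules

def check_access(body, client_ip):
    """Mimic nginx: test rules top to bottom, the first matching rule decides;
    a request that matches no rule is allowed (so 'deny all' is the usual tail)."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(body):
        if net is None or ip in net:   # 'all' matches every address
            return action == "allow"
    return True

def decision_table(clients=("192.168.242.134", "192.168.242.140")):
    """Return {config_name: {client_ip: 'allowed' | '403'}} for every case."""
    return {name: {c: "allowed" if check_access(body, c) else "403" for c in clients}
            for name, body in CONFIGS.items()}

if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:20s} {row}")
```

Running it shows the wrong_order case granting 192.168.242.134 access even though a deny for it is present, which is exactly the ineffective rule the note describes.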

User-based trust login

Configuration syntax:

Syntax: auth_basic string | off;
Default: auth_basic off;
Context: http, server, location, limit_except

Syntax: auth_basic_user_file file;
Default: none
Context: http, server, location, limit_except
file: the file that stores the username and password information.

Configuration example:

[root@localhost ~]# vim /etc/nginx/conf.d/rewrite.conf
server {
        listen 80;
        server_name www.hjf777.com;
        location / {
        root /html;
        index index.html;
        auth_basic "welcome!";    # enables the auth_basic directive; the "welcome!" realm string is arbitrary
        auth_basic_user_file /etc/nginx/auth_conf;     # path to the password file
        }
}
Note: the password file can be placed in any directory as long as nginx has permission to read it, so it is recommended to keep it under nginx's working directory.
[root@localhost ~]# yum install -y httpd-tools
....
[root@localhost ~]# htpasswd -cm /etc/nginx/auth_conf hjf
New password: 
Re-type new password: 
Adding password for user hjf
[root@localhost ~]# cat /etc/nginx/auth_conf 
hjf:$apr1$h0ZsB8Ux$as3.Cx943iojJs3HFYTKI.
-c  create a new file
-m  force MD5 hashing of the password (the default).

Access test:

Limitations
(1) User information depends on a file-based method.
(2) Operations and management are inefficient.

Solutions
(1) Combine Nginx with Lua to implement efficient authentication.
(2) Connect Nginx to LDAP using the nginx-auth-ldap module.
(3) Use Nginx only as an intermediate proxy and hand the actual authentication over to the application.

Origin blog.csdn.net/qq_50660509/article/details/129809426