How to configure access IP whitelist for Nginx

1. Nginx configure access IP whitelist

Sometimes a deployed application must be reachable only from certain IP addresses and must refuse everyone else. That calls for an access whitelist.

There are several ways to set up an access whitelist:
1. In the network firewall, for example through the Alibaba Cloud or Huawei Cloud management console
2. In the server's own firewall, for example iptables
3. In the nginx configuration, by restricting how requests are dispatched (an if on $remote_addr, for instance)
4. With nginx's allow and deny directives (the scheme this article uses)

The nginx whitelist is controlled with the allow and deny directives (ngx_http_access_module). They can be placed in the http context, in a server block, or in a location. Rules are checked in order and the first match wins, so the closing deny all must come last.

To allow a whole range, such as 10.10.10.0~10.10.10.255, write it in CIDR notation (10.10.10.0/24): allow and deny accept only a single IPv4 or IPv6 address, a CIDR block, or the keyword all, not a start~end range. A range-to-CIDR converter: https://www.ipaddressguide.com/cidr

Example 1:
Applies to every server nginx hosts: only 192.168.1.6 may connect, and every other IP is refused.

http {
......
allow 192.168.1.6;
deny all;
......
}

Example 2:
Applies to one server block (one listening port / virtual host): only 192.168.1.6 and 192.168.1.8 are allowed, and every other IP is refused.

server {
......
allow 192.168.1.6;
allow 192.168.1.8;
deny all;
......
}

Example 3:
Applies to one location only: 192.168.1.6 and the 192.168.2.0/24 segment (192.168.2.0~192.168.2.255) are allowed, and every other IP is refused.

location /screen {
......
allow 192.168.1.6;
allow 192.168.2.0/24;
deny all;
......
}
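As an added illustration (not code from the original article), the following Python converts an inclusive address range to the CIDR blocks that allow/deny expect, and then evaluates an allow/deny list the way ngx_http_access_module does: rules are walked in order, the first match decides, and no match means the request is allowed. The evaluator is a model of nginx's behaviour written for this page; the EXAMPLE_3 fragment is Example 3 above.

```python
import ipaddress

def range_to_cidr(first, last):
    """CIDR blocks covering the inclusive range first..last (IPv4 or IPv6)."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def allow_lines(first, last):
    """The same range rendered as nginx allow directives."""
    return ["allow %s;" % cidr for cidr in range_to_cidr(first, last)]

def parse_rules(config_text):
    """Pick the allow/deny directives out of a config fragment, in order.
    Targets may be a single address, a CIDR block or the keyword all;
    comments and every other directive (location, proxy_pass, ...) are skipped."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue
        action, target = parts
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """Evaluate like ngx_http_access_module: walk the rules in order and let the
    first one whose address/block matches decide. If nothing matches, the
    request is allowed, which is why a whitelist must end in `deny all;`."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == addr.version and addr in net):
            return action == "allow"
    return True

# Example 3 from the page, fed through the evaluator.
EXAMPLE_3 = """
location /screen {
    allow 192.168.1.6;
    allow 192.168.2.0/24;
    deny all;
}
"""

if __name__ == "__main__":
    print(allow_lines("10.10.10.0", "10.10.10.255"))
    rules = parse_rules(EXAMPLE_3)
    for ip in ("192.168.1.6", "192.168.2.77", "192.168.1.8"):
        print(ip, "allowed" if is_allowed(rules, ip) else "denied")
```

A range that is not block-aligned (10.10.10.0~10.10.10.100, say) needs several allow lines; the converter emits all of them, and is_allowed shows that swapping the order (deny all before the allow lines) locks everyone out.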

After editing, check the syntax and reload; the new rules take effect without a restart: sbin/nginx -t && sbin/nginx -s reload

Note: if the machine itself (a local health check, for instance) also needs to reach this proxy, remember to add allow 127.0.0.1; (and allow ::1; if nginx listens on IPv6).

Caveat: on the Internet the address nginx sees is usually not the client's LAN address but the public egress IP of its ISP or NAT gateway, so that is the address to whitelist. Behind a load balancer or CDN, nginx sees the balancer's address instead, and the real client IP is only available through X-Forwarded-For (see section 2).


Query method: search for "IP" in Baidu or Sogou and open one of the "IP address lookup" results to see your public address.
If you are unsure, or the client has no Internet access, read the address from the nginx logs (logs/access.log, or logs/error.log, where refused requests are logged as "access forbidden by rule") to find the IP from which the client reaches this nginx.

2. Four ways to add a whitelist to Nginx
1) Add a firewall whitelist

Whitelist the port that the nginx domain configuration listens on (for example port 80) in iptables, so that only 100.110.15.16, 100.110.15.17 and 100.110.15.18 may connect. The drawback is that the rule applies to port 80 as a whole: every domain served on that port is restricted the same way, which is broader than you may want.

2) Restrict dispatch with the $remote_addr variable

If you only want to restrict one domain (one server block) in nginx, set it in the nginx configuration as follows. In a regular expression an unescaped dot matches any character and a pattern without a trailing anchor also matches longer strings (100.110.15.16 would match 100.110.15.160), so escape the dots and close the pattern with $:

## Whitelist: only the three source IPs below and localhost may reach this site. The three lines below do the work.
if ($remote_addr !~ "^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$") {
    rewrite ^.*$ /maintence.php last;
}

3) The $http_x_forwarded_for variable can be used the same way when nginx sits behind a proxy or load balancer, with a major caveat: X-Forwarded-For is an ordinary request header that any client can set, so a client that reaches nginx directly bypasses this check simply by sending X-Forwarded-For: 100.110.15.16. Only use it when nginx is reachable solely through a trusted proxy that appends to the header, or better, configure ngx_http_realip_module (set_real_ip_from and real_ip_header X-Forwarded-For) so that $remote_addr already holds the real client address and method 2 or 4 can be used. The header may carry a comma-separated chain of hops, so the pattern below checks only the first entry:

## Whitelist: only the three source IPs below and localhost may reach this site.
if ($http_x_forwarded_for !~ "^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)(,|$)") {
    rewrite ^.*$ /maintence.php last;
}
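The two if-blocks above share two weaknesses that are easy to miss in a regex, the unescaped dots and the missing end anchor, and method 3 adds a third: X-Forwarded-For is attacker-supplied. The Python below, an added example that is not code from the original article, shows the loose pattern beside the corrected one and models how ngx_http_realip_module with real_ip_recursive on resolves the client address from X-Forwarded-For given a set of trusted proxies. The addresses 203.0.113.9, 10.0.0.5, 10.0.0.7 and the trusted range 10.0.0.0/8 are made up for the demonstration.

```python
import ipaddress
import re

# The pattern as the page first wrote it: unescaped dots match any character
# and there is no trailing anchor, so it matches more than the four addresses.
LOOSE = re.compile(r"^(100.110.15.16|100.110.15.17|100.110.15.18|127.0.0.1)")
# Escaped and anchored at both ends: matches exactly those four strings.
STRICT = re.compile(r"^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$")

def diverted(pattern, value):
    """Model `if ($var !~ pattern) { rewrite ... /maintence.php last; }`:
    True means the request is sent to the maintenance page, i.e. refused."""
    return pattern.search(value) is None

def client_ip(remote_addr, xff_header, trusted_proxies):
    """Resolve the client address from X-Forwarded-For the way realip does with
    real_ip_recursive on: the header only counts when the TCP peer is a trusted
    proxy, and it is read from the right, skipping trusted hops, until the first
    untrusted address (the client). If every hop is trusted, the leftmost one wins."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip):
        try:
            a = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(a.version == n.version and a in n for n in trusted)

    if not is_trusted(remote_addr):
        return remote_addr            # direct client: the header is just untrusted input
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    result = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                     # malformed entry: keep the last valid hop, trust nothing left of it
        result = hop
        if not is_trusted(hop):
            break
    return result

def accepted(remote_addr, xff_header="", trusted_proxies=()):
    """Whitelist decision on the resolved client address with the STRICT pattern."""
    return not diverted(STRICT, client_ip(remote_addr, xff_header, trusted_proxies))

if __name__ == "__main__":
    print("100.110.15.160 slips past LOOSE:", not diverted(LOOSE, "100.110.15.160"))
    # a direct client forging the header gets nowhere once the TCP peer is checked
    print("forged header, direct client:", accepted("203.0.113.9", "100.110.15.16", ["10.0.0.0/8"]))
    # the same header arriving via a trusted proxy is honoured
    print("via trusted proxy:", accepted("10.0.0.5", "100.110.15.16", ["10.0.0.0/8"]))
```

A proxy that appends the real peer to an attacker-forged header (100.110.15.16, 203.0.113.9) is resolved to 203.0.113.9, because the rightmost untrusted hop is the one the trusted proxy actually talked to; the naive `$http_x_forwarded_for ~ ^(...)` check would have matched the forged first entry.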

4) nginx's allow and deny directives can also be used to restrict access:
## Whitelist: only the three source IPs below and localhost may reach this site.

allow 100.110.15.16;
allow 100.110.15.17;
allow 100.110.15.18;
allow 127.0.0.1;
deny all;

3. Nginx redirect based on client IP

First method

Decide on the client address in $remote_addr and return a 301 when it matches. Regular expressions can be used, but with a large number of unrelated IPs the expression becomes a headache to maintain.

if ($remote_addr = 192.168.1.123) {
    return 301 https://blog.whsir.com;
}

Second method

Implemented in nginx with Lua (this method was contributed by Kong Dashen). Write the IPs that should receive the 301 into the file /tmp/ip, one per line; network segments in CIDR form are supported. Adding entries needs no nginx restart and takes effect immediately, because the file is read on every request.

Note that nginx must be built with the Lua module before this can be used. My whsir one-click nginx package already integrates Lua:

rpm -ivh http://mirrors.whsir.com/centos/whsir-release-centos.noarch.rpm

yum install wnginx -y

The snippet spawns a shell (io.popen) for every request and blocks the worker while it runs, so it suits a low-traffic site, not a busy one. grep is called with -x -F so that 192.168.1.1 does not match 192.168.1.10, and the segment comparison needs the RHEL ipcalc:

set_by_lua $info '
    -- client address as seen by nginx (an address from the TCP connection, not free-form text)
    local opt = ngx.var.remote_addr
    -- exact line match first; otherwise compare the network of $ip against each CIDR line in /tmp/ip
    local file = io.popen("ip=" ..opt.. ";if grep -qxF $ip /tmp/ip;then echo $ip; exit 0;fi ; for net in $(grep / /tmp/ip);do [ $(ipcalc -n $ip/${net#*/}) = $(ipcalc -n $net) ] && echo $ip && break; done")
    -- first output line is the IP when it matched, nil when it did not
    local content1 = file:read("*l")
    file:close()
    return content1
';

# $info equals $remote_addr only when the address was found in /tmp/ip
if ( $info = $remote_addr) {
    return 301 https://blog.whsir.com;
}
4. Detailed steps for configuring an IP whitelist in nginx

First analyze the nginx access log to see which IPs have been reaching nginx. With the default combined log format the client address is the first field, so count by it:

Command reference:

awk '{print $1}' logs/access.log | sort | uniq -c | sort -nr -k1

Sample output:

1053 192.168.3.15
893 192.168.3.10
818 192.168.0.8
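An added Python equivalent of the awk pipeline (not code from the original article) that also validates each address, so a truncated or malformed line cannot end up in the whitelist, and renders the result in the ip.conf format used in the next step. The log lines are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in nginx's default "combined" format; the client address
# is the first field, exactly what `awk '{print $1}'` extracts.
ACCESS_LOG = """\
192.168.3.15 - - [10/Oct/2023:13:55:36 +0800] "GET /screen HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.3.10 - - [10/Oct/2023:13:55:37 +0800] "GET /test HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.168.3.15 - - [10/Oct/2023:13:55:38 +0800] "POST /api HTTP/1.1" 201 64 "-" "curl/8.0"
192.168.0.8 - - [10/Oct/2023:13:55:39 +0800] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.3.15 - - [10/Oct/2023:13:55:40 +0800] "GET /screen HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.3.10 - - [10/Oct/2023:13:55:41 +0800] "GET /test HTTP/1.1" 403 162 "-" "Mozilla/5.0"
not-an-ip - - [10/Oct/2023:13:55:42 +0800] "GET / HTTP/1.1" 400 0 "-" "-"
"""

def top_client_ips(log_text):
    """Equivalent of `awk '{print $1}' | sort | uniq -c | sort -nr`: a list of
    (count, ip) pairs, most frequent first. Lines whose first field is not a
    valid IPv4/IPv6 address (garbage or truncated lines) are dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        first = line.split(" ", 1)[0]
        try:
            ipaddress.ip_address(first)
        except ValueError:
            continue
        counts[first] += 1
    # count descending, then address ascending for a stable listing
    return sorted(((n, ip) for ip, n in counts.items()), key=lambda t: (-t[0], t[1]))

def render_ip_conf(addresses):
    """Emit the lines ip.conf needs for `geo $remote_addr $ip_whitelist { include ip.conf; }`:
    each address or CIDR maps to 1; the geo block's `default 0` covers everything else."""
    lines = []
    for a in addresses:
        ipaddress.ip_network(a, strict=False)   # raises ValueError on garbage before nginx ever sees it
        lines.append("%s 1;" % a)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    ranking = top_client_ips(ACCESS_LOG)
    for n, ip in ranking:
        print("%5d %s" % (n, ip))
    # whitelist the addresses you recognise, not simply the busiest ones
    print(render_ip_conf([ip for _, ip in ranking if ip.startswith("192.168.3.")]))
```

If a proxy or load balancer sits in front of nginx, the first field is the proxy's address, and the listing is only meaningful once realip (or a log format that records X-Forwarded-For) is in place.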


1. Add the IP whitelist file

Create the file ip.conf in the conf directory of the nginx installation. It is included into the geo block, so every line has the form "<address or CIDR> 1;"; blank lines and # comments are allowed:

vi ip.conf
192.168.3.11 1;
192.168.3.10 1;
192.168.0.112 1;


2. Configure nginx.conf
Edit the http block:

http {
    # ...

    # geo IP whitelist: $ip_whitelist is 1 for addresses listed in ip.conf, otherwise 0
    geo $remote_addr $ip_whitelist {
       default 0;
       include ip.conf;
    }

    # ...
}

Edit the server block. The two if-blocks each append a 0 to the flag: once when the client is not whitelisted, once when the request is not for the notice page. Only "100" (both true) triggers the redirect, so the notice page itself stays reachable. The exemption must test $uri, the normalized request path, with an anchored prefix: $request_uri also contains the query string, so an unanchored test on it would let any request carrying /warn_navigate_page in its query (for example /test?x=/warn_navigate_page) through the whitelist.

server {
    listen       80;
    # ...

    # IP whitelist
    set $whitelist_flag 1;
    if ( $ip_whitelist != 1 ) {
       set $whitelist_flag "${whitelist_flag}0";
    }
    # exempt the notice page itself; use $uri (path only), not $request_uri (includes the query string)
    if ( $uri !~ ^/warn_navigate_page ) {
       set $whitelist_flag "${whitelist_flag}0";
    }
    if ( $whitelist_flag = "100" ) {
       #return 403;
       rewrite ^(.*)$ $scheme://$host:$server_port/warn_navigate_page break; # whitelist notice page
    }

    # ...
}

The same chain can instead be placed in a location block, so that only that path is restricted:

Edit the location block:

location /test {
    proxy_pass  http://IP/test;
    # ...

    # IP whitelist
    set $whitelist_flag 1;
    if ( $ip_whitelist != 1 ) {
            set $whitelist_flag "${whitelist_flag}0";
    }
    # exempt the notice page itself; use $uri (path only), not $request_uri (includes the query string)
    if ( $uri !~ ^/warn_navigate_page ) {
            set $whitelist_flag "${whitelist_flag}0";
    }
    if ( $whitelist_flag = "100" ) {
            #return 403;
            rewrite ^(.*)$ $scheme://$host:$server_port/warn_navigate_page break; # whitelist notice page
    }

    # ...
}
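To see why the exemption must test $uri rather than $request_uri, the following Python (added here, not part of the original article) models the flag chain both as the page originally wrote it, an unanchored case-insensitive `!~*` on $request_uri, and in the corrected form. The whitelist is the three addresses from ip.conf; 203.0.113.9 is a made-up outside address. Percent-decoding the path only approximates nginx's $uri normalization, which also collapses dot segments and repeated slashes.

```python
import re
from urllib.parse import urlsplit, unquote

# Addresses from ip.conf; in nginx this is the geo block's lookup table.
WHITELIST = {"192.168.3.11", "192.168.3.10", "192.168.0.112"}

def ip_whitelist(remote_addr):
    """$ip_whitelist as produced by `geo $remote_addr $ip_whitelist`: 1 if listed, else the default 0."""
    return 1 if remote_addr in WHITELIST else 0

def decide_as_written(remote_addr, request_uri):
    """The flag chain as originally written. $request_uri is the raw request
    target including the query string, and `!~* '/warn_navigate_page'` is an
    unanchored, case-insensitive substring test on it."""
    flag = "1"
    if ip_whitelist(remote_addr) != 1:
        flag += "0"
    if re.search("/warn_navigate_page", request_uri, re.IGNORECASE) is None:
        flag += "0"
    return "redirect" if flag == "100" else "serve"

def decide_fixed(remote_addr, request_uri):
    """Same chain, but the exemption tests the normalized path ($uri, which
    carries no query string) against an anchored prefix, so nothing the client
    appends after '?' can switch the exemption on."""
    uri = unquote(urlsplit(request_uri).path)   # approximation of nginx's $uri
    flag = "1"
    if ip_whitelist(remote_addr) != 1:
        flag += "0"
    if re.match(r"^/warn_navigate_page", uri) is None:
        flag += "0"
    return "redirect" if flag == "100" else "serve"

if __name__ == "__main__":
    cases = [("192.168.3.10", "/test"),
             ("203.0.113.9", "/test"),
             ("203.0.113.9", "/warn_navigate_page"),
             ("203.0.113.9", "/test?x=/warn_navigate_page")]   # the bypass
    for ip, uri in cases:
        print("%-13s %-32s as written: %-8s fixed: %s"
              % (ip, uri, decide_as_written(ip, uri), decide_fixed(ip, uri)))
```

The last case is the one that matters: an outside client asking for /test with the exemption string hidden in the query is served by the original chain and redirected by the corrected one. Returning 403 instead of the redirect (the commented-out line in the config) is the simpler choice when no notice page is needed.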

Add the notice page location /warn_navigate_page:

server {
    listen       80;
    # ...

    # whitelist notice page
    location /warn_navigate_page {
        root /home/java/nginx/bizapp/warn_navigate_page;
        index  warn_navigate_page.html warn_navigate_page.htm;
        rewrite ^(.*)$ /warn_navigate_page.html break;
    }
}

3. Edit the whitelist notice page
Create the page warn_navigate_page.html in /home/java/nginx/bizapp/warn_navigate_page.

Reference:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=no">
    <meta content="yes" name="apple-mobile-web-app-capable">
    <meta content="black" name="apple-mobile-web-app-status-bar-style">
    <meta content="telephone=no" name="format-detection">
    <meta content="email=no" name="format-detection">
    <title>System notice</title>
    <style type="text/css">
        body {
            background: url(https://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png) no-repeat;
            background-size: 100% 100%;
            background-attachment: fixed;
        }
    </style>
</head>
<body>
    <div>
        <pre>                                                                                     [Notice]

        Dear user, this system no longer accepts direct access by IP address. Please contact the administrator to be added to the whitelist. Internet domain address: <a href="https://www.baidu.com">Go to https://www.weidianyuedu.com</a>

        </pre>
    </div>
</body>
<script type="text/javascript">
</script>
</html>


References:
https://blog.csdn.net/wanzhong11/article/details/131396910
https://blog.csdn.net/hdxx2022/article/details/132020861
https://blog.whsir.com/post-4430.html

Origin blog.csdn.net/lxw1844912514/article/details/133320686