ngx_http_access_module: implements IP-based access control
Syntax: allow address | CIDR | unix: | all;
        deny  address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except
The ngx_http_access_module module allows limiting access to certain client addresses.
Rules are checked from top to bottom. The first rule whose address or CIDR contains the client address decides; the rules after it are not evaluated, so the most specific (strictest) rules must be placed first. If no rule matches, the request is allowed, which is why an allow-list needs a trailing deny all. A denied request is answered with 403 Forbidden. The address being tested is the TCP peer address ($remote_addr): behind a reverse proxy or load balancer every request arrives from the proxy's address, so allow/deny only does what you expect if ngx_http_realip_module (compiled into the build used below) is configured with set_real_ip_from restricted to the trusted proxies.
location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
# The rules are checked in sequence until the first match is found. In this example access is allowed only for the IPv4 networks 10.1.1.0/16 and 192.168.1.0/24 (excluding the address 192.168.1.1, which the first rule denies) and for the IPv6 network 2001:0db8::/32; everything else falls through to deny all. Note that 10.1.1.0/16 has non-zero host bits: nginx treats it as 10.1.0.0/16 and logs a warning that the low address bits are meaningless, so write the network address you actually mean. When there are many rules, it is better to use ngx_http_geo_module variables.
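To make the first-match semantics concrete, here is an added Python simulation (not code from this page and not nginx's own code) that pulls the allow/deny directives out of a location body and evaluates client addresses in rule order, including the implicit allow when nothing matches. It is run against the documentation example above, against the lab policy used later on this page (deny 10.0.0.103; allow 10.0.0.102; deny all;), and against the same deny without a trailing deny all to show the default. The helper names parse_rules, check and evaluate are this example's own.

```python
"""Simulate how ngx_http_access_module evaluates allow/deny rules.

Added example (not nginx's code and not from the original page). Semantics
re-implemented from the module documentation: rules are tested in the order
written, the first match decides, and a request that matches no rule is
allowed, which is why an allow-list needs a trailing "deny all".
"""
import ipaddress
import re

# Matches "allow <target>;" / "deny <target>;" anywhere in a config body.
DIRECTIVE = re.compile(r"\b(allow|deny)\s+([^\s;]+)\s*;")


def parse_rules(config: str):
    """Return [(verdict, network-or-None)] in the order the directives appear.

    None stands for "all". Comments are stripped first. "unix:" rules are
    skipped because the simulation only deals with IP clients. A CIDR with
    non-zero host bits (e.g. 10.1.1.0/16) is normalised to its network
    address (10.1.0.0/16), which is what nginx does too, while warning that
    the low address bits are meaningless.
    """
    text = re.sub(r"#[^\n]*", "", config)
    rules = []
    for verdict, target in DIRECTIVE.findall(text):
        if target == "all":
            rules.append((verdict, None))
        elif target.startswith("unix:"):
            continue
        else:
            rules.append((verdict, ipaddress.ip_network(target, strict=False)))
    return rules


def check(rules, client: str) -> str:
    """Return "allow" or "deny" for one client address; first match wins."""
    addr = ipaddress.ip_address(client)
    for verdict, net in rules:
        if net is None:                       # "all" matches every client
            return verdict
        if addr.version == net.version and addr in net:
            return verdict
    return "allow"                            # no rule matched: implicit allow


# Example 1: the location block from the module documentation (quoted above).
DOCS_EXAMPLE = """
location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
"""

# Example 2: the lab policy used on this page (only 10.0.0.102 may connect).
LAB_EXAMPLE = "deny 10.0.0.103; allow 10.0.0.102; deny all;"

# Example 3: the same deny without "deny all"; every other client is allowed.
NO_DEFAULT_DENY = "deny 10.0.0.103;"


def evaluate(config: str, clients) -> dict:
    """Map each client address to its verdict under the given config."""
    rules = parse_rules(config)
    return {c: check(rules, c) for c in clients}


if __name__ == "__main__":
    for name, cfg, clients in [
        ("docs", DOCS_EXAMPLE,
         ["192.168.1.1", "192.168.1.2", "10.1.200.7", "10.2.0.1",
          "2001:db8::1", "2001:db9::1"]),
        ("lab", LAB_EXAMPLE, ["10.0.0.102", "10.0.0.103", "10.0.0.104"]),
        ("no deny all", NO_DEFAULT_DENY, ["10.0.0.103", "10.0.0.104"]),
    ]:
        print(f"[{name}]")
        for client, verdict in evaluate(cfg, clients).items():
            print(f"  {client:>16}  {verdict}")
```

Run it as a script to see the verdict table; the third rule set is the one worth staring at, because a forgotten deny all turns a deny-list into an open door for every address not explicitly listed.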
Test example
[root@node1 ~]# uname -r
3.10.0-957.el7.x86_64
[root@node1 ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@node1 ~]# nginx -V
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
# server IP: 10.0.0.101
Lab requirements
Using curl against 10.0.0.101, the page "ni hao nginx!!!" must be reachable only from 10.0.0.102; access from 10.0.0.103 must be denied.
Configure the virtual host
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;

    access_log  logs/host.access.log  main;

    location / {
        deny  10.0.0.103;        # explicit deny; redundant given "deny all" below, but harmless
        allow 10.0.0.102;        # the only client that may reach the site
        deny  all;               # every other client gets 403
        root   html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}
Check the configuration file and reload it
[root@node1 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node1 ~]# nginx -s reload    # nginx is already running, so reload instead of starting it
[root@node1 ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.101:22           10.0.0.1:65155          ESTABLISHED
tcp        0    180 10.0.0.101:22           10.0.0.1:62206          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
Create the nginx test page
echo 'ni hao nginx!!!' > /usr/local/nginx/html/index.html
Access 10.0.0.101 from 10.0.0.102
[root@node2 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.102  netmask 255.0.0.0  broadcast 10.255.255.255
[root@node2 ~]# curl 10.0.0.101
ni hao nginx!!!
# access from 10.0.0.102 succeeds
Access 10.0.0.101 from 10.0.0.103
[root@node3 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.103  netmask 255.0.0.0  broadcast 10.255.255.255
[root@node3 ~]# curl 10.0.0.101
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>
# access from 10.0.0.103 is refused with 403
Check the access log on the nginx server 10.0.0.101
[root@node1 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.101  netmask 255.0.0.0  broadcast 10.255.255.255
[root@node1 ~]# cat /usr/local/nginx/logs/host.access.log
10.0.0.103 - - [09/Sep/2020:16:56:44 +0800] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
10.0.0.103 - - [09/Sep/2020:16:56:45 +0800] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
# both requests from 10.0.0.103 were denied (status 403)
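Reading the log by eye works for two lines; after a rule change on a busy server you want the same check automated. The following is an added Python example (not from this page) that parses host.access.log in nginx's default main log_format, counts 403s per client, and flags any client outside the intended allow-list that was nevertheless served a non-403 response, which is exactly the regression to look for after editing allow/deny rules. The two 403 lines in the sample are the page's own log entries; the two 200 lines are constructed to exercise the served and violation paths. The ALLOWED set and the function names parse_line and audit are this example's own.

```python
"""Audit an nginx access log against an intended allow-list.

Added example, not part of the original page. Lines follow nginx's default
"main" log_format:
  $remote_addr - $remote_user [$time_local] "$request" $status
  $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
Remember that $remote_addr is the TCP peer: behind a proxy it is the proxy's
address unless the realip module rewrites it, and the allow/deny rules are
evaluated against that same address.
"""
import re
from collections import Counter

LOG_LINE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Clients the lab policy is meant to let in (hypothetical allow-list for the audit).
ALLOWED = {"10.0.0.102"}

# Sample input. The two 403 lines are the ones shown on this page; the two
# 200 lines are constructed: one legitimate hit from the allowed client and
# one from 10.0.0.104 that the policy should never have served.
SAMPLE_LOG = """\
10.0.0.103 - - [09/Sep/2020:16:56:44 +0800] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
10.0.0.103 - - [09/Sep/2020:16:56:45 +0800] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
10.0.0.102 - - [09/Sep/2020:16:57:02 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0" "-"
10.0.0.104 - - [09/Sep/2020:16:58:10 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0" "-"
"""


def parse_line(line: str):
    """Parse one main-format log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def audit(log_text: str, allowed) -> dict:
    """Summarise denials and served requests, and list policy violations.

    A violation is any address not in `allowed` that received a response
    other than 403, i.e. the access rules did not stop it.
    """
    denied, served, violations = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:              # skip malformed lines rather than crash
            continue
        if rec["status"] == 403:
            denied[rec["addr"]] += 1
        else:
            served[rec["addr"]] += 1
            if rec["addr"] not in allowed and rec["addr"] not in violations:
                violations.append(rec["addr"])
    return {"denied": denied, "served": served, "violations": violations}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, ALLOWED)
    print("denied (403) per client:", dict(result["denied"]))
    print("served per client:      ", dict(result["served"]))
    print("policy violations:      ", result["violations"])
```

Pipe the real file in with `python3 audit.py < /usr/local/nginx/logs/host.access.log` after swapping SAMPLE_LOG for sys.stdin.read(); a non-empty violations list means a rule is missing, misordered, or the client address nginx sees is not the one you think it is.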