Home  >  Article  >  Operation and Maintenance  >  How to set directory whitelist and ip whitelist in nginx

How to set directory whitelist and ip whitelist in nginx

PHPz
PHPzforward
2023-05-18 15:52:461837browse

1. Set the directory whitelist: There is no restriction on the specified request path. If there is no restriction on the request path to the api directory, it can be written as

server{
    location /app {
      proxy_pass http://192.168.1.111:8095/app;

      limit_conn conn 20;

      limit_rate 500k;

      limit_req zone=foo burst=5 nodelay; 
    }
    location /app/api {
      proxy_pass http://192.168.1.111:8095/app/api
    }
}
# 因nginx会优先进行精准匹配,所以以上写法即接触了对api目录下属路径的限制

2. To set the IP whitelist, you need to use nginx geo and nginx map

If there is no manual deletion (--without-http_geo_module or --without-http_map_module), nginx loads it by default ngx-http-geo-module and ngx-http-map-module related content;

ngx-http-geo-module can be used to create variables, the variable value depends on the client ip address;

ngx-http-map-module can create variables based on other variables and variable values, which allows classification, or mapping multiple variables to different values ​​​​and storing them in one variable;

nginx geo 格式说明
 
syntax ( 语法格式 ): geo [$address] $variable { ... }
default ( 默认 ): -
content ( 配置段位 ): http
nginx map 格式说明
syntax ( 语法格式 ): map string $variable { ... }
default ( 默认 ):-
content ( 配置段位 ): http
 
白名单配置示例
 
http{
   # ... 其他配置内容
   #定义白名单ip列表变量
   geo $whiteiplist {
     default 1 ;
     127.0.0.1/32 0;
     64.223.160.0/19 0;
   }
   #使用map指令映射将白名单列表中客户端请求ip为空串
   map $whiteiplist $limit{
     1 $binary_remote_addr ;
     0 "";
   }
   #配置请求限制内容
   limit_conn_zone $limit zone=conn:10m;
   limit_req_zone $limit zone=allips:10m rate=20r/s;
   server{
     location /yourapplicationname {
       proxy_pass http://192.168.1.111:8095/app;
       limit_conn conn 50;
       limit_rate 500k;
       limit_req zone=allips burst=5 nodelay;
     }
   }
}
白名单配置可用于对合作客户,搜索引擎等请求过滤限制
 
#(特殊情况处理)
 
#如果想仅限制指定的请求,如:只限制post请求,则:
http{
   # 其他请求..
   #请求地址map映射
   map $request_method $limit {
     default "";
     post $binary_remote_addr;
   }
   #限制定义
   limit_req_zone $limit zone=reqlimit:20m rate=10r/s;
   server{
     ... #与普通限制一致
   }
}
#在此基础上,想进行指定方法的白名单限制处理,则:
http{
   #...
   #定义白名单列表
   map $whiteiplist $limitips{
     1 $binary_remote_addr;
     0 "";
   }
 
   #基于白名单列表,定义指定方法请求限制
   map $request_method $limit {
     default "";
     # post $binary_remote_addr;
     post $limitips;
   }
 
   #对请求进行引用
   limit_req_zone $limit zone=reqlimit:20m rate=10r/s;
 
   #在server中进行引用
   server{
     #... 与普通限制相同
   }
}

The above is the detailed content of How to set directory whitelist and ip whitelist in nginx. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete