Whitelist-based access control configuration in Nginx reverse proxy

Nginx is a high-performance HTTP server and reverse proxy server with the advantages of stability and scalability. To protect web servers from malicious users and malicious programs, many businesses and organizations implement access control measures. This article will introduce how to control reverse proxy access through whitelisting in Nginx.

1. What is a reverse proxy?

Reverse proxy refers to a Web server configuration method that hides the Web server behind a group of proxy servers. The address of the reverse proxy server is visible to the client. The reverse proxy server is responsible for forwarding the client's request to the real Web server and returning the Web server's response to the client. A reverse proxy can increase your web server's throughput and prevent attacks.

2. Why is access control needed?

Web servers usually face access from all over the world, and some of the requests may come from malicious users or malicious programs. These malicious requests may lead to security issues such as web server paralysis, data leakage, tampering and theft of sensitive information. In order to prevent these problems, it is usually necessary to implement an access control mechanism to restrict only specific IP addresses, domain names or users from accessing the web server.

3. How does Nginx implement access control based on whitelist?

1. Define the IP addresses that are allowed to be accessed

In the nginx.conf configuration file, you can use the allow directive to specify the IP addresses that are allowed to access, for example:

http {
    #定义白名单
    geo $whitelist {
        default 0;
        10.0.0.0/8 1;
        192.168.0.0/16 1;
    }

    server {
        listen 80;
        server_name example.com;
        location / {
            #指定允许访问的IP地址
            allow $whitelist;
            #禁止其他IP地址的访问
            deny all;
            #...
        }
    }
}

In the above configuration file, use the geo directive to define the whitelist. Among them, $whitelist is a variable indicating the IP addresses that are allowed to be accessed. By default, the value of $whitelist is 0, indicating that access is not allowed. If the accessed IP address is within the 10.0.0.0/8 or 192.168.0.0/16 network segment, the value of $whitelist is 1 and access is allowed. In the location, use the allow directive to specify that access to the IP addresses in the $whitelist variable is allowed, and use the deny directive to prohibit access to other IP addresses.

2. Define the domain names that are allowed to be accessed

In the nginx.conf configuration file, you can use the server_name directive to specify the domain names that are allowed to be accessed, for example:

http {
    #定义白名单
    server {
        listen       80;
        server_name  example.com;

        #允许访问的域名
        if ($host !~* ^(example.com)$ ) {
            return 403;
        }
        
        location / {
            #...
        }
    }
}

In the above configuration file, use the server_name directive to specify that only access to the example.com domain name is allowed. In location, if the requested domain name is not example.com, a 403 error will be returned directly.

3. Define users allowed to access

In the nginx configuration file, you can use HTTP Basic Authentication or other authentication mechanisms to restrict only authenticated users from accessing the web server. For example, using HTTP Basic Authentication, the username and password can be encrypted and placed in the HTTP header. Nginx authenticates the request, and only authenticated users can access the Nginx server. In the nginx.conf configuration file, you can use the auth_basic and auth_basic_user_file directives to implement HTTP Basic Authentication, for example:

http {
    #定义白名单
    server {
        listen       80;
        server_name  example.com;

        #Nginx对请求进行认证
        auth_basic           "Restricted Area";
        auth_basic_user_file conf.d/.htpasswd;
        
        location / {
            #...
        }
    }
}

In the above configuration file, specify the auth_basic directive in the server to describe the area information that requires authentication. Use the auth_basic_user_file directive to specify the path to the password file. Only authenticated users can access the web server.

4. Summary

Reverse proxy can improve the throughput of the Web server and prevent attacks. The access control mechanism can protect the Web server from attacks from malicious users and malicious programs. In Nginx, whitelist-based access control can be used to control reverse proxy access and protect the security of the web server. As needed, you can define the IP addresses, domain names or users that are allowed to access to improve the security of the reverse proxy.

The above is the detailed content of Whitelist-based access control configuration in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!