ACL configuration based on keywords and blacklist in Nginx reverse proxy-Nginx-php.cn

Home

Operation and Maintenance

Nginx

ACL configuration based on keywords and blacklist in Nginx reverse proxy

王林

Jun 10, 2023 am 09:52 AM

nginxreverse proxyacl configuration

With the rapid progress of network development, the number of applications and services deployed is increasing. In some scenarios, requests need to be routed to specific servers or applications. Nginx is a high-performance web server and a commonly used reverse proxy method that can solve these problems. Based on the ACL module provided by the Nginx reverse proxy, administrators can flexibly control and manage request routing, access control, and other network security issues.

In a reverse proxy, a request is sent from the client to the reverse proxy server, and the proxy server sends a request to the backend server on behalf of the client and provides the return result to the client. For example, in modern web applications with multiple languages and technology stacks, Nginx reverse proxy can be used to route different requests to different back-end services through the same domain name.

In this article, we will learn how to configure keyword- and blacklist-based ACLs to implement more granular routing policies and security controls for Nginx reverse proxy.

Keyword ACL

Keyword ACL is a way to implement request routing by matching keywords in the request URL. For example, in the current application, when the requested URL contains "/app1/", we want the Nginx reverse proxy to route the request to backend application 1. If the URL contains "/app2/", the request is routed to backend application 2.

To implement this function, you need to configure a keyword ACL in the Nginx configuration file. Here's how to configure it:

http {
    ...
    # 关键词acl
    map $request_uri $app_name {
        ~* "/app1/" app1;
        ~* "/app2/" app2;
        default "";
    }
}

In this configuration, $request_uri is an Nginx built-in variable that represents the requested URL. The value of this variable is passed to the map directive, which matches the predefined keyword regular expression. If the match is successful, the name of the application is stored in the $app_name variable, otherwise the default value is used.

Next, you can pass the $app_name variable defined above as the target of the proxy to the proxy URL option in the proxy directive:

server {
    ...
    location / {
        ...
        # 配置关键词代理
        proxy_pass http://$app_name.backend.com;
    }
}

In this configuration, the keyword ACL will be requested from The name of the requested application is matched in the URL, and the client's request is routed to the corresponding back-end application through proxy instructions.

Blacklist-based ACL

Blacklist ACL is a method used to block access to certain IPs or request URLs. This approach is very useful in some situations. For example, in the event of a malicious attack, the administrator can configure a blacklist ACL in the Nginx reverse proxy to deny access to a group of IP addresses. You can also use blacklist ACLs to deny certain common attack URLs.

Here's how to configure a blacklist-based ACL:

http {
    ...
    # 黑名单acl
    geo $blocked_ip {
        default 0;
        include /path/to/blacklists/ip.txt;
    }
}

In this configuration, the geo directive defines a memory variable named $blocked_ip, which is used to store the list of blocked IP addresses. In this example, an external IP address blacklist file is used. The format of the file is as follows:

10.2.1.10 1;
192.168.0.0/24 1;
202.102.85.154 1;

Each line of the file contains an IP address or network segment in CIDR format, followed by the number 1 to indicate that this IP address or CIDR network segment is blocked.

Next you can use this blacklist ACL in the Nginx configuration:

server {
    ...
    location / {
        ...
        # 配置黑名单ACL
        if ($blocked_ip) {
            return 403;
        }
        proxy_pass http://backend.com;
    }
}

In this configuration, the if directive is used to determine whether the requested IP address is in the blacklist. If so A 403 Forbidden response will be returned directly. Otherwise, the request will be routed to the backend proxy server.

To sum up, Nginx reverse proxy provides a good ACL module, which can be used together with other functional modules to achieve very flexible request routing and access control. In the use of reverse proxy, understanding and mastering these methods can allow us to better adapt to various situations and improve the quality and security of network services.

The above is the detailed content of ACL configuration based on keywords and blacklist in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

内存飙升！记一次nginx拦截爬虫Mar 30, 2023 pm 04:35 PM

本篇文章给大家带来了关于nginx的相关知识，其中主要介绍了nginx拦截爬虫相关的，感兴趣的朋友下面一起来看一下吧，希望对大家有帮助。

nginx限流模块源码分析May 11, 2023 pm 06:16 PM

高并发系统有三把利器：缓存、降级和限流；限流的目的是通过对并发访问/请求进行限速来保护系统，一旦达到限制速率则可以拒绝服务（定向到错误页）、排队等待（秒杀）、降级（返回兜底数据或默认数据）；高并发系统常见的限流有：限制总并发数（数据库连接池）、限制瞬时并发数（如nginx的limit_conn模块，用来限制瞬时并发连接数）、限制时间窗口内的平均速率（nginx的limit_req模块，用来限制每秒的平均速率）；另外还可以根据网络连接数、网络流量、cpu或内存负载等来限流。1.限流算法最简单粗暴的

nginx+rsync+inotify怎么配置实现负载均衡May 11, 2023 pm 03:37 PM

实验环境前端nginx：ip192.168.6.242，对后端的wordpress网站做反向代理实现复杂均衡后端nginx：ip192.168.6.36，192.168.6.205都部署wordpress，并使用相同的数据库1、在后端的两个wordpress上配置rsync+inotify，两服务器都开启rsync服务，并且通过inotify分别向对方同步数据下面配置192.168.6.205这台服务器vim/etc/rsyncd.confuid=nginxgid=nginxport=873ho

nginx php403错误怎么解决Nov 23, 2022 am 09:59 AM

nginx php403错误的解决办法：1、修改文件权限或开启selinux；2、修改php-fpm.conf，加入需要的文件扩展名；3、修改php.ini内容为“cgi.fix_pathinfo = 0”；4、重启php-fpm即可。

如何解决跨域？常见解决方案浅析Apr 25, 2023 pm 07:57 PM

跨域是开发中经常会遇到的一个场景，也是面试中经常会讨论的一个问题。掌握常见的跨域解决方案及其背后的原理，不仅可以提高我们的开发效率，还能在面试中表现的更加

nginx部署react刷新404怎么办Jan 03, 2023 pm 01:41 PM

nginx部署react刷新404的解决办法：1、修改Nginx配置为“server {listen 80;server_name https://www.xxx.com;location / {root xxx;index index.html index.htm;...}”；2、刷新路由，按当前路径去nginx加载页面即可。

Linux系统下如何为Nginx安装多版本PHPMay 11, 2023 pm 07:34 PM

linux版本：64位centos6.4nginx版本：nginx1.8.0php版本：php5.5.28&php5.4.44注意假如php5.5是主版本已经安装在/usr/local/php目录下，那么再安装其他版本的php再指定不同安装目录即可。安装php#wgethttp://cn2.php.net/get/php-5.4.44.tar.gz/from/this/mirror#tarzxvfphp-5.4.44.tar.gz#cdphp-5.4.44#./configure--pr