黑帽联盟
标题:
nginx控制指定ip访问网站
[打印本页]
作者:
yun
时间:
2017-2-18 13:40
标题:
nginx控制指定ip访问网站
要求给一台nginx反向代理服务器做ip限制,居然要求在维护时,只要2个ip可以访问网站页面,其他ip只能访问维护页面
系统:centos 5.5
环境:nginx反向代理,ip是192.168.10.5
后端服务器,ip是192.168.10.150
1.先做好nginx反向代理和后端服务环境
这里就不说怎么做了,大家自己网上去找nginx反向代理是怎么做的吧.
2.在反向代理设置
大家可以看下我的nginx反向代理conf文件:
user nginx nginx;
worker_processes 1;
#worker_cpu_affinity 00000001 00000010 00000100 00001000 00001001 00001010 00001100 00010000;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
use epoll;
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server_names_hash_bucket_size 128;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
client_body_in_file_only clean;
client_max_body_size 8m;
#open_file_cache max=10240 inactive=20s;
#open_file_cache_valid 30s;
#open_file_cache_min_uses 1;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
server_tokens off;
# fastcgi_connect_timeout 300s;
# fastcgi_send_timeout 300s;
# fastcgi_read_timeout 300s;
# fastcgi_buffer_size 128k;
# fastcgi_buffers 8 128k;#8 128
# fastcgi_busy_buffers_size 256k;
# fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
#hiden php version
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_min_length 1k;
gzip_buffers 16 64k;
gzip_http_version 1.0;
#gzip_disable "MSIE [1-5]\.";
gzip_comp_level 4;
gzip_types text/plain application/x-javascript text/css application/xml image/gif image/jpg image/jpeg image/png;
#gzip_vary on;
proxy_hide_header Vary;
#limit_zone conlimit $binary_remote_addr 1m;
#limit_conn conlimit 5;
upstream 192.168.10.5 {
server 192.168.10.150:9000;
}
server {
listen 9000;
server_name _;
root /var/www/vhosts/wwwroot;
error_page 503 /503.html;
location / {
proxy_pass http://192.168.10.5;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
set $fuck 0;
if ($remote_addr = '192.168.10.24') {
set $fuck 1;
}
if ($remote_addr = '192.168.10.169') {
set $fuck 1;
}
if ($fuck = 0){
return 503;
}
}
error_page 401 403 404 /503.html;
location = /503.html {
root /var/www/vhosts/wwwroot;
break;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/vhosts/error;
}
}
include /etc/nginx/conf.d/*.conf;
}
复制代码
可以看到我的反向代理指向的10.150的9000端口,然后去/var/www/vhosts/wwwroot设置503内容:
cd /var/www/vhosts/wwwroot
vi 503.html
the is 503!!
只让192.168.10.24和192.168.10.169可以访问后端网站,其他ip都访问503.html.
3.在后端服务器设置
cd /var/www/vhosts
vi index.html
the is 10.150!!
4.重启nginx进行验证
service nginx reload
在192.168.10.24的浏览器上输入http://192.168.10.5:9000/,可以看到是允许访问后端网站的
2017-2-18 13:37 上传
下载附件
(11.83 KB)
在192.168.10.19的浏览器上输入http://192.168.10.5:9000/,可以看到是不允许访问后端网站的
2017-2-18 13:37 上传
下载附件
(10.96 KB)
欢迎光临 黑帽联盟 (https://bbs.cnblackhat.com/)
Powered by Discuz! X2.5