2019-02-11 Notes: Nginx Feature Configuration (Access Control)

Restricting access by IP

  1. Whitelist control
    Add the following to the virtual host configuration file
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    deny all;

Test:

[root@linux2019 conf.d]# curl -x127.0.0.1:80 -I bbs.aibenwoniu.xyz
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 02:41:04 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
[root@linux2019 conf.d]# curl -x192.168.85.129:80 -I bbs.aibenwoniu.xyz
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 02:41:55 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

  2. Blacklist control

Add the following to the virtual host configuration file

    deny 192.168.85.0/24;

Test:

[root@linux2019 conf.d]# curl -x192.168.85.129:80 -I bbs.aibenwoniu.xyz
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 02:46:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@linux2019 conf.d]# curl -x127.0.0.1:80 -I bbs.aibenwoniu.xyz
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 02:46:16 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
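
nginx checks allow/deny rules in order and the first matching rule decides, which is why 192.168.85.129 receives 403 under the whitelist above. The Python model below is an added example, not part of the original notes and not nginx code; it handles IPv4 only, `parse_rules`, `status_for` and the `MISORDERED` rule set are names constructed for illustration, and 200 simply stands for "request allowed".

```python
import ipaddress

def parse_rules(conf):
    """Parse 'allow X;' / 'deny X;' lines into (action, network) pairs, in order."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        # 'all' matches every address; this model handles IPv4 only (assumption)
        net = ipaddress.ip_network("0.0.0.0/0" if target == "all" else target, strict=False)
        rules.append((action, net))
    return rules

def status_for(client_ip, rules):
    """Return the status the access rules would produce for client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:      # rules are checked in the order written
        if addr in net:            # the first matching rule decides
            return 200 if action == "allow" else 403
    return 200                     # no rule matched: access is not restricted

# Rule sets copied from the notes above
WHITELIST = parse_rules("""
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    deny all;
""")
BLACKLIST = parse_rules("deny 192.168.85.0/24;")
# Constructed mistake: 'deny all' placed first shadows every later allow
MISORDERED = parse_rules("""
    deny all;
    allow 127.0.0.1;
""")

if __name__ == "__main__":
    sets = [("whitelist", WHITELIST), ("blacklist", BLACKLIST), ("misordered", MISORDERED)]
    for name, rules in sets:
        for ip in ("127.0.0.1", "192.168.1.20", "192.168.85.129"):
            print(f"{name:10} {ip:15} -> {status_for(ip, rules)}")
```

The misordered set returns 403 even for 127.0.0.1, so `deny all;` belongs after the allow lines.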

Restricting a directory

Add the following to the virtual host configuration file

location /data/
{
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    deny all;
}

Test:

[root@linux2019 conf.d]# curl -x192.168.85.129:80 -I bbs.aibenwoniu.xyz/data/
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 02:57:17 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@linux2019 conf.d]# curl -x127.0.0.1:80 -I bbs.aibenwoniu.xyz/data/
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 02:57:22 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Fri, 25 Jan 2019 07:58:54 GMT
Connection: keep-alive
ETag: "5c4ac1be-0"
Accept-Ranges: bytes

# Test access to other directories
[root@linux2019 conf.d]# curl -x127.0.0.1:80 -I bbs.aibenwoniu.xyz/config/
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 03:01:56 GMT
Content-Type: text/html
Content-Length: 1
Last-Modified: Fri, 25 Jan 2019 07:58:54 GMT
Connection: keep-alive
ETag: "5c4ac1be-1"
Accept-Ranges: bytes

Restricting a type of file under a directory

Add the configuration

location ~ .*(upload|image)/.*\.php$
{
    deny all;
}

Test:

[root@linux2019 conf.d]# curl -x127.0.0.1:80 -I bbs.aibenwoniu.xyz/upload/abc.php
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 31 Jan 2019 03:16:29 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Restricting by user-agent

Add the configuration

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}

Test:

[root@linux2019 conf.d]# curl -A 'test/spider/Tomato' -x127.0.0.1:80 -I bbs.aibenwoniu.xyz -v -e test-http-user-agent
* About to connect() to proxy 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> HEAD HTTP://bbs.aibenwoniu.xyz/ HTTP/1.1
> User-Agent: test/spider/Tomato
> Host: bbs.aibenwoniu.xyz
> Accept: */*
> Referer: test-http-user-agent
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
Server: nginx/1.14.2
< Date: Thu, 31 Jan 2019 03:44:24 GMT
Date: Thu, 31 Jan 2019 03:44:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Connection: keep-alive
Connection: keep-alive

< 
* Connection #0 to host 127.0.0.1 left intact

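PS: curl option reference

  • -A: set the user-agent
  • -e: set the referer
  • -I: show only the header information
  • -x: set the proxy IP and port (used here to send the request to a specific server IP and port)
  • -v: show the request process (verbose)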

Restricting by URI

Add the configuration

if ($request_uri ~ (abc|123))
{
    return 404;
}

# http://bbs.aibenwoniu.xyz/forum.php?mod=viewthread&tid=1&extra=page%3D1
# request_uri includes document_uri and args
# (bbs.aibenwoniu.xyz) host
# (forum.php) document_uri
# (mod=viewthread&tid=1&extra=page%3D1) args (the request parameters)