通过XFF地址动态限制访问
方案特点:
- 无需reload
- API管理
NGINX PLUS的KEYVAL是可以通过API进行管理的内部可持久化kv存储。
KEYVAL查找XFF地址是否在黑白名单中,来实现访问控制。
KEYVAL存放黑白名单列表:
- 定义键值为1为白名单
- 定义键值为0为黑名单
- 不在列表的IP为空值
列表格式:
"10.0.0.1": "0",
"10.0.0.4": "0",
"10.0.0.2": "1",
"10.0.0.3": "0"
动态黑白名单限制配置
http {
map $http_x_forwarded_for $client_ip {
"~(?P<ip>\d+\.\d+\.\d+\.\d+)" $ip;
"~(?P<ip>[^;]+)" $ip;
default "255.255.255.255"; #如果XFF地址格式错误,定义为特殊地址
}
keyval_zone zone=one:2m state=/var/lib/nginx/state/one.keyval;
keyval $client_ip $target zone=one; #用client_ip查找IP,匹配后赋值给$target
}
location /example {
if ($target != 1) #不为1则禁止访问。 定义1为白名单标记
{
return 403 "you can't access"; }
proxy_pass http://192.168.145.130:800/;
}
}
测试禁止IP访问
curl -H "X-Forwarded-For: 11.0.0.1" http://192.168.145.130:8888/example
命令行查看黑白名单
curl -X GET -s http://192.168.145.130:8888/api/7/http/keyvals/one | jq
{
"10.0.0.1": "0",
"10.0.0.4": "0",
"10.0.0.2": "1",
"10.0.0.3": "0"
}
浏览器查看黑白名单
初次创建记录
curl -X POST -d '{"10.0.0.1":"1", "10.0.0.2":"1", "10.0.0.3":"1"}' -s http://192.168.145.130:8888/api/7/http/keyvals/one
追加记录
curl -X POST -d '{"20.0.0.1": "1" }' -s http://192.168.145.130:8888/api/7/http/keyvals/one
修改记录
curl -X PATCH -d '{"20.0.0.1": "0" }' -s http://192.168.145.130:8888/api/7/http/keyvals/one
删除所有记录
curl -X DELETE -s http://192.168.145.130:8888/api/7/http/keyvals/one
- NGINX管理方案
新建NGINX
- 创建nginx
- 加载配置模板
- 输入黑白名单
- 确认黑白名单
个别黑白名单管理
- 查看黑白名单
- 添加新记录/修改记录
- 确认黑白名单
批量黑白名单管理
- 删除黑白名单
- 添加新记录
- 确认黑白名单
参考:
- K8S架构下配置
-
DOCKFILE中禁止容器携带配置文件 && rm -rf /etc/nginx/nginx.conf \ && rm -rf /etc/nginx/conf.d/default.conf \ Deployment配置 apiVersion: apps/v1 kind: Deployment metadata: name: ng-deployment namespace: ns1 labels: app: nginx-plus spec: replicas: 1 selector: matchLabels: app: nginx-plus template: metadata: labels: app: nginx-plus spec: containers: - name: xxxxxx resources: limits: cpu: "1" memory: 512Mi requests: cpu: "2" memory: 1024Mi image: xxxxxx imagePullPolicy: IfNotPresent ports: - name: http containerPort: 80 - name: api containerPort: 8888 livenessProbe: failureThreshold: 3 httpGet: path: /nginx-health port: 80 initialDelaySeconds: 10 periodSeconds: timeoutSeconds: 2 readinessProbe: failureThreshold: 3 httpGet: path: /nginx-health port: 80 periodSeconds: 5 timeoutSeconds: 2 volumeMounts: - mountPath: /etc/nginx/conf.d readOnly: true name: nginx-config-per-svc volumes: - name: nginx-config-per-svc configMap: name: nginx-config-per-svc - NGINX PLUS配置
-
load_module modules/ngx_http_js_module.so; user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include conf/mime.types; default_type application/default_type; log_format main '$remote_addr - $remote_user [$time_local] ' '"$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" ' '"$gzip_ratio"'; log_format download '$remote_addr - $remote_user [$time_local] "$request" ' '$status "$request_body" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log download; client_header_timeout 3m; client_body_timeout 3m; send_timeout 3m; client_header_buffer_size 1k; large_client_header_buffers 4 4k; gzip on; gzip_min_length 1100; gzip_buffers 4 8k; gzip_types text/plain; output_buffers 1 32k; postpone_output 1460; sendfile on; tcp_nopush on; tcp_nodelay on; send_lowat 12000; keepalive_timeout 75 20; lingering_time 30; lingering_timeout 10; reset_timedout_connection on; fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; fastcgi_buffer_size 64k; fastcgi_buffers 4 64k; fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; map $http_x_forwarded_for $client_ip { "~(?P<ip>\d+\.\d+\.\d+\.\d+)" $ip; "~(?P<ip>[^;]+)" $ip; default "255.255.255.255"; } keyval_zone zone=one:2m state=one.keyval; keyval $client_ip $target zone=one;
6705
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
