【利用Nginx实现白名单功能】

1.只允许白名单中IP访问系统

1.1 nginx配置

http {
      include       mime.types;
      default_type  application/octet-stream;
      sendfile        on;
      #tcp_nopush     on;
      keepalive_timeout  65;
      client_body_buffer_size  720K;
      client_max_body_size 20m;
      geo $remote_addr $geo80 {
         default 0;         #0表示禁止访问
	     include /etc/nginx/white_80ip.conf;
      }
     
     server {
        listen       80;
		 server_name  localhost;
        underscores_in_headers on;	
        location / {
	        if ( $geo80 = 0 ) {
                return 403;
            }
            root   /usr/share/nginx/html/hpcoder_web;
            index  index.html index.htm;
         }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
    }
}

1.2 白名单

white_80ip.conf 内容

allow 192.168.2.101
allow 192.168.2.102

2. 只允许白名单中IP访问指定端口

2.1 nginx 配置

stream {
        log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

        access_log /var/log/nginx/tcp-access.log proxy ;
        open_log_file_cache off;
        include /etc/nginx/conf.d/*.stream;

        upstream p1{

            server 192.168.18.23:17000;
        }
        
        upstream p2{

            server 192.168.18.20:22;
        }

        server{
            listen 17000;
            include /etc/nginx/p1.conf;
            deny all;
            proxy_pass p1;
            proxy_connect_timeout 1h;
            proxy_timeout 1h;

        }
        server{
            listen 17222;
            #include /etc/nginx/p1.conf;
            #deny all;
            proxy_pass p2;
            proxy_connect_timeout 1h;
            proxy_timeout 1h;

        }

}

2.2 白名单

p1.conf

allow 192.168.18.2
allow 192.168.18.5

2.3 应用场景

代理UDP端口、许可管理…

3. 执行脚本

3.1 脚本内容

#!/bin/bash

function usage()
{
printf "Usage $0 options:
        options:
            add:    增加指定ip到指定端口 
            del:    删除指定ip到指定端口
        Eg:
            增加: $0 add    software_name add_ip
            删除：$0 del    software_name del_ip
"
}

file=/etc/nginx/${2}.conf

if [ ! -f ${file} ];then
        touch ${file}
fi

if [ $# -eq 0 ];then
        usage
        exit 1
fi

case $1 in
add)
        ip=$3
        if [ $# -ne 3 ];then
                usage
                exit 1
        else
                sed -i "/^allow $ip/d" $file
                echo "allow ${ip};" >>$file
        fi
;;
del)
        ip=$3
        if [ $# -ne 3 ];then
                usage
                exit 1
        else
                sed -i "/^allow $ip/d" $file
        fi
;;
*)
        echo "Usage: $0 add || del"
        exit 1
esac

service  nginx reload >>/dev/null

3.2 调用方式

添加

./write.sh add p1 192.168.6.2

删除

./write.sh del p1 192.168.6.3