一、最常用的方法(代码中限制)
1、如何限制IP
function get_new_ip(){
if(getenv('HTTP_CLIENT_IP')) {
$onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
$onlineip = getenv('REMOTE_ADDR');
} else {
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
return $onlineip;
}
$onlineip = get_new_ip();
$wip = ['127.0.0.1'];
if(!in_array($onlineip, $wip)){
header("HTTP/1.1 404 Not Found");
header("Status: 404 Not Found");
exit;
}
2、进行密码验证
/ Password protect
define('ADMIN_USERNAME','test'); // Admin Username
define('ADMIN_PASSWORD','test'); // Admin Password
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
$_SERVER['PHP_AUTH_USER'] != ADMIN_USERNAME || $_SERVER['PHP_AUTH_PW'] != ADMIN_PASSWORD) {
Header("WWW-Authenticate: Basic realm=\"discuz Login\"");
Header("HTTP/1.0 401 Unauthorized");
echo <<<EOB
<html><body>
<h1>Rejected!</h1>
<big>Wrong Username or Password!</big>
</body></html>
EOB;
exit;
}
// END OF DEFAULT CONFIG AREA /
二、NGINX中限制
1、IP限制
官方文档:http://nginx.org/en/docs/http/ngx_http_access_module.html
location / { deny 192.168.1.1; allow 192.168.1.0/24; allow 10.1.1.0/16; allow 2001:0db8::/32; deny all; }
2、auth_basic 本机认证(nginx默认支持)
官方文档:http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
安装密码工具
yum -y install httpd-tools
生成密码
htpasswd -c pass.db
nginx中配置(需要维护 pass.db 文件)
auth_basic "User Authentication"; auth_basic_user_file conf/pass.db;
3、ngx_http_auth_request_module 第三方认证
官方文档:http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
需要安装:--with-http_auth_request_module 模块
#auth_basic "User Authentication"; #auth_basic_user_file conf/pass.db; auth_request /auth; location = /auth { proxy_pass ... proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI $request_uri; }
这里可以反代到,http://www.auth.com/api/HttpBasicAuthenticate.php,代码如下:
/ Password protect define('ADMIN_USERNAME','test'); // Admin Username define('ADMIN_PASSWORD','test'); // Admin Password if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] != ADMIN_USERNAME || $_SERVER['PHP_AUTH_PW'] != ADMIN_PASSWORD) { Header("WWW-Authenticate: Basic realm=\"discuz Login\""); Header("HTTP/1.0 401 Unauthorized"); echo <<<EOB <html><body> <h1>Rejected!</h1> <big>Wrong Username or Password!</big> </body></html> EOB; exit; } // END OF DEFAULT CONFIG AREA /
4、 ngx_http_auth_jwt_module 第三方认证
官方文档:http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html
location / { auth_jwt "closed site"; auth_jwt_key_file conf/keys.json; auth_jwt_claim_set $email info e-mail; auth_jwt_claim_set $job info "job title"; }
加密算法更加复杂
原理同上
配置代码:
location ~ /admin/.*php$ { location = /admin.php { allow 127.0.0.1; deny all; auth_basic "Authorized users only"; auth_basic_user_file authkey/auth.com.db; fastcgi_pass common; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; }