在Nginx中配置基于白名单的访问控制是保护后端服务安全的有效方法。以下是几种实现方式:
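location / {
    # Access control. nginx evaluates allow/deny rules top-down and the
    # first matching rule wins, so the allow entries must come BEFORE
    # `deny all` -- with `deny all` first (as originally written) every
    # request is rejected and the allow lines are never reached.
    allow 192.168.1.100;
    allow 10.0.0.0/24;
    allow 172.16.0.0/16;
    deny all;

    # NOTE: these rules match the address nginx itself sees ($remote_addr).
    # If nginx sits behind another proxy or load balancer that is the
    # proxy's address, not the client's; configure the realip module
    # (set_real_ip_from restricted to trusted proxies) before relying on
    # this whitelist in such a deployment.

    # Reverse proxy configuration
    proxy_pass http://backend_server;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}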
# Variant 2: a geo map defined at http level.
# geo matches against $remote_addr by default and understands CIDR ranges.
http {
    # $whitelist is 1 for listed addresses/ranges and 0 for everything else.
    geo $whitelist {
        default 0;
        192.168.1.100 1;
        10.0.0.0/24 1;
        172.16.0.0/16 1;
    }

    server {
        location / {
            # Reject clients that are not on the whitelist.
            # (A bare `return` inside `if` is one of the safe uses of `if`.)
            if ($whitelist = 0) {
                return 403;
            }
            proxy_pass http://backend_server;
            # other proxy settings...
        }
    }
}
# Variant 3: a map keyed on $remote_addr.
# map does plain string comparison, so it works for the single addresses
# listed here; CIDR ranges would NOT match with map -- use geo for those.
http {
    map $remote_addr $allowed_ip {
        default 0;
        "192.168.1.100" 1;
        "10.0.0.1" 1;
        "172.16.0.5" 1;
    }

    server {
        location / {
            # Anything not listed above resolves to 0 and is rejected.
            if ($allowed_ip = 0) {
                return 403;
            }
            proxy_pass http://backend_server;
            # other proxy settings...
        }
    }
}
创建单独的白名单文件 /etc/nginx/whitelist.conf:
# Shared whitelist fragment. Rules are matched top-down, first match wins,
# so the allow entries come first and `deny all` is the final catch-all.
allow 10.0.0.0/24;
allow 172.16.0.0/16;
allow 192.168.1.100;
deny all;
然后在Nginx配置中引用:
location / {
    # Pull in the shared allow/deny list instead of repeating it per location.
    include /etc/nginx/whitelist.conf;

    proxy_pass http://backend_server;
    # other proxy settings...
}
location / {
    # With `satisfy any` a request passes if EITHER the IP rules or the
    # basic-auth check succeeds: whitelisted addresses skip the password
    # prompt, everyone else must authenticate.
    satisfy any;

    # IP whitelist (allow before deny -- first match wins)
    allow 192.168.1.100;
    deny all;

    # HTTP basic authentication
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    proxy_pass http://backend_server;
    # other proxy settings...
}
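# Example: log requests coming from addresses outside the whitelist.
# geo is used instead of map: map compares strings, so the 10.0.0.0/24
# entry would never match a real client address; geo understands CIDR.
# (geo must be declared at http level.)
geo $loggable {
    default 1;
    192.168.1.100 0;
    10.0.0.0/24 0;
}

# Only requests with $loggable=1 are written. This selects by source
# address, not by outcome -- combine with $status if only actual 403
# responses should be recorded.
access_log /var/log/nginx/denied.log combined if=$loggable;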
配置完成后,记得测试并重新加载Nginx配置:
# Validate the configuration first; reload only if the syntax check passes.
if sudo nginx -t; then sudo nginx -s reload; fi