Nginx安全控制-Basic认证与IP黑/白名单
一、Nginx Basic认证配置方法
1.1 安装Nginx与htpawd工具
yum install nginx -y
yum -y install httpd-tools
1.2 创建Nginx认证用户
#(1)创建认证用户
[root@10-9-14-94 ~]# htpasswd -c /usr/share/nginx/pass.db admin1
New password:
Re-type new password:
Adding password for user admin1
#(2)再次添加新用户
[root@10-9-14-94 ~]# htpasswd /usr/share/nginx/pass.db admin2
New password:
Re-type new password:
Adding password for user admin2
1.3 修改Nginx配置
注:增加 auth_basic 和 auth_basic_user_file
[root@10-9-14-94 ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name nginx.starcto.com;
root /usr/share/nginx/html;
auth_basic "User Authentication"; # 新增
auth_basic_user_file /usr/share/nginx/pass.db; # 新增
include /etc/nginx/default.d/*.conf;
location /
{
auth_basic on; # 新增
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
[root@10-9-14-94 ~]# systemctl restart nginx.service
1.4 访问验证
http://nginx.starcto.com
注:经测输入账号/密码后可以成功访问~
二、Nginx IP黑名单
2.1 Nginx禁止IP访问方法一
(1)修改nginx.conf配置,直接在nginx主配置文件http{}中添加deny记录
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
deny 106.75.48.221; # 禁止106.75.48.221访问
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name nginx.starcto.com;
root /usr/share/nginx/html;
auth_basic "User Authentication";
auth_basic_user_file /usr/share/nginx/pass.db;
include /etc/nginx/default.d/*.conf;
location /
{
auth_basic on;
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
[root@10-9-14-94 ~]# systemctl restart nginx.service
(2)访问验证
(3)关于deny的使用
# 封禁单个IP
deny 192.168.1.1;
# 封禁多个IP
deny 192.168.1.1 192.168.1.2;
# 封禁IP段
deny 192.168.0.0/16;
2.2 Nginx禁止IP访问方法二
(1)准备黑名单配置文件
[root@10-9-14-94 ~]# touch /etc/nginx/conf.d/blacksip.conf
[root@10-9-14-94 ~]# vim /etc/nginx/conf.d/blacksip.conf
deny 106.75.48.221;
(2)修改nginx主配置文件
[root@10-9-14-94 ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/blacksip.conf; # 黑名单配置文件
server {
listen 80;
listen [::]:80;
server_name nginx.starcto.com;
root /usr/share/nginx/html;
auth_basic "User Authentication";
auth_basic_user_file /usr/share/nginx/pass.db;
include /etc/nginx/default.d/*.conf;
location /
{
auth_basic on;
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
(3)访问验证
三、Nginx IP白名单
[root@blogs-v2 ~]# vim /etc/nginx/conf.d/域名.conf
server {
listen 80;
listen [::]:80;
server_name 域名;
rewrite ^ https://$http_host$request_uri? permanent;
}
server {
listen 443 ssl http2 ;
listen [::]:443 ssl http2;
server_name 域名;
ssl_certificate "/data/ssl/域名/public.pem";
ssl_certificate_key "/data/ssl/域名/private.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
include /data/ssl/nginx/allow/ip-while-list.conf; # 引用白名单文件
deny all;
proxy_pass http://IP地址:8090;
client_max_body_size 10240m;
proxy_ssl_session_reuse off;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# 编辑白名单文件
[root@blogs-v2 ~]# cat /data/ssl/nginx/allow/ip-while-list.conf
allow 101.228.226.232;
allow 61.170.231.197;
allow 101.228.225.240;
allow 101.229.149.48;
allow 61.170.226.106;
# 添加白名单脚本
[root@blogs-v2 ~]# cat add-ip-while.sh
#!/bin/bash
IP=$1
echo "allow $IP;" >> /data/ssl/nginx/allow/ip-while-list.conf
cat /data/ssl/nginx/allow/ip-while-list.conf
systemctl restart nginx.service
[root@blogs-v2 ~]# ./add-ip-while.sh 61.170.226.106
作者:UStarGao
链接:https://www.starcto.com/service_operations/291.html
来源:STARCTO
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
UCloud云平台推荐
随便看看
- 2021-08-22UCloud UHub容器镜像仓库使用教程
- 2021-07-10MySQL基于Percona XtraBackup 实现全备&增量备份与恢复
- 2021-02-27VMware Workstation虚机NAT的实现
- 2021-08-07CI/CD Pipeline之Jenkins部署
- 2021-10-08Redis容器化部署教程
