
Nginx安全控制-Basic认证与IP黑/白名单

一、Nginx Basic认证配置方法

1.1 安装Nginx与htpasswd工具

# Install nginx itself.
yum install nginx -y
# httpd-tools ships the htpasswd utility used below to create the auth file.
yum -y install httpd-tools

1.2 创建Nginx认证用户

#(1)创建认证用户
[root@10-9-14-94 ~]# htpasswd -c /usr/share/nginx/pass.db admin1
New password:
Re-type new password:
Adding password for user admin1

#(2)再次添加新用户
[root@10-9-14-94 ~]# htpasswd /usr/share/nginx/pass.db admin2
New password:
Re-type new password:
Adding password for user admin2

1.3 修改Nginx配置

注:增加 auth_basic 和 auth_basic_user_file

[root@10-9-14-94 ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        # Plain HTTP only (port 80): Basic credentials travel base64-encoded,
        # not encrypted, on every request. Put this behind TLS (see the
        # HTTPS server in section 3) before relying on it for anything real.
        listen       80;
        listen       [::]:80;
        server_name  nginx.starcto.com;
        root         /usr/share/nginx/html;

        # added: the string is the realm shown in the browser's login prompt
        auth_basic "User Authentication";
        # added: htpasswd file created in 1.2. It sits next to, not inside,
        # the web root above, so it is not served; keep it readable only by
        # the nginx user.
        auth_basic_user_file /usr/share/nginx/pass.db;

        include /etc/nginx/default.d/*.conf;

        location /
        {
                # added. NOTE(review): auth_basic takes a realm string or
                # `off`; `on` is not a keyword and is likely read as the
                # realm text for this location, overriding the server-level
                # realm -- confirm with `nginx -T` and the browser prompt.
                auth_basic on;
        }

        # Error-page locations inherit auth_basic from the server block, so
        # they also require credentials.
        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}

[root@10-9-14-94 ~]# systemctl restart nginx.service

1.4 访问验证

http://nginx.starcto.com

image.png

注:经测输入账号/密码后可以成功访问~

二、Nginx IP黑名单

2.1 Nginx禁止IP访问方法一

(1)修改nginx.conf配置,直接在nginx主配置文件http{}中添加deny记录

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # Block 106.75.48.221. At http level this applies to every server in
    # this block. Access rules match the address nginx sees as the client
    # ($remote_addr); if nginx sits behind a proxy or CDN that is the
    # proxy's address, and the rule will not work as intended without the
    # realip module. With only deny rules present, every other address
    # falls through and is allowed.
    deny 106.75.48.221;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        # Plain HTTP: Basic credentials are not encrypted on the wire here.
        listen       80;
        listen       [::]:80;
        server_name  nginx.starcto.com;
        root         /usr/share/nginx/html;

        auth_basic "User Authentication";
        auth_basic_user_file /usr/share/nginx/pass.db;

        include /etc/nginx/default.d/*.conf;

        location /
        {
                auth_basic on;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}

[root@10-9-14-94 ~]# systemctl restart nginx.service

(2)访问验证

image.png

(3)关于deny的使用

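# Block a single IP
deny 192.168.1.1;

# Block several IPs: deny takes exactly one address per directive, so each
# address needs its own line (two addresses on one line fail `nginx -t`).
deny 192.168.1.1;
deny 192.168.1.2;

# Block a whole range (CIDR): this covers every 192.168.x.x address
deny 192.168.0.0/16;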

2.2 Nginx禁止IP访问方法二

(1)准备黑名单配置文件

[root@10-9-14-94 ~]# touch /etc/nginx/conf.d/blacksip.conf
[root@10-9-14-94 ~]# vim /etc/nginx/conf.d/blacksip.conf
deny 106.75.48.221;

(2)修改nginx主配置文件

[root@10-9-14-94 ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
   worker_connections 1024;
}

http {
   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile            on;
   tcp_nopush          on;
   tcp_nodelay         on;
   keepalive_timeout   65;
   types_hash_max_size 4096;

   include             /etc/nginx/mime.types;
   default_type        application/octet-stream;

   include /etc/nginx/conf.d/*.conf;
   # Blacklist file. It already matches the conf.d/*.conf glob on the line
   # above, so its deny rule is loaded twice -- harmless, but the explicit
   # include is redundant. Keeping it in conf.d also means it is picked up
   # without editing this file at all.
   include /etc/nginx/conf.d/blacksip.conf;
   server {
       listen       80;
       listen       [::]:80;
       server_name  nginx.starcto.com;
       root         /usr/share/nginx/html;

       auth_basic "User Authentication";
       auth_basic_user_file /usr/share/nginx/pass.db;    

       include /etc/nginx/default.d/*.conf;

       location /
       {
               auth_basic on;
       }

       error_page 404 /404.html;
       location = /404.html {
       }

       error_page 500 502 503 504 /50x.html;
       location = /50x.html {
       }
   }
}

(3)访问验证

Nginx安全控制-Basic认证与IP黑名单(图3)

三、Nginx IP白名单

[root@blogs-v2 ~]# vim /etc/nginx/conf.d/域名.conf
server {
   listen 80;
   listen [::]:80;
   server_name 域名;
   # Redirect all plain-HTTP traffic to HTTPS. $http_host is copied verbatim
   # from the client's Host header, so the redirect target is client
   # controlled; a fixed hostname (or $host) is the safer choice.
   rewrite ^ https://$http_host$request_uri? permanent;
}

server {
   listen       443 ssl http2 ;
   listen       [::]:443 ssl http2;
   server_name  域名;

   ssl_certificate "/data/ssl/域名/public.pem";
   ssl_certificate_key "/data/ssl/域名/private.key";
   ssl_session_cache shared:SSL:1m;
   ssl_session_timeout  10m;
   # No ssl_protocols directive is set, so the protocol set is this build's
   # default -- NOTE(review): verify TLS 1.0/1.1 are excluded on this version.
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;

   location / {
   # Access rules are evaluated in order and the first match wins, so the
   # allow entries from the include must come before `deny all`; swapping
   # these two lines would lock everyone out. The rules match $remote_addr,
   # i.e. the address nginx sees directly.
   include /data/ssl/nginx/allow/ip-while-list.conf;   # include the whitelist file
   deny all;
   proxy_pass        http://IP地址:8090;
         # 10 GiB upload limit -- make sure the backend really needs this.
         client_max_body_size    10240m;
         proxy_ssl_session_reuse off;
         proxy_redirect    off; 
         proxy_set_header   Host             $host;
         # Forward the same client address the allow/deny check used above.
         proxy_set_header   X-Real-IP        $remote_addr;
         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
   }
}   

# 编辑白名单文件
[root@blogs-v2 ~]# cat /data/ssl/nginx/allow/ip-while-list.conf 
allow 101.228.226.232;
allow 61.170.231.197;
allow 101.228.225.240;
allow 101.229.149.48;
allow 61.170.226.106;

# 添加白名单脚本
[root@blogs-v2 ~]# cat add-ip-while.sh 
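#!/bin/bash
# Append one source address to the nginx allow-list and apply the change.
#
# Usage: ./add-ip-while.sh <IPv4-address-or-CIDR>
#
# The argument is written verbatim into an nginx config include, so it is
# validated first: an unchecked value could inject extra directives or
# break the config and take nginx down on the next reload.
set -euo pipefail

readonly ALLOW_FILE=/data/ssl/nginx/allow/ip-while-list.conf

IP=${1:?usage: ${0##*/} <IPv4-address-or-CIDR>}

# Accept only a dotted-quad IPv4 address with an optional /prefix. Anything
# else (spaces, semicolons, a second directive) is rejected.
if [[ ! "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
  printf 'invalid address: %s\n' "$IP" >&2
  exit 2
fi

# Do not append the same entry twice; a missing file simply falls through
# to the append, which creates it.
if grep -qxF -- "allow $IP;" "$ALLOW_FILE"; then
  printf 'already allowed: %s\n' "$IP" >&2
else
  printf 'allow %s;\n' "$IP" >> "$ALLOW_FILE"
fi

cat -- "$ALLOW_FILE"

# Check the whole config before applying it; under set -e a failed test
# stops here instead of leaving nginx with a config it cannot load.
# reload applies the change without dropping established connections.
nginx -t
systemctl reload nginx.service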

[root@blogs-v2 ~]# ./add-ip-while.sh 61.170.226.106

作者:UStarGao

链接:https://www.starcto.com/service_operations/291.html
来源:STARCTO
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处
