Nginx Access Control


When operating a website day to day, some requests are abnormal and need to be restricted. Access control lets you ensure that important or confidential files can only be reached from your own public IP or from your company's internal IP addresses.

Configuring access control

1. Edit the virtual host configuration file
[root@antong ~]# vim /usr/local/nginx/conf/vhost/test.com.conf  // add the following
    location /admin/
    {
           allow 127.0.0.1;   // only these two IPs are allowed; everything else is denied
           allow 192.168.200.30;
           deny all;     // unlike Apache, nginx checks the rules one by one in order; there is no "allow first" / "deny first" ordering directive
    }
[root@antong ~]# /usr/local/nginx/sbin/nginx -t                
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@antong ~]# /usr/local/nginx/sbin/nginx -s reload
2. Test
[root@antong ~]# curl -x127.0.0.1:80 test.com/admin/ -I                       
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 09:44:28 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Mon, 06 Sep 2021 09:44:11 GMT
Connection: keep-alive
ETag: "6135e2eb-d"
Accept-Ranges: bytes
[root@antong ~]# curl -x192.168.200.30:80 test.com/admin/ -I          
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 09:44:59 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Mon, 06 Sep 2021 09:44:11 GMT
Connection: keep-alive
ETag: "6135e2eb-d"
Accept-Ranges: bytes
[root@antong ~]# curl -x192.168.200.31:80 test.com/admin/ -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 09:50:20 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@antong ~]# cat /tmp/test.com.log
127.0.0.1 - [06/Sep/2021:05:44:28 -0400] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.200.30 - [06/Sep/2021:05:44:59 -0400] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.200.31 - [06/Sep/2021:05:50:20 -0400] test.com "/admin/" 403 "-" "curl/7.29.0"
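The log excerpt above is where the allow/deny rules become visible after the fact. The following script is an added example (not part of the original post) that parses that log format and reports which clients were refused and on which URIs. The regex for the line layout is assumed from the lines shown in the post; the `log_format` directive itself is not on the page, so adapt the pattern to your own format. The first three sample lines are copied from the post, the rest are constructed.

```python
"""Summarise allow/deny decisions from the nginx access-log format shown in the post.

Added example, not part of the original post. Assumed line layout:
  $remote_addr - [$time_local] $host "$uri" $status "$referer" "$user_agent"
"""
import re
from collections import Counter, defaultdict

# Regex for the log layout seen in the post (assumed; adapt to your log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] (?P<host>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample log: first three lines copied from the post, the rest constructed.
SAMPLE_LOG = """\
127.0.0.1 - [06/Sep/2021:05:44:28 -0400] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.200.30 - [06/Sep/2021:05:44:59 -0400] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.200.31 - [06/Sep/2021:05:50:20 -0400] test.com "/admin/" 403 "-" "curl/7.29.0"
192.168.200.31 - [06/Sep/2021:05:50:21 -0400] test.com "/admin/" 403 "-" "curl/7.29.0"
192.168.200.31 - [06/Sep/2021:05:50:22 -0400] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
10.0.0.5 - [06/Sep/2021:05:51:00 -0400] test.com "/upload/1.txt" 200 "-" "Tomato/1.0"
garbage line that does not match the format
"""


def parse_line(line):
    """Return a dict of named fields, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def denied_by_ip(log_text, min_count=1):
    """Count 403 responses per client IP; keep only IPs with at least min_count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "403":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


def denied_uris(log_text):
    """Map each URI that produced a 403 to the sorted list of IPs refused on it."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "403":
            out[rec["uri"]].add(rec["ip"])
    return {uri: sorted(ips) for uri, ips in out.items()}


if __name__ == "__main__":
    print(denied_by_ip(SAMPLE_LOG))
    print(denied_uris(SAMPLE_LOG))
```

Run it against the real file with `denied_by_ip(open("/tmp/test.com.log").read(), min_count=10)` to surface clients that keep hammering a protected path; unparseable lines are skipped rather than aborting the run.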

Regex-based access control

If PHP parsing is not disabled for the image-upload directory, an attacker can upload a web shell and PHP will execute it, leading to the site being compromised and database information being stolen.

1. Edit the virtual host configuration file
[root@antong ~]# vim /usr/local/nginx/conf/vhost/test.com.conf  // add the following
location ~ .*(upload|image)/.*\.php$
{
        deny all;
}
[root@antong ~]# /usr/local/nginx/sbin/nginx -t                
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@antong ~]# /usr/local/nginx/sbin/nginx -s reload
2. Test
[root@antong ~]# mkdir /data/wwwroot/test.com/upload
[root@antong ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php
[root@antong ~]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 10:00:08 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@antong ~]# echo "11111" > /data/wwwroot/test.com/upload/1.txt
[root@antong ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I      
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Mon, 06 Sep 2021 10:01:07 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Mon, 06 Sep 2021 10:01:03 GMT
Connection: keep-alive
ETag: "6135e6df-6"
Accept-Ranges: bytes

User-Agent restrictions

1. Edit the virtual host configuration file
[root@antong ~]# vim /usr/local/nginx/conf/vhost/test.com.conf  // add the following
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;   // deny all and return 403 have the same effect
}
[root@antong ~]# /usr/local/nginx/sbin/nginx -t                
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@antong ~]# /usr/local/nginx/sbin/nginx -s reload
2. Test
[root@antong ~]# curl -A "Tomatoadad" -x127.0.0.1:80 test.com/upload/1.txt
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
[root@antong ~]# curl -A "tomatoadad" -x127.0.0.1:80 test.com/upload/1.txt  
11111          // to ignore case, add * after the match operator, i.e. use ~* instead of ~
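Both the upload-directory rule and the User-Agent rule above are plain regex matches, so they can be checked offline before a reload. The script below is an added example (not part of the original post) that re-runs the post's two patterns through Python's `re` module, which agrees with nginx's PCRE engine for patterns this simple: `~` is a case-sensitive unanchored search, `~*` is the same search with `re.IGNORECASE`. It shows two things the curl tests in the post do not: the `.*(upload|image)/` pattern only matches directories named exactly `upload` or `image` (a `/uploads/` directory is not covered), and the unescaped dot in `Spider/3.0` matches any character. One thing no offline check can show, and which you must verify in the real config: nginx tries regex locations in the order they appear and uses the first match, so the `deny all` location must come before any `location ~ \.php$` block that hands requests to PHP-FPM.

```python
"""Check the post's nginx regex rules offline with Python's re module.

Added example, not part of the original post. Assumes nginx's PCRE and Python's
re agree for these patterns (true for the simple syntax used here).
"""
import re

# Patterns copied verbatim from the post's configuration.
UPLOAD_PHP = r".*(upload|image)/.*\.php$"          # location ~ ...
BAD_UA = r"Spider/3.0|YoudaoBot|Tomato"            # if ($http_user_agent ~ ...)


def nginx_match(pattern, subject, case_insensitive=False):
    """Emulate nginx `~` (case-sensitive) or `~*` (case-insensitive) matching.

    nginx applies a regex as an unanchored search over the subject, so
    re.search is the right primitive; ^ and $ inside the pattern still apply.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, subject, flags) is not None


def upload_php_denied(uri):
    """True if the post's upload/image PHP location regex would deny this URI."""
    return nginx_match(UPLOAD_PHP, uri)


def user_agent_denied(ua, case_insensitive=False):
    """True if the post's User-Agent rule would return 403 for this UA string.

    Pass case_insensitive=True to see the effect of switching `~` to `~*`.
    """
    return nginx_match(BAD_UA, ua, case_insensitive)


if __name__ == "__main__":
    # Constructed URIs: the last two are NOT denied by the post's pattern.
    for uri in ["/upload/1.php", "/image/a/b.php", "/upload/1.txt",
                "/uploads/1.php", "/upload/1.PHP"]:
        print(f"{uri:20} denied={upload_php_denied(uri)}")
    # The two User-Agents from the post's curl tests, with ~ and ~* semantics.
    for ua in ["Tomatoadad", "tomatoadad"]:
        print(f"{ua:20} ~ -> {user_agent_denied(ua)}   "
              f"~* -> {user_agent_denied(ua, case_insensitive=True)}")
    # Unescaped dot: 'Spider/3.0' also matches 'Spider/3x0'; 'Spider/3\.0' would not.
    print(nginx_match(BAD_UA, "Spider/3x0"), nginx_match(r"Spider/3\.0", "Spider/3x0"))
```

Feed `upload_php_denied` the real directory names under your document root; if any upload directory is not matched, widen the alternation (for example `(upload|uploads|image|images)`) rather than relying on the `.*` prefix.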
posted @ 2021-09-06 18:12  殇黯瞳