
Nginx Basics - 09 User Authentication and Access Restriction

Posted on 2023-03-12 08:11  Kingdomer

 

1. Nginx Access Control

IP-based access control: http_access_module
User-login authentication: http_auth_basic_module
 
Syntax:	allow address | CIDR | unix: | all;
Default:	—
Context:	http, server, location, limit_except

 

Syntax:	deny address | CIDR | unix: | all;
Default:	—
Context:	http, server, location, limit_except

 

server {
    listen 80;
    server_name www.myshop.com;

    location / {
        root /application/nginx/shop;
        index index.html;
        deny 192.168.6.51;         # deny 192.168.6.51, allow everyone else
        allow all;
    }

    location /data {
        root /application/nginx/shop;
        autoindex on;
        autoindex_localtime on;
        autoindex_exact_size off;
        charset utf-8,gbk;
        allow 192.168.6.102;     # allow only 192.168.6.102, deny everyone else
        deny all;
    }
}

  

Limitations of http_access_module
Client (IP: 1.1.1.1) <--> Proxy server (IP: 2.2.2.2) <--> Web server (IP: 3.3.3.3)
The client reaches the web server through the proxy server.
On the web server, remote_addr only yields the proxy server's IP; the client's real IP cannot be obtained from it.

Use http_x_forwarded_for to record the real client IP together with the proxy server IP.

Enable x_forwarded_for on the proxy server to record the real client IP.

Enable x_forwarded_for on the web server to record the real client IP as well as the proxy server IP.

 

Control access with HTTP header information: enable http_x_forwarded_for on both the proxy and the web server.

Combine with the geo module.

Pass the value through a custom HTTP variable.
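An added example (not part of the original post) of what the web server in the diagram has to do before it can apply allow/deny rules to a proxied request: recover the client IP from X-Forwarded-For by walking the chain from the right and trusting only hops appended by a known proxy (assumed here to be 2.2.2.2), since everything further left was written by the sender. The rule evaluation mirrors nginx's first-match allow/deny semantics from the config above.

```python
import ipaddress

# Constructed trusted-proxy list: the only hop whose X-Forwarded-For entry we believe
# (the 2.2.2.2 proxy from the diagram). Anything a request carries to the left of the
# last trusted hop is under the sender's control and must not be used as the client IP.
TRUSTED_PROXIES = [ipaddress.ip_network("2.2.2.2/32")]

# allow/deny rule lists from the server block above, in nginx order (first match wins)
ROOT_RULES = [("deny", "192.168.6.51"), ("allow", "all")]
DATA_RULES = [("allow", "192.168.6.102"), ("deny", "all")]


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    return any(ipaddress.ip_address(ip) in net for net in trusted)


def real_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """remote_addr is the TCP peer (nginx's $remote_addr), xff_header the received
    X-Forwarded-For value. Walk from the nearest hop outward, skipping our own proxies,
    and return the first hop we did not add ourselves. Returns None if the chain is
    malformed before a decision could be made, so the caller denies by default."""
    chain = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    chain.append(remote_addr)          # the TCP peer is the only hop observed directly
    for hop in reversed(chain):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:             # not an IP address: stop, do not guess
            return None
    return chain[-1]                   # every hop was ours: the proxy itself is the client


def access_allowed(client_ip, rules):
    """nginx access module semantics: rules checked in order, first match decides,
    and a request matching no rule is allowed."""
    if client_ip is None:
        return False
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True


def decide(remote_addr, xff_header, rules):
    return access_allowed(real_client_ip(remote_addr, xff_header), rules)
```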

 

 

Authentication based on user login

Syntax:  auth_basic string | off;
Default: auth_basic off;
Context: http, server, location, limit_except
Enables validation of user name and password using the "HTTP Basic Authentication" protocol. The specified parameter is used as a realm. Parameter value can contain variables (1.3.10, 1.2.7). The special value off cancels the effect of the auth_basic directive inherited from the previous configuration level.

  

Syntax:  auth_basic_user_file file;
Default: —
Context: http, server, location, limit_except

 

[root@my-node10 ~]# yum install httpd-tools

[root@my-node10 ~]# htpasswd -c /etc/nginx/conf.d/htpasswd myadmin
New password:
Re-type new password:
Adding password for user myadmin

[root@my-node10 conf.d]# cat htpasswd
myadmin:$apr1$osxHGBpo$7jKN2s28hzapqImNlPzEM.

[root@my-node10 conf.d]# htpasswd -c ./htpasswd myadmin            # -c recreates the file and overwrites the earlier users; only this one user remains
New password:
Re-type new password:
Adding password for user myadmin

[root@my-node10 conf.d]# htpasswd -b ./htpasswd myroot root@2023   # append a user (-b takes the password from the command line)
Adding password for user myroot

  

    location /data {
        root /application/nginx/shop;
        autoindex on;
        autoindex_localtime on;
        autoindex_exact_size off;
        charset utf-8,gbk;
        auth_basic "Auth access Blog Input your passwd!";
        auth_basic_user_file /etc/nginx/conf.d/htpasswd; 
    }

  

[root@my-node51 ~]#  curl http://www.myshop.com/data
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>

[root@my-node51 ~]#  curl -umyadmin:xxxx http://www.myshop.com/data
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>

  

User authentication:

Limitation: user information lives in a file; managing it is inconvenient and inefficient.

Solutions: combine with Lua for efficient validation; combine with LDAP using the nginx-auth-ldap module.

 

2. Nginx Access Restriction

Connection rate limiting: limit_conn_module
Request rate limiting: limit_req_module

HTTP requests and connections
HTTP runs on top of TCP: a TCP connection is first established through the three-way handshake, and HTTP requests are then made over that connection.
An HTTP request rides on a TCP connection, and one TCP connection carries at least one HTTP request.

HTTP protocol version and TCP connection reuse
HTTP/1.0  no TCP connection reuse
HTTP/1.1  sequential TCP connection reuse
HTTP/2.0  multiplexed TCP connection reuse
 

Nginx request limit configuration

# http context: rate limits the request rate, here at most 1 request per second per IP
limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s;

# location context: with 1r/s only one request is accepted; the excess is rejected immediately
limit_req zone=req_zone;

# location context: requests above 1r/s are queued up to burst=3 and served with a delay
# (served immediately when nodelay is set); requests beyond burst receive 503
limit_req zone=req_zone burst=3 nodelay;

  

Configuration

limit_req_zone $binary_remote_addr zone=index_req_zone:1m rate=1r/s;
server {
    listen 80;
    server_name www.myshop.com;
    location / {
        root /application/nginx/shop;
        index index.html index.htm;
        limit_req zone=index_req_zone;
    }
}

  

Load test

[root@my-node51 ~]# yum install httpd-tools
[root@my-node51 ~]# ab -n 50 -c 20 http://www.myshop.com/index.html

Complete requests:      50
Failed requests:        49

 

2023/03/05 17:21:39 [error] 14542#14542: *32 limiting requests, excess: 0.998 by zone "index_req_zone", 
                    client: 192.168.6.51, server: www.myshop.com, request: "GET /index.html HTTP/1.0", host: "www.myshop.com"
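An added example (not from the original post) that replays limit_req's leaky bucket for one key, using the same integer 1/1000-request units nginx uses. It reproduces the test above (50 near-simultaneous requests against rate=1r/s with no burst: 1 served, 49 rejected) and shows where the "excess: 0.998" in the log comes from: one queued request minus the 2 ms the bucket drained since the accepted one. It also covers burst=3 with and without nodelay, which the page configures but does not test.

```python
def simulate_limit_req(arrivals_ms, rate, burst=0, nodelay=False):
    """Replay nginx's limit_req leaky bucket for a single key ($binary_remote_addr).

    arrivals_ms: sorted arrival times in milliseconds for one client.
    rate: requests per second (rate= of limit_req_zone); burst: burst= of limit_req.
    Returns one (status, served_at_ms, excess) tuple per request: status is "ok",
    "delayed" or "rejected" (HTTP 503), excess is the value nginx logs as
    'limiting requests, excess: ...'. Bucket arithmetic is integer, scaled by 1000.
    """
    rate_m, burst_m = rate * 1000, burst * 1000
    excess = 0            # queued requests above the rate, x1000, as last stored
    last = None           # arrival time of the last accepted request
    out = []
    for now in arrivals_ms:
        if last is None:  # first request for this key: empty bucket
            e = 0
        else:             # drain since the last accepted request, then add this request
            e = max(0, excess - rate_m * (now - last) // 1000 + 1000)
        if e > burst_m:   # bucket overflow: 503, stored state is left untouched
            out.append(("rejected", None, e / 1000))
            continue
        excess, last = e, now   # accepted: state is recorded at arrival time
        if e == 0 or nodelay:
            out.append(("ok", now, e / 1000))
        else:             # queued: served once the bucket has drained down to this request
            out.append(("delayed", now + e * 1000 // rate_m, e / 1000))
    return out


def count_statuses(results):
    counts = {"ok": 0, "delayed": 0, "rejected": 0}
    for status, _, _ in results:
        counts[status] += 1
    return counts


# Constructed arrival pattern standing in for `ab -n 50 -c 20`: all within a few ms.
AB_LIKE_ARRIVALS = [i % 5 for i in range(50)]
</test>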

 

Nginx connection limit configuration
# Global definition of the connection limit. Sets parameters for a shared memory zone that will keep states for various keys.
Syntax: limit_conn_zone key zone=name:size;
Default: -
Context: http
# Reference the connection limit
Syntax: limit_conn zone number;
Default: -
Context: http, server, location

  

limit_conn_zone $binary_remote_addr zone=index_conn_zone:10m;

server {
    listen 80;
    server_name www.myshop.com;

    location / {
        root /application/nginx/shop;
        index index.html;
        limit_conn index_conn_zone 1;   # at most 1 concurrent connection per client IP
    }
}

  

2023/03/05 17:31:27 [error] 14556#14556: *103 limiting connections by zone "index_conn_zone", 
                    client: 192.168.6.51, server: www.myshop.com, request: "GET /index.html HTTP/1.0", host: "www.myshop.com"