nginx tcp代理并限制ip访问

Nginx 从1.9.0开始发布ngx_stream_core_module模块，该模块支持tcp代理及负载均衡。

本文记录一下用nginx实现zk的代理并限制指定ip可以访问

配置文件

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;
   #geo $remote_addr $geo {
    #    default 1;
     #   include    conf.d/whitelist.conf;
    #}

    include /etc/nginx/conf.d/*.conf;
}


stream{
  #log

    log_format proxy '$remote_addr [$time_local] '
               '$protocol $status $bytes_sent $bytes_received '
               '$session_time "$upstream_addr" '
               '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/tcp_access.log proxy;

#allow 127.0.0.1;
       #deny all; #也可以写在文件里，用include导入

    include    tcpconf.d/whitelist.conf;

    #server配置也可以放在配置文件里
    # 统一放置，方便管理 include tcpConf/*.conf;

    upstream zk{
        hash $remote_addr consistent;
        server  127.0.0.1:2181 max_fails=3 fail_timeout=10s;  
    }
    server{
        listen 8182;
        proxy_connect_timeout 20s;
        proxy_timeout 5m;
        proxy_pass zk;
    }
}

 

less conf.d/whitelist.conf
allow 127.0.0.1;
deny all; 

 

less tcpconf/tcp.conf

upstream zk{
        hash $remote_addr consistent;
        server  127.0.0.1:2181 max_fails=3 fail_timeout=10s;
    }
    server{
        listen 8182;
        proxy_connect_timeout 20s;
        proxy_timeout 5m;
        proxy_pass zk;
    }
tcpconf/tcp.conf (END)