我创建一个新的conf文件来阻止所有公共IP访问,并只提供一个公共IP地址(办公室公共IP)来访问。但当我试图访问它的节目“403 Forbidden nginx”
upstream backend_solr { ip_hash; server ip_address:port; } server { listen 80; server_name www.example.com; index /example/admin.html; charset utf-8; access_log /var/log/nginx/example_access.log main; location / { allow **office_public_ip**; deny all; proxy_pass http://backend_solr-01/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location ~ /favicon\.ico { root html; } location ~ /\. { deny all; }}
但在日志中它显示访问公共IP但禁止访问
IP_Address - - [31/Jul/2017:12:43:05 +0800] "Get /example/admin.html HTTP/1.0" www.example.com "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" "my_office _IP" "-" "-" "-" 403 564 0.000 - - -
答案 0 :(得分:0)
最后我找出问题的原因为什么 允许ip: 否认所有;
不工作。因为它在连接到网站时使用代理服务器ip加载。 所以如果我们想要允许特定的公共IP,我们也想要代理ip。这是配置。
upstream backend_solr {
ip_hash;
server ip_address:port;
}
server {
listen 80;
server_name www.example.com;
index /example/admin.html;
charset utf-8;
access_log /var/log/nginx/example_access.log main;
location / {
# **
set $allow false;
if ($http_x_forwarded_for ~ " 12\.22\.22\.22?$")-public ip {
set $allow true;
}
set $allow false;
if ($http_x_forwarded_for ~ " ?11\.123\.123\.123?$")- proxy ip {
set $allow true;
}
if ($allow = false) {
return 403 ;
}
# **
proxy_pass http://backend_solr-01/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ /favicon\.ico {
root html;
}
location ~ /\. {
deny all;
}
}
答案 1 :(得分:-1)
这个nginx配置对我有用:
location / { ## Use the request url, not the directory on the filesystem.
allow xxx.xxx.xxx.xxx; ## Your specific IP
deny all;
}
但是,如果您要拒绝或仅允许特定位置,则可以将allow xxx.xxx.xxx.xxx放在该位置之外。