1)针对nginx域名配置所启用的端口(比如80端口)在iptables里做白名单,比如只允许100.110.15.16、100.110.15.17、100.110.15.18访问.但是这样就把nginx的所有80端口的域名访问都做了限制,范围比较大!
|
1
2
3
4
5
|
[root@china ~]# vim /etc/sysconfig/iptables
......
-A INPUT -s 100.110.15.16 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 100.110.15.17 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 100.110.15.18 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
|
2)如果只是针对nginx下的某一个域名进行访问的白名单限制,那么可以在nginx的配置文件里进行设置,利用$remote_addr参数进行访问的分发限制,如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
[root@china vhosts]# cat test
server {
listen 80;
server_name test
root /var/www/vhosts/test
access_log /var/www/vhosts/test main;
error_log /var/www/vhosts/test
##白名单设置,只允许下面三个来源ip的客户端以及本地能访问该站。主要是下面这三行
if ($remote_addr !~ ^(100.110.15.16|100.110.15.17|100.110.15.18|127.0.0.1)) {
rewrite ^.*$ /maintence.php last;
}
location / {
try_files $uri $uri/ @router;
index index.php;
}
error_page 500 502 503 504 /50x.html;
location @router {
rewrite ^.*$ /index.php last;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9001;
fastcgi_read_timeout 30;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
#include fastcgi_params;
include fastcgi.conf;
}
}
错误页面内容设置:
[root@china vhosts]# cat /var/www/vhosts/test
网站临时维护中,请稍后访问...
|
3)也可以使用$http_x_forwarded_for参数进行访问的分发限制,如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
server {
listen 80;
server_name test
root /var/www/vhosts/test
access_log /var/www/vhosts/test main;
error_log /var/www/vhosts/test
##白名单设置,只允许下面三个来源ip的客户端以及本地能访问该站。
if ($http_x_forwarded_for !~ ^(100.110.15.16|100.110.15.17|100.110.15.18|127.0.0.1)) {
rewrite ^.*$ /maintence.php last;
}
location / {
try_files $uri $uri/ @router;
index index.php;
}
error_page 500 502 503 504 /50x.html;
location @router {
rewrite ^.*$ /index.php last;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9001;
fastcgi_read_timeout 30;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
#include fastcgi_params;
include fastcgi.conf;
}
}
|
4)还可以利用nginx的allow、deny参数进行访问限制
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
[root@china vhosts]# cat test
server {
listen 80;
server_name test
root /var/www/vhosts/test
access_log /var/www/vhosts/test main;
error_log /var/www/vhosts/test
##白名单设置,只允许下面三个来源ip的客户端以及本地能访问该站。
allow 100.110.15.16;
allow 100.110.15.17;
allow 100.110.15.18;
allow 127.0.0.1;
deny all;
location / {
try_files $uri $uri/ @router;
index index.php;
}
error_page 500 502 503 504 /50x.html;
location @router {
rewrite ^.*$ /index.php last;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9001;
fastcgi_read_timeout 30;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
#include fastcgi_params;
include fastcgi.conf;
}
}
|