• ngx_http_access_module module description


    The ngx_http_access_module module implements IP-based access control.

    Syntax:    allow address | CIDR | unix: | all;
    Default:    —
    Context:    http, server, location, limit_except

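    The ngx_http_access_module module allows limiting access to certain client addresses.

    Rules are checked from top to bottom. The first rule that matches takes effect and the rules after it are not evaluated, so put the stricter (more specific) rules first.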

    location / {
        deny  192.168.1.1;
        allow 192.168.1.0/24;
        allow 10.1.1.0/16;
        allow 2001:0db8::/32;
        deny  all;
    }
    
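    # The rules are checked in sequence until the first match is found. In this example, access is allowed only for the IPv4 networks 10.1.1.0/16 and 192.168.1.0/24 (excluding the address 192.168.1.1) and for the IPv6 network 2001:0db8::/32. When there are many rules, it is better to use ngx_http_geo_module module variables.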
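
The first-match behaviour described above can be checked offline before reloading nginx. The following Python script is an added example, not part of the original post or of nginx: it evaluates an allow/deny list in file order and flags rules that a single earlier rule makes unreachable. WRONG_ORDER is a constructed list, the function names are hypothetical, and unix: targets are not handled.

```python
import ipaddress

# Rules from the page's first location block, in file order.
PAGE_RULES = [
    ("deny", "192.168.1.1"),
    ("allow", "192.168.1.0/24"),
    ("allow", "10.1.1.0/16"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
]
# Constructed counter-example: the broad allow is placed before the narrow deny.
WRONG_ORDER = [("allow", "192.168.1.0/24"), ("deny", "192.168.1.1"), ("deny", "all")]


def _net(target, version):
    """Network for a rule target; 'all' means the whole space of that IP version."""
    if target == "all":
        return ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    # strict=False masks host bits, so 10.1.1.0/16 is treated as 10.1.0.0/16.
    return ipaddress.ip_network(target, strict=False)


def decide(rules, client):
    """Action of the first matching rule; if nothing matches, access is allowed."""
    addr = ipaddress.ip_address(client)
    for action, target in rules:
        net = _net(target, addr.version)
        if net.version == addr.version and addr in net:
            return action
    return "allow"


def shadowed(rules):
    """Indexes of rules fully covered by one earlier rule, so they never fire."""
    dead = []
    for i, (_, target) in enumerate(rules):
        versions = (4, 6) if target == "all" else (_net(target, 4).version,)
        if all(
            any(_net(t, v).version == v and _net(target, v).subnet_of(_net(t, v))
                for _, t in rules[:i])
            for v in versions
        ):
            dead.append(i)
    return dead


if __name__ == "__main__":
    for name, rules in (("page order", PAGE_RULES), ("wrong order", WRONG_ORDER)):
        print(name, decide(rules, "192.168.1.1"), "shadowed:", shadowed(rules))
```

With the page's order no rule is shadowed; with the broad allow first, the deny for 192.168.1.1 is reported as unreachable and that address is allowed.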

    Test example

    Lab environment

    [root@node1 ~]# uname -r
    3.10.0-957.el7.x86_64
    [root@node1 ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core) 
    [root@node1 ~]# nginx -V
    nginx version: nginx/1.16.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
    
    ip: 10.0.0.101

    Requirements

    Running curl 10.0.0.101 returns the page: ni hao nginx!!!
    Only 10.0.0.102 may access it; 10.0.0.103 is denied.

    Configure the virtual host

    server {
            listen       80;
            server_name  localhost;
    
            #charset koi8-r;
    
            access_log  logs/host.access.log  main;
    
            location / {
                deny 10.0.0.103;
                allow 10.0.0.102;
                deny all;
                root   html;
                index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
    }

    Check the configuration file and reload it

    [root@node1 ~]# nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    [root@node1 ~]# nginx -s reload
    # nginx is already running
    [root@node1 ~]# netstat -ant
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
    tcp        0      0 10.0.0.101:22           10.0.0.1:65155          ESTABLISHED
    tcp        0    180 10.0.0.101:22           10.0.0.1:62206          ESTABLISHED
    tcp6       0      0 :::22                   :::*                    LISTEN     

    Create the nginx test page

    echo 'ni hao nginx!!!' > /usr/local/nginx/html/index.html

    Access 10.0.0.101 from 10.0.0.102

    [root@node2 ~]# ifconfig eth0
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.0.0.102  netmask 255.0.0.0  broadcast 10.255.255.255
    
    
    [root@node2 ~]# curl 10.0.0.101
    ni hao nginx!!!
    # access succeeds

    Access 10.0.0.101 from 10.0.0.103

    [root@node3 ~]# ifconfig eth0
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.0.0.103  netmask 255.0.0.0  broadcast 10.255.255.255
    
    [root@node3 ~]# curl 10.0.0.101
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.16.0</center>
    </body>
    </html>
    # access is denied

    View the log file on the nginx server 10.0.0.101

    [root@node1 ~]# ifconfig eth0
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.0.0.101  netmask 255.0.0.0  broadcast 10.255.255.255
    
    
    [root@node1 ~]# cat /usr/local/nginx/logs/host.access.log 
    10.0.0.103 - - [09/Sep/2020:16:56:44 +0800] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
    10.0.0.103 - - [09/Sep/2020:16:56:45 +0800] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
    
    # access from 10.0.0.103 failed
  • Original article: https://www.cnblogs.com/yaokaka/p/13639949.html