nginx针对某个url限制ip访问,常用于后台访问限制
假如我的站点后台地址为: http://www.abc.net/admin.php 那么我想限制只有个别ip可以访问后台,那么需要在配置文件中增加:
location ~ .*admin.* {
allow 1.1.1.1;
allow 12.12.12.0/24;
deny all;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
}
需要注意的是,在这个location下也得加入php解析相关的配置,否则php文件无法解析。
upstream market-api{
server 127.0.0.1:3000;
}
server {
listen 80;
listen 443 ssl;
server_name btc.btc.com;
add_header Access-Control-Allow-Origin *;
ssl_certificate /etc/nginx/cert_sql/15.pem;
ssl_certificate_key /etc/nginx/cert_sql/15.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#root /var/www/api2;
root /var/www/apis;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
location /apis/{
proxy_pass http://market-api;
proxy_set_header Host $host;
}
location /api/ {
if ( !-e $request_filename){
rewrite ^/(.*)$ /api/web/index.php?s=$1 last;
}
}
location ^~ /res/ {
alias /data/api/;
}
include fastcgi-php.conf;
}
location ~ .*index.php* {
allow 12.12.12.0/24;
deny all;
location ~ \.php$ {
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
}
Nginx配置location限制IP访问策略
1.配置如下
server {
listen 80;
server_name localhost;
large_client_header_buffers 4 16k;
client_max_body_size 300m;
client_body_buffer_size 128k;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_buffer_size 64k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
location / {
root html;
index index.html index.htm;
}
location /project {
allow 220.178.25.22;
allow 172.2.2.0/24;
allow 192.2.2.0/24;
deny all;
proxy_pass http://172.2.2.20:8080/project/;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
2.配置说明
以上配置的作用是允许IP为220.178.25.22,以及172和192网段的机器可以访问这个location地址,其他IP的客户端访问均是403。
其中,24是指子网掩码为255.255.255.0。
3.对照表(子网掩码/CIDR值)
255.0.0.0/8 255.128.0./9 255.192.0./10 255.224.0./11 255.240.0./12 255.248.0./13 255.252.0./14 255.254.0./15 255.255.0./16 255.255.128/17 255.255.192/18 255.255.224/19 255.255.240/20 255.255.248/21 255.255.252/22 255.255.254/23 255.255.255/24 255.255.255.128/25 255.255.255.192/26 255.255.255.224/27 255.255.255.240/28 255.255.255.248/29 255.255.255.252/30