Nginx reverse proxy, only allow connection from hostname not ip
Problem description
Is it possible to allow only users typing in xxxxxx.com (fictive), so they should make a DNS lookup and connect, and block users who use my public IP to connect?
Configuration:
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443;
        server_name xxxxxxx.com;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/jenkins.access.log;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://10.0.11.32:80;
            proxy_read_timeout 360;
            proxy_redirect http://10.0.11.32:80 https://xxxxxxx.com;
        }
    }
Recommended answer
The $http_host parameter is set to the value of the Host request header. nginx uses that value to select a server block. If a server block is not found, the default server is used, which is either marked as default_server or is the first server block encountered. See this documentation.
To force nginx to only accept named requests, use a catch all server block to reject anything else, for example:
    server {
        listen 80 default_server;
        return 403;
    }
    server {
        listen 80;
        server_name www.example.com;
        ...
    }
With the SSL protocol, it depends on whether or not you have SNI enabled. If you are not using SNI, then all SSL requests pass through the same server block, in which case you will need to use an if directive to test the value of the $http_host value. See this and this for details.
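
The catch-all approach from the answer, applied to both the HTTP and HTTPS listeners of the question, as an added example that is not part of the original answer. It assumes SNI is in use and nginx 1.19.4 or later for `ssl_reject_handshake`; `server_name _` and `return 444` are choices made here, while the hostname, certificate paths and backend address come from the question.

```nginx
# Added example. Hostname, certificate paths and backend address come from
# the question; server_name _, return 444 and ssl_reject_handshake are
# choices made for this sketch.

# HTTP catch-all: a Host header matching no server_name (for example the
# bare public IP) is handled here instead of by the first server block.
server {
    listen 80 default_server;
    server_name _;
    return 444;    # nginx-specific code: close the connection, send nothing
}

# HTTPS catch-all: with SNI, a handshake whose name matches no server_name
# is rejected before any certificate is sent. The return handles a request
# routed here by its Host header after a handshake for the named server.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Named HTTP server: only requests for the hostname get the redirect.
server {
    listen 80;
    server_name xxxxxxx.com;
    return 301 https://$host$request_uri;
}

# Named HTTPS server: the only block that reaches the backend.
server {
    listen 443 ssl;
    server_name xxxxxxx.com;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    access_log /var/log/nginx/jenkins.access.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.0.11.32:80;
        proxy_read_timeout 360;
        proxy_redirect http://10.0.11.32:80 https://xxxxxxx.com;
    }
}
```

On nginx older than 1.19.4, which lacks `ssl_reject_handshake`, the HTTPS catch-all needs its own `ssl_certificate` and `ssl_certificate_key` instead.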