Nginx反向代理，仅允许来自主机名的连接而不是IP [英] Nginx reverse proxy, only allow connection from hostname not ip

问题描述

是否可能只允许用户输入xxxxxx.com(虚拟)，所以他们应该进行DNS查找并进行连接.并阻止使用我的公共IP进行连接的用户?

Is it possible to allow only users typing in xxxxxx.com (fictive), so they should make a DNS-lookup and connect. And block users who uses my public ip to connect ?

配置:

server {
listen 80;
return 301 https://$host$request_uri;
}

server {

listen 443;
server_name xxxxxxx.com;

ssl_certificate           /etc/nginx/ssl/server.crt;
ssl_certificate_key       /etc/nginx/ssl/server.key;

ssl on;
ssl_session_cache  builtin:1000  shared:SSL:10m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;

access_log            /var/log/nginx/jenkins.access.log;

location / {

  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        X-Forwarded-Proto $scheme;

  # Fix the "It appears that your reverse proxy set up is broken" error.
  proxy_pass          http://10.0.11.32:80;
  proxy_read_tenter code hereimeout  360;

  proxy_redirect      http://10.0.11.32:80 https://xxxxxxx.com;
}
}

推荐答案

$http_host参数设置为Host请求标头的值. nginx使用该值选择一个server块.如果未找到server块，则使用默认服务器，该服务器标记为default_server或是遇到的第一个server块.请参见本文档.

The $http_host parameter is set to the value of the Host request header. nginx uses that value to select a server block. If a server block is not found, the default server is used, which is either marked as default_server or is the first server block encountered. See this documentation.

要强制nginx仅接受命名的请求，请使用 catch all 服务器块拒绝其他任何内容，例如:

To force nginx to only accept named requests, use a catch all server block to reject anything else, for example:

server {
    listen 80 default_server;
    return 403;
}

server {
    listen 80;
    server_name www.example.com;
    ...
}

使用SSL协议，这取决于您是否具有 SNI 已启用.如果未使用SNI，则所有SSL请求都将通过相同的server块，在这种情况下，您将需要使用if指令来测试$http_host值的值.请参见此和

With the SSL protocol, it depends on whether or not you have SNI enabled. If you are not using SNI, then all SSL requests pass through the same server block, in which case you will need to use an if directive to test the value of the $http_host value. See this and this for details.

这篇关于Nginx反向代理，仅允许来自主机名的连接而不是IP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！