Nginx Ip Whitelist


Problem description

I want to configure my nginx proxy server to only allow certain IPs to access it.

To my knowledge, this is normally done in the config file, with allow and deny lists, but I need a different option if possible, since my whitelist is very big. I also need to link this to a website, so that when a user is logged in, the user will be able to update the user's IP if it has changed.

In short, a whitelisted user will be able to use my proxy server, but if for any reason the user's IP changes, the user can still log in to my site and update that whitelisted IP.

Is there a way for nginx to read an IP whitelist from an external source, from something like htaccess or mysql? If so, what would be the best format for that list, so that it can be easily linked to and automatically updated? I'm planning to get the site professionally built so that when users log in to their accounts, the whitelist is automatically updated. I would therefore like my whitelist to be in the optimal format for the designer to work with, to make it easier to integrate the whitelist with the user accounts.

Recommended answer

There are two ways I know you could solve this problem.

  1. Allow-list in separate config: Works on all common NginX installs

You can place all of the allow statements in a simple text file, per site, that contains nothing but allow statements. Include that under the client's server block. Use scripts as needed to alter the list. Finally reload (not restart) the nginx config every time you update the allow list. This might look as follows:

cat /var/www-allow/client1-allow.conf
allow 192.168.1.1;
allow 10.0.0.1;

cat /etc/nginx/sites/client1.conf
...
server {
    include /var/www-allow/client1-allow.conf;
    deny all;
}

echo "Test NginX configuration"
nginx -t

echo "Reload NginX configuration (adjust for your setup)"
service nginx reload

  2. Use embedded Lua: Requires custom compile of NginX

    Recompile NginX from source with the third-party embedded Lua add-on module. Use a Lua script to actively deny unsupported IP addresses. See the second example under access_by_lua. There are a variety of ways you could use the add-on. I suggest using access_by_lua_file to put the Lua script in an external location.

    Both of these approaches will still require some effort on your part. I don't believe a drop-in solution is already available for your specific objectives.
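
For the first approach in the answer above (an included file of allow statements, rewritten by a script and followed by a reload), here is an added example that is not part of the original answer. It validates every address before it reaches the nginx config, since the list is fed by a website; the function names are hypothetical, and the reload command is the one the answer shows.

```python
import ipaddress
import os
import subprocess
import tempfile


def render_allowlist(entries):
    """Return nginx 'allow' lines for validated IPs/CIDRs; raise ValueError otherwise."""
    lines = []
    for raw in entries:
        # ip_network rejects anything that is not a plain address or CIDR, so a
        # value like "1.2.3.4; allow all" can never reach the config file.
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all network: {raw!r}")
        # Write single hosts without the /32 or /128 suffix.
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"allow {text};")
    return "\n".join(sorted(set(lines))) + "\n"


def write_atomically(path, content):
    """Write via a temp file in the same directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, 0o644)  # nginx only needs to read the file
        os.replace(tmp, path)  # a reload never sees a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def update_and_reload(path, entries):
    """Rewrite the include file, then reload only if 'nginx -t' accepts it."""
    # Rendering happens first, so invalid input raises before the file is touched.
    write_atomically(path, render_allowlist(entries))
    subprocess.run(["nginx", "-t"], check=True)
    subprocess.run(["service", "nginx", "reload"], check=True)  # adjust for your setup
```

The web application would call `update_and_reload("/var/www-allow/client1-allow.conf", ips)` with the full current list for that client, from a process that has write access to the include file and permission to reload nginx.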
