Nginx reverse proxy, only allow connection from hostname not ip


Question

Is it possible to allow only users typing in xxxxxx.com (fictive), so they should make a DNS lookup and connect, and block users who use my public IP to connect?

Configuration:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    listen 443;
    server_name xxxxxxx.com;

    ssl_certificate           /etc/nginx/ssl/server.crt;
    ssl_certificate_key       /etc/nginx/ssl/server.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/jenkins.access.log;

    location / {

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass          http://10.0.11.32:80;
        proxy_read_timeout  360;

        proxy_redirect      http://10.0.11.32:80 https://xxxxxxx.com;
    }
}

Recommended answer

The $http_host parameter is set to the value of the Host request header. nginx uses that value to select a server block. If a server block is not found, the default server is used, which is either marked as default_server or is the first server block encountered. See this documentation.

To force nginx to only accept named requests, use a catch all server block to reject anything else, for example:

server {
    listen 80 default_server;
    return 403;
}

server {
    listen 80;
    server_name www.example.com;
    ...
}

With the SSL protocol, it depends on whether or not you have SNI enabled. If you are not using SNI, then all SSL requests pass through the same server block, in which case you will need to use an if directive to test the value of the $http_host value. See this and this for details.
