Nginx 反向代理,只允许来自主机名而不是 ip 的连接 [英] Nginx reverse proxy, only allow connection from hostname not ip
问题描述
是否可以只允许用户输入 xxxxxx.com(虚构),因此他们应该进行 DNS 查找并连接.并阻止使用我的公共 ip 连接的用户?
Is it possible to allow only users typing in xxxxxx.com (fictive), so they should make a DNS-lookup and connect. And block users who uses my public ip to connect ?
配置:
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name xxxxxxx.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/jenkins.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the "It appears that your reverse proxy set up is broken" error.
proxy_pass http://10.0.11.32:80;
proxy_read_tenter code hereimeout 360;
proxy_redirect http://10.0.11.32:80 https://xxxxxxx.com;
}
}
推荐答案
$http_host
参数设置为 Host
请求标头的值.nginx
使用该值来选择 server
块.如果未找到 server
块,则使用默认服务器,它要么标记为 default_server
,要么是遇到的第一个 server
块.请参阅本文档.
The $http_host
parameter is set to the value of the Host
request header. nginx
uses that value to select a server
block. If a server
block is not found, the default server is used, which is either marked as default_server
or is the first server
block encountered. See this documentation.
要强制 nginx
只接受命名请求,请使用 catch all 服务器块来拒绝任何其他请求,例如:
To force nginx
to only accept named requests, use a catch all server block to reject anything else, for example:
server {
listen 80 default_server;
return 403;
}
server {
listen 80;
server_name www.example.com;
...
}
使用 SSL 协议,这取决于您是否有 SNI 启用.如果您没有使用 SNI,那么所有 SSL 请求都会通过同一个 server
块,在这种情况下,您需要使用 if
指令来测试 if
指令的值代码>$http_host 值.请参阅this 和 this 了解详情.
With the SSL protocol, it depends on whether or not you have SNI enabled. If you are not using SNI, then all SSL requests pass through the same server
block, in which case you will need to use an if
directive to test the value of the $http_host
value. See this and this for details.
这篇关于Nginx 反向代理,只允许来自主机名而不是 ip 的连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!