Nginx Ip Whitelist


Problem description

I want to configure my nginx proxy server to only allow certain IPs to access it.

To my knowledge, this is normally done in the config file, with allow and deny lists, but I need a different option if possible, since my whitelist is very big. I also need to link this to a website, so that when a user is logged in, the user will be able to update the user's IP if it has changed.

In short, a whitelisted user will be able to use my proxy server, but if for any reason the user's IP changes, the user can still login to my site and update that whitelisted IP.

Is there a way for nginx to read an IP whitelist from an external source, from something like htaccess or mysql? If so, what would be the best format for that list, so that it can be easily linked to and automatically updated? I'm planning to get the site professionally built so that when users log in to their accounts, the whitelist is automatically updated. I would therefore like my whitelist to be in the optimal format for the designer to work with, to make it easier to integrate the whitelist with the user accounts.

Recommended answer

There are two ways I know you could solve this problem.

  1. Allow list in a separate config: works with all common NginX installs

You can place all of the allow statements in a simple text file, per site, that contains nothing but allow statements. Include that under the client's server block. Use scripts as needed to alter the list. Finally reload (not restart) the nginx config every time you update the allow list. This might look as follows:

cat /var/www-allow/client1-allow.conf
allow 192.168.1.1;
allow 10.0.0.1;

cat /etc/nginx/sites/client1.conf
...
server {
    include /var/www-allow/client1-allow.conf;
    deny all;
}

echo "Test NginX configuration"
nginx -t

echo "Reload NginX configuration (adjust for your setup)"
service nginx reload

  2. Using embedded Lua: NginX requires custom compilation

    Recompile NginX from source with the 3rd party embedded Lua add on module. Use a lua script to actively deny unsupported IP addresses. See the second example under access_by_lua. There are a variety of ways you could use the add on. I suggest using access_by_lua_file to put the lua script in an external location.

    Both of these approaches will still require some effort on your part. I don't believe a drop-in solution is already available for your specific objectives.
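
One way to script the update step in option 1, as an added example that is not code from the original answer: it validates each user-supplied address before it reaches the include file, swaps the file in atomically, and reloads only if `nginx -t` passes. The function names are hypothetical; the file path and the test/reload commands are the ones shown in the answer, and the input list is assumed to come from the website's user records.

```python
import ipaddress
import os
import subprocess
import tempfile

# Path from the answer's example; adjust for your setup.
ALLOW_FILE = "/var/www-allow/client1-allow.conf"


def render_allow_conf(entries):
    """Return (allow-file text, rejected entries) for user-supplied IPs/CIDRs."""
    lines, rejected = [], []
    for raw in entries:
        try:
            # Zone ids (fe80::1%eth0) are free-form text and useless in an
            # allow rule, so refuse them before parsing.
            if "%" in raw:
                raise ValueError("zone id not accepted")
            # Parsing means "1.2.3.4; allow all" never reaches the config.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        # Single hosts as a bare address, ranges in CIDR form.
        host = net.prefixlen == net.max_prefixlen
        lines.append(f"allow {net.network_address if host else net};")
    return "\n".join(sorted(set(lines))) + "\n", rejected


def write_and_reload(entries, path=ALLOW_FILE):
    """Swap in the new allow file, test the config, then reload nginx."""
    text, rejected = render_allow_conf(entries)
    old = open(path).read() if os.path.exists(path) else ""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # atomic rename on the same filesystem
    if subprocess.run(["nginx", "-t"]).returncode != 0:
        # Put the previous list back so a later reload is not broken.
        with open(path, "w") as f:
            f.write(old)
        raise RuntimeError("nginx -t failed; previous allow list restored")
    subprocess.run(["service", "nginx", "reload"], check=True)
    return rejected


if __name__ == "__main__":
    print(render_allow_conf(["192.168.1.1", "10.0.0.1", "bad; allow all"]))
```

An empty or fully rejected list produces a file with no allow lines, so the `deny all;` in the server block blocks everyone rather than opening access.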
