Access Control of Nginx
- IP-based access control: http_access_module
- User-based login authentication: http_auth_basic_module
1. http_access_module access module
# Allow: allow access from the specified IP address, IP segment (CIDR), Unix socket, or all
Syntax:        allow address|CIDR|unix:|all;
Default value: none
Context:       http, server, location, limit_except

# Deny: deny access from the specified IP address, IP segment (CIDR), Unix socket, or all
Syntax:        deny address|CIDR|unix:|all;
Default value: none
Context:       http, server, location, limit_except
Use case:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /opt/site/sam;
        index  index.html index.htm;
    }

    # ~ regex match for requests starting with /admin.html
    # location ~ ^/admin.html {
    #     root   /opt/site/sam;
    #     deny   113.111.48.118;   # deny this single ip
    #     allow  all;              # allow everyone else
    #     index  index.html index.htm;
    # }

    # ~ regex match for requests starting with /admin.html
    location ~ ^/admin.html {
        root   /opt/site/sam;
        allow  113.111.48.0/24;   # allow the segment 113.111.48.0 to 113.111.48.255
        deny   all;               # deny everyone else
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
Check the configuration syntax:
[root@sam ~]# nginx -tc /etc/nginx/nginx.conf
Reload the configuration:
[root@sam ~]# nginx -s reload -c /etc/nginx/nginx.conf
Limitations:
remote_addr: the IP address of the previous hop, which may be the client's IP address or the IP address of the proxy sitting in front of Nginx.
http_x_forwarded_for: all IP addresses in the chain, the client IP address followed by every proxy IP address.
http_access_module uses remote_addr for access control. If the client accesses through a proxy, Nginx cannot obtain the client's real IP address accurately, and therefore cannot apply the control accurately.
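To see what this limitation means in practice, here is an added example (not from the original article) that simulates the first-match evaluation of allow/deny rules on the page's own /admin.html rule set and compares the address the module actually sees with the address recovered from X-Forwarded-For. The proxy address 113.111.48.10, the outside client 113.111.49.1 and the trusted-proxy list are constructed values.

```python
# Added example: simulate how ngx_http_access_module evaluates allow/deny rules.
import ipaddress
from typing import List, Optional, Tuple

# A rule is ("allow" | "deny", "address" | "CIDR" | "all"), kept in config order.
Rule = Tuple[str, str]

# Constructed rule set, copied from the page's "location ~ ^/admin.html" block.
ADMIN_RULES: List[Rule] = [
    ("allow", "113.111.48.0/24"),
    ("deny", "all"),
]


def rule_matches(rule: Rule, addr: str) -> bool:
    """True if the rule's address/CIDR/all covers addr (single IPs become /32)."""
    _, target = rule
    if target == "all":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)


def access_decision(rules: List[Rule], addr: str) -> bool:
    """Rules are checked in sequence and the first match decides.
    With no matching rule the module lets the request through."""
    for rule in rules:
        if rule_matches(rule, addr):
            return rule[0] == "allow"
    return True


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted_proxies: List[str]) -> str:
    """remote_addr is what http_access_module sees. X-Forwarded-For is set by
    whoever sent the request, so it is only believed when the connection itself
    comes from a trusted proxy (what set_real_ip_from in ngx_http_realip_module
    expresses); otherwise remote_addr is kept."""
    if xff and any(rule_matches(("allow", p), remote_addr) for p in trusted_proxies):
        return xff.split(",")[0].strip()   # left-most entry is the original client
    return remote_addr


if __name__ == "__main__":
    # Direct connections: inside vs. outside the allowed segment.
    print(access_decision(ADMIN_RULES, "113.111.48.200"))  # True
    print(access_decision(ADMIN_RULES, "113.111.49.1"))    # False
    # Constructed proxy at 113.111.48.10 relaying the outside client 113.111.49.1:
    # the module only sees the proxy's address, so the outside client gets in.
    proxy, xff = "113.111.48.10", "113.111.49.1, 113.111.48.10"
    print(access_decision(ADMIN_RULES, proxy))             # True
    real = effective_client_ip(proxy, xff, ["113.111.48.10"])
    print(access_decision(ADMIN_RULES, real))              # False
```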
2. http_auth_basic_module user login authentication module
# User authentication configuration
# string: the login prompt shown to the user
Syntax:        auth_basic string|off;
Default value: auth_basic off;   (off by default)
Context:       http, server, location, limit_except

# Path of the file that stores user authorization information (account and password)
Syntax:        auth_basic_user_file file;
Default value: none
Context:       http, server, location, limit_except
1. Create the password file (using htpasswd)
Use htpasswd to generate the password file:
# Create a new password file (/etc/nginx/auth_conf), add the user sam and set the password.
# -c creates the file; it overwrites an existing file with that name.
[root@sam ~]# htpasswd -c /etc/nginx/auth_conf sam
New password:
Re-type new password:
Adding password for user sam
If there is no htpasswd tool, install httpd-tools:
[root@sam ~]# yum install httpd-tools -y
2. Configuration in the server block
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /opt/site/playSports;
        index  index.html index.htm;
    }

    # Match requests starting with /admin.html
    location ~ ^/admin.html {
        root   /opt/site/sam;
        auth_basic           "Auth access test!input your password!";   # login prompt
        auth_basic_user_file /etc/nginx/auth_conf;                       # password file path
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}