天天看點

nginx 配置 白名單

如果你的伺服器被攻擊很厲害,而且伺服器是自己練手的,不需要其他使用者通路的,那麼就可以配置一下nginx的白名單,規定有哪些ip可以通路你的伺服器

配置如下:

http子產品:

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    geo $remote_addr $geo {
           default 0; #0表示禁止通路
           127.0.0.1 1; #1表示可以通路
        }


    include /usr/local/nginx/conf.d/*.conf;
}


           

server子產品:

server {
      listen 80;
      server_name jenkins.aa.bb;
      location / {
        # 如果不是白名單則 顯示403 禁止通路
        if ( $geo  = 0 ) {
             return 403;
         }
         proxy_set_header        Host $host:$server_port;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        X-Forwarded-Proto $scheme;

         # Fix the "It appears that your reverse proxy set up is broken" error.
         #proxy_pass          http://127.0.0.1:9792;
         proxy_pass          http://127.0.0.1:59932;
         proxy_read_timeout  90;

         #proxy_redirect      http://127.0.0.1:9792 https://jenkins.qinhej.top;

         #Required for new HTTP-based CLI
         proxy_http_version 1.1;
         proxy_request_buffering off;
      }
    }

           

繼續閱讀