nginx: a method for dynamically adding IPs to an access whitelist
- 2020-05-12 06:52:25
- OfStack
The goal of this post is to put a website behind an IP whitelist while still letting a customer who is not on the list get in: they open a private URL, are automatically granted access for up to 2 hours, and the access is removed automatically once the time is up.
Implementing this takes the following steps:
- nginx enforces an access whitelist
- the client opens a specific URL and is added to the whitelist automatically
- that URL is protected with simple authentication
- every two hours the default whitelist is restored, removing the temporary IPs
1. nginx configuration for the access whitelist
This part is simple; the relevant configuration is:
............nginx.conf...........
geo $remote_addr $ip_whitelist {
    default 0;
    include ip_white.conf;
}
... inside the server block ...
location / {
    if ($ip_whitelist = 1) {
        break;
    }
    return 403;
}
Whitelisted IPs are written to ip_white.conf, one per line, in the form `8.8.8.8 1;`; any address listed there gets through, every other address receives 403. A relative path in `include` resolves against the nginx conf prefix (here /usr/local/nginx/conf/), so it must point at the same file the script below writes to. Note that geo keys on $remote_addr, the TCP peer address: behind a reverse proxy every client would show up as the proxy's address unless the realip module is configured to correct it.
2. Use Lua to add to the whitelist automatically
nginx needs the Lua module (ngx_lua / OpenResty) for this. Create a new location; when a client requests it, Lua determines the client IP and calls a shell script that appends it to ip_white.conf.
location /addip {
    content_by_lua_block {
        -- Lookup order kept from the original: X-Real-IP, then X-Forwarded-For,
        -- then the TCP peer address. The two headers are written by whoever
        -- sent the request, so they are only meaningful if a proxy you control
        -- overwrites them; otherwise an authenticated user can whitelist any IP.
        local headers = ngx.req.get_headers()
        local client_ip = headers["X-Real-IP"] or headers["X-Forwarded-For"]
                          or ngx.var.remote_addr
        if type(client_ip) == "table" then      -- header sent more than once
            client_ip = client_ip[1]
        end
        if client_ip then                       -- "client, proxy1, proxy2": take the first hop
            client_ip = client_ip:match("^%s*([^,%s]+)")
        end

        ngx.header.content_type = "text/html;charset=UTF-8"

        -- Only a bare dotted-quad may be passed on. This is what stops a forged
        -- header from injecting shell commands through os.execute below, and it
        -- keeps ip_white.conf parseable by nginx.
        if not client_ip or not client_ip:match("^%d+%.%d+%.%d+%.%d+$") then
            ngx.status = ngx.HTTP_BAD_REQUEST
            ngx.say("could not determine a valid client IP")
            return ngx.exit(ngx.HTTP_OK)
        end

        ngx.say("your IP: ", client_ip, "<br/>")
        -- os.execute blocks this worker until the script (and the nginx reload) finishes.
        os.execute("/opt/ngx_add.sh " .. client_ip)
        ngx.say("added to the whitelist; access lasts at most 2 hours")
    }
}
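The geo block keys on $remote_addr while the handler above reads X-Real-IP and X-Forwarded-For first, and the two disagree as soon as a reverse proxy is in front of nginx (geo sees the proxy's address) or a direct client sends forged headers. The following configuration is an added example, not from the original post, showing how ngx_http_realip_module lets $remote_addr itself be corrected from the header, but only for requests that arrive from a proxy range you trust; after that both geo and the Lua handler can rely on ngx.var.remote_addr alone. The 10.0.0.0/8 range and the `52os.net/` include path are assumptions, and the module has to be compiled in (`--with-http_realip_module`; OpenResty includes it).

```nginx
http {
    # Rewrite $remote_addr from X-Forwarded-For, but only when the TCP peer is
    # one of our own proxies (10.0.0.0/8 is an assumed range). A request that
    # arrives directly from the internet keeps its real peer address no matter
    # what headers it carries.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;   # skip every trusted hop, stop at the first untrusted one

    # geo now evaluates the corrected address, and the /addip handler can read
    # ngx.var.remote_addr instead of trusting headers itself.
    geo $remote_addr $ip_whitelist {
        default 0;
        include 52os.net/ip_white.conf;   # relative paths resolve against the conf prefix
    }

    # ... server block as in section 1 ...
}
```

With this in place the header lookup in the Lua handler can be dropped entirely; realip runs in the post-read phase, before geo or `if` are evaluated.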
/opt/ngx_add.sh:
#!/bin/bash
ngx_conf=/usr/local/nginx/conf/52os.net/ip_white.conf
ngx_back=/usr/local/nginx/conf/52os.net/ip_white.conf.default
nginx_bin=/usr/local/nginx/sbin/nginx

case "$1" in
rec)
    # Restore the default whitelist, dropping every web-added IP.
    cp "$ngx_back" "$ngx_conf"
    "$nginx_bin" -s reload
    ;;
*)
    # Defence in depth: the argument originates from an HTTP header. Refuse
    # anything but digits and dots before it lands in a shell word or the config.
    case "$1" in
        ""|*[!0-9.]*) echo "refusing '$1'" >&2; exit 1 ;;
    esac
    # Whole-line fixed-string match, so 8.8.8.8 is not "already present"
    # because 8.8.8.88 is listed, and a dot cannot act as a regex wildcard.
    if ! grep -qxF "$1 1;" "$ngx_conf"; then
        echo "##### added by web #####" >> "$ngx_conf"
        echo "$1 1;" >> "$ngx_conf"
        # A malformed line would make the reload fail (nginx logs the error and
        # keeps the old configuration), which is why the argument is checked above.
        "$nginx_bin" -s reload
    fi
    ;;
esac
The script does two things:
- adds an IP (if it is not already present) and reloads nginx;
- with the argument `rec`, restores the default ip_white.conf, which, driven by a cron job, revokes the access of every non-default IP.
The nginx master process runs as root, but the Lua handler runs inside a worker process (user nobody or www), so `nginx -s reload` from the script fails with a permission error. The original post solves this by making the nginx binary setuid root (note: this is the setuid bit, not the sticky bit):
chown root.root /usr/local/nginx/sbin/nginx
chmod 4755 /usr/local/nginx/sbin/nginx
Be aware of what that grants: any local user can then run `/usr/local/nginx/sbin/nginx -c /path/to/their.conf` and have a configuration of their choosing executed as root. A narrower option is a sudoers entry for the worker user restricted to the reload command, for example `nobody ALL=(root) NOPASSWD: /usr/local/nginx/sbin/nginx -s reload` (assuming the worker runs as nobody), with the script calling it through sudo; or leave the reload to the root cron job rather than the web handler. The worker user also needs write access to ip_white.conf for the add path.
Enabling the Lua module in nginx is covered in a separate post (nginx enables lua module).
3. Add simple authentication
Protect the URL with HTTP basic auth so that only someone who knows the credentials can add an IP. Generate the password file:
printf "52os.net:$(openssl passwd -crypt 123456)\n" >>/usr/local/nginx/conf/pass
Account: 52os.net
Password: 123456
Two caveats on that command: traditional crypt() only uses the first 8 characters of the password, and OpenSSL 3.x no longer accepts `-crypt`; `openssl passwd -apr1` produces an Apache-MD5 hash that nginx accepts on any build. Since this URL is what hands out network access, use a real password rather than 123456, and serve it over HTTPS, because basic auth sends the credentials in the clear otherwise.
Now add the auth directives to the location from step 2:
location /addip {
    auth_basic "nginx auto addIP for 52os.net";
    auth_basic_user_file /usr/local/nginx/conf/pass;
    autoindex on;   # carried over from the original; it has no effect here, the Lua handler generates the response
    ... Lua code as in step 2, omitted ...
}
4. Automatically restore the default IP whitelist
An IP added through the web is meant to be valid for two hours. The original implements this by restoring the default ip_white.conf once every two hours, so an entry actually lives anywhere between a few seconds and two hours depending on when it was added (which is why the handler says "at most 2 hours"). First take a copy of ip_white.conf as the default whitelist template:
cp /usr/local/nginx/conf/52os.net/ip_white.conf /usr/local/nginx/conf/52os.net/ip_white.conf.default
Then have cron call the script's `rec` action every two hours. The line below is in /etc/crontab or /etc/cron.d format (with the user field) and runs at minute 1 of every even hour as root:
1 */2 * * * root /opt/ngx_add.sh rec
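The add-and-reset procedure of steps 2 and 4 gives each address an unpredictable lifetime. The script below is an added example, not the original post's ngx_add.sh, that stamps every web-added IP with its own expiry (as an nginx comment, which geo ignores) and rebuilds the file from the permanent template plus the unexpired entries, so each address keeps access for a full TTL. It also does the input validation and exact-match lookups the original lacks. The paths, the reload hook and the demo data are assumptions; with STATE_DIR unset it works in a scratch directory and runs offline.

```shell
#!/bin/sh
# Added example, not the original post's script: a temporary-whitelist manager
# that stamps every web-added IP with its own expiry, so each address keeps
# access for a full TTL instead of being dropped at the next wholesale reset.
# Paths, the reload hook and the demo data are assumptions; with STATE_DIR
# unset everything happens in a scratch directory, so the script runs offline.
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
WHITELIST="$STATE_DIR/ip_white.conf"           # the file the geo block includes
DEFAULT="$STATE_DIR/ip_white.conf.default"     # permanent entries (template)
TTL="${TTL:-7200}"                              # default lifetime in seconds
NGINX_RELOAD="${NGINX_RELOAD:-:}"              # set to "nginx -s reload" in production

# Accept only a bare dotted-quad IPv4 address: four decimal fields, each 0-255,
# nothing else on the line. A forged header such as "1.2.3.4; id" or a CIDR
# fails here and never reaches a shell command line or the nginx config.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR == 1 && NF == 4 {
            ok = 1
            for (i = 1; i <= NF; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) ok = 0
        }
        NR > 1 { ok = 0 }
        END { exit !ok }'
}

# Exact match on the address field, so 8.8.8.8 is not "found" because 8.8.8.88 is listed.
is_listed() {
    awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$WHITELIST"
}

# Number of temporary (web-added) entries currently in the file.
count_added() {
    awk '/ # exp [0-9]+$/ { n++ } END { print n + 0 }' "$WHITELIST"
}

# add_ip IP [TTL]: write (or refresh) the entry with an expiry stamp carried as
# an nginx comment, which geo ignores, then reload.
add_ip() {
    ip=$1
    ttl=${2:-$TTL}
    valid_ipv4 "$ip" || { echo "rejected: $ip" >&2; return 1; }
    exp=$(( $(date +%s) + ttl ))
    tmp=$(mktemp "$STATE_DIR/tmp.XXXXXX")
    awk -v ip="$ip" '$1 != ip' "$WHITELIST" > "$tmp"   # drop any older entry for this IP
    printf '%s 1; # exp %s\n' "$ip" "$exp" >> "$tmp"
    mv "$tmp" "$WHITELIST"     # atomic replace: nginx never reads a half-written file
    $NGINX_RELOAD
}

# prune: rebuild the file from the permanent template plus every stamped entry
# whose expiry is still in the future. Run it from cron every few minutes.
prune() {
    now=$(date +%s)
    tmp=$(mktemp "$STATE_DIR/tmp.XXXXXX")
    cat "$DEFAULT" > "$tmp"
    awk -v now="$now" '/ # exp [0-9]+$/ && $NF > now' "$WHITELIST" >> "$tmp"
    mv "$tmp" "$WHITELIST"
    $NGINX_RELOAD
}

case "${1:-demo}" in
    add)   add_ip "$2" ;;
    prune) prune ;;
    demo)
        # Constructed data: one permanent entry, one temporary one, one attack string.
        printf '%s 1;\n' 8.8.8.8 > "$DEFAULT"
        cp "$DEFAULT" "$WHITELIST"
        add_ip 203.0.113.7
        add_ip '203.0.113.7; id' || true   # rejected before it can do anything
        prune
        cat "$WHITELIST"
        ;;
esac
```

In production the Lua handler would call `ngx_whitelist.sh add "$ip"` (with the file paths pointed at the real conf directory via STATE_DIR and NGINX_RELOAD set to the reload command) and cron would run `prune` every few minutes; the two-hourly `rec` reset then becomes unnecessary.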