Nginx: how to set up a directory whitelist and an IP whitelist

  • 2020-05-17 07:47:30
  • OfStack

1. Set a directory whitelist: exempt a specified request path from the limits. For example, to apply no limits to request paths under the api directory, the configuration can be written as


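server{
    # The zones "conn" and "foo" must be defined in the http block
    # with limit_conn_zone and limit_req_zone.
    location /app {
      proxy_pass http://192.168.1.111:8095/app;
      limit_conn conn 20;
      limit_rate 500k;
      limit_req zone=foo burst=5 nodelay;
    }
    location /app/api {
      proxy_pass http://192.168.1.111:8095/app/api;
    }
}
# Because nginx gives priority to the most specific (longest-prefix) location match, requests under /app/api are handled by the second block, so writing it this way lifts the limits on the api subdirectory path.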

2. Set an IP whitelist with nginx geo and nginx map

Unless they were explicitly disabled at build time (--without-http_geo_module or --without-http_map_module), nginx includes ngx_http_geo_module and ngx_http_map_module by default.

ngx_http_geo_module can be used to create variables whose value depends on the client IP address.

ngx_http_map_module creates variables whose values depend on other variables and their values, allowing classification, or mapping multiple values to different values and storing the result in one variable.


Nginx geo format specification

Syntax: geo [$address] $variable { ... }
Default: -
Context: http

Nginx map format specification

Syntax: map string $variable { ... }
Default: -
Context: http

Example whitelist configuration
 
http{
   # ... other configuration
   # Define the variable that holds the IP whitelist (0 = whitelisted, 1 = limited)
   geo $whiteiplist {
     default 1 ;
     127.0.0.1/32 0;
     64.223.160.0/19 0;
   }
   # Use the map directive to map whitelisted client IPs to an empty string
   # (nginx does not account requests whose limit key is empty)
   map $whiteiplist $limit{
     1 $binary_remote_addr ;
     0 "";
   }
   # Define the connection and request limit zones
   limit_conn_zone $limit zone=conn:10m;
   limit_req_zone $limit zone=allips:10m rate=20r/s;
   server{
     location /yourApplicationName {
       proxy_pass http://192.168.1.111:8095/app;
       limit_conn conn 50;
       limit_rate 500k;
       limit_req zone=allips burst=5 nodelay;
     }
   }
}
A whitelist configuration can be used to exempt requests from partner customers, search engines, etc. from the limits.

# (special case handling)

# If you want to limit only specific requests, for example only POST requests, then:
http{
   # ... other configuration
   # Map the request method to the limit key
   map $request_method $limit {
     default "";
     POST $binary_remote_addr;
   }
   # Define the limit zone
   limit_req_zone $limit zone=reqlimit:20m rate=10r/s;
   server{
     ... # Same as the general limit configuration
   }
}
# Building on this, to also apply the IP whitelist to the method-specific limit:
http{
   #...
   # Map the whitelist variable ($whiteiplist from the geo block above) to a limit key
   map $whiteiplist $limitips{
     1 $binary_remote_addr;
     0 "";
   }
 
   # Define the limit key for the specified request method, based on the whitelist
   map $request_method $limit {
     default "";
     # POST $binary_remote_addr;
     POST $limitips;
   }
 
   # Define the limit zone using the mapped key
   limit_req_zone $limit zone=reqlimit:20m rate=10r/s;

   # Reference the zone in server
   server{
     #... same as the normal limit configuration
   }
}
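
The following Python model is an added example, not part of the original article or of nginx. It parses a constructed copy of the geo block above and evaluates the chained maps to show which requests end up with an empty limit key, which nginx does not account against the zone. The function names and sample client addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed copy of the article's geo block, used as sample input.
GEO_BLOCK = """
geo $whiteiplist {
    default 1;
    127.0.0.1/32 0;
    64.223.160.0/19 0;
}
"""

def parse_geo(text):
    """Parse a simple geo block into (default_value, [(network, value), ...])."""
    body = re.search(r"\{(.*)\}", text, re.S).group(1)
    default, nets = "", []          # nginx uses "" when no default is given
    for entry in body.split(";"):
        parts = entry.split()
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "default":
            default = value
        else:
            nets.append((ipaddress.ip_network(key, strict=False), value))
    return default, nets

def geo_lookup(default, nets, client_ip):
    """Return the value of the most specific network containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    hits = [(n.prefixlen, v) for n, v in nets
            if n.version == addr.version and addr in n]
    return max(hits)[1] if hits else default

def limit_key(client_ip, method, geo_text=GEO_BLOCK):
    """Model: map $whiteiplist $limitips, then map $request_method $limit."""
    default, nets = parse_geo(geo_text)
    whiteiplist = geo_lookup(default, nets, client_ip)
    # The text form of the address stands in for $binary_remote_addr.
    limitips = client_ip if whiteiplist == "1" else ""
    # Only POST is limited; every other method gets an empty key.
    return limitips if method == "POST" else ""

if __name__ == "__main__":
    for ip, method in [("64.223.170.5", "POST"), ("203.0.113.7", "POST"),
                       ("203.0.113.7", "GET"), ("64.223.192.1", "POST")]:
        key = limit_key(ip, method)
        print(ip, method, "limited" if key else "exempt")
```

Running the same check against a production whitelist before deploying it shows whether an address just outside a CIDR range (such as 64.223.192.1 here) is still rate limited.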
