对于 在 公有云 Load Balance 后面的 nginx 服务器来说,无法使用 allow 或 deny 指令来限制访问服务器的ip,这个时候,需要通过获取到的转发前的IP判断用户真实ip来进行处理,假设创建如下文件,文件名为 ip.txt
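# Client-address allow-list for an nginx that sits behind a public-cloud
# load balancer. The LB terminates the TCP connection, so $remote_addr is the
# LB's address and the client address only survives in X-Forwarded-For.
# X-Forwarded-For is also writable by the client, so matching the raw header
# (or $proxy_add_x_forwarded_for) lets a client satisfy the list by sending
# the header itself. The realip directives below replace $remote_addr with
# the last entry that was NOT added by a trusted proxy, i.e. the address the
# LB observed, and every check after them works on $remote_addr only.
# NOTE(review): requires nginx built with --with-http_realip_module
# ("nginx -V" lists it); replace the placeholder with the range the load
# balancer connects from -- with the wrong range $remote_addr stays the LB
# address and every request is handled by the same branch.
set_real_ip_from 10.0.0.0/8;   # PLACEHOLDER: your load balancer's range (constructed value)
real_ip_header X-Forwarded-For;
real_ip_recursive on;

set $allowFlag "0";
# your internet out ip -- anchored and dot-escaped so that "1.2.3.4" does
# not also match e.g. "11.2.3.45"
if ( $remote_addr !~ "^1\.2\.3\.4$" ) {
    set $allowFlag "${allowFlag}1";
}
# your internal ip
if ( $remote_addr !~ "^192\.168\.1\.1$" ) {
    set $allowFlag "${allowFlag}2";
}
# your lan ip range (192.168.1.0/24); the escaped trailing dot keeps
# 192.168.10.x and similar from matching
if ( $remote_addr !~ "^192\.168\.1\.[0-9]+$" ) {
    set $allowFlag "${allowFlag}3";
}
# "0123" means none of the three checks matched: send the client to the
# error page. "return" ends the rewrite phase on its own, so the former
# "break" after it was unreachable and has been dropped.
if ($allowFlag = "0123" ) {
    return 307 https://some.domain/your-error-page.html;
    #return 403;
}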
创建如下一个 test.conf 引入 ip.txt 文件即可
server {
    # plain-HTTP listener; the TLS listener is added by ssl.inc
    listen 80;
    server_name your.domain.com;
    # do not announce the nginx version in headers and error pages
    server_tokens off;

    # TLS listener, protocol/cipher policy and response security headers
    include /data/server/nginx-conf/ssl.inc;
    ssl_certificate /data/server/nginx-conf/ssl/your.crt;
    ssl_certificate_key /data/server/nginx-conf/ssl/your.key;

    # client-address allow-list: sets $allowFlag and redirects when no rule matches
    include /data/server/nginx-conf/ip.txt;

    #charset UTF-8;
    #access_log logs/access.log;

    # optional: force every plain-HTTP request onto https
    # if ($scheme = http){
    #     rewrite ^(.*)$ https://$host$1 permanent;
    # }

    location / {
        # shared proxy headers, buffers and timeouts
        include /data/server/nginx-conf/proxy.properties;
        proxy_pass http://localhost:8080/;
    }
}
proxy.properties
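# Proxy settings shared by every location that forwards to the application.
#proxy_redirect off;
# Upstream keepalive needs HTTP/1.1 together with an empty Connection header;
# while this line stays commented out, the Connection "" below does not
# enable keepalive on its own.
#proxy_http_version 1.1;
proxy_ignore_client_abort on;
proxy_set_header Connection "";
# X-Forwarded-Proto/Host/Port arrive as request headers from the load balancer
# and reach the upstream unchanged (nginx only redefines Host and Connection
# by default). The former "proxy_pass_header X-Forwarded-*" lines were no-ops:
# that directive only un-hides response headers from the upstream (Date,
# Server, X-Pad, X-Accel-*), so they have been removed.
# NOTE(review): $scheme is the scheme of this nginx listener, not of the
# client-to-LB hop -- confirm the upstream does not rely on it if TLS is
# terminated at the load balancer.
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header Host $host;
# $remote_addr is the load balancer unless the realip module has replaced it
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
# appends $remote_addr to the incoming X-Forwarded-For; the incoming part is
# client-controlled, so the upstream must only trust the right-most entries
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# request body limits
client_max_body_size 100m;
client_body_buffer_size 256k;
# upstream timeouts
proxy_connect_timeout 30s;
proxy_send_timeout 300s;
proxy_read_timeout 600s;
# response buffering
proxy_buffer_size 256k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_max_temp_file_size 128m;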
ssl.inc
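# TLS listener, protocol policy and response security headers; included at
# server level, so the add_header lines apply to the port-80 listener too.
listen 443 ssl http2;
# prefer the server's cipher order over the client's
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: forward-secret AEAD only (no CBC, no 3DES, no RSA key
# exchange). TLS 1.3 suites are not governed by ssl_ciphers in OpenSSL
# builds; the library fixes them (ssl_conf_command Ciphersuites changes them
# if that is ever needed). The former commented-out legacy list (CBC/3DES)
# has been dropped so it cannot be re-enabled by accident.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Session resumption: the nginx default timeout (5m) is kept here; a shorter
# value such as 1m limits how long a session id can be used to re-identify a
# client across connections. See, for example:
# https://www.zdnet.com/article/advertisers-can-track-users-across-the-internet-via-tls-session-resumption/
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Session tickets resume without the cache above and their key only changes
# when nginx is restarted, so the timeout would not bound them; disabled.
ssl_session_tickets off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years).
# "preload" commits this host and every subdomain to HTTPS in the browser
# preload lists; remove it if any subdomain still needs plain HTTP.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP stapling. ssl_stapling_verify needs the issuer chain in
# ssl_trusted_certificate and a resolver for the OCSP responder hostname;
# without both, stapling is quietly skipped (check the error log).
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /data/server/nginx-conf/ssl/your-chain.crt;   # PLACEHOLDER: issuer chain
#resolver <dns-server-ip> valid=300s;                                  # PLACEHOLDER: DNS resolver
# reduce clickjacking: only same-origin pages may frame this site
# ("always" so error responses carry the headers as well)
add_header X-Frame-Options SAMEORIGIN always;
# stop browsers from MIME-sniffing a response into a different type
add_header X-Content-Type-Options nosniff always;
# legacy browser XSS auditor; current browsers ignore it, and a
# Content-Security-Policy is the effective XSS mitigation. Kept for old clients.
add_header X-Xss-Protection 1 always;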