29

I want to configure my nginx proxy server to only allow certain IPs to access it.

To my knowledge, this is normally done in the config file, with allow and deny lists, but I need a different option if possible, since my whitelist is very big. I also need to link this to a website, so that when a user is logged in, the user will be able to update the user's IP if it has changed.

In short, a whitelisted user will be able to use my proxy server, but if for any reason the user's IP changes, the user can still log in to my site and update that whitelisted IP.

Where I Need Help

Is there a way for nginx to read an IP whitelist from an external source, from something like htaccess or mysql? If so, what would be the best format for that list, so that it can be easily linked to and automatically updated? I'm planning to get the site professionally built so that when users log in to their accounts, the whitelist is automatically updated. I would therefore like my whitelist to be in the optimal format for the designer to work with, to make it easier to integrate the whitelist with the user accounts.

4

2 Answers

42

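I know of two ways to solve this problem.

  1. Allow list in a separate config: works with all common NginX installations

    You can place all the allow statements in a simple text file, one per site, that contains nothing but allow statements. Include it under the client's server block. Use a script to change the list as needed. Finally, reload (not restart) the nginx configuration every time you update the allow list. This could look as follows: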

    cat /var/www-allow/client1-allow.conf
    allow 192.168.1.1;
    allow 10.0.0.1;
    
    cat /etc/nginx/sites/client1.conf
    ...
    server {
        include /var/www-allow/client1-allow.conf;
        deny all;
    }
    
    echo "Test NginX configuration"
    nginx -t
    
    echo "Reload NginX configuration (adjust for your setup)"
    service nginx reload
    
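  2. Use embedded Lua: requires a custom NginX build

    Recompile NginX from source with the third-party embedded Lua add-on module. Use Lua scripts to actively deny unsupported IP addresses. See the second example under access_by_lua. You can use the plugin in several ways. I suggest using access_by_lua_file to keep the Lua scripts in an external location.

Both methods will still require some effort on your part. I don't think there is a plug-and-play solution for your particular goal at this time.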

answered 2012-12-17T19:38:06.150
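One way to write the update script that option 1 of the answer above calls for, as an added example that is not code from the answer. The function names are hypothetical; the file path and sample addresses are the ones shown in the answer. Every address is parsed before it is written, so a value submitted through the website cannot inject extra directives into the included file.

```python
import ipaddress
import os
import subprocess
import tempfile


def render_allow_file(addresses):
    """Return nginx `allow` lines for the given IPs/CIDRs, validated and sorted."""
    networks = set()
    for raw in addresses:
        # ip_network() accepts only a bare IP or CIDR, so input such as
        # "1.2.3.4; allow all" raises ValueError instead of reaching the config.
        net = ipaddress.ip_network(raw.strip())
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all network {net}")
        networks.add(net)
    lines = []
    for net in sorted(networks, key=lambda n: (n.version, n)):
        # Single hosts are written without a prefix, as in the answer's file.
        host = net.prefixlen == net.max_prefixlen
        lines.append(f"allow {net.network_address if host else net};\n")
    return "".join(lines)


def write_allow_file(addresses, path):
    """Validate first, then replace the include file atomically."""
    content = render_allow_file(addresses)  # raises before anything is written
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".allow-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
        os.replace(tmp, path)  # rename in one directory: never a half-written file
    except BaseException:
        os.unlink(tmp)
        raise


def reload_nginx():
    """Test the full configuration, and reload only if the test passes."""
    subprocess.run(["nginx", "-t"], check=True)
    subprocess.run(["service", "nginx", "reload"], check=True)  # adjust for your setup


if __name__ == "__main__":
    # Addresses and path are the ones shown in the answer.
    write_allow_file(["192.168.1.1", "10.0.0.1"], "/var/www-allow/client1-allow.conf")
    reload_nginx()
```

The `deny all;` line stays in the server block after the `include`, so an empty or missing entry fails closed.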
0

Maybe nginx.shared.dict ( http://wiki.nginx.org/HttpLuaModule#lua_shared_dict ) will help you?

answered 2014-09-26T01:13:24.903