我想让 nginx 对特定 url 进行用户级访问控制,
对于其他用户<uid>,他们仅限于访问http://myserver.com/<uid>(方法POST)。像用户larrycai只能 POST 到http://myserver.com/larrycai/xxx.
我不想在上游服务器中有这个控制。
基本身份验证用于访问身份验证,如下所示
server {
...
auth_basic "Auth";
auth_basic_user_file conf/htpasswd;
}
现在如何将经过身份验证的用户映射到它自己的 url ?(我是 nginx 新手)。
我的用例是 docker-registry 前面的 nginx docker 容器,以便更好地控制用户访问。
2015.1.11 更新
与uidunix系统无关,仅用于应用程序,映射到REST接口
是否可以使用像 openresty(基于 lua)这样的额外模块?
我已经能够制定出一个解决方案,使许多用户能够从我的 docker-registry 中提取容器,并且只有特殊的授权用户才能使用 ngx_openresty-1.7.7.1 推送到我的注册表
/usr/local/openresty/nginx/conf/nginx.conf
worker_processes 1;
error_log /var/log/lua.log notice;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream docker-registry {
server localhost:5000;
}
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
server {
listen 443;
server_name docker-registry01.company.com;
ssl on;
ssl_certificate /etc/ssl/certs/docker-registry;
ssl_certificate_key /etc/ssl/private/docker-registry;
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location / {
auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
access_by_lua_file 'authorize.lua';
include docker-registry.conf;
}
location /_ping {
auth_basic off;
include docker-registry.conf;
}
location /v1/_ping {
auth_basic off;
include docker-registry.conf;
}
}
}
/usr/local/openresty/nginx/conf/docker-registry.conf
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
proxy_read_timeout 900;
/usr/local/openresty/nginx/authorize.lua
-- authorization rules
local restrictions = {
all = {
["^/$"] = { "HEAD" }
},
user = {
["^/$"] = { "HEAD", "GET" },
["^/v1/search$"] = { "HEAD", "GET" },
["^/v1/repositories/.*$"] = { "HEAD", "GET" },
["^/v1/images/.*$"] = { "HEAD", "GET" }
},
admin = {
["^/$"] = { "HEAD", "GET" },
["^/v1/search$"] = { "HEAD", "GET" },
["^/v1/repositories/.*$"] = { "HEAD", "GET", "PUT" },
["^/v1/images/.*$"] = { "HEAD", "GET", "PUT" }
}
}
-- list of roles and users
local user_role = {
all = {"all"},
user = {"user", "user2", "user3", "etc..."},
admin = {"admin", "dave_albert", "other_admin", "jenkins"}
}
-- get authenticated user as role
local user = ngx.var.remote_user
local role = nil
for _role, user_list in pairs(user_role) do
for k,user_name in pairs(user_list) do
if user_name == user then
role = _role
end
end
end
-- exit 403 when no matching role has been found
if restrictions[role] == nil then
ngx.header.content_type = 'text/plain'
ngx.status = 403
ngx.say("403 Forbidden: You don't have access to this resource/role.")
return ngx.exit(403)
end
-- get URL
local uri = ngx.var.uri
-- get method
local method = ngx.req.get_method()
local allowed = false
for path, methods in pairs(restrictions[role]) do
-- path matched rules?
local p = string.match(uri, path)
local m = nil
-- method matched rules?
for _, _method in pairs(methods) do
m = m and m or string.match(method, _method)
end
if p and m then
allowed = true
end
end
if not allowed then
ngx.header.content_type = 'text/plain'
ngx.log(ngx.WARN, "Role ["..role.."] not allowed to access the resource ["..method.." "..uri.."]")
ngx.status = 403
ngx.say("403 Forbidden: You don't have access to this resource.")
return ngx.exit(403)
else
ngx.log(ngx.WARN, "User ["..user.."] accessing resource ["..method.." "..uri.."]")
end
您看不到,请在您的配置中获取用户。
您可以通过以下方式限制某些访问权限
location /larrycai {
deny all;
}
总而言之,您不能通过 nginx 限制这一点。您可以编写 PHP 脚本,但这似乎不是您想要的。